• Visit Rebornbuddy
  • 32-bit Detection Method and possible Anti-Way

    Discussion in 'Discussions (no Ban Reports here)' started by redhand, May 15, 2015.

    Thread Status:
    Not open for further replies.
    1. redhand

      redhand New Member

      Joined:
      May 15, 2015
      Messages:
      12
      Likes Received:
      1
      Trophy Points:
      0
      From Build18019, Blizzard added a new detection method in the 32-bit client. A few days ago, they activated this dectection and put many accounts into ban-list whitch using “FrameScriptExecute” Bot.

      Detection method here:
      ----------------------------------------------------
      _lua_load[Wow.exe + 0x0B2223] is hooked with the function at HBDetectionLuaLoadHook[Wow.exe + 0x93514C]. It appears to check the call stack for calls coming from outside of Wow.exe, similar to the method that Blizzard tried a couple of years ago to detect Honorbuddy IIRC. The hook is applied by the function at HBDetectionPacketHandler[Wow.exe + 0x8DDD30]. It appears to be called in response to a packet send during or immediately after login.

      Before Hook:
      ----------------------------------------------------
      000B2223 - 55 - push ebp
      000B2224 - 8b ec - mov ebp,esp
      000B2226 - 83 ec 14 - sub esp,14
      000B2229 - 83 7d 14 00 - cmp dword ptr [ebp+14],00
      000B222D - 75 07 - jne 000B2236
      000B222F - c7 45 14 9c 75 c3 01 - mov [ebp+14],getbattlenetallocator+2a1455
      000B2236 - ff 75 10 - push [ebp+10]
      000B2239 - 8d 45 ec - lea eax,[ebp-14]
      000B223C - ff 75 0c - push [ebp+0c]
      000B223F - 50 - push eax
      000B2240 - ff 75 08 - push [ebp+08]
      000B2243 - e8 d6 c1 00 00 - call 000Be41e

      After Hook:
      ----------------------------------------------------
      000B2223 - e9 24 2f 88 00 - jmp getbattlenetallocator+21f005
      000B2228 - 14 83 - adc al,83
      000B222A - 7d 14 - jnl 000B2240
      000B222C - 00 75 07 - add [ebp+07],dh
      000B222F - c7 45 14 9c 75 c3 01 - mov [ebp+14],getbattlenetallocator+2a1455
      000B2236 - ff 75 10 - push [ebp+10]
      000B2239 - 8d 45 ec - lea eax,[ebp-14]
      000B223C - ff 75 0c - push [ebp+0c]
      000B223F - 50 - push eax
      000B2240 - ff 75 08 - push [ebp+08]
      000B2243 - e8 d6 c1 00 00 - call 000Be41e

      Key offsets here:
      ----------------------------------------------------
      5.4.7.18019
      0x0D75CE : _lua_load
      0x8673BC : HBDetectionPacketHandler
      0x8BD916 : HBDetectionLuaLoadHook

      6.1.0.19702
      0x0B2580 : _lua_load
      0x8DA9FE : HBDetectionPacketHandler
      0x9322E8 : HBDetectionLuaLoadHook

      6.1.0.19865
      0x0B2223 : _lua_load
      0x8DDD30 : HBDetectionPacketHandler
      0x93514C : HBDetectionLuaLoadHook

      Ref: New 32-bit Detection Method Added

      Possible Anti-Way Here:
      ----------------------------------------------------
      Original Seq:
      1、WoW.exe Startup
      2、Account Loggined
      3、Recieve HBDetectionPacket
      4、Call HBDetectionPacketHandler
      5、Call HBDetectionLuaLoadHook
      6、_lua_load Hooked
      7、Any Bot Call _lua_load outside WoW.exe, Hook _lua_load dectected
      8、Report to blizz.

      Anti Seq:
      1、WoW.exe Startup - [Anti Step1] Hook HBDetectionPacketHandler
      2、Account Loggined
      3、Recieve HBDetectionPacket
      4、Call HBDetectionPacketHandler - [Anti Step2] Call HBDetectionPacketHandler_Hooked, then call HBDetectionPacketHandler_Original
      5、Call HBDetectionLuaLoadHook
      6、_lua_load Hooked - [Anti Step3] Anter call HBDetectionPacketHandler_Original, unhook _lua_load
      7、Any Bot Call _lua_load outside WoW.exe - [Anti Step4] Detection Failed
      8、Report to blizz - [Anti Step5] It should never happend

      Welcome any discution :)
       
      Last edited: May 15, 2015
      1101011 likes this.
    2. redhand

      redhand New Member

      Joined:
      May 15, 2015
      Messages:
      12
      Likes Received:
      1
      Trophy Points:
      0
      Warden scan these offsets now:

      address data
      0x00002D4E E8 D7 CE 1B 00 E8
      0x0001D7BA 59 59 85 C0 74 F0 83
      0x000250FE 8B 4D 10
      0x00025101 89 0D C8 F7
      0x0008588D 55 8B EC 8B 0D 60 67
      0x00085896 FF 75 08 8B 01 FF 50 78
      0x000B77BB 55 8B EC 83 EC 48 8B 45 08
      0x000B794D 55 8B EC 83 EC 64 56 8B 75 08
      0x000B7F99 55 8B EC 8B 45 0C 83 78 08 06
      0x000EB99F 55 8B EC A1
      0x00202BF6 55 8B EC 53 56 8B F1 8B 4D
      0x002884F5 75 1F 8B CB
      0x0028CADE 55 8B EC 83 EC 20 53 57 FF
      0x00294972 55 8B EC 56 8B F1 F7 46 40 00 00 00 40
      0x00297F94 55 8B EC A1 C0
      0x0029A4F3 55 8B EC 83 EC 4C 53 56 57 8B
      0x0029A6A9 0F 87 3F 0C 00 00 FF 24 85
      0x0029B4CB 55 8B EC 83 EC 0C 8B 45 0C 83
      0x0029C18C E8 6C 14 E5 FF 8B F0
      0x002A80C5 75 0B F7 46 40 00 00 10 01 75 02 5E C3
      0x002E617F 8B 81 B8 0A 00 00 25 00 00 80
      0x002F6C11 74 24 F3 0F
      0x002F9C96 55 8B EC 83 EC 24 53 56 57 6A
      0x00304A1B 75 10 68 5B 01 00 00
      0x00309093 55 8B EC 83 EC 24 56 8B F1
      0x00309181 85 C0 74 1F
      0x00309185 8B 06 8D 4D
      0x0036380F 0F 2F 44 06 08 72 05
      0x003663AB A9 00 00 00 04 74 24
      0x003663B0 74 24 A9 00 00 10 00
      0x00381469 F7 C2 00 00 10 01 75 0C 81 66 04 FF FF EF FF
      0x0038AA39 7F 27 6A 20
      0x0038AA60 7E 0B 8B CF
      0x003D0CCB 55 8B EC 83 EC 20 53 56 57
      0x003D10C6 55 8B EC 81 EC B0 00 00 00
      0x0051CCAE 74 25 F6 40 2C
      0x00520B61 55 8B EC FF 75 10 FF
      0x00532C94 0F 85 D5 01 00 00 8D 45 D4 50 8D 45 C4
      0x0056351F 55 8B EC 83 EC 2C 53 8B 5D 08
      0x00563541 F7 45 1C 00 00 F0 00 74
      0x00563570 F7 45 1C F0 00 03 00 74
      0x00563577 74 1F FF 75 1C
      0x00563588 FF 75 10 FF 75 0C 50 E8
      0x005635C2 FF 75 1C 8D 83 E0 00
      0x00563670 F7 45 1C 00 01 00 00 74
      0x00563677 74 11 FF 75 18
      0x0059D6C1 55 8B EC 81 EC F4 00 00 00
      0x008FEFA9 55 8B EC 83 EC 20 8D 45 F8 53 8B
      0x008FEFF6 74 7B F3 0F 10
      0x008FF82F A9 00 00 10 01 75 04 33 C0 EB 3F
      0x008FF884 A9 00 00 10 01 75 04 33 C0 5E C3
      0x008FF95D A9 00 00 10 01 74 0A 57 8B CE E8
      0x009001CA A9 00 00 00 10 74 04
      0x009001FA 75 30 F6 46 44
      0x009009C8 81 66 40 FF FF 9F FF 8B 46 40 8B CA
      0x00900A85 75 48 D9 86 88 00 00 00
      0x0093D4CA 55 8B EC 8B 45 08
      0x0093D4DE 78 4A 05 C0
      0x0093D629 6A 01 68 C6 BA
      0x0093F29A 8B EC 83
      0x0093F2B5 FF 24 85 21 F3
      0x0094D01D 53 57 E8 A6 04 FF FF
      0x00956FF3 55 8B EC B8 68 38 00 00 E8 C0 DF D0
      0x009574FC 7D 25 83 FE 0C 7C 54 83 FE
      0x0095765A 74 17 83 F8 10
      0x0095A022 55 8B EC 81 EC 68 0E 00 00 6A 0A E8
      0x0095A3DC 74 46 83 FE 07
      0x009E3050 2F 54 9A 41 43 4D 69 73
      0x009E8B10 BB 8D 24 3F
      0x00BDB94C D8 93 FE C0 48 8C 11 C1
      0x00C470A0 00 00 00 00
      0x00C470A4 04 00 00 00 B4 02

      So maybe this way is safe...
       
    3. shae

      shae Member

      Joined:
      Sep 19, 2010
      Messages:
      105
      Likes Received:
      0
      Trophy Points:
      16
      yeak so thanks for the team to NOT listen warnings about 32 bits client :p
       
    4. redhand

      redhand New Member

      Joined:
      May 15, 2015
      Messages:
      12
      Likes Received:
      1
      Trophy Points:
      0
      Why only ban 6 months? Because blizz found 20% players using FrameScriptExcute even some AutoLogin Tools.
       
    5. Trixiap

      Trixiap Member

      Joined:
      Nov 18, 2010
      Messages:
      441
      Likes Received:
      10
      Trophy Points:
      18
      Did you know assembler, or you just see 32bit and blame devs?
       
    6. 1101011

      1101011 Member

      Joined:
      Dec 4, 2011
      Messages:
      731
      Likes Received:
      3
      Trophy Points:
      18
      wow redhand you have my respect for this information. Somehwere else I have readed the cc of honorbuddy (singular) should be the reason for the bun but these people didn't gave any logic argumentation like you did.
       
    7. Aiolis

      Aiolis New Member

      Joined:
      May 13, 2015
      Messages:
      28
      Likes Received:
      0
      Trophy Points:
      0
      Ref link not working in this thread

      Ref: New 32-bit Detection Method added again :)

      EDIT:

      OP TOOK THIS FROM OWNEDCORE, HE HAD REF LINK in ban report section(where he posted it first) and he forgot to add it here.
       
      Last edited: May 15, 2015
    8. frosticus

      frosticus Community Developer

      Joined:
      Oct 19, 2012
      Messages:
      2,930
      Likes Received:
      58
      Trophy Points:
      48
      @redhand

      this looks like good info, i guess, i have no clue what any of that means.

      and if you post in this ban discussion forum section, you are going to get a lot of responses from people who just dont know either.

      this info would be better utilized maybe in the developer forum, where actual coders hang out rather than here among the bandwagoners.

      gl with your quest redhand, get your info to the right people
       
    9. MrPewterSchmidt

      MrPewterSchmidt New Member

      Joined:
      Nov 9, 2013
      Messages:
      258
      Likes Received:
      1
      Trophy Points:
      0
      I notice further down in that thread he says:

      "EDIT: I reversed the hook function more. It doesn't appear to be checking far back enough in the call stack to detect FrameScript_ExecuteBuffer or FrameScript_Execute. Most tools should still be safe."
       
    10. Keanu

      Keanu Member Buddy Store Developer

      Joined:
      Jan 15, 2010
      Messages:
      871
      Likes Received:
      15
      Trophy Points:
      18
      Please stop copy&pasting things you don't understand from other web sites or at least hand out your sources (I assume ownedcore in this case).
      In this case it even has nothing to do with current HB detection.
       
      Last edited: May 15, 2015
    11. projektt

      projektt Active Member

      Joined:
      Sep 21, 2010
      Messages:
      1,424
      Likes Received:
      8
      Trophy Points:
      38
      If you're going to call him out at least provide a source...
       
    12. Keanu

      Keanu Member Buddy Store Developer

      Joined:
      Jan 15, 2010
      Messages:
      871
      Likes Received:
      15
      Trophy Points:
      18
    13. projektt

      projektt Active Member

      Joined:
      Sep 21, 2010
      Messages:
      1,424
      Likes Received:
      8
      Trophy Points:
      38
      Then keep your mouth shut.
       
      Frayman likes this.
    14. leetdemon

      leetdemon Member

      Joined:
      Jan 15, 2010
      Messages:
      433
      Likes Received:
      3
      Trophy Points:
      18

      you shouldnt ASS U ME things....for all you know he came up with it in either case I appreciate him sharing this info.
       
    15. Dakotahray

      Dakotahray New Member

      Joined:
      May 1, 2015
      Messages:
      19
      Likes Received:
      0
      Trophy Points:
      0
      LMFAO get em @projektt
       
    16. Aiolis

      Aiolis New Member

      Joined:
      May 13, 2015
      Messages:
      28
      Likes Received:
      0
      Trophy Points:
      0
      Please read the whole first post before flaming, he did state that he got it from ownedcore....

      He even has it stated in the first post where he got it from but forgot to add the link, since its the second time he posted it on this forum.

      Also Iv posted the ref link to the ownedcores forum post (where it first originated)

      But I do agree that OP should made it more obvious that he copy&pasted it form another forum.
       
      Last edited: May 15, 2015
    17. Xarian

      Xarian Member

      Joined:
      Aug 31, 2013
      Messages:
      161
      Likes Received:
      11
      Trophy Points:
      18
      Lol.
       
    18. Keanu

      Keanu Member Buddy Store Developer

      Joined:
      Jan 15, 2010
      Messages:
      871
      Likes Received:
      15
      Trophy Points:
      18
      No.
       
    19. JUANNY

      JUANNY Member

      Joined:
      Jan 28, 2013
      Messages:
      141
      Likes Received:
      0
      Trophy Points:
      16
      It seems like flaming the OP comes easy to you which is sad considering that peeps want answers to the detection in HB
       
    20. Xarian

      Xarian Member

      Joined:
      Aug 31, 2013
      Messages:
      161
      Likes Received:
      11
      Trophy Points:
      18
      He is a community dev, he is special.
       
    Thread Status:
    Not open for further replies.

    Share This Page