This is an untested theory. It is food for thought for the developers and a good reason to block your crash logs in the future.
- Add "127.0.0.1 errors.battle.net" to your Windows hosts file.
- Add the error reporter app to the block-list of your firewall.
(stolen from another post)
The Problem
Take a look at:
Diablo III\InspectorReporter\ReportedBugs
I have a couple dozen crash logs in there all sent to blizzard.
ErrorReport.Bug is for the Diablo III process and contains a list of the modules loaded in memory. OK, fine; this isn't a big deal. (NOTE: this is the modules loaded in the D3 process, NOT a list of running processes.)
D3Debug.txt is another story. It has two things that concern me.
[1] the call stack
[2] an x86 register dump and 1024 bytes from wherever ESP is pointing.
Detection method
I haven't done control flow analysis, but I'm concerned that the call stack isn't going to look proper in many cases. If the crash is caused by some action/injection by DB or a third-party plugin, it should generate a different call stack (missing click events, etc.).
Once a group of known botters has been identified via other means (red flags or enough yellow flags), a script could pull their crash logs and a person could start analysing them to generate signatures based on the call stacks. With a decent threshold there would be very few false positives, and the result could be used to generate red flags.
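The signature idea described above, worked through as an added example (my code, not from the post, from DB or from Blizzard): a parser for the stack-crawl and register lines in the D3Debug.txt format quoted further down, a similarity score of a crash stack against a known-bad signature, and a threshold mapping to red/yellow/clean. The ExamplePlugin.dll frame, the known-bad signature and the thresholds are constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

Frame = Tuple[int, str]

# Line formats follow the D3Debug.txt excerpt quoted in the post.
FRAME_RE = re.compile(r'DBG-ADDR<([0-9A-Fa-f]{8})>\("([^"]+)"\)')
REG_RE = re.compile(r'\b([A-Z]{2,3}) = ([0-9A-Fa-f]{4,8})\b')

# Constructed sample: frames taken from the post's own stack crawl plus one
# hypothetical frame from a third-party module (name made up for this example).
SAMPLE_LOG = """<STACK-0>
DBG-ADDR<00F78852>("Diablo III.exe")
DBG-ADDR<00F6E67E>("Diablo III.exe")
DBG-ADDR<10001A2B>("ExamplePlugin.dll")
DBG-ADDR<00852183>("Diablo III.exe")
DBG-ADDR<0080DFA4>("Diablo III.exe")
5 frames dumped
</STACK-0>
EAX = 0018de54 EBX = 00000001 ECX = d8d21f73 EDX = 0008e3c8
EIP = 7505c41f FLG = 00000246 CS = 0023 DS = 002b
"""

def parse_stack_crawl(text: str) -> List[Frame]:
    """Frames of a <STACK-0> block, innermost (crashing) frame first."""
    return [(int(a, 16), m) for a, m in FRAME_RE.findall(text)]

def parse_registers(text: str) -> Dict[str, int]:
    """x86 register dump as name -> value."""
    return {n: int(v, 16) for n, v in REG_RE.findall(text)}

def foreign_modules(frames: List[Frame], trusted=("Diablo III.exe",)) -> List[str]:
    """Module names on the stack that are not the game executable itself."""
    return sorted({m for _, m in frames if m not in trusted})

def similarity(signature: List[Frame], frames: List[Frame]) -> float:
    """Fraction of the signature's frames that also appear in this crash's stack."""
    if not signature:
        return 0.0
    present = set(frames)
    return sum(f in present for f in signature) / len(signature)

def classify(log: str, signatures: List[List[Frame]], red=0.8, yellow=0.5) -> str:
    """Match one crash log against known-bad stack signatures with a threshold."""
    frames = parse_stack_crawl(log)
    if not frames:
        return "no-stack"
    best = max((similarity(s, frames) for s in signatures), default=0.0)
    return "red" if best >= red else "yellow" if best >= yellow else "clean"

# Constructed known-bad signature: the deeper, stable caller frames seen in
# crash logs already attributed to a bot (assumed values, not real data).
KNOWN_BAD = [[(0x00852183, "Diablo III.exe"), (0x0080DFA4, "Diablo III.exe"),
              (0x10001A2B, "ExamplePlugin.dll")]]
```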
Mitigation
We need to block these crash reports. It's possible that blocking them gets you a flag, but at least it's just a yellow flag.
--------------------------------
[1]
<STACK-0>
------------
Stack Crawl:
------------
DBG-ADDR<00F78852>("Diablo III.exe")
DBG-ADDR<00F6E67E>("Diablo III.exe")
DBG-ADDR<00F6ECB0>("Diablo III.exe")
DBG-ADDR<00852183>("Diablo III.exe")
DBG-ADDR<00865B33>("Diablo III.exe")
DBG-ADDR<008D1A96>("Diablo III.exe")
DBG-ADDR<008D2360>("Diablo III.exe")
DBG-ADDR<00DC3421>("Diablo III.exe")
DBG-ADDR<0080DFA4>("Diablo III.exe")
9 frames dumped
</STACK-0>
[2]
----------------------------------------
x86 Registers
----------------------------------------
EAX = 0018de54 EBX = 00000001 ECX = d8d21f73 EDX = 0008e3c8
ESI = 03934000 EDI = 014e60d8 EBP = 0018dea4 ESP = 0018de54
EIP = 7505c41f FLG = 00000246 CS = 0023 DS = 002b
ES = 002b FS = 0053 GS = 002b SS = 002b
----------------------------------------
Memory Dump
----------------------------------------
Code: 16 bytes starting at (EIP = 7505C41F)
7505C41F: C9 C2 10 00 CC CC CC CC CC 8B FF 55 8B EC 56 8B ...........U..V.
Stack: 1024 bytes starting at (ESP = 0018DE54)