What's new
By:
  • Visit Rebornbuddy
  • Visit Panda Profiles
  • Visit LLamamMagic
  • Visit Resources
  • Visit Downloads
  • Visit Portal
RebornBuddy Forums

Register a free account today to become a member! Once signed in, you'll be able to participate on this site by adding your own topics and posts, as well as connect with other members through your own private inbox!

32-bit Detection Method and possible Anti-Way

Status
Not open for further replies.
R

redhand

New Member
Joined
May 15, 2015
Messages
12
From Build18019, Blizzard added a new detection method in the 32-bit client. A few days ago, they activated this dectection and put many accounts into ban-list whitch using “FrameScriptExecute” Bot.

Detection method here:
----------------------------------------------------
_lua_load[Wow.exe + 0x0B2223] is hooked with the function at HBDetectionLuaLoadHook[Wow.exe + 0x93514C]. It appears to check the call stack for calls coming from outside of Wow.exe, similar to the method that Blizzard tried a couple of years ago to detect Honorbuddy IIRC. The hook is applied by the function at HBDetectionPacketHandler[Wow.exe + 0x8DDD30]. It appears to be called in response to a packet send during or immediately after login.

Before Hook:
----------------------------------------------------
000B2223 - 55 - push ebp
000B2224 - 8b ec - mov ebp,esp
000B2226 - 83 ec 14 - sub esp,14
000B2229 - 83 7d 14 00 - cmp dword ptr [ebp+14],00
000B222D - 75 07 - jne 000B2236
000B222F - c7 45 14 9c 75 c3 01 - mov [ebp+14],getbattlenetallocator+2a1455
000B2236 - ff 75 10 - push [ebp+10]
000B2239 - 8d 45 ec - lea eax,[ebp-14]
000B223C - ff 75 0c - push [ebp+0c]
000B223F - 50 - push eax
000B2240 - ff 75 08 - push [ebp+08]
000B2243 - e8 d6 c1 00 00 - call 000Be41e

After Hook:
----------------------------------------------------
000B2223 - e9 24 2f 88 00 - jmp getbattlenetallocator+21f005
000B2228 - 14 83 - adc al,83
000B222A - 7d 14 - jnl 000B2240
000B222C - 00 75 07 - add [ebp+07],dh
000B222F - c7 45 14 9c 75 c3 01 - mov [ebp+14],getbattlenetallocator+2a1455
000B2236 - ff 75 10 - push [ebp+10]
000B2239 - 8d 45 ec - lea eax,[ebp-14]
000B223C - ff 75 0c - push [ebp+0c]
000B223F - 50 - push eax
000B2240 - ff 75 08 - push [ebp+08]
000B2243 - e8 d6 c1 00 00 - call 000Be41e

Key offsets here:
----------------------------------------------------
5.4.7.18019
0x0D75CE : _lua_load
0x8673BC : HBDetectionPacketHandler
0x8BD916 : HBDetectionLuaLoadHook

6.1.0.19702
0x0B2580 : _lua_load
0x8DA9FE : HBDetectionPacketHandler
0x9322E8 : HBDetectionLuaLoadHook

6.1.0.19865
0x0B2223 : _lua_load
0x8DDD30 : HBDetectionPacketHandler
0x93514C : HBDetectionLuaLoadHook

Ref: New 32-bit Detection Method Added

Possible Anti-Way Here:
----------------------------------------------------
Original Seq:
1、WoW.exe Startup
2、Account Loggined
3、Recieve HBDetectionPacket
4、Call HBDetectionPacketHandler
5、Call HBDetectionLuaLoadHook
6、_lua_load Hooked
7、Any Bot Call _lua_load outside WoW.exe, Hook _lua_load dectected
8、Report to blizz.

Anti Seq:
1、WoW.exe Startup - [Anti Step1] Hook HBDetectionPacketHandler
2、Account Loggined
3、Recieve HBDetectionPacket
4、Call HBDetectionPacketHandler - [Anti Step2] Call HBDetectionPacketHandler_Hooked, then call HBDetectionPacketHandler_Original
5、Call HBDetectionLuaLoadHook
6、_lua_load Hooked - [Anti Step3] Anter call HBDetectionPacketHandler_Original, unhook _lua_load
7、Any Bot Call _lua_load outside WoW.exe - [Anti Step4] Detection Failed
8、Report to blizz - [Anti Step5] It should never happend

Welcome any discution :)
 
Last edited:
Warden scan these offsets now:

address data
0x00002D4E E8 D7 CE 1B 00 E8
0x0001D7BA 59 59 85 C0 74 F0 83
0x000250FE 8B 4D 10
0x00025101 89 0D C8 F7
0x0008588D 55 8B EC 8B 0D 60 67
0x00085896 FF 75 08 8B 01 FF 50 78
0x000B77BB 55 8B EC 83 EC 48 8B 45 08
0x000B794D 55 8B EC 83 EC 64 56 8B 75 08
0x000B7F99 55 8B EC 8B 45 0C 83 78 08 06
0x000EB99F 55 8B EC A1
0x00202BF6 55 8B EC 53 56 8B F1 8B 4D
0x002884F5 75 1F 8B CB
0x0028CADE 55 8B EC 83 EC 20 53 57 FF
0x00294972 55 8B EC 56 8B F1 F7 46 40 00 00 00 40
0x00297F94 55 8B EC A1 C0
0x0029A4F3 55 8B EC 83 EC 4C 53 56 57 8B
0x0029A6A9 0F 87 3F 0C 00 00 FF 24 85
0x0029B4CB 55 8B EC 83 EC 0C 8B 45 0C 83
0x0029C18C E8 6C 14 E5 FF 8B F0
0x002A80C5 75 0B F7 46 40 00 00 10 01 75 02 5E C3
0x002E617F 8B 81 B8 0A 00 00 25 00 00 80
0x002F6C11 74 24 F3 0F
0x002F9C96 55 8B EC 83 EC 24 53 56 57 6A
0x00304A1B 75 10 68 5B 01 00 00
0x00309093 55 8B EC 83 EC 24 56 8B F1
0x00309181 85 C0 74 1F
0x00309185 8B 06 8D 4D
0x0036380F 0F 2F 44 06 08 72 05
0x003663AB A9 00 00 00 04 74 24
0x003663B0 74 24 A9 00 00 10 00
0x00381469 F7 C2 00 00 10 01 75 0C 81 66 04 FF FF EF FF
0x0038AA39 7F 27 6A 20
0x0038AA60 7E 0B 8B CF
0x003D0CCB 55 8B EC 83 EC 20 53 56 57
0x003D10C6 55 8B EC 81 EC B0 00 00 00
0x0051CCAE 74 25 F6 40 2C
0x00520B61 55 8B EC FF 75 10 FF
0x00532C94 0F 85 D5 01 00 00 8D 45 D4 50 8D 45 C4
0x0056351F 55 8B EC 83 EC 2C 53 8B 5D 08
0x00563541 F7 45 1C 00 00 F0 00 74
0x00563570 F7 45 1C F0 00 03 00 74
0x00563577 74 1F FF 75 1C
0x00563588 FF 75 10 FF 75 0C 50 E8
0x005635C2 FF 75 1C 8D 83 E0 00
0x00563670 F7 45 1C 00 01 00 00 74
0x00563677 74 11 FF 75 18
0x0059D6C1 55 8B EC 81 EC F4 00 00 00
0x008FEFA9 55 8B EC 83 EC 20 8D 45 F8 53 8B
0x008FEFF6 74 7B F3 0F 10
0x008FF82F A9 00 00 10 01 75 04 33 C0 EB 3F
0x008FF884 A9 00 00 10 01 75 04 33 C0 5E C3
0x008FF95D A9 00 00 10 01 74 0A 57 8B CE E8
0x009001CA A9 00 00 00 10 74 04
0x009001FA 75 30 F6 46 44
0x009009C8 81 66 40 FF FF 9F FF 8B 46 40 8B CA
0x00900A85 75 48 D9 86 88 00 00 00
0x0093D4CA 55 8B EC 8B 45 08
0x0093D4DE 78 4A 05 C0
0x0093D629 6A 01 68 C6 BA
0x0093F29A 8B EC 83
0x0093F2B5 FF 24 85 21 F3
0x0094D01D 53 57 E8 A6 04 FF FF
0x00956FF3 55 8B EC B8 68 38 00 00 E8 C0 DF D0
0x009574FC 7D 25 83 FE 0C 7C 54 83 FE
0x0095765A 74 17 83 F8 10
0x0095A022 55 8B EC 81 EC 68 0E 00 00 6A 0A E8
0x0095A3DC 74 46 83 FE 07
0x009E3050 2F 54 9A 41 43 4D 69 73
0x009E8B10 BB 8D 24 3F
0x00BDB94C D8 93 FE C0 48 8C 11 C1
0x00C470A0 00 00 00 00
0x00C470A4 04 00 00 00 B4 02

So maybe this way is safe...
 
yeak so thanks for the team to NOT listen warnings about 32 bits client :p
 
Why only ban 6 months? Because blizz found 20% players using FrameScriptExcute even some AutoLogin Tools.
 
wow redhand you have my respect for this information. Somehwere else I have readed the cc of honorbuddy (singular) should be the reason for the bun but these people didn't gave any logic argumentation like you did.
 
Ref link not working in this thread

Ref: New 32-bit Detection Method added again :)

EDIT:

OP TOOK THIS FROM OWNEDCORE, HE HAD REF LINK in ban report section(where he posted it first) and he forgot to add it here.
 
Last edited:
@redhand

this looks like good info, i guess, i have no clue what any of that means.

and if you post in this ban discussion forum section, you are going to get a lot of responses from people who just dont know either.

this info would be better utilized maybe in the developer forum, where actual coders hang out rather than here among the bandwagoners.

gl with your quest redhand, get your info to the right people
 
I notice further down in that thread he says:

"EDIT: I reversed the hook function more. It doesn't appear to be checking far back enough in the call stack to detect FrameScript_ExecuteBuffer or FrameScript_Execute. Most tools should still be safe."
 
Please stop copy&pasting things you don't understand from other web sites or at least hand out your sources (I assume ownedcore in this case).
In this case it even has nothing to do with current HB detection.
 
Last edited:
Keanu said:
Please stop copy&pasting things you don't understand from other web sites or at least hand out your sources (I assume ownedcore in this case).
In this case it even has nothing to do with current HB detection.
Click to expand...

If you're going to call him out at least provide a source...
 
Keanu said:
Please stop copy&pasting things you don't understand from other web sites or at least hand out your sources (I assume ownedcore in this case).
In this case it even has nothing to do with current HB detection.
Click to expand...


you shouldnt ASS U ME things....for all you know he came up with it in either case I appreciate him sharing this info.
 
Please read the whole first post before flaming, he did state that he got it from ownedcore....

He even has it stated in the first post where he got it from but forgot to add the link, since its the second time he posted it on this forum.

Also Iv posted the ref link to the ownedcores forum post (where it first originated)

But I do agree that OP should made it more obvious that he copy&pasted it form another forum.
 
Last edited:
Status
Not open for further replies.
Back
Top