# The Free Lunch Is Over - Obfuscation is Coming

## Torpedoes

*OVERVIEW*
Thanks to a user of this forum who has notified me of this news. Unfortunately it looks like Blizzard has begun testing and deploying a new obfuscated version of the WoW binary (currently on the PTR). Perhaps ending support for Windows XP opened up some new opportunities for improved countermeasures against reverse engineering. In a way, I'm happy to see them finally making a move to reduce the number of cheaters in this game, but how far will they go?
*OBFUSCATION*
Early indications show an obfuscation pattern similar to Overwatch, which was bypassed early on before being taken down. So at the very least, we might start seeing unpackers akin to StarCraft II and Heroes of the Storm. I have no reason to believe that any internal data structures would change but I would not be surprised to see some nasty tricks being implemented to protect the object manager. If not now then perhaps in the new expansion. We've seen this before with Legacy of the Void.
*ANTI DEBUGGING*
Next, and while I haven't tried this myself, there are reports of anti-debugging capabilities being implemented as well. This means that attaching any sort of debugger will end up crashing the client or otherwise locking it up. As a result, we might have to come up with new strategies to get around this. Perhaps we'll have to revisit the strategies used by the SC2 and HotS community.
*TRAP PAGES*
Until we get more information, I'd avoid performing any unprotected memory scans including any unbounded cheat engine scans. Thanks to Overwatch, we've seen trap pages being implemented which resulted in a client crash. So we know it's a technique they might be using to ban cheaters and cheat developers with. Regardless, it's always a good idea to protect your memory scans. See this thread to learn more.

NOTES: Possible Cheat Engine workaround. Thanks @karliky.
*DLL INJECTION*
As always, be careful with this one. Writing to memory is dangerous enough, let alone importing code and spawning threads. I never liked this technique, but if you must use it then at least wait for the dust to settle before injecting anything. While I'm not sure we'll see HWID bans in WoW, they have been strictly enforced in Overwatch and you could end up losing all your accounts!! I did when I foolishly injected DLLs in Overwatch. Not even in-game, just on the login screen.

NOTES: I've heard people getting away with DLL injection by emulating OBS and other "legit" apps.
*THE FUTURE*
The future of cheating in WoW depends entirely on how far Blizzard is willing to take this. Despite the advanced security of Overwatch, the community has been quite resourceful in counteracting it, so I have no doubt that we'll continue seeing big-name bots bypass it and succeed. As for the small players such as myself, unless we're able to keep up, it might be time to find a new hobby. Regardless of what happens, I'm surprised we've held on for this long without any significant changes to client security.
*Protection is live as of 7.3.0 released Aug 29, 2017*

----------


## Nyarly

Nice recap! I have faith in this community to always find new ways to exploit and hack. But maybe I'm dreaming...
Anyway, it would be sad to see the end of datamining.

----------


## uzzy13u

// edit - removed

----------


## Zazazu

For reading from memory, I think this will not have an effect. I do not think that they will introduce a white list of programs that are allowed to attach to WoW. But they can introduce more serious accounting of attached programs to detect bots/keysenders.

----------


## doityourself

> For reading from memory, I think this will not have an effect. I do not think that they will introduce a white list of programs that are allowed to attach to WoW. But they can introduce more serious accounting of attached programs to detect bots/keysenders.


Reading memory is fine atm, and for static analysis you can still dump the process memory for now. Injecting my DLL and calling functions is working too (I guess^^), but writing game memory does not.

----------


## Torpedoes

> You can still dump the process memory for now.


I've tried this before but it ended up being a mess. Is there somewhere you can point me to that explains this technique in more detail?

----------


## air999

Attaching both IDA and CE in debug mode crashed wow.

I've dumped the 24759 x32 PTR with Process-Dump (GitHub - glmcdona/Process-Dump: Windows tool for dumping malware PE files from memory back to disk for analysis) just fine.

It generates an exe file with PE headers and an IAT (seems not complete), so I can open it with IDA and dump my offsets.

----------


## natt_

this makes me happy and sad  :Smile:

----------


## tutrakan

I think it is a good idea that they try to protect their content more. The sad part is that they are blind to the interest in the earliest versions of their own game.


Can I get an unlike button, just in case some bot seller promotes his crap for free?



> removed

----------


## DarkLinux

> removed


Good luck with that, I'm guessing you have not been keeping up with OverWatch  :Big Grin:

----------


## doityourself

> Attaching both IDA and CE in debug mode crashed wow.
> 
> I've dumped the 24759 x32 PTR with Process-Dump (GitHub - glmcdona/Process-Dump: Windows tool for dumping malware PE files from memory back to disk for analysis) just fine.
> 
> It generates an exe file with PE headers and an IAT (seems not complete), so I can open it with IDA and dump my offsets.


Use scylla, it's better

----------


## WiNiFiX

> Good luck with that, I'm guessing you have not been keeping up with OverWatch


Actually no, I hate FPS, but I have used AutoIt aim-bots to test it out and my account is still very much alive.
Any good sources I can read up on to see how they are blocking it in OW?

----------


## Torpedoes

> Use scylla, it's better


Can confirm, it is better and worked just fine. People have also been successfully modifying and using this project.




> Good luck with that, I'm guessing you have not been keeping up with OverWatch


I haven't been keeping up with Overwatch so I'm curious to see what they've done. I was under the impression that pixel aimers were still a thing.

----------


## rail3r85

already live on Mac version of WoW

----------


## doityourself

> allready live on Mac version of WoW


wat?! The mac version is fine

----------


## silverduck22

> removed


Something that I've been questioning myself about a lot...

Why did you stop with that project?

You don't have to answer if there is something legal going on, but you were doing great...

Before it is too late: thanks to you, my inner will to develop has risen back.

ps: English isn't my first language, so sorry for my bad grammar.

----------


## rail3r85

> wat?! The mac version is fine


It might be fine but the obfuscation is on Live in Mac OS version of World of Warcraft.

It was told to me by Soapbox.

----------


## Alkana

Afaik only the obfuscation is live on the macOS version; it did not take him very long to update his macOS client. I also do not think they are going to take this much further; it's not like WoW is competitive in the same way Overwatch is. Rotation bots in WoW will likely never be better than a good player. Bots, on the other hand, are an issue to them and always have been, but there are no bots available on OSX... or almost none. So wait and see, I guess!

----------


## doityourself

> Afaik only the obfuscation is live on the macOS version; it did not take him very long to update his macOS client. I also do not think they are going to take this much further; it's not like WoW is competitive in the same way Overwatch is. Rotation bots in WoW will likely never be better than a good player. Bots, on the other hand, are an issue to them and always have been, but there are no bots available on OSX... or almost none. So wait and see, I guess!


The obfuscation is not on live, ptr or beta macOS client!!!

----------


## WiNiFiX

Anyone know why my prior post, which contained my bot's Discord link, was removed? I did not break any rules under the Memory Editing Section Rules, and I have previously advertised on OC without issues.

----------


## DarkLinux

> Anyone know why my prior post, which contained my bot's Discord link, was removed? I did not break any rules under the Memory Editing Section Rules, and I have previously advertised on OC without issues.


Way off topic, but you're only allowed to advertise @ http://www.ownedcore.com/forums/mmo-...uy-sell-trade/, even then you need a "Legendary Thread" to link offsite.

Unless you have something worked out with the staff, aka they take a % of sales. (unless that has changed)

You also need to read Site rules




> No Spam or Advertisements of any kind.


But it is a gray area, I think you can advertise if it's free with paid components.

----------


## Torpedoes

Thank you for all your hard work over these last several years DarkLinux. It's sad to see your Lua unlocker project come to an end. I will say that I have already seen people bypass their anti-patch and anti-thread-creation protections. But like you said, I question the safety of these bypasses. The golden age of function patching, debugging and DLL injection is over, even though some folks might disagree. I only hope they don't end up getting banned.

----------


## ShasVa

Going by all this it sounds like (key words there) rotation botting is over and done for once 7.3 goes live. If I'm wrong, feel free to correct me. I just want EWT and badrotations to work so I can play without having to deeply concern myself with the rotation.

----------


## Torpedoes

> Going by all this it sounds like (key words there) rotation botting is over and done for once 7.3 goes live. If I'm wrong, feel free to correct me. I just want EWT and badrotations to work so I can play without having to deeply concern myself with the rotation.


Pixel-based and external rotation bots are probably fine. In fact, I'd be surprised if any external tools are affected by this. But anything internal or requiring function patching such as Lua unlocking is probably over. There are ways around it and I'm sure the machinima folks will figure it out but in terms of safety, I don't think we'll be seeing anything anytime soon.

----------


## karliky

Has anyone tried to remove the trap pages with VirtualFreeEx? I guess you can retrieve the lpAddress from a particular page with QueryWorkingSetEx then use it with VirtualFreeEx but I haven't tried yet.

----------


## Torpedoes

> Has anyone tried to remove the trap pages with VirtualFreeEx? I guess you can retrieve the lpAddress from a particular page with QueryWorkingSetEx then use it with VirtualFreeEx but I haven't tried yet.


Not sure why you'd want to do that. It might end up crashing the game. But I don't see why not, unless it's somehow protected in another way. Some of those trap pages are legitimate as well, as they might be created by the C++ runtime.

----------


## homer91

I feel happy and angry at the same time about this!  :Mad:   :Smile:

----------


## Ramono

The end for emulation?

----------


## Torpedoes

> The end for emulation?


Depends on several factors. Whether their modifications can be done on the non-obfuscated portions of the executable or, if not, whether an unpacker will exist. If neither option is available they may have to do some runtime patching, which is still possible. The thing that might really stop emulation is if they decided to completely change the client somehow, either change the code enough to prevent patching or make it unreasonably difficult to keep up and update or figure out implementations for new features. I don't think that will happen though.

----------


## sitnspinlock

protection too stronk for darklinux

----------


## Torpedoes

> protection too stronk for darklinux


Protection is easy, not getting banned is hard. Simply not worth pursuing.

----------


## WiNiFiX

That's also easy, use a friend's account to test  :Cool:

----------


## Midi12

What you describe is basically the same obfuscator used in Overwatch lol. All Blizzard's games will be protected that way in the end.

----------


## Torpedoes

> What you describe is basically the same obfuscator used in Overwatch lol. All Blizzard's games will be protected that way in the end.


Hey Midi, thanks for all your contributions, I'm a big fan of your work. I'm hoping we'll be able to get a decrypter going on par with what you had for Overwatch :-)

And yes, it's probably all part of the same build pipeline at this point.

----------


## ShasVa

I'll come back if the obfuscation can be reliably circumvented and maintained. If not, then perhaps my time with WoW is over. It's been fun, mostly.

----------


## Ehnoah

So with the new memory-read bot of Soap, it might be possible to get around it with ease? Or is memory reading also affected by the obfuscation with the fake pages?

----------


## Torpedoes

> So with the new memory-read bot of Soap, it might be possible to get around it with ease? Or is memory reading also affected by the obfuscation with the fake pages?


I have no idea how Soap is reading memory but safe memory reads with VirtualQueryEx should always be used.

----------


## karliky

In case anyone uses CE, here is a plugin that will scan only paged-in memory regions: Cheat Engine :: View topic - QWS (QueryWorkingSet instead of VirtualQueryEx)

----------


## zakkord

> I have no idea how Soap is reading memory but safe memory reads with VirtualQueryEx should always be used.


Only viable for dumping the process; if you're not suspending game threads you can eventually get caught when they free/allocate a new page in between your VirtualQuery/QWS and RPM.
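Putting the advice in this sub-thread together (Torpedoes: only read after VirtualQueryEx says the page is safe; karliky: QWS as an alternative; zakkord: the map can change between the query and the read), here is an added example in Python with ctypes. It is not code from the thread or from any of the tools mentioned. The constants are the winnt.h values; `Region`, `is_safe_to_read`, `plan_reads`, `scan`, `query_regions` and `rpm` are names chosen here; the sample region list and `sample_read` are constructed stand-ins so the logic runs offline. That the trap pages are PAGE_GUARD pages is an assumption (the thread only says touching them crashed the client), which is why the classification refuses guard pages and every non-readable protection alike. Obtaining the process handle (OpenProcess with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ) is not shown.

```python
import sys
from dataclasses import dataclass

# Values from winnt.h
MEM_COMMIT, MEM_RESERVE, MEM_FREE = 0x1000, 0x2000, 0x10000
PAGE_NOACCESS, PAGE_READONLY, PAGE_READWRITE, PAGE_WRITECOPY = 0x01, 0x02, 0x04, 0x08
PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x20, 0x40, 0x80
PAGE_GUARD = 0x100
# Base protections that allow a plain read (PAGE_NOACCESS and PAGE_EXECUTE alone do not)
READABLE = {PAGE_READONLY, PAGE_READWRITE, PAGE_WRITECOPY,
            PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}


@dataclass(frozen=True)
class Region:
    base: int
    size: int
    state: int    # MEM_COMMIT / MEM_RESERVE / MEM_FREE
    protect: int  # PAGE_* value, possibly OR'ed with PAGE_GUARD


def is_safe_to_read(r):
    """Committed, base protection readable, and not a guard page (assumed to be
    how the thread's 'trap pages' are built; touching one fires in the target)."""
    if r.state != MEM_COMMIT or r.protect & PAGE_GUARD:
        return False
    return (r.protect & 0xFF) in READABLE


def plan_reads(regions, lo, hi):
    """Clip [lo, hi) to the safe regions; returns [(addr, length), ...]."""
    chunks = []
    for r in regions:
        start, end = max(r.base, lo), min(r.base + r.size, hi)
        if start < end and is_safe_to_read(r):
            chunks.append((start, end - start))
    return chunks


def scan(chunks, read_fn, needle):
    """Search each chunk for needle. read_fn(addr, length) returns bytes or None.
    None after a successful query means the region was freed or reprotected in
    between (zakkord's race): skip it and re-query, do not hammer the address."""
    hits = []
    for addr, length in chunks:
        data = read_fn(addr, length)
        if data is None:
            continue
        off = data.find(needle)
        while off != -1:
            hits.append(addr + off)
            off = data.find(needle, off + 1)
    return hits


# Constructed sample map (not from a real client): RW page, guard page,
# reserved range, committed no-access page, RX page, free space.
SAMPLE_REGIONS = [
    Region(0x10000, 0x1000, MEM_COMMIT, PAGE_READWRITE),
    Region(0x11000, 0x1000, MEM_COMMIT, PAGE_READWRITE | PAGE_GUARD),
    Region(0x12000, 0x2000, MEM_RESERVE, 0),
    Region(0x14000, 0x1000, MEM_COMMIT, PAGE_NOACCESS),
    Region(0x15000, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READ),
    Region(0x16000, 0x10000, MEM_FREE, PAGE_NOACCESS),
]


def sample_read(addr, length):
    """Constructed stand-in for ReadProcessMemory: the RW page holds a marker at
    +0x100; the RX page 'went away' between query and read, so the read fails."""
    if addr == 0x10800:
        body = b"\x00" * 0x100 + b"WOWT"
        return (body + b"\x00" * length)[:length]
    return None


if sys.platform == "win32":  # real wrappers; only defined on Windows
    import ctypes
    from ctypes import wintypes

    class MEMORY_BASIC_INFORMATION(ctypes.Structure):
        # c_size_t's natural alignment reproduces the x64 padding after AllocationProtect
        _fields_ = [("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p),
                    ("AllocationProtect", wintypes.DWORD), ("RegionSize", ctypes.c_size_t),
                    ("State", wintypes.DWORD), ("Protect", wintypes.DWORD), ("Type", wintypes.DWORD)]

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.VirtualQueryEx.argtypes = [wintypes.HANDLE, wintypes.LPCVOID,
                                   ctypes.POINTER(MEMORY_BASIC_INFORMATION), ctypes.c_size_t]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    k32.ReadProcessMemory.argtypes = [wintypes.HANDLE, wintypes.LPCVOID, wintypes.LPVOID,
                                      ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    k32.ReadProcessMemory.restype = wintypes.BOOL

    def query_regions(handle, lo, hi):
        """Walk [lo, hi) with VirtualQueryEx and yield one Region per result."""
        mbi, addr = MEMORY_BASIC_INFORMATION(), lo
        while addr < hi and k32.VirtualQueryEx(handle, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
            base = mbi.BaseAddress or 0
            yield Region(base, mbi.RegionSize, mbi.State, mbi.Protect)
            addr = base + mbi.RegionSize

    def rpm(handle, addr, length):
        """ReadProcessMemory returning the bytes actually copied, or None on failure."""
        buf, got = ctypes.create_string_buffer(length), ctypes.c_size_t(0)
        if not k32.ReadProcessMemory(handle, addr, buf, length, ctypes.byref(got)):
            return None
        return buf.raw[:got.value]
```

On Windows the live pipeline is `scan(plan_reads(list(query_regions(h, lo, hi)), lo, hi), lambda a, n: rpm(h, a, n), needle)`; offline, `scan(plan_reads(SAMPLE_REGIONS, 0x10800, 0x15800), sample_read, b"WOWT")` returns the single hit at 0x10900 and silently drops the RX chunk whose read failed. The check does exactly what Torpedoes asks for and no more: it avoids pages that were visibly dangerous at query time. zakkord's point stands, since a page freed or reprotected between VirtualQueryEx and ReadProcessMemory is still reached, which is why a failed read is treated as "re-query" rather than "retry", and why the thread treats suspending the client's threads as viable only for a one-off dump.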

----------


## ShasVa

I wonder how reliasin is doing with his attempts to circumvent this obfuscation!?!?

----------


## Torpedoes

> I wonder how reliasin is doing with his attempts to circumvent this obfuscation!?!?


The guy's a pro, I'm sure he's already bypassed every protection Blizzard had. I just hope no one ends up getting banned :-P

----------


## Apoclypse

I am surprised it took Blizzard this long to implement something like this. Could this also complicate future private server development?

----------


## Torpedoes

> I am surprised it took Blizzard this long to implement something like this. Could this also complicate future private server development?


Yes, see my response here.

----------


## doityourself

> I am surprised it took Blizzard this long to implement something like this. Could this also complicate future private server development?


It's really not that complicated atm. I think the move from in file patching to in memory patching works fine. At least for my sandbox^^

----------


## reliasn

> I wonder how reliasn is doing with his attempts to circumvent this obfuscation!?!?


Progressing well, but some features in EWT will stop working on 7.3, such as the "No memory write Lua Unlocker" available in the Background Mode. Getting EWT to work with 7.3 has proven to be easy so far, but bypassing all the protection that has been added is another story, since it's hard to find all the detection code that could have been added.




> The guy's a pro, I'm sure he's already bypassed every protection Blizzard had. I just hope no one ends up getting banned :-P


Thanks, but don't get other people's expectations too high especially in times like this  :Stick Out Tongue:  I may know "some" stuff, but all these recent protections in WoW are something new for me so I'm learning a lot from it. Better put your bets on those guys at other game hacking websites who already developed many tools to bypass Overwatch's protection  :Big Grin:

----------


## ShasVa

> Progressing well, but some features in EWT will stop working on 7.3, such as the "No memory write Lua Unlocker" available in the Background Mode. Getting EWT to work with 7.3 has proven to be easy so far, but bypassing all the protection that has been added is another story, since it's hard to find all the detection code that could have been added.


As long as EWT can still allow addons like BadRotations to do their thing, then I *personally* do not care what you have to leave out.

----------


## Utimpro

I bring to your attention WowT.exe / x32 platform. The file is not working; this version is not for launching, but only for analysis in IDA. Here the obfuscation is removed.
File version is 7.3.0.24781.
The import table and reloc table are not complete.
Download WowT.exe x32 platform.exe from Sendspace.com - send big files the easy way
I await your comments.

----------


## Ehnoah

> Progressing well, but some features in EWT will stop working on 7.3, such as the "No memory write Lua Unlocker" available in the Background Mode. Getting EWT to work with 7.3 has proven to be easy so far, but bypassing all the protection that has been added is another story, since it's hard to find all the detection code that could have been added.
> 
> 
> 
> Thanks, but don't get other people's expectations too high especially in times like this  I may know "some" stuff, but all these recent protections in WoW are something new for me so I'm learning a lot from it. Better put your bets on those guys at other game hacking websites who already developed many tools to bypass Overwatch's protection




You will hopefully still allow the network features  :Smile:  It is just fun to play with network packets

----------


## Torpedoes

So StarCraft Remastered came out today, even that game is obfuscated  :Stick Out Tongue:  So yeah, they have a general-purpose packer now.

----------


## jh16

Okay so I've been doing direct edits to the exe itself to allow custom data to be used. The way I've been finding the locations of the edits is through IDA Pro then editing within a hex editor. Since this was introduced, IDA Pro spits out useless stuff. Anyone have any suggestions? It would be very much appreciated.

----------


## danwins

To do that you would need to unpack, edit and repack the exe. Instead, you'll need to do whatever you were doing before but patch memory at run-time.

----------


## lolp1

> Progressing well, but some features in EWT will stop working on 7.3, such as the "No memory write Lua Unlocker" available in the Background Mode. Getting EWT to work with 7.3 has proven to be easy so far, but bypassing all the protection that has been added is another story, since it's hard to find all the detection code that could have been added.
> 
> 
> 
> Thanks, but don't get other people's expectations too high especially in times like this  I may know "some" stuff, but all these recent protections in WoW are something new for me so I'm learning a lot from it. Better put your bets on those guys at other game hacking websites who already developed many tools to bypass Overwatch's protection


It's not as bad as you think. It really is standard practice and there is well documented guidance to get by this sort of stuff. It's really just the same process as reversing malware that attempts to hide itself. It is scary when it's new, the same as learning the basics of game hacking was. When you dive a bit into it, it is not so bad.

----------


## ShasVa

No offence to reliasin, but I'm currently exploring other avenues. I tried playing with a multi-button mouse but it isn't the same. With apps like this I don't have to worry about or monitor so much. Hence I used them and will continue to do so until WoW is no longer profitable for Blizzard.

----------


## rail3r85

> The obfuscation is not on live, ptr or beta macOS client!!!


I believe Soap on this rather than anyone else on OwnedCore. He's the one who has the only working macOS rotation bot available, so if he says obfuscation is live on macOS then it is live on macOS.

Going to be interesting times to see if people can quickly go around the detection methods on 7.3.

----------


## Torpedoes

Yep, they just confirmed *Aug 29th* for the patch. Get all your hacking in now before most of that stuff goes away

----------


## aeo

> Yep, they just confirmed *Aug 29th* for the patch. Get all your hacking in now before most of that stuff goes away


How much research have you actually put into the PTR in its current state? I'm just curious as to where you get this doomsday mentality from. The current PTR (24887) isn't even flagged for release yet, so there's no reliable proof these are even being implemented. Although it's probably a safe assumption that they will be. I'm curious as to which of these changes is so concerning to you that you feel it is the end of all WoW applications?

----------


## WiNiFiX

The poor Americans they can only bot till the 29th, we get 1 bonus day  :Smile:

----------


## charles420

Most of the passive bots will remain fine from a quick glance at it

----------


## Torpedoes

> How much research have you actually put into the PTR in its current state? I'm just curious as to where you get this doomsday mentality from. The current PTR (24887) isn't even flagged for release yet, so there's no reliable proof these are even being implemented. Although it's probably a safe assumption that they will be. I'm curious as to which of these changes is so concerning to you that you feel it is the end of all WoW applications?


I've seen enough to have a strong suspicion that the current implementation of hacks (mainly hacks) including Lua unlockers are going away for good. That being said, I don't think it'll affect traditional bots or external tools but the internal guys might have to step up their game. I just think patching functions and DirectX hooks are going away which a lot of people really like for some reason.

/tar Doomsayer Torpedoes
Would you like a pamphlet?

----------


## GHT

> I've seen enough to have a strong suspicion that the current implementation of hacks (mainly hacks) including Lua unlockers are going away for good. That being said, I don't think it'll affect traditional bots or external tools but the internal guys might have to step up their game. I just think patching functions and DirectX hooks are going away which a lot of people really like for some reason.
> 
> /tar Doomsayer Torpedoes
> Would you like a pamphlet?


I tested on the PTR and I can do everything I already could on Live with the exception of "live debugging".

----------


## DarkLinux

> Most of the passive bots will remain fine from a quick glance at it


Most external/passive bots will be detected. Just take a look at the overwatch section...




> I've seen enough to have a strong suspicion that the current implementation of hacks (mainly hacks) including Lua unlockers are going away for good.


It's still really easy to unlock lua, even most hacks can be updated. Things like registering new lua functions are a little more work. The question is, was it really the method that stopped them from detecting unlockers, or do they not really care?

But who knows, they could be just applying a generic protection to all games. And in the end it's just an extension of Warden (aka little to no updates). Will be interesting to see if they are going to go for the little guys and not just bots like HB.

----------


## lolp1

> *I've seen enough to have a strong suspicion that the current implementation of hacks (mainly hacks) including Lua unlockers are going away for good.* That being said, I don't think it'll affect traditional bots or external tools but the internal guys might have to step up their game. I just think patching functions and DirectX hooks are going away which a lot of people really like for some reason.
> 
> /tar Doomsayer Torpedoes
> Would you like a pamphlet?


Really? Because I'd like to hear what that is. We discussed this in detail on Skype and I provided plenty of evidence this is not a big deal. In fact, I see zero indication or evidence any of what you said is true even in the least extreme interpretation of your words. What is it you have seen that convinced you of this?

----------


## ShasVa

I just need something that will perform my rotation for me, as close to what BadRotations currently can. I'm still testing various avenues to determine which is the best one for me.

----------


## Torpedoes

> What is it you have seen that convinced you of this?


It mainly comes down to two things: Memory mapped protection and an inability to spawn threads. I don't believe patching functions is safe anymore as you have to forcefully modify the .text section protections. After you successfully map/unmap regions, they'll probably see that and flag you. Next, for injecting your code, you have to spawn a thread. I've seen some weirdness where, even if you freeze the game's threads, the game replaces your spawned-thread entry point code with a retn making your spawned thread return instantly. Trying to write-protect that memory will result in a client crash.

But either way, I'm mainly speculating here. I just really don't want people (like you) to end up making the same mistake I made in Overwatch and get banned day one. You may think you bypassed their protections, but then you wake up with an HWID ban. I don't think it's going to be that severe, given that it's part of their build pipeline now, but I also wouldn't underestimate Blizzard. I'm probably gonna give it a few weeks to see what ends up happening before doing a deep dive again.

----------


## lolp1

> It mainly comes down to two things: Memory mapped protection and an inability to spawn threads. I don't believe patching functions is safe anymore as you have to forcefully modify the .text section protections. After you successfully map/unmap regions, they'll probably see that and flag you. Next, for injecting your code, you have to spawn a thread. I've seen some weirdness where, even if you freeze the game's threads, the game replaces your spawned-thread entry point code with a retn making your spawned thread return instantly. Trying to write-protect that memory will result in a client crash.
> 
> But either way, I'm mainly speculating here. I just really don't want people (like you) to end up making the same mistake I made in Overwatch and get banned day one. You may think you bypassed their protections, but then you wake up with an HWID ban. I don't think it's going to be that severe, given that it's part of their build pipeline now, but I also wouldn't underestimate Blizzard. I'm probably gonna give it a few weeks to see what ends up happening before doing a deep dive again.


I can and always have been able to inject DLLs into the Overwatch process space with zero issues at all. Where the myth came from that somehow Overwatch does not allow you to inject any random DLL into its process space I have no clue, nor do they ban for a harmless DLL being loaded. You can do it, and it will not get you banned. How you got banned I cannot say, but I have injected lots of DLLs into Overwatch without issue many times. The need to remap the process is riskier, but there exist workaround(s) to the issue.

That is assuming you need to remap at all; you can have a strong framework with no patches. At the very least, not everything implodes as a result of this.

----------


## ShasVa

Is EWT done for then? If so then whomever is behind BadRotations should just stop. When 7.3 arrives neither will work anymore. Like **** I'm gonna go back to boring, useless manual control.

----------


## DarkLinux

> Is EWT done for then? If so then whomever is behind BadRotations should just stop. When 7.3 arrives neither will work anymore. Like **** I'm gonna go back to boring, useless manual control.


This is not a EWT support thread, ask reliasn.

----------


## WiNiFiX

Figured this was the most suitable location for this EULA Changes

Saved diff S06Rd7um - Diff Checker

----------


## Torpedoes

> Figured this was the most suitable location for this EULA Changes
> 
> Saved diff RCmwj9NR - Diff Checker


It's interesting that they explicitly mention out of process now. Did they not look at out of process in the past?

----------


## WiNiFiX

> It's interesting that they explicitly mention out of process now. Did they not look at out of process in the past?


Not that I saw
Blizzard Entertainment:Battle.net(R) end user License Agreement
or 
Blizzard Entertainment:Battle.net(R) end user License Agreement

----------


## WiNiFiX

This is a full comparison of the EULAs

Saved diff NX3Hte3Q - Diff Checker

----------


## Torpedoes

> Not that I saw


In the new agreement diff, they added "out of process"

----------


## WiNiFiX

Yep, we're on the same page.
I was replying to your question "Did they not look at out of process in the past?"

----------


## Torpedoes

> Yep, we're on the same page.
> I was replying to your question "Did they not look at out of process in the past?"


Sorry mate, my bad.

----------


## ShasVa

Does this mean that the likes of Frozen and Type Omega are not as secure as once thought?

----------


## Owneth

> Does this mean that the likes of Frozen and Type Omega are not as secure as once thought?


Please elaborate?

----------


## _Mike

> Yep we on the same page
> I was replying to your question "Did they not look at out of process in the past?"


They used to, a long time ago. Then someone (Greg Hoglund I think?) was fishing for attention and rigged warden to read his emails and of course the press took the bait and started calling it spyware.
I guess Blizzard are hoping that the spybook generation have stopped caring about privacy this time.

----------


## highs

> Figured this was the most suitable location for this EULA Changes
> 
> Saved diff S06Rd7um - Diff Checker





> It's interesting that they explicitly mention out of process now. Did they not look at out of process in the past?


they said this a long time ago.

LAW > EULA

imo nothing new

----------


## ~Unknown~

> They used to, a long time ago. Then someone (Greg Hoglund I think?) was fishing for attention and rigged warden to read his emails and of course the press took the bait and started calling it spyware.
> I guess Blizzard are hoping that the spybook generation have stopped caring about privacy this time.


wow that's a name I haven't heard in a long time. Probably not since the sticky in these forums about the software he wrote called the "Governor". Ah, this thread makes me feel old. I guess I'm glad I got out before Blizzard starting making it harder for people on this forum  :Big Grin:

----------


## XtremImprsv

So while waiting for EU to go to 7.3, I was trying to update my AH bot with the latest offsets on US and didn't manage to do the usual offset / pointer scan using Cheat Engine; the game keeps crashing every few scans.

Is there still a way to do it "the old way" and get the debugging to not crash the game, or will it be easier to simply switch to pixel detection / whatever?

----------


## Torpedoes

> The game keeps crashing every few scans


Remember those trap pages? They're real :-P

I haven't tried this myself yet but it looks promising.

Please be careful with the client, mistakes like these can and will result in a ban, perhaps even an HWID ban like in Overwatch!




> Is there still a way to do it "the old way" and get the debugging to not crash the game or will it be easier to simply switch to Pixel detection / whatever?


I can't recall if people had too much success with debugging. Maybe see what people have done in Overwatch/SC2?

----------


## XtremImprsv

Thanks for the link! I'm doing it on a trial account from a "throw-away" laptop which has already updated to US, so I'm not really worrying about the suspension/ban part of things for now ^^

----------


## Torpedoes

> Thanks for the link ! I'm doing it on a trial account from a "throw-away" laptop who already updated to US, not really worrying on the suspension/ban part of things for now ^^


Good man! Please let me know if that plugin worked once you've had a chance to try it out.

----------


## olilo1

> Pixel-based and external rotation bots are probably fine. In fact, I'd be surprised if any external tools are affected by this. But anything internal or requiring function patching such as Lua unlocking is probably over. There are ways around it and I'm sure the machinima folks will figure it out but in terms of safety, I don't think we'll be seeing anything anytime soon.


AutoHotKey stopped interfacing with WoW during PTR. My homemade rotation bot stopped working.

----------


## XtremImprsv

> AutoHotKey stopped interfacing with WoW during PTR. My homemade rotation bot stopped working.


As in "Can't read pixel anymore with AutoHotKey" or as in "Can't send keyboard / mouse input" anymore ?

----------


## olilo1

Can't send keyboard input anymore.
There's probably a way around it, but I haven't found it yet.

Simple script to try for yourselves: #ifWinActive World of Warcraft $2:: While GetKeyState("2","P") { - Pastebin.com
It spams 2, when you press it.

----------


## wrah

Maybe I am a bit stupid, but why can't you do a bot using only mouse and eyes (OCR)? I think such a thing would be pretty stealthy, doing only what a player can do, not touching RAM, exe, anything.

----------


## Torpedoes

> Can't send keyboard input anymore.


Are you using PostMessage or SendInput? If SendInput stopped working then it's time to dust this off. But I'm skeptical because they tried disabling it in Overwatch and reversed it after everyone's shitty keyboards and mice stopped working. Worst case, Arduinos will be back on the menu.

----------


## DarkLinux

It does not look like they are dropping injected input, a quick test is to use windows onscreen keyboard. 

@olilo1 did you even check to see if 



```
#ifWinActive World of Warcraft
```

failed?

----------


## WiNiFiX

> Can't send keyboard input anymore.
> There's probably a way around it, but I haven't found it yet.
> 
> Simple script to try for yourselves: #ifWinActive World of Warcraft $2:: While GetKeyState("2","P") { - Pastebin.com
> It spams 2, when you press it.


Have you tried with the latest alpha re-write in .NET of AHK?
IronAHK (alpha): cross platform .NET rewrite of AutoHotkey - Scripts and Functions - AutoHotkey Community

----------


## SerenityWOW

Hmm, my AHK button smashing script is still working on 7.3 (like the one you posted)

----------


## BlackRainBow

> Can't send keyboard input anymore.


Maybe this? Raw Input (Windows)
Even without a hook and an LLKHF_INJECTED check, it's possible to drop fake SendInputs, because they don't have a device handle in RAWINPUTHEADER.

Mouse SendInput, for example, is simply detected via GetAsyncKeyState:



```
// P/Invoke declaration the snippet relies on (assumed; not shown in the post)
[DllImport("user32.dll")]
static extern short GetAsyncKeyState(int vKey);

var d = GetAsyncKeyState(mouseKey) & 1; // low bit: key was pressed since the last call
if (d == 0)
    MessageBox.Show("FAKE");
else
    MessageBox.Show("REAL");
```

----------


## olilo1

Hey guys. Thanks for your suggestions.

I live in Europe and the patch didn't hit before today. But *it works* after all! But it did not work during PTR.
I started a thread asking if anyone else had the problem on PTR, so I assumed the worst:

[Question] AutoHotKey stopped in 7.3?

----------


## noctural

So, say I injected before. Now, is it a solid strategy to run wow, dump memory to disk, scan for disk image for offsets, then inject using those offsets?

----------


## CatsNimo

The Release build removed this obfuscation. The WoW binary is back to normal.

I assume this means they're still testing it and aren't ready for it to go Live yet.

----------


## Torpedoes

> The Release build removed this obfuscation. The WoW binary is back to normal.
> 
> I assume this means they're still testing it and aren't ready for it to go Live yet.


Are you sure? It's still garbled for me (7.3.0.24931).

----------


## CatsNimo

> Are you sure? It's still garbled for me (7.3.0.24931).


Ah, you're correct. My bad. I just saw the file size drop from PTR to Release and assumed it had gone away. It's the same as PTR though; Live Windows is obfuscated and Live Mac is not.

Interesting side note; Blizzard just released a 7.2.5 build on their Beta branch without the obfuscation, presumably since it's branched away.

----------


## air999

> Live Windows is obfuscated and Live Mac is not.


Now is good time to move into Mac World  :Smile:

----------


## Torpedoes

> Now is good time to move into Mac World


Shameless plug but both robot and robot-js support mac :-D

----------


## Sariam1992

> Maybe this? Raw Input (Windows)
> Even without a hook and an LLKHF_INJECTED check, it's possible to drop fake SendInputs, because they don't have a device handle in RAWINPUTHEADER.
> 
> Mouse SendInput, for example, is simply detected via GetAsyncKeyState:
> 
> 
> 
> ```
> var d = GetAsyncKeyState(mouseKey) & 1;
> ...



Sorry, I've read the whole thread and I'm a bit confused by the virtual key input. Does that mean it could be detected now, making pixel bots like Chimpeon a lot more likely to be hit?

----------


## olilo1

> Sorry, I've read the whole thread and I'm a bit confused by the virtual key input. Does that mean it could be detected now, making pixel bots like Chimpeon a lot more likely to be hit?


No. It's my fault for the confusion. Pixel bots are still good.

The PTR client didn't accept inputs from autohotkey, but retail client does. No idea why though.

----------


## Sariam1992

Thanks for the reply mate  :Smile:

----------


## Stonerage

> It's interesting that they explicitly mention out of process now. Did they not look at out of process in the past?


So, from the previous it just checked for software running alongside the game, which sounds logical and memory efficient. So I brainstormed and then came to the conclusion that I should deob and decrypt their Android apps and see if it yields any interesting results in how they monitor memory on Android.

But staying OT.
What are they referring to by out-of-process?
I can only assume they're referring to out of process as in out-of-process. 

Seeing as they've renamed from "Game" to "The platform" for most of it, but not in that specific context. Are they referring to the battle.net app? Are they planning on monitoring in how programs run at the same time as the battle.net app? This sounds the most logical to me, would allow them to see if a piece of software is launched/exited along side any of their games and especially seeing as they've added "Mobile Device" to the list. Perhaps they're trying to target their entire branch? After all the only thing you could possibly do on the mobile app would be to bot follower missions.

----------


## Torpedoes

> So, from the previous it just checked for software running alongside the game, which sounds logical and memory efficient. So I brainstormed and then came to the conclusion that I should deob and decrypt their Android apps and see if it yields any interesting results in how they monitor memory on Android.
> 
> But staying OT.
> What are they referring to by out-of-process?
> I can only assume they're referring to out of process as in out-of-process. 
> 
> Seeing as they've renamed from "Game" to "The platform" for most of it, but not in that specific context. Are they referring to the battle.net app? Are they planning on monitoring in how programs run at the same time as the battle.net app? This sounds the most logical to me, would allow them to see if a piece of software is launched/exited along side any of their games and especially seeing as they've added "Mobile Device" to the list. Perhaps they're trying to target their entire branch? After all the only thing you could possibly do on the mobile app would be to bot follower missions.


I have a prediction. Very soon (maybe even as soon as October as that's when they're planning on dropping XP), we'll see the Battle.net app include other components related to anti-cheating. I would go so far as to say they'll start doing what every other anti-cheat system has done for a while now, kernel hooks. So you wanna play Blizzard games? install an EAC style anti-cheat. Perhaps this is their response to Windows Containers coming in the future. So perhaps it's time to brush up on your kernel skills, or just get a Mac :-P

----------


## WiNiFiX

> maybe even as soon as October as that's when they're planning on dropping XP


Where did you see this? I can't see dates specified anywhere.

----------


## Zazazu

> I have a prediction. Very soon ...


I'm more confused by the fact that Blizzard makes it clear that it is watching over you and is perfectly aware of what you are running and what exactly is attached to WoW.

I have a prediction. Banwave is coming (c)  :Cool: ....

----------


## Torpedoes

> Where did you see this? I can't see dates specified anywhere.


Here you go.




> I have a prediction. Banwave is coming


Banwave is always coming :-P

You either stop playing early, or you play long enough to see yourself getting banned.

----------


## lululalaland

So ... it seems that since 7.3 has been out there haven't been any SIG-removed wow.exe released. I assume there are some problems ... just like with tmorph, since journey hasn't yet decided whether to update it or not for safety reasons.
However I can't play the game like that. I hate the animations; I just need my mods to actually not hate the gameplay of Legion so much.
Guess I will have to go back to playing on private servers... well, it was fun while it lasted, but Blizzard just has to kill everything for me.

----------


## GHT

Has anyone else experienced this error and found a work around yet?



```
The instruction at "0x0000000000000000" referenced memory at "0x0000000000000000".
```

From my research, it only happens while in the world. I had my tools injected for 12 hours at login without issues.

----------


## MrNoble

> Has anyone else experienced this error and found a work around yet?
> 
> 
> 
> ```
> The instruction at "0x0000000000000000" referenced memory at "0x0000000000000000".
> ```
> 
> From my research, it only happens while in the world. I had my tools injected for 12 hours at login without issues.


Ye, I also found that out.

When I get to the login screen and wait 20 min, I enter the world and get crashed instantly.
When I log in and enter the world, I get a crash after x amount of time.

----------


## GHT

> Ye, I also found that out.
> 
> When I get to the login screen and wait 20 min, I enter the world and get crashed instantly.
> When I log in and enter the world, I get a crash after x amount of time.


Are you hooking anything? It only happens when I hook, it seems.

----------


## doityourself

> Are you hooking anything? It only happens when I hook, it seems.


The 32bit WoW gives you much more crashes while working with it. I fully switched to 64bit now and have no crashes atm. 

To what are you guys remapping? 0x40? 0x80? You should use 0x80 if you remap it.

For example hooking the send/recv functions works fine. Injecting and calling functions also works without remapping.

But sometimes I also get a 'The instruction at "0x0000000000000000" referenced memory at "0x0000000000000000".' crash just while playing^^

// edit: my state from last week^^

----------


## WiNiFiX

So Torpedoes, not really sure where to ask this question as your posts are locked, but what's the next game on your hacking radar, now that Blizzard made you run?
I guess this is the right place as it is this reason you stopped distributing your bots.

----------


## DarkLinux

Thinking about releasing a lib that will retrieve encrypted values for external programs. Currently, I have the local player pointer working. What else is encrypted? 




> Position is encrypted, the following function decrypts it (x86)
> 
> 
> ```
> 55 8B EC 56 8B 75 08 51 F3 0F 10 06 F3 0F 59 05 ?? ?? ?? ?? F3 0F
> ```


The player position does not look encrypted (0x124 -> 0x1C).

----------


## GHT

> Thinking about releasing a lib that will retrieve encrypted values for external programs. Currently, I have the local player pointer working. What else is encrypted? 
> 
> 
> 
> The player position does not look encrypted (0x124 -> 0x1C).


Quite sure he means CTM Position.

----------


## DarkLinux

Does anyone have a sig or offset for the current click to move function? I will also add that.

----------


## MrNoble

> Are you hooking anything? It only happens when I hook, it seems.


Nothing was hooked to it, i just get random crashes.

----------


## Wildbreath

I have some offsets, and all those offsets are valid for a dumped memory map, but when I try to find them in game memory it fails (in the process range).
None are found, but they are always found in IDA.

What am I doing wrong, and how do I do it now?


```
// Wrapper signature is assumed: the post shows only the loop body, so the
// undeclared names (index, len, baseAddress, moduleSize, signature, mask) are
// taken as parameters/locals here. Requires an unsafe context for *(byte*)x.
static unsafe uint FindPattern(byte[] signature, string mask, uint baseAddress, uint moduleSize, bool len)
{
    IntPtr currentAddr = IntPtr.Zero;
    uint Max = 0;        // highest region start seen so far; used to detect address wraparound
    int index = 0;       // how many pattern bytes have matched so far
    uint old = 0;
    NativeMethods.MEMORY_BASIC_INFORMATION mbi;

    while (true)
    {
        // Walk the address space one region at a time
        NativeMethods.VirtualQuery(ref currentAddr, out mbi, (IntPtr)sizeof(NativeMethods.MEMORY_BASIC_INFORMATION));

        // 0x40 = PAGE_EXECUTE_READWRITE. If this call fails, the whole region is
        // skipped without being searched (and the restore below is skipped too).
        if (NativeMethods.VirtualProtect(currentAddr, mbi.RegionSize, 0x40, out old))
        {
            if ((uint)currentAddr < Max)
                return 0;    // address wrapped around: end of address space
            else
                Max = (uint)currentAddr;

            for (int x = (int)currentAddr; x < ((uint)currentAddr + (uint)mbi.RegionSize); x++)
            {
                if (*(byte*)x == signature[index] || mask[index] == '?')
                {
                    index++;
                }
                else
                {
                    // Mismatch after a partial match: resume one byte after the
                    // position where that partial match began, otherwise overlapping
                    // prefixes (e.g. "55 8b 55 8b ec") are never found.
                    x -= index;
                    index = 0;
                }

                if (index >= signature.Length)
                    return (uint)(x - signature.Length + 1);   // start of the match
            }

            // Put the original protection back only if we actually changed it
            NativeMethods.VirtualProtect(currentAddr, mbi.RegionSize, old, out old);
        }

        currentAddr = (IntPtr)(currentAddr.ToInt32() + mbi.RegionSize.ToInt32());

        // Optional bound: stop at the end of the module when a range was given
        if (len && ((uint)currentAddr >= (baseAddress + moduleSize)))
            return 0;
    }
}
```

The offsets are (x86):

```
CGGameUI__EnterWorld = "55 8b ec a0 ? ? ? ? 83 ec ? a8 ? 0f 85 ? ? ? ? 0c ? 53 a2"
lua_pushstring = "55 8b ec 83 7d 0c 00 75 ? ff 75 08 e8"
lua_pushnumber = "55 8b ec ? ? ? ? ? ? ? ? f2 0f 10 45 0c 8b 4a"
lua_pushboolean = "55 8b ec 8b 55 08 a1 ? ? ? ? 8b 4a 0c 89 41 0c 33 c0 39"
CGWorldFrame__Intersect = "55 8b ec 56 8b 75 0c 57 8b 7d 08 51 f3 0f 10 46 04 f3 0f 10 16"
InvalidPtrCheck = "55 8b ec 83 ec ? b8 ? ? ? ? 56 66 89 45 fc 33 f6 f7 c3 ? ? ? ? 73 ? c6 c1 ? 80 eb ? 81", 0x2f
FrameScript_RegisterFunction = "55 8b ec ? ? ? ? ? ? ? 6a ? ff 75 0c ? e8 ? ? ? ? ff 75"
FrameScript_UnregisterFunction = "55 8b ec ? ? ? ? ? ? ? 56 e8 ? ? ? ? ff 75 08 56 e8"
FrameScript_ExecuteBuffer = "55 8b ec ff ? ? ? ? ? ? ? ? ? ? ? ? ? ? 8b 3d ? ? ? ? 6a ? 5b 74 ? 39"
lua_tolstring = "55 8b ec 56 ff 75 0c 8b 75 08 56 e8 ? ? ? ? 59 59 8b c8 83 79 08 04 74"
GetGuidByKeyword = "55 8b ec 83 ec ? 53 56 57 e8 ? ? ? ? 8b 4d 08 89 45 f8 85 c9 0f 84"
CGGameUI__Idle = "55 8b ec 81 ec ? ? ? ? 33 c9 c7 45 f0 a5 62 1e 20 41 7e ? 8a db 7f ? c6 c1", 0x154
ClntObjMgrObjectPtr = "55 8b ec 83 ec ? 83 3d ? ? ? ? ? 57 75 ? 33 c0 5f 8b e5 5d c3 53 56 ff 75 08"
ClntObjMgrEnumVisibleObjects = "55 8b ec 53 56 57 8b 3d ? ? ? ? 33 db 43 8b b7 d8 00 00 00 56 e8 ? ? ? ? 59 33 c9 85 c0 0f 45 f1 56 e8 ? ? ? ? 59 85 c0 75 ? 85 f6"
GetUnitPosition = "55 8B EC 8B 89 ? ? ? ? 8D 41"
TerrainClick = "55 8b ec 83 ec ? 56 8b 75 08 6a ? 56 e8 ? ? ? ? 59 59 85 c0 74 ? e8 ? ? ? ? 8b f0 85 f6"
CPlayerC_ClickToMove = "55 8b ec 83 ec ? 53 56 6a ? 6a ? 8b d9 e8 ? ? ? ? ff 75 10 8b 75"
CanPerformAction = "55 8b ec 83 3d ? ? ? ? ? ? ? ? ? ? ? ? ? ? 77"
```

----------


## Torpedoes

> So Torpedoes, not really sure where to ask this question as your posts are locked, but whats the next game on your hacking radar, now that Blizzard made you run? I guess this is the right place as it is this reason you stopped distributing your bots.


A big reason for me stopping is my lack of interest in developing this type of software and maintaining it; as I've no doubt expressed through my lack of updates these past two years. By getting out now, I get to leave on a high note and open up a path for new developers looking to create something similar. I was always more interested in researching and coming up with new reverse-engineering techniques, which I will continue through my various other projects. Whether people choose to apply that knowledge to Blizzard games is up to them, just know that I prefer to write software for developers rather than end-users.

----------


## ostapus

The problem is in your NativeMethods.VirtualProtect((IntPtr)currentAddr, mbi.RegionSize, 0x40, out old) call. I don't know why you need to change protection for a simple search; however,
0x40 corresponds to PAGE_EXECUTE_READWRITE, and it won't work anymore. You can try changing to 0x80 (PAGE_EXECUTE_WRITECOPY), which is supposed to work, but... it doesn't work either in my testing.

So basically, because the first VirtualProtect fails, the block that does the search is not executed.

----------


## oDev

Did the whole "trap pages" thing ever get implemented into wow? Seems pretty spooky

----------


## Greyman

I'm quite frankly astounded that it took them this long. I elevated my injection/hook code to the kernel long, long ago and have still managed to remain undetected. Paranoia works!

----------

