Blizzhackers

 Post subject: Automated User Input Detection - SendKeys, PostMessage, Etc
PostPosted: Sat Aug 05, 2017 11:33 pm 
 
User | Joined: Tue Aug 31, 2004 11:39 pm | Location: WI
Apologies if this info is readily available somewhere.. I did the ol' blizzhackers.cc google search and found quite a few threads...but nothing particularly recent and it seemed like a lot of back and forth on this issue even 10 years ago. lol

What's the general consensus these days on the detectability / likelihood of a ban for using various common user input APIs on the D2 process?

A few weeks ago I started playing D2 again. Fun trip down memory lane... 😄 But now I have an account full of mules, all are basically full of items, and none of the mules have been permed yet haha. So I was thinking I'd like to automate this process a bit if possible. Using some random mule perming script with a publicly available bot seems pretty risky imo. Like there's a good chance Blizzard would / could have the bot and really easily have Warden specifically detect it.

So I think it makes sense to just write my own in this case. Obviously nothing fancy. I just want this thing to automatically log in with one of my mules for a couple hours, shuffle around in a game for awhile, then exit, repeat the process with the next mule sometime later that day or maybe the next day, and stop once all of the mules are permanent.

To help ensure this looks human - mouse clicks are fairly randomly placed, random-length delays are used between key presses / mouse clicks to simulate human activity, etc.

But I'm using the SendKeys and PostMessage APIs. I know Warden can in theory hook those API calls to detect their use. But is there any evidence that they ever have? How are the current bots of 2017 handling user input? Packets? These APIs? Something else altogether? I literally haven't used a bot in D2 since JED so I'm a little out of touch. 😂

Any thoughts on this would be much appreciated!

 Post subject: Re: Automated User Input Detection - SendKeys, PostMessage,
PostPosted: Sun Aug 06, 2017 12:02 am 
 
User | Joined: Mon Aug 09, 2010 12:37 am | Location: /home/loser/.local/share/Trash/
viewtopic.php?f=182&t=545043
I made an account refresh script; it logs into as many accounts as you want with random clicks and delays.

When I have some time I'll make a perming feature.

 Post subject: Re: Automated User Input Detection - SendKeys, PostMessage,
PostPosted: Sun Aug 06, 2017 12:45 am 
 
User | Joined: Tue Aug 31, 2004 11:39 pm | Location: WI
Appreciate the help!

Buuuut I'm really not trying to use AutoIt for this task. Maybe I'm being overly paranoid but that seems super easy for Blizzard to detect since all they would have to do is look for an AutoIt process running in memory. By writing this myself, I'm at least attempting to obscure my automation. haha

 Post subject: Re: Automated User Input Detection - SendKeys, PostMessage,
PostPosted: Sun Aug 06, 2017 1:34 am 
 
User | Joined: Thu Aug 04, 2005 1:12 am | Location: Australia
Who's to say the autoit process running has anything to do with diablo?

The current public bots of 2017 (made in 2007) use a mixture of those APIs, packets and game functions.

 Post subject: Re: Automated User Input Detection - SendKeys, PostMessage,
PostPosted: Sun Aug 06, 2017 7:36 am 
 
User | Joined: Tue Aug 31, 2004 11:39 pm | Location: WI
> Who's to say the autoit process running has anything to do with diablo?

True, however recently Blizzard has definitely become increasingly indiscriminate with their auto bans / mutes. Sometimes they realize it and reverse a significant number of bans, sometimes they shrug their shoulders and tell players to be more careful with how they play and even (literally) what they say.

It's probably safe to assume that 95%+ of the people simultaneously running the Diablo II process + an AutoIt process are doing something that breaches the D2 / Bnet ToS. It literally might even be 100%. So the odds are in their favor - they could ban everyone running AutoIt and then maaaaybe just take a deeper look into the accounts of those who contact support claiming they were falsely swept up in the banhammer. Or just leave them banned because fuck it...the game is 17 years old and the servers cost money. They would probably rather everyone stop playing the game already or at least repurchase it so they get some level of revenue again. lololol

> The current public bots of 2017 (made in 2007) use a mixture of those apis, packets and game functions

Good to know. So sticking with these APIs is probably my best bet here.

 Post subject: Re: Automated User Input Detection - SendKeys, PostMessage,
PostPosted: Mon Aug 07, 2017 12:23 am 
 
D2BS Dev | Joined: Sun Jun 22, 2008 7:00 pm
Right now there is no client-side detection, so you can pretty much do anything. However, if there were client-side detection, you could do a couple of things to increase robustness:
1) hook the client-side request, parse it, respond with clean data
2) hook the client at a higher privilege level than the detection

1 is pretty clear; you can look at implementations of Warden responses done by "motoko" and look at threads about "cguard" to learn more about it.
2 basically assumes that any sort of client-side detection would be limited to Blizzard scanning user-space processes and its own memory. You can inject your code into the network stack and write a network filter, for example, do some packet inspection and modify the packet stream to/from client/server; you can load a hack in privileged memory and trap into a kernel-mode driver call when you want your hack to do something. Another option would be to utilize the hypervisor functions of your computer (like Intel VT-x) and manipulate memory outside of the scope of when its page is loaded into userspace; you would basically need to "containerize" your D2 client in this case.

_________________
NipCheck -- An offline .nip checker
PhotoGrid Sharp -- An image collage maker with formatting features
d2bot# with kolbot -- For live support: irc://irc.synirc.net/d2bs

 Post subject: Re: Automated User Input Detection - SendKeys, PostMessage,
PostPosted: Mon Aug 07, 2017 3:25 am 
 
User | Joined: Tue Mar 01, 2005 8:31 pm
You lack a lot of understanding regarding Warden.

Warden has several scan types; Blizzard has never used the full potential of Warden in D2.

After Mousepad and Netter were shut down, Warden modules became far more docile because they only used modules for memory scanning and client validation. Maybe because they fired the original Warden guy or gave up on D2.

Crapguard would easily be owned by an IAT lookup. It was detected in WC3 and SC1, FYI.

A flight into kernel mode prevents you from using a lot of Windows API functions, which would be quite bad in his case.

When you still use the D2 functions you are still a target for Warden, e.g. stack traces, aka in short "What's that? Unknown? No access? Ban it". You need to do a lot more than just go into the kernel; hiding your code and fixing vulnerabilities are different things.

 Post subject: Re: Automated User Input Detection - SendKeys, PostMessage,
PostPosted: Mon Aug 07, 2017 5:28 am 
 
User | Joined: Tue Aug 31, 2004 11:39 pm | Location: WI
cGuard sounds neat but I'd be worried that if I didn't keep up with one minor change in how Warden responds, I would suddenly be an obvious ban when it starts responding incorrectly.

I wrote a proxy for D2 back in the day (and for WoW). It obviously doesn't work anymore as-is, but I was considering fixing it up and adding it to the backend of my bot to gather data. I probably wouldn't send/manip any packets with it except where absolutely necessary. Seems like a pretty easy route...and maybe easier to evade detection? Unless Warden checks to see what server the client is connected to, I think I'd be in the clear. For the most part..

 Post subject: Re: Automated User Input Detection - SendKeys, PostMessage,
PostPosted: Mon Aug 07, 2017 7:34 pm 
 
D2BS Dev | Joined: Sun Jun 22, 2008 7:00 pm
You lack a lot of understanding on how to read. I never mentioned cguard was a correct implementation, hence why I said you can look it up to read about it.
Warden scan types are useless; at the end of the day, unless Blizzard is at your door with a court-ordered mandate allowing them to view your memory "as is", it is useless.
The IAT can (and ofc should be) patched if you are going that route.
If you are in kernel mode, why would you be using Win API functions? It doesn't make any sense.
If you are using D2 functions in usermode, clean your stack frame and nothing out of the ordinary will be in the stack trace.

This is all super simple memory management 101.

@Alex-m, the client responses can't be changed unless there is a patch to the client code. The Warden request type can change, but the code to respond to it must already be in the client. You would need to keep it up to date with whatever the current patch is.

 Post subject: Re: Automated User Input Detection - SendKeys, PostMessage,
PostPosted: Mon Aug 07, 2017 8:07 pm 
 
User | Joined: Tue Mar 01, 2005 8:31 pm
The only thing he would find about the work of crapguard is a deleted posting by lord2800. Other stuff is just ass-kissing.
Also, I was talking about crapguard, which emptied the IAT, which is very easy to detect.

He wants to use WinAPI functions. The WDK isn't that user-friendly; you can't expect everybody to know more than the basics about drivers, and you have to do things differently. The driver code related to D2 you saw is just a proof of concept.

You realize a properly implemented stack trace knows the difference between garbage code and real addresses? A nulled dword is the same as having an invalid address. What you need to do is redirect.

Most stuff he will find here is as outdated as the idea of the governor.

He'd better look at newer concepts on mpgh or uc.

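As an added illustration, not code from this thread or from any tool it mentions, this is the kind of return-address validation an integrity checker runs over a walked stack: the distinction the post above draws between garbage (a nulled dword, an address in unmapped memory) and a real address inside a loaded module's code section. The module layout, section offsets and sample stack traces are constructed for the example and are not real Diablo II addresses.

```python
# Added example: validate return addresses from a captured stack trace against
# a loaded-module map. Module ranges and traces below are constructed
# (hypothetical 32-bit layout), not real game addresses.
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int
    text_off: int   # offset of the executable (.text) section within the image
    text_size: int  # size of that section

    def contains(self, addr: int) -> bool:
        """True if addr lies anywhere inside the mapped image."""
        return self.base <= addr < self.base + self.size

    def in_text(self, addr: int) -> bool:
        """True if addr lies inside the image's executable section."""
        start = self.base + self.text_off
        return start <= addr < start + self.text_size


# Constructed module map (assumed names and ranges, for illustration only).
MODULES = [
    Module("game.exe",     0x00400000, 0x00100000, 0x1000, 0x80000),
    Module("d2client.dll", 0x6FAB0000, 0x00100000, 0x1000, 0xC0000),
    Module("kernel32.dll", 0x7C800000, 0x000F0000, 0x1000, 0x90000),
]


def classify_return_address(addr: int, modules=MODULES) -> str:
    """Give a verdict for one return address taken from a walked stack."""
    if addr == 0:
        return "null"                      # nulled dword: no caller lives at 0
    for m in modules:
        if m.contains(addr):
            if m.in_text(addr):
                return f"ok:{m.name}"      # inside a known module's code section
            return f"non-code:{m.name}"    # inside the image but not executable
    return "unmapped"                      # not inside any loaded module


def audit_stack(trace, modules=MODULES):
    """Classify every frame; return (verdicts, number of suspicious frames)."""
    verdicts = [classify_return_address(a, modules) for a in trace]
    suspicious = sum(1 for v in verdicts if not v.startswith("ok:"))
    return verdicts, suspicious


# Constructed sample traces, innermost frame first.
SAMPLE_TRACES = {
    "clean":    [0x6FAB5678, 0x00412345, 0x7C812345],
    "nulled":   [0x6FAB5678, 0x00000000, 0x7C812345],
    "unmapped": [0x10001234, 0x00412345, 0x7C812345],
    "non-code": [0x6FAB5678, 0x004F0000, 0x7C812345],
}

if __name__ == "__main__":
    for label, trace in SAMPLE_TRACES.items():
        verdicts, n = audit_stack(trace)
        print(f"{label:9s} suspicious={n} {verdicts}")
```

A range check of this kind catches nulled or unmapped return addresses and addresses that fall outside a module's code section; it cannot by itself tell a legitimate caller from any other address that happens to land inside a mapped code section, which is why real checkers layer further validation (for example, whether the bytes before the return address decode to a call) on top of it.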
 Post subject: Re: Automated User Input Detection - SendKeys, PostMessage,
PostPosted: Tue Aug 08, 2017 8:14 pm 
 
D2BS Dev | Joined: Sun Jun 22, 2008 7:00 pm
mpgh? Really?
Have fun sifting through the circle jerk of "how to change compiler flags and rebuild your hack on each use to prevent signature detection".

The only "new" concept in client-side detection prevention I've seen lately was a VirtualBox exploit that let a virtualized environment get access to ring 0 to execute a userspace page (which, to be fair, is more of an Intel fault because there is no reason ever to allow ring 0 to execute anything that isn't in the privileged address space).

 Post subject: Re: Automated User Input Detection - SendKeys, PostMessage,
PostPosted: Tue Aug 08, 2017 9:52 pm 
 
User | Joined: Tue Mar 01, 2005 8:31 pm
I talk about quality threads which aren't that outdated, not about BS which is on Tyler Erdie level.

Gamedeception actually was the best place but it got shut down years ago.


When somebody is willing to invest time searching he could also use /r/reverseengineering or stackoverflow.

 Post subject: Re: Automated User Input Detection - SendKeys, PostMessage,
PostPosted: Wed Aug 09, 2017 1:17 am 
 
User Gold | Joined: Mon Dec 14, 2009 1:40 pm
> I talk about quality threads which aren't that outdated not about BS which is on Tyler Erdie level.
>
> Gamedeception actually was the best place but it got shut down years ago.
>
> When somebody is willing to invest time searching he could also use /r/reverseengineering or stackoverflow.

Lol... even when I leave u alone you still bring up my name.
Can I ask why you always got something to say? Can you not be such an asshole ... for someone who doesn't give a fuck about d2 you sure do sprout your mouth off a lot.
