I've updated LuaNinja for WoW v3.3.0. Download it here.
Have fun you dirty cheaters.
Showing newest posts with label wow. Show older posts
Showing newest posts with label wow. Show older posts
Wednesday, December 9, 2009
Monday, November 30, 2009
WoWMimic v71 Failure
While reading the patch notes to the latest version of WoWMimic I noticed the following gem:
"2.Updated bot's security against warden"
Naturally, I took this as a challenge, and lets just say, it was disappointing.
To 'protect' themselves from Warden they are using a DR hook on GetProcAddress. What they don't seem to realize is that they're still 100% detectable. Whilst Warden does indeed get its function pointers via GetProcAddress, it doesn't need to. All their hooks can by bypassed by simply enumerating the module's target EAT manually in order to find the functions needed to detect Mimic.
GetThreadContext and VirtualQuery are the two obvious contenders. The former to detect the hooks, the latter to detect the module.
They are also using a DR hook on an engine function in order to detect GM chat. Totally unnecessary, but hey, what can you really expect from their developers.
At any rate, both their DR hooks and their module are STILL detectable, because they fail at API hooking. I don't know when they intend to hire someone competent, but they should probably make it sooner than later, because right now they're just asking to be banned.
Detailed information snippets:
"2.Updated bot's security against warden"
Naturally, I took this as a challenge, and lets just say, it was disappointing.
To 'protect' themselves from Warden they are using a DR hook on GetProcAddress. What they don't seem to realize is that they're still 100% detectable. Whilst Warden does indeed get its function pointers via GetProcAddress, it doesn't need to. All their hooks can by bypassed by simply enumerating the module's target EAT manually in order to find the functions needed to detect Mimic.
GetThreadContext and VirtualQuery are the two obvious contenders. The former to detect the hooks, the latter to detect the module.
They are also using a DR hook on an engine function in order to detect GM chat. Totally unnecessary, but hey, what can you really expect from their developers.
At any rate, both their DR hooks and their module are STILL detectable, because they fail at API hooking. I don't know when they intend to hire someone competent, but they should probably make it sooner than later, because right now they're just asking to be banned.
Detailed information snippets:
0:061> ~0 rM 20dr0=004ac5e5 dr1=767e1202 dr2=00000000dr3=00000000 dr6=00000000 dr7=00000100GDI32!NtGdiDdDDIPresent+0x15:768fe823 83c404 add esp,40:061> dt 767e1202GetProcAddressStubSymbol not found.0:061> x kernel32!GetProcAddress*767e120f kernel32!GetProcAddress =767e1202 kernel32!GetProcAddressStub =0:061> u kernel32!GetProcAddressStubkernel32!GetProcAddressStub:767e1202 8bff mov edi,edi767e1204 55 push ebp767e1205 8bec mov ebp,esp767e1207 5d pop ebp767e1208 eb05 jmp kernel32!GetProcAddress (767e120f)767e120a 90 nop767e120b 90 nop767e120c 90 nop
Thursday, November 12, 2009
Status Update
Been a while since I've posted so I'll give a quick update as to what's going on.
Currently I'm working on a new WoW hack to supersede LuaNinja. When it will be done depends primarily on whether I can pull myself away from MW2 long enough to do it. :P
I've also fixed a few bugs in my dll injector and posted an updated version in the original post.
Lastly, I may have more code from either my rootkit or my packer incoming soon.
Currently I'm working on a new WoW hack to supersede LuaNinja. When it will be done depends primarily on whether I can pull myself away from MW2 long enough to do it. :P
I've also fixed a few bugs in my dll injector and posted an updated version in the original post.
Lastly, I may have more code from either my rootkit or my packer incoming soon.
Subscribe to:
Posts (Atom)
