Info for people writing "out-of-process" bots

[Cypher]

I keep hearing of people who are writing "out-of-process" bots, who when I ask how they've implemented certain functionality say "I write to memory address X", or "I use BlackMagic to call engine function Y".

Protip for the retards:
As soon you actively modify the game in some way or another (through a memory write, engine call, dynamic hook, etc) YOU ARE NO LONGER OUT OF PROCESS.

The whole point of an out-of-process bot is that you stay 100% passive so that you can't be detected unless Warden starts doing its out-of-process scans again.

If you're calling engine funcs or modifying memory you've already made yourself detectable via in-process checks so you may as well just inject a DLL and stop wasting so much time (both your own and that of the people in this section) trying to stay 'passive' when you aren't.

Notes:
Anyone who knows anything about Windows programming and how various anti-cheat techniques are implemented would know there are exceptions to the above (i.e. certain memory writes are 'safe' and you can still call yourself 'passive', however most of the ones people normally use are not).

However, there are no exceptions when calling engine functions. If you're calling engine functions you're already vulnerable to a stack trace, so just inject a DLL already, being out of process is just a waste of time at that point.

Contrary to popular belief, injecting a DLL does not suddenly make you a high-risk for bans. As long as your bot is private there is no difference between an injected bot and an out-of-process bot if you're calling engine functions.

[Cypher]

Kynox has brilliantly summed up the opposition's point of view:
(5:58:14 PM) Kynox: HI I AM PASSIVE OUT OF PROCESS BUT I AM MAKE INJECTION
(5:58:23 PM) Kynox: I DO THIS BECUZ DLL INJECT = BAN
(5:58:29 PM) Kynox: OMG SRS TBH CROSS AM MY HART

[tymezz]

There definately is a lot of confusion amongst people who come here looking to scrape code snippets together and make themselves a "bot". It comes with the territory though, consider this:

Guy X comes looking for information on "hacking" WoW, walking tall cause hes coded a little bit, he made a script in xyzscriptinglanguage! Now theres a wealth of information and code laying around that he can just compile into his newly downloaded C#/C++ IDE and have something.

This guy maybe have some vague idea about dll injection, hooking, and memory reading/writing.. but at some point on these forums anything other than injection became synonymous with out of process. Guy X does not know that's wrong. 85% of mmowned's userbase is just like him, nothing against mmowned at all, that's just the nature of sites like these.

On the flip side, look at G-D. Sure Guy X could go there, but it's "really technical".. and mmowned is more.. comfortable.

It's my hope that you guys will post more often(cypher, kynox, apoc, greyman[please?], and a few others), you guys generally have the effect of scaring those people away, as well as provide invaluable information. My "thing" is being able to pick your brain so to speak, peering into how others work is more interesting than source snippets.

[flo8464]

Its so true.

The most funny thing is that enough people are sure they are out-of-process even if they allocate memory, write code to that memory and run that code...

[Cypher]

Quote:

Originally Posted by tymezz

There definately is a lot of confusion amongst people who come here looking to scrape code snippets together and make themselves a "bot". It comes with the territory though, consider this:

Guy X comes looking for information on "hacking" WoW, walking tall cause hes coded a little bit, he made a script in xyzscriptinglanguage! Now theres a wealth of information and code laying around that he can just compile into his newly downloaded C#/C++ IDE and have something.

This guy maybe have some vague idea about dll injection, hooking, and memory reading/writing.. but at some point on these forums anything other than injection became synonymous with out of process. Guy X does not know that's wrong. 85% of mmowned's userbase is just like him, nothing against mmowned at all, that's just the nature of sites like these.

On the flip side, look at G-D. Sure Guy X could go there, but it's "really technical".. and mmowned is more.. comfortable.

It's my hope that you guys will post more often(cypher, kynox, apoc, greyman[please?], and a few others), you guys generally have the effect of scaring those people away, as well as provide invaluable information. My "thing" is being able to pick your brain so to speak, peering into how others work is more interesting than source snippets.

Scaring noobs is one of my favourite pastimes, I'll be sure to keep it up.

Quote:

Originally Posted by flo8464

Its so true.

The most funny thing is that enough people are sure they are out-of-process even if they allocate memory, write code to that memory and run that code...

When it comes to public bots however I don't know whether it's funny or depressing.

[Barnzy]

I don't know why people are so scared of injecting a DLL into a bot tbh, I know it can mean a high risk of a ban, but, wouldn't it help a bit cloacking that certain injection?

[Only registered and activated users can see links. ]

As you see there alot of people are scared to use it, when I am all for it, mainly because I don't play WoW but...

Edit: I am bracing myself for flame by cyther or someone like that.

[_Mike]

Quote:

Originally Posted by Cypher

As soon you actively modify the game in some way or another (through a memory write, engine call, dynamic hook, etc) YOU ARE NO LONGER OUT OF PROCESS.

I guess it comes down to how you define the words "in process"..
To me, even if you are only reading memory you are still reading from inside wow's address space

[Harko]

Quote:

Originally Posted by _Mike

I guess it comes down to how you define the words "in process"..
To me, even if you are only reading memory you are still reading from inside wow's address space

Correct.

for some people injecting a code stub is out of process

for some people using click to move is out of process

for some people overwriting guids is still out of process

in the end it all depends on blizzard

[Cypher]

Quote:

Originally Posted by _Mike

I guess it comes down to how you define the words "in process"..
To me, even if you are only reading memory you are still reading from inside wow's address space

I would say that in the most technical sense (given the context we're discussing it in), "in-process" would be defined as your code actively 'interfering/modifing' the other process in some way or another.

Examples would include:
* Changing memory page flags
* Modifying memory
* Allocating memory
* Creating remote threads
* Modifying threads
etc

The reason being that these can be detected by the anti-cheat system without elevated privileges and without breaking the process boundary.

Non-examples would include:
* Reading memory
* Reading data off disk
etc

The reason being that these actions require the AC to break the process boundary.

Ergo, if you can be detected "in-process" you are an "in-process" bot, if you can not be detected "in-process" then you are an "out-of-process".

Whilst in the most pure sense this is not 100% accurate, I believe it's accurate in the context of an anti-cheat system (which is the ONLY reason people do 'passive' bots to begin with, so it's the only RELEVANT context).

Hope that clears it up.

Quote:

Originally Posted by Harko

Correct.

for some people injecting a code stub is out of process

for some people using click to move is out of process

for some people overwriting guids is still out of process

in the end it all depends on blizzard

See above.

Quote:

Originally Posted by Barnzy

I don't know why people are so scared of injecting a DLL into a bot tbh, I know it can mean a high risk of a ban, but, wouldn't it help a bit cloacking that certain injection?

[Only registered and activated users can see links. ]

As you see there alot of people are scared to use it, when I am all for it, mainly because I don't play WoW but...

Edit: I am bracing myself for flame by cyther or someone like that.

The people in that threads are morons, but that's irrelevant. I'm not quite sure what the point of your post is, or if there's a real question in there somewhere... Mind clarifying?

[_Mike]

Quote:

Originally Posted by Cypher

Ergo, if you can be detected "in-process" you are an "in-process" bot, if you can not be detected "in-process" then you are an "out-of-process".

Whilst in the most pure sense this is not 100% accurate, I believe it's accurate in the context of an anti-cheat system (which is the ONLY reason people do 'passive' bots to begin with, so it's the only RELEVANT context).

Hope that clears it up.

Great summary. It never occurred to me to see it from that point of view, and it did clear things up. Thanks.

[~OddBall~]

Quote:

Originally Posted by Barnzy

I don't know why people are so scared of injecting a DLL into a bot tbh, I know it can mean a high risk of a ban, but, wouldn't it help a bit cloacking that certain injection?

[Only registered and activated users can see links. ]

As you see there alot of people are scared to use it, when I am all for it, mainly because I don't play WoW but...

Edit: I am bracing myself for flame by cyther or someone like that.

From reading this post and those in that thread it's pretty evident you have no idea what you're talking about.

Yes, if Blizzard want to detect a bot they will, however what you're missing is that the warden dev is lazy. The chances of him going after a passive bot are low as it requires a bit more work, however going after a fully fledged injection bot is like giving candy to a baby and requires much less effort to detect therefore your chance of getting banned increases exponentially (unless your bot is private which WR isn't..)

You may or may not remember Kynox's LUA patch (actually can't remember if it was that but something along those lines), allowing anyone to call protected functions in the API. This was a big problem for Blizzard and it was detected after something like 3 days?

Apoc then made something similar which was detected in a bit over a week? Also resulted in a GB banwave cos they were retards.

if WoW-Robot implements luaDoString, you are just as easy to detect and just as much a threat....(that's not a good thing)

-Odd

[Cypher]

Quote:

Originally Posted by ~OddBall~

From reading this post and those in that thread it's pretty evident you have no idea what you're talking about.

Yes, if Blizzard want to detect a bot they will, however what you're missing is that the warden dev is lazy. The chances of him going after a passive bot are low as it requires a bit more work, however going after a fully fledged injection bot is like giving candy to a baby and requires much less effort to detect therefore your chance of getting banned increases exponentially (unless your bot is private which WR isn't..)

You may or may not remember Kynox's LUA patch (actually can't remember if it was that but something along those lines), allowing anyone to call protected functions in the API. This was a big problem for Blizzard and it was detected after something like 3 days?

Apoc then made something similar which was detected in a bit over a week? Also resulted in a GB banwave cos they were retards.

if WoW-Robot implements luaDoString, you are just as easy to detect and just as much a threat....(that's not a good thing)

-Odd

No. YOU are missing the point.

First off, the previous tools mentioned to "unlock" lua required modification of the game. In the context of a bot however that is not necessary because you're not trying to unlock macros and addons, you're trying to expos the API for people to use in their botting scripts (to be run though the bot).

Both Kynox's and Apoc's tool were detected via their HOOK, they were NOT caught via their DLL or the function call itself.

Given that the bot already 'does the dirty' (i.e. performs an action which is counted as "in-process" -- It uses CTM as far as I can see from the vids), the addition of a call to FrameScript__Execute does NOT raise the level of detectability in an "out vs in" sense.

WoW-Robot is NOT passive and hence the premise you base your conclusion on is invalid, making your conclusion invalid.

[~OddBall~]

Quote:

Originally Posted by Cypher

No. YOU are missing the point.

First off, the previous tools mentioned to "unlock" lua required modification of the game. In the context of a bot however that is not necessary because you're not trying to unlock macros and addons, you're trying to expos the API for people to use in their botting scripts (to be run though the bot).

Both Kynox's and Apoc's tool were detected via their HOOK, they were NOT caught via their DLL or the function call itself.

Given that the bot already 'does the dirty' (i.e. performs an action which is counted as "in-process" -- It uses CTM as far as I can see from the vids), the addition of a call to FrameScript__Execute does NOT raise the level of detectability in an "out vs in" sense.

WoW-Robot is NOT passive and hence the premise you base your conclusion on is invalid, making your conclusion invalid.

Silence Sydney fag!

[Cypher]

Quote:

Originally Posted by ~OddBall~

Silence Sydney fag!

You fail. True story.

[Shynd]

The difference, in my mind, between out-of-process and in-process bots is not contained wholly in what is manipulated or not manipulated but, rather, in where the thread of logic is executed. An out-of-process bot can inject into a process to execute certain procedures, but its thread is mainly external so it cannot be considered wholly in-process.

The line does tend to blur, in some cases, and one should not consider one type specifically more or less risky than another, depending on implementation. A lot of confusion would be abated if the general level of knowledge was raised just one iota, but that's wishful (and inevitably ridiculous) thinking.