Both Proxy and Memory Based are Detectable now!!

Page 1 of 2 1 2
06/30/2012 01:00 xmen01235#1
I thought only memory based program can be detected by the new anti bot but also including the proxy.

I manage to fixed my proxy last night and I was jumping for happiness until my noob got a 1day banned. Damn their anti bot can detect both proxy and memory based program now. Probably because my proxy used some hooking on bypassing the client.

Did anybody who has a private proxy also have same problem with me?
06/30/2012 01:12 Zeroxelli#2
If it uses hooking it's probably a memory based proxy.
06/30/2012 01:25 { Angelius }#3
Speed hacking/jumping/walking seems to work just fine but once i start hunting with the speed hack on it waits until the KO counter is around 1k kills and then it disconnects me and restricts the account :|

Sounds like they are monitoring the incoming data such as melee/magic attack packets.
06/30/2012 01:28 IAmHawtness#4
I heard some of the public bots also had problems with restrictions.
I don't know whether it was because of the "hooking" they used in the client to re-direct the client to the proxy, disable the signout website, allow multi-clients, etc., or if it was because of the proxy itself, but I'm guessing they have probably fixed it by now.
06/30/2012 01:29 Zeroxelli#5
Quote:
Originally Posted by { Angelius } View Post
Speed hacking/jumping/walking seems to work just fine but once i start hunting with the speed hack on it waits until the KO counter is around 1k kills and then it disconnects me and restricts the account :|

Sounds like they are monitoring the incoming data such as melee/magic attack packets.
Interesting... But why 1k kills? A bot could simply disconnect before it got there to reset the counters in the server.

Quote:
Originally Posted by IAmHawtness View Post
I heard some of the public bots also had problems with restrictions.
I don't know whether it was because of the "hooking" they used in the client to re-direct the client to the proxy, disable the signout website, allow multi-clients, etc., or if it was because of the proxy itself, but I'm guessing they have probably fixed it by now.
What, five years later, TQ gets half a brain and decides to actually monitor data the way they should?

Well shit, I guess I owe em a beer for winning that bet. I expected at least a million years to pass by first.
06/30/2012 01:39 { Angelius }#6
Quote:
Originally Posted by Zeroxelli View Post
Interesting... But why 1k kills? A bot could simply disconnect before it got there to reset the counters in the server.
I don't do that :P

I leave them until something stupid happens and disconnects them and i really like to watch them hunt/pick gold and items but.... TQ ruined the whole thing for me when the reduced the gold/items drop :|

8400 kills and all i got is 16 meteor/around 1kk silver/few refined items... LMFAO
06/30/2012 01:39 xmen01235#7
Quote:
Originally Posted by Zeroxelli View Post
If it uses hooking it's probably a memory based proxy.
What I mean is I hook on inet_addr to by pass the client to my localhost(127.0.0.1)... This was also based on nullable tutorial last time when he posted how to bypass the client.

Code:
Public Function connect2IP(ByVal PID As Integer, ByVal IPAdd As String) As Integer
        Dim ws2Handle As IntPtr = LoadLibrary("WS2_32.dll")
        If ws2Handle = vbNull Then
            FreeLibrary(ws2Handle)
            Return 1
        End If
        Dim cHandle As IntPtr = OpenProcess(ProcessAccessFlags.VMOperation Or ProcessAccessFlags.VMRead Or ProcessAccessFlags.VMWrite Or _
                                            ProcessAccessFlags.All, True, PID)
        If cHandle = vbNull Then
            FreeLibrary(ws2Handle)
            Return 2
        End If
        Dim inet_addr As IntPtr = GetProcAddress(GetModuleHandle("WS2_32.dll"), "inet_addr")
        If inet_addr = vbNull Then
            FreeLibrary(ws2Handle)
            Return 3
        End If
        Dim buffer() As Byte = {&HB8, &H0, &H0, &H0, &H0, &HC2, &H4, &H0, &H90, &H90}
        Dim byteIPaddress() As Byte = IPAddress.Parse(IPAdd).GetAddressBytes()
        System.Buffer.BlockCopy(byteIPaddress, 0, buffer, 1, byteIPaddress.Length)
        Dim bytesWritten As Integer = 0
        If Not WriteProcessMemory(cHandle, inet_addr, buffer, buffer.Length, bytesWritten) Then
            FreeLibrary(ws2Handle)
            Return 4
        End If
        CloseHandle(cHandle)
        FreeLibrary(ws2Handle)
        Return 0
    End Function
Probably this is the reason why proxy is detectable now.
06/30/2012 01:43 Zeroxelli#8
Quote:
Originally Posted by xmen01235 View Post
What I mean is I hook on inet_addr to by pass the client to my localhost(127.0.0.1)... This was also based on nullable tutorial last time when he posted how to bypass the client.

Code:
Public Function connect2IP(ByVal PID As Integer, ByVal IPAdd As String) As Integer
        Dim ws2Handle As IntPtr = LoadLibrary("WS2_32.dll")
        If ws2Handle = vbNull Then
            FreeLibrary(ws2Handle)
            Return 1
        End If
        Dim cHandle As IntPtr = OpenProcess(ProcessAccessFlags.VMOperation Or ProcessAccessFlags.VMRead Or ProcessAccessFlags.VMWrite Or _
                                            ProcessAccessFlags.All, True, PID)
        If cHandle = vbNull Then
            FreeLibrary(ws2Handle)
            Return 2
        End If
        Dim inet_addr As IntPtr = GetProcAddress(GetModuleHandle("WS2_32.dll"), "inet_addr")
        If inet_addr = vbNull Then
            FreeLibrary(ws2Handle)
            Return 3
        End If
        Dim buffer() As Byte = {&HB8, &H0, &H0, &H0, &H0, &HC2, &H4, &H0, &H90, &H90}
        Dim byteIPaddress() As Byte = IPAddress.Parse(IPAdd).GetAddressBytes()
        System.Buffer.BlockCopy(byteIPaddress, 0, buffer, 1, byteIPaddress.Length)
        Dim bytesWritten As Integer = 0
        If Not WriteProcessMemory(cHandle, inet_addr, buffer, buffer.Length, bytesWritten) Then
            FreeLibrary(ws2Handle)
            Return 4
        End If
        CloseHandle(cHandle)
        FreeLibrary(ws2Handle)
        Return 0
    End Function
Probably this is the reason why proxy is detectable now.
Yeah.. Don't redirect the socket. Use [Only registered and activated users can see links. Click Here To Register...] to connect to a Hamachi IP (that your proxy is listening on), or if not Hamachi, me and Fang discussed two different options in this thread: [Only registered and activated users can see links. Click Here To Register...]


Quote:
Originally Posted by { Angelius } View Post
I don't do that :P

I leave them until something stupid happens and disconnects them and i really like to watch them hunt/pick gold and items but.... TQ ruined the whole thing for me when the reduced the gold/items drop :|

8400 kills and all i got is 16 meteor/around 1kk silver/few refined items... LMFAO
Wtf.. That's bullshit. That's basically nothing. :/ Glad I don't play anymore, as I hunted manually..
06/30/2012 01:45 { Angelius }#9
Quote:
Originally Posted by xmen01235 View Post
What I mean is I hook on inet_addr to by pass the client to my localhost(127.0.0.1)... This was also based on nullable tutorial last time when he posted how to bypass the client.

Code:
Public Function connect2IP(ByVal PID As Integer, ByVal IPAdd As String) As Integer
        Dim ws2Handle As IntPtr = LoadLibrary("WS2_32.dll")
        If ws2Handle = vbNull Then
            FreeLibrary(ws2Handle)
            Return 1
        End If
        Dim cHandle As IntPtr = OpenProcess(ProcessAccessFlags.VMOperation Or ProcessAccessFlags.VMRead Or ProcessAccessFlags.VMWrite Or _
                                            ProcessAccessFlags.All, True, PID)
        If cHandle = vbNull Then
            FreeLibrary(ws2Handle)
            Return 2
        End If
        Dim inet_addr As IntPtr = GetProcAddress(GetModuleHandle("WS2_32.dll"), "inet_addr")
        If inet_addr = vbNull Then
            FreeLibrary(ws2Handle)
            Return 3
        End If
        Dim buffer() As Byte = {&HB8, &H0, &H0, &H0, &H0, &HC2, &H4, &H0, &H90, &H90}
        Dim byteIPaddress() As Byte = IPAddress.Parse(IPAdd).GetAddressBytes()
        System.Buffer.BlockCopy(byteIPaddress, 0, buffer, 1, byteIPaddress.Length)
        Dim bytesWritten As Integer = 0
        If Not WriteProcessMemory(cHandle, inet_addr, buffer, buffer.Length, bytesWritten) Then
            FreeLibrary(ws2Handle)
            Return 4
        End If
        CloseHandle(cHandle)
        FreeLibrary(ws2Handle)
        Return 0
    End Function
Probably this is the reason why proxy is detectable now.

I'm like 99% sure that the detection process is server sided and has nothing to do with the client because i'm not debugging the process i am only injecting a dll into it and nothing that i have done so far got me banned cept for the super fast massive killing part like ninjas shifting for example :P
06/30/2012 01:46 Zeroxelli#10
Quote:
Originally Posted by { Angelius } View Post
I'm like 99% sure that the detection process is server sided and has nothing to do with the client because i'm not debugging the process i am only injecting a dll into it and nothing that i have done so far got me banned cept for the super fast massive killing part like ninjas shifting for example :P
I guess they really did grow half a brain then lol
06/30/2012 01:55 xmen01235#11
Quote:
Originally Posted by Zeroxelli View Post
Yeah.. Don't redirect the socket. Use [Only registered and activated users can see links. Click Here To Register...] to connect to a Hamachi IP (that your proxy is listening on), or if not Hamachi, me and Fang discussed two different options in this thread: [Only registered and activated users can see links. Click Here To Register...]
lemme try that thanks.
06/30/2012 01:56 Zeroxelli#12
Quote:
Originally Posted by xmen01235 View Post
lemme try that thanks.
No problem. As { Angelius } said, though, it's probably server-side as well now.
06/30/2012 02:48 xmen01235#13
Quote:
Originally Posted by { Angelius } View Post
I don't do that :P

I leave them until something stupid happens and disconnects them and i really like to watch them hunt/pick gold and items but.... TQ ruined the whole thing for me when the reduced the gold/items drop :|

8400 kills and all i got is 16 meteor/around 1kk silver/few refined items... LMFAO
I think you are correct ..Also I noticed something, they check every packet now , for example I played around with my packet for action and I put a zero value on x & y then bang 1day banned on my noob.
06/30/2012 02:54 Zeroxelli#14
Quote:
Originally Posted by xmen01235 View Post
I think you are correct ..Also I noticed something, they check every packet now , for example I played around with my packet for action and I put a zero value on x & y then bang 1day banned on my noob.
I can slightly confirm that. While testing my proxy, I changed the value of one of the packets at random, and the noob got disconnected.
06/30/2012 17:56 xmen01235#15
It seems that they change the encryption from time to time after the initial key exchange. Just my wild guess.
Page 1 of 2 1 2