Careful with Botting on Netherwing!

[Bambo 148]

Hey wRobot Community,

unfortunately the time has come. The TBC Server Netherwing now is able to detect Mass botters (eventough they hide their IP). If you get caught on one Bot on Netherwing, chances are you will loose every Account being online at that time.

DO NOT USE YOUR MAIN/GOLD ACCOUNTS ON NETHERWING WITH THE SAME MACHINE THAT YOU BOT ON!

My source, which I can not reveal here, said that he knows for sure that Namreeb (talented Programmer) has helped the guys of Netherwing to execute code through the warden of vanilla/tbc World of Warcraft. Same thing has happened to Lights Hope's Northdale and I was one of the first mass botters to taste it myself.

Unfortunately we still have no way of fighting back. Since the arbitrary code gets executed on your local machine it will not help to hide with proxies or vpns.

The only thing that MIGHT help here is virtualization, from my understanding it should stop the linking between accounts. Obviously you still have to make sure your IP does not reveal you.

Also as far as my source knows, they do not ban automatically. They look at data, make sure it is not a false-positive and then proceed to ban all of your accounts. Which means that appealing your massbans is absolutely hopeless.

Another thing that I would like to mention is, the method they are using to execute code on all of our computers, is highly illegal.

 

Thanks for your time,

Bambo

Edited February 20, 2019 by Bambo

[fissemonsteretto 0]

?
 lost 6 bots today. 

lvl: 

45, 28, 59, 21, 44, 18 

 

I was hiding my ips and using your grinding profile. 

sad but second time i was caught on netherwing. 

 

I hope we (us botters) can find a way to continue botting on netherwing ?

[maukor 34]

Their forum is on maintanance, will see soon how it goes

[CocoChanel 63]

Hasn't affected me so far.

 

[maukor 34]

i didnt get any ban past days, but still, dont wanna check it, so if anyone has additional info - let us know ;D

[CocoChanel 63]

"Talented programmer" nah dude

They are just checking the time your pc has been running which is possible through warden (Matenia mentioned it before), and if multiple players match the same time, it's obviosly a multi-botter.

 

Matenia even wrote a script that lets you bypass this, but I can't find it at the moment ?

[shaded 5]

If you're interested in the virtualization option, you can use Hyper-V or VirtualBox w/ Windows 10 per this post: https://www.windowscentral.com/you-do-not-need-activate-windows-10

[muskel 1]

On 2/20/2019 at 10:48 PM, CocoChanel said:

"Talented programmer" nah dude

They are just checking the time your pc has been running which is possible through warden (Matenia mentioned it before), and if multiple players match the same time, it's obviosly a multi-botter.

 

Matenia even wrote a script that lets you bypass this, but I can't find it at the moment ?

Any chance we could get a link to this? ❤️ @Matenia

[Mykoplazma 24]

The option - Launch multiple wow clients with random delay (set random time spread ( like 5-10 min etc )  in seprate option window ) should be added to a launcher.

[maukor 34]

Just now, Mykoplazma said:

The option - Launch multiple wow clients with random delay (set random time spread ( like 5-10 min etc )  in seprate option window ) should be added to a launcher.

It's already in relogger, i think he's talking about your PC run time. For example you turn on PC, and after 1 day it will shows somewhere in warden as 24:00:00 runtime, and all of your chars will show that value, so if 3 or more chars has the same running time, may trigger handcheck, if i understand it correct

[Matenia 628]

On 2/20/2019 at 10:48 PM, CocoChanel said:

"Talented programmer" nah dude

They are just checking the time your pc has been running which is possible through warden (Matenia mentioned it before), and if multiple players match the same time, it's obviosly a multi-botter.

 

Matenia even wrote a script that lets you bypass this, but I can't find it at the moment ?

If this is the time that the Lua function GetTime() returns, then someone with more reverse engineering skills than me would need to figure out what function in memory (C function) the Lua function is calling, overwriting or hooking that one and making it return a seemlingy random value.

Or you'd have to modify your Kernel32.dll (on your system) so GetTickCount() returns different values.

If they actually use Lua to check this somehow, all you would need to do is execute this script ingame (using Development Tools or a macro or an addon):
 

_oldGetTime = GetTime;
function GetTime()
  return _oldGetTime() + math.random(1000, 15000);
end

This can and will result in breaking addons and possibly all kinds of cooldown timers, which rely on this function. Any internal cooldown timer would have to call the _oldGetTime function instead (so anything wRobot needs). This would actually be easily doable, if it's actually confirmed that this is what gets people mass-banned on these servers AND that this Lua change prevents you from getting mass-banned.

[Mykoplazma 24]

ahh so each wow client is returning the same time value in the same moment in  epoch time? that's so clever. So virtual machine will solve it.

[wookie_cookie 5]

Interesting. I got banned 3 weeks ago, changed my IP address and started botting about 2 weeks ago. My character is still good. I wonder if they ban new accounts based off reports? Or on a monthly routine. 

Also, I find it essential to manually level to 12 or 20 to be safe. The reason for this is because most new players are roaming around the starting zone. It's so easy to catch a botter that chances are, you will most likely be reported. Thus resulting in a ban around level 30-40 because that's when Admins get to your ticket request. This is just all theory though. 

[Findeh 34]

Also manually level from 1 to 70 is even safer. If you constantly got reported till level 20 you probably do something wrong.

[CocoChanel 63]

35 minutes ago, Findeh said:

Also manually level from 1 to 70 is even safer. If you constantly got reported till level 20 you probably do something wrong.

yes that is true.

[Bambo 148]

13 hours ago, Matenia said:

If this is the time that the Lua function GetTime() returns, then someone with more reverse engineering skills than me would need to figure out what function in memory (C function) the Lua function is calling, overwriting or hooking that one and making it return a seemlingy random value.

Or you'd have to modify your Kernel32.dll (on your system) so GetTickCount() returns different values.

If they actually use Lua to check this somehow, all you would need to do is execute this script ingame (using Development Tools or a macro or an addon):
 

_oldGetTime = GetTime;
function GetTime()
  return _oldGetTime() + math.random(1000, 15000);
end

This can and will result in breaking addons and possibly all kinds of cooldown timers, which rely on this function. Any internal cooldown timer would have to call the _oldGetTime function instead (so anything wRobot needs). This would actually be easily doable, if it's actually confirmed that this is what gets people mass-banned on these servers AND that this Lua change prevents you from getting mass-banned.

Could you please give us an insight if your products make use of that GetTime() function?

Because then more people are willing to try and that means we can have faster results. 

Edited February 22, 2019 by Bambo

[maukor 34]

+ can try on one pc

[Matenia 628]

Yes, my products use GetTime to read Spell and item cooldowns. So does wrobot internally as far as I know. 

Just FYI though, using it itself isn't what would get you banned. The function itself is used by almost every addon in the addon because all of WoW's other API calls and timers depend on it. Look up GetInventoryItemCooldown as an example on how it's used. 

Edit: to maintain cooldown timers, it'd probably be best to add a random number to GetTime once per client, instead of randomizing on every call

Edited February 23, 2019 by Matenia

[Droidz 2738]

You can try code like (no tested):

if not _oldGetTime then
	_oldGetTime = GetTime;
	_randomTime = math.random(1000, 86400);
	function GetTime()
	  return _oldGetTime() + _randomTime;
	end
end

it should not cause problem to the bot and addons (and use custom variable name).

[Amontis 2]

Lost 5 Accounts today, including my main which I have not logged onto in WEEKS. I don't know how they identified my main account as I have transferred no gold or items, nor ever botted on my main account.

Something is seriously up, and I would definitely recommend not botting on the same PC you use your main account on or run bots or main in a VM.

4 of the 5 accounts banned were not even online at the time.

[Mykoplazma 24]

Maybe they are reading HWID of computer or they can detect wrobot but don't speak about it just ban the users after some time  ... 

[Amontis 2]

This seems to be the most valid theory, and I will look into setting up VMs.

I mourn the lost most of my Main account's names - names I have used since Beta Vanilla.

[Gunkas 8]

I just lost all 3 of my bots today. All were on their own PC, all on their own VPNs, and all running only 6 hours (2 sessions of 2-3 hours) a day set up to quick launch relogger 3-6 hours after the computers were scheduled to randomly restart once a day (at different times from each other). One bot was using Bambo's 1-70, one Andoido's 1-60 quester, and the last one was using a custom made profile in which I had been programming quests into for the last 2 weeks as it leveled running my newly programmed quests. Digging through the logs I can't find a single instance of them ever being whispered or talked to by a GM, just straight up closed.

I can see maybe the two purchased questers being something Netherwing is tracking, but I rarely ran them. What got me though was my third custom profile being caught, it's exp earned was almost 80% quests and I used it  3-4 hours a day at best. PLUS it was only level 18! I'm honestly not sure what else I could have done to prevent this.

It would seem Netherwing has some weird trick up their sleeve that tracks bots.

 

Edit: I just checked an account I made and played on for an hour 3 weeks ago, never even botted on. Closed. Something tells me this is a HWID log of some sort that it is scrapping.

[artur.k 10]

Gunkas first they always catch  ingame second they check any account is linked to this and ban all but always first ingame,even if 0 whispers you can be reported by player,many report with not  even one word in whsiper or say ,report and they go.

[Matenia 628]

If all accounts were registered through the same IP or emails/account names enumerated, that'S how they can catch you. But HWID doesn't work if you run them on 3 different computers with a VPN each.