Jump to content
This site uses cookies! Learn More

This site uses cookies!

By continuing to use this site, you agree to allow us to store cookies on your computer. :)

Bambo

Careful with Botting on Netherwing!

Recommended Posts

Hey wRobot Community,

unfortunately the time has come. The TBC Server Netherwing now is able to detect Mass botters (eventough they hide their IP). If you get caught on one Bot on Netherwing, chances are you will loose every Account being online at that time.

DO NOT USE YOUR MAIN/GOLD ACCOUNTS ON NETHERWING WITH THE SAME MACHINE THAT YOU BOT ON!

My source, which I can not reveal here, said that he knows for sure that Namreeb (talented Programmer) has helped the guys of Netherwing to execute code through the warden of vanilla/tbc World of Warcraft. Same thing has happened to Lights Hope's Northdale and I was one of the first mass botters to taste it myself.

Unfortunately we still have no way of fighting back. Since the arbitrary code gets executed on your local machine it will not help to hide with proxies or vpns.

The only thing that MIGHT help here is virtualization, from my understanding it should stop the linking between accounts. Obviously you still have to make sure your IP does not reveal you.

Also as far as my source knows, they do not ban automatically. They look at data, make sure it is not a false-positive and then proceed to ban all of your accounts. Which means that appealing your massbans is absolutely hopeless.

Another thing that I would like to mention is, the method they are using to execute code on all of our computers, is highly illegal.

 

Thanks for your time,

Bambo

Edited by Bambo

Share this post


Link to post
Share on other sites

😞
 lost 6 bots today. 

lvl: 

45, 28, 59, 21, 44, 18 

 

I was hiding my ips and using your grinding profile. 

sad but second time i was caught on netherwing. 

 

I hope we (us botters) can find a way to continue botting on netherwing 🙂

Share this post


Link to post
Share on other sites

"Talented programmer" nah dude

They are just checking the time your pc has been running which is possible through warden (Matenia mentioned it before), and if multiple players match the same time, it's obviosly a multi-botter.

 

Matenia even wrote a script that lets you bypass this, but I can't find it at the moment 😕

Share this post


Link to post
Share on other sites
On 2/20/2019 at 10:48 PM, CocoChanel said:

"Talented programmer" nah dude

They are just checking the time your pc has been running which is possible through warden (Matenia mentioned it before), and if multiple players match the same time, it's obviosly a multi-botter.

 

Matenia even wrote a script that lets you bypass this, but I can't find it at the moment 😕

Any chance we could get a link to this? ❤️ @Matenia

Share this post


Link to post
Share on other sites

The option - Launch multiple wow clients with random delay (set random time spread ( like 5-10 min etc )  in seprate option window ) should be added to a launcher.

Share this post


Link to post
Share on other sites
Just now, Mykoplazma said:

The option - Launch multiple wow clients with random delay (set random time spread ( like 5-10 min etc )  in seprate option window ) should be added to a launcher.

It's already in relogger, i think he's talking about your PC run time. For example you turn on PC, and after 1 day it will shows somewhere in warden as 24:00:00 runtime, and all of your chars will show that value, so if 3 or more chars has the same running time, may trigger handcheck, if i understand it correct

Share this post


Link to post
Share on other sites
On 2/20/2019 at 10:48 PM, CocoChanel said:

"Talented programmer" nah dude

They are just checking the time your pc has been running which is possible through warden (Matenia mentioned it before), and if multiple players match the same time, it's obviosly a multi-botter.

 

Matenia even wrote a script that lets you bypass this, but I can't find it at the moment 😕

If this is the time that the Lua function GetTime() returns, then someone with more reverse engineering skills than me would need to figure out what function in memory (C function) the Lua function is calling, overwriting or hooking that one and making it return a seemlingy random value.

Or you'd have to modify your Kernel32.dll (on your system) so GetTickCount() returns different values.

If they actually use Lua to check this somehow, all you would need to do is execute this script ingame (using Development Tools or a macro or an addon):
 

_oldGetTime = GetTime;
function GetTime()
  return _oldGetTime() + math.random(1000, 15000);
end

This can and will result in breaking addons and possibly all kinds of cooldown timers, which rely on this function. Any internal cooldown timer would have to call the _oldGetTime function instead (so anything wRobot needs). This would actually be easily doable, if it's actually confirmed that this is what gets people mass-banned on these servers AND that this Lua change prevents you from getting mass-banned.

Share this post


Link to post
Share on other sites

Interesting. I got banned 3 weeks ago, changed my IP address and started botting about 2 weeks ago. My character is still good. I wonder if they ban new accounts based off reports? Or on a monthly routine. 

Also, I find it essential to manually level to 12 or 20 to be safe. The reason for this is because most new players are roaming around the starting zone. It's so easy to catch a botter that chances are, you will most likely be reported. Thus resulting in a ban around level 30-40 because that's when Admins get to your ticket request. This is just all theory though. 

Share this post


Link to post
Share on other sites
35 minutes ago, Findeh said:

Also manually level from 1 to 70 is even safer. If you constantly got reported till level 20 you probably do something wrong.

yes that is true.

Share this post


Link to post
Share on other sites
13 hours ago, Matenia said:

If this is the time that the Lua function GetTime() returns, then someone with more reverse engineering skills than me would need to figure out what function in memory (C function) the Lua function is calling, overwriting or hooking that one and making it return a seemlingy random value.

Or you'd have to modify your Kernel32.dll (on your system) so GetTickCount() returns different values.

If they actually use Lua to check this somehow, all you would need to do is execute this script ingame (using Development Tools or a macro or an addon):
 

_oldGetTime = GetTime;
function GetTime()
  return _oldGetTime() + math.random(1000, 15000);
end

This can and will result in breaking addons and possibly all kinds of cooldown timers, which rely on this function. Any internal cooldown timer would have to call the _oldGetTime function instead (so anything wRobot needs). This would actually be easily doable, if it's actually confirmed that this is what gets people mass-banned on these servers AND that this Lua change prevents you from getting mass-banned.

Could you please give us an insight if your products make use of that GetTime() function?

Because then more people are willing to try and that means we can have faster results. 

Edited by Bambo

Share this post


Link to post
Share on other sites

Yes, my products use GetTime to read Spell and item cooldowns. So does wrobot internally as far as I know. 

Just FYI though, using it itself isn't what would get you banned. The function itself is used by almost every addon in the addon because all of WoW's other API calls and timers depend on it. Look up GetInventoryItemCooldown as an example on how it's used. 

Edit: to maintain cooldown timers, it'd probably be best to add a random number to GetTime once per client, instead of randomizing on every call

Edited by Matenia

Share this post


Link to post
Share on other sites

You can try code like (no tested):

if not _oldGetTime then
	_oldGetTime = GetTime;
	_randomTime = math.random(1000, 86400);
	function GetTime()
	  return _oldGetTime() + _randomTime;
	end
end

it should not cause problem to the bot and addons (and use custom variable name).

Share this post


Link to post
Share on other sites

Lost 5 Accounts today, including my main which I have not logged onto in WEEKS. I don't know how they identified my main account as I have transferred no gold or items, nor ever botted on my main account.

Something is seriously up, and I would definitely recommend not botting on the same PC you use your main account on or run bots or main in a VM.

4 of the 5 accounts banned were not even online at the time.

Share this post


Link to post
Share on other sites

This seems to be the most valid theory, and I will look into setting up VMs.

I mourn the lost most of my Main account's names - names I have used since Beta Vanilla.

Share this post


Link to post
Share on other sites

I just lost all 3 of my bots today. All were on their own PC, all on their own VPNs, and all running only 6 hours (2 sessions of 2-3 hours) a day set up to quick launch relogger 3-6 hours after the computers were scheduled to randomly restart once a day (at different times from each other). One bot was using Bambo's 1-70, one Andoido's 1-60 quester, and the last one was using a custom made profile in which I had been programming quests into for the last 2 weeks as it leveled running my newly programmed quests. Digging through the logs I can't find a single instance of them ever being whispered or talked to by a GM, just straight up closed.

I can see maybe the two purchased questers being something Netherwing is tracking, but I rarely ran them. What got me though was my third custom profile being caught, it's exp earned was almost 80% quests and I used it  3-4 hours a day at best. PLUS it was only level 18! I'm honestly not sure what else I could have done to prevent this.

It would seem Netherwing has some weird trick up their sleeve that tracks bots.

 

Edit: I just checked an account I made and played on for an hour 3 weeks ago, never even botted on. Closed. Something tells me this is a HWID log of some sort that it is scrapping.

Share this post


Link to post
Share on other sites

Gunkas first they always catch  ingame second they check any account is linked to this and ban all but always first ingame,even if 0 whispers you can be reported by player,many report with not  even one word in whsiper or say ,report and they go.

Share this post


Link to post
Share on other sites

If all accounts were registered through the same IP or emails/account names enumerated, that'S how they can catch you. But HWID doesn't work if you run them on 3 different computers with a VPN each. 

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


×
×
  • Create New...