Protection from SpellManager.CastSpellBy && LuaDoString (or what?)

[Pudge 24]

Hi.


On some server that called Sirus i encountered the weird protection from SpellManager.CastSpellBy and LuaDoString functions for using spells - they're doesn't work in combat.
 

Maybe there are alternative ways? Except PLua (only runmacrotext works)

 

 

[TheSmokie 242]

Idk if that’s a lua Function or if droidz uses memory writing for that but trying using normal lua CastSpellByName 

[Pudge 24]

4 minutes ago, Smokie said:

Idk if that’s a lua Function or if droidz uses memory writing for that but trying using normal lua CastSpellByName 

Doesn't work when in combat, I showed it right on the video. Only runmacrotext works.

[TheSmokie 242]

After finding realmlisting, i was able to log in with my none modified client and was completely able to use 

 SpellManager.CastSpellByNameLUA("Lesser Heal");

CastSpellByName("Lesser Heal");

i did get Dc tho, idk if its because of the lua injection or if its because of my T-moble hotspot, but over all it works.

@Droidz you may want to check if they can detect l if a player is using lua for casting spells, they might not have a ban action in place, just a simple dc.

 

[Matenia 628]

They probably disconnected you, because you didn't have their MPQs. 
You can probably add a custom MPQ that's loaded at the very beginning that just loads FrameXML or something that copies CastSpellByName

 

originalCastSpellByName = CastSpellByName

-- later in wrobot use this code:
originalCastSpellByName("Frostbolt")

Maybe that will work. Otherwise - weird. THey definitely heavily modify the UI with their MPQs

[Pudge 24]

Yes, disconnecting because they require to install their patches, which they update daily.

 

2 hours ago, Matenia said:

You can probably add a custom MPQ that's loaded at the very beginning that just loads FrameXML or something that copies CastSpellByName

 

originalCastSpellByName = CastSpellByName

-- later in wrobot use this code:
originalCastSpellByName("Frostbolt")

Maybe that will work. Otherwise - weird. THey definitely heavily modify the UI with their MPQs

Interesting, will have to try, if I understand how to do that :)

[TheSmokie 242]

Hello,

This is the code they use for there custom MPQ and they check if the file is there and if its not then they download and replace the file with theres. @Droidz Might have to see if he can bypass it.

 

the Mpq file  name : patch-ruRU-i.mpq

 

--	Filename:	Controller.lua
--	Project:	Sirus Game Interface
--	Author:		Nyll
--	E-mail:		[email protected]
--	Web:		https://sirus.su/

local _CastSpellByName = CastSpellByName
local _CastSpellByID = CastSpellByID
local _CastSpell = CastSpell

local ignoreSpell = {
	7620, 7731, 7732, 18248, 33095, 51294,
	2550, 3102, 3413, 18260, 33359, 51296,
	3273, 3274, 7924, 10846, 27028, 45542,
	2259, 3101, 3464, 11611, 28596, 51304, 28677, 28675, 28672,
	2018, 29844, 51300, 3538, 3100, 9785, 9788, 17039, 17040, 17041, 9787,
	13262, 7411, 7412, 7413, 13920, 28029, 51313,
	4036, 4037, 4038, 12656, 30350, 51306, 20222, 20219,
	2366, 2368, 3570, 11993, 28695, 50300,
	51005, 45357, 45358, 45359, 45360, 45361, 45363,
	31252, 25229, 25230, 28894, 28895, 28897, 51311,
	2108, 3104, 3811, 10662, 32549, 51302, 10656, 10660, 10658,
	2656,
	8613, 8617, 8618, 10768, 32678, 50305,
	3908, 3909, 3910, 12180, 26790, 51309, 26798, 26797, 26801
}

local blockSpell = {
	306647,
	306648,
	306649,
	306650,
	306651,
	306652,
	306653,
	306654,
}

local function GetSpellID( ... )
	if ... then
		local link = GetSpellLink( ... )
		if link then
			return tonumber(string.match(link, "spell:(%d*)"))
		end
	end
end

local function SendClientReport( name, ... )
	SendServerMessage("ACMSG_PROTECTED_LUA_CALL_DETECTED", name.."|"..strjoin(" ", tostringall(...)))
end

function CastSpellByName( ... )
	if not ... then
		return
	end

	local id = GetSpellID(...)

	if id and tContains(blockSpell, id) then
		return
	end

	if not UnitAffectingCombat("player") then
		_CastSpellByName(...)
		return
	end

	if id and tContains(ignoreSpell, id) then
		_CastSpellByName(...)
		return
	end

	SendClientReport("CastSpellByName", table.concat({..., id}, ", "))
end

function CastSpellByID( ... )
	if not ... then
		return
	end

	local id = GetSpellID(...)

	if id and tContains(blockSpell, id) then
		return
	end

	if not UnitAffectingCombat("player") then
		_CastSpellByID(...)
		return
	end

	if id and tContains(ignoreSpell, id) then
		_CastSpellByID(...)
		return
	end

	SendClientReport("CastSpellByID", ...)
end

function CastSpell( ... )
	if not ... then
		return
	end

	local id = GetSpellID(...)

	if id and tContains(blockSpell, id) then
		return
	end

	if not UnitAffectingCombat("player") then
		_CastSpell(...)
		return
	end

	if id and tContains(ignoreSpell, id) then
		_CastSpell(...)
		return
	end

	SendClientReport("CastSpell", ...)
end

function JoinBattlefield( ... )
	return nil
end

function AcceptBattlefieldPort( ... )
	return nil
end

function AcceptTrade()
	return nil
end

function GuildInvite()
	return nil
end

function EventHandler:ASMSG_CLIENT_VERSION_REQUEST()
	SendAddonMessage("ACMSG_CLIENT_VERSION_VERIFICATION", 739, "WHISPER", UnitName("player"))
end

 

Edited June 25, 2020 by Smokie

[Matenia 628]

So basically they hook CastSpellByName etc. Smart and exactly what I thought they were doing. Load another custom before BEFORE this one and hook it BEFORE them. Then you may use your own custom function. 

 

[Pudge 24]

 

 

funny but the fact that castspellbyname doesn't work is half the trouble. In addition to this, I can’t run more than 2 wow windows together on the same server....

[Matenia 628]

If they don't check your IP (seems you're proxying) they might check your GetTime() (Lua) result because it is unique to your computer. You can modify this function by hooking it and adding a random offset. Search the forums.

[Droidz 2738]

Hi, if lua is modified only on MPQ file (and server don't check it after) you can try to call this code to reset CastSpell...:

wManager.Wow.Memory.WowMemory.InjectAndExecute(new []
                                               {
                                                 wManager.Wow.Memory.WowMemory.CallWrapperCode(0x53B740),
                                                 "ret"
                                                 });

 

[Pudge 24]

2 hours ago, Matenia said:

If they don't check your IP (seems you're proxying) they might check your GetTime() (Lua) result because it is unique to your computer. You can modify this function by hooking it and adding a random offset. Search the forums.

On 2/22/2019 at 11:28 AM, Matenia said:

_oldGetTime = GetTime; function GetTime() return _oldGetTime() + math.random(1000, 15000); end

Very need your help sir, I added this function that hooking GetTime in custom addon but still disconnecting.... Maybe need to add this in custom patch or what other methods?

[Matenia 628]

Dude, I'm only taking guesses. It's up to you to figure out what they do.
And yes, custom MPQ that loads FIRST is probably what you have to do.

[TheSmokie 242]

@pudge you need Push the variables on the stack then call the address by memory location 

[Pudge 24]

16 hours ago, Smokie said:

Push the variables on the stack

 

I don’t understand how to do this(

[TheSmokie 242]

[Droidz 2738]

WRobot start when you character is already in game, you cannot bypass multiaccount security with him.

You can try to edit mpq file (add code to randomize GetTime in MPQ file or found function used if they don't detect mpq files change)

[TheSmokie 242]

They check to see if the mpq file been edited and if is, downloads there own

[Pudge 24]

Hey! But what if, instead of a lua scripts/patches/modifying kernel32.dll, we make a simple script on c# that will be hacking GetTickCount(), what do you guys think? 

Because attempts to edit interface (lua) files in MPQ always ends up with the same error:

 

[TheSmokie 242]

best bet is find another server 

[Pudge 24]

16 minutes ago, Smokie said:

best bet is find another server 

À l'abordage! We need to capture this server! Yo ho ho!

[Matenia 628]

It's definitely possible to hook GetTickCount() and modify it. But we are taking a very WILD guess that this is what they use to identify your computer. 
This is mostly because I cannot think of anything else they would use (from Lua) to create a "hardware" fingerprint. 

You'll be better off just running VMs.

[Droidz 2738]

And with this wow addon: testaddon.zip (change code, addon/Title/Author name to avoid problem), if this don't works, use VMs is the best way

[Pudge 24]

1 hour ago, Droidz said:

And with this wow addon: testaddon.zip (change code, addon/Title/Author name to avoid problem), if this don't works, use VMs is the best way

 

the addon works but does not solve the problem.

[TheSmokie 242]

@pudge after trying to get pqr (new undetected copy, releasing soon all over to piss off server devs.) i believe only way to cast a spell without heavy modifing anything or using a custom Registerd Hook, ive found that RunMacroText with /cast Comands work, but its only a matter or time for them to add RunMacroText to there protection. but for now use this : 

RunMacroText("/cast Immolate")

@Droidz You can make a seprate function register or if external call the memory address and the arguments to it.