Northdale Warden scanning for hardware?


CocoChanel

My theory with the account creation is broken because 3 accounts that were created in the real world with real, different IPs were banned. All at the same time.

I think they detect the botting in the logs, maybe.

 

Also, same for me: I have an account that seems invisible to them. Not created by me. Botted on socks5. Survived 4 mass bans.

Link to comment
Share on other sites

@Itsalex I was talking about maybe the browser being able to see it but I mean that's not even the same layer, doesn't mean they can't identify your browser fingerprint but Matenia already talked about that.

And yeah, the client as discussed is just any old WoW client, not their specific one.

Throws me back to square one.

 

 

Link to comment
Share on other sites

Am I relatively safe by botting with ONLY questing profiles? (and using the best ones?) I just bought this product and I'm starting to wonder if it was worth it if all you guys are getting banned...

Link to comment
Share on other sites

1 hour ago, CocoChanel said:

Check original post.

"After speaking with some people who have experience with the Lightshope system and know how it works, I can confirm that they are using a fingerprint system, but I am still unsure if it is in the website or in the Warden, but I assume it's in the Warden."

Pretty decent information, I'd figure they'd use something like this. First step is to create accounts with unique fingerprints I guess; if we still end up getting shit on, it's time to start looking at virtualization.

 
Link to comment
Share on other sites

Warden seriously can't scan for anything that could create a fingerprint. At most, they can check which addons (by name) are active, I think.
MAYBE they can check for a list of drivers or something? I'm unsure of the exact capabilities of vanilla warden.

Link to comment
Share on other sites

Just now, CocoChanel said:

I'm very sure that they can scan your LAN. 

I'm 99% sure they cannot. Even if they could, it doesn't tell them anything. Or are you implying they could scan for the MAC address of your network adapter? That can "easily" be spoofed.
https://en.wikipedia.org/wiki/MAC_spoofing

Link to comment
Share on other sites

It's also possible they might see what port you're using, so if you're using a SOCKS5 proxy with default port 1080 it's pretty obvious you're using a proxy to bot on

Link to comment
Share on other sites

Maybe that will work, idk, all I know is that I have talked with staff from the server and they told me that this is how they catch botters, but there might be more to it. Yesterday I tried botting 3 accounts on 3 different proxies and the internet I was using was from my iPhone, after 1 hour all my characters got ported to GM island and banned. Now I am using my own network from home, and it seems to go fine

Link to comment
Share on other sites

1 minute ago, itsalex said:

It's also possible they might see what port you're using, so if you're using a SOCKS5 proxy with default port 1080 it's pretty obvious you're using a proxy to bot on

Maybe, but people are getting banned in waves

Link to comment
Share on other sites

Used many 1080 socks5. All dead. But my one survivor is on 1080 too and survived multiple waves.

Also I doubt they ban by MAC or HWID. That would mean my survivor should have been gone a long time ago.

Link to comment
Share on other sites

11 hours ago, Zandarus said:

Am I relatively safe by botting with ONLY questing profiles? (and using the best ones?) I just bought this product and I'm starting to wonder if it was worth it if all you guys are getting banned...

It's got nothing to do with that. They are detecting a connection between multiple bots and the individual's hardware/software used to bot them. If you haven't been hit with a ban before, you should be fine. At the moment, I am unable to get out of Valley of Trials without getting every bot banned, and that is all quests.

Used many 1080 socks5. All dead. But my one survivor is on 1080 too and survived multiple waves.

Also I doubt they ban by MAC or HWID. That would mean my survivor should have been gone a long time ago.

I too have had random survivors of ban waves, with nothing obvious differentiating them from the accounts that got banned. Perhaps they leave a survivor to maintain the link between you and future bots you create?

Link to comment
Share on other sites

Well they didn't leave me any survivor.

Blizzard's Warden used to scan window/process names and hash them, then compare the hashes, but that was on what? Windows XP? I don't know if those old methods still work.

As I understand it if they wanted to run their own custom made warden module they'd have to give you a custom client too?

Anything can be a fingerprint if it's hashed, as long as the input data is variable enough for there to be no false positives, but I don't know what else the old warden can scan if they can even use that.

Maybe they are just manually catching all the accounts, then wave-ban them and taunt us to make us think they have a link between accounts (in the GM room there is an NPC called "We see more than you think" and the GM says stuff like "Oh you are running a lot of bots").

 

 

Link to comment
Share on other sites

I found myself to be completely fine with up to 3 clients from the same PC. If I go over that threshold, bans come flying in even in starting zones. The method by which accounts were created didn't matter: under VPN, normal IP, proxy, no difference.

They basically must have a way to find out how many clients from the same PC are connected. Plus my theory about the proxies being flagged still stands, as I didn't receive any mass bans while under a VPN. 

Link to comment
Share on other sites

2 hours ago, milkme said:

Well they didn't leave me any survivor.

Blizzard's Warden used to scan window/process names and hash them, then compare the hashes, but that was on what? Windows XP? I don't know if those old methods still work.

As I understand it if they wanted to run their own custom made warden module they'd have to give you a custom client too?

 

They won't be able to run a custom warden module without a modified client. The warden module contains a signature which is being checked by the client; this signature was signed with the private key on Blizzard's side.

Unless they have cracked the key, which is highly unlikely, they won't be able to write their own warden modules.

You are correct about them being able to check which processes are running. I assume that Wrobot is circumventing this scan of course, otherwise it would have been detected ages ago.

 

Looking at all the evidence it is quite clear that they have a way to establish a link between all accounts.

I don't believe that they are using a modified warden module to fingerprint the computer the client is running on. In fact, this is quite easily verifiable by hashing their warden module and comparing it to known modules (as far as I know there are only 2 known modules for the 1.12.1 patch - could be wrong though).

As an educated guess I would say that they do one of the following things to fingerprint users (some of which have been mentioned by others as well):

  1. Monitor accounts with certain mail providers
  2. Browser canvas fingerprinting (highly likely)
  3. IP address lookups to verify that the IP is not from a blacklisted proxy provider (this is one of the most likely methods as well)
  4. They've further reverse engineered the client or warden and found a way to fingerprint an individual computer (scariest possibility as there wouldn't be any quick bypass)
  5. Wrobot hasn't bypassed all warden scans and warden is still able to scan for processes running (verifiable on the user side)

 

Could be either one of those or all together, who knows. So far I haven't been banned on any of my accounts (I'm running more than 4), therefore it's hard for me to look further into it. Almost wishing I'd get banned so I could tinkle around (hope I didn't jinx myself here).
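The signature check and the hash comparison described in the post above, as an added sketch that is not part of the original thread and not Blizzard's or any server's code. The toy textbook-RSA keys, the SHA-1 digest, the module bytes and all function names are assumptions made for illustration; the real Warden module format and key are not given on this page.

```python
import hashlib

# Toy textbook RSA built from Mersenne primes. Constructed for this example
# only: the keys are far too small and unpadded for any real use.
E = 65537

def make_key(p, q):
    """Return (n, d): public modulus and private exponent for primes p, q."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

VENDOR_N, VENDOR_D = make_key(2**127 - 1, 2**89 - 1)  # stand-in for the vendor key
OTHER_N, OTHER_D = make_key(2**107 - 1, 2**61 - 1)    # a key the client does not trust

def digest_int(module: bytes) -> int:
    # SHA-1 is 160 bits, so the value is below both toy moduli.
    return int.from_bytes(hashlib.sha1(module).digest(), "big")

def sign(module: bytes, n: int, d: int) -> int:
    """Signing needs the private exponent d."""
    return pow(digest_int(module), d, n)

def client_accepts(module: bytes, signature: int) -> bool:
    """Client-side check: only the public half (VENDOR_N, E) is embedded."""
    if not 0 <= signature < VENDOR_N:
        return False
    return pow(signature, E, VENDOR_N) == digest_int(module)

def is_known_module(module: bytes, known_sha256: set) -> bool:
    """The check the post suggests: hash the module, compare to known hashes."""
    return hashlib.sha256(module).hexdigest() in known_sha256

def demo():
    original = b"constructed module bytes, original"       # constructed sample
    custom = b"constructed module bytes, with extra scan"  # constructed sample
    known = {hashlib.sha256(original).hexdigest()}
    vendor_sig = sign(original, VENDOR_N, VENDOR_D)
    return {
        "original_with_vendor_sig": client_accepts(original, vendor_sig),
        # Reusing the vendor signature on different bytes fails the check.
        "custom_with_reused_sig": client_accepts(custom, vendor_sig),
        # Signing with a key the client does not embed fails as well.
        "custom_with_other_key": client_accepts(custom, sign(custom, OTHER_N, OTHER_D)),
        "original_is_known": is_known_module(original, known),
        "custom_is_known": is_known_module(custom, known),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```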

Link to comment
Share on other sites

Once the bans start on you they seem to have you logged. So you better take that wish back haha. Once it is started it cannot be stopped.

Also:

Theory 1: Been talking to many botters. All using different emails. Same problem everywhere though. Hotmail. Yahoo. They can't just flag all email providers. Especially the big ones. Way too many false positives.

 

Theory 2: I had 3 accounts created by friends all over the world. All of them seemed fine till lvl 10. Then I decided to start one of my own characters created in incognito and with VPN. 10 mins later I had a ban party. Never tried it again without adding my self-created accounts. I should though.

Theory 3: Could be. But I have a guy surviving multiple ban waves with same port and pretty identical range to these that got banned. Also they seem to get me even when I used different providers. All at the same time in GM box. Still could be possible though.

Theory 4: Sounds like mission possible but not probable. You never know though.

Theory 5: I doubt that. We would have gotten such problems way earlier.

Link to comment
Share on other sites

50 minutes ago, Bambo said:

Theory 2: I had 3 accounts created by friends all over the world. All of them seemed fine till lvl 10. Then I decided to start one of my own characters created in incognito and with VPN. 10 mins later I had a ban party. Never tried it again without adding my self-created accounts. I should though.

Incognito mode doesn't protect you from a website fingerprinting your browser's canvas. Your canvas is unique to your browser, so if you open any website, a tracker could track you through incognito as well as normal modes.

I suggest you try "Multiloginapp" which is going to make it virtually impossible to fingerprint your computer through your browser.

Link to comment
Share on other sites

Well, even if. The 3 accounts created by my worldwide friends were banned immediately after I started my incognito bot. All the 3 accounts had nothing in common. Different browsers. Different socks5. Maybe the browser theory is invalid.

Whatever it is, it catches the bots before they leave the starting area.

Link to comment
Share on other sites
