16 replies to this topic

[Nomad]

This is some information I've gathered about the recent bans.  Some of this is fact, some of this is my opinion.  I have not lost a single thing.  I didn't even know about the bans until a couple of days after it happened.

Fact:

Most, if not all, users of D2JSP have been banned. (Thanks JAVA_Sango )

Most, if not all, users of Mousepad's Maphack beta release have been banned.

Most, if not all, users of Netter's EasyPlayGold have been banned.  So far it appears that most users of the "lite" version have not been banned.

Most, if not all, users of Sting's Maphack have been banned (if they used more than "Reveal Act").  I used it and I did not ever use more than "Reveal Act".

The majority of mm.bot users have not been banned.  The few that have used other hacks, like Sting's Maphack.

D2Loader users have not been banned (I'm also a user).  Note: D2Loader has been detectable for years, but has never been banned for to my knowledge.  I theorize this is because of the modding clause, see below.

F1ndIP and reporter users have not been banned. (Thanks JAVA_Sango )

To the best of my knowledge, nobody has been banned for using any AutoIt created hacks.  All of my hacks are created in AutoIt as well.  If anyone was banned and didn't use ANY of the hacks listed here, post a reply here, or in the relevant topic.  Also post all other hacks you do use, if any.

I spent the last couple of months online using D2Loader while experimenting with memory stuff for my Chicken Hack.  But most importantly from my Memory Tool.  I was scanning, reading, and writing to the Diablo II memory while online, with no attempts made to hide my program.  No ban.


Theory:

I've been searching around gathering some info.  Based on what I've read, and on my own experiences, I've formed a theory.

I've read on a few sites that according to the EULA, it is not against the terms of service to mod Diablo II.  In fact, Diablo II has been programmed in such as way as to allow for modding.  Mods such as changing the color of the item text displayed for items, is one example of a perfectly legal mod to use on Battle.net according to what I've read.  The reason is because it does not change anything another player will see, it does not change anything about your players (which requires server-side manipulation anyway), and it does not give you any clear advantage over other players.

The way AutoIt works, is it uses Windows API calls to perform the operations required of it.  It does not ever truly attach itself to any process.  It does not normally interact with Battle.net either (but it can be done).  Reading and writing some info to a file, sending simulated input to the process, and checking the color of pixels displayed in the window of the process is about the most a basic AutoIt program does (mm.bot for example).  From what I've seen, this is not against the EULA, and it is also probably not detectable by Warden.  As long as the program is unknown to Blizzard, I'm very sure they know about mm.bot.

Even using my _MemoryRead function, it still is not violating the EULA since it is only reading from the process, which even a virus scanner can/will do (although differently).  Using _MemoryWrite starts to tread on thin ice though, it depends on what you try to write to with it.

D2Loader is basically a mod, which is why Blizzard has never banned for it.  But that doesn't mean Blizzard is going to post on their site that it's ok to use it.  Most game companies which allow modding of games do not openly support the mods users create.  This is because the game company doesn't want to get support issues from people using these mods which the company had no part in creating, and therefore probably doesn't know exactly how the mod functions.  Basically, "Use at your own risk".

Another reason Blizzard probably doesn't openly support modding is because that is basically telling players that it's ok to download third party programs for Diablo II.  This could, and probably would, lead to a lot of malware being distributed and a lot of players having their accounts hacked, their computers messed up, and maybe even personal information stolen (like credit card numbers).  So it's just more politically correct for Blizzard to not publically announce mod support (keep it on the down-low).

I'm thinking that AutoIt being used the way it is, falls into the modding clause of the EULA.  I know Blizzard has to know about mm.bot, and that's all that is needed to be able to detect a hack.  Once Blizzard has become aware that a hack exists, the most they will need is a copy of that hack and they will know how to detect it.

So why not ban mm.bot users?  Probably because it's a potential legal problem.  If just one person who is banned for using a program which is permitted according Blizzard's EULA files a lawsuit against the company, it could cost Blizzard a lot of money.  It could also have an effect on the money provided to them from the parent company for future development (I forget that company's name).

Also, all of the hacks listed which people were banned for, injected themself into the Diablo II process.  The programmers thought they could hide the injection, but they underestimated Warden. (Warden is mean )

There are a few other possibilities as well.  But the bottom line is this:  Either AutoIt is undetectable while unknown, AutoIt falls into the modding clause, or Blizzard simply doesn't care.

I hope this sheds some light on this,

Nomad :hunter:

Edited by Nomad, 27 July 2006 - 12:36 AM.

[Uchiha-Sango]

You missed 2 crucial things in your Facts section..

a ) F1ndip and reporter both have NOT been banned.

b ) D2JSP bot was the majority of EVERYTHING banned and I haven't heard of ONE person that used D2JSP and got away without a ban..

Outside of that I like this article

[Nomad]

JAVA_Sango, on Jul 26 2006, 09:52 PM, said:

You missed 2 crucial things in your Facts section..

a ) F1ndip and reporter both have NOT been banned.

b ) D2JSP bot was the majority of EVERYTHING banned and I haven't heard of ONE person that used D2JSP and got away without a ban..

Outside of that I like this article

Oh yeah, I forgot about D2JSP.  Thanks for adding that.

I've never used F1ndip or the reporter, and I don't get on mIRC a lot, so I didn't know what the status was about those.  Thanks for adding that too.

Nomad :hunter:

[Nomad]

I actually read through the entire EULA today.  I needed to know exactly what was not in violation of the EULA so I would know what content I was permitted to have on my website.  As it turns out I was mis-informed.

The EULA specifically states that modding is prohibited.  It also specifically states that any program used to allow more than 1 instance of Diablo II to be running at once was prohibited.

So now I'm at a loss.  I know they can detect D2Loader, so why not ban for it?  Not to mention mm.bot.  Maybe they're letting everyone think they are safe to use so that they have something to fall back on the next time they want to show Vivendi that they are still committed to the server stability or some crap.

Anyway, just thought I'd update anyone who might have been using a hack only because they thought it was "legal".

Nomad. :hunter:

[Uchiha-Sango]

Nomad, on Jul 26 2006, 11:30 PM, said:

Oh yeah, I forgot about D2JSP.  Thanks for adding that.

I've never used F1ndip or the reporter, and I don't get on mIRC a lot, so I didn't know what the status was about those.  Thanks for adding that too.

Nomad :hunter:

No problem thats why Im here

Also Imma laugh my ass off when loader gets banned cause I dont use it and I wont use it either so I won't be affected compared to, the reason why the havent banned it.. cause they'd lose about 50% of b.net people cause thats the amount that is using it

P.S. I mean ALL D2JSP.. not most.. ALL XD

[Nomad]

JAVA_Sango, on Jul 28 2006, 10:37 PM, said:

No problem thats why Im here

Also Imma laugh my ass off when loader gets banned cause I dont use it and I wont use it either so I won't be affected compared to, the reason why the havent banned it.. cause they'd lose about 50% of b.net people cause thats the amount that is using it

P.S. I mean ALL D2JSP.. not most.. ALL XD

I don't know why they haven't banned for using D2Loader.  I know they don't care if people come back or not, Blizzard isn't making any money off of them anyway.  Blizzard got all the money they are going to get when the person bought the game.  Banning them would probably make Blizzard more money because then some of the banned people would go out and buy a new game so they could continue playing.  So who knows?

Nomad :hunter:

[Uchiha-Sango]

Oh yea just so people dont get the wrong idea.. F1ndip and Reporter can be detected.. they just havent been banned yet.. so use at your own risk.

[BreCalmor]

Most interesting read.  Thanks for all the information, albeit too late for me...

Bre

[Nomad]

BreCalmor, on Aug 7 2006, 02:42 PM, said:

Most interesting read.  Thanks for all the information, albeit too late for me...

Bre

Did you get banned?  I'm sorry to hear it. *banned

What were you using that got you banned?

[BreCalmor]

Nomad, on Aug 8 2006, 03:43 PM, said:

Did you get banned?  I'm sorry to hear it. *banned

What were you using that got you banned?

d2jsp of course...

[Dimsum]

Banned here also..

danke for info

[DaRK_IMMoRTAL]

uhm. EoN. if you know what I am talking about. there's a thread about stings. and no. stings WITHOUT plugin is not detected. hell I still use it.

..bsector say same thing.

for all I know people who used stings without plugin were also using d2jsp and complained both banned = more confusion to what is bannable.

did I mention mods are not banned. *battle.net use..*

[Uchiha-Sango]

well thats good to know, thanks for mentioning it

[ario]

Nomad, on Jul 25 2006, 08:16 PM, said:

There are a few other possibilities as well.  But the bottom line is this:  Either AutoIt is undetectable while unknown, AutoIt falls into the modding clause, or Blizzard simply doesn't care.

Remember, Warden resides client side and is able to read anything that effects Diablo's memory space. And thus they CAN ban for Autoit, but that does not mean that they will. (the probably never will)

[Nomad]

ario, on Aug 19 2006, 06:24 PM, said:

Remember, Warden resides client side and is able to read anything that effects Diablo's memory space. And thus they CAN ban for Autoit, but that does not mean that they will. (the probably never will)

I don't deny that.    I realize they can ban for any program which gives a player an unfair advantage over other players or that manipulates their programs in any way.  However, all of the hacks which were banned for used dll injection.  They had to inject a dll into the Diablo II process for the maphack functions, and that's what Warden detected.  Detecting a program that is only reading from the virtual memory space of Diablo II is much more difficult to achieve (but not impossible).  I believe it would also severely lag people using a dial-up modem, and that's one of the key selling points for Diablo II, 56k access.  So it's highly unlikely they will ever be able to detect a program which is reading from it's virtual memory space.  They can however detect the program itself by searching the task managers, but only if they know the process name to look for.

None of my programs that I have written manipulate any part of Diablo II, nor do they inject a dll into the process.  The only thing any of them do is read from the virtual memory space, but haven't altered it in any way.  Does that mean nobody is going to get banned for using any of my programs... no.  But it means that it's highly unlikely.  Once I get my website up and running I plan to make a maphack which works soley by reading the virtual memory and not injecting a dll.  If I can accomplish this, it will be the first maphack ever for Diablo II that didn't use dll injection.  I may be reaching beyond my limits, but that's always the best way to learn.  I'm always trying to learn new things, and I think this would make a great learning experience.

In the end, there is no undetectable "public" hack.  The only undetectable hack is the one Blizzard doesn't know about, and that doesn't give itself away to Warden.  The days of dll injection are over, Warden's too mean for that.

[DaRK_IMMoRTAL]

what exactly do we need to do to prevent even more so from detection on client side base programs that only read from the cirtual memmory?

changing the name of program? *as well as processes?*
there are some programs that infact do hide processes so.. if you just do that, you will never get detected for a program just reading the virtual drive... correct?

or could warden somehow make somthing so that it finds somthing searching and detect it that... way....

[Nomad]

DaRK_IMMoRTAL, on Aug 20 2006, 09:45 AM, said:

what exactly do we need to do to prevent even more so from detection on client side base programs that only read from the cirtual memmory?

changing the name of program? *as well as processes?*
there are some programs that infact do hide processes so.. if you just do that, you will never get detected for a program just reading the virtual drive... correct?

or could warden somehow make somthing so that it finds somthing searching and detect it that... way....

Changing the process name would help, and it's directly related to the name of the program.  So, renaming the .exe will essentially rename the process.  This works fine if it's a standalone program, but if there are 2 or more programs, such a .exe and a .dll, then you would also have to rename the .dll because it will show as a process on the list when it's active.  The problem with that is when you rename the .dll, the .exe no longer knows how to find it and the program will not function properly.  You would have to edit the source of the .exe in order to rename any programs it calls.

Hiding the process is a different story.  You can have the process register itself as a service, which will hide it from the main task manager (which is what you see when you press ctrl-alt-del).  But, services have their own task manager and it can be scanned by Warden (and it probably is).

Just reading from the virtual address space of the process is not going to be detected.  But if you attempt to write anything to the virtual address space then that probably will be detected (this is what injecting a dll essentially does).  That doesn't mean that Blizzard won't find another way to detect the hack though.  As I already said, the safest hack is the one Blizzard doesn't know about.  Once they know about it they can get a copy of it.  After they get a copy of it they can reverse engineer it to find out how it works, just like we reverse engineer Diablo II to find out how to hack it.  Once they know how it works they can design a way to detect it if they want to.

In order to have an undetectable hack.  You would have to not break any of the known detection rules, and also not make the hack publically available.  Even then, the hack might not be permanently undetectable.  Blizzard could update Warden because of some other hack.  Then Warden might detect your hack because of a similar method being used by the other hack.  It's always a gamble no matter how you go about it.  But the more odds you have in your favor, the better your chances are.

Edited by Nomad, 20 August 2006 - 06:21 PM.