Open noah- opened 6 years ago
Even if you manage to bypass/spoof the requiredwork request by patching it or sending a valid response, the library will still require a major overhaul. It'll run into their server side detection.
@StoneOfJordan this is 100% true. Libs need 'humanizing' to say the least.
What about "ExtraWork Blocker"?
ExtraWork blocker is easy to do and would probably let you get a few weeks (at most). The truth is, any real AAC will require RE into very annoying code for a dead game. It's time to stick a fork in it, it's done.
Noah, while it really hurts to see a message like that coming from a person like you, it's almost settling. I want to thank you for the foundation that you put in place; it gave me years and years of joy. You have actually helped shape my career and getting into computers and finding joy in learning to program and what you can make a program do by reverse engineering what you've put forth. It was an amazing ride and a lot of that is thanks to you and the other heavy hitters that contributed to D2BS and Kolbot. Thank you to you and all the others that helped us all.
Vouch. Sad day in the botting arena when d2bs is rip, was such a good run. Shame all my accs got 8s from last season's ban wave when they got you via keys.
Since 5th January there is a new mpq file, 8F643EB7B81BD40E01827D86D4FC40D9.mpq. It is smaller than the previous one, but it is now sending a new packet (80 packets in a row) before sending the ExtraWork response. The new packet is on SID connection 0xDE.
Example packet sent looks like this:

Client -> SID
FF DE 7A 00 0A 74 1F 51 B4 B2 3E A0 02 65 E7 4B 7F 84 59 5A B0 CC 99 B0 56 CA 2E B2 84 58 CC EF 59 AC AB F5 C9 1A 8D 50 03 12 1A 44 A5 A4 9C 8E 0D 23 30 80 78 5F 77 2F D1 91 0B 63 E9 81 F7 D7 8A A6 06 9F A0 1D 8B 2A 66 92 F3 62 46 3B 28 FA 14 22 58 87 17 29 BA E2 CE 01 F4 A0 25 F5 D4 FF 23 0F AB A8 B8 24 9F CF 5B 57 EB DC 44 A0 3F 29 CD 30 D7 97 5E BE FA 62 AA B7
My guess on the struct for this packet is the following, but it doesn't match all sent packets. There are 3 scenarios here:

Header - 4 BYTEs
BYTE - 0x0A (always same)
BYTE - DataSize
BYTE[DataSize] - Data

Header - 4 BYTEs
BYTE - 0x0A (always same)
BYTE - DataSize
BYTE - Something (0x01)
BYTE[DataSize] - Data

Header
BYTE - 0x0A (always same)
BYTE - DataSize
BYTE - Something (0x02)
BYTE[DataSize] - Data
BYTE[?] - With Something set to 0x02 we have some extra bytes after data.

"Something" might be to define what type of data is used (BYTE or WORD), but those are just my assumptions.
Anything yet? I'm sure a lot of private just wondering if there's much going on.
Blizzard is using a 0x4C message to require clients to download an MPQ file containing new clientside anti-cheat that detects kolbot.

Proposed bypass:
Create bypass for this specific anti-cheat
if anti-cheat matches the fix, use it
if new anti-cheat is detected, shutdown

Work needed:
analyze d2stage*.dll files and log messages sent back for valid clients
add a 0x4C handler to verify anti-cheat method by taking hash of dll file downloaded by the request