
Thread: Use your hardware mouse!

  1. #1
    Join Date
    Dec 2010
    Posts
    483
    Mentioned
    30 Post(s)
    Quoted
    328 Post(s)

    Default Use your hardware mouse!

    Hey folks!

    Been working on a rather large couple of projects lately, which a couple of you know about.

    During this time I've been doing a lot of inspection into possible detection avenues that Jagex can take. Of course, as outlined before, there's a million and one things they could do to try and detect us. However, I've found one thing that they are definitely doing.

    After I found it, I checked around to see if anyone else had. Stumbled upon this old post from MITB: https://www.moparscape.org/smf/index.php?topic=597618.0

    That post is almost 3 years old. I can't believe it never gained traction.

    So, essentially, Jagex has a native link library installed onto our machines - jaclib.dll. It is located in your runescape cache's LIVE folder.

    Code:
    int __stdcall Java_jaclib_ping_IcmpService_run(int a1, int a2)
    {
      int v2; // edi@1
      int v3; // eax@1
      int (__stdcall *v4)(_DWORD, _DWORD, _DWORD, _DWORD); // edx@1
      HHOOK v5; // eax@1
      int (__stdcall *v6)(_DWORD, _DWORD, _DWORD, _DWORD); // edx@1
      int v7; // eax@1
      int result; // eax@3
      struct tagMSG Msg; // [sp+30h] [bp-1Ch]@1
    
      v2 = (*(int (__stdcall **)(int, int))(*(_DWORD *)a1 + 124))(a1, a2);
      v3 = (*(int (__stdcall **)(int, int))(*(_DWORD *)a1 + 84))(a1, a2);
      v4 = *(int (__stdcall **)(_DWORD, _DWORD, _DWORD, _DWORD))(*(_DWORD *)a1 + 132);
      dword_100241B4 = v3;
      dword_10024170 = v4(a1, v2, "notify", "(III)V");
      idThread = GetCurrentThreadId();
      v5 = SetWindowsHookExA(14, (HOOKPROC)fn, hmod, 0);
      v6 = *(int (__stdcall **)(_DWORD, _DWORD, _DWORD, _DWORD))(*(_DWORD *)a1 + 132);
      hhk = v5;
      v7 = v6(a1, v2, "notify", "(I)V");
      sub_10005DA0(a1, dword_100241B4, v7, 0);
      while ( GetMessageA(&Msg, 0, 0, 0) )
      {
        TranslateMessage(&Msg);
        DispatchMessageA(&Msg);
      }
      UnhookWindowsHookEx(hhk);
      (*(void (__stdcall **)(int, int))(*(_DWORD *)a1 + 88))(a1, dword_100241B4);
      result = 0;
      dword_10024170 = 0;
      hhk = 0;
      return result;
    }
    Here's a reference for you: https://msdn.microsoft.com/en-us/lib...=vs.85%29.aspx

    Specifically, check out LLMHF_INJECTED.

    I confirmed - using Robot this flag is set to 1. Using my hardware mouse it remains at 0.

    This flag may be sent to the server (unconfirmed), notify is called natively.


    Take what you want from this.


    EDIT:

    A small note. Why don't they just ban us all if this flag has existed this long? I believe after the last ban wave they learned that it's better to have bots in the game than not. Both from a company financial standpoint and an in-game economy standpoint. This is why skilling bots hardly EVER get banned, yet money making ones are banned commonly across all platforms.
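    As an added example (editor's code, not jaclib's and not from any post in this thread), here is the per-event check a WH_MOUSE_LL hook can make on MSLLHOOKSTRUCT.flags, plus a session tally, so you can see what such a hook actually observes. Only the hook installation (sample_mouse_origin_ms) needs Windows; the classification and tally functions are portable and are exercised over a constructed list of flag words. All function and type names are my own.

```c
/* Added example: what a WH_MOUSE_LL hook sees per event, and a session tally.
 * On Windows it installs a real low-level mouse hook; elsewhere only the
 * portable classification logic is compiled and run over constructed events. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Portable stand-ins for the two MSLLHOOKSTRUCT.flags bits (values as in WinUser.h). */
#define LLMHF_INJECTED          0x00000001
#define LLMHF_LOWER_IL_INJECTED 0x00000002
typedef uint32_t DWORD;
#endif

enum input_origin { ORIGIN_HARDWARE = 0, ORIGIN_INJECTED = 1, ORIGIN_INJECTED_LOWER_IL = 2 };

/* Classify one event purely from its flags word: hardware device, injected from a
 * process at equal/higher integrity level, or injected from a lower integrity level. */
enum input_origin classify_mouse_event(DWORD flags)
{
    if (flags & LLMHF_LOWER_IL_INJECTED) return ORIGIN_INJECTED_LOWER_IL;
    if (flags & LLMHF_INJECTED) return ORIGIN_INJECTED;
    return ORIGIN_HARDWARE;
}

struct origin_tally { unsigned hardware, injected, injected_lower_il; };

struct origin_tally g_tally;   /* filled by the hook procedure on Windows */

void tally_event(struct origin_tally *t, DWORD flags)
{
    switch (classify_mouse_event(flags)) {
    case ORIGIN_HARDWARE:          t->hardware++;          break;
    case ORIGIN_INJECTED:          t->injected++;          break;
    case ORIGIN_INJECTED_LOWER_IL: t->injected_lower_il++; break;
    }
}

/* Fraction in [0,1] of events that did not come from a hardware device; 0 for an empty tally. */
double injected_ratio(const struct origin_tally *t)
{
    unsigned total = t->hardware + t->injected + t->injected_lower_il;
    if (total == 0) return 0.0;
    return (double)(t->injected + t->injected_lower_il) / total;
}

#ifdef _WIN32
static LRESULT CALLBACK mouse_hook_proc(int code, WPARAM wParam, LPARAM lParam)
{
    if (code == HC_ACTION) {
        const MSLLHOOKSTRUCT *info = (const MSLLHOOKSTRUCT *)lParam;
        tally_event(&g_tally, info->flags);
    }
    return CallNextHookEx(NULL, code, wParam, lParam);   /* never break the hook chain */
}

/* Install the hook on this thread, pump messages for `ms` milliseconds, remove it,
 * and return the injected ratio (-1.0 if the hook could not be installed). */
double sample_mouse_origin_ms(DWORD ms)
{
    HHOOK hook = SetWindowsHookExA(WH_MOUSE_LL, mouse_hook_proc, GetModuleHandleA(NULL), 0);
    if (!hook) return -1.0;
    DWORD deadline = GetTickCount() + ms;
    MSG msg;
    while (GetTickCount() < deadline) {             /* a LL hook needs a message loop */
        while (PeekMessageA(&msg, NULL, 0, 0, PM_REMOVE)) {
            TranslateMessage(&msg);
            DispatchMessageA(&msg);
        }
        Sleep(10);
    }
    UnhookWindowsHookEx(hook);
    return injected_ratio(&g_tally);
}
#endif

/* Constructed sample (not captured data): a session in which a script drives the
 * mouse with synthetic input part of the time. Returns the injected ratio. */
double demo_constructed_session(void)
{
    static const DWORD sample_flags[] = {
        0, 0, LLMHF_INJECTED, 0, LLMHF_INJECTED,
        LLMHF_INJECTED | LLMHF_LOWER_IL_INJECTED, 0, LLMHF_INJECTED
    };
    struct origin_tally t;
    memset(&t, 0, sizeof t);
    for (size_t i = 0; i < sizeof sample_flags / sizeof sample_flags[0]; i++)
        tally_event(&t, sample_flags[i]);
    return injected_ratio(&t);   /* 4 of 8 events are injected -> 0.5 */
}

int main(void)
{
#ifdef _WIN32
    printf("injected ratio over 5 s of live input: %.2f\n", sample_mouse_origin_ms(5000));
#endif
    printf("injected ratio over the constructed sample: %.2f\n", demo_constructed_session());
    return 0;
}
```

    Built on Windows, moving the mouse by hand for the five seconds leaves the ratio at 0, while input generated through SendInput or java.awt.Robot carries LLMHF_INJECTED on every event, which is the distinction the thread is about. The ratio is a per-session signal, not a verdict on any single event; legitimate remote-control and accessibility software also produces injected events, which is why the posts below ask about TeamViewer and AHK.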

  2. #2
    Join Date
    Dec 2011
    Posts
    2,142
    Mentioned
    221 Post(s)
    Quoted
    1067 Post(s)

    Default

    Do TeamViewer/AHK/similar programs also set the flag to 1? They've stated that these are legal to use, so this seems like a more general detection for potential botting which would have to be examined further.

  3. #3
    Join Date
    Dec 2010
    Posts
    483
    Mentioned
    30 Post(s)
    Quoted
    328 Post(s)

    Default

    Quote Originally Posted by Clarity View Post
    Do TeamViewer/AHK/similar programs also set the flag to 1? They've stated that these are legal to use, so this seems like a more general detection for potential botting which would have to be examined further.
    I'm not at my workstation currently, but my initial checks seemed to indicate that while using TeamViewer, jaclib's notify() method is disabled entirely.

    Could be coincidence, I'll check again when I get home. TeamViewer likely uses SendInput so I would be surprised if that didn't set the flag.

    Regardless, Jagex have admitted their detection system is tiered.

  4. #4
    Join Date
    Sep 2008
    Location
    Not here.
    Posts
    5,422
    Mentioned
    13 Post(s)
    Quoted
    242 Post(s)

    Default

    jaclib, the result of Jacmob working for jagex.
    SMART doesn't use Robot.

  5. #5
    Join Date
    Nov 2011
    Location
    England
    Posts
    3,067
    Mentioned
    293 Post(s)
    Quoted
    1089 Post(s)

  6. #6
    Join Date
    Dec 2010
    Posts
    483
    Mentioned
    30 Post(s)
    Quoted
    328 Post(s)

    Default

    Quote Originally Posted by tls View Post
    SMART doesn't use Robot.
    Robot was an example. Anything other than hardware mouse, including directly sending calls to the applet like SMART does, is flagged.

    If anyone would like to check for themselves it's very easy. The flag is arg3 (or the last argument) and it is not obfuscated (other than the corresponding class - but that extends a jaclib class which is not obfuscated) so it is super easy to hook.

  7. #7
    Join Date
    Dec 2010
    Posts
    483
    Mentioned
    30 Post(s)
    Quoted
    328 Post(s)

    Default

    Quote Originally Posted by Olly View Post
    https://www.moparscape.org/smf/index...710#msg4207710

    EDIT:

    Further explanation, just because the callback is empty doesn't mean they can't add an implementation elsewhere. It passes the flag to the callback as a boolean (var1 == 0).

  8. #8
    Join Date
    Sep 2008
    Location
    Not here.
    Posts
    5,422
    Mentioned
    13 Post(s)
    Quoted
    242 Post(s)

    Default

    If they send the data with java, it can be spoofed.

  9. #9
    Join Date
    Dec 2010
    Posts
    483
    Mentioned
    30 Post(s)
    Quoted
    328 Post(s)

    Default

    Quote Originally Posted by tls View Post
    If they send the data with java, it can be spoofed.
    Yes of course, either by Xbooting or overwriting the responsible class in the Java libraries themselves.

    Unfortunately, the first option can be detected. They already scan cmdLines, which is how they detect instrumentation. Of course the latter will have an effect on any other Java program.

    Regardless that isn't a permanent solution.

  10. #10
    Join Date
    Nov 2011
    Location
    England
    Posts
    3,067
    Mentioned
    293 Post(s)
    Quoted
    1089 Post(s)

    Default

    Also I could be wrong, but I'm quite sure you can install your own hook and remove the injected flag before jaclib gets hold of it.

    @Brandon would know more.
    Last edited by Olly; 01-20-2016 at 10:25 PM.

  11. #11
    Join Date
    Dec 2010
    Posts
    483
    Mentioned
    30 Post(s)
    Quoted
    328 Post(s)

    Default

    Regardless of whether they currently send the information to the server or not, this should be something we are worried about.

    I can not confirm at this point what they do. Yes, the callback is empty, but they may have another implementation and just override the callback. Seems pointless to have and not use.

  12. #12
    Join Date
    Feb 2011
    Location
    The Future.
    Posts
    5,600
    Mentioned
    396 Post(s)
    Quoted
    1598 Post(s)

    Default

    I wrote an anti-jaclib hook before. I don't remember if I shared it or not but I remember writing it. There was lots of features but the one you seem to be interested in is the MouseHook and KeyboardHook flag removal. Below should be enough to get you started on writing your own.


    How it works? We get the game to load our code/plugin/dll (use whatever method you want). Then in DLLMain we HIDE ourselves from detection so if the game tries to detect that our module is loaded/injected, it won't. Then we hook the SetWindowsHookEx function. If the game tries to hook the mouse, return our custom hooks instead and keep a pointer to the original function (Trampoline).

    In our trampoline function, we remove the Injection Flags and call the original hook function (don't break the chain). Voila. We are undetected and our mouse and keyboard are undetected. All without the need of a driver.


    C++ Code:
    #include <windows.h>
    #include <winternl.h>
    #include <TlHelp32.h>
    #include <chrono>
    #include <cstdint>   //std::uint32_t
    #include <cstdlib>   //malloc
    #include <cstring>   //memcpy
    #include <thread>
     
    typedef struct _LDR_MODULE
    {
        LIST_ENTRY              InLoadOrderModuleList;
        LIST_ENTRY              InMemoryOrderModuleList;
        LIST_ENTRY              InInitializationOrderModuleList;
        PVOID                   BaseAddress;
        PVOID                   EntryPoint;
        ULONG                   SizeOfImage;
        UNICODE_STRING          FullDllName;
        UNICODE_STRING          BaseDllName;
        ULONG                   Flags;
        SHORT                   LoadCount;
        SHORT                   TlsIndex;
        LIST_ENTRY              HashTableEntry;
        ULONG                   TimeDateStamp;
    } LDR_MODULE, *PLDR_MODULE;

    typedef struct _ProcessModuleInfo
    {
        std::uint32_t Size;
        std::uint32_t Initialized;
        HANDLE SsHandle;
        LIST_ENTRY LoadOrder;
        LIST_ENTRY InitOrder;
        LIST_ENTRY MemoryOrder;
    } ProcessModuleInfo, *pProcessModuleInfo;


    void* DetourFunction(BYTE *src, const BYTE *dst, const int len);
    typedef HHOOK (__stdcall *SetWindowsHookEx_t)(int idHook, HOOKPROC lpfn, HINSTANCE hMod, DWORD dwThreadId);
    SetWindowsHookEx_t o_SetWindowsHookEx;
    HOOKPROC oMouseHookedProc = NULL;





    LDR_MODULE* GetModuleIterator()  //I use assembly here but you can remove it and use GetPEB() from WinAPI.
    {
        #ifndef _USE_GET_PEB_
            void* result = NULL;

            #ifdef INTEL_SYNTAX     /**-masm=intel**/
            asm (".intel_syntax noprefix\n");
            #else
            asm (".att_syntax noprefix\n");
            #endif // INTEL_SYNTAX

            #ifndef INTEL_SYNTAX
            asm volatile
            (
                "movl %%FS:0x18,   %%eax\n"
                "movl 0x30(%%eax), %%eax\n"
                "movl 0x0C(%%eax), %0\n"
                : "=r" (result) :: "eax"
            );
            #else
            asm volatile
            (
                "mov eax, DWORD PTR [FS:0x18]\n\t"
                "mov eax, DWORD PTR [eax + 0x30]\n\t"
                "mov %0,  DWORD PTR [eax + 0x0C]\n"
                : "=r" (result) :: "eax"
            );
            #endif // INTEL_SYNTAX

            //LoadOrder.Flink is a LIST_ENTRY*, and LDR_MODULE starts with that entry, so the cast is exact.
            return reinterpret_cast<LDR_MODULE*>(reinterpret_cast<ProcessModuleInfo*>(result)->LoadOrder.Flink);
        #else
            //GetPEB() is not a WinAPI export; supply your own if you build with _USE_GET_PEB_.
            return reinterpret_cast<LDR_MODULE*>(reinterpret_cast<ProcessModuleInfo*>(GetPEB())->LoadOrder.Flink);
        #endif
    }

    void LinkLocalProcessModule(LDR_MODULE* module)
    {
        auto AddLink = [&](LIST_ENTRY* Link)
        {
            Link->Flink->Blink = Link;
            Link->Blink->Flink = Link;
        };

        AddLink(&module->InLoadOrderModuleList);
        AddLink(&module->InMemoryOrderModuleList);
        AddLink(&module->InInitializationOrderModuleList);
        AddLink(&module->HashTableEntry);
    }

    void UnlinkLocalProcessModule(LDR_MODULE* module)
    {
        auto RemoveLink = [](LIST_ENTRY* Link)
        {
            Link->Blink->Flink = Link->Flink;
            Link->Flink->Blink = Link->Blink;
        };

        RemoveLink(&module->InLoadOrderModuleList);
        RemoveLink(&module->InMemoryOrderModuleList);
        RemoveLink(&module->InInitializationOrderModuleList);
        RemoveLink(&module->HashTableEntry);
    }

    void HideSelf(HMODULE self, LDR_MODULE** old)
    {
        LDR_MODULE* module = GetModuleIterator();

        while (module->BaseAddress)
        {
            if (module->BaseAddress == self)
            {
                *old = module;
                UnlinkLocalProcessModule(module);
            }

            module = reinterpret_cast<LDR_MODULE*>(module->InLoadOrderModuleList.Flink);
        }
    }


    LRESULT __stdcall mHookedProc(int Code, WPARAM wParam, LPARAM lParam)
    {
        if (Code == HC_ACTION)
        {
            MSLLHOOKSTRUCT* Info = reinterpret_cast<MSLLHOOKSTRUCT*>(lParam);
            Info->flags &= ~LLMHF_INJECTED; //remove the injected flag.
            Info->flags &= ~LLMHF_LOWER_IL_INJECTED; //remove the injected flag.
        }
        return oMouseHookedProc(Code, wParam, lParam);
    }

    HHOOK __stdcall HOOKED_SetWindowsHookEx(int idHook, HOOKPROC lpfn, HINSTANCE hMod, DWORD dwThreadId)
    {
        if (idHook == WH_MOUSE_LL)
        {
            //Detour the caller's hook procedure in place: lpfn now enters mHookedProc,
            //which strips the flags and then calls the trampoline (the original body).
            oMouseHookedProc = (HOOKPROC)DetourFunction((unsigned char*)lpfn, (unsigned char*)&mHookedProc, 6);
        }

        //Install lpfn itself (detoured or not); every other hook type passes through untouched.
        return o_SetWindowsHookEx(idHook, lpfn, hMod, dwThreadId);
    }

    void* DetourFunction (BYTE *src, const BYTE *dst, const int len)
    {
            BYTE *jmp = (BYTE*)VirtualAlloc(NULL, len+5, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); //must be executable; malloc'd memory is not under DEP.
            DWORD dwBack;

            VirtualProtect(src, len, PAGE_EXECUTE_READWRITE, &dwBack);
            memcpy(jmp, src, len);
            jmp += len;
            jmp[0] = 0xE9; //Assembly JMP instruction.
            *(DWORD*)(jmp+1) = (DWORD)(src+len - jmp) - 5;
            src[0] = 0xE9;
            *(DWORD*)(src+1) = (DWORD)(dst - src) - 5;
            for (int i=5; i<len; i++)
            src[i]=0x90; //Assembly NOP instruction.
            VirtualProtect(src, len, dwBack, &dwBack);
            return (jmp-len);
    }

    void InitialiseHooks()
    {
        while(!GetModuleHandle("User32.dll")) //hook user32's SetWindowsHookEx function..
        {
            std::this_thread::sleep_for(std::chrono::milliseconds(100));
        }

        o_SetWindowsHookEx = (SetWindowsHookEx_t) GetProcAddress(GetModuleHandle("User32.dll"), "SetWindowsHookExA");
        o_SetWindowsHookEx = (SetWindowsHookEx_t) DetourFunction((unsigned char*)o_SetWindowsHookEx, (unsigned char*)&HOOKED_SetWindowsHookEx, 5);
    }






    static LDR_MODULE* me = NULL;
    BOOL WINAPI DllMain(HINSTANCE hInst, DWORD nReason, LPVOID Reserved)
    {
        switch(nReason)
        {
            case DLL_PROCESS_ATTACH:
            {
                DisableThreadLibraryCalls(hInst);
                HideSelf(hInst, &me);
                std::thread([] {InitialiseHooks();}).detach();
            }
            break;

            case DLL_PROCESS_DETACH:
            {
                if (me) //only relink if HideSelf actually found and unlinked us.
                    LinkLocalProcessModule(me);
            }
            break;
        }
        return TRUE;
    }
    Last edited by Brandon; 01-21-2016 at 03:53 AM.
    I am Ggzz..
    Hackintosher

  13. #13
    Join Date
    Dec 2013
    Location
    Pitcairn Island
    Posts
    288
    Mentioned
    20 Post(s)
    Quoted
    166 Post(s)

    Default

    Quote Originally Posted by Brandon View Post
    I wrote an anti-jaclib hook before. I don't remember if I shared it or not but I remember writing it. There was lots of features but the one you seem to be interested in is the MouseHook and KeyboardHook flag removal. Below should be enough to get you started on writing your own.


    How it works? We get the game to load our code/plugin/dll (use whatever method you want). Then in DLLMain we HIDE ourselves from detection so if the game tries to detect that our module is loaded/injected, it won't. Then we hook the SetWindowsHookEx function. If the game tries to hook the mouse, return our custom hooks instead and keep a pointer to the original function (Trampoline).

    In our trampoline function, we remove the Injection Flags and call the original hook function (don't break the chain). Voila. We are undetected and our mouse and keyboard are undetected. All without the need of a driver.
    You are a whiz mate

  14. #14
    Join Date
    Dec 2007
    Posts
    2,113
    Mentioned
    71 Post(s)
    Quoted
    580 Post(s)

    Default

    @Brandon; Did you update it? I have an older version somewhere. You never shared it publicly but you put it on pastebin a couple times :P

  15. #15
    Join Date
    Feb 2011
    Location
    The Future.
    Posts
    5,600
    Mentioned
    396 Post(s)
    Quoted
    1598 Post(s)

    Default

    Quote Originally Posted by Kasi View Post
    @Brandon; Did you update it? I have an older version somewhere. You never shared it publicly but you put it on pastebin a couple times :P
    I did but everything is on my windows hard drive

    Post the version you have? I want to see the difference. Hopefully I didn't miss much in the one I wrote above. I actually wrote that out based on one of my previous posts

    I can't believe you kept it lol
    I am Ggzz..
    Hackintosher

  16. #16
    Join Date
    Dec 2007
    Posts
    2,113
    Mentioned
    71 Post(s)
    Quoted
    580 Post(s)

    Default

    Quote Originally Posted by Brandon View Post
    I did but everything is on my windows hard drive

    Post the version you have? I want to see the difference. Hopefully I didn't miss much in the one I wrote above. I actually wrote that out based on one of my previous posts

    I can't believe you kept it lol
    C++ Code:
    #include <windows.h>
    #include <winternl.h>
    #include <intrin.h>   //__readgsqword for the x64 PEB read
    #include <thread>
    #include <chrono>
    #include "detours.h"

    #pragma comment(lib, "detours.lib")

    typedef void(__stdcall *ExitProcess_t)(UINT uExitCode);
    typedef HHOOK(__stdcall *SetWindowsHookEx_t)(int idHook, HOOKPROC lpfn, HINSTANCE hMod, DWORD dwThreadId);

    ExitProcess_t o_ExitProcess = NULL;
    SetWindowsHookEx_t o_SetWindowsHookEx = NULL;
    HOOKPROC oMouseHookedProc = NULL;
    HOOKPROC oKeyHookedProc = NULL;
    void* removedModule = NULL;


    typedef struct _LDR_MODULE
    {
        LIST_ENTRY              InLoadOrderModuleList;
        LIST_ENTRY              InMemoryOrderModuleList;
        LIST_ENTRY              InInitializationOrderModuleList;
        PVOID                   BaseAddress;
        PVOID                   EntryPoint;
        ULONG                   SizeOfImage;
        UNICODE_STRING          FullDllName;
        UNICODE_STRING          BaseDllName;
        ULONG                   Flags;
        SHORT                   LoadCount;
        SHORT                   TlsIndex;
        LIST_ENTRY              HashTableEntry;
        ULONG                   TimeDateStamp;
    } LDR_MODULE, *PLDR_MODULE;

    typedef struct _ProcessModuleInfo
    {
        DWORD Size;
        DWORD Initialized;
        HANDLE SsHandle;
        LIST_ENTRY LoadOrder;
        LIST_ENTRY InitOrder;
        LIST_ENTRY MemoryOrder;
    } ProcessModuleInfo, *pProcessModuleInfo;

    void LinkLocalProcessModule(LDR_MODULE* module)
    {
        auto AddLink = [&](LIST_ENTRY* Link)
        {
            Link->Flink->Blink = Link;
            Link->Blink->Flink = Link;
        };

        AddLink(&module->InLoadOrderModuleList);
        AddLink(&module->InMemoryOrderModuleList);
        AddLink(&module->InInitializationOrderModuleList);
        AddLink(&module->HashTableEntry);
    }

    void UnlinkLocalProcessModule(LDR_MODULE* module)
    {
        auto RemoveLink = [](LIST_ENTRY* Link)
        {
            Link->Blink->Flink = Link->Flink;
            Link->Flink->Blink = Link->Blink;
        };

        RemoveLink(&module->InLoadOrderModuleList);
        RemoveLink(&module->InMemoryOrderModuleList);
        RemoveLink(&module->InInitializationOrderModuleList);
        RemoveLink(&module->HashTableEntry);
    }

    void HideSelf(HMODULE self, LDR_MODULE** old)
    {
        auto GetModuleIterator = []() -> LDR_MODULE* {
            ProcessModuleInfo *pmInfo = nullptr;

            //Test _WIN64 first: _WIN32 is also defined on x64 builds, and MSVC has no inline
            //asm on x64, so the PEB (gs:[0x60]) and its Ldr field (+0x18) are read via intrinsic.
            #if defined _WIN64
            pmInfo = *reinterpret_cast<ProcessModuleInfo**>(__readgsqword(0x60) + 0x18);
            #else
            __asm
            {
                mov eax, fs:[0x30];
                add eax, 0x0C;
                mov eax, [eax];
                mov pmInfo, eax;
            };
            #endif
            return reinterpret_cast<LDR_MODULE*>(pmInfo->LoadOrder.Flink);
        };


        LDR_MODULE* module = GetModuleIterator();

        while (module->BaseAddress)
        {
            if (module->BaseAddress == self)
            {
                *old = module;
                UnlinkLocalProcessModule(module);
            }

            module = reinterpret_cast<LDR_MODULE*>(module->InLoadOrderModuleList.Flink);
        }
    }

    template<typename T, typename U>
    void DetourFunction(T &OriginalFunction, U HookFunction)
    {
        //One Detours transaction: begin, attach, commit. Leaving a second one open would hold it forever.
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourAttach(&reinterpret_cast<void*&>(OriginalFunction), reinterpret_cast<void*>(HookFunction));
        DetourTransactionCommit();
    }

    void __stdcall mHookedExit(UINT uExitCode)
    {
        LinkLocalProcessModule(static_cast<LDR_MODULE*>(removedModule));
        o_ExitProcess(uExitCode);
    }

    LRESULT __stdcall mHookedProc(int Code, WPARAM wParam, LPARAM lParam)
    {
        if (Code == HC_ACTION)
        {
            MSLLHOOKSTRUCT* Info = reinterpret_cast<MSLLHOOKSTRUCT*>(lParam);
            Info->flags &= ~LLMHF_INJECTED; //clear the bit; "&= LLMHF_INJECTED" would keep only that bit.
        }
        return oMouseHookedProc(Code, wParam, lParam);
    }

    LRESULT __stdcall kHookedProc(int Code, WPARAM wParam, LPARAM lParam)
    {
        if (Code == HC_ACTION)
        {
            KBDLLHOOKSTRUCT* Info = reinterpret_cast<KBDLLHOOKSTRUCT*>(lParam);
            Info->flags &= ~LLKHF_INJECTED;
            Info->flags &= ~0x00000002; //LLKHF_LOWER_IL_INJECTED
        }
        return oKeyHookedProc(Code, wParam, lParam);
    }

    HHOOK __stdcall mSetWindowsHookEx(int idHook, HOOKPROC lpfn, HINSTANCE hMod, DWORD dwThreadId)
    {
        if (idHook == WH_MOUSE_LL)
        {
            oMouseHookedProc = lpfn;
            return o_SetWindowsHookEx(idHook, mHookedProc, hMod, dwThreadId);
        }
        else if (idHook == WH_KEYBOARD_LL)
        {
            oKeyHookedProc = lpfn;
            return o_SetWindowsHookEx(idHook, kHookedProc, hMod, dwThreadId);
        }

        return o_SetWindowsHookEx(idHook, lpfn, hMod, dwThreadId);
    }

    DWORD __stdcall InitialiseHooks(void* param)
    {
        while (!GetModuleHandleW(L"User32.dll") || !GetModuleHandleW(L"Kernel32.dll")) //wait until both are loaded.
        {
            std::this_thread::sleep_for(std::chrono::milliseconds(100));
        }

        o_ExitProcess = (ExitProcess_t)GetProcAddress(GetModuleHandleW(L"Kernel32.dll"), "ExitProcess");
        o_SetWindowsHookEx = (SetWindowsHookEx_t)GetProcAddress(GetModuleHandleW(L"User32.dll"), "SetWindowsHookExA");

        DetourFunction(o_ExitProcess, mHookedExit);
        DetourFunction(o_SetWindowsHookEx, mSetWindowsHookEx);
        return 0;
    }

    BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) //DllMain is found by name; no export needed.
    {
        switch (fdwReason)
        {
            case DLL_PROCESS_ATTACH:
                DisableThreadLibraryCalls(hinstDLL);
                HideSelf(hinstDLL, reinterpret_cast<LDR_MODULE**>(&removedModule));
                CreateThread(NULL, 0, &InitialiseHooks, NULL, 0, NULL);
                break;

            case DLL_PROCESS_DETACH:
                MessageBoxA(NULL, "Detaching", "", 0);
                break;
        }
        return TRUE;
    }

    Not much difference it seems, generics and uses MSDetours :P Keeping it... Lmao! I have random files on my desktop; when I wanna clean my desktop, I drag all said files into a new folder. In time, my desktop gets messy again and I drag this folder into a new folder. It's a vicious endless cycle. I found the file like 3 generations down. Dated back to Feb 2015. Isn't the first version you wrote.

    Man... the shit i found though
    Last edited by Kasi; 01-22-2016 at 02:07 AM.

  17. #17
    Join Date
    Feb 2011
    Location
    The Future.
    Posts
    5,600
    Mentioned
    396 Post(s)
    Quoted
    1598 Post(s)

    Default

    Quote Originally Posted by Kasi View Post
    Not much difference it seems, Generics and uses MSDetours :P keeping it...Lmao! i have random files on my desktop, when i wanna clean my desktop, i drag all said files into a new folder. in time, my desktop gets messy again and i drag this file into a new file. It's a vicious endless cycle. i found the file like 3 generations down. Dated back to feb 2015. Isn't the first version you wrote.

    Man... the shit i found though

    I'm actually glad you have this lol. Even has the 64-bit assembly too! The one I wrote above is for GCC and I forgot about 64-bit. I just wrote the Intel and AT&T syntax for anyone that doesn't understand one or the other. Yeah the one you have is nice! It does the keyboard as well as the mouse but only compiles with MSVC.

    Other than that, your version is better. It even hooks ExitProcess to properly reattach the module before termination. Swap out the detours with the one I posted above and voila. Perfect. Or just keep both

    Glad you kept it man!
    Last edited by Brandon; 01-22-2016 at 02:14 AM.
    I am Ggzz..
    Hackintosher

  18. #18
    Join Date
    Dec 2007
    Posts
    2,113
    Mentioned
    71 Post(s)
    Quoted
    580 Post(s)

    Default

    Quote Originally Posted by Brandon View Post
    I'm actually glad you have this lol. Even has the 64-bit assembly too! The one I wrote above is for GCC and I forgot about 64-bit. I just wrote the Intel and AT&T syntax for anyone that doesn't understand one or the other. Yeah the one you have is nice! It does the keyboard as well as the mouse but only compiles with MSVC.

    Other than that, your version is better. It even hooks ExitProcess to properly reattach the module before termination. Swap out the detours with the one I posted above and voila. Perfect. Or just keep both

    Glad you kept it man!
    Yeah, the plan was to add it to the cpp bot! Shame I didn't get around to adding it. Maybe I'll get time after this year. I'll probably just bookmark this thread too.

  19. #19
    Join Date
    Nov 2006
    Posts
    2,369
    Mentioned
    4 Post(s)
    Quoted
    78 Post(s)

    Default

    I remember that there was a thread about this here years ago. Nice to see that Brandon has already made an anti detection hook.

    Here are some ideas that came to my mind, that are probably useless since Brandon already has a solution:

    Buy an arduino and program it to take commands from simba and send mouse events back to operating system.
    https://www.arduino.cc/en/Reference/MouseKeyboard

    Use mouse api of a virtual machine. I don't know if this would actually prevent the flag.
    https://www.virtualbox.org/sdkref/in...94607e6ce6e418
    Quote Originally Posted by DeSnob View Post
    ETA's don't exist in SRL like they did in other communities. Want a faster update? Help out with updating, otherwise just gotta wait it out.

  20. #20
    Join Date
    Dec 2007
    Posts
    289
    Mentioned
    4 Post(s)
    Quoted
    86 Post(s)

    Default

    Quote Originally Posted by Clarity View Post
    Do TeamViewer/AHK/similar programs also set the flag to 1?
    I asked myself the same question. All my scripts interact with the official client, though some use AHK for things like dropping. I use SendKeys() to fire off the AHK keybinds/shortcuts.

    Quote Originally Posted by the bank View Post
    Regardless, Jagex have admitted their detection system is tiered.
    Undoubtedly. This is similar to how Jagex (may) view mouse movements. Someone using a touchscreen to interact with the game will appear to have their mouse teleporting all over the place.

    I suspect this is just yet another indicator amongst many others to help identify potential macroers.

  21. #21
    Join Date
    Feb 2011
    Location
    The Future.
    Posts
    5,600
    Mentioned
    396 Post(s)
    Quoted
    1598 Post(s)

    Default

    Just tested SurfaceBook touch screen. It registers as hardware input. Also tested the SurfacePen, it registers as hardware input. However, any calls to SendInput in WinAPI registers as software input. So it seems that it is actually a viable option of detecting a bot. It makes sense that the touch and pen registers as hardware input because it really is hardware. Has drivers and everything.

    However, the mouse does indeed appear magically from one place to another when using the touch screen or the pen. For that reason, I don't think recording the mouse clicks or movement is a good idea for bot detection.

    Not sure whether or not a virtual machine would use SendInput or hardware input. Especially with VT-D (Virtual Technology Direct-IO).
    Last edited by Brandon; 01-30-2016 at 02:58 AM.
    I am Ggzz..
    Hackintosher

  22. #22
    Join Date
    Oct 2014
    Posts
    32
    Mentioned
    0 Post(s)
    Quoted
    23 Post(s)

    Default

    What does SCAR/Simba result in when not using SMART?

    ..and how hard/easy would it be to add something like this to SMART?, or would it have to be a separate plugin?

  23. #23
    Join Date
    Feb 2006
    Location
    Australia
    Posts
    628
    Mentioned
    15 Post(s)
    Quoted
    105 Post(s)

    Default

    Quote Originally Posted by weequ View Post
    Buy an arduino and program it to take commands from simba and send mouse events back to operating system.
    This actually sounds like a great product.. Botting mouse - $29.99 from the simba store..

  24. #24
    Join Date
    Dec 2008
    Posts
    135
    Mentioned
    0 Post(s)
    Quoted
    44 Post(s)

    Default

    Quote Originally Posted by Krazy_Meerkat View Post
    This actually sounds like a great product.. Botting mouse - $29.99 from the simba store..
    I went out and bought an Arduino Zero. Coming in 2 days, will report back.

  25. #25
    Join Date
    Feb 2006
    Location
    Australia
    Posts
    628
    Mentioned
    15 Post(s)
    Quoted
    105 Post(s)

    Default

    Quote Originally Posted by Grunt View Post
    I went out and bought an arduino zero. Comming in 2 days, will report back
    I hope you didn't spend too much, the ones I saw were like $70-$100.. I was talking about the cheaper boards like the Arduino UNO which I'm seeing for $6-$15 or something like that.. I wanted to learn about Arduinos because they looked a bit more fun than PCBs but there's always a shortage of time for all these little projects..
