View Full Version : Wind Addons Uses Injection - But Why?



DarkstaR
11-05-2015, 05:34 PM
Wind Addons Uses Code Injection

While analyzing Wind Addons, @jo3bingham (http://forums.xenobot.net/member.php?u=6) found that Wind Addons was injecting code into the Tibia Client. Naturally I wanted to verify this claim, so I went and reverse engineered Wind Addons myself. What I found was astonishing. Using API monitor, I confirmed that Wind Addons was injecting a TON of memory into the Tibia Client. As you can see in the following screenshot, it injects 1507328 bytes of memory at address 0x00ae0000 using NtWriteVirtualMemory():


http://i.imgur.com/2k36N0J.png



That's a large, suspicious amount of memory. Even if we ignore the TWO other calls to NtWriteVirtualMemory() (which seem to modify Tibia's code directly), this has already proven our case. To investigate if this is really code - and let's face it, at this size, it must be - I dumped it out of memory using a Cheat Engine script:


http://i.imgur.com/raHkhQQ.png

Then, I took the result file and dropped it in Sublime Text's hex viewer (this is just a small chunk of the code):


http://i.imgur.com/VJ3H8NY.png



This proves that it is code that was injected. Why? Well, for those of you unfamiliar with assembly code, here's a few facts:

Recurring groups of 1-4 consecutive 0x00 bytes are common in x86 assembly
Recurring groups of 1-3 consecutive 0xFF bytes are common in x86 assembly
The byte 0xCC is used to pad functions to periods of 16 bytes


The first two points are very easy to verify by eye. These points are especially strong when you consider that 0x00 and 0xFF bytes won't be abundantly present in other types of data, such as text or images (and why would Wind Addons inject text or images, anyways?). As for the last point, we can also verify that easily. If you look at the hex viewer, you will see that there are 16 bytes per line (8 groups of 2 bytes). Additionally, you'll notice that every single group of 0xCC bytes ends at the end of a line, meaning the bytes are padding the lines, which are 16 bytes long. Therefore, the 0xCC bytes are indeed used to pad functions in this code to periods of 16 bytes.

Conclusion: without a doubt, Wind Addons is injecting a LARGE amount of code into Tibia.

Is This The Same As DLL Injection?

Essentially, yes. The term DLL Injection refers to a type of code injection that uses the standard Windows API to load code in the form of a dynamic library into a remote process. In this case, Wind Addons is loading the code manually, and in some format that does not resemble a dynamic library. The fact remains, however, that DLL Injection and this type of Code Injection both have the same result: they place new code inside of Tibia and then execute that new code inside of Tibia's process' context.

Saying these aren't the same thing is like putting a bullet in somebody's brain using a large hammer instead of a gun and then saying "I didn't shoot them."

I Thought Windbot didn't use injection?!?!

Me too. I guess they lied to everybody, didn't they?

Injection and You

What does this mean? Well, nothing really. As I've said time and time again, injection is safe. I'm not condemning Windbot for injecting code, I'm condemning the fact that they lied to everyone about injection being unsafe, just to sell their "injection free" software. If you had any doubts that injection is safe, you can lay them to rest now. Even the people telling you that it's unsafe don't believe that.

Come to The Dark Side, We Have Injection

If you're not already a XenoBot user, now's the time to start. Using 100% injection makes XenoBot faster and more accurate than Windbot, and it allows you to bot without losing control of your mouse or keyboard. It's better, more powerful, and just as safe. But don't take it from me, just give the people over at Windbot a truth serum and they'll tell you themselves.

Binary Inbound

XenoBot is going to get even better with the release of XenoBot Binary (http://forums.xenobot.net/showthread.php?38571), so stick around.
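
The byte-pattern check described in the post above, automated over a dump (an added example, not part of the original post or of either bot's code). The function names, thresholds and sample bytes are constructed assumptions; BASE is the allocation address the post reports.

```python
from itertools import groupby

BASE = 0x00AE0000  # allocation address reported in the post (16-byte aligned)

def byte_runs(data, value):
    """Return (offset, length) for every maximal run of `value` in `data`."""
    runs, off = [], 0
    for b, grp in groupby(data):
        n = sum(1 for _ in grp)
        if b == value:
            runs.append((off, n))
        off += n
    return runs

def padding_alignment(data, base=BASE, align=16, min_len=2):
    """Count 0xCC runs of >= min_len bytes and the fraction ending on an aligned address."""
    runs = [(o, n) for o, n in byte_runs(data, 0xCC) if n >= min_len]
    if not runs:
        return 0, 0.0
    aligned = sum(1 for o, n in runs if (base + o + n) % align == 0)
    return len(runs), aligned / len(runs)

def short_runs(data, value, max_len):
    """Count runs of `value` no longer than max_len (the 0x00 / 0xFF groups)."""
    return sum(1 for _, n in byte_runs(data, value) if n <= max_len)

def looks_like_x86_code(data, base=BASE):
    """Apply the post's three observations; the thresholds are assumptions."""
    n_pad, frac = padding_alignment(data, base)
    zeros, ffs = short_runs(data, 0x00, 4), short_runs(data, 0xFF, 3)
    verdict = n_pad >= 2 and frac >= 0.9 and zeros > 0 and ffs > 0
    return {"cc_runs": n_pad, "cc_aligned": frac,
            "zero_runs": zeros, "ff_runs": ffs, "verdict": verdict}

def pad16(code):
    """Pad a function body with int3 (0xCC) up to the next 16-byte boundary."""
    return code + b"\xCC" * (-len(code) % 16)

# Constructed sample: three tiny hand-assembled x86 functions, padded as a compiler would.
SAMPLE_CODE = b"".join(pad16(bytes.fromhex(h)) for h in (
    "558BEC83EC08C745FC000000008B45FC8BE55DC3",    # local = 0; return local
    "558BEC837D0800750583C8FFEB05B8010000005DC3",  # return arg ? 1 : -1
    "B8FFFFFF7FC3",                                # return 0x7FFFFFFF
))
SAMPLE_TEXT = b"Constructed sample: plain ASCII text has no int3 padding. " * 4

if __name__ == "__main__":
    for name, blob in (("code", SAMPLE_CODE), ("text", SAMPLE_TEXT)):
        print(name, looks_like_x86_code(blob))
```

A 0xCC byte can also occur as an instruction operand or as data, so the result is an indicator to confirm with a disassembler rather than a proof.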

Stusse
11-05-2015, 05:43 PM
DarkstaR == Cip Automatic Detection Tool

Conspiracy confirmed.

On a more serious note, yeah this is some concerning stuff. Would be fun to post this on WindBot forums to let them explain themselves or at least hear a comment to this.
Fun stuff reading. I'm again impressed by Darkstar :]

Proves to me we made the right choice with XenoBot!

/Stusse

Pidek098
11-05-2015, 06:36 PM
Interesting..

But still people would use it even about that lie, cuz they learn all from neobot, ibot how to use that kind of bots. XB is on other level, just my opinion.

Y2Quakepc2
11-05-2015, 07:27 PM
Marketing > Science genious.

Interesting still, that's why you got the smartest people using xenobot.

iMike
11-05-2015, 07:51 PM
GG enious.

Luls
11-05-2015, 09:25 PM
I don't have an account on windbot forums. Has anyone asked about this there? I'm curious about what they would say.

Ben
11-06-2015, 02:04 AM
Lucas Terra in his sticky on wind addons says that


Does it inject any DLLs to the client?
It does not inject any DLLs to your client, the modifications are made by writing to the program's memory.

So it might not be technically lying, but it is misleading to his customers.

draadloos
11-06-2015, 02:06 AM
I don't have an account on windbot forums. Has anyone asked about this there? I'm curious about what they would say.

ye several people did. still no reaction.

EDIT: here is the post: https://forums.tibiawindbot.com/showthread.php?3133-Wind-Client-Addons&p=292039#post292039

Luls
11-06-2015, 03:16 AM
EDIT: here is the post: https://forums.tibiawindbot.com/showthread.php?3133-Wind-Client-Addons&p=292039#post292039


Thanks :)

Kociii
11-06-2015, 07:38 AM
They will remove the post shortly and ban the user who mentioned it heheh :D

Yaro
11-06-2015, 04:56 PM
Isn't that what Lucas wrote in #3 of Wind Addons FAQ?
https://forums.tibiawindbot.com/showthread.php?2146-WindMods-and-WindMC&p=21506&viewfull=1#post21506
/Imba

JustAnotherDay
11-06-2015, 05:15 PM
I honestly don't give a damn, windbot is simply so much easier as someone has already stated

I tried xenobot first thing after neobot went down, was dissatisfied to say the least

Joshwa534
11-06-2015, 06:18 PM
I honestly don't give a damn, windbot is simply so much easier as someone has already stated

I tried xenobot first thing after neobot went down, was dissatisfied to say the least

Bland post, to say the least.

Some input as to what is "harder" on XenoBot can lead to getting changes made.

DarkstaR
11-06-2015, 06:52 PM
Isn't that what Lucas wrote in #3 of Wind Addons FAQ?
https://forums.tibiawindbot.com/showthread.php?2146-WindMods-and-WindMC&p=21506&viewfull=1#post21506
/Imba

Modifying memory and injecting code aren't the same thing.


I honestly don't give a damn, windbot is simply so much easier as someone has already stated

I tried xenobot first thing after neobot went down, was dissatisfied to say the least

XenoBot has gotten 100x better since then, and that'll go up by another order of magnitude with the XenoBot Binary release in the next few days.

ezgame
11-06-2015, 07:25 PM
I don't wanna say that xeno is bad at all, but windbot has navi scripts for roshamuul ek+ed, walls ek+ed etc

DarkstaR
11-06-2015, 07:30 PM
I don't wanna say that xeno is bad at all, but windbot has navi scripts for roshamuul ek+ed, walls ek+ed etc

So what? XenoBot has the capability to do this quite easily, the only difference is that no scripting team has done it yet. We have a way for clients to communicate and work together just fine, except we don't call it "navi."

It's foolish to measure the bot based on one single facet of its capabilities. Also, it's completely off-topic, but if you want to be a fool I'll leave it so everybody can see.

shadowart
11-06-2015, 08:14 PM
I don't wanna say that xeno is bad at all, but windbot has navi scripts for roshamuul ek+ed, walls ek+ed etc
I have a free "navi" EK & ED script for lower roshamuul that will be released next week. I will keep making free team scripts if there's interest in them.

kravers
11-06-2015, 08:18 PM
Windot is shit anyway tbh. Just the fact that it writes the spells using your keyboard when you don't have the hotkeys assigned is freaking hilarious. And shadowart that sounds so sweet ;3

auto
11-07-2015, 12:01 AM
I have a free "navi" EK & ED script for lower roshamuul that will be released next week. I will keep making free team scripts if there's interest in them.

what a bloke

Yaro
11-07-2015, 01:13 AM
Windot is shit anyway tbh. Just the fact that it writes the spells using your keyboard when you don't have the hotkeys assigned is freaking hilarious. And shadowart that sounds so sweet ;3

Thats like saying nordic walking is better than jogging, because you dont have to run LOL. If you can compare 2 different things, that means you are just fucking retarded.

DarkstaR
11-07-2015, 01:34 AM
This isn't a flame Windbot or flame XenoBot thread, so any more posts doing so will receive infractions.

This thread is sticking to the facts, and they are outlined in the main post. Stay on topic, everyone.

pepero
11-07-2015, 02:17 AM
what a coincidence, I was just researching a couple of weeks ago about how WindAddons worked, cause it was kinda ironic to see it for free in there and with sooooo much publicity and not a bit of explanation of what it really did internally (Because it does not simply change the fps variable, you can check that out with Tibia Low Framerate from Chuitox...).
Anyway, nothing new that it was injecting code, but still, I'd die to see the source code from WindAddons.

sausting
11-07-2015, 04:47 AM
looking forward to
http://i.imgur.com/OMDnJ71.png

gZ on well done work!

auto
11-07-2015, 05:13 AM
so when you said you were retired, this was just to upset me ? :(

gZ on well done work!

got him

Krim
11-09-2015, 12:41 AM
I have a free "navi" EK & ED script for lower roshamuul that will be released next week. I will keep making free team scripts if there's interest in them.

I will be the first one to try it. :rolleyes:

Joshwa534
11-09-2015, 01:52 AM
what a coincidence, I was just researching a couple of weeks ago about how WindAddons worked, cause it was kinda ironic to see it for free in there and with sooooo much publicity and not a bit of explanation of what it really did internally (Because it does not simply change the fps variable, you can check that out with Tibia Low Framerate from Chuitox...).
Anyway, nothing new that it was injecting code, but still, I'd die to see the source code from WindAddons.
jo3bingham is about to release a pretty awesome tool similar to TLF & WindAddons but has a lot of other features as well. ;)

pepero
11-09-2015, 02:20 AM
jo3bingham is about to release a pretty awesome tool similar to TLF & WindAddons but has a lot of other features as well. ;)

That'd be nice!