Selling   PC  PareidoliaTriggerbot - Hypervisor-based, external Widowmaker triggerbot (Undetected Since 2018)

Discussion in 'Overwatch Boosting for Sale - Buy and Sell' started by Harry Harbour, 4/16/21.

Thread Status:
Not open for further replies.
  1. Harry Harbour

    Price $: 0.99
    My discord - Stick#1642 - Please read all details below if you're committed in being a legit customer

    PareidoliaTriggerbot is an external Widowmaker triggerbot which uses the VivienneVMM and MouClassInputInjection projects to bypass the Overwatch Anti-Cheat.

    This # has remained undetected since its initial completion in early 2018.



    Implementation

    PareidoliaTriggerbot is composed of a user mode client application and a kernel mode driver. The client contains the triggerbot logic, and the driver provides support services for the client (e.g., reading process memory without a handle) via a device interface.

    Triggerbot Logic

    The client executes an infinite tick loop to update the triggerbot state machine. The following diagram depicts a simplified overview of the tick loop:

    Code:
                    .-----------------------.
                    |                       |
                    v                       |
    +===============================+       |
    |      Process user input       |       |
    +===============================+       |
                    |                       |
                    v                       |
    .-------------------------------.       |
    |  Is the round context valid?  |--No-->+
    '-------------------------------'       |
                    |                       |
                   Yes                      |
                    |                       |
                    v                       |
    .-------------------------------.       |
    |  Is the triggerbot enabled?   |--No-->+
    '-------------------------------'       |
                    |                       |
                   Yes                      |
                    |                       |
                    v                       |
    +===============================+       |
    |  Read Widowmaker Trace State  |       |
    +===============================+       |
                    |                       |
                    v                       |
    .-------------------------------.       |
    |   Is the player's crosshair   |--No-->+
    |     over an enemy player?     |       |
    '-------------------------------'       |
                    |                       |
                   Yes                      |
                    |                       |
                    v                       |
    +===============================+       |
    |       Activate trigger        |       |
    +===============================+       |
                    |                       |
                    v                       |
    +===============================+       |
    |       Trigger cooldown        |       |
    +===============================+       |
                    |                       |
                    '-----------------------'

    Widowmaker Trace State

    The Widowmaker trace state is a ULONG-sized variable which has a nonzero value when:
    1. There is a Widowmaker player in a match.

    2. The Widowmaker player has the Widow's Kiss sniper rifle equipped.

    3. The Widowmaker player is scoped (i.e., zoomed in) and the Widow's Kiss is fully charged.

    4. The Widowmaker player's crosshair is over an enemy player entity or a dynamic, non-player entity (e.g., the payload, a closed spawn door, or the lid of a trash can).

    This variable exists as a field in the trace state object type. The following diagram depicts the trace state elements inside the Overwatch virtual address space:

    Code:
          Low Memory
    +====================+
    |                    |      Trace State Object
    |                    |               ~
    |                    |        +=============+
    |                    |        |             |         Trace State
    |--------------------|        |-------------|              ~
    | Dynamic Allocation | -----> | Trace State | -----> [0, MAXULONG]
    |--------------------|        |  Variable   |
    |                    |        |-------------|
    |                    |        |             |
    |                    |        +=============+
    |                    |
    |                    |
    |                    |
    |                    |
    |                    |
    +====================+
          High Memory

    The game engine maintains one trace state object for each Widowmaker player in a match. A trace state object is created each time a non-Widowmaker player swaps to the Widowmaker hero. The object is destroyed when the player swaps to a non-Widowmaker hero, the round ends, or the player leaves the match.

    NOTE We do not fully understand the purpose of the trace state variable. We refer to this concept as the 'trace state' because the variable behaves as if it were the hit detection result of the game engine running a trace ray whose origin vector is the Widowmaker player's crosshair.

    Widowmaker Trace State Instruction

    The trace state mechanic provides all of the functionality required to write a triggerbot. In order to use this mechanic we need to be able to locate the address of our (local player) trace state object inside the remote Overwatch process. This is nontrivial for the following reasons:
    1. The address of the target trace state object changes when the object is destroyed and recreated.

    2. We cannot hook code in the Overwatch process because the anti-cheat frequently scans for code patches.

    3. Overwatch's code and data are significantly obfuscated.

    We can reliably recover the address of our trace state object using the VivienneVMM Capture Execution Context Register request. Our target instruction is executed whenever a Widowmaker player presses their 'zoom' keybind. The following is the annotated assembly of the target instruction:

    Code:
    Platform:   Windows 7 x64
    File Name:  Overwatch.exe
    Version:    1.41.1.0 - 63372
    SHA256:
        9d079af7df9ed332f32d303c1eec0aab886f300dc79489019b8bbae682cbdb99
    Assembly:
        89 87 FC 01 00 00   mov     [rdi+1FCh], eax
            rdi = Pointer to the base address of a trace state object.
            1FC = The field offset of the trace state variable.
            eax = The new trace state value.

    NOTE We found this instruction by scanning Overwatch's virtual memory for values which changed when the local player was scoped / not scoped.

    NOTE We do not fully understand the purpose of the trace state instruction or its containing function.

    Anti-Cheat Bypass

    PareidoliaTriggerbot passively avoids detection using the following strategies:
    1. The client interacts with the target Overwatch process using the driver interface. i.e., The client does not open any handles to the target Overwatch process.

    2. The client uses the MouClassInputInjection project for stealthy mouse input injection.

    3. The driver registers kernel object callbacks to prevent the target Overwatch process from reading the client's virtual address space.

    4. The triggerbot simulates realistic mouse clicks by waiting for a dynamic amount of time before injecting the mouse release event. This release delay is a pseudo-random number bounded by parameters in the config file.

    The initialization process will be explained on Discord via legit buyers

    This cheta has been undetected for 3 years, and I would like it to stay that way. To ensure this, only legit buyers can buy my product, and there will be a limit of 15 slots. After all the slots have been used, my cheta will not be available anymore. It is a first come, first served process, to combat any bans.

    My discord - Stick#1642

    Prices may vary, discounts will be offered to those that are really keen in joining my small community

    All payments will be done through paypal, if you can prove to me you are an active overwatch player and are a legit buyer you can pay through "goods and services" if not you will have to pay through "friends and family" to combat any scams.
     