Haha yeah, I didn't get banned and I've had NG installed since like v2.x. Daniel put that theory down, so as of now I'm looking at MC, packets, and possibly the memory being checked for signs of alteration.Originally Posted by Blazed
Jo3
Haha yeah, I didn't get banned and I've had NG installed since like v2.x. Daniel put that theory down, so as of now I'm looking at MC, packets, and possibly the memory being checked for signs of alteration.
Jo3
THEORY 1:
So far I have some gold cases like a person that was banished, even not cheating since 6 months ago. He only left blackd proxy installed. So what is that solid proof? Having a bot name in the list of your installed programs?
My guess is Tibia client can obtain the list of your installed programs, and it can send the list to tibia servers, probably only on request, when a scan wave happens, maybe only once each month (because it causes big lag, kicks and deaths for everybody) If tibia client sended that always at start then it would bee too easy to catch that packet.
I will appreciate help from people who can read hex, and know about the API who can obtain the list of installed programs. The call is probably somewhere in the code of the tibia client. That would confirm my theory
In that case the solution would be hiding the installed bot from the list of installed programs or making an installer that register every dll+ocx without adding anything to the list of installed programs.
A temporal solution would be uninstalling Blackd Proxy and unzipping the latest update zip in a random folder like C:\abcfsdopjh\
Blackd Proxy should still work, even if not "installed" and if my theory is true then it should save you the ban.
This is not proven yet and I will need a lot of help to catch their autodetection code. I will need to read a lot of comments from people who was banished.
---------
progress: list of dlls that tibia uses...
Executable modules
Base Size Entry Name File version Path
00400000 003A4000 00556284 Tibia 8.40 C:\Archivos de programa\Tibia\Tibia.exe
58C30000 0009A000 58C334BA COMCTL32 5.82 (xpsp.08041 C:\WINDOWS\system32\COMCTL32.dll
5F120000 000CC000 5F12A322 OPENGL32 5.1.2600.5512 (x C:\WINDOWS\system32\OPENGL32.dll
5FEA0000 00021000 5FEA15D5 GLU32 5.1.2600.5512 (x C:\WINDOWS\system32\GLU32.dll
62E30000 00009000 62E32EAD LPK 5.1.2600.5512 (x C:\WINDOWS\system32\LPK.DLL
71A20000 00008000 71A21638 WS2HELP 5.1.2600.5512 (x C:\WINDOWS\system32\WS2HELP.dll
71A30000 00017000 71A31273 WS2_32 5.1.2600.5512 (x C:\WINDOWS\system32\WS2_32.dll
72F80000 00026000 72F854A5 WINSPOOL 5.1.2600.5512 (x C:\WINDOWS\system32\WINSPOOL.DRV
736E0000 0004B000 736E1431 DDRAW 5.03.2600.5512 ( C:\WINDOWS\system32\DDRAW.dll
73B40000 00006000 73B41089 DCIMAN32 5.1.2600.5512 (x C:\WINDOWS\system32\DCIMAN32.dll
74D20000 0006B000 74D3E409 USP10 1.0420.2600.5512 C:\WINDOWS\system32\USP10.dll
76340000 0001D000 763412C0 IMM32 5.1.2600.5512 (x C:\WINDOWS\system32\IMM32.DLL
76B00000 0002E000 76B02B61 WINMM 5.1.2600.5512 (x C:\WINDOWS\system32\WINMM.dll
770F0000 0008B000 770F1560 OLEAUT32 5.1.2600.5512 C:\WINDOWS\system32\OLEAUT32.dll
774B0000 0013D000 774CD0B9 ole32 5.1.2600.5512 (x C:\WINDOWS\system32\ole32.dll
77BE0000 00058000 77BEF2A1 msvcrt 7.0.2600.5512 (x C:\WINDOWS\system32\msvcrt.dll
77DA0000 000AC000 77DA70FB ADVAPI32 5.1.2600.5512 (x C:\WINDOWS\system32\ADVAPI32.dll
77E50000 00092000 77E5628F RPCRT4 5.1.2600.5512 (x C:\WINDOWS\system32\RPCRT4.dll
77EF0000 00049000 77EF6587 GDI32 5.1.2600.5698 (x C:\WINDOWS\system32\GDI32.dll
77F40000 00076000 77F451FB SHLWAPI 6.00.2900.5512 ( C:\WINDOWS\system32\SHLWAPI.dll
77FC0000 00011000 77FC2126 Secur32 5.1.2600.5512 (x C:\WINDOWS\system32\Secur32.dll
7C800000 00103000 7C80B63E kernel32 5.1.2600.5512 (x C:\WINDOWS\system32\kernel32.dll
7C910000 000B5000 7C922C28 ntdll 5.1.2600.5512 (x C:\WINDOWS\system32\ntdll.dll
7E390000 00091000 7E39B217 USER32 5.1.2600.5512 (x C:\WINDOWS\system32\USER32.dll
Now see what is needed to program something that read your list of installed programs: advapi32.dll ! Coincidence? I think not a simple coincidence. Why tibia needs to access your registry? I don't think that is legal. I think that maybe Cipsoft also cheats after all. And in that case, if my theory is true, then they cheat against real law, not game laws, and they can be sued for that after a serious investigation.
Note that their massive scans also require a lot of packet move and that causes massive lag and kicks for servers. So consider them also responsible for the death of lots of players by lag that they generated: Players that were mostly not cheating died because their original way to detect cheaters.
Private Declare Function RegQueryValueEx Lib "advapi32.dll" Alias "RegQueryValueExA" _
(ByVal hKey As Long, ByVal lpValueName As String, ByVal lpReserved As Long, _
lpType As Long, lpData As Any, lpcbData As Long) As Long
Private Declare Function RegOpenKeyEx Lib "advapi32.dll" Alias "RegOpenKeyExA" _
(ByVal hKey As Long, ByVal lpSubKey As String, ByVal ulOptions As Long, _
ByVal samDesired As Long, phkResult As Long) As Long
Private Declare Function RegCloseKey Lib "advapi32.dll" (ByVal hKey As Long) As Long
Private Declare Function RegEnumKeyEx Lib "advapi32.dll" Alias "RegEnumKeyExA" _
(ByVal hKey As Long, ByVal dwIndex As Long, ByVal lpName As String, lpcbName As Long, _
ByVal lpReserved As Long, ByVal lpClass As String, lpcbClass As Long, _
lpftLastWriteTime As FILETIME) As Long
Theory 1 fails because...
- why not everybody who had blackd proxy installed was not banished?
- why Cipsoft would risk their great business doing something illegal like obtaining your list of installed programs?
-----------
THEORY 2:
they search strings "blackd" "ng" "elfbot" in your chat logs (private or not) If string is found more than 10 times in the log of the last 6 months then that would be "enough" proof and you get an automatic ban. Searching over big logs for every player would take some minutes of cpu even for a powerfull server. That makes sense considering the long lag that happened during the waves.
+ They started adding unique id to private messages and storing them since 6 months ago (that is when they started with this anticheat thing)
+ They also protected their back by writting this privacy page since 6 months ago (that is when they started with this anticheat thing)
http://www.tibia.com/support/?subtop...s&page=privacy
"CipSoft collects, processes and uses stock and usage data, to the extent that is necessary in individual cases, if it is required to reveal and to stop fraudulent behaviour or any other form of using CipSoft's services which violates legal regulations or the service agreement. In particular, CipSoft reserves the right to log, process and use information such as the time and the content of conversations and expressions of opinion that take place in their online services if there are complaints, reports or other credible indications of behaviour that violates legal regulations or the service agreement, for example the serious insulting of other users. This regulation extends to all parts of CipSoft's online service, including, but not limited to, guild channels, private channels and private messages."
Solution: Never talk about your bot inside tibia! Use msn or ventrilo for 100% safe communication
Maybe you already wrote the word Blackd 2 or 3 times and it is "not enough proof yet" for their automatic function. Stop writing such forbidden words from now and maybe you will be safe in the future!
I disbelieve both of his theories, and I'd like to add to my list: blacklist. They've just blacklisted players they know who have broke the rules, waited til they got a fairly big list, then banned them to scare bot developers.
Jo3
no joe, i believe that ive found evidence of the client doing memory scanning to detect altered addresses.
1) How many accounts do you use, and were any of them banished?
1 account, and it was banned.
2) Do you use a hexed MC client, a run-time MC patcher, or neither?
None
3) Do you use a modified .pic file, .spr file, both, or neither?
I had a .pic file before, but recently no.
4) Which bot programs do you use, if any?
Tibiabot NG
5) Do you send error reports when the client crashes, or have you ever sent one?
Hell no.
6) Do you use a program to bypass the login servers?
No.
8) Does your bot program use memory reading/writing, packet.dll, proxy, hooking, or something else?
Tibiabot NG uses hooking.
10) Please post any other helpful information here, such as: have you abused a game weakness?
I ONLY used NG for things such as scripts and occasionaly healing, etc. Never used cavebot or any of the more common features.
Alright so I'll type up a list of common functions that alter the memory.
- Level Spy
- Name Spy
- Light
- Outfit Changer
- World Only View
- "Fun Stuff" (Edit xp, level, eq, etc.)
This is just a basic list, there are more I'm sure. Seeing as though Level Spy, Name Spy, and Light Hack are the main used ones we should work on redoing these without memory editing. Level Spy - We could read the map in memory for the floor we want to see and create a "map update" packet and send it to the client? Name Spy - Read the battlelist and save the name/coordinates for each entry then use an injected DLL to write the names on the screen? Light Hack - Create a "world light" packet and send it to the client.
Aha! Take that cip...
Jo3
isn't it illegal?
Reading information from their own program? No, lol.
Jo3
Yeah, I thought you were talking about scanning other processes, nvm.
i dont think they "only" detect memory editing, if they do so a packet should be sent containing the info or something so i guess it will be easy to check.
And I've seen most of the banneds i know have been visited or reported by a gm so they are probably blacklisteds as "possible botters". So i guess theory 1 could be right but they will only ban if blacklisted+registry.
who knows..still need more time.
1) How many accounts do you use, and were any of them banished?
2 accounts, no bans.
2) Do you use a hexed MC client, a run-time MC patcher, or neither?
None
3) Do you use a modified .pic file, .spr file, both, or neither?
no
4) Which bot programs do you use, if any?
Elfbot , Blacksmith Bot
5) Do you send error reports when the client crashes, or have you ever sent one?
no
6) Do you use a program to bypass the login servers?
No.
8) Does your bot program use memory reading/writing, packet.dll, proxy, hooking, or something else?
pcaket.dll,proxy,memory reading/writing,hook...
10) Please post any other helpful information here, such as: have you abused a game weakness?
i knew this would happen so i didnt bot during this last week / 10 days xD
Posting Permissions
Reply With Quote