-
Automatic Bot-Detection Tool Discussion
I've seen a lot of discussing/arguing around the forums lately on how CipSoft's automatic bot-detection tool works, and instead of flooding others' threads with off-topic posts I've made an official thread to allow just that. I'll post my thoughts on the subject and finish with some FAQs.
For one, there is no evidence in the client of client-sided bot-detection. The closest thing they've done in this direction is the recent addition of count data to the Attack and Follow packets, which was quickly, and easily, trumped by DarkstaR. If anyone has any evidence of client-side detection we would all be more than happy to see it, but I know it doesn't exist. So, that can only leave one thing: the automatic bot-detection is server-sided. A simple Google search for MMORPG bot-detection will show you plenty of sources explaining server-sided bot-detection methods used for well-known MMORPGs (WoW, Ragnarok Online, etc.). The methods explained are basically the same across the board:
- Packet Response (the time it takes the user to respond to an incoming packet from the server). These include, but are not limited to, healing, looting (TTB looting a backpack in less than 1 second), and much more. Basically anything that is done faster than humanly possible.
- Packet Repetitiveness (sending the same packets at the same interval). The biggest culprit that comes to mind is rune making.
- Impossible(?) Packets (sending packets to the server that could not be done manually). LordOfWar brought this to my attention with TibiaBot NG's Player/Creature Information feature. This feature works by sending a Look packet for every player and creature in the battlelist, even if they're off-screen or above/below the user's current level.
I'm sure there are more packet-detection methods used, but these are the major ones I wanted to hit on. I'd like to take a moment to talk about probably the biggest bot-detection method CipSoft could be using, in my opinion, and that would be walking systems in cave bots. Most bots today use a system of waypoints that the user continuously loops through. The problem with this is that they write to their player's GoTo XYZ values and the client in turn creates an Auto Walk packet that is sent every time the user tries to go to the waypoint. For example, your first waypoint is 12345, 54321, 6. The bot writes to the addresses and the player starts moving. However, the player gets stopped on the way to attack a creature. After finishing the kill the bot writes the same values to the addresses and the bot goes again. Again, the player is stopped to attack a creature. And repeat. If you don't understand what I'm getting at here then you should re-read it. The player attempts to go to the same location over-and-over-and-over-and-over... And in my opinion, this is the number one way that CipSoft detects botters.
Now, a lot of people are starting to get into bots based solely on key strokes and mouse clicks, which is fine. The main advantage these bots have over others is that they don't have to worry about packet changes, just memory changes. DarkstaR and I have done some extensive research in the Tibia client's GUI structure. I can personally do anything with any part of the client with just mouse clicks and key strokes that anyone can do manually. I can look at/use/move items, interact with other players/creatures/NPCs, anything. I can do all this even if the client is hidden, minimized, anything. But using mouse clicks and key strokes isn't enough to bypass CipSoft's bot-detection. Bots that send packets are just as safe as bots that use key strokes and mouse clicks; it all depends on how the bot acts compared to a human. DarkstaR's TUGBot is used by hundreds, possibly thousands, of users and there have been 3-4(?) unconfirmed banishments. Either it was more of an accusation or the user was using another bot in conjunction with his. Oh, and his bot doesn't use key strokes or mouse clicks, just packets.
FAQs
Q: MC is detectable. It's the only thing my friend ever used and he got banned.
A: Not really a question, but ok. There is no hard evidence with the use of MCs that can allow CipSoft to ban you for it. Plenty of players play on a LAN connection, and a lot of the users on these LAN connections use the same type of computer.
Q: What about the extra bytes at the end of the packets? These could easily be encrypted with information letting the server know the player is using a bot.
A: True, they could be, but, if I'm not mistaken (correct me if I'm wrong), the client just fills these 'junk bytes' with zeros. Hence, no information could be concluded from them. The use of the 'junk bytes' is to make the packet divisible by 8 for the XTEA encryption/decryption routines.
I'll add more Q&As as they are addressed in the thread.
Thanks for taking the time to read this. Feel free to use this thread as a means to discuss CipSoft's bot-detection system. Everyone is free to express their own opinions here, but without proof (which no one really has) it's just an opinion.
-
RE: Automatic Bot-Detection Tool Discussion
Let's say I've got a really fast HealBot. Could the server notice that I, several times, send a heal packet directly after a damage packet is received? If so, that could be a problem and probably a way of detecting botters.
About this MC thing you talked about. Tibia could very easily detect if more than one TibiaClient is running at the same computer by using the Mutex function.
-
RE: Automatic Bot-Detection Tool Discussion
Quote:
Originally Posted by TibiaWarTools
About this MC thing you talked about. Tibia could very easily detect if more than one TibiaClient is running at the same computer by using the Mutex function.
It is also very easy to counteract that; a better way (although still crackable) for CipSoft would be to send a hardware ID to the server and deny the connection if that hardware ID is already connected.
edit: Tibia already uses a mutex to detect if several tibia clients are running
edit2: Great thread Jo3, much appreciated
-
RE: Automatic Bot-Detection Tool Discussion
Quote:
Originally Posted by Blaster_89
Tibia already uses a mutex to detect if several tibia clients are running
Yes it does, when the TibiaClient loads. But you don't know if the running TibiaClient checks for new mutexes once in a while and, if one is detected, sends a "detected packet" to the server.
-
RE: Automatic Bot-Detection Tool Discussion
What if you're online and watching a recording then?
-
RE: Automatic Bot-Detection Tool Discussion
Quote:
Originally Posted by TibiaWarTools
Quote:
Originally Posted by Blaster_89
Tibia already uses a mutex to detect if several tibia clients are running
Yes it does, when the TibiaClient loads. But you don't know if the running TibiaClient checks for new mutexes once in a while and, if one is detected, sends a "detected packet" to the server.
It doesn't, and even if it did we know all the packets that are sent between the client and server.
-
RE: Automatic Bot-Detection Tool Discussion
Great Thread!
I even got excited and want to make my own safe bot ~a bit of sarcasm but not entirely false~
-
RE: Automatic Bot-Detection Tool Discussion
Quote:
Originally Posted by TibiaWarTools
Let's say I got a really fast HealBot. Could the server notice that I, several times, sends a heal-packet directly after a damage-packet is recieved? If then, that could be a problem and probably a way of detecting botters.
About this MC thing you talked about. Tibia could very easily detect if more than one TibiaClient is running at the same computer by using the Mutex function.
Just checked with Olly. The only Mutex is the one we NOP for MC, so this is not the case.
@Thread
Bad packets.
-
RE: Automatic Bot-Detection Tool Discussion
I believe in bad packets, but the 'Map Click' always on the same SQM should be a way to detect it.
As I said on shoutbox, ANYBODY can hunt like 15 hours click ALWAYS on the same SQM to walk:
12345, 54321, 7
54321, 12345, 7
This 'infinite' loop will be analyzed by CipSoft, then they will check how many times you made that action.
My friend hunted with ElfBot from level 120 and he is 310 nowadays and he wasn't banned. He hunted with Distance Target, so he wasn't always walking on the same SQM for CipSoft; he could 'click' on X SQM all the time, but the server received a lot of packets when he was running from the monsters and I guess that makes it hard for them to detect.
It's all theories, but I guess that's the best idea =P
-
RE: Automatic Bot-Detection Tool Discussion
I was installing ZoneAlarm to block some services and I started Tibia and BlackD. First ZoneAlarm said Tibia is trying to connect to 127.0.0.1 and I pressed allow (to connect to BlackD).
After half an hour of botting this came up:
Weirdo:
So why is Tibia trying to connect to this IP, 77.237.239.41?
That IP goes to Germany.
Edit: after continuing botting, Tibia was trying to connect to 239.192.152.143.
I pressed block and Tibia crashed.
Edit 2: When I don't allow 77.237.239.41 the client crashes.
-
RE: Automatic Bot-Detection Tool Discussion
Well, my opinion about this is very simple.
They have several methods:
- Bad packets (basic detection): avoided by using keystrokes and mouse clicks.
- The "fast" packets/clicks, and with the same time interval.
- On cavebots, always hitting the same place.
On the cavebots the solution is that when the player gets to the point the first time, it detects the surrounding walkable squares and adds them to a list of candidates, so it doesn't hit the same spot twice.
Or just play without bots hauUHuhAUHHUAhua :p
kIDDING :d
-
RE: Automatic Bot-Detection Tool Discussion
Ladabot does exactly that: it stores a random list of walkable nodes.
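The node-list idea from the two posts above, written out as an added example (it is not Ladabot's or any other bot's code): around each waypoint the walker picks a different walkable square every pass, so consecutive GoTo writes for the same waypoint never target the same SQM. The map, the waypoint coordinates and the "walkable" rule are constructed for the illustration, and the `Walker`, `candidates` and `repeat_rate` names are mine.

```python
import random

# Constructed sample map for this example: a small floor at z=7 with three blocked
# squares. A real bot would read walkability from the client's tile data instead.
BLOCKED = {(12344, 54320, 7), (12346, 54322, 7), (12345, 54323, 7)}


def is_walkable(pos):
    x, y, z = pos
    return z == 7 and 12342 <= x <= 12348 and 54318 <= y <= 54324 and pos not in BLOCKED


def candidates(waypoint, radius=1):
    """Walkable squares within `radius` of the waypoint on the same floor."""
    x, y, z = waypoint
    return [(x + dx, y + dy, z)
            for dx in range(-radius, radius + 1)
            for dy in range(-radius, radius + 1)
            if is_walkable((x + dx, y + dy, z))]


class Walker:
    """Hands out GoTo destinations around each waypoint and remembers the last
    few, so the same waypoint never produces the same destination twice in a row."""

    def __init__(self, waypoints, radius=1, memory=3, seed=None):
        self.radius = radius
        self.memory = memory          # how many recent destinations to avoid
        self.rng = random.Random(seed)
        self.recent = {wp: [] for wp in waypoints}

    def destination(self, waypoint):
        """Square to write into the GoTo X/Y/Z values for this waypoint."""
        options = candidates(waypoint, self.radius)
        recent = self.recent.setdefault(waypoint, [])
        fresh = [p for p in options if p not in recent] or options
        dest = self.rng.choice(fresh)
        recent.append(dest)
        del recent[:-self.memory]     # keep only the last `memory` destinations
        return dest


def repeat_rate(destinations):
    """Fraction of consecutive GoTo writes that targeted the same square:
    1.0 for a fixed-waypoint bot, 0.0 for the jittered walker."""
    pairs = list(zip(destinations, destinations[1:]))
    return sum(a == b for a, b in pairs) / len(pairs) if pairs else 0.0


if __name__ == "__main__":
    wp = (12345, 54321, 7)
    walker = Walker([wp], seed=1)
    jittered = [walker.destination(wp) for _ in range(20)]
    print("fixed waypoint:", repeat_rate([wp] * 20))
    print("jittered      :", repeat_rate(jittered), jittered[:5])
```

The `memory` window is what matters against the "same destination over and over" pattern: with 7 candidate squares and a memory of 3 there are always at least 4 fresh choices, so the walk still converges on the waypoint area without ever writing the identical GoTo twice in a row.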
-
RE: Automatic Bot-Detection Tool Discussion
Bad Packets
Multiple packet sending in the same row (heal + walk)
Badly maintained code.
-
RE: Automatic Bot-Detection Tool Discussion
Quote:
Originally Posted by maozao
I believe in bad packets, but the 'Map Click' always on the same SQM should be a way to detect it.
As I said on shoutbox, ANYBODY can hunt like 15 hours click ALWAYS on the same SQM to walk:
12345, 54321, 7
54321, 12345, 7
This 'infinite' loop will be analyzed by CipSoft, then they will check how many times you made that action.
My friend hunted with ElfBot from level 120 and he is 310 nowadays and he wasn't banned. He hunted with Distance Target, so he wasn't always walking on the same SQM for CipSoft; he could 'click' on X SQM all the time, but the server received a lot of packets when he was running from the monsters and I guess that makes it hard for them to detect.
It's all theories, but I guess that's the best idea =P
r u meaning trep?
topic:
Since the start of the mass bans I haven't been banned yet. I used NG, Elf, TUGBot and Neo.
Some things :
I never bot too much, I MC using Sandboxie, and my waypoints I always create with one rule: each next point (or ground, node, etc.) must be visible on screen.
-
RE: Automatic Bot-Detection Tool Discussion
Quote:
Originally Posted by wSkull
r u meaning trep?
Not really HEHEHEHE
-
RE: Automatic Bot-Detection Tool Discussion
Quote:
Originally Posted by maozao
Quote:
Originally Posted by wSkull
r u meaning trep?
Not really HEHEHEHE
hehehe ! soo near
We can exchange some words about bots etc. in game, with noob chars of course.
-
RE: Automatic Bot-Detection Tool Discussion
Quote:
Originally Posted by wSkull
Quote:
Originally Posted by maozao
Quote:
Originally Posted by wSkull
r u meaning trep?
Not really HEHEHEHE
hehehe ! soo near
We can exchange some words about bots etc. in game, with noob chars of course.
Just send me a PM here ;P
@Thread
Well, I was talking about cavebots and about the same point every time, but it's weird: my friend hunts in the same cave every day, like 20 hours, just logging out to get stamina again, and he wasn't banned.
I don't know, we should get a spy on Cipsoft!
-
RE: Automatic Bot-Detection Tool Discussion
Agree with all that Jo3 said, but I'll not make my bot use keyboard/mouse... It makes it really hard to detect, but.... We don't really know how it works.
But the major point that I agree with Jo3 on is the cavebots.... They always use the GOTO packet and nobody hunts using them.... Everyone uses the arrow keys to hunt, or something like that... I don't know anybody who hunts using the map.
-
RE: Automatic Bot-Detection Tool Discussion
Quote:
Originally Posted by megano0body
Agree with all that Jo3 said, but I'll not make my bot use keyboard/mouse... It makes it really hard to detect, but.... We don't really know how it works.
But the major point that I agree with Jo3 on is the cavebots.... They always use the GOTO packet and nobody hunts using them.... Everyone uses the arrow keys to hunt, or something like that... I don't know anybody who hunts using the map.
People with lag use it, but as I said, nobody clicks on the same SQM all the time =P
Edit: I was reading this post:
Moving character - cavebot
As Ian said, it looks like the GoTo isn't sent to the server, only the moves the character makes when you click on the map. Does someone know about that? Is the GoTo sent to the server, or just the movement made by the character?
-
RE: Automatic Bot-Detection Tool Discussion
Bad packets can be measured by Cyclic Redundancy Checks. I've created a topic to discuss about one hypothesis based on that: http://www.tpforums.org/forum/thread-8078.html
I can explain better if wanted, but my time is short.
Let me share my hypothesis:
Cyclic Redundancy Checks are commonly used in database consistency checks. Although some people say that it is not recommended since it is easy to "fake" a redundancy check before the end of a cycle, calculated values are stochastic enough to make that argument invalid. Accidental changes to raw computer data can be caused by a simple download; that's why some projects offer checksums, mostly in MD5 or SHA-1. CRCs can be called polynomial code checksums, and work as insecure hash functions (the reason why you will never use them for encrypting passwords like you do with SHA-1, SHA-256).
The data validation that CRCs do is redundant (it adds zero information to the message) and the algorithm is always based on cyclic codes. The simplest error-detection system, the parity bit, is in fact a trivial 1-bit CRC: it uses the generator polynomial x+1.
While dealing with communications or even data sources, it is important to check if the data is corrupted; since that information can arrive at a really high frequency, it is necessary to provide quick and reasonable assurance of the integrity of messages delivered. However, they are not suitable for protecting against intentional alteration of data. Firstly, as there is no authentication, an attacker can edit a message and recalculate the CRC without the substitution being detected. Secondly, the linear properties of CRC codes allow an attacker even to keep the CRC unchanged while modifying parts of the message (as said before about validations). Nonetheless, it is still often falsely assumed that when a message and its CRC are received from an open channel and the CRC matches the message's calculated CRC then the message cannot have been altered in transit.
And of course, although cryptographic hash functions can provide stronger integrity guarantees in that they do not rely on specific error pattern assumptions, they are much slower than CRCs, and are therefore commonly used to protect off-line data, such as files (like I said before).
Now, let's see the points that Jo3 thinks:
Quote:
Q: MC is detectable. It's the only thing my friend ever used and he got banned.
A: Not really a question, but ok. There is no hard evidence with the use of MCs that can allow CipSoft to ban you for it. Plenty of players play on a LAN connection, and a lot of the users on these LAN connections use the same type of computer.
This is easy to detect; I can show that if wanted (I can't say that Cip uses that, but it is possible).
Quote:
Q: What about the extra bytes at the end of the packets? These could easily be encrypted with information letting the server know the player is using a bot.
A: True, they could be, but, if I'm not mistaken (correct me if I'm wrong), the client just fills these 'junk bytes' with zeros. Hence, no information could be concluded from them. The use of the 'junk bytes' is to make the packet divisible by 8 for the XTEA encryption/decryption routines.
You are right Jo3, the client fills the bytes with zeros since the data packets are all the same length. Junk bytes with zeros... hmm... that makes me think about redundant numbers, and redundant numbers make me think about? Yeah, CRCs!
Now my question: CipSoft introduced new packets in one of the latest Tibia clients. If I am not wrong, they send information about the computer for "statistics". Can this kind of data be used in some way for that kind of detection?
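To make the "keep the CRC unchanged while modifying parts of the message" point concrete, here is an added example (not Nostradamus's code, and nothing the thread attributes to CipSoft): it patches a message and appends four bytes chosen so that its CRC-32 still matches the original's. It uses the standard reflected CRC-32 that `zlib.crc32` computes; `forge_suffix`, `tamper_keep_crc` and the sample messages are constructed for the example, and the only assumption is that the receiver tolerates four trailing bytes it does not interpret.

```python
import zlib

MASK = 0xFFFFFFFF
POLY = 0xEDB88320  # reflected CRC-32 (IEEE) polynomial, the one zlib.crc32 uses


def _make_table():
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = _make_table()
# The top byte of each table entry is unique, so it identifies the index that
# produced it; that is what lets the update step be run backwards.
TOP_INDEX = {entry >> 24: i for i, entry in enumerate(TABLE)}


def crc32_register(data, reg=MASK):
    """CRC register after feeding `data`, without the final XOR (table-driven update)."""
    for b in data:
        reg = TABLE[(reg ^ b) & 0xFF] ^ (reg >> 8)
    return reg


def crc32(data):
    """Same value as zlib.crc32(data)."""
    return crc32_register(data) ^ MASK


def reference_crc32(data):
    """zlib's CRC-32, kept here so callers can cross-check the table implementation."""
    return zlib.crc32(data) & MASK


def forge_suffix(prefix, target_crc):
    """Four bytes s such that crc32(prefix + s) == target_crc.

    Four update steps shift the old register out completely, so the final register
    is T[k3] ^ (T[k2] >> 8) ^ (T[k1] >> 16) ^ (T[k0] >> 24) for the four table
    indices the steps select. Peel those indices off from the top byte down, then
    pick the bytes that make each step hit its index.
    """
    want = target_crc ^ MASK
    idx = [0] * 4
    for i in range(3, -1, -1):
        idx[i] = TOP_INDEX[want >> 24]
        want = ((want ^ TABLE[idx[i]]) << 8) & MASK
    reg = crc32_register(prefix)
    out = bytearray()
    for k in idx:
        out.append((reg ^ k) & 0xFF)       # byte that makes (reg ^ b) & 0xFF == k
        reg = TABLE[k] ^ (reg >> 8)
    return bytes(out)


def tamper_keep_crc(original, tampered_prefix):
    """Return tampered_prefix plus four bytes, with the same CRC-32 as `original`."""
    return tampered_prefix + forge_suffix(tampered_prefix, crc32(original))


if __name__ == "__main__":
    # Constructed messages for the example.
    original = b"transfer amount=100 to=alice"
    forged = tamper_keep_crc(original, b"transfer amount=999 to=mallory")
    print(hex(reference_crc32(original)), hex(reference_crc32(forged)), forged)
```

The forged message differs from the original in content and even in length, yet any receiver that only compares CRC-32 values accepts it. That is the property the post describes: a CRC catches line noise, not an adversary, and only a keyed MAC or a signature closes that gap.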
-
RE: Automatic Bot-Detection Tool Discussion
Quote:
Originally Posted by Nostradamus
Quote:
Q: MC is detectable. It's the only thing my friend ever used and he got banned.
A: Not really a question, but ok. There is no hard evidence with the use of MCs that can allow CipSoft to ban you for it. Plenty of players play on a LAN connection, and a lot of the users on these LAN connections use the same type of computer.
This is easy to detect; I can show that if wanted (I can't say that Cip uses that, but it is possible).
What comes to my mind is the hardware ID being sent to the server, or that the Tibia.exe checks for other clients and then sends data
-
RE: Automatic Bot-Detection Tool Discussion
Quote:
Originally Posted by Nostradamus
Now my question: CipSoft introduced new packets in one of the latest Tibia clients. If I am not wrong, they send information about the computer for "statistics". Can this kind of data be used in some way for that kind of detection?
Maybe on debug errors they get a CRC of the current memory and a CRC of the modules....
Also bad packets should ban in 100% of the cases (Bad Packets). About the CRC on the end of the packet, this one I don't know, but I personally don't think that they have a client-side detection or trick... Because it can be bypassed, I think...
But they already are sending signatures or CRCs of the Tibia.dat / Tibia.spr / Tibia.pic... So maybe yes, maybe they send a CRC (what makes a lot easier to detect MC and some other patches).
-
RE: Automatic Bot-Detection Tool Discussion
Maybe if we think about the MC detection: why do they ban only one character that you are botting with MC and not the other 3? If they get you in one MC I'm sure that they will get all of your clients.
I still belive on the theory about the Cavebot, unless it works as Ian said in this thread:
http://www.tpforums.org/forum/thread-7119-post-66209.html#pid66209
That makes sense with CRC I guess.
-
RE: Automatic Bot-Detection Tool Discussion
One thing that I can't understand....
My Aunt had 2 accounts when she used to Play Tibia.
The Mage Account (first) she NEVER botted, and NEVER used MC, but the Knight Account (second) she used a lot of NG BOT, and one day the Mage Account that never botted was banned, but the Knight Account, that she used to bot was not banned.
I think it's strange.
So, if a player BOT on LAN and you don't BOT on the same LAN computer, you are on risk of being banned XD
PS: I HOPE YOU UNDERSTAND WHAT I SAID.. XD A bit confused...
-
RE: Automatic Bot-Detection Tool Discussion
Quote:
Originally Posted by Nostradamus
Quote:
Q: What about the extra bytes at the end of the packets? These could easily be encrypted with information letting the server know the player is using a bot.
A: True, they could be, but, if I'm not mistaken (correct me if I'm wrong), the client just fills these 'junk bytes' with zeros. Hence, no information could be concluded from them. The use of the 'junk bytes' is to make the packet divisible by 8 for the XTEA encryption/decryption routines.
You are right Jo3, the client fills the bytes with zeros since the data packets are all the same length. Junk bytes with zeros... hmm... that makes me think about redundant numbers, and redundant numbers make me think about? Yeah, CRCs!
Actually the junk bytes that are added to pad out the packets for encryption aren't zero but rather pseudo-random numbers which are generated using the ISAAC algorithm; this is also used in generating the XTEA key, which is generated 1 byte at a time. This algorithm was designed for use in cryptology and works by generating an internal state of 256 32-bit integers based off the value 0x9e3779b9 and, if provided, a seed also containing 256 32-bit integers. The generator then uses this internal state to generate the random numbers; it generates 256 at a time and stores them in an "external" state and re-calculates this state once each one of the 256 numbers has been used. The Tibia client provides a seed which is generated based on the position of the mouse cursor when the client loads and whenever the mouse is moved.
As for using these bytes for hidden data, well after discovering how these bytes are generated I very highly doubt they would be doing so.
Quote:
Originally Posted by megano0body
Maybe on debug errors they get a CRC of the current memory and a CRC of the modules....
Well last I checked the error.txt report file the client creates doesn't contain any form of checksum values. They could be saving them somewhere else but I doubt it. In any case it wouldn't be hard to check what data the client is sending and where it is getting it from when you send a debug report.
Quote:
Originally Posted by Blaster_89
What comes to my mind is the hardware ID being sent to the serve
Plausible, however I doubt it. I have just taken a quick look at the hardware data they are sending, and how they gathered the data, and there didn't appear to be anything that looked like a hardware ID. All they appear to be getting/sending is the OS version, amount of system memory, processor type and speed, video card model and basic technical information for it such as memory, and display information (i.e. resolution). They are getting this information through a variety of API functions and reading the registry; none of the API functions I have seen used seem to return any unique identifiers and none of the keys I have seen being read from have any such identifiers either.
As I said though, I have only taken a quick look, so a more thorough look would be needed to say for certain what is being sent (won't be me though, couldn't be bothered and don't have too much time to do it). I'm pretty sure however no unique identifiers are being sent.
-
RE: Automatic Bot-Detection Tool Discussion
There's very good reason for people to think that mouse clicks are undetectable. Consider this:
ElfBot, NG, and BlackD Proxy all used packet shizzle, messing with Tibia's internals and doing things the normal way. They are all the most detectable bots (probably 50% of the communities have been banned using them).
NeoBot, although new, has not been detected as yet.
Now, I understand that TUG isn't detected yet (though there have been complaints from very new forum members), but perhaps CIP is using methods to detect each bot they know of individually? And of course this would mean that because TUG is such a small bot / community, they may not have heard of it, or may not see it as worthwhile exploring.
Same sorta story for Neo. If they suddenly start getting banned, maybe CIP has just found a weakness in the program which they can exploit?
The simple fact is, I can do virtually anything to the Tibia client using API or packet.dll (with a little help from my friends), and I don't think I would get banned, purely because it's not gonna be recognised by CIP as a popular bot (unless maybe I send repetitive "look" packets, like NG did, or do something similar to Elf or BD).
That's my 2 cents.
-
RE: Automatic Bot-Detection Tool Discussion
I think you are so wrong. Before this antibot system came, all bot makers made their bots as effective as they could. I mean uber fast healing, looting, targeting etc. Human-like behavior was not on the board at all at that point.
Yes, NeoBot uses mouse/keyboard to control the client, but I think its best feature is that it works human-like. I made my own bot that only walked the same square, no randomizing at all, when the antibot system came. I got banned with a bot that only had one user: me. And your theory fails again since no skilled programmer has found a client-side detection, and that must be there if it only recognizes common bots.
And those 3 bots are/were the most common bots, so ofc you will hear about players getting banned since they have so many users.
Try to make a dash function and dash all over Tibia. Or a cavebot that only walks on the same square like NG and works as NG overall. I can bet cash that you will get banned sooner or later. Sorry for my English, my eyes are falling down.
-
RE: Automatic Bot-Detection Tool Discussion
These are my thoughts:
1. Manipulating the client in a bad way, like too many memory leaks.
2. Sending the same packets continuously?
-
RE: Automatic Bot-Detection Tool Discussion
Bad packets and cavebots made with map clicks (writing the GoTo memory).
Those are the most detectable things in my mind; it's easy to detect if you check the packets sent always on the same SQM for hours.
But you know... I'm playing DOTA on Garena, and I have a Maphack, but yesterday Garena's client updated, and when I opened my Warcraft with the Maphack, Garena sent me a message saying to close the MH or I will be banned in some days. Well, Garena is a different program, and the MH works on WarCraft, that's why it was undetectable by Garena, but now they can detect it. I hadn't time to check what they did, but it's a good detection tool that they made.
They can check if I have a MH opened on my WarCraft from a program that doesn't work with it; if someone plays DOTA on Garena and wants to test it :D
-
RE: Automatic Bot-Detection Tool Discussion
So I've been out of the loop for a long time, but I'm currently coding a private bot to keep myself occupied. I've always been a big fan of proxy / stand-alone client methods, so I need to be sure I am perfectly mimicking the client, and that includes the trailing XTEA bytes. To be honest, I still have no idea whether or not these trailing bytes are used for bot detection, but I can tell you this.
Tibia has its own "random" number generator compiled into its binary; it is NOT using the random functions from libc, which is what sane people tend to do.
Tibia's random number generator appears to be implemented as a singleton, and there are only 5 functions that take a pointer to the random number generator. This is not to say that some functions haven't had their stacks optimised, but it's unlikely given the nature of a random number generator.
There are only 3 times when the first 4 bytes of the rng are touched.
1) during initialisation when "Enter Game" is clicked
2) every time a character is typed into the login dialogue (wtf?). Not yet sure if this is seeding or generating.
3) every time a random number is generated
The Flash client is using Flash's own RNG.
I can't give addresses because the client was just updated, and I use Linux anyway so they probably wouldn't be of much use. I'm planning on reverse engineering the exact algorithm some time over the next week, but there's a bug in the Linux client that makes it unbearably slow, so I need to wait for a patch.
Anyway, happy hacking.
-
RE: Automatic Bot-Detection Tool Discussion
I took a small look in to that padding bytes theory almost a year ago. From my findings I determined they were using the ISAAC PRNG which was seeded from mouse co-ordinates gathered when the client started up and whenever the mouse was moved before logging in (and it was also likely seeded by other information such as current time as well). The generator was used to generate the XTEA key and each padding byte within packets, I didn't see any evidence of data hiding within the padding bytes. Like I said though it was only a small look and that was a year ago.
I have also just taken a look at the Flash client's generator and they are actually using "their own" PRNG. The PRNG they are using is the RC4 keystream generator with a 256-byte key, they are however generating the key from Flash's random class and the current time. Their actual implementation comes from the open source as3crypto library for which you can find the source code up on Google Code (files of interest are Random.as and ARC4.as), and CIP are also in breach of not including the as3crypto library anywhere.
-
RE: Automatic Bot-Detection Tool Discussion
Quote:
Originally Posted by Sketchy
I took a small look in to that padding bytes theory almost a year ago. From my findings I determined they were using the ISAAC PRNG which was seeded from mouse co-ordinates gathered when the client started up and whenever the mouse was moved before logging in (and it was also likely seeded by other information such as current time as well). The generator was used to generate the XTEA key and each padding byte within packets, I didn't see any evidence of data hiding within the padding bytes. Like I said though it was only a small look and that was a year ago.
I have also just taken a look at the Flash client's generator and they are actually using "their own" PRNG. The PRNG they are using is the RC4 keystream generator with a 256-byte key, they are however generating the key from Flash's random class and the current time. Their actual implementation comes from the open source as3crypto library for which you can find the source code up on Google Code (files of interest are Random.as and ARC4.as), and CIP are also in breach of not including the as3crypto library anywhere.
Wow, you've done a much better job than I did, thank you. I found it strange that they bothered to include their own RNG instead of using libc, so I've always been a little suspicious. Anyway, if they are transmitting the seed it would be appended to the RSA packets. I guess one only needs to watch the packet construction to determine if this is the case.
-
RE: Automatic Bot-Detection Tool Discussion
Well the ISAAC algorithm uses seeds made up of 256 32-bit integers which far surpass the size of the RSA encrypted packets. Even without sending the seed there is still a chance they could be hiding a very specific pattern inside the trailing bytes which act as a boolean flag, of course the pattern would have to be at least 3-4 bytes to minimise collisions with actual random numbers and could possibly span over multiple packets to help with this. I didn't see any evidence of them doing this but I didn't dig too deep into it.
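An added example (not Sketchy's code and not the Tibia client's) for the padding question in the FAQ and in this exchange: it frames a payload as a length prefix plus junk bytes up to a multiple of 8, runs XTEA over it, then decrypts a batch of packets with the session key and reports what the padding looks like and whether any 4-byte window recurs across packets the way a planted flag would. The little-endian 16-bit length field, the sample payloads, the key and the `FLAG` constant are assumptions made for the example; a seeded `random.Random` stands in for the client's mouse-seeded ISAAC stream.

```python
import random
import struct
from collections import Counter

MASK = 0xFFFFFFFF
DELTA = 0x9E3779B9
FLAG = b"\xca\xfe\xba\xbe"   # hypothetical marker a client could plant in its padding


def _xtea_block(v0, v1, key, encrypt, rounds=32):
    """One 64-bit XTEA block (two 32-bit words); key is four 32-bit words."""
    if encrypt:
        s = 0
        for _ in range(rounds):
            v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + key[s & 3]))) & MASK
            s = (s + DELTA) & MASK
            v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + key[(s >> 11) & 3]))) & MASK
    else:
        s = (DELTA * rounds) & MASK
        for _ in range(rounds):
            v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + key[(s >> 11) & 3]))) & MASK
            s = (s - DELTA) & MASK
            v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + key[s & 3]))) & MASK
    return v0, v1


def _xtea(data, key, encrypt):
    words = struct.unpack("<%dI" % (len(data) // 4), data)   # little-endian words (assumed)
    out = []
    for i in range(0, len(words), 2):
        out.extend(_xtea_block(words[i], words[i + 1], key, encrypt))
    return struct.pack("<%dI" % len(out), *out)


def xtea_encrypt(data, key):
    if len(data) % 8:
        raise ValueError("XTEA input must be a multiple of 8 bytes; that is what the padding is for")
    return _xtea(data, key, True)


def xtea_decrypt(data, key):
    return _xtea(data, key, False)


def frame(payload, pad_source):
    """[u16 little-endian length][payload][junk bytes up to a multiple of 8]."""
    body = struct.pack("<H", len(payload)) + payload
    return body + pad_source((-len(body)) % 8)


def unframe(plain):
    """(payload, padding) of a decrypted frame."""
    n = struct.unpack_from("<H", plain)[0]
    return plain[2:2 + n], plain[2 + n:]


_RNG = random.Random(7)   # stand-in for the client's mouse-seeded ISAAC generator


def random_padding(n):
    return bytes(_RNG.getrandbits(8) for _ in range(n))


def zero_padding(n):
    return bytes(n)


def flag_padding(n):
    return (FLAG + random_padding(8))[:n]


def client_stream(payloads, key, pad_source):
    return [xtea_encrypt(frame(p, pad_source), key) for p in payloads]


def padding_report(frames):
    """'none', 'zero', 'constant' or 'varying' for the padding across decrypted frames."""
    pad = b"".join(unframe(f)[1] for f in frames)
    if not pad:
        return "none"
    if len(set(pad)) == 1:
        return "zero" if pad[0] == 0 else "constant"
    return "varying"


def repeated_markers(frames, width=4):
    """`width`-byte windows that recur in the padding of more than one frame. Random
    padding almost never repeats a 4-byte window across a handful of packets; a
    planted flag does."""
    seen = Counter()
    for f in frames:
        pad = unframe(f)[1]
        seen.update({pad[i:i + width] for i in range(len(pad) - width + 1)})
    return {m for m, n in seen.items() if n > 1}


def inspect_stream(encrypted, key):
    frames = [xtea_decrypt(c, key) for c in encrypted]
    return padding_report(frames), repeated_markers(frames)


# Constructed sample payloads (opcode byte plus arguments), with lengths chosen so the
# padding runs from 0 to 6 bytes.
SAMPLE_PAYLOADS = [b"\x1e", b"\x65", b"\x96" + bytes(8), b"\x14\x05\x00hello", b"\x14\x03\x00hel"]
KEY = (0x11111111, 0x22222222, 0x33333333, 0x44444444)

if __name__ == "__main__":
    for name, src in (("zero", zero_padding), ("random", random_padding), ("flagged", flag_padding)):
        print(name, inspect_stream(client_stream(SAMPLE_PAYLOADS, KEY, src), KEY))
```

Because the XTEA key is known to whoever runs the client, this check needs no reverse engineering: capture your own outbound packets, decrypt, and look at the bytes after the length-delimited payload. All-zero padding is the FAQ's assumption, varying padding with no repeated window is what a genuinely random source looks like, and a window that shows up in packet after packet is exactly the multi-packet flag this post speculates about.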
-
RE: Automatic Bot-Detection Tool Discussion
Quote:
Originally Posted by Sketchy
Well the ISAAC algorithm uses seeds made up of 256 32-bit integers which far surpass the size of the RSA encrypted packets. Even without sending the seed there is still a chance they could be hiding a very specific pattern inside the trailing bytes which act as a boolean flag, of course the pattern would have to be at least 3-4 bytes to minimise collisions with actual random numbers and could possibly span over multiple packets to help with this. I didn't see any evidence of them doing this but I didn't dig too deep into it.
True that. If the entire buffer is initialised using mouse movements as you say, then this would be impossible.
-
RE: Automatic Bot-Detection Tool Discussion
One thing that I did while developing my recording program that got me banned was related to generating a game server login packet.
What I did was start a new game connection and log in with a character that was already logged in, to get a new SelfAppear (0x0A) packet from the server.
Possible causes:
1- The XTEA key was the same as the previous connection
2- The RSA padding bytes were junk (tried with rand(), zeroes and later with uninitialized bytes)
3- Maybe kicking myself out of the game was detected as multiclienting or account sharing, but the report said: "Using unofficial software to play".. And I've done this before with the client, through many ban waves, without a scratch
I'm gonna try this feature again, but using packets generated by the client, to eliminate the 3rd cause
EDIT: of course it was a testing character, this never got released
EDIT2: can anybody check if a SelfAppear (0x0A) packet makes the client reset the attack and follow counters?
-
RE: Automatic Bot-Detection Tool Discussion
Lets open up the discussions.
It might be pretty easy for Cipsoft to use a classifier trained with botting and non botting behaviors. I doubt it would be difficult to extract certain features that are closely related to botters.
Just to name a few:
- Always healing with the same method at the same time
- Doing stuff at the same time (e.g. looting and healing)
- How often you walk on the same spots when hunting
- Mapclick and keyboard ratio
It is probably easier to classify if you combine botting with regular hunting with the same character. We probably have to think of ways of making our bots perform more human-like behavior.
- Environmental and mob awareness (not going to a place when it is pretty obvious, for a human, that there is nothing there; moving strategically when facing a large amount of mobs)
- Add human like behavior (interacting with the floor, using different ways to sort your loot, changing targets, taking pauses, etc..)
Seems to be a nice challenge :)
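The rules from the opening post (reaction time, same-interval packets, Look packets at things the player cannot see, the same GoTo square again and again) and the features listed in this post, as an added example that is not from anyone in the thread and is not CipSoft's system: a scorer over a server-side session log. The `Event` format, every threshold and the visible-range size are assumptions made for the example, and the two sessions are constructed to trip, or not trip, the rules.

```python
from collections import Counter, namedtuple
from statistics import mean, pstdev

# Server-side view of a session: t in ms, src 'S' (from server) or 'C' (from client).
Event = namedtuple("Event", "t src kind arg")

# Thresholds are assumptions made for this example, not anything CipSoft has published.
REACTION_MS = 150        # healing this soon after damage is faster than a human
MIN_REACTIONS = 5
CV_LIMIT = 0.05          # interval jitter under 5% looks machine-timed (rune making)
MIN_INTERVALS = 8
GOTO_REPEAT = 5          # the same GoTo destination this many times in one session
VIEW_DX, VIEW_DY = 7, 5  # assumed visible range around the player (half-width, half-height)


def reaction_times(events):
    """Delay from each server damage event to the next client heal."""
    out, pending = [], None
    for e in events:
        if e.src == "S" and e.kind == "damage":
            pending = e.t
        elif e.src == "C" and e.kind == "heal" and pending is not None:
            out.append(e.t - pending)
            pending = None
    return out


def interval_cv(events, kind):
    """Coefficient of variation of the gaps between consecutive client events of `kind`."""
    ts = [e.t for e in events if e.src == "C" and e.kind == kind]
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return pstdev(gaps) / mean(gaps) if len(gaps) >= MIN_INTERVALS else None


def goto_repeats(events):
    """Most-used GoTo destination and how often it was sent."""
    dests = Counter(e.arg for e in events if e.src == "C" and e.kind == "goto")
    return dests.most_common(1)[0] if dests else (None, 0)


def offscreen_looks(events):
    """Look packets aimed at something the player could not see (other floor or out of view)."""
    pos, n = None, 0
    for e in events:
        if e.kind == "player_pos":
            pos = e.arg
        elif e.src == "C" and e.kind == "look" and pos is not None:
            (x, y, z), (px, py, pz) = e.arg, pos
            if z != pz or abs(x - px) > VIEW_DX or abs(y - py) > VIEW_DY:
                n += 1
    return n


def walk_mix(events):
    """(map-click walks, single key steps): a feature for a classifier, not a verdict by itself."""
    c = Counter(e.kind for e in events if e.src == "C" and e.kind in ("goto", "step"))
    return c["goto"], c["step"]


def flag_session(events):
    """Rules that fire for a session; an empty dict means nothing looked automated."""
    flags = {}
    r = reaction_times(events)
    if len(r) >= MIN_REACTIONS and max(r) < REACTION_MS:
        flags["instant_heal"] = max(r)
    cv = interval_cv(events, "use")
    if cv is not None and cv < CV_LIMIT:
        flags["metronome_use"] = round(cv, 3)
    dest, n = goto_repeats(events)
    if n >= GOTO_REPEAT:
        flags["same_goto"] = (dest, n)
    looks = offscreen_looks(events)
    if looks:
        flags["offscreen_look"] = looks
    return flags


def bot_session():
    """Constructed: 40 ms heals, rune use every 2000 ms exactly, one GoTo square, looks at unseen creatures."""
    ev = [Event(0, "S", "player_pos", (12345, 54321, 7))]
    for i in range(6):
        ev += [Event(1000 + i * 3000, "S", "damage", 120), Event(1040 + i * 3000, "C", "heal", None)]
    ev += [Event(20000 + i * 2000, "C", "use", "blank_rune") for i in range(10)]
    ev += [Event(50000 + i * 7000, "C", "goto", (12345, 54321, 7)) for i in range(6)]
    ev += [Event(60000, "C", "look", (12345, 54321, 8)), Event(60100, "C", "look", (12360, 54321, 7))]
    return sorted(ev, key=lambda e: e.t)


def human_session():
    """Constructed: varied reaction and rune timing, mostly arrow-key steps, looks only at what is in view."""
    ev = [Event(0, "S", "player_pos", (12345, 54321, 7))]
    for i, d in enumerate((620, 410, 900, 330, 750, 480)):
        ev += [Event(1000 + i * 3000, "S", "damage", 120), Event(1000 + i * 3000 + d, "C", "heal", None)]
    t = 20000
    for gap in (2100, 1800, 2600, 1900, 2300, 2050, 2700, 1750, 2200, 2400):
        ev.append(Event(t, "C", "use", "blank_rune"))
        t += gap
    ev += [Event(50000 + i * 400, "C", "step", "north") for i in range(12)]
    ev += [Event(56000, "C", "goto", (12340, 54318, 7)), Event(58000, "C", "goto", (12341, 54319, 7))]
    ev.append(Event(60000, "C", "look", (12348, 54323, 7)))
    return sorted(ev, key=lambda e: e.t)


if __name__ == "__main__":
    print("bot  :", flag_session(bot_session()), walk_mix(bot_session()))
    print("human:", flag_session(human_session()), walk_mix(human_session()))
```

Each rule needs only what the server already sees: timestamps, packet types, the player's position and the target of each Look. None of it requires client-side code, which is the thread's point, and the same functions are the feature extractors you would feed a classifier instead of hard thresholds.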
-
I would say manual checking is the method they use; otherwise I think it's weird that iBot, RedBot and Xeno have about the same ban ratio per user. And I do not think the report button is for nothing.
-
You must be kidding saying that Red and Xeno got the same amount of users deleted as iBot, I'm sorry =D
-
Quote:
Originally Posted by maozao
You must be kidding saying that Red and Xeno got the same amount of users deleted as iBot, I'm sorry =D
tbh, current bots don't make huge server-sided mistakes. Clearly, Cip has modified their system (or is doing it manually, which I don't believe due to the huge number of players) and is catching users on each side. It is quite hard to make some kind of "deleted comparison" when the "main ban thread" of RedBot/iBot is not visible to non-users (I'm not saying able to post, but able to see).
And I leave this suggestion: make some ban thread visible to non-users; this way we can compare, and people interested in buying the "safer" one will be able to make the best choice.