I've seen a lot of discussing/arguing around the forums lately on how CipSoft's automatic bot-detection tool works, and instead of flooding other's threads with off-topic posts I've made an official thread to allow just that. I'll post my thoughts on the subject and finish with some FAQs.
For one, there is no evidence in the client of client-sided bot-detection. The closest thing they've done in this direction is the recent addition of count data to the Attack and Follow packets, which was quickly, and easily, trumped by DarkstaR. If anyone has any evidence of client-side detection we would all be more than happy to see it, but I know it doesn't exist. So, that can only leave one thing; the automatic bot-detection is server-sided. A simple Google search for MMORPG bot-detection will show you plenty of sources explaining server-sided bot-detection methods used for well-known MMORPGs (WoW, Ragnarok Online, etc.). The methods explained are basically the same across the board. Packet Response (Time it takes the user to respond to an incoming packet from the server.) [These include, but are not limited to, healing, looting (TTB looting a backpack in less than 1 second), and much more. Basically anything that is done faster than humanly possible.], Packet Repetitiveness (Sending the same packets at the same interval.) [The biggest culprit that comes to mind is rune making.], and Impossible(?) Packets (Sending packets to the server that could not be done manually.) [LordOfWar brought this to my attention with TibiaBot NG's Player/Creature Information feature. This feature works by sending a Look packet for every player and creature in the battlelist. Even if they're off-screen or above/below the user's current level.]
I'm sure there are more packet-detection methods used, but these are the major ones I wanted to hit on. I'd like to take a moment to talk about probably the biggest bot-detection method CipSoft could be using, in my opinion, and that would be walking systems in cave bots. Most bots today use a system of waypoints that the user continuously loops through. The problem with this is that they write to their player's GoTo XYZ values and the client in turns creates an Auto Walk packet that is sent every time the user tries to go to the waypoint. For example, your first waypoint is 12345, 54321, 6. The bot writes to the addresses and the player starts moving. However, the player gets stopped on the way to attack a creature. After finishing the kill the bot writes the same values to the addresses and the bot goes again. Again, the player is stopped to attack a creature. And repeat. If you don't understand what I'm getting at here then you should re-read it. The player attempts to go to the same location over-and-over-and-over-and-over... And in my opinion, this is the number one way that CipSoft detects botters.
Now, a lot of people are starting to get in to bots based solely on key strokes and mouse clicks, which is fine. The main advantage these bots have over others is that they don't have to worry about packet changes, just memory changes. DarkstaR and myself have done some extensive research in the Tibia client's GUI structure. I can personally do anything with any part of the cilent with just mouse clicks, and key strokes, that anyone can do manually. I can look at/use/move items, interact with other players/creatures/NPCs, anything. I can do all this even if the client is hidden, minimized, anything. But using mouse clicks and key strokes isn't enough to bypass CipSoft's bot-detection. Bots that send packets are just as safe as bots that use key strokes and mouse clicks, it all depends on how the bot acts compared to a human. DarkstaR's TUGBot is used by hundreds, possibly thousands, of users and there have a been 3-4(?) unconfirmed banishments. Either it was more of an accusation or the user was using another bot in conjunction with his. Oh, and his bot doesn't use key strokes or mouse clicks, just packets..
FAQs
Q: MC is detectable. It's the only thing my friend ever used and he got banned.
A: Not really a question, but ok. There is no hard-evidence with the use of MCs that can allow CipSoft to ban you for it. Plenty of players play on a LAN connection, and a lot of the users on these LAN connections use the same type of computer.
Q: What about the extra bytes at the end of the packets? These could easily be encrypted with information letting the server know the player is using a bot.
A: True, they could be, but, if I'm not mistaken (correct me if I'm wrong), the client just fills these 'junk bytes' with zeros. Hence, no information could be concluded from them. The use of the 'junk bytes' is the make the packet divisible by 8 for the XTea encryption/decryption routines.
I'll add more Q&As as they are addressed in the thread.
Thanks for taking the time to read this. Feel free to use this thread as a means to discuss CipSoft's bot-detection system. Everyone is free to express their own opinions here, but without proof (which no one really has) it's just an opinion.
Reply With Quote
Originally Posted by TibiaWarTools
