Automatic Bot-Detection Tool Discussion

[Sketchy]

I took a small look in to that padding bytes theory almost a year ago. From my findings I determined they were using the ISAAC PRNG which was seeded from mouse co-ordinates gathered when the client started up and whenever the mouse was moved before logging in (and it was also likely seeded by other information such as current time as well). The generator was used to generate the XTEA key and each padding byte within packets, I didn't see any evidence of data hiding within the padding bytes. Like I said though it was only a small look and that was a year ago.

I have also just taken a look at the Flash client's generator and they are actually using "their own" PRNG. The PRNG they are using is the RC4 keystream generator with a 256-byte key, they are however generating the key from Flash's random class and the current time. Their actual implementation comes from the open source as3crypto library for which you can find the source code up on Google Code (files of interest are Random.as and ARC4.as), and CIP are also in breach of not including the as3crypto library anywhere.

[*DEAD*]

I took a small look in to that padding bytes theory almost a year ago. From my findings I determined they were using the ISAAC PRNG which was seeded from mouse co-ordinates gathered when the client started up and whenever the mouse was moved before logging in (and it was also likely seeded by other information such as current time as well). The generator was used to generate the XTEA key and each padding byte within packets, I didn't see any evidence of data hiding within the padding bytes. Like I said though it was only a small look and that was a year ago.

I have also just taken a look at the Flash client's generator and they are actually using "their own" PRNG. The PRNG they are using is the RC4 keystream generator with a 256-byte key, they are however generating the key from Flash's random class and the current time. Their actual implementation comes from the open source as3crypto library for which you can find the source code up on Google Code (files of interest are Random.as and ARC4.as), and CIP are also in breach of not including the as3crypto library anywhere.

Wow you've done a much better job than I did, thank you. I found it strange that they bothered to include their own RNG instead of using libc, so ive always been a little suspicious. Anyway, if they are transmitting the seed it would be appended to the RSA packets. I guess one only needs to watch the packet construction to determine if this is the case.

[Sketchy]

Well the ISAAC algorithm uses seeds made up of 256 32-bit integers which far surpass the size of the RSA encrypted packets. Even without sending the seed there is still a chance they could be hiding a very specific pattern inside the trailing bytes which act as a boolean flag, of course the pattern would have to be at least 3-4 bytes to minimise collisions with actual random numbers and could possibly span over multiple packets to help with this. I didn't see any evidence of them doing this but I didn't dig too deep into it.

[*DEAD*]

Well the ISAAC algorithm uses seeds made up of 256 32-bit integers which far surpass the size of the RSA encrypted packets. Even without sending the seed there is still a chance they could be hiding a very specific pattern inside the trailing bytes which act as a boolean flag, of course the pattern would have to be at least 3-4 bytes to minimise collisions with actual random numbers and could possibly span over multiple packets to help with this. I didn't see any evidence of them doing this but I didn't dig too deep into it.

True that. If the entire buffer is initialised using mouse movements as you say, then this would be impossible.

[tulio150]

One thing that i've done while developing my recording program that got me banned was related to generating a game server login packet

What i did was starting a new game connection and logging in with a character that was already logged in to get a new SelfAppear (0x0A) packet from the server

Possible causes:
1- The XTEA key was the same as the previous connection
2- The RSA padding bytes was junk (tried with rand(), zeroes and later with unitialized bytes)
3- Maybe kicking myself up from the game was detected as Multiclienting or Account sharing, but the report said: "Using unofficial software to play".. And i've done this before with the client before many ban waves without a sratch

I'm gonna try this feature again, but using packets generated by the client to eliminate the 3rd cause

EDIT: of course it was a testing character, this never got released

EDIT2: can anybody check if a SelfAppear (0x0A) packet makes the client reset the attack and follow counters?

[Singularity]

Lets open up the discussions.

It might be pretty easy for Cipsoft to use a classifier trained with botting and non botting behaviors. I doubt it would be difficult to extract certain features that are closely related to botters.

Just to name a few:

- Always healing with the same method at the same time
- Doing stuff at the same time (e.g. looting and healing)
- How often you walk on the same spots when hunting
- Mapclick and keyboard ratio

It is probably easier to classify if you combine botting with regular hunting with the same character. We probably have to think of ways of making our bots perform more human-like behavior.

- Environmental and mob awareness (not going to a place when it is pretty obvious -for a human - that there is nothing there, moving strategically when facing large amount of mobs)
- Add human like behavior (interacting with the floor, using different ways to sort your loot, changing targets, taking pauses, etc..)

Seems to be a nice challenge

[Theaso]

and about manual check ?

[klusbert]

I would say manual check is the method they uses, otherwise I think it's weird that ibot redbot and xeno have about the same ban ratio/users. And I do not think the report button is for nothing.

[maozao]

You must be kidding saying that red and xeno got the same amout of ibot users deleted, I'm sorry =D

[Blequi]

You must be kidding saying that red and xeno got the same amout of ibot users deleted, I'm sorry =D

tbh, current bots doesn't make huge server sided mistakes. Clearly, Cip has modified their system (or doing it manually, which I don't believe due the huge amount of players) and is catching users of each side. Is quite hard make some kind of "deleted comparison" when "main ban thread" of redbot/ibot is not visible for non-users (I'm not saying able to post, but able to see).

And I let this suggestion: make some ban thread visible for non-users, this way we can compare and ppl interested in buy the "safer" will be able to do the best choice.