Automatic Bot-Detection Tool Discussion

[gooden]

Well My opinion about this is very simple.
They have severals methods:
-Bad packets (basic Detection) - Avoid by using keystrokes and mouseclicks.
-The "fast" packets / Clicks, and with the same time interval.
-On cavebots always keep stroking at the same place.


On the cavebots the solution is that when the player gets to the point, the first time, detects surronding walkable squares and add it to a possible list . so it doesn't hit the same spot 2 times .


Or just play without bots hauUHuhAUHHUAhua

kIDDING :d

[klusbert]

Ladabot does exact that thing, store a random list of walkable nodes[/u]

[Pro-grammer]

Bad Packets
Multiple packet sending in the same row (heal + walk)
Bad maintained code.

[wSkull]

I belive on bad packets, but the 'Map Click' always on the same SQM should be a way to detect it.

As I said on shoutbox, ANYBODY can hunt like 15 hours click ALWAYS on the same SQM to walk:

12345, 54321, 7
54321, 12345, 7

This 'infinite' lool will be analyzed by Cipsoft, then they will check how many times you made that action.

My friend hunted with Elfbot from level 120 and he is 310 nowadays and he wasn't banned, he hunted with Distance Target, so he wasn't walking always on the same SQM for Cipsoft, he could 'click' on X SQM all the time, but the Server received a lot of packets when he was running from the monsters and I guess that it makes hard to them detect.

It's all theories, but I guess that's the best idea =P

r u meaning trep?

topic:
From the start of massban I didn't get ban yet . I used Ng,elf,tugbot and neo .

Some things :
I never bot too much , mc using sandboxie and my waypoints, I always create if 1 rule : each next point(or ground or node etc) must be visible on screen .

[maozao]

r u meaning trep?

Not really HEHEHEHE

[wSkull]

r u meaning trep?

Not really HEHEHEHE

hehehe ! soo near
We can change some words about bot and etc on game , with noobchars of corse

[maozao]

r u meaning trep?

Not really HEHEHEHE

hehehe ! soo near
We can change some words about bot and etc on game , with noobchars of corse

Just send me a PM here ;P

@Thread

Well, I was talking about Cavebot and about the same point everytime, but it's wierd, my friend hunt on the same cave everyday, like 20 hours, just logout to get stamina again and he wasn't banned.

I don't know, we should get a spy on Cipsoft!

[megano0body]

Agree with all what Jo3 said, but Ill not do my bot use keyboard/mouse... Makes really hard to detect, but.... We don't really know how it works.

But the major point that I agree with Jo3 is the cavebots.... They always use the GOTO packet and nobody hunt using them.... Everyone uses the 'key arrows' to hunt, or something like... I don't know nobody that hunt using the map.

[maozao]

Agree with all what Jo3 said, but Ill not do my bot use keyboard/mouse... Makes really hard to detect, but.... We don't really know how it works.

But the major point that I agree with Jo3 is the cavebots.... They always use the GOTO packet and nobody hunt using them.... Everyone uses the 'key arrows' to hunt, or something like... I don't know nobody that hunt using the map.

People with Lag use it, but as I said, nobody click on the same SQM all the time =P

Edit: I was reading this post:
Moving character - cavebot

As Ian said looks like the GoTo isn't sent to the Server, only the moves that the character do when you click on the Map, someone know about that? If the GoTo is sent to the server or just the movement made by the character?

[Nostradamus]

Bad packets can be measured by Cyclic Redundancy Checks. I've created a topic to discuss about one hypothesis based on that: http://www.tpforums.org/forum/thread-8078.html
I can explain better if wanted, but my time is short.[hr]
Let me share my hypothesis:

Cyclic Redundancy Checks is commonly used in database consistency checks. Altough some people says that it is not recommended since it is easy to "fake" a redundancy check before the end of a cycle, calculated values are stocastic enough to make that argue invalid. Accidental changes to raw computer data can be caused in a simple download, that's why some projects offers checksums, mostly in MD5 or SHA-1. CRCs can be called as polynomial code checksums, and work as insecure hash functions (reason why you will never use that for encrypting passwords like you do with SHA-1, SHA-256).
The data validation that CRCs does is redundant (adds zero information to the message) and the algorithm is always based on cyclic codes. The simplest error-detection system, the parity bit, is in fact a trivial 1-bit CRC: it uses the generator polynomial x+1.
While leading with communications or even datasources, it is important to check if the data is corrupted, since that information can be in a real fast frequency, it is necessary to provide quick and reasonable assurance of the integrity of messages delivered. However, they are not suitable for protecting against intentional alteration of data. Firstly, as there is no authentication, an attacker can edit a message and recalculate the CRC without the substitution being detected. Secondly, the linear properties of CRC codes allow an attacker even to keep the CRC unchanged while modifying parts of the message (as said before about validations). Nonetheless, it is still often falsely assumed that when a message and its CRC are received from an open channel and the CRC matches the message's calculated CRC then the message cannot have been altered in transit.
And of course, altough cryptographic hash functions can provide stronger integrity guarantees in that they do not rely on specific error pattern assumptions, CRCs they are much slower than CRCs, and are therefore commonly used to protect off-line data, such as files (like i said before).

Now, let's see the points that Jo3 thinks:

Q: MC is detectable. It's the only thing my friend ever used and he got banned.
A: Not really a question, but ok. There is no hard-evidence with the use of MCs that can allow CipSoft to ban you for it. Plenty of players play on a LAN connection, and a lot of the users on these LAN connections use the same type of computer.

This is easy to detect, i can show that if wanted (i can't say that Cip uses that, but it is possible).

Q: What about the extra bytes at the end of the packets? These could easily be encrypted with information letting the server know the player is using a bot.
A: True, they could be, but, if I'm not mistaken (correct me if I'm wrong), the client just fills these 'junk bytes' with zeros. Hence, no information could be concluded from them. The use of the 'junk bytes' is the make the packet divisible by 8 for the XTea encryption/decryption routines.

You are right Jo3, client fills bytes with zeros since the data packets is all with the same length. Junk bytes with zeros... hmm... that makes me think about redundant numbers and redundant numbers makes me think about? Yeah, CRCs!

Now my question: Cipsoft introduced new packets in one of the latest Tibia clients. If i am not wrong, they send information about the computer to "statistics". This kind of data can be used in some way to that kind of detection?