What comes to my mind is the hardware ID being sent to the server, or that the Tibia.exe checks for other clients and then sends dataOriginally Posted by Nostradamus
What comes to my mind is the hardware ID being sent to the server, or that the Tibia.exe checks for other clients and then sends data
Maybe on debug errors they get a CRC of the current memory and a CRC of the modules....
Also bad packets should ban in 100% of the cases (Bad Packets). About the CRC on the end of the packet, this one I don't know, but I personally don't think that they have a client-side detection or trick... Because it can bypassed, I think...
But they already are sending signatures or CRCs of the Tibia.dat / Tibia.spr / Tibia.pic... So maybe yes, maybe they send a CRC (what makes a lot easier to detect MC and some other patches).
MAybe if we think about the MC detection, why they ban only one character that you are botting with MC and the other 3 not ? If they get you in one MC I'm sure that they will get all of your clients.
I still belive on the theory about the Cavebot, unless it works as Ian said in this thread:
http://www.tpforums.org/forum/thread-7119-post-66209.html#pid66209
That make sence with CRC I guess.
One thing that I can't understand....
My Aunt had 2 accounts when she used to Play Tibia.
The Mage Account (first) she NEVER botted, and NEVER used MC, but the Knight Account (second) she used a lot of NG BOT, and one day the Mage Account that never botted was banned, but the Knight Account, that she used to bot was not banned.
I think it's strange.
So, if a player BOT on LAN and you don't BOT on the same LAN computer, you are on risk of being banned XD
PS: I HOPE YOU UNDERSTAND WHAT I SAID.. XD A bit confused...
oi amiguinhos
Actually the junk bytes that are added to pad out the packets for encryption aren't zero but rather pseudo random numbers which generated using the ISAAC algorithm, this is also used in generating the XTEA key which is generated 1 byte at a time. This algorithm was designed for use in cryptology and works by generating an internal state of 256 32-bit integers based off the value 0x9e3779b9 and if provided a seed also containing 256 32-bit integers. The generator than uses this internal state to generate the random numbers, it generates 256 at a time and stores them in an "external" state and re-calculates this state once each one of the 256 numbers have been used. The Tibia client provides a seed which is generated based on the position of the mouse cursor when the client loads and whenever the mouse is moved.
As for using these bytes for hidden data, well after discovering how these bytes are generated I very highly doubt they would be doing so.
Well last I checked the error.txt report file the client creates doesn't contain any form of checksum values. They could be saving them somewhere else but I doubt it. In any case it wouldn't be hard to check what data the client is sending and where it is getting it from when you send a debug report.
Plausible, however I doubt it. I have just taken a quick look at the hardware data they are sending, and how they gathered the data, and there didn't appear to be anything that looked like a hardware ID. All they appear to be getting/sending is the OS version, amount of system memory, processor type and speed, video card model and basic technical information for it such as memory, and display information (ie: resolution). They are getting this information through a variety of API functions and reading the registry, none of the API functions I have seen used don't seem to return any unique identifiers and none of the keys I have seen being read from have any such identifiers either.
As I said though I have only taken a quick look so a more thorough look would be need to say for certain what is being send (won't be me though, couldn't be bothered and don't have too much time to do it), I'm pretty sure however no unique identifiers are being sent.
Theres very good reasons for people to think that mouseclicks are undetectable. Consider this:
ElfBot, NG, and BlackD Proxy all used packet shizzle, messing with Tibia's internals and doing things the normal way. They are all the most detectable bots (probably 50% of the communities have been banned using it).
NeoBot, although new, has not been detected as yet.
Now, I understand that TUG isn't detected yet (though there have been complaints from very new forum members), but perhaps CIP is using methods to detect each bot they know of individually? And of course this would mean that because TUG is such a small bot / community, they may not have heard of it, or may not see it as worthwhile exploring.
Same sorta story for Neo. If they suddenly start getting banned, maybe CIP has just found a weakness in the program which they can exploit?
The simple fact is, I can do virtually anything to the tibia client using API or packet.dll (with a little help from my friends), and I don't think I would get banned, purely because it's not gonna be recognised by CIP as a popular bot (unless maybe I send repetative "look" packets, like NG did, or do something similar to elf or bd.
That's my 2 cents.
I think you are so wrong, before this antibot system came all bot makers did their bot so effective they could. I mean uber fast healing, looting, targeting etc. Human like behavior was not on the board at all in that point.
Yes neobot uses mouse/keyboard to control the client, but i think it best feature is to work human like. I did my own bot that only walked same sqare no randomizing at all when the antibot system came. I got banned from a bot that only got one user me. And your theory fails again since nobody skilled programmer has found a clientside detection and that must be there if its only recognize common bots.
And those 3 bots is/was the most common bots, so ofc you will hear about players getting banned since they got so many users.
Try to make a dash function and dash all over tibia. Or a cavebot that only walks at the same sqare like Ng and works as ng overall. I can bet cash that you will get banned sooner or later. Sry my english my eyes is falling down.
These are my thoughs:
1. Manipulating the client in a bad way, like too many memory leaks
2. Sending the same packets continously???.
Bad Packets and Cavebot made with mapclicks(writing the GoTo memory).
Those are the most detectable thing in my mind, it's easy to detect if you check the packets sent always on the same SQM for hours.
But you know ... I'm playing DOTA on Garena, and I have a Maphack, but yesterday the Garena's cliente updated, and when I open my Warcraft with the Maphack the GArena send me a message saying to close the MH or I will be banned in some days, well, Garena is a differente programa, and the MH works on the WarCraft, that's why it was undetectable by the Garena, but now they can detect it, I hadn't time to check what they did, but it's a good detection tool that they made.
They can check if I've a MH opened on my WarCraft by a program that doesn't work with it, if someone play DOTA on Garena and want to test it
So I've been out of the loop for a long time, but im currently coding a private bot to keep myself occupied. I've always been a big fan of proxy / stand alone client methods, so I need to be sure I am perfectly mimicking the client, and that includes the trailing xtea bytes. To be honest, I still have no idea whether or not these trailing bytes are used for bot detection, but I can tell you this.
Tibia has its own "random" number generator compiled into its binary, it is NOT using the random functions from libc, which is what sane people tend to do.
Tibias random number generator appears to be implemented as a singleton, and there are only 5 functions that take pointer to the random number generator. This is not to say that some functions have had their stacks optimised, but its unlikely given the nature of a random number generator.
There are only 3 times when the first 4 bytes of the rng are touched.
1) during initialisation when "Enter Game" is clicked
2) every time a character is typed into the login dialogue (wtf?). not yet sure if this is seeding or generating???
3) every time a random number is generated
The flash client is using flashes own rng
I can't give addresses because the client was just updated, and I use linux anyway so they probably wouldn't be of much use. I planning on reverse engineering the exact algorithm some time over the next week, but theres a bug in the linux client that makes it unbearable slow so I need to wait for a patch.
Anyway, happy hacking.
Posting Permissions
Reply With Quote