Jump to content

Just because you bot less time doesn't mean you're not being detected

asdttt

By asdttt
in Botting & Bans

 Share

Recommended Posts

asdttt Steel Poster

asdttt

Posted
  • Author
Posted

As for this "mirror mode".. Jagex could still query tasks for other VM's and simply read the program name. This, believe it or not, is a very popular method of detection and is even used in VAC. A common method to battle it is to simply change the name of the program every bootup. That's once more just speculation however. 

 

As for injection, I'd say the easiest way to detect "stealth injection", without having to do any hashcoding, would be to just grab the list of threads. OSBot creates many threads for it's botting

Link to comment
Share on other sites
Naked Adamantite Poster

Naked

Posted
Posted
8 hours ago, asdttt said:

As for this "mirror mode".. Jagex could still query tasks for other VM's and simply read the program name. This, believe it or not, is a very popular method of detection and is even used in VAC. A common method to battle it is to simply change the name of the program every bootup. That's once more just speculation however. 

 

As for injection, I'd say the easiest way to detect "stealth injection", without having to do any hashcoding, would be to just grab the list of threads. OSBot creates many threads for it's botting

That would be illegal for them to do without consent. And shows a general lack of experience in botting to even suggest such a thing.

Link to comment
Share on other sites
asdttt Steel Poster

asdttt

Posted
  • Author
Posted (edited)
3 hours ago, Naked said:

That would be illegal for them to do without consent. And shows a general lack of experience in botting to even suggest such a thing.

Idk why everyone on here acts like botting is such a difficult task. A 12 year old could do it. Even if you script a bot, OSBot does all the hard work for you. You really think "vein.interact("Mine")" requires extreme botting experience? And if experience is so important, why am I able to bot longer then a good amount of people on here? 

If you read what I said (Clearly you didn't), I simply implied it's a possibility as the majority of other anti-bot/hack software deploys such tactics including VAC which is a very known anticheat program used by Steam. Asking for consent is as easy as wordplay inside your terms. Also checking for the active threads on the VM instance doesn't require consent you moron. The client is obviously detected in injection mode, and mirror doesn't seem any different. There's clearly levels of detection on OSRS and having an unofficial client appears to put you into a higher level. 

Back in the older days, they used to put fake functions inside their code that'd trick you and get you banned. They've obviously still have some detection method for figuring out what client you're on and to say otherwise is stupid. 

 

Edited by asdttt
Link to comment
Share on other sites
asdttt Steel Poster

asdttt

Posted
  • Author
Posted

Probably everyone already knows this one, but proxies/vpn's that are blacklisted as so on OSRS put you into a higher detection algorithm and therefor possibly lead to a faster ban, assuming your script isn't already quickly picked up. Either a higher level detection algorithm, or the heuristic checks flag at lower levels vs ISP IP addresses. Tested this on 2 VPN alts, and 2 ISP alts (Both ISP IP's being different of course). Neither one of the ISP alts got banned for 5 hours of botting clay whereas both the VPN's got banned. Also had 6 hours breaks every 2 hours and 30 minutes. Maybe just a coincidence, maybe real.

Link to comment
Share on other sites
Pegasus Black Poster

Pegasus

Posted
Posted
24 minutes ago, asdttt said:

Probably everyone already knows this one, but proxies/vpn's that are blacklisted as so on OSRS put you into a higher detection algorithm and therefor possibly lead to a faster ban, assuming your script isn't already quickly picked up. Either a higher level detection algorithm, or the heuristic checks flag at lower levels vs ISP IP addresses. Tested this on 2 VPN alts, and 2 ISP alts (Both ISP IP's being different of course). Neither one of the ISP alts got banned for 5 hours of botting clay whereas both the VPN's got banned. Also had 6 hours breaks every 2 hours and 30 minutes. Maybe just a coincidence, maybe real.

you use free or paid vpn?

Link to comment
Share on other sites
asdttt Steel Poster

asdttt

Posted
  • Author
Posted (edited)
47 minutes ago, Triovani said:

Mirror mode = win 
Currently tot lvl 1400 :) bot smart and stop blaming scripts ect... What worked years ago doesnt work now! What worked a few months ago may not even work now ? 

Do you bot moneymaking scripts? That's all I'm concerned with tbo. I haven't ever got banned for combat botting, although I never bot that for over an hour

 

I feel like Jagex 100% tracks mouse movement / mouse delta. It wouldn't make sense otherwise. If that's true, then OSBot's mouse movements would be very detectable due to it's VERY consistent DPI patterns. What if Jagex's detection method detects you within minutes, and simply delays bans based on bottime to further hide the simplicity of their detection systems. 

I've seen people bot 10 hours a day with a custom bot and never get banned. There's more to this then we're lead to believe... Custom scripts aren't enough to prevent bans, only delay  by 1-2 days at most. 

It makes 100% sense that Jagex would target moneymaking scripts mostly to maintain the economy and somewhat "Allow" other botting such as combat botting to further confuse us and distant us from our understanding of their data analyzing methods. 

I believe complete that our scripts are, for the most part, detected by mouse movement. If not that, then the client - but delaying the ban until the user farms a crazy amount of resources. 

 

Edit: The mouse movement is also pretty unrealistic if you draw it out for visual reference compare to a real user. WAAAAY too random, and not smooth like a normal user without Parkinson's lol

 

Edit2: Yup, the client tracks mouse movement: https://github.com/zeruth/runescape-client/blob/master/src/MouseRecorder.java#L40 on a 50MS tick basis. Collects a sample of 500 then ships it off to the server https://github.com/zeruth/runescape-client/blob/master/src/Client.java#L3298. I 100% garantee OSBot's mouse pattern is detected. If it's not detected as a bot's, then they probably compare samples with samples of when you were not botting (Like tut island). 

That being said, it's possible "random" mouse movements actually feed the server MORE data to ban you based off of. That's still based on my speculation that Jagex is onto OSBot's "human like" mouse movements though

Edit3: If I have time tomorrow, I'll try to provide some test results regarding OSBot's mouse pattern and whether it's easily detectable by means of improbable DPI, pattern, or being too inconsistent. 

Edited by asdttt
  • Like 1
Link to comment
Share on other sites
ThoughtVNC Iron Poster

ThoughtVNC

Posted
Posted
56 minutes ago, asdttt said:

This might sound stupid, but what if we simulated touchscreen devices...? That'd cut the whole mouse movement tracking variable out which may help reduce bans

Already possible, bluestacks and a mouse recorder.  Runs into implications if you try to use proxies however.

 

1 hour ago, asdttt said:

Do you bot moneymaking scripts? That's all I'm concerned with tbo. I haven't ever got banned for combat botting, although I never bot that for over an hour

 

I feel like Jagex 100% tracks mouse movement / mouse delta. It wouldn't make sense otherwise. If that's true, then OSBot's mouse movements would be very detectable due to it's VERY consistent DPI patterns. What if Jagex's detection method detects you within minutes, and simply delays bans based on bottime to further hide the simplicity of their detection systems. 

I've seen people bot 10 hours a day with a custom bot and never get banned. There's more to this then we're lead to believe... Custom scripts aren't enough to prevent bans, only delay  by 1-2 days at most. 

It makes 100% sense that Jagex would target moneymaking scripts mostly to maintain the economy and somewhat "Allow" other botting such as combat botting to further confuse us and distant us from our understanding of their data analyzing methods. 

I believe complete that our scripts are, for the most part, detected by mouse movement. If not that, then the client - but delaying the ban until the user farms a crazy amount of resources. 

 

Edit: The mouse movement is also pretty unrealistic if you draw it out for visual reference compare to a real user. WAAAAY too random, and not smooth like a normal user without Parkinson's lol

 

Edit2: Yup, the client tracks mouse movement: https://github.com/zeruth/runescape-client/blob/master/src/MouseRecorder.java#L40 on a 50MS tick basis. Collects a sample of 500 then ships it off to the server https://github.com/zeruth/runescape-client/blob/master/src/Client.java#L3298. I 100% garantee OSBot's mouse pattern is detected. If it's not detected as a bot's, then they probably compare samples with samples of when you were not botting (Like tut island). 

That being said, it's possible "random" mouse movements actually feed the server MORE data to ban you based off of. That's still based on my speculation that Jagex is onto OSBot's "human like" mouse movements though

Edit3: If I have time tomorrow, I'll try to provide some test results regarding OSBot's mouse pattern and whether it's easily detectable by means of improbable DPI, pattern, or being too inconsistent. 

Tracking mouse data would require incredibly large amounts of data, especially to the extent you’re talking about. It’d make more sense for them to process information server side. If anything, they could track click rate and behaviors that multiple users produce on a consistent basis.

thOugHtVNC

  • Heart 1
Link to comment
Share on other sites
asdttt Steel Poster

asdttt

Posted
  • Author
Posted (edited)

Finding some flaws/patterns in OSBot's mouse movement already. I'll do a further analysis/logging tomorrow when I hopefully have more time. Until then, I'll leave you guys with this bit of information:

Here's a small sample I collected from using basic interact functions from OSBot: (Ignore smallest, I was just insuring it made proper movements)

https://pastebin.com/r1PiVRu0

First flaw that instantly pops into your face is the fact that OSBot's mouse nearly ALWAYS ends the movement with a delta of 5.0 pixels or near there. Whereas with a normal user, you'd likely end it with a 1.0 pixel change mostly, or random. 

Another somewhat flaw (Not nearly as vital) is the fact that OSBot hardly ever moves 1 pixel, and when it does, it NEVER repeats more then just one pixel (Edit: It repeats on tiny mouse movements). which is very very common among a human user (Unless you've got very high sensitivity). Now, if the OSBot had very high sensitivity, that wouldn't be too weird. But... It doesn't. It averages at around 30 or so pixels per movement, which is somewhat of a normal sensitivity - but being normal, it should also produce a good amount of smaller pixel changes awell, ranging from 1-3; 

As I already mentioned above, I do plan on diving into this further later on when I have more time. I hope you all are beginning to understand my argument now that I've brought evidence to the table. 

Third flaw: Almost always starts with 1-2 pixel mouse movements

Fourth flaw: Last few numbers go from lower, to suddenly higher:

[INFO][Bot #1][03/29 05:29:50 AM]: Delta: 2.0 Smallest: 1.0 Tick: 489
[INFO][Bot #1][03/29 05:29:50 AM]: Delta: 1.0 Smallest: 1.0 Tick: 491
[INFO][Bot #1][03/29 05:29:50 AM]: Delta: 4.0 Smallest: 1.0 Tick: 493
[INFO][Bot #1][03/29 05:29:50 AM]: --Mouse movement ended

@Patrick @Maxi Might want to look into this. I can detect someone is using OSBot in under 5 minutes. Now imagine if I collected a data-set containing hours of mouse movement data. I'll happily contribute if you've got a repo somewhere on the web. 

 

What I'm wondering now is.. With all this data they're storing, there's no way it has no expiration date? I wonder if the data expires relativity quickly after you logout? Maybe that's why people tend to have success with large break times. Maybe they query the data every 12->24 hours then clear it? Maybe it lasts for weeks..? We'll probably never know....

 

Edit2: The tick-rate, and mouse sampling produced in the samples is based on the draw function provided by OSBot's API. 

 

Edited by asdttt
adding Maxi to taglist
  • Like 1
Link to comment
Share on other sites
Czar Champion Poster

Czar

Posted
Posted

Very interesting read, are you able to confirm mouse movement data is actually sent to the servers now? The last time I checked only mouse clicks were sent, but even that plays a huge role since they most likely check the delta time between clicks, so fast clicks in far away positions can be suspicious. There have been many debates about this in the scripter subforum but it kept concluding to thr fact that mouse movements are only tracked but never sent back.

Link to comment
Share on other sites
asdttt Steel Poster

asdttt

Posted
  • Author
Posted (edited)
13 minutes ago, Czar said:

Very interesting read, are you able to confirm mouse movement data is actually sent to the servers now? The last time I checked only mouse clicks were sent, but even that plays a huge role since they most likely check the delta time between clicks, so fast clicks in far away positions can be suspicious. There have been many debates about this in the scripter subforum but it kept concluding to thr fact that mouse movements are only tracked but never sent back.

Yes it is: https://github.com/zeruth/runescape-client/blob/master/src/Client.java#L3298

If you trace the elements from mouseRecorder, you can see, despite the annoying obfuscation, that they are sending the mouse movements directly to the server as a single integer combined to save resources. 

If I can see whether a user is using OSBot using 100% mouse-movements in a matter of minutes, so can Jagex. They're just fucking with us, feeding us false information on what bans, and what doesn't. Everything people say on this forum is the bullshit Jagex tricked them into believing. 

Edited by asdttt
  • Like 2
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...