Jump to content

Just because you bot less time doesn't mean you're not being detected

asdttt

By asdttt
in Botting & Bans

 Share

Recommended Posts

DoubleD Steel Poster

DoubleD

Posted
Posted (edited)
On 3/29/2019 at 3:53 PM, asdttt said:

 So now to figure out how the anti-bot works, we must become the anti-bot. If you read some of my newest posts, you can see I've found a way to very easily detect OSBot based on mouse movement. I also linked the code DIRECTLY to where the runescape client sends mouse movements to the server 100% verifying that they do  use mouse movements. If you review my data I provided, you can see that you TOO can see that the mouse movement on OSBot is VERY flawed and would flag heuristics  100%. 

I believe you have looked into this more than I did. Nevertheless, I believe only clicks matter. 

Most proof about this can be found on another botting client rspeer. This client uses no mouse movement at all and there are many successtories. 

In my belief randomized timings matter most. Waiting a randomized period between 1 and 15 seconds before chopping the next tree instead of moving to the next tree instantly is more human like and will result in Less bans.

Edited by DoubleD
Link to comment
Share on other sites
Impensus Adamantite Poster

Impensus

Posted
Posted (edited)
35 minutes ago, terratraitor said:

Holy shit, so much ignorance and hate against OP @asdttt. guy is doing a great job.

to the hating retards neck it, to OP, keep it going

Nobody’s hating on him just trying to give feedback on his findings which he didn’t take very maturely. There is a difference between feedback and hating.

its clearly a good thing that op is passionate about working out detection just some of the lads in here such as @Naked are very very experienced when it comes to mass Automated Botting and using their huge samples of data to help tackle bot detection. Coming in here and telling these boys how it’s done when all you’ve done is run a few bots is not the correct way to go about it. If op posted actual evidence instead of just “I can see jagex track this and most accounts are banned quickly so it must be this” then that would get the ball moving differently.

Just as a side note, I can tell you now that although mouse data is sent over every 50ms some user a few years ago did a test with this and it is not frequently enough to reconstruct an accurate mouse path as a user or bot would move this too quickly. It would also be masses of data to store mouse movements of 100s of thousands of different players daily and even more processing time to trawl though this, it doesn’t make sense when there’s easier stuff to use to identify a bot.

hopefully this points you in the right direction @asdttt as you seem very committed towards working out detection and I wish you luck!

Edited by Impensus
Link to comment
Share on other sites
asdttt Steel Poster

asdttt

Posted
  • Author
Posted (edited)
1 hour ago, Impensus said:

Nobody’s hating on him just trying to give feedback on his findings which he didn’t take very maturely. There is a difference between feedback and hating.

its clearly a good thing that op is passionate about working out detection just some of the lads in here such as @Naked are very very experienced when it comes to mass Automated Botting and using their huge samples of data to help tackle bot detection. Coming in here and telling these boys how it’s done when all you’ve done is run a few bots is not the correct way to go about it. If op posted actual evidence instead of just “I can see jagex track this and most accounts are banned quickly so it must be this” then that would get the ball moving differently.

Just as a side note, I can tell you now that although mouse data is sent over every 50ms some user a few years ago did a test with this and it is not frequently enough to reconstruct an accurate mouse path as a user or bot would move this too quickly. It would also be masses of data to store mouse movements of 100s of thousands of different players daily and even more processing time to trawl though this, it doesn’t make sense when there’s easier stuff to use to identify a bot.

hopefully this points you in the right direction @asdttt as you seem very committed towards working out detection and I wish you luck!

I literally posted evidence that the mouse movement on OSBot is easily detected... Test for yourself if you don't believe me. Check the delta between mouse movements of OSBot and you'll see a very clear pattern. I've confirmed this was banning me by  changing my mouse movement all together. 

I'm very active in the anti-cheat community on various platforms and came here to share some of my knowledge. You'd be surprised how big mouse delta/movement plays in detecting all sorts of hacks ranging from aimbot, all the way to automation. I provided the easiest way we'd use to detect a pattern, mouse delta patterns. More specifically, how the mouse ends a movement. 

 

Edit: Also if you call what people have said here feedback, yikes.

Continued with evidence further down->

Edited by asdttt
Link to comment
Share on other sites
asdttt Steel Poster

asdttt

Posted
  • Author
Posted (edited)
2 hours ago, DoubleD said:

I believe you have looked into this more than I did. Nevertheless, I believe only clicks matter. 

Most proof about this can be found on another botting client rspeer. This client uses no mouse movement at all and there are many successtories. 

In my belief randomized timings matter most. Waiting a randomized period between 1 and 15 seconds before chopping the next tree instead of moving to the next tree instantly is more human like and will result in Less bans.

Rspeer injects spoofed data into the mouse location arrays. It's very inaccurate data however, and will still lead to a ban assuming jagex checks mouse accuracy (Rumors claiming they do). Therefor as far as Jagex knows, it's making mouse movements. 

Timings matter a lot too, which is why i mention mouse consistency. This, however, isn't the only factor you need to account for. 

Edited by asdttt
Link to comment
Share on other sites
asdttt Steel Poster

asdttt

Posted
  • Author
Posted (edited)
1 hour ago, Impensus said:

Nobody’s hating on him just trying to give feedback on his findings which he didn’t take very maturely. There is a difference between feedback and hating.

its clearly a good thing that op is passionate about working out detection just some of the lads in here such as @Naked are very very experienced when it comes to mass Automated Botting and using their huge samples of data to help tackle bot detection. Coming in here and telling these boys how it’s done when all you’ve done is run a few bots is not the correct way to go about it. If op posted actual evidence instead of just “I can see jagex track this and most accounts are banned quickly so it must be this” then that would get the ball moving differently.

Just as a side note, I can tell you now that although mouse data is sent over every 50ms some user a few years ago did a test with this and it is not frequently enough to reconstruct an accurate mouse path as a user or bot would move this too quickly. It would also be masses of data to store mouse movements of 100s of thousands of different players daily and even more processing time to trawl though this, it doesn’t make sense when there’s easier stuff to use to identify a bot.

hopefully this points you in the right direction @asdttt as you seem very committed towards working out detection and I wish you luck!

You said the test was done a few years ago.. This directly renders whatever findings they had useless and outdated. They've updated the anti-bot many many many times in the past few years, and banrates directly prove that. 

And 50ms is a perfect amount to detect mouse patterns. That's 20 ticks a second (What minecraft runs on). Within those 20 minutes, you can map out their angles, check for deviation, check for DPI consistency, and check for patterns. You'd have on average 6-10 point captures per mouse movement. 

And it's not really that much data, especially since they combine the 2 byte integers into a single 4 byte and save/send it as that. That means  they can store 250,000 x/y captures per 1mb. That translates to around 3.4 HOURS of data capture per user. My personal thought is they run a botcheck about every day, apply bans, and reset data. I really don't believe they'd keep the data over a few days otherwise i would of been easily banned by now. There's really no need to keep the data over a day anyways unless they do daily behavioral checks based on previous days (They defiantly don't, or just haven't done it in a few weeks).

Edit: Here's evidence of how they combine x/z and send: https://github.com/zeruth/runescape-client/blob/master/src/Client.java#L3342

Also notice how they too capture the difference of the movement: https://github.com/zeruth/runescape-client/blob/master/src/Client.java#L3337 

That means they're clearly using the same, or near check as I was. Simple by recording the delta's they can pickup on patterns with little to no math. 

 

Edit2: Here's evidence of the laughable flaws in OSBot's movement (My original evidence got deleted). These samples were made testing by interacting with an NPC, pond, and a tree (All at tutorial island)

OSBot: https://pastebin.com/AJn2NC31
My mouse movement, I tried to mimic OSBot the best i could: https://pastebin.com/vnGtX16z

As you can clearly see, OSBot repeats ONLY 4-5 at the end of movements, AND at the last few deltas at the end of the movement, it goes from Lower, Bigger, Lower, Bigger. A programmer with 1 week of experience could make something to detect that. Jagex has all the data I used on that sample (50MS tick), and yet you all say I'm wrong :(

Edited by asdttt
Link to comment
Share on other sites
Impensus Adamantite Poster

Impensus

Posted
Posted
1 hour ago, asdttt said:

You said the test was done a few years ago.. This directly renders whatever findings they had useless and outdated. They've updated the anti-bot many many many times in the past few years, and banrates directly prove that. 

And 50ms is a perfect amount to detect mouse patterns. That's 20 ticks a second (What minecraft runs on). Within those 20 minutes, you can map out their angles, check for deviation, check for DPI consistency, and check for patterns. You'd have on average 6-10 point captures per mouse movement. 

And it's not really that much data, especially since they combine the 2 byte integers into a single 4 byte and save/send it as that. That means  they can store 250,000 x/y captures per 1mb. That translates to around 3.4 HOURS of data capture per user. My personal thought is they run a botcheck about every day, apply bans, and reset data. I really don't believe they'd keep the data over a few days otherwise i would of been easily banned by now. There's really no need to keep the data over a day anyways unless they do daily behavioral checks based on previous days (They defiantly don't, or just haven't done it in a few weeks).

Edit: Here's evidence of how they combine x/z and send: https://github.com/zeruth/runescape-client/blob/master/src/Client.java#L3342

Also notice how they too capture the difference of the movement: https://github.com/zeruth/runescape-client/blob/master/src/Client.java#L3337 

That means they're clearly using the same, or near check as I was. Simple by recording the delta's they can pickup on patterns with little to no math. 

 

Edit2: Here's evidence of the laughable flaws in OSBot's movement (My original evidence got deleted). These samples were made testing by interacting with an NPC, pond, and a tree (All at tutorial island)

OSBot: https://pastebin.com/AJn2NC31
My mouse movement, I tried to mimic OSBot the best i could: https://pastebin.com/vnGtX16z

As you can clearly see, OSBot repeats ONLY 4-5 at the end of movements, AND at the last few deltas at the end of the movement, it goes from Lower, Bigger, Lower, Bigger. A programmer with 1 week of experience could make something to detect that. Jagex has all the data I used on that sample (50MS tick), and yet you all say I'm wrong :(

Just because a test happened “long” ago does not invalidate it’s results. Since the captures were made then (the same ones you show) the packets transferring mouse data have the same content. Now I do agree this Mouse data is used in some sense for building profiles. I do not think it is stored enmasse and in the way you envision it. 50ms as a frequency could be the difference between mouse being on the inventory and over the other side of the screen. Not enough time to build a profile of a players heuristics.

 

all data they capture is done for a reason and you are on the right path though so keep exploring, it’s just trial and error made difficult by the delayed bans!

Link to comment
Share on other sites
asdttt Steel Poster

asdttt

Posted
  • Author
Posted (edited)
21 minutes ago, Impensus said:

Just because a test happened “long” ago does not invalidate it’s results. Since the captures were made then (the same ones you show) the packets transferring mouse data have the same content. Now I do agree this Mouse data is used in some sense for building profiles. I do not think it is stored enmasse and in the way you envision it. 50ms as a frequency could be the difference between mouse being on the inventory and over the other side of the screen. Not enough time to build a profile of a players heuristics.

 

all data they capture is done for a reason and you are on the right path though so keep exploring, it’s just trial and error made difficult by the delayed bans!

I think the big disconnection here is I have a lot of experience building anti-cheats, and you have a lot of experience building bots. Please take the time to fully read my post so you understand what I'm saying because I still believe you're not understanding me. If you believe 1mb per 3.4 HOURS of constant mouse movement is a lot then... I reeally can't argue with you because that's your opinion. It's such a minimal amount of data based on other heuristic checks used by companies like Dice. 

I'm basing those samples on a 50MS tick - the exact same Jagax does. As you can see by my results, OSBot repeats patterns on a 100% basis on mouse movements, no matter where on the screen you click. 

I'm not sure why you think 20 samples in a single second is so small, so here's a visual representation:

https://i.gyazo.com/4eb9de90c1c8a60959e874fb24488ab3.mp4

 

This picture is a result of applying my recorded samples of my own movements on a 50MS tick-rate. As you can see, it's very smooth, very clear to see deviation, and very easy to follow.  

 

Edit: And I've found the right path so far.. Still haven't gotten banned, but still haven't botted over 6 hours straight. When I'm done training this account I'll likely sell or release the scripts for all. Soon I'll be releasing a little trainer tool you guys can use to create your own autoclickers / mouse movement patterns.

Edit2: Forgot to address the age of the previous tests. My point was, Jagex changed their anti-cheat massively in the past two years, and trained more patterns. There was a time RSPeer bypassed even 

Edited by asdttt
Link to comment
Share on other sites
Impensus Adamantite Poster

Impensus

Posted
Posted
8 hours ago, asdttt said:

I think the big disconnection here is I have a lot of experience building anti-cheats, and you have a lot of experience building bots. Please take the time to fully read my post so you understand what I'm saying because I still believe you're not understanding me. If you believe 1mb per 3.4 HOURS of constant mouse movement is a lot then... I reeally can't argue with you because that's your opinion. It's such a minimal amount of data based on other heuristic checks used by companies like Dice. 

I'm basing those samples on a 50MS tick - the exact same Jagax does. As you can see by my results, OSBot repeats patterns on a 100% basis on mouse movements, no matter where on the screen you click. 

I'm not sure why you think 20 samples in a single second is so small, so here's a visual representation:

https://i.gyazo.com/4eb9de90c1c8a60959e874fb24488ab3.mp4

 

This picture is a result of applying my recorded samples of my own movements on a 50MS tick-rate. As you can see, it's very smooth, very clear to see deviation, and very easy to follow.  

 

Edit: And I've found the right path so far.. Still haven't gotten banned, but still haven't botted over 6 hours straight. When I'm done training this account I'll likely sell or release the scripts for all. Soon I'll be releasing a little trainer tool you guys can use to create your own autoclickers / mouse movement patterns.

Edit2: Forgot to address the age of the previous tests. My point was, Jagex changed their anti-cheat massively in the past two years, and trained more patterns. There was a time RSPeer bypassed even 

I’ll revisit this topic in my own scripts and see what I can dig up myself. My old roots from being round here for so long have taught me not to always trust the word of newbies claiming to have cracked antiban. You clearly known your stuff around the cheating/anti-cheat stuff so thank you for coming to this community to spread your knowledge.

one thing I will say is just be wary of it being the weekend as bans are notoriously low around this period of time. I hope you have cracked it though mate and no delayed bans catch up with you Monday morning!

Link to comment
Share on other sites
asdttt Steel Poster

asdttt

Posted
  • Author
Posted
1 hour ago, Impensus said:

I’ll revisit this topic in my own scripts and see what I can dig up myself. My old roots from being round here for so long have taught me not to always trust the word of newbies claiming to have cracked antiban. You clearly known your stuff around the cheating/anti-cheat stuff so thank you for coming to this community to spread your knowledge.

one thing I will say is just be wary of it being the weekend as bans are notoriously low around this period of time. I hope you have cracked it though mate and no delayed bans catch up with you Monday morning!

Yeah that's what I've heard, so far I've made it through one weekend, but we'll see about this one.. 

  • Like 1
Link to comment
Share on other sites
vikingraider Newbie

vikingraider

Posted
Posted
On 4/6/2019 at 9:37 PM, asdttt said:

Yeah that's what I've heard, so far I've made it through one weekend, but we'll see about this one.. 

I recently started botting in OSRS, I used to bot >5years ago and I clearly notice the difference between the client. I think it was p****bot, **** and rsbot that I'd just back in the day. And I can't exactly recall which client it was, but it seemed like they smoothed mouse movement out after a click. So the mouse still dragged on a bit after clicking or moving to a target and it also curved more and didn't move in a straight line.

 

I've tried ***** first and especially the mouse movement seems a dead giveaway.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...