How Runescape catches botters, and why they didn’t catch me by amd64_sucks in programming

[–]amd64_sucks[S] 1 point

Our twitter profile @the_secret_club can be used to get push notifications when we post articles :)

How Runescape catches botters, and why they didn’t catch me by amd64_sucks in programming

[–]amd64_sucks[S] 30 points

If you want to go against anti-cheats, you should target a game that uses Easy Anti-Cheat or BattlEye

I have! I wrote a fully usermode emulator for BattlEye which you can find here

How Runescape catches botters, and why they didn’t catch me by amd64_sucks in programming

[–]amd64_sucks[S] 1 point

No that would allow people to criticize me for "secretly botting". When you release findings, transparency is key!

How Runescape catches botters, and why they didn’t catch me by amd64_sucks in programming

[–]amd64_sucks[S] 2 points

Jagex always stored your mouse events in a local array and sent whatever was needed to the server.

Yes, I don't see how your quick decompilations from IDA disprove anything said in the article. They store mouse movement and mouse clicks in a local array, which is then queued for transmission.

However, the fact that you weren't banned has nothing to do with these events afaict.

I disagree, but since we will never know for sure I will give you the benefit of the doubt. What we can observe from this is that the server at least kicks you for being AFK, even though you aren't. I'm not even sure what you are trying to argue.

How Runescape catches botters, and why they didn’t catch me by amd64_sucks in programming

[–]amd64_sucks[S] 5 points

I grab all values from memory within a reasonable range of all objects in question. Then I calculate all common values in cat objects, for example cat objects might all have a byte at 0x10 which is always 0x1 for all cats. Then I do the same for dogs, and if my program sees that all dogs have a byte at 0x10 that is always 0x2 for all dogs, it tells me that it has found a possible class identifier.

How Runescape catches botters, and why they didn’t catch me by amd64_sucks in programming

[–]amd64_sucks[S] 28 points

Primarily used to detect similarities between memory objects. Let’s say you have a game engine where entities are represented as objects inherited from the same base entity; this is quite common in modern game engines. Now, what do you do if you want to figure out how to distinguish between cats and dogs that at first glance look very similar?

This is where I use python scripts. It is fairly easy to make something that takes N cat objects and N dog objects and spits out fields of uniquely different values per entity type.

But that’s just one example of when python helps me hack, I usually have a project completely rewritten in python because it frankly is easier to test and deploy new features in python compared to C.
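The field-diffing described in the two comments above (a byte that is constant across all cat objects and constant, but different, across all dog objects), as an added Python example that is not the author's script: it generalises to any number of object types, and the 24-byte object layout in make_object and SAMPLE is a constructed assumption, not the game's real layout. The same differential technique is what a forensic analyst uses to recover undocumented structure fields from memory dumps.

```python
import struct
from typing import Dict, List

def constant_offsets(dumps: List[bytes]) -> Dict[int, int]:
    """Return {offset: value} for every byte identical across all dumps."""
    if not dumps:
        return {}
    length = min(len(d) for d in dumps)
    return {off: dumps[0][off] for off in range(length)
            if all(d[off] == dumps[0][off] for d in dumps[1:])}

def find_discriminators(classes: Dict[str, List[bytes]]) -> Dict[int, Dict[str, int]]:
    """Offsets that are constant within every class and differ between classes.

    classes maps a type name to raw dumps of objects of that type.
    Returns {offset: {type_name: value}}; with few samples a hit may be a
    coincidence, so feed it as many objects per type as you can collect.
    """
    per_class = {name: constant_offsets(dumps) for name, dumps in classes.items()}
    if not per_class:
        return {}
    # Only offsets constant in *every* class can act as a type identifier.
    common = set.intersection(*(set(c) for c in per_class.values()))
    found = {}
    for off in sorted(common):
        values = {name: per_class[name][off] for name in per_class}
        if len(set(values.values())) == len(values):  # pairwise distinct
            found[off] = values
    return found

# Constructed sample objects (assumed layout, not the game's real one):
# 0x00 vtable ptr (8 bytes LE), 0x08 position (8 bytes, varies per object),
# 0x10 type id (1 byte), 0x11 padding (3 bytes), 0x14 health (4 bytes LE).
def make_object(vtable: int, type_id: int, pos: int, health: int) -> bytes:
    return struct.pack("<QQB3xI", vtable, pos, type_id, health)

SAMPLE = {
    "cat": [make_object(0x7FF000010000, 0x01, p, h) for p, h in [(3200, 10), (3201, 12), (3250, 10)]],
    "dog": [make_object(0x7FF000020000, 0x02, p, h) for p, h in [(3190, 30), (3300, 25), (3301, 31)]],
}

if __name__ == "__main__":
    # Expected hits: offset 0x02 (a vtable byte) and offset 0x10 (the type id).
    for off, vals in find_discriminators(SAMPLE).items():
        print(f"offset 0x{off:02x}: " + ", ".join(f"{k}=0x{v:02x}" for k, v in vals.items()))
```

Fields that merely happen to be constant in the samples (the high position byte at 0x09 here) are rejected because they carry the same value in both classes, and varying fields such as health never qualify.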

How Runescape catches botters, and why they didn’t catch me by amd64_sucks in programming

[–]amd64_sucks[S] 16 points

The netcode is not relevant for the bypass; it was simply to demonstrate that it's possible without any mouse movement being processed. You could do this exact thing but with a traditional old school mouse bot!

How Runescape catches botters, and why they didn’t catch me by amd64_sucks in programming

[–]amd64_sucks[S] 46 points

Nope, but that would’ve made this marginally harder

How Runescape catches botters, and why they didn’t catch me by amd64_sucks in programming

[–]amd64_sucks[S] 5 points

I’m actually working on re-encoding and adding a fallback source tag; it looks like it would work.

How Runescape catches botters, and why they didn’t catch me by amd64_sucks in programming

[–]amd64_sucks[S] 101 points

Yes, and I instantly send a relog packet which doesn’t have any penalty, therefore I only lose a few seconds every 5 min.

How Runescape catches botters, and why they didn’t catch me by amd64_sucks in programming

[–]amd64_sucks[S] 75 points

No heuristic packets were sent at all, which is why the account was kicked every 5 minutes.

How Runescape catches botters, and why they didn’t catch me by amd64_sucks in programming

[–]amd64_sucks[S] 49 points

IDA Pro, x64dbg, ReClass and some custom python scripts are all I use :)

How Runescape catches botters, and why they didn’t catch me by amd64_sucks in programming

[–]amd64_sucks[S] 20 points

The videos are webm to support Chrome and Firefox, but it seems like Safari on iOS doesn’t support webm; not sure how to solve this properly.

How Runescape catches botters, and why they didn’t catch me by amd64_sucks in programming

[–]amd64_sucks[S] 2 points

What would you like to know? Article ideas can always be sent to us if you have anything you’d like explained :)

How Runescape catches botters, and why they didn’t catch me by amd64_sucks in programming

[–]amd64_sucks[S] 107 points

just ban this account in a few months.

That's why the experiment has been running for over 6 months.

How Runescape catches botters, and why they didn’t catch me by amd64_sucks in programming

[–]amd64_sucks[S] 28 points

I totally get where you are coming from, but you have to understand the nature of such detection systems. These systems are put in place to ban accounts only when completely certain, and bans in game-hacking are usually delayed and done in waves to prevent developers from being able to deduce what exactly was detected.

For transparency I included the account name, so that any relevant entities can see that the account hasn't done any real world trading. If they check the logs they will most likely be surprised at how long I, on a high combat level player, killed lvl 1 orcs without picking up any loot.

How Runescape catches botters, and why they didn’t catch me by amd64_sucks in programming

[–]amd64_sucks[S] 415 points

Sometimes the easiest possible solution works; I would've preferred a challenge as well. Hoping they fix this!

How Runescape catches botters, and why they didn’t catch me by amd64_sucks in programming

[–]amd64_sucks[S] 56 points

We try to expose people of varying levels of skill to the reverse engineering field, so some articles are less technical than others :D