Page 2 of 2
Results 26 to 34 of 34

Thread: A little bit Concern

  1. #26
    Join Date
    Nov 2011
    Location
    England
    Posts
    3,072
    Mentioned
    296 Post(s)
    Quoted
    1094 Post(s)


    Forget I said anything....

  2. #27
    Join Date
    Mar 2012
    Location
    127.0.0.1
    Posts
    3,383
    Mentioned
    95 Post(s)
    Quoted
    717 Post(s)

    Quote Originally Posted by Olly
    Forget I said anything....
    We always do.

  3. #28
    Join Date
    Jun 2012
    Posts
    4,867
    Mentioned
    74 Post(s)
    Quoted
    1663 Post(s)

    Quote Originally Posted by Olly
    Forget I said anything....
    Why?

  4. #29
    Join Date
    Feb 2009
    Location
    Irvine, CA
    Posts
    2,873
    Mentioned
    8 Post(s)
    Quoted
    138 Post(s)

    Quote Originally Posted by BMWxi
    Why?
    Probably because everyone took his point, ran with it, and took it off a cliff.

  5. #30
    Join Date
    Feb 2011
    Location
    The Future.
    Posts
    5,600
    Mentioned
    396 Post(s)
    Quoted
    1598 Post(s)


    I don't see why these threads come up so often and it's always the same thing :S "How to detect SMART or Simba".. Since most use Windows (most stuff below is native).. Anyway, you could just ask Benland100 how to detect SMART. He will most likely tell you the best way. For Simba, it's harder.. by a lot.. Go to gamedeception or unknowncheats and look at the decompiled code and circumventions for many detection engines (i.e. PunkBuster) to see how they do it: http://www.unknowncheats.me/forum/anti-cheat-bypass/ Post a thread on rohitab or w/e.. they will tell you exactly how a company could detect you. Some games are so serious about cheating, they ban you by hardware IDs.. lol.

    Here are the most naive ways I could come up with (by no means advanced):

    Simba:

    - ReadProcessMemory from the WinAPI could scan for a specific signature in each process (perhaps the layout of one of the functions that hasn't changed in ages). Just like how malware scans for signatures (and UGC Condition Zero servers).

    - Get each process's physical location on disk, map the file, and scan for a known signature and name.

    - Scan each process's import and export tables.. Look for "FindCol" or "FindColorTol", etc..

    - Scan each process's folder for .dlls or the export table to find all loaded modules.. Read each DLL's export table. Look for Tesseract's exports, SMART's exports, etc..

    - If Simba uses SendInput and sets the dwExtraInfo to the hwnd or anything that can be used to identify it, you can read this with a low-level keyboard or mouse hook. And yes, that would rule out TeamViewer and VNC (no false positives).

    - Scan the resource table (almost never changes). Read the resource strings, images, etc..

    - Install a global hook module (installs into every process automatically, aka a low-level hook [similar to a keyboard/mouse hook]) and hook any GDI functions that deal with bitmaps (GetDC is extremely common; if not, a must). Check if the returned DC or HWND parameter is that of our applet. Ban for attempting to screen scrape. Unhook upon termination (as usual).

    - Install a global hook module. Do whatever you want to detect whatever you want. Global hooks are installed into every process (FRAPS, for example, uses such a hook to decide which DX applications to capture).

    SMART:

    - Scan module tables: LoadLibraryEx("some_module.dll", NULL, DONT_RESOLVE_DLL_REFERENCES); and check for exported function names that don't belong. Anything beginning with SMART_. You'd of course enumerate each module from all processes running (keep a hash table of the names of modules checked already.. this way you don't check the same ones twice [user32, kernel32, etc. are loaded by every process always]). This is actually very fast. Also can be done in a thread.

    - Scan the PEB and TEB tables (undocumented WinAPI) to see if any unknown modules were loaded once or twice (OpenGL or DirectX or any SMART plugins and SMART itself.. can be patched). VAC2 does this (or at least.. they used to. Not sure if they still do). The PEB alone contains: ProcessParameters, BeingDebugged, ImageBaseAddress, ImageSubsystem (can be used to see if it is a DLL or EXE.. SMART is a DLL).

    - Scan the PEB table (could also just use NtQueryInformationProcess to get a pointer to it) and read: RTL_USER_PROCESS_PARAMETERS. SMART passes specific parameters upon creation of the process. RTL_USER_PROCESS_PARAMETERS contains: CurrentDirectory, ImagePathName, CommandLine, DebugFlags, WindowTitle.

    - ipcs -m on Linux will give a list of processes using shared memory. Since RS does not use it and has no need for it, you can ban if your process ID shows up in the list (granted, this is a pretty bad technique). SMART relies on SHM. On Windows, use: GetMappedFileName.

    - Scan the title bar (ineffective)

    - Get the highest parent of the applet owner. Use reflection to get the hwnd, call GetWindowClass; if it's not the regular one, ban.. Most bots use SunAwtFrame (a JFrame).. but a browser doesn't.. Would probably have to take measures to not ban that RSBuddy thing.

    - Call CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, processID) to find a list of all modules loaded (same as PEB/TEB.. patch PEB/TEB and it disables this). Scan each module's import and export table for SMART's exports, the OpenGL SMART plugin exports, the DirectX SMART plugin exports, etc..

    - Call List<String> getInputArguments() to get a list of JVM arguments. Look for -Xbootclasspath and ban.. Use JNI to make this not easily patchable by regular Java programmers. There is no browser out there that uses -Xbootclasspath and neither does the official client.

    - Use JNI, attach to the current JVM using JNI_GetCreatedJavaVMs (from jni.dll/jni.so). Attach to the first JVM found (because usually only one JVM can be run per process). After attaching, call whatever you want. I'd call "env->FindClass" to find classes that are known to be in bots. Can be used for injection bots as well.. Hard to remove for the average Java programmer. You have a pointer to the JVM, environment, etc.. You can do whatever you feel like.

    - To prevent removal of library loading from the Java side (such as System.load or System.loadLibrary), I'd have the module ping the server upon loading with the same identifier they use when a jar is distributed per person. That way, if you log in and the server doesn't have the ping + extra info for that client, ban the user for circumvention.

    - Implement a Java security policy to prevent reflection and "setAccessible": System.setSecurityManager(new SecurityManager()) should do the trick. Otherwise a custom security manager can be used.

    - Call NtQueryInformationProcess (undocumented) and check the ProcessImageFileName and ban upon known names. Call the same function to check the parent process ID, name and signature (because Simba starts SMART with ShellExecute, Simba would be detected here and not SMART itself).

    Could go on forever.. Now stop asking these questions. Every bot is detectable in infinite amounts of ways (and the dumbest/most naive but easiest ways are shown above).. Do they do it? No.. Do they have time for it? Maybe.. Do they have the knowledge on their team? Maybe.. You'll never know.. It can be done (natively as mostly shown above or on the Java side [barely shown above]). The cat-and-mouse game goes on; it is a risk you take with ALL bots.

    You'll know if you're being hunted (everyone would be banned.. not just you) and that's all the proof you need..
    Last edited by Brandon; 11-10-2014 at 03:28 PM.
    I am Ggzz..
    Hackintosher
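The export-table check that appears in both the Simba list (scan each module's export table for known names) and the SMART list (anything beginning with SMART_, with a hash table so each module is parsed once) is the one item above that is mostly parsing work, so here it is as an added example in Python. This is not code from the thread, from SMART, or from Simba: it walks a PE image from the DOS header through the data directory to the export directory, lists the exported names, flags those starting with a suspect prefix, and dedups modules by name across processes as the post describes. The PE images it scans are constructed in memory so the example runs offline; a real scanner would read each module's file from disk or map it the way LoadLibraryEx with DONT_RESOLVE_DLL_REFERENCES does. The module and export names (smart_example.dll, SMART_SampleA, ...) are made up for the example and are not SMART's real exports.

```python
import struct

SUSPECT_PREFIXES = ("SMART_",)   # prefix the post names; constructed names below match it


def build_test_module(export_names, dll_name=b"sample.dll"):
    """Construct a minimal PE32 image in memory with one section holding an export
    directory for `export_names`. Built only so the parser has realistic input; it
    is not a loadable module."""
    sect_rva, sect_raw, n = 0x1000, 0x200, len(export_names)
    funcs_off = 40                    # export directory is 40 bytes, tables follow it
    names_off = funcs_off + 4 * n
    ords_off = names_off + 4 * n
    strings_off = ords_off + 2 * n
    strings, name_rvas = bytearray(), []
    for name in export_names:
        name_rvas.append(sect_rva + strings_off + len(strings))
        strings += name + b"\0"
    dll_name_rva = sect_rva + strings_off + len(strings)
    strings += dll_name + b"\0"
    body = bytearray(struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dll_name_rva, 1, n, n,
                                 sect_rva + funcs_off, sect_rva + names_off, sect_rva + ords_off))
    body += b"".join(struct.pack("<I", 0x2000 + 16 * i) for i in range(n))   # fake function RVAs
    body += b"".join(struct.pack("<I", rva) for rva in name_rvas)
    body += b"".join(struct.pack("<H", i) for i in range(n))
    body += strings
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)  # i386, 1 section, DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<II", opt, 96, sect_rva, len(body))            # DataDirectory[0] = exports
    section = struct.pack("<8sIIIIIIHHI", b".edata", len(body), sect_rva, len(body),
                          sect_raw, 0, 0, 0, 0, 0x40000040)
    image = bytearray(dos + b"PE\0\0" + coff + opt + section)
    image += b"\0" * (sect_raw - len(image)) + body
    return bytes(image)


def _rva_to_offset(sections, rva):
    """Map an RVA to a file offset through the section table."""
    for va, vsize, raw, rsize in sections:
        if va <= rva < va + max(vsize, rsize):
            return rva - va + raw
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def exported_names(image):
    """Return (module name, [exported names]) for a PE32 or PE32+ file image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    opt_off = e_lfanew + 24
    (magic,) = struct.unpack_from("<H", image, opt_off)
    dd_off = opt_off + (96 if magic == 0x10B else 112)       # data directory: PE32 vs PE32+
    export_rva, _ = struct.unpack_from("<II", image, dd_off)
    if export_rva == 0:
        return None, []                                       # module exports nothing
    sections = []
    for i in range(nsections):
        h = struct.unpack_from("<8sIIIIIIHHI", image, opt_off + opt_size + 40 * i)
        sections.append((h[2], h[1], h[4], h[3]))             # VA, VirtualSize, RawPtr, RawSize
    ed = _rva_to_offset(sections, export_rva)
    name_rva, _, _, n_names, _, names_tbl, _ = struct.unpack_from("<IIIIIII", image, ed + 12)
    names_off = _rva_to_offset(sections, names_tbl)
    names = [_cstring(image, _rva_to_offset(sections, struct.unpack_from("<I", image, names_off + 4 * i)[0]))
             for i in range(n_names)]
    return _cstring(image, _rva_to_offset(sections, name_rva)), names


def suspicious_exports(image, prefixes=SUSPECT_PREFIXES):
    """Exported names that begin with one of the suspect prefixes."""
    return [n for n in exported_names(image)[1] if n.startswith(prefixes)]


def scan_processes(process_modules, prefixes=SUSPECT_PREFIXES):
    """process_modules: {pid: {module_name: image_bytes}} as a module enumeration
    would yield it. Each module name is parsed once (the post's hash-table dedup, so
    user32/kernel32 are not re-checked per process). Keying by name assumes the same
    name is the same file; a production scanner would key by path or file hash."""
    checked, findings = set(), {}
    for pid, modules in process_modules.items():
        for name, image in modules.items():
            if name.lower() in checked:
                continue
            checked.add(name.lower())
            hits = suspicious_exports(image, prefixes)
            if hits:
                findings.setdefault(pid, {})[name] = hits
    return findings


if __name__ == "__main__":
    bot = build_test_module([b"DllMain", b"SMART_SampleA", b"SMART_SampleB"], b"smart_example.dll")
    clean = build_test_module([b"DllMain", b"GetVersion"], b"clean.dll")
    print(scan_processes({1234: {"clean.dll": clean},
                          5678: {"clean.dll": clean, "smart_example.dll": bot}}))
```

The parser deliberately resolves every RVA through the section table rather than assuming RVA equals file offset, which is the step that trips up quick-and-dirty scanners on real DLLs; the dedup set is the only state the scanner keeps between processes.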

  6. #31
    Join Date
    Mar 2013
    Location
    Argentina
    Posts
    758
    Mentioned
    27 Post(s)
    Quoted
    365 Post(s)

    Quote Originally Posted by Brandon
    I don't see why these threads come up so often and it's always the same thing :S "How to detect SMART or Simba".. Since most use Windows (most stuff below is native).. Anyway, you could just ask Benland100 how to detect SMART. He will most likely tell you the best way. For Simba, it's harder.. by a lot.. Go to gamedeception or unknowncheats and look at the decompiled code and circumventions for many detection engines (i.e. PunkBuster) to see how they do it: http://www.unknowncheats.me/forum/anti-cheat-bypass/ Post a thread on rohitab or w/e.. they will tell you exactly how a company could detect you. Some games are so serious about cheating, they ban you by hardware IDs.. lol.

    Here are the most naive ways I could come up with (by no means advanced):

    Simba:

    - ReadProcessMemory from the WinAPI could scan for a specific signature in each process (perhaps the layout of one of the functions that hasn't changed in ages). Just like how malware scans for signatures (and UGC Condition Zero servers).

    - Get each process's physical location on disk, map the file, and scan for a known signature and name.

    - Scan each process's import and export tables.. Look for "FindCol" or "FindColorTol", etc..

    - Scan each process's folder for .dlls or the export table to find all loaded modules.. Read each DLL's export table. Look for Tesseract's exports, SMART's exports, etc..

    - If Simba uses SendInput and sets the dwExtraInfo to the hwnd or anything that can be used to identify it, you can read this with a low-level keyboard or mouse hook. And yes, that would rule out TeamViewer and VNC (no false positives).

    - Scan the resource table (almost never changes). Read the resource strings, images, etc..

    - Install a global hook module (installs into every process automatically, aka a low-level hook [similar to a keyboard/mouse hook]) and hook any GDI functions that deal with bitmaps (GetDC is extremely common; if not, a must). Check if the returned DC or HWND parameter is that of our applet. Ban for attempting to screen scrape. Unhook upon termination (as usual).

    - Install a global hook module. Do whatever you want to detect whatever you want. Global hooks are installed into every process (FRAPS, for example, uses such a hook to decide which DX applications to capture).

    SMART:

    - Scan module tables: LoadLibraryEx("some_module.dll", NULL, DONT_RESOLVE_DLL_REFERENCES); and check for exported function names that don't belong. Anything beginning with SMART_. You'd of course enumerate each module from all processes running (keep a hash table of the names of modules checked already.. this way you don't check the same ones twice [user32, kernel32, etc. are loaded by every process always]). This is actually very fast. Also can be done in a thread.

    - Scan the PEB and TEB tables (undocumented WinAPI) to see if any unknown modules were loaded once or twice (OpenGL or DirectX or any SMART plugins and SMART itself.. can be patched). VAC2 does this (or at least.. they used to. Not sure if they still do). The PEB alone contains: ProcessParameters, BeingDebugged, ImageBaseAddress, ImageSubsystem (can be used to see if it is a DLL or EXE.. SMART is a DLL).

    - Scan the PEB table (could also just use NtQueryInformationProcess to get a pointer to it) and read: RTL_USER_PROCESS_PARAMETERS. SMART passes specific parameters upon creation of the process. RTL_USER_PROCESS_PARAMETERS contains: CurrentDirectory, ImagePathName, CommandLine, DebugFlags, WindowTitle.

    - ipcs -m on Linux will give a list of processes using shared memory. Since RS does not use it and has no need for it, you can ban if your process ID shows up in the list (granted, this is a pretty bad technique). SMART relies on SHM. On Windows, use: GetMappedFileName.

    - Scan the title bar (ineffective)

    - Get the highest parent of the applet owner. Use reflection to get the hwnd, call GetWindowClass; if it's not the regular one, ban.. Most bots use SunAwtFrame (a JFrame).. but a browser doesn't.. Would probably have to take measures to not ban that RSBuddy thing.

    - Call CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, processID) to find a list of all modules loaded (same as PEB/TEB.. patch PEB/TEB and it disables this). Scan each module's import and export table for SMART's exports, the OpenGL SMART plugin exports, the DirectX SMART plugin exports, etc..

    - Call List<String> getInputArguments() to get a list of JVM arguments. Look for -Xbootclasspath and ban.. Use JNI to make this not easily patchable by regular Java programmers. There is no browser out there that uses -Xbootclasspath and neither does the official client.

    - Use JNI, attach to the current JVM using JNI_GetCreatedJavaVMs (from jni.dll/jni.so). Attach to the first JVM found (because usually only one JVM can be run per process). After attaching, call whatever you want. I'd call "env->FindClass" to find classes that are known to be in bots. Can be used for injection bots as well.. Hard to remove for the average Java programmer. You have a pointer to the JVM, environment, etc.. You can do whatever you feel like.

    - To prevent removal of library loading from the Java side (such as System.load or System.loadLibrary), I'd have the module ping the server upon loading with the same identifier they use when a jar is distributed per person. That way, if you log in and the server doesn't have the ping + extra info for that client, ban the user for circumvention.

    - Implement a Java security policy to prevent reflection and "setAccessible": System.setSecurityManager(new SecurityManager()) should do the trick. Otherwise a custom security manager can be used.

    - Call NtQueryInformationProcess (undocumented) and check the ProcessImageFileName and ban upon known names. Call the same function to check the parent process ID, name and signature (because Simba starts SMART with ShellExecute, Simba would be detected here and not SMART itself).

    Could go on forever.. Now stop asking these questions. Every bot is detectable in infinite amounts of ways (and the dumbest/most naive but easiest ways are shown above).. Do they do it? No.. Do they have time for it? Maybe.. Do they have the knowledge on their team? Maybe.. You'll never know.. It can be done (natively as mostly shown above or on the Java side [barely shown above]). The cat-and-mouse game goes on; it is a risk you take with ALL bots.

    You'll know if you're being hunted (everyone would be banned.. not just you) and that's all the proof you need..
    This is probably the definition of quality posting :P

  7. #32
    Join Date
    May 2013
    Posts
    33
    Mentioned
    0 Post(s)
    Quoted
    18 Post(s)

    Thank you for all your posts, they made me have lower expectations of botting (in a good way) so I won't be so disappointed if I get banned. And one more thing, can you please erase the thread now, 'cause maybe they're not that smart

  8. #33
    Join Date
    May 2012
    Location
    CALGARY
    Posts
    100
    Mentioned
    0 Post(s)
    Quoted
    43 Post(s)

    Quote Originally Posted by KeepBotting
    Exactly my point. There's no conceivable way.

    Oh wait, actually I just installed my special "l33t legit ub3r gold generator hax legit notavirus.jpg.exe" onto Jacmob's IP address.
    On his personal computer I found a leaked screenshot of the proposed "color-nuke" that will defeat all screen scraper bots forever!



    We're really in for it this time guys!!!11!1!1one!!!!!1111

    ahahahaha
    People will match their shoes with their hats but won’t match their actions with their words.

  9. #34
    Join Date
    May 2014
    Posts
    633
    Mentioned
    8 Post(s)
    Quoted
    322 Post(s)

    Quote Originally Posted by Ionutz900
    Thank you for all your posts, they made me have lower expectations of botting (in a good way) so I won't be so disappointed if I get banned. And one more thing, can you please erase the thread now, 'cause maybe they're not that smart
    lol, it's probably way too late and I'd be shocked if they didn't already know at least half of that stuff.

    As long as you don't bot something which will adversely affect other players (gold farming, running a fishing/wcing army to ruin rocktail/yew log prices etc), I don't think Jagex comes after you apart from those big ban waves that they do in order to discourage us once in a while(unless you run multiple bots for the lulz, let's be real, no one legit has 5+ accounts that they play on regularly).
