Results 1 to 11 of 11

Thread: Third Party Client Detection Methods

  1. #1
    Join Date
    Dec 2006
    Location
    Banville
    Posts
    3,905
    Mentioned
    12 Post(s)
    Quoted
    98 Post(s)

    Default Third Party Client Detection Methods

    I'm looking for references like this:

    1. http://rs-hacking.com/forum/index.ph.../?hl=detection
    2. http://rs-hacking.com/forum/index.ph.../?hl=detection

    Provided courtesy of @Joopi. Unfortunately I can't view those threads as I don't have an account on that website. Would someone please summarize or offer their own take on what Jagex does?

    Particularly I'm referring to how they might detect the recent(?) OSRS HD client, and how other clients are not detected with what appears to be a minimum amount of effort. No speculation please, try to reference reverse engineered code or ban patterns if possible.

    I'm not doing this myself because I don't know where to start. The goal is to make a client which is undetectable.
    The jealous temper of mankind, ever more disposed to censure than
    to praise the work of others, has constantly made the pursuit of new
    methods and systems no less perilous than the search after unknown
    lands and seas.

  2. #2
    Join Date
    Sep 2014
    Location
    C:\Simba\
    Posts
    559
    Mentioned
    9 Post(s)
    Quoted
    71 Post(s)

    Default

    Personally I'm more interested in how they can differentiate OSBuddy (which they have said that is okay and won't alert their bot detection system (right?)) from literally any other modified client. I have a vague memory about OSBuddy setting a method param to some odd integer in contrast to regular client for no apparent reason, which could be their way of saying "Hi I'm OSBuddy!". Maybe someone like @Kasi; or @the bank; could share their wisdom
    Feel free to ask me any questions, I will do my best to answer them!

    Previously known as YouPee.

  3. #3
    Join Date
    Dec 2008
    Posts
    135
    Mentioned
    0 Post(s)
    Quoted
    44 Post(s)

    Default

    I'm trying to write my own mechanism for detecting whether foreign classes have been loaded in a JVM.

    To test this, I have written an agent which tries to hide itself from this detection mechanism: the idea is to understand theoretical detection methods, and how they can be circumvented.



    I have come up against something quite tricky to circumvent: namely, finding the top level ClassLoader and attempting to load a known illegal class:

    private boolean runBadClassLookup() {
    for(String bad : KNOWN_BAD_CLASSES) {
    try {
    Class c = system_loader.loadClass(bad);
    if(c != null) {
    System.out.println("Found illegal class " + c.getName());
    return true;
    }
    } catch (Exception e) {
    System.out.println("Couldn't find: " + bad);
    }
    }
    return false;
    }

    The loadClass method calls some native methods to find loaded classes, so I am at a loss as to how to hide from this.



    This would be a really easy way for Jagex to detect popular bots running inside their JVM.



    Let me know your thoughts!
    I'm seeing a lot of bans lately and hopefully, will take a closer look when I have more time. There has been reflection in the client for some time now. However, it has always been determined to have nothing to do with client sided detection. It seems to me that modifiers of various methods, fields are being sent directly to the buffer (#121 dp).



    Opcodes

    0 - Int (Modifiers)

    1 - Long

    2 - String (Method Name)



    -10 through -21 are for each different type of exception



    http://pastebin.com/UwFnzZR4



    If someone has already looked over this and can prove it is not used for detection I would be interested in seeing your findings.
    They didn't ban me when I was running decompiled and renamed client, while client was sending this info to the server.

    if (3 == i1)

    never ran for me when I was testing back then (a few revisions ago.. maybe 119).



    I could prove that it was trying to look for methods in classes and failed, but the account was never banned. I would guess the account just gets flagged as a modified client, but I don't really understand why they wouldn't ban you instantly since it's clear you're sum kinda hakr. Maybe they look at other parameters aswell before banning.



    Might've changed as of rev 121 though!
    how other clients are not detected
    ..how do u know?

  4. #4
    Join Date
    Aug 2007
    Location
    Hawaii
    Posts
    3,852
    Mentioned
    7 Post(s)
    Quoted
    142 Post(s)

    Default

    This would be groundbreaking.
    Faith is an oasis in the heart which will never be reached by the caravan of thinking.

  5. #5
    Join Date
    Dec 2010
    Posts
    483
    Mentioned
    30 Post(s)
    Quoted
    328 Post(s)

    Default

    My insight is simple. But also entirely opinionated.

    I set a breakpoint on send() and recv(), logged packet exchanges, and determined within a degree of reasonable doubt that no client sided "detection" exists. The client polls plenty of data and send it to the server, but it's all information that the server requires simply to run an online game, such as click locations etc.

    So to respond to how they detect 3rd party clients, well, they don't really. I think they're full of shit.

    A modified client could very well be detected. If you invoke a function manually, then the function call counters will be offset, for example. NXT also features a binary checksum, though I am unsure if this has a legitimate purpose or not.

    Making a connection to the server with a host user agent of "test123" could very well get you detected, but that's from stupidity. Once again - the server will see your connection info when you connect to it. That does not constitute client sided detection, it is just a byproduct of legitimate server interactions.

    How OSHD could be detected could be, for example, the fact it never asks for (fetches) the official assets from the server, as I assume it does not cache assets that it doesn't use. Alternatively they're, once again, full of shit since numerous people have reported no ban with it and even achieved things like the quest cape on it.

    The client itself we've been tearing apart since rs2 317 and earlier. If there was anything, at all, we'd have found it by now in one of the almost entirely refactored releases floating around out there. Just like how we found their low level mouse hook (unfunctional however).

    All this to say, it is my strong belief that all bot detection is done in the form of server sided heuristics. Clients aren't detected unless they're modified or you're stupid in how you formulate your server connection and/or browser emulation. And even in those cases I am not saying that the client would be detected, simply that it could be.

    That's my 2cents. I've argued with others about it so I know there's many schools of thought. I try and base my opinion in testable and viewable fact, rather than the words of anyone else (especially Jagex). To each their own.

  6. #6
    Join Date
    Dec 2006
    Location
    Banville
    Posts
    3,905
    Mentioned
    12 Post(s)
    Quoted
    98 Post(s)

    Default

    Quote Originally Posted by Grunt View Post
    ..how do u know?
    Because there's lots of people who don't get banned. I experienced a lot of randoms when using SMART - they might detect it because it's high profile and makes no effort to hide itself. Some of the discussion however makes me think people are assuming Jagex is omniscient. Moreover my knowledge of computers indicates that a lot of things that happen can't be distinguished as fake or real.


    Quote Originally Posted by the bank View Post
    My insight is simple. But also entirely opinionated.

    I set a breakpoint on send() and recv(), logged packet exchanges, and determined within a degree of reasonable doubt that no client sided "detection" exists. The client polls plenty of data and send it to the server, but it's all information that the server requires simply to run an online game, such as click locations etc.
    Isn't network traffic encrypted? Did you grab the data before it was encrypted? What leads you to this conclusion? (E.g. a lack of any burst of activity when you start the client.)

    Quote Originally Posted by the bank View Post
    So to respond to how they detect 3rd party clients, well, they don't really. I think they're full of shit.
    This was my take on it especially because Jagex's actions w.r.t. modified clients is similar to their reaction to world switchers some time ago. When that was happening they claimed to be able to detect world switchers, despite the fact that most world switchers used the Windows internet form control - so it looks like someone was connecting using IE. If they didn't I every developer to my knowledge was savvy enough to copy a valid user agent. As far as I know nobody ever received a ban and Jagex was lying through their teeth. In this case however there are valid things they can detect, but it seems like one has to go out of their way to do something that is detectable.

    Quote Originally Posted by the bank View Post
    A modified client could very well be detected. If you invoke a function manually, then the function call counters will be offset, for example. NXT also features a binary checksum, though I am unsure if this has a legitimate purpose or not.

    Making a connection to the server with a host user agent of "test123" could very well get you detected, but that's from stupidity. Once again - the server will see your connection info when you connect to it. That does not constitute client sided detection, it is just a byproduct of legitimate server interactions.

    How OSHD could be detected could be, for example, the fact it never asks for (fetches) the official assets from the server, as I assume it does not cache assets that it doesn't use. Alternatively they're, once again, full of shit since numerous people have reported no ban with it and even achieved things like the quest cape on it.

    The client itself we've been tearing apart since rs2 317 and earlier. If there was anything, at all, we'd have found it by now in one of the almost entirely refactored releases floating around out there. Just like how we found their low level mouse hook (unfunctional however).

    All this to say, it is my strong belief that all bot detection is done in the form of server sided heuristics. Clients aren't detected unless they're modified or you're stupid in how you formulate your server connection and/or browser emulation. And even in those cases I am not saying that the client would be detected, simply that it could be.

    That's my 2cents. I've argued with others about it so I know there's many schools of thought. I try and base my opinion in testable and viewable fact, rather than the words of anyone else (especially Jagex). To each their own.
    Can you write down some of the things you've mentioned in an itemized list? If you can reference how they were found or some documentation on them it would help, but I'm only really asking for sufficient pointers that they can be reinvestigated in the future. Are there any credible guesses as to what heuristics they are looking at? Where are refactored versions of the client?
    The jealous temper of mankind, ever more disposed to censure than
    to praise the work of others, has constantly made the pursuit of new
    methods and systems no less perilous than the search after unknown
    lands and seas.

  7. #7
    Join Date
    Jun 2017
    Posts
    13
    Mentioned
    0 Post(s)
    Quoted
    2 Post(s)

    Default

    Quote Originally Posted by Joopi View Post
    Personally I'm more interested in how they can differentiate OSBuddy (which they have said that is okay and won't alert their bot detection system (right?)) from literally any other modified client. I have a vague memory about OSBuddy setting a method param to some odd integer in contrast to regular client for no apparent reason, which could be their way of saying "Hi I'm OSBuddy!". Maybe someone like @Kasi; or @the bank; could share their wisdom
    Somewhere within their client, they have a very obscure server flag, which essentially informs the server of their status as a 'white listed' client. You would never be able to know exactly what it is, even if you managed to decompile their fpack (which I have), because they invoke many dummy methods, to throw off would be copycats. Jagex detects a third party client many different ways, i.e; garbage collection, window name, environment settings, and likely their own proprietary server flags, which we can't and won't know.

  8. #8
    Join Date
    Dec 2010
    Posts
    483
    Mentioned
    30 Post(s)
    Quoted
    328 Post(s)

    Default

    Quote Originally Posted by R0b0t1 View Post
    Isn't network traffic encrypted? Did you grab the data before it was encrypted? What leads you to this conclusion?
    Yes it is, and yes I did. The encryption itself is purely cipher based, and features a key obtained through the initial handshake connection between the client and server. Additionally each packet contains a checksum (seems like a CRC32 "Halifax" implementation) on the data, likely to attempt to ward off modified packets. As I was explaining in Discord, the original goal was to investigate the possibility of difference in packet structure between OSRS, RS2, and NXT (for the record, there is none). Keep in mind this is a scene I've been heavily involved in (client hacking wise) since 2006.

    The packet system itself can be explored at great length simply by looking at any private server, which essentially fully emulates the official jagex server's communication. Tracing what the data being sent is, is quite simple. Each packet has a "type" specifier, which you can then RE in the client to determine the data contents (assuming it not obvious from the packet itself). All information is sent and receieved in serialized structures


    Quote Originally Posted by R0b0t1 View Post
    it seems like one has to go out of their way to do something that is detectable.
    This really is my take on it. Of course Jagex isn't going to say "Yeah we can't detect you don't worry!"

    They rule the masses by fear that if you using a 3rd party client, or a bot, etc, that you will be detected and banned. They even specifically say "We can detect every bot", which I also believe to be a blatant lie.


    Quote Originally Posted by R0b0t1 View Post
    Can you write down some of the things you've mentioned in an itemized list? If you can reference how they were found or some documentation on them it would help, but I'm only really asking for sufficient pointers that they can be reinvestigated in the future.
    I've spent over a decade gaining the understanding I have of the client itself. In Discord, under the '#programming' channel, Zyt3x has pinned a post of mine featuring several tutorials and tools that I have made for the purposes of reverse engineering the runescape client, understand client hacking, and implementing those practices yourself. It should always be cached there even for new members, but if you'd prefer I can simply PM you the raw post itself, just let me know

    A full list would be far outside the scope of what I am prepared to itemize in this post unfortunately, but along with the resources I mentioned above you can feel free to contact me directly with any specific questions and I am always happy to help.


    Quote Originally Posted by R0b0t1 View Post
    Are there any credible guesses as to what heuristics they are looking at?
    Some fairly standard ones that are documented and in use on many online games today:

    * Intervals between actions
    * Navigational path repetition
    * Unrealistic play time
    * Perfect accuracy

    Of course it is only a guess what they may use, but these are all documented as having been used in other, similar, online games. Additionally, for the people who do like to believe what Jagex say - Jagex have claimed numerous times (see: Bot busting streams), that their "server sided heuristics play a large role in detecting bots", "our heuristics detected this bot", "our sever heuristics have found another bot", etc.

    Essentially any "pattern" of gameplay (that could be constructed via actions reported to the server - again for the purposes of legitimate gameplay) can be used for heuristical analysis and bot detection.


    Quote Originally Posted by R0b0t1 View Post
    Where are refactored versions of the client?
    All over. Pick your poison, there have been major refactors of several major client versions.

    317 was a huge one, as it was kind of the "mother" of RSPS revisions.
    https://github.com/Rabrg/refactored-client

    512 was another big one, it was the HD client introduction and inspired a lot of people to get back into RE'ing the client (myself included). You can find several floating around my old stomping grounds (MITB).

    Here's a very good and more recent one of OSRS:
    https://github.com/kinztechcom/OSRS-Refactored

    There are others that I haven't personally looked at, but found with a quick & easy search, such as;

    377:
    https://www.rune-server.ee/runescape...77-client.html

    530 (modified for longer draw distance):
    https://www.moparscape.org/community...client/675098/

    Also many updaters, including my own, will refactor the client so far as deobfuscating it and refactoring the found fields and classes before finishing execution, however that is not nearly as complete (of course) as the refactor projects mentioned above. I know for a fact I am missing some big ones too, but with the MITB site acquisition its been a royal pain to search for all the old projects etc.

    Though its not a scene I was ever a part of (I was on the MITB client hacking side, not the MPSC side), the RSPS scene would be another good place to investigate.

  9. #9
    Join Date
    Dec 2006
    Location
    Banville
    Posts
    3,905
    Mentioned
    12 Post(s)
    Quoted
    98 Post(s)

    Default

    All right, thanks. Unfortunately this all seems to be rather basic and what was available a number of years ago. My first guess is that no advances have been made on Jagex's side, though it is possible a lack of botting interest means nothing new has been discovered.
    The jealous temper of mankind, ever more disposed to censure than
    to praise the work of others, has constantly made the pursuit of new
    methods and systems no less perilous than the search after unknown
    lands and seas.

  10. #10
    Join Date
    Dec 2010
    Posts
    483
    Mentioned
    30 Post(s)
    Quoted
    328 Post(s)

    Default

    Download the client yourself, decompile it (JD-GUI is a good decompiler for Java8+) and go through it. Java is essentially open-source, in the same way .NET is. Their only protection is obfuscation, which besides some basic control-flow changes only really serves to strip variable and function names.

    With even an elementary knowledge of Java you should be able to understand everything going on in it. See for yourself what they do, that's the best thing I could suggest. Its a very basic exercise.

  11. #11
    Join Date
    Aug 2017
    Posts
    5
    Mentioned
    0 Post(s)
    Quoted
    0 Post(s)

    Default

    interesting tbh

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •