
Thread: Possible Detection Methods.


    Hi guys, today I was thinking about Jagex's possible detection methods, see, I'm a former RSPS developer and I have been one of those responsible for bringing Private servers into the modern era (I was partly responsible for deobfuscating the 474 client, solely for 503 and many others).
    Anyway, apart from Player reports and manual bans, I want to discuss what I think Jagex uses for automated bans.

    Having a lot of client experience, I can tell you a good bit about how the Jagex File System is composed and how certain client protocols work (though I have not looked through the client in years; the last client I deobfuscated and read through was #92 OSRS). I am interested in learning how Jagex detects bots and I do have a few theories.

    1. Mouse and Keyboard tracking - Having been an RSPS dev (and I mean creating my own original servers from scratch) I do know that Jagex does track mouse and keyboard movement as well as mouse focus client sided. However, I do know also that they do not necessarily use this information for bot analysis, besides, most botting platforms already deal with such movement appropriately.

    2. Custom Loaders/Clients - We all know that custom loaders have been detected by Jagex; it's been around for ages and it's quite clear in their code. So we won't stay on this topic. They are able to detect custom loaders and clients (when the code has been altered).

    3. Hardware mouse - Now here's where it becomes interesting. I recently read an article where someone posted code from Jacmob's DLL hooking the Windows API for the LLMHF_INJECTED flag. I was quite interested in this, as it is a good way of determining if the user is using their actual mouse or a mouse controlled by a piece of software. Though many claim that Jagex don't act upon the flag (notify method empty), it's still possible that they might be using it elsewhere. In any case I would still assume that it's not possible to ban someone solely based on this flag, as there are multiple applications approved by Jagex (I believe TeamViewer is one?) that use SendInput(), which would have that flag set. I believe you can still get banned, even when the flag isn't set.

    4. Screen/Pixel Capture - Here's an interesting one. Most Colour bots use pixel reading for data analysis; is it possible that they can detect screen captures used by these programs? Perhaps. As far as I know, I recall seeing something similar to this in the client (for the life of me I can't remember what), but the data was sent to some Jagex server. Don't think it had to do with botting though. I guess this can also be related to them detecting hooked OpenGL methods.

    5. Pixel Clicks and Mouse Jumps - We all know that clicking the same pixel, or jumping to a different mouse coordinate, can look sketchy, but the reality is we don't live in the past anymore. With tablets and phones, this is the new hardware input of the century, and this is very much an obsolete way of bot detection, and I'm sure Jagex knows this. It is my opinion that Jagex does NOT use the fluidity of movement and pixel position clicks to catch bots. Not anymore at least.

    6. Time - I believe that time is a factor in catching a bot, but it is not a monumental one. I believe that Jagex uses time in tiered banning: only when that "playing too long and gaining too fast" factor kicks in does the investigation start. However, I don't believe playing too long is used as a method of identifying a bot by Jagex, because by those standards a lot of legit players would be long banned.

    7. Process Analysis - This one is new to me. I've heard some people say they are unable to confirm if Jagex in fact investigates processes that the user has running in the background. This one I have no clue about, but I have yet to see any code in the client which confirms this, although it might be a very real possibility nonetheless.

    Anyway, that's just my two cents, let me know your opinion.
    Last edited by hotyute; 06-05-2018 at 06:07 PM.
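
An added example (not from the original post, and not Jagex's or Jacmob's code) of how the LLMHF_INJECTED flag from point 3 is read in a `WH_MOUSE_LL` hook and tallied as telemetry. The type names, function names and sample flag values are constructed for illustration; the result is a count only, since, as the post notes, legitimate tools that use SendInput() set the same flag.

```c
#include <stdint.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#else /* WinUser.h values, repeated so the tally logic also builds off Windows */
#define LLMHF_INJECTED          0x00000001
#define LLMHF_LOWER_IL_INJECTED 0x00000002
#endif

typedef struct { unsigned hardware, injected, lower_il; } input_tally;

/* flags bit 0: any synthesized event; bit 1: injected by a lower-integrity process */
void tally_event(input_tally *t, uint32_t flags) {
    if (flags & LLMHF_LOWER_IL_INJECTED) t->lower_il++;
    if (flags & (LLMHF_INJECTED | LLMHF_LOWER_IL_INJECTED)) t->injected++;
    else t->hardware++;
}

input_tally tally_flags(const uint32_t *flags, size_t n) {
    input_tally t = {0, 0, 0};
    for (size_t i = 0; i < n; i++) tally_event(&t, flags[i]);
    return t;
}

/* Whole-number percentage of events that were synthesized (0 if none seen). */
unsigned injected_percent(input_tally t) {
    unsigned total = t.hardware + t.injected;
    return total ? (t.injected * 100u) / total : 0u;
}

/* Constructed sample: MSLLHOOKSTRUCT.flags from eight hypothetical mouse events. */
static const uint32_t SAMPLE_FLAGS[8] = {0, 0, 1, 0, 3, 1, 0, 0};
#ifdef _WIN32
static input_tally g_tally;  /* live counts, updated by the hook below */
static LRESULT CALLBACK mouse_proc(int code, WPARAM wp, LPARAM lp) {
    if (code == HC_ACTION) tally_event(&g_tally, ((const MSLLHOOKSTRUCT *)lp)->flags);
    if (code == HC_ACTION && wp == WM_LBUTTONDOWN)  /* report once per left click */
        printf("injected so far: %u%%\n", injected_percent(g_tally));
    return CallNextHookEx(NULL, code, wp, lp);
}
#endif

int main(void) {
    input_tally t = tally_flags(SAMPLE_FLAGS, 8);
    printf("sample: hardware=%u injected=%u lower_il=%u (%u%%)\n",
           t.hardware, t.injected, t.lower_il, injected_percent(t));
#ifdef _WIN32  /* then tally live input until the process is terminated */
    HHOOK h = SetWindowsHookExW(WH_MOUSE_LL, mouse_proc, GetModuleHandleW(NULL), 0);
    for (MSG msg; h && GetMessageW(&msg, NULL, 0, 0) > 0; ) { }
#endif
    return 0;
}
```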
