Results 1 to 13 of 13

Thread: OSRS Mouse Tracking Exposed

  1. #1
    Join Date
    Jul 2019
    Posts
    9
    Mentioned
    0 Post(s)
    Quoted
    3 Post(s)

    Exclamation OSRS Mouse Tracking Exposed

    Hi,

    I recently just got back into playing OSRS after a few years off and after receiving the ban hammer after a week on a pure I made I decided to look into the ban rates and what I could do to avoid future bans. Then after a google search I found this. (can't post links you will have to seperate the URL).

    https://osbot.org/forum/topic/153397-osbots-mouse-movement-is-easily-detected/"]https://osbot.org/forum/topic/153397-osbots-mouse-movement-is-easily-detected

    To sum it up a member on the OSBot forums has trawled through the OSRS code (sorry, dont know much about programming but trying to learn) and found some code that tracks mouse movements and sends it to the server, presumably for analysis. He found that the mouse methods on OSBot set off the flag and on at least one other bot too. The whole thread is an interesting read and kinda funny and even SRL is even mentioned once or twice.

    I know that you guys know what you are doing so the SRL mouse is probably more advanced than the OSBot mouse but I thought I would post this just to make sure it has been brought to your attention. If it hasn't been done already I suspect someone needs to check the SRL Mouse doesn't set off this flag as I think we can agree it is almost certainly used for bot detection, but to what extent is unknown.

    Also if anyone could help clear this up for me it would be appreciated. My understanding so far is that when using SMART they can track your mouse but strangely when not using SMART, it will appear to them as if your mouse is not moving as you are using a kind of virtual mouse (but they can still record when you click on the game). Is this correct because it's kinda worrying that they can tell your mouse shouldn't be moving when it is?

    Please read the link and discuss and hopefuly it will help increase the understanding of the detection system and how to avoid bans (no arguments like in the link please).

    Thanks
    Last edited by fookinel; 09-10-2019 at 06:29 AM.

  2. #2
    Join Date
    Feb 2012
    Location
    Florida
    Posts
    193
    Mentioned
    0 Post(s)
    Quoted
    6 Post(s)

    Default

    This will be a non issue for SRL/Simba/Smart.
    The only time this becomes an issue is for big games like WoW or what have you.
    They will detect if you are using WinAPI fake keyboard/mouse input methods.
    So you would have to use a program like BlueEyeMacro that utilizes a fake mouse/keyboard
    driver to circumvent detection. As far as i know Jamflex has not gone this far in quite some time.
    And if they ever did. There would be a response for sure. You would see the dead come to life and circumvent further.

    SRL's mouse functions emulate human mouse movement using Wind Mouse along a Gaussian random distribution or any
    distribution u want to set it to in your script.

    The End Awaits. . .

  3. #3
    Join Date
    Jul 2019
    Posts
    9
    Mentioned
    0 Post(s)
    Quoted
    3 Post(s)

    Default

    Thanks for the reply. I dont doubt what you say but I still don't really understand if this would track your mouse movement using Simba or not. If they are checking for mouse input does that mean they are checking for the hardware mouse, the virtual mouse or just whichever happens to be giving input at the time?

    Edit: I think I understand what you are saying. Is it that there is no way for them to tell the difference so they must just track whichever kind of mouse is being used? Sorry if I am being stupid in advance.

    Anyway that is good to know about SRL's mouse functions but I am still a bit curious if any scripts would set this off.
    Last edited by fookinel; 09-10-2019 at 10:25 PM.

  4. #4
    Join Date
    May 2012
    Location
    Glorious Nippon
    Posts
    1,003
    Mentioned
    50 Post(s)
    Quoted
    501 Post(s)

    Default

    There have been quite a few discussions about this topic over the years. From what I remember, the client does detect fake input and record mouse movements. What Jagex does with this is up for debate.
    Here's a good thread about hardware input: https://villavu.com/forum/showthread.php?t=115467
    And a relevant search

  5. #5
    Join Date
    Jul 2019
    Posts
    9
    Mentioned
    0 Post(s)
    Quoted
    3 Post(s)

    Default

    Thanks for the links. Some of them I have not seen before and I found this in one of them.

    As for your question, do they collect mouse movement? They may. There has been old de-obs that show mouse coordinate collection every 50ms. Proof:
    Java Code:

    package com.runescape.client;

    final class MouseDetection implements Runnable {

    private final Client instance;
    public final Object syncObject;
    public final int[] coordsY;
    public boolean running;
    public final int[] coordsX;
    public int coordsIndex;

    public MouseDetection(Client parent) {
    syncObject = new Object();
    coordsY = new int[500];
    coordsX = new int[500];
    running = true;
    instance = parent;
    }

    public void run() {
    while (running) {
    synchronized (syncObject) {
    if (coordsIndex < 500) {
    coordsX[coordsIndex] = instance.mouseX;
    coordsY[coordsIndex] = instance.mouseY;
    coordsIndex++;
    }
    }
    try {
    Thread.sleep(50L);
    } catch (Exception _ex) {
    }
    }
    }
    }
    So it seems that something very similar at least has been discovered before but this new discovery seems to add to this from what I can tell. Below is a part of the post from the OP.

    Reconstructing their mouse collection:

    ||) Equal, or zero movements are tracked by ticks. If you don't move your mouse for 30 ticks, they'll know. They most likely use this for multiple purposes, the biggest being the ability to figure out the entire mouse movement rather then just bits of it.

    1) Movement of the mouse is tracked, smalls/medium movements exactly by this (Only medium/small per-tick movement difference under about 30 in length)

    int yDiff = (recordedY - previouslyRecordedYMove);

    int xDiff = (recordedX - previouslyRecordedXMove);

    handler.packetBuffer.putShort(yDiff + (idleIndexesPassed<< 12) + (xDiff << 6));

    idleIndexesPassed = 0;

    movementIndex = the indexes skipped before finding a mouse move in the X/Y mouse recorder. Used to track time between mouse movmenets.
    The guy used this code to test scripts from at least one the major bots and they were detected and this was only a few months ago. It seems to me that the significance of this isn't really being appreciated.

  6. #6
    Join Date
    Dec 2007
    Posts
    2,114
    Mentioned
    70 Post(s)
    Quoted
    580 Post(s)

    Default

    Mouse recorder code has been known in the scene since as early as i can remember. Since before OSRS was released.

    Your assumptions are incorrect. Injected input flags won't be detected with event dispatching (for example on smart) since they completely avoid the windows message queue. It only detects injected input through the use of SendMessage/PostMessage etc. WinAPI functions.

    Injected input flag checks aren't present in any osrs clients either.

    People at osbot are mainly retards.

    /thread.
    Last edited by Kasi; 09-11-2019 at 05:45 PM.

  7. #7
    Join Date
    Jul 2019
    Posts
    9
    Mentioned
    0 Post(s)
    Quoted
    3 Post(s)

    Default

    LMAO. Thanks for clearing that up. I will make sure never to use that one but maybe I am a retard too because I'm still unsure about what you have said.

    I am taking it as OSRS can't detect any difference between the hardware input and virtual input. That is comforting if I have it right but it still remains that they are tracking your mouse. On the OSBot thread the OP states that there is nothing to stop them from tracking things such as how long your mouse is stationary for in 50ms ticks. This means that if I made a script in simba with a randomrange wait of 200ms between mouse movements then that would mean they could potentially be gathering evidence of me moving the mouse in these 4 ticks consistantly.

    Probably more important is that a legit players hand is actually attached to the mouse so I'm guessing the mouse will be stationary a lot less on certain tasks compared to a bot or clicker.

    I suppose it has always been obvious considering all the randomness that you can use in Simba that they are doing something like this because otherwise it would be pointless to add them into your scripts but I never knew how it worked in any detail. Before this I was thinking along the lines that they would only be recording times between clicks to the ms, so a 200ms randomrange seemed not so bad but I suppose it is still a bit short.

    Now I have a better idea of how it works I am having a bit of a rethink about the script that I am trying to write and I hope other people will too if it will help reduce their chances of a ban.
    Last edited by fookinel; 09-12-2019 at 11:03 AM.

  8. #8
    Join Date
    Dec 2007
    Posts
    2,114
    Mentioned
    70 Post(s)
    Quoted
    580 Post(s)

    Default

    Quote Originally Posted by fookinel View Post
    I am taking it as OSRS can't detect any difference between the hardware input and virtual input. That is comforting if I have it right but it still remains that they are tracking your mouse. On the OSBot thread the OP states that there is nothing to stop them from tracking things such as how long your mouse is stationary for in 50ms ticks. This means that if I made a script in simba with a randomrange wait of 200ms between mouse movements then that would mean they could potentially be gathering evidence of me moving the mouse in these 4 ticks consistantly.
    Yes, they can't detect any differences between hardware input and virtual input in OSRS.

    Yes, they still track mouse events being dispatched to the client canvas through your mouse or virtual.

    If your actual mouse moves over the canvas then yes, they can still track those movements during that 200ms. In other words, mouse events outside the client canvas don't get registered except on the edge case of some MouseExited events. It can't track mouse movement outside the client.

    This is completely client implementation specific though. Most clients have the option to block input so this doesn't happen - SMART is an example of one. It's mainly implemented so your human error doesn't interfere with the running of the script.

    Beyond the client detection that exists. The only way you'll be getting banned is if your account has similar play data to some other account/s. That's why people struggle to scale. That's why a lot of scripts only really get bans after there's a bunch of people using them. There's no such thing as pattern-less data. As shitty as jagex's system is. It prevents gold farmers for the most part.

  9. #9
    Join Date
    Jul 2019
    Posts
    9
    Mentioned
    0 Post(s)
    Quoted
    3 Post(s)

    Default

    Thanks for the help. I think I understand it now. I was using SMART with a free script when I got banned so it follows that it was mouse tracking and/or client detection that gave them all the proof they needed to ban me in the end.

    Now I'm thinking I should use a private script with the main client and hope that will make a difference. The OP reckons that he found how they collect all this data and send it to the server. Assuming that is true then we know all the data they collect. If their anti-bot really is shitty, then maybe there is a way to use this information to reduce your chances of a ban. Maybe this has already been done and would explain why some bots appear to last way longer than others, but I doubt the owners would be willing to confirm this or not.

  10. #10
    Join Date
    Dec 2007
    Posts
    2,114
    Mentioned
    70 Post(s)
    Quoted
    580 Post(s)

    Default

    Quote Originally Posted by fookinel View Post
    Thanks for the help. I think I understand it now. I was using SMART with a free script when I got banned so it follows that it was mouse tracking and/or client detection that gave them all the proof they needed to ban me in the end.
    Not so much the mouse tracking with smart, but client detection sure.

  11. #11
    Join Date
    Feb 2012
    Location
    Florida
    Posts
    193
    Mentioned
    0 Post(s)
    Quoted
    6 Post(s)

    Default

    Quote Originally Posted by fookinel View Post
    Thanks for the help. I think I understand it now. I was using SMART with a free script when I got banned so it follows that it was mouse tracking and/or client detection that gave them all the proof they needed to ban me in the end.

    Now I'm thinking I should use a private script with the main client and hope that will make a difference. The OP reckons that he found how they collect all this data and send it to the server. Assuming that is true then we know all the data they collect. If their anti-bot really is shitty, then maybe there is a way to use this information to reduce your chances of a ban. Maybe this has already been done and would explain why some bots appear to last way longer than others, but I doubt the owners would be willing to confirm this or not.
    You have to make it seem like its a real account. If all you do is bot on it. Then expect a ban. Most people recommend private scripts. This community isn't as active as it was back in the day so a lot of these scripts have been laying around.
    Learn to make your own scripts and be forever delighted. Or pay up for private stuff and make sure not a lot of people are using it.

    The End Awaits. . .

  12. #12
    Join Date
    Jul 2015
    Location
    San Diego
    Posts
    13
    Mentioned
    0 Post(s)
    Quoted
    6 Post(s)

    Default

    Quote Originally Posted by Kasi View Post
    People at osbot are mainly retards.
    Lmao
    Simba Code:
    Wait(1);

  13. #13
    Join Date
    Jul 2019
    Posts
    9
    Mentioned
    0 Post(s)
    Quoted
    3 Post(s)

    Default

    Quote Originally Posted by LordJashin View Post
    You have to make it seem like its a real account. If all you do is bot on it. Then expect a ban. Most people recommend private scripts. This community isn't as active as it was back in the day so a lot of these scripts have been laying around.
    Learn to make your own scripts and be forever delighted. Or pay up for private stuff and make sure not a lot of people are using it.
    Yeah, I understand what you mean but the way I see it is all that will do is reduce your chances of being flagged. There is a difference between being flagged and being banned for botting. For example: I could make a level 3 account now and go picking flax or something manually and I would look like all the world to be a bot. I would be flagged and then I assume my mouse movements and client analysed. They would not find anything suspect so I would not be banned.

    If there are dead giveaways with the mouse movements then once you are flagged to the point they check your mouse movements then nothing will save you. I'm working on assumptions here obviously but it makes sense to me.

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •