Simple Anti-Bot Client

Discussion in 'Requests' started by Drinc, Jun 14, 2018.

  1. Drinc

    Drinc Active Member

    Joined:
    Jan 25, 2012
    Messages:
    263
    Likes Received:
    27
    Best Answers:
    0
    Hello. I want to create an anti-bot client that forces "well known bots" off the grid. When looking at Tibia machine code, every variable is in the exact same memory location all the time (f.e. currentHp might be at Tibiaclient.exe + 0xA434C). Can the memory locations be changed by:

    1) Just moving around the functions in the server source code? (I assume not, since this has nothing to do with the client?)
    2) How do I change the memory location for variables in the client?
    3) How do I prevent people logging onto my client through the normal Tibia 7.72 + IP changer?

    Thanks.
     
  2. Mister Budex

    Mister Budex Thats Not Me

    Joined:
    Jun 22, 2016
    Messages:
    851
    Likes Received:
    119
    Best Answers:
    16
    Maybe try using OTClient?
     
  3. Drinc

    Drinc Active Member

    Oh yeah. Aren't there many "well known bots" for OTClient too, though?
     
    Last edited: Jun 15, 2018
  4. Mister Budex

    Mister Budex Thats Not Me

    No clue right, but you could try to edit OTClient if it's possible to prevent botting.
    I think that would be a faster way instead of the normal client.
     
    Drinc likes this.
  5. pasiak12

    pasiak12 Active Member

    Joined:
    Jun 7, 2009
    Messages:
    241
    Likes Received:
    48
    Best Answers:
    10
    afaik otclient just has another bot list for it
    also a 'cracker' can easily look into the otclient source code - it's a significant help in bot creation (but on the other side - after all these years the tibia client has been diagnosed in detail)

    Still, before your server becomes rly popular you need to handle only already-existing bots, so I would try to defend only against them.
    Moving 'normal variables' wouldn't do much - scanning and finding their new address will take 10 sec, while 'moving' them might take a really long time (consider that you need to learn how exactly a computer program works at a low level + learn how to properly edit it through, for example, dll injection)

    My advice - if you want to fight hackers - become one. Try to create a bot, then you will learn what things need to be blocked/changed first :>


    ip changer block thing - change the tibia client version to one only you know (ex. tibia 7.89) (you need to do that in the server files too then) - it's just one variable. That's the simplest solution, but maybe you will find something better.
     
    Drinc and Mister Budex like this.
  6. Drinc

    Drinc Active Member

    Great advice. I've done some simple hacking on tibia servers, and I found out rotating addresses seem to be popular. I don't expect to prevent someone who has hacking experience, I just want to prevent people who have no or a low amount of experience. For example, in similar fashion:

    Every time the client is executed, it receives from server a randomly encrypted (to avoid packet sniffing?) offset value, used to change the addresses. I want to implement something that at least increases the time/knowledge it takes to create a bot, and a dynamic way of changing things up.

    Is this complicated? Can you refer a tutorial, or suggest a path in learning more of this? I have basic programming knowledge in assembly/c/data communication. Thanks
     
  7. pasiak12

    pasiak12 Active Member

    Rotating addresses - Do you mean that some parameter you found (for example in cheat engine) is on another memory address every time you run the client, yea?
    - Well if yes, then I need to disappoint you. Those params are just dynamically allocated (while the program starts) and a mid-experienced cracker will find their position by memory/pointer scanning. In the end it will be something like a chain of addresses starting with a constant address (that never changes its position with respect to the base address) pointing to some address, then pointing to some address, then pointing to the wanted address. Those are exactly multi pointers in C/C++.

    Packet anti-sniffing is already done since tibia 7.7 when RSA encryption was added.

    I'm not sure if you can change the physical address of something in your client multiple times in an easy way. Creating some more 'clone' parameters and defining by server which one is correct at a given time might be a solution, but what about time synchronization between the server and many clients? Remember that the server must confirm every action a player does and everything needs to run smooth.

    Anyway you're on a good way to go because - you want to create something unique

    Usually a cracker treats the tibia client just like every other and tries to hack it traditionally, but when he meets the first extraordinary protection (or client uncommonness) he might and probably will just give up.

    Your server will be safe as long as it won't become super popular and it will be worth to spend super-more time to find out what you created there.


    In future I plan to try to create some easy anti-bot. I will start with creating some tibia-api, dll injection and then try to mess with tibia packets send/receive. That's how bots work, they just send packets with action codes (opcodes) instead of you. I would recommend you to look there then.

    Would be great if someone more experienced would join this discussion. I'd love to know some already known tips to fight botters too. If not, there might also be a chance to talk about it on some cracker forums - tpforums/tibiapf - you can meet some pros there, but usually the forums are quite dead.
     
  8. Drinc

    Drinc Active Member

    Thanks for the response.

    Voidcore's client changes the offset (of some values such as hp, mana, light, etc) by +156 or -156 bytes every time the client restarts, for the static values, by using .dll injections I think he said. "It's something at least." - voidcore
    The suggestion you gave me @pasiak12 about changing the client version in server/client is really appreciated. It's easy and smart. I want a similar solution to prevent the already existing cheats out there.
    .dll injections seem like a good route, except for the risk of virus programs treating the client as a virus I guess? I think Voidcore's client is fine tho.
    Preventing cheats with packets received feels tricky. I know some servers have tried auto-ban (auto-ban cheaters = packet sniffing + algorithms ?) and many times they do very little, or they ban people who aren't cheating at all.

    Another question that just popped out: How do you let the clients automatically update? That is, without the player having to re-download the client from the website.
     
  9. pyschod

    pyschod New Member

    Joined:
    Jun 4, 2018
    Messages:
    8
    Likes Received:
    1
    Best Answers:
    0
    This is the question CipSoft was asking for many years and I think there is no easy solution for it, unfortunately.
    Dealing with bots is the same as dealing with hackers, people always find a way to bypass your protection and make it work. And in a game like tibia even a simple macro can do the job sometimes, so how to avoid it completely?
    Unless you hire a 3rd party company to deal with it you would need to create your own anti cheat, blocking memory access to the client, signature scanning of common bots, even string scanning, etc. Could be easily bypassed but would protect from most users!
     
  10. pasiak12

    pasiak12 Active Member

    1. That small change is good while your server is quite not big (let's say active players <100). The first result I see is just doing a simple multiple scan to check out how the protection system works and then implementing some auto-finder at the start of the client (Check all addresses in range as long as you find the correct value -> go).
    Anyway it's good, because a casual botter won't spend more time than download standard bot + click&play

    2. How do you want to handle your client without dll injection then? :) You need to have some tools to manipulate things inside. If not dll injection, I see only switching to OTClient. You're definitely in a better position then while u got the client sources, but not everyone wants to play using that and you will also need to handle the client, not only the server, while developing your ots.

    3. Haven't done that yet. But if I did, I would start with some external program (or dll injection xD, but some launcher might be good) that checks your .spr and .dat, then if there's a need - it switches them with the latest ones from some cloud server or blocks the tibia (impossibru to play on unupdated client -> can be blocked with version flag and shout 'run the updater and restart' while trying to log in)


    Yup, but Tibia is super popular and it's worth spending extra time on that. A cracker that successfully creates something might earn a nice amount of money per month.
    On the other side -> a super-popular server has super-money, so it can afford a nice fight against it.

    Anything that a human created can be broken by another human. Anything that a computer computed can be broken by another computer. But here we can use some nice algorithms, such as sum controls/cryptographic functions, that compute a result for some key in seconds but in the opposite way need a lot more time to be broken (can be boosted by special algorithms/clusters - but still might take years for the latest safe version). But it's the next level of talk :)
     
  11. Drinc

    Drinc Active Member

    Auto update: Launchers. How does the launcher bypass the virus-programs? Automatically downloading files to the client's computer feels fishy. Are .dat & .spr guaranteed safe files (cannot contain malicious software)?
    Client-manipulation: I was thinking of just changing a few things with a hex-editor, f.e. locations of data to force people to change the source files of the cheat (update address table).

    Anti-bot is definitely an interesting subject. I'm going to have to read up on .dll injections and packet-sniffing, etc.
    Any changes to the client can easily be reversed by hackers, but at least it stops the majority of cheaters on a low pop-server as you already stated.

    I think the optimal way of stopping more experienced cheaters/hackers is creating an "auto-ban" with packet-sniffing and smart algorithms (I'm guessing):
    My hypothesis, please do correct me if I'm wrong:

    0) Hard as fuck to implement something that works well :-(
    1) Cheaters don't know how it works, since it's server-side.
    2) Requires a lot of computation and storage - Have to store player actions and do calculations with algorithms to detect repetitive, or suspicious packets.
    3) Can easily catch tasker-macro, since it's 100% repetitive. F.e. player creates UH 20 times in a row with the exact same cycle time.
    4) Can accidentally ban non-cheaters, as long as the algorithms aren't perfect. I know this has happened on other servers.
    5) Hard to catch aimbot (unless player spams, because humans cannot attempt to shoot 5 sds / sec on players, only bots can?)
    6) Hard to catch cavebot - easy to catch with GMs though
    7) Easy to catch auto-healing if performed enough times with constant time between damage and heal at % health.
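
The constant-cycle check from points 3 and 7 above, as an added example that is not part of the original post: it flags players whose repeats of one action arrive at nearly fixed intervals, so a GM can review them rather than banning automatically. The player names, action label, thresholds and timestamps are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

def flag_fixed_cycle(events, min_actions=15, max_cv=0.02):
    """events: iterable of (player, action, server_receive_ms).
    Returns {(player, action): cv} for streams whose gaps between
    repeats are nearly constant, where cv = stdev(gaps) / mean(gaps)."""
    streams = defaultdict(list)
    for player, action, t_ms in events:
        streams[(player, action)].append(t_ms)
    flagged = {}
    for key, times in streams.items():
        if len(times) < min_actions:       # too few samples to judge (point 4)
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:                   # threshold is an assumption to tune
            flagged[key] = round(cv, 4)
    return flagged

def build_sample():
    """Constructed data, not captured traffic."""
    events = []
    jitter = [0, 3, -2, 4, -3, 1]          # a few ms of network noise
    for i in range(20):                    # macro: same action every ~2000 ms
        events.append(("macro_user", "make_rune", i * 2000 + jitter[i % 6]))
    human_gaps = [1800, 2400, 2100, 3100, 1900, 2700, 2050, 2300,
                  1750, 2900, 2200, 2600, 2000, 3300, 1850, 2500]
    t = 0
    for gap in [0] + human_gaps:           # human: same action, uneven pace
        t += gap
        events.append(("human_user", "make_rune", t))
    for i in range(4):                     # short burst, below min_actions
        events.append(("new_user", "make_rune", i * 1000))
    return events

if __name__ == "__main__":
    for (player, action), cv in flag_fixed_cycle(build_sample()).items():
        print(f"review {player}: {action} repeats with cv={cv}")
```

Lowering `min_actions` to 3 also flags the four-event burst from `new_user`, which is the false-positive risk from point 4.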
     
  12. pasiak12

    pasiak12 Active Member

    File correctness can be confirmed by checksums (SHA-1, MD5 etc). Anyway putting malware in that way sounds like some really advanced bad person wants to hurt someone's tiny project xd

    1) yup they don't know - but they don't care how it works. They care about the message output from the server for a certain input and the job is to reproduce it in the way they want it to work =)
    2) If smth requires too much work/processor time/ram usage it's just a bad idea. If I am in need of some system I will start with checking what has already been done and there I will look for inspiration/improvement for my needs.
    6) imo active GMs are a great solution. Then only auto-healers/macros/etc are left

    We need to understand why those people create bots. Usually they sell them to other players. If the bot is unstable even once a month (get ban/needs update to work again) - ppl might not buy it (get ban after a month - lost account creating 1 year / bot is working only 2 weeks per month) - there would be no sense in spending more time on its creation.
    So keep to realistic things, as long as the 'hacker' isn't psycho or really hates you or your server is super mega popular and the first one who creates a bot for it becomes a millionaire - small smart protections will be enough.

    I will stick to GMs + something detecting the macro usage (here I would start with opcodes)

    Keep in mind I haven't done anything of the above in practice. I'm 100% sure if I seriously start doing one of these, some more serious things will show up immediately. We are only theorising now.
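
The launcher-side file check discussed in the two posts above (checking .spr and .dat before play, and confirming files by checksum), as an added example that is not part of the original thread. It uses SHA-256 in place of the SHA-1/MD5 named in the post, because both of those have known collision attacks; the file names and contents are constructed.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large sprite files are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_client_files(client_dir, manifest):
    """manifest: {filename: expected sha256 hex}, published by the server.
    Returns {filename: "ok" | "mismatch" | "missing"}."""
    result = {}
    for name, expected in manifest.items():
        path = Path(client_dir) / name
        if not path.is_file():
            result[name] = "missing"
        elif hmac.compare_digest(sha256_file(path), expected.lower()):
            result[name] = "ok"
        else:
            result[name] = "mismatch"      # re-download or refuse to launch
    return result

def demo():
    """Constructed files: one intact, one altered, one never downloaded."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "client.spr").write_bytes(b"constructed sprite data")
        (Path(d) / "client.dat").write_bytes(b"altered after download")
        manifest = {
            "client.spr": hashlib.sha256(b"constructed sprite data").hexdigest(),
            "client.dat": hashlib.sha256(b"constructed dat data").hexdigest(),
            "addon.dat": hashlib.sha256(b"not on disk").hexdigest(),
        }
        return verify_client_files(d, manifest)

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

A matching hash only shows that the file is the one the server published, so the manifest itself has to reach the launcher over an authenticated channel such as TLS or a signed file.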
     
  13. Drinc

    Drinc Active Member

    Yeah, we will have a few active GMs once everything is done. The anti-bot client is, as stated earlier, to remove standard 'well known' cheats, and because the subject of security is an interesting subject. Thanks for the tips, I'll do some research.
     
