[USA][7.4] Miracle 7.4 - Launch on May 28th

Server Website/AAC
https://miracle74.com
Server Address
go.miracle74.com
Server Port
7171
Client Protocol
7
Sort the online list by level, saddest shit I've ever seen in my life, Tibia OTs truly are dead
Nothing surprising to be honest, 50% of the list are chars with level<=20, I'm on a maker as well at the moment

Just took a peek on the Tibiantis online list with 260 players and only 30 players are above level 38, so ~90% are makers (probably close to 95% considering chars like 50 ms didn't make any level for a year, only killed by noobchars)
 
I was looking at the terms and conditions/privacy policy on your website, but I can't find it.

Do you inform your players anywhere that you capture their mouse and keyboard with your client?

I am asking explicitly about the OPCODE 83 you use, which sends information about mouse positions and catches the keyboard inputs and modifiers registered right away when the g_game.isOnline(), just to make sure you know what I ask about.

LUA:
function parseKMPacket(protocol, msg)
    local msgType = msg:getU8()

    if msgType == TYPE_KEYDOWN then
        local keyCode = msg:getU16()

        onListenKeyDown(keyCode)
    elseif msgType == TYPE_KEYUP then
        local keyCode = msg:getU16()

        onListenKeyUp(keyCode)
    elseif msgType == TYPE_KEYMOD then
        local modifiers = msg:getU32()

        onListenModKey(modifiers)
    elseif msgType == TYPE_MOUSEMOVE then
        local x = msg:getU32()
        local y = msg:getU32()

        onListenMouse(x, y)
    end
end
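
Added example, not part of the original post or of the Miracle client: a Python decoder for the message layout that parseKMPacket reads above, which a player could run over decrypted opcode 83 payloads to see which input events they carry. The numeric type codes and the little-endian byte order are assumptions (the post shows only the constant names), and the sample payloads are constructed.

```python
import struct
from collections import Counter

# Hypothetical type codes: the post shows the names, not their numeric values.
TYPE_KEYDOWN, TYPE_KEYUP, TYPE_KEYMOD, TYPE_MOUSEMOVE = 1, 2, 3, 4

# Body layout per type, matching the getU16/getU32 reads in parseKMPacket.
# "<" means little-endian, which is an assumption about the wire format.
LAYOUTS = {
    TYPE_KEYDOWN: ("keydown", "<H"),
    TYPE_KEYUP: ("keyup", "<H"),
    TYPE_KEYMOD: ("keymod", "<I"),
    TYPE_MOUSEMOVE: ("mousemove", "<II"),
}

def decode_km(payload: bytes):
    """Decode one KM message; raise ValueError on unknown type or wrong length."""
    if not payload:
        raise ValueError("empty payload")
    layout = LAYOUTS.get(payload[0])
    if layout is None:
        raise ValueError(f"unknown KM type {payload[0]}")
    name, fmt = layout
    if len(payload) - 1 != struct.calcsize(fmt):
        raise ValueError(f"{name}: body is {len(payload) - 1} bytes")
    return name, struct.unpack_from(fmt, payload, 1)

def audit(payloads):
    """Summarise a capture: events per type, distinct key codes, malformed count."""
    counts, keys, bad = Counter(), set(), 0
    for p in payloads:
        try:
            name, fields = decode_km(p)
        except ValueError:
            bad += 1
            continue
        counts[name] += 1
        if name in ("keydown", "keyup"):
            keys.add(fields[0])  # each key code is individually recoverable
    return {"counts": dict(counts), "distinct_keys": sorted(keys), "malformed": bad}

# Constructed sample payloads (not captured from any real client).
SAMPLE = [
    bytes([1]) + struct.pack("<H", 72),
    bytes([2]) + struct.pack("<H", 72),
    bytes([1]) + struct.pack("<H", 73),
    bytes([3]) + struct.pack("<I", 0x2),
    bytes([4]) + struct.pack("<II", 640, 480),
    bytes([4]) + struct.pack("<I", 640),  # truncated mouse move
    bytes([9]),                           # unknown type
]
```
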
 
So basically a key logger?
 
So basically a key logger?
I am not sure what a keylogger's definition is, but this one is being terminated when a client goes offline, so it might not be 1:1. But yeah, it's close. If they do not inform players about it, which is absolutely illegal.

Maybe they thought nobody would find out when there's custom client encryption, but come on...
 
I am not sure what a keylogger's definition is, but this one is being terminated when a client goes offline, so it might not be 1:1. But yeah, it's close. They do not inform players about it, which is absolutely illegal.

Maybe they thought nobody would find out when there's custom client encryption, but come on...
1735040216185.webp
 
So basically a key logger?

There's no virus and keylogger in the client.

KM packets - Keyboard/Mouse packets are sent from server to cam system (adding output cam packets).
Then the client displays in the cam your mouse/keyboard actions in the Miracle client.

There are many agreements about that and the cam system while you are playing Miracle. I'm pretty sure that this is a common thing in almost all games, and it's part of our security system to detect automation.
 
There's no virus and keylogger in the client.

I don’t believe mapping the entire keyboard and capturing mouse inputs in real-time is necessary for implementing a cam system.

What you’re describing aligns closely with the definition of a keylogger:
"A keylogger, sometimes called a keystroke logger, is a type of surveillance technology used to monitor and record each keystroke on a device. It can be software-based and used to capture sensitive information." - Source

The fact that these inputs are not stored locally but are transmitted directly to a server—potentially overseas and passing through multiple proxies—raises serious privacy concerns. From what I can see, the only reference to this in your agreement is:
"I consent that Miracle is saving play sessions for the sole purpose of improving the gaming experience or enforcing the Miracle Rules. Saved play sessions will contain the entire user experience, including, but not limited to, chats and player interaction." - during the sign-up process.

However, this wording does not explicitly inform users that everything they type or every mouse movement they make is being captured and sent to a remote server. There’s no mention of how this data is handled, who is responsible for its security, who has access to users' keyboard and mouse recordings, or how long it’s stored.

This lack of transparency is particularly concerning given that you have players from regions like the EU and the Americas, where privacy laws (e.g., GDPR, CCPA) require clear and explicit user consent for such data collection. Under GDPR, for instance, capturing and transmitting personal input data (including keystrokes) without clear consent or a legitimate purpose could be a serious violation.

It’s difficult to justify why such invasive data capture is necessary, especially when less intrusive solutions exist. This could very well fall under the scope of illegal surveillance, particularly in jurisdictions with strict data privacy laws.

--

And what about process scanning? It’s clear from functions like getBlackListProcessError, hasRunningBlacklistProcess, and getBlackListProgram that the client actively scans for running processes on users' systems. Yet, there’s no mention of this in your agreements or privacy policy.

This raises serious concerns because you are not only capturing and transmitting keyboard and mouse inputs while the client is running (hopefully only during that time) but also monitoring the user’s operating system.

What exactly are you scanning, and what other data is being sent to your servers?
Transparency is key here. Players have a right to know what’s being collected and why. This level of monitoring goes far beyond what most users would reasonably expect when playing a game.
 
Most "antibot" servers run a system made by a developer on these forums who is very well known for selling unique OTCV8 modules. I can't give more or go into specifics because they will ban me for "advertising". The code here is just a snippet of client side code. It does send all your mouse movements, key strokes to the "GM" watching the screen. Example of the client module below. NOT ADVERTISING Just giving some supplemental information to Jeidi's post.

If a player is using tasker, it's very obvious. If they are using rifbot or some other packet based bot system, it's also very obvious. You'll see actions without movement/keystroke.

The key difference between this and a keylogger is this is only active when player is on this screen. If you go to another screen e.g. bank website, it won't show any input, this is specific to tibia client. Also the process checker is part of the same module. Even without any client input, many servers use server side logs to track all messages, NPC interactions, parcel movement, even item movement (e.g. time to use a rune after HP hits x%). If you're playing tibia with some idea of privacy, you're mistaken. Have you ever heard of BattlEye? All decent antibot systems use some sort of similar tool.

1735088428355.webp
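
The check described above, "actions without movement/keystroke", as an added example (not the module's code and not from the original post): server-side game actions are matched against the timestamps of received input events, and actions with no input shortly before them are flagged. The 0.5-second window, the log shapes and both sample sessions are constructed assumptions.

```python
from bisect import bisect_right

def unexplained_actions(actions, input_times, window=0.5):
    """Return (time, name) actions with no input event in the `window` seconds before them.

    actions: list of (timestamp, action_name) from a server-side log.
    input_times: timestamps of key/mouse events received for the same session.
    """
    inputs = sorted(input_times)
    flagged = []
    for t, name in actions:
        i = bisect_right(inputs, t)  # number of inputs at or before t
        if i == 0 or t - inputs[i - 1] > window:
            flagged.append((t, name))
    return flagged

def unexplained_ratio(actions, input_times, window=0.5):
    """Share of a session's actions that no recent input accounts for."""
    if not actions:
        return 0.0
    return len(unexplained_actions(actions, input_times, window)) / len(actions)

# Constructed session where every action follows an input event closely.
HUMAN_INPUTS = [10.0, 10.1, 12.3, 15.0]
HUMAN_ACTIONS = [(10.2, "use_rune"), (12.4, "walk"), (15.1, "say")]

# Constructed session where actions keep arriving with no input behind them.
BOT_INPUTS = [30.0]
BOT_ACTIONS = [(30.2, "walk"), (33.0, "use_rune"), (36.0, "use_rune"), (39.0, "walk")]

if __name__ == "__main__":
    print(unexplained_ratio(HUMAN_ACTIONS, HUMAN_INPUTS))
    print(unexplained_ratio(BOT_ACTIONS, BOT_INPUTS))
```
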
 
"only active when player is on this screen"
That's only you assuming something without having access to the code. Since the company doesn't inform you about what they are doing and what they are processing, and since they are happy with breaking the law, why wouldn't they go further?
Oh, they did...

Have you ever heard of battleye?
There's a very tiny, subtle difference. In one, you EXPLICITLY agree to everything the client has access to; in the second, you have no idea about anything. It's like inviting someone home and allowing that person to look around and investigate your whole house while you are not watching what they are doing or allowing that person to visit you and ask you if they can use the bathroom.

"a system made by a developer on these forums who is very well known for selling unique OTCV8 modules."
I won't comment on this one, as this would go into another huge rabbit hole with "A." if I'm not mistaken.
 
Oh Ehm No. :) Not “A.”
 
Oh Everyone kNows 44 people who have this module. I agree you can’t know what is being done, I was only mentioning the original module.
 
Are these "players" in pz bots? I'm referring to the ppl selling items in their private shop. I mean a "player" has been standing in rook temple and selling life fluid for 90g for 10 days. There are probably 100 other examples of other players selling other stuff all over the map in DP. When they stand there they are obviously at the computer all day to keep the character online. Seems like a waste of time? Especially those selling shit items day in and day out and never play the game or make runes etc. Or is it just the fact that they are spoof chars controlled by GM, or just using a bot/tasker to stay on, or perhaps MC?

Just curious
 
It's just an extra feature of this OT. You can put your char "afk" and open a shop. These chars don't count as "online" on the website. You are basically offline and can't do anything unless you log in again. But you can sell your items/runes while you are sleeping.
 