So, anyone hear about the bot-nuke on Runescape recently? i just visited their site for recent updates, because I do like the game, even though economy and stuff doesn’t work because of… smart reverse engeneering people.
I’m not going to point fingers, I was on that team too! However, now Jagex states that they’ve effeciently killed 98% of the botters in their game.
You can see it in the online-players count! It’s insane!
I’m interested in the technology though - how does one secure his/her java application from reflection? In the case of an online game, I do not see how they can monitor the client like that. I believe they had a packet to check if everything was okay, but everything can be faked - right?
They use a new obfuscation that basically makes every method and field static and passes object contents in Object[]. It effectively kills reflection bots but I’m fairly sure something else will pop up sooner or later.
Edit: I’m not sure if I am allowed to tell that though…
I’m sure spending 5 minutes of applet decompilation would have worked this out, so I wouldn’t worry too much about it. But it’s interesting to hear this.
Aaaw. Natsukashiiiii… (nostalgic xD)
I used to bot with SCAR, which uses a script language similar to Pascal. It’s just a simple color clicker basically, but it did have some graphics drawing features (for bot feedback). SCAR was actually how I got interested in programming. After making bots for mostly random Flash games for a year or so, I made a small SNES like game where you could walk around in a very small tile world without any tutorial on how to do this. At this point my dad walked in and asked what I was doing. After explaining how I did it, he basically said “Move aside!” and installed Eclipse on my computer. o_0
EDIT: WHAT THE HELL?! They only have 35k players?!
That sounds alot more realistic considering how old the game is now, the 10 million active accounts figure that had been thrown around did sound way too good to be true, could be why they didn’t remove the bots earlier.
Thing is, I consider bots to be a perfectly legitimate way to play the game. Bah.
Also, I wonder how exactly they’re going to keep all those employees in beans with a free player base of only 35k unless their conversion ratio is absolutely stunning.
Well they do have 3 announced MMO’s in development which all look relatively decent. Two of them are almost done and the other is the Hasbro licensed Transformers Universe due out next year. Also the films Transformers 4 & 5 have been announced (luckily Michael Bay isn’t directing them, so hopeful it’ll be a proper reboot and not crappy like the first 3 films) again the tie in effect here should help sales of the Jagex MMO a little. So it does look like Jagex as a company should be OK for the next 2-3 years at least.
I know, but 72k people online vs 10 million active accounts sounds a little low, doesn’t it?
Of course. During my RS hacking days, people hadn’t managed to decrypt much of the source code yet. The most advanced thing that had been done was basically a custom log in screen where you could enter an IP address. It basically just started the normal client but connected to the specified IP instead of the official RS servers.
Well, if they were able to modify the login-screen that means both decompiling, deobfuscating, and recompiling the source.
Moparscape has been around forever.
I’m interrested in, if anyone knows how to make your java application safe from reflection, because looking at the project, that seems like a pretty hard task.
If your design requires that the client be secure, then your design is just wrong. No amount of protection can protect client code, in any language, on any platform.
I’m pretty sure they never deobfuscated the majority of the code in the game, just the login and connect part. They probably reverse engineered the encryption though. Like I said, I’m years behind in all this.
How long your game survives the constant onslaught from hackers depends on how much time you spend securing it VS how much time/resources the hacking community has. The problem is that the hacking community grows (probably not linearly) as your game gets more famous, so if it’s a well known game someone’s bound to hack it if it’s possible.
However I disagree with your outright statement that a client should not need to be secure. The problem in Runescape’s case is not only the client’s security. The client obviously needs to have enough information about the game world and its objects, e.t.c, so that the player can play the game. Obviously a bot can play the game with that information too, and it can capture it by using a proxy or hijacking the network information one way or something like that. Reflection was only used to issue custom commands to the game, which is obviously doable in other ways, like injecting them into the network traffic, using a program click with the mouse, e.t.c.
The only way to enforce Cas standard client security would be to only stream the final rendered image like OnLive does.
I’m thinking more about the problem at a right angle. Why should bots be disallowed from playing at all?* Perhaps that’s how I’d like to play RuneScape - making bots for it. I think the concept of an open client is a very worthy design goal.
[quote=“princec,post:12,topic:37420”]
They’re not as stupid as you think. Six years ago they were pushing a reobfuscated client every week. Doesn’t make it impossible to crack, but does mean that the person writing the crack really has to write an automatic crack writer.
[quote=“princec,post:16,topic:37420”]
Yes, but this is a fundamental problem of the genre, not something RS-specific.
