Server Side Bot Detection via GUI bypass

[richarjb]

Hello Mods,

I believe you when you say warden hasn't changed. I understand you elevate privileges when you launch, that you hook calls warden uses to check proc list. I understand demonbuddy.exe in the process list isn't an issue. I'd love to hear your thoughts on the following however. I think it's a real issue that needs to be addressed and could be used by blizzard for detection.

I've noticed that DB has no real protection against running profiles that the character is unable to from the GUI. If, for example, I load up ACT 3 Inferno champ hunting it actually creates a request to the server (the process generates network traffic anyway) and the server responds with an error that is parsed by the client and presented to the user.

The problem is that even one of these mistakes could flag our accounts -- no legitimate user can attempt to create an inferno game from the GUI without unlocking it.

If blizzard isn't using this method to flag accounts it's their mistake. We should be careful loading profiles but protection in DB would be good. This is one example of many and I'm bringing it up to make a point - DB seems to over use injection. Attaching to a process and writing memory is easy. Doing it right is fracking hard. Doing it perfect is near impossible and being perfect is required, else we start crashing. Crashes are Blizzard's best friends. The client going into invalid states all the time over and over and over in a pattern SCREAMS bot, screams injection.

I think if DB is to continue we need a massive brainstorming session.

There are things that blizz logs and we know they log (because they are achievements) that work against us - gold picked up, elites killed, etc. These will get our bots flagged for sure but there isn't anything we can do about that. There *ARE* things that we can fix and we need to look at those. I know DB uses injection heavily and it may be worth re-considering injection when it isn't absolutely necessary (can sending the window a click be used instead in some cases? I know window focus is an issue). If injection is the only way it needs to be done better.

Cheers

 

[Hawker]

This is one of the things we are looking at. Even if its not the cause of so many bans, we will likely change it.

 

[richarjb]

That's great news and I appreciate the timely reply.

One last question -- is anything done to prevent sending the crash log?

I've noticed D3\Diablo III\InspectorReporter\ReportedBugs are quite verbose.

 

[bladerunner]

Quick question to devs: how DB sends movement commands to D3 client?

// client side bot detection
if (d3_window_running_in_backgroud) && (movement_commands_still_coming)
{
bot_detected = 1;
}

if (current_mouse_position_outside_d3_window) && (movement_commands_still_coming)
{
bot_detected = 1;
}

etc.

 

[Zoohnoes]

You should also properly expose some pathing and profile related internal functions, so plugins makers could take proper control over it in case of deaths, stucks and what not.

 

[richarjb]

Quick question to devs: how DB sends movement commands to D3 client?

// client side bot detection
if (d3_window_running_in_backgroud) && (movement_commands_still_coming)
{
bot_detected = 1;
}

if (current_mouse_position_outside_d3_window) && (movement_commands_still_coming)
{
bot_detected = 1;
}

etc.

DB currently hooks and replaces properly for window focus. D3 process always thinks it is in foreground.

...in anycase what you are talking about it client side detection. Mouse movement isn't information that is collected by the client so it would have to be added before it could be reported on... that's a warden update.

EDIT/DISCLAIMER: I am a reverse engineer by profession, however I am not a DB developer.

 

[Chesnut817]

I am a reverse engineer by profession

Do you think you could reverse engineer my girlfriend.?

 

[Xcesius]

Do you think you could reverse engineer my girlfriend.?

Oh you.

I got some interesting news though.. It seems people that were only using the macro software by logitech also got hit by the banwave.

 

[Chesnut817]

Oh you.

I got some interesting news though.. It seems people that were only using the macro software by logitech also got hit by the banwave.

Intresting as I have now got the G13 G600 and G11 logitech setup and was looking into making macro's on them as they record keypress and delays.

 

[RyanGosling]

Any automation software is a bannable offence.

 

[Xcesius]

Any automation software is a bannable offence.

Automation like starting diablo 3 by the push of a macro button on the keyboard? It's these small things that can cause a lawsuit against Blizzard, they have no right of gathering information that you're using macro software on your pc.

 

[Aqueilas]

UGH! I think I actually loaded a wrong profile just not so long ago. Hope I dont get banned :/. Pretty hard not to make any mistakes when you are new at this.

 

[Jigsaw]

I think Blizzard can detect when character is starting to kill monsters out of the screen, i think i actually readed they banned people who were doing it, and DB is doing it, this can easyly be seen in ACT III (Bridge of Korsiak, or whatever the map is), when character starts to shoot the birds a few moments before they appear on the screen. Next thing i dont understand is, how DB is doing teleport, for example, Demonhunter will use "dash" (the skill that rolls him forward) when near the teleport and even if he doesnt land on the teleport, 90% of the time he will go over, the char will still teleport, meaning he's standing on the wrong coordinates when he's getting teleported, so how DB is doing this, i dont know, but its kinda weird. And DB is doing many things without "clicking", like teleport, cursor doesnt move, fixing items at vendor (it doesnt open repair tab, at least on the screen) and some other things. Can this be one of the issues? Or Blizzard cant see such things?

 

[nutshot]

I think Blizzard can detect when character is starting to kill monsters out of the screen, i think i actually readed they banned people who were doing it, and DB is doing it, this can easyly be seen in ACT III (Bridge of Korsiak, or whatever the map is), when character starts to shoot the birds a few moments before they appear on the screen. Next thing i dont understand is, how DB is doing teleport, for example, Demonhunter will use "dash" (the skill that rolls him forward) when near the teleport and even if he doesnt land on the teleport, 90% of the time he will go over, the char will still teleport, meaning he's standing on the wrong coordinates when he's getting teleported, so how DB is doing this, i dont know, but its kinda weird. And DB is doing many things without "clicking", like teleport, cursor doesnt move, fixing items at vendor (it doesnt open repair tab, at least on the screen) and some other things. Can this be one of the issues? Or Blizzard cant see such things?

OhHHH yeaaaa, this reminded me of something else, something that to me seemed huge. When you run a profile, it doesn't match up with your "start game, or resume game" settings, personally I always made sure that the quests and power level in game matched with the profile and settings i was using in DB but I still got banned after only a week of botting. =/ and I was only botting 1 account on this computer.

 

[CodenameG]

Thread Closed, this section is for support issues only, in the future if you wish to discuss development and other related topics please use the developer section.