RebornBuddy Forums


*Possible* methods of bot detection

air (Member, joined Feb 24, 2015, 146 messages)
These are my thoughts about the latest 6 months US bans. I think Blizz got smarter. Botting accounts can be flagged, then if they meet some criteria/filters the account is banned.
Criteria for a ban can be different: amount of gold, auction count, reported while botting, botting in BGs (many complaints from players), player activity (the more time a player is gaming, the more likely he creates a new sub after a ban), other.

So, this is my list of possible detection methods.

0. Possible botting players can be filtered out by checking if they are using: 32-bit client + windowed-only mode + Click to move. That is simple.

1. Detection using a honeypot for gatherbuddy. It can be flagged when the bot even tries to use/harvest a mineral or herb that is visible on the map, but not accessible because it's hidden inside some object.
I know 1 spot in Ashran, inside a tree. And 1 spot in Gorgrond under rocks.

2. Detection by LUA fingerprinting

A bot can be detected when there are many LUA calls coming from the WoW client, like this in the tuanha rogue CR:

C#:
  var currentEnergy = Lua.GetReturnVal<int>("return UnitPower(\"player\", SPELL_POWER_ENERGY );", 0);

or from GarrisonBuddy, which flooded WoW so much that it kept crashing the WoW client. So I stopped using GarrisonBuddy after that.

C#:
        public static Building GetBuildingById(String buildingId)
        {
            String lua =
                "C_Garrison.RequestLandingPageShipmentInfo();" +
                "local RetInfo = {}; Temp = {}; local buildings = C_Garrison.GetBuildings();" +
                String.Format(
                    "for i = 1, #buildings do " +
                    "local buildingID = buildings[i].buildingID;" +
                    "if (buildingID == {0}) then " +
                    "local nameShipment, texture, shipmentCapacity, shipmentsReady, shipmentsTotal, creationTime, duration, timeleftString, itemName, itemIcon, itemQuality, itemID = C_Garrison.GetLandingPageShipmentInfo(buildingID);" +
                    "local id, name, texPrefix, icon, rank, isBuilding, timeStart, buildTime, canActivate, canUpgrade, isPrebuilt = C_Garrison.GetOwnedBuildingInfoAbbrev(buildings[i].plotID);" +
                    "Temp[0] = buildings[i].buildingID;" +
                    "Temp[1] = buildings[i].plotID;" +
                    "Temp[2] = buildings[i].buildingLevel;" +
                    "Temp[3] = name;" +
                    "Temp[4] = rank;" +
                    "Temp[5] = isBuilding;" +
                    "Temp[6] = timeStart;" +
                    "Temp[7] = buildTime;" +
                    "Temp[8] = canActivate;" +
                    "Temp[9] = canUpgrade;" +
                    "Temp[11] = isPrebuilt;" +
                    // Info on shipments
                    "Temp[12] = nameShipment;" +
                    "if (not shipmentCapacity) then Temp[13] =  0; else Temp[13] = shipmentCapacity;end;" +
                    "if (not shipmentsReady) then Temp[14] = 0; else Temp[14] = shipmentsReady;end;" +
                    "if (not shipmentsTotal) then Temp[15] =  0; else Temp[15] = shipmentsTotal;end;" +
                    "Temp[16] = creationTime;" +
                    "Temp[17] = duration;" +
                    "Temp[18] = itemName;" +
                    "Temp[19] = itemQuality;" +
                    "Temp[20] = itemID;" +
                    "end;" +
                    "end;" +
                    "for j_=0,20 do table.insert(RetInfo,tostring(Temp[j_]));end; " +
                    "return unpack(RetInfo)", buildingId);
            List<String> building = Lua.GetReturnValues(lua);
 

I put my 2 posts.... ERRRRR cents sorry.

0) So playing in windowed/32b/ctm is forbidden.
1) That's a good point. It has been there for a shit ton of years now tho.
2) Every official addon makes lua calls... You get the point.
 
I think he means that some activity now puts you on a "blacklist" where you are checked more than others?
 
I mean that a string in a LUA call like "local id, name, texPrefix, icon, rank, isBuilding, timeStart, buildTime, canActivate, canUpgrade, isPrebuilt = C_Garrison.GetOwnedBuildingInfoAbbrev(buildings[i].plotID);" can be used to identify a bot with 100% confidence.
 
All we know is that players are getting banned NOW. We don't know when the detection occurred, or even started. We presume it all happened recently or just started, but it could have gone back months. With the 6 month bans going out, it's clear they just want to ban botters now so that they can get an accurate reading of how much gold each player might be willing to spend on a Token. They have a lot riding on it and only one real chance to get it right. If it goes off as a big success, then they can pad some of their sub numbers and keep players hooked in for just some gold until their next expac.
 
@air, don't addons have similar LUA calls?


Broker Garrison - Garrison - World of Warcraft Addons - Curse
 
The pattern strings are similar, but they are not the same: C_Garrison.GetOwnedBuildingInfoAbbrev(buildings[i].plotID) and C_Garrison.GetOwnedBuildingInfoAbbrev(plotID).

For example, a more unique string: "if (not shipmentsReady) then Temp[14] = 0; else Temp[14] = shipmentsReady;end;"

Also I think it's possible to trace LUA calls coming from an addon and calls which are injected into WoW. But I may be totally wrong.
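
The distinction drawn in the post above (an API name shared with legitimate addons versus a full statement that is distinctive), shown from the detection side as an added example that is not part of the original thread and does not describe any vendor's actual detection. The addon snippet, the function names, the shingle size and the threshold are constructed assumptions.

```python
import re

# Constructed samples. BOT_CHUNK reuses statements quoted in the thread;
# ADDON_CHUNK is a hypothetical benign addon snippet calling the same API.
BOT_CHUNK = (
    "local id, name, texPrefix, icon, rank = "
    "C_Garrison.GetOwnedBuildingInfoAbbrev(buildings[i].plotID);"
    "if (not shipmentsReady) then Temp[14] = 0; else Temp[14] = shipmentsReady;end;"
)
ADDON_CHUNK = (
    "local id, name, texPrefix, icon, rank = "
    "C_Garrison.GetOwnedBuildingInfoAbbrev(plotID)\n"
    "if not shipmentsReady then shipmentsReady = 0 end"
)

TOKEN = re.compile(r"[A-Za-z_][A-Za-z0-9_.]*|\d+|\S")

def tokens(chunk):
    """Lex a Lua chunk into tokens so whitespace and line breaks do not matter."""
    return TOKEN.findall(chunk)

def shingles(chunk, n=6):
    """Set of n-token sliding windows (shingles) over the chunk."""
    t = tokens(chunk)
    return {tuple(t[i:i + n]) for i in range(len(t) - n + 1)}

def build_signatures(known_bad, known_good, n=6):
    """Keep only shingles seen in flagged chunks and never in benign ones."""
    bad = set().union(*(shingles(c, n) for c in known_bad))
    good = set().union(*(shingles(c, n) for c in known_good))
    return bad - good

def classify(chunk, signatures, n=6, threshold=3):
    """Return (flagged, hits); flagged when enough distinctive shingles match."""
    hits = len(shingles(chunk, n) & signatures)
    return hits >= threshold, hits

def api_only_match(chunk, api="C_Garrison.GetOwnedBuildingInfoAbbrev"):
    """Naive rule keyed on the API name alone: it also matches the addon."""
    return api in tokens(chunk)
```

Subtracting the benign shingles is what keeps the shared `local id, name, ... = C_Garrison.GetOwnedBuildingInfoAbbrev(` prefix out of the signature set, so the false-positive rate depends on how representative the benign addon corpus is.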
 
LUA is sure as shit how they are detecting people atm. I am guessing it is the quantity of calls that is doing it.
I wouldn't be surprised at all, many people that I know that were using CRs that use lua calls massively have also been suspended.
 
I wouldn't be surprised at all, many people that I know that were using CRs that use lua calls massively have also been suspended.

sorry for stupid question, but how do I find out if a CR uses massive lua calls? precisely, does Oracle Premium belong to those routines? Thanks for help
 
Most of the CR's out there all came from the same core which used to be "Pure". Most of those CR's were VERY heavy on the LUA. So I am guessing probably all the CR's that are popular right now are suspect. I am 100% guessing at this point, but if people are using CR only and getting nailed, I am about 99% on LUA being the culprit, especially with the new rules from HB Team about LUA calls.

thanks for the detailed answer :)
 
LUA is sure as shit how they are detecting people atm. I am guessing it is the quantity of calls that is doing it.
Nah, they are not counting LUA calls. I'd rather try to detect whether protected LUA methods are called from outside ;-)
 
Most of the CR's out there all came from the same core which used to be "Pure". Most of those CR's were VERY heavy on the LUA. So I am guessing probably all the CR's that are popular right now are suspect. I am 100% guessing at this point, but if people are using CR only and getting nailed, I am about 99% on LUA being the culprit, especially with the new rules from HB Team about LUA calls.
sorry for stupid question, but how do I find out if a CR uses massive lua calls? precisely, does Oracle Premium belong to those routines? Thanks for help

First and foremost the core for PURE is so outdated and I am 100% certain that all of the old Pure devs do not use it anymore, Mira, Millz, Storm, Navi, Xceis, Nom, Wulf, Weisch, Ama, Dagradt, and Myself do not use that core. I cannot speak for everyone except wulf and Myself about how much LUA is used though.

Oracle 2 uses the least amount of LUA you can imagine. And, with the recent LUA issues, we have reduced this down to I think 2 LUA calls in the entire routine.

Before you start pointing fingers know your facts.

The new LUA comments from the HB staff were actually brought on by most of the "PURE team" as we had concerns for people printing to chat, and having "in game" GUI not using the current HB overlay. This is about all I will say on that.

I will say that, there was some sort of detection (in my opinion). Be it from garrison bots, reloggers, routines or what I cannot say.

All's well that Heals well,
Bennyquest
 
Most of the CR's out there all came from the same core which used to be "Pure". Most of those CR's were VERY heavy on the LUA. So I am guessing probably all the CR's that are popular right now are suspect. I am 100% guessing at this point, but if people are using CR only and getting nailed, I am about 99% on LUA being the culprit, especially with the new rules from HB Team about LUA calls.

Wrong. Don't spread this rumor.

best wishes,

Weischbier
 
Possible botting players can be filtered out by checking if they are using: 32-bit client + windowed-only mode + Click to move. That is simple.

Problem with that is, that is legit how I play. For whatever reason.. WOW64 does NOT like my video card so I use 32-bit in windowed mode. I also use click-to-move all the time. I just prefer it for mundane movements.

As far as these latest bans go.. there must be SOMETHING that correlates. AH use? How long botting per day, etc? There must be something. Because while there are several getting these bans, there are many more that are not.

Myself, I never use the AH.. never run more than 3-4 hours.. Don't do BG's.. DEFINITELY don't do dungeons or use DungeonBuddy at all. Oh and very VERY rarely do I ever go afk. Even if I'm watching TV while it's doing something, I still keep an eye on it. ONCE a while back I left it running all night and set LogMeOut to dump me after 3 hours. I woke up the next morning to find myself sitting AFK in a crater in the middle of nowhere. Bottom line.. don't trust any plugin, or profile, no matter how good.
 
Most of the CR's out there all came from the same core which used to be "Pure". Most of those CR's were VERY heavy on the LUA. So I am guessing probably all the CR's that are popular right now are suspect. I am 100% guessing at this point, but if people are using CR only and getting nailed, I am about 99% on LUA being the culprit, especially with the new rules from HB Team about LUA calls.

Hi Phelon,

Please do not spread rumors you don't even know about. Thanks
 
Most of the CR's out there all came from the same core which used to be "Pure". Most of those CR's were VERY heavy on the LUA. So I am guessing probably all the CR's that are popular right now are suspect. I am 100% guessing at this point, but if people are using CR only and getting nailed, I am about 99% on LUA being the culprit.

Short answer: not true
Long answer: there aren't that many routines based on Pure; some started a while back on the core of Pure, most of them didn't.

Pure had exactly two lua calls, which were active (in the past) for 2 weeks until HB stuff was fixed; after that every lua call was disabled and some time later removed from the source code.

And you only quoted half of the truth about the lua stuff and the new rules.
It is (if I remember right) about creating objects/global variables/WoW add-ons to interact with a routine (or other stuff), which also never was done with Pure (it was done by some popular CRs in the past but also removed months ago, as soon as we already heard about the rumors and had seen bans from other tools).

And last but not least: some of the common functions many people are using in their code, related to lua, which were/are printing to the WoW client, could already be disabled by the user himself, and often there was a message stating that you should disable it.

So back to your comment related to Pure: Pure never had these massive lua calls you are talking about, nor have the forks had them (but I don't know about any fork that is still working on the old core; each fork was already rewritten to another core which has not much from the Pure code... Pure code was also removed from public access 6 or 7 months ago).
 
As I stated in my prior posts, everything I am saying is 100% speculation on my part, it is all theory. I personally think I am right, but I am sure we will find out eventually. I would be interested to see how many LUA calls are made per second from the CRs out there

Not 100% correct ...

Question: If a CR uses the Lua class to do Lua things (even for protected-mode LUA calls), this is 'safe' (i.e., no detection risk). Correct?
Answer: Yes, However it depends entirely on what the CR does.. If it leaves named lua variables in global scope, that is not safe.

I had "HB-2123 Add dox Lua class API to provide basic guidance on what may/may not be safe?" created just to have clarification around what is "Not Safe".

Link to Updated Docs: Lua.DoString Method (String, String, IntPtr)
 
1. Detection using a honeypot for gatherbuddy. It can be flagged when the bot even tries to use/harvest a mineral or herb that is visible on the map, but not accessible because it's hidden inside some object.
I know 1 spot in Ashran, inside a tree. And 1 spot in Gorgrond under rocks.
You can still get to them without mouse, just bind interact key to something and use it instead of the mouse.
 
To be honest, most of the ban reports were playing until the tripwire. I wouldn't be surprised if the tripwire didn't trigger immediately, and the people that at the time were using CRs/Bases that use restricted Lua may have been scanned before tripwire could kill their WoW process.
 