• Visit Rebornbuddy
  • *Possible* methods of bot detection

    Discussion in 'Discussions (no Ban Reports here)' started by air, Mar 27, 2015.

    1. air

      air Member

      Joined:
      Feb 24, 2015
      Messages:
      146
      Likes Received:
      4
      Trophy Points:
      18
      This is my thoughts about latest 6 months US bans. I think blizz get smarted. Botting accounts can be flagged, then if they are meets some criteria/filters account is banned.
      Criteria for ban can be different: amount of gold, auctions count, reported while botting, botting in bg(many complaints from players), player activities(more time player is gaming, more likely hi create new sub after ban), other.

      So, this is my list of possible detection methods.

      0. Possible botting players can be filtered out by checking if they using: 32 bit client + windowed only mode + Click to move. That is simple.

      1. Detection using Honeypot for gatherbuddy. It can be flagged then bot even try to use/harvest mineral or herb that is visible on map, but not accessible b'cos it's hidden inside some object.
      I know 1 spot in Ashran, inside tree. And 1 spot in Gorgrond under rocks.

      2. Detection by LUA fingerprinting

      Bot can be detected then there is many LUA calls coming from WoW client like this in tuanha rogue CR

      PHP:
        var currentEnergy Lua.GetReturnVal<int>("return UnitPower(\"player\", SPELL_POWER_ENERGY );"0);
      or from GarrisonBuddy, which flooded WoW so much, as it keeps crashing WoW client. So i stopped using GarrisonBuddy after that.

      PHP:
              public static Building GetBuildingById(String buildingId)
              {
                  
      String lua =
                      
      "C_Garrison.RequestLandingPageShipmentInfo();" +
                      
      "local RetInfo = {}; Temp = {}; local buildings = C_Garrison.GetBuildings();" +
                      
      String.Format(
                          
      "for i = 1, #buildings do " +
                          
      "local buildingID = buildings[i].buildingID;" +
                          
      "if (buildingID == {0}) then " +
                          
      "local nameShipment, texture, shipmentCapacity, shipmentsReady, shipmentsTotal, creationTime, duration, timeleftString, itemName, itemIcon, itemQuality, itemID = C_Garrison.GetLandingPageShipmentInfo(buildingID);" +
                          
      "local id, name, texPrefix, icon, rank, isBuilding, timeStart, buildTime, canActivate, canUpgrade, isPrebuilt = C_Garrison.GetOwnedBuildingInfoAbbrev(buildings[i].plotID);" +
                          
      "Temp[0] = buildings[i].buildingID;" +
                          
      "Temp[1] = buildings[i].plotID;" +
                          
      "Temp[2] = buildings[i].buildingLevel;" +
                          
      "Temp[3] = name;" +
                          
      "Temp[4] = rank;" +
                          
      "Temp[5] = isBuilding;" +
                          
      "Temp[6] = timeStart;" +
                          
      "Temp[7] = buildTime;" +
                          
      "Temp[8] = canActivate;" +
                          
      "Temp[9] = canUpgrade;" +
                          
      "Temp[11] = isPrebuilt;" +
                          
      // Info on shipments
                          
      "Temp[12] = nameShipment;" +
                          
      "if (not shipmentCapacity) then Temp[13] =  0; else Temp[13] = shipmentCapacity;end;" +
                          
      "if (not shipmentsReady) then Temp[14] = 0; else Temp[14] = shipmentsReady;end;" +
                          
      "if (not shipmentsTotal) then Temp[15] =  0; else Temp[15] = shipmentsTotal;end;" +
                          
      "Temp[16] = creationTime;" +
                          
      "Temp[17] = duration;" +
                          
      "Temp[18] = itemName;" +
                          
      "Temp[19] = itemQuality;" +
                          
      "Temp[20] = itemID;" +
                          
      "end;" +
                          
      "end;" +
                          
      "for j_=0,20 do table.insert(RetInfo,tostring(Temp[j_]));end; " +
                          
      "return unpack(RetInfo)"buildingId);
                  List<
      Stringbuilding Lua.GetReturnValues(lua);
       
      chinajade likes this.
    2. toNyx

      toNyx Well-Known Member

      Joined:
      Oct 29, 2011
      Messages:
      3,770
      Likes Received:
      35
      Trophy Points:
      48
      I put my 2 posts.... ERRRRR cents sorry.

      0) So playing in windowed/32b/ctm is forbidden.
      1) That's a good point. has been there for now shit ton of years tho.
      2) Every official addon makes lua calls... You get the point.
       
    3. panfrolo

      panfrolo New Member

      Joined:
      Jan 2, 2015
      Messages:
      20
      Likes Received:
      0
      Trophy Points:
      0
      I think he mean that some activity now put you on a "blacklist" where you are more checked than other?
       
    4. air

      air Member

      Joined:
      Feb 24, 2015
      Messages:
      146
      Likes Received:
      4
      Trophy Points:
      18
      I mean that string in LUA call like "local id, name, texPrefix, icon, rank, isBuilding, timeStart, buildTime, canActivate, canUpgrade, isPrebuilt = C_Garrison.GetOwnedBuildingInfoAbbrev(buildings.plotID);" can be used to identify bot with 100% confidence.
       
    5. Tier539

      Tier539 New Member

      Joined:
      May 30, 2011
      Messages:
      193
      Likes Received:
      1
      Trophy Points:
      0
      All we know is that players are getting banned NOW. We don't know when the detection occurred, or even started. We presume it all happened recently or just started, but it could have gone back months. With the 6 month bans going out, it's clear they just want to ban botters now so that they can get an accurate reading of how much gold each player might be willing to spend on a Token. They have a lot riding on it and only one real chance to get it right. If it goes off as a big success, then they can pad some of thier sub numbers and keep players hooked in for just some gold until their next expac.
       
    6. Kavol

      Kavol New Member

      Joined:
      May 2, 2013
      Messages:
      168
      Likes Received:
      2
      Trophy Points:
      0
      Last edited: Mar 27, 2015
    7. air

      air Member

      Joined:
      Feb 24, 2015
      Messages:
      146
      Likes Received:
      4
      Trophy Points:
      18
      The pattern strings is similar, but they do not same: C_Garrison.GetOwnedBuildingInfoAbbrev(buildings.plotID) and C_Garrison.GetOwnedBuildingInfoAbbrev(plotID).

      For example more unique string "if (not shipmentsReady) then Temp[14] = 0; else Temp[14] = shipmentsReady;end;"

      Also i think it's possible to trace LUA calls coming from addon and calls which injected in to wow. But i may be totally wrong.
       
    8. HvC

      HvC New Member

      Joined:
      Jan 20, 2015
      Messages:
      3
      Likes Received:
      0
      Trophy Points:
      0
      I wouldn't be surprised at all, many people that I know that were using CRs that use lua calls massively have also been suspended.
       
    9. Kavol

      Kavol New Member

      Joined:
      May 2, 2013
      Messages:
      168
      Likes Received:
      2
      Trophy Points:
      0
      @air thanks for clarifying :)
       
    10. gunsandunicorns

      gunsandunicorns New Member

      Joined:
      Apr 23, 2014
      Messages:
      99
      Likes Received:
      0
      Trophy Points:
      0
      sorry for stupid question, but how do I find out if a CR uses massive lua calls? precisely, does Oracle Premium belong to those routines? Thanks for help
       
    11. gunsandunicorns

      gunsandunicorns New Member

      Joined:
      Apr 23, 2014
      Messages:
      99
      Likes Received:
      0
      Trophy Points:
      0
      thanks for the detailed answer :)
       
    12. Keanu

      Keanu Member Buddy Store Developer

      Joined:
      Jan 15, 2010
      Messages:
      871
      Likes Received:
      15
      Trophy Points:
      18
      Nah, they are not counting LUA calls. I'd rather try to detect whether protected LUA methods are called from outside ;-)
       
    13. bennyquest

      bennyquest Community Developer

      Joined:
      Dec 6, 2010
      Messages:
      2,644
      Likes Received:
      22
      Trophy Points:
      38
      First and foremost the core for PURE is so outdated and I am 100% certain that all of the old Pure devs do not use it anymore, Mira, Millz, Storm, Navi, Xceis, Nom, Wulf, Weisch, Ama, Dagradt, and Myself do not use that core. I cannot speak for everyone except wulf and Myself about how much LUA is used though.

      Oracle 2 Uses the least amount of LUA you can imagine. And, with the recent LUA issues we have reduced this down to I think 2 LUA calls in the entire routine.

      Before you start pointing fingers know your facts.

      The new LUA comments from the HB staff were actually brought on by most of the "PURE team" as we had concerns for people printing to chat, and having "in game" GUI not using the current HB overlay. This is about all I will say on that.

      I will say that, there was some sort of detection (in my opinion). Be it from garrison bots, reloggers, routines or what I cannot say.

      All's well that Heals well,
      Bennyquest
       
      Last edited: Mar 27, 2015
    14. <Weischbier>

      <Weischbier> Member Buddy Store Developer

      Joined:
      Jan 18, 2013
      Messages:
      562
      Likes Received:
      16
      Trophy Points:
      18
      Wrong. Don't spread this rumor.

      best wishes,

      Weischbier
       
    15. DX123

      DX123 Member

      Joined:
      Mar 9, 2010
      Messages:
      312
      Likes Received:
      2
      Trophy Points:
      18
      Problem with that is, that is legit how I play. For whatever reason.. WOW64 does NOT like my video card so I use 32-bit in windowed mode. I also use click-to-move all the time. I just prefer it for mundane movements.

      As far as these latest bans go.. there must be SOMETHING that correlates. AH use? How long botting per day, etc? There must be something. Because while there are several getting these bans, there are many more that are not.

      Myself, I never use the AH.. never run more than 3-4 hours.. Don't do BG's.. DEFINITELY don't do dungeons or use DungeonBuddy at all. Oh and very VERY rarely do I ever go afk. Even if I'm watching TV while its doing something, I still keep an eye on it. ONCE a while back I left it running all night and set LogMeOut to dump me after 3 hours. I woke up the next morning to find myself sitting AFK in a crater in the middle of no where. Bottom line.. don't trust any plugin, or profile, no matter how good.
       
    16. Xcesius

      Xcesius Community Developer

      Joined:
      May 1, 2011
      Messages:
      2,050
      Likes Received:
      61
      Trophy Points:
      48
      Hi Phelon,

      Please do not spread rumors you don't even know about. Thanks
       
    17. Stormchasing

      Stormchasing Community Developer

      Joined:
      Jan 15, 2011
      Messages:
      4,029
      Likes Received:
      48
      Trophy Points:
      48



      Short answer: not true
      Long answer: there aren't that much routines based on pure, some started a while.back on the core of pure,most.of them didn't.


      Pure had exactly two lua calls,which were active (in the past) for 2 weeks until hb stuff was fixed,after that every lua call was disabled and some.times.later removed from the source code.


      And you only quoted half of the truth about the lua stuff and the new rules.
      It is (if I remember right) about creating objects/global variables/wow add-ons to interact with routine (or other stuff) Which also never was done with pure (it was done by some . popular crs in the past but.alsi removed months ago, as soon as we already heard about the rumors and have seen bans from other tools)


      And last but not least: some.of the common functions many people using in there code, related to lua, which was / is printing to the wow client could already be disabled by a user himself,and often there was a message stating that u should disable it




      So back to your comment related to pure: pure.never had these massive lua calls you are talking about nor the forks have had them (but I don't know about any fork that is still working on the old core, each fork was already rewritten to another core which has not much from.the pure code...pure,code.was.also removed from public access 6 or 7 months ago)
       
    18. wulf

      wulf Community Developer

      Joined:
      Dec 29, 2010
      Messages:
      1,832
      Likes Received:
      128
      Trophy Points:
      63
      Not 100% correct ...

      Question: If a CR uses the Lua class to do Lua things (even for protected-mode LUA calls), this is 'safe' (i.e., no detection risk). Correct?
      Answer: Yes, However it depends entirely on what the CR does.. If it leaves named lua variables in global scope, that is not safe.

      I had "HB-2123 Add dox Lua class API to provide basic guidance on what may/may not be safe?" created just to have clarification around what is "Not Safe".

      Link to Updated Docs: Lua.DoString Method (String, String, IntPtr)
       
    19. biGGer

      biGGer Member

      Joined:
      Jan 26, 2014
      Messages:
      76
      Likes Received:
      2
      Trophy Points:
      8
      You can still get to them without mouse, just bind interact key to something and use it instead of the mouse.
       
    20. HvC

      HvC New Member

      Joined:
      Jan 20, 2015
      Messages:
      3
      Likes Received:
      0
      Trophy Points:
      0
      To be honest most of the ban reports were playing until the tripwire I wouldn't be surprised if the tripwire didn't trigger immediately and the people that at the time were using CRs/Bases that use restricted Lua, may have been scanned before tripwire could kill their wow process.
       

    Share This Page