  Jagex kills reflection apparently  (Read 5190 times)

Mads
« Posted 2011-10-27 03:27:12 »

So, anyone hear about the bot-nuke on Runescape recently? I just visited their site for recent updates, because I do like the game, even though economy and stuff doesn't work because of... smart reverse engineering people.

I'm not going to point fingers, I was on that team too! However, now Jagex states that they've efficiently killed 98% of the botters in their game.
You can see it in the online-players count! It's insane!

I'm interested in the technology though - how does one secure his/her java application from reflection? In the case of an online game, I do not see how they can monitor the client like that. I believe they had a packet to check if everything was okay, but everything can be faked - right?

Waterwolf
« Reply #1 - Posted 2011-10-27 04:56:54 »

They use a new obfuscation that basically makes every method and field static and passes object contents in Object[]. It effectively kills reflection bots but I'm fairly sure something else will pop up sooner or later.

Edit: I'm not sure if I am allowed to tell that though..
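
What the obfuscation described in this reply looks like from reflection's side, as an added example that is not part of the original post and not Jagex's code. The `Player` class, the flattened class `a`, and all values are constructed for illustration.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;

// Added illustration; none of these names come from the RuneScape client.
public class FlattenDemo {

    // Before: state lives in typed, named, per-instance fields.
    static class Player {
        private int health = 87;                      // constructed sample value
        private String name = "constructed-sample";
        int getHealth() { return health; }
    }

    // After: the shape the reply describes. Nothing per-instance remains;
    // state travels in an Object[] and behaviour is a static method over it.
    static final class a {
        static Object[] b() { return new Object[] { 87, "constructed-sample" }; }
        static int c(Object[] o) { return (Integer) o[0]; }
    }

    // Number of instance fields reflection can enumerate on a type.
    static int instanceFieldCount(Class<?> type) {
        int n = 0;
        for (Field f : type.getDeclaredFields()) {
            if (!Modifier.isStatic(f.getModifiers()) && !f.isSynthetic()) {
                n++;
            }
        }
        return n;
    }

    // Look a value up by field name, the way name-based tooling does.
    // Returns null when the type no longer carries such a field.
    static Object readByName(Object target, String fieldName) {
        try {
            Field f = target.getClass().getDeclaredField(fieldName);
            f.setAccessible(true);
            return f.get(target);
        } catch (ReflectiveOperationException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        Player before = new Player();
        Object[] after = a.b();

        // Conventional class: two discoverable fields, readable by name.
        System.out.println("Player instance fields: " + instanceFieldCount(Player.class));
        System.out.println("Player.health by name:  " + readByName(before, "health"));

        // Flattened form: the holder class has no instance fields, and the
        // state object is a plain Object[] with no field metadata at all.
        System.out.println("a instance fields:      " + instanceFieldCount(a.class));
        System.out.println("Object[] 'health':      " + readByName(after, "health"));

        // The game's own code still works, because it knows the slot layout.
        System.out.println("a.c(state):             " + a.c(after));
    }
}
```

The values are still present in the array at run time; what is gone is the name and type metadata that name-based lookups depended on, which fits the reply's expectation that something else will pop up.
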
JL235
« Reply #2 - Posted 2011-10-27 05:22:36 »

> They use a new obfuscation that basically makes every method and field static and passes object contents in Object[]. It effectively kills reflection bots but I'm fairly sure something else will pop up sooner or later.
>
> Edit: I'm not sure if I am allowed to tell that though..

I'm sure spending 5 minutes of applet decompilation would have worked this out, so I wouldn't worry too much about it. But it's interesting to hear this.

princec
« Reply #3 - Posted 2011-10-27 07:50:33 »

The Jagex team are apparently clueless about security. And 3D rendering.

Cas Smiley

theagentd
« Reply #4 - Posted 2011-10-27 09:05:39 »

Aaaw. Natsukashiiiii... (nostalgic xD)
I used to bot with SCAR, which uses a script language similar to Pascal. It's just a simple color clicker basically, but it did have some graphics drawing features (for bot feedback). SCAR was actually how I got interested in programming. After making bots for mostly random Flash games for a year or so, I made a small SNES like game where you could walk around in a very small tile world without any tutorial on how to do this. At this point my dad walked in and asked what I was doing. After explaining how I did it, he basically said "Move aside!" and installed Eclipse on my computer. o_0

EDIT: WHAT THE HELL?! They only have 35k players?!

Myomyomyo.

kappa
« Reply #5 - Posted 2011-10-27 09:11:44 »

> EDIT: WHAT THE HELL?! They only have 35k players?!

That sounds a lot more realistic considering how old the game is now, the 10 million active accounts figure that had been thrown around did sound way too good to be true, could be why they didn't remove the bots earlier.

princec
« Reply #6 - Posted 2011-10-27 09:25:33 »

Thing is, I consider bots to be a perfectly legitimate way to play the game. Bah.
<edit>Also, I wonder how exactly they're going to keep all those employees in beans with a free player base of only 35k unless their conversion ratio is absolutely stunning.

Cas Smiley

theagentd
« Reply #7 - Posted 2011-10-27 09:38:08 »

> Thing is, I consider bots to be a perfectly legitimate way to play the game. Bah.
> <edit>Also, I wonder how exactly they're going to keep all those employees in beans with a free player base of only 35k unless their conversion ratio is absolutely stunning.
>
> Cas Smiley

Conversion ratio? Are they a religious sect? I knew it!

Myomyomyo.

kappa
« Reply #8 - Posted 2011-10-27 09:50:53 »

Well they do have 3 announced MMOs in development which all look relatively decent. Two of them are almost done and the other is the Hasbro licensed Transformers Universe due out next year. Also the films Transformers 4 & 5 have been announced (luckily Michael Bay isn't directing them, so hopefully it'll be a proper reboot and not crappy like the first 3 films). Again, the tie-in effect here should help sales of the Jagex MMO a little. So it does look like Jagex as a company should be OK for the next 2-3 years at least.

Mads
« Reply #9 - Posted 2011-10-27 17:24:07 »

> The Jagex team are apparently clueless about security. And 3D rendering.
>
> Cas Smiley

Can you elaborate on this point, please? Smiley

Mike
« Reply #10 - Posted 2011-10-27 17:27:52 »

> EDIT: WHAT THE HELL?! They only have 35k players?!
> That sounds a lot more realistic considering how old the game is now, the 10 million active accounts figure that had been thrown around did sound way too good to be true, could be why they didn't remove the bots earlier.

There are currently 72k people online, the number on the website is number of people currently online and not number of players.

Mike

princec
« Reply #11 - Posted 2011-10-27 18:28:14 »

> The Jagex team are apparently clueless about security. And 3D rendering.
>
> Cas Smiley
>
> Can you elaborate on this point, please? Smiley

If they think that obscuring the client is going to stop bots they are probably in for a bit of a shock.

Cas Smiley

Mads
« Reply #12 - Posted 2011-10-27 18:38:38 »

> The Jagex team are apparently clueless about security. And 3D rendering.
>
> Cas Smiley
>
> Can you elaborate on this point, please? Smiley
> If they think that obscuring the client is going to stop bots they are probably in for a bit of a shock.
>
> Cas Smiley

I don't think that's their move, cause they've been obfuscating for years.

theagentd
« Reply #13 - Posted 2011-10-28 01:27:48 »

> EDIT: WHAT THE HELL?! They only have 35k players?!
> That sounds a lot more realistic considering how old the game is now, the 10 million active accounts figure that had been thrown around did sound way too good to be true, could be why they didn't remove the bots earlier.
>
> There are currently 72k people online, the number on the website is number of people currently online and not number of players.
>
> Mike

I know, but 72k people online vs 10 million active accounts sounds a little low, doesn't it?

> The Jagex team are apparently clueless about security. And 3D rendering.
>
> Cas Smiley
>
> Can you elaborate on this point, please? Smiley
> If they think that obscuring the client is going to stop bots they are probably in for a bit of a shock.
>
> Cas Smiley
>
> I don't think that's their move, cause they've been obfuscating for years.

Of course. During my RS hacking days, people hadn't managed to decrypt much of the source code yet. The most advanced thing that had been done was basically a custom log in screen where you could enter an IP address. It basically just started the normal client but connected to the specified IP instead of the official RS servers.

http://www.rsbot.org/
Now THAT is creepy.

EDIT: I'll just leave this here: http://www.kaitnieks.com/AutoRune/history/

Myomyomyo.
Mads
« Reply #14 - Posted 2011-10-28 05:30:03 »

> EDIT: WHAT THE HELL?! They only have 35k players?!
> That sounds a lot more realistic considering how old the game is now, the 10 million active accounts figure that had been thrown around did sound way too good to be true, could be why they didn't remove the bots earlier.
>
> There are currently 72k people online, the number on the website is number of people currently online and not number of players.
>
> Mike
> I know, but 72k people online vs 10 million active accounts sounds a little low, doesn't it?
>
> The Jagex team are apparently clueless about security. And 3D rendering.
>
> Cas Smiley
>
> Can you elaborate on this point, please? Smiley
> If they think that obscuring the client is going to stop bots they are probably in for a bit of a shock.
>
> Cas Smiley
>
> I don't think that's their move, cause they've been obfuscating for years.
> Of course. During my RS hacking days, people hadn't managed to decrypt much of the source code yet. The most advanced thing that had been done was basically a custom log in screen where you could enter an IP address. It basically just started the normal client but connected to the specified IP instead of the official RS servers.
>
> http://www.rsbot.org/
> Now THAT is creepy.
>
> EDIT: I'll just leave this here: http://www.kaitnieks.com/AutoRune/history/

Well, if they were able to modify the login-screen that means both decompiling, deobfuscating, and recompiling the source.
Moparscape has been around forever.

I'm interested in, if anyone knows how to make your java application safe from reflection, because looking at the project, that seems like a pretty hard task.

princec
« Reply #15 - Posted 2011-10-28 08:08:16 »

If your design requires that the client be secure, then your design is just wrong. No amount of protection can protect client code, in any language, on any platform.

Cas Smiley

theagentd
« Reply #16 - Posted 2011-10-28 11:28:28 »

> Well, if they were able to modify the login-screen that means both decompiling, deobfuscating, and recompiling the source.
> Moparscape has been around forever.
>
> I'm interested in, if anyone knows how to make your java application safe from reflection, because looking at the project, that seems like a pretty hard task.

I'm pretty sure they never deobfuscated the majority of the code in the game, just the login and connect part. They probably reverse engineered the encryption though. Like I said, I'm years behind in all this.

> If your design requires that the client be secure, then your design is just wrong. No amount of protection can protect client code, in any language, on any platform.
>
> Cas Smiley

How long your game survives the constant onslaught from hackers depends on how much time you spend securing it VS how much time/resources the hacking community has. The problem is that the hacking community grows (probably not linearly) as your game gets more famous, so if it's a well known game someone's bound to hack it if it's possible.

However I disagree with your outright statement that a client should not need to be secure. The problem in Runescape's case is not only the client's security. The client obviously needs to have enough information about the game world and its objects, etc., so that the player can play the game. Obviously a bot can play the game with that information too, and it can capture it by using a proxy or hijacking the network information one way or something like that. Reflection was only used to issue custom commands to the game, which is obviously doable in other ways, like injecting them into the network traffic, using a program click with the mouse, etc.

The only way to enforce Cas standard client security would be to only stream the final rendered image like OnLive does.

Myomyomyo.
princec
« Reply #17 - Posted 2011-10-28 13:12:24 »

I'm thinking more about the problem at a right angle. Why should bots be disallowed from playing at all?* Perhaps that's how I'd like to play RuneScape - making bots for it. I think the concept of an open client is a very worthy design goal.

Cas Smiley

* Rights for AIs!

Matzon
« Reply #18 - Posted 2011-10-28 16:19:57 »

Problem with bots is that they automate much of the game mechanics - and ruin the economy.

Sort of like the wall street trading systems that work on micro changes on stocks...

pjt33
« Reply #19 - Posted 2011-10-28 17:26:54 »

> If they think that obscuring the client is going to stop bots they are probably in for a bit of a shock.

They're not as stupid as you think. Six years ago they were pushing a reobfuscated client every week. Doesn't make it impossible to crack, but does mean that the person writing the crack really has to write an automatic crack writer.

> If your design requires that the client be secure, then your design is just wrong. No amount of protection can protect client code, in any language, on any platform.

Yes, but this is a fundamental problem of the genre, not something RS-specific.

philfrei
« Reply #20 - Posted 2011-10-28 17:47:15 »

> I know, but 72k people online vs 10 million active accounts sounds a little low, doesn't it?

Comparison (as of this post): JGO has 30,328 members.
We have 92 people present, of whom only 4 are members.
(How many of these are Bots!  persecutioncomplex Oh no!)

72,000 to 10,000,000 vs. 4 to 30,328 seems comparable to me. Even vs. 92 to 30,328.

"But this is a forum, not a game. Apples & Oranges." I guess. But I've spent a lot of time here, more than I have at RuneScape.

When I worked through the "free-loader" quests at RuneScape about a year ago, they would occasionally toss your avatar into some dungeon and force an answer to a simple puzzle, as a way to thin out the bots. It really was a weird thing, walking around seeing these folks chopping down trees for hours on end. I remember trying to strike up the occasional conversation and having no success...

I suppose I'm still on the member rolls. But it's been over a year since I last checked in.

"Greetings my friends! We are all interested in the future, for that is where you and I are going to spend the rest of our lives!" -- The Amazing Criswell

bienator
« Reply #21 - Posted 2011-10-28 20:00:32 »

> I'm thinking more about the problem at a right angle. Why should bots be disallowed from playing at all?* Perhaps that's how I'd like to play RuneScape - making bots for it. I think the concept of an open client is a very worthy design goal.
>
> Cas Smiley
>
> * Rights for AIs!

In an MMO it's a problematic topic. Botfarmers who sell lvl 80 chars etc. can destroy balancing/ingame mechanics.

E.g. Eve Online has a quite boring profession: mining.
A few people really like it since it's relaxing (nice graphics, almost no user interaction, you can do something else "half AFK", chat..). I would assume that most of the miners are bots (there are no official numbers), since it's an open sandbox mining gets basically worthless. You spend n hours for almost no ingame gain since you can't compete with bot armies. (-> botting kills an ingame activity in this example)

ruben01
« Reply #22 - Posted 2011-10-28 20:22:49 »

Bots would be a problem for almost any game

if your game has an economy, bots ruin it
if your game involves interaction with other players, it adds a lot of "players" that you can't interact with, and your players have to deal with them
if your game is PvP in nature, it ruins peoples games, maybe the bot can't beat the best players, but it sure as hell will ruin the noobs
if your game has highscores/achievements as one motivation for your players, then bots ruin it

Even with an onlive like system, you can make bots that scan the image, and send input

Ruben

princec
« Reply #23 - Posted 2011-10-28 20:54:05 »

If someone merely playing the game incessantly or well can ruin it then I think there's a fundamental design issue. Things like mining are only possible because of the fundamental flaw of infinite resources, for example. Grinding too - designed simply to play to the darker side of human psychology in order to cause addiction. Lots of things like this. Design a game fundamentally accounting for this sort of stuff and the whole thing is a non-issue.

Cas Smiley

Mads
« Reply #24 - Posted 2011-10-28 20:57:38 »

> If someone merely playing the game incessantly or well can ruin it then I think there's a fundamental design issue. Things like mining are only possible because of the fundamental flaw of infinite resources, for example. Grinding too - designed simply to play to the darker side of human psychology in order to cause addiction. Lots of things like this. Design a game fundamentally accounting for this sort of stuff and the whole thing is a non-issue.
>
> Cas Smiley

You're not going to have a playerbase for very long if there is not continuously stuff to do, though.

princec
« Reply #25 - Posted 2011-10-28 21:10:58 »

Therein lies the problem of a game which rewards you for simply spending time playing. Consider Minecraft - a Minecraft bot would actually be quite a cool thing (depending on what it did!).

Cas Smiley

ruben01
« Reply #26 - Posted 2011-10-28 21:51:08 »

In any game where there is a component of competition involved, or comparing skill, bots will be an issue
for almost any complexity of bot there will always be people who aren't as skilled as it at playing the game

chess, go, starcraft, diablo, wow, if someone wants to he will always be able to create a bot, that can either beat people in those games, or at least assist a human player to give him an unfair advantage (aimbot, etc).

That is not a problem of game design per se, just a problem of computers being better at some stuff than we are.

Even in the minecraft example, I am sure there are people who will find it fun to grief others, and a bot that does that would help them with it.

This is so much worse than piracy for example, a pirate you can ignore him (downloaded game is not a lost sale), attempt to use other ways to monetize your game (free to play, ads, etc), but with bots, if you are unlucky enough to be targeted by those, you can't ignore them, you really have to deal with them or find a way to keep them from ruining your other players time.

Rubén

JL235
« Reply #27 - Posted 2011-10-28 21:55:40 »

> If your design requires that the client be secure, then your design is just wrong. No amount of protection can protect client code, in any language, on any platform.

In terms of making the client 100% secure, I 100% agree. But being 99% secure will deter more hackers than being 10% secure. It also makes it easier to reduce the variety in bots and other attacks, due to the added complexity needed to build them. In turn, this helps to bunch all illegal players into one single target.

I've built simple bots for some small web games (as a proof of concept), and in all cases it's been because it only took me an afternoon to do it. I believe being able to do it is what motivates most bot writers to write their first bot, and if that takes weeks or months rather than hours or days, they will be far less likely to succeed.

theagentd
« Reply #28 - Posted 2011-10-29 03:07:19 »

The question of how they killed Reflection still hangs in the air...  Yawn

Myomyomyo.

Riven
« Reply #29 - Posted 2011-10-29 03:58:25 »

> The question of how they killed Reflection still hangs in the air...  Yawn

It was answered in the first reply.
