Jump to content
Search In
  • More options...
Find results that contain...
Find results in...
Buy OSRS Gold

Sell OSRS Gold
Sign in to follow this  
Guest

about charachter profiles (ABC2)

Recommended Posts

Guest

I've been wondering how tribot generates character profiles and if they are secure. Obviously devs can't go into detail about how they are generated specifically but i'd like to share a thought.

The character profile needs to be consistent throughout the accounts lifetime so it either needs to be stored on the client or it needs to be generated by seeding some random function with actual RS account data (such as the username). My concern is that if it's stored on the client and the client loses data then the bot will perform inconsistently with its history which could be a not so obvious flag. If it's randomly generated by seeding RS data then the bot will be consistent forever without having to store data on the client, but it would be incredibly easy to reverse engineer to predict how a bot would behave. The latter would make it incredibly easy for jagex to detect bots no matter how well ABC2 is implemented. Are these valid concerns?

Share this post


Link to post
Share on other sites
20 minutes ago, grand wizard said:

I've been wondering how tribot generates character profiles and if they are secure. Obviously devs can't go into detail about how they are generated specifically but i'd like to share a thought.

The character profile needs to be consistent throughout the accounts lifetime so it either needs to be stored on the client or it needs to be generated by seeding some random function with actual RS account data (such as the username). My concern is that if it's stored on the client and the client loses data then the bot will perform inconsistently with its history which could be a not so obvious flag. If it's randomly generated by seeding RS data then the bot will be consistent forever without having to store data on the client, but it would be incredibly easy to reverse engineer to predict how a bot would behave. The latter would make it incredibly easy for jagex to detect bots no matter how well ABC2 is implemented. Are these valid concerns?

If you know our RNG seed, then all you have are the numbers we generate. You still have no idea how they're used or in what order, so you can't possibly reverse engineer actual actions from them. The reason why the RNG seed is so dangerous to, say, gambling, is because games of chance generally have a very simple outcome as a direct result of the randomly generated number. This isn't the case, here. The numbers we generate are used to generate more numbers which are used to modify the actual random generators that determine the probability of actions. I don't even think it's possible for you to reverse engineer them. In fact, it would be very difficult even if you had our source code.

 

Also, the value in character-specific randomization is so that all of the bots behave differently from each other. I don't think there is any evidence that inconsistent play patterns on the same account results in increase chance of ban.

 

As a scripter, I constantly have to switch play patterns, in mere seconds. I have to test my script, run it, interrupt it with my input, as well as do it manually, sometimes all within the same day or session. I never get banned testing scripts unless it's a stress test (running for long periods). 

Edited by wastedbro

Share this post


Link to post
Share on other sites
30 minutes ago, grand wizard said:

If it's randomly generated by seeding RS data then the bot will be consistent forever without having to store data on the client, but it would be incredibly easy to reverse engineer

I am not entirely sure on how the ABC utility works internally as I don't have direct access to this information, but as far as I know, this would be nearly impossible.

And even if they could somehow do it, there is no point in wasting their time and resources on something so difficult, when the average script generates patterns that are so obviously and fundamentally in-human, that it's not even a matter of "if", but "when" the account is going to get banned.

 

Share this post


Link to post
Share on other sites
Guest
On 11/25/2018 at 11:11 AM, wastedbro said:

If you know our RNG seed, then all you have are the numbers we generate. You still have no idea how they're used or in what order, so you can't possibly reverse engineer actual actions from them. The reason why the RNG seed is so dangerous to, say, gambling, is because games of chance generally have a very simple outcome as a direct result of the randomly generated number. This isn't the case, here. The numbers we generate are used to generate more numbers which are used to modify the actual random generators that determine the probability of actions. I don't even think it's possible for you to reverse engineer them. In fact, it would be very difficult even if you had our source code.

 

Also, the value in character-specific randomization is so that all of the bots behave differently from each other. I don't think there is any evidence that inconsistent play patterns on the same account results in increase chance of ban.

 

As a scripter, I constantly have to switch play patterns, in mere seconds. I have to test my script, run it, interrupt it with my input, as well as do it manually, sometimes all within the same day or session. I never get banned testing scripts unless it's a stress test (running for long periods). 

for probability based things like timed actions I agree that reverse engineering is useless, but what about preferences? I'm no security expert but it seems like it wouldn't be very difficult to use the seed to find things like banking preference or camera movement preference. You could just slap the seed into the obfuscated source code and call those functions with almost no reverse engineering required. If those preferences can be predicted based on the seed alone, then it would raise a huge red flag.

This is all just speculation on my part, Just wanting to share my thoughts. Thanks for your response!

Share this post


Link to post
Share on other sites
5 minutes ago, grand wizard said:

for probability based things like timed actions I agree that reverse engineering is useless, but what about preferences? I'm no security expert but it seems like it wouldn't be very difficult to use the seed to find things like banking preference or camera movement preference. You could just slap the seed into the obfuscated source code and call those functions with almost no reverse engineering required. If those preferences can be predicted based on the seed alone, then it would raise a huge red flag.

This is all just speculation on my part, Just wanting to share my thoughts. Thanks for your response!

Assuming you figured that out, all you would get is "This account has X probability of using the bank booth over the banker NPC if it was using a bot"

Which, the only way to figure that out is take the seed, generate thousands of bank preference calculations, and use some basic stats to average them out to find the real probability.

 

That seems like a lot of work for very little info, plus it would involve using our API, which Jagex likely would never do. 

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Sign in to follow this  

  • Our picks

    • Hello everyone,

      Last week we tried to roll out Auth0 Login, but we lost that battle. Now it's time to win the war!

      Important changes

      When logging into the client, you'll now have to enter your Auth0 account credentials instead of your forums credentials

      Note: 2FA is still handled through your forums account (for the time being)



      Changes for existing users

      You'll have to link your Auth0 account to your forums account here: https://tribot.org/forums/settings/login/?service=11


      Auth0 accounts have been created for most existing users. Please use your forums email address and password to login.



      Important notes

      Make sure to verify your email address upon creating a new Auth0 account


      When we mention your Auth0 account, we mean your account used for auth.tribot.org as displayed below
      • 43 replies
    • To better support the upcoming changes (TRiBot X, new repository), we're switching our login handler to Auth0. Instead of logging in with the standard form, you'll now be required to login through our Auth0 application.

      All existing accounts which have been used within approximately the past year have been imported into Auth0 using the same email and password combination which has been stored on the forums.

      What does this mean for users?

      Your account credentials are now even more securely stored


      You'll be able to login via Facebook, Google, and others in the future


      Is there anything users have to do differently now?

      Existing users: You'll have to login with the standard login, open your Account Settings, then link your Auth0 account


      New users: You'll be redirected to our Auth0 app (auth.tribot.org) where you'll be able to create an account


      Why was this change made?

      The new apps we are creating (such as the new repository) aren't able to use the forums to handle user logins


      To centralize all user accounts in one area


      To ensure that the client login doesn't go down when the forums are having problems


      To speed up our development


      Other considerations

      There's no documentation or official support for using Invision Community combined with Auth0, so there are still a few kinks we're working out


      We're in the works of creating an account management panel specifically for Auth0 accounts (ETA August)


      It's not possible to change email addresses for the time being (this will be resolved this August)


      Changing passwords is a weird process for the time being. To change your password, you'll have to use the "Don't remember your password" tool on the Auth0 login page
        • Like
      • 10 replies
    • Over the past month, we've been working hard on TRiBot's new repository - a much needed update. This change has been deemed necessary for TRiBot X, and will allow us to really speed up development of all aspects of TRiBot.

      Today we are going to share what we've been working on!


      Now you must be wondering what kind of features the new repository will have.... well, you'll have to be patient for a little while longer. We're still figuring out various technical aspects so we can't provide answers to all possible questions. We're also focusing on development rather than writing about it so that everyone can get access to our latest developments at lightning speed. I will however answer a few users' questions.

      We're planning on a release of this early to mid August, giving users some goodies before TRiBot X's release.

      Thank you all for being patient. I hope everyone is excited as much as I am!
        • Like
      • 17 replies
    • Over the past few months, I’ve been working diligently on a new project - TRiBot X. Everything has been written from the ground up, with all of the best practices of software engineering. Every aspect of TRiBot has been re-imagined to support three main goals: flexibility, useability, and reliability.
        • Like
      • 50 replies
    • Come give us feedback on the next version of TRiBot!
        • Thanks
        • Like
      • 86 replies
  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...