Player automation has always been a big concern in MMORPGs such as World of Warcraft and Runescape, and this kind of game-hacking is very different from traditional cheats in for example shooter games.
One weekend, I decided to take a look at the detection systems put in place by Jagex to prevent player automation in Runescape.
Botting
For the past months, an account named sch0u has been playing on world 67 around the clock doing mundane tasks such as killing mobs or harvesting resources. At first glance, this account looks just like any other player, but there is one key difference: it’s a bot.
I started this bot back in October with the goal of testing the limits of their bot detection system. I tried to find information online on how Jagex combats these botters, and only found videos of commercial bots bragging about how their mouse movement systems are indistinguishable from humans.
Therefore, the only thing I could deduce was that mouse movement matters, or does it?
Heuristics!
I started by analyzing the Runescape client to confirm this theory, and quickly noticed a global called hhk set shortly launch.
const auto module_handle = GetModuleHandleA(0);
hhk = SetWindowsHookExA(WH_MOUSE_LL, rs::mouse_hook_handler, module_handle, 0);
This installs a low level hook on the mouse by appending to the system-wide hook chain. This allows applications on Windows to intercept all mouse events, whether or not the events are related to your application. Low level hooks are frequently used by keyloggers, but have legitimate use cases such as heuristics like the aforementioned mouse hook.
The Runescape mouse handler is quite simple in its essence (the following pseudocode has been beautified by hand):
LRESULT __fastcall rs::mouse_hook_handler(int code, WPARAM wParam, LPARAM lParam)
{
if ( rs::client::singleton )
{
// Call the internal logging handler
rs::mouse_hook_handler_internal(rs::client::singleton->window_ctx, wParam, lParam);
}
// Pass the information to the next hook on the system
return CallNextHookEx(hhk, code, wParam, lParam);
}
void __fastcall rs::mouse_hook_handler_internal(rs::window_ctx *window_ctx, __int64 wparam, _DWORD *lparam)
{
// If the mouse event happens outside of the Runescape window, don't log it.
if (!window_ctx->event_inside_of_window(lparam))
{
return;
}
switch (wparam)
{
case WM_MOUSEMOVE:
rs::heuristics::log_movement(lparam);
break;
case WM_LBUTTONDOWN:
case WM_LBUTTONDBLCLK:
case WM_RBUTTONDOWN:
case WM_RBUTTONDBLCLK:
case WM_MBUTTONDOWN:
case WM_MBUTTONDBLCLK:
rs::heuristics::log_button(lparam);
break;
}
}
for bandwidth reasons, these rs::heuristics::log_* functions use simple algorithms to skip event data that resembles previous logged events.
This event data is later parsed by the function rs::heuristics::process, which is called every frame by the main render loop.
void __fastcall rs::heuristics::process(rs::heuristic_engine *heuristic_engine)
{
// Don't process any data if the player is not in a world
auto client = heuristic_engine->client;
if (client->state != STATE_IN_GAME)
{
return;
}
// Make sure the connection object is properly initialised
auto connection = client->network->connection;
if (!connection || connection->server->mode != SERVER_INITIALISED)
{
return;
}
// The following functions parse and pack the event data, and is later sent
// by a different component related to networking that has a queue system for
// packets.
// Process data gathered by internal handlers
rs::heuristics::process_source(&heuristic_engine->event_client_source);
// Process data gathered by the low level mouse hook
rs::heuristics::process_source(&heuristic_engine->event_hook_source);
}
Away from keyboard?
While reversing, I put effort into knowing the relevance of the function I am looking at, primarily by hooking or patching the function in question. You can usually deduce the relevance of a function by rendering it useless and observing the state of the software, and this methodology lead to an interesting observation.
By preventing the game from calling the function rs::heuristics::process, I didn’t immediately notice anything, but after exactly five minutes, I was logged out of the game. Apparently, Runescape decides if a player is inactive by solely looking at the heuristic data sent to the server by the client, even though you can play the game just fine. This raised a new question: If the server doesn’t think I am playing, does it think I am botting?.
This lead to spending a few days reverse engineering the networking layer of the game, which resulted in my ability to bot almost anything using only network packets.
To prove my theory, I botted twenty four hours a day, seven days a week, without ever moving my mouse. After doing this for thousands of hours, I can safely state that their bot detection either relies on the heuristic event data sent by the client, or is only run when the player is not “afk”. Any player that manages to play without moving their mouse should be banned immediately, thus making this oversight worth revisiting.