raresecure (Expert Cheater)
Reputation: 0
Joined: 04 Oct 2008 Posts: 204
Posted: Fri Feb 06, 2009 5:51 pm Post subject: Tibia new anti cheat detection
The Game
http://www.tibia.com/news/?subtopic=latestnews
The problem
Quote: "Today, we have punished 4959 Tibia accounts for using unofficial software to play in the last couple of weeks. These accounts have been identified by an automatic tool with complete accuracy, therefore any complaints about these punishments are in vain. They are final and complaints will be ignored. We will neither reveal our criteria for these punishments, nor will we hand out any proofs."
More information
Hacking Tibia is a big business; over 90% of players on the game cheat. This new anti-cheat detection, however, has us all puzzled. There are two types of bots for Tibia: packet hooks or proxies. Now the proxy tool is the one I work on, because if an unrecognised packet is sent or received we can log it. No such logs have been found by any player who got banned, so we can count out a packet being sent.
Some people who got banned claim they had not used a cheat in the last 6 months but did have one installed.
This has everyone puzzled, so I thought: where better to post than CEF? I hope someone can find something in the .exe.
Some theories on how it works:
Quote from blackd:
THEORY 1:
So far I have some gold cases, like a person that was banished even though he had not cheated for the last 6 months. He only left Blackd Proxy installed. So what is that solid proof? Having a bot name in the list of your installed programs?
My guess is the Tibia client can obtain the list of your installed programs and send it to the Tibia servers, probably only on request, when a scan wave happens, maybe only once each month (because it causes big lag, kicks and deaths for everybody). If the Tibia client always sent that at start, then it would be too easy to catch that packet.
I would appreciate help from people who can read hex and know about the API that can obtain the list of installed programs. The call is probably somewhere in the code of the Tibia client. That would confirm my theory.
In that case the solution would be hiding the installed bot from the list of installed programs, or making an installer that registers every dll+ocx without adding anything to the list of installed programs.
A temporary solution would be uninstalling Blackd Proxy and unzipping the latest update zip in a random folder like C:\abcfsdopjh\
Blackd Proxy should still work, even if not "installed", and if my theory is true then it should save you the ban.
This is not proven yet and I will need a lot of help to catch their autodetection code. I will need to read a lot of comments from people who were banished.
---------
Progress: list of DLLs that Tibia uses...
Executable modules
Base Size Entry Name File version Path
00400000 003A4000 00556284 Tibia 8.40 C:\Archivos de programa\Tibia\Tibia.exe
58C30000 0009A000 58C334BA COMCTL32 5.82 (xpsp.08041 C:\WINDOWS\system32\COMCTL32.dll
5F120000 000CC000 5F12A322 OPENGL32 5.1.2600.5512 (x C:\WINDOWS\system32\OPENGL32.dll
5FEA0000 00021000 5FEA15D5 GLU32 5.1.2600.5512 (x C:\WINDOWS\system32\GLU32.dll
62E30000 00009000 62E32EAD LPK 5.1.2600.5512 (x C:\WINDOWS\system32\LPK.DLL
71A20000 00008000 71A21638 WS2HELP 5.1.2600.5512 (x C:\WINDOWS\system32\WS2HELP.dll
71A30000 00017000 71A31273 WS2_32 5.1.2600.5512 (x C:\WINDOWS\system32\WS2_32.dll
72F80000 00026000 72F854A5 WINSPOOL 5.1.2600.5512 (x C:\WINDOWS\system32\WINSPOOL.DRV
736E0000 0004B000 736E1431 DDRAW 5.03.2600.5512 ( C:\WINDOWS\system32\DDRAW.dll
73B40000 00006000 73B41089 DCIMAN32 5.1.2600.5512 (x C:\WINDOWS\system32\DCIMAN32.dll
74D20000 0006B000 74D3E409 USP10 1.0420.2600.5512 C:\WINDOWS\system32\USP10.dll
76340000 0001D000 763412C0 IMM32 5.1.2600.5512 (x C:\WINDOWS\system32\IMM32.DLL
76B00000 0002E000 76B02B61 WINMM 5.1.2600.5512 (x C:\WINDOWS\system32\WINMM.dll
770F0000 0008B000 770F1560 OLEAUT32 5.1.2600.5512 C:\WINDOWS\system32\OLEAUT32.dll
774B0000 0013D000 774CD0B9 ole32 5.1.2600.5512 (x C:\WINDOWS\system32\ole32.dll
77BE0000 00058000 77BEF2A1 msvcrt 7.0.2600.5512 (x C:\WINDOWS\system32\msvcrt.dll
77DA0000 000AC000 77DA70FB ADVAPI32 5.1.2600.5512 (x C:\WINDOWS\system32\ADVAPI32.dll
77E50000 00092000 77E5628F RPCRT4 5.1.2600.5512 (x C:\WINDOWS\system32\RPCRT4.dll
77EF0000 00049000 77EF6587 GDI32 5.1.2600.5698 (x C:\WINDOWS\system32\GDI32.dll
77F40000 00076000 77F451FB SHLWAPI 6.00.2900.5512 ( C:\WINDOWS\system32\SHLWAPI.dll
77FC0000 00011000 77FC2126 Secur32 5.1.2600.5512 (x C:\WINDOWS\system32\Secur32.dll
7C800000 00103000 7C80B63E kernel32 5.1.2600.5512 (x C:\WINDOWS\system32\kernel32.dll
7C910000 000B5000 7C922C28 ntdll 5.1.2600.5512 (x C:\WINDOWS\system32\ntdll.dll
7E390000 00091000 7E39B217 USER32 5.1.2600.5512 (x C:\WINDOWS\system32\USER32.dll
Now see what is needed to program something that reads your list of installed programs: advapi32.dll! Coincidence? I think not a simple coincidence. Why does Tibia need to access your registry? I don't think that is legal. I think that maybe CipSoft also cheats after all. And in that case, if my theory is true, then they cheat against real law, not game laws, and they can be sued for that after a serious investigation.
Note that their massive scans also require a lot of packet traffic, and that causes massive lag and kicks for servers. So consider them also responsible for the deaths of lots of players by the lag they generated: players that were mostly not cheating died because of their original way to detect cheaters.
' VB6 declarations of the Win32 registry API exported by advapi32.dll.
' The FILETIME type that RegEnumKeyEx fills with the key's last-write time
' was missing from the posted declares and is added here so they compile.
Private Type FILETIME
    dwLowDateTime As Long
    dwHighDateTime As Long
End Type
Private Declare Function RegQueryValueEx Lib "advapi32.dll" Alias "RegQueryValueExA" _
(ByVal hKey As Long, ByVal lpValueName As String, ByVal lpReserved As Long, _
lpType As Long, lpData As Any, lpcbData As Long) As Long
Private Declare Function RegOpenKeyEx Lib "advapi32.dll" Alias "RegOpenKeyExA" _
(ByVal hKey As Long, ByVal lpSubKey As String, ByVal ulOptions As Long, _
ByVal samDesired As Long, phkResult As Long) As Long
Private Declare Function RegCloseKey Lib "advapi32.dll" (ByVal hKey As Long) As Long
Private Declare Function RegEnumKeyEx Lib "advapi32.dll" Alias "RegEnumKeyExA" _
(ByVal hKey As Long, ByVal dwIndex As Long, ByVal lpName As String, lpcbName As Long, _
ByVal lpReserved As Long, ByVal lpClass As String, lpcbClass As Long, _
lpftLastWriteTime As FILETIME) As Long
Theory 1 fails because...
- Why would CipSoft risk their great business doing something illegal like obtaining your list of installed programs?
-----------
THEORY 2:
They search for the strings "blackd", "ng", "elfbot" in your chat logs (private or not). If a string is found more than 10 times in the log of the last 6 months, then that would be "enough" proof and you get an automatic ban. Searching over big logs for every player would take some minutes of CPU even for a powerful server. That makes sense considering the long lag that happened during the waves.
+ They started adding a unique id to private messages and storing them 6 months ago (that is when they started with this anti-cheat thing)
+ They also protected their back by writing this privacy page 6 months ago (that is when they started with this anti-cheat thing)
http://www.tibia.com/support/?subtopic=legaldocuments&page=privacy
"CipSoft collects, processes and uses stock and usage data, to the extent that is necessary in individual cases, if it is required to reveal and to stop fraudulent behaviour or any other form of using CipSoft's services which violates legal regulations or the service agreement. In particular, CipSoft reserves the right to log, process and use information such as the time and the content of conversations and expressions of opinion that take place in their online services if there are complaints, reports or other credible indications of behaviour that violates legal regulations or the service agreement, for example the serious insulting of other users. This regulation extends to all parts of CipSoft's online service, including, but not limited to, guild channels, private channels and private messages."
Solution: Never talk about your bot inside tibia! Use msn or ventrilo for 100% safe communication
Maybe you already wrote the word Blackd 2 or 3 times and it is "not enough proof yet" for their automatic function. Stop writing such forbidden words from now on and maybe you will be safe in the future!
Theory 2 fails because...
- Why were people who never talked about bots also punished?
THEORY 3:
According to this theory a scan wave happens in broadcast maybe once every 2 weeks. Maybe it can also be cast against specific targets by CMs whenever they want.
When a scan happens your client will secretly send all your chat windows to the CipSoft server, probably using the same game connection. This chat report will include all typical bot messages like "cavebot enabled", "welcome to blackd proxy", etc.
It is also possible that the client sends the Tibia title. All bots change the Tibia title nowadays.
Solution: avoid changing the Tibia title. You can unmark that option in cheats. Also clear your chat window immediately after the bot writes anything in your chats (even if they are bot system messages that nobody is supposed to read).
THEORY 4:
CipSoft checking waypoints? Wow!... that would be really smarter than what I can expect from their programmers. But who knows! Considering that some people were banned only for stairhopping ("cavebot script with 2 waypoints") ... let's say it is possible.
In that case, the most probable way they have to check waypoints is checking clicks on the minimap. Unfortunately all bots use clicks on the minimap, more or less.
Solution: At this moment try to use scripts with conditional paths taking one or another depending on random numbers - or don't use cavebot at all. In the future you will be able to set cavebot to move without minimap clicks (in a worse way, but also adding some randomization to the movement)
THEORY 5:
Did they buy a public anti-cheat tool in order to detect the most famous bot executables? Did they add something to the Tibia client code? Maybe! (They probably included that in the latest Christmas update.) In that case, botting with known bots is risky at this moment.
Solution: Update Blackd Proxy. It will be especially hard to detect Blackd Proxy 14.1+ since it removes itself from the installation list and gets a random name for its process. For paranoid people I will also recommend installing your bot in a weird folder with a random name like C:\f4gijbcvjlk\, just in case they search in the default installation paths of famous bots.
OTHER THEORY?
We are open to reading different theories and fighting against them as much as possible. The reports should come from trusted users (high post count and old registration date) or people with some kind of relation with CipSoft / CMs / GMs (you must try to give me proofs of that relation by email, obviously not here in public).
My email: [email protected]
--- end of quote from blackd ---
I know it's a lot to ask, but there are some good game hackers here who can hack GameGuard etc., so I'm sure finding this new anti-cheat detection in a crappy game like Tibia should be easy for some of you guys.
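As an added example (not code from this post, from CipSoft or from Blackd), here is the automatic rule Theory 2 describes, run over a constructed chat log: a per-account count of the listed indicator strings within a 6-month window, flagged when the count exceeds 10. The log format, account names and messages are made up for the demo; the whole_word switch is my addition and shows why a bare substring match on "ng" would flag an account whose messages never mention a bot, the kind of false positive the post's objection to Theory 2 points at.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicator strings exactly as the theory lists them; "ng" is kept on purpose
# to show what a bare substring match does to ordinary words like "going".
INDICATORS = ("blackd", "ng", "elfbot")
THRESHOLD = 10                    # flagged when hits exceed this ("more than 10 times")
WINDOW = timedelta(days=182)      # roughly "the log of the last 6 months"
SCAN_DATE = datetime(2009, 2, 6)  # date of the post, used as "now"

# Constructed sample log (not real Tibia data): "date time account: message".
SAMPLE_LOG = """\
2009-01-10 12:00:00 Alice: anyone selling a blackd proxy key?
2009-01-10 12:01:00 Alice: blackd blackd blackd blackd blackd blackd blackd blackd blackd blackd
2009-01-11 09:00:00 Bob: going hunting, bring rope and shovel
2009-01-11 09:02:00 Bob: anything interesting happening tonight? nothing, just farming
2009-01-11 09:03:00 Bob: bring the king a strong ring
2009-01-12 09:05:00 Bob: blackd is overrated, used it twice
2008-05-01 08:00:00 Carol: elfbot elfbot elfbot elfbot elfbot elfbot elfbot elfbot elfbot elfbot elfbot
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\w+): (.*)$")

def count_hits(log_text, now=SCAN_DATE, whole_word=True):
    """Per-account indicator hits inside the window.
    whole_word=False reproduces the raw substring search the theory describes."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip lines that are not chat records
        stamp = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        if now - stamp > WINDOW:
            continue                      # older than 6 months: not scanned
        account, msg = m.group(2), m.group(3).lower()
        for ind in INDICATORS:
            pat = rf"\b{re.escape(ind)}\b" if whole_word else re.escape(ind)
            hits[account] += len(re.findall(pat, msg))
    return dict(hits)

def flagged(log_text, now=SCAN_DATE, whole_word=True):
    """Accounts the automatic rule would ban: hits strictly above THRESHOLD."""
    counts = count_hits(log_text, now, whole_word)
    return sorted(a for a, n in counts.items() if n > THRESHOLD)

if __name__ == "__main__":
    print("whole-word:", flagged(SAMPLE_LOG))                    # ['Alice']
    print("substring :", flagged(SAMPLE_LOG, whole_word=False))  # ['Alice', 'Bob']
```

Carol's eleven mentions fall outside the window and never count; Bob is clean under whole-word matching but crosses the threshold on substring matching purely from words like "going" and "king".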