Building Bots for Java Games: A Beginner's Guide - Maxim G

um p d good morning uh thank you for coming to this talk and today we'll be discussing building Bots for Java Games a beginnner guide um before I start one common pattern you'll see throughout this talk is me tying it back to security somehow as this is a security conference at the end of the day um so moving forward here's the agenda for today's talk first we'll talk about the disclaimers we'll introduce the game that we'll writing the bot for um we'll talk about some of the techniques we'll be using and finally we'll get into building the bot so quick disclaimers um as we are writing Bots you know it can the legal territory is questionable so whatever

you learn here just do it at your own risk um and I don't do this for my day job so this is a pure hobby of mine so it's not affiliated with my employer in any way shape or form if my employer listening to this talk um so let's start off with the meme to kind of light in the mood so um some of you may have seen this uh meme it's how to draw an owl so step one just draw two circles and then step two draw the rest of the owl so the purpose of this meme is to kind of convey the challenges that speakers face when talking about you know such dense

topics as this you can break a lot of the topics in this talk out into their own sections that will be hours long though my goal is for this talk to be of all levels and while you may not understand what is happening on this the hood you will understand or sorry why you you may not understand why we're doing something in the hood you will understand what is

happening so let's introduce the game um so the game that we're going to be working with is RuneScape some of you may be familiar with this game if not I'll give a quick tldr so RuneScape was released in 2001 um it's been regularly updated to this point in fact 10 years ago it was split into two there's the more modern version which which has you know what you expect in modern games such as graphics and you know gameplay mechanics and there's the old school version um so RuneScape itself is point and click meaning that to interact with the game you basically point at the screen and you click what you want to do so for example if you want to interact

with the monster you click on the monster if you want to interact with the player you click on it this is a little bit different from your typical games where you use the WD keys to move while on RuneScape the only time you really use the keyboard is to move the camera or to speak with other people or I guess type to other people so the reason it's actually point and click is the history behind RuneScape is that it actually started off as a browser game and that's what gained so much popularity is because back then you could actually run it on low-end machines and have a fully fledged game in the browser you know

typically you have these browser games which are just like mini games but this is an actual full MMO in the browser and this is where it gained its reputation as being the game where people played at the library or people played it at school um the game itself is written in Java there's an asterisk because the old school version is written in Java while the newer version is obviously written in C++ and the game itself follows the client server architecture pattern meaning for every one server there's many clients and but the quick caveat is that we're actually not going to be writing a bot for the real RuneScape we're going to be writing a bot for what's known as

a RuneScape private server so let's talk about what RuneScape private servers are so rsps is an acronym for RuneScape private server and really what it is it's a version of RuneScape that's not ran by the official developers but rather individuals who basically reverse the game and were able to write their own version of the game um it typically features custom content and a different style of gameplay so that's what makes these games so alluring is that for example in RuneScape it was one of the first I think concepts of a premium game which means that you it's free to play but eventually you hit a pay wall and if you want to continue you have to buy

membership um the difference between RuneScape private servers though is that typically they would actually give you all the membership content and all the features for free the pay model was sorry the revenue model a little bit different in the sense that you could pay for um like custom items you know because people value exclusivity and as proven by nfts in the recent past you know people want to have one of one of everything um there were lots of different private servers like actually they've been dying recently but um in the past there have been thousands on the left you see some of the more popular private servers back in the day some of these are from like 2007 all the

way to now and um so RuneScape itself had I think around 100 had actually hundreds of thousands of players but the difference between RuneScape and RuneScape private servers is that private servers actually only had like around a thousand players but the games felt more populated because RuneScape would split these players across different worlds so you would have maybe 100 worlds with a thousand players on each of them while RuneScape private servers you would only have one world with a thousand players so you felt you know it was a little bit it was a lot more dense and last but not least there's different revisions AKA versions of RuneScape private servers so a revision is RuneScape a version of

RuneScape so for example maybe you like the version of RuneScape in 2007 maybe you like it in 2009 so that's what's known as revisions so moving forward so let's discuss some of the techniques we will be using today that will allow us to write the bot so first and foremost is reflection so reflection there's reflection is in other languages so for example a language may have its own variant of reflection so goang python Ruby has reflection as well um basically what it is is a technique allowing runtime inspection and manipulation of objects methods and Fields basically what this mean is that while the program is running you could get the value of whatever you want at

the current time and you can actually modify it reflection has a close cousin called introspection and I think introspection is what python has is basically while you're not able to modify the value you're able to actually see the value um you'll see reflection commonly used in Frameworks and libraries that deal with you know serialization testing and you know stuff along those lines um one limitation to know about reflection is that new logic cannot be introduced what that means is that I can't inject entirely New Logic into the client so I can only use what's there and this will come in handy later and last not but least sorry last but not least um reflection may cause some

performance overhead so really based on the number of values you're trying to access with reflection it the performance the more your trying to get the more it can be impact your performance and an extension of the last point is that anytime you use reflection to access the value of something you're only accessing the value at that current state and time you're only getting that state at the current time meaning if the value does change for example like a player's Health in the game constantly changes then you'll have to use reflection to retrieve it again so you're basically um having to keep constantly reusing it and reflection will be the technique that we actually we use to write the bot

today um so here's an example of reflection so in the first case you see that we're instantiating an instance of the runtime exact class and what this will allow you to do is just execute a method or sorry execute um execute a command and as shown in Rio's wonderful talk yesterday about hacking Cobalt um they if you took a close look Cobalt actually uses reflection to instantiate the objects um the in the arbitrary objects that he would pass using the object HTML tag so so let's talk about where you may see reflection in the real world so if you've ever had a deal with deral um leveraging deserialization in Java you may have most likely used the tool

called wio serial if you're not familiar with wio serial is basically a tool that you can use to generate der serialization payloads that when evaluated by the Target will result in active exploitation so um here's a gadget for Commons collections 5 so common collections is a popular set of Library published by the Apache Foundation that just adds like utility and helper methods to Java and so the one thing you should note about here is that on line six sorry we're instantiating um an instance of the bad attribute value exception class and then on line seven we're getting the declared Field Val you can see there and then finally we're setting a value using it so you may be wondering why are we using

reflection to do this right it's a little bit of an Overkill it seems like well if we take a closer look at the actual class definition of bad attribute value exception you'll see on line 11 that the um the value actually has the private modifier meaning if you're familiar with object-oriented programming it means you're not able to access this value directly and this value can only um outside of this class so the value can only be accessed inside the class unless there's mutator method like Getters and seters but that's out of scope for this talk um a second technique we'll be using um that you will commonly come across is called instrumentation um so what

instrumentation really allows you to do is add new logic to whatever you're instrumenting and like I mentioned earlier one of the limitations of reflection is that you're only able to reuse existing logic while here you're actually just able to add any arbitrary logic you want into the application um so instrumentation is commonly used for monitoring tracing and profiling so for example if you want to you know Trace um sorry like trace the metrics of your app how long does you know a specific method run for example you will be using instrumentation for this um it's you'll commonly come across this as called injection because you are injecting code essentially and one of the most popular

forms of instrumentation are actually Java agents which itself is another topic that can uh have its own talk and basically what you just need to know is that you're able to attach a Java agent to an existing Java program and it's able to inject into that program and in our case the most common use case to use instrumentation is to inject mutators such as the getter and Setter method so for example if the class has a field that's only private we can um inject a a getter method that can now return that object and one last thing to leave off about in uh instrumentation is that it's typically faster than reflection and that's because when you are injecting

getter and Setters you're able now you're directly you have direct access to the fields rather than using reflection to get them and um so today we actually won't be demonstrating reflection um or sorry we won't be using injection to write the bot due to time constraints so let's examine a real world um example of instrumentation so hopefully everyone can see this so

oops so basically here's a basic Java program all it does is print hello besides Pisa to standard out and let's see the code it's or let's see it run so here we are compiling it and we're running it so right like I said it's going to just print B sides Pisa and I ran it twice just to show you there's nothing happening under the hood so now let's look at the agent that we're going to use so the first thing you should examine the only thing we're going to use with this agent is we're going to connect to the main method and then what we're going to do is insert the last line goodbye Pristina 2023 and we

preened this agent tag to it just so you can for visibility just so you can see that this is the agent that's actually doing it so um and then obviously we um then it manipulates The Bu code and all that stuff so let's run it um so actually now I show the original code again so this is the main method that we're going to be instrumenting and we're just going to insert that uh system. out. print line goodbye besides P so let's do this um so here's how we run the Java agent we passed an argument called Java agent and we uh point it to our agent and as soon as it executes you now see it

insert goodbye bid P 2023 and I think I'm going to run the pro the original Pro oh no that's it so that's an example use case of using a Java agent um so let's get into building the bot so what is the client itself so the client is a picture of it you see to the left and it's essentially a graphical user interface that the player interacts with in order to play the game so if you think about it in a way the client constraints what the player's able to do and what they're not able to do and what I mean by this is that for example if the player doesn't have an item in their

inventory they're not able to equip that item or if the player is not able you know the view distance of what they're able to see if something's happening far off they're not able to see that because they're only able to play the game the way that the client wants them to play the game and because of this the client can be thought as an intermediary basically a middleman between the player and the game so let's talk about oops I didn't realize it was not in full

screen so let's talk about maybe let me provide an analogy that maybe a lot of people some people may understand is that essentially the browser like your web browser is a client and the website that you're interacting with can be considered the server so in the same sense um the browser comes um with the engine which is able to render JavaScript and because of that you're now able to have client side code and what's happening is for example there are cases where the client s side is able to control what how the user is able to interact with the website so in this example this is a simple HTML form and basically it has one input field and what it does is

before the player or sorry before the user submits the form it'll check if the input field has a single quote and basically what this is is the ultimate SQL injection protection right who needs sanitization or prepared statements when you can do something like this because if we're talking in the sense where the client has full control that means the player like in rcap they're not able to directly interface with the server they have to go through the client but just like many of you may know that in so here's an example like where I type in test with a single quote and it tells me single quote are not allowed so would this protect against SQL injection no

and that's because what you're able to do is maybe use a lower level like curl for example which doesn't support JavaScript to send data directly to the server or if you really wanted to you could just uh send raw HTTP requests you can get really really low on how you get around this and we're actually going to be using this to be able to interface with the client or sorry interface with the server and just like with any other client server communication that exchanges user input always trust verify the data so let's talk about how the actual Runescape or RuneScape private server client Works under the hood so the game itself is a Java applet which is bound

to a jframe a jframe and the jframe itself is a container which contains all the interface components of the game so you like your health for example it draws the Sprites in it and so here is an ex and last but not least um ja the jframe is also able to receive events such as like Mouse clicks or keyboard input and so here's an example of how it may work under the hood at a very simplified level So within the client I want to equip an item so in this case the Santa hat and what happens is that a listener is invoked when I click it which then processes the action it checks hey what action do you want to

process each action has a code associated with it an integer so in this case it's going to be equip item and then it's going to run a series of checks first it's going to say okay if you want to equip item we'll remove your item from the inventory and then we'll update your the player's appearance to show the equipped item what's actually happening is before these checks are ran the client sends a packet to the server and this is how the packet structure looks like so the first value here is the op code so op code 41 means equip item the second value is the item ID so what item do you want to equip so in

this case the item id you may see it here it says 1050 right there and then the last two values are not important it's just basically the interface ID you can ignore them and what happens is the server receives that packet it then says okay the player wants to equip the item cool so then we're going to perform some checks does the player have an item in the inventory um Can the player wear the item like you know maybe there's some stats associated with item that the player may need like requirements and if so okay cool let's um send the packet back to the client telling everything is okay and now we'll um update every other

player to show that you've equipped the

item so let's talk about some of the layers that we'll be writing a bot for so we'll be writing a a bot for each of these layers today okay so you may have heard the terms if you're familiar with game hacking uh you may have term heard the terms of external and internal in the context of C++ game hacking it's not the same here as in like using right process memory or read process memory for external or injecting a dll for internal but rather what external is is we'll we'll explore each of these Avenues but just understand that we'll be working on three layers so let's actually start with the last layer which is um the packet AK the network layer so

this spot will be known as a headless spot so let's kind of talk about what that means so a headless spot doesn't have a graphical user interface um and because of that it's able to run on machines that are lacking desktop environments and T typically these machines are like um auntu servers you know Windows servers and due to having no desktop enironment and no graphical user interface this will actually conserve resources even if it's a 1% performance Improvement you have to remember that majority of people who write Bots are typically using it to make like money and they're known as gold Farmers so and that means are running like maybe thousands if not tens of thousands of bots so if you

extrapolate a 1% performance increase across you know several thousands of bots it can actually make a big impact the one thing about writing headless Bots or network is that you need to have extensive knowledge about how the client operates under the hood so for example if the server sends you a packet of 41 do you know what that means and you really need to understand what's going on and one of the Beauties though is that you can write this in other languages so it's interoperable since you're working at such a low level like you're working literally with bytes at this point you can write it in any language you want and to prove this let's um actually before that here's how

you would originally log in using the client or the graphical universe so notice that first you click there then you type in your username and your password and then you click login so this can be considered very manual and tedious if you're trying to run thousands and thousands of bots and and the reason for this is first and foremost is that copy and paste is disabled so you're not just able to copy username and password and you have to click twice as you've seen and one of the other things that we'll talk about is that the client in this case like I said it has constraints and you're not able to use special characters apart

from alpha numeric which are forbidden and this will become important in um the next

slide so let's see what's happening so we just saw the login happen this is what's actually happening under the hood so in red are the packets that the client sends and in blue are what the server sends so you see that the client sends um I think in4 0x0e um basically telling the client it's like a magic buy to start the handshake and then the server sends back um a sequence of bytes and this is the server key and then finally the client sends back a large uh buffer and finally the server sends back a response and one thing you should notice about this um large buffer you may not see it yeah the big uh buffer right here is that there

is no um you don't see my PL Tex username or my PL Tex password so my username was maximum my password is maximum you don't see that here and that means that something some form of encoding is happening under the hood so that can either be compression can be encryption could be both could be something entirely else um in a lot of cases um for games like this login handshake is already documented by people who've already reversed it and if not um just take a look at yourself as what's happening in the code so we'll see the code here on the left don't worry if you can't read it it's not supposed to be read um but rather what's

happening is that um the TC TCP is used as the transport mechanism to send data between the client and server um Isaac is actually the cipher used for encryption and if you don't know what um Isaac is sorry

so sorry as I was saying Isaac is used the encryption Cipher and the way it works is that the cipher is seated with a combination of random values generated by the client and it's concatenated with this uh server key that's sent back by the server in the original handshake and then the seed and the credentials so my username and password are exchanged using RSA and then um between the client and server but as I mentioned Isaac is used the encryption Cipher so where does RSA come in so stream ciphers such as Isaac are typically way quicker than something like RSA which is compute heavy especially if you're having high data throughput so if this handshake

looks familiar it should because this is actually how TLS Works under the hood so the way TLS works is essentially once the client so the client will use RSA to send the Ser um and encrypt uh random value using the server's public key it send that value to the server the server will then decrypt that value and then finally it will um then they will switch to another um encryption algorithm that's a stream Cipher most likely AAS and then they'll be able to encrypt uh and send data back and forth to each other so like I mentioned um we're able now to basically write this login handshake in any language and something that can come out of this is actually a

login brute forcer for example so that's one of the security imp P so here I'll play um the video so basically what I did is I reimplemented the logic and goink and so you can see here basically I'm just quickly scrolling through the code and again it's you're not really meant to read and understand the code basically what it shows is sends a login request one of the most important things that I'll highlight here is showing um using the server seats so one of the things that I know is that the server in particular did was that it never verified that the the server seed you sent it is the one that it sent you it's

not really security impact it was just kind of interesting it makes it way easier to uh write this so essentially what this is happening is now it's going to try a username and passwords and try to reforce accounts and one thing is look in the bottom left corner and the reason I say this is because if it's login is successful you'll see it say player has logged in so let's try so it's attempting to use the credentials Sparkle 7 Sparkle gem 79 with the password maximum and if you look in the bottom left it says a player has logged in and therefore you know we know it's valid credentials and it keeps going through until it eventually finds

it exhausts the word list cool another thing you could write with this is a server is a server flooder so essentially you can um you know flood the server with a bunch of uh arbitrary logins and fill up the queue and prevent legitimate uh players from logging in and as I mentioned earlier you're now able to send the server unexpected data so for example the client didn't allow you to use Alpha numerical characters in your name well using this way we're able to send the server whatever you want and what if during the login um process there's a bunch of SQL transactions happening under the hood well if there is no you know form of SQL injection protection

implemented you're now able to you know potentially leverage something like SQL injection um or another use case is for example now what if you send the server unexpected data that it doesn't know how to deal with this can result in a layer s denial of service essentially crashing the server um sorry I didn't looks like every time I go into full screen cool um let's move on to internal Bots um so internal Bots are really achieved using reflection injection and a combination of both which is why I showed you um a quick tldr of each in the earlier slides um the cool thing about internal Bots it saves you a lot of time because you're able to reuse

existing code like I mentioned earlier like with uh a packet bot or like one that works at the network layer you really need to know what's happening between the client and server well in this case you're just able to reuse existing code and see what's happening and typically this using um this is the most popular form of Bot ridden for Java Games because of the reasons

above so let's talk about what the client. Java is so a lot of RuneScape Rivers follow very similar boiler plate um and and the reason for that is because the majority of people who write these servers their whole intention is to my Apes their whole intention is not to really because the game itself works well so really what they're trying to do is add custom content so they're not really trying to change anything under the hood so you'll find the majority of servers will follow the same boiler plate and the client D Java itself is you can think of it as a centralized component that works as a controller and what you'll see to the left here is a

bunch of um values declared that hold references to objects of Interest especially if you're writing a bot so to the instance of your local player um NPCs other player instances as well as like The Current player's location and so on and the client class itself inherits from the game applet class which you can see right here on the first line extends game applet which in turn inherits from the applet class so the client is able to be cast as an applet and if you're not really um familiar with I just said don't worry about it it doesn't make a big difference until you you start writing the bot so let me show you how we'll use

reflection to um write this bot so first and foremost we have to discover how the real client is scaffolded and what that means is how it's built so in red you'll see here it says original client which means this is the code from the original client so first and foremost we need to find the main method which is invoked whenever a Java program is started so we see what happens and for context this main method actually lives in client. Java which is why I mentioned it's such an vital aspect of this whole um process so you'll see the uh first things that happen is that we assign a value of 10 or sorry we uh initialize the node ID

field as a value of 10 Port offs at zero this none of it's important and you know essentially you see a call um well it's important if you're writing the bot it's not important in this case um it calls a method and then you know it further goes on and finally in instantiates a new instance of the client and then lastly it invokes the create client frame method passing in the frame width and frame height on the instance and the reason this is important is because we'll need to replicate this process using reflection so let me show you how that would look using reflection so this is our reflected client as denoted by the green text here so first

we get an in uh we get the client class from the class loader we then grab the Constructor from this class and the Constructor is the method that's executed when you instantiate a new object in Java and what we do is we instantiate the applet whenever you use reflection to instantiate an object or get a value it'll always return the object of type of type object which is a generic uh object in Java in which every um object I keep saying object I'm sorry um inherits from and we then cast it as an applet because if we never casted it it would just treat it as an object and we wouldn't be able to have all the

methods that the typical applet would have and lastly like I shown you earlier you can see the node ID set to 10 here well this is how we would do it in reflection we use reflection to get the node ID declared field we set it accessible to True um if it's private I don't remember if it's private in this case it doesn't make a difference if it is and you just call it and then finally we set the value you see 10 and the first argument we pass in is actually the class itself and then um we do the same thing with the port and so on so you can if you look back and forth it's

basically we're doing everything the same up to here this part so now let's examine how this part Works line 10 and 11 so um line 10 calls crate Cline frame and the crate client frame method lives in the game applet class and the game applet extends to applet like I mentioned earlier so it inherits from applet and you see it implements a bunch of interfaces such as like Mouse motion listener uh Mouse wheel listener and this is what allows you this is what allows it to receive events so if you click something in the game you're invoking the mouse listener for example or if you move your mouse you're invoking the mouse motion listener so

that's why it does it so let's see to create client Frame Works so again it does similar stuff it assigns a bunch of values or initializes a bunch of values but once one important thing what it does is it instantiates a new game frame and let's look at this game frame class um so the game frame extends inherits from the uh frame so this is itself a jframe an extension of a jframe and first thing it does is initializes the applet it then sets the title of the frame of whatever is defined in the configuration file it sets the resizable it sets whether it could be full screen and then finally it set visible is true

so you can actually see the frame so now let's see how we would do this in reflection so what we need to do is use reflection to get the create client frame method um and then what we do is we invoke it on the applet that we instantiated earlier and one of the interesting things what we could do is now that we can access the game frame field from the client and what we do here is you see we use reflection to grab an instance of it and we set the title of the frame to besides 2023 demo reflection client

and exactly uh so that means that uh this bot will be shown as an update or it will still be run at the console so you you can run on a syst with no uh guey interface now so um that's a good question and I should have mentioned this is so this will actually in invoke the guey so what we do is we take over the guey and now we have full control over the guey so this is you playing with the goey and when I mean internal basically it means you can access the internal code that the client encapsulates so if the client has like a method you want to call you're now able

to do that because before when you click the GUI it locks you out like the guy runs and you can just only you know play with it as a game now we have full control control of it okay okay thanks thank you for the question so like I said we set the title and if this is successful now you see the client load and now it has bsize 2023 demo reflection client as the title so with the applet now under air control we can now achieve the following things so first and foremost one of the most important things for a bot is that we can read and modify values that will influence gameplay and when I mean

influence gameplay for example now we can read our health you know if our health is lower than a specific threshold we set we can now you know eat food or drink a potion whatever the case may be if we're fighting a monster now we can see hey we're fighting a monster what's the monster's you know Health level and stuff like that we're able to call existing logic defin in the code so there's several helpers spread throughout this Pro um throughout the code base such as like the send packet method which basically does exactly the same as our internal bot does but at a higher level so now instead of having to send raw bites we can now call a helper

with some predefined op codes that will be able to you know achieve the same thing and this is what I mentioned by using the code in the earlier slide um finally we can simulate interaction in the client such as sending Mouse events to mimic clicking or key events to mimic keyboard inputs and this is important for a bot because at this stage you have two ways to use the Bots you can still be sending packets throughout using the send packet method or you can be actually using Mouse events in Java to simulate clicks and whichever you use is up to you um both of them may invoke some anti-che but again that's there's no anti- in

this um server so so let me show you some of the things we could do reflection so here's a funny quote uh dance is a hidden language of the soul and so what you'll see here is my client and my C player and you'll see that here are some non-playable characters like NPCs and on the left here is a jell and what that basically means is you can think of it as like a reppel or an idol like Python's Idol where or Ruby's IRB um we're basically able to execute code in the context of this and the way you get the jshell to work and this is not in scope for the talk is basically jell is launched into

its own isolated process so you have to share the class loader and again if you're not really too sure what that means don't focus on it you can always look it up later um in the bottom left here's the code that we're going to be executing so first we get the NPC's field which is defined in the client and you see that it's private and means it has the private modifier so then we call set accessible true on it cool and finally we get the actual NPCs themselves which returns an array of NPCs so you see a bunch of them are null because the array is a predefined size but some of you see some instances right

here because these are these guys instances finally we'll iterate through each NPC and we'll set an animation and now you can we can make them all dance so we have like full control of the client um take a sip of water

so let me show you excuse me let me show you something else we can do so another quote the only way to do the impossible is to believe it's impossible so my case I want to run through walls in the game but the game doesn't allow me to run through walls so anytime I click you see it automatically passs me the like across the wall and what we could do is what we do very similar what we just did in the last slide or is we grab the Collision Maps we set them to accessible because you can see that they're private or sorry we grabb the field and now we actually grab the actual Collision map

so you can see it's an array of initialized with the Collision maps and we'll iterate through each Collision map and we'll basically set it through zero so now I'm able to no clip through walls and if the server didn't have any um logic that will validate your location you would essentially be able to no clip anywhere and um here I show that I'm able to noclip in an area that's in the bank that's never accessible to players so those are some things we could do with reflection so reflect it's essentially a bot and a cheat client like if you're familiar with the term cheat client tread on the same line there's a very very minim minimal

difference between what you could do with a bot and a cheat client as shown here so this no clip for example would be something you would find in a cheat

client okay cool let's move forward to external bots so external Bots um so so external Bots are essentially you may have heard the term pixel or color Bots um really what it does it just reads data using pixels on the screen so what this means is basically what you see is what you get so what you see as a player is the same thing the bot would see so for example you could see um there's this interesting blog post about someone writing u a bot using OCR libraries and um other image detection such as like tesser and stuff like that and what they were able to do is highlight like the Rocks so again this is fully external

you're not injecting or manipulating the in any way this is running in a completely separate process um so it's common to find library so most like you'll most likely find these Bots written in Python because it has support for these kinds of libraries um like I said test open CV and Etc um there's other software like Auto hotkey you may have heard of that you know you can have uh scripts written that will detect a pixel on the screen um Simba which is a actually was built for RuneScape so here's what is actually happening under the hood with an external bot we take a screenshot of a section of the screen we pre pre-process the image we detect use

OCR to detect what's happening on and then we take an action so like for example if we're using health you know in the action is our health is low we need to eat food we'll probably have another um script running that's able to locate the location of the food on the screen and then send a click and then it just Loops itself so let's take a look at what's happening um so what I'm doing here is you may not see it but my prayer level is right here and this is in the game prayer is just used as Buffs you can consider and um what you see here is I'm using a color bot that's basically or a bot that's

basically extracting the values of my prayer and printing it on the screen and you'll see that it's really not that reliable so like it prints q1 or prints something like 539 or one and again my colorb is very very brittle it's very rudimentary um usually you would use like you know Implement pre-processing and all this stuff to make it like I'm saying is that it's not as robust as in internal Bots but some people make them really really well but to me I find it a lot more hard so another uh something I just missed is that if I close this interface for example which you'll see me do right here uh just missed it again

sorry there's a so basically what it does is that it reads this value so if this interface is closed it's not going to be able to read the value anymore and I think I show an example of here so there we go I closed the interface and you could see that it you know it's not able to find the value so that's why these Bots can be considered brittle these Bots can easily be broken so for example someone once wrote a mining bot that would find the rock would be a specific color and it would just click on the Rock whenever we would find the color what another player found was that he found another item in the game that

was the same color so they went around and dropping that item so what happened was the players bought just started clicking that item and completely broke and made it obvious they were Bing um

so last but not least I'd like to leave off with the slide so one essential fact that I didn't show you is that in the real world the client's going to be obfuscated and what that means is that the Java code basically in layman's terms it's going to be scrambled it's going to be hard to read and that's done on purpose to prevent you know people like ourselves from writing the bot and what and if you're interested in this talk and want to actually see how you can you know write a bot for an off fiscated client um there will be a blog post on my blog hopefully by uh tomorrow that will actually detail the process so basically

we'll leave off from where we ended here and then use um some de alisation techniques to write the bot and last but not least here are some cool references you can look at if you um are interested in this kind of stuff and yeah that's pretty much it thank you Max thanks so much that was so great I'm not a gamer but now I know how cheating is done I'm kidding do we have any question for Max there you go I ask in private but you know just for the sake of others um so you mentioned that when you instrument the client you can walk through walls and uh if I understand it correctly that all

happens uh in the client um did you see any so there's obviously going to be communication between the client and the server for some stuff like where's that limitation where you talk to the server and and I assume the server also has protections against some things like where is that line did you find it and what kind of what can you do when that when that happens thank you thank you for the question um so good question so um so when I showed everyone dancing here for example this is only shown on your client you're not going to see like other players are not going to everybody dancing so this is completely client side um this though when you're walking

when you're making any movement in the game it's actually sending packets to the server telling it's your location so the way you would Implement an anti-che on the server this is you would have have a list of locations that you can Pro potentially say hey the player cannot be here and if the player is going there then you know something's happening under the hood that should not be happening and so anytime I walk in the game anytime you click or you walk anywhere it actually sends the location of your XY and your Z coordinates and z the plane to the server um yeah so lastly I just want to thank my colleagues for coming out and

watching my talk thank you spend and thank you Max