How Jagex Detect Bots

[Kerby Reynolds]

Playerautomation has always been a big concern in MMORPGs such as World of Warcraft and Runescape, and this kind of game-hacking is very different from traditional cheats in for example shooter games.

I started this bot back in October with the goal of testing the limits of their bot detection system. I tried to find information online on how Jagex combats these botters, and only found videos of commercial bots bragging about how their mouse movement systems are indistinguishable from humans.

This installs a low level hook on the mouse by appending to the system-wide hook chain. This allows applications on Windows to intercept all mouse events, whether or not the events are related to your application. Low level hooks are frequently used by keyloggers, but have legitimate use cases such as heuristics like the aforementioned mouse hook.

While reversing, I put effort into knowing the relevance of the function I am looking at, primarily by hooking or patching the function in question. You can usually deduce the relevance of a function by rendering it useless and observing the state of the software, and this methodology lead to an interesting observation.

I believe Jagex use a system which filters out the normal players from the abnormal players, after they filter out the abnormal players they then inspect manually or watch for irregular jerky/repeated mouse movements, they have also been caught switching the bot to another world and teleporting to lumbridge right before banning them (because the bot would break being teleported to lumbridge), I believe they also do things like switch round object IDs to see if the bot clicks the wrong object (dreambot developer wouldn't know if they do this, because Jagex might only try this after they suspect botting for longer than X hours - to hide the method).

I believe they filter out players by calculating their average XP/GP gains, their total playtime, their total level, how long they spend playing on average (is there a sudden increase, such as 3 hours average every day to suddenly 9 hours every day).

Also to add to further proof, there are reports from people saying they were banned but were not botting, they report that they were doing something repeatedly for hours on end, like on mobile just tapping a cannon for 6 hours straight (real post that I read)

I'm fairly certain everything id related is in the cache, so they'd have to be live updating the cache (but tbh I could be wrong on this, it's not something I've paid a ton of attention to)

From my experience, a lot of the "false ban" reports are not false.

Yes. They filter players that have abnormal characteristics. Above average playtime/day, above average clicks/unit of time ...etc. They also compare your player profile with known bot profiles from their database. If overall you deviate too much from a normal player you will get banned. The reason the system works so well is because they don't ban with knowing for sure that you're a bot. In the past they banned players that played very efficient like Autumn Elegy who used to do streams of 24hours and used AHK and played overall very efficient.

Secondly, I really think you should maybe do some tests and have a script watch the cache for changes or something, it would explain why a bot which hasn't been programmed to interact with an NPC will accidentally click that NPC, or walk to a wrong tile, depsite it not being programmed in with that ID or tile coordinates... or a delay in the interface loading which causes the bot to repeat itself until the interface disappears (I.E. tanning leather, click tan all and the interface stays for 1.5 seconds causing the bot to try and tan all again).

Live updating cache seems to me like the perfect way to catch a bot... and you got to think as well, if Jagex knew that by instantly updating the cache rather than waiting 2 or 3 hours before doing it then the bot developers would learn this and instantly find a solution, so they would hide the method... Please check the cache and let me know if you find anything, I would feel great knowing that I helped defeat one of Jagex's bot detection methods.

Dreambots model being paying once for a script and unlimited instances, literally makes this bot live up to its name, I was over the moon when I learned I only had to pay once for a script to use on multiple accounts and run as many as I please... I Dreambot.

Guess someone could've, but im pretty sure the "algorithm" changes constantly. Also, if not mentioned: a thing to take into consideration is how much money is put in to the account. I've been botting for almost a decade on my main account, which has had a constant membership and that i've bought a few bonds too. I think they turn a blind eye on recurring profitable players who are botting for their own gain, not ruining the economy by massfarming.

My understanding is that they can tell if you are using a modified client, like OSBuddy for example. It may be something to make them look at you more closely, but doesn't necessarily mean that you are botting.

I'm not too sure about the regular client, but I use mirror mode and I haven't been banned. I assume detection is based upon what you're botting, and if your account is suspicious (level 3, no quests, commonly botted skill/area).

This is all just speculation, but I personally don't think it has anything to do with OSBot specifically. To your 2nd point, I will have to agree with what was said above. If they could detect OSBot (or any other botting client) they would just ban you immediately. There would be no point to waiting to ban people.

Think about it if they waited, they would effectively just be trolling developers because they could solve their problem immediately by banning people right away. While I believe Jagex sucks, I don't think they would troll that hard lol.

Yes they can detect most bot clients and identify them specifically. But if injected in the right way, it becomes way harder to detect at the client level. The Mirror Client mode on OSBot does that and proves that many bans are based on client detection for the biggest part, seeing as how much lower the banning rates are on the Mirror mode. The standard mode on OSBot is similar to the injection methods most other bots use and comes with a higher ban rate.

@ person above me: They gather information for their machine learning systems. Just logging in a bot client won't get you banned as their detection system is not solely based on client detection, but probably also on gains (xp, wealth etc) and behavioural patterns learned by their machine learning systems. It may get you banned though by just logging in alone.

Like I already said, I think the mirror client proves the point. Besides that, they have publicly admitted they can identify most main stream bigger bots specifically. As a developer I know why and how they do it.

I don't think they can detect the client. I feel the game is to light weight to have something on your computer that can tell when you're using any type of client. WoW for example can detect if you have cheat engine open, and it will not let you log on with it open. If they could detect the client, you'd most likely be insta-banned from logging in if they could detect it.

The Mirror Client uses injection but done completely different than what the botting scene has seen so far. Let's just say it does a way better job at hiding its presence. In fact, the injection can't be seen with their current client.

As I said "Most people know". IMO people can choose to believe what they want about Jagex's system, they're likely just as wrong as the next guy. My OP was to emphasize that flagging people based on time zone and time of day is not very critical thinking, doesn't even make sense. To each their own though. ?

So if you're saying that a repetitive movement 5,000 times will throw off a flag, then we are basically just saying the same thing in different words. That would be a flag that would lead to monitoring. There is also a bot detector on runelite that has 50k downloads which autoflags, so players are obviously a tool as well.

Simply read jagex's privacy policy. They have the legal right to get your computers hardware specs, including MAC address which is a unique address to your specific device. Unless you are changing this either with a high end proxy (each proxy will have its own unique MAC address or manually changing it within CMD, jagex will know its the same device. If this device's MAC address is already flagged, its pretty easy to be banned even with changing IP/proxy IP). The timezone DOES matter. They have lots of data on the average players playtime vs specific timezone. If you are constantly playing at irregular times than the average player, its a flag (not a big one, as people do shift work, but a small flag nonetheless).

If you are botting just a single account. Just reset your IP/MAC address in CMD, takes like 30seconds and it'll keep it a safe residential one that has less chance of being banned.

Like Defiled mentioned, the ISP/proxy server address may already be flagged which is a pretty easy way to catch other accounts. Thankfully Brazil has a location based legal right and Jagex abides by it (just read the privacy policy). IMO spoofing Brazil has resulted in less bans than most countries.

Jagex is also able to read the time of your computer, meaning that if you're spoofing a timezone that your computers time isn't set to, they can detect you're not actually there, even if its a residential proxy. I know this as until I modified my computers time to the same as the VPN location, I wasn't able to create an account on their website (for a few proxy IP's, not all).

They aren't doing anything that they don't claim in their privacy policy or they face being sued, and tbh they give away lots of information on how to avoid being detected within it too.

Once you have beaten all of their hardware / software checks, it really just comes down to how long you bot for / the quality of the script, like many have said above.

3a8082e126