Bots, Memory Editors, Macros, Triggers, and Duping

DMCA can be a very powerful tool to takedown and fight IP circumvention tools.

But you need a copyright for the Digital Millennium Copyright Act to work.

Jagex, the makers of the Runescape MMO, have been engaged in an intense battle against bots that automate play in their game and the companies that make these programs. Recently, Jagex filed suit in the US against Impulse Software, the makers of the iBot Runescape bot. This approach is very similar to that taken by Blizzard against the Glider application.

Jagex's injunction against Impulse Software has been thwarted because the company does not have a copyright in the US on its game that is circumvented.

... a very expensive cost savings (copyrighting the game code would cost around $40... and you don't have to disclose all of the code).

I would think that the quickest way to fix this would be to file a copyright on an updated version of the game client (and server) code and refile the suit. Also, on the current code, and the web site.

In the long term, bot companies are likely to move offshore - to jurisdictions with little or no copyright law, so it is a real question if this strategy will continue to be viable.

R. Crossley (2010). "Runescape hack evades Jagex ban", http://www.casualgaming.biz/news/30439/Runescape-hack-evades-Jagex-ban

What would be the perfect botting tool? It would not be tied to a specific game, it would grab the screen information directly, and, ideally, it would have a visual programming environment.

A visual testing tool.

MIT students have come to help with the problem - Sikuli. Its a pretty nifty, open source GUI testing tool that I stumbled onto.

Its a pretty neat testing tool, at the very least.

"PROJECT SIKULI", http://groups.csail.mit.edu/uid/sikuli/

Blizzard banned 320,000 Warcraft III and Diablo II accounts for cheating, seemingly for using third party programs and exploits:

We’ve recently banned over 320,000 Warcraft III and Diablo II accounts that were found to be violating the Battle.net Terms of Use. If this is a first offense, the CD key associated with the banned account will be suspended for 30 days, while repeat offenders will see their keys banned permanently. All account ban decisions are final.

We would like all players to remember that abuse of unintended mechanics and/or use of third party programs is a violation of the agreement made when signing on to Battle.net, and can subject your account to disciplinary action up to and including a permanent ban of its access to the service. These types of activities can severely impact the stability of our servers, and we’ll continue to aggressively monitor Battle.net in order to protect the service and its players from the harmful effects of cheating.

Many account closures come as the direct result of tips emailed to our hacks team by legitimate Battle.net users. If you come across a hack, find a site responsible for distributing hacks, or have a replay of a newly available hack, please report this to our hacks team at hacks@blizzard.com or through our Hacks Report Form at http://us.blizzard.com/support/article.xml?locale=en_US&tag=hacksform

As always, thank you for your continued support, and we'll see you on Battle.net!

"Diablo II and Warcraft III Battle.net Bans", http://forums.battle.net/thread.html?topicId=24401612571&sid=3000

Exercise. That's what kids need! Hey, let's put gaming and exercise together.

Sounds good until someone cheats.

Nintendo has responded with the PokeWalker pedometer attachment for the latest versions of Pokemon: HeartGold and SoulSilver for the Nintendo DS.

The inevitable cheat:



Ah, hardware hacks.... I guess this is a "bot"

Of course this is far from the first "real" game bot.

M. Fahey (2010), "Cheating At Pokémon And Walking At The Same Time", http://kotaku.com/5497763/cheating-at-pokemon-and-walking-at-the-same-time

Peanut butter and jelly. Ham and eggs. First Person Shooters and Aimbots.

Global Agenda, the recently launched MMO which is also a FPS, has, of course, had problems with aimbots.

The strategy? Lifetime bans (of course) and whatever the countermeasure de jour.

Depending on Global Agenda's success, there is going to be more upside for hacking the game than with a standard FPS. There is going to be gold (or some such) to be had which will be convertible to cash for all of those gold buyers no one wants to talk about.

We shall see how this goes, we shall see.

S. Brennan (2010), "Global Agenda takes aim at bots, aimbots specifically", http://www.massively.com/2010/02/24/global-agenda-takes-aim-at-bots-aimbots-specifically/

Jagex continues its war on cheaters, botters, and frauders. The makers of the MMO, Runescape, are suing Florida-based Impulse software and its two owners in Boston for:

"a history and pattern of owning and operating cheating Web sites, including cheating sites for ... RuneScape," in violation of copyright, trademark and computer fraud laws.

"Via the website rscheata.com, Defendants actively market and promote the Bots with knowledge that they are encouraging and enabling Bot users to breach their contracts with Jagex.

Defendants' actions have unjustly profited Mark Snellman and Eric Snellman while negatively impacting the experience of millions of legitimate RuneScape® gamers and causing significant damage to Jagex, e.g., including but not limited to loss of player revenue due to reduction in the amount of legitimate RuneScape® players who quit when their playing experience was negatively impacted by the defendants' Bots; employee time investigating and addressing user accounts using Bots; employee time responding to complaints from legitimate RuneScape® players regarding others' use of the Bots, and the like."

The article includes some information about how the company's two bots Nexus and iBot bot worked:

"The Bot software downloads a copy of the RuneScape® game client from www.runescape.com just as would a legitimate player using a Web browser. Once downloaded the Bot software uses a process called reflection to examine the operation of the RuneScape® client, which is otherwise normally hidden from players. The Bot software then uses this information in conjunction with color sampling techniques to identify objects within RuneScape® that the Bot software wishes to interact with, such as trees, mining spots or monsters."

The company charges for the bot program with subscription prices ranging from $5/week to $5/month to $200 for a lifetime of botting.

R. Kahn (2010), "Online Game Company Sues 'Cheater' Web Site", http://www.courthousenews.com/2010/02/12/24648.htm

Bots are a hard problem. How do you distinguish a person from a program playing your game?

Jagex's Runescape uses mini-games to detect bots.

Runescape is one of the older, and more successful MMOs. As seen in the recent, well-written review at MMORPG.com, Jagex has added a number of features that any game developer should consider in its MMO design.

One of the questions I've regularly been asked as a game security problem is "How do you detect bots in a game?" I've found this question particularly amusing as a good game design should inherently "detect bots" as our choices are one of the things that clearly indicate that we are human... a game that is repetitive to play or playable "away from the keyboard" is very likely a magnet for bots.

Runescape changes up typical MMO play with manadatory mini-games that help detect bots:

As any Runescape player can tell you, "Random Events" are an ingenious and infuriating solution to Macroing (players using a third-party program to complete their tedious tasks for them). It is almost guaranteed that the most inopportune moment will provide you with a chance to prove you are a human, and not a machine, at play; choosing a sandwich from the nice lady, correcting graves for a grave digger, or completing the maze gives the added benefit of a choice item you probably didn't need, or a minor experience reward.

While no player likes to be distracted from their goal, I will grant Jagex credit for their rather unique and often humorous means of thwarting cheaters. Offering an in-game event is a generous incentive which allows players to be involved with, and rewarded by, this worthy objective.

While such systems are not perfect, they do limit the ability of botters to totally automate game play and their frequency can be set to balance inconvenience with bot detection.

Core game design can also help in the battle against bots - the less "grindy" a game is, the harder it is to macro or bot.

I discuss this and other tactics in my book Protecting Games.



"Runescape Re-Review", http://www.mmorpg.com/gamelist.cfm/game/37/view/reviews/load/108/

Scott Jennings and NCSoft have put out a good, thorough message on the state of the game's security issues.

The message was posted very early this morning (the 20th) and within the first couple of hours has been viewed almost 10,000 times.

People really care about the security of their accounts and their game.

Security messages on the site get a lot of visits (see stats at the bottom of Scott's message). The last message on account security, from December 24th has had over 131,000 views - far more than any other recent message thread.

It will be interesting to see if this is followed up with any press releases or interviews to the games media.

Hopefully, like Jagex, NCSoft will also pursue legal recourse against criminals who engage in account theft (a clear crime under computer security laws).

S. Jennings (2010), "GSU’s Message on Account Security", http://na.aiononline.com/board/notices/view?articleID=197&page=

via

S. Jennings (2010), "A Note From My Day Job", http://brokentoys.org/2010/01/19/a-note-from-my-day-job/

Gambling is banned. Gambling is tightly regulated. But, if you are a "Not Gambling" gaming business you are not/rarely banned and not/hardly regulated.

Welcome to the world of skill games.

While skill games have had a limited impact online, they are becoming a bit more "exciting" in the non-virtual world:

Nebraska is in a serious dispute with American Amusements over its BankShot skill game as to whether the game is a slot machine or a skill game.

Ohio is fighting skill games by limiting them to having $10 non-cash prizes... a law that is being fought as being arbitrary by game operators and developers.

4 skill game arcades, also in Ohio, were raided as gambling operations.

What are these skill games? Are they "games of skill" or gambling games? What are the implications online?

At first blush, BankShot looks like a slot machine: You choose how many tokens to wager (which affects the jackpot), choose which way the balls are randomized (though this "does not affect the outcome"..... which is odd for a "skill" game), and hit the "Play" button to stop the balls and win or lose.

http://www.bankshotgame.com/how.php

This is very similar to Pachinko Slot machines in Japan (actually, the Pachinko Slot machines are much more sophisticated in terms of game design, as far as I can tell). These machines are not considered "gambling" machines as they have an element of skill. They also look like three reel slot machines, but the player is able to "control" the outcome. Instead of a single button that stops the reels, each reel can be stopped separately (and, presumably, a skilled player can control the outcome). The games also have progressive and persistent elements to keep players playing and loyal to a single machine type (see lengthy Castlevania Pachinko Slot video below...).



Demo: http://www.gamedesign.jp/flash/slot/ (the game behaves oddly, so play with care).

In Nebraska, there are around 450 of these game machines installed. The state went after the company and the operators claiming that they are slot machines. The company argued that the machines were predominantly "games of skill". The state sent the software to two companies to determine if the games were games of chance and has not disclosed the results (implying that the companies found the games to have a significant skill element). This has resulted in the company getting an injunction against the state (in October 2009).

The other approach that states have used to fight these games is to limit the prize amounts to small ($10), non-cash prizes. Companies have fought this is as being arbitrary. Companies have also gone towards a two-tier system where players can buy phone cards which can in turn be used for a random drawing for bigger prizes or just used for minutes (called "sweepstakes games").

Lots of drama all around.

Why the fuss?

States do regulate gambling. All forms of wagering on games for money is sometimes banned as well - usually based on arguments that games are not a legitimate form of work (a moral objection to any form of gaming for money).

As a practical question, what is a skill game?

There are two types of skill games - ones where players are competing with each other and ones where they are playing against a machine.

For today, the interesting topic is Player vs. Machine.

Determining whether a game is a game of skill is much harder than determining if it is a gambling game. One has to prove that there is a "predominance of skill".

To my view, looking at the code is not enough. You MUST assess the actual, physical machine.

Why?

Because the program itself will only provide proof that there is a way to play the game with some sort of control... validating that the changing state of the machine can be stopped in a controllable fashion.

The program might look like 2 processes - one listening to the buttons and the other running the continuously updating game state. The Button Listener would have "ON PRESS" stop the other process and freeze the game state.

... which would lead to the belief that the game has an element of skill in terms of timing when to press the button.

However, the actual implementation of the platform could make this apparently "human controlled" result quite random. If the platform is running on any sort of operating system, the flags, semaphores, or messages used to pass information between the two processes is at the mercy of the operating system scheduler and all of the other processes that are running. Also, in many cases today, keyboards and buttons are communicating with a separate micro-controller or processor which in turn sends messages to the main processor.

In other words, even if I hit the button at the exact same time with the display showing the exact same values, my results could vary substantially... in fact, it could be worse than with a slot machine in that I would "near miss" an awful lot and think that with more "practice" I could get better when, in fact, my performance was limited by the random variations introduced by the hardware and software.

The obvious side to this is if these were really "games of skill" certain players would become dominant and sit and play the machines profitably all day long...

Slot Farmers or Slot Campers, if you will... just like gold farmers in MMOs.

... and the machines would be pulled by the company and arcade operators in no time.

I am extremely dubious of player vs. machine games of skill. Either the games are mathematically "chaotic" so that arbitrarily slight differences in input can lead to huge differences in output or there is deep seated random processes that are not immediately apparent, but that have enough impact on the performance of the game that it has positive revenues for the developer and operator.

As I said earlier, player vs. player games of skill are another matter.

Legal & regulatory comments very welcome!

N. Jenkins (2010), "Neb. officials try to restrict gaming machines", http://www.businessweek.com/ap/financialnews/D9D28L180.htm

"BankShot Skill Game", http://www.bankshotgame.com/how.php

"American Amusements Co. vs. Nebraska Dept. of Revenue..." (Legal Agreement), http://www.bankshotgame.com/images/BankShotLegal.pdf

R. Zimmer (2010), "Ohio law defines and regulates games of skill: Don't bet on it", http://www.lancastereaglegazette.com/article/20100112/NEWS01/1120309/1002

J. Balmert (2010), "Newark, Heath raids hit businesses with skill-game machines", http://www.newarkadvocate.com/article/20100112/NEWS01/1120307/1002/Newark-Heath-raids-hit-businesses-with-skill-game-machines

Since its launch, Activision & Infinity Ward's Modern Warfare 2 has been plagued by annoying security problems that have gone along with its huge success. Most of these attacks have been based on unauthorized modifications to the game's configuration. The latest is a speed skating modification:



It is curious that Infinity Ward has fought these piecemeal as they all seem to be specific alterations to configuration files that supercede the legitimate ones. These alterations affect the game for everyone, not just the instigator, so they really change the rules of the game & don't give a particular advantage to one player or another (except the advantage of knowing what the $(#$*%() is going on!).

Interestingly, these attacks are viral, but not persistent. From this, one can surmise that the altered configuration files/data are either labeled or noted as being "newer" as the baseline ones and that they therefore should be used instead of the official configuration info. The changes do work on the console versions of the game, so they are are either based on game save hacks (which I doubt at this point having not heard anything to support it) or on hacked consoles/game disks where some unauthenticated game configuration files are stored (this attack likely exploits the old rewriteable DVD hack on the Xbox 360). It could also be done via the recently uncovered ability to access the game's command console.

A real flaw in the system is that it is viral: As long as you don't turn off your console, this hack will affect (and infect) all games and players that you play with. Thus, the problem acts more like a configuration update than a specific game configuration. The viral nature of these attacks could be mitigated simply by reloading the game configuration for each game session.

Fortunately, the attack is temporary. It does not update the local configuration information, only the "live" game configuration.

Infinity Ward's network design appears to be based on a "distributed object" model where newer versions of game objects are pushed to other players. This should mean that PC game hackers, or more serious console hackers, who can get to the game state for game objects SHOULD be able to modify their own game state to their advantage. Conversely, if they cannot do so, Infinity Ward should apply the same security measures to game configuration information as it has to game state information.

O. Good (2010), "Speed-Skating Plagues Modern Warfare 2 [Update]", http://kotaku.com/5444819/speed+skating-glitch-plagues-modern-warfare-2-%5Bupdate%5D

H. Neary (2010), "New Modern Warfare 2 exploit already fixed", http://www.boomtown.net/en_uk/articles/art.view.php?id=19048