Monday, June 6, 2011

An Eve Online Bot Developer On How To Combat Bots

Last Thursday I wrote about the unauthorized release of the source code for the Eve Online client and what it might mean in CCP's War On Bots™.  I'm not a master code writer by any means so I suggested for some subjects looking up those with a lot more experience.

One of those people is a man known as Da_Teach.  He is the developer of the Questor missioning bot, which means he may know something about writing bots for Eve Online.  But more importantly, he has experience writing bots and hacks for many MMOs, including the now defunct WoWSharp for World of WarcraftLike CCP Sreegs, Da_Teach also has ties to HBGary, the technology security company that was hacked by Anonymous after the head of HBGary Federal, Aaron Barr, claimed to have obtained the identities of the members of Anonymous.  But Da_Teach's ties aren't professional.  According to Da_Teach, he knows HBGary founder Gary Hoglund though MSN Chat where Mr Hoglund helped Da_Teach with the development of WoWSharp.  Mr. Hoglund allegedly then used much of the information gathered by Da_Teach in his work uncovering the details of Blizzard's Warden anti-hacking software.  Yes, the HBGary founder is THAT Gary Hoglund.  However, Mr. Hoglund apparently doesn't like to share the credit.

Da_Teach is also unusual from what I've seen of other Eve bot developers in that his bot is completely free.  He is actually writing Questor for the lulz.  I'll quote Da_Teach:
"Edgar get's me, I've tried to make this clear to everyone multiple times. But for the ignorant people I'll do it in bold: what I do, I do for fun and for myself. And I can have fun in a lot of ways, I can have fun hacking a game. But (while I never actively tried it) I can probably have a lot of fun protecting a game too.

"One important thing here is the I part! You probably use/develop Questor for money. I don't really care about money, it brings me no pleasure and it doesn't buy me happiness (omg did he just use an old saying, yes he did!).

"I also played EVE long ago (2-3 years) but got bored, I then indeed gave away all my accounts to an ingame friend. Then last year I got the 'need' to play EVE again, only to get bored pretty fast (within a few weeks). I then started writing Questor and had a lot of fun getting to the point where we are now. I must admit that it is slowly losing my interest again.

"What does this mean? I will support Questor (for now) and I still have a half-rewritten Questor v2 (the core-rewrite), but I am spending a lot of my free time on Rift at the moment. You might have noticed this with the less frequent updates to Questor.
I wrote on Thursday that as long as CCP continued to use Python that hackers could decompile the source code.  But that doesn't mean that CCP could not cause bot writers huge headaches.  Da_Tech gave his thoughts on the subject.
"Here's what I see happening, initially CCP will detect bots by behavior. It's probably how they caught the RoidRipper/H-Bot users. Since neither of those two actually change anything within EVE.

"After most of them are caught, I see CCP going for the 'injectors'.

"You have two flavors, you have the Python injectors (Eran bot, spelling) and you have the 'process' injectors (Questor and ISXEVE). Both are easy to stop but I see the python injectors easier to stop then Questor / ISXEVE. For the Python Injectors you could easily just remove the PyRun_ functions completely, with no way of them to actually inject Python, it'll end pretty damn fast for them.

"To disable Questor / ISXEVE in the same way would mean that they'd have to remove the other python functions as well, and those are most likely used by their interal C/C++ functions as well. So that's not really possible. A 'quick' solution would be to mask those functions by using an obfuscator, but that wouldn't stop ISXEVE (it would stop me, because I'd be too bored to keep searching for the required functions).

"Once you're done with the obfuscation path, you'd add checks to the Python functions to detect unauthorized usage. This step would have to be done after the obfuscation, otherwise it would be too easy to crack.

"Possible ways of detecting unauthorized usage would be to send the call-stack to the server (for both the c/c++ functions as for the python functions!), this was done by the Blizzard-Warden and while not impossible, very hard to circumvent. The way to circumvent this would be by modifying the code, however if you then have a separate thread/function/whatever to check for code modifications then it suddenly becomes a factor 10 harder.

"Once your done with that, here's another simple step. Obfuscate your Python code already, but not in the traditional way. Randomize your byte code! Yes, you have the source for both the Python compiles as you do for the Python runtime. Every patch you change this bytecode and RE'ing the python code has become near impossible.

"After that you've pretty much stopped ISXEVE and Questor or made their life very hard. "

If Da_Teach is correct, ultimately stopping or severely curtailing botting in Eve Online is beyond the ability of CCP Sreegs' team.  CCP will need to alter the way they write and deploy their code.  If CCP does this, then CCP Sreegs will have a fighting chance.

One last item.  I'm not in the habit of writing an article that mentions a bot by name without making the comment that using the bot is pretty dumb.  I can't go that far with Questor, but I can leave you with a final quote from Da_Teach.
"In the end the only advice I can give you is that if you do not want to get banned, do not use Questor. But this advice then also counts for ISXEVE, etc. The simple reason is that we currently have no clue what CCP will implement and how hard it'll be to circumvent those protections. It is very easy to miss a detection routine if you do not know it exists! "

No comments:

Post a Comment