Bot detection

06/26/2020 04:33 vietnguyen09#1
Hi guys,

How do you detect players log in to your server is using bot (such as mBot etc...) or not? I have done about catching locate flag but they easily bypass then.

I'm thinking about injecting a DLL into silkroad.exe and send a special packet but when players hit Start game button, that SOCKET session will be disconnect to open sro_client.exe.

Any idea?
06/26/2020 06:45 #HB#2
You can check if client socket was redirected or not. (since any bot has to redirect the client to itself)
06/26/2020 07:20 vietnguyen09#3
Quote:
Originally Posted by #HB View Post
You can check if client socket was redirected or not. (since any bot has to redirect the client to itself)
Thanks for your hint, can I check that from my filter? I read all the packet that login by bot but see nothing different from the player who enter in game by silkroad.exe.
06/26/2020 08:23 #HB#4
Quote:
Originally Posted by vietnguyen09 View Post
Thanks for your hint, can I check that from my filter? I read all the packet that login by bot but see nothing different from the player who enter in game by silkroad.exe.
Well, yes you can.

You just need to hook client socket after connecting to server and check its ip like [Only registered and activated users can see links. Click Here To Register...] and maybe then inform your filter.
06/26/2020 09:39 vietnguyen09#5
Quote:
Originally Posted by #HB View Post
Well, yes you can.

You just need to hook client socket after connecting to server and check its ip like [Only registered and activated users can see links. Click Here To Register...] and maybe then inform your filter.
I'm doing it, but it always shows the client's WAN IP :( I'm testing with mBot

Can I use DLL to hook sro_client.exe and know that connection is redirected or not?
06/26/2020 18:15 #HB#6
Quote:
Originally Posted by vietnguyen09 View Post
Can I use DLL to hook sro_client.exe and know that connection is redirected or not?
Yes, you can. You can hook WSA's connect func, then check right after its execution.
06/26/2020 18:19 vietnguyen09#7
Quote:
Originally Posted by #HB View Post
Yes, you can.
I'm kind of stuck right know after over 14 hours of working with this dll, I can't get the socket IP with my DLL hook.

Can you give me a hint? I'm using hwid dll trying to get the socket IP after run mBot but not quite easy to do.

Code:
char buf[INET_ADDRSTRLEN] = "";
struct sockaddr_in name;
socklen_t len = sizeof(name);

//sock_fd here is not exist in anywhere, where can I get that?
if (getpeername(sock_fd, (struct sockaddr *)&name, &len) != 0) {
    perror("getpeername");
} else {
    inet_ntop(AF_INET, &name.sin_addr, buf, sizeof buf);
}
06/26/2020 18:27 #HB#8
sock_fd is the actual socket that is used on WSA's connect, so you have to hook to get it.

Something like:

Code:
OnWSAConnect(SOCKET s, const sockaddr* name, int len)
{
	connect(s, name, len);

	sockaddr_in addr;
	socklen_t addrsize = sizeof(addr);
	getpeername(s, (sockaddr*)&addr, &addrsize);

	//...
}