Friday, August 3, 2007

Heuristics and your one unbanned account

Preface
I don't want to give the wrong impression to people using ISXWarden, so I actually don't want to post this, after having spent an hour or two writing it. But, I mentioned it in IRC and some people want to read what I have to say. So here it is. Before reading on, be aware that client-side detections are not the main focus of the article. That does not mean that I'm not working on potential client-side detections, and this article does also not mean to imply that I believe a significant number of the most recent non-Exploitation of Economy bans are a result of server-side detections. It's about mitigating your risks, and why just because you got lucky enough that one of your accounts was not banned, does not mean that you can go about assuming this or that about what Blizzard does. Without further ado...

The Article..
I guess it's about time I try to explain something to the masses. The masses, in this case, being people wondering why some people get banned and others don't, even under very similar conditions.

I'll get the first part out of the way. This article is not particularly about Warden, but I will cover it anyway. Every 15 seconds as you play, Warden is essentially dealt a hand of several cards out of a deck of cards. It reads each card, writes something on the back, and returns the hand to the dealer. The dealer reads the back of the card, wipes it clean, and shuffles the cards back into the deck. This process is repeated ad infinitum. Notice the bold text. Because the cards are shuffled back into the deck, rather than removed, there is no absolute guarantee that in a playing session, Warden will receive each and every one of the cards. Likely, yes, but not guaranteed (if you need help with this one, talk to someone who is good with statistics and probability).

There's point number one. The point to go along with this one is that not all Warden scans are definitive. Take for example the known false positive debacles: Cedega users were banned in November(?) 2006, and WinEQ 2 users were banned in July 2007. Neither application is harmful to the game, and the bans were quickly reversed -- I'm not sure if Cedega users got added time on their WoW subscription, but WinEQ 2 users got 2 days added. I don't specifically recall anymore what scan hit Cedega, but I've got the information laying around somewhere. But, in the case of WinEQ 2, Warden has been scanning for d3dx9_30.dll. This DLL is distributed with DirectX 9 updates as of April 2006, and there are newer versions as well -- d3dx9_31.dll, and so on. Microsoft provides them to help Direct3D developers with common features. WinEQ 2 and Inner Space both use d3dx9 to display text with standard Windows fonts in 3D. So, how do they tell the difference?

Obviously, depending on the scan (but certainly the case for the Cedega and WinEQ 2 situations), they must use other factors to determine if what they are seeing is something [perceived as] harmful to the game or not. Additionally, said other factors must also be inconclusive on their own. I shouldn't even have to mention this, but the reason that the other factors must be inconclusive on their own is because if they were conclusive, you would already be banned. In other words, if Warden is detecting a memory modification that allows you to climb mountains you would otherwise be unable to climb, they have no reason to do further investigation. It doesn't matter what application made the modification, there is no reason for them to determine that. They see your mountain climbing hack, and ban straight away. But back to the point. If they don't know what it is, they just have to find additional information that provides them with a good enough indication that they will ban you.

Which brings me to the next point. Let's step away from Warden and dive into risk. If you haven't seen Along Came Polly, then for the sake of this discussion I'll sum up the relevant portion. Ben Stiller plays an insurance agent, and he uses some risk analysis software that he's able to enter all sorts of crazy things into, and it comes up with information as to whether his company wants to provide insurance to someone. I'm just going based on memory here, haven't seen it in a while and I didn't see the whole thing either, but for example his rich client goes shark diving or something, and skydiving, and such. Anyway if I remember correctly, there were seriously strange and crazy things (and I don't mean things you've actually heard of people doing, like skydiving) he would enter into the system, and his program was coming up with some sort of risk numbers based on what his client wanted to do, to determine if he wanted to insure the client or not. The point is, he enters multiple pieces of information, and the system comes up with some number that indicates the degree of risk.

Before I continue, the reason I mention the following is unrelated to client-side detection bans. The reason I mention that is I have to put up with people taking everything of this nature that I say as meaning that there is no client-side detection in the recent Inner Space-related bans. There certainly was, but that does not account for the whole of the reported bans. I did say that the more recent ones were not from Warden.

So anyway, now let's assume for a moment that Blizzard is smart enough to have some systems that do not rely on client-side detection methods. We already know to a good degree of certainty that they have various server-side "detections" involving Exploitation of Economy (EoE) bans. They also reportedly have hidden walls of sorts in areas that players cannot normally traverse, that when crossed, raise some sort of flag on the crosser. So, let us assume that they are a) not stupid, and b) implementing other sorts of server-side analysis as well. Granted, many things that they could potentially detect server-side may be too CPU-intensive to use, but that's exactly the sort of challenge programmers love. And that's where heuristics come in. Heuristic algorithms find a way to solve a problem to a reasonable degree, without having to perform too many calculations for the CPU.

If Blizzard wanted to catch bots, all they would have to do is identify a few factors that can be heuristically computed to come up with a comparison between a bot and a human. If bots consistently performed a behavior in a way that humans consistently do not, they can come up with a reasonable risk factor -- a probability that the player is a bot rather than a human. One behavior is usually not a good indication and would lead to false positives. There are of course other inputs as well, such as player reports, linkage of accounts previously reprimanded for botting, playing time and how that time is spent, and so on. Combine all of these factors, and you have now prepared a list of the characters most likely to be bot-controlled. If the aggregate risk factor is high enough for a given player, they could ban without any sort of follow-up observation. If it's not, then the list then serves as a prioritized list for GMs or other employees to run down for confirmation. If you're lucky enough, they don't catch you.

As a botter, you not only want to be sure that you are protected from Warden and other client-side detection mechanisms, but you also want to be sure that you are as low on that prioritized list as possible. The same goes for EoE ban candidates. If you're on their list, then it's simply not going to be good for you.

If you're interested in keeping your accounts, then cover your bases. Don't make the assumption that they won't catch you because you don't believe they would implement server-side detections. Whether they are right now for things that affect you or not, it is almost guaranteed that they will as they look to the future. Computers are only getting faster, storage and memory capacity is only growing, bandwidth capacity is growing, and calculations that were previously too expensive are coming within reach -- either by discovering new solutions, or simply as a result of the hardware improvements. Blizzard knows that client-side detections can only go so far, and can be worked around. They have to constantly come up with new ways to detect your software on the client side. And the right people will always be able to cover their -- and your -- tracks. Anything on the server, however, cannot be reverse engineered by those right people, and cannot (usually) be spoofed by the client.

The moral of the story is this... Don't take chances. Look as human as you possibly can when you bot. It doesn't save you from client-side detections, obviously. That's not the point.

1 comment:

Matthew said...

GoGo Lax /cheer in the attempt to educate the masses

This reminds me of a mad tv show called numb3rs. http://www.tv.com/numb3rs/show/25043/summary.html

and is somewhat relevant to the article. (As to the statistical analysing and heuristics)

Blizz is teh FBI and where the Crims!!!

WE BE VICTIMS I TELL YA!!!