Bot train in nexus


#1

So this happened.

They’re gone now, but it was pretty freaky to see regardless.


#2

That’s a real throwback to the multiboxer groups that used to be so common many years ago! Hopefully they do not make a comeback.


#3

Nooo! That’s the 5th time I’ve seen mention of them lately. What could possibly be the loophole they discovered?


#4

Here’s one I saw a couple of days ago. They are not visible in the screenshot as I had moved down, away from them, to get some performance back. They seemed to be appearing, moving to the middle of nexus then disappearing after saying one line.

I think that they are all accounts that were not claimed by their owners during the Great Migration, then snapped up as mules by someone else when the account names were released. The reason is that most of the names look like real names, not bot-generated ones, and the few I looked at were old accounts, several years old, but with next to no activity.

So maybe someone with a lot of old accounts they’ve been unable to use or sell is messing around with them while they can, knowing that the EOL of Flash will also put an end to scripts soon after when servers enforce only Exalt clients connecting.


#5

I did notice the numbered ones. That’s unfortunate (and kind of funny in a morbid way), but makes sense. It’s the multiboxers that worry me.


#6

I would not worry as I think they will stop with the retirement of Flash. They clearly don’t use Flash as no-one would be able to run 100+ Flash clients on a PC to do that. But they are talking to the servers pretending to be Flash clients.

DECA can detect whether you are using Flash or Exalt. Hackers tried to fake it in their hacked clients, and a whole lot of them got banned when the detection kept working and they did things Flash was supposedly not able to do.

Come Sept 23rd they won’t just detect and ban non-Exalt clients. They will simply disconnect them, or stop them connecting in the first place. And on Sept 23 the Exalt client will be changing in significant ways that make it even harder to emulate, and it will keep changing much more rapidly than the Flash client before.

That’s why I think they are suddenly active now, to use them while they still can. The person doing it probably thinks they are very clever, adding RANDOM NUMBERS and RHYMING WORDS, but it just makes it even more obvious it’s a mindless script running them, and the person doing it has wasted years holding on to these accounts for absolutely no good reason.


#7

There was a piece of that puzzle I was missing. Thanks for the explanation!


#8

There are more


#9

Realm doesn’t have good security against bots, and on top of that it’s a free game; Flash ending by itself won’t aid in preventing this kind of thing from happening unless a proper detection algorithm is implemented and maintained…

All things considered, it’s hard for a small indie game company with a free-to-play game to not take extreme measures in cases like this, like making it a paid (even if cheap) game or investing hard in security.


#10

They can already detect Exalt/Unity. Hackers thought they could fool it with their changes to the Flash client. Result: lots of bans. Those were I presume some of the most experienced hackers involved in ROTMG, and they were unable to get round ROTMG’s security, they just got their users banned trying.

And it’s about to get much much harder. Once Flash is gone they will lose their most useful tool for hacking, access to the source code. Unity can and will change things, and I think quite quickly, as a lot of changes have been held up by the Flash client.

The only way to hack will be by hacking the Unity client but that will get harder too, perhaps much harder. They have been unable to add security while Flash is still part of the game, but that will change come Sept 23.


#11

Maybe they’re just a bunch of genuine light blue stars looking for friends to play with.

Yeah, that must be it.

Yeah!


#13

Who knows, maybe they’re just a bunch of hapless (Senshin’s) Oalei clones. I’m sure that if we offer them all a random gumball, they’ll shut up, right? :thinking:


#14

Today:

Nah bots are still gonna work after Flash dies

Sept 23:

What’s this error? “Client not recognised as a Unity client” Not seen that before. Never mind, can look at the Flash client code for a fix, it will be there as always…


#15

Me too. I’ve been seeing them on USMidwest2 quite a bit.


#16

I mean, as long as they’re not doing anything harmful who cares

On the other hand this probably means someone will find a multiboxer on some server eventually


#17

You’re mixing regular cheaters with the bots we see in OP’s post.

I’m talking exclusively about those mass botting cases… This doesn’t involve player or cheater clients, and as I said, just the Flash-Unity switch alone won’t prevent them.


#18

Clearly they are not using the Flash client, yes. But also they are not using Unity. So it’s a custom app/script. So what happens on the 23rd? Do DECA try and detect the Flash client and stop it connecting?

No. They will detect the Unity client, in a reliable way that hackers cannot easily fake (see their failed attempts to do so with the Flash client). Anything else, including whatever the bots are using, won’t be able to connect. Will hackers be able to fake a Unity client? In theory, though they have not managed it so far. And it is about to get much harder.

Once DECA stops making a Flash client hackers will no longer be able to disassemble it for the code that talks to servers. At the same time the Unity client is being overhauled with changes that were not possible because of Flash. Many of those are user-facing changes (graphics improvements, a new Vault UI) but they could include changes to lower level code which changes how it talks to the server.

I don’t think this will stop hacking altogether. But I think the only way to do it will be to modify the Unity client. So no more scripts running bot flash-mobs, or running spam/notifier bots on every server.


#19

You’re far too optimistic on that lol.

I can’t give any opinion on that since I don’t know how to hack a Unity game or mimic its behaviour with bots.

However it’s still a free game and the hardest part of creating a new account is filling a simple captcha so I really can’t blame myself for being skeptical on your very optimistic previsions about security.

They still don’t have any algorithm to detect multiboxers :man_shrugging: I saw one in the nexus last time I played


#20

Nah. Flash is uniquely bad for security. You can simply download a free tool which can then decompile the game (the .swf file that you load to play ROTMG) into plaintext source you can then mess with to your heart’s content. Make changes so you have a hacked client. Or extract the network code to put in a script for bots.

AFAIK there is nothing similar for Unity. DECA have said the client has been written with security in mind from the ground up. Unity is a standalone app, making it much harder to run multiple instances of it side by side, for muling, multiboxing or duping.

And there’s code on the server already to detect whether it’s a Unity client, using code in that client. Hackers tried to fake this in their hacked client and failed, as they were unable to see how the Unity client works. They can use the same check to bar all non-Unity clients from Sept 23. That should see the end of most bots and multiboxers, as it will become impractical to run them.


#21

I wonder if DECA has considered searching for willing “white hat” hackers to probe for weaknesses in their system, or if they are trusting their own abilities with Unity. Not calling that second point as bad, just a neutral statement.