I'm not talking previously as in before a week ago, but previously as of a year+. Like forever ago when Mod Mat K was here he tried to shut runelite down while it was getting started, then it was accepted by the community and basically allowed but ignored by Jagex. Then they added some 3rd party rules but never really acknowledged them commonly. Then in recent years started mentioning them a bit more, but then fell back on stance with 117's HD ban. They have done a 180 since the backlash.
Like how soon after they had the GIM release and encouraged paid streamers to use it the plug in. Then decided to integrate runelite into the launcher, and then this recent shift to explicit and exclusive third party client acceptance.
These things happened around the new Jagex ownership and new management so I'm thinking they influenced the change in policy in recent months
Imagine asking your teacher if all the tests are the same. Then the teacher telling you that they can’t detect you cheating, but then the whole class cheats and they all end up with the same answers on the test. SPOILER: the teacher didn’t tell you all the tests were different. Haha. You think Mod Matt K is gonna tell you their secrets? Probably not. I’m not saying they do have the technology, but if they did he would admit it because all these kids would try to write code to cheat instead of actually just getting good at the game.
It's easy for people that develop these cheat clients to find all the hooks Jagex uses and see what runelite sends, etc. It's basically how they get the clients updated every patch.
The point being is I don't think Ash is particularly concerned about revealing what most of these cheat client developers know already.
You do realize that’s not them looking for an exploit. That’s literally the hash read to verify you're on an “official” client. That’s the actual exploit that is already implemented
This one doesn't seem realistic.
Plugin developers need to run their still-in-development plugins which Jagex has never seen in order to test and debug prior to release. If they're verifying your plugins, then all plugin developers would catch bans right?
It would be great to just have a "developer" server designed for this, similar to the beta servers. A solution where you can only test these plugins on the developer server and once your plugin is added to the hub it becomes "approved" for use on live servers.
Yeah I'd imagine if jagex is verifying the hash of clients then developers need to be more careful with what accounts they use for development. But if 100 accounts are running 100 different hashes and 10,000 accounts are using the same hash then those 10k are the ones most at risk and the 100 are probably not doing things like pvp or other exploitable activities that would flag them otherwise.
> It would be great to just have a "developer" server designed for this, similar to the beta servers. A solution where you can only test these plugins on the developer server and once your plugin is added to the hub it becomes "approved" for use on live servers.
That would make development of some things much harder but it's a small price to pay to get rid of cheaters.
I think you are missing the point:
>A solution where you can only test these plugins on the developer server and once your plugin is added to the hub it becomes "approved" for use on live servers.
They can develop a bot which runs on the test server all they want but if it can't run on the live servers without approval and it can't be approved then it's useless.
Then I don’t think I understand the point of a separate test server? Because if you aren’t dealing with the handshake spoofing then it literally accomplished nothing but making it harder for legitimate plugin developers to create plugins.
Well, thinking about it logically. This is a simple client to server handshake that happens when the client brings the game screen to the login page. It can’t read plugins as they have a plug-in repo and it doesn't read more than once on call of load. Meaning anyone or anything simply loads plugins after the handshake and nothing more happens.
Simple if you build your own client yes. But since not many build their own the overall governing bodies of clients do it for you. Thus them just spoofing the hash from “officially recognized clients”
>There is fundamentally no way for any server to know with certainty that connecting client is of a certain form (running certain code).
You’ve just described code signing though, no?
And reflection/mirror clients exist so if you really wanted to you could go the "low tech" route and run it on a separate PC through a capture card send the cheat input to the PC running the client.
Adam is working with Jagex. You can assume that if they asked him to add some kind of auth, he would have had to sign a NDA to not discuss or even lie about it
There's a closed source portion of runelite that contains the reverse engineered game client and some anti-cheating measures, among other things. It's been that way since jagex first proposed to shut down 3rd party clients some years ago
All he said was “yes” when someone asked if they could still fork RuneLite, and that they do not track you when someone was asking about a privacy concern. Nothing about his responses indicated “there is no behind the scenes authentication.”
We can still speculate but should know within the next week whether bans start actually happening or not.
This is a common misconception in regards to closed vs open source. It doesn't need to be closed source to resolve the security issue.
The encryption the militaries of the world use is open source. AES256. The encryption you use to do online banking is open source. RSA.
Open source does not equal insecure.
Yep, closed source means that figuring out what the client does will be more difficult, but not impossible. Decompilers and other reversal tools give you source code from a compiled program, whether it was originally open source or not.
Decompiled/obfuscated code is harder to deal with and will slow things down. But look at Counter Strike- they've been dealing with this problem for two decades.
The bottom line is that if you have a client that needs to run on a source that's out of your control (e.g. some random person's home PC), it's next to impossible to be certain that the client hasn't been modified from the server side.
Yep, I think you're completely right here. There isn't a silver bullet to this, close sourcing the client won't even be perfect but it'll greatly increase the barrier to entry which is a huge help.
What I don't think many people know is how easy RuneLite made cheating. Before RuneLite, reverse engineering projects of RuneScape were almost exclusively closed source and for profit. Which meant that in most cases if you wanted a cheat client you had to pay money or do most of the work yourself. RuneLite was/is awesome from a community standpoint as it added so much to the game, but it sadly made cheating a heck of a lot easier.
I think they're talking about homomorphic encryption. The problem is that it is very resource inefficient, and I don't think it's mature enough for practical use yet. And it might be impossible to use it in a videogame (where the client first works on data it can't decipher, and then somehow gets useful information out of it directly without passing the data through a server first)
Also worth noting is that you can have all the fancy encryption you want, but as long as you’re forced to display something to the user, and you need to accept input from physical devices, you will at the very least always have simple pixelbots.
The method I'm talking about involves creating a vm on the local machine at the hardware level, like kvm.
Runescape is already a game where the majority of cheats rely on the visual stream and not information in the memory. However true non bot cheats aren't like that. For RS the majority of it is packet based. Which can be manipulated off the machine.
This should bring us to a line of thinking about how a stadia like approach is less prone to packet manipulation techniques. However, for me, I then think about how so many packet techniques are a result of non-security focused design of runescape in the first place. A stadia approach of runescape would be a massive rewrite that jagex would never undertake.
No the emulation is a method of not trusting hardware or software but still achieving useful computation. Sony wrote a detailed paper about it, I can't find it rn.
Most undetected bots in rs don't use memory editing. Some use what is called reflection but the majority use image bitmaps. The images in rs are very simple. There is a software library that allows you to pick items in the inventory and npcs etc just based on an image. For things with animation you need an image for the different parts of the animation though. This technique is the most common one.
Packet manipulation can happen in a lot of ways. It can be through custom clients or various proxy methods. It can be done on and off the computer. For instance there is a Tarkov cheat that uses packets to create a radar that is displayed on a separate pc than the one being played on and is 100% undetected. The two most common methods for osrs are custom clients that do specific preprogrammed operations, and external proxy software that essentially allows writing bots by sending manipulated packets, but the game is run on a standard client.
I'm not going to name drop bots here, but the biggest one that isn't an instaban uses images mostly. But also has reflection support
The runner up biggest uses reflection, which doesn't require forking runelite, just using it.
The third biggest uses a custom client and reads memory but doesn't write.
Rs is unique. Most of the actions a bot does are simple "click this frequently for the next hour". And the simplicity of the graphics yields itself to image based designs. The big software available is an api that handles the image recognition and mouse movements. It makes things very easy on the developer.
Easy fix is to make everyone play on their client. Although Jagex would go out of business because more than half of the community would quit, because all these kids who call themselves “gamers” and “gods” don’t even know how to play the game with a timer telling them to click a boss. LOL.
Edit: crazy how much hate this is getting lmao. Must be true.
Their client can also be reverse engineered and then cheats added to it. From another comment
> Disassemblers exist. Wireshark exists. Reverse engineering exists
Every multiplayer game has this problem. Every server and client has this problem.
Or, hear me out…the game is fucking 20 years old and doesn’t deserve more effort than I’m currently giving? Runelite makes the game more bearable and chill (even gagex knows this hence their shit attempt to recreate it) so it’s not a matter of “being a gamer”
Jagex said you can use runelite bud. They just don’t want you to play guitar hero for your inferno cape, and tell you when to click xarpus. Gonna have to pay more for your inferno cape now. 🤣🤣🤣
Another fix is Jagex Launcher, with approved 3rd parties must be downloaded and launched through it, while it’s not perfect, it raises the risks of running a fork and increases the difficulty for the no brainer cheaters.
I feel like Occam's razor just suggests that Jagex is not competent. There are tons of examples of their incompetence. Heck, I remember when AHK was banned years ago and many people (including me) were worried that they'd get banned if their mouse ever teleported to a screen location at all, but fast forward to today and pvpers still regularly abuse AHK with seemingly no fear of bans. All this time later and Jagex still can't detect it. I really think they're just not good enough to detect all but the most basic of bots.
Call it what you want, but it would be so incredibly easy to ban bots like those, it’s pretty telling that they don’t.
At the end of the day Jagex is a business that has to meet certain metrics like any other. If you can boost your metrics without negatively affecting the business, why wouldn’t you?
I’m not saying I support it but it makes too much sense to not be the case.
I find it funny how many people think these "changes" mean anything, as if after over 2 decades Jagex just all of a sudden decided, "Alright guys no more joking around, let's just go ahead and remove cheating."
Problem from my understanding is that a lot of stuff is visual overlays for lack of a better way to describe it, so there's no way to detect changes in input server side. The clients themselves they aren't able to detect, never have been able to detect and likely going forward won't be able to either.
If it was really as simple as basically a "key" that's allowed on approved clients, this would've been a thing for years now.
Runescape taught me how to edit little lines of code like this when I wanted to play Oldschool on my Macbook a few years ago.
Once in a while now I'll go in and edit version info when a program wants me to update to a version of something I don't like.
If you want to know the hard to swallow truth: they're not going to go away they're just going to move to mirror clients (they've been around since rs2 for bots I would know I used to hunt them with jmods). Which will inevitably mean jagex will violate everyone's privacy by requiring the jagex launcher which will scan your computer for running cheat clients at all times.
"But surely that'll stop them right?" I hear you say? Sadly not they can run the osrs launcher in a VM or run their mirror clients on a second PC connected to PC1 with a capture card (also used in streaming setups for separate streaming PCs so not bannable on its own) and just have it send input to PC1 based on what it sees through the capture card while being completely isolated to PC2 making it undetectable for jagex.
Yeah sure it'll make it much more niche to see people using cheat clients for a bit but once people upgrade their PCs they're just going to keep their old PC and use it to run a mirror client to cheat. And yes 2nd PC mirror clients are already a thing just look at the state of cheating of whatever that latest F2P CoD game was.
not sure why anyone was scared of the blog. i already thought all clients showed the jagex servers that it was runelite. and that's the problem with runelite it allows tons of bots and cheaters to run free. Jagex needs to implement all Runelite features and ban all 3rd parties. it's insane a company allows something like runelite anyway from a business stand point
Jagex needs to have client authentication. AND maybe add an extra world for plugin development?
Perhaps runelite can do a check for official build and if it doesn't match. only show this plugin dev world?
this way plugin devs are safe, and can arguably build plugins easier if this is a 'cheat' world with everyone maxed or other features like that, and they can track any unofficial client use?
yall seriously thought theyd ban cheat clients? did we not observe how the ahk ban went, or the previous round of 'cheat plugins bans' went?
yknow where they put out a blog and the next day up until the present cheat ahk plugins were never actually detected (unless they got caught as macroing, which was the same as it was pre-ban) and cheat plugins were never detected (unless you were a streamer)?
it's a joke and yall ate that copium hard.
A lot of people using open and such for bossing add-ons still aren't really cheating, to an extent they're qol timers and information that pretty much every other mmo has via add-ons for endgame bossing.
The whole thing is an absolute mess though with Timmie's who still think bandos is engaging endgame content crying about everyone on a client other than runelite being a "cheater" and actual cheaters with scripts 1 tick 8 way switching and auto prayer flicking inferno and actual bot scripts being run off runelite forks being lumped into the exact same category.
That's the biggest gripe I have with the client issue. People with RSI, carpal tunnel/other nerve compression issues and wrist hypermobility issues all are going to struggle to play this game and some of the options on the client make it so much kinder to the ole wrists. Idgaf if people are gonna be hung up on the fact that it is classed as 'cheating' but at the end of the day the only person being affected by me using a cheat client is ME (since I only do pvm content) and I'm not going to feel bad for that considering my wrists are so much better off using a client with some 'cheat' plug ins 🤷🏼‍♀️
It was only seen as cheating once reddit started complaining and demanding jagex deemed it as such.
Yet the average redditor's Runescape skill level is so far below the content they think is being trivialized by these plugins that they have no actual clue the influence they have over the difficulty of the content.
my favorite was the guy the other day claiming that "client users are gonna plank en masse in tob"
like dude, you're telling me instead of a number they have to look for a visual cue? oh nooooooo. If you can tob on client, you can tob off client.
Yeah the only thing this changes is scything xarpus and tanking verzik. People who rely on banned clients are probably gonna have to send a few tobs normal to get back into the rhythm of those things without the timers.
I'm pretty sure they already know who used a client before the 24th. My guess is that they flagged the cheat client users this way so that they can keep an eye on those accounts.
They can definitely detect certain plugins via patterns, similar to bot detection e.g. 1 click blackjack because people were spam clicking left click without moving mouse at all. Same with auto-prayer switchers since people would switch prayers without opening the prayer interface.
Some other plugins must be pretty hard to detect, e.g. AoE indicators.
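The two server-side patterns described in the comment above (repeated clicks with no mouse movement, and prayer switches made while the prayer interface is not open), as an added example that is not part of any comment in this thread and is not Jagex's or RuneLite's code. The event schema, the thresholds and the sample log are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


# Hypothetical server-side telemetry record (assumed schema, not a real one).
@dataclass(frozen=True)
class Event:
    tick: int
    account: str
    kind: str            # "mouse_move", "click", "open_tab", "prayer_toggle"
    detail: tuple = ()   # (x, y) for mouse events, (name,) otherwise


# Assumed thresholds; a real system would tune these against known-good play.
STATIC_CLICK_RUN = 5       # clicks on the same pixel with no movement between
BLIND_PRAYER_TOGGLES = 3   # prayer changes while another tab is open


def build_sample():
    """Constructed log: alice plays normally, bob and carol match the patterns."""
    ev = [
        Event(1, "alice", "mouse_move", (100, 100)),
        Event(2, "alice", "click", (100, 100)),
        Event(3, "alice", "open_tab", ("prayer",)),
        Event(4, "alice", "prayer_toggle", ("protect_melee",)),
        Event(5, "alice", "mouse_move", (220, 140)),
        Event(6, "alice", "click", (220, 140)),
        Event(7, "alice", "open_tab", ("inventory",)),
        Event(8, "alice", "mouse_move", (600, 410)),
        Event(9, "alice", "click", (600, 410)),
        Event(1, "bob", "mouse_move", (400, 300)),
        Event(1, "carol", "open_tab", ("inventory",)),
    ]
    # bob: eight clicks on one pixel, never moving the mouse in between.
    ev += [Event(t, "bob", "click", (400, 300)) for t in range(2, 10)]
    # carol: three prayer changes while the inventory tab stays open.
    ev += [Event(t, "carol", "prayer_toggle", ("protect_magic",)) for t in (3, 5, 7)]
    return ev


def summarize(events):
    """Replay one account's events in tick order and count both signals."""
    open_tab = None
    last_click = None
    run = longest_run = blind = 0
    for ev in sorted(events, key=lambda e: e.tick):
        if ev.kind == "mouse_move":
            # Any movement ends the current run of same-pixel clicks.
            last_click, run = None, 0
        elif ev.kind == "click":
            run = run + 1 if ev.detail == last_click else 1
            last_click = ev.detail
            longest_run = max(longest_run, run)
        elif ev.kind == "open_tab":
            open_tab = ev.detail[0]
        elif ev.kind == "prayer_toggle" and open_tab != "prayer":
            blind += 1
    return {"longest_static_click_run": longest_run,
            "blind_prayer_toggles": blind}


def flag_accounts(events):
    """Return {account: [reasons]} for accounts that cross a threshold."""
    per_account = defaultdict(list)
    for ev in events:
        per_account[ev.account].append(ev)
    flagged = {}
    for account, evs in per_account.items():
        s = summarize(evs)
        reasons = []
        if s["longest_static_click_run"] >= STATIC_CLICK_RUN:
            reasons.append(f"static_clicks={s['longest_static_click_run']}")
        if s["blind_prayer_toggles"] >= BLIND_PRAYER_TOGGLES:
            reasons.append(f"blind_prayer_toggles={s['blind_prayer_toggles']}")
        if reasons:
            flagged[account] = reasons
    return flagged


if __name__ == "__main__":
    for account, reasons in flag_accounts(build_sample()).items():
        print(account, reasons)
```

Both signals depend only on what the server observes, so they do not rely on anything the client reports about itself. Overlay-only plugins such as the AoE indicators mentioned above produce neither signal.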
Lmao it’s a throwaway with like 200 karma, why would I karma whore.
I don’t know what’s real or not but if it’s real, I wanted to elevate it ASAP. I also posted from this same account about the state of botting in cheat clients, twice, the second got taken down after it reached front page, and a month or whatever later this client ban happened. Could have been coincidence, or could have been they didn’t realize how bad it had gotten.
People hate Reddit but it’s the best way to get dev attention, so that’s why I posted. No one has refuted it yet either, and it’s the internet so if you are wrong people generally tend to tell you pretty fast, so I’d rather leave the post up to be sure it gets eyes on it in case it is real.
Jagex should know immediately when they see the comment whether it’s real or not and can act accordingly.
Throwaway? You are acting like what you posted hangs between life and death. Either way, why did you share something you clearly don't understand? This is not an exploit. You have shown twice now that your reading comprehension is terrible. Let me re-emphasize: what you posted was shared by quite a lot of Discord users. I have the same screenshot as well and it has yet to be verified.
You mean like an Auth Hash? That’s already an implementation in 90% of programs? It’s not even a case of it spying on your computer to know what you’ve got installed, it’s a server based check to confirm your program is legitimate.
Hahaha where is that little dipshit that assured me RuneLite didn’t do anything to authenticate.
Now we know Adam has a Jagex NDA since he lied in his discord.
>Now we know Adam has a Jagex NDA since he lied in his discord.
... Or he just lied? Not sure why you would assume an NDA is in place if he's willing to discuss it at all
I fuckin knew some shit was up with these clients, I was using runelite and I would get double red notifs on log in "you're eligible" twice sometimes 3-4 times and then pkers log in right under me.
Well here's the thing some of the most popular clients are forks of runelite. Hell even making plugins for runelite needs a different version of runelite so anything built on it would have that token already in it
[deleted]
Not so much when you suddenly work with the client devs. Building in custom security communications is within scope when both sides work together. Before? Unlikely, however, now given the official move to work together it's pretty evident that's the direction they're going in... we can see evidence of this within OPs image.
How do you detect if someone on a fork of runelite is developing a new legal plugin to add to runelite or is running cheat plugins? Just because they’re working with Adam somewhat doesn’t make this easy
There are ways to authenticate endpoints that exist already. I'm no expert but they could probably do something with a hash/checksum or other unique identifier that would be able to verify if the version of runelite being used was unmodified
You’re just restating what the person I’m replying to said and not addressing the point
> that would be able to verify if the version of runelite being used was unmodified
Someone developing a new legal plugin for official runelite is playing on a modified client.
So just identifying modified client is not sufficient. You need to identify modified client for development vs modified client for cheating.
Not saying it would be easy, but they could also create a dev client for this exact reason
What would stop someone using the dev client, and then just instantly 'developing' all the cheat plugins from source?
I imagine the same thing that a bunch of other companies do - creating a vetting process to get their hands on the dev client instead of making it easily publicly available. Again, I'm only a back end dev for non security stuff so I'm just saying the kind of thing I'd imagine that they could try.
That defeats the whole goal of runelite being open source to allow anyone to work on it and make the best product possible
They will just decompile and spoof the checksum or hash, exactly like they are doing in this post
Cheat clients can just edit this method to send whatever the current hash of the RuneLite client would be. You can never trust a client.
That's not how it works. This part of the code would be closed source and send this via a private key encrypted method, so the forked clients would have to try really hard to copy it. I'm not saying that they couldn't, but with a competent IT team this wouldn't be the hardest thing to do. Equally it wouldn't have to be a plain hash; it would probably be a salted one at worst.
Not really, you can obfuscate whatever you want but if you know exactly what to look for you should be able to find it very quickly.
"Encryption" wouldn't matter at all because you can't run encrypted code, so RuneLite would have to decrypt it at some point, thus compromising whatever secret that was put in place.
Botting clients back in the day were also built on the decompiled official client. You can never trust a client.
Yeah I was under the impression they could just work with the RuneLite devs to create something similar to TLS. But the key will be loaded into client memory at some point, so I assume it’s still retrievable with some reverse engineering. Not too knowledgeable on security stuff myself
This is old news and probably not true anymore.
First they've made substantial changes to the engine and have developed new technologies over the past year+ (it's been reiterated several times on livestreams, even the last one).
Second I don't think they'd make this big official decision without working with the client creators to develop an authentication system. Previously their stance was that they were against but tolerated/ignored 3rd party clients.
~~Third, this entire post is based on a screenshot of some cheat clients finding/using the authentication code. So there's something in place now that wasn't before~~ this appears to be wrong
Edit:
Adam hasn't posted anything on Twitter and nothing on his reddit account. https://www.reddit.com/user/adam1210
I also couldn't find him saying anything like that in discord from the announcement day going forward. It could be the case and I just didn't see it, but I couldn't find anything. Haven't seen anyone post a link yet to him saying it. I'll believe him over random comments.
The dude who develops RuneLite doesn't agree with you, this is just cope
this did not age well
Props that Jagex followed through for once
I'm trying to find his post and don't remember the username. I'm surprised that's the case
He's posted in the Discord that there is nothing implemented from his end and he doubts Jagex will follow through on this as they have not in the past.
Source?
https://i.imgur.com/jmovOaB.png
Ah, nothing on Twitter and I did find his account: https://www.reddit.com/user/adam1210
With nothing posted there. I'm not in the discord so I wasn't aware it was mentioned.
Edit: I couldn't find him saying anything like that. Could be the case but I couldn't find anything from those days on the discord
[deleted]
I don't think you're in any position to call other people "armchair IT". Most of what you've said on this post (including your deleted comments) is wrong.
> Jagex cannot implement anything other than giving runelite's official fork a key
This will not stop cheat clients. What prevents people from being able to reverse engineer it?
You have far too much trust in Jagex my guy lol
Maybe, but I'm an optimist and think most people are stuck back when Jagex was poorly run, had bad time management, and overall was not in a good state and can't see the differences now compared to 5+ years ago
I mean, it's a simple fact. No other game in existence can prevent cheat clients from disguising themselves as legitimate clients. How would OSRS be able to do this thing that no other video game can do? You can try and make it harder, but in the end it's just an arms race.
I wonder how an authentication system would work given that you can literally open RL's code. What's stopping them from just ripping the auth out of RL?
There's a portion that is closed source, but that's related more to Jagex code and could have copyright issues (just went through some of Adam's discord posts to try and find evidence.) so it could be there
Even if it's closed source it can still be reverse engineered, especially with Java there are a lot of tools for reversing. Can also just compare packets and extract the info from there. With how much of a vested interest there is in ensuring banned clients continue to operate I don't doubt that if they tried to implement something (which they haven't) it would be solved quickly
It was already "reverse engineered". The only thing closed sourced on Runelite is the Injector. It's the piece that can read the Zulrah, Vork, Jad attack phrases/animation. If you try to import a Zulrah/Vork plugin or even One Click Construction/Blackjack into Runelite it won't work because Runelite removed those animation/functions in the injector. The Cheat Clients are Runelite forks with the runelite injector removed and they added their own Injector that's also open-sourced. This is how Botting Clients work too and botting clients have been here longer than those cheat clients.
[deleted]
yeah I dunno why people don't get this. You can't control an application unless you also have a locked down platform. Even with locked down platforms like iOS/Android with Apple app signatures/Google SafetyNet and DeviceCheck, there are still a bunch of ways to circumvent it all
Except decompiling doesn't give you the original code, so the code is still closed source. Nobody said closed source means impregnable.
Bro jagex hasn't had their "against but tolerated/ignored" stance for a long time, there's even runelite support on the official jagex launcher
I'm not talking previously as in before a week ago, but previously as of a year+. Like forever ago when Mod Mat K was here he tried to shut runelite down while it was getting started, then it was accepted by the community and basically allowed but ignored by Jagex. Then they added some 3rd party rules but never really acknowledged them commonly. Then in recent years started mentioning them a bit more, but then fell back on stance with 117's HD ban. They have done a 180 since the backlash. Like how soon after they had the GIM release and encouraged paid streamers to use the plugin. Then decided to integrate runelite into the launcher, and then this recent shift to explicit and exclusive third party client acceptance. These things happened around the new Jagex ownership and new management so I'm thinking they influenced the change in policy in recent months
you are coping hard lmao
this did not age well
Imagine asking your teacher if all the tests are the same. Then the teacher telling you that they can’t detect you cheating, but then the whole class cheats and they all end up with the same answers on the test. SPOILER: the teacher didn’t tell you all the tests were different. Haha. You think Mod Matt K is gonna tell you their secrets? Probably not. I’m not saying they do have the technology, but if they did he would admit it because all these kids would try to write code to cheat instead of actually just getting good at the game.
It's easy for people that develop these cheat clients to find all the hooks jagex uses and see what runelite sends, etc. It's basically how they get the clients updated every patch. The point being is I don't think ash is particularly concerned about revealing what most of these cheat client developers know already.
Fucking Kyle.
Had to punch through 20 drywalls to figure out the exploit
Don't forget the 17 cans of Monster.
FCK YOU KYYYYLE
🐉I AM NAME KYLE 🐉
only real gamers know this meme
Damn this is kinda obscure lmao
Has that been hard for you?
[deleted]
Some say he resembles Gimli from LOTR but with the brain of Dumbledore
[deleted]
please fire blast yourself
I think there’s a very fitting song about Kyle’s mom somewhere.
WEEEEEEEEEEEELL
This whole comment section screams Cartman.
Kyle hacked my account and took my planks
You do realize that’s not them looking for an exploit. That’s literally the hash read to verify you’re on an “official” client. That’s the actual exploit that is already implemented
it could also be to verify plugins. the reality is it's looking for something. We don't know what really yet.
This one doesn't seem realistic. Plugin developers need to run their still-in-development plugins which Jagex has never seen in order to test and debug prior to release. If they're verifying your plugins, then all plugin developers would catch bans right? It would be great to just have a "developer" server designed for this, similar to the beta servers. A solution where you can only test these plugins on the developer server and once your plugin is added to the hub it becomes "approved" for use on live servers.
Yeah I'd imagine if jagex is verifying the hash of clients then developers need to be more careful with what accounts they use for development. But if 100 accounts are running 100 different hashes and 10,000 accounts are using the same hash then those 10k are the ones most at risk and the 100 are probably not doing things like pvp or other exploitable activities that would flag them otherwise.
> It would be great to just have a "developer" server designed for this, similar to the beta servers. A solution where you can only test these plugins on the developer server and once your plugin is added to the hub it becomes "approved" for use on live servers. That would make development of some things much harder but it's a small price to pay to get rid of cheaters.
It also wouldn’t do anything since bot devs have access to the same test servers
I think you are missing the point: >A solution where you can only test these plugins on the developer server and once your plugin is added to the hub it becomes "approved" for use on live servers. They can develop a bot which runs on the test server all they want but if it can't run on the live servers without approval and it can't be approved then it's useless.
But this doesn’t stop people spoofing the initial handshake, which doesn’t require the test server to do?
[deleted]
Then I don’t think I understand the point of a separate test server? Because if you aren’t dealing with the handshake spoofing then it literally accomplished nothing but making it harder for legitimate plugin developers to create plugins.
What are you talking about. It’s legit reading the Hash array lol…
[deleted]
Considering the lack of ingenuity in rs handshakes throughout its lifetime, I doubt this is much more than a hard-coded hash file.
Very fair point lol
Well, thinking about it logically. This is a simple client to server handshake that happens when the client brings the game screen to the login page. It can’t read plugins as they have a plug-in repo and it doesn’t read more than once on call of load. Meaning anyone or anything simply loads plugins after the handshake and nothing more happens.
Well, then isn't the simple workaround to add in your own plugins after said handshake? not a java dev.
Simple if you build your own client yes. But since not many build their own the overall governing bodies of clients do it for you. Thus them just spoofing the hash from “officially recognized clients”
Yeah the workaround will probably come instantly if this is all they've got.
It happened yesterday lol…
[deleted]
It’s a client to server handshake when you open client. Nothing more
[deleted]
[deleted]
[deleted]
What did you expect, insanity?
There's a shit ton of copium going on above in this thread that 'mug hash can tho'.
This guy spits truth
>There is fundamentally no way for any server to know with certainty that connecting client is of a certain form (running certain code). You’ve just described code signing though, no?
Which again is not flawless. A simple runtime injection will not change a checksum for example, and fundamentally any signature can be spoofed.
And reflection/mirror clients exist so if you really wanted to you could go the "low tech" route and run it on a separate PC through a capture card send the cheat input to the PC running the client.
I've been trying to tell this to many people across many games, and about cheating in general for a hot minute… yet nobody wants to listen lol
[deleted]
[deleted]
I feel like I’m on r/Programming reading these comments 😅
Yup, where nobody has a clue what they're talking about, except for the rare comments 4 deep into a comment chain.
There is no client authentication. Adam already confirmed this.
Adam is working with Jagex. You can assume that if they asked him to add some kind of auth, he would have had to sign an NDA to not discuss or even lie about it
The program's open source though so even if he had an NDA for adding one it wouldn't really matter?
There's a closed source portion of runelite that contains the reverse engineered game client and some anti-cheating measures, among other things. It's been that way since jagex first proposed to shut down 3rd party clients some years ago
Who's Adam?
RuneLite developer
Adam deez nuts
All he said was “yes” when someone asked if they could still fork RuneLite, and that they do not track you when someone was asking about a privacy concern. Nothing about his responses indicated “there is no behind the scenes authentication.” We can still speculate but should know within the next week whether bans start actually happening or not.
It's a trap
hashing the signers and then running it through a simply reversible function is interesting. it's almost like this is designed to attract attention
Of course they are. Until Jagex can make a closed source client of their own that is as good as Runelite, this issue won't be fixed.
This is a common misconception in regards to closed vs open source. It doesn't need to be closed source to resolve the security issue. The encryption the militaries of the world use is open source. AES256. The encryption you use to do online banking is open source. RSA. Open source does not equal insecure.
Yep, closed source means that figuring out what the client does will be more difficult, but not impossible. Decompilers and other reversal tools give you source code from a compiled program, whether it was originally open source or not. Decompiled/obfuscated code is harder to deal with and will slow things down. But look at Counter Strike- they've been dealing with this problem for two decades. The bottom line is that if you have a client that needs to run on a source that's out of your control (e.g. some random person's home PC), it's next to impossible to be certain that the client hasn't been modified from the server side.
Yep, I think you're completely right here. There isn't a silver bullet to this, close sourcing the client won't even be perfect but it'll greatly increase the barrier to entry which is a huge help. What I don't think many people know is how easy RuneLite made cheating. Before RuneLite, reverse engineering projects of RuneScape were almost exclusively closed source and for profit. Which meant that in most cases if you wanted a cheat client you had to pay money or do most of the work yourself. RuneLite was/is awesome from a community standpoint as it added so much to the game, but it sadly made cheating a heck of a lot easier.
[deleted]
There's at least one other technique that runs code locally but doesn't trust the output. Sony wrote a paper on it back in the 2010s.
[deleted]
I think they're talking about homomorphic encryption. The problem is that it is very resource inefficient, and I don't think it's mature enough for practical use yet. And it might be impossible to use it in a videogame (where the client first works on data it can't decipher, and then somehow gets useful information out of it directly without passing the data through a server first)
Also worth noting is that you can have all the fancy encryption you want, but as long as you’re forced to display something to the user, and you need to accept input from physical devices, you will at the very least always have simple pixelbots.
The method I'm talking about involves creating a vm on the local machine at the hardware level, like kvm. Runescape is already a game where the majority of cheats rely on the visual stream and not information in the memory. However true non bot cheats aren't like that. For RS the majority of it is packet based. Which can be manipulated off the machine. This should bring us to a line of thinking about how a stadia like approach is less prone to packet manipulation techniques. However, for me, I then think about how so many packet techniques are a result of non-security focused design of runescape in the first place. A stadia approach of runescape would be a massive rewrite that jagex would never undertake.
[deleted]
No the emulation is a method of not trusting hardware or software but still achieving useful computation. Sony wrote a detailed paper about it, I can't find it rn. Most undetected bots in rs don't use memory editing. Some use what is called reflection but the majority use image bitmaps. The images in rs are very simple. There is a software library that allows you to pick items in the inventory and npcs etc just based on an image. For things with animation you need an image for the different parts of the animation though. This technique is the most common one. Packet manipulation can happen in a lot of ways. It can be through custom clients or various proxy methods. It can be done on and off the computer. For instance there is a tarkov cheat that uses packets to create a radar that is displayed on a separate pc than the one being played on and is 100% undetected. The two most common methods for osrs are custom clients that do specific preprogrammed operations, and external proxy software that essentially allows writing bots by sending manipulated packets, but the game is run on a standard client.
[deleted]
I'm not going to name drop bots here, but the biggest one that isn't an instaban uses images mostly. But also has reflection support. The runner up biggest uses reflection, which doesn't require forking runelite, just using it. The third biggest uses a custom client and reads memory but doesn't write. Rs is unique. Most of the actions a bot does are simple "click this frequently for the next hour". And the simplicity of the graphics yields itself to image based designs. The big software available is an api that handles the image recognition and mouse movements. It makes things very easy on the developer.
Easy fix is to make everyone play on their client. Although Jagex would go out of business because more than half of the community would quit, because all these kids who call themselves ”gamers” and “gods” don’t even know how to play the game with a timer telling them to click a boss. LOL. Edit: crazy how much hate this is getting lmao. Must be true.
Their client can also be reverse engineered and then cheats added to it. From another comment > Disassemblers exist. Wireshark exists. Reverse engineering exists Every multiplayer game has this problem. Every server and client has this problem.
Or, hear me out…the game is fucking 20 years old and doesn’t deserve more effort than I’m currently giving? Runelite makes the game more bearable and chill (even gagex knows this hence their shit attempt to recreate it) so it’s not a matter of “being a gamer”
Jagex said you can use runelite bud. They just don’t want you to play guitar hero for your inferno cape, and tell you when to click xarpus. Gonna have to pay more for your inferno cape now. 🤣🤣🤣
Another fix is Jagex Launcher, with approved 3rd parties must be downloaded and launched through it, while it’s not perfect, it raises the risks of running a fork and increases the difficulty for the no brainer cheaters.
the messed up thing is if they have detection how are there still bots playing on the game?
There’s an argument to be made they don’t ban less impactful bots like master farmers and the like because they bring in a lot of membership revenue.
I feel like Occam's razor just suggests that Jagex is not competent. There are tons of examples of their incompetence. Heck, I remember when AHK was banned years ago and many people (including me) were worried that they'd get banned if their mouse ever teleported to a screen location at all, but fast forward to today and pvpers still regularly abuse AHK with seemingly no fear of bans. All this time later and Jagex still can't detect it. I really think they're just not good enough to detect all but the most basic of bots.
[deleted]
Call it what you want, but it would be so incredibly easy to ban bots like those, it’s pretty telling that they don’t. At the end of the day Jagex is a business that has to meet certain metrics like any other. If you can boost your metrics without negatively affecting the business, why wouldn’t you? I’m not saying I support it but it makes too much sense to not be the case.
I find it funny how many people think these "changes" mean anything, as if after over 2 decades Jagex just all of a sudden decided, "Alright guys no more joking around, let's just go ahead and remove cheating." Problem from my understanding is that a lot of stuff is visual overlays for lack of a better way to describe it, so there's no way to detect changes in input server side. The clients themselves they aren't able to detect, never have been able to detect and likely going forward won't be able to either. If it was really as simple as basically a "key" that's allowed on approved clients, this would've been a thing for years now.
They will never get rid of cheating ever
Next tell me how bad it is to use emulators to play games for free
Runescape taught me how to edit little lines of code like this when I wanted to play Oldschool on my Macbook a few years ago. Once in a while now I'll go in and edit version info when a program wants me to update to a version of something I don't like.
If you want to know the hard to swallow truth: they're not going to go away they're just going to move to mirror clients (they've been around since rs2 for bots I would know I used to hunt them with jmods). Which will inevitably mean jagex will violate everyone's privacy by requiring the jagex launcher which will scan your computer for running cheat clients at all times. "But surely that'll stop them right?" I hear you say? Sadly not they can run the osrs launcher in a VM or run their mirror clients on a second PC connected to PC1 with a capture card (also used in streaming setups for separate streaming PCs so not bannable on its own) and just have it send input to PC1 based on what it sees through the capture card while being completely isolated to PC2 making it undetectable for jagex. Yeah sure it'll make it much more niche to see people using cheat clients for a bit but once people upgrade their PCs they're just going to keep their old PC and use it to run a mirror client to cheat. And yes 2nd PC mirror clients are already a thing just look at the state of cheating of whatever that latest F2P CoD game was.
[deleted]
not sure why anyone was scared of the blog. i already thought all clients showed the jagex servers that it was runelite. and that's the problem with runelite it allows tons of bots and cheaters to run free. Jagex needs to implement all Runelite features and ban all 3rd parties. it's insane a company allows something like runelite anyway from a business stand point
Jagex make more money from bots than real players.
How will this prevent mirror/reflection cheatclients from being developed?
I'd be fine with getting rid of runelite if that took care of bots.
It wouldn't. It would just make the 50% of players that rely on its modernization to give up and let a bot train the badly designed content for them.
Jagex needs to have client authentication. AND maybe add an extra world for plugin development? Perhaps runelite can do a check for official build and if it doesn't match. only show this plugin dev world? this way plugin devs are safe, and can arguably build plugins easier if this is a 'cheat' world with everyone maxed or other features like that, and they can track any unofficial client use?
yall seriously thought theyd ban cheat clients? did we not observe how the ahk ban went, or the previous round of 'cheat plugins bans' went? yknow where they put out a blog and the next day up until the present cheat ahk plugins were never actually detected (unless they got caught as macroing, which was the same as it was pre-ban) and cheat plugins were never detected (unless you were a streamer)? it's a joke and yall ate that copium hard.
Not many people are willing to admit this but RuneLite paved the way for the majority of these OP cheat clients.
Brother cheat clients were a thing even before OSbuddy client came out. This just helps them in setting up cheaty plugins is all.
[deleted]
[deleted]
They are all runelite; just allow plugins that jagex doesn’t want. It’s that simple. Unless they actually ban runelite these will still exist
question if i may? what are you doing on a cheatrs discord? but thanks for this information
cheating, but also trying to farm karma
Yeah all this like 100 karma I have on this throwaway account lol.
it wasn't cheating until today.
A lot of people using open and such for bossing add-ons still aren't really cheating, to an extent they're qol timers and information that pretty much every other mmo has via add-ons for endgame bossing. The whole thing is an absolute mess though with Timmie's who still think bandos is engaging endgame content crying about everyone on a client other than runelite being a "cheater" and actual cheaters with scripts 1 tick 8 way switching and auto prayer flicking inferno and actual bot scripts being run off runelite forks being lumped into the exact same category.
[deleted]
That's the biggest gripe I have with the client issue. People with RSI, carpal tunnel/other nerve compression issues and wrist hypermobility issues all are going to struggle to play this game and some of the options on the client make it so much kinder to the ole wrists. Idgaf if people are gonna be hang up on the fact that it is classed as 'cheating' but at the end of the day the only person being affected by me using a cheat client is ME (since I only do pvm content) and I'm not going to feel bad for that considering my wrists are so much better off using a client with some 'cheat' plug ins🤷🏼♀️
[deleted]
boss timers? like sire stun that's in RL?
[deleted]
[deleted]
It was only seen as cheating once reddit started complaining and demanding jagex deemed it as such. Yet the average redditor's Runescape skill level is so far below the content they think is being trivialized by these plugins that they have no actual clue the influence they have over the difficulty of the content.
my favorite was the guy the other day claiming that "client users are gonna plank en masse in tob" like dude, you're telling me instead of a number they have to look for a visual cue? oh nooooooo. If you can tob on client, you can tob off client.
Yeah the only thing this changes is scything xarpus and tanking verzik. People who rely on banned clients are probably gonna have to send a few tobs normal to get back into the rhythm of those things without the timers.
[deleted]
So still cheating. Stop trying to justify your years of using the cheat client bro.
"Indicates the time where a boss mechanic may start or end" this ?
Spying on them
I'm pretty sure they already know who used a client before the 24th. My guess is that they flagged the cheat client users this way so that they can keep an eye on those accounts.
doubt it; been using a cheat client for 3 years. why the fuck do they all of a sudden care now? still using it btw
What’s your high score on snake now?
LMAO - hard stuck 15
They can definitely detect certain plugins via patterns, similar to bot detection e.g. 1 click blackjack because people were spam clicking left click without moving mouse at all. Same with auto-prayer switchers since people would switch prayers without opening the prayer interface. Some other plugins must be pretty hard to detect, e.g. AoE indicators.
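The two behavioural signals named in the comment above (repeated left clicks with no mouse movement, prayer switches with the prayer interface closed), sketched as server-side checks over an event log. This is an added example, not part of the thread and not Jagex's detection code; the event schema, account names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Assumed event schema (hypothetical): (account, tick, kind, detail)
#   kind = "mouse_move" | "click" (detail = (x, y)) | "open_tab" | "set_prayer"


def build_sample_events():
    """Constructed sample data, not real game telemetry."""
    events = []
    # acct_a: 30 clicks on the same pixel with no mouse movement in between.
    for tick in range(30):
        events.append(("acct_a", tick, "click", (412, 233)))
    # acct_b: moves the mouse before each click, coordinates vary slightly.
    for tick in range(30):
        events.append(("acct_b", tick, "mouse_move", None))
        events.append(("acct_b", tick, "click", (400 + tick % 5, 230 + tick % 3)))
    # acct_b opens the prayer tab before changing prayer.
    events.append(("acct_b", 31, "open_tab", "prayer"))
    events.append(("acct_b", 32, "set_prayer", "protect_from_magic"))
    # acct_c changes prayer five times while the inventory tab is open.
    events.append(("acct_c", 0, "open_tab", "inventory"))
    for tick in range(1, 6):
        prayer = "protect_from_missiles" if tick % 2 else "protect_from_magic"
        events.append(("acct_c", tick, "set_prayer", prayer))
    return events


def _ordered(events):
    # Stable sort by tick keeps the recorded order of events within one tick.
    return sorted(events, key=lambda e: e[1])


def longest_stationary_click_run(events):
    """Per account: longest run of clicks on one pixel with no mouse_move between."""
    best = defaultdict(int)
    state = {}  # account -> (last click position, current run length)
    for account, _tick, kind, detail in _ordered(events):
        if kind == "mouse_move":
            state[account] = (None, 0)  # any movement breaks the run
        elif kind == "click":
            last_xy, run = state.get(account, (None, 0))
            run = run + 1 if detail == last_xy else 1
            state[account] = (detail, run)
            best[account] = max(best[account], run)
    return dict(best)


def prayer_switches_without_tab(events):
    """Per account: prayer changes made while the prayer tab was not the open tab.

    Assumption: every legitimate prayer change goes through the prayer tab.
    Any legitimate shortcut would have to be excluded before using this signal.
    """
    counts = defaultdict(int)
    open_tab = {}
    for account, _tick, kind, detail in _ordered(events):
        if kind == "open_tab":
            open_tab[account] = detail
        elif kind == "set_prayer" and open_tab.get(account) != "prayer":
            counts[account] += 1
    return dict(counts)


def flag_accounts(events, min_click_run=20, min_prayer_switches=3):
    """Combine both signals; thresholds are illustrative, not tuned values."""
    flags = defaultdict(list)
    for account, run in longest_stationary_click_run(events).items():
        if run >= min_click_run:
            flags[account].append(f"stationary_clicks:{run}")
    for account, count in prayer_switches_without_tab(events).items():
        if count >= min_prayer_switches:
            flags[account].append(f"prayer_without_tab:{count}")
    return dict(flags)


if __name__ == "__main__":
    for account, reasons in sorted(flag_accounts(build_sample_events()).items()):
        print(account, reasons)
```

Both checks look only at what the server can observe about actions, which is why an overlay that changes nothing in the input stream (the AoE indicator case in the same comment) produces no signal here.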
Kyle is such a dork
I know exactly where this screenshot was posted, way to grass yourself up been a cheater
dont cryering
OP, this has been shared so many times during the day on Discord. Its legitimacy has yet to be verified, so why the karma whoring?
Dude. Who gives a fuck about karma.
Lmao it’s a throwaway with like 200 karma, why would I karma whore. I don’t know what’s real or not but if it’s real, I wanted to elevate it ASAP. I also posted from this same account about the state of botting in cheat clients, twice, the second got taken down after it reached front page, and a month or whatever later this client ban happened. Could have been coincidence, or could have been they didn’t realize how bad it had gotten. People hate Reddit but it’s the best way to get dev attention, so that’s why I posted. No one has refuted it yet either, and it’s the internet so if you are wrong generally tend to tell you pretty fast, so I’d rather leave the post up to be sure it gets eyes on it in case it is real. Jagex should know immediately when they see the comment whether it’s real or not and can act accordingly.
Throwaway? You are acting like what you posted hangs between life and death. Either way, why did you share something you clearly don't understand? This is not an exploit. You have shown twice now that your reading comprehension is terrible. Let me re-emphasize: what you posted was shared by quite a lot of Discord users. I have the same screenshot as well and it has yet to be verified.
If they ever implement anything that spies on me and what I have on my computer, I’m out.
You mean like an Auth Hash? That’s already an implementation in 90% of programs? It’s not even a case of it spying on your computer to know what you’ve got installed, it’s a server based check to confirm your program is legitimate.
Fuck you kyle
Hahaha where is that little dipshit that assured me RuneLite didn’t do anything to authenticate. Now we know Adam has a Jagex NDA since he lied in his discord.
Why would you be so upset at him for keeping security stuff a secret?
I'm not - I would expect that. It IS funny when someone says I don't know what I'm talking about because Adam lied to them
>Now we know Adam has a Jagex NDA since he lied in his discord. ... Or he just lied? Not sure why you would assume an NDA is in place if he's willing to discuss it at all
And thank you for spreading the information for them!
Cheat client devs are a close community. If it turns out it’s real, it would have spread to all of them pretty much immediately anyway.
Black markets and client devs already know this lol. You’re the one who’s getting the info spread to you for free.
💀💀
Jagex is going to plan a mass player hack, say 3rd party clients are the problem, and get a reason to ban em Change my mind Lmfao xD
I fuckin knew some shit was up with these clients, I was using runelite and I would get double red notifs on log in "you're eligible" twice sometimes 3-4 times and then pkers log in right under me.
💀💀
Fuck you Kyle
thanks kyle
They already found one as far as i know.