Bots wont be able to go around the riddle system since you only have 1~3 shots of getting it right before disconnecting. It’s impossible for them to get it right. However, it cannot be in text form, it has to be image, otherwise the bot would just create a database where he reads the question and matches it with the right answer from a pre-made list by himself or its programmer.

I am for image riddle-system angels/creatures as well. .
riddle just like how lot of capcha nowadays in forum or webs., multiple choice of pictures, . like. please choose 3 pictures which represent noodles. .
very slight chance to get right and it is unlikely that the bot will answer correctly riddles like that. . .

all hail Riddle Fairies, Angels, Spirits. .

Problem is that Captchas need to be an image that can’t be deciphered using OCR technology and need to be generated on-the-fly by the server with each Captcha being unique (else a bot could easily just have them all pre-solved by a handler).

I’m not sure how much strain this would put the server under, but it seems an pretty overcomplicated system that would probably be foiled anyways, as even the debateably best Captcha in the world (ReCaptcha) is horribly inefficient at stopping OCR-equipped bots. Of course, you could perhaps use video or gifs or sound (although the latter discriminates the deaf), but these become more of an obstruction to real players than bots, who could just log out and in the moment the captcha appears.

In general, screw bots. They’re almost impossible to stop - the only real methods I’ve seen in modern times are to undercut botters by selling ingame money yourself (Eve’s PLEX,Wildstar’s CREDD, Wow tokens) or to implement a sub fee (which makes it less profitable to bot). Every other method just penalizes real people and doesn’t really impede bots. In F2P games, by the time you’ve banned one bot, the handler can create fifty more.

image recognition, captcha recognition, text recognition, sound recognition, everything is bypassable.
the only real prevention is a anti hook system like harmony from the Ragnarok Online Private Servers, which was close to be perfect.

it took the Openkore developers 2 Years to find holes in the security to make their bot work again, and the dev of harmony closed this hole within 2 days.

if imcGames wants to have a perfect protected server, they should get rid of these amateur third level security systems from AhnLab/HackShield whatever, and hire people like Sirius White that they create a full client protection. there is no other way.
the best hack protection can only be written by hackers.

Kind regards
Gardosen

That’s where the secondary GM comes in to restrict bot activities in game.
Maybe we won’t be 100% sure that all bot users will be wiped out, but at least we can reduce them and prevent them.

Bot Hunters are a waste of time. i was working as one for Gravity several years.
for every Bot we catched, China Farmers do send out 3 more. i even got mails from them where they laughted at us and said that they are making tousands of dollars within a month, even when we bann 10 accounts per day from them.
its a windmill system.

the only prevention from bots, is to completely block them with a real working security system OUTSIDE of the game.
the current client does not offer this,

the current system Nexon is using, is bypassable withing minutes.especially on ToS.

Oh Gawd that looks terrible…
IMC better learn our warn of bots… or else the games gonna lose from the farmers
and i dont want it to end that fast…
its really frustating for GM or Moderator working against endless farmers attack, @Gardosen you could contact them directly how you manage it and make them aware against the upcoming threat…
and for farmers wannabe please dont ruin this games

Flash and me wrote them several emails about the offer to support them on several points. (web translator, db for the community, security issues we found while testing cbt1 and cbt2)
sometimes we got a thank you as an answer, or something similar, but they never accepted our help directly.
which is sad, but we accept it if a company sais they want to get it done by their own.

I really enjoyed playing the game while the CBT1 and CBT2, this game has a great potential.
but same as you, I am scared that this game will become a mess, if they don’t take care of these important areas.

Bots are a big problem for all mmos, they are destroying the balance, economy, community and especially the fun of fair gamers.
there are several tricks I learned to prevent botters from being able to be efficient, which would make them leave the game because the profit is not good enougth. implementing these tricks takes a bit time, but the result would be that imcGames can identify and permabann botter accounts withing minutes. if bots are really facing this game, i will contact them again.

kind regards
Gardosen

technically Tree Root Crystals for replenishing Stamina are an anti-bot measure…

the problem with this is that bots doesnt care for something like this.

these trees are really annoying, while i was playing the CBT2 this system was so annoying because if you were unlucky andmissed to recover on one, you where running out of this stuff and the result was that you walked like a turtle. just to get back to a normal playing style.

a bot can bypass this system. he can calculate how much stamina is left over and how much he needs for finding a new tree. that means the system is completly useless for bot prevention, but can be annoying for players.

i call this “user blocking feature” -> a feature which is decreasing the UX of players, just to prevent bots/cheater/exploiter.

best example for this are captchas. many people have problems to solve them because they were made so hard to block bots. funny story, every captcha system can be bypassed by bots, but not by users. i know forums where the captcha system makes me enrage when i want to login…

@Gardosen After reading your posts in this thread, I totally agree with all of them, you seem very well informed about botters, thank you for informing other people about the issue.

As a computer security guy, I’ve looked at the security of the CBT1/2 clients, and it’s really not so great.
Basically, the client offers Lua APIs that botters are going to exploit and make bots very easily using directly the client engine by hooking the Lua instance. It’s even easier than other games, there are so much things exposed by the Lua API.
The client needs a better protection than HackShield. Too much people know perfectly how HS works.
However, I don’t think good hackers will accept to work for little game companies such as IMCGames.

So honestly, I don’t think there is any good solution against bots, except making them not worth for people maintaining them. We have to educate people about not buying items from those guys, and that’s not an easy task.

@MementoMori sadly you are 100% right.

i will not go into detail but i also found several security issues on this client. HackShield is like on every other game a pain. many AV’s identify some of the patch procedures as a virus, some of the windows dlls are used inefficiently which destroyes the performance completely on medium lowend devices.

even if they do not have the chance to hire a experienced hacker to secure the system, it would be already helpful to plan analysis tools to analyse the behavior of the players. bots can be clever, and they can be efficient, but there is a easy rulset bots can not break. this is helpful for the analysis. because humanity, functionality and efficiency can not act together. its like a triangle.

i really hope imcGames will take some time, to take care of these stuff.

what do you think about XTrap as alternative to Hackshield and Gameguard?

I’ve found an interesting article: http://www.koreaittimes.com/story/23420/wiselogic-hidden-champion-online-game-security

@vegax87 : I’m over simplifying things, but currently, all the game protections are the same, and by design, aren’t 100% safe. The article you linked is already 3 years old, you can be sure it already is outdated when you are talking about reverse engineering.

Game industry and players must accept that there is simply no ultimate solution against bots : A talentued bot developper will make its bot behave exactly like a human. In that case, there is no chance to differenciate a human from a bot, whatever the client protection is.

However, we can fight the mediocre bot makers (99% of them) by using new strategies, such as HARES-like technologies, but it isn’t something supported by any anti-cheat gaming industry I know yet.

I will copy-paste my reply from another thread here.

To start, I’d just like to say that any bot might be illegal for a game, but not all bots are bad. It depends on how they are used (think free buffs and heals for every one). Unfortunately, they are, nearly 100% of the time, used for personal/group gains - rarely to improve and help other players’ progress on the game.

"Security" Check

This might be a stupid suggestion but what if instead of captchas, we use something else that involves pressing specific control buttons.

How it could work

At random intervals (1-3 hours), a small, semi-transparent notification would slide from the side telling the player that a quick security check sorta would commence in 60 seconds (with a countdown, but player has option to either close it just to remove it from view, take the check now OR to remind him again ONCE in 10 minutes). This will make the player expect and have enough time to prepare for the check.

When the countdown ends, the player has a 3 second invulnerability/invisibility/untargettable buff to do the check. The last control key/button he’s been using/pressing will also be muted during that window and will not be included in the check (to prevent him from getting consecutive failed tries NOR automatically pass the check). Once the check is up, it will ask the player to press a random control button/key (doesn’t trigger the assigned skills/functions in-game, does not include movement keys and jump key so player can still move around) to remove the prompt. The player has 3 tries. After the failed 3rd try, he’s logged out of the game and will have to wait for a specific amount of time (1 hour?) before he can log in again.

Exceptions

The check will not appear if player is:

• Vending;

• In towns;

• In PVP situations;

• In quest/field boss fights;

• AFK-ing but doing nothing outside of towns.

Advantages

• Bots can guess, but with the number of keys available (can even use 2-key/button combos) and the limited number of tries, they’ll have to be smarter.

• It’s less intrusive than captchas. Players are alerted well without affecting gameplay, and have the option to delay the check in case they’re doing something really critical (e.g. on very low hp).

• It’s joypad-friendly. Captchas may require alphanumeric inputs so players on game controllers will have to reach out for the keyboard just to get around the check. Simply pressing the correct button/key is easier on either keyboard or game controller.

• Consider it a bonus, possibly life-saving, buff. If you’re lucky (the check appears at the right time), you can use it to save yourself from a last-hit demise.

I thought this might work. I’ve nowhere versed with game security, but maybe this will give them ideas (hopefully).

(Most) bots will kill a game

I come from RO and have experienced using bots (I won’t be a hypocrite and say I haven’t) AND know how annoying they are when they’re used by other players against you.

It was not a matter of being able to abuse the system or have advantage over other players, but rather the idea that “if you can’t beat them, might as well join them”.

It was still fun, in a way, but not 100% fun (if there were no bots at all). I doubt there was ever an MMO where the creators thought “hey, let’s create a game botters can enjoy”.

Both ideas of the tough monster among the other monsters and captchas sucks.
The tough monster, as a people in the thread said, will also be like a unintentional prank for
new players, who may end up rage quitting from the game after attacking it, (even more if attack that monster first).

The captcha idea, if the captcha is very hard to read, the player may not be able to complete it in 1 minute and
still get the penalty.

the most annoying solution but yet the most effective one is the captcha system…i vote for that one.

I believe ECOjp is using captcha and security token that the client must be launched from their homepage.

Captcha for game is only a lazy effort made by those who has given up on bots.
And really nowadays you can do image/text recognition easily.
Even if there’s super complex captcha that human can’t even solve,
it’ll not prevent them from online / logged-in. They still can bot for a few hours.

It’s best to not make them online / logged-in at all by blocking them before the game starts.
Microsoft, Apple, Google have it by using two-step authentication/verification albeit it’s for different matters.
Similarly online banking is also using this method.
But it’s too much for a F2P game.

Of course, the best way to eliminate botter is by not giving them a reason to bot.
Sadly this is just a utopia.
Most of the mass-botters are doing it because of RMT.
And there’re always jackasses who ready to give their money to the fkg RMTers.

And besides bots we still have auto-macro abusers who would program their keyboard / mouse to do some task repeatedly.

Finally, It’s all down to lust, gluttony, greed, sloth, wrath, envy, and pride that reside in human nature.
They’re drawn to it because they lack integrity.