EQ TLP - Vaniki (Level-Locked Progression)


Tuco

Can just use a linux VM on the same pc too for showEQ, don't even need to get fancy with a 2nd pc.

Factorio is so good, I have to stay away though because I will lose 8 or 9 hours when playing it and not get the stuff done I need to in RL or get enough sleep!
Yeah but then you need to run a VM on your PC. I don't know if they'll get to a point where they start using the presence of vmware (or whatever) in action against your account, but it poses some risk whereas running show eq on another PC (which, for the record, I've never done so maybe it's harder than it sounds) poses none.
 

Tuco

So if I recompile myseq.exe and server.exe into your_mum.exe am I good?

What about changing the name of macroquest.exe?

I mean p99 at least detects injection (and this renaming of the myseq program did not work on p99 long time ago when I tried)... so I don't see how process list is the only detection method? Is there evidence of them having more detection than simply what programs I'm running when launcher/eq is running?
Secret's post earlier in this thread goes into detail on one mechanism they may still use for detection. That information discusses not just the .exe, but the other libraries that get linked at runtime. But that's an incomplete picture of what they use. What they use is likely poorly understood by anyone, including the people who made it, so trying to divine how to guarantee protection against it is impossible.
 

Secrets

Seems like they're mostly cracking down on show EQ and macroquest and leaving Gamparse, GINA, inner space boxer etc alone. If they start going after ISBoxer users they'll lose a lot of users without really hurting botting much. ISBoxer makes life easier for manual users than it does for someone trying to automate stuff with autohotkey. Will be a lot more people using the linux version of ShowEQ on a separate computer if this continues, which can be done in a 100% undetectable way.

This doesn't make sense from a business perspective but I kind of wish DPG embraced botting and whitelisted a version of macroquest + plugins that didn't have any warping for usage on a special server where botting was encouraged. Maybe it's just that I've been playing a lot of Factorio lately but EQ is such an automation friendly RPG that it could be fun to bot. I imagine the server would be totally dead though, most people who bot either want to make $$$ or do more than just bot trivial content on their server.
EQ2 cracks down on Innerspace already, actually. If anyone uses it to broadcast keystrokes, they can detect and ban all of that.
 

Crone

EQ2 cracks down on Innerspace already, actually. If anyone uses it to broadcast keystrokes, they can detect and ban all of that.
Isn't that the same in EQ1 where you get "true boxed" because it detected from the same IP address keystrokes going at the same time and instantly get kicked?
 

Rajaah

Fight Fight Nevermind bro, group just fell apart at the last minute because all the key people had RL stuff come up. Lame thing for me is that it was about one minute too late for me to join the other group I was gonna run with before it filled up.

So uh, SK or Enc LFG for tomorrow!
 

Greyman

Heard vicious is interested in starting a guild on Yelinak... Sure would be fucking nice.

[Attachment 420454]

He was hanging in a public discord voice with 2 officers from WR, make of that what you will, didn't listen in or enquire as to what was discussed.

The server could definitely use a top end guild IMO I don't think Resurgence or WR could compete if he brought his gang here. I'd expect both guilds to be hit with some defections as well.
 

Secrets

Isn't that the same in EQ1 where you get "true boxed" because it detected from the same IP address keystrokes going at the same time and instantly get kicked?
They explicitly check for the DLL names.

See earlier in this thread for the image Zaide linked. That's about the extent of what they can track in terms of process names, and DLL module names.
It's the full path (except if it's in a system folder, and excluding the Windows username for privacy reasons).

They also exclude common paths - i.e., C:\Windows\System32\wsock32.dll - from the list and shorten them to <system>\wsock32.dll

By the way, I don't mean to post this to shit on their work or anything, or encourage you all to bypass anything. If you bypass by renaming the program, it's likely you'll be caught anyways if you don't know how to properly hide it. If you're reported for fuckery, they can still check your processes for nonstandard ones. That alone may be enough to nail you if you're disruptive.

All it takes is one fuckup and you're flagged anyways. You might think it'd be easy to avoid - but eventually, everyone slips up at least once due to overconfidence or forgetting to unload something, or some system timing happens at the same time that prevents MQ2 from hiding a process, or your process is launched from the wrong folder - and even then, you'd have to have Windows internals to know all of the ways they could catch you.

On my servers, that was commonplace. I had someone on Rise of Zek rename their MySEQ instance to "Panda.exe" in C:\Vacation, but I was able to detect it anyways due to window titles, the size of the dll itself, and the player was also removing the no-nameplate skeletons from the GlobalLoad to make PVP targeting easier. All it takes is one day of your complacency and them to add a small 'gotcha' and your months of work are gone.
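
The path handling described in the post above, sketched as an added example (not part of the post and not the game's own code): system-folder modules are shortened to `<system>\name`, the Windows username is redacted, and whatever is left is compared to an allowlist. The `<user>` placeholder, the system-folder set, the allowlist and the function names are assumptions; the sample paths are constructed, apart from the `C:\Vacation\Panda.exe` anecdote.

```python
import ntpath
import re

# Assumed system folders; the post only names C:\Windows\System32.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Captures the profile prefix so the username after it can be redacted.
USER_RE = re.compile(r"^([a-z]:\\users\\)[^\\]+", re.IGNORECASE)


def normalize(path):
    """Return the module path in the shortened, username-free report form."""
    p = ntpath.normpath(path)
    folder, name = ntpath.split(p)
    if folder.lower() in SYSTEM_DIRS:
        return "<system>\\" + name
    # "<user>" is an assumed placeholder for the redacted username.
    return USER_RE.sub(lambda m: m.group(1) + "<user>", p)


def unexpected_modules(paths, known_good):
    """Normalized paths that are absent from the reviewer's allowlist."""
    report = sorted({normalize(p) for p in paths})
    return [m for m in report if m.lower() not in known_good]


# Constructed sample: a system DLL, the game client under a user profile,
# and the renamed program from the anecdote in the post.
SAMPLE_MODULES = [
    r"C:\Windows\System32\wsock32.dll",
    r"C:\Users\alice\Games\EverQuest\eqgame.exe",
    r"C:\Vacation\Panda.exe",
]
# Assumed allowlist, stored lowercase in normalized form.
KNOWN_GOOD = {
    r"<system>\wsock32.dll",
    r"c:\users\<user>\games\everquest\eqgame.exe",
}

if __name__ == "__main__":
    for module in unexpected_modules(SAMPLE_MODULES, KNOWN_GOOD):
        print("not on allowlist:", module)
```

A renamed binary still shows up here as a nonstandard path, which is the point the post makes about process review after a report.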
 

Secrets

I knew EQ2 was a mistake.
EQ2 has had a lot more drama regarding third party programs, to be honest. It's the nature of their player base to be angry and witch hunt people they don't like... even outside of botting.

EQ2's community can be described as a Christian Minecraft server mentality. They're against swearing, loud noises, anything that breaks traditional guild structure (IE; good luck ever doing a GDKP-style run in that game), and are against anything that ruins gameplay as they believe the developers intended - like RMT, multiboxing, exploiting, etc.

I think EQ2 is where I picked up on the whole, "Botting = Cheating = Ban 100% of the time" thing that I had to unlearn from when I was younger. EQ2 was my primary MMO for most of my childhood as opposed to EQ1. I was also literally 11-14 years old, so take that how you will. Rule breaking and doing something wrong was my main concern when I didn't understand how the world worked yet in the offline world, let alone the online culture.

EQ2 also tried various efforts to contain various undesirable playstyles over the years:
-Station Exchange: The Bazaar / Vox servers which allowed for eBay-style bids on characters, lump sums of platinum, and items.
-Drunder, the prison server for rule breakers.

A lot of their players did not like ISXEQ2 botters, and they often lump them into the same bucket as Innerspace users that keystroke broadcast (without ISXGames' module). So the EQ2 team has just enforced blanket bans on various methods of module/keystroke injection over the years, and do not warn when they no longer ban for methods of injection.

In 2013 or so, Linux users saw perma-bans without recourse due to the VM detection in EQ2 that was ported over from EQ1. They got backlash, so they stopped doing that.
 

Greyman

Part of me wonders if they discriminate a little bit between Krono users and Subscribers, my suspicion is that long time subscribers get a bit more leeway compared to brand new krono driven accounts but I could be wrong.

As somebody that has a few accounts with very high sub time I seem to get away with a lot.
 

alavaz

Part of me wonders if they discriminate a little bit between Krono users and Subscribers, my suspicion is that long time subscribers get a bit more leeway compared to brand new krono driven accounts but I could be wrong.

As somebody that has a few accounts with very high sub time I seem to get away with a lot.
I'd definitely say this is true. At least insofar as I've never gotten banned at all on either of my two main accounts and they've both loaded MQ2 plenty of times on live servers. I always loaded it on throwaways for TLPs though and even at that only briefly to check on a couple of theories. Those accounts never got banned either though.

If they are actually gathering and analyzing data, it has to be pretty easy to spot bottish behavior. I'd also bet with the 64 bit client they implemented a few more detection procedures (i.e. GetCurrentInputMessageSource function (winuser.h) - Win32 apps)
 

Elderan

Part of me wonders if they discriminate a little bit between Krono users and Subscribers, my suspicion is that long time subscribers get a bit more leeway compared to brand new krono driven accounts but I could be wrong.

As somebody that has a few accounts with very high sub time I seem to get away with a lot.

They don't.

I'd definitely say this is true. At least insofar as I've never gotten banned at all on either of my two main accounts and they've both loaded MQ2 plenty of times on live servers. I always loaded it on throwaways for TLPs though and even at that only briefly to check on a couple of theories. Those accounts never got banned either though.

If they are actually gathering and analyzing data, it has to be pretty easy to spot bottish behavior. I'd also bet with the 64 bit client they implemented a few more detection procedures (i.e. GetCurrentInputMessageSource function (winuser.h) - Win32 apps)

They don't.

A ton of misinformation going on in this thread. In part because of how things "used" to work vs how they are working now. What they are doing is pretty simple, and it has about a 25% error (false detection, association) rate.
 

Kharzette

Or you could just, ya know, not cheat?

I wonder what the overlap is for cheaters and people that leave their shopping carts behind.
 

Elderan

Or you could just, ya know, not cheat?

I wonder what the overlap is for cheaters and people that leave their shopping carts behind.

Even those who play clean get caught up in false flags normally by account association. It happens far more than people think.

It's like having your identity stolen. Most people will never have it stolen, but even those who are very diligent can have it stolen without any fault of their own.
 

Animosity

Wonder what percent of those people who are actually clean, shared their account info with someone who cheats and that's what got them flagged.
 

your_mum

A ton of misinformation going on in this thread. In part because of how things "used" to work vs how they are working now. What they are doing is pretty simple, and it has about a 25% error (false detection, association) rate.

I don't want to question your methods because the last time someone asked how you come up with your random server population numbers you got all butt hurt. So I'm just going to ignore this statement since it's not backed by a shred of evidence lol.
 

Secrets

They don't.

They don't.

A ton of misinformation going on in this thread. In part because of how things "used" to work vs how they are working now. What they are doing is pretty simple, and it has about a 25% error (false detection, association) rate.
Zero misinformation from my part. If they use the detection I am mentioning, it has a 0% false detection/association rate.

MQNext is aware of this functionality, and bypasses it for itself, but not MySEQ.


MySEQ is 100% detectable this way. The launchpad has HWID tracking capabilities. The game client and game loginserver uses the same utility (it's part of a library) and allows them to track you across games.

They even left in the slash command (albeit not hooked up) to test this stuff.

[Image: 1657122928232.png]


Beyond that, there's the normal 'memory check' stuff that has existed since 2003, though they don't use it anymore as I think ASLR broke it, though it's still used on spellcasts:
[Image: 1657123016914.png]


[Image: 1657123056780.png]


That same functionality is used for checking to see if you have the proper eqgame.exe, spells, basedata, skill caps, newzone_info, player profile length received from the server, etc:

[Image: 1657123099375.png]


The string MQ2 uses to identify itself is part of this checksum, in fact.

Beyond that, the zone server can request this data as part of a network message:

[Image: 1657123266559.png]



I don't believe any of that is used anymore, but it's hard to tell without emulating it to see what MQ2 changes, or making a mockup of the functions in a standalone program.

That brings me back to my point: None of what I said was based on misinformation. There's multiple layers of detection and none of them are surface visible to the average MQ user. I've named a handful of them, and not all of them are clientsided like these examples are. Analytics is a big part of our industry, EQ is no exception.

Wonder what percent of those people who are actually clean, shared their account info with someone who cheats and that's what got them flagged.
Fairly high. This is why MMO companies tell you to not share your account, and why CSRs will often deny account change requests that can't prove they are actually the owner. It's a clusterfuck for CSRs to deal with if they arbitrarily allowed that shit. It's why account to account transfers require ownership proof. It's so they can take the burden of responsibility off of them and onto you, and why they have no qualms banning people based on detections on your account.

"Your account is your responsibility."
 

Animosity

It's why account to account transfers require ownership proof. It's so they can take the burden of responsibility off of them and onto you, and why they have no qualms banning people based on detections on your account.

"Your account is your responsibility."
Or in DBG's case, "the guy who knew how to do those quit".
 