Macros - how do they work?

[Dayo]

This may sound newbie but how do macros actually work ie do they scan the code to see what it wants to click or do they go to a set x-y coordinate on the screen and just click. I'm asking this as the game I'm making would be vulnerable to macros and I don't want to add cap has everywhere as I want the game to flow easily so I'm looking at other methods to prevent them, and I order to prevent them I need to know what I'm up against.

Thanks for reading,

Chris Day

[a_bertrand]

Well usually it's called bots and not macros... Anyhow bots usually simply reproduce always the same sequence of "get" or "posts", one after the other. So for example, get a page, extract some hidden fields or whatever and then post back with that values. So simply moving things around with an X-Y is not the way to prevent it. Either use captcha (which are annoying for users), or limit the number of page load per sec, or yet smarter look if the frequency of the actions are too perfect or too fast and detect therefore the bot. You may even mix such solutions, for example the first time your thing doesn't have a captcha, but if you load too quickly it shows a captcha.

[Dayo]

Well how I was thinking of doing it is having dynamic post/get bars so instead if ?id=1 it would be ?jehsu=1 then on the next page reload ?uqhdu=1 each time it changes so basically the get/post is the capcha

[a_bertrand]

that doesn't work, it's easy to parse the HTML and do the right action.

[Guest]

The only ones I have seen use cURL to submit the forms and such, the only way I can think of at this time is adding a script check, recaptcha or another PHPGD image with a code in it.

[Caius]

Ultimately captcha's are just going to piss off users. Add logging and keep an eye on your game's economy then sort and look for patterns. IE training every X amount of minutes, breaking someone from jail/crimes etc.

If its in a browser it can be scripted.

Most scripts work by reading the html elements on the page and then clicking/entering numbers/submitting i.e. whatever is needed to get the job done.

Look up selenium and you'll get an idea.

Stop trying to stop scripters, it'll alienate your entire game. Ban the idiots that you catch and move on.

[Guest]

Ultimately captcha's are just going to piss off users. Add logging and keep an eye on your game's economy then sort and look for patterns. IE training every X amount of minutes, breaking someone from jail/crimes etc.

If its in a browser it can be scripted.

Most scripts work by reading the html elements on the page and then clicking/entering numbers/submitting i.e. whatever is needed to get the job done.

Look up selenium and you'll get an idea.

Stop trying to stop scripters, it'll alienate your entire game. Ban the idiots that you catch and move on.

Sure if you have all the time in the world feel free to watch out for macros, but 99% of owners actually have other things to do.

Captcha based upon actions per minute or every x minutes are best if you want to do that

[KyleMassacre]

This is something im interested in as well.

I have a FF addon called imacro which is used as a bot, and for those that dont know how it works is similar to a macro in excel. Basically it records as you click a link and you can set it up to run X number of times and its a real pain for a game owner cause it works reallllly good for the gym. I know a captcha will work to stop it but running through 10000 will in 2 minutes how are you going to stop that with out pissing legit players off?

[Guest]

This is something im interested in as well.

I have a FF addon called imacro which is used as a bot, and for those that dont know how it works is similar to a macro in excel. Basically it records as you click a link and you can set it up to run X number of times and its a real pain for a game owner cause it works reallllly good for the gym. I know a captcha will work to stop it but running through 10000 will in 2 minutes how are you going to stop that with out pissing legit players off?

Add a flood limit to certain actions maybe?

[bluegman991]

There are many different methods that people use to make bots/macros.

It can be posting/querying a page via cURL, ajax, etc...

It can be an auto clicker/typer acting as if someone is actually using the computer.

It can also be someone injecting javascript through the website from the url bar (or if you're using firefox, the js developers console or whatever it's called) by sending keypress,mouse down/up, and any other action events needed to do tasks.

If you really want to crack down on bot's/macro users you need to add code that will inconspicuously study their actions to determine if they are a bot or not, then take action when and only when you are sure they are using a macro or bot.

[Caius]

Sure if you have all the time in the world feel free to watch out for macros, but 99% of owners actually have other things to do.

Captcha based upon actions per minute or every x minutes are best if you want to do that

deathbycaptcha.com

Don't log your users actions? I'll be the top player in your game without spending a dime. Sounds real fair for your users.

[Guest]

deathbycaptcha.com

Don't log your users actions? I'll be the top player in your game without spending a dime. Sounds real fair for your users.

Please note that our services should be used only for research projects and any illegal use of our services is strictly prohibited

It would be against the game rules & there TOS for you to use there services.

[Seker]

Serialized links and random positioning (IE: In your crystal temple) can be a huge help. Especially with programs such as iMacros. Obviously, there are more advanced programs out there. But, for the average pain in the ass, it does the trick quite nicely.

[Spudinski]

I see some people that doesn't use JavaScript often..

Most of the algorithms I used to write for game security included a simple method of determining if the user is - using - a bot.

It's called exponential growth/decay, I urge you to read up on it. It requires putting the ol' brain to work(I know most people don't like it), but it's actually quite easy to implement.

But, that's the easy part..

I'm more worried about worms when it comes to browser security, because it's something that's often very "complex" to trace and secure against.

Worms are mostly unique per site, because people who do write them have deadly skills and only have bad intentions.

Luckily, I've never fallen victim to these, but it's not something I'm going to boast about anytime soon.

[KyleMassacre]

I see some people that doesn't use JavaScript often..

Most of the algorithms I used to write for game security included a simple method of determining if the user is - using - a bot.

It's called exponential growth/decay, I urge you to read up on it. It requires putting the ol' brain to work(I know most people don't like it), but it's actually quite easy to implement.

But, that's the easy part..

I'm more worried about worms when it comes to browser security, because it's something that's often very "complex" to trace and secure against.

Worms are mostly unique per site, because people who do write them have deadly skills and only have bad intentions.

Luckily, I've never fallen victim to these, but it's not something I'm going to boast about anytime soon.

Ohh boy that made my brain hurt. What I have been trying to do is add some sort of token to some pages/forms since a big problem I have come acrossed is people using bookmarks or refreshing pages. I think that may help with what Dayo is asking for as well but im just getting some problems with unsetting the session then setting the session again with another click