Travian script banning

[pavansss91]

I guess u all know that there have been userscipst for some famous browser based games like travian and others

the players install them on their computers
then how can the administration know that the specific players are using scripts or not

they can't  get access to players computer. right ??

is there any script in php or other whihc they use to find this ?
if no then ho do they do this ?

[Harkins]

Depends on the script. If it's a Greasemonkey script that adds elements to the page DOM, the site's Javascript could detect them and notify the admin. Otherwise, they'd probably have to rely on server-side metrics, like noticing that a player refreshes pages every 10 seconds or always starts a new piece of construction less than a second after their previous construction finished.

[pavansss91]

if it's greasemonkey
can't we stop adding the element DOM to the page ??

[travo]

if it's greasemonkey
can't we stop adding the element DOM to the page ??

DOM isnt an object, its pretty much the HTML of the page. You cant stop the DOM from loading... no DOM=no page

Maybe Im misunderstanding you, sorry if I am.

Most of the detection would be server side. For example inthe rules say you cant, for example, launch more than 3 attacks a second. Then in the attacks table, have a start column, with a timestamp. On each in the attack init functions, look through the database. If there are already 3 attacks for the current second, then the user is probably using greasemonkey or similar, log it to a suspicious activities log.

(The folowing will use a system checking timestamps as the user changes pages to detect if their stuff is complete)
You could have an actions column, construction column, whatever, and a system where when an action is created, before any rows are deleted from the database, check the timestamps of the old action (the one which was stopping the user from creating another action earlier) if it is within 1-2 seconds of the current timestamp, add them to the suspicios log.

SUSPICIOUS LOG
have a table, with
playerid | suspicious_code eg 0=attacking too often | num recorded | date

If num = 1, it shows in the suspicious log, 2=moderarte suspicion log, 3=fairly suspicious log, 4=urgent log.

Then have options to lower suspicion, delete record altogether, wipe players slate clean, delete all records older than x, warn/suspen/ban user, etc


I hope you could understand me, and I havent rambled on too much, its getting late...

[Forgotten]

DOM isnt an object, its pretty much the HTML of the page. You cant stop the DOM from loading... no DOM=no page

That's not exactly true....

The Document Object Model (DOM) is a cross-platform and language-independent convention for representing and interacting with objects in HTML, XHTML and XML documents.......

A web browser is not obliged to use DOM in order to render an HTML document. However, the DOM is required by JavaScript scripts that wish to inspect or modify a web page dynamically

[travo]

It was late lol

But still you cant just disable the DOM as a developer, in most browsers it exists, and on any page user can edit the DOM if theyre browser has javascript enabled, and they want to.

[FirePenguins]

I agree with Travo that probably the best way is to log suspicious activity such as player's being constantly logged in and attacking or buying faster than a human possibly could.  Also logging accounts that are on the same IP address so that you can manually investigate and see if they look like seperate players or one player with a bunch of multi accounts.

[travo]

Yes, log the users on same IPs. Dont forget most people have dynamic IPs, so if they login with a different IP, change it.

Also, if you havent yet made your game, this should be easy to implement as you go.

Have a function to check the IP addresses of 2 players. sameIp($user['ip'],$other_player_id) returns boolean or similar.

In all forms of communication (attacking, trading, etc) run this function, if it returns true, log to suspicious log.

[Harkins]

Well, now it's possible to easily write scripts that don't touch the DOM, a new Mozilla extension called Jetpack.

The intro video is pretty impressive for a prototype: basically, Jetpack is a GreaseMonkey that can create (and maybe manipulate?) browser chrome as well as page contents.

So instead of having to add your building queue to the Travian city view page where the Travian js could notice it, it looks like Jetpack will make it very easy to make a browser panel or menu with that same info.

This is basically an alpha release so it'll be a few months before it settles down to really be usable, but it's another reminder to game developers that the browser is in the hands of the enemy.

[karnedge]

This is basically an alpha release so it'll be a few months before it settles down to really be usable, but it's another reminder to game developers that the browser is in the hands of the enemy.

The irony is, the "enemy" is our technically our target audience. heh

[yuppio]

Travian is using fallowing ways to fight scripts/multi accounts:

1) Of course, logging IP addresses and comparing them to other players, they have even daily/week charts, where you can compare players times, when they are logged in and using what IP, also showing percent of matching IP.  It helps find multi and detect if user is online 24/7. They also log user screen resolution.

2) They compare user passwords hashes - on user info tab you can see who else has same password as user selected. Again fighting multi accounts. This makes me thing that they don't use unique hash salt for each user.

3) But the most interesting thing they use is multiple cookies for storing recent accounts logged in. This works like this:

user1 login on the site. Does some stuff and logs out. user1 is logged in cookie. Then he switches to multi account on same PC and browser, on login they store user1, because it was stored in cookies. This method is simple as axe, but it works so damn good for people who use multi accounts on same PC&browser (many does). Actually they are storing last 3 accounts logged in. So you will get snatched in no time, if you don't use other browser or clear cookies each time. It helps a lot, because then you don't need to compare IP addresses or stuff, then you know for sure he is using multi accounts.

As far as I know they don't use some hi-tech methods for catching GreaseMonkey scripts, and I think it's quite unreal to do so and unnecessary. They ban for scripts that send out attacks for you, using control panel with info I described above. Actually if you use those scripts smart, they won't catch you, coders of scripts have implement random delays while sending out troops, by imitating user actions. And if you don't use scripts 24/7, then almost impossible to trace.

EDIT: Only way I can think of is to use captcha image on every 20 attack sent out or something like that, this method is using duels.com

p.s. Sorry if my English is broken, it's far from my native language

[jannesiera]

EDIT: Only way I can think of is to use captcha image on every 20 attack sent out or something like that, this method is using duels.com

I recently started playing Tribal Wars again. They have added this system. After x time playing you get an image where you have to click in the broken circle.