Fooling MMORPGS - The Turing Factors

Hey,

In the last week, you would have seen my blog scattered with a lot of posts on a game site called Duels.com. It is an MMORPG with a blend of Diablo and WoW. Though I started playing it the regular way, I soon got a little lazy and wrote a script to throw random challenges to everyone. In no time, my experience points were soaring, and I was soon in the top list of duelists.
However, I did inform the developers of the potential exploit, and it has been fixed since then. Though it was a bad move to have released the script in public, it did get a lot of people thinking. A couple of people pinged me about a script, and I realized that the game was not only a Massively Multiplayer Online Role Playing Game. It seemed more like a Multiplayer Online "Script" Playing Game. This actually meant that scripts would be fighting each other, an idea that is really cool. Writing scripts for the site is simple, and this is a good way for enthusiasts to learn new technology quickly. Many people told me that they were now into learning Chickenfoot. I was talking to a friend about making the process of issuing challenges quicker. It seemed more like a computer science optimization class. The technical discussions were interesting, and it would be nice to play against scripts that are getting better all day!
However, here are some issues that script writers may have to watch out for. These points could give away the bots, so watch out. I hope that the developers get a chance to read this, so that they can nail down the cheaters.

Referrer Issues
A couple of scripts that I was looking at use an XMLHttpRequest to issue challenges and accept challenges. When a human plays, the browser always sends at least the referrer page with every request. A simple scan of the HTTP log will let the developers know of all the people who have gained experience by scripts.

Bread Crumbs
The process of issuing challenges covers a whole lot of pages. The scripts don't really go through the different pages. If the developers implement bread crumbs, scripts will find it difficult. From the time a user starts the process of issuing a challenge until the challenge is issued, the user goes through many pages. If each page showed up with a hidden input field that has the hash of the previous page, the scripts would have to parse all the different pages, making them slower.
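
An added sketch of the bread-crumb check from the server's side (not code from Duels.com or from the original post). It assumes a four-page flow with hypothetical page names, and it uses a keyed hash (HMAC) over the session, step, previous crumb and page body instead of a plain hash, so the hidden-field value cannot be computed without fetching each page.

```python
import hashlib
import hmac
import secrets

STEPS = ["pick_opponent", "choose_tactics", "confirm", "issue"]  # hypothetical page names
SERVER_KEY = secrets.token_bytes(32)  # server-side secret, never sent to the client


def crumb(session_id, step, prev_crumb, page_html):
    """Hidden-field value: keyed hash over session, step, previous crumb and page body."""
    page_digest = hashlib.sha256(page_html.encode()).hexdigest()
    msg = "|".join([session_id, str(step), prev_crumb, page_digest]).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


class ChallengeFlow:
    """Server-side state for one user's walk through STEPS."""

    def __init__(self, session_id):
        self.session_id = session_id
        self.step = 0
        self.prev = ""        # crumb of the last page whose form was accepted
        self.expected = None  # crumb of the page currently served, if any

    def render(self, page_html):
        """Serve the current page; return the crumb to embed in its hidden field."""
        self.expected = crumb(self.session_id, self.step, self.prev, page_html)
        return self.expected

    def submit(self, step_name, echoed_crumb):
        """Accept a form post only for the page just served, with its crumb echoed back."""
        ok = (
            self.expected is not None
            and self.step < len(STEPS)
            and step_name == STEPS[self.step]
            and hmac.compare_digest(echoed_crumb.encode(), self.expected.encode())
        )
        if ok:
            self.prev, self.expected = self.expected, None
            self.step += 1
        else:
            # Broken chain (skipped page, replayed or foreign crumb): restart the flow.
            self.step, self.prev, self.expected = 0, "", None
        return ok
```

A script that fetches and parses every page still gets through; the check only forces it to walk the same pages a human does, which is the slowdown described above.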

Captchas
Another option is the use of captchas. The only problem with captchas is that they are not very user friendly, and a player would hate typing in a captcha every time he issues a challenge. As a compromise, if a player is issuing challenges very fast (resembling a bot), an occasional captcha could pop up.

DOM Garbling
Most scripts depend heavily on the static DOM structure of the HTML page to parse and use data. A simple piece of JavaScript on the client side could change the DOM structure randomly, based on a key, without altering the look and feel of the page. Inserting random invisible page elements and playing around with IDs are some of the ways of achieving this. A new tree structure would screw up the life of a bot (if it has any), but would have no real impact on the user. If this DOM garbling occurs on the server side, it is even better. Doing it on the server side is a little application specific, but coming up with a client-side DOM garbler is easy, and it can be applied to many web sites.

Flash - Javascript Intertwining
Another alternative that can be considered is the combination of Flash and JavaScript. Certain actions could be in the Flash movie, and writing good screen scrapers for Flash is not a trivial task. A Flash scraper needs the power to read and understand the SWF format, which is complex in itself.

Let us see how the developers stop the scripts. Till then, let the war of the scripts continue!