Beware Ban Wave

[gabeaventh]

Beware, I just got banned for no reason, without the captcha even popping out

[thejoabo]

Hello @gabeaventh , Maybe something related to this discussion: https://github.com/thejoabo/virtualfisher-bot/discussions/12 (?). I'm not following along with these new changes (I'm currently working on another project), so I'll be pinning this issue and linking it in the readme, so new users will be aware of using it at their own risk.

[BigBroski1337]

Same for me. After using the bot for 3 days I got a 2-week ban.

[gabeaventh]

Same for me. After using the bot for 3 days I got a 2-week ban.

the captcha appeared or not?

[BigBroski1337]

No. It just instantly banned me, no CAPTCHA field or anything.

[thejoabo]

@BigBroski1337 , @gabeaventh Literally I have no clue whatsoever why this is happening, unfortunately I have no way to reverse engineer it since it has no executable and doesn't run in a way I can inspect whats going on. If anyone has a theory or solution I would be pleased to hear. =/

[gabeaventh]

i have some thoughts, i think they monitor our behavior, like how long we spent time to solve captcha, how long our play session, same session token every time we play(if I'm not mistaken, the token should refresh and replaced with new one)

the most possible one are

Long Play Session and the bot takes so much time to solve the captcha that normal human being would take 1-5 seconds to finish

id suggest try to disconnect the bot every X minutes, where X random and put Warning to not run the bot more than X hours per day to avoid Ban

i know it's not convenient, but what else we can do, we doing something againts the rules anyway

[thejoabo]

@gabeaventh Maybe, I mean, Discord's API is a piece of shit for larger bots nowadays (due to some security police changes) but I don't really know what type of backend info they have access (for example, other users session ids and other things). But it's true, realistically speaking this bot has nothing related to mimicking human behavior (except the cooldown - which is far from perfect). And yeah, they definitely have a huge set of data and monitor how we play.

When I was first developing it, I thought about having some serious routines to at least confuse their detection system, but It would be very annoying to someone that just want to cheat and what not. The thing is: I'd really need data to put together some strategies about how normal users play and how to emulate it. It is pointless for me to figure out how I think that users play when they can just compare it to real data and spot that something is off.

Also, I would assume that at least they are aware that this "cheat" exists and since it's opensource they can just inspect how I do things and write something specific to detect that (for example the resupply routine which happens at linear intervals). My point is: they have all the advantages they need to pinpoint who is using this bot.

About the captchas, I totally agree. I use a free API which has a decent precision and a easy way to get users with no knowledge to set it up. Unfortunately it's not fast the way it is implemented, I can assure that it will find a correct answer but it'll take time. (no idea how to make it better)

I have lots of things to update in this bot but no time to do it. I'll try to do it in this weekend, but no promises. Also, if you are interested in helping with pre-releases tests dm me at: dev.joabo@pm.me

[gabeaventh]

@gabeaventh Maybe, I mean, Discord's API is a piece of shit for larger bots nowadays (due to some security police changes) but I don't really know what type of backend info they have access (for example, other users session ids and other things). But it's true, realistically speaking this bot has nothing related to mimicking human behavior (except the cooldown - which is far from perfect). And yeah, they definitely have a huge set of data and monitor how we play.

When I was first developing it, I thought about having some serious routines to at least confuse their detection system, but It would be very annoying to someone that just want to cheat and what not. The thing is: I'd really need data to put together some strategies about how normal users play and how to emulate it. It is pointless for me to figure out how I think that users play when they can just compare it to real data and spot that something is off.

Also, I would assume that at least they are aware that this "cheat" exists and since it's opensource they can just inspect how I do things and write something specific to detect that (for example the resupply routine which happens at linear intervals). My point is: they have all the advantages they need to pinpoint who is using this bot.

About the captchas, I totally agree. I use a free API which has a decent precision and a easy way to get users with no knowledge to set it up. Unfortunately it's not fast the way it is implemented, I can assure that it will find a correct answer but it'll take time. (no idea how to make it better)

I have lots of things to update in this bot but no time to do it. I'll try to do it in this weekend, but no promises. Also, if you are interested in helping with pre-releases tests dm me at: dev.joabo@pm.me

its downhill since youtube not allowing discord to use their url on discord but i digress

i agree with every point you made here, especially the resupply routine, you might want to disable the get profile etc, its obvious that we use something to automate

put a random timer everytime the bot read "fish boost ended" etc and redo buff thing, at least there's no patterns shown whatsoever, same thing when we start the bot, do buff at random interval

oh and one more thing, the rate limited thing is annoying, when we put sleep to avoid rate limit, this potentially make the bot predictable, because there's certain delay before every action

and for pre release test, ill contact you when i have some free time to kill

[BigBroski1337]

Quick question: If I leave the OCR_API_KEY field empty, will it disable the CAPTCHA bypass? When using debug, it still shows that it is using the OCR engines?

[thejoabo]

Quick update on this issue:

I finally had to time to make adjustments in the bot structure, there is a lot of things that needed to be refactored.

Here is the preview of the v2.0.0 changelog with things that I already did and is working, but there is some hard things to do next, like refactoring the menu (to adapt to these changes and implement other stuff, this will probably be longest part) or the Scheduler class to manage properly the schedules for automated actions (like buffs, selling, buying...) - this will solve the issue mentioned by @gabeaventh about predefined routines - and some other integrations between classes.

Long Play Session and the bot takes so much time to solve the captcha that normal human being would take 1-5 seconds to finish

Also, this one is already fixed, captcha solving time is way shorter now.

I'll release as soon as I finish and test everything.

The changelog so far : v2.0.0 - 11/x/22

Added

• DiscordWrapper new features
  • native proxy support (https only)
  • reconnections support
• ConfigManager new features
  • argument support for loading specific configs (eg. python autofishbot.py some_config_name) (adaptation of @notvirtio 's solution #51)
  • support for the creation of new (alt) configs using arguments (python autofishbot.py --create)
  • new parameters:
  • Network: proxy_ip, proxy_port, proxy_auth_user, proxy_auth_password, user_agent
  • Automation:
    • added auto_sell, auto_buy_baits, auto_update_inventory, auto_daily
    • splitted auto_buff in more_fish and more_treasures
    • renamed buff_length to boosts_length
  • Menu: refresh_rate
  • Cosmetic: pet, bait, biome
• Profile new features
  • support to charms inventory (/charms) + Charms datatype class
  • support to user leaderboards (/pos) + Leaderboard datatype class
  • support to buffs (multipliers list) (/buffs) + Buffs datatype class
  • support to quests list (/quests) + QuestList and Quest datatypes class

    Changed

• refactored DiscordWrapper class
  • discord's api (v9 -> v10)
  • connect function's structure
  • heartbeat routine (adjusting to documentation requirements)
  • receive_event function (better error management and pre-deserialization)
  • application commands and guild id are now loaded on start-up
  • request function (discord's http api requests):
  • simplification and better data structure
  • better handling of exceptions (and proper returns)
  • better error management to failure requests
  • proper handling of discord's rate limits (429 error) (improvement of @gabeaventh 's solution #36)
• refactored Captcha class
  • compartmentalization
  • multi-threading solving (asynchronous ocr-engine requests) -> each engine request is made simultaneously, so captcha solving time is significantly faster.
  • captcha detection function (added conditional safeguards)
  • status flags (ensuring transparency of actions for external classes)
• refactored Profile class
  • compartmentalization
  • attribute fields (instead of a global fixed list)
  • lists (displayed on menu) are now constructed individually per attribute (datatype classes) using the list property
  • update function
  • gold, diamond, emerald and lava fishes are now grouped to ExoticFish class
• refactored CooldownManager class
  • simplification
  • analysis functions removed
• refactored Message class (better message parsing and fields categorization)
• refactored ConfigManager class
  • better loading/saving logic of config files
  • compartmentalization of config parameters (system, captcha, network, automation, menu and cosmetic)
  • better value parsing and validation

    Fixed

• fixed bug in which the sanitize function in Message class couldn't parse some characters
• fixed bug in which required fields weren't validated in ConfigManager (#48)
• fixed bug in which captcha.regen counter were redefined after solution failure

[DrMkdaddy]

try having a delay on the captcha auto answer system tbh if it's dependant on how quickly it's answered. That's the only way the bot could reasonably detect that behaviour.

[thejoabo]

try having a delay on the captcha auto answer system tbh if it's dependant on how quickly it's answered. That's the only way the bot could reasonably detect that behaviour.

@Nirudium True, but it must be something dynamic, because even if it will usually answer very fast, some captchas could be harder to solve, so a fixed delay to send the '/verify' message won't work either.

Here is an example of the solving time of the new method:

Notes:

• this gif is at normal speed
• the notifications system (at the top) have been changed - now they work as a queue instead of a fixed value - so I still have to adjust the time they stay on the screen, that's why it seems so delayed
• you can compare to the old one here (which is at 1.5x speed)

[ElbertWan]

Is this captcha issue still ongoing? @thejoabo

[thejoabo]

@ElbertWan, this issue is not just about the captcha, but about these bans for no apparent reason, indicating that an unknown detection method is in place. Since we can't simply figure out exactly what it is, we believe that the linear action routines that this bot make, contributes for leaving a "fingerprint" over time. I think that if I make things more "human-like" (with a well reasoned approach of randomness), it should be way harder to detect.

TLDR: yes, until i release the version 2.0.0 (btw, the current captcha solving algorithm works fine, it's just not "human-like", cos it takes too long ~25s) .

[thejoabo]

hi, when you will release v2?

@DomeSs97 I just finished the scheduler class (which pseudo-randomizes the buffs/automation routine), other than that, I need to refactor the "CompactMenu" (to adapt it to the new changes), do some code cleanup - and, obviously, a lot of tests. I won't promise a specific date, but it shouldn't take too long (couple of days at most).

[thejoabo]

New version experimental-2.0.0 (changelog) available. I'll be converting this issue into a discussion.