Runescape Tutorial Island Bot
I began my Runescape journey in 3rd grade. On most days after school, my best friend and I would call while leveling up our skills in free-to-play. I would eventually become a member after 2 years, which occurred around the same time EOC and RS3 was being introduced. I wasn’t a fan of RS3 — especially with an under leveled character — so I’d end up playing private servers where I PK’d lots of people and participated in clan wars.
When OSRS was released, I was ecstatic. Runescape was always a game I came back to because it was one my laptop (at the time) could actually run. I’d end up creating a Zerker (with a Mythical Cape [ds2], Fire Cape, Fighter Torso, Barrows Gloves, Defender, Fury, BGS, Rings, 200m, etc) and a 40 HP 1 DEF pure (38 CB with Desert Treasure). During this time, I’d PK BIG LOOTS with a clan (that we split using spreadsheets I created), PvM in God Wars, and engage in the art of “buying low and selling high” in the Grand Exchange. I even fed hungry Venezuelans directly by donating Runescape Gold to them. I’d stop playing shortly before the Song of the Elves quest was released.
I have never actually botted an account in Runescape for the purpose of training or earning gold. The reason I created a bot is because Jagex had a bot problem and players at the time were hyping up the skills you needed as a programmer to create an undetectable bot. My classes in high school weren’t that hard, so I’d spend time in class creating one.
Create a tutorial island bot that takes a created account from any point of the tutorial island to the end (in order to learn how bots work on Runescape).
The first thing that surprised me was how bots in Runescape actually work. In 2019, most undetectable bots were reflection based (as opposed to using color or injection). This allowed bot clients to retrieve the runtime values from memory addresses needed to create scripts: For more information, read Using Java Reflection. As I was still a programatuer, this task would have been an enormous undertaking. Luckily, geniuses before me had already done it.
Due to the way the Runescape client works, reflection methods must involve minor injection (adding get methods to the source code). This means that they aren’t undetectable. However, banning bots based on the detection of a modified loader (client) will result in too many false positives. Instead, Jagex’s BotWatch uses player heuristics and behavior in order to identify bots. Machine learning can be used to identify patterns, which is why common scripts result in quick bans.
Obviously, there are other giveaways (timing, pseudorandomness, etc) to determine whether a player is a bot or not. A confirmed bot is likely related to a number of accounts that are also bots. In addition, player reports allow Jagex to review more data than a single person would be able to identify. Certain bot clients may or may not contain signature movements which hint at a player using a script. However, most bot clients implement humanized movement, login/logout patterns, and other details which factor into their detectability.
Bot clients run scripts written in Java which control the mouse and keyboard (using an API). The best scripts are designed using a finite-state machine which makes it easy for the developer to account for mistakes or random events. The hardest part about developing a script — to me — was the variance in values (that memory addresses held) in between actions (in a state). This resulted in a lot of unavoidable conditional checks for NULL (if-statements).
After around 3 newly created accounts, the bot was finished (video above). The user decides where the bot ends up after completion and whether or not it logs out. I learned how Runescape bots worked and created one: I never used or sold the script for any other purposes.