I began my Runescape journey in 3rd grade. Most days after school, my best friend and I would call while leveling up our skills in free-to-play. I would eventually become a member after 2 years, which occurred around the same time EOC and RS3 were being introduced. I wasn’t a fan of RS3 — especially with an under leveled character — so I’d end up playing private servers where I PK’d lots of people and participated in clan wars.
When OSRS was released, I was ecstatic. Runescape was always a game I returned to because my laptop (at the time) could run it. I’d end up creating a Zerker (with a Mythical Cape [ds2], Fire Cape, Fighter Torso, Barrows Gloves, Defender, Fury, BGS, Rings, 200m, etc) and a 40 HP 1 DEF pure (38 CB with Desert Treasure).
During this time, I’d PvM and PK BIG LOOTS with a clan: We shared splits using a spreadsheet I created. I also engaged in the art of “buying low and selling high” at the Grand Exchange. I even fed hungry Venezuelans by donating Runescape Gold directly to them. I’d stop playing shortly before the Song of the Elves quest was released.
I have never actually botted an account in Runescape to train or earn gold. The reason I created a bot is because Jagex had a bot problem and players at the time were hyping up the skills you needed as a programmer to create an undetectable bot. My classes in high school weren’t that hard, so I’d spend time in class creating one.
Create a tutorial island bot that takes a created account from any point of the tutorial island to the end (to learn how bots work on Runescape).
The first thing that surprised me was how bots in Runescape actually work. In 2019, most undetectable bots were based on reflection(as opposed to using color or injection). This method involves a bot client, which runs bot scripts on a reflection of the game state by copying the application from memory. For more information, read Using Java Reflection. As I was still a programatuer, this task would have been an enormous undertaking.
Luckily, geniuses before me had already done it.
Due to how the Runescape client works, reflection-based bots must involve minor injection. This means that these clients aren’t completely undetectable. However, banning bots upon the detection of a modified loader (client) will result in too many false positives. Instead, Jagex’s BotWatch uses player heuristics and behavior to identify bots. Machine learning can be used to identify patterns, which is why popular script usage results in quick bans.
Other factors (i.e timing, pseudorandomness) can be used to determine whether a player is a bot. Certain bot clients use signature click-intervals that hint at a player using a script. However, most bot clients implement a humanized movement for humanized click-intervals, login/logout patterns, and other anti-ban features which factor into their detectability.
The purpose of player reports is to provide Jagex with data about accounts that seem suspicious. This feature lets the anti-cheat team spend less time searching for more problematic behavior and more time reviewing whether it has occurred. So if you are against bots, using this feature to assist Jagex is important.
Bot clients run scripts written in Java that control the mouse and keyboard (using an API). The best scripts are designed using a finite-state machine, which makes it easy for the developer to account for mistakes or random events. To me, the hardest part about developing a script was the variance in values (that memory addresses held) between actions (in a state). This variance resulted in many unavoidable conditional checks for NULL values.
I created 3 new accounts to complete the bot (see the video above). The user decides where the bot ends up after completion and whether or not the bot logs out. Thanks to this project, I learned how Runescape bots work and created one: I never used or sold the script for any other purposes.