[Update] XenoBot Apophis v14.11.19.893 [Protocol 10.72]

[bit311]

Ive got problem cause I cant login into Xenobot and my Xeno cent automaticaly update.

[DarkstaR]

Ive got problem cause I cant login into Xenobot and my Xeno cent automaticaly update.

Remove the crack you were using.

[Pageypeo]

Remove the crack you were using.

haha, also had this problem, but i had the old client open and about 20 bots

but good comeback if this is true :P

[Boomtune]

Thanks mate.

[kimse]

The assumption is that anybody who understands it (e.g. you) can make their own decision. As it stands, though, CipSoft has been handing out bans to accounts that have never been botted, simply because they are associated with bot accounts.

[begin speculation]
Also, they have the option to use Google Authenticator. That means, regardless of what authenticator you choose to use, it will likely go through the OAuth protocol. If you read the OAuth 2.0 specification, you'll see that responses contain a field called userid. If I've read the spec correctly, this is a constant that will be the same when given to any application (or any different accounts for the same application) that can be used to identify a single user across multiple apps. This means the only solution is to use completely separate authenticator apps and hope that the Google OAuth server doesn't have a way of correlating them. And, since this is Google we're talking about, it probably does.

Multiple devices (virtual desktops could be an option?) sounds like the only answer, if you wanna use the auth on bot chars and still be safe.

[DarkstaR]

Multiple devices (virtual desktops could be an option?) sounds like the only answer, if you wanna use the auth on bot chars and still be safe.

Yeah, but who wants to set up multiple VMs just to launch an auth program?

The better option may be just to run the accounts in different VMs, as nearly nobody focused on hacking Tibia has the technical expertise to intercept passwords that are inside of a VM from the host machine. It's actually potentially much harder to do than intercepting the auth token from host if the clients aren't virtualized(though I haven't researched it). Also, another thing that I failed to mention before is that running the authenticator on the host leaves the credentials vulnerable to being copied/read by the same facilities used to read Tibia account and password.

Bottom line is that, unless you feel like spinning up multiple VMs, this is only secure in cases where your account/password gets disclosed by means other than a virus on your host computer. And, since Tibia implements secure assymetic encryption over the wire, disclosure in other events is rare unless you're handing it out to people.

Don't get me wrong, I'm a huge fan of 2FA, but I'm worried about CipSoft's motivations. In 18 years, they've never addressed the hacking problem (short of adding RSA in like 2006, which is more of an anti-bot measure than anything, considering nobody ever used MITM to grab Tibia accounts), even though preventing most hackers is as simple as dropping the account and password from memory (or storing it in a non-plain-text format). So why would they implement it now, in a time where them having an easy way to link multiple accounts is, statistically speaking, more detrimental to botters than the threat of being hacked?
[tinfoil removed]

[Relius]

DarkstaR pls. Gibe Login Function and Framerate Changer.

[marcin252]

DarkstaR what about vps bug? Did u fixed that?

[marcin252]

@DarkstaR

[Unuke12345]

Getting debugs/client crashes quite a lot recently, anyone experiencing the same?