Once the siphoning happens on the same machine your client is running on it's easier to detect through anti-cheats at least. If it can run on a completely separate machine it seems like it'd be essentially impossible to detect except through changes in how a user acts like only going directly to the mobs with the juicy loot and ignoring the trash but that's really tough to detect.

It would also help to not send the high-value information to the client until required. Especially loot drops!

I also fell into my first programming experience with DAoC! I worked on fixing some very simple bugs/exploits on an emulated server (C#) back in 2005.

There's a ton of fascinating stories coming out in the last decade around hacking/exploits/etc of games of that era; DAoC, UO, Shadowbane (this one was real bad).

I'd highly suggest checking out these two episodes of this podcast - https://darknetdiaries.com/episode/7/

iirc, eqemu reverse engineered the server based on the traffic. I remember being impressed.

If you don't encrypt your network traffic, you can quite easily decrypt it on another PC (as you can just set promiscuous mode on your 2nd PC NIC), giving you undetectable read-only hacks like "radar", where you basically have a map of the game with the enemy positions, health, gun, ...

If you encrypt it, this is no longer possible. If a cheater wants to decrypt it, he has to get access to the decryption key, which usually is send over an TLS encrypted connection (with certificate pinning in place) [Or in some cases self made encryption :/].

Therefore he has to either reverse the game to get the certificate or has to attempt to read it while the game is running. In the first case the game developers (and the Anti-Cheat providers) will try there best by obfuscating the specific regions. And the 2nd case is basically what AC is all about, and therefore difficult for modern Anti-Cheats.

You need to hack the client for that vs just binding to a network port, or at least have access to a decryption key.

It doesn't, we are just in 90's security mindset. We even have the typical idiot here chiming in, "it doesn't have to be perfect". Meanwhile in adult software engineer world, we know we can just not send the state of the entire world to every player and that would also save costs.

Decompiling (in a meaningful way) an optimized binary generated from C without debug symbols is much harder than what the author has shown in C#. It is not impossible, but probably very time consuming.

Versus just reading clean packages from a network.

It's not about finding a 100% solution. It's about deterring as many people as you can.

> Neither app has ever been able to show what loot a mob has except for visible pieces.

ShowEQ definitely showed drops at some point. I vividly recall farming lightstones from Willowisp and using ShowEQ to ignore the ones with burned out lightstones.

I would suspect "modern" has a lot more impact than "browser" (notably, aside from more developer awareness of cheating, I would suspect TLS is far more common now, though that can of course be worked around when you control the client). Browser traffic isn't any different from any other type of traffic, the standard packet sniffing tools (tcpdump, wireshark, mitmproxy, etc.) work just fine.

His point wasn't that an MTG bot should be easy to run, his point was that it shouldn't be any easier/cheaper to run server-side than client-side.

But to address your point, while that is true, Sparky itself plays with very basic decks, and plays even those very poorly. The goal of Sparky is to introduce players to the rules, not to be a competitive MtG agent; playing badly is intended. I wouldn't be surprised if Sparky's code is actually just a bunch of very simple heuristics (maximize your mana utilization this turn, attack with any creature that can trade evenly or better, etc).

The sample code plus walkthrough sounds like "things people can run on their computers". :)

> "it is difficult to write a program that can play a legal action in every situation"

This is trivial (just forfeit).

The hard part is figuring out the best possible action to select from. MTG is particularly hard at this because: * Some actions are only allowed in certain conditions (e.g. in response to, in a specific phase, etc) * Actions vary significantly not only in their effects but also in their inputs (some require targeting a creature, a player, an opponent, a card in hand, a card in exile, a name of a card that could exist). Some have a varying list of inputs (target many creatures). This variance makes it hard to encode the action space. * The state space is huge. It is not only determined by the cards in play, but is also affected by the meta-game (to play optimally players have to play in a specific way to avoid getting countered by a card that could be in play by the opponent, because that card is legal to play and is commonly used by decks that look like what the opponent is playing). * Technically the state space is also infinite because you can create infinite loops that keep creating more and more triggers/creatures/etc.

The rules explicitly address infinite loops and forbid players from forever taking actions that create one. If one would occur anyways, the game ends in a draw.

https://mtg.fandom.com/wiki/Loop

Turing machines? Not really. Infinite loops[0]? All the time. The designers generally try to avoid those being legal in "Standard" unless it's extremely unlikely to happen (only the most recent few years of cards are legal in tournament play. In casual play anything can be legal if your group is okay with it).

A common trope is to have a card that allows you to create mana, and then a way to infinitely bring that card back from the discard pile, allowing for infinite mana. Then you play a card that says something like "spend X mana to deal X damage" and you deal a trillion damage.

[0] the above commenter is correct that a true infinite loop is not allowed. But you're allowed to create a scenario where an infinite loop happens according to a repeating choice you can make (essentially a while loop) and repeat as much as you want within the match timer while still allowing time for your damage card. The general etiquette is just to say "I can do this a billion times and so I deal a billion damage".

I've actually been at a local (mostly informal) tournament where someone with an Elf deck managed to pump their life into the thousands (you start with 20 or 40 depending on the ruleset), and his opponent with a Goblin deck got an infinite combo for infinite damage. But the Elf player refused to accept "I can do this infinity times" and made him actually try to perform his card combo over a thousand times before the round timer ran out. Goblin deck did not win.

Here's a paper on creating a Turing machine in Magic:

https://arxiv.org/abs/1904.09828

Let us listen to the sweet stories of Sherazad...

https://gatherer.wizards.com/pages/card/Discussion.aspx?mult...

It's not that easy. There are strategies but they depend on the game format (standard, legacy, modern, etc) and on a deep understanding of the game meta. You cannot devise a strategy that works under any conditions. Lookup the rules + understand that new abilities and cards are introduced all the time.

I'm not sure what level of complexity you're looking for, but there are some pretty complex combos that have been viable over the years, even in formats that don't use some of the older "broken" cards. One popular strategy for a while in the "Modern" format, which doesn't allow cards for the first 10 years or so of the game, used a mechanic called "Storm" where a spell would be copied for every spell you previously cast in the same turn. A card called Grapeshot had this ability and did 1 damage, so the deck played creatures that made your spells cost less mana and spells that gave you extra mana or draw cards, and the goal was to cast 19 spells and then grapeshot your opponent for their entire starting life total of 20, often as early as on their fourth turn. It was consistent enough that it was a staple in the format for at least a few years (although I haven't kept up with the meta as much for a few years now). Another higher variance but potentially even faster combo used a creature called Griselbrand, which let you pay 7 life to draw 7 cards, a bunch of mana "rituals" like storm, and used a card called Nourishing Shoal to let you exile certain cards from your hand to gain life. The win condition was typically to draw at least 7 lands and cast a creature that let you discard a land to do 3 damage, and it could potentially do this on the very first turn, although eventually one of the cards that was necessary for it to function got banned in modern, although by then Griselbrand decks weren't really ever played due to there being far more consistent options with better ability to deal with an opponent trying to thwart their game plan. If you include Legacy (which allows cards from any point in the history of the game but still with a custom ban list) or Vintage (where all cards are allowed but some are "restricted" to only one copy instead of the typical 4 per deck), there are even more powerful combos you can take advantage of.

Combo decks have always and likely will always be a part of the meta for most formats, although to varying degrees depending on how many cards the format has available and how effective it happens to be in the current meta. It's considered one of the three main deck archetypes along with "control" decks that attempt to shut down what the opponent is trying to do and slowly build an advantage over time and "aggro" which use a more straightforward approach of just attacking the opponent with creatures or spells (or both). Not everything cleanly fits into one of those strategies of course, and even a deck that has a win condition that fits into one archetype might dip into the other as a backup plan (e.g. a combo deck with control elements that help it buy time if it can't get off the combo as quickly as it would prefer, or a control deck with some efficient creatures that it can use for a surprise attack if the circumstance makes sense), but even in a setting like playing a few games at a card shop on a Friday night, seeing a combo deck with the level of complexity described above isn't really uncommon at all.

That said, I've read that a lot of the hardest cards to program tend to be the ones that subvert the basic expectations of the game. One infamous example that comes to mind is a creature that after being cast added an extra turn after yours where you controlled your opponent, after which they took their regular turn and the turn order resumed its previous alternation. Programming that would require adding in the ability to show one player's hidden game state to the other, let them make any sort of decisions using their cards that the player would normally do (short of literally conceding the game) and inserting an extra turn in the order with that weird control mechanism...all just for one card out of tens of thousands! Obviously most cards are not that complex, and Arena specifically doesn't attempt to support literally every card in existence and instead supports cards going back to its initial stable release along with explicitly chosen cards added to special Arena-only sets in order to introduce them, but when its an explicit rule that the text on the card overrides the normal rules of the game when they disagree, it very quickly gets to the point where you need to consider that there will likely be an edge cast for almost any possible state transition.

Arena's rule engine was explicitly not based on Duels; this was a big selling point when it first launched to replace Duels, and they've gone into some detail since then describing how it works. See https://magic.wizards.com/en/news/mtg-arena/on-whiteboards-n... for instance.

The AI player just casts the first card it has the mana to cast, regardless of if any normal player would do it. As an example Sparky will gladly cast a kill spell on their own creature if the opponent has none, or cast protection spells on the opponents creatures if it has no creatures itself. This is far different than duels of the planewalkers.

14-15 years ...

Yes, I agree. And we don't own them. I find it a very stimulating intellectual exercise to construct a deck without those cards and still perform great. Those powerful cards have several points and only 7 points total are allowed in your deck. For example I currently choose to play Sol Ring instead of 2 of the moxes.

You can get professionally printed proxies [1]. I've been told there's often a "don't ask, don't tell" policy around many unofficial mtg tournaments regarding proxies. It obviously upsets some people, but others see it as requirement for new players to enter legacy format (and keep it alive).

[1] https://old.reddit.com/r/bootlegmtg/wiki/index

> Proxies are allowed. We encourage the use of easily recognisable proxies as long as they are undetectable under sleeves and are easily recognizable and nicely made, but no counterfeits!

A proxy can be as simple as a basic land with Sharpie writing on it, so this format is by definition as affordable as Magic can ever be.

Official MTG tournaments "allow" proxies, cost is not and never has been a prohibitor to any paper magic.

WoTC as a card distrubtor on the other hand, does not agree with this. Thankfully they have no input on the matter. And is why they push the online avenues as much if not more than paper.

IIRC it was added to the game because of serial leavers (and cheaters, which is funny with this exploit) and then sometime later applied to deal with server instability issues.

Thanks for this simple explanation! I got distracted by the [FULL VERSION] Magnus Carlsen Blind & Timed Chess Simul at the Sohn Conference in NYC (https://www.youtube.com/watch?v=xmXwdoRG43U) video and now I'm late for dinner!

Ah, makes sense. I guess they just assume that any client who is requesting to sit in that seat is authorized to.

Yes, I had my desktop version of MTGA hang and when I connected to the match with my iPhone it immediately disconnected the desktop.

What is the Twitter post for? I'm assuming this was not you "disclosing" it to them, but it's basically some kind of advertisement for yourself? You did contact them via a proper, private channel to disclose and make sure they fixed it before the Twitter post, correct?

What was the process like disclosing the bug to them? One part of your post that you left out and I was curious on. Was it friendly/straightforward? Were they surprised at all that this was possible?

There is mtgatool, an open source app to read the logs and generate a history of played games and some statistics: https://github.com/mtgatool/mtgatool-desktop

I think a lot of people explicitly do not want to bother with playing essentially paper magic, because it requires quite a bit more concentration if your board state is complicated to not miss any triggers or phase change too far accidentally.

This is what I was looking for, thanks. Gonna give it a spin with friends.

My understanding is that at the start of a game, the system shuffles and draws three hands for you, and then selects one of them to be your actual starting hand. I don't know what heuristics it uses for which of the three to select, but typically in real life you would be hoping for three lands as a baseline, ideally that can tap for the colours of the spells in your hand as well.

I believe this only applies in best of 1 matches, but not best of three matches.

Unfortunately I don't have a credible source for this.

Does MTGA not have any kind of Mulligan mechanics that would solve the initial bad hand?

MTGO does not use the same shuffler as MTGA