Hi, I would like to share some of my findings about the post https://old.reddit.com/r/DotA2/comments/qt14hf/there_is_a_highly_downloaded_dota_2_ai_bot_script/ which, in my opinion, is very unfair towards the mentioned bot script, namely "Sirius AI 1.6.3 国际版". The reason is that the original post contains many wrong technical analyses, has no concrete backing source, and is unable to come to a conclusion. This resulted in spreading Fear, Uncertainty and Doubt and, most of all, damaging the work of the author of "Sirius AI 1.6.3 国际版".
"Sirius AI 1.6.3 国际版" is a bot script for Dota 2. I will refer to it as "SiriusAI".
My goal is ONLY to analyze the cloud functions of SiriusAI version 1.6.3 released on 24 Aug 2021 10:38am. This means I don't cover other parts of the bot (like playing and farming, etc.) and also can't guarantee this analysis will hold true for any future version of this bot.
However, I can say that from skimming through the code, it seems that the bot only does what other bot scripts do: Play Dota as a Bot. I have not yet discovered any remote execution routine in this version (in simple terms: the bot cannot extract data from the web and change its behavior without an update being made on the Steam Workshop, as of this version).
SiriusAI uses the GNU license; however, I cannot find its repository or any of its source code online. So I subscribed on Steam and copied the source code from `SteamLibrary/steamapps/workshop/content/570/1801131815`. The bot seems to be a modification of "A Beginner AI", which is also a derived work of "BOT EXPERIMENT" by FURIOUSPUPPY.
This is about the script that runs on the Dota 2 server (in Coop mode or Lobby) or on your local machine (in Solo mode). Skip this section if you are not interested in coding or in how the bot works internally.
The main helper (or library) functions for communication between SiriusAI and 'api.alcedo.top' (I will refer to it as "Alcedo") are in the file `AuxiliaryScript/HttpServer.lua`. The communication is initiated in `mode_farm_generic.lua`. Other files only use `HttpPost` in `HttpServer` to communicate with the web server, including but not limited to `ability_item_usage_generic.lua`, `bot_generic.lua`, `GameLive.lua`.
The lib only handles formatting and sending the message to the server and does not have a dedicated set of functions. So I believe that the author is not very experienced in designing architecture / RESTful APIs, and so it has to handle everything, from messaging (chat, item strategy, ability strategy) to operations (error report, delete user id, heartbeat, …), through the same endpoint.
Authentication is done by reading `HttpServer.USERNAME` and `HttpServer.PASSWORD` from the file located at `game/天狼星用户配置`. The bot does check if this file exists before using it. However, there is no code logic that sets up this file locally.
These values will be sent to the API server on every request.
Communication is done by calling `HttpServer.LocalHttpPost` (local development) or `HttpServer.HttpPost` (production). Parameters are:

- `postData`: `object`, the data that needs to be posted to the server, in the following JSON format:

  {
  - `operation`: `string` – The operation, discovered values are:
  - `errorContent`: `string` – only if operation is set to `ERROR`; message on error execution,
  - `bot`: `string` – name of the bot requesting for the `getcloudkits` operation,
  - `message`: `string` – if operation is set to `message`; message of the player that the bot can see and send to the server,
  - `gameData`: `json` – if operation is set to `gameEnd`; information of the game ending statistics with all players in the game. The information is "Team" (rad or dire), "Win" (if the player's team won the game), "Hero" (hero name), "Level", "MaxHealth", "MaxMana", "Gold", "kill", "Death", "Assist", "Bot" (if this player is a bot), "Item0", "Item1" …, "Item5",
  - `hero`: `string` – if operation is set to `kill`, `击杀信息`, `death` – Hero name,
  - `kill`: `string` – if operation is set to `击杀信息` – Killed hero name,

  }
- `url`: `string`, URL of the server, here it is `api.alcedo.top:3010`
- `call`: `function`, callback function invoked when the server returns data. It is called as `call(resdata, calldata)`
- `calldata`: `object`, the data that needs to be passed together with the callback function above
- `notUUID`: `boolean`, whether the UUID needs to be obtained. `false` to obtain a UUID if `HttpServer.UUID` is not set, `true` to ignore a missing UUID. If the UUID is missing, it will be transmitted with the value `local` instead (`HttpServer.lua:125`)
Before sending the message above, the information needs to be wrapped and sent as `application/json` to the server with the `POST` method. Here is the format of the body:

{
- `data`: `object` – postData from the previous section,
- `info`: `object`

  {
  - `uuid`: `string` – UUID,
  - `gameTime`: `float` – DotaTime(),
  - `script`: `string` – constant `Sirius AI`,
  - `user`: `string` – username from the Authentication section,
  - `password`: `string` – password from the Authentication section

  }

}

A new UUID can be obtained from a request with operation set to `getuuid` in the previous section. The server seems to always give a UUID without any restriction. If the UUID is not set (in the first `getuuid` request), the value will be set as `local`. The server also accepts an empty UUID.
I have extracted the snippet here and deleted some of the irrelevant code:

```lua
InstallChatCallback(function ( tChat )
    -- ...
    elseif not closeMessage then
        local postData = {
            operation = 'message',
            message = '"'..tChat.string..'"',
        }
        local allmes = not tChat.team_only
        -- Arguments: postData, url, call, calldata, notUUID
        Http.HttpPost(postData, 'api.alcedo.top:3010',
            function (x, t)
                message = {
                    mes = x,
                    all = t
                }
                -- Prints "Message obtained from the network: " followed by the response
                print('来自网络获取的消息:'..x)
            end
        , allmes,true);
    end
end);
```
We can clearly see that the bot will send any chat message it can see to the backend server with the operation `message`, using `InstallChatCallback` from the Valve Bot API. So the bot only listens to the messages that it can see, that Valve allows it to. That means it won't read our allies' messages unless SiriusAI is playing on our team. The chat will be marked if it is an allies message and sent to the server.
I would like to remind you that the information I posted here can be publicly discovered. I will still refrain from linking direct personal or contact information, but censoring or refusing to refer to it is nonsense to me, as these claims need to be verified publicly.
Skip this part if you don't want to know the details of the web server.
Through ICANN Whois and CheckHost, the server is located in China under the Alibaba Cloud service (the domain DNS is hichina.com, which is part of https://www.alibabacloud.com/, and the server IP address is also inside the Alibaba Cloud CIDR).
The service registered the .top domain through Alibaba Cloud (aliyun.com). .top TLDs offer cheap domain names, as low as 1$, compared to .com domain pricing of around 9$ minimum.
If you want to check for a history of any hacking activities or abuse, this is the correct direction. Relying on Wikipedia is wrong in many ways.
`api.alcedo.top` seems to resolve to `39.106.150.173`, but `alcedo.top` resolves to multiple addresses depending on the service, so I predict that this is the result of using a shared web server. So I checked both their IPs and domains, as in the table below.
Host | AbuseIPDB | MXToolbox | SiteChecker |
---|---|---|---|
api.alcedo.top (39.106.150.173) | Clean | Clean | Clean |
alcedo.top (58.215.145.98) | Clean | 2/82 | Clean (and can only check for domain name) |
alcedo.top (58.216.118.225) | Reported 8 times, 0% confidence of abuse | 1/82 | N/A |
alcedo.top (61.160.228.203) | Clean | 1/82 | N/A |
`alcedo.top` and `api.alcedo.top:3010` do not use HTTPS.

`api.alcedo.top` is served through HTTPS with an HTTPS certificate from TrustAsia TLS, registered from 05/10/2021 to 05/10/2022. That means the owner has/renewed the HTTPS certificate since October. The cheapest cert I can find from TrustAsia is 1900 yuan (300$) a year. Please correct me if I'm wrong.

If I am this guy I would rather treat myself than waste 300$ on all of this shit. Actually I lied. I will use Let's Encrypt for free.

`.top` TLDs are commonly used for phishing and malware, but the `alcedo.top` domain is not related

`local`

`getuuid` operation

`HttpServer.UUID` and use it in any subsequent requests

`hello` will respond with `{face:14}Hello~`

`hello`, we can see that the response `Nice to meet you` is completely different. I don't know how they are the same thing.

Conclusion 2: A man made a dota 2 workshop mod and instead of giving out their API key for the chatbot service, they had to buy a very cheap .top domain that scammers typically use (hence the cheapness) to accept POST requests for the chatbot feature to as well as collect data about the performance of their bots, which is actually optional and disabled by default. The creepy responses to anti-CCP terms are a result of the service that he is using and not something he chose to put in the game. None of this is in the description and gives off terrible vibes, resulting in a loser with low MMR typing this up on a Friday Night.

But he does not seem to be buying it: "There are a lot of red flags but I don't think there are any mines. I thought it would be an interesting post to make."
Initially I distrusted SiriusAI because of my bias toward Chinese software development. However, upon careful review, I see that the old post is damaging someone else's hard work. Based on how the project is designed, I predict that the author is a student and a Dota player. I haven't checked thoroughly, but from searching for usages of `HTTPRequest` (from `CreateRemoteHTTPRequest`) in all of my subscribed bot scripts, I believe this is the first bot of its kind, aside from OpenAI, that has the ambitious goal of changing the bot behavior in a live game. Also, the author invested his money and time into serving better content on the API server than on his main personal website. If it were me I would rather not.
I'm not buying the idea of damaging someone else's hard work, even if they are inexperienced. But I have no tolerance for half-assed homework with the author saying loudly he has zero idea what he is talking about. This is engineering and not politics, so we have enough tools and need to use them to verify our work rather than spreading FUD.
TL;DR The old post is damaging a very good bot by only doing incomplete research. This post does a code analysis showing what SiriusAI v1.6.3 is doing, and also addresses faulty claims.
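
An added example, not part of the original post or of SiriusAI's code: a small Python check that takes one request body in the wrapped `data`/`info` format described above and lists what it discloses. The sample body, the placeholder credentials, the choice of tracked fields, and the rule that a URL without `https://` counts as plaintext are assumptions of this example.

```python
import json

# Field names follow the request format described in the post. What this
# example treats as sensitive, and the plaintext rule, are its own assumptions.
CREDENTIAL_FIELDS = ("user", "password")
PAYLOAD_FIELD = {             # operation -> postData field carrying its content
    "message": "message",     # chat text the bot was able to see
    "gameEnd": "gameData",    # end-of-game statistics for all players
    "ERROR": "errorContent",  # error text from the script
}
NOT_ENVELOPE = "not a SiriusAI envelope (no data/info object)"


def audit_request(body: bytes, url: str) -> list:
    """Return findings describing what one captured POST body discloses."""
    try:
        envelope = json.loads(body)
        post_data, info = envelope["data"], envelope["info"]
    except (ValueError, KeyError, TypeError):
        return [NOT_ENVELOPE]
    if not isinstance(post_data, dict) or not isinstance(info, dict):
        return [NOT_ENVELOPE]

    findings = []
    # Assumption: a URL without an explicit https:// scheme is plaintext HTTP.
    transport = "HTTPS" if url.lower().startswith("https://") else "plaintext HTTP"
    for field in CREDENTIAL_FIELDS:
        if info.get(field):
            findings.append(f"{field} sent over {transport}")
    if info.get("uuid") in (None, "", "local"):
        findings.append("no server-issued UUID (empty or 'local')")
    operation = str(post_data.get("operation"))
    field = PAYLOAD_FIELD.get(operation)
    if field and field in post_data:
        size = len(str(post_data[field]))
        findings.append(f"operation '{operation}' discloses {field} ({size} chars)")
    else:
        findings.append(f"operation '{operation}' with no tracked payload field")
    return findings


# Constructed sample body (not captured traffic); credentials are placeholders.
SAMPLE_BODY = json.dumps({
    "data": {"operation": "message", "message": '"gg wp"'},
    "info": {"uuid": "local", "gameTime": 754.2, "script": "Sirius AI",
             "user": "example-user", "password": "example-pass"},
}).encode()

if __name__ == "__main__":
    for line in audit_request(SAMPLE_BODY, "api.alcedo.top:3010"):
        print(line)
```
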