DreamBot costs a lot.
At least for me. If I can use my programming skills to get it for free, that's great. The client is free with paid VIP features, but they are just locked behind an account status, which can be spoofed. Even just on the client-side with some byte code patching.
Their script trial makes me able to get my hands on the script jar. That's not good security. After sniffing and downloading the jars, I can put them up on my own server implementation, and even set the trial duration to... owned.
A lot of the code that scripts use to verify whether you actually own their script can also be bypassed (as seen in the hooks to ScriptManager).
One thing I find funny is that the packets MIGHT be stored as obfuscated on their server side, due to ALL OF THEM being valid java class names, whereas the rest get obfuscated to start with a digit.
The tooling derives the hardware ID. The RNG secret is
stored in .anonymize_secret to prevent fingerprinting by DreamBot owners.
As long as that file is kept, the same username will have the same, random, HWID.
The client also downloads the official client, and runs some of its code to extract data, like the version. This is as secure as running the official client. You have to trust DreamBot at some point anyway.
Make an account on their website and try some scripts. This allows them to be downloaded.
Running the client requires you
to set the environment variables USERNAME, PASSWORD.
Currently, DreamBot is moving to logging in with emails.
Setting USERNAME to the email works.
Keep in mind the autogenerated HWID will be different for the same account if using both the username and email.
The client will download the scripts and output them into the current working directory,
The folder structure it creates is perfect for running the server.
You can add config.json there (see below).
When you run the client revision.txt will be automatically downloaded into a new folder in the current directory called output.
That contains everything necessary for the server setup.
Make sure to set the correct path in downloaded config files or copy them to the server working directory.
Make a file config.json for the server config. Yes, the filename is important.
{
"revisionFile": "revision.txt",
"scriptConfigDir": "configs/",
"serverUrl": "http://localhost:6666/"
}Replace serverUrl in case you want to use your own webserver, obviously.
The config directory contains config files, also autogenerated by the client. They contain metadata about the script; you can probably guess how that works.
The options/_.txt files are also generated, not sure what they're trying to protect by doing that.
Change the server options in the server main file,
make sure the NETTY_PORT matches the one in the agent.
And that the HTTP_PORT matches the domain above.
The recommended server structure looks like this:
├── config.json
├── configs
│ └── Script_Name.json
├── jars
│ └── Script_Name.jar
├── options
│ └── Script_Name.txt
└── revision.txt
To run the server set the environment variable CONFIG_DIR to the directory with the config.json file.
java -jar /path/to/server.jarTo run the client, you can either download and run the loader once,
which will place the client.jar file in <user home>/DreamBot/BotData/client.jar,
or you can download the JAR file directly from https://downloads.dreambot.org/dreambot-latest.jar.
Then you can connect to your own server with:
java -javaagent:/path/to/agent.jar -jar /path/to/dreambot.jarIf everything works, you should be connected and get the SPONSOR role. There are logs on the server, so take a look at that in case issues emerge.