+- Mirage Source (https://mirage-engine.uk/forums)
+-- Forum: Mirage Source (Nostalgia) (https://mirage-engine.uk/forums/forumdisplay.php?fid=61)
+--- Forum: Archive (2006-2011) (https://mirage-engine.uk/forums/forumdisplay.php?fid=18)
+---- Forum: Resources (https://mirage-engine.uk/forums/forumdisplay.php?fid=49)
+---- Thread: Server Sends Check To Client Tutorial (/showthread.php?tid=886)
Server Sends Check To Client Tutorial - JokeofWeek - 19-04-2007
Alright, since I have often wondered about the potential dangers of people connecting with a different client to my game to hack it, I decided to come up with a way for the server to check whether the player was using a proper client.
Basically, what this does is sends a packet & a string to the client as an 'acknowledgment' packet and a string attached to it, to make sure the client isn't just sending back a wrong 'received' packet.
The server gives the client 15 seconds to reply (15 seconds for reasons such as lag, slower computers, etc.) and if isn't received, it boots the player!
So basically, add this to your AccountRec :
Code:
LoginTimer as doubleIn the local non-saved variables section.
In modConstants, add this :
Code:
Public Const ACK_KEY as String = "6594sdfsd9r3"Add this to the ClearPlayer sub :
Code:
Player(index).LoginTimer = 0Now, in modGeneral, in the GameAI Sub add this :
Optimization Tip : Add the High Index to speed up the loop
Code:
For i = 1 To MAX_PLAYERS
If GetTickCountNew > (Player(i).LoginTimer + 15000) And Player(i).LoginTimer 0 And Player(i).Login "" Then
Call HackingAttempt(i, "Invalid Client!")
End If
Next iNow, in modHandleData, in sub HandleData, add this anywhere (preferably near the top) :
Code:
' :::::::::::::::::::::::::::::::::::
' :: Acknowledge has been received ::
' :::::::::::::::::::::::::::::::::::
If LCase$(Parse(0)) = "ackrc" Then
if trim(parse(1)) ACK_KEY then
Call HackingAttempt(i, "Invalid Client!")
Exit Sub
end if
Player(index).LoginTimer = 0
Exit Sub
End IfAs you can see, this checks to make sure you got the right key, if not invalids you. Now, look for the "login" packet, and near the end of the if case, right under :
Code:
Call SendChars(index)Add this :
Code:
' Show the player up on the socket status
Call SendDataTo(index, "ackps" & SEP_CHAR & ACK_KEY & SEP_CHAR & END_CHAR)
Player(index).LoginTimer = GetTickCountNow, that's it for the server code! Very simple code on the client side. Near the top of sub HandleData, just add this :
Code:
' ::::::::::::::::::::::::
' :: Acknowledge Packet ::
' ::::::::::::::::::::::::
If LCase(Parse(0)) = "ackps" Then
Call SendData("ackrc" & SEP_CHAR & trim(parse(1)) & SEP_CHAR & END_CHAR)
Exit Sub
End IfAnd there you go
Should work perfectly ^_^ If you have any questions or comments, just say/ask 
- JokeofWeek - 20-04-2007
Dave Wrote:I hate to say it, but this wont stop anyone. It's a worthless addon that just adds 15 seconds to the login time.
If someone has the skills to reverse engineer your packets (which is EASY with MS), they will notice you send the "ack" packet and tip them in.
This is just the basics. There are many ways you can build upon this tut, and one of the most obvious ones would be changing the packet name to a more obscure one, such as playerinfohash or something along those terms, making the player think that the key is not an acknowledgment key, but more something like a key for player stats or something. And other options could be encrypting your packets.
Sorry if that playerinfohash thing didn't make sense, it's getting late xD
- Da Undead - 20-04-2007
Wouldn't it be best just to use the SEC_CODE tut somewhere?
- JokeofWeek - 20-04-2007
Da Undead Wrote:Wouldn't it be best just to use the SEC_CODE tut somewhere?
Yeah, but it's easy to get sec codes, you just look at the login packet
Although you can still look at this packet, not that many people think about it.
- Da Undead - 20-04-2007
how do u look at a packet o-O, mines like 100 characters long :p
- Robin - 20-04-2007
Da Undead Wrote:how do u look at a packet o-O, mines like 100 characters long :p
Add a debug.print in send data or load up your packet sniffer in string mode.
- Da Undead - 21-04-2007
clients can do that o-O?
So how do u make them non-hackable :p
- JokeofWeek - 21-04-2007
Da Undead Wrote:clients can do that o-O?
So how do u make them non-hackable :p
lol, they can't debug.print, but they can sure as hell sniff your packets. And it's kind of hard to detect :wink:
- Da Undead - 21-04-2007
is there any tut or code that fixes all holes and loops? : x
- JokeofWeek - 21-04-2007
Da Undead Wrote:is there any tut or code that fixes all holes and loops? : x
Nope, and I don't think there ever will be, considering anyone can just use a simple packet sniffer + memory editor.
- Da Undead - 21-04-2007
:\ hmm k
- ShadowLife - 21-04-2007
Heres an idea, instead of checking at login to match a key in the client to the one in the server, have it check often. Have a list of keys, all under the same packet name, that the client randomly picks to verify itself to the server. The server simply checks to see if the key sent to it matches any of its stored keys, if not its a boot.
- Da Undead - 21-04-2007
Thats good idea, but still crackable. But it'll just make it harder for them :p
Re: Server Sends Check To Client Tutorial - Bradyok - 02-08-2007
Best way is to have the server randomize numbers/letters, save it to the playerrec, and make the client encrypt it back. I'll maybe post a tutorial on this if someone wants it.
Re: Server Sends Check To Client Tutorial - ShadowLife - 14-08-2007
Erm, I may not understand what you mean, but it doesnt sound any different than the rest of the ideas in this thread.
You are just sending a packet to the client, and the client sends it back with an encryption. Anyone who has toyed with a sniffer more than a couple times will notice an out of place packet of randomness. Sounds like because you are saving it to the playerrec makes this a 'l33t' idea.
You want some added protection from packet-sniffing noobs. Lock the use of the client while a packet-sniffer is active. I'm sure everyone here knows all of the most common sniffers, choose your method to block them.
Also everything in this thread stops someone from using a completely random client to access your server, but nothing has been said about altering your client... anything in this thread that will stop that?
Re: Server Sends Check To Client Tutorial - Bradyok - 25-09-2007
Yeah, I'm saying it's a randomized packet.. Not just the same packet every couple seconds, so they couldn't do it unless they had your encryption key. Might also want to block WPE Pro so they don't modify existing packets, and compress your game so that it can't be decompiled and modified.