Anti Hacked Client

Discussion in 'Archived: Plugin Requests' started by HarrisAz, Feb 8, 2013.

Thread Status:
Not open for further replies.
  1. Offline


    Enforce spout, problem fix.
  2. Offline


    Once again, with Minecraft's current implementation, there are ways to bypass it. Yea, you might have significantly fewer hackers, but also way way way fewer players.
  3. Offline


    Since you missed the implicit meaning of my reply, my point is that by relying on obscurity your solution only works so long as you are the only one doing it. It's not a magic bullet for hacking by any means and limits your player base substantially in this case. It's not a large scale solution, and frankly isn't even a very good small scale one.

    That line I used "out of context" succinctly summed up your naive views on security.
  4. Offline


    Of course that could still be bypassed. It's impossible to make anything that you can't bypass. But you could certainly make it difficult for them. Manual obfuscation would do a lot.
  5. Offline


    You don't even have to look at the src, just watch the packets going out and imitate them.
  6. Offline


    Errrrm... If your mod modifies "The main class of Minecraft", then I would probably assume you used MCP to recompile that mod of yours. I can then go ahead and use MCP on my end, decompile it, get the full source, and modify it as I like. MCP does obfuscate, using Notch's obfuscation for compatibility, but MCP also deobfuscates it.
    thefiscster510 likes this.
  7. Offline


    Go get any mod and try it then. You will see what I am referring to. My mod currently, when I decompile it, has around 3780 errors. If someone would like to fix them all, be my guest, but the next time I update, which I said is often, they will have to redo it all again. I also notice with custom mobs, the IDs break, so they would have to guess which ID I used for my 30 or so custom mobs, because if one is wrong, they can't join, and if they do, the second they see that mob, they crash. With no single player option, or joining other server option, they have to test it on my server, and if I see someone get kicked more than a couple times in a row for 'missing' mods, when I know they shouldn't be because my client handles it for them, I will ban them.
  8. Offline


    So, it's not purely an authentication client. It's also a game client. Which means it most likely isn't an authentication client at all. It's just like playing on a Feed The Beast server.
  9. Offline


    Who exactly? If you have a Bukkit server then you're probably at least 12 years old; other than that, kids are just too retarded for that.
  10. Offline


    Ok, guys. Which file should I change to break every hack client? Which file is very important for hacks to work?
    I mean which file from MCP.
  11. Offline


    This has been "patched" in the latest state of NoCheatPlus and our tests are showing positive behavior of our new godmode check. So the next NoCheatPlus release build will include this check, which hopefully gets rid of those old godmode exploits.

    You can modify, obfuscate, encrypt or destroy the client as much as you want.
    If you have to give it to the public then you can be sure that someone will still be able to cheat on your server by using it. It's not required to have the source to be able to cheat on a Minecraft server. There are a lot of different ways to cheat without having to know the source code.

    CheatEngine: You can modify parts of the client while it's running with this program. So I basically could move 2x-3x-4x-unlimitedX times faster but I still use your client and I didn't touch the source code of it to do this. I just edited stuff that was in my memory.

    Injecting code: Hackers could inject code into your client to make some strange stuff work on it even if you don't want to support it.
    Some game mods such as MentalOmega (one of my favorite ones) use this method to do huge modifications on the game without needing the source of it. [Kinda Like CheatEngine]

    Packet control: The user of your client has full control over what he/she wants to send to your server. He/She can basically grab the packet before it gets sent, then modify it and send it to the server to do some cheats/hacks on it.

    Yea, but if you make a mod using MCP then your players kinda have to "create" a custom client by implementing your mod in their clients. So it's kinda the same... Also, if you check over packets, they can just record that packet you sent to the server and fake it, so they can exploit that to still join with hacked clients on your server, but your server still thinks that those players are "legal" players because they sent the right packet.

    It's not the implementation of Minecraft that makes such cheats/hacks possible. Minecraft uses the client-server logic which every game also uses.
    The problem here is that the Minecraft server doesn't really care what the client tells it to do. The client can basically just say: "Hey server let me kill this guy with 1 hit!" And the server says: "Yea. Here you go." Without even checking if that request from the client was "invalid" or not.
    Minecraft lacks server security compared to other games.
    Plugins such as Orebfuscator and NoCheatPlus/AntiCheat try to fix this issue as much as possible.
    (Minecraft/CraftBukkit has some inbuilt protection of course to prevent the biggest hacks such as modifying the text on already placed and written signs and more)

    Spout is also not 100% secure and hack proof... Some hackers just grabbed Spout, added their hacks to it and launched the griefing journey over the Spout servers.

    Scetch says that he only made Nodus to hopefully make Mojang fix such security holes in Minecraft, but it didn't work out as planned...
    So that might be the reason why Scetch didn't try to use any sneaky methods to confuse NoCheatPlus/AntiCheat in any way. I guess he just wanted to show what's possible in vanilla Minecraft.

    @EveryoneThatTriesToFixHacksAndCheatsOverTheClient (<--- Don't register that name or I punch you [It's too long anyways]) You are viewing this from the wrong perspective. You all are so focused on modifying the client somehow to kill hack clients but you totally forget about the server side. Just because the client wants to fly on our server doesn't mean that we are forced to allow it to fly on our server.

    Example with block breaking (Fastbreak check):
    Server without NC+/AC:
    Client: Hey Server let me mine this block 4x faster than normal because I'm too lazy to wait!
    Server: Yea sure. Go ahead and do it.

    Server with NC+/AC:
    Client: Hey Server let me mine this block 4x faster than normal because I'm too lazy to wait!
    Server: NOPE. Here are your possibilities: You mine this block at normal speed or I kick with my kick boot! (actions are configurable on both plugins)

    As you see: We don't need to try controlling the client because we simply can deny its invalid requests (That's what NC+/AC do, explained in a very simple way). If the client refuses to follow our rules that we set up with AC/NC+ then we can take actions against it.

    Example with and without Orebfuscator:
    Without Orebfuscator:
    Client: Hey server send me those chunks there please I need to load them.
    Server: Sure! *Sends the full chunks with all the ore locations and treasures in them*
    Client: *Uses sneaky xRay to cheat and find those things*

    With Orebfuscator:
    Client: Hey server send me those chunks there please I need to load them.
    Server: Sure! *Sends the full chunks with all the ore locations and treasures in them*
    Orebfuscator: *Grabs the chunks and fakes all ores etc. in them*
    Client: *Turns on xRay and thinks that it is rich! But actually it's just a fake vision <SadFace>*

    We can decide if we want to accept the requests of the client or not and we can also control the server by telling it what is allowed to be transferred to the client and what not (Vanish, PlayersInCubes, ...).

    It's simple: The server is on our side and we can do whatever we want with it. It's the client that plays on the server, not the server that plays on the client.

    Tips to be safe against hackers: Don't install any infected or unknown plugins (only use DevBukkit), use online-mode=true, only op those "friends" that are really friends, keep yourself (your system) and your server up to date, don't install any key-loggers on your system, use the latest security updates for you and your server, use strong passwords, make backups of everything and the hackers won't be able to do anything to you.
    thefiscster510 likes this.
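
Added example, not part of the original thread and not NoCheatPlus or AntiCheat code: a minimal Java (16+) sketch of the server-side fast-break decision described in the post above, where the server times the dig on its own clock and denies implausible requests. The class and method names, the break times, the lag tolerance and the kick threshold are all assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.Map;

/** Server-side fast-break check: the server, not the client, decides if a break is plausible. */
public class FastBreakCheck {
    enum Verdict { ALLOW, CANCEL, KICK }

    // Constructed sample values in milliseconds, not Minecraft's real break times.
    static final Map<String, Long> MIN_BREAK_MS = Map.of("dirt", 750L, "stone", 1500L, "obsidian", 9400L);
    static final long LAG_TOLERANCE_MS = 150; // assumed allowance for network jitter
    static final int KICK_AFTER = 3;          // assumed violation threshold before kicking

    private record Dig(String blockPos, String type, long startedAt) {}
    private final Map<String, Dig> digging = new HashMap<>();
    private final Map<String, Integer> violations = new HashMap<>();

    /** Client reports it started digging; the timestamp comes from the server clock only. */
    void onStartDig(String player, String blockPos, String type, long serverNowMs) {
        digging.put(player, new Dig(blockPos, type, serverNowMs));
    }

    /** Client reports the block is broken; accept only if enough server time has passed. */
    Verdict onFinishDig(String player, String blockPos, long serverNowMs) {
        Dig dig = digging.remove(player);
        // A finish with no matching start, or for a different block, is invalid by itself.
        boolean valid = dig != null && dig.blockPos().equals(blockPos)
                && MIN_BREAK_MS.containsKey(dig.type())
                && serverNowMs - dig.startedAt() + LAG_TOLERANCE_MS >= MIN_BREAK_MS.get(dig.type());
        if (valid) return Verdict.ALLOW;
        int count = violations.merge(player, 1, Integer::sum);
        return count >= KICK_AFTER ? Verdict.KICK : Verdict.CANCEL;
    }

    public static void main(String[] args) {
        FastBreakCheck check = new FastBreakCheck();
        // Constructed event sequence: one honest break, then a client mining 4x too fast.
        check.onStartDig("alice", "10,64,10", "stone", 0);
        System.out.println("alice honest: " + check.onFinishDig("alice", "10,64,10", 1500));
        long now = 2000;
        for (int i = 1; i <= 3; i++) {
            String pos = "10,64," + (10 + i);
            check.onStartDig("mallory", pos, "stone", now);
            now += 375; // a quarter of the required time
            System.out.println("mallory attempt " + i + ": " + check.onFinishDig("mallory", pos, now));
        }
        System.out.println("no start packet: " + check.onFinishDig("bob", "0,64,0", now));
    }
}
```

Nothing in the check depends on which client sent the request, so a modified or repackaged client gains nothing by imitating the official one.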
  12. Offline


    What he said.
  13. Offline


    Decompile your custom .jar, add custom hacks because the hacker knows Java. Hack on server. Can an admin block this thread already? No way to stop hackers from joining a server. (Currently)

  14. Offline


    What you're asking for isn't possible. It is possible to block some hacked clients, but not detect anyone that has them. There are many solutions to this issue, but this request isn't going to get filled. Closed.
    thefiscster510 likes this.