[Discussion] Playng around with Login / Auth packets

Discussion in 'Plugin Development' started by Ziden, Jul 25, 2011.

Thread Status:
Not open for further replies.
  1. Offline


    I'll try to Translate Later :)
    And Wait, I think you may be able to do something with SpoutCraft Soon, as it has it's own Client. I'm learning Java, And Soon, I think I can use Spoutcraft or something to Bypass "Bad Login".
    I'll find something soon! (Maybe you can request help from them, Spout, With your Idea of a Online/Offline Server, Checking All People not on the List, allowing some Members to join without Premium, rest does.)
  2. Offline


    Im still a noob at everything here but i know my way around server coding. If I am getting you right you want all users including free users to be able to join correct? The way around this is very simple! All you need to do is capture and log the packets you send and receive from mc.net from both you and the server. You will need to do this with multiple accounts to identify the packets that authenticate your login to the server. Then all you need to do is cloak each user that connects to something that generates a correct packet that sends that to mc.net to authenticate the user. It should return true and allow the user. It sounds complicated but you could probably get the first part done in one day and the other in like 3-5 days. However good you are at coding this. You may need to re-code some base files here, which ones im not sure. Im a noob at coding plugins and cant even make one work, That doesnt mean i dont know my shit here :) Don't call it on me if it doesn't work 100% but should be the basic on how to get it working.
  3. Offline


    Actually, I'm not able to Translate it well. My dad (Who Knows a lot of Java) is refusing to help me. Curl is just an HTTP Request type thing. You'll need to find a way to fill a command similar to Curl In Java.
    I think the way to go is a Custom Client.
  4. Offline


    A solution in a client mod i dont think its a good solution. A solution in a bukkit-source , its an good solution and a solution in a plugin, is the perfect solution.
    This line, specially, in Shell-Script, is what im tryng to figure it out. Im thinking on re-posting this in a different topic , something like Shell to Java so people with understandings could help.

    I can understand what curl does, sends http request, grab responses. I belive a curl in java would be this:

    URL url = new URL((new StringBuilder()).append("http://www.minecraft.net/game/joinserver.jsp?user=").append("bla").append("&sessionId=").append("bla").append("&serverId=").append("bla").toString());
    BufferedReader bufferedreader = new BufferedReader(new InputStreamReader(url.openStream()));
    String answer = bufferedreader.readLine();
    Now, i cant figure out why that shell has 4 variables, and where does the least 2 come from ! And whats the

    set -- `curl -d "user=$user&password=$pass&version=9999" https://login.minecraft.net/`
  5. Offline


    Version 9999 is the current version it uses, so no need to change that variable. And the Session ID may be random. Trust me, I doubt it means anything.
    And that line, I'm not sure. I'll test it on my Mac and Find out. I'll report to you in a bit.

    Figured out a Method! :)
    There will be a list. The list will show who is not premium, and will require everyone else to be premium. The people who are not on the list must type in their Minecraft.net Password to successfully Auth the MC account, and then give the player their permissions to build and use commands back, and Kicks them if they get the password wrong.
    The Data would be sent to login.minecraft.net

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
    Last edited by a moderator: May 17, 2016
  6. Offline


  7. Offline


    No! No no no! I'll calm down and explain. I'll namechange myself with that plugin, and then.... I can show up as any Premium person. That code will NOT work. It doesn't Authenticate, It simply sees if the playername has paid, not the player on the server.
    You need something that sends Credentials to Minecraft.net, For login.minecraft.net
    Heck, I'll decompile their launcher and find it myself for you.

    public class MinecraftUtils
    /*    */ {
    /*    */   public static String[] doLogin(String user, String pass)
    /*    */     throws BadLoginException, MCNetworkException, OutdatedMCLauncherException, UnsupportedEncodingException
    /*    */   {
    /* 15 */     String parameters = "user=" + URLEncoder.encode(user, "UTF-8") + "&password=" + URLEncoder.encode(pass, "UTF-8") + "&version=" + 13;
    /* 16 */     String result = PlatformUtils.excutePost("https://login.minecraft.net/", parameters);
    /* 17 */     if (result == null) {
    /* 18 */       throw new MCNetworkException();
    /*    */     }
    /* 20 */     if (!result.contains(":")) {
    /* 21 */       if (result.trim().equals("Bad login"))
    /* 22 */         throw new BadLoginException();
    /* 23 */       if (result.trim().equals("Old version")) {
    /* 24 */         throw new OutdatedMCLauncherException();
    /*    */       }
    Sorry about the /*, Notepad++ adds that. But I think it is somewhere in that. I'll give you the files too. (Transformed to TXT)

    Attached Files:

    Last edited by a moderator: May 18, 2016
  8. Offline


    Notepad++ doesn't add the /* */. It's probably your java decompiler :p
  9. Offline


    Im going to do it using hasPaid page, and forcing non originals to use a [P] before its nickname. Thanx for your help =] I think its not the 'coolest' solution but its simple and works. Ill be releasing the plugin later.

    Thx alot.
  10. Offline


    But it isn't going to work Ziden. It doesn't really Auth you, and it doesn't check the person. It just sees if the User is Premium. I can login to a server as you and it will act as if I were you. You could do that, or you could try doing the Login.Minecraft.Net, and if you use it correctly (Like Spout Does), It will find if the user is real. The only thing that is bad about this is that you have to type your password in on the server. But it checks with MC.net to see if the User is premium.
    Sorry if I seem like a Whiner.

    Guess it is. Well, It still found what I needed.

    Here's the Normal MC Launcher thing.
    public void login(String userName, String password) {
        try {
          String parameters = "user=" + URLEncoder.encode(userName, "UTF-8") + "&password=" + URLEncoder.encode(password, "UTF-8") + "&version=" + 13;
          String result = Util.excutePost("https://login.minecraft.net/", parameters);
          if (result == null) {
            showError("Can't connect to minecraft.net");
          if (!result.contains(":")) {
            if (result.trim().equals("Bad login")) {
              showError("Login failed");
            } else if (result.trim().equals("Old version")) {
              showError("Outdated launcher");
            } else {
    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
    Last edited by a moderator: May 17, 2016
  11. Offline


    All you need is to let the server run in offline mode and check each player to see if they are legit. In offline mode, you can log in with a non modified client if you also run your client in offline mode (just make a typo on your password and you can easily do it). Then from there you could add a bunch of random numbers on the end of Player and have a /auth command so that they could register local usernames. That way it works just like normal for paid players but pirates would have to go through the extra /auth command.
  12. Offline


    checking username premium status is damn stupid, there are 3kk usernames paid, you may choose mostly any popular nickname like and it will be paid.
  13. Offline


    I agree with that. Just more... politely. Namechangers. You need the Login.Minecraft.net thing, where you type in the password when you connect to the server and it is sent to MC.net, and if it doesn't say Bad Login, it knows it is real.
Thread Status:
Not open for further replies.

Share This Page