Check if player is cracked or not?

Discussion in 'Plugin Development' started by Baba43, Aug 25, 2012.

Thread Status:
Not open for further replies.
  1. Offline

    Baba43

    Hey, my customer got a cracked server and I want to know if it's possible to find out if a player is using a real account or not.
     
    Baba43, Aug 25, 2012
    #1
  2. Offline

    xDrapor

    No, I have been asked this question, it theoretically will not work for this scenario, which I can explain in an example:

    Player A has bought Minecraft, and is Premium.
    Player B has not, and uses a "hacked" launcher to use Player A's Minecraft NAME.
    Player B, upon entering the server, will appear to be premium, by just using Player A's name.
    It MIGHT be possible, but I can guarantee you, that it will not at all be 100% accurate nor reliable.

    On another note, I'm not quite sure if discussion based on "cracked" servers are allowed in the Bukkit forums.
     
    xDrapor, Aug 25, 2012
    #2
  3. Offline

    skore87

    You'll want to use one of those password plugins designed for offline mode servers to give you some security.
     
    skore87, Aug 25, 2012
    #3
  4. Offline

    xDrapor

    That wasn't his question, he wanted to basically find a way to "query" whether a user is premium or not. :D
     
    xDrapor, Aug 25, 2012
    #4
  5. Offline

    travja

    I'm pretty sure if you set online mode to true and use the PlayerPreLoginEvent you could find a way to query it and allow them in if it's the right person, therefore making kindof a whitelist to you premium only server
     
    travja, Aug 25, 2012
    #5
  6. Offline

    Giant

    travja that still will fail, as your password is never send to the server. PlayerPreLoginEvent only checks against the name I believe. Therefore a cracked client might still make it in if it were to use a name of which it is certain is legal. It does however stop most cracked clients, as those never connect to minecraft.net in the first place, so you wouldn't need the event anymore, because they won't get in. And those that do get in, would probably bypass it anyhow...
     
    Giant, Aug 25, 2012
    #6
  7. Offline

    r0306

    r0306, Aug 25, 2012
    #7
  8. Offline

    Giant

    r0306 I know how it connects, however seeing how the hacked/cracked clients can kind of pick any user name they want. That method is not fool prove at all... Using online mode DOES stop allot of the hacked/cracked clients from coming in though, as most ignore minecraft.net.
     
    Giant, Aug 25, 2012
    #8
  9. Offline

    xDrapor

    FLAW: Users can use premium players names, as demonstrated in my example.
    Also, I used my username, an it returned false, although I did infact purchase Minecraft.
    All in all, I still stand by what I say, all methods regarding this will infact be flawed, until Mojang has a drastic change in their auth system.
     
    xDrapor, Aug 25, 2012
    #9
  10. Offline

    r0306

    Giant
    In that case, there's no way to check whether they are or not unless the server itself is running online mode, which brings me to a point. I've seen many servers running multiple servers on the same ip but through proxies which means that players can travel between the servers without having to disconnect from the game using portals. This means that you might be able to make them connect to a server running offline mode and then immediately force them to connect to a server running online mode on a different port. If they are rejected, that means they are running offline mode and will just stay on the first port. The rest will be connected to the port labeled as premium (the second port). That's just a concept that I thought up of in a few seconds after reading your post. I'm not sure if it will actually work or not.
     
    r0306, Aug 25, 2012
    #10
  11. Offline

    Giant

    r0306 it is indeed VERY hard to check if a client itself is premium or not, am not saying impossible, as am sure there will be ways to do so. However, you would be fighting a war you can't win as you are generally 1 step behind on the hackers. What you suggest might work, though I think that if the client doesn't get into the server running online mode, the client would get booted. As technically he would already have left the online server.

    It is also not needed to use proxies to run multiple servers on 1 ip, only thing you would need are multiple ports...
     
    Giant, Aug 25, 2012
    #11
  12. Offline

    travja

    Giant r0306 Another thing you might try is finding out how bukkit does the check for online mode, then run that in your PlayerLoginEvent.... Not quite sure though.
     
    travja, Aug 25, 2012
    #12
  13. Offline

    r0306

    Giant
    No, I believe the only way to join two servers together and allow the client to travel between the two is with a proxy.

    http://forums.bukkit.org/threads/proxy-servers-together.91946/

    travja
    I believe what happens is that when a player first tries joining the server, an authentication packet is sent from client to server containing the encrypted password that the player entered in when they first logged into their client, which is then sent from the server to the Minecraft DB, verifying the password's legitimacy. That also is why when no password is entered as in a cracked client, the server can tell if it is actually premium or not as the password is invalid.

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: May 28, 2016
    r0306, Aug 25, 2012
    #13
  14. Offline

    Forge_User_54497078

    No, you can not.
    The first package sent from the client to the server is the handshake package, the server reacts on it with this code:
    https://github.com/Bukkit/CraftBukk...net/minecraft/server/NetLoginHandler.java#L62 - The important line is 79 cause if the client receives the key "-" from the server he won't do any Mojang authentication, so will be seen as non-premium even if he is premium. But if you send a real key and the client is in offline mode he will disconnect instantly.

    //EDIT: r0306 Tzhe client _never_ sends a password to the server. There's a complicated mojang authentication which both, the client and the server have to go through. The only server that receives the clients password is the Mojang authentication server.

    //EDIT²: Basically (in fact it's more complicated) the server sends a request to mojang containing the player name and the hash from line 79, the mojang server generates a new hash and the client connects to the mojang server, too, telling to what server he wants to connect (and the hash from line 79). Then he gets the hash from the mojang server and gives it to the server he wants to connect to. the server sends this hash to mojang and mojang tells if it's valid or not.
     
    Forge_User_54497078, Aug 25, 2012
    #14
  15. Offline

    Giant

    r0306, travja actually what happens is this:
    When you login into minecraft, your details get send to the minecraft server for confirmation. If this fails, you won't be allowed to login. Therefore, you will be "premium" when you can login. However, as hacked/cracked clients sort of skip the login part, it for them is not in effect.

    Then when you connect to a server, only the username gets send. Sending a password would be sort of a potential security risk. From there on the server does a few checks on the username at the minecraft server. Including checking if the client is actually logged in according to the database. This check is quite hard to bypass, as it would require for a hacked client to be in an active session at minecraft.net, which would leave a great potential risk of being discovered, and would require a valid username and password, and therefore is not what you want. See here for a bit more insight in this.

    If a player does not pass this initial check, the player will be kicked right away, and the event will not get fired either. The event is I believe mainly meant for plugins to disallow a player from login in.

    Also r0306 "jsp" means "Java Server Page" not javascript page :p
     
    Giant, Aug 25, 2012
    #15
  16. Offline

    r0306

    Giant
    I guess you would have to edit Bukkit's authentication code to allow the player in rather than kick them but also mark the non-premium members in the process.

    Lol. I'm new to JavaScript/Java Server Apps. Currently writing a Java Applet.
     
    r0306, Aug 25, 2012
    #16
  17. Offline

    Giant

    r0306 not only Bukkit's authentication code, but as V10lator showed you would also have to modify the base of the minecraft server, and the client possibly aswell. Seeing how when you edit the server, the client expects a different reply in the case of that packet...

    Also, don't worry about the "jsp" thingy, I used to think it as "JavaScript Page" as well :D
     
    Giant, Aug 25, 2012
    #17
  18. Offline

    Forge_User_54497078

    Giant Yes, you have to modify the client for this to work (tell him to not disconnect in offline mode when the server sends another hash than "-"). Modifying the server? Yes, but at runtime. I have a plugin lying around (not updated to 1.3) that does exactly that, that's why I know how the client handles this. ;)

    r0306 OT: JavaScript != Java:
    JavaScript was developed from the Netscape corporation 1995 while Java was developed from Sun 1991.
    (Source: http://en.wikipedia.org/wiki/JavaScript )
     
    Forge_User_54497078, Aug 25, 2012
    #18
  19. Offline

    r0306

    V10lator
    I know, I mean the concepts. The Applet was a random statement lol. Still, thanks for pointing that out.
     
    r0306, Aug 25, 2012
    #19
Thread Status:
Not open for further replies.

Share This Page