[Req] Client Class Data Finder [AntiHacking][Spout]

Discussion in 'Archived: Plugin Requests' started by emericask8ur, Oct 22, 2011.

  1. Offline


    waiiit look we can even go on to another game, call of duty mw2 for example, number one hacked game, but after a while they sent a patch to all clients and this patch blocked most of any modded files, why can't we do the same?
  2. Offline


    Alright, this is just a guess, but I'll take a shot at it.

    Call of Duty MW2 is closed source, meaning no one but developers at Infinity Ward have access to the source code. That allows them to do things like update the server and the client to use a different communication method, thus forcing all clients to update if they want to play on the servers. They also have a lot of money on the line, and money motivates them to expend massive amounts of effort making sure everyone plays fairly and pays for the game.

    In the case of Minecraft/Bukkit/Spout, that monetary motivation is absent. It doesn't matter how great the idea is, it would take a lot of effort to execute it properly, and no one's paying these developers. Furthermore, anything of this nature would require BOTH a server AND a client mod. So anyone connecting to your server would have to be using the special client that makes sure they're not hacking. If you do this via spout, it would be easier, but as many people have said, there's nothing stopping someone from simply altering the client to say it's a clean client, when in reality it's not. (This is the case regardless of whether spout / spoutcraft is used)

    In any case, protection schemes of this nature are arms races, and we have limited resources. The moment a scheme like this is put in place, hackers will work until they break it. Once it's broken, we'll have to patch it back up. Then they'll break it again. No one wants to work on a project like this because it becomes perpetual work just to keep it secure, and they're not being paid. You also end up creating a server where all your players have to download a different client just to play on it. You'll lose most of your players up front for this reason.

    Combine all of this with the fact that there are purely server side solutions for most client hacks.

    Flying, speedhacking, fall damage hacks, chat spam, etc: NoCheat, a few others
    Xray: Ore To Client Obfuscation, XRay Informer, several others
    Quit Packet Spam: LeaverBuster, LogStopper
    Griefing: LogBlock, HawkEye, others

    With the right cocktail of plugins, you can make life hell for client hackers, and they'll just find another server to pester. No need to expend a huge amount of time on a protection scheme that requires perpetual effort just to maintain.

    The question is not whether something like this is possible. It is possible. The question is whether it's practical.
    minecraftYord and Top_Cat like this.
  3. Offline


    I have got into the Files myself though for Mw2,
    FearGrump and ZNickq like this.
  4. Offline


    Oh the irony, that's exactly what they would do to the client mod. Because you are talking about storing this stuff on the HACKER'S COMPUTER, the server has no control over those, and the client can send whatever message it wants. And someone could just create a file that pretends that the client has the patch, when in reality it doesn't.

    You are forgetting the fact that the server has no control in this situation, while the client and modder has everything.
  5. Offline


    No one seems to have said "CFBanner" he got into zombe's class files and CBJ's mod class files, and blocked them.
  6. Offline


    No he didn't.. They both have checks for a certain combination of color codes, if the mods find these color codes, it disables itself.
  7. Offline


    He didn't, the two mods have a switch which the server can control, and all he did was activate that switch.
  8. Offline


    At the same time you have to consider that a lot of modders are actually copying amateurs. Most modders either download the pack from somewhere or have watched a guide specifically on how to do it. With that in mind, YES there are many players smart enough to remove/override the check. This is an issue with all client security, is it not? Still, the method that OP wants can have decent success against the amateur modders. How many people download a modded spout client to join one server? Doubtfully many. That is until the plugin becomes more common, and many users start to download the already 'fixed' client. I'm no expert with client modding nor java in general, but I say it's possible to have some success with this method.
  9. Offline


    I guess the server could check against copies of original classes, but then again a haxord copy could send clean copies instead of the haxord ones.
  10. Offline


    The server cannot check the class files against copies of the original, since the client does not ever send the class files to the server.
  11. Offline


    You can never trust the client to tell you anything true.

    I ask for a hash of all the client's classes, what is to stop the client from prehashing the classes from a 'legit' client and sending those?
    Daniel Heppner likes this.
  12. Offline

    Daniel Heppner

    If nothing was impossible, wouldn't that make it impossible for something to be impossible? Your logic is flawed.

    Anyway, OP, this is impossible. How do you propose you're going to check client code from the server? Obviously, no one is going to use a mod that will prevent them from using their hacked mods if they want to use their hacked mods. >_>
  13. Offline


    If you added it you could.
  14. Offline


    we would use it lol.
    emericask8ur likes this.
  15. Offline


    The server sends instructions for modifying the classes, before hashing. You could for example add a session id before you hash. In order to get around this you would need to keep copies of the original files around so that you can use them to create the hash.
    This becomes more difficult if you hash the classes loaded into the JVM. As always, the client is capable of circumventing this, but the circumvention would need to be more complex than you are making out.
    emericask8ur likes this.
  16. Offline

    Daniel Heppner

    If I wanted to go fly on a server, why would I install a mod that stops me from flying? *scratches head*

    You don't get what I'm saying at all.

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
    Last edited by a moderator: May 20, 2016
  17. Offline


    You're a plugin developer - why are you requesting a plugin, and then arguing over what's possible and what's not?
  18. Offline


    Because as you can see it's very difficult!
  19. Offline

    Daniel Heppner

    No, it's impossible.
  20. Offline


    well you would get permission nodes to fly? lol
  21. Offline


    A server cannot check what is loaded into the JVM on the client.
  22. Offline


    Of course it can't - the client side mod would do that. The whole point of doing this is to make it difficult to run a client side hack. No one thinks that you can ensure that the client is not hacked.

    If you force the hacked client to run a clean client next to it in order to pass verification checks, you have already made it very difficult for them.

    The idea is to use the vanilla classes as a 'pre-shared secret'. Yes, these measures can be circumvented by keeping a copy of the vanilla classes on hand.

    If it is possible, reading the loaded classes directly from the JVM is a better option in my mind than off the disk. In the end, if someone is determined they will get around it.
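The challenge-response idea from posts 11, 15 and 22, as an added example that is not part of the thread and is not code from Bukkit or Spout: a per-session nonce defeats replay of a pre-computed hash, but a client that keeps the vanilla bytes on hand still answers correctly. The class name, the byte strings standing in for class files and the choice of SHA-256 are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;

public class ClassHashChallenge {
    // Constructed stand-ins for class-file bytes; no real class files are read.
    static final byte[] VANILLA = "vanilla-class-bytes".getBytes(StandardCharsets.UTF_8);
    static final byte[] MODIFIED = "modified-class-bytes".getBytes(StandardCharsets.UTF_8);

    // SHA-256 over nonce || class bytes: the "add a session id before you hash" step.
    static byte[] digest(byte[] nonce, byte[] classBytes) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(nonce);
        md.update(classBytes);
        return md.digest();
    }

    // Server side: recompute the expected answer from its own vanilla copy and compare.
    static boolean serverAccepts(byte[] nonce, byte[] answer) throws Exception {
        return MessageDigest.isEqual(digest(nonce, VANILLA), answer);
    }

    // A fresh random value per session, so an answer is only valid for that session.
    static byte[] freshNonce() {
        byte[] nonce = new byte[16];
        new SecureRandom().nextBytes(nonce);
        return nonce;
    }

    public static void main(String[] args) throws Exception {
        byte[] session1 = freshNonce();
        byte[] session2 = freshNonce();

        // Honest client answering the challenge it was given.
        byte[] honest = digest(session1, VANILLA);
        System.out.println("honest client:          " + serverAccepts(session1, honest));
        // An answer recorded in session 1 is replayed in session 2 (the concern in post 11).
        System.out.println("replayed old answer:    " + serverAccepts(session2, honest));
        // The client hashes the modified bytes it actually runs.
        System.out.println("modified bytes hashed:  " + serverAccepts(session2, digest(session2, MODIFIED)));
        // The client runs MODIFIED but hashes a kept VANILLA copy (the caveat in post 22).
        System.out.println("hashes a vanilla copy:  " + serverAccepts(session2, digest(session2, VANILLA)));
    }
}
```

The last case is why the check proves only that the responder possesses the vanilla bytes, not that it is executing them.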
  23. Offline


    This is only as impossible as you require it to be secure. If you demand perfection, of course it is impossible. To say "but it can be bypassed" is redundant. The real question to ask is this: Would it be effective?

    As has been stated, this would provide a significant deterrent to many; which won't make it perfect, but I would wager to say would make it effective.

    For a server that is already requiring a certain set of client mods, such as Spout; such a plugin would be effective at preventing a good number of modified clients from entering the server.
  24. Offline


    if you want to find out if someone's a hacker just tell them to type a period! most hack clients use that. if they can't you can kick ban them. it doesn't ALWAYS work tho
    DirtyStarfish likes this.
  25. Offline


  26. Offline

    Pixel Bandit

    "Impossible is just a big word thrown around by small men who find it easier to live in the world they've been given than to explore the power they have to change it. Impossible is not a fact. It's an opinion. Impossible is not a declaration. It's a dare. Impossible is potential. Impossible is temporary... Impossible is nothing"

    Well that's what my Adidas shirt says so it's clearly possible :D!!!
  27. Offline


    Nope. This is impossible.
    Pixel Bandit likes this.
  28. Offline


    'More Difficult' is totally irrelevant. It takes 1 person to do a difficult task, then they can turn around and sell it to script kiddies and you are still fucked.

    Even greater is that you cannot trust the JVM either. OpenJDK can run minecraft with a bit of tweaking, and you can just download the source code for it and modify it.

    The main issue is that the server doesn't quite respond to movement and block place right. The server trusts the client in many ways to do what it says it's doing (this can be seen with a laggy environment and world protection...WorldGuard an area and induce 500ms+ lag. You can jump over 2 block high walls by placing the block and jumping over the wall before the server says the block doesn't actually exist).

    Additionally, don't send the client blocks they can't see (yes, this involves building world update packets for each player). That fixes xrays. Don't let the client tell you where the client is. Take input and simulate what that input would do on the server (fixes flyhacks). put a rate limit on user input per second (fixes nukers).
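A sketch of two of the server-side controls named in post 28, added here as an example and not taken from the thread or from any Bukkit plugin: the server computes position from clamped input instead of accepting coordinates, and it caps actions per second per player. The speed and rate constants, the class name and the fixed-window limiter are assumptions; gravity and collisions are not modelled.

```java
import java.util.HashMap;
import java.util.Map;

public class ServerSideChecks {
    // Assumed limits for illustration; a real server derives them from its own physics and tick rate.
    static final double WALK_SPEED = 0.22;          // blocks moved per tick at full input
    static final int MAX_ACTIONS_PER_SECOND = 10;   // block-break requests accepted per second

    record Pos(double x, double y, double z) {}

    // The client sends an input vector, never a position. Input longer than 1.0 is clamped,
    // and y is not influenced by input at all, so the client cannot claim to be airborne.
    static Pos applyInput(Pos p, double inX, double inZ) {
        double len = Math.hypot(inX, inZ);
        double scale = len > 1.0 ? 1.0 / len : 1.0;
        return new Pos(p.x() + inX * scale * WALK_SPEED, p.y(), p.z() + inZ * scale * WALK_SPEED);
    }

    // Fixed-window counter per player: {windowStartMs, count}. Single-threaded for brevity.
    static final Map<String, long[]> windows = new HashMap<>();

    static boolean allowAction(String player, long nowMs) {
        long[] w = windows.computeIfAbsent(player, k -> new long[] {nowMs, 0});
        if (nowMs - w[0] >= 1000) {   // a new one-second window starts
            w[0] = nowMs;
            w[1] = 0;
        }
        return ++w[1] <= MAX_ACTIONS_PER_SECOND;
    }

    public static void main(String[] args) {
        Pos start = new Pos(0, 64, 0);
        // Normal input and an oversized input both move the player the same distance in one tick.
        System.out.println("normal input:    " + applyInput(start, 1.0, 0.0));
        System.out.println("oversized input: " + applyInput(start, 500.0, 0.0));

        // Constructed burst: 200 break requests from one player inside 200 ms.
        int accepted = 0;
        for (int i = 0; i < 200; i++) {
            if (allowAction("player1", 1_000L + i)) accepted++;
        }
        System.out.println("accepted " + accepted + " of 200 requests in the burst");
    }
}
```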
  29. Offline


    having a plugin where everyone is forced to type a . every time they join isn't impossible...
  30. Offline


    Not all hacked clients have .commands. Even if they did, it's not hard to use their spam command to spam 1 period.
