[solved]player.hidePlayer(Player) can still be seen by a modified client?

Discussion in 'Plugin Development' started by CorrieKay, May 8, 2012.

Thread Status:
Not open for further replies.
  1. Offline

    dsmyth1915

    on the other players login, it loops through the online players, and checks to see if any of them are hidden. If anyone is hidden, then it reiterates the hide code for the logged in player
     
  2. Offline

    ZachBora

    There is 3 events, Player join, login and prelogin. Maybe put the code in one of the other ones? Whichever gets called first.

    But, if the player is hidden why does the server still send the packet to new players hmm...
     
  3. Offline

    CorrieKay

    oh my god youre right.

    line 158.. i forgot my else statement...
     
  4. Offline

    dsmyth1915

    Those cheeky else statements...
     
  5. Offline

    CorrieKay

    aaaaaaaaaaaaaa i feel so stupid :'(

    ah well, i confirmed that that is indeed the issue, and i fixed it now :p
     
  6. Offline

    ZachBora

    Good job
     
  7. My name isn't v10tracker :p but anyway:
    Doxygen has a search, if I search for hidePlayer I get this: http://jd.bukkit.org/doxygen/d5/d74...Player.html#ab93da1df9aed2d570e91127b4ab0c9cd
    And if you want source codes: https://github.com/Bukkit/CraftBukk...kkit/craftbukkit/entity/CraftPlayer.java#L588 ;)
     
  8. Offline

    Komak57

    After hours of searching, I have your answer:

    Hack/Grief client for 1.2.5 ... while they are on your server, they can prevent you from stealthing from them...
     
  9. Offline

    ZachBora

    I don't think you understand how hiding works.
    The server tells the player that this person is no longer online and also stops sending player movements. You can't see what you don't know.
     
  10. Offline

    Komak57

    I am fully willing to download and test this client on your server to see what and what the player can and cannot detect.
     
  11. Offline

    ZachBora

    My server uses NoCheat+, you won't be able to stay long. mc.pwegoable.com
     
  12. Offline

    Komak57

    None of the hacks listed on that client pinged your NoCheat+... spead, fly... I could see all players within about a 100-200 block radius with a wire-frame line going to them... I would need an actual mod online to see if it worked for that or not...
     
  13. Offline

    CorrieKay

    you actually trusted a modified client download?
     
    V10lator likes this.
  14. Offline

    Komak57

    You have a problem, I'm testing it :p don't complain, let's get this figured out?
     
  15. Offline

    CorrieKay

    Well actually, i figured the problem out this morning, so im fine ^ ^

    however, im curious, does that client have any sort of item spawning exploit in it? we had to ban a guy last night because he had over ten stacks of diamond blocks, two stacks of diamonds, and over two full inventories of diamond swords, and logblock said he only ever broke 20 diamond ore :p
     
  16. Offline

    Komak57

    This one doesn't seem to have an item spawn, though I surely don't know all the functions of it. Some of the things it DOES have, is x-ray vision for chests, you can turn on xray and see all your desired blocks. He may have looted unprotected chests to get some of them. Fly hack IS pinged by my server and it will boot you, but you can quickly reconnect. It holds a list of proxies, so you can't IP ban the user. It can climb-hack as a flying alternative, and the / button will "velocity" throw the player, not pinging the fly hack. My block protect plugin is pretty sturdy stuff, and I can't break while i'm not following it's rules. Seems to have a 'step' hack that gets seeds from grass without manually breaking it, also obtains torches in the same manner (accidently damaged some of my town with it XD)
     
  17. Offline

    ZachBora

    That's strange, guests aren't supposed to be able to fly. Will retest that tonight. Anyhow it's the invisibility that is important.
     
  18. Offline

    Komak57

    ZachBora Indeed. I didn't spawn as guest though, I spawned as builder >_>.

    CorrieKay Using this hack on my server, I found a train-mine dungeon and decided to search around. Found a few chests which he could have used to get ores and such. It'd take him forever to harvest the quantities you suggested.
     
  19. Offline

    ZachBora

    I think builder is the name of the current guest rank. I'll check tonight.
     
  20. Guys, a hint: There is no known, functionally minecraft SMP hack. If you really think about using such a "hack" for yourself, give it to some coder first... You'll get the reply: "All that this client does is sending your username and password to some curious website..." people who uses such "hacks" are the people that are hacked... Cause every griefing team will know your username + password in a few minutes to hours... If they are able to google your servsers IP, well, you know the rest of the story... :p

    Hint: Write a small plugin that logs every command that's able to give out items and that tracks item drops for creative players... I wrote such small plugins for a few servers with the same problem... It was always a VIP/op/mod/admin/... giving out free items to some "friend"...
     
  21. Offline

    ZachBora

    I've seen 1 working way of "hacking" and it's to break multiple blocks at once, placing multiple blocks at once and breaking blocks further than you can reach. But there's server mods to stop that.
     
  22. Either that or decompile the client, do a diff with a decompiled version of vanilla, see how it does what it does and fill a bug report. ;)
     
  23. Offline

    ZachBora

    Well it's just like those fly and speed hacks. It's just the mod sending more packets than it should. Nothing that can be fixed about it other than making what Nocheat does into bukkit itself.
     
  24. I see... Such no-cheat detection really belongs into bukkit/vanilla itself, especially when it comes to block break (simple to check, highly attracting for griefers).
     
  25. Offline

    ZachBora

    I think one of the reasons this isnt in right now is to compensate for lag. A lot of game work the same way.

    Take Starcraft 2 for instance, resources are calculated both client and server side. Server only validates. This is to let you spend resources when they should have arrived instead of waiting for a packet from the server that says you got more resources.

    So in minecraft, you could have lag of which you break 3 blocks, they reappear on your screen because of lag, then they go away because server received your break packets.
     
  26. Offline

    dsmyth1915

    Omg, I haven't been on Pwego in forever. Anyway, Glad to see it's solved. Keep up the good work Corrie!

    Regarding the "testing your server with a hacked client and getting hacked yourself" just put up a testserver with all your plugins of you main server, set that server to offline, then loginto minecraft on the modded client as player and see how much you can do on the offline server. you can also whitelist the test server but add "Player" and log in the same way. Voiding the option of ever giving the chance to take your username + password.
     
  27. Offline

    ZachBora

    even if the server is offline, the hacked client is still connected to the internet
     
  28. Offline

    Komak57

    erm, that client actually had a hack that would make a fake identity that could fly around, through walls, and still break blocks far away from the character, but wouldn't trip securities... I think there's just too much a client hack could do to falsify information after it's recieved info from the server that you just can't protect against. There WILL be master griefers. It's best to just weed out the typical methods and then do roll-backs on damage caused by the hard-cores. Possibly block all the known proxy ips? Just damage control really. Not like things aren't rebuildable. It's either that, or ensuring all the people who join your server are authorized before entry, at which point you seriously degrade the enjoyment of the idea of a public server >.<
     
  29. dsmyth1915 But if you saved your password all the hacked client has to do is to read/parse the .minecraft/last_login file. There's no need for you to play in offline mode. Also, like ZachBora told: It's till connected to the internet. That means it may even download and execute other software.
    It's a bid weird to see how many people trust a piece of software that some guy wrote and that he try to spread as much as he can... If it really does what it should do (cheat in SMP) do you really think the author would spread it that much? No, he would try to keep it hidden in a small community to prevent NoCheat and others from detecting its actions.


    NoClipping is done at that server and there's no way for the client to work around it...
    It's the old story: Security vs. user friendless. Blocking all proxys? Hell no! Some people sometimes really need that proxys (break out of a protected LAN, for example) and griefers will just find unblocked ones... They may try to access your server from a few thousand proxys in max. a minute (multithreading + socket timeout...). So just go the normal security steps: No op/permissions/creative for random people, a anti cheat plugin, a rollback plugin, extended logging, ...

    //EDIT: BTW: I think (correct me if I'm wrong) Dinnerbone offered a service where you could send over a hacked client and he would check if it really does what it should and if so checks if it's preventable in bukkit and if not handle it over to the anti cheat plugin developers.
     
  30. Offline

    CorrieKay

    Hmm this makes me wonder something.

    Do we have any idea what its like to the server when the player is holding an item with their mouse?
     
Thread Status:
Not open for further replies.

Share This Page