Anti-modified jar solution.

Discussion in 'Bukkit Discussion' started by zergqq, Jan 31, 2013.

Thread Status:
Not open for further replies.
  1. Offline

    zergqq

    Would it not be possible to digitally sign the jars, allowing for the server to check for a properly signed client jar?
    Could it stop cheaters from using their own modified jars?
     
  2. Offline

    -_Husky_-

    Can't do it.

    We cannot make something to force something upon the client
     
  3. Offline

    zergqq

    Even digital signatures? You mean technically or legally?
     
  4. Offline

    -_Husky_-

    technically.
     
  5. It could be interesting for the server verifying plugins (parts of the jars signed, different "levels"), but that is another (phone-home) topic.
     
  6. Offline

    jorisk322

    As -_Husky_- said. It's not possible.
     
  7. I am probably off topic but I meant the other "it": a system for servers verifying their plugins by query at BukkitDev.
     
  8. Offline

    Geekola

    It would be just as easy for a modified jar to send out the "correct" signature. You would just modify the jar to do so.
     
  9. Offline

    ShootToMaim

    So Jeb couldn't just sign the jars...>
     
  10. Offline

    lycano

    zergqq likes this.
  11. Offline

    agaricus

    They already are, see the signature data in the META-INF directory of Minecraft (MOJANG_C.SF, MOJANG_C.DSA).
     
  12. Offline

    ShootToMaim

    But then .jars with mods in them wouldn't have the signature..
     
  13. Offline

    CorruptedHelix

    That's more or less the point.
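
The signature files mentioned above work because a signed jar's manifest lists a digest for every entry, so a changed or added class no longer matches. A minimal Python check of those manifest digests, added here as an illustration and not code from the thread; the sample jar contents and helper names are constructed, and validation of the .SF/.DSA signature block, which a full verification also requires, is left out.

```python
import base64, hashlib, io, zipfile

# Manifest attribute -> hashlib name (attribute names as jarsigner writes them).
DIGESTS = {"SHA-256-Digest": "sha256", "SHA1-Digest": "sha1"}

def parse_manifest(text):
    """Return {entry name: {attribute: value}} for the per-entry sections."""
    # Long lines continue on the next line after a single space; rejoin them.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    entries = {}
    for section in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in section.split("\n") if ": " in l)
        if "Name" in attrs:
            entries[attrs.pop("Name")] = attrs
    return entries

def check_jar(jar_bytes):
    """List (entry, problem) pairs for files that do not match the manifest."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        listed = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for name in jar.namelist():
            if name.startswith("META-INF/") or name.endswith("/"):
                continue  # signature files and directories carry no digest
            attrs = listed.get(name, {})
            known = [(DIGESTS[a], v) for a, v in attrs.items() if a in DIGESTS]
            if not known:
                problems.append((name, "no digest in manifest"))
            for algo, expected in known:
                actual = hashlib.new(algo, jar.read(name)).digest()
                if base64.b64encode(actual).decode() != expected:
                    problems.append((name, "digest mismatch"))
    return problems

def build_jar(files, manifest_for=None):
    """Constructed sample jar: SHA-256 manifest for manifest_for, body = files."""
    manifest = "Manifest-Version: 1.0\r\n\r\n"
    for name, data in (manifest_for or files).items():
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
        manifest += f"Name: {name}\r\nSHA-256-Digest: {digest}\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        for name, data in files.items():
            jar.writestr(name, data)
    return buf.getvalue()

# Constructed sample contents, not taken from any real jar.
ORIGINAL = {"net/example/Game.class": b"original bytes", "title.png": b"png"}
MODDED = {**ORIGINAL, "net/example/Game.class": b"patched bytes", "Mod.class": b"x"}
```

For real jars, `jarsigner -verify` performs the complete check, including the signature block and signer certificate.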
     
  14. Offline

    zergqq

    Last edited by a moderator: May 31, 2016
  15. Offline

    LiLChris

  16. Offline

    TnT Retired Staff

    Mojang could do it, and single-handedly kill the modding and texture pack communities.

    Be careful what you wish for.
     
    Chunkr, cMan_ and zipfe like this.
  17. Offline

    Ne0nx3r0

    zergqq

    There is a fundamental flaw in the "just verify the file" or similar theories about anti-cheating. The user will always have the advantage because the user has control of their computer. As long as that is the case, they can always inject custom code that will disrupt any attempt at verifying their system integrity.

    The closest anyone has really come to this is using something like VAC which is not only complex to develop and maintain (as in, Valve has a team of engineers that constantly analyze code/challenge response samples for cheating), but also resource/network intensive to implement. How long have we been waiting for the Minecraft API? Now imagine rewriting Minecraft to implement VAC. And oh by the way there are still hacks for Valve multiplayer games, so even this isn't a foolproof scheme.

    The practical answer for Minecraft has been, and will likely continue to be NoCheat/Orebfuscator-like plugins that block the malicious effects of mods uploaded to a safe location that verifies they have no malicious intent. It's not perfect, but it's there and it's freely maintained for you by skilled coders.


    But why would they do that? It seems counter-productive. :confused:
     
    necrodoom likes this.
  18. Offline

    drtshock Retired Staff

    I do something like this on my server for contests when we give away things. We made a plugin that checks if each player is using our minecraft.jar we signed. Works like a charm to get rid of people using nodus. We even made it so they can use rei's minimap and optifine. We just hope that players on the server aren't smart enough to fake it or add our code into their nodus.jar or something. Would be easily cheated but not on short notice for a bunch of 12 year olds that don't know what java is.
     
    chakyl and Chunkr like this.
  19. Offline

    TnT Retired Staff

    Ne0nx3r0 likes this.
  20. Offline

    Ne0nx3r0

    Yeah, that sort of thing works on a small scale, but if everyone adopted that technique, Nodus would surely follow with some form of anti-signature functions.
     
  21. Offline

    drtshock Retired Staff

    Ne0nx3r0 that's exactly why I'm not going to give it to anyone else to use for their server. It would get worked around so quickly. But it works for what we need. Just thought I'd give some input on this :)
     
  22. Offline

    bitWolfy

    drtshock You are not allowing your players to use Optifine? What the hell is wrong with you?
     
  23. Offline

    drtshock Retired Staff

    bitWolfy we are letting them use it :eek: along with rei minimap like my post says ^
     
  24. Offline

    bitWolfy

    drtshock *facepalm* I can't read. Sorry.
     
    drtshock likes this.
  25. Offline

    Shadowwolf97

    Not to mention you could always just change the code weekly, and have an autoupdating jar. That's what I'm currently working on :p You should really give credit to the creator next time tehe ;P
     
    drtshock likes this.
  26. Offline

    drtshock Retired Staff

    Didn't know you were active on the forums :p
    And I did say we :)
     
  27. Offline

    Shadowwolf97

    who is 'we'? Me myself and I? ;D
     
  28. Offline

    Chunkr

    Are you willing to share this with me? I'm running several 'private' servers for some Youtubers / Letsplayers and I would love to use something like this :)
     
  29. Offline

    LiLChris

    If it gets shared eventually it will reach the community he doesn't want aware of it. :p
     