Game Updater

Postby Invictus » Sat Dec 04, 2004 6:49 am

I brought this up a week ago but the topic faded. Here is what I have decided to do so far. Hopefully you guys will bring any problems or better ideas to my attention.

    1) The client runs the game exe.
    2) The game program connects to the server and receives an index of all the resource file names.
    3) The client makes an md5 hash of each file and sends it to the server.
    4) The server compares the md5 hashes with the correct md5 hashes for the good resource files.
    5A) If they all match the server sends back an ok message and proceeds to login.
    5B) If they do not match then the server sends back a fail message and the game shell executes the updater and then closes.
    6) The updater connects to the server then makes and sends the hashes again.
    7) The updater receives a list of files that are old or corrupt.
    8) The server sends the new files and the updater replaces the old ones.
    9) The updater shell executes the game then closes.
    10) The game will make and send the hashes again and if all went ok with the update they will be correct now and you can proceed to login.


What do you guys think?
Invictus
 
Posts: 3054
Joined: Tue Oct 21, 2003 12:59 pm

Postby bbposter » Sat Dec 04, 2004 9:01 am

Cold Flame wrote: 5A) If they all match the server sends back an ok message and proceeds to login.

This is a frequent, and fatal, flaw in many softwares' attempts to secure and ensure the validity of their game files. Many times the server will simply send back a static message such as 1 for OK and 0 for not OK. All I would simply need to do is find what address your server is attempting to connect to in your EXE/DLLs, replace it with 127.0.0.1, and create my own dummy server to spit out the same OK message yours does. Of course, I could simply NOP the server authentication section out and set the variable to whatever I want towards the end. If you're serious about securing your game files, you'll need to do some research on Google about anti-debugging and secure authentication. Of course, it's not possible to completely secure any game, but you can at least make it noob-proof.
bbposter
Secretary of Administration
 
Posts: 900
Joined: Tue Sep 23, 2003 9:01 am

Postby bbposter » Sat Dec 04, 2004 9:06 am

On a side note, how about you start just one thread to discuss your game rather than close to a dozen; when I want to reply to one, I get confused which one it is. :?
bbposter
Secretary of Administration
 
Posts: 900
Joined: Tue Sep 23, 2003 9:01 am

Postby r4nd0m » Sat Dec 04, 2004 11:06 am

Where ya bin, Ben? Haven't seen ya for a while.

CF, I know you know stuff about encrypted programs and cracking and stuff. You should be really good at figuring out ways to stop it, or at least beginners.
Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand -- strawberries in the other screaming WOO HOO!
r4nd0m
 
Posts: 1851
Joined: Tue May 11, 2004 7:43 pm
Location: Edmonton, Alberta, Canada

Postby Beer Hunter » Sat Dec 04, 2004 3:48 pm

Ben wrote: All I would simply need to do is find what address your server is attempting to connect to in your EXE/DLLs, replace it with 127.0.0.1, and create my own dummy server to spit out the same OK message yours does.
The real game server won't allow the user to log in unless he validates the files.
The real problem, then, is making sure that the user is submitting the MD5 hashes of the same data files he's actually using…
Beer Hunter
 
Posts: 912
Joined: Sat Dec 13, 2003 7:12 pm
Location: Australia

Postby Invictus » Sat Dec 04, 2004 6:35 pm

r4nd0m: I was going to say that. I know a lot of tricks (And I don't mean IsDebuggerPresent(), lol...). All my best hacker friends I have already challenged to crack my game when the beta is ready and then we will figure out how to secure it once they do.

There is no security risk in sending back an ok or fail message. If the client edits the packet to give them an ok message instead of a fail it will continue but they will get an error because they aren't connected to the server. Ben, there is no risk in someone making another server. What would that possibly accomplish? An ok and fail message are the best way to go about client requests.

The only way for someone to crack the updater would be to first figure out whichever of my custom file formats, let's say 3d. I would go about this by finding the loader in IDA because the debugger isn't gonna work. Then I would reverse the code. You would have to successfully figure out that the first 12 bytes hold the number of vertices, faces, and texture coords in the file. Set each 4 bytes to 0 so the model loads no mesh but still loads. Then you would have to have the exact same md5 hasher that I used in my game and make hashes of the good files. Then you would have to edit the outgoing packets of the game to send these md5 hashes instead of the bad ones extracted from the resource files. All of this is almost impossible to do especially in the dark with nothing but assembly. And all that it could accomplish is making a crack to walk through walls because collision detection is client side. But still it wouldn't work to hurt other clients because when you move, you send the x and y position you click. This is then broadcast to all of the clients in range of you and then you are moved to that location. So if you are walking through walls, it would only be client side. The other players would still have you stop.

Can anyone tell me how to shell execute with Linux and Mac?
Invictus
 
Posts: 3054
Joined: Tue Oct 21, 2003 12:59 pm

Postby Invictus » Sun Dec 05, 2004 1:49 am

Code:
/**********************************************************************************
Server Messages for Client
**********************************************************************************/

#define SMSG_OK          0   // Request Permitted
#define SMSG_FAIL        1   // Request Rejected
#define SMSG_CHAT_RECV   2   // Received a Chat Message
#define SMSG_CHAR_SEE    3   // A new character in sight.
#define SMSG_CHAR_MOVE   4   // Move a Character
#define SMSG_CHAR_GONE   5   // A character has left your sight.
/**********************************************************************************/


/**********************************************************************************
Client Messages for Server
**********************************************************************************/

#define CMSG_LOGIN          1   // Login Request
#define CMSG_NEW_ACC        2   // New Account Request
#define CMSG_DEL_ACC        3   // Delete Account Request

#define CMSG_MOVE           4   // Notify Move
#define CMSG_ATTACK         5   // Notify Attack
#define CMSG_BLOCK          6   // Notify Block

#define CMSG_CHAT_WHISPER   7   // Send a chat message to another player.
#define CMSG_CHAT_TALK      8   // Send a chat message to all players nearby.
#define CMSG_CHAT_SHOUT     9   // Send a chat message to all players on map.

/**********************************************************************************/
Invictus
 
Posts: 3054
Joined: Tue Oct 21, 2003 12:59 pm

Postby r4nd0m » Sun Dec 05, 2004 11:04 am

Looks good. When you send those messages, are you going to send "parameters", kinda like Windows does?

Ex:
send SMSG_CHAR_MOVE
send x / y / z of new move
r4nd0m
 
Posts: 1851
Joined: Tue May 11, 2004 7:43 pm
Location: Edmonton, Alberta, Canada

Postby bbposter » Sun Dec 05, 2004 7:40 pm

I'm not entirely familiar with your game. Sorry, I didn't realize the client was dependent on the server. I thought you were just trying to make some kind of file validity checking for the client to run and when it was complete the client would run (a bit like HL2).

From your description, it sounds like once the client has been authenticated the server will simply stop checking the file validity. If this is so, a similar concept still applies. First, log on to the server legitimately and monitor everything that is sent to the server for a valid connection message to be sent back. Then, it would be fairly simple to make a front end loader that sends your server all the MD5 hashes it wants and establishes a legitimate connection. Then, as described earlier, I would replace your server's IP (in the client app) with 127.0.0.1. The client acts completely normal, logs on, sends everything to the front end loader, the loader ignores it all and says, "OK, you're accepted" and sets up a port tunnel to the client (think proxy). The actual server and client now communicate seamlessly with one another.

This is probably the cleanest way to do this, I would hardly need to mess around with the client's binary at all.

Hope this helps.
bbposter
Secretary of Administration
 
Posts: 900
Joined: Tue Sep 23, 2003 9:01 am
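
The replay discussed in this thread works because the expected hash is identical in every session. As an added example (not code from any poster), this shows a server check bound to a per-session nonce rejecting a captured value that the static check accepts. The FNV-1a digest is a non-cryptographic stand-in for HMAC-SHA-256, and the file contents, nonces and function names are constructed for the demo.

```cpp
#include <cstdint>
#include <iostream>
#include <string>

// Stand-in keyed digest: 64-bit FNV-1a over nonce || data. NOT cryptographic;
// it only keeps this block dependency-free. Use HMAC-SHA-256 in real code.
uint64_t keyed_digest(uint64_t nonce, const std::string &data)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    auto mix = [&h](unsigned char b) { h ^= b; h *= 0x100000001b3ULL; };
    for (int i = 0; i < 8; i++) mix((nonce >> (8 * i)) & 0xff);
    for (unsigned char c : data) mix(c);
    return h;
}

// Scheme from the thread: one fixed hash per file, identical in every session.
bool static_check(uint64_t reported, const std::string &good)
{
    return reported == keyed_digest(0, good);
}

// Challenge-response: the server sends a fresh random nonce per connection and
// expects digest(nonce || file), so the correct answer differs every session.
bool challenge_check(uint64_t nonce, uint64_t reported, const std::string &good)
{
    return reported == keyed_digest(nonce, good);
}

// Constructed sample data: file contents and nonces are made up for the demo.
const std::string GOOD_FILE = "mesh-v1: 8 vertices, 12 faces";
const uint64_t NONCE_SESSION_1 = 0x1f3a5c7e9b2d4f60ULL;
const uint64_t NONCE_SESSION_2 = 0x8e6c4a2013579bdfULL;

// A value captured in one session and sent again in a later one.
bool replay_passes_static()
{
    uint64_t captured = keyed_digest(0, GOOD_FILE);
    return static_check(captured, GOOD_FILE);
}
bool replay_passes_challenge()
{
    uint64_t captured = keyed_digest(NONCE_SESSION_1, GOOD_FILE);
    return challenge_check(NONCE_SESSION_2, captured, GOOD_FILE);
}

int main()
{
    std::cout << "static scheme accepts replayed hash:    " << replay_passes_static() << "\n"
              << "challenge scheme accepts replayed hash: " << replay_passes_challenge() << "\n";
}
```

A client that still holds the pristine files can answer any nonce, so this closes replay of captured traffic but not the thread's other concern, that the hashed files may differ from the ones the game actually loads.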

Postby Invictus » Sun Dec 05, 2004 9:08 pm

r4nd0m wrote: Looks good. When you send those messages, are you going to send "parameters", kinda like Windows does?

Ex:
send SMSG_CHAR_MOVE
send x / y / z of new move

Obviously.
I programmed my server to work with a callback that notifies everything.
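Code:
#include <cstdio>     // FILE, fopen, fscanf, fwrite and the printf family
#include <cstring>    // strcmp
#include <iostream>   // cout, endl
using namespace std;

void ServerProc(int msg, int cid, void *param)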
{
   switch(msg)
   {
   case SERVER_START:
      cout << "Server Started - port: " << *(int*)param << endl;
      break;

   case SERVER_CONNECT:
      {
         num_clients++;
         // param points at the IP string; print the string, not just its first character.
         cout << "Client Connected - id: " << cid << " ip: " << (char*)param << "\ntotal clients: " << num_clients << endl;

         for(int i=0; i < num_clients; i++)
         {
            if(i != cid) // If it isn't you
            {
               server.SendInt(SOCK_OUT, i, SMSG_CHAR_SEE);
               //server.Send(SOCK_OUT, i, &pos, sizeof(pos));
            }
         }
      }
      break;

   case SERVER_RECEIVE:
      {
         switch(*(int*)param)
         {
         case CMSG_LOGIN:
            {
               LoginData data;
               server.Recv(SOCK_IN, cid, &data, sizeof(LoginData));

               // Process login
               // data.name is supplied by the client: validate it before using it in a path.
               char path[255];

               snprintf(path, sizeof(path), "%s%s.char", ACCOUNT_DIR, data.name); // Make the path without overflowing it.
               FILE *file = fopen(path, "r");   // Open the character file.

               char password[33] = "";          // The good password md5 hash (32 hex digits + NUL).
               bool have_hash = false;          // Stays false if the account file is missing or empty.
               if(file != 0)
               {
                  have_hash = (fscanf(file, "%32s", password) == 1);   // Get the good password hash from character file.
                  fclose(file);
               }

               if(have_hash && strcmp(data.pass, password) == 0)   // Compare the request password with the good password.
               {
                  // Successful login
                  server.SendInt(SOCK_IN, cid, SMSG_OK);
                  players[cid].Load(path);
               }
               else
               {
                  // Failed login
                  server.SendInt(SOCK_IN, cid, SMSG_FAIL);
               }
            }
            break;

         case CMSG_NEW_ACC:
            {
               NewAccount data;
               server.Recv(SOCK_IN, cid, &data, sizeof(NewAccount));   // Receive the new account data.

               // data.name is supplied by the client: validate it before using it in a path.
               char path[255];
               snprintf(path, sizeof(path), "%s%s.char", ACCOUNT_DIR, data.name); // Make the path without overflowing it.

               FILE *file = fopen(path, "w");   // Note: "w" truncates an existing file of the same name.

               if(file == 0)   // The account file could not be created.
               {
                  server.SendInt(SOCK_IN, cid, SMSG_FAIL);
                  break;
               }

               // Write data to file.
               fwrite(&data, sizeof(NewAccount), 1, file);

               fclose(file);
               server.SendInt(SOCK_IN, cid, SMSG_OK); // Successfully created account.
            }
            break;

         case CMSG_DEL_ACC:
            {

            }
            break;

         case CMSG_MOVE:
            {
               float pos[2];
               server.Recv(SOCK_IN, cid, &pos, sizeof(pos));

               for(int i=0; i < num_clients; i++)
               {
                  if(i != cid) // If it isn't you
                  {
                     server.SendInt(SOCK_OUT, i, SMSG_CHAR_MOVE);
                     server.Send(SOCK_OUT, i, &pos, sizeof(pos));
                  }
               }
            }
            break;

         case CMSG_ATTACK:
         //   for(int i=0; i < players[cid].quad->players.size(); i++)
         //   {
         //      server.SendInt(SOCK_OUT, players[cid].quad->players.at(i), MSG_ATTACK);
         //   }
            break;

         case CMSG_CHAT_WHISPER:   // Send message to a specific player.
            {
               int to = server.RecvInt(SOCK_IN, cid);
            }
            break;

         case CMSG_CHAT_TALK: // Send message to everyone in range.
         //   for(int i=0; i < players[cid].quad->players.size(); i++)
         //   {
         //      server.SendInt(SOCK_OUT, players[cid].quad->players.at(i), MSG_ATTACK);
         //   }
            break;

         case CMSG_CHAT_SHOUT: // Send message to everyone in map.
         //   for(int i=0; i < players[cid].quad->players.size(); i++)
         //   {
         //      server.SendInt(SOCK_OUT, players[cid].quad->players.at(i), MSG_ATTACK);
         //   }
            break;
         }
      }
      break;

   case SERVER_DISCONNECT:
      num_clients--;
      cout << "Client Disconnected: " << cid << " total clients: " << num_clients << endl;
      break;

   case SERVER_STOP:
      cout << "The server has shutdown.";
      delete [] players;
      //FILE *log = fopen(log.txt);
      break;

   case SERVER_ERROR:
      break;
   }
}
Invictus
 
Posts: 3054
Joined: Tue Oct 21, 2003 12:59 pm
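
The login and new-account handlers above build a file path from data.name exactly as it arrives from the client. As an added example (not code from the original post), this is one way to turn that wire field into a path only after an allow-list check. The ACCOUNT_DIR value, the 15-character limit, the 16-byte field size and the helper names are assumptions, since the thread never shows LoginData.

```cpp
#include <cstring>
#include <iostream>
#include <string>

static const char ACCOUNT_DIR[] = "accounts/";   // hypothetical value
static const size_t MAX_NAME = 15;               // hypothetical policy

// Read a fixed-size wire field that may not be NUL-terminated: take bytes up
// to the first NUL or the end of the field, never past it.
std::string field_to_string(const char *field, size_t field_size)
{
    const void *nul = std::memchr(field, '\0', field_size);
    size_t len = nul ? static_cast<const char *>(nul) - field : field_size;
    return std::string(field, len);
}

// Allow-list check: 1..MAX_NAME characters from [A-Za-z0-9_]. Rejecting '.',
// '/' and '\\' keeps the name inside ACCOUNT_DIR.
bool valid_account_name(const std::string &name)
{
    if (name.empty() || name.size() > MAX_NAME) return false;
    for (char c : name) {
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '_';
        if (!ok) return false;
    }
    return true;
}

// Path of the character file for a raw name field, or "" if it is rejected.
std::string account_path(const char *field, size_t field_size)
{
    std::string name = field_to_string(field, field_size);
    if (!valid_account_name(name)) return "";
    return std::string(ACCOUNT_DIR) + name + ".char";
}

int main()
{
    // Constructed inputs: a normal name, a traversal attempt, an unterminated field.
    const char ok[16] = "invictus";
    const char bad[16] = "../../boot";
    const char full[16] = {'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A'};
    std::cout << '[' << account_path(ok, sizeof ok) << "]\n"
              << '[' << account_path(bad, sizeof bad) << "]\n"
              << '[' << account_path(full, sizeof full) << "]\n";
}
```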
