The NWNX Community Forum

lifeless hackers are back - nwn highly vulnerable
weldieran



Joined: 05 Aug 2005
Posts: 71

PostPosted: Sat Aug 16, 2008 16:04    Post subject: lifeless hackers are back - nwn highly vulnerable

I'm rather surprised there has not yet been discussion in the nwn community about this...

There is some software that is getting distributed that allows people DM-like access as a player. The symptoms we've seen so far is that the hacker can steal gear right off the other player's back, and can even run some sort of script that takes all items from another player all at once.

These hackers have hit several servers, and I'm sure many more are getting hit, but the hackers are more smooth about it, as to fly under the radar.

Now that bioware has ceased support for nwn, the only possible line of defense is nwnx.

Anyone have any news on this?
My players are getting hit quite often now.
Creating a mess.

(affects both 1.68 and 1.69)
FunkySwerve



Joined: 02 Jun 2005
Posts: 377

PostPosted: Sat Aug 16, 2008 17:48

Do you have dm cd verification in your oncliententer event? That stopped our problems with this three or four years back.

Funky
weldieran



Joined: 05 Aug 2005
Posts: 71

PostPosted: Sat Aug 16, 2008 21:56

FunkySwerve wrote:
Do you have dm cd verification in your oncliententer event? That stopped our problems with this three or four years back.

Funky


We do not, no. But will this stop this particular issue? I have been there, online, while this hacker was raping our players. Logs do not show any game master joining. I've seen a screenshot of the hacker, which was a naked level 1 player.

So if they aren't triggering the "Game Master has joined" message in the log files, then is cdkey verification of all DMs gonna solve this one? Perhaps they are two diff issues? I do not think this particular hack software was available 3-4 years back. I've been running our server for 6 years now, and was hit only just recently (july 1-5th) then again just a couple days ago.
FunkySwerve



Joined: 02 Jun 2005
Posts: 377

PostPosted: Sat Aug 16, 2008 22:13

It doesn't sound any different than the old stuff. Only way to find out for sure is to add it. It's very easy to add. Just collect the keys of your dms, and if GetIsDM on login, and GetPCPlayerCDKey doesn't match one of the authorized keys, boot em.

Funky
Abraxsis



Joined: 24 Jun 2008
Posts: 14

PostPosted: Sun Aug 17, 2008 8:59

I'm a developer for Richterm's Retreat, and I have seen and corrected this hack on our server.

The player is using a second character as a DM Wand. He is hacking the character on creation to add the string 'dmwand' to the PC's Conversation RESREF. If you copy over the hacked character and view it with LETO you'll see he has entered a value into the Conversation RESREF field.

This allows him, and any player, to use 'Talk To' from the quick bar to start a DM Wand conversation by talking to the hacked character. I found you can do this with any conversation script. So I had to go though and add GetIsDM tests to all of our DM only conversation activated scripts in the mod.

This hack bypasses the GetIsDM tests when the wand item is used and directly initiates the conversation scripts.

The code I added to the beginning of all our DM only conversation activated scripts, such as dmw_test_dialog0.nss:
Code:

   // Added by Abraxsis Aug 04, 2008
   // Is the speaker a DM?
   object oPC = GetPCSpeaker( );
   if( GetIsDM(oPC ) != TRUE ) {
      object oPCTest = GetFirstPC( );
      string sTestPCName = GetPCPlayerName( oPC);
      int nFound = FALSE;
      while( GetIsObjectValid( oPCTest) && ( ! nFound)) {
         if( GetPCPlayerName( oPCTest) == sTestPCName) {
            if( GetIsDM( oPCTest)) {
               nFound = TRUE;
            } else {
               SendMessageToPC( oPC,"This is too much power for mere mortals!");
               return FALSE;
            }
         }
         oPCTest=GetNextPC( );
      }
   }
   // End Is the speaker a DM?


We have some fairly advanced character checking on character creation, but I've found no function to be able to check to make sure a character's Conversation RESREF is null.

I'd like to be able to reject anyone with a value in the character's 'Conversation RESREF'.
FunkySwerve



Joined: 02 Jun 2005
Posts: 377

PostPosted: Sun Aug 17, 2008 9:46

Interesting, never seen that. But then, I use SIMTools, not DMFI. Still, probably prudent to add checks to any convo you don't want them having unlimited access to, perhaps just a simple check to ensure that gettag of the owner isn't blank. But then, they could always up a non-blank field, I suppose. Best to leto it clean for new characters, I suppose.

Funky
Abraxsis



Joined: 24 Jun 2008
Posts: 14

PostPosted: Sun Aug 17, 2008 10:09

I'm not as familiar with nwnx_leto, least not yet. I wasn't able to find a function to check the new character's Conversation RESREF field.

Is there a better way of checking new characters with nwnx_leto?

A couple other tricks I've seen lately...

The hacker used the tag STRING character field for one hack.

The hacker has also tried creating characters using the same name multiple times. I'm assuming this is to try to confuse which .bic file gets checked for a specific character name.
FunkySwerve



Joined: 02 Jun 2005
Posts: 377

PostPosted: Sun Aug 17, 2008 12:24

Use this to check it:
Code:
string GetConvoResRef (string sBicPath) {
    string sLeto = "%bic = q<" + sBicPath + ">; print /Conversation; close %bic;";
    string sName = LetoScript(sLeto);
    return sName;
}


You can just boot any character for whom that field is not blank. Note that you have to input the bicpath, however you're getting it on your mod.

The multiple name creation is a trick used to avoid antiexploits. Characters with the same name spoof the engine, so you can logout one, create a new one, and have it appear where the old one logged out, instead of at the start point for new characters - potentially bypassing your antiexploits. In fact, we just banned Makazasky for trying to take advantage of such a 'feature' of the engine today. He'd been picked up by our logs using other exploits before, but he actually stuck around to play this time. Buh bye. Watch for him trying it on your server - he apparently gets around a fair bit. They have all the same local vars associated with them as the last character, when they do this, which you can use to your advantage. This is also a method to potentially double up subrace edits, depending on the system you are using, especially if you allow deletion. If you want more specific details on how to prevent it, you should probably pm me, since the only foolproof way we could think of involves a custom engine hack, and Makazasky does frequent these boards.

Not sure what good the tag field would do them, depends on what you are using it for, since it's typically blank. In our mod, it's used as an unspoofable link between character and database, by setting a unique id in it. The default nwnx database setup is subject to spoofing by using a same-named character in the same playername, which can also be problematic depending on what you are using the database for.

Funky
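An added OnClientEnter script (not from this thread or from NWNX itself) that combines FunkySwerve's two suggestions: boot a DM login whose CD key is not on the list, and boot a player whose .bic has a non-empty Conversation ResRef, read with the LetoScript call posted above. Assumptions: the nwnx_leto include is loaded, the DM keys are constructed placeholders, and GetBicPath() is a hypothetical helper whose body you must adapt to your own vault layout (the real CD-key function is GetPCPublicCDKey, not GetPCPlayerCDKey).

```nwscript
#include "nwnx_leto"   // assumed include name for the Leto plugin

// Public CD keys of authorised DMs. Constructed placeholders, comma separated.
const string DM_KEYS = "AAAAAAAA,BBBBBBBB";

// Hypothetical helper: path to the entering player's .bic file.
// Assumes servervault/<player name>/<character name>.bic; adjust for your mod.
string GetBicPath(object oPC)
{
    return "servervault/" + GetPCPlayerName(oPC) + "/" + GetName(oPC) + ".bic";
}

// Read the Conversation field of a .bic via LetoScript (same call as FunkySwerve's).
string GetConvoResRef(string sBicPath)
{
    string sLeto = "%bic = q<" + sBicPath + ">; print /Conversation; close %bic;";
    return LetoScript(sLeto);
}

// TRUE if sKey is one of the authorised DM keys. Both sides are wrapped in
// commas so a short key cannot match inside a longer one.
int IsAuthorisedDMKey(string sKey)
{
    if (sKey == "") return FALSE;
    return FindSubString("," + DM_KEYS + ",", "," + sKey + ",") != -1;
}

void main()
{
    object oPC = GetEnteringObject();
    string sKey = GetPCPublicCDKey(oPC);

    // 1. A DM login must present a key from the authorised list.
    if (GetIsDM(oPC) && !IsAuthorisedDMKey(sKey))
    {
        WriteTimestampedLogEntry("Unauthorised DM login: " + GetPCPlayerName(oPC)
                                 + " key " + sKey);
        DelayCommand(1.0, BootPC(oPC));   // delayed so the boot happens after entry
        return;
    }

    // 2. A player's .bic must have an empty Conversation ResRef; anything else
    //    is the hacked 'dmwand' character described in the thread.
    if (!GetIsDM(oPC) && GetConvoResRef(GetBicPath(oPC)) != "")
    {
        WriteTimestampedLogEntry("Hacked bic (Conversation set): "
                                 + GetPCPlayerName(oPC) + " / " + GetName(oPC));
        DelayCommand(1.0, BootPC(oPC));
    }
}
```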
weldieran



Joined: 05 Aug 2005
Posts: 71

PostPosted: Sun Aug 17, 2008 15:58

Abraxsis wrote:

Code:

   // Added by Abraxsis Aug 04, 2008
   // Is the speaker a DM?
   object oPC = GetPCSpeaker( );
   if( GetIsDM(oPC ) != TRUE ) {
      object oPCTest = GetFirstPC( );
      string sTestPCName = GetPCPlayerName( oPC);
      int nFound = FALSE;
      while( GetIsObjectValid( oPCTest) && ( ! nFound)) {
         if( GetPCPlayerName( oPCTest) == sTestPCName) {
            if( GetIsDM( oPCTest)) {
               nFound = TRUE;
            } else {
               SendMessageToPC( oPC,"This is too much power for mere mortals!");
               return FALSE;
            }
         }
         oPCTest=GetNextPC( );
      }
   }
   // End Is the speaker a DM?


Wow nice! THANK YOU for the answer! Would've taken me a long time to figure that one out.

I'm curious, however, what is the purpose of the PC loop in the code above? Would not that first check on GetIsDM (GetPCSpeaker()) not be sufficient?
Abraxsis



Joined: 24 Jun 2008
Posts: 14

PostPosted: Sun Aug 17, 2008 16:31

The while loop checks to see if it is a DM controlling a npc/monster.
Asparius



Joined: 18 Sep 2007
Posts: 52

PostPosted: Sun Aug 17, 2008 20:29

Wouldn't it be simpler to use GetIsDMPossessed()?
weldieran



Joined: 05 Aug 2005
Posts: 71

PostPosted: Mon Aug 18, 2008 0:46

Asparius wrote:
Wouldn't it be simpler to use GetIsDMPossessed()?


That's what I was thinking... ??
Abraxsis



Joined: 24 Jun 2008
Posts: 14

PostPosted: Mon Aug 18, 2008 6:50

GetIsDMPossessed() will return FALSE if oNPC is the DM character.
To determine if oNPC is a DM character use GetIsDM()

This was the basis for my decision to use the while loop.
weldieran



Joined: 05 Aug 2005
Posts: 71

PostPosted: Mon Aug 18, 2008 16:12

Abraxsis wrote:
GetIsDMPossessed() will return FALSE if oNPC is the DM character.
To determine if oNPC is a DM character use GetIsDM()

This was the basis for my decision to use the while loop.


Code:

if (GetIsDM(oPC) || (GetIsDMPossessed(oPC) && GetIsDM(GetMaster(oPC))))
    return TRUE; // all is good
else
    return FALSE; // you've been a bad bad boy
Arvirago



Joined: 17 Nov 2006
Posts: 15

PostPosted: Fri Nov 28, 2008 11:28

Each day I think it a better idea to use only servervault.
And again, there are not so many Spanish servers, so the idea of getting your CD key banned forever discourages a lot of that hacking stuff.
Page 1 of 2. All times are GMT + 2 Hours.