Questions

chuckltn73 · #1 07-14-2008, 05:30 PM

Ok well, hrmmm call me crazy but i generally go with the simplest solution to a given problem, Richardo hit it on the head I believe it was and some others I think.

A simple check of a preassigned variable that only the server Op can change in the source. I think there was mention of using the variables table expansion field to this end.

I know I personally will impliment some kind of encryption, Ive already been Working on ClearLogin and the login packetmanager dll you included, well not much of work more of looking through and preparing to add the encryption and authentication.

I think there are many possibilities the serverOp could impliment, which would be the beauty of opensourcing it people would be able to share ideas, and at the same time be able to see what can work the best within those given ideas.

chuckltn73 · #2 07-14-2008, 05:48 PM

Humm seems I can not edit my post;

On the subject of encryption I wanted to touch base a bit more in depth. Something like encryption should truly be left to the serverOp to deal with, for the very simple and important reason that, a global encryption system that is predistributed will very quickly undermine, said encryption. It would basicly defeat the purpose of adding the encryption if that encryption was distributed (Did that make any sense?)

**KLS** · #3 07-14-2008, 07:46 PM

Problem with that is the variable would be easy to work around for anyone competent enough to modify the client. Simply connect with the client you want to replicate to your own server see what version it sends to the server and put that secret version in a new version of your client: tada it now has replicated the secret key.

If you add a little basic encryption it makes it harder but not impossible to replicate.

Code:

client-> RequestConnection -> server 
server -> Reply (Including secret key for this connection) -> client
*figure out patches and stuff* if it's a SC patch then:
server -> Challenge -> client
client -> ChallengeReply: SecureHash(SecureHash(variable) + SecretKey)) -> server
server compares clients version to it's own internal hashed version and if they don't match disconnects.

That's pretty basic right there but would probably be enough. Would be harder to get the variable but not impossible because well the binary is in the hands of the enemy and he can simply decompile it to see what the key is, or they could potentially brute force it as well.

I think simple things like server side checks to see if players can do this or do that when they attempt to do something will cover most cases. Collision is the only real problem as it would be difficult to detect serverside. You could put a check in the movement code to see if someone is under the world and track how often it happens, if it happens a lot odds are there's a problem with your zone or someone is cheating. That wouldn't cover all cases though as there would be situations where people would be able to travel through small walls undetected.

One thing that might be an option is using a plugin type system for the various parts of the client, for example network is handled by a network.dll and ui is handled by ui.dll and various core mechanics handled by core.dll etc etc etc, would allow the release and modification of most the client while still keeping sensitive things tucked away in the main binary. Not sure how well that would work with your code though.

chuckltn73 · #4 07-14-2008, 07:56 PM

Brilliant, KLS My compliments.

I agree completely, although I should have been a bit more clear, serverside check of the variables table, in other words the values would have to mach whats stored in the database. If it doesnt well then the client is automaticly kicked from the server.

One option for preventing decompilation is obfuscating it after compilation, but that would have to be something the serverOp does when he or she compiles the client.

I think if someone obfuscates their binary, modularizes the client as kls suggests, and also adds encryption it would probably be as secure as possible.

In truth since simpleclient comes with clearlogin, all the checks could be on via the loginserver with some simple modification. As for the cheating checks perhaps incorperating alot of the MQ additions to the recent servers would do the trick on alot of that, atleast untill SC is compatible with the most recent netcode if ever.

chuckltn73 · #5 07-15-2008, 05:10 PM

A follow up:

the reason I said do these checks loginserver side is because, the ClearLogin is a small app and easy to edit, therefore it would be a small matter to enhance it with these sorts of changes, and would keep the emu server code basicly stock, so it would cut down on the editing the serverOp needs to do in order to get it up and running

chuckltn73 · #6 07-15-2008, 07:52 PM

any chance of getting the right click look around working? would makle life alot simpler

Darkriderone · #7 07-16-2008, 01:56 AM

Well I have been interested in SC for some time, because it gives me a chance to design a world thats not based on Sony, doesn't require Eqclient in anyway and I don't have to make a copy eqserver 1001 of servers already out there.

I was joyed to be able to make new zones for people to explore, new mobs for people to see, there were enough really good eq-based servers out there. With SC I could have my own updater for files, and released new zones.

But in the end I respect Wind for the work and effort he has done with SC, I'm hoping to pitch in with help adding or pointing fixes or tweaks, and if he would like it to remain closed-source I'm willing to back him on that.

*wisper in wind's ear* opensource, opensource, opensource...

Sorry I'm no soultry siren...