Shann’s Security Tutorial #1

Printed From: Mirage Source
Category: Tutorials
Forum Name: Temporary Archive (Read Only)
Forum Description: Temporary 3.0.3 archive tutorials, will be deleted when converted.
URL: http://ms.shannaracorp.com/backup-forums/forum_posts.asp?TID=107
Printed Date: 20 December 2006 at 5:52pm
Software Version: Web Wiz Forums 8.01 - http://www.webwizforums.com


Topic: Shann’s Security Tutorial #1
Posted By: Sync
Subject: Shann’s Security Tutorial #1
Date Posted: 11 February 2006 at 1:55pm
Ok, this is a very simple tutorial. It should be one of the first things you add to your source code, OR anybody can easily crash your server, and you wouldn't know what hit you. So...

The fix is for both the client and the server, as you wouldn't want any children emulating a server with your client...

First thing to do is get rid of all of the following:


On Error Resume Next


The above line is a 100% bad coding practice. Nobody ever uses that unless they are asking for trouble. Sure, it would help on some problems, but not really. It's like putting off cleaning your room until you have no room left (full of clothes, boxes and such).

Now go into your HandleData routine...

After:


    ' :::::::::::::::::::::
    ' :: Location packet ::
    ' :::::::::::::::::::::
    If LCase(Parse(0)) = "requestlocation" Then
        If GetPlayerAccess(Index) < ADMIN_MAPPER Then
             Call HackingAttempt(Index, "Admin Cloning")
             Exit Sub
        End If
        
        Call PlayerMsg(Index, "Map: " & GetPlayerMap(Index) & ", X: " & GetPlayerX(Index) & ", Y: " & GetPlayerY(Index), Pink)
        Exit Sub
    End If


Insert:


    ' No handler above matched: the packet is not one the server supports
    Call HackingAttempt(Index, ".")
    Exit Sub


The above says that if anybody sends any packets that are not supported by the server (in other words, attempting to hack the server with a hacked client), it should boot them. Make sure to ban their butts as well.

Next, look at all of the array comparisons...

You must check the UBound of the array BEFORE you do anything else with the array (including reading)! This is very important! I will do one command as an example; it is up to you to do the comparisons on all other commands...

Find:

    ' ::::::::::::::::::::
    ' :: Social packets ::
    ' ::::::::::::::::::::
    If LCase(Parse(0)) = "saymsg" Then


Add After:


        If UBound(Parse) <> 1 Then
            Call HackingAttempt(Index, "Packet Hack!")
            Exit Sub
        End If



Now, if you do not do the above, someone can run a custom proxy or a fake client, connect to your server, log in, and attempt to crash your computer, just by sending "saymsg" SEP_CHAR END_CHAR and that's it. Your server is gone :) This check makes sure that there is the correct number of items in the array before anything is compared against the array items.

Now that is not all. What if you are expecting a number in a certain array item, but the hacked client sends a text or some such?

Well, after you check the UBound of the array, you should go through and find out what kind of data you are expecting from an item before you use it. For example...

Find:


    ' ::::::::::::::::::::::::
    ' :: Warp to map packet ::
    ' ::::::::::::::::::::::::
    If LCase(Parse(0)) = "warpto" Then
        ' Prevent hacking
        If GetPlayerAccess(Index) < ADMIN_MAPPER Then
             Call HackingAttempt(Index, "Admin Cloning")
             Exit Sub
        End If
       
        ' The map
        n = Val(Parse(1))



Before:


        n = Val(Parse(1))


Add:


        If IsNumeric(Parse(1)) = False Then
            Call HackingAttempt(Index, "Packet Hack!")
            Exit Sub
        End If


This will check the packet first; if it is an invalid packet, get rid of the hacker.


One last thing for this tutorial..

With the vanilla code, people can connect to the server and send any message they like, BEFORE logging in! This is obviously bad as they can send flooding and the like. Like those nice long blank lines the BHcrap love doing, so ...

Add a member to your player type called "State as Byte".

On clear player, make sure State = 0.

What I am going to show you is a very simplistic way of preventing this (more or less, of course you would have to expand this to prevent other abuse...)

Find:


Sub JoinGame(ByVal Index As Long)
    ' Set the flag so we know the person is in the game
    Player(Index).InGame = True
                
    ' Send an ok to client to start receiving in game data
    Call SendDataTo(Index, "LOGINOK" & SEP_CHAR & Index & SEP_CHAR & END_CHAR)


Add after:


    Player(Index).State = 1


Find:

    ' ::::::::::::::::::::
    ' :: Social packets ::
    ' ::::::::::::::::::::



Add Before:


    If Player(Index).State <= 0 Then
        Call HackingAttempt(Index, "Script Kiddy Alert!!")
        Exit Sub
    End If



And that's all folks..
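
The three checks from this tutorial (login state, UBound, IsNumeric) gathered into one helper, as an added example that is not part of the original post or of Mirage Source. ValidatePacket and MAX_FIELD are hypothetical names and the range limit is an assumed value; Player(Index).State and HackingAttempt are used as the tutorial shows them.

```vb
' Added example; ValidatePacket and MAX_FIELD are hypothetical names.
' Player(Index).State and HackingAttempt are the tutorial's own.
Private Const MAX_FIELD As Double = 32767   ' assumed upper limit for numeric fields

' NumericFields: comma-separated Parse indexes that must be numbers, e.g. "1" or "1,2"
Public Function ValidatePacket(ByVal Index As Long, ByRef Parse() As String, _
        ByVal ExpectedUBound As Long, ByVal NumericFields As String, _
        ByVal NeedsLogin As Boolean) As Boolean
    Dim Fields() As String
    Dim i As Long
    Dim v As Double

    ' 1. Nothing is accepted from a connection that has not gone through JoinGame
    If NeedsLogin Then
        If Player(Index).State <= 0 Then
            Call HackingAttempt(Index, "Packet before login")
            Exit Function
        End If
    End If

    ' 2. Item count is checked before any Parse(n) beyond Parse(0) is read
    If UBound(Parse) <> ExpectedUBound Then
        Call HackingAttempt(Index, "Packet Hack!")
        Exit Function
    End If

    ' 3. Type and range: IsNumeric alone also passes values too large for an Integer or Long
    If Len(NumericFields) > 0 Then
        Fields = Split(NumericFields, ",")
        For i = 0 To UBound(Fields)
            If Not IsNumeric(Parse(CLng(Fields(i)))) Then
                Call HackingAttempt(Index, "Packet Hack!")
                Exit Function
            End If
            v = Val(Parse(CLng(Fields(i))))
            If v < 0 Or v > MAX_FIELD Then
                Call HackingAttempt(Index, "Packet Hack!")
                Exit Function
            End If
        Next i
    End If

    ValidatePacket = True
End Function

' Use inside HandleData, e.g. for the saymsg packet with the tutorial's UBound of 1:
'   If LCase(Parse(0)) = "saymsg" Then
'       If Not ValidatePacket(Index, Parse, 1, "", True) Then Exit Sub
```

Packets that are legitimately sent before login pass False for NeedsLogin; every other handler passes True so the state check cannot be forgotten per command.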


