Patch bots [Plus Emulator]

[Emily]

There is another packet which checks your user_agent. Don't seem to remember which one that was. Could you also fake that one? You probably can right? Because the client is sending the user_agent to the emulator. What the client can do the bot program also can do.

Just saying, you can't protect it by any packet, since a good packetlogger/scripter can send packets to the server. That way, it can easily be bypassed You can always fake packets. It's for the emulator developers to find a way to protect false data from being used.

 

[PeanutButterHam]

There is another packet which checks your user_agent. Don't seem to remember which one that was. Could you also fake that one? You probably can right? Because the client is sending the user_agent to the emulator. What the client can do the bot program also can do.

Habbo uses a ping/pong system to check whether the client is alive, you can have the server send a packet to the client and wait for a certain callback. If the client doesn't respond with 'x', then disconnect the client. This can also be simulated by a 3rd party, but the only thing you can really do is make it more annoying to the attacker.(Or you can allow 1 active session per IP like you've stated.)

 

[The General]

How about you encrypt the SSO and send the encryption key via MUS so you can decrypt it.

His cheap bot tool cannot connect to MUS so it can never spoof it or log it.

 

[MrPudding]

How about you encrypt the SSO and send the encryption key via MUS so you can decrypt it.

His cheap bot tool cannot connect to MUS so it can never spoof it or log it.

Or 1 gameclient per IP.., that could also be a small fix

 

[Kristophers]

Oor would this be possible as soon as you sign in the cms it triggers the enum (0,1) 0 mean off the cms and 1 meaning on and run the check every 3 mins and if you are signed out it will disconnect you. Or add code into the emulator to run the check upon entering client? Or say duck retrolist and add a captcha on the client file to enter the client?

 

[Emily]

How about you encrypt the SSO and send the encryption key via MUS so you can decrypt it.

His cheap bot tool cannot connect to MUS so it can never spoof it or log it.

It doesn't matter. There's always a way to bypass it. With a few edits the bot tool can be working even with the solution you posted. But well, I guess for a short time it's pretty useful then

 

[EvilCoder]

Such a pitty that people are abusing some functions...

 

[AKllX]

I might be wrong but Habbo recently changed their key exchange method. Their RSA keys exchange now prevent you from injecting custom keys for which you already know the asnwer. Such as the pair Joopie once generated or %1 used by NovoFatum. The struggle is real as even Sulake is having a hard time with bots, but every hotel having it's own secret key pair and Primes randomly generated is a way to go. The 'Quiz' method is the most popular method for game I already developed like Ragnarok. You can also require your user to use a local launcher that scans for malicious programs, like MU Online. But that's even illegal I guess.

 

[Rush Retros]

I work/study 12 hours a day. Althrough I enjoy reversing Habbo, I'm 20 yo already, the game itself is for teens. I only played it for the girls. I didn't stop but my free time is very limited. I'm planning something cool for my next vacation. On my last one I revised Plus Emulator. I don't really do release a lot of useful material but the ones I make proved to be well accepted. Looking foward for the next one :blush:

Ok sounds really amazing, and im glad u didnt stop

 

[maritnmine]

I wonder why it is so hard for you to protect your server from bots. Although it is pretty funny when you get tons of generic bots in your server yelling "pools closed", it could on the other hand be pretty annoying.
However, I wouldn't say this "fix" is the way to go to "solve" the bot problem, even temporarily.
- All servers should have a working captcha upon registration. Make sure this works. This is the first layer of protection against bots and is the source to where hotels gets flooded with hundreds of thousands of registrations.
- If this is not enough, we have Cloudflare that got browser verification built-in so in general you don't really need any additional code in the cms or the gameserver.
- And if the bots are still getting into the server, make sure they don't get around Cloudflare by having your real server IP. Add firewall rules to your firewall that only allows connection from Cloudflare IP ranges (see

You must be registered to see links

)
- Add a limit per IP as the origin most normally have a short limit on IPs they can send bots from. Setting this limit to one is not a good idea as there are often more than one (legit) user trying to access the server simultaneously.
- What about RSA? I thought many hotels had RSA going these days to avoid scripting and such.
- The last step would be to add captcha when users sign in. One thing to keep in mind is that users hate captcha as it takes time and effort to enter the almost unreadable letters. Consider this as a last effort when it comes to mitigating a bot attack.
- Consider reporting the IP where the attack is originating from. If it originates from a hosting company, they would be more than happy to help you. Just make sure you have proof such as logs from your web-server that proves that the IP is generating malicious traffic on your server. Had someone running a TCP flood attack to a MySQL server back in the days. Grabbed a log-file and sent an email to the OVH abuse email as the attack came from an OVH server. Shortly after, the IP where it came from was taken down

I don't get why this has to be so hard for you kids. Didn't we learn from the time when hotels got flooded with bots from avalanche (or whatever that program was called)?

 

[Nasty35]

ServerMessage vars = new ServerMessage("340");
vars.writeUTF("haha fail");
vars.writeUTF("external_variables.txt");
vars.send(socket);

sorry...

Try again

--
If you never send this packet (340), never does this check

 

[EvilCoder]

I wonder why it is so hard for you to protect your server from bots. Although it is pretty funny when you get tons of generic bots in your server yelling "pools closed", it could on the other hand be pretty annoying.
However, I wouldn't say this "fix" is the way to go to "solve" the bot problem, even temporarily.
- All servers should have a working captcha upon registration. Make sure this works. This is the first layer of protection against bots and is the source to where hotels gets flooded with hundreds of thousands of registrations.
- If this is not enough, we have Cloudflare that got browser verification built-in so in general you don't really need any additional code in the cms or the gameserver.
- And if the bots are still getting into the server, make sure they don't get around Cloudflare by having your real server IP. Add firewall rules to your firewall that only allows connection from Cloudflare IP ranges (see

You must be registered to see links

)
- Add a limit per IP as the origin most normally have a short limit on IPs they can send bots from. Setting this limit to one is not a good idea as there are often more than one (legit) user trying to access the server simultaneously.
- What about RSA? I thought many hotels had RSA going these days to avoid scripting and such.
- The last step would be to add captcha when users sign in. One thing to keep in mind is that users hate captcha as it takes time and effort to enter the almost unreadable letters. Consider this as a last effort when it comes to mitigating a bot attack.
- Consider reporting the IP where the attack is originating from. If it originates from a hosting company, they would be more than happy to help you. Just make sure you have proof such as logs from your web-server that proves that the IP is generating malicious traffic on your server. Had someone running a TCP flood attack to a MySQL server back in the days. Grabbed a log-file and sent an email to the OVH abuse email as the attack came from an OVH server. Shortly after, the IP where it came from was taken down

I don't get why this has to be so hard for you kids. Didn't we learn from the time when hotels got flooded with bots from avalanche (or whatever that program was called)?

I am using cloudflare. But since when does this have something to do with cloudflare.

You manually register 5 accounts on a retro, paste it in the text file. After that you can simple connect the bots to the emulator ip.. >,>

 

[maritnmine]

I am using cloudflare. But since when does this have something to do with cloudflare.

You manually register 5 accounts on a retro, paste it in the text file. After that you can simple connect the bots to the emulator ip.. >,>

They got browser verification so you can avoid bots entering your website. You might wanna check it out

 

[duckietm]

What more ideal is that you start using SSL and to build a check that can verrify if the SSL is the right domain name / serial number / tumbprint etc. etc.
that last part is a challange but that is to make sure they don't load other poop
for example :

You must be registered to see links

 

[EvilCoder]

They got browser verification so you can avoid bots entering your website. You might wanna check it out

I know. But.. You can still manually register the bots and put the text in the files. People are really sad enough to do so.

 

[maritnmine]

What more ideal is that you start using SSL and to build a check that can verrify if the SSL is the right domain name / serial number / tumbprint etc. etc.
that last part is a challange but that is to make sure they don't load other poop
for example :

You must be registered to see links

That won't protect you from bots. Anyone who knows what SSL is knows that it doesn't protect/mitigate you against automated bot registrations and/or logons.

 

[Beny.]

Or you can just create a TCP Client, send messages to the emulator with it and make a login with SSO ticket *cough cough*

 

[EvilCoder]

That won't protect you from bots. Anyone who knows what SSL is knows that it doesn't protect/mitigate you against automated bot registrations and/or logons.

Agreed.

But for the users who don't know:

You must be registered to see links

Or you can just create a TCP Client, send messages to the emulator with it and make a login with SSO ticket *cough cough*

And what makes you say the the program can't send the same message *cough cough*. While it clearly reads the client file *cough*. And there are a lot of packet sniffers *cough*

They got browser verification so you can avoid bots entering your website. You might wanna check it out

You manually register 5 accounts on a retro, paste it in the text file. After that you can simple connect the bots to the emulator ip.. >,>

 

[Quackster]

This fix is completely redundant, my bot program doesn't even request this packet so it's useless.

 

[Moogly]

This fix is completely redundant, my bot program doesn't even request this packet so it's useless.

I think he meant to check if the packet wasn't requested, but he kind of failed.