Could hackers destroy NPC and hide it from map?

[Nemar]

So i've been running a small v62 beta server based on odin, sometimes it gets 5 people online and it's been running for 3 months, never had an issue during that period.

Now this month, there's someone who keep registering accounts after being banned multiple time. It seems that he has the ability to exploit and abuse a bug, which enables him to completely hide very important NPCs at the training camp from the main map. Once he does that the NPCs vanishes remain as a green point on MiniMap only.

My question how can that be possible? Is there anything I can do server side to prevent it from happening. I suspect he is sending some kind of "Destroy Data" packet to the NPCs through a packet editing method but I am not sure. Any help or clues would be much appreciated. :

 

[ahnlab]

Well, when a player opens up a maplestory client, the server must send the spawnNpc packet in order to make the client show the npc.

Now, MapleMap class stores the objects that in the map (npcs, players, mobs etc..) so when a player enters a map, all of the objects are sent to the client (their spawn packet), so the client will know what objects it has (it doesn't know). so for each client the server sends those packets.

Npcs, mobs and reactors, are loaded into map instances once you load the server (MapleMapFactory). so when you enter the map, these are the "default" objects it sends. (sorry if I explain wrong facts, correct me please)

What you describe is a quite odd, I never heard of it, but in order to make this bug, the hacker must abuse a bug within your source code that causes the server send wrong packets data or not send them at all. a hacker can't manipulate others client (as I'm aware of).

What would I do? I would print the spawnNpc packet variables (objectid, npcid, pos, etc) but only when this bug occurs. so just set a boolean flag in your server constants or w/e, and make a command in your admin commands that sets it to true/false, so you would be able to print it only when the bug occurs and not the whole time. then just enter the map and see what you get. (Oh and I recommend to print it before the bug and after, to see any differences)

I hope that helped you

 

[Meteorite]

It sounds like one of your npc handlers has a PE exploit that's causing the NPC to despawn.
You might want to look over them, and maybe add checks to make sure the data being received is valid/legal, because asanhlab said, (in general) a hacker can't manipulate other people's clients in the way you're describing.

 

[Tsundere]

So, I think there are misunderstandings. If I logged onto GMS, loaded a PE, and sent something like a SpawnReactor packet, it will spawn a reactor to the server. If someone sends a RemoveNPC packet to the server, yes, I believe it will remove an npc. Now, this is suspicious activity and should be bannable on GMS. However, on a private server, it all depends on what you're monitoring and if you have a check in place to stop PE's from being able to send a valid packet to do what they want on the server. You should disable spawn/remove packets if they are not sent via a proper handler. Please let me know if I'm wrong though.

 

[swordiemen]

So, I think there are misunderstandings. If I logged onto GMS, loaded a PE, and sent something like a SpawnReactor packet, it will spawn a reactor to the server. If someone sends a RemoveNPC packet to the server, yes, I believe it will remove an npc. Now, this is suspicious activity and should be bannable on GMS. However, on a private server, it all depends on what you're monitoring and if you have a check in place to stop PE's from being able to send a valid packet to do what they want on the server. You should disable spawn/remove packets if they are not sent via a proper handler. Please let me know if I'm wrong though.

There's no client -> server packets that spawn anything server side (at least afaik), just server -> client. But OP, I'd check where your removeNpc packet gets called from, and track down the ones that are able to (indirectly) get the server to remove an npc.