Private Parallel JavaScript WebSocket connection

Newbie Spellweaver
Joined
Sep 22, 2012
Messages
27
Reaction score
4
I'm posting this to the General Discussion, instead of the development section, because I'm not sure whether or not I'm going to release this. The code is too unclean to really be released, as I'm still just learning. I'm interested in hearing other people's thoughts on the idea, which is why I'm creating a thread.

I've created a parallel WebSocket connection in PlusEmulator, where the connection is authorized and tied to a user. This allows for creating new features, while still keeping the Flash client and without needing to recode Habbo.

I have already made a piano, where other people in the room can hear what you are playing too. Similar to the Playable Piano addon in Garry's Mod. You just need to use a furniture with the interaction type set to piano while standing near it.

You could also reimplement features such as trax, or make a completely custom interface.

The WebSocket connection does make it a lot easier to script, since you can do it through the Developer Console. As an example, in my code, you can make your avatar wave forever with this simple bit of code:
Code:
setInterval(function() {
	HabboEnvironment.GetConnectionManager().SendMessage( AvatarActionComposer(1) );
}, 1000);

I haven't been able to find anything similar, and I am wondering why this hasn't been created before. Does anyone know why?
 

Developer
Developer
Joined
Dec 11, 2010
Messages
2,955
Reaction score
2,685
Awesome, so when can we expect Wobble Squabble or Lido diving? :wink:

Both are actually very simple, all you need to do is rip the images from the CCT files to recreate it.
 
Joined
Sep 10, 2011
Messages
778
Reaction score
138
This is a great idea, however I'm curious. You said running this code inside the developer console (client side) is able to run Java interactions basically directly from the client and then it's parsed in the emulator.

There are a lot of security vulnerabilities here, I mean a massive amount. It would be better to make a white list of available things to run.
 
Joined
Jun 23, 2010
Messages
2,318
Reaction score
2,195
This is a great idea, however I'm curious. You said running this code inside the developer console (client side) is able to run Java interactions basically directly from the client and then it's parsed in the emulator.

There are a lot of security vulnerabilities here, I mean a massive amount. It would be better to make a white list of available things to run.

How... just how, why do you say that? What do you mean with Java interactions? What is parsed in the emulator.. :soconfused:
 
Joined
Sep 10, 2011
Messages
778
Reaction score
138
How... just how, why do you say that? What do you mean with Java interactions? What is parsed in the emulator.. :soconfused:
He stated you can put this in the developer console (client-side JavaScript)

Code:
setInterval(function() {
    HabboEnvironment.GetConnectionManager().SendMessage( AvatarActionComposer(1) );
}, 1000);
That is clearly going to be parsed on the emulator side and run that code. Now just imagine if they decided to give themselves credits, promote themselves, etc. I actually can't think of any way secure events the end user should be able to have direct access to, maybe just navigating rooms and getting basic user or group data?
 
Joined
Jun 23, 2010
Messages
2,318
Reaction score
2,195
He stated you can put this in the developer console (client-side JavaScript)


That is clearly going to be parsed on the emulator side and run that code. Now just imagine if they decided to give themselves credits, promote themselves, etc. I actually can't think of any way secure events the end user should be able to have direct access to, maybe just navigating rooms and getting basic user or group data?

As far as I'm aware, that snippet is only client side. It sends an avatar action to the server via a custom written JavaScript library. Eventually, just like any packet, the server should validate it; the avatar action if it's a valid packet and if the user has been given rights to do so.

I do not see any reason to believe you can access code, or can execute self written code on the server.

Just because you can enter JavaScript in the development console to do funky stuff doesn't mean it's going to be executed at the server, lel. In fact: how is this different from doing calls to the webserver, or altering the Habbo.swf?
 
Joined
Sep 10, 2011
Messages
778
Reaction score
138
As far as I'm aware, that snippet is only client side. It sends an avatar action to the server via a custom written JavaScript library. Eventually, just like any packet, the server should validate it; the avatar action if it's a valid packet and if the user has been given rights to do so.
Just because you can enter JavaScript in the development console to do funky stuff doesn't mean it's going to be executed at the server, lel. In fact: how is this different from doing calls to the webserver, or altering the Habbo.swf?

As far as you are aware, our level of understanding of this guy's work is zero because he doesn't show any source code. The only code is a snippet of a direct function that would be executed inside of the emulator.

I said that it should be validated on the server side, you said the same thing so where this misunderstanding is at is the real question.

But, I highly doubt that this is already whitelisted or being run similarly to how packets are on an emulator. This looks like it's going to send a websocket event that does call the function directly upon being executed in the server. If that is indeed his own JavaScript library on the client that's doing parsing similar to how Habbo handles events, he really should learn the fundamentals of JavaScript regarding naming, function names and so forth.
I do not see any reason to believe you can access code, or can execute self written code on the server.
 
Newbie Spellweaver
Joined
Jun 3, 2014
Messages
25
Reaction score
4
As far as you are aware, our level of understanding of this guy's work is zero because he doesn't show any source code. The only code is a snippet of a direct function that would be executed inside of the emulator.

I said that it should be validated on the server side, you said the same thing so where this misunderstanding is at is the real question.

But, I highly doubt that this is already whitelisted or being run similarly to how packets are on an emulator. This looks like it's going to send a websocket event that does call the function directly upon being executed in the server. If that is indeed his own JavaScript library on the client that's doing parsing similar to how Habbo handles events, he really should learn the fundamentals of JavaScript regarding naming, function names and so forth.
I do not see any reason to believe you can access code, or can execute self written code on the server.
Users are already able to send whatever packet they want to the server using packetloggers such as Tanji. What the websocket connection does is that it allows them to send the packets without the need for a packetlogger; they can just send the packet with some JavaScript. So it isn't such a huge security issue imo. The emulator is already implementing certain checks on every packet, otherwise script kiddies would have already wreaked havoc in most retros with Tanji.
 
Joined
Feb 22, 2012
Messages
2,100
Reaction score
1,271
Users are already able to send whatever packet they want to the server using packetloggers such as Tanji. What the websocket connection does is that it allows them to send the packets without the need for a packetlogger; they can just send the packet with some JavaScript. So it isn't such a huge security issue imo. The emulator is already implementing certain checks on every packet, otherwise script kiddies would have already wreaked havoc in most retros with Tanji.

I agree, there’s no security vulnerability as far as I can see. I probably would’ve done it differently, but there are actually some benefits while doing this, as you can implement any packet you want with a websockets hook.

If there’s any vulnerability, it’d be on the server itself.

But you might agree that’s easier to make a bot this way, especially if it has a response, so you’d just need to write a javascript function to mod the client. How is the authentication? Depending how it’s done (I’m not sure how you are doing so I’m giving a shot), you could invoke the JS functions for a certain user without even logging in flash (it’s not a vulnerability per-se, though).

You should also be extra careful now against XSS though.



Also, imagine people creating scripts and executing in Console, publishing around, etc.
 
Elite Diviner
Joined
Apr 5, 2014
Messages
464
Reaction score
223
I haven't been able to find anything similar, and I am wondering why this hasn't been created before. Does anyone know why?

Lots of hotels are (and have been for many years) using websockets to add custom functionality, especially RP's.

As to why almost none of it is released; I guess it's because when people make it, it's not done with a release in mind, so it usually ends up being hard/time consuming to release only the needed components + who'd really want it if they have to make lots of changes to their own emulator to get it working?

Here's a gif from waay back when Habbo released the magic stacktiles. We didn't know how to get it working properly, so we made a custom interface for it with ws:



Here's an early attempt at implementing the old hand in newer clients using ws:
 

Newbie Spellweaver
Joined
Sep 22, 2012
Messages
27
Reaction score
4
As far as you are aware, our level of understanding of this guy's work is zero because he doesn't show any source code. The only code is a snippet of a direct function that would be executed inside of the emulator.

I said that it should be validated on the server side, you said the same thing so where this misunderstanding is at is the real question.

But, I highly doubt that this is already whitelisted or being run similarly to how packets are on an emulator. This looks like it's going to send a websocket event that does call the function directly upon being executed in the server. If that is indeed his own JavaScript library on the client that's doing parsing similar to how Habbo handles events, he really should learn the fundamentals of JavaScript regarding naming, function names and so forth.
I do not see any reason to believe you can access code, or can execute self written code on the server.

I do know the JavaScript naming conventions, but as this was mainly just a test, and I prefer to write object-oriented code, I decided just to use the naming convention that I prefer. What's most important with code is that you stay consistent in the naming, at least in my opinion. However, since I started this project I have learned about TypeScript from a friend, which is what I'm going to use if I develop this any further.

However, that doesn't mean that I'm claiming that my code is clean, and it's certainly not written well enough to be released, at least according to my own standards. When I created this post, I was more interested in hearing a conversation around it, and perhaps someone more qualified could make something proper to be released, if it is worth it. I'm still learning just by looking at publicly released emulators and other projects.



I agree, there’s no security vulnerability as far as I can see. I probably would’ve done it differently, but there are actually some benefits while doing this, as you can implement any packet you want with a websockets hook.

If there’s any vulnerability, it’d be on the server itself.

But you might agree that’s easier to make a bot this way, especially if it has a response, so you’d just need to write a javascript function to mod the client. How is the authentication? Depending how it’s done (I’m not sure how you are doing so I’m giving a shot), you could invoke the JS functions for a certain user without even logging in flash (it’s not a vulnerability per-se, though).

You should also be extra careful now against XSS though.



Also, imagine people creating scripts and executing in Console, publishing around, etc.

It requires the Flash client to be connected before it accepts WebSocket connections from that user, and if either of the two clients disconnects, the other client is forcefully disconnected too. The external flash interface is used to know when the WebSocket is supposed to connect. I have chosen to make the WebSocket connection mandatory, because it would be easier later on, if core game mechanics are moved to the WebClient. However, it doesn't have to be that way of course. The single sign-on key works exactly the same way as the normal one for the Flash client.
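
Added example, not part of any post in this thread and not PlusEmulator code: a sketch of the server-side checks the replies ask for (an allowlist of message types, a rights check, argument validation) combined with the session binding described in the last post. `HANDLERS`, `Gateway`, the message names and the rights strings are hypothetical, the frames are assumed to be JSON, and the per-message throttle is an extra check added here.

```javascript
// Added example: HANDLERS, Gateway, message names and rights are hypothetical.
const HANDLERS = {
  // name -> required right, argument validator, minimum gap between calls (ms)
  avatar_action: { right: null, minGapMs: 500,
    valid: a => Number.isInteger(a.id) && a.id >= 0 && a.id <= 5 },
  piano_note: { right: null, minGapMs: 50,
    valid: a => Number.isInteger(a.key) && a.key >= 0 && a.key < 88 },
  give_credits: { right: "admin", minGapMs: 0,
    valid: a => Number.isInteger(a.amount) && a.amount > 0 },
};

class Gateway {
  constructor() { this.flash = new Map(); this.ws = new Map(); } // SSO ticket -> session
  flashLogin(ticket, user) { this.flash.set(ticket, { user, last: {} }); }
  // Accept the WebSocket only if the same SSO ticket already has a Flash session.
  wsConnect(ticket) {
    const s = this.flash.get(ticket);
    if (s) this.ws.set(ticket, s);
    return Boolean(s);
  }
  // Either connection dropping tears down both.
  disconnect(ticket) { this.flash.delete(ticket); this.ws.delete(ticket); }
  // Every inbound frame is untrusted: parse, allowlist, authorize, validate, throttle.
  handle(ticket, raw, now) {
    const s = this.ws.get(ticket);
    if (!s) return "rejected: no session";
    let msg;
    try { msg = JSON.parse(raw); } catch (e) { return "rejected: malformed"; }
    if (msg === null || typeof msg !== "object") return "rejected: malformed";
    // Own-property lookup so names like "__proto__" never resolve to a handler.
    if (typeof msg.type !== "string" ||
        !Object.prototype.hasOwnProperty.call(HANDLERS, msg.type)) return "rejected: unknown type";
    const h = HANDLERS[msg.type];
    if (h.right && !s.user.rights.includes(h.right)) return "rejected: no rights";
    if (!h.valid(msg.args || {})) return "rejected: bad args";
    const prev = s.last[msg.type];
    if (prev !== undefined && now - prev < h.minGapMs) return "rejected: rate limit";
    s.last[msg.type] = now;
    return "accepted";
  }
}

// Constructed session and frames; returns the gateway's decision for each.
function demo() {
  const g = new Gateway();
  g.flashLogin("ticket-1", { name: "alice", rights: [] });
  g.wsConnect("ticket-1");
  const wave = '{"type":"avatar_action","args":{"id":1}}';
  return [g.handle("ticket-1", wave, 1000), g.handle("ticket-1", wave, 1100),
    g.handle("ticket-1", '{"type":"give_credits","args":{"amount":100}}', 1200)];
}
```

The decision depends only on the server's table and the session's rights, so it is the same whether the frame came from the page's own script, the Developer Console or a packet tool.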
 