Patch bots [Plus Emulator]

  1. #16
    The General (Developer, joined Aug 2011, 7,607 posts)

    Re: Patch bots [Plus Emulator]

    Seriously? You think this is going to prevent any bots from popping up in your hotel?

    They just have to modify their program so it sends the external_variables.

    Why aren't you guys smarter? Why not put a time limit on how long the SSO can stay valid? The SSO gets updated in the users table once the client loads and then it connects to the emulator.
    About 20 seconds tops.

    There are other ways to verify if the client is a bot or not. MUS / RCON for example.

    Think out of the box and not any hardcoded stuff.
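
The short-lived SSO suggested in post #16, as an added example that is not part of the thread or of Plus Emulator: a ticket that expires 20 seconds after issue and can be redeemed only once. `SsoTicketStore`, `Issue` and `TryRedeem` are hypothetical names, and the in-memory dictionary stands in for the users table that the CMS and the emulator share.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Added example: SsoTicketStore, Issue and TryRedeem are hypothetical names,
// and the dictionary stands in for the shared users table.
public sealed class SsoTicketStore
{
    private readonly ConcurrentDictionary<string, (int UserId, DateTime Expires)> _tickets =
        new ConcurrentDictionary<string, (int UserId, DateTime Expires)>();
    private readonly TimeSpan _lifetime;
    private readonly Func<DateTime> _utcNow;   // injectable clock so expiry can be demonstrated

    public SsoTicketStore(TimeSpan lifetime, Func<DateTime> utcNow) { _lifetime = lifetime; _utcNow = utcNow; }

    // CMS side: issue an unguessable ticket when the client page loads.
    public string Issue(int userId)
    {
        var raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string ticket = Convert.ToBase64String(raw);
        _tickets[ticket] = (userId, _utcNow() + _lifetime);
        return ticket;
    }

    // Emulator side: the ticket is removed on first use, so a replay fails,
    // and a ticket presented after its lifetime is rejected.
    public bool TryRedeem(string ticket, out int userId)
    {
        userId = 0;
        if (ticket == null || !_tickets.TryRemove(ticket, out var entry)) return false;
        if (_utcNow() > entry.Expires) return false;
        userId = entry.UserId;
        return true;
    }
}
public static class SsoDemo
{
    public static void Main()
    {
        var now = new DateTime(2015, 1, 1, 12, 0, 0, DateTimeKind.Utc); // constructed clock
        var store = new SsoTicketStore(TimeSpan.FromSeconds(20), () => now);
        string fresh = store.Issue(42), stale = store.Issue(42);
        Console.WriteLine("first use:  " + store.TryRedeem(fresh, out _));
        Console.WriteLine("replay:     " + store.TryRedeem(fresh, out _));
        now = now.AddSeconds(21);
        Console.WriteLine("after 21 s: " + store.TryRedeem(stale, out _));
    }
}
```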

  2. #17
    AKllX (Member, joined Aug 2007, location: @ akllxproject, 366 posts)

    Asking a user a simple question using the Habbo Poll system on every login is enough to avoid 100% of the current bot mechanisms. It's easy to patch, but still.

  3. #18
    Rush Retros (Member, joined Dec 2013, location: Denmark, 365 posts)

    Quote: Originally posted by AKllX
    Asking a user a simple question using the Habbo Poll system on every login is enough to avoid 100% of the current bot mechanisms. It's easy to patch, but still.

    Sorry for going off topic lol, but do u still develop or did u completely stop?

  4. #19
    AKllX (Member, joined Aug 2007, location: @ akllxproject, 366 posts)

    Quote: Originally posted by Rush Retros
    Sorry for going off topic lol, but do u still develop or did u completely stop?

    I work/study 12 hours a day. Although I enjoy reversing Habbo, I'm 20 yo already, the game itself is for teens. I only played it for the girls. I didn't stop but my free time is very limited. I'm planning something cool for my next vacation. On my last one I revised Plus Emulator. I don't really release a lot of useful material but the ones I make proved to be well accepted. Looking forward to the next one.

  5. #20
    EvilCoder (Member, joined Jul 2009, location: /home/mvdworp, 334 posts)

    Quote: Originally posted by The General
    Seriously? You think this is going to prevent any bots from popping up in your hotel?

    They just have to modify their program so it sends the external_variables.

    Why aren't you guys smarter? Why not put a time limit on how long the SSO can stay valid? The SSO gets updated in the users table once the client loads and then it connects to the emulator.
    About 20 seconds tops.

    There are other ways to verify if the client is a bot or not. MUS / RCON for example.

    Think out of the box and not any hardcoded stuff.

    I said it was a small fix. I did not say it was a permanent fix. This is just temporary. I also posted that the noobs are entering your hotel with these bots. They don't know how to fix this. Unless somebody posts another bot which has this prevented. In that case I will find something else. I don't really care. I can have other fixes posted, for example only 2 sessions per IP. Or re-create the ipban. Which then will kill all the clients with the IP also, instead of just banning them. It really does not matter, like I said it was a temp fix.

    - - - Updated - - -

    Quote: Originally posted by Troll Hotel
    You also need to add
    Code:
        // Static wrapper that calls ClientVars() on the message handler.
        internal static void ClientVars(GameClientMessageHandler handler)
        {
            handler.ClientVars();
        }
    to your sharedpacketlib.cs

    Thanks, I forgot this.

    - - - Updated - - -

    Quote: Originally posted by Arachis
    Not sure if the original hotel was also using this as a security measure, but you could get around it, by just doing the exact same thing the client would do:


    Of course, you'd need to adjust it to the hotel's 'ext_vars' link. There really isn't a way to patch these types of bots, but you could make it harder/troublesome for the user by hiding this type of information from the user.

    There is another packet which checks your user_agent. Don't seem to remember which one that was. Could you also fake that one? You probably can, right? Because the client is sending the user_agent to the emulator. What the client can do the bot program also can do.

  6. #21
    Emily (Member, joined Oct 2012, location: The Netherlands, 2,408 posts)

    Quote: Originally posted by EvilCoder
    There is another packet which checks your user_agent. Don't seem to remember which one that was. Could you also fake that one? You probably can, right? Because the client is sending the user_agent to the emulator. What the client can do the bot program also can do.

    Just saying, you can't protect it by any packet, since a good packetlogger/scripter can send packets to the server. That way, it can easily be bypassed :) You can always fake packets. It's for the emulator developers to find a way to protect false data from being used.

  7. #22
    Arachis (Member, joined Aug 2014, location: United States, 132 posts)

    Quote: Originally posted by EvilCoder
    There is another packet which checks your user_agent. Don't seem to remember which one that was. Could you also fake that one? You probably can, right? Because the client is sending the user_agent to the emulator. What the client can do the bot program also can do.

    Habbo uses a ping/pong system to check whether the client is alive; you can have the server send a packet to the client and wait for a certain callback. If the client doesn't respond with 'x', then disconnect the client. This can also be simulated by a 3rd party, but the only thing you can really do is make it more annoying to the attacker. (Or you can allow 1 active session per IP like you've stated.)

  8. #23
    The General (Developer, joined Aug 2011, 7,607 posts)

    How about you encrypt the SSO and send the encryption key via MUS so you can decrypt it.

    His cheap bot tool cannot connect to MUS so it can never spoof it or log it.

  9. #24
    MrPudding (Member, joined Jul 2013, location: Germany, 174 posts)

    Quote: Originally posted by The General
    How about you encrypt the SSO and send the encryption key via MUS so you can decrypt it.

    His cheap bot tool cannot connect to MUS so it can never spoof it or log it.

    Or 1 gameclient per IP, that could also be a small fix.

  10. #25
    Kristophers (Member, joined Dec 2013, 198 posts)

    Or would this be possible: as soon as you sign in to the CMS it triggers the enum (0,1), 0 meaning off the CMS and 1 meaning on, and runs the check every 3 mins, and if you are signed out it will disconnect you? Or add code into the emulator to run the check upon entering client? Or say fuck retrolist and add a captcha on the client file to enter the client?

  11. #26
    Emily (Member, joined Oct 2012, location: The Netherlands, 2,408 posts)

    Quote: Originally posted by The General
    How about you encrypt the SSO and send the encryption key via MUS so you can decrypt it.

    His cheap bot tool cannot connect to MUS so it can never spoof it or log it.

    It doesn't matter. There's always a way to bypass it. With a few edits the bot tool can be working even with the solution you posted. But well, I guess for a short time it's pretty useful then :)

  12. #27
    EvilCoder (Member, joined Jul 2009, location: /home/mvdworp, 334 posts)

    Such a pity that people are abusing some functions...

  13. #28
    AKllX (Member, joined Aug 2007, location: @ akllxproject, 366 posts)

    I might be wrong but Habbo recently changed their key exchange method. Their RSA key exchange now prevents you from injecting custom keys for which you already know the answer. Such as the pair Joopie once generated or %1 used by NovoFatum. The struggle is real as even Sulake is having a hard time with bots, but every hotel having its own secret key pair and Primes randomly generated is a way to go. The 'Quiz' method is the most popular method for games I already developed like Ragnarok. You can also require your user to use a local launcher that scans for malicious programs, like MU Online. But that's even illegal I guess.

  14. #29
    Rush Retros (Member, joined Dec 2013, location: Denmark, 365 posts)

    Quote: Originally posted by AKllX
    I work/study 12 hours a day. Although I enjoy reversing Habbo, I'm 20 yo already, the game itself is for teens. I only played it for the girls. I didn't stop but my free time is very limited. I'm planning something cool for my next vacation. On my last one I revised Plus Emulator. I don't really release a lot of useful material but the ones I make proved to be well accepted. Looking forward to the next one.

    Ok sounds really amazing, and I'm glad u didn't stop :D

  15. #30
    maritnmine (Member, joined May 2007, location: North Korea, 1,103 posts)

    I wonder why it is so hard for you to protect your server from bots. Although it is pretty funny when you get tons of generic bots in your server yelling "pools closed", it could on the other hand be pretty annoying.
    However, I wouldn't say this "fix" is the way to go to "solve" the bot problem, even temporarily.
    - All servers should have a working captcha upon registration. Make sure this works. This is the first layer of protection against bots and is the source from which hotels get flooded with hundreds of thousands of registrations.
    - If this is not enough, we have Cloudflare, which has browser verification built in, so in general you don't really need any additional code in the CMS or the gameserver.
    - And if the bots are still getting into the server, make sure they don't get around Cloudflare by having your real server IP. Add rules to your firewall that only allow connections from Cloudflare IP ranges (see https://www.cloudflare.com/ips)
    - Add a limit per IP, as the origin normally has a short limit on IPs they can send bots from. Setting this limit to one is not a good idea as there is often more than one (legit) user trying to access the server simultaneously.
    - What about RSA? I thought many hotels had RSA going these days to avoid scripting and such.
    - The last step would be to add captcha when users sign in. One thing to keep in mind is that users hate captcha as it takes time and effort to enter the almost unreadable letters. Consider this as a last effort when it comes to mitigating a bot attack.
    - Consider reporting the IP where the attack is originating from. If it originates from a hosting company, they would be more than happy to help you. Just make sure you have proof such as logs from your web-server that proves that the IP is generating malicious traffic on your server. Had someone running a TCP flood attack to a MySQL server back in the days. Grabbed a log-file and sent an email to the OVH abuse email as the attack came from an OVH server. Shortly after, the IP where it came from was taken down :)

    I don't get why this has to be so hard for you kids. Didn't we learn from the time when hotels got flooded with bots from avalanche (or whatever that program was called)?
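
The per-IP session limit raised in posts #20, #22, #24 and #30, as an added example that is not part of the thread or of Plus Emulator: a counter that allows a configurable number of sessions per address and frees a slot on disconnect. `IpSessionLimiter`, `TryOpen` and `Close` are hypothetical names, and the address is a constructed documentation address.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

// Added example: IpSessionLimiter, TryOpen and Close are hypothetical names.
public sealed class IpSessionLimiter
{
    private readonly Dictionary<IPAddress, int> _active = new Dictionary<IPAddress, int>();
    private readonly object _gate = new object();
    private readonly int _maxPerIp;

    public IpSessionLimiter(int maxPerIp) { _maxPerIp = maxPerIp; }

    // Count 203.0.113.10 and ::ffff:203.0.113.10 as one client on dual-stack sockets.
    private static IPAddress Normalize(IPAddress a) => a.IsIPv4MappedToIPv6 ? a.MapToIPv4() : a;

    // Call when a connection is accepted; false means the address is at its limit.
    public bool TryOpen(IPAddress remote)
    {
        remote = Normalize(remote);
        lock (_gate)
        {
            _active.TryGetValue(remote, out int count);   // count stays 0 for a new address
            if (count >= _maxPerIp) return false;
            _active[remote] = count + 1;
            return true;
        }
    }

    // Call from the disconnect handler; without it legitimate users stay locked out.
    public void Close(IPAddress remote)
    {
        remote = Normalize(remote);
        lock (_gate)
        {
            if (!_active.TryGetValue(remote, out int count)) return;
            if (count <= 1) _active.Remove(remote); else _active[remote] = count - 1;
        }
    }
}
public static class LimiterDemo
{
    public static void Main()
    {
        var limiter = new IpSessionLimiter(3);        // above one: legit users can share an address
        var home = IPAddress.Parse("203.0.113.10");   // constructed documentation address
        for (int i = 1; i <= 4; i++)
            Console.WriteLine("session " + i + ": " + limiter.TryOpen(home));
        limiter.Close(home);
        Console.WriteLine("after one disconnect: " + limiter.TryOpen(home));
    }
}
```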


