[Guide] PT Server & Client security

[SmexyBoyR]

[Guide] removed

;p ;p ;p

 

[bobsobol]

Very cleanly written, with a slightly different angle on what is basically the same idea as ABs guide. So if you don't get ABs guide you can try this one.Thank you.

Some points, if you are keen to maintain this post.

Then go to your server's hotuk and change the 111111111 to 769007025.

Notice that 769007025 is only an example, you will have other checksum.

To explain... this number will (should) change if you make any alteration to the code, or data in your game.exe. When I say "should" check for your self what happens when you change information in an added section, like the common PTTrans or GFantesy sections. Some clients DO change the checksum, because these sections are added well, but I've seen some that don't, so watch out for that.

6. Pack your game.exe. There are many softwares for this. I suggest ASPack, Link :

You must be registered to see links

We all know I recommend you DON'T do this, especially using ASPack. However... some exe packers will make the CLSAFE_CODE change even in sections that aren't covered, and some modified UPX encryptions are pretty good.

If you REALLY feel you need this, don't download a packer and use it... download the source for one, modify and rebuild it, then use that... always make sure you cannot download an unpacker and just use that to reverse the process. There are thousands of un-ASPackers.

3. IP Block system - Download this software to block any IP (or range ip's). it blocks the IP from any port.
Link :

You must be registered to see links

This is the new version of PeerGuardian, which is no longer in development. I have been trying to persuade the PeerBlock programmes to allow us an API to add IPs from a program which scans our logs, or from web script.

Right now, you have to edit the list manually. I hope you can see the advantage an API would give, and will also lodge your own ideas with the PB team.

*RECORD COPIED ITEM
*RECORD COPIED ITEM IN WAREHOUSE
They work... but TBH I think that is more of a problem on Diablo II. XD There was a time-out bug that allowed people to sell and item, and log off really quick so they got the cash for the sale and still had the item to sell... but usually it happens because a GM /@get's an item from LogItem... but this will record the fact that it happened.

*SERVER_RECORD_MEM 1, (IMS) just logs how much memory your server is using, so you can see memory spikes, which may cause buffer-overruns, DDoS or just server restarts.

*CLIENT_CHECK_FUNC checks a game clients data tables against the .DAT file in funcbox. If you change your level tables or such you may get disconnections with this enabled if you don't delete the .dat file that matches your game version number. Eg. QF 1873 matches "funcbox\1873.dat" The first client which connects to your server with a specific version number creates the .dat file with the function table checksums.

*RECORD_JOBCHANGER Logs Tier quests completed IMS.

*CLIENT_CHECK_PROCESS_TIME 30 & *CLIENT_PROCESS_TIME_OUT are either how frequently the client checksums are requested, or how long you can stand in town idling before your get disconnected, which protects town lag somewhat... though it worked better before personal shops. funcbox checksum packets are quite sizeable, so checking too often creates a lot of TCP/IP traffic (= laaaag) but if you only check every 30mins (ridiculously high figure) that's half an hour for hackers to trash your server before it kicks them. XD

 

[SmexyBoyR]

From my own experience when i tried unpack my game.exe after i packed it, it couldnt log to the server more. it gets unable to connect after you unpack it. also not anyone is like you bobsobol. most of the ppls dont have idea about unpack and all that. and 1 more reason to use ASPack is because froggPT used it too and lunarPT too. and it was probally gregoo who did for them and if gregoo did, it's good.

P.S
I updated the topic with more security ways.

 

[bobsobol]

most of the ppls dont have idea about unpack and all that.

Most players and server devs don't. Pretty much anyone who is likely to even try to attack your server will be much more conversant than I.

and 1 more reason to use ASPack is because froggPT used it too and lunarPT too. and it was probally gregoo who did for them and if gregoo did, it's good.

lol... Someone asked me to look into "how Luna PT did" something or other, and after 5 days solid trying to get the exe readable I had to give up and admit that I just couldn't read the file, let alone find one specific modification in it. So if it was based on ASPack they did a very good job of modifying it.

And that's the bigger point. If you do it, know what you are doing, don't just go with a generic packer. In fact, the recommendation that you use ASPack is more scary to me than that you pack. If you hunt out the rarest one, or make your own, it's all good. UPX and y0da are freely available in open source versions, and if you hit the underground there are many many more. If you build your own it should loose the signature that Anti-Virus don't like, and it's highly unlikely to work with any generic unpacker.

I only know what I know from trying to get back to where I came from with packing with my own programs. My conclusion has always been that it's a waste of time, because I've spent hours trying to find one I can't reverse, and days trying to reverse it before I'm reasonably happy it's safe only to have it cracked 4 hours after release. (not PT, another program)

Anyway... I can give some very good reasons to do it:-
a) Hide you IP (a bit)
b) Hide your clan ASP urls. (a bit)
c) Protect against using altered sections (if your packer changes your CLSAFE_CODE... just make sure it does.)

I can also think of better ways to do all of these things, but not as simple as getting the y0da source modifying the algorithm a bit, building it and packing your exe with it. And some where it is not so useful:-
a) Incompatibility with Anti-Malware programs.
b) Incompatibility with various current, and future OS versions.
c) Packet tracing will show many of these things anyway.

If gregoo did it, he probably did it properly, which is what makes it good. This one is anti-septic for a bleeding gash... you have to go the whole hog or it will hurt like hell for nothing, and you still loose a limb.

On the updates... it's looking really good.

12. Change internal version of game.exe and then add *VERSION to your server's hotuk. example :
*VERSION 6350

6350 = your internal version in game.exe. only example...

I've tried it, it's good and once you know how to do it, you should do it each time you make major changes to you client (especially item, level, aging, mixing etc tables)... this automatically creates a new checkfunc\*.dat file, without destroying the one for the older client.

13. Backup - Backup ANYTHING every some time, before you modify/edit things. backup everything and always save a backup somewhere.

This is excellent advise, espcially back up your SQL database and user, character, item files regularly.

If a hacker does trash your server, you can at least roll-back. It sux, but not as much as expecting everyone to re-register and play from 6 months ago.

8. Use SQL 2008 and NOT SQL 2005 or 2000. It works with PT Server 100%.
--------------------------------------------------------------
9. Disable remote connections to SQL. You can find it on Options/Settings of the SQL.

These are too hard for me. I've tried SQL 2008, and it just doesn't work, at all, EVER. And I've tried disabling remote SQL connections, and then I can't log in. XD

not anyone is like you bobsobol.

Agreed, most are much more skilled.tt1:

Oh yes... BTW, if you want GMs to access only via IP, and they have dynamic IP, try setting up a VPN tunnel for GMs. Yes, I know Hamachi is an arse, but

You must be registered to see links

is pretty fast and secure. That's just an example, there are other VPN solutions. What you end up with is a virtual NIC on your server and a virtual NIC on their PC. The connection (cable) is plugged in either end of the internet, with encryption over every packet while it's in the wild. To their PC, and your server it looks like they are on the LAN with your server, so they get allocated a LAN IP, and you can set that as a static one or use your own DHCP server to issue them a static IP.

 

[SmexyBoyR]

Thanks bobosobol for all the information.
I would like to ask you/anyone who know if you know how to make these commands work :
*CLSAFE_CODE 111111111
*DISCONNECT_CLSAFE_CODE 1

111111111 only an example.

When I used these commands I got disconnect after a while in-game. i checked the logs and I got some memory or something logs and it had a code there. i tried this code and still got dc's. also i tried the checksum code and still dced.

So if anyone can explain here how to make them work properlly, pleaese tell in this topic and i will update the first topic.

 

[Gregoo]

if gregoo did, it's good.

I laughed at that but seriously, no. It's not because I made something that it is good.

8. & 9. contradict. If the server cannot be accessed from the outside, the sql server isn't faulty if an attack is successful.
It comes from somewhere else.
People shouldn't try to change their sql server if it's working.

One thing you can add, is having a log reader to ban accounts producing weird lines but that can also access the Windows TCP/IP stack to send RST packets to the IP. This way, when someone is caught hacking, he's immediatly disconnected from the server.

 

[SmexyBoyR]

which log reader would be good to it ? or you mean build one self ?

 

[35hit]

i make pack my game.exe and now cant login to server...

 

[zaharavn]

Check your connection with CPort.... You check it has connect to server ?...

 

[SmexyBoyR]

Updated. added some information + CLSafe Protection.

 

[bobsobol]

which log reader would be good to it ? or you mean build one self ?

You can prototype pretty easily with tail and clean through with grep or even sed. That sounds like Linux? Yea, it's actually core POSIX tools from the Unix world, most non-Windows OS have them, because they are just to useful not to have.

To be more Windows-ish, more GUI and less command line scripting, I've used

You must be registered to see links

, but

You must be registered to see links

now has BareTail graphical versions. More classic Unix tail, grep and sed tools can be found in Windows binaries (no emulation, posix layer etc) from

You must be registered to see links

or

You must be registered to see links

When the only thing that shows in your log is stuff you want to ban, you can either continue to grep/sed till that log looks like a PeerBlock block list, and send the output to your PeerBlocker, or other firewall IP blacklist, or you can write an equivelant program in your preferred language. If you used grep, the regex expressions should be the same for most regex libraries, and almost every programming language has a regex library that uses / can use grep syntax.

I wouldn't share mine, as the only hacker on my LAN is me, and you have to be on my LAN to access my server(s). It would take someone with real world logs to have any idea what hacks actually happen, in the wild.

Some time ago, a thread was started where people posted "This line is a hacker {code}{/code}?" where others could say "Yes!", "No.", "Maybe, but only if..." etc. The trouble is that many custom items change the game so much that what is definitely a hack on one server, could just be a high level with uber gear on another.

Many people use some variant of DarkKnights PT-Protector, but it needs updating to handle modern attacks (as I understand it) and others use some form of Quantumfusions BASTERD program... the trouble with that is that he was "selling" it, so there is no source, and it can't be updated. I've also heard people trying to buy it from him recently, and failing to get any contact with him, so it seems to be pretty much closed source abandonware. : But both are excellent starting points if you don't feel up to programming, or scripting your own.

I say programming or scripting, because you can see that bash, or the Windows Command line (.bat / .cmd) files can do the tracing of hackers and if they can be linked to your firewall or SQL blackuser list, they will ban just fine. Perl, Python, PHP, AutoIT, AuthHK, Windows Script Host or Microsoft Power Shell etc should be better.

 

[35hit]

hi agot problems why he give me every time Memory Function Code Error random? like this Memory Function Code Error ( 723124800 )( 1 ) then i add code in server hotik log again and giv eme nother Memory Function Code Error ( -723124800 )( 2 ) and again i add this to hotuk i log ing ame got dc i chekc logs and see again nother Memory Function Code Error ( 723124800 )( 3 )?

Thanx

 

[bobsobol]

"Memory Function Code Error" is related to the code for that version client in FuncBox folder I believe... NOT the code in Hotuk.ini.

You should have a different memory checksum (set of them for different memory tables TBH) in FuncBox\ for each client version allowed to run on your server.

Server allows MinVersion - MaxVersion... lets say MinVersion is 1821 and MaxVersion is 1824... you should have checksum files for 1821.dat, 1821.dat, 1822.dat, 1823.dat and 1824.dat in FuncBox.

Each client will store slightly different tables in slightly different locations... thus their checksum will be different. It should still match the checksums stored in these data files, otherwise it looks like someone has modified the executable or the memory while the game is running.

 

[35hit]

i hawe only 2 1957 1995 in funcbox

he still give me dc in game i check logs he show me Memory Function Code Error XXXXXXXX (1) i add this code to server hotuk in *CLSAFE_CODE XXXXXX then i log again and dc again i check logs and see Memory Function Code Error XXXXXXXX (2) i again add this to server hotuk log in game dc again , i chekc again and see Memory Function Code Error XXXXXX (3) and same same ....

can tell me please why?

 

[bobsobol]

The question is not which FILES are in FuncBox... but what is in them, which Version(s) your clients are using, and what version range is set in the server hotuk?

That's one that should be on the list actually.

*VERSION		1955	1997

should allow clients of version 1.95.5, 1.95.6 and 1.95.7. Apparently none of your users have managed to get hold of client version 1.95.5 (which is a risk) otherwise there would be a 1996.dat in FuncBox. But if a player tries to log on with version 1.95.4 or 1.95.8 they will DC. You may only have *VERSION 1997 in which case version 1.95.6 is no longer a threat, and users with version 1.95.5 clients will DC too. You may have no *VERSION line at all... in which case there is no point in enabling any of these securities because all a hacker has to do is connect with 1509 or 1873 or anything but 1955 or 1957.

Anyway... if you change (hex or olly etc.) anything (anything in the checked tables... levels, items, mixes and ages IMS) in Game.exe without changing the version number your server will NOT accept that as an official unaltered client any more... the player DCs.

That's the point of the check. The VERY FIRST time a client connects with that version number, a new .dat file is made in FuncBox and it's functions are sealed forever... you must not edit the game.exe beyond that point, unless you change the version number again first, or delete the file for that version client from FuncBox.

To fix, then, change the version number in your client again, or delete the .dat file with that version number and immediately connect (IE before any dodgy players do) with a KNOWN GOOD client WITH THAT VERSION NUMBER.

I'm not talking about just changing the string that displays at start-up either, I'm talking about the actual checksum checked internal version number which the client transmits to the server with the rest of the checksums in those .dat files.

 

[35hit]

Thanx bob i will try and let u know

---------- Post added at 02:23 PM ---------- Previous post was at 01:33 PM ----------

ok i try and got dc when i make a client protection in themedia then i got dc every time :S

Fixit Thanx

 

[bobsobol]

"themedia" OMG!
I think you mean Themidia, which is a PUP (potentially unwanted program) which acts as professional and commercial spyware. It lives in several versions of nProtect, GameGuard and XTrap and is detected and blocked by AVG and Avaast (and probably others) preventing players of GunZ, PristonTale, FlyFF, CombatArms etc who use Themidia "infected" security systems from playing without disabling or creating an exception for those games.

Why are you running Themidia "infected" security on your client? The "Call home" information it sends to them is only retrievable if you have a legitimate account with Themidia themselves... that would suggest a non-private server. XD

 

[35hit]

yea bobi i know alredy it thanx anway

 

[tnrh1]

Add this to your guide:
You will never get the checksum error while using client side hotuk so you have to rename it or remove it before logging in.