Graal Forums  

  #16  
02-12-2010, 10:17 PM
scriptless
I normally stay AWAY from ganiscripts. Most people don't fully understand, ganis are downloaded from the server. If you have the gani it usually ignores it (or has in the past). And you can use scripts in ganis maliciously. I saw people do it on N-Pulse, UN, and gk. =/

Yah I really don't recommend doing it the way I showed but I was just showing an example of something that worked. o_o

It would be a lot easier if we could just use findplayer("player").clientr.value =/ but that doesn't work clientside. And I thought clientr. was readable by client and server?

  #17
02-12-2010, 10:23 PM
DustyPorViva
Quote:
Originally Posted by scriptless
I normally stay AWAY from ganiscripts. Most people don't fully understand, ganis are downloaded from the server. If you have the gani it usually ignores it (or has in the past). And you can use scripts in ganis maliciously. I saw people do it on N-Pulse, UN, and gk. =/

Yah I really don't recommend doing it the way I showed but I was just showing an example of something that worked. o_o

It would be a lot easier if we could just use findplayer("player").clientr.value =/ but that doesn't work clientside. And I thought clientr. was readable by client and server?
Err... what? Ganiscripts haven't been abused since they were first released. That was quickly patched up. Ganis with scripts downloaded don't even use the gani files, they use encrypted .code files.

If they were that dangerous, all you'd have to do is input ganiscript into any gani like idle or walk, and have it run. Whether or not you have a ganiscript has no bearing on how available the function is.

Also, client vars are readable by server/client, but it's not data sent to other players. Data shared between players is a very specific set of vars, as to not chew up a lot of bandwidth.

  #18
02-12-2010, 10:55 PM
scriptless
Quote:
If they were that dangerous, all you'd have to do is input ganiscript into any gani like idle or walk, and have it run. Whether or not you have a ganiscript has no bearing on how available the function is.
That is what I meant. Foogles showed me this a few years back. It seems to work for a very long time, so long that I was unaware it was even patched. And I assume the .code files are the .code files I see on my computer? Wonder how long it takes for someone to break the encryption :o Graal v2-5 have already had their packet encryption broken (several times).

Thanks for informing me on the client vars. So player.attr[] vars would be the best way? I was just wondering cuz if a noob opened a memory editing tool and changed their attr, would this effect show for all other players? Seems unfair if 1 player changes his size to 20+ and just stomps you to pieces.

  #19
02-12-2010, 11:03 PM
DustyPorViva
Quote:
Originally Posted by scriptless
That is what I meant. Foogles showed me this a few years back. It seems to work for a very long time, so long that I was unaware it was even patched. And I assume the .code files are the .code files I see on my computer? Wonder how long it takes for someone to break the encryption :o Graal v2-5 have already had their packet encryption broken (several times).

Thanks for informing me on the client vars. So player.attr[] vars would be the best way? I was just wondering cuz if a noob opened a memory editing tool and changed their attr, would this effect show for all other players? Seems unfair if 1 player changes his size to 20+ and just stomps you to pieces.
I doubt the encryption is the only form of security backing them up. It probably checks modification time as well.

As for player.attr[]'s, even if a hacker were to change the attr of another player it'd all be clientside. That means the only person who would see the change is the player doing the hacking. Also, there's a reason my system is not dependent on zoom. I use a separate, more secure (ideally, though I mainly leave that up to whomever uses it to implement) variables and zoom is only a visual representation. In fact, the zoom was the last thing I added.

  #20
02-12-2010, 11:41 PM
scriptless
Quote:
Originally Posted by DustyPorViva
I doubt the encryption is the only form of security backing them up. It probably checks modification time as well.

As for player.attr[]'s, even if a hacker were to change the attr of another player it'd all be clientside. That means the only person who would see the change is the player doing the hacking. Also, there's a reason my system is not dependent on zoom. I use a separate, more secure (ideally, though I mainly leave that up to whomever uses it to implement) variables and zoom is only a visual representation. In fact, the zoom was the last thing I added.
Correct me if I'm wrong but you set your clientr. variables twice on the oncreated() for serverside and clientside. I thought only client. variables could be set clientside, and clientr. was read-only on clientside.

This is all good information to know then. We should all hope that Graal checks other forms of security. Altho modification time would be useless as I can modify those dates from Borland Delphi 2005 (yes I use an outdated version).

Checksum of the files might work. Tho collisions are easy to generate now

  #21
02-12-2010, 11:44 PM
WhiteDragon
Quote:
Originally Posted by scriptless
Checksum of the files might work. Tho collisions are easy to generate now
I'd like to see you generate a collision on any random given file without a large array of GPUs and serious programming knowledge. Also, why in the world would anyone go to those lengths for Graal?

Also, sorry for derailing. :P

  #22
02-12-2010, 11:51 PM
coreys
Scriptless, I think you're over analyzing security a bit lol

  #23
02-13-2010, 12:39 AM
scriptless
Quote:
Originally Posted by WhiteDragon
I'd like to see you generate a collision on any random given file without a large array of GPUs and serious programming knowledge. Also, why in the world would anyone go to those lengths for Graal?

Also, sorry for derailing. :P
Sure? I recommend Google tho. There are freely available programs to do so. There is a good example (if you have source) to make 2 programs (1 good, and 1 malicious) and they both have the same file size, checksum, and whatnot but do completely different tasks. And this information was easily available in 2007 when I tested it. Work has been done with standards and I believe a new SHA algorithm is already in production to address the flaws in the current hashing algorithms.

Erm, I am not overanalysing security at all. I will fully admit, I am iwir3d. I have been playing Graal since 2002 and I have been responsible for several trainers being released. My best trainer I made allowed 2.220 and prior to go from offline mode to online mode and inject scripts onto a server. Here I will link you to some damage I did on GK back in 2005.

http://forums.graalonline.com/forums...light=bloodpet (pictures at bottom and top of 2nd page)

I have since then tried to move my abilities to more productive things but having this knowledge that allows me to do this helps me achieve a greater understanding on BOTH sides of scripting in the efforts for better security.

If you guys want you can do a full search on me.
Here are my other names I have gone by: mewtoo18, toybox, dbug, shadow_deathstorm, bloodpet, scriptless, nibnub. And I think that may be it. Oh and of course "iwir3d".

I once read in a book that you should never assume that a bug will not be exploited and you should never assume that any small bug does not escalate into an even bigger bug (as my unethical work has clearly shown).

*sorry for going off topic a little (needed to show how critical security can be).

  #24
02-13-2010, 03:49 AM
WhiteDragon
Quote:
Originally Posted by scriptless
There is a good example (if you have source) to make 2 programs (1 good, and 1 malicious) and they both have the same file size, checksum, and whatnot but do completely different tasks.
Sure, if you have the source you can compile the program down with junk data to match the MD5 checksum, but the point in this case is that would be entirely impossible with a format that is binary-encoded and can't be easily reverse-engineered.

The complexity of an MD5 collision is still 2^32, and with the added complexity of the format you are trying to engineer a hack into, I stand by my original statement.
Reply With Quote
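
An added example, not part of any post in the thread: the file-integrity point debated above (modification time versus checksum), shown in Python over a constructed cache file. The file name, contents and manifest layout are assumptions for illustration and say nothing about how Graal actually validates its .code files; SHA-256 is used because MD5 collisions are the concern raised in the thread.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def record(path):
    """Manifest entry (hypothetical layout): the file as it was when issued."""
    st = os.stat(path)
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns,
            "sha256": sha256_file(path)}


def mtime_check(path, entry):
    """Weak check: size and modification time only."""
    st = os.stat(path)
    return st.st_size == entry["size"] and st.st_mtime_ns == entry["mtime_ns"]


def digest_check(path, entry):
    """Content check: compare against the digest recorded in the manifest."""
    return hmac.compare_digest(sha256_file(path), entry["sha256"])


def demo():
    """Edit a constructed cache file, restore its timestamp, run both checks."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.code")   # constructed file name
        with open(path, "wb") as f:
            f.write(b"speed=1;size=1;")         # constructed content
        entry = record(path)
        # Same-length edit, then the original timestamps are put back.
        with open(path, "wb") as f:
            f.write(b"speed=9;size=9;")
        os.utime(path, ns=(entry["mtime_ns"], entry["mtime_ns"]))
        return mtime_check(path, entry), digest_check(path, entry)


if __name__ == "__main__":
    print(demo())
```

The digest comparison only helps when the manifest is held somewhere the person editing the file cannot rewrite it, such as on the server.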

All times are GMT +2.