Cheat Engine


Postby AnimalCrackerz on Fri May 18, 2018 1:34 pm

So as we all know, Cheat Engine has been floating around for a few years. Recently I have had issues with my PServer; it turns out it was Cheat Engine, with players being duped.
Screenshot_4.png
Here they enter the player they wish to dupe.

Screenshot_5.png
They enter the player name and it appears in their character list.

Screenshot_6.png
Here you see the player is now on the duped char.

Once logged in on the duped char they can take all the items and place them in their own storage.
I have tried to add code to pakDoIdentify in worldpackets.cpp on the world server, but I can't get the server to make a comparison between the account username and the character's account owner.
I am asking for help here to make a working fix for this cheat. I think it is something everyone would benefit from if we could do a working check so that the player is kicked and banned from the server on entry into the world server. Any help would be greatly appreciated.
AnimalCrackerz, Pomic
Posts: 101
Joined: Tue Apr 20, 2010 1:58 pm

Re: Cheat Engine

Postby PurpleYouko on Fri May 18, 2018 2:47 pm

I'm not quite catching what is happening here.
It looks like all that is happening is that your original character "ttttt" is being renamed to "stefan", since in the picture the original character no longer shows up in the list.
Is that simply because you didn't re-log yet?
If you did so then would you see both?

I don't know much about cheatengine but it appears that it's just modifying local memory locations to make any reference of "tttttt" appear as "stefan". If that's the case then on the server you are still logged into "ttttt" and the character "stefan" doesn't exist.
What I would like to know is how cheating the client can cause a duplicate entry of the entire character in all of the database tables in the server that are referenced in loading and saving the character.

Do other players see this cheated name? The only time the server accepts a new character name is during character creation. After that point the client never sends a packet containing the character name. It only sends client-id which is assigned at the server when you log in. If other players DO see it then it means that somehow you managed to trick the character creation code in the char server.

Have you tried recording all the packets going back and forth during the cheating process?
The hack has to be done via packets unless your cheat engine has some way to connect directly to the server. If it's doing that then we have bigger problems than adding code into do-identify.

One Possible way to deal with something like this would be to have a second character database connected to your server and have a program loop that compares the two at regular intervals and automatically rolls back unauthorized changes. Still a logistical challenge but definitely do-able.

I guess my biggest problem here is that I don't see exactly what mechanism this cheat engine is using.
Once I know precisely what that is then stopping it becomes a lot easier.
Need to lookup information on NARose items, skills, quests?
Now featuring a newly completed skill tree for all classes
Formatting fixed for different resolutions

"A Gazelle is nothing but a giraffe plotted logarithmically"

PurpleYouko, Rose Guru
Posts: 4599
Joined: Fri Aug 10, 2007 2:05 pm

Re: Cheat Engine

Postby AnimalCrackerz on Fri May 18, 2018 3:08 pm

Greatly appreciated, I will make a short video. But what is happening in the cheat engine: you open the client to character select, then choose or create a character with the same number of letters as the character on another player's account. So here I don't have a char stefan; it is actually on another account. The cheat engine changes the char tttttt to stefan and voila! YOU log in on another player's char. I hoped that you would see on the server that it shows a log message I entered into the code, showing that it logs the account owner (Animal), and the next is from the character table showing the account owner (stefan), which is the actual true account owner of the char.
Screenshot_7.png
Here is the log message I created to compare account table vs character table owners.
AnimalCrackerz, Pomic
Posts: 101
Joined: Tue Apr 20, 2010 1:58 pm

Re: Cheat Engine

Postby Raven0123 on Fri May 18, 2018 3:16 pm

AnimalCrackerz wrote: Greatly appreciated, I will make a short video. But what is happening in the cheat engine: you open the client to character select, then choose or create a character with the same number of letters as the character on another player's account. So here I don't have a char stefan; it is actually on another account. The cheat engine changes the char tttttt to stefan and voila! YOU log in on another player's char. I hoped that you would see on the server that it shows a log message I entered into the code, showing that it logs the account owner (Animal), and the next is from the character table showing the account owner (stefan), which is the actual true account owner of the char.
Screenshot_7.png


What it looks like is happening is that the server isn't actually checking whether what the client is sending makes sense.

From my knowledge of rose and cheat engine, changing the character name to another name would make the client tell the server you actually selected that character. But if you are saying you can change it to one you don't own, that's just a server check you should make.

EDIT: Just saw what Purple said about the client id and that would make sense. I need to look at the code again.

EDIT 2: Looked at your screenshots again. That's just wrong. 100% looks like an issue where the server is just checking the player name and not using the character ID sent. And yes I looked at the client code and it does send the character name on selecting the character.
Raven0123, osiRose dev
Posts: 375
Joined: Tue Sep 11, 2007 11:06 pm
Location: USA, NJ

Re: Cheat Engine

Postby Raven0123 on Fri May 18, 2018 3:32 pm

So without your source code, right before this line in the character server

https://github.com/osROSE/osrose/blob/m ... s.cpp#L160

You need to either pull out the character ID and query the DB for the character name based on that vs your username, or query the DB to make sure your account owns that character.

EDIT:
Put this code right before the log on line 159:
https://github.com/osROSE/osrose/blob/m ... s.cpp#L159

    // The selected character must exist AND belong to the account that logged in.
    result = DB->QStore("SELECT * FROM characters WHERE account_name='%s' and char_name='%s'", thisclient->username, thisclient->charname);
    if(result==NULL) return false; // Something happened when querying the db
    if(mysql_num_rows( result ) != 1)
    {
        //PLAYER SPOOFED THE CHARACTER NAME BAN HIM!!!!!!!!
        Log( MSG_ERROR, "User %s(%i) selected char '%s' which isn't owned by them!", thisclient->username, thisclient->userid, thisclient->charname);
        DB->QFree( );
        return false;
    }
    DB->QFree( );


EDIT 2: what this code should really do is instead of using the character name, it should instead use the character ID and pull the name from the DB.

The first byte (sizeof(header) + 0) of the packet data has the character ID that the player selected.
Raven0123, osiRose dev
Posts: 375
Joined: Tue Sep 11, 2007 11:06 pm
Location: USA, NJ

Re: Cheat Engine

Postby PurpleYouko on Fri May 18, 2018 4:01 pm

So I'm looking at the evo client source and seeing this (137 source):

    void CSendPACKET::Send_cli_JOIN_SERVER_REQ (DWORD dwLSVID, bool bWorldServer)
    {
    #ifdef  __VIRTUAL_SERVER
        _ASSERT( 0 );
    #else
        m_pSendPacket->m_HEADER.m_wType = CLI_JOIN_SERVER_REQ;
        m_pSendPacket->m_HEADER.m_nSize = sizeof( cli_JOIN_SERVER_REQ );
        m_pSendPacket->m_cli_JOIN_SERVER_REQ.m_dwID = dwLSVID;

    #ifdef __AUTOLOGIN
        if( g_GameDATA.m_dwSeq && g_GameDATA.m_szSessionKey )
            ::CopyMemory( m_pSendPacket->m_cli_JOIN_SERVER_REQ.m_MD5Password, g_GameDATA.m_PasswordMD5, sizeof(BYTE)*32);
        else
            ::CopyMemory( m_pSendPacket->m_cli_JOIN_SERVER_REQ.m_MD5Password, m_pMD5Buff, sizeof(BYTE)*32);
    #else
        ::CopyMemory( m_pSendPacket->m_cli_JOIN_SERVER_REQ.m_MD5Password, m_pMD5Buff, sizeof(BYTE)*32);
    #endif
    #endif

        this->Send_PACKET( m_pSendPacket, bWorldServer );
    }

Basically it's sending a 0x70B packet containing the client ID as a DWORD followed by the password as an MD5 hash.
It's not sending the character name at all in this code.

The charserver receives this packet in pakDoIdentify (from the RoseZA evo client):

    bool CCharServer::pakDoIdentify( CCharClient* thisclient, CPacket* P )
    {
        if (thisclient->isLoggedIn) return false;
        MYSQL_RES *result;
        MYSQL_ROW row;
        thisclient->userid = GETDWORD((*P), 0x00);
        memcpy( thisclient->password, &P->Buffer[4], 32 );

        //LMA: checking is password is ok.
        if(!CheckEscapeMySQL(thisclient->password,33,true))
        {
            Log(MSG_WARNING,"A password contains incorrect caracters or is too long (see warnings above)");
            return false;
        }

        result = DB->QStore("SELECT username,lastsvr,accesslevel,platinum FROM accounts WHERE id=%i AND password='%s'", thisclient->userid, thisclient->password);
        if(result==NULL) return false;
        if (mysql_num_rows( result ) != 1)
        {
            Log( MSG_HACK, "Someone tried to connect to char server with an invalid account" );
            DB->QFree( );
            return false;
        }
        else
        {
            row = mysql_fetch_row(result);
            strncpy(thisclient->username, row[0],16);
            thisclient->channel = atoi(row[1]);
            thisclient->accesslevel = atoi(row[2]);
            thisclient->platinum = atoi(row[3]);
            DB->QFree( );

            if(!CheckEscapeMySQL(thisclient->username,-1,true))
            {
                Log(MSG_WARNING,"A username contains incorrect caracters (see warnings above)");
                return false;
            }

        }
        // (remainder of the function not quoted in the post)
    }

This code is only reading in the client ID and password.
The character name is being loaded in from the database.

It seems as if this code is already doing it the right way, or am I missing something?
PurpleYouko, Rose Guru
Posts: 4599
Joined: Fri Aug 10, 2007 2:05 pm

Re: Cheat Engine

Postby AnimalCrackerz on Fri May 18, 2018 4:04 pm

TY! Thanks Raven, the snippet you shared seems to work at initial testing. I will implement it on my PServer for further testing by the wallies that keep trying to hack/dupe on my server.
Screenshot_8.png
Here you see the error message that you created, and it dc'd the client, or rather left them perpetually waiting.

Thanks for this quick fix. Going to try to add a line to it which will change the account access level to 0 so that they are banned when they try to relog. Thanks for sharing; I am sure any server owner out there that experiences player duping and subsequent server crashes from this cheat engine will be thankful for this snippet as well!
Last edited by AnimalCrackerz on Fri May 18, 2018 4:10 pm, edited 1 time in total.
AnimalCrackerz, Pomic
Posts: 101
Joined: Tue Apr 20, 2010 1:58 pm

Re: Cheat Engine

Postby Raven0123 on Fri May 18, 2018 4:06 pm

It's not in the join server request. It's in CCharServer::pakRequestWorld, packet 0x715. In the client source it's in https://github.com/PurpleYouko/Wibble_W ... T.cpp#L258

    void CSendPACKET::Send_cli_SELECT_CHAR (BYTE btCharNO, char *szCharName)
    {
    #ifdef  __VIRTUAL_SERVER
        _ASSERT( 0 );
    #else
        m_pSendPacket->m_HEADER.m_wType = CLI_SELECT_CHAR;
        m_pSendPacket->m_HEADER.m_nSize = sizeof( cli_SELECT_CHAR );
        m_pSendPacket->m_cli_SELECT_CHAR.m_btCharNO = btCharNO;
        Packet_AppendString (m_pSendPacket, szCharName);
    #endif
        this->Send_PACKET( m_pSendPacket, true );
    }
Raven0123, osiRose dev
Posts: 375
Joined: Tue Sep 11, 2007 11:06 pm
Location: USA, NJ
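The two Raven posts above describe the whole problem: the 0x715 select-char body carries a slot number (m_btCharNO) followed by a client-supplied name, and a server that resolves the character by that name alone will hand out anyone's character to a client that patched its local string. The following C++ is an added example, not code from the osRose project or from any poster. It parses the body the way Send_cli_SELECT_CHAR lays it out, shows the name-only lookup beside an ownership check that resolves by (account, slot) and treats a disagreeing name as a spoof, as Raven's EDIT 2 suggests. The in-memory character table, the struct names and the function names (buildSelectChar, parseSelectChar, selectByNameOnly, authoriseSelect) are assumptions standing in for the project's MySQL `characters` table and pakRequestWorld; the sample records are constructed.

```cpp
// Added example, not osRose code: authorise a CLI_SELECT_CHAR (0x715) request
// server-side. Body layout follows Send_cli_SELECT_CHAR in the client source:
// byte 0 = m_btCharNO (slot), then the NUL-terminated character name.
// The in-memory table, struct and function names are assumptions standing in
// for the project's MySQL `characters` table and pakRequestWorld.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iostream>
#include <optional>
#include <string>
#include <vector>

struct CharRecord {
    int account_id;      // owner, fixed by the server at character creation
    uint8_t slot;        // slot within that account (what m_btCharNO indexes)
    std::string name;
};

// Constructed sample data: account 1 owns "tttttt", account 2 owns "stefan".
static const std::vector<CharRecord> kCharacters = {
    {1, 0, "tttttt"},
    {2, 0, "stefan"},
};

struct SelectCharReq {
    uint8_t slot = 0;
    std::string name;
};

// Client-side builder (what Packet_AppendString produces); used to construct inputs.
std::vector<uint8_t> buildSelectChar(uint8_t slot, const std::string& name) {
    std::vector<uint8_t> body;
    body.push_back(slot);
    body.insert(body.end(), name.begin(), name.end());
    body.push_back(0);
    return body;
}

// Server-side parser. Rejects truncated bodies, unterminated strings and
// names longer than the 16 bytes the server stores for a name.
std::optional<SelectCharReq> parseSelectChar(const uint8_t* body, size_t len) {
    if (len < 2) return std::nullopt;
    const void* nul = std::memchr(body + 1, 0, len - 1);
    if (nul == nullptr) return std::nullopt;
    SelectCharReq req;
    req.slot = body[0];
    req.name.assign(reinterpret_cast<const char*>(body + 1),
                    static_cast<const uint8_t*>(nul) - (body + 1));
    if (req.name.empty() || req.name.size() > 16) return std::nullopt;
    return req;
}

// Vulnerable behaviour described in the thread: the character is looked up by
// the client-supplied name alone, so a patched local entry selects anyone's char.
std::optional<std::string> selectByNameOnly(const SelectCharReq& req) {
    for (const auto& c : kCharacters)
        if (c.name == req.name) return c.name;
    return std::nullopt;
}

enum class Verdict { Accept, Reject, Ban };

// Hardened behaviour: resolve the character by (account, slot), both of which
// the server already knows, and treat a name that disagrees with the stored
// one as a spoof attempt. `chosen` receives the authoritative name on Accept.
Verdict authoriseSelect(int account_id, const SelectCharReq& req, std::string* chosen) {
    for (const auto& c : kCharacters) {
        if (c.account_id != account_id || c.slot != req.slot) continue;
        if (c.name != req.name) return Verdict::Ban;   // owned slot, lied about the name
        *chosen = c.name;                               // never echo the client's string
        return Verdict::Accept;
    }
    return Verdict::Reject;                             // no such slot on this account
}

int main() {
    // Account 1 (owner of "tttttt") sends slot 0 with the name patched to "stefan".
    std::vector<uint8_t> body = buildSelectChar(0, "stefan");
    std::optional<SelectCharReq> req = parseSelectChar(body.data(), body.size());
    if (!req) return 1;
    std::optional<std::string> weak = selectByNameOnly(*req);
    std::cout << "name-only lookup selects: " << (weak ? *weak : "(none)") << "\n";
    std::string chosen;
    Verdict v = authoriseSelect(1, *req, &chosen);
    std::cout << "ownership check: "
              << (v == Verdict::Ban ? "BAN" : v == Verdict::Accept ? "ACCEPT" : "REJECT") << "\n";
    return 0;
}
```

The Reject/Ban split matters for the ban-on-relog idea raised later in the thread: an unknown slot can be an ordinary client bug, but a slot the account owns whose name does not match what the server stored can only come from a client that altered the name, which is exactly the case to log and act on. One caveat before auto-banning on a name mismatch: if the server ever renames characters (GM tooling, name resets), a client holding a stale character list would hit the same branch, so the rename path should refresh the client's list or the check should key on slot alone and log the mismatch.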

Re: Cheat Engine

Postby PurpleYouko on Fri May 18, 2018 4:22 pm

Ahh I see.

So it's not actually the login that's at fault.
It has already accepted the client ID and password to select the first character "ttttt".

Now it sends that character off to the worldserver with the modified name.
PurpleYouko, Rose Guru
Posts: 4599
Joined: Fri Aug 10, 2007 2:05 pm

Re: Cheat Engine

Postby AnimalCrackerz on Fri May 18, 2018 4:28 pm

Yes! That's why I wanted to try to do it at pakDoIdentify, but this seems to work. I am having issues now with the char server freezing after the dupe; I try to log in after on different clients/accounts and the char server doesn't load. It seems to freeze after. :P

EDIT: OK, seems to work now; it might just have been the cheat engine glitching my client.
Anyway, I made a short vid of the process and fix in action:
https://youtu.be/p3xYMuCZ9U4
Last edited by AnimalCrackerz on Fri May 18, 2018 4:40 pm, edited 1 time in total.
AnimalCrackerz, Pomic
Posts: 101
Joined: Tue Apr 20, 2010 1:58 pm
