Gift Script: Trainer Protection System

[Gambet]

Well, seeing as how the folks down at the new Graal hacking site (which I won't mention the name nor the URL) have been releasing their trainers publically, so I figure the Graal developers should make some trainer protection public as well, for every server to be able to use to work on and implement into their own protection systems against players that only wish to cheat in this game and make things hard on the staff and players. I took the liberty of coding this system both in GS1 and GS2, for both the servers that are GS2 enabled and those that are not.

NOTE: I can only post once every 8 hours, so if anything, look back at this post for any edits that I make have for replies to anyones comments. Any notes of improvement and so forth would be appreciated, seeing as how this is something for everyone to be able to derive and hopefully make their servers as trainer-proof as possible

NOTE #2: Special thanks to Liren for helping me debug some checks to make sure that the protection wouldn't call you a hacker if you weren't actually hacking (I.E using trainers).

NOTE #3: This will protect against any and all types of trainers that deal with warping the player from one spot to another, so as long as that spot involves warping the player to a spot inside the current level of that player.




GS1 Version:

PHP Code:

// NPC made by Gambet
if ( actionserverside ) {
 if ( !strequals( #p(0),triggered ) {
   sendtorc [Trainer Protection] #a is attempting to bypass the triggeraction for the trainer protection NPC!;
 } else {
   sendtorc [Trainer Protection] #a is using a postion-warping trainer!;
   //You can insert auto-jail functions here and before the else statement.
   //Also note that the above sendtorcs may spam RC, so you would want to
   //either add an auto-jail function, auto-ban function, auto-dc function,
   //or simply a check so that it doesn't spam RC multiple times. I'll leave
   //that part up to you since it's very simple, and it really depends on
   //how your server works.
  }
}
//#CLIENTSIDE
if ( created ) {
  timeout = 0.05;
}
if ( playerenters ) {
  setstring this.lastplayerx,#v(playerx);
  setstring this.lastplayery,#v(playery);
  setstring this.playerx,#v(playerx);
  setstring this.playery,#v(playery);
}
if ( timeout ) {
  if ( !strequals( #s(this.playerx),#v(playerx) ) || !strequals( #s(this.playery),#v(playery) ) ) {
    setstring this.lastplayerx,#s(this.playerx);
    setstring this.lastplayery,#s(this.playery);
    setstring this.playerx,#v(playerx);
    setstring this.playery,#v(playery);
  }
  if ( strtofloat( #s(this.lastplayerx) ) + 3 <= strtofloat( #s(this.playerx) ) || strtofloat( #s(this.lastplayery) ) + 3 <= strtofloat( #s(this.playery) ) ) {
    triggeraction 0,0,serverside,WEAPONNAME,triggered;
  }
  timeout = 0.05;
} 


GS2 Version:

PHP Code:

// NPC made by Gambet
function onActionServerSide()
{
 if ( params[0] != triggered ) {
  sendtorc( "[Trainer Protection] " @ player.account @ " is attempting to bypass the triggeraction for the trainer protection NPC!" ); 
 } else {
   sendtorc( "[Trainer Protection] " @ player.account @ " is using a postion-warping trainer!" );
   //You can insert auto-jail functions here and before the else statement.
   //Also note that the above sendtorcs may spam RC, so you would want to
   //either add an auto-jail function, auto-ban function, auto-dc function,
   //or simply a check so that it doesn't spam RC multiple times. I'll leave
   //that part up to you since it's very simple, and it really depends on
   //how your server works.
  }
}
//#CLIENTSIDE
function onCreated()
{
 setTimer(0.05);
}
function onPlayerEnters()
{
  this.lastplayerx = this.playerx;
  this.lastplayery = this.playery;
  this.playerx = player.x;
  this.playery = player.y;
}
function onTimeout()
{
 if ( this.playerx != player.x || this.playery != player.y ) {
  this.lastplayerx = this.playerx;
  this.lastplayery = this.playery;
  this.playerx = player.x;
  this.playery = player.y;
 }
 if ( this.lastplayerx + 3 <= this.playerx || this.lastplayery + 3 <= this.playery ) {
  triggeraction( 0, 0, "serverside", name, "triggered" );
 }
 setTimer(0.05);
} 


Feel free to use the above code as you please. The more protection that is implemented to the servers on Graal, the more fun the players can have while playing, without having to worry about hackers and trainer users.


Final NOTE: The above detection system will detect also when staff warp around the level or if any server has any teleporting spells/npcs which allow the player to go from one spot in the level to the next. For the staff warping problem, I would suggest setting up an array containing staff guilds and/or staff accounts in which this system will disregard and won't call them a hacker for warping around. For the special spells/npcs problem, I would suggest editing them to fit this system, so as to not have players get in trouble for trainer using, when in fact they did not.


Enjoy.

[Skrobo2]

The trainer has the player hold down the control key before clicking. You could do a check to see if that key is pressed so it's not as easy to set off.

[Chris]

Quote:

Originally Posted by Skrobo2

The trainer has the player hold down the control key before clicking. You could do a check to see if that key is pressed so it's not as easy to set off.

And if there is a dramatic change in xy coordinates.

[Gambet]

Quote:

Originally Posted by Skrobo2

The trainer has the player hold down the control key before clicking. You could do a check to see if that key is pressed so it's not as easy to set off.

My system records your current coordinates and your previous coordinates and then goes about comparing them. If you moved more than three tiles from your previous coordinates (since each time you move, you only move +0.5 x/y, so 3 would be a nice number. Of course, you could change the 3 to whatever number you'd like), then it will assume you are using a trainer.

This system would protect against any type of warping trainer, so you don't need to use any mousedown methods for click warpers, since my system will protect against that. I wanted to make a system that would ultimately protect against any type of warping trainer, without the need of creating a bunch of different methods for a mouse warper, then a bunch of different methods for an x/y warper, and so forth. This is more of an all-in-one type of system.

If you restrict the detection based on a keydown method, then that will only protect against the mouse warping trainer, and thus, you would have to add a different system for x/y warping. Really, all you need to do is check to see how many coordinates the player has moved, and if it exceeds your allowed amount, then they would be using a trainer to have moved so far, thus, you could implement auto-jail / auto-ban / auto-dc methods so that they are automatically punished for using such trainers.


Keep in mind, I made this system so that any trainer that is designed to warp you from one spot to another (so as long as the designated spot of warp is inside the current level) would be detected, thus, would protect against any future trainers that do this, and would also protect against any changes in the key-combination that a trainer may have. This is more universal.

[ZeLpH_MyStiK]

Quote:

Originally Posted by Skrobo2

The trainer has the player hold down the control key before clicking. You could do a check to see if that key is pressed so it's not as easy to set off.

Some people have the source, and have been modifying the keys to shift key and etc.

[Chris]

Also Sky. You should just log everything dealing with the detections. You will miss a few accounts if you don't. Plus it is proof of the activity. Gets the players to shut up when they lie to you and you have proof.

[Angel_Light]

Thank-you Gambet! ^o^

[Gambet]

Quote:

Originally Posted by Chris

Also Sky. You should just log everything dealing with the detections. You will miss a few accounts if you don't. Plus it is proof of the activity. Gets the players to shut up when they lie to you and you have proof.

Yes, we keep logs on Maloria. But, nonetheless, you wouldn't miss any accounts if you have an automatic punishment system implemented for those that trigger the trainer protection. I released this public system as a basic blueprint, in which you could modify as you'd like to fit your server.

Quote:

Originally Posted by Angel_Light

Thank-you Gambet! ^o^

You're welcome. I hope this will encourage servers to try new things to better their security!


EDIT (To Omini's post right below this one): Yes, it's player.account, not #a. Sorry about that, I must have not noticed that I used #a in the GS2 version. Thanks for pointing that out, I edited my first post with a fix.

[Omini]

GS2 version of #a is player.account

PHP Code:

sendtorc( "[Trainer Protection] " @ " #a is attempting to bypass the triggeraction for the trainer protection NPC!" ); 


would be

PHP Code:

sendtorc( "[Trainer Protection] " @player.account@ " is attempting to bypass the triggeraction for the trainer protection NPC!" ); 


Unless I'm mistaken?

[Divided]

have fun spamming rc with people lagging?

[KuJi]

warpto 30 30

BANNT

[100Zero100]

Gambet, I hope you excuse me for correcting you, as I don't mean to be a jackass, but there are several things in your script I would like to inform you on for a stronger detection system in the future.

1. Don't use setstring whatever,#v(playerx); then a strequals() later. In artmoney, a person could easily edit out "setstring" (or better yet, strequals()) with a VERY LITTLE impact in the gameplay. Keep in mind, in Artmoney you can edit any command you want to break it. Therefore, if you edit "strequals" or "setstring" they no longer work. However, if you do variables (this.playerx=player; this.lastplayerx=this.playerx; whatever) then just do assignment checks (this.playerx==this.lastplayerx or whatever) it's much harder to get rid of by highly ordinary measures. In artmoney you can't really edit out "=", which is why. Then again, the whole method fails if they edit "timeout" but imagine other NPCs that would break, hackers would have no fun on the server in such a scenario anyway.

2. Your movement check is flawed. This is addressed in a graal hacker's thread, as well. Look:

NPC Code:

---

strtofloat( #s(this.lastplayerx) ) + 3 <= strtofloat( #s(this.playerx) )

---

A: I was on 30 30 (my lastplayerx = 30).
B: I hack and move 10 tiles to the left (my playerx = 20)
C: 30 + 3 <= 20? Certainly not.

This means that, even with your system, people can move up and to the left freely as many tiles as they choose. You're checking it poorly, you COULD use absolute values (I say could because there's an even better method).

Also, forgive me, I'm going to put this in shorthand. I'm not typing out strtofloat(#s()) over and over, or even this, but you'll still understand what I'm typing.

NPC Code:

---

if (abs(lastplayerx-playerx) >=3)

---

A: I'm on 30 30 (my lastplayerx = 30)
B: I hack 10 tiles left (my playerx = 20)
C: abs(30-20) >= 3 <-- True. The detection system would pick up on it where yours wouldn't.

For the next matter of business, someone can move 2.999999 tiles right and 2.99999999 tiles down simultaneously and not be picked up, diagonally, they moved ABOUT 3*2^.5 tiles. That is CERTAINLY more than 3 tiles man.

However, to fix this we could use an even BETTER check that takes into account negative distances AND diagonal movements. You would also need only one check instead of two with an || in between or using a for ().

NPC Code:

---

(((strtofloat(#s(this.lastplayerx))-strtofloat(#s(this.playerx)))^2+(strtofloat(#s(thi  s.lastplayery))-strtofloat(#s(this.playery)))^2)^.5>=3)

---

A: I am on the 30 30 (lastplayerx = 30)
B: I move 10 tiles left (playerx = 20)
C: Below-

((30-20)^2+(30-30)^2)^.5
Breaks down to:

((10)^2+(0)^2)^.5
Breaks down to:

(100+0)^.5
Breaks down to

100^.5 -> 10

10 is most certainly greater than or equal to 3, therefore it works perfectly.

To test diagonals, you would do this:

A: I am on the 30 30 (lastplayerx = 30)
B: I move 2.5 tiles left (playerx = 27.5) and 2.5 tiles up (playerx = 27.5)
C: Below-

((30-27.5)^2+(30-27.5)^2)^.5
Breaks down to:

((2.5)^2+(2.5)^2)^.5
Breaks down to:

(6.25+6.25)^.5
Breaks down to

13^.5 -> 3.605.... (neverending)

Is 3.605 greater than or equal to 3? YES. They moves 2.5 tiles up and 2.5 tiles right, and your system wouldn't have detected them, but in reality they moved 3.605 tiles diagonally.

Final point:

This is your code slightly enhanced:

NPC Code:

---

//#CLIENTSIDE

if (created) {

 Assign();

 timeout = 0.05;

}

if (playerenters) {

 Assign();

}

if (timeout) {

 if (((this.lastplayerx-playerx)^2+(this.lastplayery-playery)^2)^.5 >= 3) {

  triggeraction 0,0,serverside,WEAPONNAME,triggered;

 }

 Assign();

 timeout = 0.05;

}

function Assign() {

 if (((this.lastplayerx-playerx)^2+(this.lastplayery-playery)^2)^.5 != 0) {

  this.lastplayerx = playerx;

  this.lastplayery = playery;

 }

}

---

You didn't need a this.playerx-- playerx works just fine if you do it in the right sequence. You also should have done the pythagorean theorem, and since you are assigning similar code so much I just made it a function. I hope that helps a little.

Ah and I almost forgot, the conversion to GS2 is very simple.

NPC Code:

---

//#CLIENTSIDE

function onCreated() {

 Assign();

 setTimer(0.05);

}

function onPlayerEnters() {

 Assign();

}

function onTimeOut() {

 if (((this.lastplayerx-player.x)^2+(this.lastplayery-player.y)^2)^.5 >= 3) {

  triggeraction(0,0,"serverside",WEAPONNAME,"trigger  ed");

 }

 Assign();

 setTimer(0.05);

}

function Assign() {

 if (((this.lastplayerx-player.x)^2+(this.lastplayery-player.y)^2)^.5 != 0) {

  this.lastplayerx = player.x;

  this.lastplayery = player.y;

 }

}

---

I hope that helps anybody.

[Gambet]

Quote:

Originally Posted by 100Zero100

Stuff

Yes, I made a simple mistake. Take note that I made this at 2 am, so I was half asleep. I was thinking of movement at the time, not about coordinates in the sense that you could move negative coordinates. I only added protection against positive coordinate movement, thus only positive coordinate movement would be detected. Of course, correcting this problem is far from difficult. You didn't need to break everything down, though I thank you for that may help others, but you just needed to remind me that you could move negative coordinates and I would've noticed what you meant . Anyways, I'll correct my original post shortly.


Well, it doesn't let me edit the original post anymore, but you can view the post above for just about the same update I was going to make, except I was going to use a different calculation method.

[killerogue]

Isn't that NaS?

[Rick]

Quote:

Originally Posted by 100Zero100

1. Don't use setstring whatever,#v(playerx); then a strequals() later. In artmoney, a person could easily edit out "setstring" (or better yet, strequals()) with a VERY LITTLE impact in the gameplay.

Not anymore with GS2-only servers.

[100Zero100]

Quote:

Originally Posted by Rick

Not anymore with GS2-only servers.

Even with GS2 servers you should stick with assigning strings and not using "setstring(,)" - but on GS2 servers strings and variables are both assigned, and if you're talking about that I don't even understand your reasoning in mentioning it, because the value should be held as a float anyway.

Yes, Killerrogue, I am NaS.

Also, Gambet, I know what you meant to do, and the fix would be as simple as using abs(). However that still doesn't account for diagonal distance movements and the script would have really long lines with ||'s in them, the pythagorean theorem makes it a cool cat.

[excaliber7388]

I have a similar system on Dark Rival, however it has a larger range, and counts how many times they warp, that way it wouldn't be just one level that does it. I like the idea of checking the parameters, I will add that to mine.

[Malinko]

New trainer protection, won't be needed.

Thanks to all who reported faults in the old system. I think Maniaman is probably the one to thank most of all, since he did a lot of protection on Maloria.

[xAndrewx]

Nas pretty much cleared up the mistakes, Malinko o-o

[Rick]

Quote:

Originally Posted by 100Zero100

and if you're talking about that I don't even understand your reasoning in mentioning it,

GS2 scripts are compiled, so there are no scripts to edit text out of in memory.

[Gambet]

Quote:

Originally Posted by Malinko

Thanks to all who reported faults in the old system. I think Maniaman is probably the one to thank most of all, since he did a lot of protection on Maloria.

Mania did what?

You might want to check your sources >_>

[Twinny]

Can get annoying when people use horses / skateboards / other speed enhancers. Hackers could use these NPC's with trainers to enhance speed and such

[KuJi]

Quote:

Originally Posted by Twinny

Can get annoying when people use horses / skateboards / other speed enhancers. Hackers could use these NPC's with trainers to enhance speed and such

I walked out on the gmap and I got jailed on my own server ;(

[calani]

Quote:

Originally Posted by Malinko

Thanks to all who reported faults in the old system. I think Maniaman is probably the one to thank most of all, since he did a lot of protection on Maloria.

Like delete the anti-hack script I wrote to patch one of the biggest holes in the server? hmmm


Anyways, we're getting off topic.
Speed-enhancing scripts arne't that hard to secure.
check the movement speed every few seconds serverside to make sure nothing was edited - could even add a required trigger like on my prison control: if inmates don't send a trigger to the DB once every 8 seconds (sent every 2) it warns them for triggerhacking and increases their jailtime by 10% or so. 10% every 8 sec adds up quickly too. anyway, you could add something like that to your skateboard (seems a bit much, but hey) and if their trigger ticktime expires, disable the skateboard (possibly remove it after three infractions?)
you get the idea.

making your scripts mess with hackers is fun

[100Zero100]

Quote:

Originally Posted by Malinko

New trainer protection, won't be needed.

Thanks to all who reported faults in the old system. I think Maniaman is probably the one to thank most of all, since he did a lot of protection on Maloria.

Lol let me just point something out to you, Malinko, and quite possibly some others (ones like you who said G4 was unhackable, basically).

G4 wasn't unhackable.
G4 isn't unhackable.
G4 will not be unhackable.

How many people coded G4? I bet you could give me a number and I bet it would be lucky to be >=10.

How many people coded WoW, Rakion/GB, Diablo II, WC3, Ragnarok Online, etc? Hundreds, hundreds of professional coders worked their asses off. Hell, hundreds of professional coders spend years making codes for THE PURE PURPOSE of anti-hacking. GameGuard? nProtect? Exactly, MANY coders worked for YEARS to make nothing BUT a hacker-protection system.

Yet, these games always get hacked anyway. How so? It's so because it's literally IMPOSSIBLE for something to be unhackable.

I dislike this new attitude people are starting to have, that new Graal4 or new GS2 are unhackable. They aren't and they never will be. There are more people who are more talented pouring more time into the same thing and failing.

Quote:

Originally Posted by Calani

if inmates don't send a trigger to the DB once every 8 seconds (sent every 2) it warns them for triggerhacking and increases their jailtime by 10% or so.

So basically if someone reconnected the first second of this 8 second interval, took 6 seconds to reconnect, and came back during the 7th second of the 8 second duration, the server would have never picked up their trigger and therefore they would get +10% time? Sounds like you're taking chances, there are better ways to prevent the edit of triggeraction.

For example, just do a triggeraction when the player logs on, do it in an NPC that does if (created) {}. The Control-NPC can check if (actionplayeronline) { and call a weapon on that player. The weapon would give them X seconds for the trigger to be submitted and then it would check if they're still online (Call the player, set a var, if the var wasn't set they've logged off). If the player IS online and no trigger was received, the player edited trigger (or has >= X*1000 ping). Also, if the player reconnects, the actionplayeronline will re-set their timeout to 10, and therefore will not be unfairly detected (although they wouldn't be detected anyway, considering it's initiating on created, and all of the scripts would have taken place in under .1 seconds anyway-- it takes more than .1 seconds for your screen to fully show, let alone reconnect).

This also works more effectively than your check because it's placed on ALL players, not just ones in jail, but doesn't need an annoying constant timeout of 8 and triggers being sent every 2 seconds.

[calani]

If the player is offline, the script doesn't require a trigger - when the player logs on, it sets their ticktime to 8 sec, if they miss the trigger, it warns them - if the player is offline, the warn doesn't go through.

I've already accounted for everything that you've suggested.

Anyways, that is off-topic.


Quite often when there is more than one person working on a project, the different pieces don't mesh together properly and don't work quite as well as either person intended - you'd know this if you were ever part of a large development team.
One person working on everything is usually the best way to go as far as making sure everything works properly - though a team is best for having additional idea of how to do things better.
Its amazing, you're both right and wrong at the same time.

[ApothiX]

Quote:

Originally Posted by Gambet

Yes, I made a simple mistake. Take note that I made this at 2 am, so I was half asleep.

Don't use that as an excuse. Especially if you are releasing scripts that you want people to use for the security of their servers.


And NaS, you really have no place to be talking about the efficient way of doing things. Last I recall, when we were converting UN to gscript2 you were doing **** like initializing arrays with: this.mykewlarray = "\"One\",\"Two\""; just because you thought it made you look 'l337er.'

[Skrobo2]

Quote:

Originally Posted by ApothiX

Don't use that as an excuse. Especially if you are releasing scripts that you want people to use for the security of their servers.


And NaS, you really have no place to be talking about the efficient way of doing things. Last I recall, when we were converting UN to gscript2 you were doing **** like initializing arrays with: this.mykewlarray = "\"One\",\"Two\""; just because you thought it made you look 'l337er.'

This is a little off topic, but we were having dissucsion about that on RC a while back. I'm no expert on GS2, so I have a questopn for you Okie. Is it wrong to do like this.blah = {"blah","blah","blah","blah"};? NaS said the proper way to do it was like you stated "this.mykewlarray = "\"One\",\"Two\"";".

[Skyld]

Quote:

Originally Posted by Skrobo2

This is a little off topic, but we were having dissucsion about that on RC a while back. I'm no expert on GS2, so I have a questopn for you Okie. Is it wrong to do like this.blah = {"blah","blah","blah","blah"};? NaS said the proper way to do it was like you stated "this.mykewlarray = "\"One\",\"Two\"";".

NO NO NO NO NO!

You should not be initializing arrays using this.baz = "\"foo\",\"bar\"";.

You should use the this.baz = {foo, bar}; method, not least for cleanliness and editability/comprehension reasons.

[Skrobo2]

Quote:

Originally Posted by Skyld

NO NO NO NO NO!

You should not be initializing arrays using this.baz = "\"foo\",\"bar\"";.

You should use the this.baz = {foo, bar}; method, not least for cleanliness and editability/comprehension reasons.

HA! I was right and NaS was wrong.

[xXziroXx]

Quote:

Originally Posted by Skyld

NO NO NO NO NO!

You should not be initializing arrays using this.baz = "\"foo\",\"bar\"";.

You should use the this.baz = {foo, bar}; method, not least for cleanliness and editability/comprehension reasons.

You go girl!

[ApothiX]

Quote:

Originally Posted by Skrobo2

HA! I was right and NaS was wrong.

It's not really an amazing feat to be smarter than NaS.