V3ct0r 2,117 Report post Posted May 22, 2016 Protect your GM Commands Thanks to @c0d3x for translate from Russian Hello! Let's pretend as if your server has been hacked and the hacker received access to the GM account afterwards. In this thread I'll try to explain how you can secure GM commands and make the hack nearly pointless. Attention! You must pay the most attention to &lua and &lua_all commands(!). If you have got them enabled on your server and somehow hacker manages to get into a GM account, he could get control over every thing, including your root folder; rdp access and so on and so forth. You can read more about those commands HERE. Be as safe as you can, and after reading this thread try Not to use the same commands as I'm gonna use as an example! 1st way. No GM commands - no problems! If you either use commands rarely or don't use them at all, then complete removal makes sense. You could edit characters or give them items using third party software or manually via database. To disable GM commands you should do some edits in GameServer.exe Version | Size (KB) | Address --------+--------------+------------ 1.36 | 2 040 | 0x000DE1E8 1.38 | 2 088 | 0x000E6852 2.0 | 3 000 | 0x00161349 Open GameServer.exe in any HEX editor and goto the address from the table above. I will be working with 1.38 GameServer.exe using HxD editor. Replace 23 bytes starting from this address to 0x90. Save your edits and make sure GM commands don't work in game. 2nd way. Rename gm commands. The hacker will not be able to use GM commands if he doesn't know their names. So, you have to change every command's name. Takes time but it's worth it To change GM command name, open GameServer.exe in any HEX editor. Find GM command and then change its name. New command's name length must be the same as the older one had (keep the same size!). For instance, let's rename &make to &give. Please note that 'make' and 'give' have the same length (they both have 4 symbols). Open GameServer.exe in HEX editor and find a string "make": You will find more strings that contain "make" in it ("MakeItem", "make failed!", "GMmakeLog" and such - we do not need them!). Simply ignore them and continue searching. When you find the needed one you'll see another GM commands' names there, too: Change it to "give": Save current edits. Do the same procedure for another GM commands. UPDATE! You can use this program: GM command address list GameServer.exe version 1.36 (2 040 KB): Скрытый текст (0x001A7018) lua (0x001BD05C) itemvalid (0x001BD158) addkb (0x001BD160) setpinginfo (0x001BD16C) senddata (0x001BD18C) getping (0x001BD1A4) setping (0x001BD1AC) lua_all (0x001BD1C8) delitem (0x001BD248) skill (0x001BD250) forge (0x001BD280) seeattr (0x001BD288) light (0x001BD290) itemattr (0x001BD310) attr (0x001BD3E4) make (0x001BD404) setcesslevel (0x001BD434) addcess (0x001BD470) addsailexp (0x001BD4A8) addlifeexp (0x001BD4B4) addexp (0x001BD4BC) addmoney (0x001BD4E8) kill (0x001BD50C) summonex (0x001BD534) summon (0x001BD550) pet (0x001BD56C) isblock (0x001BD5B4) misclear (0x001BD5C0) missdk (0x001BD60C) delmission (0x001BD65C) clearmission (0x001BD6C0) addmission (0x001BD71C) clearfalg (0x001BD784) setflag (0x001BD7DC) clearrecord (0x001BD840) setrecord (0x001BD84C) reload_ai (0x001BD858) misreload (0x001BD864) harmlog=0 (0x001BD870) harmlog=1 (0x001BD8B0) updateall (0x001BD8BC) gamesvrstop (0x001BD8C8) call (0x001BD8D0) qitem (0x001BD8D8) qcha (0x001BD8E0) relive (0x001BD92C) reload (0x001BD934) kick (0x001BD93C) goto (0x001BD944) unhide (0x001BD94C) hide (0x001BD954) notice (0x001BD998) move (0x001BD8E8) reload monsterrefresh (0x001BD8F8) reload iteminfo (0x001BD904) reload skillinfo (0x001BD910) reload characterinfo (0x001BD920) reload alltable GameServer.exe version 1.38 (2 088 KB): Скрытый текст (0x001B4114) lua (0x001C7818) itemvalid (0x001C78A4) addkb (0x001C78AC) setpinginfo (0x001C78B8) senddata (0x001C78E4) getping (0x001C790C) setping (0x001C7914) lua_all (0x001C793C) delitem (0x001C7964) skill (0x001C796C) forge (0x001C7994) seeattr (0x001C799C) light (0x001C79A4) itemattr (0x001C79F0) attr (0x001C7AC4) make (0x001C7AEC) setcesslevel (0x001C7B1C) addcess (0x001C7B44) addsailexp (0x001C7B70) addlifeexp (0x001C7B7C) addexp (0x001C7BA4) addmoney (0x001C7BD0) kill (0x001C7BF8) summonex (0x001C7C24) summon (0x001C7C4C) pet (0x001C7C90) isblock (0x001C7CB8) misclear (0x001C7CC4) missdk (0x001C7D0C) delmission (0x001C7D58) clearmission (0x001C7DA8) addmission (0x001C7DF4) clearfalg (0x001C7E40) setflag (0x001C7E88) clearrecord (0x001C7EB4) setrecord (0x001C7EC0) reload_ai (0x001C7ECC) misreload (0x001C7ED8) harmlog=0 (0x001C7EE4) harmlog=1 (0x001C7F10) updateall (0x001C7F1C) gamesvrstop (0x001C7F28) call (0x001C7F30) qitem (0x001C7F38) qcha (0x001C7F40) relive (0x001C7F8C) reload (0x001C7F94) kick (0x001C7F9C) goto (0x001C7FA4) unhide (0x001C7FAC) hide (0x001C7FB4) notice (0x001C7FF8) move (0x001C7F48) reload monsterrefresh (0x001C7F58) reload iteminfo (0x001C7F64) reload skillinfo (0x001C7F70) reload characterinfo (0x001C7F80) reload alltable GameServer.exe version 2.4 (3 000 KB) Скрытый текст (0x0027069C) lua (0x002709C8) opencrystal (0x00270E4C) CloseMapEntry (0x0028E9F0) closecrystal (0x0028EA00) CheckMapState (0x0028EA10) CloseMap (0x0028EA1C) OpenMap (0x0028EA24) OpenMapEntry (0x0028EA34) playsave (0x0028EA80) itemvalid (0x0028EB0C) addkb (0x0028EB14) setpinginfo (0x0028EB20) senddata (0x0028EB4C) getping (0x0028EB74) setping (0x0028EB7C) lua_all (0x0028EBA4) delitem (0x0028EBCC) skill (0x0028EBD4) forge (0x0028EBFC) seeattr (0x0028EC04) light (0x0028EC0C) itemattr (0x0028EC58) attr (0x0028ED2C) make (0x0028ED54) setcesslevel (0x0028ED84) addcess (0x0028EDAC) addsailexp (0x0028EDD8) addlifeexp (0x0028EDE4) addexp (0x0028EDEC) addmoney (0x0028EE18) kill (0x0028EE40) summonex (0x0028EE6C) summon (0x0028EE94) pet (0x0028EED8) isblock (0x0028EF00) misclear (0x0028EF0C) missdk (0x0028EF54) delmission (0x0028EFA0) clearmission (0x0028EFF0) addmission (0x0028F03C) clearfalg (0x0028F088) setflag (0x0028F0D0) clearrecord (0x0028F0FC) setrecord (0x0028F108) reload_ai (0x0028F114) misreload (0x0028F120) harmlog=0 (0x0028F12C) harmlog=1 (0x0028F158) updateall (0x0028F164) gamesvrstop (0x0028F170) call (0x0028F178) qitem (0x0028F180) qcha (0x0028F188) relive (0x0028F1D4) reload (0x0028F1FC) kick (0x0028F204) goto (0x0028F20C) unhide (0x0028F214) hide (0x0028F258) notice (0x0028F260) move (0x0028F190) reload monsterrefresh (0x0028F1A0) reload iteminfo (0x0028F1AC) reload skillinfo (0x0028F1B8) reload characterinfo (0x0028F1C8) reload alltable 3rd way. GameServer.exe with HandleChat(), GetGmLv() and SetGmLv() functions. To use this way you have to use modified GameServer.exe which has the functions above in it. Function HandleChat(userdata role, string message) works out when a character writes messages into local chat. Since all GM commands are being written into local chat, too, you can create a script that will control their execution. Like, you can make so that GM commands work only if the character, who executes them, has a specified ID or name. In addition to this, you can make so that the character has to be in a specified guild, where only administrators and/or GMs could enter. It all depends on your fantasy! To find out if character is a GM, use function GetGmLv(userdata role). Using function SetGmLv(userdata role, number level) you can edit account's gm level to which the character is attached to. Also, using the same function you can set GM level to 0 (ordinary player) in HandleChat() function in case the character hasn't passed the verification. Let's make a simple system to control GM commands: 1) GM commands can be used only if your name is: "V3ct0r", "pkodev" or "Administrator". 2) If the character is GM and he/she hasn't passed the verification, set GM level to 0, kick the character and send the message for Administrator to the GameServer.exe console. Firstly, let's create an array inside variable.lua with characters' names that could use GM commands, we'll call it PlayerCanUseCmd: PlayerCanUseCmd = {} PlayerCanUseCmd["V3ct0r"] = 1 PlayerCanUseCmd["pkodev"] = 1 PlayerCanUseCmd["Administrator"] = 1 Then let's make a script inside HandleChat() in functions.lua: -- Local chat handler function HandleChat(role, message) -- Check whether the character is a gm or not if (GetGmLv(role) > 0) then -- Check if the character has executed the command if (string.find(message, "&") == 1) then -- Check character's name local cha_name = GetChaDefaultName(role) if (PlayerCanUseCmd[cha_name] ~= nil) then -- The character can use the command return 1 end -- The character isn't allowed to use the command -- Set GM level to 0 SetGmLv(role, 0) -- Kick it from the server KickCha(role) -- Send a message to the console print("Player [" .. cha_name .."] tried to use GM command!") -- Don't let the character execute the command return 0 end end return 1 end To kick a character we have to add a KickCha() function, add it anywhere into functions.lua: function KickCha(character) local pkt = GetPacket() WriteCmd(pkt, 1505) SendPacket(character,pkt) end Thread is open for the further discussion. You're welcome to ask questions or give ideas in the comments. Thank you and best of luck! 1 Quote Some useful links / Полезные ссылки Tips for making a topic in 'Questions & Help' / Рекомендации по созданию тем в разделе "Помощь" Server Advertising Section Rules / Правила раздела "Реклама серверов" Available e-mail domains for registration / Допустимые e-mail домены для регистрации User groups / Группы пользователей User ranks / Звания пользователей "Broken" pictures on the forum / "Битые" изображения на форуме Beware of scammers! / Осторожно, мошенники! My developments / Мои разработки Mods for client and server / Моды для клиента и сервера PKOdev.NET website for Tales of Pirates Server / PKOdev.NET веб-обвязка для сервера Пиратии I do not provide any help in private messages and outside the forum. Use 'Questions & Help' section please. Thank you for understanding! Я не оказываю какую-либо помощь в личных сообщениях и вне форума. Пожалуйста, используйте раздел "Пиратия: Помощь". Благодарю за понимание! Share this post Link to post Share on other sites
Yomazu 20 Report post Posted May 22, 2016 Very good guide. And this protect against os.execute hacks? Quote Share this post Link to post Share on other sites
V3ct0r 2,117 Report post Posted May 22, 2016 7 минут назад, Yomazu сказал: Very good guide. And this protect against os.execute hacks? Yes. It can protect from &lua and &lua_all. Via these commands hacker can call os.execute function. &lua os.execute("format c") Please do not use quotation for such long messages. 1 Quote Some useful links / Полезные ссылки Tips for making a topic in 'Questions & Help' / Рекомендации по созданию тем в разделе "Помощь" Server Advertising Section Rules / Правила раздела "Реклама серверов" Available e-mail domains for registration / Допустимые e-mail домены для регистрации User groups / Группы пользователей User ranks / Звания пользователей "Broken" pictures on the forum / "Битые" изображения на форуме Beware of scammers! / Осторожно, мошенники! My developments / Мои разработки Mods for client and server / Моды для клиента и сервера PKOdev.NET website for Tales of Pirates Server / PKOdev.NET веб-обвязка для сервера Пиратии I do not provide any help in private messages and outside the forum. Use 'Questions & Help' section please. Thank you for understanding! Я не оказываю какую-либо помощь в личных сообщениях и вне форума. Пожалуйста, используйте раздел "Пиратия: Помощь". Благодарю за понимание! Share this post Link to post Share on other sites
DevMorgan 6 Report post Posted May 22, 2016 I use the files 1:36 lucky gameserver which should I use? Quote Share this post Link to post Share on other sites
V3ct0r 2,117 Report post Posted May 23, 2016 @DevMorgan Don't undersatnd you. Which what? GameServer or way to secure GM commands? 1 Quote Some useful links / Полезные ссылки Tips for making a topic in 'Questions & Help' / Рекомендации по созданию тем в разделе "Помощь" Server Advertising Section Rules / Правила раздела "Реклама серверов" Available e-mail domains for registration / Допустимые e-mail домены для регистрации User groups / Группы пользователей User ranks / Звания пользователей "Broken" pictures on the forum / "Битые" изображения на форуме Beware of scammers! / Осторожно, мошенники! My developments / Мои разработки Mods for client and server / Моды для клиента и сервера PKOdev.NET website for Tales of Pirates Server / PKOdev.NET веб-обвязка для сервера Пиратии I do not provide any help in private messages and outside the forum. Use 'Questions & Help' section please. Thank you for understanding! Я не оказываю какую-либо помощь в личных сообщениях и вне форума. Пожалуйста, используйте раздел "Пиратия: Помощь". Благодарю за понимание! Share this post Link to post Share on other sites
DevMorgan 6 Report post Posted May 23, 2016 6 hours ago, V3ct0r said: @DevMorgan Don't undersatnd you. Which what? GameServer or way to secure GM commands? I want to protect GM commands I used the 1:38 V3ctor GS but it works not correctly in files 1:36 clean the lucky all GM can use command I wanted commands released only to authorized GM Quote Share this post Link to post Share on other sites
Foxseiz 138 Report post Posted May 24, 2016 5 hours ago, DevMorgan said: I want to protect GM commands I used the 1:38 V3ctor GS but it works not correctly in files 1:36 clean the lucky all GM can use command I wanted commands released only to authorized GM Why bother making them a GM if you're not authorizing them to use your commands? Quote Share this post Link to post Share on other sites
DevMorgan 6 Report post Posted May 24, 2016 4 hours ago, Foxseiz said: Why bother making them a GM if you're not authorizing them to use your commands? I want only to GM name on a list to use commands! You see ? Quote Share this post Link to post Share on other sites
abdoelghoul 4 Report post Posted June 11, 2016 Very useful! Thank u v3ct0r Quote Share this post Link to post Share on other sites
InuYasha 4 Report post Posted July 8, 2016 Thanks You Professional 1 Quote Share this post Link to post Share on other sites
Vasil 71 Report post Posted July 8, 2016 What about if you have already another HandleChat function , should i mix them both? Quote Share this post Link to post Share on other sites
V3ct0r 2,117 Report post Posted July 11, 2016 В 08.07.2016 в 14:49, Dimitrov сказал: What about if you have already another HandleChat function , should i mix them both? Sure. You can check if character have GM access at the beginning of the function 1 Quote Some useful links / Полезные ссылки Tips for making a topic in 'Questions & Help' / Рекомендации по созданию тем в разделе "Помощь" Server Advertising Section Rules / Правила раздела "Реклама серверов" Available e-mail domains for registration / Допустимые e-mail домены для регистрации User groups / Группы пользователей User ranks / Звания пользователей "Broken" pictures on the forum / "Битые" изображения на форуме Beware of scammers! / Осторожно, мошенники! My developments / Мои разработки Mods for client and server / Моды для клиента и сервера PKOdev.NET website for Tales of Pirates Server / PKOdev.NET веб-обвязка для сервера Пиратии I do not provide any help in private messages and outside the forum. Use 'Questions & Help' section please. Thank you for understanding! Я не оказываю какую-либо помощь в личных сообщениях и вне форума. Пожалуйста, используйте раздел "Пиратия: Помощь". Благодарю за понимание! Share this post Link to post Share on other sites
GummyBear 6 Report post Posted July 17, 2016 (edited) @V3ct0r Could you reupload modified GameServer.exe? Thanks in advance Edited July 17, 2016 by GummyBear Quote Share this post Link to post Share on other sites
V3ct0r 2,117 Report post Posted July 17, 2016 1 час назад, GummyBear сказал: Could you reupload modified GameServer.exe? Thanks in advance Here you are GameServer.zip 1 Quote Some useful links / Полезные ссылки Tips for making a topic in 'Questions & Help' / Рекомендации по созданию тем в разделе "Помощь" Server Advertising Section Rules / Правила раздела "Реклама серверов" Available e-mail domains for registration / Допустимые e-mail домены для регистрации User groups / Группы пользователей User ranks / Звания пользователей "Broken" pictures on the forum / "Битые" изображения на форуме Beware of scammers! / Осторожно, мошенники! My developments / Мои разработки Mods for client and server / Моды для клиента и сервера PKOdev.NET website for Tales of Pirates Server / PKOdev.NET веб-обвязка для сервера Пиратии I do not provide any help in private messages and outside the forum. Use 'Questions & Help' section please. Thank you for understanding! Я не оказываю какую-либо помощь в личных сообщениях и вне форума. Пожалуйста, используйте раздел "Пиратия: Помощь". Благодарю за понимание! Share this post Link to post Share on other sites
GummyBear 6 Report post Posted July 17, 2016 @V3ct0r Emm I dont know what I'm doing wrong but when I login to the game - server is bugged, every item in my inventory looks like with 0 durability and every character stat points are just 5.. What I did: 1. Change my old game server to [BS HandleChat & GetGmLev & Party Search Fix] GameServer.exe 2. Inside variable.lua I wrote: PlayerCanUseCmd = {} PlayerCanUseCmd["GummyBear"] = 1 3. I just copy ur HandleChat() and KickCha function to the end of my function.lua When I delete HandleChat() function - ur gameserver operates normally Quote Share this post Link to post Share on other sites
V3ct0r 2,117 Report post Posted July 17, 2016 @GummyBear Check if any errors while GameServer.exe is loading. Also you can notice that forum replaced some code: if (GetGmLv(role) > 0) then should be if (GetGmLv(role) > 0) then and if (string.find(message, "&") == 1) then should be if (string.find(message, "&") == 1) then 1 Quote Some useful links / Полезные ссылки Tips for making a topic in 'Questions & Help' / Рекомендации по созданию тем в разделе "Помощь" Server Advertising Section Rules / Правила раздела "Реклама серверов" Available e-mail domains for registration / Допустимые e-mail домены для регистрации User groups / Группы пользователей User ranks / Звания пользователей "Broken" pictures on the forum / "Битые" изображения на форуме Beware of scammers! / Осторожно, мошенники! My developments / Мои разработки Mods for client and server / Моды для клиента и сервера PKOdev.NET website for Tales of Pirates Server / PKOdev.NET веб-обвязка для сервера Пиратии I do not provide any help in private messages and outside the forum. Use 'Questions & Help' section please. Thank you for understanding! Я не оказываю какую-либо помощь в личных сообщениях и вне форума. Пожалуйста, используйте раздел "Пиратия: Помощь". Благодарю за понимание! Share this post Link to post Share on other sites
GummyBear 6 Report post Posted July 17, 2016 28 minutes ago, V3ct0r said: @GummyBear Check if any errors while GameServer.exe is loading. Also you can notice that forum replaced some code: if (GetGmLv(role) > 0) then should be if (GetGmLv(role) > 0) then and if (string.find(message, "&") == 1) then should be if (string.find(message, "&") == 1) then Server is not bugged anymore but every GM character still got access to commands Quote Share this post Link to post Share on other sites
InuYasha 4 Report post Posted July 17, 2016 Same Here Quote Share this post Link to post Share on other sites
DnA 3 Report post Posted July 18, 2016 PlayerCanUseCmd = {} PlayerCanUseCmd["V3ct0r"] = 1 PlayerCanUseCmd["pkodev"] = 1 PlayerCanUseCmd["Administrator"] = 1 @V3ct0r V3ct0r, pkodev, Administrator, this Accunt/ID or Name Character? Quote Share this post Link to post Share on other sites
V3ct0r 2,117 Report post Posted July 19, 2016 20 часов назад, DnA сказал: PlayerCanUseCmd = {} PlayerCanUseCmd["V3ct0r"] = 1 PlayerCanUseCmd["pkodev"] = 1 PlayerCanUseCmd["Administrator"] = 1 @V3ct0r V3ct0r, pkodev, Administrator, this Accunt/ID or Name Character? V3ct0r, pkodev and Administrator are names of characters who can use GM commands. @InuYasha, @GummyBear This means that the condition "if (PlayerCanUseCmd[cha_name] ~= nil) then" does not work. Try replace it to "if (PlayerCanUseCmd[cha_name] ~= 1) then". Also it is only example how you can implement protection in HandleChat() function Quote Some useful links / Полезные ссылки Tips for making a topic in 'Questions & Help' / Рекомендации по созданию тем в разделе "Помощь" Server Advertising Section Rules / Правила раздела "Реклама серверов" Available e-mail domains for registration / Допустимые e-mail домены для регистрации User groups / Группы пользователей User ranks / Звания пользователей "Broken" pictures on the forum / "Битые" изображения на форуме Beware of scammers! / Осторожно, мошенники! My developments / Мои разработки Mods for client and server / Моды для клиента и сервера PKOdev.NET website for Tales of Pirates Server / PKOdev.NET веб-обвязка для сервера Пиратии I do not provide any help in private messages and outside the forum. Use 'Questions & Help' section please. Thank you for understanding! Я не оказываю какую-либо помощь в личных сообщениях и вне форума. Пожалуйста, используйте раздел "Пиратия: Помощь". Благодарю за понимание! Share this post Link to post Share on other sites
InuYasha 4 Report post Posted August 2, 2016 Same Bugg Quote Share this post Link to post Share on other sites
Vasil 71 Report post Posted October 23, 2016 On 19/07/2016 at 1:50 PM, V3ct0r said: V3ct0r, pkodev and Administrator are names of characters who can use GM commands. @InuYasha, @GummyBear This means that the condition "if (PlayerCanUseCmd[cha_name] ~= nil) then" does not work. Try replace it to "if (PlayerCanUseCmd[cha_name] ~= 1) then". Also it is only example how you can implement protection in HandleChat() function Sorry to revive topic , but maybe you guys should try replacing 1 to "true" Quote Share this post Link to post Share on other sites
V3ct0r 2,117 Report post Posted October 23, 2016 5 минут назад, Vasil сказал: Sorry to revive topic , but maybe you guys should try replacing 1 to "true" 1 and 'true' are the same 1 Quote Some useful links / Полезные ссылки Tips for making a topic in 'Questions & Help' / Рекомендации по созданию тем в разделе "Помощь" Server Advertising Section Rules / Правила раздела "Реклама серверов" Available e-mail domains for registration / Допустимые e-mail домены для регистрации User groups / Группы пользователей User ranks / Звания пользователей "Broken" pictures on the forum / "Битые" изображения на форуме Beware of scammers! / Осторожно, мошенники! My developments / Мои разработки Mods for client and server / Моды для клиента и сервера PKOdev.NET website for Tales of Pirates Server / PKOdev.NET веб-обвязка для сервера Пиратии I do not provide any help in private messages and outside the forum. Use 'Questions & Help' section please. Thank you for understanding! Я не оказываю какую-либо помощь в личных сообщениях и вне форума. Пожалуйста, используйте раздел "Пиратия: Помощь". Благодарю за понимание! Share this post Link to post Share on other sites
InuYasha 4 Report post Posted October 23, 2016 4 hours ago, Vasil said: Sorry to revive topic , but maybe you guys should try replacing 1 to "true" hahahahaha Quote Share this post Link to post Share on other sites
Vasil 71 Report post Posted October 28, 2016 On 23/10/2016 at 6:25 PM, V3ct0r said: 1 and 'true' are the same Yes , i know. Here on my GameServer i guess, Sometimes if i put true it works. If 1 then it returns nil. Quote Share this post Link to post Share on other sites