ID:277622
 
I'm just trying to find out what is and isn't possible to have done to a BYOND game while it's running. I've heard a couple of stories that I haven't quite believed, and wanted to find out what was possible. (Not because I want to start hacking BYOND games)

Anyways, try to answer without causing any problems. (Like posting too much information that might cause problems)

Various rumors I've heard:
1) Getting src files from host files. I've heard certain programs can break into the files and get the source.

2) General in game hacking. Short of abusing bugs, is it possible to give yourself verbs, or just genrally cheat?

3) Use a virus or something to crash the server or worse. (Damage the host computer)


Anyways, I suppose this is a dangerous topic, but I've heard many rumors about this stuff
You want a short answer?
1) hell yes its been done before

2) yes, I tested out a packet editor on mystic Journey and it worked (if your not gonna cheat dot wask what it is)

3) im not really sure. get a BYOND guru to tell you.
Chessmaster_19 wrote:
I'm just trying to find out what is and isn't possible to have done to a BYOND game while it's running. I've heard a couple of stories that I haven't quite believed, and wanted to find out what was possible. (Not because I want to start hacking BYOND games)

Anyways, try to answer without causing any problems. (Like posting too much information that might cause problems)

Various rumors I've heard:
1) Getting src files from host files. I've heard certain programs can break into the files and get the source.

With the current leak of the resource extractor, people could easily extract your resource files, like graphics and sounds and such, but that doesn't include your program files. There is in fact a source extractor for BYOND, but even Tom admits that most of the source file is so hard to read and full of crap it is close to useless. So in other words, don't worry about it.

2) General in game hacking. Short of abusing bugs, is it possible to give yourself verbs, or just generally cheat?

This depends on what you want to do. You could use a hex editor to cheat on a game and give yourself infinite hp or whatever. It is a little more complicated then people try to make it sound though and can be a pain in the butt. I don't think many BYONDers actually do this. As for hacking verbs and stuff, I don't know, I suppose it is possible. I'd like to add any game (even word of warcraft) is open to this kind of abuse, not just BYOND.

3) Use a virus or something to crash the server or worse. (Damage the host computer)

Viruses do that anyways. A virus can destroy your computer, the best defense is a good firewall and a good virus scanner. This isn't a BYOND danger it is a computer owner danger. You could though, use the .ping command (used in BYOND to measure the amount of lag on a server) to spam the server until it crashes, it takes a lot of work and I honestly don't think it is worth it, but I heard it can be done.

Anyways, I suppose this is a dangerous topic, but I've heard many rumors about this stuff.

Most of these rumors not only apply to BYOND, but they also apply to anyone who uses a computer (except question number 1). How new are you to using a computer and the interwebs and not knowing this?
1 - Only in a very loose sense. As Rev has mentioned, there are programs around that can extract the icons/sounds/etc. from rsc files into a usable format, but as far as I'm aware, they're not really used very often.

There also is a DM decompiler that was written a while ago by a BYOND member. That could take a .dmb file and give you source code that would then compile to that .dmb file.

It did not give you the original source code - that's impossible. Instead, it gave you a nearly-unreadable assembly-languageified-DM, essentially. Basically, it's full of 'ifs' and variables called 'var123'. Plus, the member who wrote it is responsible and never actually let the program out of his grasp, and is highly unlikely to decompile something for someone untrustworthy.

2 - It depends. Some games are written particularly badly, and can be abused by using something called a 'packet sender'. For example, if your attack verb looks like this:

mob/verb/attack(mob/m in view(1))
m << "[name] attacked you!"


Then it is possible to use a packet sender to attack someone on the other side of the map. If, however, it looks like this:

mob/verb/attack(mob/m in view(1))
if(m in view(1)) m << "[name] attacked you!"


the game is immune to this sort of tinkering.

Considering how most of the games on the hub were written, you could probably do this to most games on the hub. If you're writing your own game, remember the cardinal rule - Never trust user input. Ever.

As for giving yourself verbs, etc., probably not possible (Unless the game has some sort of hole similar to the attack verb above), unless you're the host (in which case you can use a memory editor to do essentially anything with the game. Unless it's well secured. And even then, only until the host cracks it), or if there's client-side saving (Once again, only if the savefile isn't well secured, and the security hasn't been broken).

As for 3? BYOND does not, as currently known, open your computer up to these kinds of threats. People can get your IP address by inspecting packets sent to your BYOND server, or various other things, but this will generally not matter. Keep your OS up to date (particularly if it's windows), run some firewall program (or work behind NAT - if you have a router, or had to port forward to host, you are behind NAT), you'll be fine. You're more likely to get a virus by downloading programs off the interwebs.
In response to Jp
Jp, packet sender's no longer work with BYOND 3.5+. Lummox changed something with the network so they wouldn't.(They just increase in size or something)
In response to Dark_Shadow_Ninja
I'm willing to bet there are still ways around that.

Plus, some people don't use 3.5.

Doubleplus, it's still a good idea to never trust user input.
In response to Revenant Jesus
Revenant Jesus wrote:
word of warcraft


neat idea for a game! mine! mine! mine!

*runs off to develop the idea*
In response to Jp
Packet spoofing is next to impossible with the latest versions, you'd have to be more than your average user to pull it off, and people with that kind of skill generally have better things to do than cheat in a poorly programmed game.
In response to Nadrew
Nadrew wrote:
Packet spoofing is next to impossible with the latest versions, you'd have to be more than your average user to pull it off, and people with that kind of skill generally have better things to do than cheat in a poorly programmed game.
See? Why can't you do this with the .rsc?! =)
In response to Flame Sage
Because that would require recoding the entire resource handling system, which is no trivial job.
Chessmaster_19 wrote:
1) Getting src files from host files. I've heard certain programs can break into the files and get the source.

Icons, sounds etc are all able to be stolen from the rsc file. A resource extractor for this does exist.

There was a source code extractor, and contrary to popular belief, it did produce a readable source code. The only difference was, variables etc weren't named the same. Instead of "MyVar" it'd be named "Variable1". With a little reading, it wouldn't take long to produce a perfectly readable source code. Only two of these extractors exist, and they are both under lock and key.

2) General in game hacking. Short of abusing bugs, is it possible to give yourself verbs, or just genrally cheat?

Give yourself verbs, I'm not so sure. There is probably a way, but no one has decided to try it out. If a verb takes advantage of Topic() it'd be easy for the user to check the BYOND Cache, find the proper link and take advantage of it.

3) Use a virus or something to crash the server or worse. (Damage the host computer)

The game would have to come packaged with the file itself, and the server would have to be ran in "trusted" mode for it to execute the virus file (using the shell() command I believe). Either way, it can't be included inside the BYOND executable unless it's infected before transmission. And then, if your virus protector is competent, it'll detect the virus when it reaches your computer.

--

There isn't much to worry about. Only BYOND's best of the best could pull most of this stuff off successfully. And they're far too busy with other things to care about hurting others computers.
Chessmaster_19 wrote:
1) Getting src files from host files. I've heard certain programs can break into the files and get the source.

Nope. The original source is as secure as your computer itself. People lose source code most often by giving it out to the wrong people.

Resources, however (icons, sounds; not maps), are exposed. There aren't too many ways around that, as anyone can take screenshots, etc.

2) General in game hacking. Short of abusing bugs, is it possible to give yourself verbs, or just genrally cheat?

Under some circumstances, yes, for the host in particular. The host has some options like modifying savefiles, which are often stored on their computer. Memory editors are also fashionable for this, and they're hard to defend against, although there are things you can do to thwart them.

For players it's a different matter. Most games don't give them enough access to do any harm, but some store savefiles on the clients' computers. If they do this, the savefiles need to be protected with hashing to prevent (or rather detect) modification.

3) Use a virus or something to crash the server or worse. (Damage the host computer)

I would say this just isn't possible, except if you download a game and run it in trusted mode, and it happens to come packaged with an infected file. In 4.0 this is more difficult as .bat and .exe files are not allowed to run() at all.

Anyways, I suppose this is a dangerous topic, but I've heard many rumors about this stuff

The truth is far less disturbing than the rumors, trust me. Overall BYOND is quite secure and you shouldn't have anything to fear from hosting or playing games with it. Cheating is a different issue, but even there most of the power to do that lies with the host. If you don't trust the host to run an honest game, then you shouldn't connect to their server.

Lummox JR
In response to Lummox JR
Lummox JR wrote:
Cheating is a different issue, but even there most of the power to do that lies with the host. If you don't trust the host to run an honest game, then you shouldn't connect to their server.

This reminds me....I've actually seen a command executed by a host that crashes a single person's Dream Seeker. The host was the game owner so he could use the code to make such things happen with a verb. So yeah....most dangers are with the host.
In response to Evil-Inuyasha
Evil-Inuyasha wrote:
Lummox JR wrote:
Cheating is a different issue, but even there most of the power to do that lies with the host. If you don't trust the host to run an honest game, then you shouldn't connect to their server.

This reminds me....I've actually seen a command executed by a host that crashes a single person's Dream Seeker. The host was the game owner so he could use the code to make such things happen with a verb. So yeah....most dangers are with the host.

On Majins and Mystics Remastered we had a command called "Spam", basically if you were the target of it, you were spammed until you either managed to somehow shut down your client, or it crashed, either one. We could also use images and text. It was a fairly annoying and decent way to make people behave. Hit with it once or twice and they didn't want to have it happen again.
In response to Tiberath
Tiberath wrote:
There was a source code extractor, and contrary to popular belief, it did produce a readable source code. The only difference was, variables etc weren't named the same. Instead of "MyVar" it'd be named "Variable1". With a little reading, it wouldn't take long to produce a perfectly readable source code. Only two of these extractors exist, and they are both under lock and key.

And it's probably likely only one works, seeing as how Dan's was made a while ago, and might not account for certain modifications.