I’ve been on both sides of the hacking thing and everyone from idiots to experts on either side know that “hack-proof” on clientside software is a plain ridiculous claim.
1 Like
Was that rhetorical? ← that is.
You’re trying to fix an unfixable problem, what did you expect?
You have no basis for that comment. If I said that I just created a perpetual motion machine (impossible), are you simply going to dismiss it and demean the author without any grounds? Or will you check it out first, THEN demean the author for you have seen, and tested what he falsely claimed?
No way in hell I’m going to run software that
I might poke around the source code, but it’s obfuscated so not worth my time.
And yes I will happily dismiss claims of a perpetual motion machine without checking, because, as you just said, it’s impossible.
This so called negativity comes from the style of comments you are making.
You are claiming credentials and expertise in infosec without any qualifying statements.
You openly criticized the communities responses to ill-informed and poorly researched questions.
Perhaps more non-hostile communication would allow you to better achieve your desired result.
No reputable software company ever claims something is “hack-proof”. You however have.
Anti-virus software doesn’t even claim it will catch everything, but you make this claim.
Seriously mate… switch on.
2 Likes
^ Then prove me wrong. I gave you the tools, you can bring your CISSP cert.
What I have said, is that it is near 100% hack proof. Out of obvious spite specifically towards the Pompous Popeus, I changed it to “hack-proof”. Not an official claim. Oh, and i’m not a “reputable software company”, no need for a comparison.
Something is wrong with you… seriously.
GO SPONGE GO!
“Where the friendly stops here!”
unreal.
And where’s /yours/?
2 Likes
How about a cert not handed out like wrapping paper at Christmas? 
It’s all good guys. In a matter of minutes, the project went from dead, to a reincarnation, to excitement to work on it on my day off… to it absolutely being squashed by the Sponge community with their pessimistic and negative attitudes, to going back downstairs to play some COD.
Anywho… May Sponge live long and prosper.
I can’t find a DL link for your client. I want to Fernflower it.
Here : http://files.enjin.com/228976/SCE/Client/Beta/SCE_Client_Beta_v.0.001.jar (from 6 mo. ago) Client only. Sandbox it if you don’t feel comfortable with actually using it.
Tires screech
Car crashes into gas station
Gas explodes entire city block
That’s what happened in my mind when I read this.
2 Likes
Lol, you’re fine. I can be banned if it causes any harm. That’s an old build of which I can look into removing that if I decide to update it. Just Sandbox it if you feel uncomfortable.
“Used to be a hacker”
I ain’t no hacker but at least know that your obfuscation won’t work to hide it. Besides, even without deobfuscating your client mod I can just open up Wireshark and figure out what packets I need to be handling.
And, like mbaxter pointed out: if you’re going to open this up to being able to execute commands – then hell no. INB4 RATTED with Runtime#exec(String).
1 Like
[quote]“Used to be a hacker”
I ain’t no hacker but at least know that your obfuscation won’t work to hide it. Besides, even without deobfuscating your client mod I can just open up Wireshark and figure out what packets I need to be handling.
And, like mbaxter pointed out: if you’re going to open this up to being able to execute commands – then hell no. INB4 RATTED with Runtime#exec(String).
[/quote]
Deobfuscating it is going to be very hard.
Regarding “Runtime.getRuntime().exec()” I did say that I’d remove it if I decided to update it. Or, if the functionality looks like something that’ll benefit players, then sandbox the environment for testing purposes and track any changes on an io / network level. Or, I can simply remove that function. The Lite version does not have that functionality.
Packets? All data going to and from are all random. Will be hard to decipher.
are all random
What do you mean by that? If you mean encryption, then your plan is flawed still.
It took no more than 30 seconds for FernFlower to tear that jar into semi-intelligible source. Yes, it is obfuscated. No, I don’t think that’s going to stop anyone who knows anything beyond how to run FernFlower from hacking away at it. If the US government can write malware, plant it on a flashdrive, and destroy Uranium centrifuges, I think a hacker with some time can crack Bob Jones’ excessively obfuscated Minecraft client mod. I can see why Bukkit didn’t bother with it…
I toyed around with SCELite as it’s on MC 1.7. It was pretty easy to use a modded client without modifying SCE. I’m no cracker or security expert 
Remapped: 7a39fdbc92c7d11de96fedb02c2941b47beda0bb93a077d16a5412466a9444af -> 2ccddca6223cfcc83b8f0229de15215f63c734cff7963e804cb2c7230a0888ee
Unmapped: 8b287e2b9e9f1798ff3fbee2d8b9bacf575e3ab268beae03e84081853027ef87
The server had a Vanilla 1.7.2 jar modded with SCELite whitelisted. Then I added OptiFine to the client (but not the server’s whitelisted jar) so that it kicked me on login (“unapproved client”). After making my changes, I was able to log in with my illegal OptiFine client. I did not modify biv.class or the server in any way.
Does the non-Lite version work much differently or is the general idea the same?
I won’t go into much much more detail unless OP is interested.
edit: video
2 Likes