I was just about to vouch for this except I would be more than happy to show my CISSP, or Security+ certs. @saki2fifty this seems like a good idea, but this is a horrible implementation. I was able to find a multiple holes in your networking side. From reading all traffic, reversing login info, and so forth.
Edit: Login info being your checks and all that when a player logs in.
3,000 lines of code, and written entirely in Java...
Thats not how you motivate me, fellow programmer 
. It would be better
Removed 3000 lines out of Minecraft, and made it 100% hack proof
or
Very compact 100% hack proof solution
Its a good thing you know how to make entrance like a hacker … . You maded a post that looked like how team lixo announced their client: “45000 lines, ultimate social griefing hacking client”. Although it was forbidden to RAT on that forum. So forget it, nobody will download a client from a site you own, especially if you serve it on this way.
Although I think your motivations are “friendly”, I don’t think the people here will use it. (reading from the posts)
Also just wondering, the client tries to emulate the world from the server. Why do would we need a security client to protect us? I feel perfectly save with a normal minecraft client. If their are so many bugs on it. Could you give us an example of one?
Right, it takes even less than 30 seconds for other decompilers. Anything decompiled is semi-intelligible, but it really makes no sense as to the logic. Try recompiling it as is and see what happens.
Ok, so what I did is I changed the original thread to not read 100% hack proof (I even mentioned I might had been over zealous wayyyyy up the thread in saying its near 100%). So I acknowledge my fault, and I adjusted.
Can you repost the video? Link doesn’t work. That Lite version is a way dummied down version and I never finished working on it. Thanks for actually testing it! As far as you bypassing the check, do you feel you hacked it, or do you feel that my logic wasn’t correct? I’d like to see the video.
Yeah, the non-Lite version works completely different.
I’ve linked the .jar’s for the full version at the top.
I’m not sure sure what is meant by your first sentence, so if I offended in some way about certs, then my apologies.
I didn’t write the networking portion, I am simply using packets just like everyone else on here does. What holes are you referring to? If there are security holes, its probably due to the nature of MC in general.
Ok, thanks…
That is my own personal website. I’m not trying to prove a point, it is what it is… 3000 lines of code. One third of that is Hidendra’s mcstats.
??? Not sure what you mean. This mod does not “emulate” the world (not sure what that means), it simply prevent people from modifying their clients. So for instance, if you don’t want someone using Nodus, it’ll prevent that.
Just don’t talk about lines of code, its a wrong term… .
??? How will a client “prevent” a player from using nodus on a server? You mean you are reverse hacking nodus Oo. With reverse hacking a mean this:
Hacker attacks player with forcefield. player has your client and it basicly doges all the attemps of hacker to kill him.
I guess I totally misunderstand this… . If you have code that can detect nodus, wouldn’t it be easier to implement this in the server ???
Ok, point taken. I’ve removed my comments regarding how many lines of code. Thanks, I’ve adjusted.
[quote]??? How will a client “prevent” a player from using nodus on a server? You mean you are reverse hacking nodus Oo. With reverse hacking a mean this:
Hacker attacks player with forcefield. player has your client and it basicly doges all the attemps of hacker to kill him.
I guess I totally misunderstand this… . If you have code that can detect nodus, wouldn’t it be easier to implement this in the server ???[/quote]
SCE will not prevent a player from using Nodus like NoCheat+ does. NoCheat+ (or other anti-cheat) works by looking at what a player does while in game. SCE works by preventing mods from being installed on the client (server owner chooses what is, or is not installed).
It’s a simple concept. On the server you have a list of “approved” clients. So for instance, I want my players to only use NEI on their client… nothing else is accepted. So what I do is I take a 1.6.4 client and I install NEI, then I take that client (the client .jar), put it into the “approved” folder on the server and anytime that a player tries to connect, it’ll compare the approved file with the file the player has. If it doesn’t match, then it kicks (or a variety of things the server owner wishes… jail, burn, etc.)
How do you get the file (or md5) from the player? I mean if I was a hacker this would be my target lol. Anyway I am sorry that I misunderstood this, the title confused me a bit 
.
^Not a problem!
This is a client / server mod. So when i’m done with the Forge / Sponge version, you drop the mod .jar into your /mods folder on the server, and the player drops the client mod into his /mods folder. Simple as that. Also on by using Forge, it can check the entire /mods, /coremods and /config folders to ensure the player hasn’t installed extra mods into his /mods folder, and nothing less. Can also check the config files to ensure its in sync with the servers config files.
It works just like every other Forge based client mod (NEI for example).
It’s alright I think I misunderstood one of your previous statements.
A series of holes, mostly doing with the checking procedure. You say
I just wanted to prove that it wasn’t getting past your layer wasn’t tough. It was a piece of cake. Also you should redo the way you server side plugin works. There may or may not be a vulnerability for remote downloading server files from a client.
Yeah, it was still in beta when I got sidetracked with RL stuff, so there are still some things I need to addressed. And its not perfect, I admit that. I was overly optimistic with my original post… but I’ve been humbled a bit, and I’ve adjusted.
It’s not an end-all mod to security, but for the 10-30 players that a server owner has on average, i’m thinking it has some good use for that small player base and keeping them from hacking with common Fly / Xray / etc. tools. I’m thinking that with those 10-30 players, most aren’t true hackers.
Anywho…
It’s a webm/mp4 so your browser may not support if it didnt show it I guess. Link is the file itself 
Some of the things you did at the very least did seem pretty interesting (e.g. string encryption using the callee’s class + method name), but the decryption method was pretty easy to reproduce (so I guess that’s more of an annoyance not a deterrence?). As already mentioned I’m far far from a hacker/whatever 
when I mentioned “encrypted” classes in my first post, I just used a similar idea and it’s nothing extraordinary, although maybe a bit creative.
I don’t have much to compare to (experience-wise) so I’m not able to really comment on how easy or hard it was. If the same method works on non-Lite then I believe it can be improved, yes
I was going to see if I could easily bypass that one, but it doesn’t seem to work for me. Does the jar still work ok on 1.6.4? When I try to join the server with SCE_Client_Beta_v.0.001.jar added to a plain vanilla 1.6.4 jar it crashes with:
Exception in thread "Thread-13" java.lang.NoClassDefFoundError: iIIIiIIiII
at bcw.<init>(b:1889)
at bcz.run(SourceFile:42)
I see a iIIIiIIiII_7.class but not iIIIiIIiII
Yeah, I finally was able to see the video. I’m thinking on 1.7 my logic was a bit off, but its nothing I cant fix.
Server side should appear as:
Client side should appear as:
If you are not seeing _1, _2, _3, etc. then you didn’t install it correctly. Kinda tricky in getting those .class files copied to the client. Once on Forge, this wont be a problem.
I need to work on the encryption part a bit more then. I had RSA in at one time, so I might have to reintroduce it. So I take it you are hitting it from the packet side… trying to decipher that, correct? If so, then I need to strengthen that.
Oh, you cant reuse that 1.7.x jar (not sure if that’s what you were asking). You’ll need to create a new 1.6.4 client jar, then copy the client files to that.
Also, if you are by chance trying to use a different launcher (Magic Launcher, etc.), it’ll block those. It only accepts Vanilla. (there’s a permission to allow however)
I’m using a fresh Vanilla 1.6.4 jar downloaded using the official MC launcher. I did install it correctly as far as I know as all of the files are showing inside the 1.6.4 jar:
Ok, let me run through it on my side. It’s been a long time since messing with it.
…
Ok, so what I did exactly is this (I know, you already know all this, just showing my steps):
No approved clients set, and got the below:
Instead of using 7zip, IZArc, etc. use WinRAR. Use WinRAR to open both. Other ones wont work.
Still no bueno even with winrar.
When you say 1.6.4.jar, are you editing .minecraft/versions/1.6.4/1.6.4.jar? Because the launcher will redownload the jar because it was modified (I didn’t see anywhere to disable the version check.) I had to create a new version (just copied the folder and edited the filenames & id in the json) for it to not do that.
If it isn’t being redownloaded by the launcher, are you able to just send me your jar file so I could see if it works for me as well?