(SCE) Sakki's Client Essentials, (Anti-Cheat)

Trying to figure out the space time continuum programmatically…

I'm serious, what are you doing with the jar exactly?

The SCE .jar? Or the Minecraft .jar? (in the middle of making dinner)

what is sce doing to minecraft.jar

SCE is simply keeping players from modifying the main MC .jar. In its current state, it’s installed just like any other client mod (such as NEI, minimaps, etc.), just drop the .class into the .jar, delete Meta-inf and you’re done. It does nothing else to the .jar other than adding a new .class file. When he joins the server, and if the server has approved of his client, then he is allowed to join. If the player installs something that was not approved of by the server (such as Nodus, etc.), then the player is kicked. Matter of fact, if the player makes any change to the file at all, any change that is not approved of, he’ll be kicked. Even adding one letter to a config file in the .jar will cause the player to be kicked. All approved clients are permissions based, and can be changed on the fly. But that’s an old version, and I stopped updating that 6+ mo. ago.

The Forge version will work like this (working on this version):

The server owner will specify all mods that a player is allowed to use. He will take a copy of all .jars approved, and will simply drop it into the /approved folder. He will add the SCE server mod into the /mods folder, and the server side is set up. By using a modpack, it’ll make things even easier. The only need is to copy the SCE mod into the /mods folder and you’re done. If the server owner decides that other client side mods are ok for the player to install, then he will add that to the /approved folder as well. For instance, if he wants players to have a choice between 2 minimaps, he can do that by simply copying those mods into the /approved folder. If within the modpack the server owner doesn’t like the fact that its players are using NEI and wanted to deny them access from using it, then he’d simply set the permissions to either grant or deny him access. In its current state, all approved files are permissions based.

On the client side, if the player is playing on a server that is using a modpack, then all he has to do is copy the SCE client mod to the /mods folder, and he’s done. If the server owner has given the player the option of 2 specific minimaps, and NEI (or any other client mods), then the player can copy those mods down and use them as well.

So all the talk above is regarding SCE and its hackability… being able to bypass SCE. It’ll be hacked (my new stance :smile:) but with the changes I made based on Hidendra, hopefully it’ll slow them down a bit. The code itself is gonna be maddening in trying to understand (I think), so it’s the “workarounds” that make it fun. Even if it is, I’m enjoying working on it and I’ve learned a lot about cryptography in the process.

tl;dr - It makes no changes to the .jar other than adding its own class file.

Why not obfuscate the jarfile every time the player joins?

The SCE class files are highly obfuscated as is. There is no need to obfuscate the remaining MC classes in the jar.

A late reply regarding the points I made.

  • Modifying the graphics card driver. This is actually doable across a wide range of hardware as there are approximately 2 graphics card drivers out there: one for nvidia cards, and one for amd cards. Not only that, but these kinds of cheats do appear in the wild for other high profile games. Some even go as far as to rootkit the OS to prevent anti-cheat solutions from detecting them.
  • Modification to the JVM can’t be countered, only evaded with increasing sophistication. The end game is a JVM that replaces all your code on the fly.
  • I agree that bugs and glitches are more for NC+-like plugins.
  • A transparent proxy is a proxy that intercepts the communication between a server and a client without either knowing about it. Essentially it steals the packets going between the two parties and replaces them with its own. While the Minecraft protocol is encrypted, that alone will not stop such a proxy. A Public Key Infrastructure is needed in addition to effectively counter it.

I don’t think there is any effective way to counter the first and last item above. They attack weak spots that are very hard to detect without a lot of resources. The second one can be made sort of difficult. But these are just 4 examples off the top of my head. There are probably heaps and heaps of other weak spots in the system.

At the same time I really wish something like this would work. Fair and square game without having to solve an impossible task. At the very least you should be verifying what is actually running, use FML and java reflection and whatever else there is to find out as much as possible about what is running instead of trying to read the mods from the filesystem.

(When I think about it. What would happen if the user puts a banned mod in the mods folder, starts the client, and then removes the banned mod from the mods folder after it is loaded but before SCE is loaded?).

I’m at work so my reply might have a bunch of typos and broken English (trying to type fast :slight_smile: ).

  • Ok, so maybe this can’t be countered, but sure, it works best when used with an already proven anticheat. So something like this I guess would still be left up to other AntiCheats, AntiXray, Ore Obfuscators (still pretty effective).
  • Actually, this can be done via class transformation / interception. (I have it working fine, but still learning the whole concept and tweaking it)
  • Agreed.
  • All packets going to and from the server, either way, are all random (I need to randomize it even further). So even if someone were to intercept the data, they wouldn’t know what to do with it. Right now, I think I could improve the traffic as is, and make it even more “random”, so I think I’ll have to make that a priority.

If you were to ask me what the weakest link is, I’d have to say the JVM. Before Hidendra used this method, I knew about it (never attempted trying to prevent that part), but underestimated anyone actually going about that route. So to me, the JVM is probably the weakest link… which I’ve countered what he did via transformation, but I’m sure that will be countered as the client will have the advantage.

As far as the packets and code itself, I think it’s pretty secure. It’s going to take someone some time to get around that portion, but even if someone did get around it, I simply change up the logic, reobfuscate, and they’d have to start all over again. I have taken note of what someone above said that you should never design a product with making security patches in mind due to someone countering, but in this case, it’s effective.

And no, I’m not a pro, just someone who is learning, and enjoying the whole process along the way.

I have one version on a schedule to where it’ll rescan every so often (configurable by the admin), can repeat so many times, etc., or can be done manually via a command if someone is suspected of hacking. There is also an /sce inspect command that will inspect a client’s current status and report it back to the admin, which I can easily add a report on all mods to be reported back as well. ← and this is where I’m sure people are going to have problems with this mod. Gathering information and reporting it back, but, the “Lite” version doesn’t have this functionality so it’s completely optional.

Hmmm an obfuscated jar…

“Nope” as in what? Not sure I understand…

What did you use to obfuscate this thing? o_0

the simplest way it could have been done, is by obfuscating the already obfuscated code multiple times using different algorithms to ensure randomization…pointless, but effective.

Sorry I’ve been gone for a while I haven’t had time to explain the attack I used which got through. Which is completely different than the one @Hidendra used. The attack I used had to deal with simple packet interception. The fact is your Network security needs work. (Then again no one does it well in the MC community from what I’ve seen. Simply because no one really attacks it which is a shame). Anyway it was fairly simple to go through it.

The problem is you’re trying to start up a secure packet stream from my side. As long as I do a little sleuthing I can find out what key/password you’re using to start up your encrypted stream, and modify from there. Even if you add in RSA, or some other Encryption method. I will always be able to modify my own packet which is all I need to do. Also I have the advantage of being able to do it outside of the JVM completely. As long as I can encrypt my own traffic I can always bypass your security. For example let’s take RSA because that seems to be your gung-ho response any time somebody brings up exploiting through packets.

(Example)
I look through deobfuscation such as @Hidendra did, and see you’re using SHA-256, and you’re encrypting the traffic with an RSA public key which is in the jar. So I take a SHA-256 of all the files in my legal jar, as well as the legal jar itself. I perform the RSA public key encryption on all these hashes. I tell wireshark to alert me when one of these hashes goes through. (With a simple filter). I log into an SCE server with the legal jar, recording the traffic with wireshark. Boom I see that say the 4th, and 5th packets sent are authenticating bcw.class, and bce.class. So I save those packets’ core data (which supposedly has the correct hash, and auth scheme). I then take the SHA-256 of bcw.class, and bce.class from my illegal jar. I encrypt those with wireshark. I set up a simple packet filter saying whenever you run into these illegal signatures being sent to SCE replace that with the legal signatures being sent.

Really you’re fighting a losing battle. You’re too trusting in some gung-ho encryption to protect you. When the simple matter is as long as I can send data, I can also send false data. I have the final say in my packets, and you have to trust them. You’re trusting people won’t know what to do with it, but it would still be extremely simple to release an automated jar that does this bypassing for you.

Even if you made a unique RSA key each time, and sent SHA-256 of different class files/jar files each time. All I have to do is a little more work making sure to grab the RSA key at startup, and make sure I have a SHA-256 of all possible files to do a simple replacement.

3 Likes

This made me lol :smiley:

As a network security guy I wonder why people don’t do this haha. Glad someone found it humorous :slight_smile:

Hey there! I would guess that most people don’t enjoy breaking their stuff… but I do! :smiley:. I enjoy researching and finding a solution to those types of replies (and yes, I do know the client has the upper hand).

So I understood exactly what Hidendra was doing and how he used his back door JVM method of getting in (which I’ve corrected), but your approach confuses me. Yes, I do use RSA, and SHA-256, but the way you are explaining how you used them doesn’t make sense. The reason I say that is because doing the things you mentioned above to the files / packets as you said is not the method I’m using, so I’m just curious as to the details of how you are going about it.

You can send / receive all the traffic you want to and from the server, but unless you know the logic, the server is gonna kick (just by your explanation). For instance, let’s say that I have one file that I have gotten the SHA hash from, then I encrypted it with a public/private RSA key. Now, I have a hashed “string” representing the encryption. But, if I took that string, and jumbled it all up, how are you interpreting it as an RSA string? If you saw that a string was being sent over the channel with “fd6sfgh89sfgd7sfgh5fg4sfdg7sfgd89fgh8s67349534jh3498uj0fhu89f05nh7y24d057”, how are you determining that that is an RSA key, or just some whimsical combination of random numbers and letters without first understanding how that string was created? Not only that, but for all you know (and as an example), I’ve added the phrase “My brown shoe has a bunch of crusties in the bottom of the sole and really makes the room stink when I take it off!” into the SHA hash (before it was encrypted) and if the server does not see the SHA hash, does not see the RSA keys, and finally doesn’t see the other logic that I’ve added, like that brown shoe phrase, then it’s gonna kick.

Other than RSA and SHA, I don’t see how you know what other stuff I’m sending is (by your example). If the server doesn’t get that other stuff, then it’s gonna kick.

But, in the next version those packets will be virtually randomized (not that hard to interpret right now), and will not rely on any RSA or SHA encryption / hashing. Possible counter to what you mentioned above?

Also, its hard to pick up on the correct “tone” with some of these replies, so please don’t take it as negative or argumentative.

Re-reading your reply in case I missed something…

Haha good. Sorry, as a security professional I try to dumb things down and that makes it more obscure. True, the method I was explaining was an example, hence the “(EXAMPLE)”. I was just showing an example.

Let me explain a bit better.
Let’s say you take a SHA-3 Hash of a jar and it turns out as:

0x0eab42de4c3ceb9235fc91acffe746b29c29a8c366b7c60e4e67c466f36a4304c00fa9caf9d87976ba469bcbe06713b435f091ef2769fb160cdab33d3670680e

(Keccak hash of nothing for my example). Let’s say this is a correct SHA3 of the client jar.

Then let’s say the SHA3 of my jar is:

0xa69f73cca23a9ac5c8b567dc185a756e97c982164fe25859e0d1dcc1475c80a615b2123af1f5f94c11e3e9402c3ac558f500199d95b6d3e301758586281dcd26

So by decompiling your SCE I follow the logic that for example you receive an RSA key on the 3rd Packet sent, and you encrypt it and send an RSA encrypted SHA3 on packet 5.

So your core packet is:

[Header 32bytes]
[Body NBytes]

So I start up a version of SCE that should pass the correct client traffic. I log the 3rd and 5th packets, the ones that decompiling determined were the actual packets where my hash was sent. So I take a hash of every possible valid file that you could be taking a hash of, because at this point I just know you’re sending a hash, I don’t know yet which file. I know the 3rd packet is the RSA encryption key, and encrypt all valid hashes, and compare. Then I compare the encryptions to see which one you see. I find out that the SHA3 of minecraft.jar encrypted with the RSA key sent in packet 3 matches Packet 5’s data. Meaning I’ve now determined multiple things.

  1. You send an RSA key packet on packet 3.
  2. You send a SHA3 of minecraft.jar on packet 5.

So how can we bypass that?

  1. Intercept the key on packet 3.
  2. Encrypt the SHA3 of a valid minecraft.jar and replace the body of packet 5.

Even if you add in randomness. It has to be set. You can say have all random bits from 0-8, and I can tell my filter to ignore that, or add it in.

Basically I can decompile the client. See how it sends its auth. And then replace packet data with “legal” packet data as it goes out.

2 Likes
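The scheme described in the post above (client hashes its own jar, encrypts the hash with a public key shipped in the jar, server compares) can be modelled in a few lines to see why it is only a value comparison. This is an added illustration, not SCE’s code; it uses a toy textbook RSA key with constructed primes and constructed byte strings standing in for jar contents:

```python
import hashlib
import secrets

# Toy textbook RSA: two constructed Mersenne primes (2^31-1, 2^61-1), no padding.
# The property shown below does not depend on key size, only on the scheme being
# deterministic and computed entirely on the client.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q                                # public modulus, shipped inside the client jar
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, held by the server

# Constructed stand-ins for jar contents (a real jar is just a longer byte string).
LEGAL_JAR = b"bcw.class|bce.class|approved-minimap"
MODIFIED_JAR = b"bcw.class|bce.class|unapproved-mod"


def hash_to_int(data: bytes) -> int:
    """SHA-256 of the data, reduced below N only because the toy modulus is small."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def attest(jar: bytes, nonce: bytes = b"") -> int:
    """What the client sends: RSA_pub(SHA-256(jar || nonce)).

    Whoever holds a copy of the approved jar bytes can compute this value,
    whether or not those bytes are what is actually loaded in their JVM."""
    return pow(hash_to_int(jar + nonce), E, N)


def server_verify(received: int, nonce: bytes = b"") -> bool:
    """Server side: decrypt and compare against the hash of the approved jar.

    Only the value is checked; nothing ties it to the code that produced it."""
    return pow(received, D, N) == hash_to_int(LEGAL_JAR + nonce)


def is_deterministic(jar: bytes) -> bool:
    """Without a nonce (and without randomized padding) the same bytes always
    give the same ciphertext, so a table of ciphertexts reveals as much to a
    passive observer as a table of plain hashes would."""
    return attest(jar) == attest(jar)


def nonce_changes_ciphertext(jar: bytes) -> bool:
    """A per-session server nonce defeats precomputed tables, but the
    verification is still just a value check that any holder of LEGAL_JAR
    can satisfy, so it does not address the 'client has the final say' point."""
    return attest(jar, secrets.token_bytes(16)) != attest(jar, secrets.token_bytes(16))
```

The nonce variant is the standard fix for replay and precomputation; it narrows the attack surface but leaves the server trusting a client-produced value, which is the thread’s central objection.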

Ah, the details! :smiley: Ok, I’ll pay attention a bit more next time around! 'preciate the reply!

Decompiling in real-time as it’s running and actually seeing the packets in RT, or decompiling and manually looking through the code to understand the logic?

I need to take another look at my SCE code, because I am not sending hashes or keys over separate packets… almost positive. Matter of fact, by the time I send data via packet, it’s no longer a hash or key… just a jumbled up combination of junk numbers and characters… that’s what’s being sent over the channel.

So is this still all theoretical, or did you actually bypass it? The reason I asked is because you mentioned SHA3, which I’m not using, and there were a couple of what-if scenarios. However, I made a “Lite” version so maybe I’m thinking of that… maybe. Need to check over the holidays.

I might need to start up Wireshark to see if I can duplicate it on my end.

Anywho, as they say… cheers!

So you need to install this before joining a server and this makes sure the client isn’t hacked?