search

Pryaxis / TShock

☕️⚡️TShock provides Terraria servers with server-side characters, anti-cheat, and community management tools.
GNU General Public License v3.0
2.4k stars 377 forks source link

SSC item smuggling, bruh #2115

Open Walter-o opened 3 years ago

Walter-o commented 3 years ago
  1. Login to an SSC server
  2. Drop an item the moment you join ASAP
  3. Have a friend stand there to pick it up ASAP

0 plugins Server runs on Raspberry pi 2 B+ so can be a bit slow sometimes during saving

Credits to KnightEix and Hyper for finding this

MarauderKnight3 commented 3 years ago

Something to think about when addressing this issue is that this sort of stuff is hard to prevent. You can stop unregistered players from dropping items as soon as a plugin is created for it, but that may not prevent the whole problem. People who patched their client can spawn items while they are in game. Afaik it's possible to make an item tracking plugin to discern counterfeit (e.g. the server remembering all items a player picked up and judging players who have something they never picked up), but it sounds like a nightmare to accomplish.

I believe controlling this is most likely going to be a project never to be completed.

bartico6 commented 3 years ago

@MarauderKnight3 It is indeed a nightmare and a bunch of plugins have made a reasonable attempt at doing it but they are either private (Phantasm by me, NoCheat edit by Commaster) or unfinished, abandoned or otherwise underdeveloped (original NoCheat by MarioE)

I would recommend picking up MarioE's anticheat as a base to understand one of the possible approaches and working from there. But yes, this most likely won't be fixed in tshock, it's a much wider issue that we can't afford to bandaid.

Walter-o commented 3 years ago

bruh look, imma keep it real.

SSC off = people can bring any modded / overpowered items without client modifications SSC on = people can bring any modded / overpowered items without client modifications

y'all be trippin if u think i am an anti-cheat developer with 0 tracked issues and ya hella high if u think i boast about being owner of just an (under construction) domain.

but you might be on some yeezy's if you think i'm abandoning this T ship.

No offense to the T-shock open-source developers tho, my respect

Quinci135 commented 3 years ago

Simple prevention can be done by setting LogonDiscardThreshold in ssconfig.json to a few seconds of time (this is in milliseconds) so then tshock will reject items thrown within this time after joining. Only for throwing, not some full-fledged anti-cheat.