SMAC by-pass hack?


TheXeon
Junior Member
Join Date: May 2016
Location: GetClientAbsOrigin(Zeron
Old 09-28-2017 , 19:42   Re: SMAC by-pass hack?
Reply With Quote #21

Don't tell me ufw and iptables feel like working now ://////
__________________
~neogenesisnetwork.net~
TheXeon is offline
bobotov
Member
Join Date: Aug 2014
Old 09-28-2017 , 19:44   Re: SMAC by-pass hack?
Reply With Quote #22

Connected.
bobotov is offline
bobotov
Member
Join Date: Aug 2014
Old 09-28-2017 , 19:52   Re: SMAC by-pass hack?
Reply With Quote #23

We had a talk and he tested some stuff on me.

Looks like it ain't working. The only servers that have been able to successfully ban me were Team Cream servers.

That was long ago, though.

Edit: I tested on them again. They were able to ban me.

Last edited by bobotov; 09-28-2017 at 20:54.
bobotov is offline
bobotov
Member
Join Date: Aug 2014
Old 09-29-2017 , 01:10   Re: SMAC by-pass hack?
Reply With Quote #24

Ok so this also works on skial

When I trigger an SMAC ban on myself, the sourcebans page shows

STEAM_ID_STOP_IGNORING_RETVALS

STEAM_0:0:0

76561197960265728 <---- profile link, but it leads to nothing





Oh, and I can still join their other servers. I believe after a while I can join the one I was banned from.

Admins also try to manually ban me from the server via the Sourcebans page, but it doesn't do crap because I have no steamid in the server!

Last edited by bobotov; 09-29-2017 at 01:12.
bobotov is offline
TheXeon
Junior Member
Join Date: May 2016
Location: GetClientAbsOrigin(Zeron
Old 09-29-2017 , 01:31   Re: SMAC by-pass hack?
Reply With Quote #25

Made another "temp-fix". Invoked the glitch on myself and tried it. Below are some relevant lines that were the only thing that seemed to work.

Code:
if (!GetClientAuthId(client, AuthId_Steam2, auth, sizeof(auth)) || StrContains("STEAM_ID_STOP_IGNORING_RETVALS", auth, false) != -1) // Had to check for both
And attached is what I ended up with.

Code:
Spoiler
Attached Files
File Type: sp Get Plugin or Get Source (tempauthexploitfix.sp - 12 views - 1.5 KB)
__________________
~neogenesisnetwork.net~
TheXeon is offline
TheXeon
Junior Member
Join Date: May 2016
Location: GetClientAbsOrigin(Zeron
Old 09-29-2017 , 03:29   Re: SMAC by-pass hack?
Reply With Quote #26

The weird thing is, and I guess this is expected behavior, but Connect can get the SteamIDs just fine. I guess now we just need to figure out a way to force it on a client or something, iunno. An extension or native that would force IDs would fix a bunch of other problems too.
__________________
~neogenesisnetwork.net~
TheXeon is offline
arne1288
SourceMod Moderator
Join Date: Apr 2012
Old 09-29-2017 , 10:51   Re: SMAC by-pass hack?
Reply With Quote #27

If
Code:
GetClientAuthId(client, AuthId_Steam2, auth, sizeof(auth))
returns FALSE, then
Code:
IsClientAuthorized(client);
should return FALSE too according to my experiments in the past, though that was with CS:S.

If GetClientAuthId returns FALSE, and you're still using the contents of "auth", that is when you're getting "STEAM_ID_STOP_IGNORING_RETVALS", it should not be returning TRUE at the same time as providing "STEAM_ID_STOP_IGNORING_RETVALS".

Even the very old GetClientAuthString says the same as the newer GetClientAuthId:

Code:
Return:
True on success, false otherwise.
&&

Code:
Return Value

True on success, false otherwise.

Many years ago, I started out with some plugins here from AM, then I changed to my own plugins, and/or re-built them to suit my needs better.

Many of them were using like the above example I made in POST #5.

I ended up having a lot of issues, sometimes with empty or invalid Steam IDs, and when I finally saw the documentation, I found that the plugins weren't doing things according to the API (checking TRUE vs FALSE return value)

I then changed things from:

Code:
GetClientAuthString(client, SteamID, sizeof(SteamID));
PrintToChat(client, "Your Steam ID is: %s", SteamID);
to

Code:
new bool:bSteam32 = GetClientAuthString(client, SteamID, sizeof(SteamID));
if (bSteam32) {
  /* Do whatever I wanted to do with SteamID here */
  PrintToChat(client, "Your Steam ID is: %s", SteamID);
} else {
  LogError("Something failed here ... bla bla bla");
  PrintToChat(client, "Something went wrong when looking up your Steam ID, sorry.");
}
Since then, there were NEVER any problems retrieving the correct Steam ID any more on those third party plugins after they were re-built this way.

I don't intend to be rude, but for plugin creators, the thing is very simple - make sure to follow the documentation 100%. That worked for me when creating my plugins, as well as when fixing broken plugins created by others.

For the above "temp fix", I would rather suggest kicking people, like SMAC does, if the player hasn't validated within like 15, 30, 45 or 60 seconds - depending on what you prefer. 15 seconds should usually be enough, unless the Steam network is down.

OnClientPostAdminCheck will never be called, if Steam network is down (or STEAM_ID_PENDING / STEAM_ID_STOP_IGNORING_RETVALS), and therefore I usually suggest using that one for "on-connect" things when you need to know who they really are.
__________________
Mostly known as "DarkDeviL".

Dropbox FastDL: Public folder will no longer work after March 15, 2017!
For more info, see the [SRCDS Thread], or the [HLDS Thread]

Last edited by arne1288; 09-29-2017 at 10:53.
arne1288 is offline
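
An added example, not code from any poster in this thread: one way to combine the return-value check described in the post above with its kick-after-timeout suggestion. The 30-second grace period, the names Timer_CheckAuth and GetTrustedSteam2, and the kick message are assumptions; it kicks rather than bans, so a player caught by a Steam outage can simply reconnect.

```sourcepawn
#include <sourcemod>

// Assumed grace period; the post above suggests anything from 15 to 60 seconds.
#define AUTH_GRACE_SECONDS 30.0

public void OnClientConnected(int client)
{
    if (IsFakeClient(client))
        return; // bots never receive a Steam ID

    // Pass the userid, not the slot index: the slot can be reused
    // by a different player before the timer fires.
    CreateTimer(AUTH_GRACE_SECONDS, Timer_CheckAuth, GetClientUserId(client));
}

public Action Timer_CheckAuth(Handle timer, any userid)
{
    int client = GetClientOfUserId(userid);
    if (client == 0 || !IsClientConnected(client))
        return Plugin_Stop; // player already left

    char auth[64];
    if (!GetTrustedSteam2(client, auth, sizeof(auth)))
    {
        LogMessage("Kicking %L: no validated Steam ID after %.0f s", client, AUTH_GRACE_SECONDS);
        KickClient(client, "Your Steam ID could not be validated, please reconnect");
    }
    return Plugin_Stop;
}

// Returns true only when 'auth' holds a validated Steam2 ID.
// Any ban or admin lookup should go through a check like this and
// refuse to act on the buffer when it returns false.
bool GetTrustedSteam2(int client, char[] auth, int maxlen)
{
    if (!IsClientAuthorized(client))
        return false;

    // On failure the buffer contents are not an identity and must not be stored.
    if (!GetClientAuthId(client, AuthId_Steam2, auth, maxlen))
        return false;

    // Extra guard against the placeholder strings named in this thread.
    if (StrEqual(auth, "STEAM_ID_STOP_IGNORING_RETVALS") || StrEqual(auth, "STEAM_ID_PENDING"))
        return false;

    return true;
}
```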
bobotov
Member
Join Date: Aug 2014
Old 09-29-2017 , 13:42   Re: SMAC by-pass hack?
Reply With Quote #28

Quote:
Originally Posted by TheXeon View Post
Made another "temp-fix". Invoked the glitch on myself and tried it. Below are some relevant lines that were the only thing that seemed to work.

Code:
if (!GetClientAuthId(client, AuthId_Steam2, auth, sizeof(auth)) || StrContains("STEAM_ID_STOP_IGNORING_RETVALS", auth, false) != -1) // Had to check for both
And attached is what I ended up with.

Code:
Spoiler

Looks nice. Wanna test today?
bobotov is offline
TheXeon
Junior Member
Join Date: May 2016
Location: GetClientAbsOrigin(Zeron
Old 09-29-2017 , 13:46   Re: SMAC by-pass hack?
Reply With Quote #29

Makes sense. Just did a bit of checking with below:

Spoiler

and it seemed to reach 3 consecutively. Do you know if downed Steam servers might trip up GetClientAuthId? If it does, then would kicking also false-positive?
__________________
~neogenesisnetwork.net~
TheXeon is offline
TheXeon
Junior Member
Join Date: May 2016
Location: GetClientAbsOrigin(Zeron
Old 09-29-2017 , 13:48   Re: SMAC by-pass hack?
Reply With Quote #30

Go for it. It's been live and worked for me all last night. I just am really unsure about false-positives if Steam servers are down.
__________________
~neogenesisnetwork.net~
TheXeon is offline