
Money Hack


TiTawN


Hi Guys, I'm a scripter and I saw something creepy in my server!
There was a use that had more than 99,999,999 Money in his server's bank account!
Even I can't have more than 99,999,999 in my server!
How did he do that? Does anyone have any idea?
My guess is that he's using a panel or something like that.
But I'll be thankful if anyone could help me!

A part of my code:

function buy( root )
    if getPlayerMoney(root) >= 100000000 then
        -- My Code
    end
end 

How does this condition become true: if getPlayerMoney(root) >= 100000000 then?

11 minutes ago, TiTawN said:

Hi Guys, I'm a scripter and I saw something creepy in my server!
There was a use that had more than 99,999,999 Money in his server's bank account!
Even I can't have more than 99,999,999 in my server!
How did he do that? Does anyone have any idea?
My guess is that he's using a panel or something like that.
But I'll be thankful if anyone could help me!

A part of my code:

function buy( root )
    if getPlayerMoney(root) >= 100000000 then
        -- My Code
    end
end 

How does this condition become true: if getPlayerMoney(root) >= 100000000 then?

There was a user that ...

  • Like 2
Link to comment

Not enough information, really. By "server's bank account", do you mean some money system separate from the money that's shown in the HUD? I assume you might be using element data to store money, and since setElementData allows the client to modify the element data as seen by the server, cheaters can fabricate it and set it to whatever they want. If that is the problem you're having, you have to detect when the element data gets modified by a client using onElementDataChange and reset it to the old value. It would look something like this:

function undoMoneyChangeByClient(theKey, oldValue, newValue)
    -- if the variable 'client' is set, that means the element data change was done by a player
    if client and theKey == "money" then
        setElementData(source, theKey, oldValue)
    end
end
addEventHandler("onElementDataChange", root, undoMoneyChangeByClient)

It's the same kind of thing as the "Validating client setElementData" section in the page that @The_GTA posted a link to.

  • Like 1
Link to comment
14 hours ago, TiTawN said:

Hi Guys, I'm a scripter and I saw something creepy in my server!
There was a use that had more than 99,999,999 Money in his server's bank account!
Even I can't have more than 99,999,999 in my server!
How did he do that? Does anyone have any idea?
My guess is that he's using a panel or something like that.
But I'll be thankful if anyone could help me!

A part of my code:

function buy( root )
    if getPlayerMoney(root) >= 100000000 then
        -- My Code
    end
end 

How does this condition become true: if getPlayerMoney(root) >= 100000000 then?

There was a user that ...

<< Tip >>

Note that: I mean the server bank account means the same money in the pocket

  • Like 2
Link to comment
3 hours ago, TiTawN said:

I think it does this from the in-game panel or the miscellaneous panel

Because it does not use the command

Can I see his page during the operation?

And then it calls triggerServerEvent to pass the player's actions to the server? Perhaps passing the amount of money to be given/taken as well (I've seen people put things like that in their scripts)? If so, that's just another thing the cheaters can falsify. When the client triggers an event on the server, the only data you can trust is the client variable.

  • Like 1
Link to comment
1 hour ago, Reyomin said:

And then it calls triggerServerEvent to pass the player's actions to the server? Perhaps passing the amount of money to be given/taken as well (I've seen people put things like that in their scripts)? If so, that's just another thing the cheaters can falsify. When the client triggers an event on the server, the only data you can trust is the client variable.

Well, I also trust the client variable and use getPlayerMoney to get paid, but when a player's money does not exceed 99,999,999
 

if getPlayerMoney(root) >= 100000000 then
   -- My Code
end


Why is this code true?

 

  • Like 1
Link to comment
24 minutes ago, Reyomin said:

What do you mean? The reason it evaluates to true is because, well, the player has at least that much money. But this code doesn't tell how the player got that money in the first place. Money is a server side thing, so it must have happened because of a setPlayerMoney or givePlayerMoney call in a server side script.

How did he raise his money to 99,999,999 with givePlayerMoney or setPlayerMoney? Did he do this with spam?

  • Like 1
Link to comment

How would I know? You didn't show any of the code that changes the amount of money the player has. All I can guess is that the client triggers some event from the GUI code using triggerServerEvent and passes some value that the server then uses in givePlayerMoney or setPlayerMoney. At least that's what I've seen other scripters do. If this is the case, then cheaters who trigger fake events with their cheating tools can pass whatever value they want to get the server to give them an arbitrary amount of money. But without seeing what's in your code, I can't know what's really going on.

Link to comment
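The pattern described in the post above, as an added example that is not code from this thread: a server handler that trusts a client-supplied player and amount, next to one that takes the player from the client variable and the price from a server-side table. The event names, the SHOP_ITEMS table and the item ids are hypothetical.

```lua
-- Added example (server-side script). Event names, SHOP_ITEMS and the item
-- ids are hypothetical; they are not taken from the poster's resource.

-- VULNERABLE: player and amount both come from the client, so a forged
-- event can carry any value the sender likes.
addEvent("shop:rewardUnsafe", true)
addEventHandler("shop:rewardUnsafe", root, function(player, amount)
    givePlayerMoney(player, amount)
end)

-- HARDENED: the client only names an item; the price and the player's
-- identity are decided on the server.
local SHOP_ITEMS = { infernus = 250000, sultan = 80000 } -- constructed sample prices

addEvent("shop:buy", true)
addEventHandler("shop:buy", resourceRoot, function(itemId)
    -- 'client' is set by the server to the player who actually sent the event.
    if not client or source ~= resourceRoot then return end
    if type(itemId) ~= "string" then return end

    local price = SHOP_ITEMS[itemId]
    if not price then
        outputServerLog(("[shop] %s sent unknown item %s"):format(getPlayerName(client), itemId))
        return
    end
    if getPlayerMoney(client) < price then return end

    takePlayerMoney(client, price)
    outputServerLog(("[shop] %s bought %s for $%d"):format(getPlayerName(client), itemId, price))
end)
```

The same rule applies to any event that ends in givePlayerMoney or setPlayerMoney: the amount is looked up or computed on the server, never read from the event arguments.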
2 minutes ago, Reyomin said:

How would I know? You didn't show any of the code that changes the amount of money the player has. All I can guess is that the client triggers some event from the GUI code using triggerServerEvent and passes some value that the server then uses in givePlayerMoney or setPlayerMoney. At least that's what I've seen other scripters do. If this is the case, then cheaters who trigger fake events with their cheating tools can pass whatever value they want to get the server to give them an arbitrary amount of money. But without seeing what's in your code, I can't know what's really going on.

They could even overwrite the "getPlayerMoney" clientside function. I have no idea because that guy does not show any code. This conversation is really frustrating to us and funny to the detached observer...

Edited by The_GTA
  • Like 1
Link to comment
20 minutes ago, The_GTA said:

They could even overwrite the "getPlayerMoney" clientside function. I have no idea because that guy does not show any code. This conversation is really frustrating to us and funny to the detached observer...

I agree. I was expecting it to be easy even without the code because there are few ways for cheaters to falsify the variable values. Turns out I thought wrong.

Link to comment
  • Moderators
15 hours ago, TiTawN said:

How did he pass 99,999,999$?!

How did you verify that he actually passed that amount? Modifying screenshots or ingame textures is very easy to do. Make sure you verify it based on serverside data.

You said you checked his bank account? What do you consider to be somebody's bank account? getPlayerMoney / getAccountData / other database?
getAccountData / other database are not restricted to 99,999,999.

Also I am not sure if setPlayerMoney is restricted to 99,999,999, it is surely displayed as a negative value, but I am not sure how MTA handles that behind the scenes (only way of knowing is to test or check the source code).

Link to comment
Forget bank account. He has more than 99,999,999 in his pocket! 
Watch this code :
if getPlayerMoney(root) >= 100000000 then
   outputDebugString("Player :"..getPlayerName(root).." bought the vehicle with $100,000,000")
end

You can see that outputDebugString ran and the result can be seen in the MTA San Andreas 1.5\server\mods\deathmatch\logs\server.log

Link to comment
  • Moderators
34 minutes ago, TiTawN said:
if getPlayerMoney(root) >= 100000000 then

Using the root prefixed variable in your code is a bit tricky. Better not to use it.

But nevertheless. Since it is serverside code, it looks like the resources you are using either have an exploitable bug (likely), backdoor (likely) or are missing some security. Don't you keep more money logs?

 

function onPreFunction( sourceResource, functionName, isAllowedByACL, luaFilename, luaLineNumber, ... )
    local args = { ... }
    local resname = sourceResource and getResourceName(sourceResource)
    outputDebugString( "preFunction"
        .. " " .. tostring(resname)
        .. " " .. tostring(functionName)
        .. " allowed:" .. tostring(isAllowedByACL)
        .. " file:" .. tostring(luaFilename)
        .. "(" .. tostring(luaLineNumber) .. ")"
        .. " numArgs:" .. tostring(#args)
        .. " args:" .. inspect(args)
        )
end
addDebugHook( "preFunction", onPreFunction, {"setPlayerMoney", "givePlayerMoney"} )

https://wiki.multitheftauto.com/wiki/AddDebugHook

(recommended to write the logs to a different file)

Link to comment
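A variant of the hook above that follows the recommendation to write to a separate file, as an added example that is not code from this thread. It also marks any call that would leave the balance above the 99,999,999 limit discussed here. LOG_PATH, MONEY_CAP and the line format are assumptions.

```lua
-- Added example (server-side script). LOG_PATH, MONEY_CAP and the line format
-- are assumptions, not part of the thread or of MTA itself.
local LOG_PATH  = "money_audit.log"  -- hypothetical file in this resource's folder
local MONEY_CAP = 99999999           -- the limit discussed in this thread

local function appendLine(line)
    local f = fileExists(LOG_PATH) and fileOpen(LOG_PATH) or fileCreate(LOG_PATH)
    if not f then return end
    fileSetPos(f, fileGetSize(f))    -- append instead of overwriting old entries
    fileWrite(f, line .. "\n")
    fileClose(f)
end

local function onMoneyCall(sourceResource, functionName, isAllowedByACL, luaFilename, luaLineNumber, player, amount)
    local isPlayer = isElement(player) and getElementType(player) == "player"
    local before = isPlayer and getPlayerMoney(player) or 0
    amount = tonumber(amount) or 0
    -- setPlayerMoney replaces the balance, givePlayerMoney adds to it
    local after = (functionName == "setPlayerMoney") and amount or (before + amount)
    local t = getRealTime()
    appendLine(("%04d-%02d-%02d %02d:%02d:%02d %s res=%s %s:%s player=%s before=%d amount=%d after=%d%s"):format(
        t.year + 1900, t.month + 1, t.monthday, t.hour, t.minute, t.second,
        functionName, sourceResource and getResourceName(sourceResource) or "?",
        tostring(luaFilename), tostring(luaLineNumber),
        isPlayer and getPlayerName(player) or tostring(player),
        before, amount, after,
        after > MONEY_CAP and " OVER_CAP" or ""))
end
addDebugHook("preFunction", onMoneyCall, { "setPlayerMoney", "givePlayerMoney" })
```

Searching the file for OVER_CAP gives the resource, script file and line number of each call that pushed a balance past the limit.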

Thanks a lot for the help with your codes for log, I hope the problem I have will be found ❤️

Is it possible to have a log of the keys (keyboard keys)? (For example: any keyboard key that a player uses in game is saved in the log)

And also can you tell me more about hookType?

Link to comment
  • Moderators
1 hour ago, TiTawN said:

Is it possible to have a log for the keys (keyboard keys) to show

yea, that is possible.

https://wiki.multitheftauto.com/wiki/OnClientKey

Useful for detecting command exploits:

https://wiki.multitheftauto.com/wiki/GetBoundKeys

https://wiki.multitheftauto.com/wiki/GetKeyBoundToCommand

But keep in mind to respect privacy and how it will impact the user's network.

 

 

1 hour ago, TiTawN said:

And also can you tell me more about hookType?

  • preEvent
  • postEvent
  • preFunction
  • postFunction

Timing:
pre = before it happens
post = after it happens

Type of capture:
event = hooks in to the event system
function = hooks on to the MTA function calls (afaik it only supports MTA functions, at least that is what I make out from the wiki)

And you might also want to remove this hook when you figure out the issue, since it is bad for performance. Instead use exports to a single resource and log there.

 

 

Link to comment
15 minutes ago, IIYAMA said:

onClientKey is on the client. How do I save it on the server?

18 minutes ago, IIYAMA said:

And you might also want to remove this hook when you figure out the issue, since it is bad for performance. Instead use exports to a single resource and log there.

addDebugHook weakens the server? I mean, should I disable it after the problem is found?

Link to comment
  • Moderators
12 minutes ago, TiTawN said:

onClientKey is on the client. How do I save it on the server?

You will have to communicate that with the server. There is no server variant.

 

 

13 minutes ago, TiTawN said:

addDebugHook weakens the server? I mean, should I disable it after the problem is found?

It uses more resources than normal as mentioned on the wiki. But not how much is too much.

Money given / set functions are probably not used every 1 second, so it should be a big problem to keep it on. (except when your server needs all resource to keep running)

Link to comment