PacketRegistry.INSTANCE::sendToServer();

Question

PacketRegistry.INSTANCE::sendToServer();

shinyafro opened this issue 5 years ago · 5 comments

shinyafro commented 5 years ago

Minecraft version & Mod Version:
1.12.2

Single player or Server:
server

Describe problem (what you were doing / what happened):
exploit

Crash log (if any):
n/a

(If this is a suggestion and not a bug report, delete all this and just write your suggestion!)
While reverse engineering a hack i found they are calling the following line of code to spawn in items.
PacketRegistry.INSTANCE.sendToServer(new InsertMessage(1, 0, itemStack));
it appears for whatever reason to not check if the client has permission to recieve the items, creating a backdoor to allow clients to hack servers and get any item they want, even such debug items that may cause massive stability issues and griefing.

shinyafro · Answer 1 · 2020-03-13T06:02:57.000Z

Right, probably should have provided more detail. Basically someone recompiled JEI with some hacks in it and distributed it publicly on their youtube. I basically decompiled the cracked JEI and found some methods into how they are doing it, Though this one's the main one they use to give items (They replace jei to when you click on an item, it calls this method rather then failing to do anything.)

    private static void giveStackStorageNetwork(ItemStack itemStack) {
        PacketRegistry.INSTANCE.sendToServer(new InsertMessage(1, 0, itemStack));
    }

which is called from here

            } else {
                amount = GiveMode.INVENTORY.getStackSize(itemStack, mouseButton);
                sendStack = ItemHandlerHelper.copyStackWithSize(itemStack, amount);
                Container container = player.field_71070_bA;
                if (Loader.isModLoaded("storagenetwork") && container instanceof IStorageContainer) {
                    giveStackStorageNetwork(sendStack);
                    player.func_145747_a(new TextComponentString(TextFormatting.GREEN + " Sent: " + sendStack.func_77973_b().func_77653_i(sendStack) + "\n" + TextFormatting.GREEN + " Amount: " + amount));
                    return;
                }

                giveStackVanilla(itemStack, amount);
            }

Which is the new bit of code added to their click handler, where iirc it checks if they can give themselves the item, if not they just use the cracked method.

Lothrazar · Answer 2 · 2020-03-13T03:52:24.000Z

What is "they" ?

Update: OK after re-reading this, so someone made a client-side-only mod that calls this?

Lothrazar · Answer 3 · 2020-03-13T03:57:39.000Z

Which mod version are you using? InsertMessage does not take itemstack as an argument, It just takes the button Id and then the server grabs the itemstack from the players hand

https://github.com/Lothrazar/Storage-Network/blob/develop/src/main/java/mrriegel/storagenetwork/network/InsertMessage.java#L25

Lothrazar · Answer 4 · 2020-06-27T17:36:08.000Z

Ok well theres nothing i can do about that. Just tell people not to use hacked mods lol

TheBlocky · Answer 5 · 2020-06-02T17:13:55.000Z

Can I know the full code to this modified version, I don't see where this is in the code, trying to recreate this.

Share to