Client Side AntiCheat
Ever since I installed antixray on the server, my players have been getting more and more creative with how to xray, some using hacked clients such as wurst or fabric mods to freecam their way into caves and locate ores. Is there any chance that I can prevent player side hacks/freecams?
I could possibly get them to install a client side mod pack if that's the last resort, just needed ideas.
Fabric 1.21 (with mods)
Lmao straight up no.
Client side anticheat will just get spoofed.
Why serverside anticheat works is because players have little data to reverse engineer from if you do it right.
You can hide from a client side AC, you can only delay server side.
Now one thing you can do is identify cheaters and allow them to cheat on their own private instance. Put all of the cheaters together, let 'em.
I have some dum players xd
I'm providing them with a list of mods to download in order to be compatible with the server mods
There are 60+ jar files in the pack (including optimizations)
It's definitely possible for me to just disguise this as a library mod and include it in the pack
Well client side is already my last resort, I don't think there are good anticheat engines on the server side (especially fabric) that's able to catch out freecam uses
The few cheaters and freecam-ers are making things worse for the ones who just wanted to have fun
Does something like this look viable?
All anticheat can be spoofed.
Tbh I'd just start handing out bans.
Well it's a server between friends, I do know who the cheaters are, but it would make things ugly for everyone if I just outright ban someone
Sounds pretty simple a solution to me.
"Stop cheating, I know you're cheating and here's some proof, keep doing it and I'm going to ban you because nobody else is having fun"
If they feel like cheating then they've won a Darwin Award, so to speak.
I've already thrown the following announcement into the discord we have:
I've always been trying to avoid banning people for toeing the line, however, if this introduces the idea of "oh yeah I can cheat, he won't ban me", then I'm afraid actions will have to be taken. Please just refrain from using unauthorized client QoL (or hacks) mods so I don't need to make it ugly for everyone.
However the server side does not have anticheats... so they could just be quiet about what they are doing and get away with it
They're already pushing you. Now it's time to just hand out a week ban or something.
I have no way of knowing what happens next
If they wanna cheat in the most nondisruptive way possible, something like permalight, then sure whatever.
But they're already pushing, it's time to hit back.
Think I'm already nice enough to allow invasive minimaps, full bright, and whatever other qol mods they may have
Well, sounds like they're already getting the carrot and still demanding more.
Time for 'ol stick to show up.
Sure is...
You don't think I should try out inertia?
Try it if you want, but bare minimum I'd hand out a 3 day ban and a public example.
Thanks for the heads up, will try out inertia first and see how that goes, if they are complaining then I should hang the rabbit
As they say...
Yup :alot:
At least I'm confident that none of them are smart enough to go decompile a jar file
Here's hoping.
Just script kiddies using publicly available hacks like wurst or meteor
This checks.
Still wanted to keep the nice face for friends, would've been bans for a public server.. however if they just keep wanting more then I guess that leaves me no choice
Be kind about it, but let there be no mistakes, ruining the fun for the rest of the group gets you punished.
Thanks for your time, will update how inertia goes after implementation
No, not easily at least
You'd be amazed, so very amazed.
alright, blacklisted all the freecam mods that clips through walls, some unfair minimaps, wurst, meteor, and liquidbounce for now
at least 1.21 is a fairly new version, not a lot of mods/hacks exist for it
"You'd be amazed, so very amazed."

modrinth does not fucking allow hack clients
i know i know, im just trolling you
creating a mod whitelist/blacklist ruins the experience for the genuine players, and only adds 2 extra minutes to get a spoof mod (or modifying the fabric.json) for the actual hackers. It's not something you should ever do.
im just trying, its a blacklist, not whitelist
Yes, and I'm saying it's extremely comical how easy it is to bypass the blacklist
So now if u have players who want to use mods in a proper way, (like free cam, or a minimap) without using it to xray, now they can't.
Modrinth's version of free cam prevents the player from clipping thru the wall unless they are OP
There are mods/plugins u can install server-side that lets u control minimap settings, (so genuine players don't accidentally do something they shouldn't)
nop i didnt blacklist all the freecam mods
theres one that I even provided the download link to my players that does not clip through walls
same goes for minimap
im not yet dumb enough to ruin the fun for genuine builders trying to use freecam to inspect builds
"adds 5 extra minutes to get a spoof mod for the actual hackers"
no

do you think someone who has never coded before can bypass this
yes it is extremely easy
but you need knowledge of fabric / other stuff beforehand
ur right, forgot google doesnt exist
please find me a mod that does what you described
find something someone already made to bypass this please
(hint: it doesn't exist)
i googled "minecraft fabric spoofer" first reddit post had a post saying theres an addon for the meteor client where u can spoof stuff. you can use meteor with fabric mods
then googling "minecraft meteor client" there is a website with a detailed docs on how to set it up.
weird only took me less than a minute to google. ur right. not 5 minutes
That won't work

this is all meteor gives you
you can't bypass it with that
that mod doesn't use the client brand. meteor only gives you the option to spoof your brand and block plugin channels
to bypass this you'd need to send a custom payload during the handshake, with a hash of your mods
or just this lmao. 2nd reddit post. 2 minutes.

I've asked the developer of InertiaAnticheat to implement getting the hash of the mods actually, not the hash of the fabric.mod.json
not sure if he did
but if he did that also won't work
doubt it

yeah okay I guess
but again, the mod still does its job
combat script kiddies
ill update my message from 5 minutes to 2 minutes. thanks for correcting me
the mod does its job
2 minutes of googling, 2 hours of debugging
2 hours of debugging x d
i read the top comment not the bottom one
still ¯\_(ツ)_/¯
doesn't matter if they're your friends. tell them they can stay in the server if they get banned but any further cheating will result in their stuff getting wiped, so even if you tempban they have a reason to stop
I'll consider
I just checked and he did implement it
so your "method" won't work
it gets the hash of the actual file, not the fabric.mod.json
IAC can take upwards of 4 mins to negotiate a player logging in
yeah then that means he did implement it lol
wtf is it trying to check
getting the hash of every mod
which is resource intensive
md5 isnt that slow??
cool, we can just keep googling and finding another method, 2 minutes? 5 minutes? who cares. its still super easily bypassable
go on
nah u can do ur own research
this time it's not that easy lmao
you need to send the packets yourself
congrats now ur wasting everyones time for ur anticheat thats easily bypassable
might be easier if i just clarify that my players do not know i implemented this
it's not something a mod that already exists can do
you'd need to write your own
i promise it is lmao
no it isn't
i also promise
feel free to prove me wrong tho!
you do u my g
it registers its own packets
and sends the hashes in chunks
also does a sanity check before you even join
not sure how an existing mod can do that
true, clients cant make/customize packets
you need to write your own
or a mod can!
there isn't a mod that lets you tamper with packets on the fly
if this is the hill u wanna die on
go for it man
u got it bro keep going
feel free to prove me wrong
bro guys relax
nah he's really good at doing personal attacks
the best you can get is a packet logger, which I even have installed rn

idk still searching
haven't found one that lets you register custom packets with custom data types and shit
very helpful!

ah, so sad such mod doesn't exist
would be funny if I had told you this before
omg bypassed!!! packet manipulatorrr $$$

think i can use this for 2 days or so, then silently remove it from the server side to speed up negotiation times
then everyone will be happy, faster connection (placebo) and no cheats
i love spreading misinformation!!!

reddit is so helpful!
2 minutes of googling, right?
2 minutes of googling!?!....

idk it feels to me such thing doesn't exist
because you're not meant to do that and make your own mods
ah, so sad it doesn't magically let you send packets with custom data types, choose when to send it, and all that stuff...
this mod is actually ❤️ btw, i love it

it's the most useful thing ever to debug all sorts of issues
i also just checked, changing the mod id, does change the hash. so the original 2 minute method works!
Also using a different version of a mod also works! same mod, but different version (even minor version), has a different hash. so blacklisting is kinda pointless
How IAC compares checksums of mods, which the author has built a website to generate checksums of the file. when a client joins the server, it has to generate the checksums of all the mods on the client, and compare that with the servers (to see if any of them are blacklisted)
different version should work, but you can always use a whitelist
OP said specifically they are using a blacklist
a blacklist will never work for something like this
weird... almost like ive been saying this
feel free to do ur research urself next time instead of spreading misinformation
Heres the webapp where u generate the checksums
and the code of IAC is open sourced
InertiaAntiCheat Helper
the client calculating the checksums doesn't use the mod-id
i'm pretty sure
its based on the jar itself
Changing any contents of the change will change the checksum
including the mod-id
so, a whitelist will fix this
i'm not sure why you'd use a blacklist either way
yeah, but then u have my original problem
it ruins the experience of the genuine/honest players
you can add soft whitelisted "optional" mods
they can contact the admins to get their mods added
what happens if they want their own mod, (ie. a mod to change the textures of clouds) or have a different version of mod.
now ur making all this extra effort to have this annoying push/pull back and forth between players and admins just to get new mods added
this is the only way if they want to achieve this
and it wont be perfect, and still bypassable
looks like IAC is only checking once on join. if you figure out what payload ur sending to the server on join (when u have the correct mods) you can just easily get a mod that will replace the clientside IAC to mirror the same payload
Yes now this will take more than 5 minutes. You are very right on this. and its not simple for a pleb. But it is simple enough that a pleb could ask on a reddit/discord and get a solution, (which would just be a fork of IAC that has the hardcoded payload that'll take minutes for someone like me or you to do if needed)
nothing is unbypassable or foolproof
"looks like IAC is only checking once on join"
yeah i mean this isn't foolproof either way
im saying its just not worth it
you can inject too, or use a remote debugging client
you can just add a jvm argument to inject a cheat with JDWP lmao
ur hurting the honest players to be a little "annoying" for the few hackers
is there any other solution though?
there aren't any anticheating software for fabric
not for fabric no. best method is to vet your players, and to be proactive and punish those that do cheat.
seems like this specific case since its not a large public server, but merely a small server for friends... thats its a problem with trust between friends lying and cheating
to stop you two from nuking each other ive removed iac (for now), until further issues arise
the issue is the lack of cheating prevention on fabric
but with fabric you have an advantage: you have access to the players' clients
why not use that
i what?
the downsides do exist but there's no alternative
you can make them use mods
so get a mod that prevents them from joining (process all client side) if they have an illegal mod precompiled in the jar file?
which can do anything your heart desires
I mean
you can do that yes
is there a public mod that does that? no
so what is your idea then?
so ill learn fabric modding
to me /ban is easier :minecraftTroll:
we actually came to a peaceful end
you can use inertia if you want
plot twist, i am jenkins
watch he will finish my
I don't know if a 4 min negotiation time is normal
Probably not
How many mods do you have?
you could try enabling the debug option to see where it gets stuck at
Server side about 20 or so
on the client
Clients may have upwards of 90
oh uh
i'm not sure how efficient md5 hashing in java is
if the mods are big that'll take a while
Should I try sha256 then?
that'd be worse
yeah, IAC will have to generate the checksums for each of the mods, then send it to the server, so more mods = longer login time
sha1 should have comparable performance to md5
this is just what it does

no response = disconnected
Probably doesn't help if the players are using a potato does it
gonna look at the code real quick to see if they're sending the jars to the webapp, or if they're generating the checksums locally
I mean
I could try to port the mod to a faster algorithm/library
the default java cryptography modules are kinda slow (or at least the algorithms used in the mod are)
I'll be waiting :minecraftTroll:
md5 is just bad/slow overall though
looks like ur able to just use modnames, might be better to skip that whole process
less effective? definitely. but ur already at a 0
Yeah I don't think my players will bother to rename mods
we already went over, renaming mods changes the checksums
Would probably take them ages
so ur not getting any benefit from a blacklist using checksums vs modnames. legit none.
So ig modify IAC to check names instead of generating checksums?
there should be a config option
or maybe not
At least I didn't see one
its called "friendlyblacklist"

my guess is since blacklist is pointless for checksums, this is why this exists
Does it check for precise names?
So if I have something like:
wurst client 1.21
In the blacklist, but the player is using
wurst-client 1.21
It won't work?
you'll need to get the mod id of the mod, its very precise
yes it wont work
Well that's kinda dumb
I'll have to get the version right
which is why i've been saying this whole time, its pointless to use this
and u said it urself /ban is much easier
I guess...
At least they unknowingly preserved the client side IAC
So in case it's needed in the future, I'll just need another on the server side
Why doesn't there exist more up to date ACs for fabric
also for xraying, this mod doesnt do anything, (if they're using an xray texture pack)
I have a standalone anti X-ray mod on the server
if they have the world seed, anti xray is pointless
I don't believe they do
Unless they are able to get it by some means
I don't disclaim seed, nor do they have /seed
GitHub - 19MisterX98/SeedcrackerX
in season 9 of hermitcraft, they intentionally didnt tell any of the hermits the seed for the server, however some viewers were easily able to crack the seed based off of a single clip from one of their vids by looking at a small section of bedrock formation
Well now that's not funny anymore
You think world gen mods might help?
We have terralith, better end and better nether
yeah, those can definitely make it harder, just not impossible
(significantly harder)
especially if ur not using the defaults
I guess im good with that
Nothing is impossible, it just needs to be hard enough for my players
Oh well, have it their way I guess, I do have access to server side vanish to occasionally check on players hacking too obviously
I'm done dealing with this crap, cheaters can do whatever they want, until they start to bother regular players
Just gonna hop back in here and say the actual solution is to hand out a short ban and set an example that cheating in the friend group is a quick way to find out.
Understood. Thanks for everyone's time