I’m currently working on a script that is trying to eliminate problems with missing or changing identifiers by saving them in a database and every time a user joins it will run them through a whole lot of functions to see who that person really is.
I was thinking about implementing a “points” system, eg. every matching identifier is worth a certain amount of points. Here’s what I came up with so far:
Identifier
Points given
Reason
Name
1 Point
Uses Steam name. Or, iirc, the PC's name.
Steam
1 Point
You can always make a new account.
license
3 Points
If I recall correctly, this is connected to R*, so hopefully somewhat secure.
Xbl
2 Points
Possibly affected by using a local Windows account.
Live
2 Points
No points if it changes when 'Xbl' changes too, no reason in giving double the points for one change.
Discord
1 Point
You can always make a new account.
Fivem
1 Point
I believe you can easily log in with a new account.
License2
0 Points
Identical to 'License', just seen it pop up checking my own identifiers.
IP
1 Point
Most IP's are non-static. As an example, mine changes daily.
GUID
4 Points
It should be fairly secure, right? Or is it unreliable in this case?
GUID
0 Points
Is not persistent: Seems to change every time it's checked.
So am I correct with my assumptions of how persistent each identifier is? Is there maybe a better way to identify someone?
Also, I’ve played around with Tokens a bit. In the docs it says they’re specific to a server, but what exactly is meant by that? Do they change when using a different server license key or even if the server IP changes?
license2 is the token for that particular server one is connected to iirc, so giving it 0 points is low as such a token is very unique to only that player on that server. Very good for bans for example
I’ve joined two different servers (both hosted on the same machine, using different license keys though) and both of them reported that my license and license2 identifiers are identical, which is why I gave license2 0 points.
If someone would be able to change their license2 identifier, the license identifier would be likely to change too (unless it’s permanent somehow?), essentially making one small change twice as effective, which could introduce a whole load of problems.
I personally store steamid, license, xbl, discord and IP. When the player is banned, I make sure it bans all of those.
This way, they would have to:
make a new steam account
login to a new socialclub account that has gta 5
login to a new microsoft account
login with new discord account
change their ip address
Most players are actually unaware that FiveM grabs discord and even xbl.
So for someone to ban evade they would need the technical knowledge to know they need to change all the above, purchase new account and actually go to the effort to do all the above so it is fairly secure to be honest. Most people when they get banned will just go play another server lol
Using Steam, the License, Xbl, Discord and their IP is already pretty secure, I’ll give you that! You would have some real dedicated people if they buy a new copy of GTA V every time they get banned.
Even better is continuing to ban them when there’s a match of 1 or more identifiers but not all. Example, person buys new GTA account, creates new Steam account but forgets to switch out Windows account thus still have same live and xbl. You would then start the license and steam identifier with the same ban
That plus also adding fivem and license2 will make it a very big nuisance to evade a ban. One can also add a KVP value to the client right before banning for an extra nuisance.
That’s a really good idea! I thought of updating the old one whenever someone tries to change their identifier, but carrying the ban over to new accounts seems way more effective.
How exactly do you mean that?
For ease of use I’d probably just insert a new row into the database containing one identifier per field, as opposed to multiple identifiers per field in a json format. That way I can simply just select everything from the database with any match in certain fields.
Never heard of that native or used it so I quickly did some research and found an old update thread from March 2017.
If I’ve understood it correctly, it stores a value (string, float or integer depending on the native used) on the clients computer which can be accessed using GetResourceKvp... using the key the original value was stored with, meaning that in practice I could store a value on the clients PC (eg. an integer with ‘0’ being not banned and ‘1’ being banned) then request that every time they try to join. If that’s the case then I would probably generate ‘tokens’ of some kind and hash them before storing them as a string, because I’m paranoid like that…
Also I assume those values can deleted by the client clearing the cache?
Either way, that’s another layer of added security!
Almost a week later and I’ve got some results. None of the identifiers or even tokens seem truly 100% reliable, but using them all together including resource KVP values results in a pretty secure setup. Of course, another step would be to try and get some device UUID’s (eg. using the NVML API to get the GPU UUID) but I don’t know if this is possible and I’m definitely not about to learn a whole new language to find out.
Anyways, I’ve written something that will search the database, filter results and look for KVP values when joining. This is not finished yet and there are still some things to do to the logic for it to actually work properly, but this is the base of it:
Update: Didn’t think I’d finish it this quickly, but I’ve uploaded the working thing to Github.
It actually seems that license2 is the second rockstar account connected in social club. I have multiple rockstar accounts, and I recently logged into the second account, which is when the license2 changed.
