[Release][DEV] Server Event Security Tokens - Anticheat

SaltyGrandpa · 2018-08-02T15:13:56.285Z

manups4e:

A few questions… hope you can answer them
if a server script triggers another server event… must the token be passed there via server?

and What if a Client Event is triggered?

in an environment like ESX if i trigger a server event that is in another script… what should happen?

how do i do for those script with server only lua files?

As long as the events aren’t a registered net event, and they’re only being triggered server side, there is no need to add tokens to them.

If you need to trigger a server event in another resource, the easiest way would be to trigger a server event that is in your current resource, that in turn triggers the appropriate server event from the server side.

SaltyGrandpa · 2018-08-02T15:17:58.829Z

Update 8/2/2018

Obfuscated resource names are now passed to the client using a unique ID to further mitigate the ability to listen for keys. Now, even if someone were to script a utility to listen for an event to get the obfuscated resource name and create listeners based on that, they would have no way to correlate a token with a resource.
Added the ability to toggle verbosity for client and server consoles. NOTE: Client Verbosity should be DISABLED in production as it exposes the security token. This is good for debugging.
Added check when a token was generated to ensure it is unique. The likelihood of having a token collision with a random string of 24 characters is extremely low, but now it properly handles it.
Added the ability to adjust the delay between when the client deploys the obfuscated listeners to when the server sends the tokens. 250ms seems like a sweetspot, but this can be adjusted accordingly.

Sid · 2018-08-13T15:05:31.055Z

Hello, I’m pretty new in this whole fivem server moding thing ^^ Simple question, if I paste files to my resorces add it to config it will work, or I have to add things that you wrote to server code?

Sorry for bad English.

SaltyGrandpa · 2018-08-15T16:39:54.585Z

You will need to modify the server code. Both the client script and server script get an event listener (as shown in the OP), and then you add an if statement to the server events.

I’ll eventually make more thorough documentation.

Drage1 · 2018-08-16T11:47:52.988Z

Could you explain me, how to install this into my resources?

Drage1 · 2018-08-16T11:52:37.231Z

So, i have to edit every resource on my server and copy paste “Usage” into client/server?

SaltyGrandpa · 2018-08-16T12:13:11.206Z

Drage1:

So, i have to edit every resource on my server and copy paste “Usage” into client/server?

Yes, that’s correct. I’ll make a more in depth how-to when time allows. It’s pretty simple. Turn on verbose for client and server so you can see what it’s doing (turn off when in production).

I also have some improvements coming to the script.

Drage1 · 2018-08-16T12:21:35.069Z

Thank you a lot. I have a some question:

Have i add to client side this line: TriggerServerEvent(‘anticheat-testing:testEvent’, securityToken)? or that is optional?
Have i add to server side this lines:

RegisterNetEvent(‘anticheat-testing:testEvent’)
AddEventHandler(‘anticheat-testing:testEvent’, function(token)
local _source = source
if not exports[‘salty_tokenizer’]:secureServerEvent(GetCurrentResourceName(), _source, token) then
return false
end
print(“Authenticated”)
end)
?

(GetCurrentResourceName() about this, should i put resource name like: (GetCurrentResourceName(esx_policejob) ? or just leave that as is?

SaltyGrandpa · 2018-08-16T12:47:00.658Z

That’s an example of it being implemented into a resource. You will go through and modify the existing TriggerServerEvent functions and add securityToken to them to be passed to the server.
This is, again, an example. You will go through your existing server events and add token to be received from the client.
Leave that as is. It is a native function that will get the resource name automagically.

Drage1 · 2018-08-16T12:54:39.651Z

Thank you again. That’s a great recource!

SaltyGrandpa · 2018-08-16T19:20:15.690Z

Update 8/16/2018

Added support for restarting resources protected by security tokens. If a resource is restarted, it will no longer be protected but will not kick players. Previously, any restarted resources would kick players since the security token would be invalid (nil).
Refactored the code a bit to be neater.

Note: This is a seamless update. No changes will be needed to your resource(s) protected with this resource.

Battle_Boy · 2018-08-16T19:25:30.992Z

does it work for vRP?

SaltyGrandpa · 2018-08-16T19:26:16.886Z

Battle_Boy:

does it work for vRP?

It’s independent of any framework. It will work on any resource you implement it with.

Battle_Boy · 2018-08-16T19:26:53.174Z

SaltyGrandpa:

It’s independent of any framework. It will work on any resource you implement it with.

Can you give me support on how to install it? Discord: Boy # 9382

SaltyGrandpa · 2018-08-16T19:30:16.995Z

The OP has details on how to implement it, it’s pretty simple. When time allows, I will make a more thorough guide.

Battle_Boy · 2018-08-16T19:38:53.639Z

How does this script help against AntiCheat?

SaltyGrandpa · 2018-08-16T19:43:24.011Z

It adds security tokens to server events that are untraceable. So even if someone decrypts your resource, the security token is not revealed. This prevents unauthorized triggering of server events and detects cheaters that attempt to trigger protected server events.

As an example, one of my resources is salty_jobmanager, which handles players switching jobs, etc. I don’t want hackers to be able to switch jobs without going through the proper steps in game. This means that I protect the server event that handles job switching. When I start up my server (with Verbose enabled in the salty_tokenizer config), you can see the events be generated:

> > > S A L T Y _ T O K E N I Z E R  < < <
Generated token for resource salty_jobmanager: Fj9QEMwBMuVJb3RcCjKUCFvR

Connecting: Salty Grandpa
Obfuscated Event for Player ID 1: Original - salty_jobmanager Obfuscated - 4u2Sg5MjUaTCZ95XQvZYnr7H
Player ID 1 loaded.
Sending token for salty_jobmanager (Event: 4u2Sg5MjUaTCZ95XQvZYnr7H Token: Fj9QEMwBMuVJb3RcCjKUCFvR) to Player ID 1.

A breakdown of what’s going on:
Generated token for resource salty_jobmanager: Fj9QEMwBMuVJb3RcCjKUCFvR - Anytime a protected event in salty_jobmanager is triggered, the Fj9QEMwBMuVJb3RcCjKUCFvR security token must be provided.

Obfuscated Event for Player ID 1: Original - salty_jobmanager Obfuscated - 4u2Sg5MjUaTCZ95XQvZYnr7H - The security token will be sent to a client event using 4u2Sg5MjUaTCZ95XQvZYnr7H as the event name, which is different everytime a player joins. This is a one time event.

Sending token for salty_jobmanager (Event: 4u2Sg5MjUaTCZ95XQvZYnr7H Token: Fj9QEMwBMuVJb3RcCjKUCFvR) to Player ID 1. - 4u2Sg5MjUaTCZ95XQvZYnr7H has been triggered, and sent the security key, Fj9QEMwBMuVJb3RcCjKUCFvR

Battle_Boy · 2018-08-16T20:00:35.817Z

How do I make the hacker not able to make money and use noclip or admin menus

SaltyGrandpa · 2018-08-16T20:02:13.950Z

Battle_Boy:

How do I make the hacker not able to make money

Secure your server events with my resource.

Battle_Boy:

use noclip or admin menus

Use better admin resources or disable them. These are both client side issues.

SaltyGrandpa · 2018-08-30T20:46:36.931Z

Update 8/30/2018

Added new server export that allows you to get the security token for a specified resource. This is only accessible from the server side. This can be used to validate client-side events to ensure that they were actually triggered by the server. Please note that sending the token to the client may have some security implications and allow an attacker to retrieve the token for a resource, if they know the event to sniff. This should be used in a “worst case scenerio” for validation. Again, just never trust the client
- Example usage: exports['salty_tokenizer']:getResourceToken(GetCurrentResourceName())