4/16/2023 Manyland

I would suggest first and foremost to do the server side checks. The second thing I see is just obfuscating the code more. Now the player can super jump and the server is fine with it (verified by numerous 'holy sh !' and 'wtf!?' comments from other players). To change player jump height for example, all it would take is this piece of JavaScript: It was also easy, for the most part, to identify what certain variables did as they were in plain text. Once the player object was found, it's easy to modify the variables and the world (server side) accepts it. This name for this player object is also static for every game instance, so it's easily referred to every time. I only tested this out on the player object as a PoC, but it only takes changing a variable within the player object to modify things like player speed, mountable craft speed, etc. For instance, while you obfuscated the name of the player object within the ig.game object, it was easily found by checking for modifications to the health variable, where another function listed it as ig.game.O1376. Probably the biggest issue I see is the lack of server side checks against changes coming from the client. I wanted to notify you guys though of some security flaws within the game.

Saw this posted over on PH and checked it out, extremely impressive game and I'm sure there's a ton of dev time on this.