[PROJECT] Gold Coin based Single Currency & Banking System

[Zupa]

Its a variable that is linked with a character. like: 

 

_characterID = _character getVariable ["CharacterID","0"];

 

But then for money.

 

In every script thats needs it, it fills up a local var from the character Variables

 

If you somehow can acces these variable and change the content u can give yourself alot of money.

[mgm]

MGM,

 

Thank you for helping get this sorted. I have been so busy with work the past week i have hardly been on. It is also nice to see a community come together to help each other out.

 

Lets keep at it.

Thanks Goatlol, continuing from your thread, going good so far - hopefully we will achieve our goal with everybody's help & Zupa's immense contribution.

 

 

I only have limited scripting knowledge sadly. So I would not be suited for that role on this project. However I have a dedicated machine, on which I am testing various constellations of the Arma2NetMysql scripting. Does your script have a lot of open publicvariables etc which can be accessed? Other than that, I don't know how you can hack or abuse it.

Defent if you can work on this with Zupa & somehow do safety checks, and if you can ensure us that the current code is secure, we will actually COMPLETE the project now as Zupa has it all.

The above sentence is out of sync [and pretty meaningless at this point], please read my big update below then it'll make sense. I will provide any help I can but I know nothing about it lol

 

 

Ok guys, talked with mgm, and ill join in as developer on the project. 

 

Basicly the only real issue is seccurity against scripters/hackers

Continuing from TS, massive thanks again Zupa. I'm posting the summary below shortly after which your huge contribution will be visible.

[mgm]

Have I got good news for you!

 

 

 

 

 

 

 

Special thanks to Gr8Boi who dropped Zupa's name in a PM, opening a big door of opportunity for all of us.

 

 

 

 

Before we get on with the rest of this long update, please take a look at the below quote, which is not an actual quote, just a summary...

What you see below is my understanding - any corrections please do post below.

 

 

 

POSSIBLE METHODS OF READING/WRITING TO MYSQL DATABASE (from an Epoch setup)

• Method #1: Accessing the database using a custom HiveExt.dll.
  This appears as the best option however in our project it is unlikely to happen as we do not have a Visual C++ developer in project team.
  (This method seems to be the most difficult one to implement!)
   
• Method #2: Accessing the database using a using 555 500-505 calls. 
  Am I right to think this is the second best? Looks like this is what we will be focusing on.
   
• Method #3: Accessing the database using Arma2MySQL.
  As has been reiterated several times, this "Will work. Not too difficult either".
  Still, not the best option as it will be usable only by dedicated server owners and according to Sven2157's post, it will exclude all Linux based hosting servers which apparently is the biggest portion of game hosting servers.
   
• Method #4: Accessing the database using 999 calls. Worst option because it is not safe at all. [Note: For a closed, in-house project, it might just do the job if you accept the illusive security through obscurity.]

 

 

 

TODAY'S AUDIO CHAT UPDATE (participants: mgm & Zupa)

During our discussion, Zupa confirmed that he has a working "Gold Coin based Single Currency & Bankig System" which he coded himself.

This is not an alpha project - it is active on his server & was used by full server of players (~50) for more than 3 months with no major issues.

 

You might wonder "As we all read above, there are other people who have the same so what's the big deal?"... Well, I'm glad you asked. 

It's a big deal because Zupa is willing to share his hard work with the rest of the world for free. As far as I know there's noone else doing this <-- if I'm wrong, please do post below.

 

So, is this the end of project?? Thanks to Zupa, since we now have access to what we wanted, are we packing & going home?

Not exactly.

Unfortunately the method Zupa implemented (Method #4) is fully working yet insecure & might get hacked relatively easily.

Just to clarify: a hack/glitch/exploit/whatever has not occured on the actual production server but we will need to keep on mind:

( 1 ) This was running only on one single server and 

( 2 ) The code was not publicly available.

 

Should Zupa post the code now, obviously keen eyed amongst hacker/cracker/glitcher/and-other-bad-guys crowd will have access, probably find a way & start resetting bank account balances on all our servers.

It might take a few week/months for them but it might very well happen. <-- This assumption is based on Epoch developer's view of (something along the lines of) "999 is insecure hence not recommended, instead use 555 500-505 calls". <-- I'm not quoting here but it's the gist of the post(s) I read. Once again, please do post below if I'm off course here.

In the light of the above, we would like to completely fast forward the potential tears and take the safer way from the beginning.

 

 

 

SOOOO WHAT'S NEXT?

Zupa, having already designed & implemented a working copy of what we want, will help us get a fully working version, using the safer Method #2.

ETA: Unknown (to be announced by Zupa in this thread).

 

 

 

SINCE WE DON'T HAVE A CODE TO DOWNLOAD (you can't even give an ETA) AT LEAST GIVE US SOME DETAILS? WHAT ARE WE GONNA GET?

Before we serve the Appetizers a quick clarification....

 

PLEASE NOTE: What Zupa has already developed [let's call it OldVersion] and what he will be developping for us [creatively let's call it NewVersion] are two different things.

He will be focusing on reusing as much code as possible in order to deliver a working version 1.0 of the project as soon as possible but still there will be differences between the two.

We need your comments in this thread, please kindly start posting whatever you think should be included/excluded with the planned system.

 

 

Since we all know what is listed below is NOT what we will get [ we'll get an even better one, right, Zupa? :) ], please take a look at the OldVersion implementation notes below...

 

 

 

NOTES ON "Zupa's fully working Gold Coin based Single Currency & Banking System" a.k.a. OldVersion

• Map Change:
  Zupa used map editor to add "ATM site"s to Chernarus, there are 5 of these all located in big cities, with a small safezone around them.
    
   
• Interaction with Bank:
  ( 1 ) Player uses the MouseWheelOptions when looking at the laptop in ATM area to view balance & deposit/withdraw coins to the bank account (via selfactions file).
  ( 2 ) When any lockbox or safe is unlocked by the player, a MouseWheelOption appears to view balance & deposit/withdraw coins to the bank account. I guess we could simply think of it like an electronic direct link between your lockbox/safe to your bank.   
   
   
• Bank Account Limit or lack thereof
  Bank account is unlimited (e.g.: you can have 500.000.000.000 or more gold coins in your bank) so there is no requirement to buy/sell gold bars to store your wealth which couldn't make into a limited bank account.
   
   
• On the same matter:
  There is a need to sell gold, e.g.: when you get gold bar reward from AI missions.
  
  Just to reiterate
  ( 1 ) Even though there is no "need" for it, one can buy gold bars/gold 10ozbars/briefcases if he wishes so.
  ( 2 ) Since there is a need for it, selling is also allowed.
  ( 3 ) These purchase/sell actions can be done at any trader. Original Epoch gold items (GoldBar, 10ozGoldBar) are still in game.  To buy/sell them you will obviously need to use the new money (gold coins).
   
   
• To display "Carried Gold Amount (on Player's Body)":.
  A new row was added to the custom debug monitor, which displays gold coin amount on player body. Zupa has also mentioned that it is possible to display this in the main screen (outside debug monitor) in neighborhood of hunger/thirst icons.
    
   
• Player's Interaction with Dead Player Bodies:
  MouseWheelOption when looking at a dead body titled "Check Wallet"; which could be titled "Take all the gold from dead body and transfer it to my personal inventory (Player's Body)".
   
   
• Player's Interaction with Alive other Players:
  MouseWheelOption -man I'm tired typing all this, if you're still reading reply with 999 lol- when looking at another player titled "Transfer Coins"; which transfers money from PlayerBody to RecipientPlayerBody (personal inventory).
   
   
• To change trader item prices:
  Zupa used the usual method (SQL db modification on relevant table) & changed the price field (for example a gun which cost 2 10ozGoldBars can be now priced 20000).
   
    
• Smelting of gold bars to gold coins:
  Zupa mentioned he did not feel such a need & therefore did not program such a "goldBar-to-coins & coins-to-goldBar smelting feature" but he added "it can be done easily". 
   

 

 

SCREENSHOTS

As we discuss his implementation, Zupa has been kind enough to share some screenshots to help me understand better. In fact he invited me to the server to try it out but I haven't had a chance yet.
Anyway, here are the screenshots: SCREENSHOT GALLERY SHOWING ZUPA'S CURRENT IMPLEMENTATION

 

 

 That's all for now, thanks for your patience to read this all!

 

 

 

 

Edit - As per Zupa, post edited & "555 calls" corrected as "500-505 calls"

[Defent]

Moving the variables to another file and execute them from there without a publicvariable, could that prevent the spoofing? I'm not too experienced with the flaws of 999 calls sadly. 

Also, that's some really nice screenshots!

[Sandbird]

Moving the variables to another file and execute them from there without a publicvariable, could that prevent the spoofing? I'm not too experienced with the flaws of 999 calls sadly. 

Also, that's some really nice screenshots!

 

If using Arma2net the SQLs have to be inside dayz_server files...so decompiling mission pbo will not show the SQLS to the 'hacker'.

By using puclicvariableserver + pbvclient commands you send the request to the server and get the result back without exposing any SQLs in the mission files.

Its like the addactions...you just sent the parameters then the server file gets them...does the sql and sends back the result to the client.

Förstår du ? :P

[mgm]

If using Arma2net the SQLs have to be inside dayz_server files...so decompiling mission pbo will not show the SQLS to the 'hacker'.

By using puclicvariableserver + pbvclient commands you send the request to the server and get the result back without exposing any SQLs in the mission files.

Its like the addactions...you just sent the parameters then the server file gets them...does the sql and sends back the result to the client.

Förstår du ? :P

Sandbird is the db access methods quote in my big update in line with your understanding?

Also do you know anything about 555 calls (or do you know anyone who worked with them & knows this stuff)?

 

Thanks

[Defent]

I see (καταλαβαίνω). Google translate? ;)

 

But yea, I see what you mean. Wouldn't it be possible to add those as a restriction or log warning to the battleye filters? I don't believe that the regular player has knowledge of how you decompile pbo files and even less how you execute the public variables in order to get an unfair advantage. 

[mgm]

I see (καταλαβαίνω). Google translate? ;)

 

But yea, I see what you mean. Wouldn't it be possible to add those as a restriction or log warning to the battleye filters? I don't believe that the regular player has knowledge of how you decompile pbo files and even less how you execute the public variables in order to get an unfair advantage. 

Personally I have no technical info whether BattlEye can help secure 999 calls.

However, just from what I read, I am under the assumption it cannot (otherwise Epoch developers would tell us so) - they said don't use 999 period so that's that.

 

The other question is, do you know anyone who worked with 555?

It looks like not many know/use 555....

[goatservers]

Maybe posting around some other dayz forums might get a response from people who know how to use 555 calls, or even better, do the hiveext.dll thing

[Gr8]

this project should be on git. Have a website for accepting donation. Its own forums for ideas suggestions, gettting more developers. :P

[TacticalStealth]

Guys im new here, everyone is aware. im not good at coding or mysql im here to offer help with a website and a teamspeak, i have a website http://www.PimpinDayz.enjin.com/ a teamspeak: 162.250.123.59 . And an overpoch server: 162.250.123.59:2302 . All of which i am more then happy to lend to you guys. The Overpoch server is hosted off a VPS, the teamspeak is too. Website is from enjin.com. So if you guys got a lot of donators and everything. We can make a big community, and get some good developers, and some servers. All of it. Just post on the forums of the website or check for me on the teamspeak, ill be somewhere most of the time. Talk to you later guys, hopefully we can get this project done :)

[Defent]

BattlEye filters are not supposed to protect the hive calls directly. They are more for protecting and logging unwanted usage of variables. In one of Saidbirds posts, he mentions the use of PVDZE_something variable. These are usually something you wish to protect from outside usage or log the usage of. However, I could also be wrong. 

Epoch does not use 999 calls directly, however there is a few modded versions and beta versions of the HiveExt.dll file which has 999 calls enabled. Some are in need of compiling and some are already compiled.

[Zupa]

Just a remark. If i said 555 calls, i meant 500-505 calls. There was a talk fast/think slow situation saying it in english ( My native language is Dutch) ^^

 

ANyways, im starting to experiment with the 504. I see that it's updated abit.

[Zupa]

BattlEye filters are not supposed to protect the hive calls directly. They are more for protecting and logging unwanted usage of variables. In one of Saidbirds posts, he mentions the use of PVDZE_something variable. These are usually something you wish to protect from outside usage or log the usage of. However, I could also be wrong. 

Epoch does not use 999 calls directly, however there is a few modded versions and beta versions of the HiveExt.dll file which has 999 calls enabled. Some are in need of compiling and some are already compiled.

 

I got those dll's with 999 btw, i use it for my working version.

[TacticalStealth]

So this will get released publicly?

[Zupa]

Doesn't Arma2Net require a Windows based system to work? This leaves out servers hosted on a Linux system; which are 99% of the rented game servers.

 

DayzEpoch server requires Windows as operating system. It's build on dll's. SO Epoch needs Windows anyways. BUT if u rent from for example DAYZ.st you cant install arma2net and stuff like that.

500-505 makes this the best solution ( IF i or someone else can figure out how to WRITE data ( which call and syntax).

[mgm]

Maybe posting around some other dayz forums might get a response from people who know how to use 555 calls, or even better, do the hiveext.dll thing

Sure, I don't know any good ones though. If you do know, please PM me (not sure Epoch forum admins allow hyperlinks to other forums) I will go post there.

 

 

 

 

this project should be on git. Have a website for accepting donation. Its own forums for ideas suggestions, gettting more developers. :P

Yes, good idea.

Zupa - I guess this one is for you, when you have some code ready to release :)

 

 

 

Guys im new here, everyone is aware. im not good at coding or mysql im here to offer help with a website and a teamspeak, i have a website http://www.PimpinDayz.enjin.com/ a teamspeak: 109.236.89.157 . And an overpoch server: 109.236.89.157:2302 . All of which i am more then happy to lend to you guys. The Overpoch server is hosted off a VPS, the teamspeak is too. Website is from enjin.com. So if you guys got a lot of donators and everything. We can make a big community, and get some good developers, and some servers. All of it. Just post on the forums of the website or check for me on the teamspeak, ill be somewhere most of the time. Talk to you later guys, hopefully we can get this project done :)

Thank you for this, I will update the 1st post with your TeamSpeak offer.

I do not think we will need a web site as Epoch forums is good enough for discussion and GitHub would be good enough for hosting/managing code. Let's keep as much keep traffic as possible here, if anything bring other people to Epoch rather than take traffic away :)

 

 

 

Just a remark. If i said 555 calls, i meant 500-505 calls. There was a talk fast/think slow situation saying it in english ( My native language is Dutch) ^^

 

ANyways, im starting to experiment with the 504. I see that it's updated abit.

It's could be my mistake also,  since it's cleared it doesn't matter at this point I guess. I will update the Daily Summary post above to reflect the correction.

 

 

 

So this will get released publicly?

Yes, as per 1st post, our goal is: Gold Coin based Single Currency & Banking System, publicly available for all Epoch server admins for free, without sacrificing humanity system.

[TacticalStealth]

If anything i can try to help develop after tomorrow. Idk what i can accomplish but i can take a look at it and try to fix some stuff up. All i would need is the coding we already have done,

[Sandbird]

I see (καταλαβαίνω). Google translate? ;)

 

But yea, I see what you mean. Wouldn't it be possible to add those as a restriction or log warning to the battleye filters? I don't believe that the regular player has knowledge of how you decompile pbo files and even less how you execute the public variables in order to get an unfair advantage. 

 

Nej inte GT :P, jag kan inte tala svenska så bra...men jag kan tala lite :P

 

But yeah Battleye can do nothing with mysql calls...The reason you have to add these calls to the server files is that you want to avoid "the more experienced users" aka hackers.

There are some securities reasons (especially remote sql queries) that you should rather have them 'blind' into how your tables are structured in the db, than show them exactly what is where.

I mean in the end this will be a public release so everyone could see the code .... but you dont have to have that released db structure...you could tweak the cell names a bit..so they dont know the names of the table cells.

It goes without saying that your db user SHOULD NOT have "showtables" access.

My dayz db user is strictly using the dayz db only...cant create new users or see other tables etc.....its the most minimum access account.

[mgm]

You guys have no patience, :D i haven't even setup my test server yet.

I did look at arma2MySQL and it seems fairly easy to use, al i have to do now is check if i am able to do all of this.

boyd,

Thanks for your hard work on the project. As you might have seen from the thread, there are some developments and Zupa will also be working on developing a working "500 version" of what he already has (his current implementation is using 900 calls). It would be great if you guys could collaborate somehow so please could you see discuss with Zupa when you got a minute? (This message is also sent via PM).

[Zupa]

I might propose to have someone run a stress test server for the old version (hoping it will get a decent ammount of players). This being epoch with the single currency with 999 calls.

 

This way we can double check if the  system is stable.

 

What do you guys think?

 

I can always assist in setting-up / editing excisting pbo's to the system.

 

i do NOT own an anti-hack btw.

[Defent]

Nej inte GT :P, jag kan inte tala svenska så bra...men jag kan tala lite :P

 

But yeah Battleye can do nothing with mysql calls...The reason you have to add these calls to the server files is that you want to avoid "the more experienced users" aka hackers.

There are some securities reasons (especially remote sql queries) that you should rather have them 'blind' into how your tables are structured in the db, than show them exactly what is where.

I mean in the end this will be a public release so everyone could see the code .... but you dont have to have that released db structure...you could tweak the cell names a bit..so they dont know the names of the table cells.

It goes without saying that your db user SHOULD NOT have "showtables" access.

My dayz db user is strictly using the dayz db only...cant create new users or see other tables etc.....its the most minimum access account.

Oh I see, your Swedish is still nice =)

Yea, I've done most of those things. The only thing that worried me is what kind of privileges the arma 2 server needs in order to function towards the database. Although, I restricted most connections to local only, in an attempt to block outside influence. 

 

 

I might propose to have someone run a stress test server for the old version (hoping it will get a decent ammount of players). This being epoch with the single currency with 999 calls.

 

This way we can double check if the  system is stable.

 

What do you guys think?

 

I can always assist in setting-up / editing excisting pbo's to the system.

 

i do NOT own an anti-hack btw.

I own an anti-hack and run atleast one mildly saturated server. I asked a few of the players and they did not seem very pleased with me stress testing in on the server. Although I could test it on the panthera server if it suits well. It's not much of a stress test since the server does not have a lot of players anymore. 

[boyd]

boyd,

Thanks for your hard work on the project. As you might have seen from the thread, there are some developments and Zupa will also be working on developing a working "500 version" of what he already has (his current implementation is using 900 calls). It would be great if you guys could collaborate somehow so please could you see discuss with Zupa when you got a minute? (This message is also sent via PM).

I have read the thread and seems zupa is doing a great job.

 

I might propose to have someone run a stress test server for the old version (hoping it will get a decent ammount of players). This being epoch with the single currency with 999 calls.

 

This way we can double check if the  system is stable.

 

What do you guys think?

 

I can always assist in setting-up / editing excisting pbo's to the system.

 

i do NOT own an anti-hack btw.

If you need help zupa hit me a PM, i do own a antihack to.

[TacticalStealth]

I think I put in the wrong ip for teamspeak

[Gr8]

I own infistar, i can offer to stress test but dont have lots of players. I can tho offer to test the script with the anti hack, if it works or not. I can also try to make it compatible with the antihack and write up instructions.