[Naruto_Emilio]

Hello guys, I would like to understand how does the dialog hack works, I have been noticing in my server that some people uses cheat engine to add/edit some items that are stored in inventory using dialog hack, I have tried to search for it in the internet, but I found nothing. does anyone has an idea about it?

[Ahmad45123]

Umm... I dont think they are able to do that at all..

Even if they succeed and edited the dialog text.. That would be just a 'text edit' and will never change its functionality.

Actually to be more detailed...
A hack like that will require to change the source of the script which will require accessing the host..
And even if they got access to the host, The AMX file codes can never be changed...

[Mencent]

Hello!

You can't edit the default values of a script with a hack.
Sorry if I understood your question false.

Mencent

[Jimmy0wns]

There used to be an exploit that allowed people to manipulate a dialog in some sort of way and there's always SQL Injection which could be applied if you haven't secured your inputs correctly.

[Naruto_Emilio]

my inventory system is not a MySQL system, its using .txt instead, heres a video that shows how they do it:

https://www.youtube.com/watch?v=qG-OJrcVhcg

[Sledgehammer]

Not to sure about Dialog Hacking, but I heard you could spoof them.

Edit: Ignore this post. This doesn't appear to be the issue.

[Emp3r0r]

Quote:

Originally Posted by Naruto_Emilio my inventory system is not a MySQL system, its using .txt instead, heres a video that shows how they do it: https://www.youtube.com/watch?v=qG-OJrcVhcg

That video seems fake. Like others stated above, this would be impossible.
Plus, Cheat Engine can't edit servers.

I believe that it's his server, and the "Bandage" is already a Med kit.
So what he did, is just changed the name to Med kit, to make it seem he changed the item itself, and just spawned it.

[T-N-Z]

I had similar issue on my server, a couple of players somehow managed to buy houses that wasn't for sale, and they have been owned by other players, after some research I found out that somehow they accessed the dialogs which was only meant for admins to be shown, I added some checks OnDialogResponse to see if player was an admin and that solved the issue. It had nothing to do with SQL.
I think there was/is a hack that can call any dialog id you want, or something like that. I am not sure.

[Abagail]

Yeah, you should ALWAYS have checks for stuff like that anyways so your script is prepared for exceptions, and things such as this. But you should NOT ban if you detect someone who may not be allowed access as they have honestly gotten there by a script error and or mistake, just deny access.

[Ahmad45123]

Quote:

Originally Posted by Naruto_Emilio my inventory system is not a MySQL system, its using .txt instead, heres a video that shows how they do it: https://www.youtube.com/watch?v=qG-OJrcVhcg

Ok I watched the video and this is imposible...
He edited the client side text... He just changed the "Bandage" text to "Medkit" while in the server its still a bandage... Cheat engine can't do that and either any tool...

And if someone replys and says that the video proofs it...
IDK really... He got some nice video editing skills.

[Naruto_Emilio]

guys its not fake ffs, players does that ingame, if you have nothing to help here, then just dont waste your time and mine...

[Abagail]

Add protection to your dialogs, and make sure that they haven't spoofed the dialog ID. I believe aswell as provide better dialog management, the easydialog include by Emmet_ fixes the spoof vulnerability within dialogs.

[BHTMestre]

this works really managed to create the items by the same I cheat engine do it when Emilio server is full of hackers killing general

[MP2]

So it seems this 'hack' is possible because the server's OnDialogResponse is parsing 'inputtext' to determine what was selected. This is sent by the client. You should use the 'listitem' variable instead.

For example, instead of

pawn Код:

if(!strcmp(inputtext, "Med Kit"))

you should do

pawn Код:

if(listitem == 1)

or a switch.

And as people already mentioned, you should keep track of dialog IDs internally with a variable so they can't be spoofed, and for added security check they are allowed to access that dialog in their current situation, e.g. check if they are admin before letting them respond to an admin dialog.

On another thought, would it be possible to add a new item to the list with hacking? Could still be detectable server-side though.