14 August 2013

Just For Fun: Hacking Your Minecraft Server


WARNING: If you don't play Minecraft, administer a Minecraft server or have a kid who does, you probably want to stop reading right now. This is going to get nerdy and technical very, very fast!

Okay, so this has absolutely nothing to do with information security and everything to do with what happens when your son comes to you with a “huge” problem... Like a lot of kids his age, he is hugely addicted to playing Minecraft and his addiction doesn't stop with just playing the game. He has been running his own Minecraft server (currently CraftBukkit 1.52R-1.0 deployed on Ubuntu 12.04LTS) for nearly two years now and experimenting with just about every server extension (“plug-in”) you can imagine. For my part, I have supported his Minecraft addiction by giving him hardware, teaching him some basic Linux skills and helping him debug when things didn't go as planned.

About a week ago, my son, enterprising young man that he is, determined that he would solicit donations to help defer the cost of running his Minecraft server. In exchange for real world monetary donations, he would award the donating players virtual currency with which they could purchase enhanced permissions and other virtual goods within the context of his Minecraft server.

In order to accept real-world monetary donations, several things were needed. First, he needed a PayPal account. No problem there; I hooked him up with that. Next, he needed to create an “economy” on his Minecraft server that allowed players to have accounts with monetary balances and to buy and sell things, exchanging virtual currency in the process. For this purpose, my son deployed the BOSEconomy plug-in. Once he had the economy plug-in working, he needed the ability to modify user permissions, so another plug-in was needed: enter PermissionsEx. Finally, to accept donations via PayPal and translate the real-world donations into virtual currency, he deployed BuyCraft.

After a couple of hours of work, he had things working. One could donate real money and receive virtual currency on his server. At this point, there was just one problem: How can people who donated money spend their virtual currency? My son had an idea: Create a few little booths to allow players to choose what they want to buy (typically enhanced in-game permissions) by pressing a button. Command blocks, activated by the button, would then award the item to the user and decrement the user's account balance.

Great idea, but then he encountered his “huge” problem. Command blocks can only be configured to take a series of actions: add the permission, take the money... with no logical dependency between the actions. Since BOSEconomy allows negative account balances, the net effect was that users could "buy" anything regardless of their account balance. They could run an unlimited negative balance, sort of like the U.S. Government, but without fear of negative consequences. Unrealistic, right? Even though a lot of American politicians don't seem to think so, my son does. And I happen to agree. So when he asked me to help him fix it, I thought, sure, why not?

So, we wrote a custom Java plug-in that corrects that problem by guaranteeing that users have a balance sufficient to pay for the item they are purchasing and, if not, disallowing the purchase. How did we do this? By using the Bukkit API and integrating the APIs of BOSEconomy and PermissionsEx with some custom Java code. We called the resulting plug-in cmdShop and you can see the results here. We tested with craftbukkit 1.5.2R1, BOSEconomy 0.7.6.3 and PermissionsEx 1.19.6.
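The check-before-charge logic described above, as an added sketch that is not the cmdShop source: `Ledger` and `Perms` are hypothetical in-memory stand-ins for the BOSEconomy and PermissionsEx APIs, and the player name, permission nodes and prices are constructed.

```java
import java.util.*;
// Added example. Ledger and Perms are hypothetical stand-ins for the economy
// and permissions plug-ins; they are not the BOSEconomy or PermissionsEx APIs.
public class ShopDemo {
    static class Ledger {
        private final Map<String, Long> cents = new HashMap<>();
        long balance(String p) { return cents.getOrDefault(p, 0L); }
        void add(String p, long delta) { cents.merge(p, delta, Long::sum); }
    }
    static class Perms {
        private final Map<String, Set<String>> nodes = new HashMap<>();
        boolean has(String p, String n) { return nodes.getOrDefault(p, Collections.emptySet()).contains(n); }
        void grant(String p, String n) { nodes.computeIfAbsent(p, k -> new HashSet<>()).add(n); }
    }
    enum Result { OK, UNKNOWN_ITEM, ALREADY_OWNED, INSUFFICIENT_FUNDS }
    private final Ledger ledger;
    private final Perms perms;
    private final Map<String, Long> priceCents; // permission node -> price in cents
    ShopDemo(Ledger l, Perms p, Map<String, Long> prices) { ledger = l; perms = p; priceCents = prices; }
    // The command-block behaviour: two independent actions, no balance check.
    void buyUnchecked(String player, String node) {
        perms.grant(player, node);
        ledger.add(player, -priceCents.get(node)); // balance may go negative
    }
    // Checked purchase: validate, debit, then grant, all under one lock so two
    // rapid button presses cannot both pass the balance check.
    synchronized Result buy(String player, String node) {
        Long price = priceCents.get(node);
        if (price == null || price < 0) return Result.UNKNOWN_ITEM;
        if (perms.has(player, node)) return Result.ALREADY_OWNED; // no double charge
        if (ledger.balance(player) < price) return Result.INSUFFICIENT_FUNDS;
        ledger.add(player, -price);
        try { perms.grant(player, node); }
        catch (RuntimeException e) { ledger.add(player, price); throw e; } // refund if grant fails
        return Result.OK;
    }
    public static void main(String[] args) {
        Ledger l = new Ledger();
        Perms p = new Perms();
        l.add("steve", 500); // constructed: 5.00 held as integer cents, no float rounding
        Map<String, Long> prices = new HashMap<>();
        prices.put("shop.fly", 400L);
        prices.put("shop.kit", 300L);
        ShopDemo shop = new ShopDemo(l, p, prices);
        for (String item : new String[] {"shop.fly", "shop.fly", "shop.kit"})
            System.out.println(item + " -> " + shop.buy("steve", item) + ", balance " + l.balance("steve"));
    }
}
```

In a real plug-in the same `buy` method would be called from a command handler, with the two stand-in classes replaced by calls into the installed economy and permissions plug-ins.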

Feel free to use the code as a template for your own plug-in.  Of course, you will need a Java development environment and various other bits and pieces...  And, if you really need someone to hold your hand (like I did, LOL!), there is always this video and several others like it to help you get through the process.  Yes, they were probably made by a 12-14 year-old kid... but they aren't half bad!  (And, yes, I feel super old right now...) 

Some other good resources are:
Bukkit Plugin Tutorial
Bukkit API Docs
Buycraft
BOSEconomy
PermissionsEx