Curse

CHunterX · Oct 12, 2007, 05:23 PM // 17:23

Heh, this reminds me of packet sniffing on Runescape to make bearded ladies back in the day... lol.

Yanman.be · Oct 12, 2007, 05:39 PM // 17:39

^^^^^hahah....autorune ftw

Mineria · Oct 12, 2007, 05:40 PM // 17:40

Quote:

Originally Posted by impression

I have read and understand the authorization method (I think :P). The method relies in the fact that both the player and the server administrator will run "clean" versions of both the emulator and the "verification software". What I mean is, a player can modify the "verification software" to tell the server that he has everything unlocked or, a server administrator can modify their server copy to unlock everything to all players.

Have fun,
impression

Quote:

Originally Posted by Josh

Erm, no - not quite. That's not even possible as far as I know..

It's called reverse engineering, and fully possible.
And I can assure you that when the emu server slips out, there will be people ready to decrypt it and hacking the authorization method, so that people who never payed for a GW access key can play on it.

Quote:

Originally Posted by Gaile Gray

... Our view on this project is that it must assure that the emulator can only possibly be used by people who own a legitimate copy of Guild Wars and that those using the server emulator have access only to the content that they have purchased. For instance, users should not be able to access maps, professions, skills, or any other content from a campaign they do not own. ...

So how will the project assure that only people that own a legitimate copy can enter the server , and only content purchased from Anet can be played, when the server is released to the public?

Senrath · Oct 12, 2007, 07:13 PM // 19:13

The server won't be. Only access to the server will.

Ajaala · Oct 13, 2007, 12:05 AM // 00:05

Hey guys, just to let you know - with the latest update the zoneID logging no longer functions. It'll work again soon, and I'll let you know when. We appreciate any help you've offered so far.

-Ajaala

Chthon · Oct 13, 2007, 01:04 AM // 01:04

I've put further thought into the issue of user verification and I've come to the conclusion that the problem is intractable.

Quote:

Originally Posted by GWLP Project Leader

That said, we plan to implement an authorization system that allows players access to only the content they have purchased. The authorization system will run in the background when you log into your official account, it will monitor incoming packets and read what you have access too on your account. It then encrypts this information and sends it to the server you wish to play on, the server immediately stores it in the database and allows you to use only the content that you own. The data that is gathered for authorizing a player can in no way be used to find that person's official account.

This system will not work. It has three flaws, each of which is fatal of its own force, two of which can be fixed, and one of which is, unfortunately, unsolvable.

The first flaw is that you're giving the user a copy of the encryption key. Sure, it's buried in compiled code, but that's by no means foolproof security. The user can debug and observe your compiled code, decompile your code, hook your process, or simply brute force it since he has access to both input and output. Once he has the encryption key, he encrypt his own certificate that says he owns all 4 games.

The second flaw is that the user can simply spoof the input to your validation system. It has no way of knowing if you're talking to the real GW server or a fake server (or loopback) designed to accept any user/password combo and declare any comer to own all 4 games.

(FYI: These first two flaws could be fixed by convincing a-net to generate the certificates using an asymmetric encryption scheme and send them to the users. That would prevent a user from figuring out the key and writing his own (problem 1) or forcing your validation binary to write one for him using spoofed input he provides (problem 2).)

The third flaw is fundamental. There's absolutely nothing you can do to stop User1, who owns all 4 games, from copying his certificate and distributing it to User2, who does not won GW at all, (as well as to User3, User4, User5,..).

If "I own all 4 games" is all User1's certificate says, it's literally a copy/paste operation to circumvent your system. Adding additional information to the certificate does not make circumvention significantly more difficult.

You could, for example, make the certificate say: "I own all 4 games and a hash of my system's hardware profile is XYZ." But that won't stop piracy. A user who does not own GW at all can still get access through a PC shared with someone who does own GW, through wireless cafes (the ultimate shared PC's) or simply by inviting a friend who owns GW over to log in once. (Worst case scenario, the "friend" isn't a flesh and blood person but one of those "public" GW accounts.) Moreover, as we learned when Microsoft and Starforce each tried this sort of verification, you can spoof your system hardware profile if you really want to.

Instead of trying to tie the certificate to the specific machine, you could try to tie the certificate to the specific GW account, as in "I own all 4 games and my CD keys are W, X, Y , and Z." First off, no matter what bit of info you use to tie it to the account, it has to be the exact sort of account info you should not be permitted to use for security and privacy reasons. Second, this sort of system is likely to bugger up when confronted with a legitimate user who plays from more than one computer. Third, it doesn't stop piracy. Even if you perfectly tied User1's certificate to his GW account, User1 can play on Server1 and also give a copy of his certificate to User2 to go play on Server2.

GW gets around this problem specifically by having only one server. There's a huge disincentive not to share your identifying info because it means you can no longer play yourself. With the possibility of multiple servers, I don't see any way around this problem for you.

I think the bottom line is that this third problem is unsolvable. If User1 wants to help User2 masquerade as User1, there's no disincentive to prevent him from doing so and technical tools that let you stop him.

Now, where that leaves us: You can't get verification working since it's not possible. Without working verification, as soon as you have PvP working, you'll have piracy. Once you have piracy going on, a-net seems quite happy to shut you down. Thus, I choose not to throw my time into your very cool, but very doomed, project.

I do really hope I'm wrong here. I'd love to see you come up with something that satisfies a-net on the piracy issue. (And, if you did, I would thereafter be willing to help.) Sadly, though, I don't believe it's possible.

Antheus · Oct 13, 2007, 01:10 AM // 01:10

Quote:

I do really hope I'm wrong here. I'd love to see you come up with something that satisfies a-net on the piracy issue.

It can be done if Anet allowed private servers to use official login servers.

For obvious reasons, they won't do that.

Ajaala · Oct 13, 2007, 01:34 AM // 01:34

False alarm guys the logging tool still works with the latest update.