|
|
|
Member 1435 posts
Registered: Jan 2006
and security module here:
[ http://ezQuake.SF.net/security/ ] ... has been cracked. Here for a quick summary of the old "security" module. Here for a modified Ezquake client with a working security module and here for the readme. And there is finally ez-styled conback and icon! You forgot to remove the Fuhquake version number from the window title in the GLX client I have to admit that this is a convincing (for me) proof that security (in its present state) does not make any sense.
Thank you very much for proving that, bigfoot.
With the highest respect, Good work Bigfoot. right
firstly i have to put the following disclaimer:
"I am not talking for the rest of the ezQuake team, all comments are my own personal opinion etc."
secondly
i would suggest a moderator cuts bigfoot's post and def's reply and this reply and moves them into another topic entitled 'ezQuake cracked?'. I feel it is in poor taste to post this on the 'NEWS' topic for the ezquake release and discussions should be kept seperate.
next i would like to point out some points of the 'crack' that bigfoot has released, having assessed it myself
i'd like to make emphasise a few things
just to make it clear again The implementation notes apply to release 1144.
my analysis may be wrong, but the 1517 'crack' relies on unix symbolic links and tricking the checksum in the .so, so that it passes the checksumming using the original exe and yet the hacked version is running
so it should be also clarified that in its current form, bigfoots proof of concept only applies to the unix version - and this simple hack would be preventable. It is not the same as previous hacks he mentioned in the other topic.
however, this is not to say that it could not be extended to work on windows, or could not be made to work without symbolic links
Yes this is a security failing in the current implementation, but it is not quite the 'shock horror ezquake hacked' claim that is made here and it does not match with the claims made in the 'security dll is never secure' notes that are posted here also
Member 811 posts
Registered: Jan 1970
my analysis may be wrong, but the 1517 'crack' relies on unix symbolic links and tricking the checksum in the .so, so that it passes the checksumming using the original exe and yet the hacked version is running Quite right. But the file it's referencing in the first place is a symbolic link as well. BTW, instead of getpid() and /proc/%i/exe, you can use /proc/self/exe, saves some code But since that seems to bother you, here's a patch which doesn't require setting up symlinks or keeping the original binaries around: SourceReadmeso it should be also clarified that in its current form, bigfoots proof of concept only applies to the unix version Darn right, but if you keep up this pestering, I might do the Windows version as well, just for you. and this simple hack would be preventable. Sure. Move 1 byte and it's "prevented". What a hollow statement. Tell me, how exactly are you planning on preventing users from reading, understanding and modifying files you give them? It is not the same as previous hacks he mentioned in the other topic. Right again. This one is a bit more userfriendly, but far less versatile. If it's of interest to you, the thing I originally used for Fuhquake and Ezquake 1144 worked for this version of Ezquake as well without a single modification. however, this is not to say that it could not be extended to work on windows, or could not be made to work without symbolic links Hm, right again Yes this is a security failing in the current implementation, And concept. It can't work as long as you're giving binaries to users. It's like giving random people a lock and assuming noone is ever gonna be able to open it. Sooner or later you're gonna give the lock to a locksmith, and then what are you gonna do? but it is not quite the 'shock horror ezquake hacked' claim that is made here Then what is it? FYI, I have made the work that means that I can make any client auth as Ezquake 1144 without using the original security module (see the damn text file). Does the fact that I haven't pulled out the order of the hashed data and the algorithm from the new module _yet_ mean that I haven't cracked it? I can run a modified binary which validates, this surely means that it has been cracked, yes? and it does not match with the claims made in the 'security dll is never secure' notes that are posted here also How do you prove logic? How do you prove that 2+2=4? To you that seems impossible. It can _never_ be secure to rely on a client telling if it is cheating or not. It's so damn simple pure logic that how this manages to escape you is completely beyond me.
Member 116 posts
Registered: Mar 2006
Bigfoot, do you see any possibility of making a client safe?
Member 1011 posts
Registered: Feb 2006
Just to clarify, I personally havn't written a single line of code in the security module btw, so your attempts at mockery "BTW, instead of getpid() and /proc/%i/exe, you can use /proc/self/exe, saves some code " should be directed elsewhere. It can _never_ be secure to rely on a client telling if it is cheating or not. It's so damn simple pure logic that how this manages to escape you is completely beyond me. You should use boundary values for all these wild statements you make I agree it can _never_ be 100% secure (I don't see where I ever claimed otherwise), as I have always said, and continue to do so, it is good enough for our needs. With a sufficiently hard to break clientside security implementation that is updated regularly (so as to invalidate any released hacks) it is perfectly acceptable for it to be relied on for our the needs of league admins. There is always an element of trust in quakeworld - its not like £1 billion is being competed for after all. As I mentioned in the old post, something is better than nothing. Perhaps we should coin a phrase after PGP, Pretty Good Security (PGS). If we can make the clientside security sufficiently hard to crack/break/modify then it will become more difficult to achieve than than the result is worth. I don't see why you must continue moaning about how 'security module is never secure'. As a final point. I like how your 'morals' can change so quickly overnight. In the previous post you claimed a moral high ground of refusing to release any code, examples or modified client because you didn't want such things to spread. Despite numerous requests to send your examples to the EZQuake dev team so they could examine them and decide on the best course of action - you refused, continously claiming the above. Now you suddenly decide its a good idea to smear a 'NEWS' release by handing out your hacked code to anyone who wants it? Perhaps a dissociative identity disorder is at work here...
Member 811 posts
Registered: Jan 1970
Just to clarify, I personally havn't written a single line of code in the security module btw, so your attempts at mockery "BTW, instead of getpid() and /proc/%i/exe, you can use /proc/self/exe, saves some code " should be directed elsewhere. I'm sure you can pass it on for me Just wondering as the old module did use /proc/self/exe. It can _never_ be secure to rely on a client telling if it is cheating or not. It's so damn simple pure logic that how this manages to escape you is completely beyond me. You should use boundary values for all these wild statements you make I'm not the one making the wild statement that it's secure. I agree it can _never_ be 100% secure (I don't see where I ever claimed otherwise) Oh really? as I have always said, and continue to do so, it is good enough for our needs. With a sufficiently hard to break clientside security implementation that is updated regularly (so as to invalidate any released hacks) it is perfectly acceptable for it to be relied on for our the needs of league admins. Enter my old hack. Every single update cracked in 0.14151 seconds There is always an element of trust in quakeworld - its not like £1 billion is being competed for after all. Indeed, just play, be happy, quit taking the game so damn seriously. As I mentioned in the old post, something is better than nothing. Not when that something induces a false sense of security. Perhaps we should coin a phrase after PGP, Pretty Good Security (PGS). If we can make the clientside security sufficiently hard to crack/break/modify then it will become more difficult to achieve than than the result is worth. The difference being that PGP _is_ pretty good. The security module, or even the idea, isn't all that good. I don't see why you must continue moaning about how 'security module is never secure'. Because you keep moaning about how "the security module is secure. Prove otherwise!" As a final point. I like how your 'morals' can change so quickly overnight. In the previous post you claimed a moral high ground of refusing to release any code, examples or modified client because you didn't want such things to spread. Despite numerous requests to send your examples to the EZQuake dev team so they could examine them and decide on the best course of action - you refused, continously claiming the above. I'll still refuse to release the old hack, because it would mean an end to the false security you seem to like so much. The impact of what I've done is minor. You can just make a minor change and continue to spread out to the world how secure it is. This is just to show that it doesn't take a rocket scientist to break it. Anyone could have used the hexeditor to modify that string. And I wouldn't be surprised if someone had done it in the past as well. Now you suddenly decide its a good idea to smear a 'NEWS' release by handing out your hacked code to anyone who wants it? Perhaps a dissociative identity disorder is at work here... Here we go again. Smearing? Nice diagnose, BTW. Why don't you next tell everyone that I'm the antichrist and work for the bad, evil FTE agency? Oh, wait, you already did that. My bad.
Member 811 posts
Registered: Jan 1970
Bigfoot, do you see any possibility of making a client safe? No. It can never be so. The best you can do is try to make it a bit harder to crack than a quick change with a hexeditor and hope that noone will bother cracking it.
Member 1011 posts
Registered: Feb 2006
well this is just descending into a punch and judy 'its good enough', 'no it isn't', 'yes it is' back and forth afaik qizmo employed client side security and hasn't been cracked in 10 years or so, i personally believe it is perfectly feasible to validate modern clients using clientside authentication - the current ezquake implementation has some flaws but these can be corrected and it will be good enough if it never gets to a point where people stop cracking it? well we can always go back to qizmo+qw233
Member 129 posts
Registered: Mar 2006
Calm down ladies, go find ursels a server n duel it out
Member 811 posts
Registered: Jan 1970
afaik qizmo employed client side security and hasn't been cracked in 10 years or so Are you sure? If so, it's more a testament to how people can't be bothered to cheat in QW. i personally believe it is perfectly feasible to validate modern clients using clientside authentication How about just appending the string: "I have not been modified" to the f_version output and let that be that? the current ezquake implementation has some flaws but these can be corrected and it will be good enough And when do you think it's good enough? if it never gets to a point where people stop cracking it? well we can always go back to qizmo+qw233 Or you can always stop taking QW so damn seriously and just enjoy playing.
Member 811 posts
Registered: Jan 1970
Calm down ladies, go find ursels a server n duel it out I'm up for it, but there's a good chance I'd lose
Member 129 posts
Registered: Mar 2006
Calm down ladies, go find ursels a server n duel it out I'm up for it, but there's a good chance I'd lose Make sure you do a demo, have to make sure there's no cheating arf arf
Member 1011 posts
Registered: Feb 2006
afaik qizmo employed client side security and hasn't been cracked in 10 years or so Are you sure? If so, it's more a testament to how people can't be bothered to cheat in QW. i think a lot of people spent a lot of time trying to crack it - at the height of qw popularity when qizmo was required. The fact that it was shareware and made udpsoft money meant they put a lot of effort into making it uncrackable so they could get registration fees. if it never gets to a point where people stop cracking it? well we can always go back to qizmo+qw233 Or you can always stop taking QW so damn seriously and just enjoy playing. league admins are the ones who (quite rightly imo) demand security - direct whine at them
Member 811 posts
Registered: Jan 1970
Calm down ladies, go find ursels a server n duel it out I'm up for it, but there's a good chance I'd lose Make sure you do a demo, have to make sure there's no cheating arf arf Better just do an f_version check
Member 811 posts
Registered: Jan 1970
"i think a lot of people spent a lot of time trying to crack it - at the height of qw popularity when qizmo was required. The fact that it was shareware and made udpsoft money meant they put a lot of effort into making it uncrackable so they could get registration fees."
i made a quick kernel module a few years ago that redirected the exec syscall to load whatever client i wanted, took about 15 minutes..
Member 811 posts
Registered: Jan 1970
i made a quick kernel module a few years ago that redirected the exec syscall to load whatever client i wanted, took about 15 minutes.. Couldn't you just have overridden the C function? Or did it call the kernel directly? In any case, there it is
Member 811 posts
Registered: Jan 1970
i made it for other uses tbh, but it worked like a charm.. and i think qizmo is statically linked, not sure tho
Member 811 posts
Registered: Jan 1970
i made it for other uses tbh, but it worked like a charm.. Indeed, doesn't have to be hard, eh? and i think qizmo is statically linked, not sure tho bigfoot@potatohead:~/qizmo$ nm -D qizmo | grep exec U execv bigfoot@potatohead:~/qizmo$ ldd qizmo linux-gate.so.1 => (0xffffe000) libm.so.6 => /lib/tls/libm.so.6 (0xb7f38000) libc.so.6 => /lib/tls/libc.so.6 (0xb7e00000) /lib/ld-linux.so.2 (0xb7f6c000) At least it imports execv
News Writer 493 posts
Registered: Jan 2006
I think the point everyone is missing is that security module gives people a false sense of security. It also outacasts other clients (mqwcl, zquake, FTE).
I feel we should completely ban the security module. Not only will it save ezquake developers coding time which they could use to put useful code into the client, but it will also make for faster releases. Currently, the ezquake cvs hasn't been updated in 3 weeks. I suspect they have just been waiting for the security module to be released. Was it worth it? I don't think so. The client could have been released 3 weeks ago and it would have been just as good.
Fear and suspicion is always good. Without those two, you won't be able to find cheaters. If you do a simple validate_clients and everyone seems okay, you won't think twice about that player's fantastic aim.
Another reason the security module isn't needed is because there are hardly any tourneys with money around anymore. So who cares? It's a 10 year old game, ffs. Play and enjoy. If someone is cheating, you'll find them the old-fashioned way - LQQKING.
Member 1011 posts
Registered: Feb 2006
Currently, the ezquake cvs hasn't been updated in 3 weeks. I suspect they have just been waiting for the security module to be released. incorrect, sourceforge 'viewcvs' has been broken for 3 weeks - activity has been high and development time is unrelated to security module. Only disconnect works on the sec module gotta catch a train now but will respond to your other comments when i'm home
Member 693 posts
Registered: Jan 2006
']I think the point everyone is missing is that security module gives people a false sense of security. It also outacasts other clients (mqwcl, zquake, FTE).
I feel we should completely ban the security module. Not only will it save ezquake developers coding time which they could use to put useful code into the client, but it will also make for faster releases. Currently, the ezquake cvs hasn't been updated in 3 weeks. I suspect they have just been waiting for the security module to be released. Was it worth it? I don't think so. The client could have been released 3 weeks ago and it would have been just as good.
Fear and suspicion is always good. Without those two, you won't be able to find cheaters. If you do a simple validate_clients and everyone seems okay, you won't think twice about that player's fantastic aim.
Another reason the security module isn't needed is because there are hardly any tourneys with money around anymore. So who cares? It's a 10 year old game, ffs. Play and enjoy. If someone is cheating, you'll find them the old-fashioned way - LQQKING. No thanks. I don't want to turn this QW community into the CS community where everyone is paranoid and accusing everyone that makes a lucky shot of cheating.
News Writer 493 posts
Registered: Jan 2006
No thanks. I don't want to turn this QW community into the CS community where everyone is paranoid and accusing everyone that makes a lucky shot of cheating. So you're saying you want to keep the QW community ignorant in order to prevent mass-hysteria and paranoia? Don't you think you're underestimating the QW community? And if this really is what admins want, wouldn't a security module which always prints cheat-free do the job just as well?
Administrator 2058 posts
Registered: Jan 2006
']I think the point everyone is missing is that security module gives people a false sense of security. It also outacasts other clients (mqwcl, zquake, FTE).
I feel we should completely ban the security module. Not only will it save ezquake developers coding time which they could use to put useful code into the client, but it will also make for faster releases. Currently, the ezquake cvs hasn't been updated in 3 weeks. I suspect they have just been waiting for the security module to be released. Was it worth it? I don't think so. The client could have been released 3 weeks ago and it would have been just as good.
Fear and suspicion is always good. Without those two, you won't be able to find cheaters. If you do a simple validate_clients and everyone seems okay, you won't think twice about that player's fantastic aim.
Another reason the security module isn't needed is because there are hardly any tourneys with money around anymore. So who cares? It's a 10 year old game, ffs. Play and enjoy. If someone is cheating, you'll find them the old-fashioned way - LQQKING. No thanks. I don't want to turn this QW community into the CS community where everyone is paranoid and accusing everyone that makes a lucky shot of cheating. maybe the CS community behaves in such a way due to the low average age of the players? I sure know that when I suspect someone of cheating, I don't give a rats ass about his f_modified/f_version.
Member 1011 posts
Registered: Feb 2006
i think gaz, like most league admins, would rather see the security improved rather than scrapped altogether
probably the mainstream leagues will fall apart unless this happens and people will end up just playing with friends
News Writer 493 posts
Registered: Jan 2006
Again, I feel you are underestimating the QW community's cohesiveness. This isn't CS, ten/eleven year olds don't go to the store to buy quake 1, they don't even bother downloading it for free of torrents or sites we provide. As I see it, there are 3 types of people playing quake 1:
1) People who have been here for a while. (90%?)
2) People who came for a better FPS experience
3) People who came because of close friends.
In either case, I just don't see such immature, young people playing quake. Not many people are cheat today - especially in a community which most members know each other. and I *especially* don't see havoc being caused by the lack of a (useless) security module. If we can make better security, then GREAT. I'm all for it. But for now, we are k i d d i n g ourselves.
Member 1435 posts
Registered: Jan 2006
']I feel we should completely ban the security module. Then we can also throw away ruleset smackdown. Anyone can lookup ruleset.c and comment out a block of code and compile (the compiling phase is the hardest one in ezQuake ) Features ruleset Smackdown restricts are undectable by watching demo (cl_fakeshaft / truelightning). Also expect packet command and smart team auto-timing proxies to appear. I'm not saying it's bad. It just would be different. And try to say "remove ruleset smackdown" in the presence of some div1-2 league admin. He will rip you apart. On the other side try to say it in presence of usual player. I think he wouldn't care. He also wouldn't try to avoid that ruleset I think. But would he get upset when he finds out (which is hard to do) that somebody was using something he couldn't use? ']Currently, the ezquake cvs hasn't been updated in 3 weeks. That's not true. Probably you are watching the web page (produced by sourceforge.net) which doesn't get updated anymore. But yes. It was quite a lot of work and time which we could spend to bring something more useful. ']Fear and suspicion is always good. Without those two, you won't be able to find cheaters. If you do a simple validate_clients and everyone seems okay, you won't think twice about that player's fantastic aim. Agreed. But you have to redefine 'cheat' to 'unpretty things discovered by observing the player or watching the demo'.
News Writer 493 posts
Registered: Jan 2006
']I feel we should completely ban the security module. Then we can also throw away ruleset smackdown. Anyone can lookup ruleset.c and comment out a block of code and compile (the compiling phase is the hardest one in ezQuake ) Features ruleset Smackdown restricts are undectable by watching demo (cl_fakeshaft / truelightning). Also expect packet command and smart team auto-timing proxies to appear. I'm not saying it's bad. It just would be different. And try to say "remove ruleset smackdown" in the presence of some div1-2 league admin. He will rip you apart. On the other side try to say it in presence of usual player. I think he wouldn't care. He also wouldn't try to avoid that ruleset I think. But would he get upset when he finds out (which is hard to do) that somebody was using something he couldn't use? Johnny, admittedly I'm not too familiar with the ruleset since I haven't ever been in a real deathmatch competition (I'm a TF player and now play DM for fun). AFAIK, ruleset sd prevents loading new models and such (which don't pass f_modified) right? Ruohis' new models which will be coming out soon(ish) will be more than a great replacement for faithful models, and I was planning on asking ezq team to crc check them to pass f_modified. But to answer your question, I'm not sure how secure ruleset smackdown is. It just ties back with the security module. ']Fear and suspicion is always good. Without those two, you won't be able to find cheaters. If you do a simple validate_clients and everyone seems okay, you won't think twice about that player's fantastic aim. Agreed. But you have to redefine 'cheat' to 'unpretty things discovered by observing the player or watching the demo'. Agreed. There will be false alarms. But I'm sure systems could be put in place to reduce the level of annoyance/time spent for admins (this is quite easy to do). ']Currently, the ezquake cvs hasn't been updated in 3 weeks. That's not true. Probably you are watching the web page (produced by sourceforge.net) which doesn't get updated anymore. But yes. It was quite a lot of work and time which we could spend to bring something more useful. Sorry, my mistake (offtopic question: what's the new site for ezquake's cvs page? also did you guys switch to svn?))
Member 1011 posts
Registered: Feb 2006
']In either case, I just don't see such immature, young people playing quake. Not many people are cheat today - especially in a community which most members know each other. and I *especially* don't see havoc being caused by the lack of a (useless) security module. Just look at the accusations of cheating (and possibly some actual cheating) occurring in the LGC tournament to see what happens when you try to rely on trust. And that tournament was just intended to be a fun "lets see who can get the highest LG %" tournament. ']Johnny, admittedly I'm not too familiar with the ruleset since I haven't ever been in a real deathmatch competition (I'm a TF player and now play DM for fun). AFAIK, ruleset sd prevents loading new models and such (which don't pass f_modified) right? Ruohis' new models which will be coming out soon(ish) will be more than a great replacement for faithful models, and I was planning on asking ezq team to crc check them to pass f_modified. ruleset smackdown prevents the setting of certain aliases (e.g. fakeshaft, rollalpha), prevents rj scripts, limits cl_clock (this one may have been lifted) and more. It is essential in a number of leagues. I do not believe replacement models are prevented in it, but use of them will obviously fail f_modified as usual. As mentioned by Johnny, without security these could all be freely enabled - resulting in gaz becoming a furious red faced admin! ']Sorry, my mistake (offtopic question: what's the new site for ezquake's cvs page? also did you guys switch to svn?)) if you use the actual cvs repository (http://sourceforge.net/cvs/?group_id=117445) then you would be able to monitor developments. Its just the viewcvs.cgi (browse the repository) interface that hasn't been updating. A move to svn may happen in the future.
Member 151 posts
Registered: Feb 2006
if it never gets to a point where people stop cracking it? well we can always go back to qizmo+qw233 those were the days.......
Member 3 posts
Registered: Sep 2006
FO I still dont know how to use qizmo without a lot of fumbling about in menus (slow to react, slow on the uptake)
|
|
|
|