Jump to content

WARNING : ROOM HACKING


Guest Pierrousss

Recommended Posts

Guest Pierrousss

hi there, i will just copy paste my message of the original forum, 

 

http://3dxforum.com/index.php?/topic/6193-warning-room-hacking/

 

 

is someone from here releasing a tool allowing to steal rooms ? i want to know who is pathetic enough to release or do this.

 

SO DEVS !!!

 

WHEN THE HELL YOU WILL PUT SOME SECURITY IN YOUR F*UCKING GAME !!!

 

i knew it was possible to steal the rooms of others a moment ago... but never happened to me ! especially since the new wolrd editor been released !

 

so a girl named  Heden, stole and opened my room for all this afternoon, with her alt FionaX 

 

---> http://3dxforum.com/...er/6068-heden/ 

 

 

https://imgur.com/a/oLzgB

 

 

Anyways, for those who still want to party at the real WPB reopening, topic is here :

 

http://3dxforum.com/...-thursday-1801/

 

 

AND BE CAREFUL YOU ALL GUYS, YOUR ACCOUNT IS NOT SECURE, ESPECIALLY YOUR ROOMS.

 

 

WAKE UP DEVELOPPERS, CODE YOUR GAME CORRECTLY ! THIS PERSON RUINED THE MORE 3 WEEKS OF WORK FREELY.

 

ps : LET ME KNOW IF THERE IS A TOOL WHO ALLOWING THIS ON HERE AND WHO MADE IT, TY

Link to comment
Share on other sites

hmm....I wonder if Alex can write a mod in the code to decrypt the .world files to a specific user?  or specific acct? that way no one will be able to copy and if they try to load can just crash the game all together on there end every-time they try and load the ripped off venue. Hope this makes sense.... 

Link to comment
Share on other sites

Guest Pierrousss
1 minute ago, AlexRyder said:

There is already a topic about that...

 

 

Alex, Icarus made this topic cause i was advertising everyone on world chat, giving the name of that person who stole my room and opened it for all. and the real opening is thursday lol... you have no idea how i feel raped and how im sad now. even if the person is banned, she/he will make another account and stole all your rooms. she is on your forum here, her name is Heden, so she has all your names and probably will use your pseudos to check on your rooms....

 

im pissed off

Link to comment
Share on other sites

Alex,

Can you think of something security wise that can be written? some how protect the server and local copies of the .world files?

Link to comment
Share on other sites

  • Modz Gold Member

I've replied you on the 3dx forums about it.

You don't even need a 3dxChat account to get a person't room, it's accessible via an url like you would access any web site. Well, a tiny bit more complicated than that because you need to perform a POST request instead of a GET, but other than that pretty much the same.

 

Link to comment
Share on other sites

  • Modz Gold Member
Just now, MasterXavier said:

Alex,

Can you think of something security wise that can be written? some how protect the server and local copies of the .world files?

Nothing without modifying the server side code first, and this still will not prevent people from dumping the data while accessing the room normally.

Giant media corporations like Adobe can't make their streams secure with rtmp and stuff, what do you expect from a small company like SGD? )

 

Well, I can add password protection to the uploaded zip file, but then no one will be able to open it at all xD

 

Link to comment
Share on other sites

Alex,

Just to confirm, you are not aware of any tool on our forum that does something like this in an automated way correct? 

I have no knowledge, because most of our tools are simple related additions to 3DX and nothing to the point of ripping

off rooms. Again confirm.  

 

Also explain the way his room may have gotten ripped off, but do not have to go into indepth details.

Link to comment
Share on other sites

  • Modz Gold Member

I'm not really checking all the stuff that gets on the forum, but I don't think so.

Once again, you don't need an "automated tool", I can do that in Firefox with a single line request, for example. And any programmer will be able to write a simple one-button tool for that in a few minutes, I guess.

Link to comment
Share on other sites

Alex,

I checked all the mods, its not here, nor Rochi's code would enable this. I think like you said maybe a Grease Monkey addon to firefox to automate it.

Link to comment
Share on other sites

Just informed that Rochi's code may have been altered to do this type of work? not sure where or what line would be altered to do this.

Link to comment
Share on other sites

  • Modz Gold Member

Rochi's is pretty much the same vanilla dll with a few insertions and replaced variables, people probably base off on it because they like the added features, other than that it is not different from basing off the vanilla one.

Link to comment
Share on other sites

45 minutes ago, AlexRyder said:

Well, I can add password protection to the uploaded zip file, but then no one will be able to open it at all xD

 

I would do this Alex for protection. Also as far as server side, I would definitely let Gizmo know, maybe straighten there asses out with some lines of code they can use server side. I know its posted already over there, but you know the devs and there spaghetti code and garbage.

Link to comment
Share on other sites

  • Modz Gold Member

If I let people use their own passwords, only people knowing the password will be able to join the room (and they will have to type it in every time they join). If I hardcode a password in code, this will make zero sense since it's easy to decompile the dll and find it.

And in any case this will just crash the vanilla clients since they won't be expecting any password protection.

Link to comment
Share on other sites

So what needs to happen here? basically Yell at Gizmo and the team to change things on the server side? shit that not a bad idea password protecting the rooms...

Link to comment
Share on other sites

  • Modz Gold Member

I find it quite fun and a bit ridiculous (or the reverse) to ban my account here and leak my email address to Pierrousss...

1) As I said to Pierrousss and xRosa: I did not do that for the bad and I apologized several times. To be honest, if I wanted to make that for the bad, I would have simply downloaded rooms without showing me anywhere (I don't need to enter rooms to get them), then upload the best ones online with monetized download links. I didn't do that because I wanted a reaction from devs, not to get anything from it. I know what I did is not nice for the authors, but that's probably the best way to make devs react (everybody know they don't even read forum anymore for years!).

2) Email addresses are private data. Forum like yours should never leak email addresses to anyone. Especially to angry people who threatened me physically (like Pierrousss did on chat in game)...

3) I did not use any existing DLL, but injected my own code in vanilla DLL. I firstly wanted to see if this shit was possible after reading a post on this forum. I don't want to get the rooms of others. I have mine, and most knows I spent a lot of time on it and I'm very happy with it!

 

The best way to secure the DLL is described here after (in case 3DX Devs can read and don't know):

Everyone should know first that because Unity code is C#, it's hard to secure it (C# is compiled as DLL in IL code which is basically Instructions that can be easily decompiled) but it can be made so complex to hack that very few would spend time studying how to decompile.

 

Here are some ways to secure a lot rooms and DLL:

1) Obfuscation! Obfuscation is good for commercial games and it's also possible to obfuscate with uncommon characters that most decompilers can't deal with.

2) IEnumerator! Put sensitive methods in IEnumerator methods. Most decompilers can't fully decompile IEnumerators.

3) Encrypt! Currently data are download without any encryption, just pure json gzipped... The Zip should at least have a password (encrypted in DLL).

4) No generic method! Avoid generic methods to download world files

5) Restricted Access! Do not allow WORLD files to be downloaded when owner is offline

Link to comment
Share on other sites

  • Modz Gold Member
28 minutes ago, LetMeAnswer said:

Here are some ways to secure a lot rooms and DLL:

1) Obfuscation! Obfuscation is good for commercial games and it's also possible to obfuscate with uncommon characters that most decompilers can't deal with.

2) IEnumerator! Put sensitive methods in IEnumerator methods. Most decompilers can't fully decompile IEnumerators.

3) Encrypt! Currently data are download without any encryption, just pure json gzipped... The Zip should at least have a password (encrypted in DLL).

4) No generic method! Avoid generic methods to download world files

5) Restricted Access! Do not allow WORLD files to be downloaded when owner is offline

 

  1. This is the most obvious solution (though I'm not looking forward to it for obvious reasons XD). Also, Unity obfuscators are usually less harsh than generic .Net ones due to the way Unity needs to work with the assemblies.
  2. dnSpy can handle them nicely since v4 (which is awesome!), and they were not that hard to fix after decompilation even when they are in "raw" decompiled format.
  3. There was an "encryption" for pre-world-editor files with ridiculous keys stored in plain text in the dll :)
  4. Not sure what you mean here exactly.
  5. This sounds like a reasonable measure, but it only narrows down the "window of opportunity".

In any case a user will still be able to grab the room data by joining it when it's shared (encrypted or not, that's another matter).

There is also an ultimate IL2CPP solution on the newest versions of Unity, but I really hope this never happens in 3dx O:)

 

Link to comment
Share on other sites

  • Modz Gold Member
1 hour ago, AlexRyder said:

Uhm, I didn't ban anyone or give out anyone's e-mails O_o

My first account "Heden" has been banned here and the attached email address leaked to pierrousss. I don't care but that's not cool...

Then my second account to answer has been removed.

I just wanted to have a chance to explain a bit things.

 

Anyway, compiled C# will never been 100% secured but with all those (simple) methods applied, the game will be a lot more "safe".

For the 4) I am talking about simple methods like for example "Download(string nameOfDataToDownload)". This is so obvious to spot and easy to modify... There is no security at all in such method, nothing controlled, not permissions or rights management.

Edited by LetMeAnswer
Link to comment
Share on other sites

  • Modz Gold Member
1 hour ago, LetMeAnswer said:

My first account "Heden" has been banned here and the attached email address leaked to pierrousss. I don't care but that's not cool...

Then my second account to answer has been removed.

I just wanted to have a chance to explain a bit things.

There is probably too many admin accounts for a single site, apparently someone got trigger happy :S

 

1 hour ago, LetMeAnswer said:

Anyway, compiled C# will never been 100% secured but with all those (simple) methods applied, the game will be a lot more "safe".

For the 4) I am talking about simple methods like for example "Download(string nameOfDataToDownload)". This is so obvious to spot and easy to modify... There is no security at all in such method, nothing controlled, not permissions or rights management.

Well, to be fair, 3dx uses a sort of a native obfuscation, sometimes referred to as "spaghetti code" ;) 

I'm pretty sure it's been "zero security" approach since day one, they can just add it to the EULA and be done with it, I think :D

 

Link to comment
Share on other sites

  • Modz Gold Member

Hey there,

I know that downloading works, as I tried it myself in my modz, but I removed it again, especially due to not give people the options to steal rooms.

But the rooms must be downloaded and scanned by the local clients to be interpreted. Soeveryone with a bit of programming skills, can add that.

Securing this? Make the game in C#? then you could also use hard coded security things as they can't be directly read out of the code?

 

Tamara

Link to comment
Share on other sites

Guest Pierrousss

LOL .. i am dreaming... they deleted my thread on the forum and look what gizmo throw here...

 

image.thumb.png.3d2bb1dabc59308f9b22ca7535779e25.png

 

 

wtf ? ... so this means we can all hack everyone, its totally normal for him and also he is proving the entire community that nothing is secure on their server lol.. well well 

Link to comment
Share on other sites

  • Modz Gold Member
53 minutes ago, Pierrousss said:

they deleted my thread on the forum and look what gizmo throw here...

 

53 minutes ago, Pierrousss said:

wtf ? ... so this means we can all hack everyone, its totally normal for him and also he is proving the entire community that nothing is secure on their server lol.. well well 

I think this is how it's been since day 1 anyway? xD

I sorta expected an answer like that, making secure code is hard xD

 

13 minutes ago, TamaraX said:

At least not room data.

Hm, what do you mean?

Link to comment
Share on other sites

  • Modz Gold Member

Room data could be secured (at least a bit) and DLL could be locked (at least a bit).

 

Something I forgot in suggestions to secure game is to do a hash check on the compiled DLL (that's what I do on the software I'm working on). After compilation, the DLL hashes are crypted and stored in Unity assets (which are quite hard to access the content). Then on launch the game checks what DLL has been modified and reacts depending on which DLL has been modified (in my case I close software without warning).

 

The whole method(s) to check the DLL hash is obfuscated, in IEnumerator and not obvious to spot (like in a Monobehavior class).

 

Removing the thread on 3DX forum is dumb and just proves game developers don't care about game development.

Edited by Heden
Link to comment
Share on other sites

  • Modz Gold Member
5 minutes ago, Heden said:

Something I forgot in suggestions to secure game is to do a hash check on the compiled DLL (that's what I do on the software I'm working on). After compilation, the DLL hashes are crypted and stored in Unity assets (which are quite hard to access the content). Then on launch the game checks what DLL has been modified and reacts depending on which DLL has been modified (in my case I close software without warning).

That would be pretty easy to fix once you have figured out where the hash check is (there are even ways to use a code debugger with a compiled game, so shouldn't be impossible even for an obfuscated dll), I have done this with unmanaged binaries, and I'm a complete C++ and ASM noob xD

Also, may be tricky to do this with Unity since it recompiles all the dlls on game builds, but is probably doable, can't say since I haven't digged into it. And there also ways to browse and patch serialized Unity assets, UABE is a nice example :)+

 

11 minutes ago, Heden said:

The whole method(s) to check the DLL hash is obfuscated, in IEnumerator and not obvious to spot (like in a Monobehavior class).

Can be detected with a debugger.

 

11 minutes ago, Heden said:

Removing the thread on 3DX forum is dumb and just proves game developers don't care about game development.

I think they're not very fond of complaints in general. Though I'm kinda fine with this "zero security" approach and just accept it, fortunately all the banking data is handled by a specialized company xD

 

The more secure way would probably be to create a native C/C++ security and networking dll and access all the sensitive data via native api calls.

Link to comment
Share on other sites

  • Modz Gold Member
6 minutes ago, AlexRyder said:

The more secure way would probably be to create a native C/C++ security and networking dll and access all the sensitive data via native api calls.

 

Oh yes, I did not said that the methods I suggested are 100% sure but all of them put together are probably the best way to "secure" a C# binary and will prevent most developers from modifying the game. That worked well for the software I worked on.

 

And yes, native DLL to authentify, login, chat and access rooms (all exchanged data in fact) would be the best (and still not 100% secure). Especially for a game which has never been released on MacOS (or Linux)...

Edited by Heden
Link to comment
Share on other sites

  • Modz Gold Member

I still dont get it. At other games with a mmorpg function/setup I can design or even get a special weapon skin and even rooms or furnitures. And it is not possible to steal or download my stuff. 

Link to comment
Share on other sites

  • Modz Administrators
11 hours ago, Pierrousss said:

LOL .. i am dreaming... they deleted my thread on the forum and look what gizmo throw here...

 

image.thumb.png.3d2bb1dabc59308f9b22ca7535779e25.png

 

 

wtf ? ... so this means we can all hack everyone, its totally normal for him and also he is proving the entire community that nothing is secure on their server lol.. well well 

 

Hi Pierrouss

Thank you for sharing this post with us here on the Modz forums.

One of the reasons I support the Modz forums is it allows for frank, open and adult discussions about 3DX....that are not heavily censored. :)

 

Gizmos response is not a surprise. I am pretty sure he has known about all these issues for a long while, but as I said above. The game is developed in a basement (being a metaphor for a low tech company that creates this game on the weekends)

As Alex has said, this issue of being able to copy someones build file without them knowing has been around since Day one. Its just taken until now for it to happen publicly and I am sorry its happened to the White Palace.

 

I very much doubt there will be anything done about it by the Devs.

The Smart Modz developers here might be able to come up with a way to stop it via a Modz....but I assume it would require all players to have this Modz to work.

I think what you have done is the best way to prevent this in the future and that is by Calling it out when it happens.

We will see less of it if the 3DX community supports the builders and their wonderful creations...and if room stealing happens it needs to be made public very quickly through forums like this.

 

Link to comment
Share on other sites

  • Modz Gold Member
18 hours ago, Ayon said:

The game is developed in a basement (being a metaphor for a low tech company that creates this game on the weekends)

 

 

Looks like.And I miss something different. There is no official statement it is forbidden to hack or steal rooms. There are no rules regarding it. There is no official "ban"-statement. Just nothing. Like russian wild-west xD

Link to comment
Share on other sites

Guest Pierrousss
On 17/01/2018 at 6:36 PM, Heden said:

Mods should be officially supported like most modern indie games are. ;)

 

and you are still here ? lol, how much account do you will create and how much rooms you will continue to steal ?

Link to comment
Share on other sites

  • Modz Gold Member
5 hours ago, Pierrousss said:

 

and you are still here ? lol, how much account do you will create and how much rooms you will continue to steal ?

None, I'm totally authorized to be here... but you can't understand.

Edited by Heden
Link to comment
Share on other sites

Guest Pierrousss
8 hours ago, TamaraX said:

Pierrouss, mods do not mean stealing rooms....

Mods means extending the game somehow. Typically by addons.

 

what do you mean tamarra ? this person stole my room before i throw the real opening of it, and she colored it and opened it for all. the day before me and my girl were helping her cause she didnt even was able to add sinks in her room. so ?

 

she can steal your room too, or ayon or asher rooms or any good builder's room etc, pretty sure she already done, with a simple dll, thats all.  so good luck guyz

Edited by Pierrousss
Link to comment
Share on other sites

  • Modz Gold Member

If someone wants to steal my romm, ok, bad for me. But my friends know, what I build and how.

And not all modz devs steal rooms. This "download" options (and it is not more, beleive me) exists since long time.

And modz exists for a long time for 3dx. 

Without modz, many cool rooms would even not exist.

Link to comment
Share on other sites

  • Modz Gold Member

Maybe I am looking at this differently.  Everyone wants to add security on the server, and that would be great.

 

Wouldn't an object that I could add to the room that is part of a "signature" that when deleted cleared the room be easier to create? or couldn't be deleted or moved at all.

 

For instance,  I sign my room "Keely" with this marker.  Thief steals said room and deletes my marker (signature) then the whole room deletes.  they can restore it of course but they cant remove my signature.  Making it immovable would be even better so that when its placed...it can not be moved....so even when hidden its still there.  Or maybe make it so the marker once deleted destroys the room or corrupts the file.  Sure they can get it again but its just something to complicate their pathetic life.

 

FOr me I have added my name in at least 20 places - many times a lot more in every creation so that I can prove it is mine.  That way if they wanna  erase me as the author...they have to work for it and as we all know these are degenerates who couldn't build a room for themselves in the first place.

 

 

Link to comment
Share on other sites

  • Modz Gold Member

even if its a coded, server-based object? like a watermark?

 

So that my credentials are added to it so that its acts as a key to allow only me to open or host my room (even for editing)?

 

There has to be a differentiation between the host and the guests to the room.  People can join the room when its open but not everyone can host the room without the appropriate key tied to an object.  this object, if not placed, would allow me to share the room with anyone, but when its there only I can host it or edit it.

 

this just seems like a simple, credential tied object that would take some coding but not impossible....

Edited by keely kat
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now


  • Google Translate

×
×
  • Create New...

Important Information

By using and viewing this site, you agree to our Terms of Use.