PSO: Dreampi Spoofing Overdue?

Online games, how to get online, and anything involving Dreamcast online can be discussed here.
DR TEAMCAST
Metallic
Posts: 809

PSO: Dreampi Spoofing Overdue?

Post#1 » Thu Sep 28, 2017 6:46 pm

just something i was thinking about before

With all of the (fantastic) reverse engineering and restorations going on lately, I was wondering why nobody has created Hunter License and server address spoofing via DreamPi yet?

I'd assume all PSO needs for the Hunter License is "HL CHECK OK"; it shouldn't be too hard to create a DreamPi module that sends the Hunter License check response required to connect to the server.

I think it would go a long way to eliminate the patch disc requirement for PSO: being able to just pop the disc in and play.

It would also be cool if this hypothetical module allowed changing between servers like SCHTack and Sylverant (albeit controversial).

what do you guys think about this?
Forum for Dreamcast and Saturn browsers http://bb.dreampipe.net
Media, News, Events and more for your Sega Dreamcast internet browser at http://dreampipe.net

pcwzrd13
Seen Any Sailors?
Posts: 4984

Re: PSO: Dreampi Spoofing Overdue?

Post#2 » Thu Sep 28, 2017 7:32 pm

I've asked BlueCrab about this previously and he seems to think it would be very difficult to do.

BlueCrab wrote:The hunter's license check is done over HTTPS with a very specific hard-coded certificate chain that is included in the game binary. It would probably be rather difficult to circumvent in software in the DreamPi, unfortunately.

The PSO Patcher disc literally takes the first two instructions of the function that is used to run said check in the game and patches them to be as follows (in SuperH assembly):


    rts
    mov #0, r0


That's equivalent to making the function look something like this in C:


int hl_check(...) {
    return 0;
    /* Most of the rest of the function's code is still here, but it will never be reached. */
}

Thus, it never even tries to connect to the HTTPS server -- it simply returns success from the function immediately. This is, unfortunately, impossible to do on the server side without some sort of HTTPS/SSL vulnerability. I've never looked for anything like that in the PSO implementation of HTTPS, since it was much easier to just do what I did. ;)
PSO Characters:
Teal'c - lvl 119 HUcast - GC# 11666
Alto - lvl 39 FOnewm - GC# 12964

YouTube Channel : Dreamcast Live
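The point in BlueCrab's quoted explanation is that the hunter's license client does not trust whatever server answers at the address it dials; it trusts only the certificate chain baked into the binary. The following is an added illustration of that pinning logic, not BlueCrab's code or PSO's: it uses a constructed stand-in key and a SHA-256 digest in place of the game's real X.509 chain, and keeps the thread's convention that a return value of 0 means "HL CHECK OK". The three candidate servers are constructed, not real hosts.

```python
import hashlib
import hmac

# Constructed stand-in for the server key the game binary would carry.
# The real game embeds a full X.509 certificate chain, not a raw key; the
# pinning idea is the same: a digest fixed at build time, compared at runtime.
PINNED_SERVER_KEY = b"constructed-pso-server-key"
PINNED_KEY_SHA256 = hashlib.sha256(PINNED_SERVER_KEY).hexdigest()

HL_OK = 0        # "HL CHECK OK", matching the return-0-means-success convention
HL_BAD_PIN = 1   # presented key does not match the pin; connection refused


def hl_check_pinned(presented_server_key: bytes) -> int:
    """Accept the server only if the key it presents matches the pinned digest.

    Which hostname or IP the client reached plays no part in this decision,
    so redirecting DNS or the dial-up target alone cannot satisfy the check.
    """
    presented = hashlib.sha256(presented_server_key).hexdigest()
    # Constant-time compare, the normal practice for any digest comparison.
    if hmac.compare_digest(presented, PINNED_KEY_SHA256):
        return HL_OK
    return HL_BAD_PIN


def classify_candidates(candidates: dict) -> dict:
    """Run the pinned check against several would-be servers (constructed input)."""
    return {name: hl_check_pinned(key) for name, key in candidates.items()}


# Constructed candidates: only the holder of the pinned key passes. A cert a
# spoof host bought from a CA, or self-signed, carries a different key and fails.
CANDIDATES = {
    "server holding the pinned key": PINNED_SERVER_KEY,
    "self-signed spoof server": b"constructed-self-signed-key",
    "CA-issued cert for a spoof host": b"constructed-ca-issued-key",
}

if __name__ == "__main__":
    for name, result in classify_candidates(CANDIDATES).items():
        print(f"{name}: {'HL CHECK OK' if result == HL_OK else 'rejected (pin mismatch)'}")
```

This is why the thread's two routes are really one: either the pinned key's private half is available to the server operator (it is not, for a spoof server), or the check in the binary is changed so it no longer consults the pin, which is what the patch disc does by returning 0 before the HTTPS connection is ever attempted.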

Xiden
Rank 9
Posts: 973

Re: PSO: Dreampi Spoofing Overdue?

Post#3 » Thu Sep 28, 2017 9:37 pm

Wonder if something could just be changed/added serverside to assume all incoming connections have a hunter licence.

I personally use the Ives release, which is nice due to it being prepatched :)

DR TEAMCAST
Metallic
Posts: 809

Re: PSO: Dreampi Spoofing Overdue?

Post#4 » Thu Sep 28, 2017 11:18 pm

Hmm, I disagree. It is possible to disassemble the binary, find what the game wants as "HL CHECK OK" and create a local spoof server on DreamPi.

BlueCrab described what his patch does: it NOPs out the function in memory, which is a memory hack. I'm saying someone should investigate whether "HL CHECK OK" is a simple return packet after the client sends the hunter license to the server, or whether there are multiple layers on top of that.


The HTTPS/SSL vulnerability is moot; you can buy a year for a cheap Linux box to just host a webserver isolated from everything. If the game is spoofed into connecting to an HTTPS IP address instead of resolving to a domain name, then it'd be near impossible to get indexed by crawler bots. Only malicious intrusion by somebody specifically targeting the PSO server, which I don't think anyone really cares enough to go through all of that to get a bunch of people's Dreamcast passwords. Hopefully nobody is stupid enough to use their bank account passwords on PSO lol

Edit: wait, a local spoof would have zero security vulnerabilities, but my point is still valid if it was not hosted locally.

DR TEAMCAST
Metallic
Posts: 809

Re: PSO: Dreampi Spoofing Overdue?

Post#5 » Thu Sep 28, 2017 11:25 pm

> very specific hard-coded certificate chain that is included in the game binary

That's just fancy talk for "it needs a few packets that I don't feel like deciphering in SH4 ASM", and BlueCrab would probably agree. Once you figure out what packets it wants, it's only one mini operation compared to the entire PSO server or really anything that's been restored so far.

1nick9
lithium
Posts: 37

Re: PSO: Dreampi Spoofing Overdue?

Post#6 » Fri Sep 29, 2017 5:57 am

Now I'm no programmer, but when he says a specific SSL cert I'm guessing it will only talk to the HTTPS server that has that cert ID, so buying a legit or even self-signing a cert would be useless without first patching the game to accept a different or any cert, making it a pointless exercise: instead of bypassing the challenge by just returning 0, you would patch it so it runs the challenge and the auth system will let it use a different HTTPS cert. Both end in the same need to patch the game, and running the challenge would be more work to figure out than just bypassing it.

That's the reason he was saying you would need to find a vuln in the SSL setup PSO on DC uses, which could be possible as it would be a near 16-year-old build.

Not sure about how the GC PSO exploit worked, but I remember playing around with that in the early GC scene days before a disc-based solution was found; might be something to look into how that exploit worked and whether it's usable for this case.

1nick9
lithium
Posts: 37

Re: PSO: Dreampi Spoofing Overdue?

Post#7 » Fri Sep 29, 2017 6:02 am

My impression of his explanation anyway.

1nick9
lithium
Posts: 37

Re: PSO: Dreampi Spoofing Overdue?

Post#8 » Fri Sep 29, 2017 6:28 am

Had a bit of digging into how the GC exploit worked; it wasn't too documented, but found some info on the GC Linux page.

http://www.gc-linux.org/wiki/PSOload

> It works by tricking a game called Phantasy Star Online (PSO) into downloading code from the network. PSO tries to connect to a central server if you want to play an online game, and the network protocol provides the facility to download an updated version of the game executable. By providing a fake server on the local network this mechanism can be used to upload arbitrary code to the GameCube.

Assuming the DC version also looks for an update in the same way (it may very well not, or not at all, as I don't know jack about PSO on DC), then you could think this same method could be used to upload a payload to run the patch, making it do it on the fly when connecting. Something to look into if it hasn't been thought of before.

Once again, no real programmer, nor do I have any knowledge of how PSO and its servers run.

1nick9
lithium
Posts: 37

Re: PSO: Dreampi Spoofing Overdue?

Post#9 » Fri Sep 29, 2017 10:00 pm

Though if someone can confirm that DC does look for an update, then I can set up some packet dumping of me running PSOload to see how it takes over; might be able to work out how it works by myself and just release info on how the initial loading of the DOL or payload works, but I don't reckon I will be able to code a patch to load the private servers. Worst case I can't work out how it does it from the packet dumps and just upload the dump of it in action for someone else to reverse. But really no point to look into it if DC PSO doesn't look for an update on connect, which honestly I think will be the case.

DR TEAMCAST
Metallic
Posts: 809

Re: PSO: Dreampi Spoofing Overdue?

Post#10 » Sat Sep 30, 2017 5:48 am

No, you don't need to do any packet dumps. The only way to create a hunter license spoofer is by disassembling the binary and figuring out the return packet(s) it wants by reading the ASM code.

As I said, very minor compared to everything else that's been done so far.