Just something I was thinking about before,
with all of the (fantastic) reverse engineerings and restorations going on lately. I was wondering why nobody has created Hunter License and server address spoofing via Dreampi yet?
I'd assume all PSO needs for the Hunter License is "HL CHECK OK"; shouldn't be too hard to create a Dreampi module that sends the needed Hunter License check response required to connect to the server.
I think it would go a long way toward eliminating the patch disc requirement for PSO, being able to just pop the disc in and play.
Would also be cool if this hypothetical module allowed changing between servers like SCHTack and Sylverant (albeit controversial).
What do you guys think about this?
PSO: Dreampi Spoofing Overdue?
Moderator: pcwzrd13
- DR TEAMCAST
- Uber
- Posts: 1025
- Dreamcast Games you play Online: All
- Location: New Jersey
PSO: Dreampi Spoofing Overdue?
Forum for Dreamcast and Saturn browsers http://bb.dreampipe.net
Media, News, Events and more for your Sega Dreamcast internet browser at http://dreampipe.net
- pcwzrd13
- Seen Any Sailors?
- Posts: 7108
- Dreamcast Games you play Online: All of them! I'm able to connect with dial-up or broadband.
- Location: USA
Re: PSO: Dreampi Spoofing Overdue?
I've asked BlueCrab about this previously and he seems to think it would be very difficult to do.
BlueCrab wrote: The hunter's license check is done over HTTPS with a very specific hard-coded certificate chain that is included in the game binary. It would probably be rather difficult to circumvent in software in the DreamPi, unfortunately.

The PSO Patcher disc literally takes the first two instructions of the function that is used to run said check in the game and patches them to be as follows (in SuperH assembly):

    rts
    mov #0, r0

That's equivalent to making the function look something like this in C:

    int hl_check(...) {
        return 0;
        /* Most of the rest of the function's code is still here, but it will never be reached. */
    }

Thus, it never even tries to connect to the HTTPS server -- it simply returns success from the function immediately. This is, unfortunately, impossible to do on the server side without some sort of HTTPS/SSL vulnerability. I've never looked for anything like that in the PSO implementation of HTTPS, since it was much easier to just do what I did.
PSO Characters:
Teal'c - lvl 119 HUcast - GC# 11666
Alto - lvl 39 FOnewm - GC# 12964
YouTube Channel : Dreamcast Live
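As an added example (my code, not BlueCrab's patcher, the PSO Patcher disc, or anything posted in this thread): a Python script that encodes the two SH-4 instructions he describes, writes them over the start of a function in a binary image, and decodes the result to confirm what a caller would see. The image, the function offset and the prologue bytes are all constructed for the demo; the real location of the check inside the PSO binary is not given in this thread and is not assumed here.

```python
"""Build and apply the two-instruction SH-4 patch described above
(rts / mov #0, r0) to a binary image, then decode it back to confirm."""
import struct

# SH-4 is a 16-bit fixed-width ISA; the Dreamcast runs it little-endian.
#   RTS          = 0000 0000 0000 1011 = 0x000B
#   MOV #imm, Rn = 1110 nnnn iiii iiii -> MOV #0, R0 = 0xE000
RTS = 0x000B


def mov_imm(rn: int, imm: int) -> int:
    """Encode MOV #imm, Rn (imm is an 8-bit sign-extended immediate)."""
    if not 0 <= rn <= 15:
        raise ValueError("rn must be r0..r15")
    if not -128 <= imm <= 127:
        raise ValueError("imm must fit in a signed byte")
    return 0xE000 | (rn << 8) | (imm & 0xFF)


def encode(words):
    """Pack 16-bit instruction words little-endian."""
    return b"".join(struct.pack("<H", w) for w in words)


def decode(word: int) -> str:
    """Decode the two opcodes this patch uses; anything else is left raw."""
    if word == RTS:
        return "rts"
    if word & 0xF000 == 0xE000:
        rn = (word >> 8) & 0xF
        imm = word & 0xFF
        if imm & 0x80:          # sign-extend the immediate
            imm -= 0x100
        return f"mov #{imm}, r{rn}"
    return f".word 0x{word:04X}"


# RTS is a delayed branch: the instruction in its delay slot (mov #0, r0)
# executes before control actually returns, so the caller sees r0 == 0.
HL_CHECK_PATCH = encode([RTS, mov_imm(0, 0)])  # b"\x0b\x00\x00\xe0"


def patch_function(image: bytes, func_offset: int, patch: bytes = HL_CHECK_PATCH) -> bytes:
    """Overwrite the first len(patch) bytes of the function at func_offset."""
    if func_offset % 2:
        raise ValueError("SH-4 instructions are 2-byte aligned")
    if func_offset < 0 or func_offset + len(patch) > len(image):
        raise ValueError("patch does not fit inside the image")
    return image[:func_offset] + patch + image[func_offset + len(patch):]


def disassemble(image: bytes, offset: int, count: int):
    """Decode `count` instruction words starting at `offset`."""
    words = struct.unpack_from(f"<{count}H", image, offset)
    return [decode(w) for w in words]


# Constructed sample image (NOT the PSO binary): a fake function at a
# hypothetical offset whose prologue saves pr, r14 and r13 on the stack.
SAMPLE_FUNC_OFFSET = 0x40
SAMPLE_PROLOGUE = [0x4F22, 0x2FE6, 0x2FD6]  # sts.l pr,@-r15 ; mov.l r14,@-r15 ; mov.l r13,@-r15
SAMPLE_IMAGE = bytes(SAMPLE_FUNC_OFFSET) + encode(SAMPLE_PROLOGUE) + bytes(0x20)


if __name__ == "__main__":
    before = disassemble(SAMPLE_IMAGE, SAMPLE_FUNC_OFFSET, 3)
    patched = patch_function(SAMPLE_IMAGE, SAMPLE_FUNC_OFFSET)
    after = disassemble(patched, SAMPLE_FUNC_OFFSET, 3)
    print("before:", before)
    print("after: ", after)
    print("patch bytes:", HL_CHECK_PATCH.hex())
```

Only the first four bytes of the function change; the third prologue word and everything after it are left in place, which is exactly the "rest of the function is still there but never reached" situation the C sketch shows. The decoder is deliberately limited to the two opcodes the patch uses, so any other word comes back as a raw `.word` rather than a guessed mnemonic.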
- Xiden
- Developer
- Posts: 2225
- Dreamcast Games you play Online: All the DC games!!
Re: PSO: Dreampi Spoofing Overdue?
Wonder if something could just be changed/added server-side to assume all incoming connections have a Hunter License.
I personally use the Ives release, which is nice due to it being pre-patched.
- DR TEAMCAST
- Uber
- Posts: 1025
- Dreamcast Games you play Online: All
- Location: New Jersey
Re: PSO: Dreampi Spoofing Overdue?
Hmm, I disagree. It is possible to disassemble the binary, find what the game wants as "HL CHECK OK" and create a local spoof server on Dreampi.

BlueCrab described what his patch does: it NOPs out the function in memory, which is a memory hack. I'm saying someone should investigate whether "HL CHECK OK" is a simple return packet after the client sends the Hunter License to the server, or whether there are multiple layers on top of that.

The HTTPS/SSL vulnerability is moot; you can buy a year for a cheap Linux box to just host a web server isolated from everything. If the game is spoofed into connecting to an HTTPS IP address instead of resolving a domain name, then it'd be near impossible to get indexed by crawler bots, only malicious intrusion by somebody specifically targeting the PSO server, and I don't think anyone really cares enough to go through all of that to get a bunch of people's Dreamcast passwords. Hopefully nobody is stupid enough to use their bank account passwords on PSO lol.

Edit: wait, a local spoof would have zero security vulnerabilities, but my point is still valid if it was not hosted locally.
Forum for Dreamcast and Saturn browsers http://bb.dreampipe.net
Media, News, Events and more for your Sega Dreamcast internet browser at http://dreampipe.net
- DR TEAMCAST
- Uber
- Posts: 1025
- Dreamcast Games you play Online: All
- Location: New Jersey
Re: PSO: Dreampi Spoofing Overdue?
BlueCrab wrote: very specific hard-coded certificate chain that is included in the game binary

That's just fancy talk for it needs a few packets that I don't feel like deciphering in SH4 ASM, and BlueCrab would probably agree. Once you figure out what packets it wants, it's only one mini operation compared to the entire PSO server or really anything that's been restored so far.
Forum for Dreamcast and Saturn browsers http://bb.dreampipe.net
Media, News, Events and more for your Sega Dreamcast internet browser at http://dreampipe.net
- Anarki
- Posts: 87
Re: PSO: Dreampi Spoofing Overdue?
Now I'm no programmer, but when he says specific SSL cert I'm guessing it will only talk to the HTTPS server that has that cert ID, so buying a legit or even self-signing a cert would be useless without first patching the game to accept a different or any cert, making it a pointless exercise: instead of bypassing the challenge by just returning 0, you would patch it so it runs the challenge and the auth system will let it use a different HTTPS cert. Both end in needing to patch the game, and running the challenge would be more work to figure out than just bypassing it.
The reason he was saying you would need to find a vuln in the SSL setup PSO on DC uses, which could be possible as it would be a nearly 16-year-old build.
Not sure about how the GC PSO exploit worked, but I remember playing around with that in early GC scene days before a disc-based solution was found; might be something to look into how that exploit worked and if it is usable for this case.
- Anarki
- Posts: 87
Re: PSO: Dreampi Spoofing Overdue?
Had a bit of digging into how the GC exploit worked; it wasn't too documented, but I found some info on the gc-linux page.
http://www.gc-linux.org/wiki/PSOload

gc-linux wiki wrote: It works by tricking a game called Phantasy Star Online (PSO) into downloading code from the network. PSO tries to connect to a central server if you want to play an online game, and the network protocol provides the facility to download an updated version of the game executable. By providing a fake server on the local network this mechanism can be used to upload arbitrary code to the GameCube.

Assuming the DC version also looks for an update in the same way (it may very well not, or not at all, as I don't know jack about PSO on DC), then you could think this same method could be used to upload a payload to run the patch, making it do it on the fly when connecting. Something to look into if it hasn't been thought of before.
Once again, no real programmer, nor do I have any knowledge of how PSO and its servers run.
- Anarki
- Posts: 87
Re: PSO: Dreampi Spoofing Overdue?
Though if someone can confirm that DC does look for an update, then I can set up some packet dumping of me running PSOload to see how it takes over; I might be able to work out how it works by myself and just release info on how the initial loading of a DOL or payload happens, but I don't reckon I will be able to code a patch to load the private servers. Worst case I can't work out how it does it from the packet dumps and just upload the dump of it in action for someone else to reverse. But really there's no point looking into it if DC PSO doesn't look for an update on connect, which honestly I think will be the case.
- DR TEAMCAST
- Uber
- Posts: 1025
- Dreamcast Games you play Online: All
- Location: New Jersey
Re: PSO: Dreampi Spoofing Overdue?
No, you don't need to do any packet dumps. The only way to create a Hunter License spoofer is by disassembling the binary and figuring out the return packet(s) it wants by reading the ASM code.
As I said, very minor compared to everything else that's been done so far.
Forum for Dreamcast and Saturn browsers http://bb.dreampipe.net
Media, News, Events and more for your Sega Dreamcast internet browser at http://dreampipe.net