#######################################################################

Luigi Auriemma

Application:  Gamespy cd-key validation system
              http://www.gamespy.net
Games:        The amount of games that use this system is really huge;
              a small list (maintained by me) is available here:
              http://aluigi.org/papers/gshlist.txt
              An official list of games that use the Gamespy stuff (so
              not only the cd-keys) is available here:
              http://www.gamespy.net/partners/
Versions:     the bug will be corrected on the master server; at the
              moment I'm writing, the bug still exists
Bug:          players can use the same cd-key online at the same moment
Exploitation: remote
Date:         04 May 2005
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) An example of real life
4) The Code
5) Fix

#######################################################################

===============
1) Introduction
===============

The Gamespy cd-key validation system is a toolkit used by a HUGE number of multiplayer games; it is needed to verify the cd-keys used by the players when they want to join an online game server.

Some of the most famous and most played games that use this toolkit are Halo, Battlefield 1942 and Vietnam, Men of Valor, Painkiller, Star Wars Battlefront, Star Wars Republic Commando, Tribes: Vengeance and many others among those listed here:

http://www.gamespy.net/partners/

#######################################################################

======
2) Bug
======

The problem is very simple: two or more players can use the same valid cd-key at the same moment on different servers. Naturally this situation is avoided by default for the well-known reasons (playing online with pirated games, first of all).

This is possible because a specific command (\disc\) exists, used by the game servers to free the cd-key of the users who leave the match they host.

In fact, when a player joins a server his cd-key becomes "in use" and nobody can use the same cd-key online at the same time. The \disc\ and \uoff\ commands plus the "no reply" are the mechanism used to free a cd-key in use, and the game server is the only one able (and entitled) to use it.

The \disc\ command is transmitted in a UDP packet (like any other command) and contains the following parameters:

  \pid\ = the Gamespy PID, a number that identifies any multiplayer game
  \cd\  = the MD5 hash of the user's cd-key
  \ip\  = the IP address of the client

Because the master server has nothing more than the source address of this UDP packet to tell a real game server apart from someone forging one, a client who knows these three values can free his own cd-key while he is still playing.

The following section contains some details and a possible scenario for the usage of this flaw.

#######################################################################

==========================
3) An example of real life
==========================

Two friends have just bought the game Halo in a nice games shop in their town; finally they can kill the little Covenants on Halo's ring. Each one has paid half of the full price (they are not rich but fortunately are friends and respect the work of the developers), and they go quickly home to play online with this nice game using the same valid cd-key.

The first guy (X) joins a server without problems while the second (Y) receives a "Cd-key in use" error on any server he tries to join. Unfortunately Y didn't know about this mechanism.

But X knows that Halo uses the Gamespy cd-key validation system and knows also that this mechanism is affected by some implementation flaws, so he decides to solve his friend's problem once and for all.

X creates a tool that automatically sends a spoofed \disc\ packet to the master server using the source IP and port of the server he has joined. He can do it easily enough because he knows the PID of his game (793 for Halo) and naturally knows both his cd-key (or directly its MD5 hash) and his public IP address used by the server to authorize him.

So when X joins a server, he sends a spoofed \disc\ command and his cd-key is no longer in use. Now Y can play on the Internet at the same moment that X is online, without problems and on any server. The only limitation is that they cannot play on the same server, because it rejects players with the same cd-key without needing to contact the Gamespy master server.

The problem is that if two friends can do that, the same can be done by 10, 100 or 1000 people, and this is not a very good thing. Someone might say that this is already possible through the use of modified servers, but almost all Internet servers are regular ones and accept only players with valid cd-keys.

#######################################################################

===========
4) The Code
===========

Note: this bug will be fixed on the Gamespy master server, so even though it is still possible to test it at the moment I'm writing this paper, in the next days it will no longer be possible to test it successfully. In short, if your tests fail it's because the bug has been fixed.

The proof-of-concept is available here:

http://aluigi.org/poc/gskeydisc.zip

It is a simple UDP spoofer that works on Linux and requires the following parameters:

- server     the hostname or the IP of the game server
- port       the port of the server
- pid        the PID of the game
             http://aluigi.org/papers/gspids.txt
- cd-key     the cd-key in use or its MD5 hash
- client_ip  the IP of the client that owns the cd-key

First practical usage
---------------------

Launch a dedicated server of your favourite game and join it with your client (the game must use the Gamespy cd-key validation toolkit, naturally).

Verify that your cd-key is in use with the following tool, or manually by trying to connect another client to a different server:

http://aluigi.org/papers/gskeycheck.zip

Now launch the proof-of-concept gskeydisc specifying the public IP and port of your game server, the PID of the game, your cd-key and the IP used by your server to identify the client (usually 127.0.0.1; it's the same IP you inserted to select your local dedicated server, use GsHsniff to resolve any doubt).

Now relaunch gskeycheck: the cd-key should no longer be in use.

Second practical usage
----------------------

Launch my "Cd-key in use" proof-of-concept using an authorization request previously captured with GsHsniff:

http://aluigi.org/papers/gshsniff.zip
http://aluigi.org/poc/gskeyinuse.zip

If you know the original cd-key, launch gskeycheck to be sure that it is really in use; otherwise launch another instance of gskeyinuse using a different local port.

Launch gskeydisc specifying all the needed parameters displayed by gskeyinuse.

Relaunch gskeycheck or gskeyinuse to verify that the cd-key is no longer in use.

#######################################################################

======
5) Fix
======

Gamespy has been contacted and is working on a solution.

FYI, naturally Gamespy has been aware of this problem for many years, since it was visible during the engineering of the cd-key validation system, but this is another story...

The fix will probably be implemented on the master server by sending an \ison\ command to the game server when a \disc\ is received, so that the key is freed only if the server that really hosts the player confirms he has left.

Anyway, it is possible that the fix has already been implemented by the time you read this paper.

UPDATE 01 Sep 2005:
No fix has been implemented yet

UPDATE 21 Nov 2007:
No fix yet, better for the players who can play with the same cdkey

#######################################################################
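As an added illustration of sections 2 and 5 (a simulation written for this page, not the paper's proof-of-concept nor Gamespy's code), the following toy master server keeps the "in use" table, accepts \disc\ with the \pid\, \cd\ and \ip\ fields, and can be switched between trusting the UDP source and confirming through the \ison\ round trip the fix describes. It assumes the master records the game server's address at authorization time and that \ison\ carries the same fields as \disc\; the wire layout, addresses and cd-key are constructed samples.

```python
import hashlib
def parse_gs(msg):
    """Split the backslash-delimited \\key\\value\\ text (layout assumed from the paper's field list)."""
    parts = msg.strip("\\").split("\\")
    if len(parts) % 2:
        raise ValueError("odd number of fields in %r" % msg)
    return dict(zip(parts[0::2], parts[1::2]))

def cdkey_hash(cdkey):
    # The \cd\ field carries the MD5 hash of the cd-key, as the paper states.
    return hashlib.md5(cdkey.encode()).hexdigest()

class MasterServer:
    """Toy 'in use' table of the master server (a simulation, not Gamespy code)."""
    def __init__(self, verify_with_ison):
        self.verify_with_ison = verify_with_ison
        self.in_use = {}  # (pid, cd_hash) -> (game server address, client ip)

    def authorize(self, pid, cd, client_ip, server_addr):
        if (pid, cd) in self.in_use:
            return "Cd-key in use"
        self.in_use[(pid, cd)] = (server_addr, client_ip)
        return "ok"

    def handle_disc(self, packet, src_addr, ison_query):
        # ison_query(server_addr, pid, cd, ip) -> bool stands in for the \ison\ round
        # trip to the *registered* server address; its parameters are an assumption.
        f = parse_gs(packet)
        entry = self.in_use.get((f["pid"], f["cd"]))
        if entry is None:
            return "not in use"
        server_addr, client_ip = entry
        if src_addr != server_addr or f["ip"] != client_ip:
            return "ignored"  # vulnerable check: the UDP source is all it trusts
        if self.verify_with_ison and ison_query(server_addr, f["pid"], f["cd"], f["ip"]):
            return "ignored"  # fix: the real server says the client is still there
        del self.in_use[(f["pid"], f["cd"])]
        return "freed"

def scenario(verify_with_ison):
    """Replay the paper's story: X plays, a \\disc\\ forged as the server arrives, Y joins."""
    ms = MasterServer(verify_with_ison)
    pid, cd = "793", cdkey_hash("CONSTRUCTED-SAMPLE-KEY")  # 793 is Halo's PID per the paper
    server, x_ip = ("203.0.113.10", 2302), "198.51.100.5"   # constructed addresses
    x = ms.authorize(pid, cd, x_ip, server)
    disc = "\\disc\\\\pid\\%s\\cd\\%s\\ip\\%s" % (pid, cd, x_ip)
    # The genuine game server still has X connected, so an \ison\ query answers True.
    freed = ms.handle_disc(disc, server, lambda *args: True)
    y = ms.authorize(pid, cd, "192.0.2.77", ("203.0.113.20", 2302))
    return x, freed, y
```

With the source-only check, scenario(False) frees X's key and lets Y in; with the \ison\ confirmation, scenario(True) keeps the key in use and Y still gets "Cd-key in use".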