
An idea for retrieving the key on Windows!



A_Sound_Voice
11-02-2002, 08:48 AM
OK, I've thought a bit about the most suitable retrieval method for interacting with Windows.

A. The first solution would be to use an SNMP server on Windows; it seems to me that it is possible to scan the RAM of a remote PC by means of the Windows SNMP layer. With this solution, Verant would be unable to distinguish the request made in RAM to extract the encryption key. From there, it is ShowEQ that would consult the result of the search by means of the SNMP protocol.

B. The second solution would be to write a Perl script and, by means of advanced Perl functions, take this key and place it in a MySQL or other database, then have ShowEQ consult this database regularly to see whether the key has changed. I think the same thing should be doable with PHP, ASP or .NET.

The advantage of these two solutions is that it would not be possible to tell the difference between a standard process and a client dedicated to extracting the key under Windows. Nothing can prove that the player is using software that scans the RAM of their machine. A virus or a RAM optimization program does the same thing.

PS: Can anyone translate my post please? Thanks! :)

Tyrvidarus
11-02-2002, 09:10 AM
Here's a translation, not sure what he means though, because I don't know, not because of the translation. :) Courtesy of Babelfish.

Ok, I have reflechis one can concerning the method of reception the most adapted in interaction with Windows. A. The first solution of would be used a waiter SNMP on Windows, it seems to me that it is possible of scanner the RAM of a distant PC by means of layer SNMP of Windows. With this solution, verant would be unable to distinguish the requete made in the RAM to leave the key encoding. From the EC is ShowEQ which would consult the result of research by means of protocol SNMP. B The second solution would be to make a script in advanced Perl, and by means of function of Perl, to take this key of placed in a database mysql or other, then then to consult in a regular way by means of ShowEQ, this database to see whether there is modification of the key. I think that the same thing must be fesable by means of PHP ASP or NET. The advantage of these two solutions, it is that it would not be possible of determiner the difference between a standard process, of a customer to dedicate to the extraction of the key under Windows. Nothing can prove that the player uses a software which scan the RAM of its machine. A virus or a software of optimization of RAM makes the same thing.

seqseq
11-02-2002, 09:18 AM
He has a point... if you make it look like a virus scanner, for example, what could they do? Not a damn thing.

EnvyEyes
11-02-2002, 09:19 AM
Okay, my French is really poor, but what I'm getting out of this is he's recommending a couple of ways to make a 'sniffer' program virtually undetectable. [Both sound extremely inviting to me] I'm paraphrasing here, as I'm not trying to translate word for word.

First solution: Create an SNMP trap on the Windoze machine and using this trap, SEQ would be able to 'poll' the Windoze system without VI being able to prove anything was scanning for just the key.

Second one: Using advanced Perl, write a script that grabbed the key and wrote it into a database. Have SEQ query the database for the key regularly. Again, VI can't really prove squat.

The advantage of these two solutions is that it would not be possible to determine the difference between a standard process of a customer and one dedicated to the extraction of the key under Windows. Nothing can prove that the player uses software which scans the RAM of its machine. A virus or software to optimize RAM does the same things.

[Again, this is just what I'm getting from my kinda rough translation]

[Edit: man I type slow, haha.... not a single reply when I started mine... oh well, hope it helps]

EQDoze
11-02-2002, 09:58 AM
The problem remains the same. This "virus scanner" would have a fingerprint. VI does not have to have any grounds for banning. It's their game. You people seem to forget that one simple fact.

If they start seeing this common fingerprint accessing memory (specifically EQ's memory) on EQ players' machines, they can (not necessarily "will") start banning based on this common fingerprint.

When you get your e-mail it'll simply say you were banned on suspicion alone.

This is not a novel idea, it was suggested. The only way to keep them out of your machine is if they can't detect process memory accesses -- and that's just not possible.

The process that does the scan would literally have to be a polymorphic virus, one that has no common fingerprint among many EQ players simultaneously. Of course, this is a possibility, but that opens an entirely new can of worms. I, personally, don't want polymorphic source code being distributed so widely among a user base that has proven to be vindictive and reactionary. Furthermore, I would never run someone else's compiled code on my machine -- if I didn't have the source to fiddle with myself, compile myself, and install myself -- I won't use it.


Be smart.

homer
11-02-2002, 10:49 AM
Well, there is one problem with what you said about fingerprints. There are a hell of a lot of them.

As someone who regularly goes into people's homes (cable tech) and works on modems and computers, I see MANY MANY MANY customers that play EQ, and one thing I have noticed is a majority of them have no less than 10 icons down in their systray. A few are the standard virus scanners, printer status, etc. But there are many that I would not allow to run on my computers. The 'spyware' programs and such. Don't most of these themselves sit there and scan memory? Looking for certain processes to be run which trigger them also?

A lot of people also have these Memory Wipers which I know do scan memory, and I have seen a few that would tell you what is there if you wanted to know.

Sorry if I am wrong on any of that, just posting what my experience and observations have been with dealing with many different systems.

Cheers.

A_Sound_Voice
11-02-2002, 11:10 AM
And what if you build an alternate "fingerprint" into the software, one that changes the name and the CRC when it's started?

For information: if Verant uses the EverQuest client for hacking purposes, or simply to observe what software the players are running, that is a violation of privacy. Even if their software has a policy that says they reserve the right to do whatever they want, under US law it is absolutely forbidden to violate privacy! Or so I believe :). Now, I strongly doubt that SOE wants to find itself sued like Microsoft over privacy violation problems!


And if SOE bans all players who use ShowEQ, EverQuest will be empty :)

Paramnesiac
11-02-2002, 01:36 PM
Non-babelfish personal translation of the second message, because I'm bored:

To inform/for information, if Verant were to use the EverQuest client to end pirating, or were simply to observe that the players start software... It's a violation of the private sector, same as their software license which says that it reserves the right to make (any decision) that [Verant] wants; just like the law in the US, it is absolutely forbidden to violate the private sector! .. or so I believe. Now I strongly doubt that SOE would like to see themselves endure a process like Microsoft has endured for their problems with private sector violation.

-----

Think it's pretty accurate.

If not, I'm sorry, A_Sound_Voice. I'm absolutely exhausted now :P

baelang
11-02-2002, 01:56 PM
Keyscanner fingerprints can be pretty hard to detect if done correctly.

This assumes, of course, that the code is compiled locally. All we have to do is distribute source code with a few nonsense constants and computations using those constants in the code near the memory scan.

These nonsense constants and computations can be changed by every user before they compile. Even if the rest of the program is unchanged, the "fingerprint" is changed.

There would be literally thousands of different fingerprints they would have to look for.

The more serious problem is that the memory read can be detected. I am not sure how we can get past that.

Gullork
11-02-2002, 03:11 PM
I'm not a programmer, I'm just trying to help if possible.

Is there any way to match the fingerprint of a currently in use and very popular virus scanner? If so, is there a way to have the sniffer access more than just the one area in eq memory to act like a virus scanner?

I guess the first question is the big one. I doubt that even SOE could stand the loss of every customer that runs <insert most popular virus scanner here>. So long as all memory is accessed in a manner similar to the way a virus scanner would work, they might not be able to tell the difference and would be in a pickle.

But again, I'm not a programmer. If the first question is like md5 and unable to be done, then this whole message is a waste of space.