Blizzard encrypted their installer with a code that's not generated by any means and the only way to get that code was to connect to their website to get it directly from Blizzard. Their website wouldn't release the code until the game was released.
The reason this worked was because people only had a week to try and brute force (randomly generate) the key... Which was a pretty long key so it could take quite a while to do. By the time someone could of done it, the game would be released so it was pointless to work on brute forcing it. I also believe they had a different key for each Battle.net region.
It just wasn't worth the effort with only a week. I am sure some tried but didn't even come close to getting the right key in only a week...
It could work for banks but seems like more work then it's worth. Each map would need it's own code for one. But if bank signatures work properly then I wouldn't expect anything more for it.
Now what they could do is have space (MB's) on each Battle.net account just for banks, so the bank files are uploaded to Battle.net instead of locally and loaded from the person's Battle.net account instead of locally. Might be more work then they are willing to do as well though.
... I was quite surprised when Blizz released SC2 they let us download it ahead of time. I was shocked, guessing some random dude would crack it open before 'official' release. So what did they use to protect their data? And why can't we do the same in a bank file? (FYI I'm asking genuinely... i don't know).
It's better for blizz to release, so they control what they release... especially in regards to the marketing
@OneTwoSC: Why hello again :) You probably don't remember me - we met in a game of OneTwoTD, I showed you some game-breaking bugs, then we talked about Computer Science for a while.
Quote from OneTwoSC:
Also, as 'unprotected' as any client-side data is... I was quite surprised when Blizz released SC2 they let us download it ahead of time. I was shocked, guessing some random dude would crack it open before 'official' release. So what did they use to protect their data? And why can't we do the same in a bank file? (FYI I'm asking genuinely... i don't know).
Normal (symmetric) encryption requires only one thing to encrypt or decrypt data - the key. A key is just a very large number - usually 128 or 256 bits - that you must know exactly in order to perform the encryption or decryption. (256-bits may not sound like a lot, but it is actually enormous - consider that it would only take a 265-bit key to give one key to every atom in the known universe. Even 128-bits is HUGE, more than a super-computer could likely brute force in any reasonable amount of time.)
So if someone simply sends you some encrypted data using a decent encryption algorithm (AES has become the de-facto standard, and is likely what Blizzard chose), but doesn't send you the key, you won't be able to decrypt it until you get the key (on release day).
The reason this won't work with bank files is that, in order for your computer to encrypt/decrypt the bank file, the key needs to be on the computer. And if the key is on the computer, it is completely possible for some hacker to find it and use it for himself.
What would be possible would be for Blizzard to actually sign the bank-files, so that anyone can verify the signature but no one can forge it. However, I very much doubt they do this, because:
Blizzard couldn't just accept bank files and sign them - then anyone could get any bank files signed. The only secure way would be to run the games on their servers, and just send the valid bank file when the client requests it. I don't know if the games are currently run on Blizzard's servers, but I am pretty certain they are not (that is, one player is chosen to act as the server when the game starts).
Signing is a pretty expensive operation, and would be a burden on their servers.
This would mean that no one could test or play custom maps offline.
Likely what they actually do is just take a bunch of data (bank file, map-name, user-name, publisher-name, etc.) and hash it. Then later, to verify, they take all that same data and hash it again. If they match up, it's a valid signature; if not, it's not.
Quote from OneTwoSC:
I put a really confusing trigger in my prisoner rebellion map to save out your wins to losses as something like "SDHA*34Hada"... and the trigger itself was so poorly organized no one could read it if they opened the map haha.
Actually, just before Blizzard added BankVerify(), I had set my Prisoner's Rebellion win/loss ratio to 1337/0. It only took about an hour :)
@BlueRajasmyk: Go
Sorry BlueRajasmyk, you are wrong at that point. The BankVerify option is just useless, because there are other bigger weaknesses in sc2.
The bank signature is just fortifying the main entrance, but the backdoor is still open. ;)
ZHRPG, Nexus Word Wars - both use signatures (NWW since today on EU), but can be hacked.
hmm you guys are weird
all you have to do is CODE the Account name like = A = 5 B = 4
Ex: get any information in your Bank file like: Vitality = 2
and now, you do some math!
Account name= AB = 54 X 2 = 108
When you load the map, if the number 108 have change (cause the guys want to boost his vitality exp: Vitality = 10), the map do the formula 54 x 10 = 540, and realise its NOT the same number of the bank file, make a trigger and compare 108 to 540, that mean he try to hack the bank file, cause it suppose to be 108 = 108, end game.
enjoy :)
Way to lazy to read all the posts, but I will tell you guys how I block stuff.
Steps:
1. Make Map
2. Save map in My Documents
3. Rename Map
4. Save map in My Documents as new file name
5. Realize that what you just did is completely pointless and a waste of time
6. Realize that no matter what you do your map can be easily hacked
7. Go cry in a corner (Or at the border of the room, if the room is a circle or oval)
That is what I do, although I hear Starcode works too.
Well, cyphering (like, hashing) is actually what you said, but methods they are talking about are more complex than simple 1 line formula.
no need to be complex, everyone have a BNET account name linked with CD-key, this IS your unique ID, just have to use it correctly. You cant change your Account name in a bank file, so why waste time with crypting, just use the account name as a ID.
good luck but my bank file is save and if anyone try to change his bank file to cheat, the map just End and that it, go buy another cd-key or get back the old info of the bank if you want to play my map
hmm you guys are weird all you have to do is CODE the Account name like = A = 5 B = 4 Ex: get any information in your Bank file like: Vitality = 2
and now, you do some math! Account name= AB = 54 X 2 = 108
When you load the map, if the number 108 have change (cause the guys want to boost his vitality exp: Vitality = 10), the map do the formula 54 x 10 = 540, and realise its NOT the same number of the bank file, make a trigger and compare 108 to 540, that mean he try to hack the bank file, cause it suppose to be 108 = 108, end game. enjoy :)
What are you storing in the bank file and what are you checking against? Also, when did it become possible to check account names? I don't think what you're doing works but you haven't explained it well enough for me to tell you exactly why.
What are you storing in the bank file and what are you checking against? Also, when did it become possible to check account names? I don't think what you're doing works but you haven't explained it well enough for me to tell you exactly why.
idk how to explain it, it work in my map and we will see how secure it is when its release. I will be very impress if someone find a way to edit his bank file cause it compare the last time he quit the map with the next gamem diffirent code = map not load.
The key is here; USE ACCOUNT NAME, its unique!
EXAMPLE:
EGODOUT BANK FILE MAP:
OPEN BANK
Hero lvl 1
Vitality = 3
SAVE
((Trigger)) = E = 4 G = 3 O = 3 TOTAL = 10
10 x 3 (vit) = 30
OPEN BANK
CODE = 30
SAVE
QUIT MAP
LOADING MAP AGAIN BUT I HACKED THE BANK FILE :
Hero lvl 1
Vitality = 1337
CODE = 30
EGODBOUT START THE GAME:
(trigger) Its EGO = 10 10x1337 = 13370
ERROR ERROR, CODE SHOULD BE 30!
END GAME FOR PLAYER 1
Thing is, the hacker have no idea what is the ACCOUNT NAME CODE YOU GIVE TO LETTER !, he have to find it and its impossible with a good formula.
Not sure, what you mean here. Player names? They are not unique and you cannot even get them as non-text.
Quote:
Thing is, the hacker have no idea what is the ACCOUNT NAME CODE YOU GIVE TO LETTER !, he have to find it and its impossible with a good formula.
Any hacker has access to your map, a "locked" map can be hacked in about 10 seconds. He can just look up the code or even modify the map and create a new bank with it.
Not sure, what you mean here. Player names? They are not unique and you cannot even get them as non-text. Quote:
Thing is, the hacker have no idea what is the ACCOUNT NAME CODE YOU GIVE TO LETTER !, he have to find it and its impossible with a good formula.
Any hacker has access to your map, a "locked" map can be hacked in about 10 seconds. He can just look up the code or even modify the map and create a new bank with it.
you can get any player name in a bank and compare with the current player name, and for the code, he have to change the formula and checking hard in the trigger map, GL to find that, i have around 2000 triggers.
Like i said, i would be very impress if someone can cheat in my map, we will see
the problem with the encryption methods and everything is the triggers, the galaxy file, is available to everyone
for someone to play the map, they have to have the galaxy script
no matter what encryption method/algorithm you use. someone can open the script and look at the the steps involved to convert a player score into a bank file
and then they can replicate that process to create whatever score they want and put it through the same algorithms and use the same encryption key and everything.
the only way to secure this is to have something like the map MPQ or even JUST the galaxy file encrypted, using an encryption key generated by battle.net and stored on battle.net. but even then, you could probably still use some memory reading process to extract the script out of the game.
this ofcourse probably would make it impossible to play maps offline
@egodbout:
GL to find that, i have around 2000 triggers.
so all it'll take is time? thats not security at all.
the thing is.
to protect your map from 99% of players, all you need is basic encryption. bank signature, or simple starcode.
to protect your map from the 1% who are skilled programmers/reverse engineers or whatever, the steps we have available to use are not adequete in the slightest. you can spend weeks even months developing huge confusing algorithms and you would simply be wasting your time. you wont be stopping anymore people cheating your map than with something simple.
The thing is, you have an encryption system without a key (so, you have just an algorithm). If anybody gets the algorithm you have created, he can convert any password to its original state. So, to hack your map, people just need to obtain the map file, open it, see the algorithm. The next thing to do is to manually rewrite passwords or to create a program that does it. So then you can safely change "vitality" and insert new passwords. Simple. You want me to hack your map? :D
Rollback Post to RevisionRollBack
To post a comment, please login or register a new account.
@OneTwoSC: Go
Blizzard encrypted their installer with a code that's not generated by any means and the only way to get that code was to connect to their website to get it directly from Blizzard. Their website wouldn't release the code until the game was released.
The reason this worked was because people only had a week to try and brute force (randomly generate) the key... Which was a pretty long key so it could take quite a while to do. By the time someone could of done it, the game would be released so it was pointless to work on brute forcing it. I also believe they had a different key for each Battle.net region.
It just wasn't worth the effort with only a week. I am sure some tried but didn't even come close to getting the right key in only a week...
It could work for banks but seems like more work then it's worth. Each map would need it's own code for one. But if bank signatures work properly then I wouldn't expect anything more for it.
Now what they could do is have space (MB's) on each Battle.net account just for banks, so the bank files are uploaded to Battle.net instead of locally and loaded from the person's Battle.net account instead of locally. Might be more work then they are willing to do as well though.
It's better for blizz to release, so they control what they release... especially in regards to the marketing
@OneTwoSC: Why hello again :) You probably don't remember me - we met in a game of OneTwoTD, I showed you some game-breaking bugs, then we talked about Computer Science for a while.
Normal (symmetric) encryption requires only one thing to encrypt or decrypt data - the key. A key is just a very large number - usually 128 or 256 bits - that you must know exactly in order to perform the encryption or decryption. (256-bits may not sound like a lot, but it is actually enormous - consider that it would only take a 265-bit key to give one key to every atom in the known universe. Even 128-bits is HUGE, more than a super-computer could likely brute force in any reasonable amount of time.)
So if someone simply sends you some encrypted data using a decent encryption algorithm (AES has become the de-facto standard, and is likely what Blizzard chose), but doesn't send you the key, you won't be able to decrypt it until you get the key (on release day).
The reason this won't work with bank files is that, in order for your computer to encrypt/decrypt the bank file, the key needs to be on the computer. And if the key is on the computer, it is completely possible for some hacker to find it and use it for himself.
What would be possible would be for Blizzard to actually sign the bank-files, so that anyone can verify the signature but no one can forge it. However, I very much doubt they do this, because:
Likely what they actually do is just take a bunch of data (bank file, map-name, user-name, publisher-name, etc.) and hash it. Then later, to verify, they take all that same data and hash it again. If they match up, it's a valid signature; if not, it's not.
Actually, just before Blizzard added BankVerify(), I had set my Prisoner's Rebellion win/loss ratio to 1337/0. It only took about an hour :)
Looks like there is not one unhacked map? Or is there?
@TimSin112:
i doubt it
rodrigo goes to great lengths to encrypt and create confusing triggers for nexus word wars
people still cheat it.
@TimSin112: All maps which use the new BankVerify() function (including SplitTD, and I believe all OneTwoSC's maps) are unhacked, to my knowledge.
@BlueRajasmyk: Go Sorry BlueRajasmyk, you are wrong at that point. The BankVerify option is just useless, because there are other bigger weaknesses in sc2.
The bank signature is just fortifying the main entrance, but the backdoor is still open. ;) ZHRPG, Nexus Word Wars - both use signatures (NWW since today on EU), but can be hacked.
But i will take a look on SplitTD :)
SplitTD is kind of unpopular on EU :( So i tried it in singleplayer, but there it seems there are no banks saved...
What about Starcode? Are there well protected maps with starcode?
hmm you guys are weird all you have to do is CODE the Account name like = A = 5 B = 4 Ex: get any information in your Bank file like: Vitality = 2
and now, you do some math! Account name= AB = 54 X 2 = 108
When you load the map, if the number 108 have change (cause the guys want to boost his vitality exp: Vitality = 10), the map do the formula 54 x 10 = 540, and realise its NOT the same number of the bank file, make a trigger and compare 108 to 540, that mean he try to hack the bank file, cause it suppose to be 108 = 108, end game. enjoy :)
Well, cyphering (like, hashing) is actually what you said, but methods they are talking about are more complex than simple 1 line formula.
Way to lazy to read all the posts, but I will tell you guys how I block stuff.
Steps:
1. Make Map
2. Save map in My Documents
3. Rename Map
4. Save map in My Documents as new file name
5. Realize that what you just did is completely pointless and a waste of time
6. Realize that no matter what you do your map can be easily hacked
7. Go cry in a corner (Or at the border of the room, if the room is a circle or oval)
That is what I do, although I hear Starcode works too.
Great to be back and part of the community again!
no need to be complex, everyone have a BNET account name linked with CD-key, this IS your unique ID, just have to use it correctly. You cant change your Account name in a bank file, so why waste time with crypting, just use the account name as a ID.
good luck but my bank file is save and if anyone try to change his bank file to cheat, the map just End and that it, go buy another cd-key or get back the old info of the bank if you want to play my map
egod
What are you storing in the bank file and what are you checking against? Also, when did it become possible to check account names? I don't think what you're doing works but you haven't explained it well enough for me to tell you exactly why.
idk how to explain it, it work in my map and we will see how secure it is when its release. I will be very impress if someone find a way to edit his bank file cause it compare the last time he quit the map with the next gamem diffirent code = map not load.
The key is here; USE ACCOUNT NAME, its unique!
EXAMPLE:
EGODOUT BANK FILE MAP: OPEN BANK Hero lvl 1 Vitality = 3 SAVE
((Trigger)) = E = 4 G = 3 O = 3 TOTAL = 10 10 x 3 (vit) = 30 OPEN BANK CODE = 30 SAVE QUIT MAP
LOADING MAP AGAIN BUT I HACKED THE BANK FILE : Hero lvl 1 Vitality = 1337 CODE = 30
EGODBOUT START THE GAME: (trigger) Its EGO = 10 10x1337 = 13370 ERROR ERROR, CODE SHOULD BE 30! END GAME FOR PLAYER 1
Thing is, the hacker have no idea what is the ACCOUNT NAME CODE YOU GIVE TO LETTER !, he have to find it and its impossible with a good formula.
Not sure, what you mean here. Player names? They are not unique and you cannot even get them as non-text.
Any hacker has access to your map, a "locked" map can be hacked in about 10 seconds. He can just look up the code or even modify the map and create a new bank with it.
you can get any player name in a bank and compare with the current player name, and for the code, he have to change the formula and checking hard in the trigger map, GL to find that, i have around 2000 triggers.
Like i said, i would be very impress if someone can cheat in my map, we will see
As in compare text? That doesn't work, does it? Or did they include the get player name as string option?
@egodbout: Go
The thing is, you have an encryption system without a key (so, you have just an algorithm). If anybody gets the algorithm you have created, he can convert any password to its original state. So, to hack your map, people just need to obtain the map file, open it, see the algorithm. The next thing to do is to manually rewrite passwords or to create a program that does it. So then you can safely change "vitality" and insert new passwords. Simple. You want me to hack your map? :D