EverQuest/Sony Fights Code Wars With Latest Expansion
The most recent expansion for EverQuest (Planes of Power) adds a lot of problem-solving quests to the game, so Sony beefed up the (long-since broken) encryption that they used for the client protocol. The expansion has been a major hit, pleasing some of the most critical voices in the EverQuest world, but one week later, the anonymous development team of ShowEQ had broken the new encryption. Read on for details of the ongoing battle over keeping secrets in plain sight.
First, the skinny on the latest EverQuest expansion, Planes of Power (PoP). Because this is an expansion chock-full of content for only the highest-level characters in the game, Sony added some features that everyone would want (and thus, pay for): the ability to progress to level 65 (60 was the cap before); a new zone called the Plane of Knowledge, which allows characters to move freely to all of the old game areas; and a feature that allows large groups to coordinate more easily. That's the carrot for the lower-end users, but really this is the first expansion to lock out even moderately experienced players in favor of large, strong in-game guilds.
Even so, the response has been almost all positive. Some players complain about the last-minute changes (especially the changes that made monks and druids less powerful in the high-end game), but those who are taking advantage of the new game areas are happy with the reduced time required for encounters and the fact that the game rewards strategy more than ever.
Planning, attention to detail and a fanatical focus on getting past every challenge that Sony presents are important in-game, but Sony is less than pleased by programmers who are just as happy to approach those challenges from outside of the game. ShowEQ, built on Linux and Qt, is a packet sniffer that watches the EverQuest client protocol and displays a map of everything that the Windows client is privy to but may not disclose to the player. Years ago, the ShowEQ developers discovered a weakness in the encryption that the client uses, and they have been able to reliably interpret the data ever since.
With the PoP release, Sony improved the encryption so that it used a larger key which was more securely chosen. At first, the talk on the ShowEQ IRC forum was gloomy and the normally secretive developers cloistered themselves off from the group, returning only rarely to proclaim the difficulty of breaking this new scheme. The protocol is not unlike that used by ssh or SSL: a public key is sent from Sony to the client, and the client uses that key to encrypt a random session key and send it to Sony. Theoretically, this approach is open to only a limited number of attacks, all of which run the risk of being detected by the client.
A former ShowEQ developer who had been hired by Sony was reported to have said it was over, "you'll never break this." One week later, the new version of ShowEQ was available via CVS and was working again. The new keys were vulnerable, it seems, to an even simpler form of analysis, and the result was simply that ShowEQ worked significantly faster. In many ways, this seemed to be a "bonus quest" that Sony threw into the PoP expansion, and it had been beaten.
On Thursday, October 31 ShowEQ broke once again. The protocol now compresses key data to prevent the analysis that was limiting the keyspace that has to be searched. As of this writing, ShowEQ no longer works passively, but this escalation is not over. The latest version allows a user to input the key directly, and developers are hard at work, trying to find further weaknesses in the key generation and/or exchange. The developers are even starting to question the long-held, unwritten truce that they maintained with Sony. The idea was that if Sony did not make decryption require a Windows-side component, there would never be a Windows version, limiting the use of ShowEQ to those capable of getting ShowEQ working under Linux. Now, the party line is, "there is absolutely, positively no reason not to have a WinSEQ."
The technical details are interesting, but the social and legal details may take center-stage for a while. The seq team is trying to figure out what they could put on the client-side without being detected and that brings into question the legality of Sony scanning running processes and reporting back. There's also the matter of Sony's rather astoundingly harsh EULA that tries to preclude activities like this in every way that it can (though the legality of click-through EULAs is still a hot topic).
One problem with this escalation is that, as with another product (TiVo, which is partially backed by Sony), the very people subverting the product and making it more than the creator wants it to be are the best customers. In terms of EverQuest, they are often the ones maintaining several accounts and/or spending extra money for the "Legends" service. How does a company contend with a market where your best customers are also your most resourceful? With the TiVo, there was an uneasy understanding between the company and its modders. Sony has broken that balance with EverQuest.
Now that Sony has crossed this Rubicon, it is quite likely that ShowEQ will be ported to Windows and hundreds if not thousands of new users will be introduced to it. Was that Sony's goal? Certainly Prof. Felten showed us that such a battle is ultimately futile. Why does Sony want to fight it again on yet another front (remember that they are an RIAA member)? Is there any financial justification here? Does mapping software really threaten the game more than the many in-game exploits that the high-end encounters suffer from?
PoP is a finely crafted fantasy gaming experience, but Sony has once again chosen to spend extra time and money hurting themselves and their market. Perhaps their competition will not make the same mistakes.
According to the Sony developer that everyone talked to, the changes that Sony makes to the encryption only take 20 minutes or so. I believe that part of that time included remaking about 5 different binaries with the new code. Sony just has to change the 5 or so #define's on the encryption and everything breaks. Also, according to the same developer, Sony will not spend much time on breaking ShowEQ until management decides otherwise.
How ShowEQ is fighting back is very interesting. Encryption information is stored at a preset offset in the client. About a month ago, SOE changed it so that, on NT/2000/XP boxes (this didn't affect Win 9x), other programs (even on accounts with "Administrator Access") couldn't read that memory space. However, ShowEQ developers eventually got around the limitation by making the key reader run as a service on the NT LocalSystem account. This service can then send the key information to the decoding system.
As for WinShowEQ, I have sources that have told me that WinShowEQ is an easy port to make. If they are serious about making it and releasing it, expect to see it sometime soon.
-Valen
Years ago, Ultima Online had a pretty egregious cheating application called UOExtreme. It let you do all kinds of special stuff- run faster than normal, see hidden people, get an automatic readout of damage you did to players, and have general interface improvements that allowed you to play the game more efficiently.
Well, people got banned for UOE use for quite a while, but the thing that killed it was that the UO dev team simply emasculated it and made it no more than a device for the delivery of trojans.
How did they do this? Clever engineering and greater awareness of the needs of their playerbase.
Fastwalk was fixed by making walk packets require a response from the server before moving the player.
See hidden was fixed by just not telling non-GM clients where hidden players were, and disallowing attacks and other operations on hidden characters. Invisibility was handled in a pretty slipshod way beforehand- the server just told the client, "hey don't show this guy."
The automatic damage readout was just integrated into the client, with the addition of Starcraft-style health bars showing the damage level of your current target.
The interface improvement issue was solved by the legalization of a similar program called UOAssist. Many operations in UO rely on an extremely clumsy interface requiring many mouse clicks and movements for actions that should be far simpler. UOAssist changes this, offering somewhat of an "expert interface" for the game. UOAssist's author sends all program changes to UO's developers to be examined before release.
Come to think of it, you probably know all this stuff already...
What we call folk wisdom is often no more than a kind of expedient stupidity.-Edward Abbey
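The fastwalk fix above (walk packets only move the player once the server answers) is an instance of server-authoritative movement. The following is an added illustration, not code from Ultima Online, EverQuest or ShowEQ; the class names, the step rate, the sequence-number scheme and the tuple "wire format" are all assumptions. The server holds the only real position, rejects steps that are too large, too frequent or out of order, and the client moves its avatar only on acknowledgement, so a client that simply sends walk packets faster gains nothing.

```python
# Added example (not code from Ultima Online, EverQuest, or ShowEQ): a
# server-authoritative movement loop in the spirit of the "fastwalk" fix,
# where a walk packet moves the player only after the server accepts it.
# All names, rates and the wire format are assumptions for illustration.
from dataclasses import dataclass

MAX_STEPS_PER_SECOND = 4   # assumed legitimate walking rate
MIN_INTERVAL = 1.0 / MAX_STEPS_PER_SECOND


@dataclass
class PlayerState:
    x: int = 0
    y: int = 0
    last_accepted: float = float("-inf")  # time of the last accepted step
    seq: int = 0                          # last acknowledged sequence number


class MoveServer:
    """Holds the authoritative position; clients only propose steps."""

    def __init__(self):
        self.players = {}

    def register(self, name):
        self.players[name] = PlayerState()

    def handle_walk(self, name, seq, dx, dy, now):
        """Validate one walk request. Returns ('ack'|'reject', x, y)."""
        p = self.players[name]
        if seq != p.seq + 1:                      # replayed or out-of-order packet
            return "reject", p.x, p.y
        if abs(dx) > 1 or abs(dy) > 1:            # at most one tile per step
            return "reject", p.x, p.y
        if now - p.last_accepted < MIN_INTERVAL:  # faster than the server allows
            return "reject", p.x, p.y
        p.x += dx
        p.y += dy
        p.last_accepted = now
        p.seq = seq
        return "ack", p.x, p.y


class Client:
    """Moves its local avatar only on acknowledgement, never optimistically."""

    def __init__(self, name, server):
        self.name, self.server = name, server
        server.register(name)
        self.x = self.y = 0
        self.seq = 0

    def walk(self, dx, dy, now):
        status, x, y = self.server.handle_walk(self.name, self.seq + 1, dx, dy, now)
        if status == "ack":
            self.seq += 1
            self.x, self.y = x, y
        return status


def simulate(interval, steps):
    """Send `steps` eastward walk packets `interval` seconds apart.
    Returns (accepted_steps, final_x)."""
    server = MoveServer()
    client = Client("player", server)
    accepted = 0
    for i in range(steps):
        if client.walk(1, 0, i * interval) == "ack":
            accepted += 1
    return accepted, client.x


if __name__ == "__main__":
    print("honest client  :", simulate(0.25, 4))    # (4, 4)
    print("fastwalk client:", simulate(0.125, 8))   # (4, 4): half the packets are dropped
```

The honest client and the "fastwalk" client end up at the same tile after the same second of play; the extra packets are simply refused, and because the client never moves ahead of the acknowledgement there is nothing to roll back.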
Netrek figured this out about fifteen years ago. The source is open, so it was assumed from day 1 that clients couldn't be trusted. Attempts at client authentication were added later, but those were add ons (and could be and were subverted), they weren't the prime means of preventing cheating.
The strength of the Netrek model is that the game was designed from its infancy to send exactly and only the information that each client needs to display what it's supposed to be displaying. For example, cloaked units are supposed to be shown as unidentified contacts and on the galactic window only, with erratic position and irregular updates. One of the first things a hacked client developer will do is to display them on the tactical window as well, and there's nothing that the design can do to stop that. Also, it's not perfect; an ID is sent for the cloaked units, so the client can show what they really are. However, the server does only send irregular updates, and it flat out lies about the position, heading and speed of the unit, so the client can only show so much.
One of the most controversial design decisions involved torpedo weapons. The server sends "start" and "end" packets, but instead of sending speed and heading and letting the client handle movement of the weapon, it sends regular "position" updates, with a jitter built in. This increases the bandwidth requirement significantly, but it means that the client doesn't know the exact speed and heading of the weapon, so can't make an easy calculation about how to dodge it.
The Netrek model is replete with decisions like this. There are a few snafus (like the cloaked ship ID), but in general there is very little that a client can display that it's not supposed to. And believe me, I tried.
The reason for this tight design is simple if you think about it. Netrek, like XPilot and Xfire, was originally an X-display game. The server handled both mechanics and display. When Netrek moved to a TCP(later UDP)/IP based model, that model was preserved and the server took on a lot of responsibility for culling information that each client shouldn't know.
It never fails to amaze me that commercial games developers never seem to learn the lessons that open source projects can teach them. I know (from bitter experience) that there's a huge rush to get results on screen, but hey, guys, do it right, don't do it twice.
If you were blocking sigs, you wouldn't have to read this.
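The Netrek design described in the post above (full state on the server, each client fed only what it should be able to display, cloaked units shown as anonymous contacts with lied-about positions and irregular updates, torpedoes as jittered positions instead of a heading and speed) can be reduced to a per-client view filter. What follows is an added illustration, not the Netrek server's code; the class names, the packet dictionaries, the jitter radius and the update probability are assumptions. The point is that a hacked client can only draw what it receives, so the filter, not the client, decides what is knowable.

```python
# Added example (not Netrek's own code): a per-client view filter in the
# Netrek style. The server keeps full state and computes, for each client,
# only what that client is entitled to see. Names, packet layout, the
# jitter radius and the update probability are assumptions.
import math
import random
from dataclasses import dataclass

JITTER = 50.0               # assumed radius of the position lie, in world units
CLOAK_UPDATE_CHANCE = 0.3   # assumed chance a cloaked contact is refreshed on a tick


@dataclass
class Ship:
    id: int
    team: str
    x: float
    y: float
    heading: float   # radians
    speed: float
    cloaked: bool = False


@dataclass
class Torpedo:
    id: int
    owner: int
    x: float
    y: float
    heading: float
    speed: float


class World:
    """Authoritative state plus the filter that builds each client's packets."""

    def __init__(self, seed=0):
        self.ships = {}
        self.torps = {}
        self.rng = random.Random(seed)

    def advance(self):
        """Server-side mechanics: torpedoes move here, never on the client."""
        for t in self.torps.values():
            t.x += math.cos(t.heading) * t.speed
            t.y += math.sin(t.heading) * t.speed

    def _jitter(self, v):
        return v + self.rng.uniform(-JITTER, JITTER)

    def view_for(self, viewer_id):
        """Packets for one client; true data leaves the server only if allowed."""
        packets = []
        for s in self.ships.values():
            if s.id == viewer_id or not s.cloaked:
                packets.append({"type": "ship", "id": s.id, "team": s.team,
                                "x": s.x, "y": s.y,
                                "heading": s.heading, "speed": s.speed})
            elif self.rng.random() < CLOAK_UPDATE_CHANCE:
                # Anonymous contact: no id/team/heading/speed, jittered position,
                # galactic window only, and only on some ticks.
                packets.append({"type": "contact", "window": "galactic",
                                "x": self._jitter(s.x), "y": self._jitter(s.y)})
        for t in self.torps.values():
            # Jittered position updates instead of a heading/speed vector,
            # so the client cannot solve the dodge analytically.
            packets.append({"type": "torp", "id": t.id,
                            "x": self._jitter(t.x), "y": self._jitter(t.y)})
        return packets


def build_sample_world():
    """Constructed sample state: two visible ships, one cloaked, one torpedo."""
    w = World(seed=0)
    w.ships[1] = Ship(1, "F", 100.0, 100.0, 0.0, 5.0)
    w.ships[2] = Ship(2, "R", 400.0, 100.0, math.pi, 4.0)
    w.ships[3] = Ship(3, "R", 1000.0, 1000.0, 0.5, 6.0, cloaked=True)
    w.torps[10] = Torpedo(10, 2, 380.0, 100.0, math.pi, 20.0)
    return w


def hidden_fields_leaked(world, viewer_id):
    """Return every packet in the viewer's feed that reveals withheld data."""
    bad = []
    for p in world.view_for(viewer_id):
        if p["type"] == "contact" and any(k in p for k in ("id", "team", "heading", "speed")):
            bad.append(p)
        if p["type"] == "torp" and any(k in p for k in ("heading", "speed")):
            bad.append(p)
        if p["type"] == "ship" and p["id"] != viewer_id and world.ships[p["id"]].cloaked:
            bad.append(p)
    return bad


def contact_updates(world, viewer_id, ticks):
    """Count cloaked-contact packets the viewer receives over `ticks` ticks."""
    n = 0
    for _ in range(ticks):
        world.advance()
        n += sum(1 for p in world.view_for(viewer_id) if p["type"] == "contact")
    return n


if __name__ == "__main__":
    w = build_sample_world()
    for p in w.view_for(1):
        print(p)
    print("contact updates over 100 ticks:", contact_updates(w, 1, 100))
```

The residual weakness the post admits to (an ID being sent for cloaked units) is exactly the kind of thing `hidden_fields_leaked` is meant to catch: a check like it, run over the packets the server emits for a non-privileged client, is the cheapest way to find out what a modified client could display before anyone builds one.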
(not anon, and I am a seq dev)
>SOE (or Verant previously) *has* removed lots of data from the client-side. For example, a long time ago, the client used to be aware of every "mob's" (monster's) loot.
ShowEQ has never been able to tell you a monster's loot. Ever.
You could deduce what they might drop from things they have on them (the old favorite was telling which wisps had lightstones, not because we could tell their loot, but because you could tell what level of light they gave off).
ShowEQ has never known loot.