EverQuest/Sony Fights Code Wars With Latest Expansion
The most recent expansion for EverQuest (Planes of Power) adds a lot of problem-solving quests to the game, so Sony beefed up the (long-since broken) encryption that they used for the client protocol. The expansion has been a major hit, pleasing some of the most critical voices in the EverQuest world, but one week later, the anonymous development team of ShowEQ had broken the new encryption. Read on for details of the ongoing battle over keeping secrets in plain sight.
First, the skinny on the latest EverQuest expansion, Planes of Power (PoP). Because this is an expansion chock-full of content for only the highest level characters in the game, Sony added some features that everyone would want (and thus, pay for): the ability to progress to level 65 (60 was the cap before); a new zone called the Plane of Knowledge, which allows characters to move freely to all of the old game areas; and a feature that allows large groups to coordinate more easily. That's the carrot for the lower-end users, but really this is the first expansion to lock out even moderately experienced players in favor of large, strong in-game guilds.
Even so, the response has been almost all positive. Some players complain about the last-minute changes (especially the changes that made monks and druids less powerful in the high-end game), but those who are taking advantage of the new game areas are happy with the reduced time required for encounters and the fact that the game rewards strategy more than ever.
Planning, attention to detail and a fanatical focus on getting past every challenge that Sony presents are important in-game, but Sony is less than pleased by programmers who are just as happy to approach those challenges from outside of the game. Using Linux and Qt, ShowEQ is a packet sniffer that watches the EverQuest client protocol and displays a map of everything that the Windows client is privy to, but may not disclose to the player. Years ago, the ShowEQ developers discovered a weakness in the encryption that the client uses, and they have been able to reliably interpret the data ever since.
With the PoP release, Sony improved the encryption so that it used a larger key which was more securely chosen. At first, the talk on the ShowEQ IRC forum was gloomy and the normally secretive developers cloistered themselves off from the group, returning only rarely to proclaim the difficulty of breaking this new scheme. The protocol is not unlike that used by ssh or SSL. A public key is sent from Sony to the client, and the client uses that key to encrypt a random session key and send it to Sony. Theoretically, this approach is open to only a limited number of attacks, all of which run the risk of being detected by the client.
A former ShowEQ developer who was hired by Sony was reported to have said that it's over: "you'll never break this"... One week later, the new version of ShowEQ was available via CVS and was working again. The new keys were vulnerable, it seems, to an even simpler form of analysis, and the result was simply that ShowEQ worked significantly faster. In many ways, this seemed to simply be a "bonus quest" that Sony threw into the PoP expansion, and it had been beaten.
On Thursday, October 31 ShowEQ broke once again. The protocol now compresses key data to prevent the analysis that was limiting the keyspace that has to be searched. As of this writing, ShowEQ no longer works passively, but this escalation is not over. The latest version allows a user to input the key directly, and developers are hard at work, trying to find further weaknesses in the key generation and/or exchange. The developers are even starting to question the long-held, unwritten truce that they maintained with Sony. The idea was that if Sony did not make decryption require a Windows-side component, there would never be a Windows version, limiting the use of ShowEQ to those capable of getting ShowEQ working under Linux. Now, the party line is, "there is absolutely, positively no reason not to have a WinSEQ."
The technical details are interesting, but the social and legal details may take center-stage for a while. The seq team is trying to figure out what they could put on the client-side without being detected and that brings into question the legality of Sony scanning running processes and reporting back. There's also the matter of Sony's rather astoundingly harsh EULA that tries to preclude activities like this in every way that it can (though the legality of click-through EULAs is still a hot topic).
One problem with this escalation is that, as with another product (TiVo, which is partially backed by Sony), the very people subverting the product and making it more than the creator wants it to be are the best customers. In terms of EverQuest, they are often the ones maintaining several accounts and/or spending extra money for the "Legends" service. How does a company contend with a market where your best customers are also your most resourceful? With the TiVo, there was an uneasy understanding between the company and its modders. Sony has broken that balance with EverQuest.
Now that Sony has crossed this Rubicon, it is quite likely that ShowEQ will be ported to Windows and hundreds if not thousands of new users will be introduced to it. Was that Sony's goal? Certainly Prof. Felten showed us that such a battle is ultimately futile. Why does Sony want to fight it again on yet another front (remember that they are an RIAA member)? Is there any financial justification here? Does mapping software really threaten the game more than the many in-game exploits that the high-end encounters suffer from?
PoP is a finely crafted fantasy gaming experience, but Sony has once again chosen to spend extra time and money hurting themselves and their market. Perhaps their competition will not make the same mistakes.
It's a big MMORPG. IIRC someone killed themselves a while ago because of losing something on it, so I'm guessing it's pretty addictive.
A very well written and informative article. I'm intrigued by the story of ShowEQ -- and the fact that Sony seems to want to protect their system by deciding what users can and can't run on their computers. It reminds me of the video player that uninstalled Ad-aware automatically, claiming that running it wasn't allowed under its license. I don't believe that such things are really legal -- are they not an invasion of privacy and an illegal search? (Alas, the Constitution's protections against this in the US are only applicable to the government itself, but such practices, I feel, are going too far) Sooner or later, I think, Sony will be dragged into court over this and sued. What if, for example, they use their little spy applet to suck data off someone's computer that gives them an advantage (a competitor's computer that had confidential information, for example?).
I am, though, a little surprised to see that the ShowEQ people haven't been sued under the DMCA. And I'm glad they haven't, because what they are doing is reverse engineering and they are not actually hacking into the client or the server, so it is legal. They are not trying to pirate the game. They are merely trying to see what exactly their computer is saying to the server and what it is receiving from it. A perfectly fair thing to do, I think, because it IS their own property and the owner of it has the right to know what exactly is happening, so they can choose whether or not to run a given application instead of having to trust the programmers. Checks and balances.
Note: I don't play Everquest. I call it EverCrack, actually. I don't play games that I have to pay a monthly fee for. I prefer to play single-player games, or sometimes multiplayer, offnetwork, with people I already know.
i am a soviet space shuttle
In EverQuest, the license agreement must be accepted each time you start up the game.
/played time, you've seen that license hundreds of times. Whether or not you've read it is irrelevant, but you've willingly clicked yes to it hundreds, if not thousands of times.
No auto-yes option. No "I understand and agree, don't tell me again" option. You *must* click "I Accept" every time the game EXE is called.
If you've accumulated any significant level or
I'd say that makes it pretty binding.
I hear all of your posts, about how they should get a life, blah blah blah.
I myself played EverQuest for about 18 months on and off. I averaged 15-40 hours a month, depending on the month and how I felt.
Everquest "zoned" me, to another world. In our (non-EQ) reality, it left me behind a computer, with closed curtains, fighting and sweating while in battle.
When I was 17, I robbed a firestation, got a drinking and driving minor, and sold Adderall (meds for ADHD) to my school peers.
By the time I was caught I had 30 felonies(Possession with intent to distribute in a drug free (school) zone.), and 50 years in prison staring me straight in the face.
I lost my license and was on house arrest for over 4 months.
About a year later, I was accepted and attended one of the top engineering schools in the nation.
Now, my question to you, is: If I can't spend my time playing EQ, and raising my daughter, do you want me selling a prescription legal meth to your brothers and sisters?
Don't get me wrong, I'm well past that stage, but I'm sure if I did not have habits that keep me home, or somewhat entertained, I'm sure I could find something to do outside in a city of ~3 million people.
I have not done drugs in 6 years, and have drank about 24 beers since I was 16.
I save TONS of money, $15 a month is a lot for EQ sure.
But consider what it saves you.
If I'm spending 40 hours of afterwork/weekend time on this game, I'm not eating with my friends, I'm not buying gas driving around.
I'm not doing anything that will harm you.
Sure some people will kill themselves over this game, just like some will spend $9000 on a character on ebay. But that's evolution. If they killed themselves prior to reproduction, we won't have to worry about those genes surfacing for at least a little while, but hopefully they will be rid of just as fast.
I'd rather have joe schmo killing himself(maybe a few others) because of distress from the game, than driving with his drunk buddies at 1:00 at night while I am on my way to drop off my daughter at her mother's house.
It is more probable Joe kills me while driving drunk than if I was an innocent bystander near his EQ game.
The client has to know certain things to run. To alter what it knows would to make a thin client game even thinner, and would alter the balance of the client/server load. If the servers are picking up slack for the clients (or the sole purpose of players not sniffing that info), then the servers have to be redesigned and beefed up. Not likely, I say.
Because 3 years ago they decided how much information they were going to allow the client to see of the world. Their solution: break the whole world up into zones and only let the client see what is happening in that zone. To change this would require more effort than they are willing to do.
Have you *ever* played EQ? Do you even know what you're talking about?
SEQ was used primarily in the beginning to aid people in finding out how your odds of hitting changed with certain gear, and how much mana you had (something EQ never told you). It quantified all kinds of things that players really needed to know, but were never published anywhere with the game or from any official source.
Ever.
SEQ allowed players to critically evaluate how the game was calculating things, and you know what? That started huge discussions on Verant's OFFICIAL message boards between Verant and customers on what changes the customers wanted. There are mana calculators everywhere online, but they were all developed from info gathered from SEQ. Players use them all the time.
The most recent changes to meditation, spell behavior, and damage checks were all a result of the community gathering info using SEQ and bringing the data to Verant and saying "This isn't right!". And Verant listened and changed it.
Cheating?? I think not. It was the community stepping in and filling a gap for the better of the players and the developers.
None of this can be said of Aimbots, or wallhacks in Q3, UT, or CS.
Although I have played EQ off and on for the last 3 years or so, and have heard of ShowEQ, I never really knew what it was used for. I don't have a Linux box, so it didn't make much difference for me. What does concern me about this is that with a Windows version, the program can and will become far more widespread. I would compare it to the recent developments in the Diablo II community.
There has always been trade hacks, and this hack, and that hack, but to execute them, you usually need packet sniffers, have to understand how the program works, and basically know what you are doing. Every once in awhile, one would come along that was easy to use with some fancy UI and mass chaos would ensue.
Anymore, most players use Pindlebots or Mephisto bots, to just endlessly kill those bosses over and over for hours on end, hoping for some uber item to drop, and in the meantime racking up exp. They are extremely easy to use, just run the executable, configure the config for your character, and it does everything else for you with zero interaction. Now, you can't create a game without having to wait in line on the USEast Realm, and you can get just about any item you want in the trading channels.
I ran pindlebot for two weeks, and in that time, I got a lot of the best equipment in the game. It seemed nice, to have this great character, but ultimately it ruins the game, because you have the best equipment, there's no challenge, there's no point in playing the game anymore.
If ShowEQ does get ported to Windows, I can only imagine similar situations like this arising. The masses start using the program, and ultimately the legitimate players become too frustrated and leave, and the players with the cheat / hack / dupe / whatever ultimately become bored with the game, and a game that was once a great way for people to pass time becomes the playground for the people who have ruined the game.
The Man in the Middle attack is one of the oldest and still most effective attacks on public key encryption.
I don't know all the details, unfortunately. They may very well have tried this already.
Every MMORPG I have played has started out not nearly as thin as it had to be, and nearly all have had to undergo significant redevelopment to rectify this matter.
EQ can be forgiven for not knowing this at its start (it was one of the earliest MMORPGs) but it's had a long time to learn from its own experiences and those of its competitors.
Assuming that everything known by the client will be known and exploited by the players using it would seem to be the safest rule.
What we call folk wisdom is often no more than a kind of expedient stupidity.-Edward Abbey
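The rule stated in the comment above (assume the player can read everything the client is sent) can be measured on the server side. The following sketch is an added example, not code from EverQuest, ShowEQ or any poster; the `Entity` type, the function names, the radius and the sample coordinates are all constructed for illustration. It compares sending a whole zone with sending only entities inside a radius around the player.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Entity:
    eid: int
    x: float
    y: float

def zone_broadcast(entities, player):
    """Zone-wide policy: the client is sent every other entity in the zone."""
    return {e.eid for e in entities if e.eid != player.eid}

def interest_filtered(entities, player, radius):
    """Server-side interest management: send only entities within `radius`.

    The check is a plain distance test and ignores which way the player is
    facing, so turning around never needs a round trip to the server.
    """
    return {
        e.eid
        for e in entities
        if e.eid != player.eid
        and math.hypot(e.x - player.x, e.y - player.y) <= radius
    }

def exposure(sent, entities):
    """Fraction of the zone's other entities revealed by the client stream."""
    others = len(entities) - 1
    return len(sent) / others if others else 0.0

def visibility_delta(before, after):
    """Spawn/despawn messages the server must send after the player moves."""
    return after - before, before - after

def sample_zone():
    """Constructed sample data: player 0 at the origin plus four entities."""
    return [
        Entity(0, 0.0, 0.0),      # the player
        Entity(1, 30.0, 40.0),    # 50 units away
        Entity(2, -60.0, 0.0),    # 60 units away, behind the player
        Entity(3, 300.0, 400.0),  # 500 units away
        Entity(4, 0.0, 900.0),    # 900 units away
    ]

if __name__ == "__main__":
    zone = sample_zone()
    player = zone[0]
    everything = zone_broadcast(zone, player)
    nearby = interest_filtered(zone, player, radius=100.0)
    print("zone-wide exposure:", exposure(everything, zone))
    print("filtered exposure: ", exposure(nearby, zone))

    # The cost of filtering: the server must track movement and push updates.
    moved = Entity(0, 300.0, 350.0)
    entered, left = visibility_delta(
        nearby, interest_filtered(zone, moved, radius=100.0)
    )
    print("entered view:", sorted(entered), "left view:", sorted(left))
```

Anything a passive observer of the client's traffic can learn is bounded by the set each policy returns; the price of the smaller set is the per-move bookkeeping shown by `visibility_delta`.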
Asheron's Call has been like this for years. There's a program called Decal that intercepts and can forge packets between the client and the server. It exposes them through COM to a plugin architecture, allowing people to easily create plugins that interact with the game.
On the one hand it could be considered cheating, but at this point, most people seem to run it and it's made some fantastic things possible. For one thing there's a plugin called ACArm which figures out how to switch between armor profiles at the touch of a key, much more easily than figuring out the right order and dragging and dropping manually. There's another called Robochef that automatically does crafting. And one of the oldest and best known, Sixth Sense, which can scan for items/monsters/players etc., is almost required for some challenges in the game. (Find random spawn monster somewhere out in the wilderness.) It takes much of the tedium out of a game that's supposed to be fun.
The down side, though, is that people have come up with money making trade skill macros where you just load up your character with enough starting cash and some of the ingredients, and it crafts a bunch of items, sells them at a profit, buys more ingredients and continues. That inflates the economy a bit, though not much it seems. Worse, some people have made combat macros that automatically camp a spot and kill all the monsters. It's very annoying to be running around in a dungeon and finding a mage perched in a corner stealing your kills. (Combat macros are now a bannable offense under the CoC, however. Also, the Decal devs are very anti-combat macros.)
Anyway, I know that's AC and not EQ, but I just thought I'd mention that as an existing example of where this can lead. It's got its down sides, but it's mostly been a good thing for the game.
There are many things that the client MUST know, for performance and usability reasons.
:-)
Every request the client makes for information means another round trip access to the server. Another complex decision by the server whether the client should be allowed that information. When you have 100K users online, making requests like that dozens of times a second, it can get JUST A TINY BIT LAGGY.
To alleviate these issues, the server sends some information to every client. The game map. The nearby creatures that the client may need to render at any moment. The current statistics of all the players equipment. All this information the client NEEDS to know.
Here is an example of one thing people often think the client does NOT need to know... creatures that are behind a hill, or not in the players cone of view. However, what if the player whips around to look behind them? How disorienting and unplayable would it be if every time you turned it took half a second before you saw ANYTHING other than terrain? As for obstructed creatures, would you want to go around a corner in a dungeon and not see anything for half a second until the server caught up? Not to mention the exhaustively difficult math required to accurately determine whether you have line of sight to something or not.
Thin clients DON'T WORK. At least, not in MMORPG's. Works for MUDs though. If you don't mind, I'll be going back to my DikuMUD now.
"I will trust Google to 'do no evil' until the founders no longer run it." Hello Alphabet.
You might be thinking of old MUDs like DartMUD, where when you died, you had to start completely over from 1st level again. EQ (and DAOC, and most, if not all, other MMORPGs) are not like this. Nothing kills a player-base faster then that kind of system. Trust me, I've seen it happen in some MUDs.
Now, what offsets the "newbie" syndrome in EQ, DAOC and other MMORPGs is that not every "high level" character is going to be played forever, as people retire characters all the time. Also, a lot of players with high level characters give away a lot of stuff.
And EQ seems (alas) to be doing just fine.
Kierthos
(Okay, I'm biased. I hate EQ. But they aren't in danger of drying up and blowing away any time soon.)
Mr. Hu is not a ninja.
Hmmm, you must not peruse the various EQ related boards very often, as cheating as how you described (run speed, duping, etc) has occurred quite often over the course of EQ's lifetime.
Granted, most dupe methods are found out after a time, but those that were able to take advantage of them while they lasted (and avoided getting caught) contributed to damaging the game economy by introducing many rare drops that generally wouldn't have been in the game.
Most of what you say about ShowEQ's benefits not being that great are true. Tracking, See Invisible, and a map program like Xylobot will get you most of the functionality that ShowEQ gives.
Personally, I wish Sony Online wouldn't spend so much time fighting ShowEQ. What I believe is _truly_ hurting the game is the use of automated macroing programs to gain money at a ludicrous rate.
Currently there's a program called Macroquest on sourceforge which allows you to control most everquest actions via scripts. Industrious folks have been able to find special tradeskill recipes that, when automated, can generate 6000-35000 platinum pieces an hour. For those that don't play the game, I believe 10k pp goes for $100 or so on playerauctions.com (check the web site for real numbers).
So what happens is you get these asshats that have 10-15 computers & accounts all running macros generating hundreds of thousands of plat an hour, and then they go to playerauctions.com and sell it to other people for big $$$.
This _huge_ influx of money into the game economy KILLS it for everyone else. When someone spends $250 to get a massive amount of platinum and can overpay for uber-item #10123 in the bazaar, those of us who don't cheat and only have 2k in the bank are screwed.
Sony Online needs to spend the couple of days it takes to remove/modify the tradeskill recipes that sell for more than the component cost. This only has to be done for vendor buyable items, since those are the only ones that can be macro'd easily.
The reason you see the spells you need for 10's of thousands of plat (C3 for 35k?!) is because people will pay for it.
Yw
The main difference between them is that 99.5% of players in EverQuest don't give a crap if someone else is using ShowEQ. There isn't a huge and overwhelming advantage vs. other players if someone's using ShowEQ. (There is on PvP servers. However, no one plays on the PvP servers because Everquest's PvP system sucks. And it has nothing to do with cheaters.)
I used SEQ when I still played Everquest. All of my friends knew I used ShowEQ. My entire guild knew I used ShowEQ. About 2/3 of the people I got experience with knew I used ShowEQ. No one ever said to me, "Dude, that's fucked up. You're ruining the game for other people." Know why? Because I wasn't.
I hate cheaters in half-life and its mods, and in quake and its sequels and mods, but that's because the act of cheating ruins other peoples' enjoyment of the game which is an enormous difference IMO.
iirc, the "Big Deal" wasn't that you couldn't use your modchip while playing on Live, it's that MS banned you for life if your X-Box had a modchip in it, even if it's not enabled while playing on Live. It also did not discriminate between legitimate uses of modchips (playing imports, linux on X-Box- though that's not really legitimate in MS's eyes. ;)) and the ones who used it for cheating.
There is also the little issue about unscrupulous modders changing the codes on their X-Boxes and banning codes that could very well be that of a customer with a non-modded box.
When I used to play on normal blue servers, I would use it all day long and it didn't bother me. There were many places where I just got lost running through it. No matter what I did, I got lost, so seq was my guide.
Well, 4 months ago, I got bored of the blue servers, and headed towards PvP. (Sullon Zek) I was using seq as a basic idea of where PKs were and such, or knowing someone's level when I zoned in, to know if I am gonna be screwed. But, right before PoP was released it started getting insane. PKs would zone in, they knew where you were, how your HPs were (if they're kinda close to you, around the corner, where you can't see em) Suddenly, you didn't know what hit ya.
Each zone has some nice hiding spots, which can only be found by a druid, ranger or bard. (Those with a tracking skill) It's kinda funny how a wizard comes running from across the zone to that spot where you are. During which time, I shout hey, how's seq working for ya?
Since it's more or less broken now, requires you to run some programs on your windows box that are very risky, very few people are using it. People have to use their real game skill. Honestly, it's much nicer that way. Believe it or not, I really hope they find an even tougher form of encryption for it.
Those who flame me from carebear servers, go try PvP before you open your mouth. You will soon learn how harsh of an environment it is. Things like seq make it really suck.
until (succeed) try { again(); }
the asheron's call developers LIKE decal, and quietly communicate with each other
and hey, they even let you use alt-tab and windowed mode, and don't just hijack your computer! personally, i refuse to play a game that disables alt-tab
decal provides player run vendors and portal summoning bots, spam filtering, streamlined combat messaging, afk tell recording, tradelist generation, etc
plus several plugins were incorporated into the game client after they became widely popular
like he said, Decal is com based, so you can do a plugin in nearly any language you want
AND Decal is opensource with the Devs always looking for contributors
http://decaldev.sourceforge.net/
There's already a server emulator out, it doesn't do everything that the current SOE/UbiSoft (Euro) servers do yet, but it's close. Easy to install/configure, etc.
Of course, no one I know has the bandwidth to host more than a six person group or so, but.. eh.
I'll be the voice of smiling acceptance and agree with you.
;)
Compared to many other games, EverCrack is quite cheat-robust. You don't hear about it much unless you troll on message boards, and in reality, it doesn't affect the average player.
It's far from cheat proof, of course. But if anyone remembers Sega's attempt at entering the multiplayer adventure genre, it met with dismal failure. Why? Everyone was a bloody cheater. You couldn't swing a dead cat without hitting rare items that only 1% of the playing population should've ever seen. You couldn't walk five steps without fearing for your character's life, thanks to the ability of cheaters to corrupt your character's data. You want a top level character? Just a few minutes, a switched disk, and you're there.
Compared to that, EverQuest is remarkably cheat proof. The cheating that does happen doesn't affect other players that much. Sure, you see people with top-level gear on their level 5 n00b, but no one complains when they're grouped with that guy. *chuckle* The reason is, that guy, possibly legitimate (depending on if you view twinking yer alts legit) and possibly not, can't harm your character. He can't corrupt your data. He can't steal your equipment. Thus, it's a null issue for the greater part of the playerbase.
But now for a slight disagreement. Fun?
Paul H. Muad'dib, if I ever see another Sarnak again in my lifetime, I'll probably storm the headquarters of Verant Inc., guns blazing. But maybe I'm just burnt out from nearly a decade of mudding.
bitch, bitch, bitch.
Geez!
To the "It's ok to cheat!" group (Group One):
No it isn't. If it were, it wouldn't be called "cheating".
To the "cheating is bad" group (Group Two):
No shit. But someone will always cheat. This isn't the simple, clear cut right-and-wrong thing that some people make it out to be though. It would be if everyone was Dudley Do-Right, but they're not and they never will be.
If it were automatic for everyone to do-the-right-thing, banks would not need safes and locks and guards and all else. There is always, in human nature, the struggle between what society says you should do and what you actually want to do. Note that things get even more confused because certain elements in society will say that it's okay to do what you want to (i.e. Group One). For some people, some of the time, there is a temptation to cheat.
Suppose, for example, that you and I are playing a game of cards. Now suppose you've got to get up and leave the room for a bit. I stare at your hand lying face down on the table. Do I look at it and see what cards you've got? In my case, no I don't because I have a certain ethic about cheating in games (that have human opponents--when the opponent is a computer, whether I cheat depends on how much respect I have for the game and other factors) and I'm pedantic and I want to try to play by all the rules. So no, I don't look at the cards.
But another person might look at the other guy's cards and rationalize it as being a "more technically advanced style of play". Note that it becomes easier to rationalize cheating when you don't actually see the person that you're screwing over. It also becomes more tempting when there's money on the line. Don't people still pay big bucks on eBay for high-power EQ chars?
When you look at it that way, it's easy (for me anyway) to start to see the EQ "cheaters" as "power users", even though I know they're not. It becomes easier to lie to myself, because it becomes increasingly tempting to become one of them so I can set myself up a nice little business on eBay and make money (this is human nature in action, folks) out of little bits of data and other people's gullibility. :-) But making money off of people's gullibility always leaves a bad taste in my mouth (so to speak). That's why I'll never be a politician or a lawyer.
But the point, Group Two, is that there is no need to let Group One get away with so much in this situation. The server could, perhaps, be better written to give away less information. That would be a perfect example of doing the Right Thing. (But also note "deserves to lose". I suppose this is where some of the Group One people are coming from.) Yes, unfortunately, that might require some rewrites and it might increase the required bandwidth, but... Think of the Children!! (sorry, couldn't resist. ;-) )
So how can we get to that point? What would get Sony to rewrite the code some more so that the client has less info to go on? Simple. Release WinSEQ. Then they won't have much choice.
This is not a new battle. It's just the age-old war of access to information being played out AGAIN. Other examples include: illegally copying mp3s, application programs, games programs, ALL programs. Where do YOU draw the line? What level of information access do you think is okay, and what do you think is wrong? Does your philosophy have any contradictions? Are you aware that arguing for illegalization of spam whilst also arguing for legalization of file trading implies that your right to privacy is greater than the right of copyright? But copyright is explicitly referred to and defined in the Constitution and, AFAIK, the right to privacy is not. Have you ever thought about the implications of that? How many more times will we have to go through this, I wonder? A hundred times? A million?
I think fifty years from now, people will look back on this age of poorly defined/handled information access rights and laugh. Heck, I live in this time and I already laugh at it!
Furry cows moo and decompress.