Don't take this the wrong way, I encrypt my own map's bank data as well, but let's be realistic here, you can encrypt your bank data all you want, SHA512 it, whatever, but someone intelligent enough is still going to be able to destroy it. I don't need to reverse your encryption algorithm to engineer my own bank file to suit my needs, I just need to extract your MapScript.galaxy (with Blizzard's lax protections this is cake), change my player data to whatever I want (this is in plaintext) and then use your own save routines to make my encrypted bank file for my use. No amount of hackery on your end will ever stop this.
Which brings me to my next point: a significant number of people try to put admin systems into their map. Please, for the love of God, design yourself a good encryption system that doesn't take someone like me 5 seconds to break into and gain admin access. If you're going to add that kind of feature, secure it so that it can't be abused. Keep a public hashed password in the map, and then have it read your bankfile, run a hash on it, and compare it to what the map knows. Even this isn't perfect but it's better than some of what I've seen.
In summary:
Banks are client-side data. No matter how much you encrypt or obfuscate it, client-side data can NEVER be trusted. Ever. Say it with me, I do not trust client-side data.
Starcraft 2 Maps are an inherently insecure medium, and you can guarantee that given enough time, a good number of individuals will attack your map and discover things you potentially don't want them to.
Yes, there are assholes like me that deprotect your maps just to find admin information. Beware. (Sidenote: In the flawed systems I did discover, I contacted the authors to render a fix)
Actually these completed protection systems that have been popping up are a gold mine for hackers. Most people just use them as they are and since the systems are openly available it's easy as cake to hack them. When you're using them - at least change their encryption alphabets! (most have one, but not every time they're publicly available)
I found out that a somewhat popular map used Starcode to save its stuff. It took me 45 minutes to identify every saved value and write a sample map to change everything to my liking.
Of these 45 minutes I needed 20 minutes to actually find the map on my HDD -.-
And don't add admin stuff for you in online maps. Just don't. Play your game like every other guy. Or else, at some point, every other guy will play the game like you.
It took me about 15 minutes to come up with the ultimate savefile for the popular NOTD map, out of boredom to see if it was worth getting.
After a million XP and 2200 player rating all I got was shit. :P
On one hand, I get that authors want to discourage cheating but on the other, if I had wasted all those man-hours grinding XP on their map I'd feel so ripped off, so I'm glad I didn't. Having said that though, I did enjoy playing their map and it's extremely well-made, especially compared to other popular maps.
But the process was fairly simple, use fseventer (OS X ftw) to detect which .s2ma is being downloaded, extract the MapScript.galaxy, add a few lines to the save function, run a test map, then copy the new bank to the Battle.net area and run with it.
So any idea if the built-in bank signature thing will at least make it (much more) difficult to hack banks? I removed encryption and hashing for my map completely to reduce some processing. Only reason I still use starcode is for string compression, which is very nice.
I wouldn't worry about the processing of Galaxy that much. Compared to the other stuff going on in the game it's not much.
As for the map signature... that remains to be seen with how Blizzard handles 1.2. :)
But I'll certainly be experimenting once it's live.
I just need to extract your MapScript.galaxy (with Blizzard's lax protections this is cake), change my player data to whatever I want (this is in plaintext) and then use your own save routines to make my encrypted bank file for my use. No amount of hackery on your end will ever stop this.
How do u extract MapScript from BattleNet MapFile? I really want to know that. How does Blizzard protect the file?
Maps aren't secured at all. You just have to find the place where they're saved to your harddisk and open them with a MPQ editor. They're only protected against directly opening them in the editor (and even this protection lacks).
And I'm sorry but your strong encryption is useless. Yes, it will encrypt your bank, but no one will hack your bank. They'll all hack the map that uses the bank. It's faster and easier. And you can't encrypt the map itself.
It also takes about 30 seconds to undo the protection that prevents the Editor from opening a map. You simply have to reconstruct one file, which takes about five seconds. I keep a copy of one that works on pretty much any US map and I can import it and it's basically plug and play from there.
I won't provide details, for fear of less experienced and morally ambiguous people making use of this thread, but it's all very easy to do with the right knowhow.
copy and paste the hash function works well. Just tested it on Starbattle.
Will work on my map too.
people just need to read the password. and use my lib to encrypt it.
I decided to make a point last night and write a program to demonstrate one of the attacks someone can do on, for example, Starcode, after I saw a popular map attacked.
Since I don't like doing Galaxy if I can help it, I wrote a program in C# that would undo a popular map's mechanic by figuring out the encryption key it used.
Essentially, it stored the encrypted and plaintext versions of a string in its source, and lets the admin supply the key that connects the two.
Anyone who's remotely touched cryptography can see the problem already. This is easy to reverse.
http://pastebin.com/AiJKDHft
If you look at the DecryptKey method it uses the differences in ordinals to find a solution for the key variable.
Thusly, in under a second once the "run" button was hit on my test application, the secret key was found and the encryption broken.
I made a demonstration with different values to protect the map from being exploited to high hell.
    // Starcode here is the class from the poster's C# program; its Encrypt and
    // DecryptKey methods are not shown on this page.
    public static void Test()
    {
        Starcode sc = new Starcode();
        String original = "HelloWorld";
        String key = "SC2Mapster";
        String result = sc.Encrypt(original, key);
        Console.WriteLine("Encrypted {0} with key {1}. Result: {2}", original, key, result);
        Console.WriteLine("Calculating key from plaintext and encrypted values: {0}", sc.DecryptKey(original, result));
    }

Output:
Encrypted HelloWorld with key SC2Mapster. Result: 8Qn?y[QUzE
Calculating key from plaintext and encrypted values: SC2Mapster
As you can see, just because there are open source encryption libraries such as Starcode out there, does not mean they make your work secure! You still have to use them properly (the author in this case should've used a hash rather than encrypt functions like this. But even StarCode's hash is fairly vulnerable to brute force attacks).
You might argue that the work involved for something like this (psh who's going to do all this for a map) is somewhat high, but to anyone experienced this is a walk in the park.
In general, unless you want to spend time worrying about these things, don't add them to your map. Better to be safe.
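An added example, not MotiveMe's C# program and not Starcode's actual algorithm: a toy keyed shift cipher stands in to show why shipping a plaintext/ciphertext pair gives away the key, next to the hashed-password check suggested in the first post and in the post above. The alphabet, function names and iteration count are assumptions made for this sketch.

```python
import hashlib
import hmac
import os

# Constructed 94-symbol alphabet (printable ASCII); an assumption, not Starcode's.
ALPHABET = "".join(chr(c) for c in range(33, 127))
N = len(ALPHABET)

def shift_encrypt(plaintext, key):
    """Toy keyed shift: c[i] = p[i] + k[i mod len(k)] (mod N), on alphabet ordinals."""
    return "".join(
        ALPHABET[(ALPHABET.index(p) + ALPHABET.index(key[i % len(key)])) % N]
        for i, p in enumerate(plaintext))

def recover_key(plaintext, ciphertext):
    """With both halves of the pair known, k[i] = c[i] - p[i] (mod N)."""
    stream = "".join(
        ALPHABET[(ALPHABET.index(c) - ALPHABET.index(p)) % N]
        for p, c in zip(plaintext, ciphertext))
    # The key repeats along the text, so reduce the stream to its shortest period.
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return stream

def make_verifier(password, iterations=200_000):
    """Hardened form: the script stores only salt, cost and a slow salted hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def check_password(candidate, verifier):
    """Re-hash what the admin supplies and compare in constant time."""
    salt, iterations, digest = verifier
    attempt = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
    return hmac.compare_digest(attempt, digest)

if __name__ == "__main__":
    # Constructed values, reusing the strings from the post's demonstration.
    stored_plain, admin_key = "HelloWorld", "SC2Mapster"
    stored_cipher = shift_encrypt(stored_plain, admin_key)
    print("key from the shipped pair:", recover_key(stored_plain, stored_cipher))
    verifier = make_verifier(admin_key)
    print("verifier accepts the password:", check_password(admin_key, verifier))
    print("verifier accepts a wrong one: ", check_password("HelloWorld", verifier))
```

The verifier only closes the key-recovery shortcut: as the thread points out, a short password can still be guessed offline and the script performing the check can still be edited.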
This is a good post. In prisoner rebellion I just wrote your wins and losses as numbers to the bank... significant cheating went on... so I converted it to save wins and losses as a certain distance along a string such as %@(*#@(GSIOWEn) and thus 5 wins would appear in the bank as #. Then I did some other random stuff like saving 2 times your wins in this fashion as well, saving like 10-20 different things that were random within a range... and this instantly stopped all messing around to my knowledge.
However, like you Motive, I knew some random guy would probably figure it out... so I made the wins/losses and admins in my map give and have 0 privileges outside of flashy icons and stuff... nothing that affects the ingame :D
Edit: I also saved each digit as a separate key in the bank, and my trigger is so messy even I have trouble going back to read it... so all in all it's pretty annoying for anyone to hack...
@s3rius:
Omg did someone hack your account and change your avatar;p;p? Wtf is that?;p
Edit: Ah, missed the fine/bold print at the end...
A user has approached me and told me my avatar would creep him out. So I thought I'd give him a day or so of peace so he can regain his nerves :D
Also: this is a flying rocket cat! With stars as eyes!
Cookies for those who know what series this figure comes from :D
Your new avatar is much much creepier IMO.
@s3rius: Go
Just put a why so serious face on and you should be fine. You're gone and I still can't beat your post count.
Har har har!
Mu har har har!
Well, I'm doing my best to spam and give you nightmares with my avatars.
MotiveMe, you're 100% right. That's why I never let admins reward players and I let players vote kick admins, to avoid abuse.
U want strong AES128 with random salt + sha256? U can have it.
http://www.sc2mapster.com/maps/kyrptlib/
@s3rius: Go Thx.
@MotiveMe: Go
Just extract all file and repackage it?
@MotiveMe: Go why don't u hack my AES lib? :D
http://www.sc2mapster.com/maps/kyrptlib/ pls don't extract the map and read the key.
@OneTwoSC: Go
I would save your SC2bank, play it, reset the bank, replay it 10 times, make sure all my stats are the same in game, and see which values are changed.