Haha. I remember I opened your map as well, OneTwo. I was debating using it as one example, but I took a look at the save function and I didn't want anything to do with it. xD I loved playing your map and was going to try to make my wins/losses 1337 or something stupid. :P
@avogatro: Keep in mind most of the point I am making isn't in the weakness of the encryption method itself (AES is good, Starcode not so much but still ok for our purposes). It's more about how the user uses it than anything else. If you wield it like a blunt object, you'll fail miserably, whereas if you are aware of its flaws and weaknesses and only use it in ways that it excels in security, you're fine.
We still have to see how extensively that works. It could be something very basic and crackable, like their map "Locking." Nobody really knows for sure yet.
As you can see, just because there are open source encryption libraries such as Starcode out there, does not mean they make your work secure! You still have to use them properly (the author in this case should've used a hash rather than encrypt functions like this. But even StarCode's hash is fairly vulnerable to brute force attacks).
That's why people should change their encryption alphabet ;)
Not that this would give you unbreakable security, but at least it'd make programs like these not work until you retrieve the new alphabet. Not that this would take much time :p
Why would I NOT do that? It's the easiest thing. That's like saying "Please test my new anti-burglar system - oh but don't go in from the back, that's its weak point."
The idea is NOT to attack the encryption itself.
AES or StarCode would require a lot of time and iterations to figure out encryption and saves values. You'd need to be a CIA or whatnot specialist to do so.
@MotiveMe: Go patch 1.2 note
New trigger functions:
Verify Bank - used to verify that a bank’s signature is intact.
New trigger actions:
Bank Option - used to change options for banks including adding a signature.
How can it possibly be safe when this hash is stored INSIDE the bank?
UNLESS it doesn't only hash the stuff in the bank but also something from the map (like a unique ID).
I just tested bank signatures. They're a load of crap. It's just a formula run on the data inside the bank that verifies essentially that StarCraft (or something that knows the hash format) wrote it.
So it took all of about 5 minutes to get a bank that my map would believe is "valid" and test it.
Summary: Don't bother using signatures alone. Encrypt everything if you're going to save it, still. Then use signatures to boot.
Wow, if MotiveMe is right, my maps can still be hacked in minutes. You just have to copy the map, modify the score, play it, and replace banks.
I just hope Bank signatures also crypts the map maker login; otherwise, Blizzard wasted time implementing them because it won’t even make 1 minute harder to hack.
Better mappers know the risks of using a bank and can act accordingly, than some people know and make use of it, and others keep dancing around the same flawed protection techniques. :P
Even if it hashes a unique ID, that can still be broken. Blizzard needs to sign the hashkey (only possible during online play) for it to be secure. Encryption is bullshit without a trusted signature.
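An added example, not part of the thread and not Blizzard's actual bank format or signature algorithm (the thread describes neither), modelling the point the posts above make: a checksum computed only from the saved data accepts any edited file whose checksum was recomputed, while a tag keyed with a secret held off the client does not. The dict-based bank layout, SHA-256/HMAC and the key are assumptions chosen for illustration.

```python
import hashlib
import hmac
import json

def canonical(values: dict) -> bytes:
    # Deterministic serialisation so writer and verifier hash the same bytes.
    return json.dumps(values, sort_keys=True, separators=(",", ":")).encode()

def sign_unkeyed(values: dict) -> dict:
    # Model of a checksum stored inside the save file: depends only on the data.
    return {"values": values, "sig": hashlib.sha256(canonical(values)).hexdigest()}

def verify_unkeyed(bank: dict) -> bool:
    expected = hashlib.sha256(canonical(bank["values"])).hexdigest()
    return hmac.compare_digest(expected, bank["sig"])

def sign_keyed(values: dict, key: bytes) -> dict:
    # HMAC: the tag also depends on a secret that never ships with the map.
    tag = hmac.new(key, canonical(values), hashlib.sha256).hexdigest()
    return {"values": values, "sig": tag}

def verify_keyed(bank: dict, key: bytes) -> bool:
    expected = hmac.new(key, canonical(bank["values"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, bank["sig"])

def demo() -> dict:
    server_key = b"constructed-demo-key-held-server-side"  # constructed value
    original = {"wins": 3, "losses": 7}                    # constructed save data
    edited = {"wins": 1337, "losses": 0}

    # An unkeyed checksum can be recomputed by anyone who knows the format.
    resigned = sign_unkeyed(edited)
    # Without the key, an edited file can only carry an old tag or a guessed one.
    keyed = sign_keyed(original, server_key)
    old_tag = {"values": edited, "sig": keyed["sig"]}
    guessed = sign_keyed(edited, b"guess")
    return {
        "unkeyed_original": verify_unkeyed(sign_unkeyed(original)),
        "unkeyed_edited_resigned": verify_unkeyed(resigned),
        "keyed_original": verify_keyed(keyed, server_key),
        "keyed_edited_old_tag": verify_keyed(old_tag, server_key),
        "keyed_edited_wrong_key": verify_keyed(guessed, server_key),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The keyed check only helps while the key stays where players cannot read it; a key embedded in the map file is recoverable by anyone who can open the map, which reduces it to the unkeyed case.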
That wouldn't happen unless they modified the banks, or you modified the banks w/o setting the signature option.
No, randomly in between games the banks invalidate and in my map it resets their values back to null if it finds an invalid signature. It seems to happen rarely, I'm talking about people who don't even know wtf a bank is, it seems to happen 1:100 signatures just don't validate.
The validation check algorithm is fucked up somewhere. I can't think of anything else that would cause this error because the only way for their PSR to reset is if the validity check fails. This has happened to him twice now, both times we were playing games back to back and it would just happen randomly. Also it only happened to one guy, since all 6 players played in both games. I've had it happen to my own score a couple of times now.
The validity check is really not reliable I think.
I don't have the new patch yet. I will test it.
@MotiveMe: Go
Darn :(
@MotiveMe: Go
wow u are fast :D
@MotiveMe: Go
Don't tell it anyone. :D
@SexLethal: Go
Cool story, seems like signatures randomly invalidate. I'm having people randomly lose their banks.
Yep, I have noticed the same thing. Validation is broken... >,<
@Mephs: Go
If you still have this problem mephs you could possibly try validating it 3 times in a row before wiping their bank.... at least that would get you past the random fails...
Validation is broken? That would be a disaster for me.
Blizzard needs to sign banks with a unique map key that changes each game, then convert it to MD5, then when map is played check it against their server.
Anything else is a fking waste of time.
OR THEY COULD I DONT KNOW ALLOW YOU TO SAVE BANK INFO PER CUSTOM MAP ON THE SERVER NOT LIKE ITS THAT HARD OR COST HEAVY TO DO I MEAN ITS NOT LIKE THEY DONT ALREADY SAVE YOUR ENTIRE FUCKING MATCH HISTORY FOR THE LAST 20 YEARS ALREADY