Monday, January 30, 2012

Subspace/Continuum Netbans

Last Update Feb/1/2012
Criteria
Game Nickname
IP Address
Registry Key Entries
Windows Username
Computer Owner name
Computer Organization
Volume ID
Mac Address

MAC Address
The MAC (Media Access Control) address is most often assigned by the manufacturer of a network interface card (NIC) and is stored in the hardware, which is why the only way to get a genuinely new MAC address is to buy a new NIC. MAC addresses are used by numerous network technologies and by most IEEE 802 network technologies, including Ethernet. While a MAC address cannot be changed, it can be spoofed: 'spoofing' means to forge, to imitate, or to conceal the identity of something.

A 28k or 56k modem will not have a MAC address. 

Method One
Use one of the following programs:
SMAC or TMAC v6

Method Two
Manual Spoof of MAC Address
  1. Open the Network and Sharing Center
  2. Click Change Adapter Settings
  3. Right-click your adapter and go to Properties
  4. Click Configure
  5. Go to the Advanced tab
  6. In the list, select Locally Administered Address
  7. Enter your new MAC address manually

Caution: this changes the MAC address used by this network adapter. The address is a 12-digit hexadecimal number in this range: 0000 0000 0001 - FEFF FFFF FFFF.
  • Do not use a multicast address (least significant bit of the high byte = 1).
    For example, in the address 0y123456789A, "y" cannot be an odd number (y must be 0, 2, 4, 6, 8, A, C, or E).
    NIC Card
    A network interface controller (also known as a network interface card, network adapter, LAN adapter and by similar terms) is a computer hardware component that connects a computer to a computer network.

    Volume ID
    A volume serial number is created from a fairly complex combination of the year, hour, month, second, and hundredth of a second at which the drive was formatted. You can check your current volume ID by opening CMD and typing 'vol'.

    Example
    C:\Users\Administrator>vol
     Volume in drive C has no label.
     Volume Serial Number is 5239-179B

    Currently the only method to change your Volume ID is to use the program HardDiskSerialNumberChanger.
    *This program is safe to use and does no harm to your hard drive. It is the only method listed at this time to change your Volume ID without a reformat. 

    *Information on how to change your volume ID manually without a format of your hard drive, will be added later. 

    Computer Organization and Computer Owner Name 
    Your Computer Owner Name is the name you entered for your computer when you installed Windows. If your name is John, for example, your Computer Owner Name would be John-PC Administrator, where the second half, 'Administrator', falls under your Windows Username.

    To change your Computer Owner Name:

    Method One
    1. Open the Windows Start Menu
    2. In the search field type Sysdm.cpl
    3. Click Change
    4. Enter your new Owner Name

    Method Two
    1. Open the Windows Start Menu
    2. In the search field type Regedit
    3. Follow the path
    4. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    5. Look in the right-hand panel
    6. RegisteredOwner
    7. Modify the value
    8. RegisteredOrganization
    9. Modify the value
    10. Restart the computer

    Windows Username
    Your Windows Username is the name of the account you use to log in to Windows. This can be the Guest account, the Administrator account, a user account, or even the Windows 7 hidden Administrator account; it depends on what you are using.

    Typically, one way to get a new username is to create a new user account, copy your library over to it (My Documents, Pictures, etc.) and delete the old user account. However, this is time consuming. Also, if you have enabled the Windows 7 hidden Administrator account and are using it, it is not a username you can change by going to the Control Panel, User Accounts section (where an option to change the account name exists in normal circumstances).

    So, to change your user account name in the fastest way possible, one that will work in every situation:

    1. Open the Windows Start Menu
    2. In the search field type secpol.msc
    3. You should now be in the Local Security Policy (if not, open it)
    4. Its name is shown in the top-left of the title bar, opposite the minimize, maximize and close buttons
    5. In the left pane, find Local Policies, then Security Options
    6. In the right pane, look under the Policy column
    7. Look for all entries starting with 'Accounts'
    8. Select the one named Rename Administrator Account
    9. Right-click it and select Properties
    10. Rename your Windows account

    Tracking Registry Values and Files
    First, download and install Zsoft Uninstaller.

    Zsoft Uninstaller is a program that improves upon the normal Windows uninstallation methods; it helps you remove all traces of an installed program, including registry changes and leftover files. However, I am not telling you to download Zsoft Uninstaller for its ability to uninstall programs; I am telling you to download it because of its feature to analyze installations.

    Zsoft tracks not only file changes but also registry changes; it will tell you exactly where a new file was added or from where a file was deleted, and the same for the registry.
    1. Run Zsoft Uninstaller and click the 'Analyze' button at the top
    2. In the window that pops up, make sure "Analyze an installation" is selected and click "Next"
    3. Select the C: drive
    4. This starts a scan of your computer; wait for the scan to finish
    5. After the scan is finished, leave this window open and install your program normally
    6. After that, return to the Zsoft window and click "After installation"
    7. You will be prompted to enter a name for the software you installed
    8. Zsoft will again scan your computer
    9. Zsoft automatically compares the two scans and finds the differences
    10. Click the "Analyzed Programs" tab
    11. Right-click the program you named earlier and click "Show Recorded Info"
    A window will open that lists all the changes made to your computer during the installation of the selected program, both file changes and registry changes.

    *Later I will detail specific Continuum/Subspace registry changes and file locations. And catalog what each one is for.

    MERVBOT.COM SUBSPACE (outdated source)


    MacId spoofing 
    MachineID is the volume serial number of drive C:. This is proved in MERVBot, which uses the MacId of the machine it is running on minus one. However, this "MachineID" is easily hackable for three reasons. 1) You are able to see it in the game. 2) It is unencrypted in memory. 3) It is generated when you first load SubSpace and whenever you leave a zone. Therefore, changing it was as easy as it was for Sage386 to hack the Permission ID on /*kill X Mod/SMod bans. It took 5 minutes to change my MacId in memory with WinHack 2 by reading it out of /*info as a SysOp and searching for it with WH2. Thus, it would be simple to change the MacId to that of a zone SMod and ban them as well, just as some cheaters had done with the Permission ID! TimeZoneBias = your time zone ID - 30, as shown in MERVBot this was also stored unencrypted in memory. Now, the problem cannot be ignored and hopefully TGS or PriitK will fix it. 

    The memory offsets for these ID tags are shown in Unban. Note that there is a lot of code commented out. If you can get it to work again, that is the code that turns your SS client into a flying bot, which zeroes in on the second player on your player list. 

    As a side note, Infantry's Ban IDs are encrypted in memory or generated on demand. Infantry is JeffP's new game. I know this because one can apply the same methods used to hack SubSpace's protocol in Infantry.
     

    Here's a packet log from Infantry to prove it:
    
    SEND-> 0000   00 01 02 00 BD 03 8E 02                           ........
    
    RECV-> 0000   00 02 BD 03 8E 02 00 00 00 00                     ..........
    
    SEND-> 0000   00 03 00 00 00 00 00 01 00 43 61 74 69 64 00 00   .........Catid..
    SEND-> 0010   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
    SEND-> 0020   00 00 00 00 00 00 00 00 00 PW PW PW PW PW PW PW   ................
    SEND-> 0030   PW 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
    SEND-> 0040   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
    SEND-> 0050   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
    SEND-> 0060   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
    SEND-> 0070   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
    SEND-> 0080   00 00 00 00 00 00 00 00 00 E5 15 73 29 4D 2D F6   ...........s)M-.
    SEND-> 0090   58 00 00 00 00 4C 00 00 20 78 18 51 65 00 00 00   X....L.. x.Qe...
    SEND-> 00A0   00 00 00 00 00 00 00                              .......
    
    RECV-> 0000   00 0B 00 00 00 00 00                              .......

    All the unencrypted BanIDs in the password packet are nowhere to be found in memory. Notice how similar the protocol is? Only minor differences in the login packet and encryption. I suppose everyone was right when they said SubSpace was merely a tech test.

    SubSpace memory PlayerList 
    SubSpace stores the player list in a constant location in memory, in the order it appears in the game (it can be sorted; your name is not always on the top). It is at offset 4702840 as provided by Twister. Each 4 bytes after that address contains a pointer (a location in memory, an offset) where you can find the player data including name, ship type, frequency and all that other good stuff. In SubSpace login packets your name may be changed. In fact, you are part of the player list sent by the server. This is managed by a separate packet which designates which player you are on the list. The number is an integer somewhere in memory. Sage386 did not know this when he wrote Twister; instead he compared the first item on the player list to the first item at a different offset: 4900712.

    i.e.
    if (not ReadProcessMemory(ProcessInfo.hProcess, ptr($47C278), @addr1, 4, bloaded))
       or (not ReadProcessMemory(ProcessInfo.hProcess, ptr($4AC768), @addr2, 4, bloaded))
       or (addr1 <> addr2) then abort;

    Since when subspace.exe removes a player from the Playerlist, data at the end is not NULL terminated, it is assumed that SubSpace.exe keeps a player count. MERVBot works the opposite way by keeping a static list of player information, indexed by the player Id sent by the server.

    i.e.
      For I = 1 To TotalPlayers
        'SubSpace's method
      Next

      For I = 0 To MAX_PLAYERS
        If Plist(I).SSName <> "" Then
          'My method
        End If
      Next

    A bot MUST know the offset at which this count is stored to keep an accurate list of players in the game. I moved on to packet bots before discovering the address, and for brevity I'm not going to look for it now. Take a look at ShipBot for a good example of this kind of bot. Note that instead of searching for the "Ticked name:" window handle (HWnd), the bot reads the HWnd from SubSpace memory.

    Billing Servers 
    SubGame and SubBill go hand-in-hand to serve SubSpace games. However, the billing server's function goes largely unnoticed. Firstly, there is a way to communicate with SubBill through SQL (it may be something else, I just saw something familiar while browsing the disassembly) in order to read scores, shut down and recycle servers, etc. Secondly, the server may rename users, explaining how BanG renames cheaters to ^Banned, and this is reinforced by the fact that both MacId and IP are sent to the biller. Yes, BanG only sees your IP and MacId and Name and TimeZoneBias. I know TimeZoneBias because when PriitK tried to patch my SSUnban program he instead relied on invalid TimeZoneBias, and the "patch" was handled by BanG on the SSC biller. SubBill servers send packets unencrypted, making them the most insecure part of SubSpace login. All passwords get sent unencrypted to SubBill (Read: Sniff packets between SubGame and SubBill to steal passwords. This is way too easy and must be fixed). SSC has a SubBill that sends encrypted packets. How do I know? I tried to connect a server to their biller and noticed that the SubBill traffic was encrypted. This is not how to protect user passwords though. Instead, steps must be taken to ensure that the SubGame server encrypts passwords using the SubBill method before forwarding them to SubBill. This SubBill password encryption is included in SSBilling and the standalone form by Coconut emulator.

    Login Trace
    One of the most confusing parts of the SubSpace protocol is the complicated login procedure. In this section I will provide an annotated login attempt between a client and SubGame v1.34.9. All reliable headers have been stripped. 

    SubSpace Client sends his Password packet
    C2S > Field Length Description
          0     1      Type byte: Packet #9
          1     1      New user? 1 = true, 0 = false
          2     32     Name
          34    32     Password
          66    4      MachineID (volume C: serial number)
          70    1      Magic number: 0
          71    2      Timezone bias (time zone)
          73    2      Magic number: 0x6f9d
          75    2      Client version (134)
          77    4      Magic number: 444
          81    4      Magic number: 555
          85    4      PermissionID (random number in registry)
          89    12     Zero'd out
    
    SubGame sends his Password Response packet
    S2C > Field Length Description
          0     1      Type byte
          1     1      Accept response meaning
          2     4      Server version
          6     4      ?
          10    4      EXE checksum
          14    4      ? unused
          18    1      ? boolean
          19    1      Boolean: Request registration form
          20    4      ? checksum changes when subspace.exe changes
          24    4      News checksum (0 = no news file)
          28    4      ? time/date
          32    4      ? time/date
    
    SubGame sends a go-ahead flag
    S2C > 31
    
    SubSpace Client sends an Arena Change request, typically to arena ''
    
    C2S > Field Length Description
          0     1      Type byte
          1     1      Ship type
          2     2      Allow audio? 1 = true, 0 = false
          4     2      X resolution
          6     2      Y resolution
          8     2      Main arena number
          10    16     Arena name
    ... At this point the client is logged in far enough that it can start playing.

    Encryption 
    SubSpace uses encryption. Encryption means to obscure the true meaning of a
    message using a numerical pattern. 

    When SubSpace connects to a SubGame game server, it first completes a key exchange.
    00 01 KK KK KK KK VV VV
    00 05 SS SS RR RR
    00 06 SS SS RR RR TT TT TT TT
    00 02 ~K ~K ~K ~K
    'KK = Random number (must be negative)
    'VV = Encryption version (1 for SubSpace, 16 for Continuum)
    'SS = Number of connections since last recycle
    'RR = Random number
    'TT = Local time
    '~K = Session key (must be unary -KK)
    
    There is some protocol that goes along with these packets: 
    00 01 gets resent until 00 02 is recv'd.
    If KK >= 0, then a proper SubSpace server will not acknowledge your connection.
    00 05/00 06 isn't used in older SubSpace servers, it's recommended you take this
    into account while designing your own stack. Up until the 00 02 response, 
    no other packet types (should be) accepted by the server.

    Why we use 00 05/00 06:
    A few years ago I discovered that sending a massive load of 00 01 packets to a SubGame would effectively create a Denial of Service condition; PriitK patched it by masterfully recoding the connection protocol for SubGame to ignore requests until it gets an 00 06 response to SG's 00 05. It is therefore a fix for a nasty problem. 

    Why we use packets limited to 520 bytes: 
    For both bandwidth reasons and, interestingly enough, the hard fact that SubSpace's encryption uses a buffer of 520 bytes - anything longer cannot be decoded. 

    There are some ways to disable encryption: 
    Send a KK field of 0. 00 01 00 00 00 00 01 00 The server must respond with a NULL key (no encryption). Custom SubSpace stacks may ignore this. 
    Encryption may be disabled server-side if the key you send is the same as the key you get back. 

    But if you want to use encryption: 
    The lengthy DOC by Coconut emulator explains how he ripped SS encryption to a DLL file with SoftICE for use in VB programs. MERVBot contains C++ code which encapsulates all aspects of maintaining a SubSpace session, including encryption. 

    Security of the encryption: 
    This method of encryption is very weak to a chosen-plaintext attack, and tends to share every fourth byte of the keystream with other connections established within ~48 hours. 

    For example, SECRET_KEY ^ PLAINTEXT -> CIPHER_TEXT, if you know PLAINTEXT then PLAINTEXT ^ CIPHER_TEXT = SECRET_KEY. In short, do not trust any personal data on a logged connection to SubSpace. Continuum, on the other hand, has military-grade encryption =))



    MERVBOT.COM BANG (outdated source)

    BanG, and other famous ban systems these days have several layers:
    (In proper order of checking) 

    PermissionID ban
    "Moderator alert" For the record, only subgame servers even look at Permission ID, but this is still important. Mods and SMods use a different *kill ID, Permission ID. Both Machine and Permission ID's may be found in the registry, incidentally, as keys D1 and D2, in that order, under LOCAL_MACHINE/Software/ Both MachineID and PermissionID must be different or else online moderators will get big red warning messages whenever you enter the zone. 

    Change in memory with PokeDWORD(4914080, NewPermissionID);
    PokeDWORD(4915000, NewPermissionID); 

    Password packet floods 
    Initially, you are given a grace period and once it is exceeded, the message "The server is busy processing login requests..." is returned. After this period (intentional?), connections from your IP are restricted to about 3 times a minute, to any zone on the network.

    Invalid names 
    You cannot enter with the name ^Banned, for instance. Printable characters, exclusively, are allowed. Spaces are clipped from the end of your name. 

    Invalid TimeZoneBias ^Banned ID #0 
    The TZB must be: 
    + Divisible by 30. 
    + Greater than or equal to -720. 
    + Less than or equal to 720. 
    TZB may be changed via the system tray or by PokeWORD(4911604, NewTZB); 

    Invalid MachineID ^Banned ID #0 
    Machine ID must be a positive number greater than 0. 
    '*1337' may or may not be declared invalid.

    UserID ^Banned 
    Once you are banned, you cannot use that name ever again. 

    MachineID ^Banned 
    Same as IDBlock.txt
    Machine ID is your volume C:\ serial number, pre-computed every time you start subspace or leave a zone. Some argue JeffP wrote this flaw intentionally to make it easy to unban yourself. He definitely wrote the CD-check to be hacked: he disagreed with the CD-check, and has said so repeatedly. Machine ID, therefore, may be PokeDWORD(4923356, NewMachineID); SysOp *kill bans use this ID.
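    The password packet layout from the Login Trace section, together with the name, TimeZoneBias and MachineID rules listed in this BanG section, can be turned into a small server-side sanity check. This is an added example, not code from the page, from MERVBot or from BanG; little-endian byte order, a signed 16-bit TZB and a signed 32-bit MachineID are assumptions, and the sample packet is constructed.

```python
"""Parse a SubSpace C2S password packet (type 9) and apply the generic
validity checks this page attributes to BanG-style ban layers.
Added example, not code from the page, MERVBot or BanG.  Field layout
follows the Login Trace table; little-endian byte order and a signed
16-bit TZB / signed 32-bit MachineID are assumptions."""
import struct

# '<' = little-endian, no padding (assumption: x86 client writes it this way)
PASSWORD_FMT = "<BB32s32siBhHHiii12s"
PASSWORD_LEN = struct.calcsize(PASSWORD_FMT)  # 101 bytes per the table
TYPE_PASSWORD = 9
MAGIC_6F9D = 0x6F9D
CLIENT_VERSION = 134
BANNED_NAMES = {"^Banned"}  # the page says this name can never be used


def build_password_packet(name, password, machine_id, tzb, permission_id,
                          new_user=0, client_version=CLIENT_VERSION):
    """Constructed sample packet in the page's layout (test input only)."""
    return struct.pack(PASSWORD_FMT, TYPE_PASSWORD, new_user,
                       name.encode("ascii"), password.encode("ascii"),
                       machine_id, 0, tzb, MAGIC_6F9D, client_version,
                       444, 555, permission_id, b"\0" * 12)


def parse_password_packet(pkt):
    """Return the packet fields as a dict; raise ValueError on bad framing."""
    if len(pkt) != PASSWORD_LEN:
        raise ValueError("expected %d bytes, got %d" % (PASSWORD_LEN, len(pkt)))
    (ptype, new_user, name, _password, machine_id, magic0, tzb, magic1,
     version, magic444, magic555, permission_id, _tail) = struct.unpack(
        PASSWORD_FMT, pkt)
    if ptype != TYPE_PASSWORD:
        raise ValueError("not a password packet: type %d" % ptype)
    if (magic0, magic1, magic444, magic555) != (0, MAGIC_6F9D, 444, 555):
        raise ValueError("magic numbers do not match the documented layout")
    # Name is NUL-padded; the page says trailing spaces are clipped.
    name = name.split(b"\0", 1)[0].decode("latin-1").rstrip(" ")
    return {"new_user": new_user, "name": name, "machine_id": machine_id,
            "tzb": tzb, "version": version, "permission_id": permission_id}


def check_login(fields):
    """Apply the generic checks from the BanG section; return the failures."""
    problems = []
    name = fields["name"]
    # Printable characters only; ^Banned (and any listed name) is refused.
    if not name or not name.isprintable() or name in BANNED_NAMES:
        problems.append("invalid name")
    tzb = fields["tzb"]
    # TZB must be a multiple of 30 in [-720, 720].
    if tzb % 30 != 0 or not -720 <= tzb <= 720:
        problems.append("invalid TimeZoneBias")
    # MachineID must be a positive number greater than 0.
    if fields["machine_id"] <= 0:
        problems.append("invalid MachineID")
    return problems
```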

    IP [range]^Banned 
    Same as IPBlock.txt 
    Your IP is assigned to you when you connect to the internet. Your ISP will assign you this number from a small range of values, which leaves the possibility to tag players by their internet connection. To get around this, sign up for NetZero or AOL for free. If you cannot do this on your computer, set up a subspace proxy on another machine with a dial-up connection. 

    Registration form hostname ban
    "It looks like you are getting in, then it kicks you" 
    This was my idea. You use the registration form-provided hostname to identify IP-banned players. It cannot be spoofed client-side with a process patcher unless you modify the client's code in memory. It is overcome with a custom-coded proxy server or some truly elite client hacking. 

    NetBIOS hostname ban
    "It looks like you are getting in, then it kicks you" 
    This one is a bit of a stretch in my opinion, but BanG queries your machine for a NetBIOS name. It is overcome with a firewall such as ZoneAlarm. 

    Ban updating
    There are also some additional features, like updating the IP range when players trigger the registration form hostname ban, etc. To get around this, be sure that every one of these checks has been passed before logging in. 

    Tricks 
    Using a really long name or a confusing one like 'the mod', will make it more difficult to trace you. Furthermore, hopping arenas by macro'ing ?go %freq%selfname%red etc may help. Alias checks are now possible on SSC, after a lot of prodding, so if you want to keep your scores be sure that your Machine ID, TZB and IP do not match any of your other names.

    When you enter as ^Banned with a generic check (they don't know WHICH cheater you are), that reads "BanID # 0", you are getting close - randomize everything again and double-check the generic checks. 

    Future bans 
    While I offer ways around existing bans, new ones may appear; for instance, I proposed a design earlier this year where timestamps sent to zones would be stored for 24 hours, and players banned in that period would need to reboot in order to unban themselves. This check would have to be bypassed with a proxy, or some SpeedCheat derivative.

    I am unaware of any other alternative ban schemes, and with the arrival of Continuum it is doubtful that any more attention will be paid to SubSpace's ban problems. When you are hacking other games, or Continuum or whatever, please note that ban ID's tend to reside near the login packet with your name and password; they also LOOK random, but they will not change between sessions with the server. Okay!

    Now that you see how advanced ban capability has become these days, certainly you will recognize the difficulty in getting around any serious block. This has become almost a hobby for me, since the first time I developed a MacID randomizer. And I hope that by quenching the thirst for this kind of documentation, players will play more legally and respect the staff a bit more.
