Jump to content
dayzdeadmeat

Server admins stealing GUIDs for spoofing

Recommended Posts

To even say that the game wasn't paid for that Rocket and DayZ crew shouldn't make hacking a priority says volumes that they must be the hackers and are scared they might actually have to work for what they earn. Thats just fkn stupid to even say that they shouldn't bother with it is retarded. People are already closing servers because of this, yet if this isn't addressed you think people would actually go out and purchase Dayz knowing of this problem. I don't support hackers and I wouldn't support a game that doesn't address this major issue, this has to be the most important thing that Rocket and crew needs to fix before it becomes the death of DayZ.

  • Like 2

Share this post


Link to post
Share on other sites

"False" is a argument bro, if you can't back it up then you're speaking out the ass.

I have not taken a side in this thread all I said was that GUID's can be spoofed.

So no arguments from me, I say again, take a pill.

Share this post


Link to post
Share on other sites

I'm not a leetsauce hacker, but I do write software for a living. I can't see how you could spoof a GUID (unless you owned a server, then you probably could).

Presumably the GUID isn't generated on the client, if it were, the system would be terrible. The GUID has to be a one way hash based off some client-side verification (your CD-Key). So you provide some credentials (your CD-key) to some kind of auth server which gives you a response (probably also a one way hash) which you then send to the server you want to play on, then the server uses it and does some fancy math to hash it to your GUID. The only way another client could spoof your GUID would be if they stole your CD-Key, which isn't something anyone has access to, not even server admins.

Thinking about it though, a truly malicious server admin could probably get people banned if they grepped out GUIDs of players on their server, then hacked the Battleye process on their server to always report the GUID for their player name as the stolen GUID. This would be a very non-trivial thing to do, would require being a server admin, and would also require having a host where you have full control over the host machine (not just a way to manage the DayZ application).

So, to clarify, GUID spoofing ought to be feasible, but not by script kiddies. You'd have to be a legitimate hacker, and you'd have to be a server admin on a fully manageable server. Also, I'm guessing the guys who write code for Battleye aren't idiots. There are probably ways to mitigate this napkin hack that I've handwaved through that I just haven't thought of.

TL;DR: I think GUID spoofing isn't quite impossible, but its certainly not a widespread problem the way that scripting is.

  • Like 2

Share this post


Link to post
Share on other sites

Maybe. That's pretty interesting though. Lots of people in those threads have no clue though, specifically the people saying it's a keygen. There's no chance in hell that a keygen is going to produce a retail key. The number of actual retail keys is a grain of sand in the ocean of keys that the installer will accept just for install. Basically there's just a math function that runs on your CD-Key when you go to install it that determines whether or not the "syntax" of your key is correct (there are a huge number of "keys" where the syntax is correct), but if you go to play online with that key it won't let you because it's not an actual key (the auth servers have a list of actual legit retail keys, a tiny tiny fraction of syntactically acceptable keys).

It's probably more likely though that a lot of people just have malware on their computers and got their actual CD-keys stolen from the registry. My idea for a server admin GUID stealing spoofer was nothing more than that, an idea. It's at least an educated idea, but I don't know enough about the inner working of BE to know how plausible it really is.

Could also be likely that these people buying retail copies from a store are buying resealed copies and the workers there are selling the keys on the side on the black market.

Edited by Wutangrza

Share this post


Link to post
Share on other sites

Hey look, another "server admins are the devil" thread...

  • Like 1

Share this post


Link to post
Share on other sites
IMHO, hacking is the single most important development issue right now.

One thousand times THIS.

Share this post


Link to post
Share on other sites

"#beclient players"

why would you need admin rights to see everyones GUID

Share this post


Link to post
Share on other sites

It is possible to spoof GUIDs. That is all I will say. Some legit players are getting banned. The info is out there and the proof if you are willing to look around. I will not link any sites here as it is strictly against the rules. If you wish to go around naive to the fact some people have figure out how to potentially hack with 0 consequence than I hope its your GUID that is stolen next.

Share this post


Link to post
Share on other sites

They have people working on this regularly and are working on fixes for the game, taking time away from Arma 3 Development, as well as the many iterations of their engines, including large government contracts around Viritual Battlefield Simulator 2.

Due to its origins as a Battlefield Simulator used by soldiers, and professionals who have no inclination to hack, nor the need to, the engine has started and still remains to be very trusting.

Just to nitpick a little and derail a lot, Operation Flashpoint was their first product and it allowed modding which made it live for a long time. Bis made some add-ons to it and even allowed a 3rd party add-on (Red Hammer I believe). Based on that success they were contacted by someone in the US military I believe or possible Australia to make it for them where VBS came from. They earned their beans here and got more contracts, continued development and VBS has their own team. They "expanded" by making a game of the VBS which again was based on OFP. Arma was like an OFP+ or 1.5 if you want, to keep the fans happy while Arma2 was the true sequel. Most features, like FLIR and equipment are "stolen" from VBS2 but adapted to the arma-code base.

http://www.nytimes.com/2011/05/02/technology/02gameside.html?_r=1&src=busln

And as a sidenote, Codemasters - the OFP publisher, owned the OFP name and made two OFP games on their own, that were horrible and buggy. And CM dropped the support after 6 months with critical bugs intact.

Share this post


Link to post
Share on other sites

That's your hangup then. I can pay for warcraft 3 just to play dota, but I have no right to complain about dota using the "I payed for this game so i expect a certain experience" argument. Are there legitimate issues that need fixed in DayZ? YES, but you should not complain about how you spent 17-20-30 dollars and you want your money worth because you didn't spend that much on dayz, you spent that much for the plethora of released features ARMA2 and OA offers. You just happened to get access to DayZ as a result. Those are the facts. If you came here to complain that you wasted your money on an alpha version of a mod for a released game, then go somewhere else because nobody cares.

Credit card companies won't care what 'the situation' is when their customers ask for a chargeback. Players will just say 'I bought this game last month, and it is unplayable due to low quality'. So however correct you are that people should not complain about an alpha mod, the fact is that consumer protection allows anyone to claim their money back for their Arma II purchase.

Share this post


Link to post
Share on other sites

You cannot do anything with GUID since it's generated server side as far as I'm aware of. Your CD key in your registry is in hex - as you join server BE (assumtion) or arma 2 OA server will generate the hash and push to BE(checking if its legit key) so if you spoof GUID (replace with your CD key in registry) the server will kick you for invalid key since the hash of the hash != the hash :D ..right?

Edited by straw

Share this post


Link to post
Share on other sites

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now

×