| Pages: [1] 2 :: one page |
|
|
| Author |
Thread Statistics | Show CCP posts - 0 post(s) |
Chaddy
   |
Posted - 2006.07.15 11:54:00 -
[1]
So, i have been watching some of the "the making of eve" videos. And you talked about the game using large parts of stackless python. I fully agree on that this, by that time, was a very good idea(Beside that i dont like python really). But since this is very easy to inject into a process like eve, this HAVE created some very bad security holes, that have a HUGE effect on the game economy!
I do remember a BoB post on missions, saying that you are moving all the missions away from python, and redoing them in C++ i think it was - GREAT! But this isn't enough. We really need to remove(Maybe this is a thing that should come with the new unicode client?) all python, and no more code can be injected. This will likely stop most macromining(I know theres some other ways to do it, but they work worse compared to what you can do in python.
Are you gonna outfase all the python, and save us from all the macrominers?
|
Dark Shikari
Caldari
|
Posted - 2006.07.15 11:58:00 -
[2]
Stackless python is nearly entirely used server-side, to handle the millions of operations at once that the servers need to do. Client-side it isn't as important. And it doesn't help the macroers much, either.
Any game can be macroed: stackless python isn't going to make it much easier.
--Proud member of the [23]--
-WTS Nanotransistors, Heavy Electron II, 100mn AB II- |
HippoKing
Caldari
|
Posted - 2006.07.15 11:59:00 -
[3]
I don't know about how much is server side, but there is a lot of uncompiled python in the game folder.
|
MysticNZ
GoonFleet
GoonSwarm
|
Posted - 2006.07.15 12:04:00 -
[4]
 Originally by: Dark Shikari
Stackless python is nearly entirely used server-side, to handle the millions of operations at once that the servers need to do. Client-side it isn't as important. And it doesn't help the macroers much, either.
Any game can be macroed: stackless python isn't going to make it much easier.
All bot scripts are written in python, directly using objects in game.
-=====-
|
MysticNZ
GoonFleet
GoonSwarm
|
Posted - 2006.07.15 12:06:00 -
[5]
What's worse is you can use the eve log manager to get a list of the objects in the game... the eve logger is what is used to debug these scripts :P
-=====-
|
Dark Shikari
Caldari
|
Posted - 2006.07.15 12:10:00 -
[6]
Originally by: MysticNZ
Originally by: Dark Shikari
Stackless python is nearly entirely used server-side, to handle the millions of operations at once that the servers need to do. Client-side it isn't as important. And it doesn't help the macroers much, either.
Any game can be macroed: stackless python isn't going to make it much easier.
All bot scripts are written in python, directly using objects in game.
And?
I know a friend with a World of Warcraft bot that works directly with objects in game, and it can do basically anything you want: you can tell it to start off at level 1 and grind you to 60, and it'll do that.
Ragnorak Online has similarly powerful bots. Diablo 2 has bots that can kill bosses thousands of times in a row and store the best loot.
Python isn't necessary to make bots.
--Proud member of the [23]--
-WTS Nanotransistors, Heavy Electron II, 100mn AB II- |
MysticNZ
GoonFleet
GoonSwarm
|
Posted - 2006.07.15 12:12:00 -
[7]
Originally by: Dark Shikari
Originally by: MysticNZ
Originally by: Dark Shikari
Stackless python is nearly entirely used server-side, to handle the millions of operations at once that the servers need to do. Client-side it isn't as important. And it doesn't help the macroers much, either.
Any game can be macroed: stackless python isn't going to make it much easier.
All bot scripts are written in python, directly using objects in game.
And?
I know a friend with a World of Warcraft bot that works directly with objects in game, and it can do basically anything you want: you can tell it to start off at level 1 and grind you to 60, and it'll do that.
Ragnorak Online has similarly powerful bots. Diablo 2 has bots that can kill bosses thousands of times in a row and store the best loot.
Python isn't necessary to make bots.
Sorry, my point is that anyone can load up the evelogger program, log the exefile.exe, get the objects and write their own script.
Just how easy it is, is my point.
-=====-
|
gfldex
|
Posted - 2006.07.15 12:34:00 -
[8]
Originally by: Dark Shikari
stackless python isn't going to make it much easier.
You are wrong here decompyle makes it a lot easier. A good optimized c++ program dont got much objects left. It's basicly harder to understand c. Python, as a dynamic language, has to keep all symbol names. It's like reading a open book.
--
$ perl -n -e 'print "Stop blameing pirates! Oveur is the root of all evil!\n" if m/podkill|lost my ship|gank|gate camp|Verone/;'
|
Dark Shikari
Caldari
|
Posted - 2006.07.15 12:36:00 -
[9]
Originally by: gfldex
Originally by: Dark Shikari
stackless python isn't going to make it much easier.
You are wrong here decompyle makes it a lot easier. A good optimized c++ program dont got much objects left. It's basicly harder to understand c. Python, as a dynamic language, has to keep all symbol names. It's like reading a open book.
Simple solution: Use a python obfuscator 
While I can just log on and type "decompyle" and decompile any compiled python program, it won't help me if the code is completely obfuscated.
--Proud member of the [23]--
-WTS Nanotransistors, Heavy Electron II, 100mn AB II- |
Tachy
|
Posted - 2006.07.15 12:37:00 -
[10]
If you want you can even design your own client for EVE.
You don't even need to know in what language the client is coded.
The change on the missions is a change of the way the missions are built. They move it from manual coding to a framework. They're basically using a toolbox, and it doesn't matter in what programming language the stuff's coded in the end. The mission scripts are running on the server, not on the client.
To stop the macroing, ccp had to remove the client's access to the servers ...
--*=*=*--
Even with nougat, you can have a perfect moment. |
|
|
Jim McGregor
Caldari
|
Posted - 2006.07.15 13:02:00 -
[11]
I would just like a new GUI. Imagine Eve with a really fast, quick cool-looking, futuristic GUI... would be very nice. Maybe something thats coming in Eve Vista.
---
Eve Wiki | Eve Tribune | Eve Pirate |
Ather Ialeas
Occam's Razor Combine
Interstellar Starbase Syndicate
|
Posted - 2006.07.15 13:10:00 -
[12]
Originally by: Dark Shikari
Simple solution: Use a python obfuscator
While I can just log on and type "decompyle" and decompile any compiled python program, it won't help me if the code is completely obfuscated.
Granted that if formula like "wtfbbq = DPS * guns" is obfuscated to "fwako = wakma * wioa" is harder to read, it just takes a few moments to hack that by changing the variable names to some random ones like "bunny = fluffy + gray" and then it's just about looking what values "fluffy" and "gray" variables have over time.
Obfuscation is vaporware and doesn't actually help at all.
________________________________________________
My signature exploded :/ |
Dark Shikari
Caldari
|
Posted - 2006.07.15 13:16:00 -
[13]
Originally by: Ather Ialeas
Originally by: Dark Shikari
Simple solution: Use a python obfuscator
While I can just log on and type "decompyle" and decompile any compiled python program, it won't help me if the code is completely obfuscated.
Granted that if formula like "wtfbbq = DPS * guns" is obfuscated to "fwako = wakma * wioa" is harder to read, it just takes a few moments to hack that by changing the variable names to some random ones like "bunny = fluffy + gray" and then it's just about looking what values "fluffy" and "gray" variables have over time.
Obfuscation is vaporware and doesn't actually help at all.
In a complex program with millions of lines of code, obfuscation is quite effective.
Proper obfuscation makes it so that it takes a great deal more work to hack the code. Its not just a matter of grabbing the variable names: one has to understand how the code works. If the macro-maker has to manually figure out what everything does, its going to take him 100s of hours if not thousands.
--Proud member of the [23]--
-WTS Heavy Electron II, 100mn AB II, Medium Warp Bubbles- |
Ather Ialeas
Occam's Razor Combine
Interstellar Starbase Syndicate
|
Posted - 2006.07.15 14:10:00 -
[14]
Originally by: Dark Shikari
Proper obfuscation makes it so that it takes a great deal more work to hack the code. Its not just a matter of grabbing the variable names: one has to understand how the code works. If the macro-maker has to manually figure out what everything does, its going to take him 100s of hours if not thousands.
Granted that you have a point there...although at the moment obfuscating would be kinda pointless since they already know how the game works.
________________________________________________
My signature exploded :/ |
Virida
Mindstar Technology
United Confederation of Corporations
|
Posted - 2006.07.15 15:09:00 -
[15]
Originally by: Dark Shikari
Originally by: Ather Ialeas
Originally by: Dark Shikari
Simple solution: Use a python obfuscator
While I can just log on and type "decompyle" and decompile any compiled python program, it won't help me if the code is completely obfuscated.
Granted that if formula like "wtfbbq = DPS * guns" is obfuscated to "fwako = wakma * wioa" is harder to read, it just takes a few moments to hack that by changing the variable names to some random ones like "bunny = fluffy + gray" and then it's just about looking what values "fluffy" and "gray" variables have over time.
Obfuscation is vaporware and doesn't actually help at all.
In a complex program with millions of lines of code, obfuscation is quite effective.
Proper obfuscation makes it so that it takes a great deal more work to hack the code. Its not just a matter of grabbing the variable names: one has to understand how the code works. If the macro-maker has to manually figure out what everything does, its going to take him 100s of hours if not thousands.
What is good code to work with, is good code to macro with. simple as that. Id leave 5 millions of non named scrambled toothpase like gooish "spagetti code" of python for you to debug, id personally prefer to code in C++/C than that.
|
Luc Boye
Evolution
Band of Brothers
|
Posted - 2006.07.15 15:45:00 -
[16]
Originally by: Chaddy
So, i have been watching some of the "the making of eve" videos. And you talked about the game using large parts of stackless python. I fully agree on that this, by that time, was a very good idea(Beside that i dont like python really). But since this is very easy to inject into a process like eve, this HAVE created some very bad security holes, that have a HUGE effect on the game economy!
I do remember a BoB post on missions, saying that you are moving all the missions away from python, and redoing them in C++ i think it was - GREAT! But this isn't enough. We really need to remove(Maybe this is a thing that should come with the new unicode client?) all python, and no more code can be injected. This will likely stop most macromining(I know theres some other ways to do it, but they work worse compared to what you can do in python.
Are you gonna outfase all the python, and save us from all the macrominers?
Yeah, lets use visual basic.
|
lemay
|
Posted - 2006.07.16 06:41:00 -
[17]
Originally by: Dark Shikari
Originally by: Ather Ialeas
Originally by: Dark Shikari
Simple solution: Use a python obfuscator
While I can just log on and type "decompyle" and decompile any compiled python program, it won't help me if the code is completely obfuscated.
Granted that if formula like "wtfbbq = DPS * guns" is obfuscated to "fwako = wakma * wioa" is harder to read, it just takes a few moments to hack that by changing the variable names to some random ones like "bunny = fluffy + gray" and then it's just about looking what values "fluffy" and "gray" variables have over time.
Obfuscation is vaporware and doesn't actually help at all.
In a complex program with millions of lines of code, obfuscation is quite effective.
Proper obfuscation makes it so that it takes a great deal more work to hack the code. Its not just a matter of grabbing the variable names: one has to understand how the code works. If the macro-maker has to manually figure out what everything does, its going to take him 100s of hours if not thousands.
Obfuscation isn't all that useful, you can still just watch what's happening in memory.
I used to do application code auditing, and blackbox reverse engineering of applications. Quite often we didn't even notice that the developers had oh-so-cleverly obfuscated their interperted laguange. A good debugger shows you what's going on in memory. No software will be really safe from reverse engineering or modification until we get some kind of hardware keying solution like Palladium or wtf ever that trusted computing crap is called these days.
|
Nifel
Caldari
|
Posted - 2006.07.16 07:43:00 -
[18]
Originally by: Luc Boye
Originally by: Chaddy
So, i have been watching some of the "the making of eve" videos. And you talked about the game using large parts of stackless python. I fully agree on that this, by that time, was a very good idea(Beside that i dont like python really). But since this is very easy to inject into a process like eve, this HAVE created some very bad security holes, that have a HUGE effect on the game economy!
I do remember a BoB post on missions, saying that you are moving all the missions away from python, and redoing them in C++ i think it was - GREAT! But this isn't enough. We really need to remove(Maybe this is a thing that should come with the new unicode client?) all python, and no more code can be injected. This will likely stop most macromining(I know theres some other ways to do it, but they work worse compared to what you can do in python.
Are you gonna outfase all the python, and save us from all the macrominers?
Yeah, lets use visual basic.
I was thinking COBOL.
"When I die I want to die peacefully in my sleep like my grandpa. Not yelling and screaming like the passengers in his car."
RKK Ranking: (MIN14) |
Krissala
|
Posted - 2006.07.16 08:07:00 -
[19]
Wow... just wow...
First of all, obfuscation will help stop the day-to-day, DIY botmaker. However, for an actual programmer that knows what they're doing, obfuscation, nor a language change, will prevent bots. Look at what Blizzard did with World of Warcraft. The better macroing/botting tools wrote directly to WoW's memory space to make changes to character location, to monitor what was occuring to your character, et cetera. Blizzard then developed the Warden program to counter it. Warden, for those that don't know, is really just a basic rootkit that watches for other applications to try to change WoW's memory space. If the Warden program is not running, you cannot successfully connect to WoW servers. While this is a very harsh method, and one that was not looked nicely upon, it's currently the MOST effective (and still not 100%) means to prevent tampering with an online gaming experience that's available.
So, in short, there is no perfect solution, regardless of client or server language, obfuscation or any other means of changing the code. This has been a public service announcement.
|
Valeo Galaem
InterGalactic Corp.
Imperial Republic Of the North
|
Posted - 2006.07.16 08:11:00 -
[20]
Edited by: Valeo Galaem on 16/07/2006 08:11:39
CCP started encrypting the python files in the client with the Chinese 'Dragon' code branch. You will find that the .py and .pyo files normally found in the 'lib' directory are now gone, replaced with a few .ccp (as in CCP, not C++) files. I don't know enough about python or any interpreted languages to know if this will help against these problems or not. But I'm sure CCP is doing this for a mix of security and legal reasons.
They have already started to merge the Dragon code branch and the current Shiva code branch, and it might be done before Kali 1 is released. Details on how to test the Dragon client can be found in the Game Development forum.
Thar be Pirates
You are not authorised to hack into CONCORD's mainframe
Your Wallet has been emptied!
CONCORD Encryption |
|
|
Locke DieDrake
Port Royal Independent Kontractors
Imperial Republic Of the North
|
Posted - 2006.07.16 08:21:00 -
[21]
Since when do a bunch of players now more about coding than CCP?
Just curious.
___________________________________________
The deeper you stick it in your vein, the deeper the thoughts there's no more pain.
___________________________________________ |
Sharadar
|
Posted - 2006.07.16 08:33:00 -
[22]
When a bunch of players are professional programmers?
|
Chaddy
|
Posted - 2006.07.16 08:37:00 -
[23]
Originally by: Sharadar
When a bunch of players are professional programmers?
QTF.
Just because Eve is the only game in the world, it doesn't mean that the guys at CCP are the only developers(At least not yet, before they manage to make Eve so addictive, that everybody loose their job, and play eve 24/7)
|
Locke DieDrake
Port Royal Independent Kontractors
Imperial Republic Of the North
|
Posted - 2006.07.16 08:40:00 -
[24]
Originally by: Sharadar
When a bunch of players are professional programmers?
Oh? so you have a few MMO's under your resume then?
No? I didn't think so.
A "Professional" coder would not post a code based weakness on the forum. Glorified script kiddies post about these things. Proffesional coders send a private email and hope the company takes it seriously.
In fact, there are entire coder communities where the ethics of publicily posting weaknesses or flaws has been argued to death. Legally and ethically, the consensus is that you don't publicly reveal this information without first granting the actual coders a chance to fix it privately.
But if you really were a professional programmer, you already knew that.
___________________________________________
The deeper you stick it in your vein, the deeper the thoughts there's no more pain.
___________________________________________ |
Hellcore
Minmatar
|
Posted - 2006.07.16 08:45:00 -
[25]
Ofc, no-one ever hooked into game DLLs, injected code directly into executables or anything ever, did they? Also ofc it is impossible to write trusted code in interpreted languages too, right? 
Blame the workman, not the tools.
|
Chaddy
|
Posted - 2006.07.16 08:47:00 -
[26]
Edited by: Chaddy on 16/07/2006 08:50:20
Originally by: Locke DieDrake
Originally by: Sharadar
When a bunch of players are professional programmers?
Oh? so you have a few MMO's under your resume then?
No? I didn't think so.
You dont need to have done a MMO to know about programming. So what is your point? Its all just 1's and 0's. So your points is kinda invalid.
Originally by: Krissala
The better macroing/botting tools wrote directly to WoW's memory space to make changes to character location, to monitor what was occuring to your character, et cetera. Blizzard then developed the Warden program to counter it. Warden, for those that don't know, is really just a basic rootkit that watches for other applications to try to change WoW's memory space. If the Warden program is not running, you cannot successfully connect to WoW servers. While this is a very harsh method, and one that was not looked nicely upon, it's currently the MOST effective (and still not 100%) means to prevent tampering with an online gaming experience that's available.
So, in short, there is no perfect solution, regardless of client or server language, obfuscation or any other means of changing the code. This has been a public service announcement.
I think Warden was the only real thing to do, to be honest. Rootkits are bad, when they are used incorrect(Hi Sony!). But i think it this case, its a good thing. I see no problems.
|
HippoKing
Caldari
|
Posted - 2006.07.16 08:52:00 -
[27]
Originally by: Locke DieDrake
Since when do a bunch of players now more about coding than CCP?
Everyone is an expert on the internet
|
Locke DieDrake
Port Royal Independent Kontractors
Imperial Republic Of the North
|
Posted - 2006.07.16 08:52:00 -
[28]
Originally by: Chaddy
Originally by: Locke DieDrake
Originally by: Sharadar
When a bunch of players are professional programmers?
Oh? so you have a few MMO's under your resume then?
No? I didn't think so.
You dont need to have done a MMO to know about programming. So what is your point? Its all just 1's and 0's. So your points is kinda invalid.
My point is that professionals don't disclose code based weaknesses to the general public.
Hackers and children do. Also people that think they are alot more important than they are. (these fall under children)
Let me simplify it for you.
If Code=hackable then
loop
send email
endloop
end if
Make more sense for you?
___________________________________________
The deeper you stick it in your vein, the deeper the thoughts there's no more pain.
___________________________________________ |
Crunch Hardiron
Caldari
|
Posted - 2006.07.16 08:57:00 -
[29]
Originally by: HippoKing
Everyone is an expert on the internet
Especially Senator Stevens.
|
Kaylana Syi
Minmatar
|
Posted - 2006.07.16 09:24:00 -
[30]
The only problem with stackless python is that we don't know if they are using the lastest version ( 2.4.3) on their servers. Hopefully they do and I would hope, from them being some serious geeks like me, they have.
As long as they keep those updates and not break anything... they don't need to do jack.
Team Minmatar |
|
|
|
|
| |
|
| Pages: [1] 2 :: one page |
| First page | Previous page | Next page | Last page |