So thanks to recent developments, executable code can now be run in a map with no 3rd party programs.

This kind of like nuclear fission, nearly unlimited energy generation, and potential for mass destruction. We can do anything we want to our maps, like include fully featured mods, but the potential for abuse such as distributing viruses and opening popups also exists; as such it seems a poor idea to rush into anything irreversible.


Some of our options include:

1. Direct integration with maps - this is quite dangerous as it involves teaching people exactly how to run executable code, this would also have a very high difficulty level for mappers, and add significant startup time and would add ~500kb to every map.

2. Tethered patch map - this would make changes to the game, such as enabling EUDs and loading graphics and other files from the map, all these changes would be undone when StarCraft is restarted - there is still some danger as these maps can be de-compiled, but no abusive hacker gets a nice easy time - we would do everything in our power to make it well protected and difficult to understand, and hopefully it would be protected with additional SEN rules, the theory for creating these maps could be kept tightly under-wraps with a few select mappers.

3. Tethered/Un-tethered combo patch map - this would have the option to just run the tethered version, or install the changes/uninstall the changes, installed changes could be made only relevant to maps with certain tags built into the map (so maps that require the patch to play could run things like multicommand, no latency, etc), or universal, such as code that prevents host hack, astat flood, and drop hack - same risks as the tethered patch map.

4. Bury it, pretty sure only me and yoon figured it out, could just forget we ever found it.

5. (your idea here)



Possible general patch feature list:
    - EUDs Enabled
    - SCMLoader Enabled (load your own graphics, AI files, etc. that are included in the map)
    - Networking Local EUDs (so they can be used for global actions)
    - Anti-ASTAT flood
    - Anti-Host Hack
    - Anti-Drop Hack
    - General Hack Detection
    - (your idea here)

Features for maps that REQUIRE the patch (or features that require everyone in the game to be patched)
    - No Latency
    - Multi-Command
    - (your idea here)


Case Studies:
    - EUDs, could easily have been abused, no incidents that I know of occurred.
    - The overflowed map stats function pointer, this lead to the whole op hacker/Frost incident, taking bnet down for weeks at a time, was abused, though StarCraft notably lived through it.
    - The Halo Series, executable code launching is all over its history, and still works in Halo for PC, has had an extremely positive influence on the game with fantastic mods and has no abuse problems that I know of.
    - (your suggested case study here)


Leave your opinion on what you think we should do, and if we do patches, what should be included (personally, I favor #3).

Post has been edited 11 time(s), last time on Aug 2 2014, 6:33 pm by jjf28.

Arbitrary .exe's can be used for good, sure. And we can talk about those good usages of .exe's. Doesn't matter though in the end, because it only takes one running instance of a malicious .exe for one to get screwed over. This is why the only ultimate solution is to protect yourself using a "hack", or maybe it should be called an "anti-hack", or rather a "security patch" that prevents this overflow in the first place.

In the future, if people still care, we could handle this how people with sense handled arbitrary .exe's in general: open source your maps that execute code, and don't trust maps without open source.

I'll be releasing a tool (and open sourcing it) that applies the above security patch in the near future.

Map that requires some kind of map to be played before it :

Scenario)
A, B, C, D, E play 'tether.scx'
A, B, C, D, E play 'X.scx'. Great.
E left. F joins.

1. A, B, C, D, F play 'tether.scx'?
2. A, B, C, D, F play 'X.scx'? (Which would certainly drop F)
3. F runs 'tether.scx' as he starts Starcraft. 'tether.scx' became another EUD Enabler.exe, which has to be run explicitly. No advance from ChaosLauncher days.

Repeat for every new user. Players change through each game session in b.net. That's how b.net works.
Same for Tethered/Un-tethered. DLL has no advantage over ChaosLauncher, which nobody seems to be using here.



+ Ideally, Blizzard will block DLL as they blocked EUD. So DLL will be allowed only inside private servers,
where lockdown.dll can be deployed fairly easily and safely (controllable)
So I think that per-map DLL isn't really needed. We need a single framework for everything.




I don't think it as easy. It's easy if you know that there is such a thing called 'STR section' having RWX access, but maybe only if also.

Post has been edited 1 time(s), last time on Aug 2 2014, 6:46 pm by trgk.

This is assuming we're playing a public game, with clans and friend groups it's usually friend X who doesn't feel like grabbing CL since they're lazy, don't like 3rd party programs, or think it's too difficult to use, now he can just enter one map (like how many people do lat breaks) then play the modded map with everyone else, and ideally people gradually choose the untethered-patch, when they're tired of applying the tether; if a few private communities get addicted to maps using the patch then games might start going public, and the patch map could be publicly hosted 24/7 so other people can get in on the games.


This helps hardcore techies stay safe, but for 99% of bnet the code would mean nothing, in light of that, open sourcing would just help spread the executable methods to script kiddies.

Post has been edited 5 time(s), last time on Aug 2 2014, 7:00 pm by jjf28.

Option 5: release hell upon Battle.net with tons of malicious maps, forcing Blizzard to either patch the game or allow SC1 to die.

The patch would only fix the vulnerability and then all of our eud maps would be useless. Though that would mean hacks need to be updated as well and since no one is around to update them, this could possibly be a good option

Korea has lot of EUD maps since over 70% of users use a kind of EUD Enabler. (aka wDetector)
EUDA is just a kind of common triggers here.
We don't want EUD to break; We don't want blizzard patch SC again.
EUD has been utilized so much since blizzard stopped patching SC.


cf) wDetector is an auto-updated antihack.

Post has been edited 5 time(s), last time on Aug 3 2014, 2:18 am by trgk.

Could this be used to get around Bnet's dependance on open ports and put an end to laggy games?

The map needs to be downloaded and run first before anything can even happen. If the host's ports are closed then no one will be able to join anyways and lagginess is often caused by ip conflicts or poor internet performance.

To the OP and yoonkwun:
I'd like to write an antihack for some maps and get them published right away. Please PM me

+ Private servers can use lockdown.dll (aka Warden) to devise their own patches.
Fish server used these techniques to enable(even w/o enabler)/disable(even with enabler) EUD.

this dll file seems to be loaded by battle_snp.dll

lockdown.dll isn't actually Warden, it's called CheckRevision. Also, it isn't easy to create your own dll files to send from your pvpgn server, we need RSA keys to sign some files.
Due to the language barrier, I haven't been able to contact Fish administrators to ask for the RSA keys.

If maps executing code became popular, script kiddies will find out anyway. Even if we employed some cryptographic methods on the maps, the nature of it limits how much we can "protect" the method.


This can be used to rewrite any and all aspects of StarCraft. Though, none of us here except probably Heinermann could do that effectively.


PM me source code for a dll/exe/bat then I can adjust the map to execute it easily.

Again, all of this conversation is pointless because it only takes one instance of a malicious exe for the entire merit of this exploit to be gone. The only way is to protect yourself of this exploit, and perhaps the protection thing could include a list of "trusted" maps that it temporarily turns off for.

Unless of course you want to continue running unknown exe's, but I don't think people really understand the gravity of it. Oh, and if a malicious exe (that tries to hide itself) does get run on your computer you would have little to no way of knowing.

Thought i'd take a moment and discuss what kind of protection I had in mind if we were to go the road of patch-maps. First the basics, stuff that keeps the map from opening in map editors, makes it harder to get Scenario.chk out, but those aren't the protection really, just a door with a $10 padlock, the tricks are in the 50mi branching tunnel system which makes finding the guarded secret take nearly the same amount of time required to recreate it.

Salting - adding additional unnecessary units, triggers, sprites, etc, a lot of changes to "promising areas" that yield nothing, stuff that undoes itself with other overflows
Spreading - no more than two-four opcodes are found together, spread out in all sorts of places to be imported by code or overflowed in, many of the spread opcodes are just salt
Bubbling - a small amount of opcodes bring in another couple, and erase the previous, jumps to a new area, and so on (from spread out locations), many opcodes could be determined by stuff like reversing hash values.

I think with this we have a chance of keeping out all but those that would be determined enough to recreate the theory from scratch, and really that's all we can hope for.


Your strong desire to use it immediately and without hesitation is why i'm waiting, apologies but we are handling nuclear devices here


Agree'd, I don't think anyone hates themselves enough to destroy battlenet, but they may create botnets, try to steal personal info, or simply force you to re-install your operating system, high risks accompany the rewards here.


There's some truth to this, regardless of what course we take determined individuals may eventually find the way on their own, if that's the case, then perhaps it's up to us to try and protect who we can using patch-maps; or by contacting blizzard (for which I would urge also providing maximum details on how to fix ASTAT flood, hosthack, and drophack) before a malicious individual gets a hold of it.

Post has been edited 4 time(s), last time on Aug 3 2014, 3:36 pm by jjf28.

Does anyone from blizzard ever come around on SEN? If so, or maybe just to decrease the likelihood of other people discovering what you have, should you maybe like.. not discuss this so openly? Like maybe (if sen can do this) make it so that only those invited can see what you're talking about here? I'd hate for blizzard to patch this stuff away (if they could.. I don't know) before anyone gets the chance to use it.

This is too non-insighted; you're assuming you know all the RE techniques out there, and this does relatively nothing to what I personally would do if I was to try and RE a map containing this exploit.


Destroying battle.net is nothing compared to installing spyware on people's computers.

Not assuming that, i'm always open to suggestions/criticisms, moreover this is musings, not a final list of things i'll be doing

Maybe modify the triggers to run a very small exe which will contact a master server to download and run approved files. It's vital that the exe already in the map is small because of how slow uploading maps are in SC so it will download via http to take advantage of all the networking speed available.

1. Who approves exe? jff? yoonkwon? or you?
2. One has to run unapproved exe first. (One in the map)
3. Even the most complex dll to be injected into the map is small. (<100kb)



+
Actually I don't need to reverse your map to create my own DLL injector map. There are so much information already available in SEN already.
Others who can reverse dll map will also think the same. There are so much information around SEN that no reversing is needed at all.

I suggest hiding this article temporarily before DLL maps are fully discussed : http://www.staredit.net/topic/16427/
To much boilerplate is already available here, such as DeathTableAddon.scx
It would be hard to develop DLL map independently without this. It is fairly easy to create one based on these maps.

Post has been edited 3 time(s), last time on Aug 4 2014, 1:30 pm by trgk.

Anyone and everyone could if these were online rather than obfuscated in a map.


True, you would have to question whether i'm evil >=D (or whoever else would take up such a task), though anyone else in the loop could also have a look and approve it.


I'm more fond of this idea than teaching others how to run exe code, but it still runs the risk of others secretly opening more security vulnerabilities so they can run their own arbitrary code.

Post has been edited 1 time(s), last time on Aug 4 2014, 1:58 pm by jjf28.

Whoever that can upload files to the server that the exe in the map file points to