Jump to content
Forums

Lineage II - Security Update Applications to test


Recommended Posts

Corsair Utility Engine

Corsair LINK 4

Razer Synapse

razer central

aorus grafic engine

samsung magician

sond blaster x-fi

BattlePing

MSI Afterburner

Intel Extreme Tuning Utility

Killer Control Center

Blizzard App

BS.Player

Twitch

VMware Workstation 12 Player (Block) :) 

 

 

 

 

Edited by Hoffmann
Link to post
Share on other sites
  • Replies 82
  • Created
  • Last Reply

Top Posters In This Topic

Top Posters In This Topic

Popular Posts

zRanger?

1. All flavors of NC launcher/Lineage II launcher (not NCWest related) 2. GameGuard, (N)CGuard, HackShield, VAC, BattlEye, Punkbuster and other trash 3. VirtualBox, VMWare, Docker, HyperV related

all of the above and BattlePing btw with FireFox for me that's mainly youtube music for when am not using winamp ow and best also make sure it doesn't freak out our anti virus/firewalls

Hope you guys are excluding from whilelist the macro software from hardware mouse and keyboards that things are like cheats nowadays. and are not necessary to be open for harwadre to work. so pls leave it out.

 

My software list:

Windwos 10 RS4 build 1803 > yes each ms update break many things :D

Windows 10 RS3 Build 1709


AMD readeon software: Radeon Settings
                                      Wattman
                                      Performance Monitor

                                      ReLive:
                                         ReLiveOverlay

Killer Control Center

NetLimiter
Cfosspeed

CSGo, for some reason gameguard fail when i launch csgo and obvious game crash, so annoy.

 

And software that many ppl mentioned that have nothing to worry about like music players, browsers, are not intrusive so why mentioned ...

Edited by JRabbit
Link to post
Share on other sites

Belkin N52 Gamepad (Nostromo)

We used to use something like a turbo button on some gamepads to spam CP pots back in the day. The same can be accomplished with some macro keyboards but I am not going to go out and buy one to plug into my laptop when I already have my 20 year old, and perfectly good, N52.

Link to post
Share on other sites
On 7/2/2018 at 11:30 PM, Neutron said:

Hello,

With the upcoming Security update around the corner, we'd like to test commonly used programs you might run in the background while playing Lineage II

Here is an example list:

  • Steam / Steam Overlay
  • Origin
  • GOG
  • Uplay
  • Teamspeak
  • Discord
  • Ventrillo
  • OBS – Open Broadcast Software
  • Media Player Classic
  • VLC Media Player
  • Geforce Experience
  • Spotify
  • iTunes
  • Google Chrome / Youtube / Netflix / Amazon Music / Amazon Video
  • Fraps

If you have a moment, please let us know by replying below what kinds of programs you think are necessary to work to not interfere with your Lineage II game experience.

Thank You!

Hello Neutron,

This solution will not work as you have to monitor the process with Admin privileges... if the L2 is not running with admin privileges will not be able to monitor, lets say a debugger under another account. Also you have to apply white list access which is too risky as you do not know all the user oriented programs of your clients.

Also with this solution another PC can intercept the messages and forward them to your servers, so again your solution has been bypassed. 

The only way to drop any other connection is to apply SSL TCP connection from the game client along with SSL certificate pinning into the fat client. 

You may forward the above to your developers/security team in order to think about it.

Regards. 

Link to post
Share on other sites
1 hour ago, GRMajestic said:

Hello Neutron,

This solution will not work as you have to monitor the process with Admin privileges... if the L2 is not running with admin privileges will not be able to monitor, lets say a debugger under another account. Also you have to apply white list access which is too risky as you do not know all the user oriented programs of your clients.

Also with this solution another PC can intercept the messages and forward them to your servers, so again your solution has been bypassed. 

The only way to drop any other connection is to apply SSL TCP connection from the game client along with SSL certificate pinning into the fat client. 

You may forward the above to your developers/security team in order to think about it.

Regards. 

Hello GRMajestic,

1st of all, L2 runs with elevated access for a very long time now. Still, without having an own kernelmode driver, you cannot monitor a lot of things going behind the scenes.

However, let's not go into pointless detail. The client is potentially run on a hostile environment, including a VM that can feed false information to the OS itself, manipulate memory/shared memory directly (e.g. replace Win32 or NT API methods with 100% custom versions) without OS knowledge etc etc. Obviously, a tool that certifies the environment (e.g. that the entire OS kernel is as expected) would be a huge help (though it would stop the game from working after each cumulative update).

Now, the part about SSL is just ridiculous to say the least. If you want MitM, all you have to do is to replace the (client side) certificate with your own and direct the client to connect to your own server, which in turn connects to the real server with the real certificate.

Plus, the certificate based auth (endpoint verification and two-way cipher key exchange) sounds all good when used in managed networks or enterprise environments, but there they are used to make sure only authorized clients can connect (so even if they use an entirely different application to connect, this still doesn't change the fact that they ARE authorized).

In this case, the certificate is distributed to everyone. So effectively they can use it to build their own application and connect to the Lineage II servers without any issues, no Lineage II client necessary. Which is what L2W*, L2D*, L2N* and similar apps were all about.

Edited by Devoid
Link to post
Share on other sites
1 hour ago, Devoid said:

Hello GRMajestic,

1st of all, L2 runs with elevated access for a very long time now. Still, without having an own kernelmode driver, you cannot monitor a lot of things going behind the scenes.

However, let's not go into pointless detail. The client is potentially run on a hostile environment, including a VM that can feed false information to the OS itself, manipulate memory/shared memory directly (e.g. replace Win32 or NT API methods with 100% custom versions) without OS knowledge etc etc. Obviously, a tool that certifies the environment (e.g. that the entire OS kernel is as expected) would be a huge help (though it would stop the game from working after each cumulative update).

Now, the part about SSL is just ridiculous to say the least. If you want MitM, all you have to do is to replace the (client side) certificate with your own and direct the client to connect to your own server, which in turn connects to the real server with the real certificate.

Plus, the certificate based auth (endpoint verification and two-way cipher key exchange) sounds all good when used in managed networks or enterprise environments, but there they are used to make sure only authorized clients can connect (so even if they use an entirely different application to connect, this still doesn't change the fact that they ARE authorized).

In this case, the certificate is distributed to everyone. So effectively they can use it to build their own application and connect to the Lineage II servers without any issues, no Lineage II client necessary. Which is what L2W*, L2D*, L2N* and similar apps were all about.

Hello Devoid,

First of all, you are ironic in your answer. I posted just to say my opinion. 

I didn't see in your posts any solution, if you are so expert and you can deobfuscate the code, take the certificate, then create your own server with a private key which,obviously, you don't have in order to accept and decrypt the messages, please let us know who you did it or better just write a white paper!

The solution that I suggest is based on public key encryption, so before you call a solution "ridiculous" please take a look on the basics of the information security :)

Regards.

Link to post
Share on other sites

any client side solution is not going to provide any lasting benefits.. to combat this stuff you need to set it up server side and can be relatively easily be done with behavioral analytics which NC actually has.. and nothing beats good old fashion live active GM's

of course all of the above would be best so if that's what NCWest is trying to achieve then by all means ;)

  • Like 1
Link to post
Share on other sites
26 minutes ago, Draecke said:

any client side solution is not going to provide any lasting benefits.. to combat this stuff you need to set it up server side and can be relatively easily be done with behavioral analytics which NC actually has.. and nothing beats good old fashion live active GM's

of course all of the above would be best so if that's what NCWest is trying to achieve then by all means ;)

Totally agree with you, but they need an update on L2 client and server, the main code is too old and i dont think if it is able to support the latest security solutions.

Regards

Link to post
Share on other sites

Do ppl use scripts ? - probably no who would loose his toon . Are there bots in the map ? Not as many as they were before because nc updated there clients and big bots doesn’t work anymore . Are there new bots that ppl made ? Probably they are a few as somebody posted in forums erthias running around on zaken freya . What nc tryes to do here with the new update ? I think they try to test a new system that can detect any harm for the game program . Why lineage 2 ? Because probably it’s free 2 play and because not as many ppl play l2 than other games so the QQ if they fail will be in a smaller scale . Are we going to be used as expirements for there new programs ? Yes we are . Can we do something to avoid it ? No we can’t . What happened before when they tryed to introduce new security  systems ? Well servers was lagging a few months we lost instances xp and time and got compacastion a few freya scrolls . What will happen now ? More of the same I beleave . What a real solution would be to the fight against bots ? PUT A LIVE GM THAT CAN ACTUALY SUPPORT  THE GAME and ban those who cheat . 

Edited by HandsVSkills
Link to post
Share on other sites
2 hours ago, GRMajestic said:

I didn't see in your posts any solution, if you are so expert and you can deobfuscate the code, take the certificate, then create your own server with a private key which,obviously, you don't have in order to accept and decrypt the messages, please let us know who you did it or better just write a white paper!

The solution that I suggest is based on public key encryption, so before you call a solution "ridiculous" please take a look on the basics of the information security :)

Regards.

Solution? I already said, certify the environment (as much as that is actually possible). If anything indicates that the operating environment may be hostile, prevent the application from running.

As a matter of fact, some sensitive data handling apps in Android (where the end user does not have elevated access at all) will not run if runtime elevation is detected (a.k.a. 'root' access; usually acquired using exploits or development tools that were released in a too lenient form).

 

I find it ironic about you lecturing me about private/public key cryptography when you clearly don't see what the anticheat (hint: the purpose is in this keyword) system we are talking here is about.

MitM (man-in-the-middle, or the "message interception", if I were to quote your post) is about:

  1. Take the certificate with the public key that would be in the client (it will be in the memory in its original form at some point of time during execution, even if it were not visible directly in the executable)
  2. Create a keypair (same algorithm) using whatever tool (e.g. OpenSSL). Create a self-signed certificate that contains your own public key. This is what the modified client will use.
  3. Set up a simple proxy-ish server that exposes a TCP port that will use SSL with your own keypair.
    When the client connects, immediately connect to the REAL server and do key exchange (thanks to the known public key); then do key exchange with the client (decrypting with YOUR private key), decrypt client's traffic with client's key, encrypt with real server's key and send to server; decrypt server's traffic with server's key and encrypt with the client's key before forwarding to the client
  4. Modify this proxy to do whatever you want
  5. Server will successfully use its private key that you do not know nor need to know.
Link to post
Share on other sites
1 hour ago, Devoid said:

Solution? I already said, certify the environment (as much as that is actually possible). If anything indicates that the operating environment may be hostile, prevent the application from running.

As a matter of fact, some sensitive data handling apps in Android (where the end user does not have elevated access at all) will not run if runtime elevation is detected (a.k.a. 'root' access; usually acquired using exploits or development tools that were released in a too lenient form).

 

I find it ironic about you lecturing me about private/public key cryptography when you clearly don't see what the anticheat (hint: the purpose is in this keyword) system we are talking here is about.

MitM (man-in-the-middle, or the "message interception", if I were to quote your post) is about:

  1. Take the certificate with the public key that would be in the client (it will be in the memory in its original form at some point of time during execution, even if it were not visible directly in the executable)
  2. Create a keypair (same algorithm) using whatever tool (e.g. OpenSSL). Create a self-signed certificate that contains your own public key. This is what the modified client will use.
  3. Set up a simple proxy-ish server that exposes a TCP port that will use SSL with your own keypair.
    When the client connects, immediately connect to the REAL server and do key exchange (thanks to the known public key); then do key exchange with the client (decrypting with YOUR private key), decrypt client's traffic with client's key, encrypt with real server's key and send to server; decrypt server's traffic with server's key and encrypt with the client's key before forwarding to the client
  4. Modify this proxy to do whatever you want
  5. Server will successfully use its private key that you do not know nor need to know.

Devoid,

Everything you just said is right. But you missed a detail which actually is my point.

First of all i didn't say to certify the whole environment but only the client. This will not prevent the application from running even through a host machine as the same is performing as an actual machine.

The whole description above can by re-mediated via SSL Pinning as i said on my first post.

Please check this one: https://www.thesslstore.com/blog/an-introduction-to-pinning/

A malicious user cannot bypass the SSL pinning because the client will communicate only with the server who hold the private key. In order to bypass this mechanism a user should re-compile the dll file holding this mechanism and this one can be remediated through obfuscation.

Looking fordward to your feedback. 

 

Link to post
Share on other sites

Well, first of all it should work with L2.bin B| and NCSoft Laucher.

Rest:

-all OS (Win,Linux,Mac,etc)

-all Web Browser

-all antiviruses

-all programs from PC/Laptop devices(Grafic,Sound Card, etc) including Keyboards/Mouse programs

-other games(ncluding MMORPG from other providers than NCWest)

-"Work or hobbies" program ( Photoshop, AutoCad, SolidWorks, MatLab etc.)

- programs which help with connection(WTFast, BattlePing, Cfosspeed, etc.)

-programs used to communication with other ppl (Teamspeak, Ventrilo, Discord, Skype, etc.

-programs which allow to share us PC(like Teamviever)

- "music and movie" programs(Winamp, Windows Media Players, Allplayer, etc.)

 

 

Link to post
Share on other sites
1 hour ago, GRMajestic said:

Devoid,

Everything you just said is right. But you missed a detail which actually is my point.

First of all i didn't say to certify the whole environment but only the client. This will not prevent the application from running even through a host machine as the same is performing as an actual machine.

The whole description above can by re-mediated via SSL Pinning as i said on my first post.

Please check this one: https://www.thesslstore.com/blog/an-introduction-to-pinning/

A malicious user cannot bypass the SSL pinning because the client will communicate only with the server who hold the private key. In order to bypass this mechanism a user should re-compile the dll file holding this mechanism and this one can be remediated through obfuscation.

Looking fordward to your feedback.

The certificate @ the client is substituted as described above. Obfuscation does nothing, because, as stated above, at some point of the time the certificate will be in its original form in memory - that's when the substitution can be done.

Most of the bots or similar tools that the anticheat should protect against are already using memory manipulation, so doing one more change is nearly zero effort.

 

Moreover, the technique you linked only protects against someone maliciously trying to impersonate a server, which is absolutely not what is going on here. The "cheaters" will want to intercept messages and so will modify the client at will, or even create an own version of the client.

Or were you concerned about real eavesdropping? The only thing that can be extracted that is of any value is the character PIN; user credentials were already encrypted using public/private key encryption* starting from late C3 (NA) and now the launcher uses some form of OAuth (tokens) via HTTPs instead of transmitting credentials to the Lineage II server.

* - yes, without pinning, susceptible to MitM

Edited by Devoid
Link to post
Share on other sites
On 7/6/2018 at 6:27 PM, Devoid said:

The certificate @ the client is substituted as described above. Obfuscation does nothing, because, as stated above, at some point of the time the certificate will be in its original form in memory - that's when the substitution can be done.

Most of the bots or similar tools that the anticheat should protect against are already using memory manipulation, so doing one more change is nearly zero effort.

 

Moreover, the technique you linked only protects against someone maliciously trying to impersonate a server, which is absolutely not what is going on here. The "cheaters" will want to intercept messages and so will modify the client at will, or even create an own version of the client.

Or were you concerned about real eavesdropping? The only thing that can be extracted that is of any value is the character PIN; user credentials were already encrypted using public/private key encryption* starting from late C3 (NA) and now the launcher uses some form of OAuth (tokens) via HTTPs instead of transmitting credentials to the Lineage II server.

* - yes, without pinning, susceptible to MitM

Hi again,

 

I agree, at some point of the time, yes, the key will be on the memory. But if the same is being changed often, the whole process will be very difficult for the cheater. He/she should be all the time on debuggers in order to find in memory the right and then to recompile his cheating program and distribute it on his clients... as you can understand till that time NCSoft can change again the key by pushing new update on the clients.

 

On the other hand, still cannot understand how the blacklist of programs running on the background of L2.exe can help as anti-cheating program. Can you please provide more info if you know better what is going on?

 

Regards.

Link to post
Share on other sites

Maybe new security tools will be able to detect cheats or scripts but that do not solve the problem.

Maybe some pkers will have headache to do things manually and that's all.

But until L2 will continue to pretend that players endlessly grind for small % of line progress to next level problem will be still there.

Or until L2 will continue to have quests type kill ten thousand mobs witch are green or even blue to player - problem will be still there.

Its not farmers to stop as adena drop is almost not existent in this kind of quests. ( good drop if happen then it happen on dragons and there you cant do it on macro afk)

So security tools may be efficient to discover few scripts and cause few disconnections and cdt.

But most brainless quests like kill 10k mobs will be still done in afk macro mode.

And until L2 will continue to have bottleneck on some mobs for dailies problem will be still there.

So those tools do not solve nothing except to reduce your privacy to zero ( you will have to allow it if you want to play).

 

  • Like 1
Link to post
Share on other sites

Please, add Metatrader 4 (terminal.exe) & Metatrader 5 (terminal64.exe) to the list. I have both terminals running 5 days a week, 24 hours a day. These programs are important for me.

+ all kinds of PDF/fb2/epub readers and editors, like "master pdf editor", "PDF-XChange viewer", "Sumatra pdf", "Foxit reader", "Acrobat reader", etc.

+ all kinds of cloud storage

+ "Samsung settings"

And not so important, but still would be nice to have opportunity to run RAD Studio (Delphi, C#, etc). Sometimes I write programs, while my dwarfs in background are sitting on a trade.

Link to post
Share on other sites

Only thing that prevents me to log into game is avast antivirus. I have to disable whole shields to be able to launch l2. 

If I don't disable it, l2 client just gives some error message before launching and gameguard error when l2 window appears. 

Will this be over with new security? 

Link to post
Share on other sites

×
×
  • Create New...