Announcing GWLP

No, what I mean is, if it prevents you from playing content you haven't paid for, what can you play, since the official content won't be available and I doubt the online store is going to start stocking codes for home-grown content...

Does it mean it's just a matter of the maps, keeping you from going to GWEN maps if you don't own the expansion, for instance? See what I'm saying?

It would just be the same as offical GW.
If you don't have an authorized Factions key, then you cannot use Factions skills/content.

At least that's how I'd envisage it.

Maybe make a way that you have to login with your excisting login name, that Anet controls?
So you can handle fraude with players, but i hope that "Names" and "Passwords" wont be visible while playing?
So if there is a file called users.txt
Because alot of players use the same passwords for everything, and if a friend is hosting a private servers to "Cheat alot" he can people login and then steal the accounts >.>

Reading data from other users data/connection or intercept data between User and GW should not that be Illegal action?

Note for ANet, by the so called "implement an authorization system" from GWLP Project, it shows that there will be a need to improve data encryption between GW Server and Client. Meaning that *collecting* other users data from third party is possible hence it should be fully encrypted informations and not visible for third party to intercept.

its not illegal cause Anet said it isnt, k

Random comments/opinions:

1. The entire Guild Wars client (chapters + expansion) is publicly available and downloadable from the official website. What you're buying is the box, the manual, and the cd-key that allows you to play on their server. In short, you buy a lifetime license that allows you to make use of a service, rather than a software license.
2. To develop a server emulator, you must do one or both of the following: reverse engineering (debug/trace/dump), packet sniffing. This area is kinda shady, I don't know the legislation in the US but I think the former is not legal; not sure about the latter.
3. As ANet stated several times, Guild Wars runs most of its stuff server side and the client is no more than a dumb piece of software that shows the player what the server tells him to. I highly doubt the GWLP will ever replicate a full GW campaign, as that would be a humongous work these guys won't do. They'll have their hands more than full with trying to make skills work.

I certainly wrote something wrong somewhere, but as I stated these are mere assumptions.

You do not understand our authorization system. It does not record your username and password at any time, all it does is wait for you to log into a real account and identify the packets that say "Ok! Ajaala owns chapter 2!" and so on, it then sends that information "Ajaala owns chapter 2" to the GWLP server, which lets you use chapter 2 content. At no point does it use your username, password, or any other personal information. The only info it looks at is what you own. There is no security risk and Anet does not need to modify their login system.

That is not our aim, more information in the original post and subsequent posts.


We do not need Anet's help to verify users own certain content, nor will anyone's account or security be risked whilst doing so.

Very much possible, I've been flying around presearing as Kuuanavang for a while now

Once the skill scripting system is finished it should be relatively easy, now remember I said relatively - it won't be point and click, there will be real scripting involved. But it's something anyone who puts the time in could learn.


Whilst the majority of GWLP content, in terms of quests etc will be unique. I'm sure there will be some crossover from the live servers in terms of skills. Skills are actually not part of the Guild Wars client, they're server side - meaning you have to pay to access them. We do not want to allow you to access those skills for free, so authorization will be required to do so.

Because, in a sence you are still playing "guildwars". because the content that GWLP uses is provided to anyone by ANet for free (you can download the entire game without owning an account, all the account does is grant you access to the game). GWLP would allow anyone to play it, including people who never bought guildwars, so they have the authentication process running in the background to make sure you are able to log onto guild wars, and thus have already paid arenanet. If they didnt do this, then GWLP would be undermining guildwars, and anet would shut it down pretty quickly, im sure.

Ajaala, if this post is wrong, tell me and its gone

I can read, was just further remarking the point for those that are still going on about it.

I don't explicitly saying you will saved the informations (but you might, because it is closed sources and there are no full support from ANet), but what I said, intercept data between user and GW by a third party without full authorization from both party is not legal. (even if it's use for a good purpose, without both authorization it still not legal)

My point: GWLP Authorization System should be evaluated by ANet developer or have full support from them~

Note: This project playing with someone else account/investment in this case Guild Wars account (directly). By any means if something happen, GWLP will not able to prevent damage that might happen not or asking support from GW (because there is no full support from ANet/NCSoft for third party)

Hello again, as promised I'm here to keep you updated with goings on in the GWLP camp, as well as post some fun media for you all. As many of you know, last week Gaile from Arenanet posted in one of my threads to let us know that as long as GWLP didn't allow players who do not own Guild Wars to use a GWLP server, Anet sees no immediate reason why the project can not continue.

Which is why this week I'm introducing to you the

Auth System

The auth system works as follows: (warning, technical explanation!)

What this essentially means is, the GWLP utility finds out what content you're entitled to use on the Guild Wars servers, and restricts access to anything but that content on the GWLP servers. At no point does the GWLP program read, record, or use your username and password, or any other information that could damage the security of your Guild Wars account. Whilst we're aware the community is very vigilant regarding key loggers and account stealing programs, this is a long way from release anyway, and in the future we'll try to get people YOU trust to verify that these programs are harmless before we release them for use.

The following is an image I took upon joining the GWLP server and forgetting to run the auth program:





Miscellaneous Updates

Despite the auth system being the main focus of today's update, there has been some progress in other areas.

The ability to access maps no longer available on live has been worked on, allowing us to explore test maps and previously unseen terrain.





The new Ascalon recruits gather to honor the first rank 12 GWLP player!




This one exceeds explanation





As always, any concerns, doubts, queries or questions, PM me or ask in the thread and I'll respond as soon as possible.
I hope you enjoy the continued progress.

Ajaala

Visit Us!
http://gwlp.mgcorp.org

Yeah, i'm curious to what this is actually. Looks very interesting.

I dont really like that authorization expiring thou ... my hopes for gwlp are to play it even after oficial servers went dead

What's to stop me ("me" being the Troublesome User, not me personally) from spoofing these packets in the first place? Can't I just direct the client to another phony server (or just a loopback to my own machine) that will send the "right" packets in pretty much the same way that you direct the client to the GWLP server?

I'm not following you on this second hash. What exactly is the input that you're hashing? GW.exe? GW.dat? Some more game data? What?

Depending on what it is, I'm worried that I could spoof it too, using input trivial enough to allow me to reverse the second hash, which would, in turn, allow me to reverse the first hash via brute force. (It's only 2 bytes after all.)

If this is meant to be a security measure against me, then you really shouldn't be giving me the encryption key, even if it's obscured by being in a post-compile binary. Encryption is fundamentally a security measure against third parties. Trying to use encryption to keep one of the parties privy to the message in the dark inherently relies on the dubious assumption that that party lacks the ability to crack open the black box that you've given them.

Apropos of encryption, what kind of encryption are you using? I might suggest using an asymmetric key here. That way, once I determine the encryption key, although I can encrypt spoofed auth data, at least I will remain unable to decrypt and read legit auth data. (Not that there's a whole slew of different messages the auth data can contain.)

Timestamp? Where'd that come from? Both in the sense that "you now mention verifying it, but you never mentioned creating it," and in the sense of
"what data source are you using to tell the time?" Unless the official GW server is kind enough to tell you the time, I can just spoof it on you.

More importantly, what's going to stop me from duplicating my auth data for all my friends? Unless I missed something, none of the information that you describe the GWLP server as collecting uniquely identifies either my PC or my GW account. (Moreover, if it did uniquely identify my GW account, I'd have a real big problem with it.) I am getting the impression that two users with identical GW installations and identical GW access rights who authenticated at the same time would generate identical auth data. That's not hard to fake. (I might add (parenthetically) that the history of uniquely-identified-PC security is one of near-utter failure, so going in that direction is probably not a solution.)

As I said before (and was apparently ignored), I don't believe there exists a way to accurately authenticate users so long as you do not look at the sort of GW-account-specific data that is properly forbidden for you and users have no incentive to refrain from helping their friends log in as pirates. (I might add that GW's official auth system only works (in principle, if not in current implementation,) because there's a huge incentive not to give your auth data (aka login+passord) to your friends.)

(All of that said, considering the HUGE hole in GW's authentication that you guys (supposedly) just found, I think a-net complaining about your authentication being inadequate would be "the pot calling the kettle black.")

Scroll up.

Your phony server would have to have access to the GWLP server's database to affect authorization in any way. Also, if you tricked the client into being authorized client-side, you still would be rejected by the server when trying to play.

The computer information used for reconnecting is used.

No, the first hash is not of only two bytes.


The same encryption instruction Guild Wars uses.

When the server receives the authorization data the time stamp is created. You can spoof it regardless, a time server can be emulated.

Neither party (authorization client and server) can be trusted. So there isn't a secure solution to this problem. The authorization client and server can both be cracked. All that can be done is hinder the amount of time cracking the software takes.

Pablo24 found the exploit just over the course of a day. The only relation the exploit has to the GWLP is that he is a staff member. Whether you believe me or not doesn't change the validity of my statements.

Looks good.
Given that I could examine the authentication program, I would be willing to test it.
Thanks for updating anyway.

Let's try this again. I run your little utility and launch GW. The utility sniffs incoming packets from the official GW server, right? And it's looking for a couple of bytes that denote my ownership rights, right? Then it gift wraps them and ships them off to the GWLP server, right? Now, let's go back a step. How does your utility know that those packets it's sniffing are really coming from the official GW server?

I'm imagining something like this: I create Server A. Sever A speaks the encryption the the GW client is expecting, shakes hands, accepts any user/password combo, shoots back "you are authorized to play all 4 games," maybe mimics the real login server a bit longer, then discos. Now, I redirect my GW client to Server A in place of the official GW server. So, now, when I run your auth util, then run the GW client, the util sniffs "you are authorized to play all 4 games," gift wraps that, and ships it off to your server, allowing me to play all 4 games for the next 10 hours.

I do not see anything in Ajaala's description to prevent this sort of chicanery.

That's not terribly forthcoming, but at least it's more than Ajaala explained. I think I've stated my reservations about the effectiveness of using a hardware profile to identify a user before, so let's skip that for now. How do you deal with the legitimate user with variable hardware? If I authenticated desktop, logging in from my laptop (or my desktop after some hardware upgrades) is going to fail, isn't it? Unless, you let me re-authenticate from the laptop. But that would defeat the whole purpose of using a hardware profile to uniquely identify me; if all one has to do is precede gameplay with an auth session, there could be any number of "me's" doing so.

Ajaala said "It hashes these two bytes." I took him/her (?) at her word there. Apparently, "plugged into a special pattern" is vague-speak for "we take the two bytes, pad it with garbage, then hash." I'll admit that makes me feel a little better about your method here.

I'm sorry. I incorrectly assumed this was an effort to keep the end user from learning how to spoof their own auth data. I completely forgot that you also have to protect against third party attacks. In that case, go-go hardcoded encryption. Query: Is there a reason that you must use GW's encryption scheme for a communication between the auth util and your server? I'd assume you could use any scheme you wanted between your own program and your own server, so you could use something stronger.

OK, so the timestamping is purely serverside to keep track of the 10-hour limit?

Good point.

If you can see this, why don't you see the possibility of an emulated "real" GW server spoofing the input your auth util is sniffing?

That is entirely my point. I'm glad you see it that way too. The important question that follows is then: Is this level of insecure-but-annoying enough to satisfy a-net so that they won't shut the project down once it reaches a playable level of functionality and people start trying to play beyond their access rights? This goes back to my original comment on the topic (in the other thread): While I'm excited about the GWLP project, I'm not going to dedicate time to it if it's ultimately doomed; get an official statement that a-net is satisfied with your authentication system and then I'll be willing to help. If GW were my game, I would not be satisfied with your auth system, and I would cite the impossibility of a secure solution as my reason for shutting you down. Fortunately for you, it's not. Perhaps a-net is less demanding than I. Go press for that official statement and see.

I was not suggesting in any way that GWLP has anything to do with this exploit. I accept that it's a mere coincidence. My point was that a-net's own auth system is apparently so poor that it would be hypocritical of them to ask much more from yours. It was a compliment about the comparative quality of your auth system; you should have taken it, said thanks, and run with it

While a great idea, I"m betting anet is going to put the wraps on this now~

Chthon: It's likely that the GWLP development team is deliberately not being forthcoming with information in order to limit the ability of people to spoof the auth. packets.

Just a question - is there anything in the packets from the ANet servers that identifies them as unique?

There is nothing that I know of that would stop this from being a problem.

The system prevents authorizing different accounts using one computer. However, if those computers are imitating the real computer those accounts will be authorized. The consequences of sharing your real account still apply although it is certain people will share with their friends. But the reason for sharing would be to play together which can be prevented only if the accounts were authorized on the same computer. In addition, banned and suspended accounts cannot be used to authorize.

In short, it can't be prevented while allowing free roam for the user. Even then, not in absolution.

Simplicity. Perhaps if trouble occurs I can always use something better.

Yes, it is.

I've been able to see that problem from the start.

An official statement stating that the project is permissible is beyond hope. The most that can be hoped for is ArenaNet stating they will refrain from legal action unless blah, blah, and blah.


If you mean as in for sure from ArenaNet...no, there isn't. The only thing that uniquely identifies the packets as being from ArenaNet are the opcodes. Which can be emulated.

Keep this civil. Any insults to an individual or the community as a whole will be deleted. Sarcasm is included in that. You don't want this thread closed, now I took the time to delete out all the insults and keep the q&a and information flowing but next time I will just delete the entire post.

Hmm, this looks interesting. So basically this is a World Editor for Guild Wars? I've been thinking about that for some time, it would be great to have an editor in which you could create your own maps/instances, create new skills, just to test fun stuff or whatever but not influencing your own GW account. And now it appears there is such a project in development! Great stuff!

As for the security, I doubt it will really be a problem in the end. Seeing what they've done already, I'm sure that together with Anet's support (if necessary) they will find a foolproof solution eventually.

Is there a date when GWLP will be public? It's kinda hard to log in right now..

I've been wanting some kind of app/hack that would let me test different PvE builds easily without actually costing me any money, and just to generally piss about with PvE things in Guild Wars.

Will this allow me to do that, or will the skills, items, everything be different?

I stumbled upon this after reading the Oct 20th Crash dealie.

I can't wait for this to actually go live. I've always wanted to see those Aaxtes drop ectos for once.... Most times they're too cheap.

Still in closed alpha.
Quite some time.

[ I made this post before, but I feel inclined to make it again for emphasis since the question was never answered]:


So.... could you... perchance...

... Make some sort of program along these lines with bluescreen / variable backgrounds to allow us to "test" out different armour / weapon skins on characters and see how they look or for specialist screenshot art purposes?

One thing Guild Wars SERIOUSLY needs is some sort of try-before-you-buy system for armour and the like to see how it looks. The amount of cash I've wasted in the past buying armour I thought would look cool only to find that it looked awful is.... well.... disheartening.

I am hoping that this sandbox concept will be used in the furture by Anet themselves IF they opt to abbandon GW 1 in favor of GW2 exclusivity. Which I am starting to expect...

That way we can host GW servers for our characters to play in with friends much as the WoW beta Free realm servers once did prior to the Anet folks leaving Blizzard, and blizzard having the change of heart on the concept prior to going live. This scenarios would be only a LAST case situation if the GW servers ever went off line forever... I don't expect that any time soon. but if GW1 popularity falls to 0, I would hardly expect them to maintain servers for the old game would you? But in the same since I would not want to loose the ability to play a game I have legitimately purchased either.

My anticipation WAS that Anet would develop GW2 and maintain GW1 with expansions for both biannually. But this is not looking like a popular concept that they like. Which means eventually GW1 will die. and this seems to be an eventual future for GW1 content, while Anet moves on to bigger and better things. My only hope is that Anet themselves make this choice for GW1 at its retirement and not force the community to do it illegally...

The prime use for this I can see right now is for Movie making... I know some people have used secondlife to make GW movies using GW models in that game illegally. This takes it to the next level using the GW engine properly...



BTW I am assuming this is using the GW.exe -server ###.###.###.### command client side? Like we do for access to the alpha server?

That's EXACTLY why I want to play GWLP. For example, I don't know with Black Ancient Armor looks better than White Norn Armor, but I don't want to waste cash... Or if I can make a Mesmer build that will work nicely in UW.

the main thing i'm worried about is whether us as players of GWLP is that whether we'll be able to play things that other players have made (i.e. downloading and installing or whatever we might need to do)

How's that worry you?

The worst thing that can happen is players create mods for others to use..

Exactly, thats how people get keyloggers into their none protected systems.
Take World of Warcraft as an example.
Modding was allowed from day 1, so all kind of mods showed up that made the game much easyer.
New content had to be added, the developers had to adjust those to the mods, else it would get to easy.
So now its an endless circle where new content has to be thougher then the mods.
The real bad sides about this, players are forced to install such mods (the mods got checks to see if everyone in a party has the mod, if not it shows the name of those who don't).
Ok then all got to update their mods all the time, which is even more often then using Windows Update.
Some choose to take a package with all they need, since it can be sort of a mess setting everything up for each patch.
And boom the keylogger was in a mod.

This leads my mind back to: Everything that can go wrong will go wrong.

I'm worried that I won't be able to play the new levels/mini-games or whatever that are made by other people, because I know that I won't have any idea how to make anything unless it's oversimplified.

@Shadowfrost: Mods would most likely be easy to use/install. If you can't figure it out, I'll do it for you sometime.

@Mineria: I foresee one of two possibilities.
Either mods will be required to play on a server or they will be optional.

If they are optional, then problem solved - players do not need to download them immediately, they can wait for feedback from others ingame to help them make a decision.

If they are required to play on a server then players who do choose to play on that server should only download them from a link given by the server admin (as is currently the case with GWLP).
People who don't want to download the software could easily find another server to play on (this is assuming the server pack is released to the public)

I think that answers what you were saying.

The content would be hosted server-side and if needed the client will download custom content from the server. As for server-side content that will require the server operator to place the files in the appropriate directory.

We are intent on making things as simple as practical.

The server software will be released to the public when it is ready.

Just for fun heres an AI script: (Only executed if an admin types /guide on the server.)

Hey, I'd be happy to help test this out. Just send me a pm or something sometime and tell me what i need to do

Looks good I want to make the Lich control an army of black moad to kill abbadon >

I am absolutely giddy with anticipation about this project!! I have a question, once this reaches a "workable" state, would there be a chance that the code, minus authentication and whatnot be released for public alteration? Sort of like with RunUO (the most popular of the Ultima Online emulators), where you can create custom monsters if you wanted to, or even custom armor or classes.

I love playing around with RunUO, and something like this... For Guild Wars?! ZOMFG!! If this comes thru, I will personally hug the dev team and give them all cookies!

Now that's cleared up, I'm really, really looking forward to trying this out!

That makes me think... How many level 1 Warthogs does it take to kill Abaddon/Lich King/Shiro?

Well, considering you would need a team of 8 regular players at level 20... Id guess somewhere on the order of 160 or so... Of course, theres always the random incident... So maybe 160-200 or so... So basically, an assload.