Ingame package obfuscator.

[The_Cowboy]

The 'security' reasons to obfuscate in this case, ...

It implies your implementation is not good.
But again it is different topic altogether (with different views). I apologise for I have started to hijack the thread

[[]KAOS[]Casey]

And seriously, some ppl seems to treat the obfuscation issue like inquisitors did back in the middle ages: speak and we burn you, everyone stay ignorant!!!!

So I'm an inquisitor now? Instead of actually trying to think up an argument you just hand wave it away?

Huh.. guess UT99 is above my help. I will not be visiting this forum again.

[Feralidragon]

... because one guy in which you disagree with represents the entire UT99 community... nice to know Casey that you think like that...

Either ways, I guess it's pretty much settled by now that obfuscation is pretty much useless and rather harmless considering that even with the existence of the possibility, almost no one does it for the exact reasons Casey stated, to not mention there are actually far better ways to "obfuscate" code and which anyone with a working Ued can do so with some imagination.
Some years ago I kinda had the same stance as Casey there, but after seeing tons of tools being shared and whatnot over the years, I am still yet to see any actual harm done.
Whoever felt the real need to obfuscate code did so regardless of having public tools or not, and the list is short enough to name those developers, and you can still recover the entire thing in seconds, when they probably took days to prepare the code for obfuscation.

Furthermore, if you truly want to hide code and whatnot, and if you have an online server, here's the working recipe:

Spoiler

- build a client package (the package the client needs)
- build a server package that depends on the client package
- do all the server-side only processing from the server package (which only exists in the server itself), while the client one has the other ones it needs and the graphical resources
- ???
- profit

Obfuscation level: 0%
Security level: 99% (the only way to get the code is if someone takes the package from the server and hands it to you or if someone manages to break in your server in some way, in other words, a leak caused by lack of security caused by the admin or the machine itself, but then again, if something like that happens, the server package is the least of your worries at that stage)

So when it comes to security, some security is better than none (completely agree with Higor on that), however I disagree that you should go with whatever little security you're presented with. When it comes to security, you have to consider the layers you're going to add and their effectiveness vs performance. Obfuscation is *always* a bad security maneuver if you're trying to avoid exploits. Can't you actually prevent those exploits from the server? Is there any limitation on those?
We have always to consider that anything that affects the server, can be filtered and avoided by the server itself, after all it's the authoritative end point of the network, the central piece which controls what each machine is supposed to do (unless you're referring to client-only exploits, but then again the extent of what the client knows is a direct projection of what the server sends to it, and if it's giving too much info which can be misused, you have to narrow down that projection instead from the server).
Furthermore, if the variables are declared as private already (hence only being able to be accessed by that class alone), why do you have the need to obfuscate them? Anyone able to still compile something to access them with UScript will certainly be equally able to go around that level of obfuscation as well.

Still sounds like an interesting project to know more about native code and serialization, but as far as end objective goes it sounds like a waste of time imho.

Once again, just my 2 cents

[papercoffee]

Furthermore, if you truly want to hide code and whatnot, and if you have an online server, here's the working recipe:

Spoiler

- build a client package (the package the client needs)
- build a server package that depends on the client package
- do all the server-side only processing from the server package (which only exists in the server itself), while the client one has the other ones it needs and the graphical resources
- ???
- profit

Obfuscation level: 0%
Security level: 99% (the only way to get the code is if someone takes the package from the server and hands it to you or if someone manages to break in your server in some way, in other words, a leak caused by lack of security caused by the admin or the machine itself, but then again, if something like that happens, the server package is the least of your worries at that stage)

This concept is very interesting ...I'm not a coder but I like the idea behind it.

[MrLoathsome]

As usual, Ferali has nailed it on the head with that comment.

I mentioned early in the thread that this might be useful for security type applications, but it was correctly
pointed out that while that would make things more difficult, a determined individual would still be able
to reverse engineer it one way or another.

@Casey. Look at it this way before you toss in the towel and abandon UT99.

Higor is posting a number of advanced coding examples for people, in a working example that actually does something.
People may be able to use what they have learned from looking at these examples to do other interesting things.

I don't think Higor is advocating everybody start obfuscating everything, and as you can see, nobody seems to be charging in
that direction. (Correct me if I am wrong Higor....)


I would like to see Higor finish it all up, release it, but then use the obfuscator on the documentation so nobody
can figure out how to use it.

Don't be quite so serious.....

[JackGriffin]

Hiding code really brings out the aggravation in some people. We as dev's act like a normal playerbase group does when one of them is caught botting. "OMG! Did you see paper's new mod? He *Obfuscated* his code! Can you believe that? Damn, I thought I knew him and he goes and does this!" ....<Cue piling on by other developers>

I'll just keep creating semi-crappy mods and releasing every line of code and hope that someday it's good enough that it's used by someone else.

Hang on a bit Casey, I haven't gotten to where I can ask you to use the kTacticalEquipment beacon thingee you made. I really like that class!

[papercoffee]

"OMG! Did you see paper's new mod? He *Obfuscated* his code! Can you believe that? Damn, I thought I knew him and he goes and does this!"

Maybe I had my reasons ??!!!





Wait what?

[Higor]

- build a server package that depends on the client package
- do all the server-side only processing from the server package (which only exists in the server itself), while the client one has the other ones it needs and the graphical resources
- ???
- profit

One of the public |uK| servers is running an inventory profiler I made of that sort, all the client module does is scan the player's inventory and weapon, and the server... well thes the point of the server only package lel.
Not giving a hint about the reasons of that, it's an actual problem that can potentially harm the game for good.


Back at execCreatePackage, we now use the 8kb buffer we defined earlier and use it to serialized chunks of the file.
We will run the OBFSTART and OBFEND checks there, edit the buffer and serialize the corresponding things onto the dest file.

Code: Select all

//continued
		bool bObfuscating = false;
		for ( int i=0 ; i<Remaining ; i++ )
		{
			if ( bObfuscating )
			{ //OBFEND
				if ( Buffer[i] == 79 && Buffer[i+1] == 66 && Buffer[i+2] == 70 && Buffer[i+3] == 69 && Buffer[i+4] == 78 && Buffer[i+5] == 68 )
				{
					bObfuscating = false;
					appMemzero( &Buffer[i], 6);
					i += 5;
				}
				else
					Buffer[i] = 0;
			}
			else
			{ //OBFSTART
				if ( Buffer[i] == 79 && Buffer[i+1] == 66 && Buffer[i+2] == 70 && Buffer[i+3] == 83 && Buffer[i+4] == 84 && Buffer[i+5] == 65 && Buffer[i+6] == 82 && Buffer[i+7] == 84 )
				{
					bObfuscating = true;
					appMemzero( &Buffer[i], 8);
					i += 7;
				}
			}

			if ( i == 8191 && Size) //Looks like file is bigger than expected
			{
				Dest->Serialize( &Buffer, 8192);
				i=-1;
				Remaining = Size;
				if ( Remaining < 8192 )
				{
					Src->Serialize( &Buffer, Remaining);
					Size = 0;
				}
				else
				{
					Src->Serialize( &Buffer, 8192);
					Size = Remaining - 8192;
				}
			}
		}
		Dest->Serialize( &Buffer, Remaining);
	}

	if ( Src )		Src->Close();
	if ( Dest )		Dest->Close();
	unguard;
}

And that's pretty much the end of the function.

[Wises]

I'm on casey's side here , also Ferali's method for securing mods was my thought also.. as for siege ultimate its been ripped and hacked already.
TBH I'm over this game , and its this shit that fucks it..

Cheers.

[Higor]

TBH I'm over this game , and its this shit that fucks it..

Yet all servers run an obfuscated mapvote, ZP, NewNet... cheats fucked the game, and anth's 'obfuscated' ACE brought it back to life.

as for siege ultimate its been ripped and hacked already.Cheers.

Ppl still think I care if Siege is hacked or whatever?

Get your facts together. Also do 1+1 with the code I posted and the public headers, anyone can build a de-obfuscator out of this with the proper tools

[Wises]

And here i was thinking that it was the inability to read the code for such mods as pure/zp/mapvote that hindered ut's development.. along with shitty netcode.

Damn..

Kinda ironic though that pure/zp were pretty much bypassed several days/weeks after release.. ?

Also don't put too mutch faith in ACE as that was bypassed years ago.. including hwid x3..



I hope though that anth has patched the holes.. and one day may release the next version.. also.. ever wonder why newnet is bssed on version 7e?.. prolly because the author lost the source to version 7g and no0ne was able to decompile it... sorry... DEOBFUSCATE IT!

Also the inability to do whitelisting is another biggy.. and it needs to have antitweak integrated as well.. before it is even 50% better.. on top of this it needs to be split between client/server so that the other guys don't just smash it all over again..

Imo.

Now heres a challenge for some0ne.. fix pure and make it better without obfuscation.. ^_^ because even today just about every server worth playing on uses it for starters.

[MrLoathsome]

I dont run any of that crap.

[Wises]

No zp limits your client base.. which is kinda bummer.. as more would like to play there..
Pure is more for competative play which u have stated that you design your servers not to be competative so no need.
Ace blocks 90% of cheats.. again competative stuff.

In fact tbh ,, most ppl here are into monsterhunt type games not competative game play.

With the exception of a few.

[MrLoathsome]

No zp limits your client base.. which is kinda bummer.. as more would like to play there..
Pure is more for competative play which u have stated that you design your servers not to be competative so no need.
Ace blocks 90% of cheats.. again competative stuff.

In fact tbh ,, most ppl here are into monsterhunt type games not competative game play.

With the exception of a few.

All true.

I may take a look at ZP again. I remember trying it very long ago, after it first came out, and didnt like it at
all for some reason I can not recall.

Back on topic.....

Higor has provided an nice example of something that some developer may or may not want to use, depending
upon many variables.

Just because somebody may disagree with or disapprove of some of those possible uses, is no reason to abandon the discussion, let alone
the entire forum.

[Wises]

fair enough too sorry about that all..

I go back to what I was doing.