#######################################################################

                             Luigi Auriemma

Application:  Gamespy cd-key validation system
              http://www.gamespy.net
Games:        The amount of games that use this system is really huge,
              a small list (maintained by me) is available here:
                http://aluigi.altervista.org/papers/gshlist.txt
              An official list of games that use the Gamespy stuff (so
              not only the cd-keys) is available here:
                http://www.gamespy.net/partners/
Versions:     the bug will be corrected on the master server, in the
              moment I'm writing the bug still exists
Bug:          players can use the same cd-key online at the same moment
Exploitation: remote
Date:         04 May 2005
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) An example of real life
4) The Code
5) Fix


#######################################################################

===============
1) Introduction
===============


The Gamespy cd-key validation system is a toolkit used by a HUGE number
of multiplayer games and is needed to allow the verification of the
cd-keys used by the players when they want to join an online game
server.

Some of the most famous and played games that use this toolkit are
Halo, Battlefield 1942 and Vietnam, Men of Valor, Painkiller, Star Wars
Battlefront, Star Wars Republic Commando, Tribes: Vengeance and many
others between those listed here:

  http://www.gamespy.net/partners/


#######################################################################

======
2) Bug
======


The problem is very simple: two or more players can use the same valid
cd-key at the same moment on different servers.
Naturally this situation is avoided by default for the right reasons
that anyone knows (playing online with pirated games for first).

That is possible because exists a specific command (\disc\) used by the
game servers to free the cd-key of the users that leave the match
hosted by them.
In fact when a player joins a server his cd-key becomes "in use" and
nobody can use the same cd-key online at the same time.

The \disc\ and \uoff\ commands plus the "no reply" are the mechanism
used to free a cd-key in use and the game server is the only one to be
able (and to have the right) to use it.

The \disc\ command is transmitted in an UDP packet (like any other
command) and contains the following parameters:

  \pid\ = the Gamespy PID, a number that identifies any multiplayer
          game
  \cd\  = the MD5 hash of the user's cd-key
  \ip\  = the IP address of the client

The following section contains some details and a possible scenario for
the usage of this flaw.


#######################################################################

==========================
3) An example of real life
==========================


Two friends have just bought the game Halo in a nice games shop in
their town, finally they can kill the little Covenants on the Halo's
ring.

Each one has paid half of the full price (they are not rich but
fortunately are friends and respect the work of the developers), and go
quickly to their home for playing online with this nice game using the
same valid cd-key.

The first guy (X) joins a server without problems while the second (Y)
receives a "Cd-key in use" error in any server he tries to join.
Unfortunately Y didn't know this mechanism.

But X knows that Halo uses the Gamespy cd-key validation system and
knows also that this mechanism is affected by some implementation flaws
so decide to definitely solve the problem of his friend.

X creates a tool that automatically sends a spoofed \disc\ packet to
the master server using the source IP and port of the server in which
he joins .
He can do it enough easily because he knows the PID of his game (793
for Halo) and naturally knows both his cd-key (or directly the MD5
hash) and his public IP address used by the server to authorize him.

So when X joins a server, he sends a spoofed \disc\ command and his
cd-key is no longer in use.

Now Y can play on Internet in the same moment that X is online without
problems and on any server.
The only limitation is that they cannot play on the same server because
it rejects the players with the same cd-key without the need of
contacting the Gamespy master server.

The problem is that if two friends can do that, the same can be made by
10, 100 or 1000 people and this is not a very good thing.
Someone can say that this is already possible through the usage of
modified servers but almost all the Internet servers are regulars and
accept only the players with valid cd-keys.


#######################################################################

===========
4) The Code
===========


Note: this bug will be fixed on the Gamespy master server so also if is
      still possible to test it in the moment I'm writing this paper,
      in the next days will be no longer possible to test it with
      success.
      In short, if your tests fail it's because the bug has been fixed.

The proof-of-concept is available here:

  http://aluigi.altervista.org/poc/gskeydisc.zip

it is a simple UDP spoofer that works on Linux and requires the
following parameters:
- server    the hostname or the IP of the game server
- port      the port of the server
- pid       the PID of the game
            http://aluigi.altervista.org/papers/gspids.txt
- cd-key    the cd-key in use or its MD5 hash
- client_ip the IP of the client that owns the cd-key


First practical usage
---------------------
Launch a dedicated server of your favourite game and join it with your
client (the game must use the Gamespy cd-key validation toolkit
naturally).

Verify that your cd-key is in use with the following tool or manually
trying to connect another client to a different server:

  http://aluigi.altervista.org/papers/gskeycheck.zip

Now launch the proof-of-concept gskeydisc (it works only on Linux but
can be ported on any other OS that supports raw sockets, like Windows
XP) specifying the public IP and port of your game server, the PID of
the game, your cd-key and the IP used by your server to identify the
client (usually 127.0.0.1, it's the same IP you have inserted to select
your local dedicated server, use GsHsniff to solve any doubt).

Now relaunch gskeycheck: the cd-key should be no longer in use.


Second practical usage
----------------------
Launch my "Cd-key in use" proof-of-concept using an authorization
request previously captured with GsHsniff:

  http://aluigi.altervista.org/papers/gshsniff.zip
  http://aluigi.altervista.org/poc/gskeyinuse.zip

If you know the original cd-key launch gskeycheck to be sure that it is
really in use, otherwise launch another instance of gskeyinuse using a
different local port.

Launch gskeydisc specifying all the needed parameters visualized by
gskeyinuse.

Relaunch gskeycheck or gskeyinuse to verify that the cd-key is no
longer in use.


#######################################################################

======
5) Fix
======


Gamespy has been contacted and is working for a solution.

FYI, naturally Gamespy was aware of this problem from many years since
it was visible during the engineering of the cd-key validation system,
but this is another story...

The fix will be implemented on the master server probably through the
sending of an \ison\ command when \disc\ is received.
Anyway is possible that the fix has been already implemented when you
will read this paper.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org