Shot in the dark here, but could we use something like what Advanced Duplicator does? By this I mean the downloading and uploading of text files, we could store an ID in there. Don't rate me dumb, I am not sure of the restrictions of this.
[QUOTE=Shane;20655749]Shot in the dark here, but could we use something like what Advanced Duplicator does? By this I mean the downloading and uploading of text files, we could store an ID in there. Don't rate me dumb, I am not sure of the restrictions of this.[/QUOTE]
I don't really see this working well.. If we rely on storing something on the client for ban detection then nothing is stopping them from removing it and rejoining.
[QUOTE=aVoN;20627563]It's not that simple. Clients get a hash allocated which is valid for 24 hours and the whole steamid allocation works by checking the hash against one in the database of the steamservers.
I heard Serenity works in such a way that there are fake servers. As soon as someone joins them, the hash is stolen and put into a database. Then when someone logs into Serenity, they get allocated a random hash from the database so they can spoof the steamid by sending this hash instead of their own.
Note: I just got this information from several rumours. So it might not be entirely correct. Further investigation has to be done. But if this is true, all Valve could do about it is checking the account with the hash clientside - But even that is exploitable.[/QUOTE]
based on my knowledge of the vulnerability, it's nothing like this.
[editline]08:17PM[/editline]
all of this "fake server" and "auth packet" shit is wrong. do your research first.
[QUOTE=majorlazer;20656068]based on my knowledge of the vulnerability, it's nothing like this.[/QUOTE]
Well I believe the Eiffel Tower is completely made of cheesecake.
[sp]The point is, you don't say someone is wrong unless you prove them wrong[/sp]
[editline]07:19PM[/editline]
[QUOTE=majorlazer;20656068]based on my knowledge of the vulnerability, it's nothing like this.
[editline]08:17PM[/editline]
all of this "fake server" and "auth packet" shit is wrong. do your research first.[/QUOTE]
[img]http://nctritech.files.wordpress.com/2008/11/tcpip_punch1.jpg[/img]
[highlight](User was banned for this post ("Image macro/abusing spoiler tags" - SteveUK))[/highlight]
[QUOTE=Gbps;20656190]Well I believe the Eiffel Tower is completely made of cheesecake.
[sp]The point is, you don't say someone is wrong unless you prove them wrong[/sp][/QUOTE]
i don't want to prove it because i'll have to reveal the whole vulnerability (which is nothing like what people have been describing the past few days), resulting in people making hacks for dumb children to use.
[QUOTE=majorlazer;20656239]i don't want to prove it because i'll have to reveal the whole vulnerability (which is nothing like what people have been describing the past few days), resulting in people making hacks for dumb children to use.[/QUOTE]
Well, if you actually know it and are not a troll, then you aren't making anything better. You're simply denying the people trying to protect their own servers by keeping such a thing a secret. But I suspect there is a 99% chance you're a troll.
[QUOTE=majorlazer;20656068]based on my knowledge of the vulnerability, it's nothing like this.
[editline]08:17PM[/editline]
all of this "fake server" and "auth packet" shit is wrong. do your research first.[/QUOTE]
I told you, the information was not assured to be correct. It was rumors I heard.
I've been told, prior versions of steam-id spoofing worked by connecting to a fake server which handled the necessary authentication with the steam network. The IP in the auth-package was set to the actual IP of the server you were going to connect to.
So the auth-package got validated through the fake-server which allowed you to connect to the real server now with a different steamid.
Still these aren't assured facts. It's just what I have been told and I've interpreted.
If you know more about the intel, tell us more.
And anyway: If you don't modify the auth-package, you can't spoof the steamid. You have to modify the authentication to a server in order to spoof the id.
[QUOTE=Gbps;20656263]Well, if you actually know it and are not a troll, then you aren't making anything better. You're simply denying the people trying to protect their own servers by keeping such a thing a secret. But I suspect there is a 99% chance you're a troll.[/QUOTE]
i'm working on a module that can protect servers from this vulnerability.
[editline]08:28PM[/editline]
[QUOTE=aVoN;20656293]I told you, the information was not assured to be correct. It was rumors I heard.
I've been told, prior versions of steam-id spoofing worked by connecting to a fake server which handled the necessary authentication with the steam network. The IP in the auth-package was set to the actual IP of the server you were going to connect to.
So the auth-package got validated through the fake-server which allowed you to connect to the real server now with a different steamid.
Still these aren't assured facts. It's just what I have been told and I've interpreted.
If you know more about the intel, tell us more.
And anyway: If you don't modify the auth-package, you can't spoof the steamid. You have to modify the authentication to a server in order to spoof the id.[/QUOTE]
it has nothing to do with an "auth-package". it's a complex exploit in the server code.
[QUOTE=majorlazer;20656316]i'm working on a module that can protect servers from this vulnerability.[/QUOTE]
Then post your idea about it. I'd see how you are going to prevent it.
All posts in this thread so far were about
[list]
[*]"No, I'm not the author of serenity or similar tools" - VoiDeD
[*]"Oh gawd, someone has to do something against it" - common folks
[*]"It's all useless what you try against it" - SteamID spoofers
[/list]
[QUOTE=majorlazer;20656316]i'm working on a module that can protect servers from this vulnerability.[/QUOTE]
Sounds good to me, we should probably leave you to it while we continue to argue pointlessly.
[QUOTE=majorlazer;20656316]it has nothing to do with an "auth-package". it's a complex exploit in the server code.[/QUOTE]
When you connect to a server, you send an authentication package. It includes your steamid in an encrypted or at least "obfuscated" way, so the server knows what player he is dealing with.
This is where the steamid spoof is intercepting, modifying the package so the server thinks "you are someone else".
Still I'm not denying it's complex. Anyway, you make the server believe, you are someone else - By 99.9% chance modifying the authentication-package (I've got my sources too from people, who were "guinea pigs" for the first "steamid"-spoofing method by Chrisaster).
[QUOTE=aVoN;20656359]Then post your idea about it. I'd see how you are going to prevent it.
All posts in this thread so far were about
[list]
[*]"No, I'm not the author of serenity or similar tools" - VoiDeD
[*]"Oh gawd, someone has to do something against it" - common folks
[*]"It's all useless what you try against it" - SteamID spoofers
[/list][/QUOTE]
it's simply a small patch that prevents some really weird overflow stuff with how steamids are stored. expect it soon.
[QUOTE=majorlazer;20656421]it's simply a small patch that prevents some really weird overflow stuff with how steamids are stored. expect it soon.[/QUOTE]
Then tell more about it than just posting "nah it's just different". Anyway, it's about "fucking with steamid-authentication". If it's an overflow-exploit in the code or just simply a way of modifying the auth-package by reverse engineering the package-data and setting it to anything you want: It is still about fucking around with the authentication which was my point.
[QUOTE=aVoN;20656483]Then tell more about it than just posting "nah it's just different". Anyway, it's about "fucking with steamid-authentication". If it's an overflow-exploit in the code or just simply a way of modifying the auth-package by reverse engineering the package-data and setting it to anything you want: It is still about fucking around with the authentication which was my point.[/QUOTE]
hush.
[QUOTE=majorlazer;20656421]it's simply a small patch that prevents some really weird overflow stuff with how steamids are stored. expect it soon.[/QUOTE]
Of course, if only steam ids weren't stored as 64-bit ints, that will never fit in a 32-bit register!
You know, I heard that there's a server blacklist in serenity so all your attempts to prevent it can probably be replaced just by getting added to the list.
[QUOTE=CombineGuru;20673112]You know, I heard that there's a server blacklist in serenity so all your attempts to prevent it can probably be replaced just by getting added to the list.[/QUOTE]
So......we pay them to add us to their blacklist and pray they don't take our money and give us the finger?
Trust the hackers not to hack us........that's a good one.
I think there's a difference between the serenity team and the people who use it. Business is business I suppose?
[QUOTE=CombineGuru;20673483]I think there's a difference between the serenity team and the people who use it. Business is business I suppose?[/QUOTE]
ok so what happens when you pay to have your server blacklisted but some player comes along and pays MORE to have it unblacklisted? Somehow I doubt these "businessmen" will so willingly refund your money.
Blacklisted servers have paid the owners money to get taken off the possible server list.
[QUOTE=Gbps;20676309]Blacklisted servers have paid the owners money to get taken off the possible server list.[/QUOTE]
Honestly I'm sick of having hackers visit my servers; I usually ban them. They never come back. If you know which way I ban them then you know it's a lot more "secure" than the usual way.
[QUOTE=LombaxPE;20673995]ok so what happens when you pay to have your server blacklisted but some player comes along and pays MORE to have it unblacklisted? Somehow I doubt these "businessmen" will so willingly refund your money.[/QUOTE]
It's true, I know people who bought baconbot off avaster then some kid came along and paid him $50 to remove him from it. Luckily I was nice enough to supply them with a cracked copy of baconbot
[QUOTE=blackops7799;20289872]Not a bad idea. Check if their name on their profile page, if it even exists, matches their in-game name?
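In case anyone wants to try.
[lua]-- Convert "STEAM_X:Y:Z" to the 17-digit community (profile) ID, returned as a string.
local function ConvertToCommunityID( steamid )
    local x, y, z = string.match( steamid, "STEAM_(%d+):(%d+):(%d+)" )
    if ( x and y and z ) then
        -- 76561197960265728 is written as "765" followed by 61197960265728 so the
        -- sum stays small enough for a Lua number (a double) to hold exactly.
        local friendid = string.format( "765%0.f", z * 2 + 61197960265728 + y )
        return friendid
    else
        -- Input did not look like a SteamID: hand it back unchanged.
        return steamid
    end
end[/lua]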
Taken from one of Deco's old releases I believe.[/QUOTE]
[quote]
This may bore everyone, but I just figured out how to do it and wanted to share.. lol
You get the person's SteamID.. like STEAM_0:1:123456
Take off the first part, so you are just left with 1:123456
multiply the second set of numbers by two (123456 * 2 = 246912)
now add the first number of the SteamID to the result (246912 + 1 = 246913)
now add 76561197960265728 (246913 + 76561197960265728 = 76561197960512641)
So the person's community page will be [url]http://steamcommunity.com/profiles/76561197960512641/[/url]
(That's not a real SteamID, so the page doesn't exist lol)
My Source: [url]http://forums.alliedmods.net/showthread.php?t=82328&highlight=community[/url]
[/quote]
[url]http://forums.clearnetdeluxe.co.nz/index.php?action=printpage;topic=9593.0[/url]
I don't know if people want to know how you did that so here's an example.
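The conversion walked through in the posts above, written here as an added example (not code from the thread) that works in both directions and returns nil for anything that is not a well-formed ID instead of passing the input through. The function names are hypothetical, and the range check relies on the account number (2*Z + Y) being the 32-bit low part of the 64-bit ID.

```lua
-- Added example, not from the thread. Function names are hypothetical.
-- Lua numbers here are doubles, exact only up to 2^53, and the base
-- 76561197960265728 is above that. The ID is therefore handled as the
-- literal prefix "765" plus a 14-digit remainder that stays below 2^53.
local PREFIX   = "765"
local LOW_BASE = 61197960265728   -- 76561197960265728 without the leading "765"
local MAX_ACCT = 4294967295       -- account number (2*Z + Y) is a 32-bit field

-- "STEAM_X:Y:Z" -> 17-digit community ID string, or nil on malformed input.
local function toCommunityID(steamid)
    if type(steamid) ~= "string" then return nil end
    -- Anchored pattern: the whole string must match and Y must be 0 or 1.
    local y, z = string.match(steamid, "^STEAM_%d+:([01]):(%d+)$")
    if not y or #z > 10 then return nil end
    local acct = tonumber(z) * 2 + tonumber(y)
    if acct > MAX_ACCT then return nil end
    return PREFIX .. string.format("%.0f", LOW_BASE + acct)
end

-- 17-digit community ID string -> "STEAM_0:Y:Z", or nil on malformed input.
local function toSteamID(communityid)
    if type(communityid) ~= "string" then return nil end
    local low = string.match(communityid, "^765(%d%d%d%d%d%d%d%d%d%d%d%d%d%d)$")
    if not low then return nil end
    local acct = tonumber(low) - LOW_BASE
    if acct < 0 or acct > MAX_ACCT then return nil end
    local y = acct % 2
    return string.format("STEAM_0:%d:%.0f", y, (acct - y) / 2)
end

-- Constructed inputs: the first is the worked example quoted above,
-- the other two are malformed and must be rejected.
for _, id in ipairs({ "STEAM_0:1:123456", "STEAM_0:2:5", "xSTEAM_0:1:1/../" }) do
    local cid = toCommunityID(id)
    print(id, cid, cid and toSteamID(cid))
end
```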
[URL]http://code.devicenull.org/index.php?title=Misc:HL2_Exploits[/URL]
Just another exploit for Source/GMod which can be added to the list.
[QUOTE=Terabit;20680235][url]http://forums.clearnetdeluxe.co.nz/index.php?action=printpage;topic=9593.0[/url]
I don't know if people want to know how you did that so here's an example.[/QUOTE]
I implemented something similar. Also bans people by IP once they are banned by steamid so steamid changing becomes pointless without restarting the internet-connection in order to get a new IP.
[url]http://www.facepunch.com/showpost.php?p=20646692&postcount=176[/url]
Then just restart the internet? I mean lol.
[QUOTE=-The-Razor;20680804]Then just restart the internet? I mean lol.[/QUOTE]
You can't restart the internet. You can restart/reboot your modem, router and/or PC. And that doesn't change the IP with lots of people.
[QUOTE=Ywa;20681005]You can't restart the internet. You can restart/reboot your modem, router and/or PC. And that doesn't change the IP with lots of people.[/QUOTE]
Most people have dynamic IPs that change daily anyway..
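A sketch of the SteamID-then-IP ban discussed in the posts above, added here as an example and not the implementation linked in the thread. BanList, IP_BAN_TTL and the one-day expiry are assumptions; the expiry is there because, as the replies point out, many addresses are dynamic and a permanent IP ban would eventually hit whoever is assigned the address next.

```lua
-- Added example, not from the thread. All names are hypothetical.
local IP_BAN_TTL = 24 * 60 * 60   -- assumption: an IP link expires after one day

local BanList = {}
BanList.__index = BanList

function BanList.new()
    return setmetatable({ steamids = {}, ips = {} }, BanList)
end

-- Player addresses come as "a.b.c.d:port"; keep only the host part.
local function hostOf(addr)
    return (string.match(addr or "", "^(%d+%.%d+%.%d+%.%d+)"))
end

local function linkIP(self, ip, steamid, now)
    if ip then self.ips[ip] = { steamid = steamid, expires = now + IP_BAN_TTL } end
end

-- Ban a SteamID and link the address it was last seen on.
function BanList:ban(steamid, addr, now)
    self.steamids[steamid] = true
    linkIP(self, hostOf(addr), steamid, now)
end

-- Returns allowed (boolean) and a reason. `now` is a Unix timestamp.
function BanList:check(steamid, addr, now)
    local ip = hostOf(addr)
    if self.steamids[steamid] then
        linkIP(self, ip, steamid, now)   -- a retry refreshes the link
        return false, "SteamID is banned"
    end
    local link = ip and self.ips[ip]
    if link and now < link.expires then
        return false, "address linked to banned " .. link.steamid
    end
    if link then self.ips[ip] = nil end  -- stale link: address may have moved on
    return true, "ok"
end

-- Constructed sample data (documentation address ranges, made-up SteamIDs).
local bans, t0 = BanList.new(), 1000000
bans:ban("STEAM_0:0:11111", "192.0.2.10:27005", t0)
print(bans:check("STEAM_0:0:11111", "192.0.2.10:27005", t0 + 30))            -- same ID
print(bans:check("STEAM_0:1:22222", "192.0.2.10:27015", t0 + 60))            -- new ID, same IP
print(bans:check("STEAM_0:1:22222", "198.51.100.7:27005", t0 + 60))          -- new ID, new IP
print(bans:check("STEAM_0:1:33333", "192.0.2.10:27005", t0 + 3 * IP_BAN_TTL)) -- link expired
```

The third call shows the limit raised in the thread: a changed SteamID arriving from a changed address is not caught by either list.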
[code]
[iG]Mark<TAB>82.12.213.224:27005 -- Banned SteamIDs: STEAM_0:0:20005251,
--------------
[iG]Mark: Yes?
Deluvas: SteamID spoofers?
[iG]Mark: What about them
Deluvas: Proxies? :<
[iG]Mark: may i ask
[iG]Mark: who the fuck are you.
[iG]Mark: Exuse me if im being rude.
Deluvas: I was playing on ZS green
[iG]Mark: Ok
Deluvas: and saw people talking about you ..
[iG]Mark: Are you an admin?
Deluvas: No
[iG]Mark: Ok
[iG]Mark: What can i do for you.
Deluvas: Can I have some of your fancy steamID spoofers :> ?
[iG]Mark: Yes
[iG]Mark: At a price
[iG]Mark: If you are willing to pay.
Deluvas: How much would the price be?
[iG]Mark: 50 dollars for a year or 20 dollars for 2 months
Deluvas: Hmm ..Interesting offer. I'll think about it :D Anyways, I'd give anything for one of those olo
[iG]Mark: Hmm
[iG]Mark: I can lower the price to 40 dollars if you want
Deluvas: Good. That's Nice
[iG]Mark: for a year
[iG]Mark: Just because im bored.
Deluvas: Ok, I'll talk to you tomorrow .. when I get some money
[iG]Mark: Ok..
Deluvas: Bye
[iG]Mark: Uhm.. and dont ask for proof
[iG]Mark: You just got proof
[iG]Mark: Lo.
[iG]Mark: He banned me then i got tired =]
Deluvas: :<
[iG]Mark: Uhm and also
[iG]Mark: if you spoof someones steamid
[iG]Mark: you can get all whats on their account
[iG]Mark: eg
[iG]Mark: darkrpcash/if they are admin or not
Deluvas: :o
[iG]Mark: as these are by steamid
Deluvas: Awesome
[iG]Mark: If your not stupid enough to knows this XD
[iG]Mark: anyway
[iG]Mark: http://privateaddress/99606/Serenity.Client.rar
[iG]Mark: link for it
[iG]Mark: Don't try and use it now, as it requires a password.
[iG]Mark: Don't tell anyone about this, its secret for now.
Deluvas: Ok
[iG]Mark: Once you pay me ill enable acsess for you
[iG]Mark: And
[iG]Mark: it can never be patched
[iG]Mark: valve dont patch it because it isnt their game garry owns it
[iG]Mark: and garry wont ever
[iG]Mark: be able to
[iG]Mark: so.
Deluvas: Uber nice :D
[iG]Mark: Yes
[iG]Mark: indeed.
[iG]Mark: Anyway, its really fun for everyone
[iG]Mark: Theres 2 options
[iG]Mark: you can select a steamid, of someone you know THEY MUST NOT BE ON THE SERVER
[iG]Mark: or you can pick a random one off steam
[iG]Mark: IF IT SAYS DOES NOT HAVE GAME just dc and reconnect
[iG]Mark: IF IT SAYS ITS ALREADY LOGGED ON ANOTHER COMP JUST dc and reconnect
[iG]Mark: got it?
Deluvas: Yep
Deluvas: I'll talk to you about details tomorrow .. Kinda tired now
[iG]Mark: Ok
[iG]Mark: That's fine
Deluvas: Night
[/code]
Source: [url]http://www.mr-green.nl/results/lol.txt[/url]
[QUOTE=Ywa;20681005]You can't restart the internet. You can restart/reboot your modem, router and/or PC. And that doesn't change the IP with lots of people.[/QUOTE]
every time i reboot my router i get a new ip k
[QUOTE=CombineGuru;20681110]every time i reboot my router i get a new ip k[/QUOTE]
But then you don't restart the internet. Right? And it changes because your router has a dynamic MAC address. Most routers got a static one.
@ The-Stone: I already read that. Do you really think Deluvas was interested in it? :')