PSO: Dreampi Spoofing Overdue?

Online games, how to get online, and anything involving Dreamcast online can be discussed here.

Moderator: pcwzrd13

1nick9
Anarki
Posts: 87

Re: PSO: Dreampi Spoofing Overdue?

Post#11 » Sat Sep 30, 2017 7:54 am

Yeah, got a bit carried away with the idea of implementing a GC-style exploit for it to load a patch, as I was on the beers last night hahah.
Like I said, I'm no programmer so I'm not up with it all, though I'm just wondering how you would get a return packet across an HTTPS connection if it will only accept the hardcoded cert??? Just with my basic understanding I don't think there's really a way to spoof that if the game is coded to only talk to that cert. I could be very wrong; like I said, I'm no expert, it just got me wondering.

colgate
Doom
Posts: 185

Re: PSO: Dreampi Spoofing Overdue?

Post#12 » Sat Sep 30, 2017 1:07 pm

It's not that easy to create a valid cert for a domain you don't own. I'm sure the game checks if the cert is valid or not.

Sent from my Moto G Play using Tapatalk

DR TEAMCAST
Uber
Posts: 1025

Re: PSO: Dreampi Spoofing Overdue?

Post#13 » Sat Sep 30, 2017 3:49 pm

1nick9 wrote: was on the beers last night hahah.

we've all beer posted man haha 8-)

colgate wrote: It's not that easy to create a valid cert for a domain you don't own. I'm sure the game checks if the cert is valid or not.


I really don't think the hunter license key is an HTTPS/SSL certificate. It probably sends unique user data to the server, the server checks if the user has an active hunter license, sends a return packet(s) equivalent to "HUNTER LICENSE OK", and the server connection process proceeds as normal. But in this case, the spoofer wouldn't care what data is sent, it will always send "HUNTER LICENSE OK".

As I said, "specific hardcoded certificate chain" is just BlueCrab using fancy wording. I'm sure it's not different at all from the Dreamarena authentication which Kazade cracked for Toy Racer, and as a result all PAL games, which more or less does the same thing, although 'under the hood' it could vary a bit.
Forum for Dreamcast and Saturn browsers http://bb.dreampipe.net
Media, News, Events and more for your Sega Dreamcast internet browser at http://dreampipe.net

1nick9
Anarki
Posts: 87

Re: PSO: Dreampi Spoofing Overdue?

Post#14 » Sat Sep 30, 2017 6:41 pm

DR TEAMCAST wrote:
1nick9 wrote: was on the beers last night hahah.

we've all beer posted man haha 8-)

colgate wrote: It's not that easy to create a valid cert for a domain you don't own. I'm sure the game checks if the cert is valid or not.


I really don't think the hunter license key is an HTTPS/SSL certificate. It probably sends unique user data to the server, the server checks if the user has an active hunter license, sends a return packet(s) equivalent to "HUNTER LICENSE OK", and the server connection process proceeds as normal. But in this case, the spoofer wouldn't care what data is sent, it will always send "HUNTER LICENSE OK".

As I said, "specific hardcoded certificate chain" is just BlueCrab using fancy wording. I'm sure it's not different at all from the Dreamarena authentication which Kazade cracked for Toy Racer, and as a result all PAL games, which more or less does the same thing, although 'under the hood' it could vary a bit.


Sweet, so I wasn't just rambling useless points, I see what you're getting at now. Still, PSO very well could use an SSL cert to check the license: one, it was a game that required keys unlike the rest, and two, it was a subscription service unlike the rest of the DC library to my knowledge, so one would think Sega would take extra steps to protect the subscription service, not wanting it to be easily hacked so people could just get online for free or steal others' hunter credentials by MITM-style eavesdropping. Once again, assumptions based off not looking closely at how the servers run etc. Also it would only appear to be implemented in PSO v2 JAP and USA, which is odd for them not to implement in all versions seeing all could play online via subscription.

The reason I got so excited with the GC-style exploit is that if it does look for a game update, that would be able to patch the game on the fly while trying to connect, and the DreamPi just has the "update" waiting to be sent while spoofing the servers to go directly to that. Seems a much easier route than spoofing a valid SSL cert it'll talk to, if it needs it. But the SSL system in the game will be 15+ years old, so it very well could have a much simpler vuln to spoof a cert.

Aleron Ives
Outrun
Posts: 1117

Re: PSO: Dreampi Spoofing Overdue?

Post#15 » Sun Oct 01, 2017 2:52 am

There's one key problem with all of your speculation: nobody is going to spend time trying to spoof the SSL process for HL verification when it's so much easier to just disable the game function that runs the check. ;)

If you dislike having to change discs, then use a CD-R where the check is already disabled, and you'll also get the benefit of fast loading.

If you can't live without that GD-ROM feeling, then import the PAL version, since it doesn't need a boot disc and can connect automatically via DNS spoofing, just like GC.
"Fear the HUnewearl."

DR TEAMCAST
Uber
Posts: 1025

Re: PSO: Dreampi Spoofing Overdue?

Post#16 » Sun Oct 01, 2017 3:56 pm

Aleron Ives wrote: There's one key problem with all of your speculation: nobody is going to spend time trying to spoof the SSL process for HL verification

Ye, I was never questioning that. I was just saying, with all that's been done in a very short time, I view it as the weak link in the lineup. I think being able to just boot up my retail disc would go a long way. But you're right.
Forum for Dreamcast and Saturn browsers http://bb.dreampipe.net
Media, News, Events and more for your Sega Dreamcast internet browser at http://dreampipe.net

BlueCrab
Developer
Posts: 843

Re: PSO: Dreampi Spoofing Overdue?

Post#17 » Mon Oct 02, 2017 6:12 pm

DR TEAMCAST wrote: I really don't think the hunter license key is an HTTPS/SSL certificate. It probably sends unique user data to the server, the server checks if the user has an active hunter license, sends a return packet(s) equivalent to "HUNTER LICENSE OK", and the server connection process proceeds as normal. But in this case, the spoofer wouldn't care what data is sent, it will always send "HUNTER LICENSE OK".

As I said, "specific hardcoded certificate chain" is just BlueCrab using fancy wording. I'm sure it's not different at all from the Dreamarena authentication which Kazade cracked for Toy Racer, and as a result all PAL games, which more or less does the same thing, although 'under the hood' it could vary a bit.
It is a specific HTTPS certificate chain you would need to have and it is done over HTTPS -- not just some silly thing using the PSO server encryption (as PSOGC does). It is not anywhere near as easy as some people are making it out to be. As has already been said in here, you can't just sign your own certificate and expect it to work -- it's expecting certain things on the certificate to be exactly as the game wants.

You would need to have an exploit in SSL to do so. While PSO is using a very old version of SSL (probably SSLv3, possibly SSLv2), it is still not an easy task to do so and to get a certificate that the game is expecting. If it was easy, I'd have just done it that way on Sylverant, thus making the patcher disc irrelevant. Making the patcher (which was plenty of work on its own) was easier than finding and using an SSL vulnerability in the way PSO handles the HL check.

Also, for whoever suggested using the update functionality of the game. Yes, PSOv2 has that functionality. No, it's not useful. You can't trigger it externally until after the HL check has passed (the game does that check before it ever tries connecting out to a regular server).
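
The certificate-chain point BlueCrab and colgate make above, as an added example that is not part of the thread and is not PSO's, Sylverant's or any poster's code: a Go program (standard library only) that builds a constructed CA, a leaf that CA issued for a placeholder host name, and a self-signed impostor for the same host name, then runs a verifier that trusts only the one hard-coded CA. The impostor satisfies the host-name comparison (which is all a DNS redirect needs to line up) but fails chain verification, which is why DNS spoofing plus a home-made certificate does not satisfy a client pinned to one chain. The host name, the CA name and the exact shape of the check are assumptions for illustration; the page does not document how PSO's own check is implemented.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// HLHost is a constructed placeholder for the hard-wired licence-check host; not PSO's real hostname.
const HLHost = "hl-check.example.invalid"

// PinnedVerifier models a client whose trust store holds exactly one hard-coded CA and no
// system roots: a leaf is acceptable only if it chains to that CA and names the expected host.
type PinnedVerifier struct {
	roots *x509.CertPool
	host  string
}

func NewPinnedVerifier(ca *x509.Certificate, host string) PinnedVerifier {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return PinnedVerifier{roots: pool, host: host}
}

// Accept returns nil only when leaf chains to the pinned CA and carries the expected name.
func (p PinnedVerifier) Accept(leaf *x509.Certificate) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: p.roots, DNSName: p.host})
	return err
}

// IsUnknownAuthority reports the "signed by unknown authority" failure a pinned client
// returns for any certificate its hard-coded CA did not issue.
func IsUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template builds a CA template (isCA) or a server leaf template for host cn, valid for one day.
func template(serial int64, cn string, now time.Time, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// sign issues tmpl under parent with parentKey; parent == tmpl yields a self-signed certificate.
func sign(tmpl, parent *x509.Certificate, key, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildScenario generates three constructed certificates in memory: the CA the client is assumed
// to ship with, the leaf that CA issued for HLHost, and an impostor for HLHost that is merely
// self-signed, i.e. what "just sign your own certificate" produces.
func BuildScenario() (pinnedCA, genuine, impostor *x509.Certificate) {
	now := time.Now()
	caKey := newKey()
	caTmpl := template(1, "Constructed pinned CA", now, true)
	pinnedCA = sign(caTmpl, caTmpl, caKey, caKey)
	genuine = sign(template(2, HLHost, now, false), pinnedCA, newKey(), caKey)
	impTmpl, impKey := template(3, HLHost, now, false), newKey()
	impostor = sign(impTmpl, impTmpl, impKey, impKey)
	return pinnedCA, genuine, impostor
}

func main() {
	ca, genuine, impostor := BuildScenario()
	v := NewPinnedVerifier(ca, HLHost)
	fmt.Println("genuine leaf accepted:", v.Accept(genuine) == nil)                  // true
	fmt.Println("impostor name matches:", impostor.VerifyHostname(HLHost) == nil)    // true
	fmt.Println("impostor rejected by pin:", IsUnknownAuthority(v.Accept(impostor))) // true
}
```

The verifier deliberately passes only its own pool as `Roots`, so the system trust store plays no part; that is the property being illustrated: the client decides by chain, not by who answers the host name. Swapping the pinned CA for a different constructed CA flips the genuine leaf to rejected as well, which is the behaviour a defender wants from a pinned client.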

1nick9
Anarki
Posts: 87

Re: PSO: Dreampi Spoofing Overdue?

Post#18 » Mon Oct 02, 2017 11:32 pm

BlueCrab wrote:
DR TEAMCAST wrote: I really don't think the hunter license key is an HTTPS/SSL certificate. It probably sends unique user data to the server, the server checks if the user has an active hunter license, sends a return packet(s) equivalent to "HUNTER LICENSE OK", and the server connection process proceeds as normal. But in this case, the spoofer wouldn't care what data is sent, it will always send "HUNTER LICENSE OK".

As I said, "specific hardcoded certificate chain" is just BlueCrab using fancy wording. I'm sure it's not different at all from the Dreamarena authentication which Kazade cracked for Toy Racer, and as a result all PAL games, which more or less does the same thing, although 'under the hood' it could vary a bit.
It is a specific HTTPS certificate chain you would need to have and it is done over HTTPS -- not just some silly thing using the PSO server encryption (as PSOGC does). It is not anywhere near as easy as some people are making it out to be. As has already been said in here, you can't just sign your own certificate and expect it to work -- it's expecting certain things on the certificate to be exactly as the game wants.

You would need to have an exploit in SSL to do so. While PSO is using a very old version of SSL (probably SSLv3, possibly SSLv2), it is still not an easy task to do so and to get a certificate that the game is expecting. If it was easy, I'd have just done it that way on Sylverant, thus making the patcher disc irrelevant. Making the patcher (which was plenty of work on its own) was easier than finding and using an SSL vulnerability in the way PSO handles the HL check.

Also, for whoever suggested using the update functionality of the game. Yes, PSOv2 has that functionality. No, it's not useful. You can't trigger it externally until after the HL check has passed (the game does that check before it ever tries connecting out to a regular server).


Sweet man, I was trying to pay you some credit. I mean, if you reversed the whole PSO server to set up a private one, I doubt you would spit out BS out of laziness.....

Shame about the update idea, seeing it runs after the hunter license check; thought it was a good idea if it hadn't been thought of before, but honestly figured if it was that simple it would have already been done. Due to it being run after the HL check, that would suggest GC PSO Ep1+2 doesn't do the SSL HL check, seeing PSOload can spoof the DNS..... Odd to implement a secure option then omit it, I think. Not saying I disagree, just not understanding Sega's logic in doing that.

Aleron Ives
Outrun
Posts: 1117

Re: PSO: Dreampi Spoofing Overdue?

Post#19 » Tue Oct 03, 2017 3:59 am

1nick9 wrote: GC PSO Ep1+2 doesn't do the SSL HL check

That's correct. The level of security in PSOv2 is excessive and unnecessary: before the game will even try to connect to the game server, it connects over HTTPS to the HL server and asks it to verify that your serials are associated with a paid account. If they are, the HL server sends an encrypted response that tells PSO it's allowed to connect to the game server. If they aren't, the response immediately throws PSO to an error message saying that you need to create an account, renew your subscription, or whatever. If PSO can't reach the HL server, it aborts the connection process and displays a cryptic message saying the line was disconnected due to "network errors". It never even tries to contact the game server, so server-side patching to disable the HL check is impossible, as BlueCrab said.

In GC, Sega handles all of this within the game server. You connect to the game server, transmit your serials, and then the game server is responsible for verifying that your serials are associated with a paid account. If they aren't, the game server sends an error code that disconnects you and tells you that you need to register/pay/renew/whatever. All of this happens over the standard PSO protocol, so going online with GC is easy: Sylverant simply allows everybody with registered serials to connect and doesn't charge a fee at all. It is possible for Sylverant to transmit error messages associated with failure to pay the HL fee, but since Sylverant is free, there is no mechanism for ever sending those packets to any clients.

Apparently Sega realised that the security measures on DC were overkill and decided to simplify the authentication system for GC, and it's lucky for us that they did, since you can't just stick a boot disc in an unmodified GC the way you can on a DC to patch the game at runtime.
"Fear the HUnewearl."

1nick9
Anarki
Posts: 87

Re: PSO: Dreampi Spoofing Overdue?

Post#20 » Tue Oct 03, 2017 4:22 am

Aleron Ives wrote:
1nick9 wrote: GC PSO Ep1+2 doesn't do the SSL HL check

That's correct. The level of security in PSOv2 is excessive and unnecessary: before the game will even try to connect to the game server, it connects over HTTPS to the HL server and asks it to verify that your serials are associated with a paid account. If they are, the HL server sends an encrypted response that tells PSO it's allowed to connect to the game server. If they aren't, the response immediately throws PSO to an error message saying that you need to create an account, renew your subscription, or whatever. If PSO can't reach the HL server, it aborts the connection process and displays a cryptic message saying the line was disconnected due to "network errors". It never even tries to contact the game server, so server-side patching to disable the HL check is impossible, as BlueCrab said.

In GC, Sega handles all of this within the game server. You connect to the game server, transmit your serials, and then the game server is responsible for verifying that your serials are associated with a paid account. If they aren't, the game server sends an error code that disconnects you and tells you that you need to register/pay/renew/whatever. All of this happens over the standard PSO protocol, so going online with GC is easy: Sylverant simply allows everybody with registered serials to connect and doesn't charge a fee at all. It is possible for Sylverant to transmit error messages associated with failure to pay the HL fee, but since Sylverant is free, there is no mechanism for ever sending those packets to any clients.

Apparently Sega realised that the security measures on DC were overkill and decided to simplify the authentication system for GC, and it's lucky for us that they did, since you can't just stick a boot disc in an unmodified GC the way you can on a DC to patch the game at runtime.


Sweet, makes sense now. Once again my idea was based off the assumption it would look for an update in the same manner as GC. Thanks for explaining, that filled in a lot of my assumptions.
