Eve Online Source(client side) Code

As title says... =)



Guy asked to spread it, why not? =)



History:



[20:16] So. Talking with Arkanon wasn't fruitful.

[20:17] <[IA]Morpheus> Not quite, what are you trying to achieve?

[20:17] Make CCP confirm some things they are refusing to confirm ...

[20:18] Make intelligent approach to fixing bugs and perfomance issues instead of messing with game balance

[20:18] at least

[20:18] <[IA]Morpheus> You have no idea how we even work, theres 350 employees working at CCP and you don't know the slightest about our processes.

[20:18] I don't know HOW you work

[20:19] i see the RESULT of this work

[20:19] and UNDERPANTS of it

[20:19] I have enough experience researching MMO's

[20:19] eve isn't first

[20:19] and won't be last

[20:20] so if you want to tell i don't have the understanding of CCP infrastructure related to eve - you are somewhat wrong

[20:20] but question isn't about this

[20:20] from what i know previous sourcecode leak

[20:20] was couple years ago

[20:20] and from what i see, nothing changes in terms of quality

[20:21] neither things, allowing people to exploit eve (for botting) - were fixed

[20:21] is that how 350 people (i doubt if at least 1/5 - 1/7 of them are programmers)

[20:22] work?

[20:22] Customers without in-depth knowledge will not notice this

[20:22] but what if somebody will explain the situation for them?

[20:23] or you consider USD14.95 people pay you every month aren't enough to be fair with them?

[20:26] <[IA]Morpheus> This is the wrong way to go about things and will not lead to a revolution in how CCP does things internally.

[20:26] <[IA]Morpheus> Sorry if thats what you were after.

[20:26] I'm not looking for revolution

[20:27] Do you know such term as "Proof of Concept"?

[20:27] It's only enough it to get into hands of people who consider themselves to be programmers

[20:28] Currently eve don't have any clientside (and i'm 100% no serverside, except logs) routines to detect bots :)

[20:28] Even stupid ones, using OCR and called Macroses

[20:28] :)

[20:29] Won't the wave of intelligent bots make CCP work at least in the direction of securing the engine?

[20:29] :)

[20:29] <[IA]Morpheus> Of course it will, that's obvious.

[20:29] Nice

[20:29] that's at least part of the plan

[20:29] <[IA]Morpheus> If thats what you want to achieve then congratulations, we are always working on improving security and plugging holes. If you want to help with that, try a normal approach like say sending us an email with suggestions.

[20:30] No, you are lying :)

[20:30] Security wasn't improved since last theft

[20:30] except some CryptoAPI and zlib

[20:30] so don't try to fool me

[20:31] <[IA]Morpheus> Security is always being worked on, I trust you know programming takes a lot of time and effort.

[20:31] <[IA]Morpheus> You say we have no ways to detect bots, yet we continue to ban thousands of exploiters who sell ISK and so forth.

[20:32] And that's all?

[20:32] And what if people start using some hypothetic people2people trading service

[20:33] that will avoid of using sellers who are constantly monitored via logs?

[20:33] so there will be signle and not interconnecting trades

[20:33] <[IA]Morpheus> Then we'll pick up on that and fix it..?

[20:33] that's how Blizzard can't do anything with such theme

[20:33] don't think you will manage

[20:33] they are losing more than you

[20:33] Why not to add client-side routines to detect bots?

[20:34] Why using petitions?

[20:34] People can lie, people can put a bucket of dirt on player who never violated eula

[20:35] And he will be banned, if petition will contain only right details describing the things you will never log, but that are surely be bot's actions

[20:36] EVE Clientside is enough to put bot-detecting routines there

[20:36] you can even use

[20:36] your spyware approach

[20:36] similar to when downloading PC identification python object during authentication as payload

[20:37] <[IA]Morpheus> Let it all out, I'll be sure to forward the conversation to all of our programmers, if thats what you want.

[20:37] No, your programmers are just following the plan

[20:37] they aren't that bad guys who caused all this anarchy

[20:37] <[IA]Morpheus> Care to tell me who did?

[20:38] Those who plan eve development and/or who decide the priority of client upgrades to be implemented.

[20:39] Currently Shiny Features have more priority than solidifying security and fixing bugs, from what i see

[20:40] Or how else you can explain the ability for the bots to use same approach to exploit eve engine as when previous sourcecode leak was?

[20:41] Nothing changed to prevent this?

[20:41] But we've got tons of content patched

[20:41] but still lagging jita and deadly lagging blobs

[20:41] but from patchnotes i see that these things aren't your priority

[20:42] <[IA]Morpheus> I see that your intentions are good but this isn't playing out nicely for either parts.

[20:43] Guys, theres no other way that will play better.

[20:43] You simply ignore community requests to fix the core of eve, rather than add new coats to it, to make community forget about the bugs.

[20:43] <[IA]Morpheus> I despise bots and hacks over everything, but this is also a business, we've got developers designing content and EVE needs to grow. I know for a fact that there are programmers working on security, more than that I can't really say.

[20:43] <[IA]Morpheus> If you think we are releasing new content to make you forget about bugs then I'm not sure what I can say to convince you.

[20:44] <[IA]Morpheus> Patches have always been 50% bug fixes 50% content or so.

[20:44] Could you certainly say me what your programmers did to secure clientside from exploiting Eve?

[20:44] what's certainly

[20:45] I don't have anything against content makers - their ideas are good, really good

[20:45] I have full eve sourcecode, so you know what's did, and what's not;)

[20:46] From all security i saw - were ROLE permissions for logins with priviliges higher than usual player, and some minor things in relation to prevent some remote service calls (some with potentially bad payload)

[20:46] nothing else

[20:47] is that called "programmers working on security"?

[20:47] <[IA]Morpheus> Are you cruising for a job or something?

[20:47] Nah

[20:47] neither job, neither anything else

[20:47] you may think of in such direction

[20:48] Digging the situation to uncover the truth :)

[20:49] You may compare me to fox mulder from x-files series

[20:49] it's the best description of why i do this

[20:49] <[IA]Morpheus> Ah, well, nice to meet you Mr Mulder.

[20:50] So... would you like to answer what AWESOME ccp programmers did in relation to client/server security (at least for client?)

[20:51] <[IA]Morpheus> No, we won't respond to blackmail. If you think we don't care or aren't working on improving security you are sadly mistaken.

[20:51] IA

[20:51] did you saw the code yourself?

[20:51] <[IA]Morpheus> Yeah, and?

[20:51] or you are just telling me someone else's words?

[20:52] <[IA]Morpheus> Nop, I'm all alone.

[20:52] And where do you see security fixes or bot catching routines in client?

[20:52] <[IA]Morpheus> I wouldn't know, I'm not a programmer.

[20:52] YAY

[20:52] <[IA]Morpheus> If you think we are gonna tell you everything we've done or are going to do then I've got a bridge to sell you.

[20:53] so how you can tell if there are security pathces?

[20:53] Morpheus, i have a client sourcecode

[20:53] and have a people who can supply me with updates

[20:53] of each new version

[20:54] (where my python decompiler won't be able to handle optimized bytecode)

[20:54] <[IA]Morpheus> There's probably more to it than meets the eye, Fox Mulder.

[20:54] so in relation to client i have the same about of knowledge as you

[20:55] So you insist that security patches are applied to client and client is secure and non-exploitable?

[20:55] Maybe i should release a small hack with portion of eve sourcecode to eve forums that will exploit something?

[20:55] or you will continue to talk that everything is fine?

[20:56] <[IA]Morpheus> Heh, I'm not saying there aren't exploits, don't be naive..

[20:56] o

[20:56] there's 1 big exploit )

[20:56] <[IA]Morpheus> There are and probably will always be, however we will continue to work against them. What else do you want?

[20:56] and tons of small ones

[20:56] not the ones requiring people to do queue of actions ingame to achieve the result

[20:57] <[IA]Morpheus> And you want this fixed?

[20:57] i'm talking about the ones, that are coming to light when you are exploiting eve python engine (oh god they said me it's impossible)

[20:57] Easiest way was to start using c++ and completely rewrite the code some time ago

[20:57] but i assume it's too late

[20:58] so you will not get rid of python injections

[20:58] <[IA]Morpheus> Time will tell, I suppose.

[20:58] but you can think of coding anti-bot routines

[20:58] I wonder if your programmers and qa know at least 1/20 of they ways possible to use to inject the code

[20:59] starting from most stupid approach

[20:59] and ending with ring0 injector

[20:59] trust me

[21:00] you can try

[21:00] ugh

[21:00] you COULD try

[21:00] but nothing was done in this direction for years :)

[21:00] i know people who are safely botting (first with ocr, then on python code bots) from early years of eve

[21:01] and they also agree nothing was changed in terms to stop or make the bots function wrong

[21:02] <[IA]Morpheus> You know, if you want that to stop you should let us know exactly how those bots function instead of threatening to leak source code.

[21:02] only if i will have public guarantess and confirmation that certain list of things will be fixed

[21:03] confirmation on each exploit

[21:03] otherways - there's no sense

[21:03] i'm not only want to see these things fixes

[21:04] it also requires CCP to confirm that these bugs existed (and exist) over years

[21:04] you understand what i mean

[21:05] i'm thinking of some patching for trinity graphic engine

[21:05] to show that it's possible to make client show much more fps

[21:06] at least in space, during large fights :)

[21:06] (and that's one more stone to the window of your programmers, who must be forgot of such thing as level of details)

[21:07] there are many things - some interesting constants, that should be controlled by server, but they are not; ability to faster change sessions, unloading unnecessary services in runtime when they are not required

[21:08] truth on some strange session roles like viplogin :)

[21:08] 10 megabytes of code are enough to find a lot of things that should be there

[21:10] *should not

[21:11] And How these bots are functioning?

[21:12] Executing python code inside of eve python interpreter

[21:12] :)

[21:12] Or calling python api (these are less intelligent ones) to call objects, methods from eve python

[21:14] Untile eve uses python, there's no way to prevent these bots from using it too

[21:14] Untile=>*While

[21:15] It's possible to catch them, but not prevent from appearing and being more and more intelligent.

[21:15] In near perspective, other people who also have eve sourcecode (not from me) - will be able to release the bot that will be able to keep in control every single in-game activity usual player can do ingame.

[21:16] So only way (if you are not going to stop using python) - is to implement a bot catching routines on clientside

[21:22] <[IA]Morpheus> Well, thanks for all the advice.

[21:23] so

[21:23] i assume there will be no public excuse and to do list of bugs to fix from CCP?

[21:27] <[IA]Morpheus> Not quite, however, we are prepared to talk if you want your EVE Accounts reopened. This would also be a chance for you to give and receive feedback on the horrible bugs and exploits you know about.

[21:27] I'm not interested in my eve accounts

[21:27] The ones you closed

[21:27] weren't involved in testing :)

[21:27] <[IA]Morpheus> Then we have nothing more to discuss, thank you for your time and have a good day.

[21:32] It's was nice you agreed to talk with me.

[21:32] Personal thanks for your patience, Morpheus.

[21:32] Have a good day.

[21:32] <[IA]Morpheus> Sure thing. Farewell.



<[IA]Morpheus> Hi, give me a few minutes to reply to your mail.

Sure

<[IA]Morpheus> Do you have a list of bugs and exploits, the ones that you want us to fix?

1. List of exploitable clientside things.

2. Description of ways to exploit python engine (with examples)

3. Ways to detect the bot(-s)

but

only in case terms i listed during our last discussion yesterday

*case of accepting

<[IA]Morpheus> Can you list them again please so I can run this by some people?

1. List of places in clientside code that allows to code small client-side hacks.

2. Descriptions of the ways to intrude in EVE python engine and execute arbitary code there

3. Ways to detect existing bot(-s) (at least know 1 serious enough)

4. General ideas to improve EULA.