Halo 1 & 2 for PC
This topic has moved here: Subject: Halo PC NEW EXPLOIT
  • Subject: Halo PC NEW EXPLOIT
  • Pages:
  • 1
  • 2
  • 3
  • of 3
Subject: Halo PC NEW EXPLOIT
  • gamertag:
  • user homepage:
  • last post: 01.01.0001 12:00 AM PDT

I understand your argument Garniso..But why?? HaloPC is a game that Im sure he knows has no support team currently in place anymore. So I can see no other reason to do this but malice.

  • 07.04.2008 6:40 PM PDT

H1 and Halo Custom edition name: madkiller92
xfire:madkiller92

The bad part is, this may never be fixed, or could end up something that can ruin halo pc. The aimbot wasn't intended to be bad, but it was found,used, updated, and helps to ruin the game now.
Who knows if this could end up as bad.

  • 07.04.2008 6:42 PM PDT
  • gamertag:
  • user homepage:
  • last post: 01.01.0001 12:00 AM PDT

Its like the bitterbanana and the aimbot. Even though halo didn't have an anti-cheat system it was only a matter of time before someone discovered how to make an aimbot for halo. With the haloboom, it was only a matter of time before someone figured out how to expliot the loophole in the game. Its better that this comes out now so that it can be fixed then later on when we might not be able to get someone to help us.
Posted by: CV STEEL
HaloPC is a game that Im sure he knows has no support team currently in place anymore.

Au contraire, thanks to Luigi we now have Roger. And we pray to him as a god. Im currently ordering mini statues of his likeness with the words "Our Halo Lord And Savior." I plan on putting it next to my bed.

  • 07.04.2008 6:51 PM PDT
  •  | 
  • Exalted Legendary Member
  • gamertag: Btcc22
  • user homepage:

This exploit was already around, and Roger was already aware of it.

Thanks for posting it on a public forum though </sarcasm>.

  • 07.04.2008 8:10 PM PDT

FTW

I've been reading this thread for the past few minutes and I'm just completely frustrated at the bashing going on (without much basis i assume). Luigi is a hacker; one who solves complex problems relating to programming and such. If it weren't for hackers, our society would never advance. They are the ones pushing advances in security and messy code, so that programmers will write code that's even harder to exploit. We cannot blame Luigi for our losses when it is almost unrelated to his work. Regardless of the source, the fact that Luigi released it to the public is not a bad thing. Think about it, if he were to keep it in private and perhaps exploit it himself, then he IS TRULY to blame. If he were to only show it to the companies responsible, then he would have to wait for months at a time to get the message through. To be honest, he couldn't give a bigger crap for Halo (which I doubt he plays himself). That is why he releases it to the public, so that the ones who care take action. So that the people at loss get their fix.

(brag) thanks to my publicity of the exploit elsewhere (on many clan/Halo-related forums), Bungie has finally taken action towards fixing this hole addressed by Luigi. In the end, all we can do is wait for the fix.

[Edited on 07.04.2008 10:46 PM PDT]

  • 07.04.2008 10:46 PM PDT
  • gamertag:
  • user homepage:
  • last post: 01.01.0001 12:00 AM PDT

well someone must have found a legal hole, that aluigi was performing illegal activities.. because his site is shutdown.

  • 07.05.2008 2:54 AM PDT
  • gamertag:
  • user homepage:
  • last post: 01.01.0001 12:00 AM PDT

I, Luigi Auriemma, usually don't reply in forums on which people talk about my research in fact the only time I did it was when I posted the links to my haloboom and haloloop patches for 1.04 in the Gearbox forum (yes I'm the author of these patches which move all the servers on which you play with your 1.04 versions, surprised?).
But in the last week I have had the occasion to read so much stupid comments, idiocies and other wrong and absurd things about me and my research that was impossible to ignore them.

I will go in order and this post will be long, so would be useful if you want to link it EVERYWHERE there is a direct or indirect discussion about my stuff.

First would be useful to stop to define "exploit" my research, the fact that not all the people have the technically skills and the background to understand something (and security is not something easy to understand) doesn't mean that they must offend the others.

These codes with these strange names are just open source GPLed proof-of-concepts which in full disclosure are required for demonstrating a vulnerability or an idea about a possible problem and are usually used by the other people in my same field (security/bugs researching) for confirming and consequently indexing the vulnerabilities and naturally by the same admins or the people who use one of the vulnerable products to test if and how much critical is the problem.
Just FYI I have found hundreds of vulnerabilities in any game and non-game software (Apache, MySQL, Emule, Utorrent and so on), everything is documented on my websites and the hundreds of mirrors and security websites everywhere in the world.

Like anything in the world (for example the knives you use to cut your food) also my research can be used in malicious way and naturally I can't control this. That's why in my field is important to be neutral and thinking only to my research moreover if there is the experience that help to understand what is good and what isn't.

Now, about "halofp" probably if instead of wasting your time in useless comments you had a bit of brain you had the occasion to search on Internet and see that:
- the fake players is a type of bug (not really a security vulnerability but a design bug) which has been found and researched by me since the 2003 and is highly documented with informations about what causes this problem and how to solve it
- the so called "halofp" exists from the 15th April 2005

Yes the far 2005, but probably nobody of you heard about me just because Bungie has never credited me in its patches they released for the vulnerabilities I found in the past and which were reported to them BEFORE the releasing of my public advisories.
But why I have spent time to contact the developers and waiting months before the releasing of informations about a security vulnerability found by me without being credited if some idiots think that I want to "ruin" their community?
And moreover why I need to ruin a game that I don't have?
I have played Halo only on Xbox with a friend of mine many years ago and was very funny, probably the best FPS I have played on this console.

The strange thing is that was enough to search on Internet something about the person who found these security vulnerabilities to know the answers to these questions but as usual the lazy people prefer to insult the work of the others instead of spending one minute on Internet and using their brain.
Anway I can do nothing except writing this post which probably these same people will never read.

Now, why all these old research has becoming so (in)"famous" only now?
The fact is that seems that someone had the ehmmm "great" idea to spread the words about the malicious usage of my research with links to my primary website... the only good things I see in this is that at least he credited me (credited for something showed as bad is not a nice thing) and naturally that the "haloloop2" bug has been fixed in less than a week.

I have talked about primary website since all my research is decentralized on some official mirrors and hundreds of security websites located in any part of the world (packetstorm and its mirrors for example), and I'm in the security scene by over 6 years ever on the same websites (feel free to check on http://www.archive.org/web/web.php) just to show you the genuinity of my research and my experience in this field.

I have read about people talking about shutting down my website (what of them???) but, trust me, nobody can be so stupid to try something similar first for the reason I have explained before, then because it's only a personal page written in a technical way (for people in my same field) and last because I don't want that all the Halo community must pay for the actions of some stupid individuals (moreover because I personally know some Halo admins and players which are very very good people) and although I can promise that I will never react to such actions I must also alert you that exist other critical vulnerabilities not yet disclosed which have been found by me in Halo.
I repeat, I have NEVER and NEVER will abuse of my stuff since I do only research but I'm human like any of you...
I hope my message is clear and anyone has understood it clearly and, consequently, wants to spread the word.

About the new vulnerabilities I was talking: some minutes after the releasing of the new 615 hotfix I have found a new loop vulnerability and I have quickly contacted Roger Wolfson about it and he has the new proof-of-concept in his hands (NOBODY else has informations about this bug).
Unfortunately he is now travelling and he will be able to put the hands on a new possible fix only after one month.
Naturally I will wait the releasing of the hotfix for releasing these informations, so don't ask about details.

If something is not clear feel free to contact me or you can continue the discussion here or on the thread on my forum opened just for the discussion about the Halo loop vulnerability:

http://aluigi.freeforums.org/haloloop-again-t404.html

I would also be happy to comment technically the vulnerabilities (moreover halofp which is very interesting, for example why someone without a valid cdkey can fill a Halo server?) and how to protect yourself and consequently taking actions versus who is exploiting them, but it's all up to you so let me know if you are interested and I will continue my discussions here.

And remember that knowledge and true informations are the only things in which you must trust and which can help since the disinformations which some ignorants (admins, attackers and players) are doing causes only worst effects.

  • 07.05.2008 6:02 AM PDT

So you have this program good for you, know I have no problem with it until you were stupid enough to give it to the public where tool and trools and just straight up pricks can access it, good job

[Edited on 07.05.2008 6:35 AM PDT]

  • 07.05.2008 6:35 AM PDT

H1 and Halo Custom edition name: madkiller92
xfire:madkiller92

I have no problem with it until you were stupid enough to give it to the public where tool and trools and just straight up pricks can access it

  • 07.05.2008 7:58 AM PDT
  • gamertag:
  • user homepage:
  • last post: 01.01.0001 12:00 AM PDT

"Its like the bitterbanana and the aimbot. Even though halo didn't have an anti-cheat system it was only a matter of time before someone discovered how to make an aimbot for halo."

The thing that seperates Bitter from Luigi was the fact that Bitter's aimbot was actually leaked and the fact that the bot was not intended to be used for cheating believe it or not. His aimbot was actually meant to be used for a mod (the Legend of Zelda mod back when it was still being worked on) on Halo Custom Edition. From what I understand, Bitter was going to program the bot only to function for that mod. However, he gave the bot to a trusted friend (it was something about researching a code I believe) who at the end leaked it.

  • 07.05.2008 8:08 AM PDT
  • gamertag:
  • user homepage:
  • last post: 01.01.0001 12:00 AM PDT

Posted by: STLRamsFan1k
The thing that seperates Bitter from Luigi was the fact that Bitter's aimbot was actually leaked and the fact that the bot was not intended to be used for cheating believe it or not. His aimbot was actually meant to be used for a mod (the Legend of Zelda mod back when it was still being worked on) on Halo Custom Edition. From what I understand, Bitter was going to program the bot only to function for that mod. However, he gave the bot to a trusted friend (it was something about researching a code I believe) who at the end leaked it.

True, which is the point i was trying to get across. People tend to hate the people who do legit work with a legit purpose instead of those who take that work and do evil with it.
Posted by: TRCXFIRE
well someone must have found a legal hole, that aluigi was performing illegal activities.. because his site is shutdown.

His site didn't get shut down, it got DDoS'd. Next time get it right.

[Edited on 07.05.2008 10:33 AM PDT]

  • 07.05.2008 10:31 AM PDT
  • gamertag:
  • user homepage:
  • last post: 01.01.0001 12:00 AM PDT

well sorrrrrrrrrrrrrrrrrryyyyyyyyyyyyyyyy......

didnt mean to hurt your feelings, you know i am human ya know. and people make mistakes. its extremely common dont you know.

stop trying to flame garniso, your not helping anyone or anything by doing it. (even though it was a suttle insult)

  • 07.05.2008 10:44 AM PDT

FTW

sry to flame you again trcxfire, but learn to spell
xD

-- other than the point ---

I have a feeling people still do not understand the conclusion here. You all should be bashing at the turds actually EXPLOITING his research. It is not Luigi's fault, nor is he in any position to care about how his programs are used. Obviously, he is not an active player that wishes to ruin the game, he is a legit hacker that stands as the pillar of advancement for many other programmers.

Just cuz you all are pissed at the fact that Halo is being ruined by his programs, YOU have no right to even start bashing him (albeit this is a forum). All we can do is blow off steam at the company, Bungie, that made messy codes (so they can patch it of course).


---

Quote Aluigi:
Now, why all these old research has becoming so (in)"famous" only now?
The fact is that seems that someone had the ehmmm "great" idea to spread the words about the malicious usage of my research with links to my primary website... the only good things I see in this is that at least he credited me (credited for something showed as bad is not a nice thing) and naturally that the "haloloop2" bug has been fixed in less than a week.

you gotta admit, if i didnt publicize as i did now, then the situation would've been under covers like 3 years ago (referring to the WWK vs PRO feud). That would've created more problems within the community, so I just decided to spill the beans.

[Edited on 07.05.2008 11:07 AM PDT]

  • 07.05.2008 10:56 AM PDT
  • gamertag:
  • user homepage:
  • last post: 01.01.0001 12:00 AM PDT

lol dam j00 :P

  • 07.05.2008 11:03 AM PDT
  • gamertag:
  • user homepage:
  • last post: 01.01.0001 12:00 AM PDT

Luigi thanks for responding..But have you stopped for one second to think about the people that actually play this game and pay a chunk of money every month to keep this game alive?? Have you stopped to think about the havoc that it causes for the server admins that have to fight these idiots that use your "toolz". What if Bungie or Gearbox just say "screw it" and decide not to fix the holes that you so proudly have found. What about the thousands of people that actually play the game. We are to suffer because of your need for fame?? Well I feel and I'm sure plenty of others in the Halo community feel that its pretty selfish of you to enable a bunch of fools to be able to ruin the game for us that have been playing it for years. Why don't YOU release a fix for the problem....Why don't YOU be constructive and release something for the people that YOU claim to be helping.

[Edited on 07.05.2008 12:29 PM PDT]

  • 07.05.2008 12:28 PM PDT

H1 and Halo Custom edition name: madkiller92
xfire:madkiller92

What if Bungie or Gearbox just say "screw it" and decide not to fix the holes that you so proudly have found.
I guess he didn't think of this, we're actually quite lucky to get one.
Why don't YOU release a fix for the problem
He just wants to point them out and let everyone use them, I guess he thinks some good will come of it, IF the game developers even decide to release a patch.

  • 07.05.2008 1:46 PM PDT
  •  | 
  • Exalted Legendary Member
  • gamertag: Btcc22
  • user homepage:

I've been aware of him and his work for many years, and I have to say it's a difficult issue.

On one hand his work has potentially solved problems that could have developed down the line, and on the other hand his work has created problems too.

I guess he deserves both thanks and blame for what he's done. Thanks for the issues he's raised and had fixed before somebody with less than honourable intentions found out, and thus improved the quality of games, and blame for the problems he's caused (the Haloloop2 being one of them).

While his intentions may have been good, he still made an exploit public for a game that hasn't been supported for around two and a half years, and to me intentions aren't important. It's naive to think that releasing these things to the public won't cause problems. He deserves the blame for the problems (slightly less so if he went to the developers first before releasing it) and not providing any solutions, not Gearbox or whoever somebody earlier tried to blame. Most software has bugs in it, and it's just not possible to catch them all, even with extensive testing. Things slip through even with the best of developers.

As for whoever tried to compare this to the aimbot leak, I'd have to put the blame on Bitterbanana for that, as well as who leaked it.

What I'm trying to say is, is that it's not black and white, but he can't just pass the blame on by claiming it's not his fault it was used to cause damage. It is, even if indirectly.

[Edited on 07.05.2008 3:32 PM PDT]

  • 07.05.2008 3:29 PM PDT
  • gamertag:
  • user homepage:
  • last post: 01.01.0001 12:00 AM PDT

sry but I stoped reading that -blam!- after the 3rd paragraph. you call this -blam!- helping but we all know that your just some -blam!- dead beat hacker with no life. even if you did this to ''help'' then you sure did help by posting this in a public forum and giving it to the most -blam!- up halo play ever zagan that kid is so -blam!- up its not even funny. I heard on xfire that you and zagan are facing jail time. hope you enjoy getting raped in prision I am sure you both will make good prision -blam!-es.

  • 07.05.2008 3:39 PM PDT
  •  | 
  • Exalted Legendary Member
  • gamertag: Btcc22
  • user homepage:

Posted by: cmx
sry but I stoped reading that -blam!- after the 3rd paragraph. you call this -blam!- helping but we all know that your just some -blam!- dead beat hacker with no life. even if you did this to ''help'' then you sure did help by posting this in a public forum and giving it to the most -blam!- up halo play ever zagan that kid is so -blam!- up its not even funny. I heard on xfire that you and zagan are facing jail time. hope you enjoy getting raped in prision I am sure you both will make good prision -blam!-es.


Or quite possibly whoever this Zagan guy is got it from the developer's website like pretty much everybody else?

It's just that there are so many fame seekers in the community, and so many ignoramuses that will believe anything they hear.

Jail time for crashing some Halo servers? I'm sure. I won't even bother going into how unlikely it is anybody can prove anything. Do you think game server providers log all their connection information? Even if they did, it would mean nothing without the actual packets that were sent and analyse of those packets. I won't even go into how hard it'd be for somebody to face jail time so soon after such a thing, as I guess you wouldn't understand the process anyway.

[Edited on 07.05.2008 3:49 PM PDT]

  • 07.05.2008 3:47 PM PDT
  • gamertag:
  • user homepage:
  • last post: 01.01.0001 12:00 AM PDT

its in his -blam!- guestbook the instructions on how to use it and where to download it. and he also said in his guestbook that he is facing jail time. zagan/proh1's guestbook that is

[Edited on 07.05.2008 3:51 PM PDT]

  • 07.05.2008 3:51 PM PDT
  •  | 
  • Exalted Legendary Member
  • gamertag: Btcc22
  • user homepage:

Posted by: cmx
its in his -blam!- guestbook the instructions on how to use it and where to download it. and he also said in his guestbook that he is facing jail time. zagan/proh1's guestbook that is


Posted by: Btcc22
It's just that there are so many fame seekers in the community, and so many ignoramuses that will believe anything they hear.

  • 07.05.2008 3:53 PM PDT
  • gamertag:
  • user homepage:
  • last post: 01.01.0001 12:00 AM PDT


Posted by: RaidenKilla
you gotta admit, if i didnt publicize as i did now, then the situation would've been under covers like 3 years ago

forcing the developers to release a fix depends ever by the same developers.
for example all the games based on the Quake 3 engine use my work-arounds since their developers no longer support them although the bugs are known and publics by years.

Posted by: CV STEEL
But have you stopped for one second...

as already said in my post, I'm in the scene from over 6 years (the first vulnerability found by me is dated 2001 and was in the Apache webserver) so I know perfectly the pros and cons of bug researching and full disclosure better than anyone else.
I repeat: pros and naturally cons.

pay a chunk of money every month to keep this game alive??
and why don't you get support from the people you pay?

the havoc that it causes for the server admins that have to fight these idiots that use your "toolz"
in the last years the web vulnerabilities (SQL and PHP related) are the most diffused and exploited since they are easy to find and trivial to exploit, in fact it's required only a web browser like the Internet Explorer, Firefox or Opera you are using in this moment to watch this post.
A browser has the main purpose of surfing on internet but can be used also by malicious people to exploit web vulnerabilities for defacing or get control of vulnerable websites.
A proof-of-concept has the main purpose of allowing the people in the security field like me to confirm a vulnerability and the users to test their softwares but can be also used by malicious people to exploit these vulnerabilities for causing problems to vulnerable hosts.

If your website or forum gets defaced you will not blame Microsoft or Mozilla... this is the simplest example to which I can think, if you are not able to understand it it's useless to continue to talk since I don't know other ways to explain things that are so logical to understand.
You can't agree but it's impossible that you can't understand.

What if Bungie or Gearbox just say "screw it" and decide not to fix the holes
the publisher and the developer have decisional power about continuing or not the support of a product.
many games released less than 6 months ago are already no longer supported.
I'm not Bungie, not Gearbox, not Microsoft and not one of the people you pay for your dedicated server.
I'm only an external person who has found some bugs affecting the software developed by these companies and has documented them.

We are to suffer because of your need for fame??
can you list here all the advantages and the "fame" I have gained from the releasing of my advisory of the 29th June 2008?

Well I feel and I'm sure plenty of others in the Halo community feel that its pretty selfish of you to enable a bunch of fools to be able to ruin the game for us that have been playing it for years.
finally you have said a good thing: fools ruin the game.
I don't have nothing else to add since you have already confirmed what I was trying to say in my posts, but as usual the people who are not able to indentify the source of their problems (attackers) are lazy and prefer to point their finger on the first person that they can identify, although completely unrelated to what happened... it's normal and humanly comprehensible but it's totally wrong.

Why don't YOU release a fix for the problem....Why don't YOU be constructive and release something for the people that YOU claim to be helping.
My patches and work-around are used in thousands of servers of any game, so much servers that all the players of Halo are nothing compared to this number.

Then as far as I know me and Omega have been the only to have tried to create an unofficial fix.

And what about YOU?
What about YOU and all the other people?

There are so much people (admins and players) in the Halo community that nobody except me and Omega has tried to find a solution.
Thousands of people, most of which use a cracked version of Halo that they have never paid to Bungie (that's why 1.04 is still so used but this is not the point of this post), which are ONLY able to cry and making disinformation or, like in your case, opening useless threads with scary subjects like "Halo PC NEW EXPLOIT" which create only panic and consequently wrong informations.
Except for a very limited number of admins who have personally contacted me asking for details and support about the recent haloloop2 vulnerability (before the releasing of the hotfix) nobody else has tried to ask something like "probably if this guy has been able to find all these vulnerabilities in our preferred game he has also ideas about how to solve them or details which can be useful to us"... people have preferred to hear what they wanted or was more easy to hear.

Have you ever thought that probably you can do something?
Just to make a simple example, the people who exploit the fake players bug are easy to identify and track, so when you have the IP of these people you can take the needed actions (from the blocking of the IP or IP range on the firewall to the contacting of the abuse of their ISP).

But if you prefer to cry without doing nothing as all the thousands of players are doing, well this is your choice but don't blame the others for your lazyness and moreover for your problems.
Personally if I was an Halo player or admin the first thing I would have tried was to open fake public servers for tracking the attackers (moreover because I have the knowledge and the instruments to do it and which are all public on my websites), but again this is not the point of this post.

Naturally the "YOU" I have used in this post is not ever referred directly to you (CV STEEL), but I'm referring in general.
So nothing personal (for the moment)

YOU claim to be helping.
Anything has good and bad sides, what can be helpful for you can't be for me and viceversa.

I understand perfectly what you feel but this doesn't allow you to point your rage in the wrong direction.

[Edited on 07.05.2008 3:55 PM PDT]

  • 07.05.2008 3:53 PM PDT
  • gamertag:
  • user homepage:
  • last post: 01.01.0001 12:00 AM PDT

http://www.halo3forum.com/halo-1-discussions/206570-regarding -halo-patch-haloloop-halo-fake-players-exploits.html

I dont know if this works but my friend that plays halo 1 pc told me that this could be a possible fix.

  • 07.05.2008 3:58 PM PDT

FTW

...... That patch has been out for a while (relative to the loop release)..

---

tbh, I don't see how Luigi is at fault here (nor is he the one to blame)...

Example: We created knives to cut foods. Fools may use them to kill people
Related: Luigi created proofs to advance cleanliness in coding. Fools may use them to ruin other people's gaming experience.

[ luigi, PM me if I got that example wrong.. lol ]

---

You claim that thousands of players play Halo, so why would Bungie back out on support when the majority demand it? Halo PC is still relatively popular, and I highly doubt Bungie would back out if a mass of the community takes action (cough cough, luigi, i am referring to my publication)

  • 07.05.2008 8:11 PM PDT
  •  | 
  • Exalted Legendary Member
  • gamertag: Btcc22
  • user homepage:

Pretty bad example, sorry.

You can't compare knives to security research for games, even if I understand your point. I'm fairly sure knives are useful tools, whereas a working example of an exploit for an unsupported game is, well, not useful.

I'm sure there are loads of exploits left to be found in the server, but does that mean somebody needs to go reveal them all? No. What's being gained by revealing them for HPC inparticular? Nothing, since nobody would bother with the game anyway, and nobody supports it anymore. No lessons are being learnt here.

As for game support, I summed up some of my feelings about it at http://gbxforums.gearboxsoftware.com/showpost.php?p=1337394&a mp;postcount=12.

[Edited on 07.05.2008 8:27 PM PDT]

  • 07.05.2008 8:19 PM PDT

  • Pages:
  • 1
  • 2
  • 3
  • of 3