Halo 1 & 2 for PC
This topic has moved here: Subject: Halo PC NEW EXPLOIT
  • Subject: Halo PC NEW EXPLOIT
  • Pages:
  • 1
  • 2
  • 3
  • of 3
Subject: Halo PC NEW EXPLOIT
  •  | 
  • Exalted Heroic Member
  • gamertag: [none]
  • user homepage:

Hey everyone there's a gun in that box over there. No one has known about it for nearly 5 years, but I think it's time everyone knows that there's a distinct possibility that someone could take that gun and do something dangerous. By the way, the only people who can access the box are the people who built that box in the first place, or people who have experience in bypassing security. I'm just letting everyone know, for I wish to throw the burden of responsibility and high expectations on the one long-gone person who can safely remove the gun.

Luckily that one person did show up, but seriously, your analogy does suck.

  • 07.05.2008 10:17 PM PDT
  •  | 
  • Exalted Heroic Member
  • gamertag: [none]
  • user homepage:

Reality is just a crutch for people who can't cope with drugs.
X-Fire: new420

Not only that, but he basically loaded, cocked, and handed the gun to a lot of immature kids who either take a game too seriously and want revenge (zagan) or just like -blam!-ing with people over the internet because they know they can't be punched through the screen (yet). So yea, aluigi, you are at fault here, it doesn't matter what your intentions were.

[Edited on 07.05.2008 10:56 PM PDT]

  • 07.05.2008 10:54 PM PDT
  • gamertag:
  • user homepage:
  • last post: 01.01.0001 12:00 AM PDT

I strongly agree.

You keep claiming to be in the security field. Did someone pay you to find this bug? Was your sponsor Bungie? The first answer is a maybe and the second answer is a no. I'm going to go ahead and tell you to stick to your job. You have breached security for the purpose of attention. If you think these bugs are so important, you can seek employment with Bungie and get paid to fix them, or you can send them your documentation out of the goodness of your heart. Clearly, you'd rather start drama, make a lot of angry players, and then complain that it isn't your fault that people are immature. You knew that from the beginning and released these exploits to the public. The weight is on your shoulders.

On another note, the website cannot be legally shut down unless it violates federal law. Even then, he can just host the site in a foreign domain. There's not much anyone can do about it.

  • 07.05.2008 11:12 PM PDT
  • gamertag:
  • user homepage:
  • last post: 01.01.0001 12:00 AM PDT

Posted by: n357
Damn it. Yes, this exploit works with the new patch.
maybe if we're lucky everyone will move to H2vista now?

  • 07.05.2008 11:37 PM PDT

Posted by: Hells Janitor117
Posted by: n357
Damn it. Yes, this exploit works with the new patch.
maybe if we're lucky everyone will move to H2vista now?

I'll reestablish the Soviet Union and the Triple Alliance and move mountains and oceans before most will play Halo 2 Vista

  • 07.06.2008 12:07 AM PDT
  • gamertag:
  • user homepage:
  • last post: 01.01.0001 12:00 AM PDT

some random quotes:

Example: We created knives to cut foods. Fools may use them to kill people
perfect example

You claim that thousands of players play Halo, so why would Bungie back out on support when the majority demand it?
lazyness, time, desire, contract... anything not technically related.
as stated by Roger, he simply got the machine on which was located the Halo source code, applied the fix, compiled and distribuited it.
as you can see the operation looks nothing hard or long (nothing which can take months or years to do) and this is the same for any other game or software which is affected by vulnerabilities, but for some reasons sometimes or often these vulnerabilities remain there without a technical reason.

I'm fairly sure knives are useful tools, whereas a working example of an exploit for an unsupported game is, well, not useful.
what is useful for you can't be useful for me and viceversa.
it's only your personal point of view.

but he basically loaded, cocked, and handed the gun to a lot of immature kids
the "gun" (as you drammatically call it) has been placed on public security websites only (I have already stated that I don't play Halo and so I have never been in this community).
immature people have found it and have spread the word to other immature people about how to use it maliciously and versus who.
that's why on Halo has happened all this chaos which, as far as I remember, has never happened for any other vulnerability I have found... for sure NEVER the same day of the releasing of my advisory.

I underline the "I" since when similar situations happened on other games was because the people who found the bugs intentionally released them to other people privately (if this happens you can declare the death of Halo or any other game because there is no way to know what causes the bug and so cannot be fixed) or with the intention of making damage posting them on game or clan related websites.

Is the primary job of any admin and user on the earth to check if the own software is at risk or not because bugs exist and will ever exist, so probably if instead of generating useless panic you followed some security news and informed the other players you could limit the problems caused by these "immature people".
for sure this was better than genereting the panic has happened in these days

Did someone pay you to find this bug?
I'm an indipendent researcher, I do all for free.
such information is public in my About section... it's stupid to talk with someone without having searched informations about him:

http://aluigi.org/about.htm

You have breached security for the purpose of attention
just as I stated before... seriously, avoid to talk about what you don't know and you will avoid to be ridiculous.

If you think these bugs are so important
I have never said that they are vital or important, but if many people open useless threads about something related to my research you already have the answer

you can seek employment with Bungie and get paid to fix them
another children who has "experience" in how to find jobs.
I want to see your face when you go to Bungie and say "pay me for these bugs!"... blackmailer.

or you can send them your documentation out of the goodness of your heart
ehmmm, seriously, if I need to lost time with idiots who don't read my posts is better if you tell me it now so I close this account and avoid to continue this useless and uninteresting discussion.
I don't want to repeat what I have already said and which is already confirmed in documents and informations publics from many years ago and (yes, read the changelogs) confirmed also in the same patches relased by Bungie in the past.

Anyway words, words and words but still no facts.
Then I still don't know what's the problem since the 615 hotfix fixes the haloloop2 vulnerability and the new vulnerability I have found will be disclosed only after the next patch.

If you refer to the "fake players bug" it makes me laugh a bit for the following reasons: first for what I said before (gives you the possibility of easily tracking and banning the attackers), then because doesn't have effects on the server (a server can't crash for having players in it, so I suggest you to check your configuration if something similar happens), can't be used in master server based mass attacks (who wants to fill your server do it versus you for personal reasons with you) and many others.

The design bugs in Halo which allow the "fake players bug" are the following:
- lack of an option to limit the number of players from the same IP (for example a sv_maxip set to 2)
- as I wrote in my first post must be not possible that the players slots are filled before cdkey authentication (where available naturally, so not in cracked servers), but this is exactly what happens in Halo and is wrong

naturally the sv_maxip idea is ever the most simple and best idea and in fact it's the only way to stop or limit the "fake players bug".

the discussion can continue from this point, any other comment about my research or why and how I did it will be just ignored since already discussed (I know that the majority of people here are kids since Halo is a game but at least I have tried it, then who wants to understand understands)

[Edited on 07.06.2008 7:11 AM PDT]

  • 07.06.2008 1:34 AM PDT
  • gamertag:
  • user homepage:
  • last post: 01.01.0001 12:00 AM PDT

This would all be really helpful if the support team was in place to correct the vulnerabilities that you find, but the sad truth is there is not. Sure Roger has came to the rescue this time and so I suppose in your perspective it's a job well done but as simple as some of your findings are, I'm not sure he has the time to fix everything you find. Anyone with half a brain realises that you're not trying to ruin our game, we realise your intentions are good but this is an old game now and although as it has been proven this week that there are malicious players out there, I really don't think they have the know how to unearth these exploits on their own. I thank you for posting though Luigi, it was nice to hear things from your perspective but I'm not sure this is helping the game. The only thing I can suggest is why not work with Roger on this? Perhaps it's a long shot but I think this would be a lot more beneficial to us all.

  • 07.06.2008 5:00 AM PDT
  • gamertag:
  • user homepage:
  • last post: 01.01.0001 12:00 AM PDT

as written in my first post I'm already in contact with Roger (although his original mail address I had for contacting him in the 2005 no longer exists, I found his personal one on internet) for the new loop vulnerability and there is no problem for that one since he has already assured me that will work on it when he will return at home within one month and no details will be released before the patch.
So you can forget any problem for any future bug.

The fake players bug instead is a completely different thing which is not considered a normal security vulnerability or a bug (and consequently it cannot be reported to the developers) and that's the reason why there is no trace of it in my Advisories section but an entire section a part dedicated to this type of problem which is referred to almost any client-server game.
the original idea is public from the 2003 (although in reality the first report is dated 2002):

http://seclists.org/bugtraq/2002/Jun/0254.html
http://seclists.org/bugtraq/2003/Nov/0096.html

Anyway it's absolutely not critical for the server (to be honest it's worst for the attacker which, depending by the game, could be flooded by the packets of the servers), it's just like opening some clients in your own machine and the proof-of-concepts are most like client emulators to learn the proprietary protocols of the games.

That's the main reason why the creation of this thread about the fake players bug surprised me.

[Edited on 07.06.2008 7:05 AM PDT]

  • 07.06.2008 6:58 AM PDT
  •  | 
  • Elder Legendary Member

Yes, I am a hypocrite, and I'm sorry. I really do mean well, but I'm not running on all cylinders.

Everytime someone buys a copy of Halo 2 Vista, a puppy dies.

You know what does work around this issue? Halo 2 and Windows Live. LOL

[Edited on 07.06.2008 9:50 AM PDT]

  • 07.06.2008 9:50 AM PDT
  • gamertag:
  • user homepage:
  • last post: 01.01.0001 12:00 AM PDT

it doesnt matter if his intentions were good if you stay home all day and just exploit games then you have no life and obviously no common sense because you released your program to the -blam!- public. seriously who cares if there is 1030234234 exploits in halo 1 I sure dont care and WE dont need you finding them and releasing programs like this. when I buy a new game I dont think I WONDER HOW I CAN HACK THIS your ''work'' as you like to call it is hacking and your not helping anyone.

  • 07.06.2008 10:46 AM PDT
  • gamertag:
  • user homepage:
  • last post: 01.01.0001 12:00 AM PDT

Posted by: cmx
it doesnt matter if his intentions were good if you stay home all day and just exploit games then you have no life and obviously no common sense because you released your program to the -blam!- public. seriously who cares if there is 1030234234 exploits in halo 1 I sure dont care and WE dont need you finding them and releasing programs like this. when I buy a new game I dont think I WONDER HOW I CAN HACK THIS your ''work'' as you like to call it is hacking and your not helping anyone.


You might not think "I wonder how I can hack this" but some people do. Some people do it for the right reasons (security) and some people do it for the wrong reasons (maliciousness).

Whatever aluigi intentions were when the program became public are irrelevant now. Bungie DID come out with a patch. I was skeptical at the beginning when some random guy started posting about it. And I also never believed Bungie would never come out with a fix. Well they did and I am truly astounded by that fact. I got pwnd by Bungie itself and it was epic. <---You dudes should sig this.*

It's both fortunate and unfortunate that an updated verson of the hack came out so quickly though. If aluigi hadn't have bypassed it as quickly as he did, or at all, someone else would have done it eventually. And if that had happened Roger or anyone else at Bungie might have felt the problem didn't warrant another fix we'd be just as screwed as before. I'm sure by the end of the month there'll be a more secure fix circulating about.

  • 07.06.2008 12:37 PM PDT

Posted by: TUI_Obi_Wan
I got pwnd by Bungie itself and it was epic.


Quoted FTW?

[Edited on 07.06.2008 1:06 PM PDT]

  • 07.06.2008 1:05 PM PDT

FTW

T_T wow, imo.... everybody opposing Luigi as of now is just epically retarded....

he obviously proved you all wrong (with much stated), yet you just constantly rebute with the same goddam argument (that he just won)....

i think this discussion is as good as closed

  • 07.06.2008 3:59 PM PDT

My own website and clan
http://www.xgclan.com

hej i got an anti ddos function in my router.
but idk how to configure it so people can still join my halo server and i have ddos security.
doesn't this guy just overloads the server?
but to do that he needs an faster computer than the server i guess?

u wont get our quad core servers!!

btw: looks like ded server cant be hacked with this

[Edited on 07.07.2008 7:02 AM PDT]

  • 07.07.2008 5:49 AM PDT

Posted by: Nessy

The bungie.net community is the halo PC community that is renowned for being unbelieveably sucky.

Can you explain more about the "fake player bug" please?

  • 07.07.2008 1:54 PM PDT
  •  | 
  • Elder Legendary Member

Yes, I am a hypocrite, and I'm sorry. I really do mean well, but I'm not running on all cylinders.

Everytime someone buys a copy of Halo 2 Vista, a puppy dies.

It just connects multiple times as though a bunch of players were joining. It keeps real clients from logging on.

  • 07.07.2008 2:32 PM PDT
  • gamertag:
  • user homepage:
  • last post: 01.01.0001 12:00 AM PDT

A short explanation is available here:

http://aluigi.org/fakep.txt

while the following is the first document I wrote many years ago:

http://aluigi.org/fakep/fakepintro.txt

[Edited on 07.07.2008 2:36 PM PDT]

  • 07.07.2008 2:35 PM PDT

Posted by: Nessy

The bungie.net community is the halo PC community that is renowned for being unbelieveably sucky.

Interesting, thank you.

  • 07.08.2008 10:56 AM PDT

Maps I've worked on:
The Dead
Fortress

Gametypes I've worked on:
Apocalyspe

My Fileshare for more cool stuff.

I'm so confused right now... Is this why I get a "Invalid CD key" error message every time I try to join a game?

All of this stuff is breaking my balls... I'd love to get into PC gaming, but this is the stuff that forces me back to console gaming, where Bungie inserts a forge budget limit in every -blam!- corner they can find. Console gaming has be all clean and limited, while PC gaming is open so anybody can screw around with it. I'm sick of this bullcrap...



[Edited on 07.09.2008 9:51 AM PDT]

  • 07.09.2008 9:42 AM PDT

FTW

you're illegally playing halo. that has nothing to do with server crashing O_O

  • 07.09.2008 11:00 AM PDT
  •  | 
  • Exalted Legendary Member
  • gamertag: Btcc22
  • user homepage:

Posted by: Kamikazi Kat
I'm so confused right now... Is this why I get a "Invalid CD key" error message every time I try to join a game?

All of this stuff is breaking my balls... I'd love to get into PC gaming, but this is the stuff that forces me back to console gaming, where Bungie inserts a forge budget limit in every -blam!- corner they can find. Console gaming has be all clean and limited, while PC gaming is open so anybody can screw around with it. I'm sick of this bullcrap...



Stop crying about how you can't get into PC gaming, and go buy a legit copy and make a start.

  • 07.09.2008 5:19 PM PDT
  • gamertag:
  • user homepage:
  • last post: 01.01.0001 12:00 AM PDT

I've not seen you have to defend your work before Luigi, perhaps this is a first. I respect what you are doing and am glad to see the research presented to the public so that we are aware such exploits exist and can properly defend ourselves and even fix the problem at the source. In any exploits or bugs I have found in software I have employed a similar philosophy in notifying the software developers of the problem. I was once even offered recompense for my help. Far be it from the users of this forum to do anything but whine, but at least now they may realize there is another side to the story and the PoC was not released simply to cause hardships for server admins.

Anyways, good luck with your research, I look forward to reading your updates!

  • 07.10.2008 6:57 AM PDT
  •  | 
  • Exalted Legendary Member
  • gamertag: Btcc22
  • user homepage:

Odie.

You're the guy that did his best to spread the bot, and ripped off sections of Bitterbanana's code and tried to pass it off as his own, right?

Aluigi may find some understanding here, but I don't think you will.

[Edited on 07.10.2008 10:13 AM PDT]

  • 07.10.2008 10:03 AM PDT
  • gamertag:
  • user homepage:
  • last post: 01.01.0001 12:00 AM PDT

Different Odie. Note the number of threes at the end. I've been trying to clear up this misconception for years.

  • 07.10.2008 10:18 AM PDT

  • Pages:
  • 1
  • 2
  • 3
  • of 3