Comments (9)

Speyedr avatar Speyedr commented on June 16, 2024 1

You raise several valid points. It isn't necessarily the legality of this project that I'm worried about, but also whether people would be comfortable with what it's doing. Even though I don't agree with how you've abused these sorts of exploits in the past, I appreciate the pointers and will take a much harder look at the payloads tonight and try to figure out what's going on. Even if R* fix this specific exploit there's probably several others lurking that use similar vectors.

from socialclub-notification-blocker.

Speyedr avatar Speyedr commented on June 16, 2024

Filter 3 was intended to use more specific heuristics to perhaps identify incoming messages that contained session invites or even just malicious invites but it never got completed. I didn't get time to have a good look at how the payload is structured; I can only see the headers and from what I can tell the payloads are encrypted?

Here's the full HTTP conversation (with a couple elements redacted). Maybe I just haven't looked at it hard enough but it seems like the payloads are encrypted, and reverse engineering how it's encrypted so I can decrypt to extract the information is starting to cross legal and ethical boundaries I'm not comfortable with.

POST /gta5/11/gameservices/Presence.asmx/GetMessages HTTP/1.1
Host: prs-gta5-prod.ros.rockstargames.com
ros-SecurityFlags: 239
ros-SessionTicket: [REDACTED]
ros-Challenge: [REDACTED]
ros-HeadersHmac: b2DLkViWsL8e9tcu1V03LqjVbI8=
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Transfer-Encoding: chunked
User-Agent: ros [REDACTED]

eb
[0xeb bytes of binary chunk data, not reproducible as text]
23
[0x23 bytes of binary chunk data, not reproducible as text]
0

HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/10.0
SCS-RequestId: [REDACTED]
ros-HeadersHmac: 3sosaKOjX+qQ2qSYouisfnoU3X8=
Date: Mon, 28 Feb 2022 05:53:22 GMT
Content-Length: 530

[530 bytes of binary response body, not reproducible as text]

Not going to close this issue yet because enhancing the filters is still a good idea, I just don't know if it would be possible to filter specifically on SCIDs like that.

gir489returns avatar gir489returns commented on June 16, 2024

@Speyedr Your cautious optimisms are well placed considering how your country treats thoughtcrimes, but I think you are not doing anything illegal doing Rockstar's fucking job for them. Considering they paid 10G to the guy who sped up load times, I don't think they go after white hats. And also considering I shit-canned their SCAPI for almost 4 years banning random people using various exploits and they never came after me other than banning the accounts and sending mean worded E-Mails, I think you're in the clear. Despite what they put in their stupid black legal mumbo jumbo intro screen, it is not a crime to RCE a game. http://www8.austlii.edu.au/cgi-bin/viewdoc/au/legis/cth/consol_act/ca1968133/index.html#s10
Now I'm not a lawyer, and from what I read, you're protected under what is considered "non-infringing copyright." Don't take my 2 second opinion for it though, if you feel uncomfortable cracking their shit encryption I would be more than happy to do it for you. I'd have to dust off the ol' copy of IDA and I don't have a recent dumped copy of the EXE so you'd have to hook a brother up, know what I'm saying? IIRC, it's not encrypted, you're just trying to look for ASCII patterns in the POST request which is a novice mistake bro. Investigate the hexadecimal patterns and look for the SCID in any way you can in some form of either hex or octal. It would make NO SENSE why they're fucking encrypting shit in the packet level, but not using HTTPS! Rockstar is NOT THAT SMART BRO! You're talking about the game company that literally had 6 RCEs in the game, FFS.

gir489returns avatar gir489returns commented on June 16, 2024

@Speyedr I think your concerns are well placed, but at the same time, you're not releasing a VMProtected binary and asking people to trust you at face value, you're releasing a JIT compiled language that's easily auditable. I left the cheating scene a long time ago, so I'm not in any of the private chats under pseudonyms anymore to know what they're up to, but the list of presence events and what they can do will make your head spin. That's just presence events. If you want to spend your days being proactive in security, you might as well throw the whole game into the trash, you'll never think of every possible attack vector. Basically "how i stopped worrying and love the bomb" kinda stuff. You have to wait for a new attack to come out to defend against it. Otherwise you'll just spend your entire time defending against attacks that may never even occur. Keep me posted please, I'd love to see what you find in the packet.

gir489returns avatar gir489returns commented on June 16, 2024

@Speyedr Hey man. What's the update on this? Has Rockstar done anything about this? Have you had time to look for patterns in the packet? I would at least hope they've banned the two accounts doing this at least.

Speyedr avatar Speyedr commented on June 16, 2024

> @Speyedr Hey man. What's the update on this? Has Rockstar done anything about this? Have you had time to look for patterns in the packet? I would at least hope they've banned the two accounts doing this at least.

Rockstar patched the spectator exploit, but I hear this was done by simply disabling the feature / "flag" which could be set to trigger the behaviour. I haven't had time to play recently but the invite spam is still there, although I don't know if it's ballstorture anymore, I think it's mostly links to Twitch streamers that the trolls want to "raid".

I've been trying to look at the payloads ethically but so far I haven't come up with anything interesting, mostly because I'm way out of my league now. I want to try and "guess" how the payloads are encoded without having to pull the game apart to keep my ass safe in case a legal event occurs. I'm guessing with a bunch of different pieces of data but so far I've got nothing. Will keep trying, haven't been able to give this part of the project a lot of time yet.

The only thing I can "see" so far is how the client's POST payload is chunked, and that's it. I'm looking at what seems to be the exact same request that occurred during the same session I played in and the payloads are both garbled in different ways, but I still have a bunch of ideas on how to approach this. For example, I haven't taken a look at how each value in the header relates to the payloads.

Obviously I could pull the game apart but I'd much rather get this done as ethically as possible.
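
As an added example (not code from this thread or from the socialclub-notification-blocker project), a small Python triage helper for the kind of question raised above: it reassembles an HTTP/1.1 chunked body like the one in the captured GetMessages request and then checks, without reversing anything, whether the bytes look like a zip container (as with the renamed .pak), a zlib/gzip stream, or high-entropy data consistent with encryption. The chunked sample and the other inputs are constructed, not taken from the capture.

```python
import math
import zlib

# Constructed sample body framed like the GetMessages request above:
# hex chunk-size line, chunk data, CRLF, ..., terminating "0" chunk.
SAMPLE_CHUNKED = b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n"
# Constructed containers for the classifier.
SAMPLE_ZLIB = zlib.compress(b"x" * 1000)
SAMPLE_ZIP_HEAD = b"PK\x03\x04" + b"\x00" * 26      # local file header magic only
SAMPLE_UNIFORM = bytes(range(256)) * 8              # every byte value equally often


def dechunk(body: bytes) -> bytes:
    """Reassemble an HTTP/1.1 chunked transfer-coding body into raw bytes."""
    out = bytearray()
    pos = 0
    while True:
        end = body.index(b"\r\n", pos)
        size_field = body[pos:end].split(b";", 1)[0]    # drop any chunk extension
        size = int(size_field.strip(), 16)
        pos = end + 2
        if size == 0:                                   # last chunk; trailers ignored
            break
        out += body[pos:pos + size]
        pos += size + 2                                 # skip data and its CRLF
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Encrypted/compressed data approaches 8.0; text is usually < 6.
    Short payloads (a few hundred bytes) cannot reach 8.0 even if truly random."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(data: bytes) -> str:
    """Cheap, non-invasive triage of an opaque payload."""
    if data.startswith(b"PK\x03\x04"):
        return "zip"                                    # e.g. a zip renamed to .pak
    if data.startswith(b"\x1f\x8b"):
        return "gzip"
    try:
        zlib.decompress(data)
        return "zlib"
    except zlib.error:
        pass
    if shannon_entropy(data) > 7.0:
        return "high-entropy (encrypted or unknown compression)"
    return "low-entropy (structured or plaintext)"
```

Run `classify(dechunk(body))` on a captured request body; a "zip"/"zlib"/"gzip" result means the payload can simply be unpacked, while a high-entropy result is what you would expect if it really is encrypted.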

Speyedr avatar Speyedr commented on June 16, 2024

Just as I say this, I think I might have found something, but it's going to take a couple of days to chew through...

[image]

Didn't need to decrypt or decompile anything; these were literally contained in a zipped folder that was renamed to a .pak extension. Hopefully these can help me understand how communications are actually being handled within the overlay. I don't think even Australia's draconian copyright and anti-reverse-engineering laws can prevent me from reading through files on my own computer, lol.

Speyedr avatar Speyedr commented on June 16, 2024

Alright, this is definitely what I'm looking for, however it appears that socialclub.dll is the backend and those JavaScript files are the frontend (duh). If I do decide to disassemble it, obviously socialclub.dll would likely contain all the answers I'm looking for (as long as I'm competent enough to find them, lol).

Even then, I'm almost positive that those payloads are encrypted. If I do decide to take socialclub.dll apart and find that those payloads are indeed encrypted, SCBlocker will not be going down a route that involves decrypting that data as that's another ethical can of worms relating to how you "attack" the cryptography that is securing SocialClub communications that I just don't want to get in to.

gir489returns avatar gir489returns commented on June 16, 2024

Alright then, closing the issue.