########################################################################

Title:  Once upon a time the love story between me and Gamespy
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web:    aluigi.org

########################################################################

This document has been written to finally explain the whole story that happened between me and the company Gamespy (http://www.gamespy.com) from the end of May 2003 until the 12th November 2003.

First of all I want to thank Jean-Philippe Gaulier of http://www.transfert.net for the idea of writing the full report you are reading now.

The good news for the anti-DMCA people is that I'm so "lucky" (yeah, I like to be ironic) to have seen the 2 most sadly famous effects of the DMCA, the ones about:

1) reversing/algorithms
2) bug research

But let's go on with the fable:

Everything started at the end of May 2003. I don't remember how I found the program called RogerWilco MkId3 2001 (http://www.rogerwilco.com) but it seemed a good program to test for possible bugs and to learn something new and interesting. Well, I was very happy because I quickly found 2 very interesting bugs and, after a couple of days of tests and debugging, I reported them to Gamespy. I was in contact with one of the programmers, called Jason (aka Lumberjack, a nice guy), and after some days he was able to fully patch the program and he sent me a beta version that was ok.

In the meantime I gave a better look at RogerWilco and I was very interested in the method used by this application to receive the list of online servers from the central master server master.gamespy.com. Note that this method is the same one used also in third-party games, and I own just some of these games. Practically it is a method composed of a very simple challenge-response algorithm that Gamespy calls "authorization" (probably Gamespy doesn't know what a real authorization is, or they are very ironic).
Unfortunately all the Gamespy software used to get the online servers' list for games is not available on GNU/Linux or other systems but only on Win32, and moreover no clones exist that emulate it, as already exist for other closed-source applications (eDonkey for example). Well, in half a morning I was able to create an open-source version of the challenge-response algorithm used by the master servers based on this protocol. It was nothing more than a training exercise. I was incredibly happy because a lot of people hate Gamespy's bloatware and an open-source version is always welcome and needed.

An important note about this so-called "algorithm" is that it didn't need special skills or real reversing... I made a simple "conversion" from Assembly to C, the same thing that happens in a translation from English to Italian for example. I quickly wrote also a program to retrieve online game servers using just this simple algorithm and I put all the stuff on my website (naturally with full source code and freely downloadable, as everything I do).

There are 2 important things to say about the algorithm:

1) the algorithm is used by all of Gamespy's software: freeware, shareware and registered, without differences between these 3 categories. And as already said, this so-called algorithm is used also in other games that I own and that are NOT developed by Gamespy.

2) the algorithm is based on a string sent by the master server and a string specific to each game. The master server's string is public because it is sent by the master server itself. And the game-specific string is also public because it is available on Gamespy's webserver. I repeat: they are public data on public servers for the public, have you understood?

As you can see with your own eyes, EVERYTHING is public and no authorization or password is needed to access this information. What Gamespy calls "authorization" is NOT an authorization. Keep it in mind because it is important for the next facts.
After many days the official public version of RogerWilco was finally released, with version number 1.4.1.2. I was about to prepare my advisory and my proof-of-concept, one week after the public release, when a "special gift" was sent by Gamespy. The gift was a mail from Gamespy's lawyers, targeted at the company I "worked for" (in reality it was not a real job but simply a partnership), containing an incredibly big PDF document attached. And what was the subject of the document? It was just the open-source algorithm and the related program I had on my site. They invoked DMCA violations and other USA-only things 8-(

Well, the first DMCA effect is just that: no reversing, no emulators, no clones and no portings to other systems... nothing!

As already said, I wasn't the direct target of the mail so I did nothing and "my" company removed the stuff in silence. Returning to the advisory (remember? the new RogerWilco had just been released), my company asked me not to release the advisory and I followed their request, releasing the advisory some weeks later. But I had a surprise testing the new version... one of the bugs patched in the beta version sent to me by Jason was not really patched. Practically it was a buffer overflow, so in the previous version the problem was triggered by the usage of a too-long string of about 516 bytes, while in the new version the buffer overflow happened with double that number of bytes.

Well, even if Gamespy didn't do a good thing to me, and my company asked me to interrupt all contacts with Gamespy, I decided not to mix the legal fact and the bug research but to consider them 2 different things. I quickly recontacted Jason but... no answers 8-( I sent some other mails and then I temporarily abandoned the bug research on RogerWilco. After some weeks I decided to retry contacting Gamespy again because a newer version (1.4.1.6), released a week before, had another bad surprise.... follow me.
The 1.4.1.2 version caused tons of problems to RogerWilco's users, and when I say "tons" I mean an incredible amount of problems that are documented in the official RogerWilco forum: http://www.forumplanet.com/rogerwilco/

Practically this version had a lot of compatibility problems and the 1.4.1.6 version can be considered a "return to the past". The 1.4.1.6 was a modified 2001 version containing in fact some of the bugs I found in that very old 2001 version! You cannot imagine how unhappy I was... I spent my time and my research finding bugs and they, instead of patching the reported bugs, released the old program with the same bugs... shame, shame and shame again!!!

Ok, I was a bit "shocked" but I reopened my mail client and I sent some mails to Jason and Gamespy's "heads" and "finally" I received an answer from Jason: "thanks, we have received your info and we are acting on it." Good! That means they have received my mails 8-) (but why haven't they answered me before???). I replied to the mail first of all asking why they had not answered me before and reporting a new bug affecting the new version of RogerWilco. A crash caused by a nickname of ONLY 33 bytes! (yes, it is not a typing error, it is just a very small number).

Ok, now I must only wait for their reply... but what reply? The mail sent by Jason is the LAST of this story, I will never see other mails from Gamespy, so from now on I will have only a one-way communication with Gamespy (one way = only my mails) made of bug reports. In the meantime I found also another bug that can be considered the most dangerous because it affects all RogerWilco versions, both dedicated and non-dedicated servers and all the supported platforms. What have I done? I think you already know what I have done, and have I received a reply from Gamespy? Naturally not! Simply they don't want to or are not able to patch the bugs, my resources are finished, I don't know what to do or which other person to contact.
The moment has arrived to let the world know how Gamespy considers security, and on 08 September 2003 the latest bugs and the updated proof-of-concept are finally public.

Do you think the story is finished? Oh no, we have another bug and the best gift from Gamespy, so sit down and continue to read 8-)

The latest bug of this story was found in Gamespy 3D and is not so dangerous. The bug is not dangerous because it is a bit hard to exploit and it is not stuff for script-kiddies. Due to the low risk of exploitation/effects (note: risk of exploitation, not the effects) of the bug and the ugly experience with Gamespy, after 2 weeks waiting for an answer I have released everything publicly.

And finally we arrive at our days, the present, where a nice day I wanted to dedicate to research became a full day of legal mails, mails, senseless affirmations, lies and everything you have seen. Gamespy's lawyers sent me another C&D (Cease and Desist, the document), this time talking about my bug research stuff, yes, all the stuff I had released many months before. The funny thing is that instead of using all this time to patch their incredibly bugged software (we could call it "bugware" or "holeware") they have spent time and money on lawyers. Leave lawyers and get programmers!

I want to add only that in the list of stuff to remove from my site (programs and documents already available on the Internet for a long time) they have included also a program called gsinfo that simply contacts the game servers (NOT Gamespy's server) asking for information using the public protocol commonly called the Gamespy query protocol, a public protocol that all the gamers and programmers in the gaming scene know and use every day.
It is just the protocol that uses data like "\info\", "\status\" and so on, and it is available here: http://unreal.epicgames.com/IpServer.htm

That lets us see how stupid the people who included gsinfo in the list of stuff to remove are, and what their level of attention is.

Well, I think I have said everything about this story, which is now finally finished because I will no longer lose time with Gamespy's "bloat-bug-ware". The conclusion is that these facts have been useful to me and probably to other people too: don't trust companies, don't trust the DMCA and other stupid laws, use only free software and naturally... Have phun!!!

########################################################################