Doom 3 exploit

Rasp

I run #doom3 on the IRC network Gamesurge and something occured yesterday that I thought I'd alert you all of so it doesn't happen to you.

A user, and one who has been idling there for a few weeks, posted a link that showed how to play co-op mode. I didn't think anything of it. I went afk for a while to do some work and I came back to a channel going nuts. Apparently this link led to website that claimed you needed to have a special .pak in order to play co-op. People downloaded it and joined this server this kid pasted. Upon joining, their game crashed and when they tried to log back in they got "CD key in use". After multiple reboots and no change, it was concluded that this was a key theft tactic. The kid admitted to it a few minutes later but apparently with this .pak, and by joining a server that's not encrypted, the admin is able to get your CD key which is what he did. Sure didn't take long for the first "hack" to be released for this game. The unbelievable part of the entire thing was that the site that the hacked .pak could be found at was a REAL Doom 3 site. Foreign, of course, but had a domain and a beautiful layout. It looked professional basically.

Anyways, just wanted to let everyone know to keep a heads-up and don't download anything someone tells you to.

glock38 · 08-05-2004, 10:03 | posts: 1,651 | Location: London, England | User is Offline

Damn thats cold!!!

SamHughe · 08-05-2004, 10:17 | posts: 637 | Location: Earth | User is Offline

I'm sure they've been preparing for this for a loong time!
Bastards!!!

SamHughe

Crucible · 08-05-2004, 12:26 | posts: 1,229 | Location: My mom's basement | User is Offline

Haha, I wonder how many people just lost about 55-60 dollars. Maybe with any luck since they just bought the game they can return it for a new copy.

SL2 · 08-05-2004, 17:20 | posts: 4,369 | Location: UK | User is Offline

That's particularly nasty. Some people are just unmoral scum.

Same kind of thing happened with UT2004 when it was first released as well.

08-05-2004, 19:07 | posts: n/a | User is

well...at least ID could encrypt the keys or something. i mean come on...it's in a file called doomkey! and there's no encryption.

MiNI · 08-05-2004, 22:03 | posts: 2,909 | Location: Canada | User is Offline

hmmm
when i opened the doomkey file in note pad it was 2 letters short of the key printed on my box..

i

X-Todd · 08-05-2004, 22:49 | posts: 606 | Location: OH | User is Offline

thats normal, the last 2 numbers/characters are just a CHECKSUM and is only used during the initial install i believe

bourbon

When I bought Doom III at EB Games, the clerk told me that ID would not allow open copies to be returned. Sucks for those people.

Wicky · 08-06-2004, 00:26 | posts: 623 | Location: Austria | User is Online

They could try to send the original printed CD-key to ID to get it banned, and hope to get a new one.

08-06-2004, 01:25 | posts: n/a | User is

Was bound to happend from cheap skates.

Anyway, you should only trust mods made by known makers like OrangeSmoothieProductions, 3wave and such.

mods made by some guy from some unknown clan = get away.

SaNTaCRuZ77 · 08-06-2004, 01:48 | posts: 1,165 | Location: Los Angeles | User is Offline

OoOOoOO I feel for the guy

DesT · 08-06-2004, 01:55 | posts: 395 | Location: NYC | User is Offline

Quote:

Originally posted by StatyxiVi
well...at least ID could encrypt the keys or something. i mean come on...it's in a file called doomkey! and there's no encryption.

Thank you very much =)

mezkal

Quote:

Originally posted by bourbon
When I bought Doom III at EB Games, the clerk told me that ID would not allow open copies to be returned. Sucks for those people.

The clerk is touting EB's company line. Which is BS as usual. The fact is that id HAS to accept returned goods in cases where theft by misadventure can be proven (with IP logs, statutory declarations from the victims etc), however its far more likely that they would just ban the stolen keys and reissue new ones.

X-Todd · 08-06-2004, 10:46 | posts: 606 | Location: OH | User is Offline

found this article at
http://doom3.enterthegame.com/

Co-op Mod Safe!
Official EntertheGame.com Network Doom III Channel | 08.05.2004 | abraham

Surely you`ve seen the hype about DooM 3`s Co-op Mod supposedly containing a Russian-coded, cd-key stealing trojan. This bs was purported by several DooM 3 websites and noted in a post over at esreality.com. It started the rumor mill churning about why all you ******* THIEVES who downloaded the game and generated cd-keys illegally suddenly got "cd-key already in use" errors when joining a MP game.

It`s a hoax, folks!

The file contained in the Co-op Mod is just a normal .pak file, and once extracted is, according to staff member Slave, [18:21] [Slave`]> just a maps.def , just a map list for the multiplayer mode thats all.

So, enjoy with a friend once more, it`s safe!

Strikerx80

Quote:

Originally posted by X-Todd
found this article at
http://doom3.enterthegame.com/

Co-op Mod Safe!
Official EntertheGame.com Network Doom III Channel | 08.05.2004 | abraham

Surely you`ve seen the hype about DooM 3`s Co-op Mod supposedly containing a Russian-coded, cd-key stealing trojan. This bs was purported by several DooM 3 websites and noted in a post over at esreality.com. It started the rumor mill churning about why all you ******* THIEVES who downloaded the game and generated cd-keys illegally suddenly got "cd-key already in use" errors when joining a MP game.

It`s a hoax, folks! The file contained in the Co-op Mod is just a normal .pak file, and once extracted is, according to staff member Slave, [18:21] [Slave`]> just a maps.def , just a map list for the multiplayer mode thats all.

So, enjoy with a friend once more, it`s safe!

uh what? could you clear up what it is you are saying. it is only doing it to ppl who downloaded it?

X-Todd · 08-06-2004, 11:53 | posts: 606 | Location: OH | User is Offline

according to the article,
the fact that people were getting their cdkeys stolen at all was a hoax.

they extracted the PK4 file from the co op mod, and there was noting in there besides a map file that tells the game how co op works.
thats it.

no hack to get cd keys or anything.
my friend has the co op mod himself and he extracted it.
and he agreed.

so i dont know.

X-Todd · 08-06-2004, 11:56 | posts: 606 | Location: OH | User is Offline

hey Tidus, post that site you said your friends got that .pk4 file from.
i want to check it out.

Rasp · 08-06-2004, 12:40 | posts: 121 | Location: Ohio | User is Offline

I'll have to check IRC logs.

On a side note, the site I was referring to did have a trojan within the .pak. I even downloaded it and scanned it and low and behold, "trojan detected". I don't care what EnterTheGame users say.

X-Todd · 08-06-2004, 13:12 | posts: 606 | Location: OH | User is Offline

well maybe they took the one with the trojan out and replaced it with a normal one right after some people downloaded it?

whats why no one can find the trojan.

i dont know.
im just relaying info i read.

Rasp · 08-06-2004, 15:44 | posts: 121 | Location: Ohio | User is Offline

I suppose it's possible they accidently posted one that had a trojan included. Sites need to be more careful.

BDK · 08-06-2004, 22:51 | posts: 5 | User is Offline

Does anyone know for sure if such a PAK can contain executable code - it cant can it ? Mods need to have executable code inside a DLL

Anyone who got their key ripped off MUST have downloaded a file with EXE, SCR, BAT, COM, PIF extension and run it. Does anyone have access to one of these ? Anyone who knows a "victim" of this should tell them to email backdoorkid@yahoo.com and send the trojan for verification. If its new it will need to be submitted to major AV companies

I have an apparent trojan PAK file and yes it only has a maps.def in it, and theres no indication that this file could give anyone (even the server admin) access to your keyfile.

If it IS possible for keys to be divulges by simply using this new DEF file then its a massively dumb exploit left in the game by iD and it would be their responsibility for leaving such a gaping hole - such a hole would mean that admins of ANY server hacked PAK's or not, could obtain game keys. I dont think they would be stupid enough to miss such an obvious hack, it would have been in all previous engines too.

The key is ONLY sent to the master server, not the server you connect to, correct me if Im wrong..

BDK · 08-06-2004, 23:14 | posts: 5 | User is Offline

Having fixed my "open with" problem and opening a PAK0 with WinRAR I've compared the original maps.def with the co-op one. The only real change is to add "Deathmatch = 1" to the file to enable more than one player, and its a maplist.

Trojan ? yeah right !

This was my original thought when someone said OMG TROJAN PAK file and its turned out to be true

Rasp · 08-07-2004, 16:56 | posts: 121 | Location: Ohio | User is Offline

Quote:

Originally posted by BDK
Having fixed my "open with" problem and opening a PAK0 with WinRAR I've compared the original maps.def with the co-op one. The only real change is to add "Deathmatch = 1" to the file to enable more than one player, and its a maplist.

Trojan ? yeah right ! This was my original thought when someone said OMG TROJAN PAK file and its turned out to be true

Yes, I'm sure you know more about trojans than Norton Anti-Virus that picked it up as a trojan.

BDK · 08-07-2004, 21:43 | posts: 5 | User is Offline

Well I know what Im talking about, would you like to be shown ? got the quarantine file NAV detected send it and I'll show you, screenshots and all

The file I RECEIVED is a PAK and is not a trojan. If NAV is detecting this thing as a trojan I'll laugh my ass off (Im gonna email myself this thing now to scan it with their Yahoo scanner)

If your NAV picked it up then it must not have been the PAK one, and as someone said before - they probably put a trojan EXE there and then replaced it later !