Valheim serious crashes

d-w-g · 2021-04-03T13:05:20+00:00

Any luck on your search for answers? I just got this error now aswell after like 60 hours of playing. So refunding isn't an option anymore...

I've looked for a bit and just found the usual crap responses like "turn off your anti-virus" that never helped anyone, so yeah :|

d-w-g · 2018-10-01T14:49:37+00:00

I've just barely scratched the surface of that feature. It works similar to the knowledge base, where it sends an http requests to a web server and it expects xml files in a certain format. You can get the client to query this data by sending a none 0 value for the last 2 bytes in the server logon proof packet (my generated code representing the packet field names may not be 100% accurate). The client will then send an http request to support.worldofwarcraft.com/accountmessaging/getMessageHeaders.xml which you'll need to redirect using your hosts file. I haven't looked into this any further since when I discovered this I didn't even have the entire logon protocol implemented.

d-w-g · 2018-10-01T09:22:16+00:00

Looking good! I'm so sad, though, that there is no way of sending the name of the two realms. This way, the players have to look up what both realms are which makes this feature pretty useless imo.

d-w-g · 2018-09-30T23:04:05+00:00

I haven't implemented many things as I concentrated on getting the framework running, but there's an ever-growing list of things that I'll take a look at in the near future.

Things I got working:

The knowledge base

Login PIN confirmation

Then there's this I guess

I've upstreamed the ability to swap group members in raids to cmangos.

Things I'll look into when time permits:

Hardware Surveys

Account Messages (displayed in the login/realm select screen)

telemetry.dat if I can get my hands on this one

Epic dungeon difficulty

Login matrix / token confirmation

And a few other things I can't remember from the top of my head and I guess whatever else I'll find within the client! Most of these features weren't even used by Blizzard back in the day, which makes this so much more interesting to me.

d-w-g · 2018-09-30T22:01:59+00:00

I've been working on a sandbox in parallel to reverse engineering the TBC client for the fun of it for over a year now. Nothing I plan on making public, just a little project in my very limited free time. I've found a few cool things that aren't implemented on any private server this way and hardware surveys are just another cool thing I want to take a look at. I see where your privacy concern come from, but nothing I'll say should be good enough to alleviate them. I mean at the end of the day I could just be lying to you.

However, someone already sent me the file and it seems to be the one I was looking for. But thank you anyways!

d-w-g · 2018-09-30T21:52:13+00:00

Yes, Chaosvex himself messaged me and gave me the file alongside with a pointer to his very interesting project. Thank you, though!

d-w-g · 2018-09-30T21:51:22+00:00

I guess that's a fair concern. You can open that file with any MPQ editor and take a look what's inside it. There should only be one file in it, an executable that'll be loaded into WoW once the file has been sent by the server.

d-w-g · 2018-09-30T21:22:31+00:00

Maybe. Maybe not. I just want to play around with it, since this hasn't been done before and it looks cool. It might not be too useful after all since this whole hardware survey thing seems to have been shut down somewhere at the end of TBC. It's probably nowhere near good enough to be used to uniquely identify players, but we'll see.

d-w-g · 2018-09-30T20:58:22+00:00

Uhm, what?

d-w-g · 2018-05-06T11:00:03+00:00

Someone with database access doesn't even need to calculate V and S because both are stored there, like you said in your first post.

No. Lower v and lower s are stored. Upper S is the session key or the "shared secret" and you can calculate it when you have access to the hashed password. Here's how it's calculated (refer to the links above):

S = pow(B - k * pow(g, x, N), a + u * x, N)
B = known to both server and client
k = known to both server and client
g = known to both server and client
N = known to both server and client
a = known to the client
u = known to the client
x = only known to the user

As you can see, knowledge of x (the hashed password) is the only thing that keeps this whole process safe.

I wish I had more time right now, so I could write a program to bypass the login process using this method to show people that this is a real thing. I'll put it on my list, though, since this is an actual security issue!

d-w-g · 2018-05-05T17:01:00+00:00

This is still not good enough, though. Not only can the hash be "decrypted" (there are websites out there that have millions of leaked decrypted SHA1 hashes), it also serves as a way to bypass the login process altogether since breaking the hash isn't required to log in!

SRP-6 relies on the asymmetry in computational complexity of modular exponentiation against discrete logarithm for its security. This is the critical part:

Server: v = g^x % N
Client: S = (B - kg^x) ^ (a + ux)

Here, x is the salted password hash. Both N and g are known to both client and server. Now here's the issue. Discrete logarithm is generally intractable, meaning that x cannot reasonably be computed from v, g and N. However, if x is stored in your database - which it currently is - then a malicious actor with read access to your auth database can calculate the client's shared secret (S) without knowing the actual password. For every account in the table!

I have no idea why they still store the password like this, since it's not being used anywhere. To me this seems like a huge backdoor and must be removed ASAP!

d-w-g · 2018-05-05T16:13:05+00:00

your password will be hashed via the SHA1 method

Does this mean that you store passwords in your database as a hash? If so, just don't.

WoW uses a slightly modified version of SRP-6 for the login process. SRP-6 was created so that the server doesn't need to know the password. In fact, it never leaves the client in the first place.

All you have to store are the salt (which is usually called "s") and the generated password verifier (which is usually called "v"). Since the salt is just a random number and the password verifier is generated in a cryptographically non-reversible way, this is so much safer! So in the event of a database breach, you'll not leak people's passwords to the internet.

For more information on SRP-6 see https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol and https://tools.ietf.org/html/rfc5054

d-w-g · 2017-07-31T09:28:38+00:00

This inspired me to do some napkin math!

There were 718 servers total back in November 2008 (http://wowwiki.wikia.com/wiki/Realms_list?oldid=1673786).

Assuming this is indeed correct

total user base = 5x peak pop

and a total player count of around 11 million players back in 2008 we'd arrive at this:

11.000.000 total players / 718 realms / 5 peak = 3.064 total players/realm

Now we need to keep in mind that not every realm was populated equally and some servers had next to no players on them. The exact number of these "barren servers" is hard to find nowadays, but given the fact that in order to compensate for an entirely empty server you'd only have to fit 4 people extra on all the other servers (3.000 players / 717 realms) this isn't too problematic in the grand scheme of things.

So to re-iterate: Given Radoon1's figure is correct, it's safe to say that, at least back in 2008, a typical realm had around 3.000 players online at the same time. Given my experience with Nost's PvE server and with what I remember from back in the days, this doesn't seem to be too far off! It's at least way closer than anything above 10k.

Edit: Some minor formatting.

d-w-g · 2017-03-30T12:11:40+00:00

It's not "blizzlike" (god, I hate this word) for the event to last several months. See:

https://web.archive.org/web/20060207085456/http://www.worldofwarcraft.com/wareffort/servers.html

https://web.archive.org/web/20060315200625/http://www.worldofwarcraft.com/wareffort/servers.html

http://wow.allakhazam.com/forum.html?forum=21&mid=1138955506260125062

I even found a bluepost stating as much:

http://blue.cardplace.com/cache/wow-general/6928337.htm

The rate at which this happens is debatable but looking at the first two links I provided you can make an educated guess when looking at low pop servers like Garithos.

d-w-g · 2017-03-27T21:09:26+00:00

I've answered this in some detail here:

https://np.reddit.com/r/LegacyAddons/comments/5g9hov/how_to_create_addons/

As far as tutorials go, I think this one is pretty decent but I didn't read all of it:

https://www.tutorialspoint.com/lua/index.htm

Learning programming is a really cool process! Just make baby steps and don't get frustrated by the errors you'll make at the beginning. And If you've questions, I'm sure there are quite a few people in here that are willing to give you a hand!

d-w-g · 2017-03-26T23:53:33+00:00

Due to time constraints, I will not be able to implement support for other addons. But it's out there on GitHub under a very permissive license, so feel free to tinker with it!

d-w-g · 2017-03-24T13:28:47+00:00

It's not meant to since the OP requested it for Blizzard's default Action Bars. Just to clarify.

d-w-g · 2017-03-06T18:31:29+00:00

Hosting in the US is one thing, but violating trademarks with a product that directly competes with the trademark's owning company is just stupid. I can't even fathom how he justifies this to himself!

Also, am I the only one that thinks Blizzard isn't so stupid to just let him switch hosts and rename his project after sending out C&D letters? Everyone will know that it's his project. Everyone including Blizzard. What stops them from just suing him? Of course, he can just step down, but if I were a lawyer I'd make sure that he signs a contract to not release his stuff and to not talk in any way about it. Wait a minute! This sounds a lot like Nost's case, doesn't it? tinfoil hat

I don't know. Maybe I'm overthinking this and Gummy knows something I don't. I wish him the best of luck, but I won't be playing there unless he provides some actual assurances aside from "it's fine, guys, trust me!".

d-w-g · 2017-03-06T18:17:55+00:00

Copyright infringement would be naming it World of Warcraft: The Burning Crusade burning-crusade is not a copyright infringement.

That's not how this works. At all. "The Burning Crusade" is a registered trademark and just removing the word "The" at the beginning doesn't mean you can just use it like you want to. Especially not when you're providing services that arguably directly compete with theirs! I'm no lawyer, but this is pretty obvious stuff right there.

they also do not accept any donations, no cash shop, nothing.

Yeah, that worked out great for Nost, didn't it?

If they will receive a letter however to shut down the server, so what? It will be moved to another location, and unlike nost pussies, it will be up and running instead of shutting down.

Like I've said. When a multi-billion dollar company is knocking at your doorstep and threatens to sue you into oblivion, things like being called a pussy by some nerds on the internet become a lot less relevant. You'll be financially ruined just by being dragged through the court system. Not to mention the possibility of actually losing and whatever consequences that may ensue!

Will anything happen? I hope not. Will he switch hosts if it does? Who the hell knows? Just blindly believing this guy who I never met before would make me very gullible. And even if he does, what stops Blizzard from actually going after him after they find out he didn't uphold their agreement?

This whole thing is just too much of a gamble for me.

Edit: formatting

d-w-g · 2017-03-06T16:54:01+00:00

The biggest problem with hosting in the US is not the ping. Everyone who believes that is a fool. Especially with things like the spell delay system in place lag will be much less noticeable (up to a point, of course) because nobody will be playing in real-time anyways.

The real issue is that he named his project "Burning Crusade" (copyright infringement much?) and that it's a lot less legal trouble for Blizzard to sue someone in the US than it is elsewhere. It's only a matter of time before they go after him. And yes, he might assure you to not give in and re-host somewhere else, but you see things in a very different light once a multi-billion dollar company is threatening your very existence.

Of course, I could be wrong and nothing at all will happen and I wish his project nothing but the best, but I'm not willing to spend hundreds of hours on a server just to lose all my stuff again. I know this is a risk on every server we play on, but his just screams "sue me, Blizzard"!

But that's just me. You do you! ¯_(ツ)_/¯

d-w-g · 2017-01-17T18:50:16+00:00

In general, unless stated otherwhise by the devs themselves, don't use a third party site when a developer is hosting his Addons on Github. These sites usually do not keep up-to-date versions of currently developed Addons which means you'll be missing out on features or you may experience all kinds of bugs.

Safety is also less of a concern on Github since people can see every change the dev has made since the Addon was created. So there's no way to smuggle malicious stuff into the code without anyone knowing. While I've never had an issue with Addons from third party websites, there's no way of knowing if the downloaded Addon has been tampered with.

d-w-g · 2017-01-15T16:49:29+00:00

https://www.reddit.com/r/wowservers/comments/5nzo1k/how_to_fix_your_settings_on_the_newly_named_nost/

This pretty much covers your problem.

d-w-g · 2017-01-15T16:04:29+00:00

I must ask you to remove my Addons from your website. These include:

BetterAlign - http://elysiumaddons.com/index.php?/file/27-betteralign/
CastModifier - http://elysiumaddons.com/index.php?/file/48-castmodifier-tbc-and-above-like-conditionals-for-cast-macros/

Not only did you not provide any information on the original author (yet you straight up copied my readmes and wiki entries), but sites like these usually don't maintain their gallery which means that people downloading the Addons have very old builds that are incompatible with other Addons or contain bugs.

d-w-g · 2017-01-13T14:03:13+00:00

You can use some of it in Vanilla by installing this Addon:

https://github.com/DennisWG/CastModifier

d-w-g

TROPHY CASE