change mmoloader exe name to EQPlayNice?

[xantan]

is this possible?

thanks in advanced

 

[Kodilynn]

is this possible?

thanks in advanced

Uh, what? Why? No?

 

[JimJohnson]

probably an emu server doing process check hes wanting to avoid detection.

 

[xantan]

ill donate more if this is possible

thx

 

[Fry]

We may be able to randomize the process name, or name it something very generic. Would need to randomize byte size too so it's not detectable that way.

This is really only a question htw can answer. Is this to do with the p1999 suspensions?

I heard they were able to detect MySEQ, ShowEQ and MQ2, so process detection seems like the likeliest way.

 

[Kodilynn]

Active hacks are still gonna get you nailed...

 

[JimJohnson]

Active hacks are still gonna get you nailed...

its not even active hacks. They are hitting for just having vanilla mq2 loaded

 

[Kodilynn]

Active hacks are still gonna get you nailed...

its not even active hacks. They are hitting for just having vanilla mq2 loaded

Oh, well that's messed up then yeah process altercations ahoy!

 

[xantan]

i think they check in memory for macroquest2.exe, mmoloader.exe, showeq.exe myseq.exe, etc -- they can see the path of the exe running so if it looks unlike a normal eq folder or eqplaynice (a accepted software for this server) then you get flagged and banned or suspended.

 

[dewey2461]

why not just restart on the mmobugs emu server and call it a day ?

 

[Fry]

why not just restart on the mmobugs emu server and call it a day ?

Because I pulled it last month since nobody was using it =p

Truthfully I think it's a decent idea as it could save us issues with SoE down the road.

 

[Dealings]

like when they shut off all the lights and power down, that type of down the road?

 

[brainiac]

their detection method has absolutely nothing to do with the process name.

 

[JimJohnson]

why not just restart on the mmobugs emu server and call it a day ?

Because P1999 has a good sized community already. If MMOBugs had 300 average playerbase more people would stick around on it.

 

[Kodilynn]

Borrowed from another site, but it's relevant to this (as to it's accuracy I'll let a Dev chime in):

Regarding P99...

After evaluating the 08/14 patch, I can say that if you have further interest in playing on Project 1999 you should be made aware of a few things:

* Your user name that is logged into Windows is being disclosed
* Your IP table, exposed
* Your paths to your running processes, exposed

If you’re alright with that level of compromise on your system, or if the trade-off of your privacy is worth it, I suggest making a new account on your computer specifically to play on Project 1999 to remain safe from future nefarious behavior. I suggest you change your password on any site you’ve used your Windows login name, as there is no telling how the EQEmulator login server stores your passwords (I’d guess they’re hashed) and there have been compromises in the past.

I’ve sent out a two different patched eqgame.dll to a few testers without banned accounts, to see if Project 1999 falls for false information being provided, only time will tell which action I’ll end up taking in regards to defeating this protection method.

ShowEQ is still safe. MySEQ on the other hand, which uses the same injection methods as MacroQuest2 to gather client data is NOT safe.

To those of you that have sent me messages asking about the legality of this patch on Project 1999:

By loading any third party program in relation to Sony’s client, you’re violating the end user license agreement that you click “Agree” to every time you load EverQuest. If you are not playing on an official Sony EverQuest server, you’re in a grey area. Even if you (as an individual) were to have some type of government clearance and challenge this software as leaking trade secrets, you had to install and run this program on a secured system to begin with. No password information was leaked and I’m sure the login server stores your passwords at least hashed, so it’s not like Rogean could use your windows user name, and your login server password to brute force your E-Mail — unless you were completely oblivious to good password security policy. You would have to study case law in the country that you feel your rights have been violated to be certain, but here in the US unless you can provide evidence of loss or potential loss, you have no real case against Project 1999. I think your best course of action, is to submit the entire patch for analysis to all of the big anti-virus vendors, and get the signature flagged as malware for the behavior it exhibits.

 

[Itchybottom]

Even if developers here took the same route as me on fixing it, we have lurkers and even someone here with a different agreed upon agenda with Rogean (according to Rogean anyway.) It's going to be a quick tug of war battle, you patch it, you release a fix, some jobless guy hitting refresh on MMOBugs at Project 1999 changes eqgame.dll again. It's difficult to compete and a simple battle of time spent, nothing more.

As far as verification of my blog post, wsock32.dll hooks user32.dll under standard circumstances, win32 allows for certain behavior when this happens. user32.dll takes queues from the gdi framework, and basic system runtime gives you access to trivial system information -- like a windows user name. wsock32.dll is expected to be used for network traffic, so once you're dealing with that you're also opening more library access by default operation. That hook is present in eqgame.dll, by design, under the same credentials. My initial peek at the patch (the 13th) I did a quick once over and determined it was just standard externs, nothing to worry about given original author (Secrets, whom I consider a friend.) I should have actually traced runtime. I started receiving reports about their petition forum giving people locations of their MacroQuest installation. People have also been unsuspended due to running it on "another server" and leaving it loaded accidentally, hurray for timestamps. It's pretty smart releasing something like this, you don't even have to write a SEH overflow temporarily then later fix it as a "patch" to mine for data. Your users will just outright trust you.

Given the maturity of the person that hosts Project 1999, and their primary GM (Rogean, and Uthgaard in that order) when it comes to personal information in the past: people should run, not walk away from this server when something like this goes down. Hot heads running anything is always a recipe for disaster. There are plenty of other servers to play, and quite a few "classic" projects in the public that with enough contributors could compete inside of a year.

Digressing, you could probably come up with a permanent fix via MMOLoader running as administrator, where as I'm totally reliant on Plazmic's loader and staying in user-land. I don't however think your member base is large enough on the emulator side of things to devote time to fixing it. Time is after-all, more valuable than money. You can always make more money, but time on the other hand...

 

[JimJohnson]

whats your blog link?

 

[brainiac]

their detection method has absolutely nothing to do with the process name.

stfu

 

[Kkthnx]

their detection method has absolutely nothing to do with the process name.

stfu

Wtf?

 

[brainiac]

their detection method has absolutely nothing to do with the process name.

stfu

Wtf?

sorry it was on the wrong order. let me try again.


their detection method has absolutely nothing to do with the process name.

stfu!