As someone who reverse engineers things for fun, and can read the C "pseudocode" generated via decompilation pretty easily, I am going to have to disagree with the assumptions made in this post.
First, there's no proof this is from Steam, I've poked around a few of the DLLs since I saw this and am unable to find anything even remotely close to what this does.
Second, this method does NOT send anything to Valve. This method grabs the DNS cache, yes. And it MD5s the entries, then stores them. This method itself does nothing more with the hashes. For all we know VAC could be doing a LOCAL scan of the list, and comparing it to an internal list of "known" cheat subscription servers.
Until someone posts details of exactly where in Steam this is (which DLL is all that's required to verify), and the calling method that supposedly sends this information to Valve, I would take this with a very massive grain of salt.
So yeah, no proof it sends anything. It could be a local check.
This is part of the Valve anticheat system. I believe that the idea is that this sort of code is downloaded on the fly by the game client to make it harder to reverse engineer by game cheaters. What you have to do is to find some way of dumping the code that VAC pulls from the steam servers, and of course Valve tries to make that difficult for legit reasons (regardless of whether this particular snippet of code is legit).
Do you have a link to that reddit comment thread?
EDIT: here it is: http://www.reddit.com/r/GlobalOffensive/comments/1y0kc1/vac_...
The listing of decompiled code (in image form, for your pleasure) is here: http://i.imgur.com/z9dppCk.png
IMHO the fact that they seem to store the hashes in a lookup table hints that it's meant for local use, what's the point of doing that if you just want to upload it on the net? I guess they could do both though.
You could still infer things from the timings, but again, it is not always practical.
btw, help me understand the use of the DnsFree variable... why is it often XOR'd with 0x23dc67e8? is that the addr of a routine and XOR is faster than adding? thank you.
It gets XOR'd once after the GetProcAddress, then XOR'd back before the STDCALL invocation.
This is done for both the GetProcAddress calls, so I'm going to just guess that this is some anti-patching anti-cheat shenanigans.
http://www.reddit.com/r/GlobalOffensive/comments/1y0kc1/vac_...
http://www.reddit.com/r/technology/comments/1y4za5/steams_va...
"Yes, with some simple Wireshark analysis you can see it is being sent back.
Use Wireshark, join a local TF2 server, try and isolate the VAC IP address (they are not static, but use rDNS & whois the IP). Go by process of elimination. Happy to give you pointers if anyone is interested.
Use Wireshark and monitor the SSL communications of VAC for the first minute. Record the total size of outgoing packets (for me, I got 1.94 MB and 1.88 MB on my two tries -- the first time you join a VAC server and when modules update it's likely to be higher as it downloads its modules).
note: Keep everything else constant - like what windows you have open, what processes you have running, etc.
Bloat your DNS cache. (What I did was edit my hosts file, used a script to add over 20k hosts [careful, this actually crashed Notepad when I tried to read it])
Repeat step 1 and 2. I got 2.47 MB and 2.58 MB on two tries (first min of outgoing packets). This increase seems to be twice the amount 20k MD5 hashes would take. Maybe a bug is causing it to be sent twice?
Clear your hosts file, flush DNS cache. Repeat step 1 and 2 again. I got 1.99 MB."
Look at how the Safe Browsing API accomplishes the same task: https://code.google.com/p/google-safe-browsing/wiki/SafeBrow...
It's not even what Valve and co are doing with the info, it's similar to the Sony rootkit case where the main worry would be that the rootkit could introduce security vulnerabilities.
To be banned because you visited a website is also an abusable medium. Similar to the memory and window name scanning VAC and other similar anticheats have done in the past (or continue to do). You could historically get people banned by just doing stupid things, like having an IRC title that shows up in mIRC's window name that's detected or sending someone a message via any chatting medium that has a detected substring.
Imagine you just send a tinyurl link to your opponents in an upcoming tournament. Or just embed a simple <img> tag in an otherwise harmless webpage (display: none, for example) so everyone who visits your website has that domain fresh in their cache. This kind of "evidence" quickly becomes useless because it can be used for nefarious purposes, which is why it should never be used at all.
This is not only ineffective, it's dangerous. And it's an invasion of privacy since you can simply create a rainbow table of domain names, as other people have pointed out.
Come on, Valve.
Adding 0x20 to any uppercase ASCII character will get you its lowercase equivalent.
A similar thing was done with PunkBuster: https://en.wikipedia.org/wiki/Punkbuster#Attacks_on_PunkBust... - since it was scanning all of your computer's memory for cheat signatures, you could just paste a fragment on IRC in order to get people banned.
I guess it's a way for them to pretend they're not actually invading the user's privacy, just looking for certain websites. That's pretty weak though.
It's trivial to MD5 a list of common domains, or any other ones of interest, and compare that to the user's list.
This absolutely represents a privacy invasion.
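The point made above, that anyone can MD5 a list of common domains and match it against the user's hashed list, together with the earlier remark that adding 0x20 lower-cases ASCII, as an added example that is not from this thread or from Valve's code. The cache entries, the candidate domain list and the secret key are constructed; the keyed variant at the end is a contrast, not something the decompiled code does.

```python
import hashlib
import hmac

# Constructed sample of names as a DNS cache listing might show them
# (mixed case, one with a trailing dot). Not real cache data.
SAMPLE_CACHE = ["News.Example.Com.", "cdn.example.net",
                "Mail.Example.org", "tracker.internal"]

# Constructed "dictionary" of domains someone expects to find. Hypothetical names.
COMMON_DOMAINS = ["news.example.com", "cdn.example.net", "mail.example.org",
                  "shop.example.com", "login.example.net"]


def normalise(name):
    """Lower-case (the ASCII 0x20 trick) and drop a trailing dot, so both sides
    hash the same bytes; a hash only matches if canonicalisation agrees."""
    return name.strip().rstrip(".").lower()


def md5_hex(name):
    """Unkeyed MD5 of the canonical host name, the form the decompiled code stores."""
    return hashlib.md5(normalise(name).encode("ascii")).hexdigest()


def hash_cache(entries):
    """The per-client artefact: a set of hashes, no plaintext host names."""
    return {md5_hex(e) for e in entries}


def build_table(candidates):
    """Precompute hash -> name for every guessable domain (the 'rainbow table')."""
    return {md5_hex(c): normalise(c) for c in candidates}


def recover(hashed_cache, table):
    """Whoever holds the hashes plus the table reads the names straight back.
    Names outside the dictionary (tracker.internal here) stay hidden."""
    return sorted(table[h] for h in hashed_cache if h in table)


def keyed_hex(name, key):
    """Contrast: HMAC under a secret key. The same precomputed table is useless
    to anyone who obtains the hashes but not the key (e.g. via a data leak)."""
    return hmac.new(key, normalise(name).encode("ascii"), "md5").hexdigest()


def recover_keyed(entries, key, table):
    """Run the unkeyed table against keyed hashes: nothing should match."""
    hashed = {keyed_hex(e, key) for e in entries}
    return sorted(table[h] for h in hashed if h in table)
```

Swap COMMON_DOMAINS for a list of the million most popular domains and the dictionary lookup costs a fraction of a second per cache, which is why hashing alone is not anonymisation.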
Yes, this would also include sites opened while using private browsing, since the DNS cache doesn't get flushed afterwards (at least a Mozilla bug report said so).
Can't say in which cases VAC will do all of that.
Maybe that's just my optimism speaking though. Every good company turns bad at some point.
So far there seems to be zero evidence that this is used to send data to valve.
Is this a reasonable way of detecting cheats? In my opinion, yes. They can't send the hostnames to the client (even in hashed format), because then the cheat authors could see if their hostname(s) are listed and subsequently change them, even if the list sent to the client is hashed (they'd just have to run their own hostnames through the same hashing function). Having my DNS cache sent to VALVe and used (likely ephemerally) is a small price to pay for multiplayer games that I enjoy to continue to be fun.
No, we can safely assume this is done to compare your DNS cache to a list of hosts known for their involvement in some kind of cheating (be it a website distributing cheats or some kind of cheat connecting to a certain host).
Even if Valve doesn't intend to use this for any other purpose (and I honestly don't think they are) doesn't mean that a) they won't change their mind later on and b) their infrastructure is perfect, meaning someone could steal this information.
The above will manually clear out the Windows DNS cache. Note this doesn't block it, but rather simply limits what it can find out. I'm not sure it would be possible to block this functionality entirely without also breaking DNS, or otherwise causing the anti-cheat tool to detect something odd.
By default, the Windows DNS cache doesn't flush itself, with entries lasting for 24 hours or so. As stated in the post, you can view currently cached domain names by entering
ipconfig /displaydns
Strangely, this doesn't seem to list some of the sites I've visited this morning within Firefox.
I'm not convinced I like other people's suggestions of constantly flushing your DNS because you're having to hope that VAC doesn't recheck your cache before your automated job flushes it.
Especially at an API level.
Yes, Steam spying is a problem, so don't get angry with someone suggesting a workaround.