Understanding Project1999 Protections
This is part of a multi-part series:
- Installing ShowEQ For Project1999 in 2020
- Getting traffic to your ShowEQ system
- Understanding Project1999 Protections (you are here)
- Decrypting Project1999 Spawns
- Project1999 Green and /List information.
Welcome back! This story is a continuation of posts on getting ShowEQ working in 2018 and bypassing server protections enabled by private servers, such as Project1999. Please read part 1 and 2 before preceding.
Project1999 is a private, emulated, free-to-play EverQuest community offering a ‘classic’ experience of playing EverQuest. The server is currently content locked to Velious and managed by a handful of private server developers.
Project1999 Disclaimers
Upon installation of Project1999, the initial disclaimer screen boasts some of the advanced detection and anti-cheating functionality that is implemented on the server. According to the EULA, “Project 1999 uses anti-cheat software to detect this behavior. The effort put forth to catch this is much more active than anything Sony has done on Live Everquest.” So what is this anti-cheat software and how exactly is it implemented.
Project1999 Anti-cheat Software
As part of the installation of Project1999, you are required to install custom files into the EverQuest program directory that implement the returning of EverQuest into “classic” mode. Reading the ‘Project 1999 Installation Guide’ you are instructed to “download the required Spell and File changes in order to play on Project 1999”. At the time of this writing, the files are on version 45.
As we can see, the majority of files are game resources, classic spell effects/descriptions, and UI assets. However, there is one file that replaces an existing game library and modifies the game functionality: “dsetup.dll”.
Analyzing dsetup.dll
The traditional approach to analyzing compiled code usually involves leveraging both static and dynamic code analysis techniques. Unfortunately for us, Project1999 does not make this easy. The developers have leveraged a powerful commercially available obfuscating code packer, known as Themida/WinLicense, to prevent source code analysis. As Themida has been also leveraged by malware to prevent AV analysis, this is why some Antivirus applications will detect Project1999’s DLL as malware.
There exists many novel techniques to defeating code obfuscation, so we will leave that as an exercise to the reader.
Once removed, you can begin to analyze the specific code that implements the bulk of Project1999’s modifications to the EverQuest Titanium client. Of particular interest, there is a thread of execution that injects modifications into the game. The majority of this code is dedicated to implementing Project1999 functionality (or maybe more accurately restrictions) in an attempt to move the game’s engine closer to it’s earlier releases.
These following modifications of interest were observed in the binary:
- Disabling Luclin-expansion models
- Disabling the in-game map
- Disabling spellsets
- Replacing /guide commands with /petition
- The existence of test commands “/rogean” and “/rogtest”
- A whole bunch of location specific in-memory client patches
Anti-Cheat Engine
Project1999 implements it’s anti-cheat engine as a separate thread that appears to be continually or periodically running in the background. There are three main functions that perform anti-cheating detection capabilities.
The first function, dubbed ModuleChecker, inspects all of the libraries (aka. dlls, modules) loaded into the current running process (EQGame.exe). For MacroQuest to perform it’s functionality, it injects itself into the running EverQuest process. ModuleChecker leverages the built-in Win32 API calls (GetCurrentProcessID, CreateToolhelp32Snapshot, Module32First, etc.) to walk through each loaded library. The function checks the names of the libraries loaded and attempts to identify ones associated with MacroQuest.
A second function, dubbed ProcessChecker, also attempts to identify cheat tools like MacroQuest with a slightly different approach. ProcessChecker leverages the built-in Win32 API calls (GetTopWindow, GetWindowTextA, GetWindowThreadProcessId, etc.) to traverse the Windows ‘Z-order’. For each window it identifies it checks the window’s title text. If this text matches a preconfigured list, it enumerates the process ID of that window and then identifies all loaded modules in the window in a similar manner to ModuleChecker.
If either of these methods identify a cheating application, mainly MySEQ and MacroQuest2, a flag is sent to the game server. There are multiple flags (we observed 5) based on what is detected and through which method. The data sent to the server includes the full path of the application and the full path of the loaded modules.
Security & Privacy
From a privacy perspective, Project1999 can be leaking information on your system. While the detections are intended to identify specific cheating programs, it is implemented in such a way that false positives may regularly occur. Simply recording and sending back running process lists may be enough information to discover your identity, job, and other sensitive information.
Project1999 also appears to contain code to enumerate your computer name, logged in username, and IP device information. The functionality of code is likely to identify whether you are running multiple versions of EQ on the same system (two-boxing). We were unavailable to determine the conditions in which this code runs. However, based on leaked customer service representative data, we do know that Project1999 attempts to identify or track people using multiple characters through other interfaces.
Whats next?
In addition to the anti-cheat engine, there’s some modifications done to EverQuest networking protocols to implement the rest of the Project1999 experience. We’ll be discussing network-level modifications next time.
