Open Letter to En Masse Entertainment regarding a Security Patch Proposal for fast-fire Exploits
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
To whom it may concern,
To the majority of the TERA community that I am addressing today, I am quite happy to accept that I will be seen as a nobody as I do not play TERA. I vaguely remember playing a character on Mount Tyrannas very briefly but that's about it. The reason I'm writing this to the TERA community is more to get one of my friends who plays off my back about recent "security" issues that the game has had, because they won't shut up about it.
Professionally, I work as a software programmer based in the UK, with the additional responsibilities as a Cryptography Researcher and an Information Security Researcher. Prior to my current employment, I completed two separate Masters Degrees in "Information Security" and "Mathematics of Cryptography and Communications" at Royal Holloway College, University of London, and a Bachelors in Mathematics at the University of Glasgow.
As I have been informed over the last year, there has been a variety of software that has been used by TERA players to "enhance", "equalise" and/or "improve" their gaming experience for whatever reason, with some of it unfortunately being malicious, causing 3 notable scandals in the process amongst the community.
As a clarification on wording before I begin, I will be using the word "Exploit" as it seems to be the term currently preferred by the publishers for the North America Regions of TERA, En Masse Entertainment, to refer to such software, though the term has negative connotations and others in the community refer to it in a positive manner.
I will be addressing one specific exploit here. If I come to understand the workings of other exploits, then I may provide further security analyses for them in the future.
====
What is the Exploit?: Usage of software to provide a "fast-fire" functionality to major DPS skills of the Archer, Gunner and Ninja Classes to simulate low ping environments.
- ----
Why is it being used?: The major DPS skills in question (Rapid Fire, Burning Heart and Burst Fire) are dependent on user input for each activation of the skill, where: "activation time of the skill" = "ping tax" + "skill animation time". As "skill animation time" is effectively constant, ping tax is the factor that influences how long these skills take to cast.
Comparing a player with 10ms and 110ms, which are both reasonable ping estimates to get for North American players to the North America TERA servers, if both players cast all 10 activations of Burning Heart at the same time, the 10ms ping player will finish their skill at least an entire second before the player with 110ms does. The other skills suffer from similar time differences.
The incentive for the 110ms ping Burning Heart user to use the aforementioned exploit is that it removes the extra one second of ping tax it takes for them to cast all 10 activations of the skill when compared to the 10ms ping player.
- ----
Proposed Security Fix (Burning Heart):
- One activation of this skill will now fire 5 animations of Burning Heart at the same speed with 0 ping tax, irrespective of ping (similar to the Traverse Cut skill for Warriors).
- One activation of this skill will now cost 500 Chi (similar to how Rampage costs the entire Rage meter of the Brawler).
- The cooldown of this skill has been removed.
Proposed Security Fix (Rapid Fire):
- One activation of the skill will now fire all 7 animations of Rapid Fire at the same speed with 0 ping tax, irrespective of ping (similar to the Traverse Cut skill for Warriors).
- Each animation of the skill can be chained into Sequential Fire to prematurely end the skill if required (similar to how Blade Draw can be chained into from the second hit of Traverse Cut on Warriors to end the chain).
- The first animation of the skill resets the cooldown of Sequential Fire.
Proposed Security Fix (Burst Fire):
- One activation of the skill will now fire all the animations of the skill at the same speed with 0 ping tax, irrespective of ping (similar to the Traverse Cut skill for Warriors).
- Each animation of the skill can be interrupted by any Gunner skill. If it is not possible to make all skills interrupt an animation of Burst Fire, one candidate for a suitable skill to do this is Blast, as it can be used to "animation cancel" many Gunner skills (similar to how Blade Draw can be chained into from the second hit of Traverse Cut on Warriors to end the chain).
- ----
Proposed Outcome of the Proposed Security Fixes: By implementing the above changes, the activation time of the skill becomes solely dependent on the animation of the skill, regardless of the player's ping.
No Ping Dependence = No Incentive to use fast-fire Exploits.
No Incentive to use fast-fire Exploits = One Less Exploit in the Game.
====
I hope that an informal security analysis like this, for issues that the players seem to be having in TERA, is the beginning of a fruitful series of discussions that will both hopefully reduce the number of exploits in the game and improve the TERA experience for the players of TERA as a whole.
Yours Faithfully,
Andes Ho
PS: The Proposed Security Fixes have been submitted to EME as Support Ticket #090517-000284 and will also be posted on the current EME forums by forum user clfarron4 on behalf of myself. It will also be emailed to contact[at]enmasse.com/community[at]enmasse.com, and posted to the EME Official Discord Server by myself, Andes Ho (andesho91@gmail.com).
PPS: This is a PGP signed message which can be verified by copy-pasting everything in the code block into https://keybase.io/verify. If after clicking "Verify" it does not say "Signed by andesho91" with a link to my public PGP key hosted at https://keybase.io/andesho91, then the entire codeblock should be considered compromised as it will have been edited by someone who is not the author of the message.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----