Legacy:MasterMD5Commandlet
This package, new to versions of the Unreal Engine post-UT2003, provides package-level security. This commandlet creates an MD5 checksum of the files passed to it and updates the database file of MD5 checksums, found in /System/Packages.md5.
This can be used, for example, by a game server to verify clients' package checksums - if there is a mismatch, the client is rejected, removed from the server, and shown a "Corrupt Connection" message.
Comment from Epic
Here is a post to the UT2003 Mod Developers list by Joe W @ Epic...
"I do know about the external bot that's floating around. It's a typical OpenGL hack that uses modified skins to detect when to fire at an opponent. Like all external bots, it's most useful only in low ping situations.
Directly after the patch is finalized, I'll release a mutator that will allow admins to lock down any file in the game with an MD5 check. This can then be used to detect the skin hack needed to make this bot function. Eventually, I'll merge the functionality back into the main UT2003 code, but not until we decide to break netcode compatibility.
Now with that said, let me try and explain in a little more detail about the MD5 database system. When a client connects to your server, he sets up a communication stream that describes all of the packages loaded on the client. Each package is identified and its corresponding checksum is sent to the server for verification. The server then looks up each package in the MD5 database and determines if the package is indeed correct. If not, it drops the player with a Corrupted Connection message.
ONLY packages that contain UScript structures are verified, so while every package type in UT2003 can contain script code, only those that actually do will be processed. There is no way to hide script code from detection. If it exists in a package, that package will be flagged.
So where does the MD5 database get its data from? 4 places. First, is the default data shipped with the game or the patch (or when you rebuild the database from scratch). The second is any package loaded on the server will automatically be added to the database. Third, is upon connect to the master server, your server might receive critical updates from us. Finally, you can manually add packages yourself.
So, when should you add a package to your database? If you are adding .U files that require ServerActors or are mutators/new game types, then you probably do not need to manually add the package. UT2003 should auto-detect them (as long as they are loaded). Also, as a general rule, new resource files (.UTX/.UKX/.USX/Etc) shouldn't need to be added.
However, if the package you wish to allow has a .U file (or is known to contain code) and you wish to allow clients to use it, but it's not loaded on your server, feel free to add the file.
Starting with the patches, the format to use the MasterMD5 command is as follows:
ucc mastermd5 [-option..] <parms>
Options:
- -c: Rebuild the Packages.MD5 database from scratch. Parms are a list of wildcards to process. Ex: "ucc mastermd5 -c *.u". The -C command will search all sub directories in \UT2003.
- -a: Adds a file (or files) to your Packages.MD5 database. Same params as -c above.
- -s: Shows all entries in the current database.
- -f: Performs a full MD5 hash of the single file passed in Parms.
- -w: Dumps the GUIDs and MD5 hashes of the single file (or multiple files) passed in Parms.
Some of you write-protected your Packages.md5. Please do not do this anymore. You will need those updates. I hope this helps shed some light on everything. If not, drop me a line.
J.
Joe Wilcox
Programmer, Epic Games
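The server-side lookup described in the post above, sketched in Python as an added example (not Epic's code and not the real Packages.md5 format). Assumptions: the database is modelled as a set of (GUID, MD5) combos, the digest is taken over a whole byte string, and `PackageReport`, `PackageDB`, `verify_client` and all sample GUIDs and contents are hypothetical.

```python
import hashlib
from typing import NamedTuple

class PackageReport(NamedTuple):
    """One package as a connecting client reports it (modelled, not the wire format)."""
    name: str
    guid: str
    md5: str
    has_script: bool

def md5_of(data: bytes) -> str:
    # Assumption: a digest over the whole byte string stands in for the engine's hash.
    return hashlib.md5(data).hexdigest()

class PackageDB:
    """In-memory stand-in for Packages.md5: a set of accepted (GUID, MD5) combos."""
    def __init__(self):
        self._combos = set()
    def add(self, guid: str, data: bytes) -> None:
        self._combos.add((guid, md5_of(data)))
    def allows(self, guid: str, md5: str) -> bool:
        return (guid, md5) in self._combos

def verify_client(db, reports):
    """Return names of packages that fail the lookup; an empty list means accepted."""
    # Only packages that contain script are checked; others are skipped.
    return [r.name for r in reports if r.has_script and not db.allows(r.guid, r.md5)]

# Constructed sample data: GUIDs and package contents are made up.
SERVER_MOD = ("guid-mod-server", b"MyMod server build")
CLIENT_MOD = ("guid-mod-client", b"MyMod client build")
ALTERED = ("guid-skins", b"skin package with script added")
TEXTURES = ("guid-tex", b"plain texture data")

def build_db():
    db = PackageDB()
    db.add(*SERVER_MOD)  # loaded on the server, so it is added automatically
    db.add(*CLIENT_MOD)  # not loaded on the server: added by hand (the -a case)
    return db

def report(name, pkg, has_script=True):
    guid, data = pkg
    return PackageReport(name, guid, md5_of(data), has_script)

def demo():
    db = build_db()
    accepted = verify_client(db, [report("MyMod", CLIENT_MOD), report("Tex", TEXTURES, False)])
    dropped = verify_client(db, [report("MyMod", CLIENT_MOD), report("Skins", ALTERED)])
    return accepted, dropped
```

`demo()` returns the failing package names for two connecting clients: the first is accepted because its client-only build has its own combo in the database, the second is dropped because its script-bearing skin package has none.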
Discussion
DJPaul: Thanks to FurrySound{Moo} for this.
Foxpaw: Is there a way to disable the checksum.. check? I can't remember why I wanted to do this since it's late and I'm on my way to bed, but I wanted to be able to have different packages on different clients, and I'm sure I'll remember why when I get up tomorrow. Obviously, of course, they would have to be "compatible," IE replicating the same information and not simulating anything that might differ, but is there a way to disable the MD5 check from the server to make this possible? I understand that you can have server-only script, but I'd like the capability to have client-only script as well.
El Muerte TDS: no, you can't disable MD5 checking. However, it is possible to have different client and server versions of a package; as long as the MD5 record is present on the server there won't be a problem.
Foxpaw: Won't it reject the client if the MD5 checksums do not match? Since the packages would be different they would clearly have a different MD5 checksum.
El Muerte TDS: only if the packages.md5 archive doesn't have the right GUID/MD5 combo for that client package
Foxpaw: I'm still confused.. The server and client have their own MD5 checksums stored and they only verify against themselves? Or does the server store MD5 checksums for both themselves and the clients?
Mychaeel: The server calculates them and caches them in Packages.md5. The client calculates them on the fly when queried by a server and sends them back to the server for verification.
Foxpaw: I'm a bit unclear still on how this works, is the following correct?
- Client connects to Server
- Client performs MD5 checksum on all packages containing script
- Client sends checksum data along with package names to server
- Server compares MD5 checksum to stored checksum to verify if the package is allowed
So this is for client-side only packages then? Or did I misunderstand the above? And there's no way to disable it if you want to, say, have clients be able to make their own UScript packages that will interact with the server packages in some way, only packages that have been on the server and had their checksum added to the database can be used on the client?
El Muerte TDS: you can't disable it
Foxpaw: So is the rest of my understanding about it accurate?