
Hexdragon

Mildly Menacing Medic
Hello everyone!

I work as a developer, and I want to know if it would be possible to make a plugin for a tf2 server that can sanitize sprays so they can be re-enabled. Would there be a need for such a plugin? Or am I the only one who misses sprays?
I would like to develop such a plugin if possible and if there is interest in it.

I wish everyone a nice day!
 

Bottiger

Administrator
There is already a plugin to filter sprays but as already explained many many times, a new virus can be made, and someone could copy and paste bits of it into a new spray that would be undetected by whatever filter you have.
 

Hexdragon

Mildly Menacing Medic
There is already a plugin to filter sprays but as already explained many many times, a new virus can be made, and someone could copy and paste bits of it into a new spray that would be undetected by whatever filter you have.
So let me get this straight, you cannot verify if a vtf file has non-color and data in it, or the malicious sprays somehow completely abide by the code format of the vtf extension?
Do we not know what a vtf file should look like? If yes I'm pretty sure we could check if a vtf file truly just contains color information and nothing else.

As a plan B you could submit sprays for review if you played enough hours on the servers, buy it with score or if that's not secure enough through some other steam id verification. I think after an initial review rush there wouldn't be many sprays flowing in daily, I'm pretty sure, and this way only non-bots could submit sprays for review.

I'll ask my friend who was a whitecap hacker back in the day, if they have any advice regarding this topic.
 

Bottiger

Administrator
So let me get this straight, you cannot verify if a vtf file has non-color and data in it, or the malicious sprays somehow completely abide by the code format of the vtf extension?

VTF is just a header with a bitmap attached to it. If the bitmap could have "non-color" "data" you wouldn't be able to represent every possible image.

I'm surprised that you aren't able to think of this if you are a developer.

As a plan B you could submit sprays for review if you played enough hours on the servers, buy it with score or if that's not secure enough through some other steam id verification.

No thanks, no one is going to do this work.

There is absolutely no way to fix this without being able to edit the client which only Valve can do.
 

Hexdragon

Mildly Menacing Medic
VTF is just a header with a bitmap attached to it. If the bitmap could have "non-color" "data" you wouldn't be able to represent every possible image.

I'm surprised that you aren't able to think of this if you are a developer.



No thanks, no one is going to do this work.

There is absolutely no way to fix this without being able to edit the client which only Valve can do.

Alright I talked to my friend, he said that it all depends how the script kiddies injected the fingerprints into the file, we could indeed write a plugin that parses every vtf file that gets uploaded to a server and checks if it has any irregularities, or extra bits attached.
Basically the parser would just need to see if everything is as specified in this: https://developer.valvesoftware.com...d be below 33,512 multiplied by 32,768 equals

How could I get my hands on a virus fingerprinted vtf file? I need to see what they did exactly.


Also for the verification tf2's community is one of the most dedicated, I don't think it would be more than a 5 min job every day after the initial rush, especially if only dedicated and verified players can send in requests. I have played on skial a bunch. There are always 30-40 regulars, that's 30-40 sprays, and they slowly rotate in and out, really not a lot of work.
 

Zeo

TF2 Admin
Contributor
Alright I talked to my friend, he said that it all depends how the script kiddies injected the fingerprints into the file, we could indeed write a plugin that parses every vtf file that gets uploaded to a server and checks if it has any irregularities, or extra bits attached.
Basically the parser would just need to see if everything is as specified in this: https://developer.valvesoftware.com/wiki/Valve_Texture_Format#:~:text=vtf should be below 33,512 multiplied by 32,768 equals

How could I get my hands on a virus fingerprinted vtf file? I need to see what they did exactly.


Also for the verification tf2's community is one of the most dedicated, I don't think it would be more than a 5 min job every day after the initial rush, especially if only dedicated and verified players can send in requests. I have played on skial a bunch. There are always 30-40 regulars, that's 30-40 sprays, and they slowly rotate in and out, really not a lot of work.
That’s already too much work. If it isn’t near instant then what’s the point? People would complain that their spray isn’t working.

No matter what you write in terms of validation it can always be circumvented. What are ‘irregularities’ and how would you test that? There’s a high likelihood of false positives if you have to manually define what a vtf should look like.

For easily exploited file formats the best thing to do is just outright block it. Why do you think images are blocked from loading in emails?
 

Hexdragon

Mildly Menacing Medic
That’s already too much work. If it isn’t near instant then what’s the point? People would complain that their spray isn’t working.

No matter what you write in terms of validation it can always be circumvented. What are ‘irregularities’ and how would you test that? There’s a high likelihood of false positives if you have to manually define what a vtf should look like.

For easily exploited file formats the best thing to do is just outright block it. Why do you think images are blocked from loading in emails?
It's very clear what you need to write, it's set in stone everything is an irregularity that doesn't follow the vtf documentation, and every spray follows that except the fingerprinted ones, it's really not that hard to do. Such a parser is not that hard to write especially since we know the exact way a vtf should look.

Currently vtf-s hexcode just can be edited to whatever you want them to be and then nothing checks if it's been tampered with. It's also not resource intensive it should run with O(1) aka it can be done in a single pass.

For the manual one they can buy the spray and then we can easily display that next time he logs in others will be able to see their spray, the manual way is also very simple.

Of course you could also do an API call to virustotal whenever a player joins, or whenever they change their spray, I'm not sure the latter can be detected or not but that would be ideal. Because the daily 500 requests would run out pretty fast :D

There are plenty of ways to solve this problem.
 

Bottiger

Administrator
It's very clear what you need to write, it's set in stone everything is an irregularity that doesn't follow the vtf documentation, and every spray follows that except the fingerprinted ones, it's really not that hard to do. Such a parser is not that hard to write especially since we know the exact way a vtf should look.

You're just not getting it. The portion of the VTF that specifies the pixels can be anything you want and it would be a valid VTF no matter what you put in it. You could put Shakespeare in it and it would be a valid VTF. I'm quite confused how you can't understand this as a "developer" as well as your "hacker" friend.

It also doesn't matter if the current method is just appending a virus to the end of the file. People will eventually be smart enough to put it in the portion that specifies the pixels.

The moment one of your schemes screws up we will have hecklers from competing communities saying we're giving people viruses on purpose (which someone already did).

Just accept the fact that sprays aren't going to be fixed unless Valve does it.
 
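The limit described in the post above, as an added sketch that is not part of the thread and not any existing plugin's code: a structural check flags bytes appended after the bitmap, yet accepts a file whose pixel region holds arbitrary text. It covers one deliberately narrow case (VTF 7.1, uncompressed RGBA8888, no thumbnail, a 64-byte header assumed); `check_vtf`, `build_vtf` and the sample files are constructed for illustration.

```python
import struct

# VTF 7.1 header fields (63 bytes, padded to an assumed 64 on disk).
HDR = struct.Struct("<4s2IIHHIHH4x3f4xfiBiBB")
HEADER_SIZE, RGBA8888, NO_THUMBNAIL = 64, 0, -1

def expected_size(width, height, mips, frames):
    """Header plus every mip level of every frame at 4 bytes per pixel."""
    total = HEADER_SIZE
    for level in range(mips):
        total += max(width >> level, 1) * max(height >> level, 1) * 4 * frames
    return total

def check_vtf(blob):
    """Return 'ok' or the reason the file is structurally irregular."""
    if len(blob) < HEADER_SIZE:
        return "truncated header"
    (sig, major, minor, hsize, w, h, _flags, frames, _first, _r, _g, _b,
     _bump, fmt, mips, low_fmt, _lw, _lh) = HDR.unpack_from(blob)
    if sig != b"VTF\0" or (major, minor) != (7, 1) or hsize != HEADER_SIZE:
        return "bad signature, version or header size"
    if fmt != RGBA8888 or low_fmt != NO_THUMBNAIL:
        return "format outside this sketch"
    if 0 in (w, h, mips, frames):
        return "inconsistent header"
    want = expected_size(w, h, mips, frames)
    if len(blob) < want:
        return "truncated image data"
    if len(blob) > want:
        return "trailing data after image"
    return "ok"

def build_vtf(pixels, width, height):
    """Constructed sample file: one frame, one mip level."""
    header = HDR.pack(b"VTF\0", 7, 1, HEADER_SIZE, width, height, 0, 1, 0,
                      0.0, 0.0, 0.0, 1.0, RGBA8888, 1, NO_THUMBNAIL, 0, 0)
    return header.ljust(HEADER_SIZE, b"\0") + pixels

# Constructed inputs, all 64x64 (64 * 64 * 4 = 16384 bytes of pixel data).
image = build_vtf(bytes(range(256)) * 64, 64, 64)
appended = image + b"EXTRA-BYTES"                  # data past the bitmap
text = (b"To be, or not to be. " * 781)[:16384]   # non-image bytes as "pixels"
in_pixels = build_vtf(text, 64, 64)

if __name__ == "__main__":
    for name, blob in [("image", image), ("appended", appended),
                       ("in_pixels", in_pixels)]:
        print(name, "->", check_vtf(blob))
```

The size check separates `appended` from `image`, but `in_pixels` is byte-for-byte a well-formed texture, so no format-level rule can reject it.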

Zeo

TF2 Admin
Contributor
It's very clear what you need to write, it's set in stone everything is an irregularity that doesn't follow the vtf documentation, and every spray follows that except the fingerprinted ones, it's really not that hard to do. Such a parser is not that hard to write especially since we know the exact way a vtf should look.

Currently vtf-s hexcode just can be edited to whatever you want them to be and then nothing checks if it's been tampered with. It's also not resource intensive it should run with O(1) aka it can be done in a single pass.

For the manual one they can buy the spray and then we can easily display that next time he logs in others will be able to see their spray, the manual way is also very simple.

Of course you could also do an API call to virustotal whenever a player joins, or whenever they change their spray, I'm not sure the latter can be detected or not but that would be ideal. Because the daily 500 requests would run out pretty fast :D

There are plenty of ways to solve this problem.
If you want to upload and scan files, there’s a maximum of 4 requests a minute. It’s not just the 500 requests per day that’s an issue. If you ever worked with similar types of APIs you would know it’s prone to failure. I have tested several malware that was undetected by Virustotal too. As a developer you would never want to use something like that. APIs like that are clearly for personal use.

With malware development, anything goes. Defenders build new detections and attackers circumvent those detections. It’s a never ending cycle. Nothing is ever absolute or completely safe. This is the reality of computing in general.
 

Hexdragon

Mildly Menacing Medic
If you want to upload and scan files, there’s a maximum of 4 requests a minute. It’s not just the 500 requests per day that’s an issue. If you ever worked with similar types of APIs you would know it’s prone to failure. I have tested several malware that was undetected by Virustotal too. As a developer you would never want to use something like that. APIs like that are clearly for personal use.

With malware development, anything goes. Defenders build new detections and attackers circumvent those detections. It’s a never ending cycle. Nothing is ever absolute or completely safe. This is the reality of computing in general.
Yeah I know. That is how it is, though I don't know if some tf2 trolls would just try to get the freshest of the viruses, but who knows, maybe I underestimate them.
 

Hexdragon

Mildly Menacing Medic
You're just not getting it. The portion of the VTF that specifies the pixels can be anything you want and it would be a valid VTF no matter what you put in it. You could put Shakespeare in it and it would be a valid VTF. I'm quite confused how you can't understand this as a "developer" as well as your "hacker" friend.

It also doesn't matter if the current method is just appending a virus to the end of the file. People will eventually be smart enough to put it in the portion that specifies the pixels.

The moment one of your schemes screws up we will have hecklers from competing communities saying we're giving people viruses on purpose (which someone already did).

Just accept the fact that sprays aren't going to be fixed unless Valve does it.
Yeah my friend told me that bitmaps can be used to store malicious information without breaking the rules of the format. I just saw that they were appending to the vtf, and that's solvable as well as many other injections.

I'd say the manual review would work just fine, I'd gladly watch the submissions flow in and test them daily. I'd say make it cost around 10-20k points and we are grand.
If you would have this, you would have something that no other servers have.
 