I just finished this yesterday. I believe some of you will like it, while others will hate me for it.

Remember, with great power, comes great responsibility.


This is a python script that will deprotect any Zelda Classic quest made in version 1.92 and higher.

REQUIRES PYTHON 3.0 and higher. NOT 2.7 OR LOWER

Told you so.


...

Saw this coming. Didn't think it would be posted to the forums like this. AGN has no rules prohibiting this ...yet. I don't know if we ever did in the past. I noticed this was removed on PZC. Waiting to see what you all think.

If you all have any feelings about this, please reply.

I've made my feelings known to the staff. Could be useful, but could be morally wrong. Also, has the potential to do a lot of damage.

-James

Thank you. If you wish to keep your response private. That's okay too.
Feel free to PM a staff member preferably one whose active. ;)

I will ask one question, and that is all. What actual damage can come from this? Sure, people won't be able to prevent others from being able to look at their quests and edit them and enable cheats, but aside from that what can actually happen that is irredeemably bad?

It doesn't give out passwords, it replaces the hashes with an empty password, so no security risk there.
If people start taking assets from other quests and using them without giving credit then usually someone will call them out on it and they will feel like an ass(I have done this myself as I produce 3d models and textures and give them out for free)

The absolute worst thing i can think of coming out of having no passwords would be people making derivatives of a quest with alterations they feel are appropriate and putting them up on the download database, thus changing the original artist's vision for it. I don't see this being a bad enough reason to even have passwords to begin with.

Please explain to me what each of you feel is so bad about not having passwords? I am sorry I offended you, but this will also make the quests able to be ported over to the open source ZC whenever it's done.

Thank you for your time.

Personally I don't mind now that I know it erases passwords instead of extracting them. The only quest I ever password protected was for the purpose of guarding some custom tiles; I've since improved on them and I don't really care if somebody tries to snatch them out of the other file anymore. However, my opinion isn't indicative of the community as a whole.

So the risk of damage is exactly what you've mentioned: people won't be able to prevent others from being able to look at their quests and edit them and enable cheats. Though it is not a sentiment that everyone in the community holds, a large portion of quest developers for ZC feel the need to protect their work and a password scrubber might drive them away. To that end it's plausible that your program would scatter the community, so we need to make sure everybody understands what your code represents before we make any decisions.

While your intentions do seem innocent from another perspective, them actions could of really caused a shit storm if that script would of fell into the hands of the devil or some other hacker. As for your question: worst case scenario is actually a side effect to come, The community as a whole is divided or worst scattered as CJC put it. And if things get to that point Zelda Classic may just cease to exist as a result. This has always been a touchy-fealy subject cause people are willing to kill to protect their quest while other people including myself could give two shits.

You beat me to it by a few days, but I took a different approach and simply patched ZQuest itself. I spent about 15 minutes in IDA Pro and OllyDbg and got this as a result.

http://www.youtube.com/watch?v=AraknwSehGE

Now I'm working on a patch for the Linux build of ZQuest, since that's my primary OS. I'm not releasing anything though.

I only did this because I disliked the name of the protagonist in a quest I'd been playing.
Pretty lousy reason, I know, but technically I could now also fix bugs should I run into any in a password protected quest.

No this doesn't allow me to recover passwords - there are no passwords in quest files - merely a hash of the creator's chosen
password and that's already visible to anyone that opens a protected quest in ZQuest.

I sure hope all of these talented dev haxxors decide to help develop for ZC when it's open source.

Just to let everyone know ZC is approaching Open Source just a few minor issues to hash out and we're done. Also using a password by pass build is dumb. Report the quest bug and if that doesn't work find a new quest to play cause the quest maker is either long gone or is a jerk. It's not your responsibility to fix another quest authors bugs. It's theirs.

I sure hope all of these talented dev haxxors decide to help develop for ZC when it's open source.

Just to let everyone know ZC is approaching Open Source just a few minor issues to hash out and we're done. Also using a password by pass build is dumb. Report the quest bug and if that doesn't work find a new quest to play cause the quest maker is either long gone or is a jerk. It's not your responsibility to fix another quest authors bugs. It's theirs.

I do recall reading somewhere that it was planned to release Zelda Classic as open source with some minor changes, but that was a while back and I hadn't seen any recent updates on that so I kind of assumed that this idea had been scrapped haha. Good to know that it's still in the works. There are a number of things that I'd love to contribute to Zelda Classic if given the opportunity so I'm looking forward to it. n_n

Yeah, perhaps it is dumb to have modified ZQuest to bypass the password hash comparison, but I personally find it to be useful and it was fun so, meh. As for bugs, of course I'd report them, but there's no real reason to simply drop a quest due to a bug that could be fixed if one has the ability to do so. It's not like I'd be distributing unofficial updates to quests or anything haha.

It's always been the plan to open source it eventually. Then the 2.11 Decade happen and that came to a halt.

Hah, the coincidence gave me a well needed laugh. I actually thought about doing the same thing, but I decided not to for a few reasons:

For one, I read somewhere that steps were taken to prevent people from doing exactly that.
I wanted to distribute it after I was done and I didn't want to distribute someone elses work.
I also wanted it to be a single file python script since it's more portable and people can see the source code so they can verify that it's legit.
And I was invested in the challenge of deciphering the assembly by that point.

Also, CAD, I'm more of a python guy. I tried C++ a bit as a college requirement in mechanical engineering, but I still love my python more.
Btw, if this is the same CAD that wrote the Halo CE: Animation Exporter for 3DS Max, thanks man, love that shit.

Hah, the coincidence gave me a well needed laugh. I actually thought about doing the same thing, but I decided not to for a few reasons:

For one, I read somewhere that steps were taken to prevent people from doing exactly that.
I wanted to distribute it after I was done and I didn't want to distribute someone elses work.
I also wanted it to be a single file python script since it's more portable and people can see the source code so they can verify that it's legit.
And I was invested in the challenge of deciphering the assembly by that point.

Yeah, it's definitely more fun to reverse the code itself and re-implement it to achieve whatever you've set out to do, but in this particular
case I just wanted something that worked. I actually looked around for a bit to see if anyone else had done this yet and didn't find anything
so last night I decided to do it myself.

Your script is pretty nice though and portability is always great. n_n

C++, Vala, and C# are the languages I've spent the most time with. I've tried Python, but I'm not really a fan of the syntax. I prefer when the syntax is similar to that of C.


It's always been the plan to open source it eventually. Then the 2.11 Decade happen and that came to a halt.

Thank you for the clarification. n_n

I see a lot of arguments over the risks as well as the uses but it really just boils down to the fact that this is a community. If the majority of the community really feels strongly about something then decisions will likely follow. It is looking like we will probably not be allowing software that bypasses or removes passwords on these forums. Nothing official has been decided yet that is just my guess. As Gleeok has said we can expect a lot more of this stuff when the source is out so we might as well reach a decision now. Obviously no one can stop you from distributing but links to it probably won't be allowed here at AGN. Of course we aren't going to stop you from talking about it. That's not how we do. :P

A reminder for the millionth time: Even though these examples don't pull passwords, your passwords on quests are not safe. Do not use account passwords to lock your quest.

Actually, I think the community has lightened up a bit the last few years. Who knows, maybe in a few more years no one will really care anymore. :shrug:

Actually, I think the community has lightened up a bit the last few years. Who knows, maybe in a few more years no one will really care anymore. :shrug:
There will always be someone who cares, but yes perhaps we will see more people grow to simply not care whether or not someone can edit their quests in the near future. The option to protect one's quest should definitely always be available though. If Zelda Classic were re-written perhaps a more viable solution for securing quests could be implemented.

As it is now, there's not really much else you can do since Zelda Classic itself needs to be able to read quests. I'd like to see quests compiled down to some form of bytecode which could be embedded in a 'runner' of sorts, producing an executable (possibly along with some necessary libraries) which could then be distributed as opposed to quest files. This would be possible with a complete rewrite of Zelda Classic. Something along those lines would be quite a bit more secure.

Anyway, I patched the latest build of ZQuest for Linux... I'm done now, I promise. xD

http://www.youtube.com/watch?v=vRCs-RE6UCM


I see a lot of arguments over the risks as well as the uses but it really just boils down to the fact that this is a community. If the majority of the community really feels strongly about something then decisions will likely follow. It is looking like we will probably not be allowing software that bypasses or removes passwords on these forums. Nothing official has been decided yet that is just my guess. As Gleeok has said we can expect a lot more of this stuff when the source is out so we might as well reach a decision now. Obviously no one can stop you from distributing but links to it probably won't be allowed here at AGN. Of course we aren't going to stop you from talking about it. That's not how we do. :P

A reminder for the millionth time: Even though these examples don't pull passwords, your passwords on quests are not safe. Do not use account passwords to lock your quest.
Nothing wrong with prohibiting users from distributing such tools here. Glad to see that you're not simply going to censor discussions of this type, but I personally feel that there are cases in which it would be perfectly reasonable to take action. Example: Someone describes, in detail, how to bypass or remove passwords.

Are the password hashes not salted? Shouldn't be too big of a concern as long as they're not straight MD5 hashes, but SHA-1 hashes are still arguably more secure. n_n

As it is now, there's not really much else you can do since Zelda Classic itself needs to be able to read quests. I'd like to see quests compiled down to some form of bytecode which could be embedded in a 'runner' of sorts, producing an executable (possibly along with some necessary libraries) which could then be distributed as opposed to quest files. This would be possible with a complete rewrite of Zelda Classic. Something along those lines would be quite a bit more secure.

Nothing wrong with prohibiting users from distributing such tools here. Glad to see that you're not simply going to censor discussions of this type, but I personally feel that there are cases in which it would be perfectly reasonable to take action. Example: Someone describes, in detail, how to bypass or remove passwords.

Are the password hashes not salted? Shouldn't be too big of a concern as long as they're not straight MD5 hashes, but SHA-1 hashes are still arguably more secure. n_n

It would be a more secure and portable option to have quests as stand alone games. I imagine Phantom Menace never imagined his little program to have such reach or longevity. Obviously we have the benefit of seeing how things could work better.

Censorship of freedom of speech will be discussed on a case by case basis taking into acount the content and the drama it may cause. Obviously the ones specifically forbidden in the rules are exceptions.

Even if there were a more secure way to store the passwords would it really matter? We have no way of preventing a dictionary attack which might be more effective on most people's passwords than trying to reverse the hash. Is any hash truly secure? Simple solution: use a unique password for your quest.

It would be a more secure and portable option to have quests as stand alone games. I imagine Phantom Menace never imagined his little program to have such reach or longevity. Obviously we have the benefit of seeing how things could work better.

Censorship of freedom of speech will be discussed on a case by case basis taking into acount the content and the drama it may cause. Obviously the ones specifically forbidden in the rules are exceptions.

Even if there were a more secure way to store the passwords would it really matter? We have no way of preventing a dictionary attack which might be more effective on most people's passwords than trying to reverse the hash. Is any hash truly secure? Simple solution: use a unique password for your quest.
Of course. I don't think anyone foresees anything they've created becoming popular to any considerable extent. I only just re-discovered Zelda Classic this year; the last I did anything with it was probably sometime in 2004-2005 so even I was surprised to see how far along things have come.

Not disagreeing with you there haha, but when I typed that I was just thinking about someone simply taking a hash and comparing it against a large collection of other hashes generated from common passwords, words, etc. since that's generally the first thing most people would do with a hash.

Unique password example, gibberish...

Not disagreeing with you there haha, but when I typed that I was just thinking about someone simply taking a hash and comparing it against a large collection of other hashes generated from common passwords, words, etc. since that's generally the first thing most people would do with a hash.

Makes sense. Not really anything I considered all that much.

Unique password example: Hacker, suck my balls!

I am confused on how to change it from txt to pyw.

So, Eternal Zunder sent me a link to the program he made here. Very knowledgeable guy. Reading through the topic here, saw some of the posts and concerns you guys have about the program.

I come from the Halo Custom Edition community. We make custom maps for Halo on the PC. I've been doing that since 2006. In '06 the community was thriving. Today it's been dead for years.

It became dead because the community was extremely protective of their work. People would protect the mapfiles to prevent people from stealing their assets.

Protecting the maps made it so everybody who saw these amazing mods/maps couldn't open them up to steal assets or data. They also couldn't open them up to learn how to do it themselves. And the people who made these assets might also use custom programs they designed, which they also would not release. So not only can I not steal the Halo 3 Brute (that the original modder stole from Bungie, mind you), but I can't even use the programs to get the brute myself.

Now the influx of people who say "Wow this is awesome I want to do this" instead get turned away, because what they want is impossible for them to do. They never learn and become part of the group. This repeats for a decade and your community ends up dead.

I have no interest in this project. Zelda is sweet, favorite series, but that's not why I'm here. I'm here because I saw the same posts and opinions being put here that I've seen for over 12 years now in my own community. I remember the same issues being raised when I made Eternal Lightning, which was the first semi-public Halo map deprotector. They were wrong then, and you guys are wrong now. Please, learn from our mistakes. Open Sourcing EVERYTHING is the best way to ensure your community prospers. Will content get stolen, hashed together and released as a conglomerate pack of random crap from different quests? Absolutely. There will be a ton of those. And you guys will tell them it sucks, and they'll learn to make something better.

Or they never learn at all. Nobody new comes in. No new quests get made. Your friends on the forum get tired of the same thing, and slowly your community dwindles and dies until you're left sitting in the room alone.


It seems like this place is still growing. Don't lose that.