Menci / arcaea-builder

Build your own Arcaea game client to play self-made or modified official charts!

Some suggestions #3

Closed TheSnowfield closed 2 years ago

TheSnowfield commented 2 years ago

You can create an aff player similar to playable Arcade without using any official resources instead of modding the game client.

I don't deny the mod has appeared for a long time, at least they're strictly private (except the leaker) and modded manually.

This project can be a bomb that forces official security of their application again cuz it's an automatic mod tool that can lower the threshold about the users making their own mod. btw, or you can private the repo I think it's a good idea.

If they release a new version with more powerful obfuscation, we have to spend more time on reverse engineering, and all the bots will be down for a long time (see v3.6.0-v3.6.4 for reference).

Thanks.

TheSnowfield commented 2 years ago

Forget it, I don't want to face these annoying things. You can close this issue at any time.

Menci commented 2 years ago

This project has nothing to do with BotArcAPI. You are hacking the API protocol while I'm hacking the gameplay. So first of all, I don't think what lowiro will do against me will also be against you.

I know you developed BotArcAPI and archash4all and made them public at first. You hid your work behind a private repo to prevent being targeted by lowiro. But is hiding your ears and stealing the bell really helpful, even a little? No, as long as your service is running, as long as your users (including me) are still sending /arc b30 over and over again, lowiro still knows there are BOTs consuming their servers' resources, so they're still changing the challenge token algorithm over and over again. Do they need to know how we cracked the game client? Do they need to see the code and realize "Oh, the hackers found this, this and this so we must protect it"? No, they only need to know that these things are happening. Whether the code is here or not, lowiro could always see players are uploading self-made charts playing videos to bilibili, could always see their servers are under high load caused by some /friend/me/add, /score/song/friend and /friend/me/delete requests. They always know we are abusing Arcaea. They can always know, in order to prevent cracking, they should obfuscate the code more.

I don't care whether you think making your BotArcAPI project private would help you reduce your reverse-engineering work. If you agree, there's no problem to private the code of a service because the user (and lowiro XD) don't need to be reachable to your source code in order to reach your service. But, did you think, what's the problem for me? I'm creating a tool. How can my users use it if I private it?

However, I don't think we are standing on two opposite sides of Arcaea community. Our common enemy should be the code obfuscation and DMCA takedown notice. Reverse-engineering is always a cat and mouse game -- there'll be no winner. Please calm down -- maybe, in the future, someday, the only thing we can do is "Go Play A Song Instead Of Looking At This".

TheSnowfield commented 2 years ago

> This project has nothing to do with BotArcAPI. You are hacking the API protocol while I'm hacking the gameplay. So first of all, I don't think what lowiro will do against me will also be against you.
>
> I know you developed BotArcAPI and archash4all and made them public at first. You hid your work behind a private repo to prevent being targeted by lowiro. But is hiding your ears and stealing the bell really helpful, even a little? No, as long as your service is running, as long as your users (including me) are still sending /arc b30 over and over again, lowiro still knows there are BOTs consuming their servers' resources, so they're still changing the challenge token algorithm over and over again. Do they need to know how we cracked the game client? Do they need to see the code and realize "Oh, the hackers found this, this and this so we must protect it"? No, they only need to know that these things are happening. Whether the code is here or not, lowiro could always see players are uploading self-made charts playing videos to bilibili, could always see their servers are under high load caused by some /friend/me/add, /score/song/friend and /friend/me/delete requests. They always know we are abusing Arcaea. They can always know, in order to prevent cracking, they should obfuscate the code more.
>
> I don't care whether you think making your BotArcAPI project private would help you reduce your reverse-engineering work. If you agree, there's no problem to private the code of a service because the user (and lowiro XD) don't need to be reachable to your source code in order to reach your service. But, did you think, what's the problem for me? I'm creating a tool. How can my users use it if I private it?
>
> However, I don't think we are standing on two opposite sides of Arcaea community. Our common enemy should be the code obfuscation and DMCA takedown notice. Reverse-engineering is always a cat and mouse game -- there'll be no winner. Please calm down -- maybe, in the future, someday, the only thing we can do is "Go Play A Song Instead Of Looking At This".

We contacted lowiro last week. We are trying to cooperate with them to provide players a better experience of score probing without using BotArcAPI. BotArcAPI is still archived and won't continue to be maintained.

The other users cannot use it normally like before (accessing the arcapi needs a challenge token), cuz we do not make the ArcHash4All library public now.

Btw, here is the original email from lowiro.

I'm worried about the status of the game community, hope you can understand. Thanks.

Menci commented 2 years ago

Yes I know someone is contacting lowiro for a score API and I've seen this reply email last week, before this issue. (I am told this email is confidential and not suitable to post publicly, isn't it?)

Closed as resolved.