Major Dark Souls exploit that took servers offline has been released

The major Dark Souls exploit that forced Bandai Namco to take all PC game servers offline in January has been made public, as previously promised.

PvP servers for PC versions of Dark Souls games were taken down in January, following the discovery of a serious remote code execution (RCE) vulnerability, which would allow abusers to take control of other players’ PCs.

Almost two months later, they remain inactive and one of the people behind the discovery of the vulnerability has now publicly disclosed the details of the exploit, after Bandai Namco released a statement claiming it would fix the problem.

The user originally planned to share the exploit before the release of Elden Ring, but told VGC that they instead decided to put their plans on hold so they could finish playing Elden Ring first “instead of doing some work ‘reverse engineering day one’”.

The public disclosure, which was shared on GitHub, contains proof-of-concept code and documentation for the RCE exploit that forced From Software to shut down PC servers. According to the description, the vulnerability is confirmed to be present in Dark Souls 1, Dark Souls Remastered, Dark Souls 2, and Dark Souls 3.

While the vulnerability hasn’t been confirmed for Demon’s Souls, its presence there is “very likely”. It is also confirmed to be in Sekiro, but there would be no way to trigger it.

However, the person who discovered the exploit confirmed to VGC that it appears to be “fully patched” in Elden Ring.

According to them, LukeYui – the developer of Dark Souls Blue Sentinel anti-cheat software – “sent From Software a huge document documenting many other Dark Souls exploits, including both security vulnerabilities such as read/write out of bounds and in-game exploits like banning other players, modifying their game data, etc.”

“To my surprise, they fixed every single one of them in Elden Ring, which is amazing,” they told VGC.

They point out, however, that the implementation of Easy Anti Cheat in Elden Ring “is highly flawed and can be trivially circumvented in several ways”.

They explained, “Even if the simple workarounds are fixed, it would require a complete overhaul to properly use all the features of the EAC, which is absolutely necessary for it to be effective.”

As VGC reported last month, the person behind the RCE discovery said that they informed Bandai Namco about it more than a month earlier and that neither the publisher nor developer From Software had acted on the warning until its discoverer demonstrated it in a public Twitch stream last month.

In a statement released shortly after, Bandai Namco confirmed that online services for Dark Souls PC games will remain offline until the release of Elden Ring on February 25, as they work to fix the exploit.

“We would like to thank the entire Dark Souls community and players who reached out to us directly to voice their concerns and offer solutions,” it said. “Thanks to you, we have identified the cause and are working to resolve the issue.

“We have extended the investigation to Elden Ring – our next title launching on February 25 – and have ensured that the necessary security measures are in place for this title on all target platforms.

“Due to the time required to set up proper testing environments, online service for the Dark Souls series on PC will not resume until after the release of Elden Ring. We will continue to do our best to restore these services as soon as possible.”

However, while the investigation appears to have resolved the issue for Elden Ring, the Dark Souls PC game servers remain unavailable, meaning players have not had online access for nearly two months.