#293 Client leaks potentially sensitive stuff in one of telemetry packets

Open
opened 2 years ago by Alex72 · 9 comments
Alex72 commented 2 years ago

Today some folks notified me that there is a specific packet (ClientReportNotify) sent by the client to the server that contains some information about the system (loaded libraries, drivers, running user-space programs etc).

I went to check it and can confirm that this packet:

  1. Has existed since at least 1.5.0 and has been observed in the game traffic since then (not on a regular basis);
  2. Contains some information about the system;
  3. Leaks some information about running the game on Wine.

Just to give you an idea, I will post here the contents of this packet (decoded, because it's not plaintext in the traffic; also I replaced some potentially sensitive information).

Windows (game version 2.5.0):

```
{"1":["2.5.2"],"0":[3]}
{"1195":["12604:C:\\Program Files (x86)\\Total Commander\\TOTALCMD64.EXE"]}
{"1191":["d:\\gi\\dumper\\GIHook.dll;code:0x800b0100;sign:"]}
{"1196":["version:20210601","signtime:424269575400","status:34692"]}
{"1197":["COGNOSPHERE PTE. LTD.","D:\\gi\\Genshin Impact\\Genshin Impact game\\GenshinImpact.exe"]}
{"101":["c:\\windows\\system32\\drivers\\pmdrvs.sys;code:0x0;sign:Lenovo","c:\\windows\\system32\\drivers\\npcap.sys;code:0x0;sign:Insecure.Com LLC","c:\\windows\\system32\\drivers\\tppwr64v.sys;code:0x0;sign:Lenovo","c:\\windows\\system32\\drivers\\wintun.sys;code:0x0;sign:WireGuard LLC","c:\\windows\\system32\\driverstore\\filerepository\\nvltwi.inf_amd64_9440f1e3ce298109\\nvlddmkm.sys;code:0x0;sign:Nvidia Corporation","c:\\windows\\system32\\driverstore\\filerepository\\nvppc.inf_amd64_25fb711132593303\\ucmcxucsinvppc.sys;code:0x0;sign:NVIDIA Corporation","c:\\windows\\system32\\driverstore\\filerepository\\iigd_dch.inf_amd64_6091bde938afd934\\igdkmd64.sys;code:0x0;sign:Intel Corporation","c:\\windows\\system32\\drivers\\netwtw10.sys;code:0x0;sign:Intel Corporation","c:\\windows\\system32\\driverstore\\filerepository\\heci.inf_amd64_b8b95f256704d781\\x64\\teedriverw10x64.sys;code:0x0;sign:Intel Corporation","c:\\windows\\system32\\drivers\\glpcisd.sys;code:0x0;sign:GENESYS LOGIC, INC.","c:\\windows\\system32\\drivers\\ibmpmdrv.sys;code:0x0;sign:Lenovo","c:\\windows\\system32\\driverstore\\filerepository\\dptf_acpi.inf_amd64_d1c42ae92fd1696b\\dptf_acpi.sys;code:0x0;sign:Intel Corporation","c:\\windows\\system32\\drivers\\syntp.sys;code:0x0;sign:Synaptics Incorporated","c:\\windows\\system32\\driverstore\\filerepository\\intcaudiobus.inf_amd64_e3e292b2dfbe57f8\\intcaudiobus.sys;code:0x0;sign:Smart Sound Technology","c:\\windows\\system32\\drivers\\smb_driver_intel.sys;code:0x0;sign:Synaptics Incorporated","c:\\windows\\system32\\driverstore\\filerepository\\e1d68x64.inf_amd64_7b6bb8abbc171f0a\\e1d68x64.sys;code:0x0;sign:Intel(R) INTELND1820","c:\\windows\\system32\\drivers\\ialpss2_gpio2.sys;code:0x0;sign:Intel(R) Embedded Subsystems and IP Blocks Group","c:\\windows\\system32\\drivers\\oculus_vigembus.sys;code:0x0;sign:Oculus VR, LLC","c:\\windows\\system32\\drivers\\nvhda64v.sys;code:0x0;sign:NVIDIA Corporation","c:\\windows\\system32\\driverstore\\filerepository\\wiman.inf_amd64_f54d0a27ac206b8c\\wimanh\\wimanh.sys;code:0x0;sign:Intel Corporation"]}
{"101":["c:\\windows\\system32\\driverstore\\filerepository\\intcoed.inf_amd64_aa10a4fc95c19f7c\\intcoed.sys;code:0x0;sign:Smart Sound Technology","c:\\windows\\system32\\drivers\\rtkvhd64.sys;code:0x0;sign:Realtek Semiconductor Corp.","c:\\windows\\system32\\driverstore\\filerepository\\intcdaud.inf_amd64_658abcf72ee536fa\\intcdaud.sys;code:0x0;sign:Intel Corporation","c:\\windows\\system32\\drivers\\akccid.sys;code:0x0;sign:Alcorlink Corp.","c:\\windows\\system32\\drivers\\alcgener2.sys;code:0x0;sign:Alcorlink Corp.","c:\\windows\\system32\\driverstore\\filerepository\\ibtusb.inf_amd64_3655efbc3c2585c1\\ibtusb.sys;code:0x0;sign:Intel Corporation","c:\\windows\\system32\\drivers\\dump_dumpstorport.sys;code:0x80092003;sign:","c:\\windows\\system32\\drivers\\dump_stornvme.sys;code:0x80092003;sign:","c:\\windows\\system32\\drivers\\dump_dumpfve.sys;code:0x80092003;sign:","c:\\windows\\system32\\driverstore\\filerepository\\dptf_cpu.inf_amd64_1da48d5885266bb7\\dptf_cpu.sys;code:0x0;sign:Intel Corporation","c:\\windows\\system32\\driverstore\\filerepository\\dptf_cpu.inf_amd64_1da48d5885266bb7\\esif_lf.sys;code:0x0;sign:Intel Corporation","c:\\windows\\system32\\drivers\\tbtbusdrv.sys;code:0x0;sign:Intel Corporation"]}
{"1044":["d:\\gi\\genshin impact\\genshin impact game"],"1042":["GenshinImpact.exe","UnityPlayer.dll","GenshinImpact_Data\\Native\\UserAssembly.dll","GenshinImpact_Data\\Plugins\\xlua.dll","GenshinImpact_Data\\Plugins\\Mmoron.dll","GenshinImpact_Data\\Plugins\\MTBenchmark_Windows.dll","GenshinImpact_Data\\Plugins\\ZFProxyWeb.dll","GenshinImpact_Data\\Plugins\\mihoyonet.dll","GenshinImpact_Data\\Plugins\\cri_ware_unity.dll","GenshinImpact_Data\\Plugins\\cri_mana_vpx.dll"],"1043":["d:\\gi\\dumper\\GIHook.dll","C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2201.10-0\\MpOav.dll","C:\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\\comctl32.dll"]}
{"107":["GenshinImpact_Data","cpp"]}
{"106":["UnityPlayer.dll","GenshinImpact.exe","GenshinImpact_Data\\Native\\UserAssembly.dll","GenshinImpact_Data\\Plugins\\InControlNative.dll","GenshinImpact_Data\\Plugins\\MTBenchmark_Windows.dll","GenshinImpact_Data\\Plugins\\Mmoron.dll","GenshinImpact_Data\\Plugins\\NamedPipeClient.dll","GenshinImpact_Data\\Plugins\\Rewired_DirectInput.dll","GenshinImpact_Data\\Plugins\\UnityNativeChromaSDK.dll","GenshinImpact_Data\\Plugins\\UnityNativeChromaSDK3.dll","GenshinImpact_Data\\Plugins\\XInputInterface64.dll","GenshinImpact_Data\\Plugins\\ZFEmbedWeb.dll","GenshinImpact_Data\\Plugins\\ZFProxyWeb.dll","GenshinImpact_Data\\Plugins\\chrome_elf.dll","GenshinImpact_Data\\Plugins\\cri_mana_vpx.dll","GenshinImpact_Data\\Plugins\\cri_vip_unity_pc.dll","GenshinImpact_Data\\Plugins\\cri_ware_unity.dll","GenshinImpact_Data\\Plugins\\d3dcompiler_43.dll","GenshinImpact_Data\\Plugins\\d3dcompiler_47.dll","GenshinImpact_Data\\Plugins\\hdiffz.dll","GenshinImpact_Data\\Plugins\\hpatchz.dll","GenshinImpact_Data\\Plugins\\libEGL.dll","GenshinImpact_Data\\Plugins\\libGLESv2.dll","GenshinImpact_Data\\Plugins\\libUbiCustomEvent.dll","GenshinImpact_Data\\Plugins\\metakeeper.dll","GenshinImpact_Data\\Plugins\\mihoyonet.dll","GenshinImpact_Data\\Plugins\\sqlite3.dll","GenshinImpact_Data\\Plugins\\widevinecdmadapter.dll","GenshinImpact_Data\\Plugins\\xlua.dll","GenshinImpact_Data\\Plugins\\zf_cef.dll","GenshinImpact_Data\\upload_crash.exe","GenshinImpact_Data\\Plugins\\ZFGameBrowser.exe","GenshinImpact_Data\\Plugins\\crashreport.exe"]}
{"9":["0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d-3-OSRELWin2.5.0"]}
{"103":["MpCopyAccelerator.exe","Lenovo.Modern.ImController.PluginHost.SettingsApp.exe","winpty-agent.exe","jusched.exe","acrotray.exe","debian.exe","Discord.exe","openvpn-gui.exe","ida64.exe","chrome.exe","NisSrv.exe","Skype.exe","Code.exe","GoogleCrashHandler64.exe","GoogleCrashHandler.exe","Lenovo.Vantage.AddinHost.exe","OneDrive.exe","JetBrains.Dpa.Collector.exe","WinSCP.exe","dumpcap.exe","TbtP2pShortcutService.exe","ThunderboltService.exe","sqlwriter.exe","OVRServiceLauncher.exe","TextInputHost.exe","openvpnserv.exe","OVRRedir.exe","JetBrains.Etw.Collector.Host.exe","remoting_host.exe","AGMService.exe","AGSService.exe","armsvc.exe","SDXHelper.exe","fsnotifier.exe","ServiceHub.IdentityHost.exe","node.exe","ZFGameBrowser.exe","ServiceHub.Host.CLR.x86.exe","StartMenuExperienceHost.exe","Microsoft.Alm.Shared.Remoting.RemoteContainer.dll","ShellExperienceHost.exe","PerfWatson2.exe","putty.exe","OVRServer_x64.exe","ServiceHub.Host.CLR.x64.exe","wireguard.exe","SystemSettings.exe","OfficeClickToRun.exe","Microsoft.ServiceHub.Controller.exe","Lenovo.Modern.ImController.exe","SearchApp.exe","JetBrains.DPA.Ide.VS.Backend.exe","TeamViewer_Service.exe","Y.Music.exe","Microsoft.Photos.exe","LockApp.exe","Lenovo.Modern.ImController.PluginHost.Device.exe","ServiceHub.TestWindowStoreHost.exe","MsMpEng.exe","Wireshark.exe","dynamichasher.exe","TOTALCMD64.EXE","GenshinImpact.exe","LenovoVantageService.exe","java.exe","ServiceHub.ThreadedWaitDialog.exe","ServiceHub.RoslynCodeAnalysisService.exe","ServiceHub.SettingsHost.exe","datagrip64.exe","MSBuild.exe","webstorm64.exe","explorer.exe","Telegram.exe","devenv.exe","vsls-agent.exe","YourPhone.exe","ServiceHub.VSDetouredHost.exe"]}
```

Linux (game version 2.6.0):

```
{"1195":["444::452.0"]}
{"1":["2.6.2"],"0":[3]}
{"1191":["C:\\windows\\system32\\winevulkan.dll;code:0x800b0100;sign:","C:\\windows\\system32\\vulkan-1.dll;code:0x800b0100;sign:","C:\\windows\\system32\\dxgi.dll;code:0x800b0100;sign:","C:\\windows\\system32\\d3d11.dll;code:0x800b0100;sign:","C:\\windows\\system32\\wbem\\wbemprox.dll;code:0x800b0100;sign:","C:\\windows\\system32\\winspool.drv;code:0x800b0100;sign:","C:\\windows\\system32\\xinput1_3.dll;code:0x800b0100;sign:","C:\\windows\\system32\\mmdevapi.dll;code:0x800b0100;sign:","C:\\windows\\system32\\winealsa.drv;code:0x800b0100;sign:","C:\\windows\\system32\\DINPUT8.dll;code:0x800b0100;sign:","C:\\windows\\system32\\bthprops.cpl;code:0x800b0100;sign:","C:\\windows\\system32\\xinput1_4.dll;code:0x800b0100;sign:","C:\\windows\\system32\\icmp.dll;code:0x800b0100;sign:","C:\\windows\\system32\\mfplat.dll;code:0x800b0100;sign:","C:\\windows\\system32\\mfreadwrite.dll;code:0x800b0100;sign:","C:\\windows\\system32\\rtworkq.dll;code:0x800b0100;sign:","C:\\windows\\system32\\propsys.dll;code:0x800b0100;sign:","C:\\windows\\system32\\XAudio2_9.dll;code:0x800b0100;sign:"]}
{"107":["GenshinImpact_Data"]}
{"106":["UnityPlayer.dll","GenshinImpact.exe","GenshinImpact_Data\\Native\\UserAssembly.dll","GenshinImpact_Data\\Plugins\\InControlNative.dll","GenshinImpact_Data\\Plugins\\MTBenchmark_Windows.dll","GenshinImpact_Data\\Plugins\\Mmoron.dll","GenshinImpact_Data\\Plugins\\NamedPipeClient.dll","GenshinImpact_Data\\Plugins\\Rewired_DirectInput.dll","GenshinImpact_Data\\Plugins\\UnityNativeChromaSDK.dll","GenshinImpact_Data\\Plugins\\UnityNativeChromaSDK3.dll","GenshinImpact_Data\\Plugins\\XInputInterface64.dll","GenshinImpact_Data\\Plugins\\ZFEmbedWeb.dll","GenshinImpact_Data\\Plugins\\ZFProxyWeb.dll","GenshinImpact_Data\\Plugins\\chrome_elf.dll","GenshinImpact_Data\\Plugins\\cri_mana_vpx.dll","GenshinImpact_Data\\Plugins\\cri_vip_unity_pc.dll","GenshinImpact_Data\\Plugins\\cri_ware_unity.dll","GenshinImpact_Data\\Plugins\\d3dcompiler_43.dll","GenshinImpact_Data\\Plugins\\d3dcompiler_47.dll","GenshinImpact_Data\\Plugins\\hdiffz.dll","GenshinImpact_Data\\Plugins\\hpatchz.dll","GenshinImpact_Data\\Plugins\\libEGL.dll","GenshinImpact_Data\\Plugins\\libGLESv2.dll","GenshinImpact_Data\\Plugins\\libUbiCustomEvent.dll","GenshinImpact_Data\\Plugins\\metakeeper.dll","GenshinImpact_Data\\Plugins\\mihoyonet.dll","GenshinImpact_Data\\Plugins\\sqlite3.dll","GenshinImpact_Data\\Plugins\\widevinecdmadapter.dll","GenshinImpact_Data\\Plugins\\xlua.dll","GenshinImpact_Data\\Plugins\\zf_cef.dll","GenshinImpact_Data\\Plugins\\ZFGameBrowser.exe"]}
{"9":["0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d-3-OSRELWin2.6.0"]}
```

As you can clearly see, there's a lot less information about the system in Wine's case (which makes sense). And the list of third-party libraries loaded into the process' memory (key '1191') is not only much larger (because none of Wine's libraries are signed) but it also includes winevulkan.dll, which is Wine's wrapper for Vulkan. Your Wine installation may or may not include one, but it probably does - at least that's the case for Debian/Ubuntu and derivatives.

I don't think there's any rational way to mitigate this issue (without things like a proxy server or deep game logic patching). Also, this is just one telemetry packet we stumbled across by pure coincidence; only a thorough analysis of all 1500+ packet types and god knows how many HTTPS requests can tell whether everything is safe.

So, just be aware: if you're running your game on Wine, miHoYo probably already knows (provided they are interested in it, of course).

Use this patch at your own risk!

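To make the report above easier to read on your own machine, here is a small analyser I wrote for this thread; it is not code from the project or from the original post. It takes the decoded dump in the form shown above (one JSON object per line, each value a list of strings), parses the `path;code:0x...;sign:Signer` entries, maps the `code` values to their standard Windows HRESULT names, and lists which Wine-only modules it finds. Only key `1191` is identified in the post; every other field label in `FIELD_LABELS`, and the Wine marker `winepulse.drv`, are my own assumptions, and the sample input is constructed from lines of both dumps.

```python
import json
import re
from collections import Counter

# Field ids seen in the decoded dump. Only "1191" (third-party modules loaded
# into the game process) is identified in the post; the other labels are my
# own reading of the sample contents and are assumptions.
FIELD_LABELS = {
    "0": "report type (assumed)",
    "1": "client version (assumed)",
    "9": "client build id (assumed)",
    "101": "kernel drivers (assumed)",
    "103": "running processes (assumed)",
    "106": "game files (assumed)",
    "1042": "game modules (assumed)",
    "1043": "other loaded modules (assumed)",
    "1191": "third-party modules loaded in process",
    "1195": "active window (assumed)",
}

# Standard Windows HRESULTs that appear in the "code:" part of each entry.
SIGN_CODES = {
    0x0: "signature OK",
    0x800B0100: "TRUST_E_NOSIGNATURE (file not signed)",
    0x80092003: "CRYPT_E_FILE_ERROR (file could not be read)",
}

# Modules that only exist in a Wine prefix's system32. winevulkan.dll and
# winealsa.drv are in the dump; winepulse.drv (Wine's PulseAudio driver) is
# my own addition.
WINE_MARKERS = {"winevulkan.dll", "winealsa.drv", "winepulse.drv"}

ENTRY_RE = re.compile(r"^(?P<path>.*?);code:(?P<code>0x[0-9a-fA-F]+);sign:(?P<sign>.*)$")


def parse_packet(text):
    """Split the decoded dump into (field_id, values) pairs, one JSON object per line."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        for field_id, values in json.loads(line).items():
            records.append((field_id, values))
    return records


def parse_module_entry(entry):
    """Break 'path;code:0x...;sign:Signer' into parts; code is None if the entry has no code."""
    m = ENTRY_RE.match(entry)
    path = m.group("path") if m else entry
    return {
        "path": path,
        "name": path.rsplit("\\", 1)[-1].lower(),
        "code": int(m.group("code"), 16) if m else None,
        "signer": m.group("sign") if m else "",
    }


def analyze(text):
    """Summarise what a decoded ClientReportNotify dump reveals about the host."""
    report = {
        "fields": [],          # label of every field present, in packet order
        "wine_markers": [],    # Wine-only module names found in the module lists
        "unsigned": [],        # modules reported with TRUST_E_NOSIGNATURE
        "code_histogram": Counter(),
        "processes": [],       # process names from field 103
    }
    for field_id, values in parse_packet(text):
        report["fields"].append(FIELD_LABELS.get(field_id, f"unknown field {field_id}"))
        if field_id in ("101", "1191"):
            for entry in values:
                mod = parse_module_entry(entry)
                code = mod["code"]
                label = SIGN_CODES.get(code, "unparsed" if code is None else f"0x{code:08x}")
                report["code_histogram"][label] += 1
                if code == 0x800B0100:
                    report["unsigned"].append(mod["name"])
                if mod["name"] in WINE_MARKERS:
                    report["wine_markers"].append(mod["name"])
        elif field_id == "103":
            report["processes"].extend(values)
    report["code_histogram"] = dict(report["code_histogram"])
    return report


# Constructed sample: a few lines taken from the Windows and Linux dumps in the
# post, mixed together so that every branch above is exercised.
SAMPLE = r'''
{"1195":["444::452.0"]}
{"1":["2.6.2"],"0":[3]}
{"1191":["C:\\windows\\system32\\winevulkan.dll;code:0x800b0100;sign:","C:\\windows\\system32\\d3d11.dll;code:0x800b0100;sign:","C:\\windows\\system32\\winealsa.drv;code:0x800b0100;sign:"]}
{"101":["c:\\windows\\system32\\drivers\\npcap.sys;code:0x0;sign:Insecure.Com LLC","c:\\windows\\system32\\drivers\\dump_stornvme.sys;code:0x80092003;sign:"]}
{"103":["explorer.exe","Wireshark.exe","GenshinImpact.exe"]}
{"9":["0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d-3-OSRELWin2.6.0"]}
'''

if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE), indent=2))
```

Paste your own decoded dump into `SAMPLE` (or read it from a file) and run the script: a non-empty `wine_markers` list is the tell the post describes, and `code_histogram` shows how many of the reported modules fail signature verification, which on Wine is all of them because the prefix's system32 DLLs are unsigned builds.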
r4m0n commented 2 years ago

If we can't filter that out, might be better to remove this ticket, as they might have not noticed that info yet... But yeah, we're all exposed.

Krock commented 2 years ago
Owner

The code that I am afraid of actually existed for a year or longer. Thank you for this information. It is in fact a very simple yet functional way to prove whether 3rd party apps (of any sort) were used, which is especially important to deal with non-F2P account matters.

Wine is clearly exposed here, even though covered as less obvious "Windows" system file. It would be possible to skip all system32 DLLs, but as you said "god knows how many HTTPS requests can tell if everything is safe".

This is again an important reminder that - unless there is an internal or official agreement - a ban wave is possible. After 484 days and counting, I really hope nothing will change.

Miga commented 2 years ago

Just my two cents here but I almost want to say that it's guaranteed that it's been at least noticed (@r4m0n's comment). I feel like they wouldn't just add something like this and leave it alone. It really boils down to whether they're interested in chasing after it or not. Considering 1.5 was a year ago and nobody's been reported to have been banned simply for playing the game via Wine, it might be safe to assume they're not interested for now (and hopefully that doesn't change) and would rather chase after those actually cheating vs. those just trying to play the game as intended on a different OS.

zeGolem commented 2 years ago

> would rather chase after those actually cheating vs. those just trying to play the game as intended on a different OS.

Yeah, maybe they use this as a factor to scrutinize our accounts more closely, but as long as no one uses this project to cheat (please don't), I don't think they'd have a massive ban wave, especially considering some of the accounts using this are non-F2P…

Edit: One question though, if it's not too sensitive to share: How do I check if I'm affected by this? I'm on Arch, using Lutris, does that leak the winevulkan dll?

Miga commented 2 years ago

I imagine it does. I'm using Lutris on Debian which has winevulkan in its system32 folder (pretty sure all versions of Wine on Lutris will).

Also, another point: the game works fine on a Pixel 5 running LineageOS and rooted with Magisk (and not passing SafetyNet because I really don't need it to)... so that tends to make me think they're lenient on just being able to play the game normally even if you're on a custom OS. I do understand that the Android version doesn't require patching to get it to work, but there's at least some comparison...

zeGolem commented 2 years ago

> that tends to make me think they're lenient on just being able to play the game normally

From all this, I'm getting the feeling they're no longer putting active effort against people running the game on unsupported configurations… which didn't make sense to me in the first place, but oh well…

I think that as long as the project officially condemns the use of cheats, and isn't widely used for nefarious purposes, there is no real reason to worry, and I don't think they're going to go after us. It feels to me that overall, the game isn't as popular as during the launch hype phase, and if they want to keep the game relevant, it's in their best interest to avoid cutting people off from playing the game. Sure, the Linux community isn't that big, but it's big and vocal enough that cutting us off for no apparent reason is, I think, not worth the risk for them. I don't think they'll back down on the anticheat or provide a native version any time soon, but I don't think purposely banning us all is in their plan either.

(I do realize that at this point this has really nothing to do with the original issue, so feel free to delete this if this is too off-topic, but I do think it's still important to talk about this kind of stuff, and reconsidering the purpose of staying underground in the first place, maybe we should make a separate issue?)

Coming back on topic, if there is a workaround to spoof this packet or something like that, it'd be a good nice-to-have, but I wouldn't consider it a priority right now. It's been fine for ~500 days at this point, they're not going to take action retroactively over that big of a period of time, and I don't see any reason for them to start acting on this now. If they really wanted Linux users off their game, there most likely would have been other techniques to flag us.

Krock commented 2 years ago
Owner

These speculations provide no use. They are nothing but wishful thinking.

I suggest to carry on as before and deal with issues when they appear. Thank you.

kumik commented 2 years ago

I'm well aware of the risks of running the game on Linux. What made me try the patch in the first place was the fact that I convinced myself to believe that if I get banned, it will make me stop playing the game, and therefore "fix" my gacha addiction.

Deep down I really hope this won't happen, and they release their own Linux version before that.

ZAGON commented 2 years ago

I'd also like to add this: I'm sure many of us at least buy Welkin or something; perhaps they are happy to take our money? The company also has more to worry about than a small community; if this becomes more popular they might focus on it, but at the moment it's probably fine. If anything it is somewhat reassuring on that front, if they know but still haven't done anything about it.
