Thursday, March 16, 2006

Civilization 3 Complete PBEM exploit

I said to the group:

Fellow Civ 3 Complete players,

I have discovered a fairly simple exploit that makes it possible to cheat against other human players. That's why I resigned my game against Marion, because I tested it out in the game against him. I never sent him a cheat-based turn. I resigned as soon as I knew I could cheat against him. Maybe you all know about this exploit already and have discussed it extensively in the past. I submitted a bug report to Firaxis via their website on 3/7, asking them to patch the exploit. I added: "I used to work at a software company, so I know that patches can take a long time. Please let me know what your timeframe is, otherwise I'll need to publicize this so that no players are taken advantage of. And, thank you for the great game."

That was over a week ago, and other than the automated thank-you, there has been no email from Firaxis. So my question to the group is: Should I describe the exploit? If I do, and if you're not already familiar with it as a community, there would seem to be three possible paths forward:

1) Honor code (hard to enforce, so I don't favor it)

2) Modified honor code (allowing restricted use of the exploit in a way such that crossing the line could be detected -- the option I favor)

3) Anything goes (I don't favor this option).

I am very new to this group, so I have no familiarity with the players, but my intuition tells me that someone must be making use of the exploit unbeknownst to the rest of us.

They replied that a patch was unlikely, given how old the game is now (version four is already out), and said to go ahead and describe the expolit.

I replied:

Thanks for the feedback. Yes, I guess it is an old game by now. Those of you with C4, please check and see if the exploit still exists in that version.

The exploit relates to the player password not being encrypted. It's stored in plaintext the saved-game file used in PBEM1. I used a file comparison utility (but really, any file editor would work), and searched for my password. It was there, right near my game name, (brainhell). So then I searched for Marion's game name (O'Shaughnessy), and found that. His password was right nearby, and when I tested it on the file I was about to send him, it worked. I was able to view his empire, his research, see all his units ... it was as if I were him.

(Marion -- I found out that your wretched desert island was joined by a long, narrow neck of land to my greener end of the same dumbell-shaped island. You had a spearman and a warrior and had just moved a settler out of your capitol. You were researching iron working and building another spearman. There had been a barbarian to the southwest of your city, but you zapped him. This is the game where a goody hut turned into a new city for me. Given that all you had was desert, and I had the greener end, I don't think the AIs would have mattered much, and I think I would have had the advantage. But we'll never know. I will try to upload a screenshot of your empire.)

Given what I had seen, there was no way I could just put the knowledge out of my mind and play on.

So, assuming that there will be no patch, several options present:

1) Honor code against looking at passwords.

2) Snooping on other human players is allowed, but not attempting to change the enemy empire. This one stinks because sneak attacks are almost impossible, for one thing.

3) Any cheating is allowed.

Basically, all three of these options stink. I hope that it will turn out that passwords cannot be sniffed in C4 PBEM files.

Let me know what you folks think, please.

In the meantime, I am interested in playing some real-time games via IP address. There's no passwords involved there (so far as I know -- never having played one).

Left grip is 27 pounds (19, 22, 27), right grip is 73 pounds (59, 65, 73), inhale volume is 3450 mL.

Play By Email
Weblog Commenting and Trackback by