Half Life 2 Source Code Leaked

Pyroman[FO] writes "Gamers with Jobs is reporting that the Half Life 2 source code is floating around the net right now. It looks to be about a month old. There's no official word from Valve on the source code leak yet. Unfortunately those who want to use it to cheat already have it, we need to get the word to legitimate customers to educate them about the situation." Update: 10/02 21:51 GMT by S : Valve's Gabe Newell has an official statement, via ShackNews/HalfLife2.net, indicating "infiltration of our network" and appealing for information on the culprits.

One Word:

[Digital11]

Wow.

That's quite a big deal to have leaked. Unfortunately the article is down to I can't RTFA, but is this just the SDK source code or the whole friggin thing?

If it's the whole thing think of how much jeopardy that puts them in with the people they've licensed technology from (such as the Havok physics engine, etc).
Again I say, Wow.

"use it to cheat?"

[dnoyeb]

Aren't we past security through obscurity by now? Or is that just applied to Microsoft.

Re:Pascal

[cybercrap]

Mod this shit up. Actually got a chuckle on this one.

Re:One Word:

[Moonshadow]

I got wind of this earlier this morning. There's a big thread on it. So far, those looking at it believe it's most likely a heavily-modified HL1 SDK, or something. Not sure if it's a hoax yet. Of course, they're gamers, not coders.

Thread here [halflife2.net].

Be interesting to see what the verdict of the Slashdot code gurus is.

Does this guarantee a Linux port now?

[pecosdave]

I mean, not like they have way to much of a choice right?

Re:Look on the bright side

[Gudlyf]

What's so funny about that? That's probably all this is -- leaked source that was sent to modders. I thought I read somewhere that Valve had done that. So really, the code's probably worthless to anyone not doing modding (i.e., no models, sounds, textures, scripting, etc.)

Re:Open Source now?

[adrianbaugh]

Not a bad idea. By allowing other people to port the code to different OSes they could get some instant karma, save themselves some effort and get a bigger potential market all in one go. After all, people would still have to buy the game to get the datafiles.
The only problem is if the code contains third-party stuff like sound modules, physics engines etc.

Re:You know you're on Slashdot when...

[Lord Kano]

There are two possible widespread problems that come with the release of the source. 1. is making it easier for people to produce cheats, 2. is that people can reverse engineer cd-keys, that will lead to piracy.

But source code and source code alone does not a great game make. There are models, textures, maps, config files and myriad other items that the finished product contains that the source archive will not.

You're not going to see people rolling their own pirate releases of HL2 just because of this code, but it could help people to rip off the full version, once it's available.

LK

License

[Chris Canfield]

Valve makes money from three sources: Sales of their games for sake of their games, sales of their games to support mods (such as counterstrike), and sales of their engine to other companies to create their own game. Because the art resources weren't leaked with the source, sales of their own game for their own sake will not be hurt. The other two cases are a little more interesting.

Sales of the engine may be hurt, or it may be helped. Certain companies may wind up "doing the wrong thing" and incorporating Valve code into their own, but no major player would be caught dead doing such a thing. I expect that snippets of that code may find its way into the wild due to overtasked programmers trying to make their game the best it can be, but such snippets wouldn't have equalled a sale, they simply mean fiercer competition. And with the increased visibility, companies can now know the quality of the code that their 500 grand will be buying. True, being released into the wild may reduce the perception of value, but with the availability of the code this may still lead to increased sales.

Modders are a different story. Without economic interests compelling them to buy a license, they might begin releasing compiled binaries of their work to the community without requiring a half-life 2 license, which would cripple Valve's sales numbers. But on the other hand with access to source, modders could create more extensive and more active modifications, creating original features instead of mere graphical facelifts. If these code modders require the original game to be playable, it could lead to a real renissance in modding and a tremendous boost in sales for Valve.

I can see how this may possibly turn out to be somewhat damaging to Valve, but I can't see how this is one of the four horsemen of their apocolypse. The head of the man who intentionally leaked the code should roll (if it truly was intentional), but it is way too soon to declare this the end of the company. Under closer analysis, it may even be a boon.

I doubt it.

[dmaxwell]

This is not a sanctioned code release. It would be just about impossible to build a development community around it. Anything made with it would be warez. I suppose its possible some tight knit group of geniuses could adapt and "spread" the work but I wouldn't hold my breath. There would be inevitable bugs and no good way for the clandestine developers to get feedback.

Contrary to SCO's opinion, unclean code doesn't help Linux at all. The best thing to do is just avoid that source like the plague. It would legally contaminate anyone who even had just had it much less looked at it.

Re:MaxClients

[tcopeland]

> what happens to a loaded server with
> MaxClients set too high

Right, it starts swapping since more child processes are forked than can fit into memory. As other posters have suggested, Apache's MaxClients needs to be aligned with MySQL's max_connections configuration.

Re:You know you're on Slashdot when...

[Leffe]

The leak includes Havok 2, Miles Sound System, 3DSM plugins, etc...

I think Valv^E will be pretty poor after this.

Re:Does this guarantee a Linux port now?

[SmallFurryCreature]

mmm, hadn't thought of that. Certainly if it contains a relativly recent version of the code a port shouldn't be that hard. (no I couldn't do it but there are far smarter people then me out there)

As for the legality. Well if the porters didn't steal the code and don't claim copyright on the port then it might even be legal.

After all translating a letter you found in the street is not illegal is it?

Ofcourse valve is not going to like people having a good look at their code but well they should just have taken better care. Loosing this is really really stupid. Of course if someone really stole this then they are in for a world of hurt.

Anyway it has happened, might as well make the best out of it. It is not like ID was ever hurt by their games being easily copied or releasing the code (granted years later but still)

After all this is just the code. NOT the game.

Re:Does this guarantee a Linux port now?

[rastachops]

Or one step better, a Mac port!! Thats the one game that i'd love to be on OS X...

This is BAD!

[digitalwanderer]

I'm feeling bummed going thru the source code, this is looking legit and some script-kiddies are going to have a field day with this! :(

Anyone wanna bet that Valve is going to delay the hell out of Half-life2 over this? Or that it was leaked because Valve didn't release the benchmark on the 30th?

Oh boy. :rolleyes:

Finally

[pmz]

we can determine the exponential rate at which the number of bugs in open source software decreases.

IT COMPILES

[W2k]

Someone already managed to squeeze a HL2.EXE and TF2.EXE out of the source. Behold:

http://www.devils-children.com/hl2_1.jpg [devils-children.com]

It's being picked apart in #HL2-Source on irc.quakenet.org at the moment. Fun fun.

Please

[tomblackwell]

That's the lame excuse offered by lazy people who don't want to learn their own language.

Don't forget the value to competitors

[Len]

Another worry with the leaked source is that it's possible for competitors to rip off Valve's fancy new game engine. Any proprietary techniques in the code aren't secret any more.

And here's the first DOS attack from the source

[Anonymous Coward]

The buffer handling in their socket code
(Tracker/common/Socket.cpp) makes many
assumptions. Notice how they have incomplete
state for split packets:

if( *(int *)&buffer[0] == -2 ) // its a split packet :)
{
int curPacket=0,offset=0;
SPLITPACKET *pak =reinterpret_cast<SPLITPACKET *>(&buffer[0]);

if(m_iTotalPackets==0) // this is the first in the series
{
m_iTotalPackets = (pak->packetID & 0x0f);
m_iSeqNo = pak->sequenceNumber;
m_iRetries=0;
m_iCurrentPackets=1;// packet numbers start at zero, total is the total number (i.e =2 for packet 0,1)

curPacket= (pak->packetID & 0xf0)>>4;
}
else if (m_iSeqNo == pak->sequenceNumber)
{
m_iCurrentPackets++;
curPacket= (pak->packetID & 0xf0)>>4;
}
else
{
m_iRetries++;
if(m_iRetries>MAX_RETRIES) // make sure we give up eventually on fragments
{
m_iTotalPackets=0;
}
return; // TODO: add support for multiple fragments at one time?
}

What faith in proper sequencing!
It would take a child 5 minutes to write a
netcat exploit for this. Why, here's a child
right here....

Remember: Many shifty eyes make all exploits
shallow.

Re:Any chance that...

[Mortanius]

It's an interesting thought, and perhaps this would be about the only way to start something of this nature.

Company A makes a great game for Windows that people absolutely love. Linux community begs for a port, but A doesn't want to spend the time. Someone gets their hands on the source code to the game and widely distributes it, to the point where it's everywhere. It's not feasible for A to try to legally crush the people who have the source, since they're simply too many, and decide to cut their losses and support them. The company provides further support, helps to organize work, etc. using the open-source community to help build their Linux version. In the process, bugs are found and patches are released for the Windows version while the Linux port is being worked on.

Idealist? Of course, there'll be many arguments by GPL zealots and so forth. Still an interesting thought though.

Re:No it wouldn't

[SpiffyMarc]

Your analogy is flawed. Reading the source code to the program would be like having the sheet music, or the outlines/notes the author used when writing the novel.

Your analogy would only work if the programmer was playing the game/using the application, not looking at the source code.

It is NOT OK

[Anonymous Coward]

UMM no it is not. If the source is basically stolen then you are guilty just by reading it. You are contaminated because it is then up to you to PROVE that you did not use the illegal code as a base for any software written by you in the future.

Contains GPL'd code ...

[polyp2000]

I have downloaded the code and taken a quick peek, It does indeed seem to be legitimate. More disturbing though is , a simple grep through the code tree reveals that this leaked source tree contains gpl'd code .

files in these directories contain such code for example ./ivp/havana/havok/hk_math/ ./utils/vmpi/mysql/include/

It would take someone a little more clued up than I to verify that this code is actually used in a binary release.

Someone should take a closer look.

It's all over for STEAM, at least for some time.

[dnaumov]

unsigned char md5[16]; // Client's launcher.exe hash value (for versioning)

I guess Valve will have come come up with a new authentefication system...

Re:Any chance that...

[mccormick]

This situation has actually happend before. Dave Taylor (ddt) of the long now defunct crack dot com (and of Abuse and Golgotha fame) did the original port of Quake to Solaris (or some non-exactly-gamers-first-choice platform.) However, the machine with the code on it got cracked and the code become widely distributed (this was years before id officially released & GPL'd the code.) A Linux enthusiast got his hands on the code (it wasn't a hard thing to come by at the time), did a succesful port and actually sent it back to id. Not sure what happend there after, but I do know that ddt continued handling the un*x ports at id for awhile thereafter.

Re:Linux port

[paranode]

What's really interesting is in the src_main directory there is a linux subdirectory that has Makefiles for Linux.

Header:
#
# Half-life Makefile for x86 Linux
#
# Feb 2001 by Leon Hartwig (hartwig@valvesoftware.com)
#

Perhaps something good coming our way? Or maybe just a dropped endeavor... one can only hope.

Falcon 4.0's Leaked Source Code

[mnemonic_]

Falcon 4.0, a landmark achievement in consumer flight simulation technology had its full source code leaked several years ago. What happened aftewards?

Nothing for several months. People went about playing Falcon 4.0 as they did before. Then a user posted a single screenshot to the combatsim.com fora. It showed the Falcon 4.0 options menu, except with some rather peculiar options-- 3dnow! support, 32 bit textures, object texture filtering, DirectX 7 support, and some others. Falcon 4.0 did not ship with support for said features, so either it was an edited screenshot or the user had modified the source code. Then the actual executable was released. It was real, the engine enhancements worked.

Development of the leaked source code exploded shortly after that. A team known as eTeam (the executable was called eFalcon) was created to work on it, devoted to closing the numerous memory leaks, and improving the overall realism and performance of the game. The improvements were incredible, bringing a game released in 1998 to a 2001 state, competitive (or far superior, which was most people's opinions) to simulations released that year. The game's publisher ignored this for a few years.

The game's publisher then put its foot down. It said that all development of the leaked source code had to be ceased. Quickly though the community reached an agreement. It managed to convince the publisher to allow continued development of the leaked source code, as long as the publisher maintained all rights to all of the community's work and was not required to compensate the actual contributors. The result was the Falcon 4.0 Unified Team [slashdot.org], composed of most of the eTeam members (not all though, some refused to join because of the constrictive agreement) as well as many from the Realism Patch group, a non-source code team focusing mostly on realism enhancements. The F4UT has succeeded in making hundreds if not thousands of changes to Falcon 4.0, ranging from technical (graphics engine, campaign engine, AI, sound engine, etc.) to gameplay (new flyable aircraft, dogfight AI improvements, numerous miscellaneous tweaks etc.) to other content (re-done textures, models, sound effects, completely new cockpit art, etc.). The F4UT finally brought Falcon 4.0 to what its original developers intended, not only simulation of F-16 combat, but a true military aviation experience taking place in a dynamic computer simulated war.

How does this relate to Half-Life 2's source code being leaked? Well, sometimes leaked source code can lead to greater things. After the Falcon 4.0 source code happenings, the full source code, including the graphics engine, network code etc. of a few simulations (Enemy Engaged Comanche Vs. Hokum, MiG Alley, maybe some others) have been released to the public. Maybe this practice could spread to other game genres.

Steam included?

[Man Eating Duck]

I've had a look at the source, and although I'm far from an expert C++ coder, it doesn't seem to me that the Steam code is included. There is, however, a 'steam.lib' file in there.

If I understand the workings of Steam correctly, it handles authentication, and also includes mechanisms for controlling the integrity of game files. Ie there's no way you could use a hacked version of the engine for your cheats, and still authenticate through Steam.

<tinfoilhat reinforced with lead>

Maybe they intentionally leaked a (mangled?) version of the source just to prove that Steam has its virtues when it comes to dealing with hacked executables?

</tinfoilhat etc>

GPL code found in source

[W2k]

The leaked Half-Life 2 source contains GPL:ed code. Makes one wonder, would we ever have known it was there if it wasn't for this leak? Or were Valve planning a sneaky GPL violation?

Here's the beginning comment from "hl2_src\src_main\ivp\havana\havok\hk_math\odesolv e.cpp":

/*

Dynamics/Kinematics modeling and simulation library.
Copyright (C) 1999 by Michael Alexander Ewert

This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Library General Public
License as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.

This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Library General Public License for more details.

You should have received a copy of the GNU Library General Public
License along with this library; if not, write to the Free
Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

*/

Re:Contains GPL'd code ...

[Anonymous Coward]

Assuming Michael Alexander Ewert [google.com] is the author who LGPLed it in the first place.

The weird thing is that if it's LGPL it should be "out there", right? But a search for his name with the addition 'odesolve [google.com]' give zero hits.

You're probably right, but it's worth digging until there's certainty. I haven't been able to find any public source matching the one GPL'ed. Not that there must be one, but...

Re:IT COMPILES

[Anonymous Coward]

Best Windows IRC client out there. I mean, what would you use? pIRCh?

(yeah, there's BitchX and XChat ports, but mIRC wins on functionality.)

If this is the HL2 source...

[Blackice912]

Why are there comments about Quake in it? Below is comments from a random file I opened (common.cpp), no code:

/*
All of Quake's data access is through a hierarchical file system, but the contents of
the file system can be transparently merged from several sources.

The "base directory" is the path to the directory holding the quake.exe and all
game directories. The sys_* files pass this to host_init in engineparms->basedir.
This can be overridden with the "-basedir" command line parm to allow code
debugging in a different directory. The base directory is
only used during filesystem initialization.

The file contains more refrences to Quake as you go on.

This is horrible ...

[snowtigger]

No matter how much I love open source programming, I can't help feeling really sad for Valve. The gaming market is such a competitive place and this is really the worst thing immaginable. It must be absolutely horrible for Valve to see man-years of work fly out the window. Recent posts have talked about different risks, but I think the potential rumors on "HalfLife2 sources are leaked, so there will be too many cheaters" are a lot worse from a marketing and reputation perspective.

As for you GPL programmers, there is already a lot of interesting code out there to play around with. I cannot express in words how thankful I am to different companies letting me play with their products such as Quake2 by id. I think they deserve making money on their hard work and heavy risktaking. GPLing such code is giving me a present I could never make up for.

As I'm quite fond of snowboarding, I ended up working on the Soul Ride snowboard game engine [sourceforge.net]. It would take me years to reproduce the same code on my own. Even if noone ever uses my changes, I really enjoy working on it and it's fun showing my changes to (geek)friends.

Open source is fun to play with. Stolen code just isn't. The whole idea of open source code is built on honesty and solidarity.

Anyway, good luck Valve, I'll buy the game when it comes out. Also, I will enjoy working on the real source you may GPL in 5-10 years, not this leaked one.

(I'm sure some slashdotters won't like what I write, but I've got karma to spend...)

Re:If this is the HL2 source...

[Jagasian]

Doesn't this mean that Valve has been caught lying? They claimed that the Half-Life 2 engine was written from scratch. Id Software should be upset if Vavle is releasing an engine that uses Id Software code, without paying. If Vavle's Half-Life 2 code has GPL or unlicensed Id Software code in it, then I don't feel sorry for them. If such is the case, then they are criminals too.

latest rumours(?) on leak

[mutewinter]

Apparently the source code was stolen in some type of hacking attack as opposed to being leaked. Stolen passwords, DoS, outlook exploit, I guess we'll only know for sure in the coming days. I think that the implications for this are larger than many people realise. Back in the Doom days, I strongly believe a pre-release leak of the Doom or Build engine could have been a complete disaster. The question is now, how much will this financially hurt, or even benefit valve? Valve has been very supportive of the Mod community, and its practically an axiom that mods made HL the success that it is today. So.. if a game that is open to modding is far more beneficial to everyone ( long-term sales, a *really* big bang for your buck, creation of hobbies that build careers for others (CS, DOD), can a leaked source code be even more beneficial? I really hope so.

Re:Completely legit, response from Valve

[DavittJPotter]

Yeah, funny that a company developing a FPS game for Windows would use the most common MS applications. "Oh, I'm sorry, Half-Life 2 doesn't run on a machine with Outlook installed; you'll need to switch to Mozilla, the open-source browser/email client."

"Uh, what?"

Right. "Hi, I'd like to return this game, it doesn't run on my computer."

Outlook !== BAD *if* you have good sysadmins and keep up on your patches. The buffer exploits in the preview pane have been patched for some time. Thanks for the typical Slashdot attitude, though. MS fucks up plenty, but don't blame them when the fix is readily available.

Security thru obscurity ppl are missing the point

[moebius_4d]

Saying over and over again that "security through obscurity" is bad is missing the point. That phrase means that simply not telling people how you protect yourself is not much of a defense, because a clever attacker can figure it out. To be safe, you need to be able to tell the potential attacker exactly what you have done (if not the exact key, etc.) and still have reason to believe that he can't compromise your security.

But none of that applies here.

First of all, you are actually not trying to protect the server. The client is actually allowed to send all the data that a hacked/aimbot/etc client sends. The limitation is supposed to be that the client is operated by human skill instead of a program. So what you are really trying to protect is the client. (Yes, some things like looking one way and firing another, too rapid/accurate turns and shots can be detected server side, but for the purpose of detecting a hacked client. Again, it's about securing the client.)

Now the problem with this is, that it's impossible. The client is in the hands of the enemy. By definition all your security is through obscurity, since the client can be disassembled, its memory can be watched as it runs, etc. There is no other kind of security on the client besides obscurity, short of some Palladium-like thing.

If you have a better idea, don't waste it on a game, because it's worth around a billion dollars to the right people these days.

So I wish all the knee-jerk posters would lay off smugly saying that there's no security through obscurity so they get what they deserve. You need to put down the pipe and think it through.