The major Dark Souls exploit that forced Bandai Namco to pull all PC game servers offline in January has been publicly disclosed, as previously promised.
The PvP servers for the PC versions of the Dark Souls games were turned off in January, following the discovery of a severe remote code execution (RCE) vulnerability, which was said to allow abusers to take control of other players’ PCs.
Nearly two months later, they remain down, and one of the people behind the discovery of the vulnerability has now publicly disclosed details of the exploit, after Bandai Namco released a statement claiming it would fix the issue.
The user was initially planning to share the exploit before the release of Elden Ring, but told VGC they instead decided to hold fire on their plans so they could play finish Elden Ring first “instead of reverse engineering it day one”.
Elden Ring – the VGC review
The public disclosure, which has been shared on Github, contains proof of concept code and documentation for the RCE exploit that forced From Software to take the PC servers down. According to the description, the vulnerability is confirmed to be present in Dark Souls 1, Dark Souls Remastered, Dark Souls 2 and Dark Souls 3.
Although the vulnerability has not been confirmed for Demon’s Souls it is said to be “very likely”, and it’s also confirmed to be in Sekiro but there’s allegedly no way to trigger it.
However, the person who discovered the exploit has confirmed to VGC that it appears to be “completely fixed” in Elden Ring.
According to them, LukeYui – the developer of fan-made Dark Souls anti-cheat software Blue Sentinel – “sent From Software a huge document documenting many other Dark Souls exploits, including both security vulnerabilities like out of bounds reads/writes and in game exploits such as banning other players, editing their game data, etc.
“To my surprise, they fixed every single one of them in Elden Ring, which is amazing,” they told VGC.
They do point out, however, that the Easy Anti Cheat implementation in Elden Ring “is heavily flawed and can be trivially bypassed in multiple ways.”
They explained: “Even if the simple bypasses are patched, it would require a full rework to make proper use of all EAC features, which is absolutely necessary for it to be effective.”
As reported by VGC last month, the person behind the discovery of the RCE said that they had made Bandai Namco aware of it over a month earlier, and that neither the publisher nor developer From Software acted upon the warning until its discoverer demonstrated it in a public Twitch stream last month, as seen here:
In a statement published shortly afterwards, Bandai Namco confirmed that online services for the Dark Souls PC games would remain offline until after the release of Elden Ring on February 25, as it worked to fix the exploit.
“We want to thank the entire Dark Souls community and the players who have reached out to us directly to voice their concerns and offer solutions,” it said. “Thanks to you, we have identified the cause and are working on fixing the issue.
“We have extended the investigation to Elden Ring – our upcoming title launching on February 25th – and have made sure the necessary security measures are in place for this title on all target platforms.
“Due to the time required to set up proper testing environments, online service for the Dark Souls series on PC will not resume until after the release of Elden Ring. We will continue to do everything we can to bring back these services as soon as possible.”
However, while the investigation appears to have fixed the issue for Elden Ring, the Dark Souls PC game servers remain down, meaning players have been without online access for nearly two months.
