PlayerScope, plugins, and Dalamud's fate

When I “fought” GShade almost two years ago, a lot of my work in that timeframe made its waves across the FFXIV community. I had learned firsthand what it felt like to be capital-letter Known, and also what it felt like to have a lot of your friends mad at you. While my friend groups cheered me on and random community members praised my work, the Dalamud maintainers and moderators I was friends with weren’t as happy.

I was booted off of the Discord server’s support team, and the server banned discussion of the current events completely. This was a really harsh reality for me to face - I had derived a lot of individual meaning from my ability to help (especially on chaotic patch days), and my attachment to the project in any form was eliminated right then and there. This led me down a difficult few months when my respect was earned in the wrong place I wanted it - I wanted my peers to trust me, not random people on the internet.

I’m a different person now, with a better outlook on my drive for creation, and I’ve rebuilt most of my trust with those people. I have since learned to not do what makes me feel like I’m “part of a community”, and instead focus on what makes me and others happy the most. I’ve mostly stopped contributing to Dalamud and XIVLauncher, and I put my attention towards building other software that makes people happy (with notable examples being Slop Crew, moonlight, and GDWeave).

While I’ve had a few other moments since, I learned to quiet down and not stir up unneeded drama. I took the impression from the scorched-earth policy on discussion that most Dalamud maintainers did not want to poke at the community’s monthly drama.

Many, many things would pass since then. Despite all that time, we’re seeing another one of those moments - a somewhat-unified dislike towards a project’s goal, stirring up enough discourse to make it to PCGamer.

The project is known as “PlayerScope”, a custom repository Dalamud plugin, and the goal of it is to correlate alts of players using an account identifier sent to the client. This would catch me off guard seeing the Dalamud maintainers publish a statement on it, which means things have gotten truly dire, in my eyes. This is a stark contrast to the handling of the GShade incident - of course, brought upon from the fact that it’s more relevant to Dalamud itself - but still unusual for their patterns of communication.

This feels oddly familiar to everything I witnessed two years ago, except now this has a direct privacy issue tied into it. The stakes are much higher, and I watch over this kind of turmoil - one not focused on a group of players’ actions (like with most drama), but rather a piece of software itself - and I fear for the future of our ecosystem.

How did we get here, anyway

For the readers here that somehow do not know what I’m talking about - meet XIVLauncher. XIVLauncher is a custom launcher for FFXIV, most known for the in game plugin system named Dalamud. Dalamud is considered a third party tool, and third party tools are against the terms of service for FFXIV. Despite this, there are a lot of Dalamud users. As I write this, over 20,000 people are connected to Mare Synchronos (a project I’ll talk about in a few paragraphs).

When I started playing FFXIV, sometime around the release of Shadowbringers, I was told by the friend that got me into this game about this cool launcher that adds some quality of life features. I was explicitly told to not talk about this in game - it being against the terms of service and all - and moved on with it. Dalamud was decently well known back then, but not at the numbers that we know today. (For the record, nobody knows of the actual number of Dalamud users minus the maintainers.)

A bit before my time (I want to say 2020 or so), Dalamud was very simple. Zip files of plugins were submitted to the repository (there were no custom repositories), and the concept of “dev plugins” was a folder you copied DLLs into. Plugins were simpler, with us holding less understanding of the game client and jankier APIs to use. (Does anyone else remember UIDev?)

Dalamud would add custom repositories sometime later, allowing developers to host their own plugin lists without having to get direct approval from the Dalamud team. I like how this system works (I even took the idea for my Discord client mod), but it also inherently opens a hole for malicious actors to make plugins with questionable morals. Custom repositories play an important part in this story, as a lot of plugins that get the attention of users (like Penumbra) are distributed on a custom repository. Nowadays, they are essential to learn how to use for anyone wanting to mod assets.

The unfortunate truth is that these custom repositories have been boiled down into simple guides so much that some users don’t realize they’re even different. From my time providing support in the Dalamud Discord server, a fair share of users didn’t even understand where some of their plugins came from, or what we meant by “disabling third party plugins”. We’d eventually adopt the term “custom repository” instead, because people would argue that Dalamud itself is technically third party to the game.

Nowadays, people will hear about popular plugins, want to install them, and follow an installation guide that dumbs down all the security risks they should be thinking critically about. Dalamud plugins are just code, and they can do anything on your computer. Some users don’t care, though - they just wait the 15 or so seconds for the prompt to go away, and add a URL that downloads and executes unverified code on their machine.

Most users I’ve seen do not realize that they need to trust the developer of the plugins they install. For the official repository, this is fine because every plugin is audited and built from source (I helped build that!), but custom repositories can be made by anyone, and the deployed binaries don’t even have to match the published source code of the plugin. This isn’t an issue for the big name plugins from trusted developers, but the act of adding a repository is so trivial that it’s hard to remember you have to trust the developer of every single URL you add.

The community has dumbed down being able to run arbitrary code too much, in an attempt to optimize away having to answer questions. Countless YouTube videos and crusty looking Carrds serve as shorthands to be linked to - a codex of every possible question and issue one could have when installing custom repository plugins, in an attempt to be accessible.

Should we really be trying to optimize for clueless users? Should we really be trying to focus our efforts on user accessibility at all costs when the users in question don’t know what they’re getting into? Some may call this gatekeeping, but I firmly believe that we shouldn’t be trying to build software this way. The patterns and behavior we establish as common place for these users matter, and the imprint we leave on how to interact with Dalamud and what is “safe” is extremely important. There is a bar that has to be set somewhere.

The dead practice of staying hidden

Over time, the number of Dalamud users concerningly grew. In the past, most people used common sense and didn’t talk about their use of plugins in game, or linked their online modding persona to their in game character information. I do not think the community has this skill anymore!

As time went on and Dalamud became more popular, people started doing the unthinkable and talking about plugins in game chat. Hell, half of the North American Party Finder experience is linking your Tomestone.gg profile when forming a party nowadays. We as a community have developed a dangerous habit of announcing a bannable offense right where it can be recorded.

Most people I ask about this say that it’s okay if it’s in a /tell or Free Company chat, but I strongly disagree. The fact that you can or can’t be reported does not mean a lot when Square Enix has already logged you admitting to breaking the terms of service. I have seen a lot of people just directly not care about this, and I struggle to understand why.

I’ve talked to a lot of friends I know who are guilty of this, and I have yet to hear a coherent reason to justify willingly “video-game-TOS-incriminating” yourself. A common argument I hear is “I wouldn’t care if I got banned”, which must be some sort of denial given the people I talked to have sunk several thousand hours into this game.

I largely attribute one of the big players in this change in mindset to Mare Synchronos. For the unaware, Mare is a plugin that enables you to sync your character mods in real time with other players. You can enable a mod or change your outfit clientside, and it will sync to every other person you’ve “paired” with in real time. (This is also a very concerning security issue given that the file parsers for this game are not good, but that’s a discussion for another day.)

Mare (and the greater asset modding scene) is a very big draw towards this part of the ecosystem, given the infinite customization options it awards you, and being able to show those options to your friends. The official instructions for Mare has always been to only pair with who you trust, but again, users do not care. Mare features a system called “syncshells” which allow you to sync an entire group together at once. Of course, this would quickly evolve beyond the original scope of a close group of friends, now being used at scale for large in-game gatherings and codes shared into the public. (Syncshells are also dangerous for the above mentioned file parsers, but again, another day.)

This kind of feature invites a culture that is hard to control. It is designed to allow you to announce your character’s presence with mods to a large group of people, which already reaches beyond the original commonly-known statement of “don’t talk about plugins in game”. When joining a syncshell, the act of you using mods can be verified by anyone else in that syncshell. Given the nature of the system, other friends will get invited, and who knows about your character and your mods spirals out of control.

Some Mare players I’ve seen also directly advertise themselves - they disregard all safety warnings given out in the community, and will advertise their use of Mare in their Search Info or otherwise in game chat. The usual play is some auto-translate entry dogwhistle that leads into a /tell to ask for their pairing code. I strongly believe that this is incredibly unsafe, and the fact we’ve gotten here is very disappointing to me.

Some people don’t want to maintain this threat model anymore, probably because they’ve gotten too comfortable with the idea that nobody will get banned. I usually hear that “it’s such a tiny user base, they don’t care” or “it’s such a large user base, if they killed it everyone would stop playing”. I disagree with both. Penumbra 1.3.2.0, released last month, has over 100,000 downloads - that’s a very big portion of the population using scraped Lodestone estimations! In my opinion, Square Enix isn’t going to hesitate to try and stop it if they wanted, just like they still shuffle packet opcodes to this day to break ACT.

We have hundreds of thousands of active players running around using third party tools, some of them clueless enough to admit it, and some of them conditioned to automatically trust the plugins they see. What next?

Miqo’te and mouse

Back to the original point of this blog post - PlayerScope. In April, Square Enix announced that they were changing the blacklist system. Some technical limitations they mentioned caused a few of us in the Dalamud community to wonder if they were going to implement it clientside - I even called this myself at the time.

Come 7.0, a plugin developer realizes that there are some new fields on the player game object. After an investigation, we find that these are the player Content ID and Account ID.

The “Content ID” is a unique ID for your player. It starts at a very large base (depending on the region you created your character in) and increments for each character that is created. I used this technique to estimate that the Cloud Test datacenter had 76,000 characters created on it. We’ve had ways to see a player’s Content ID before, but never this easily.

The “Account ID”, however, is different. This is tied to your FFXIV service account, so multiple characters on the same service account will have the same account ID. We’ve almost never been able to see this account ID in the network before, so having everyone’s account ID attached to their character is a big one.

Both of these IDs are not that useful for anything beyond identification (you can’t use them to log into your account or anything). They’re still fun to stare at (especially with the region data being exposed), and I ended up writing a quick proof of concept plugin to dump the starting region of a character at the launch of 7.0.

This, of course, allows a dangerous deanonymization technique. If you scrape enough players, you can correlate their account IDs together, and detect alts of players. That’s where PlayerScope comes in - it does that! Of course, this can only be done with crowdsourcing or botting, and the plugin relies on the former. Part of the reason I’m so annoyed at this news cycle for how “dangerous” the plugin is comes from the fact that the plugin relies on it being known and used. By writing this, I am of course getting that knowledge out more, which I recognize myself and apologize for.

For the record, PlayerScope is distributed in a custom plugin repository. Even if the Dalamud team doesn’t approve of the plugin idea, users have developed the habit to automatically trust the repository, and they know how to find and enable it. This is an unfortunate series of events based on the fact that we taught the general public how to use these repositories to get to Penumbra/Glamourer/Mare, and they wouldn’t have been accepted (or wouldn’t have been submitted) to the official repository.

I don’t really care about the project itself - this was going to happen eventually - but what concerns me is the public’s reaction. The blog post from Dalamud maintainers says “Any tool capable of reading game data (e.g. Cheat Engine) or sniffing network data (e.g. ACT, Wireshark) is able to grab and extract these values” - which is true, but it undermines the validity of packet capturing for the sake of reverse engineering or archival. This has put a lot of people in panic about what data is being sent or received from the server, which worries me for the future reception to archival projects.

Of course, this now has the community asking “why can’t Dalamud just stop PlayerScope?”. There’s a lot of ways to answer this question, but the easiest one to explain is that you can’t really stop someone who’s dedicated. Dalamud is completely open source, and it would be trivial to bypass any “block”, which would just evolve into a cat and mouse game. While I was able to fight it with GShade, Dalamud developers do not have the time or immaturity to do that, and the events of GShade were only in my favor because I was dealing with an irresponsible developer.

This is what I meant earlier by custom repositories and questionable morals. This openness in a community is a good thing, but bad actors will always exist. If this outlet did not exist for them, they would fork Dalamud or build another tool. There’s also questions about why plugins are able to even see that data, and that’s because it ends up in memory which we have full control over - attempts to sandbox plugin APIs and block free memory access have been proposed, but none have gone through, and likely never will due to how much flexibility it removes for plugin developers.

Last I’ve heard of PlayerScope, the developer “really appreciate(s) the interest” and is working to make it an actual public plugin (this entire drama came from a private version of the plugin!). The developer’s identity is mostly unknown - the GitHub account seems brand new, but the username seems to have matches on other sites, particularly on MyAnimeList where the account has marked Hitler as a “Favorite Person”. Jesus Christ.

How this could end

This entire scenario is a sad intersection between the normalization of third party tools and how much they annoy Square Enix. The exploit is the fault of Square Enix’s, in my opinion, but they probably won’t care about fixing the blacklist system. What they will do is unknown, but there are a few options I can envision:

• The plugin dies down and nobody cares anymore.
• Square Enix kills Dalamud in some way. They have many ways to do this, from adding client-side anti-cheat, to adding some basic obfuscation in their build system, to turning on a compiler option that’ll ruin our work. There are several ways to kill Dalamud that doesn’t involve anti-cheats, though!
• Square Enix fixes the blacklist system, treating it as an exploit. I find this unlikely, given that the exploit is the result of a third party tool, and it’s likely more efficient for them to just kill the tool.
• The developer continues maintaining the plugin, and it gains popularity. Like other third party tools, it is mentioned carelessly in chat, furthering the infestation of third party tools into Square Enix’s userbase.

Square Enix does not like third party tools - their statement from TOP should tell you that enough. Their stance has always remained fairly neutral, though. Most of their efforts go towards tools they don’t like existing (e.g. opcode shuffling to make ACT harder). They have expressed not wanting to add invasive software into FFXIV in an attempt to detect third party tools, and the most the client really has for anticheat is ACLs and a check for debuggers.

The more drama we cause and the more things Square Enix has to deal with, the worse. We do not know what their threshold is, and none of us certainly want to find out. This is what makes me so upset about this entire discourse - we have slowly normalized the use of plugins in FFXIV, and now we must pay for it, as each time we slowly interfere more and more with Square Enix’s game.

I spent several years of my life dedicated towards building software for FFXIV because I love it, and I would hate for that work to vanish. I wrote this post not to specifically call out the behavior of this specific plugin (even though that’s the hook), or to say we are approaching FFXIV Doomsday, but rather to express my frustration at the state we’ve gotten ourselves into. I hope our projects live on, and I hope the state of things improves.