Conference DEFCON 19. Break open MMORPG for fun and profit. Part 2

Original author: Josh Phillips, Mike Donnelly
  • Transfer
Conference DEFCON 19. Break open MMORPG for fun and profit. Part 1

Josh Phillips: as we said, all hacks are pretty simple, and their use sometimes does not require any skills, just a creative approach to business. To use “superpower” you don't have to be a reverse engineering god, but it definitely helps things like integer overflow or underfilling, and you can easily change the values ​​from 0 to maximum, for example, to cause deadly damage to the enemy.

Mike Donnelly: Yes, it all comes down to the ability to make hacks, for example, maximize your armor. This happens in World of Warcraft - we had a boy who, sitting in the Orcish capital Orgrimmar, took off and put on his helmet 100 times, pumping his strength from 2 to 32 levels.

Josh Phillips: did it really happen, or maybe he just used a memory editor and made a screenshot?

Mike Donnelly: you may be right!

Josh Phillips: My favorite mode is GM Mode. Some companies produce games with the open possibility of reverse engineering, so that you, having become GM's “game owner,” can teleport to people, destroy things, give commands and do other interesting things. There is such an interesting hack, the theft of items from non-player NPC characters. Age of Conan was one of the first to have a vulnerability that could kill a GM, and I don’t think its developers are happy.

Mike Donnelly: The vulnerability was the ability to replace key player IDs?

Josh Phillips: Well, yes, like what you said to the server: "I am a game master and am going to die now."

Mike Donnelly: sometimes the game server trusts you when you say that you are another game character, saying, “I’m such and I’m selling it”!

Josh Phillips: I have already said that game developers are naive people. Hacking the UI Hack is less valuable. It is useful if you want to see the gaming space very far or rush over the map of the terrain, like a ghost, while remaining in place.

Mike Donnelly: you can still use such a thing as a “wild” translation of the language, which is why, for example, Alliance players will no longer understand Ward players. Here, hacking occurs on the client's side so that during the dialogue, the text of the enemy, sent to the player, simply will not be displayed. This is fairly easy to do, but I doubt that anyone will pay for this kind of hacking.

Josh Phillips: The next section of the presentation is called: “I'm at your base, guys, to kill you!” I will try to explain to you how to write a teleport hack. For this there is an easy way and a difficult way.

The easy way is to find the player’s position in the memory, rewrite it and call the game function responsible for changing the player’s location to teleport to the selected location. So, if you know where the code for the player’s location is located, and you can call him directly with a function, it could be a teleportation spell, which in Lua is “cast spell”, then you can give it the desired value. player teleportation sites. In this case, the server will not be able to recognize whether you are an ordinary warrior or a magician who can use spells. This method works in many games.
The hard way is faking motion packages. This will require mathematical calculations and knowledge of how they are updated, reverse engineering of motion packages, and the like. You may need to adjust the timestamp to teleport or run faster.

The next hack is the attacks of the game logic by replacing the original ID in the package with the desired ID, which we mentioned in the context of Age of Conan. These are attacks on the player’s trading skills, critical damage or the complete destruction of Fall damagé of both characters and game items, as well as attacks by NPC merchants to rob. In Age of Conan, it was possible to inflict critical damage to any character in the game, and even kill GM, assigning him a million Fall damagé, after which he simply died.

Mike Donnelly: yes it was fun!

Josh Phillips: in this game you could also use malicious code, so that someone entered into a trade relationship with you, even without knowing it. You could force the NPC to sell you something, and this technique is still used by many players other than me, because I do not like to steal from computer characters. And I don't think any of you should do that.

Mike Donnelly: it causes digital tears ...

Josh Phillips: followed by dupes, or cloning of objects. Many games have vulnerabilities such as server-side delineation problems. For example, Age of Conan, EverQuest, Final Fantasy XII and Ultima Online have zoning, that is, if you cast a spell on one side and then cross the server line, you find an opponent who defeated you and can continue the battle. The method of repetition hack is that you move things there at a tremendous speed, for example 1000 times per second, back from the trade window to your backpack. As a result, the server stops tracking things, and they completely fill your backpack. Everyone knows the game Diablo 1, where you just drop an object on the ground, run up to it, hover over it, try to pick it up, and it immediately appears in your backpack, while remaining on the ground,

Hacking game resources, or Asset hacking, as I mentioned, is not worth it, unless someone else has published his work for you that you can borrow. Those who played WoW know that someone can magically appear on your side - I don’t know how it is properly called ...

Mike Donnelly: the battleground, the battlefield.

Josh Phillips: Actually, I have never played World of Warcraft, for me it's too boring. So, players use teleportation to instantly transfer from the battlefield to the enemy base and kill all opponents there. They can also modify the game map and create a tunnel to run underground in the desired area so that no one will see. You may see his tiny name - a tag that moves around the map, but you will not see the player himself. But in any case, these methods of hacking are not worth the effort.

The section “Hacking Games 420” I will start with a quote by Machiavelli: “Nothing great has ever been achieved without danger,” so you can even be sued.

Mike Donnelly: yes yes yes yes.

Josh Phillips: I think this is true. You can use the bot in the game, someone spoke about this a couple of years ago about this, and I wanted to hit him, because it was not quite interesting. So, for this you do something like reading pixels and automate this process, there is no reverse engineering here. For example, with one quick keystroke, you redraw the “red” critical points of your own damage so that they do not turn red and you don’t die. This is a very limited hack, and your actions will go unnoticed if you act very quickly.

Mike Donnelly: That's right, you need to act very quickly. Does anyone know why detection works so badly? Understand me correctly, I do not want to embellish the situation with the discovery on the client side, everyone here seems very wise ... Obviously, game manufacturers do not like everything we are talking about, so they are trying to find your software in the game, and if they find banned you If you cheat for fun, then the maximum that you can lose is your own game account, but if you have 100 thousand clients, this is a big problem, because if all your clients are banned, you will simply go bust.

Therefore, preventing detection of cheating is very important. We'll talk about this later, but now I want to note that finding your software on the client side is very important.

Josh Phillips: Have any of you thought about why a wave of bans rolls about once every 3 months? The fact is that when you ban 50 thousand accounts every week, people who re-tie these 50 thousand accounts will never do it again because of the high cost of living. But if you ban them no more than once every 3 or 4 months, they will re-buy accounts, as this will be profitable. Companies think something like this: we found these guys who use, say, the Glider bot, but we are not going to ban them, because if we ban them too often, they will bring us no more than 50 dollars of profit.

Mike Donnelly: yes it is true.

Josh Phillips: another way of hacking is code injection, when you insert a small assembly code to make some trifle, such as a remote call to some RPC procedure. With this, the surface of your attack can increase, I mean, that you can really use something like a DLL injection into a large piece of code written in high-level C or C ++, which is really easy to detect. You are writing a DLL loader that fixes all your imports and all that.

You can attack the network packet layer and do such a good thing as reverse engineering the network protocol. This is very laborious work, because there are not too many games that allow the analysis of this kind of content. This is still not an easy task, and if you consider yourself a pro, you can write your own game client. People often think that they can do it and spend a lot of time in vain, but if you are really able to write a good client, like those guys who destroyed me a couple of months ago, you can earn a couple of hundred thousand a month.

Mike Donnelly: writing a custom client is not something you are going to sell, but “golden farming” and real money transactions. If you have written your game client, you can ask your partner to launch ten million copies of the game on the farming server. If your game client does not require performing a large number of 3D rendering operations, you can use its excellent functionality to scale the gold farming.
Josh Phillips: if usually you can run 2-3 gaming clients on a computer, and you were able to launch 200-300 clients, this will be quite a lot of scaling.

Now consider the thing called anti-cheat. It can be used to deal with software that calculates and bans cheaters. This is often a very difficult task, but sometimes it is very important not to be discovered, otherwise you can lose everything. On the slide, I quote one more quote from Sun Tzu, who said: “Be extremely thin up to formlessness. Be extremely mysterious down to silence. "

Mike Donnelly: I want to note that there are not many technical aspects of detection, but you need to approach this strategically, this is not in the book MMO Hacking. Probably, there is such a book?

Josh Phillips: Yes, it was written by one of my friends.

Mike Donnelly: This guy is eliminated first. So, like this is not in the book, but if we talk about a strategic approach to business, then you should worry about two main things concerning your software. You have an attack surface that determines how difficult it will be to detect your software, and anti-cheat can in this case simply increase the detection code if it is small. Secondly, you should have what I simply call “intelligence”, that is, how well you are aware of what the enemy is doing, you need to understand how his detection programs work, because this is very important. Both of these things work together, and if the attack surface is too large, it will be difficult to say what the enemy is doing in response, because his efforts may be minimal - just write one line of code, which will detect your bot. If you do something really cool, like my bot, which will respond within 2 milliseconds, if the monster does something, you can avoid detection.

So this is a decision that you have to make when you choose functions and develop what customers ask of you. You must decide whether you want to risk increasing the attack surface by adding such functions.

Before showing the next slide, I want to talk about what happened to me and other software developers of World of Warcraft. One guy developed the software, let's call it Innerspace, which worked by injecting dll into a fairly large game. This guy is well versed in reverse engineering, so he took all measures against the detection of Blizzard programs. But he still left the dll in memory, which he wanted to "confuse", and more importantly, he had to patch one of the functions of Blizzard. Therefore, he simply went to the beginning of this function and inserted the “far jump” in the right place of the code, being sure that he was sufficiently disguised and no one would find it.

The next slide shows the function with the inserted code, pay attention to the values ​​highlighted in red, we will enlarge this fragment so that everyone can see.

This is a piece of code inserted inside the game, but this is not World of Warcraft ...

Josh Phillips: because Mike is chasing Blizzard ...

Mike Donnelly: I just think that giving an example from WoW would not be a good idea. In this code snippet, you can see that the game uses the query for the friends list askForBuddiesList, which has an optional parameter that has never been used before. It is perceived as a package number, or a team number, or a BOB number - “Brothers Over Bitches”. This optional parameter is “pasted” in this place of the code and sent to the server, everything is very simple.

So, this “pasted” code - let's scroll a couple of lines down to the comments - says: the old code was askForBuddiesList (0), it is 0, and instead it is now using the new code with the _asm option parameter that has never been used before.

So, Blizzard is going to find the function corrected by this guy in the game’s code. To do this, they changed this function call to a small code sample. They used registers, did some mathematical calculations, so that IDA would not see another reference to this function. Then they go to the corrected function, pull out the first byte of their code and send it as a parameter that has never been used before. What happens then? They send one byte of their own code every time they make this request, and, of course, on the server side, they just “read” it, and if they find E9 instead of zero, it’s ready, it's done!

What is interesting about this software is that here you don’t see anything like “if this guy is a bot, tell the server about it”. You just see that I take this byte and send it, and this is a tiny piece of code that does not even change the basic network code, there are no new parameters, nothing new. The only way to find it is to somehow observe how this data is collected, and then you can say: “aha, this thing was always 0, and now it is 9, it’s not good”!

So, when they did this, this guy lost all of his clients, because they waited a few weeks until they were banned, and then the company struck again and again.
This is a good example of how much the attack surface means, because fixing just one function of the game led to such retaliatory measures. The fact is that if you think you know where the detection code is, there is always a chance that this is not what you think. In the case of Blizzard, they never placed their detection code outside the “caretaker” Warden, they “kept all their eggs in one basket”, hiding the detectors in the “caretaker”. But then they got smarter and said that we will simply place our tiny code wherever we want - and that’s all.
It is therefore extremely important to remain difficult to detect. If they came up with something like a new kernel call, or started a private API monitor, their activity could be detected, but when they made just one tiny step, you would immediately fall. Therefore, it is very important to observe what they are doing and how they create new tools for monitoring how the data flows in the system should look.

As for Glyder, we had tools that warned us, for example, that Warden was updated and now has 9 entry points instead of 8, and after such a warning I ran to my office and started feverishly fixing Glyder, brought it to order and run again. So there is always a way out, the main thing is not to be lazy. In this case, really a lot of work, but it pays off.

Josh Phillips: Yes, I think we both had to work 36 hours without a break.

Mike Donnelly: when Blizzard updated the "caretaker", they added a new scanner to it. This scanner takes a string that is encrypted inside the "caretaker", gets the server key, decrypts this string, and calls the GetProcAddress function, which retrieves the address of the exported function from the specified dynamic-link library, in this case kernel32.dll. If I am tired of you, do not worry, then it will be more fun.

Thus, they take a string, whatever it is, and if it is regulated by this function, then GetProcAddress is applied to it without any parameters. Thus, if I search for this code and the game is closed for a patch, I will not be able to find it, because I don’t have a key and I don’t see what it is going to decrypt. That is, I see a function that is designed to call something from kernel32.dll without any parameters, and I do not understand what is the point.

So, I look at this code for a few hours and I can’t understand anything, after which I decide to talk to one smart guy, Mike, who was engaged in Hellgate: London. Again we cannot understand anything and decide to just pick up this topic, insert breakpoints into the code and start the game, and they send us the key! Mike says: “It's the key! Let's see what this string is! ”

We decrypt it, and it turns out that this is the URL - the address of the video on YouTube! That is, they skip this address through GetProcAddress, ProcAddress says that nothing happens, I, having received it, as if inserting this address into my browser, so that they just troll me with a commercial! I do not know how many people they caught on this bait. So it was epic, they did it really well. That's all I wanted to talk about, it really was the most epic ricroll I've ever seen!

Josh Phillips: we have little time left, so I will try to speak quickly. So, it is possible to overcome anti-cheats from the client side by entangling traces, checking memory, detecting a debugger, detecting a dll detector and unpacking. If you are smart enough, you can do mining on the server side. To do this, some analysts and Blizzard threw us a really big bone, like "hey, man, that's how I find people - I just write a few random requests, and then I come the next morning and send these people to the ban."

There are also things that can be used both on the client side and on the server side, mostly command & control methods using a botnet network that fight Warden and Punkbaster anti-cheat. In this case, you send your game client to ten million WoW players, a piece of code that runs on their computers.

Mike Donnelly: This is both a botnet and bot detection software.

Josh Phillips: Yes, that's pretty funny. Punkbaster basically searches for strings to ban people, I mean strings or binary data in the game client of the user. In most cases, these are strings of type that Punkbaster detects. The meaning of these lines is something like this: “hey, I don’t like this clan, he always asshole me, so I’m going to enter their IRC channel and send a few lines to all members of this clan, and then return to the game and see how they are banned for cheating. "

Naturally, Punkbaster will say: “No, no, it doesn’t work at all!”, But in reality it works that way.

So, we have reached the defense of a doctoral dissertation on the topic of advanced hacking games. This is a very deep well into which all your money can flow if you are not an expert in this field. Advanced hacking includes work with game updates and full automation of the gameplay. We have less than two minutes left, so we'll skip some slides.

Mike Donnelly: I want to mention one thing that the developers presented last week, this is the Diablo 3 auction house.

Please draw your attention to the novelty that appeared there - do you see the dollar sign in front of the numbers? Now Blizzard allows you to sell gaming items for real money. So now you can connect payment systems directly to your Blizzard game account and sell gold or buy gold. Of course, you will not be able to compete with me, because I "made" Blizzard, but it is still very interesting.

Josh Phillips: Yes, it is really interesting. I would like to thank all our friends from Poland, Germany, New Zealand and Australia who could not be present here because of the high cost of the flight.

Mike Donnelly: I think they will be arrested anyway ...

Josh Phillips: I hope we have a little more time, so go to the question and answer room and continue our communication.

Mike Donnelly: Thank you for your attention, DefCon!

Thank you for staying with us. Do you like our articles? Want to see more interesting materials? Support us by placing an order or recommending to friends, 30% discount for Habr's users on a unique analogue of the entry-level servers that we invented for you: The whole truth about VPS (KVM) E5-2650 v4 (6 Cores) 10GB DDR4 240GB SSD 1Gbps from $ 20 or how to share the server? (Options are available with RAID1 and RAID10, up to 24 cores and up to 40GB DDR4).

VPS (KVM) E5-2650 v4 (6 Cores) 10GB DDR4 240GB SSD 1Gbps until spring for free if you pay for a period of six months, you can order here .

Dell R730xd 2 times cheaper? Only we have 2 x Intel Dodeca-Core Xeon E5-2650v4 128GB DDR4 6x480GB SSD 1Gbps 100 TV from $ 249in the Netherlands and the USA! Read about How to build an infrastructure building. class c using servers Dell R730xd E5-2650 v4 worth 9000 euros for a penny?

Also popular now: