Conference DEFCON 19. Break open MMORPG for fun and profit. Part 1

Original author: Josh Phillips, Mike Donnelly
  • Transfer
My name is Josh Phillips and I want to introduce you to a special guest who is not on the list of speakers, his name is Mike Donnelly. Later I will give him the opportunity to introduce myself. I usually speak last at the conference, so I hope that our performance will not play the role of a lullaby for you. If someone else is going to speak after us, I do not envy him, but I can do nothing about it. Well, let's get started.

I heard that all today's speakers were not lucky, because they had problems with the slide show, but I hope that everything will work out for us. So, in real life, I research malware in Kaspersky Lab. I also worked as a malware analyst at Microsoft, and contrary to popular belief or what can be found on Wikipedia, the name of the Conficker virus is not the German or Danish equivalent of the English word “assfucker”, it’s just a play on words. So inventing a name for this computer worm can be considered the greatest achievement in my life. I am a "gold farmer" and as a hobby I wrote a few bots for computer games, try to guess which ones. Now I will give the floor to Mike to tell about himself.

Mike Donnelly: I'm Mike Donnelly, known by the nickname Mercury, who created the Glider internet bot for World of Warcraft. Establishing ownership of this bot, 100,000 copies of which were sold by a third party for $ 4 million, the court was engaged. I was able to appeal the decision of the court of first instance, and the appellate court decided to compensate me, as the true owner, the damage in the amount of $ 6.5 million, but in any case the court case did not give me much pleasure.

I can say that I don’t have any hobbies, because instead of him I’m doing a lawsuit. The positive thing about this was that one of the Glider users, finding out where I live, gave me a beer, delivered it directly to the house and published a message on the Glider forum: “Hey, Mercury, look out the door - there’s a place for you 6 cans of beer! It was quite nice, it really was there, I went home through the garage and therefore did not immediately notice the packaging of beer cans in front of the entrance door. It was only Budweiser, but free beer is free beer, so if they try to heat me up for six and a half million dollars, then at least I got a few free cans of beer.

Josh Phillips: I saw several women in the hall, so I advise you to pay attention to Mike - he is still a bachelor and also rich. By the way, I am married, but not so lucky. So, the purpose of our conversation is not to make someone an expert on cracking online games, so if you come here for this, you will be disappointed. We assume that you at least know a little about the technical aspects of this issue, but if this is not the case, we still hope that you know something about the MMORG hacking. I note that we are not experts on the “zero days” device in this segment of the Internet, so if you want to hear from us about this, you will also be disappointed. But we really feel that we shouldn’t have 0-days, because it’s easy enough to destroy any online game that has ever been released.

The objectives of our presentation:

  • briefly highlight the history of online games and the use of real money in them;
  • explain why we break them;
  • tell in detail about the hacking process;
  • tell in detail about writing game bots.

On this slide, Sun Tzu’s quotation is: “He who knows when he can fight, and when he cannot, will be the winner,” and I think Mike has some experience with this. He chose to fight, he is the only one of my friends who has chosen this path, I think you can ask him how well he fights.

Mike Donnelly: it could be better!

Josh Phillips: Yes, it could be better!

Mike Donnelly: it could be worse.

Josh Phillips: Yes, it could be so. You see a slide with brief legal conclusions to which Mike arrived based on his own experience, what he is going to talk about. We are not lawyers, but:

  • everything you know makes no difference;
  • your clever legal ideas do not bother anyone, even if they are perfectly correct,
    if you participate in the judicial proceedings, they will have you anyway;
  • avoid litigation: run away, hide offshore, disappear from this planet, etc .;
  • Blizzard will still appear behind your door.

Mike Donnelly: First of all, I’ll say that I’m not a lawyer and can’t give legal advice, but as an ordinary person, I can tell you - if you have contacted lawyers, consider that you have been raped. If it comes to court, it will end badly for you anyway. Many people, like me, believe that if you have all the copies of the original software, compatibility codes, and so on, no one will win you. However, the process of proving your rights is very painful and costs incredibly expensive, and even if you have “iron” arguments in your favor, the chance to prove your case is very small.

Therefore, you need to understand that the trial is in any case a bad idea, and you should take all measures to avoid it. If you need to sell something from Nevis, Neptune or 7th Dimencion, try to be far away from them, so as not to get on trial, because if gaming companies feel that you, as a developer, are trying to “cheat” them, they will immediately appear at your door.

Josh Phillips: China is a good place to get lost. My disclaimer is: we are cunning, so the fact that I decided to reveal my secrets to the public is not the best choice. Therefore, some real names and places have been changed to protect the innocent, in this case - ourselves.

So why are we breaking into games? In most cases, in order to attract female attention, I have already mentioned that Mike is a bachelor. In truth, this is done to make money - Mike made $ 4 million to sell the bot, and my first competitor earned half a million every month, this is serious money. Sometimes people take revenge in this way or cheat someone by doing cheating. Raise your hands, who would like to go through the Game Hacking 101 "school", I would really like this subject to be taught in my college!

So, we are going to mention some tools for hacking games, shown on the next slide:

  • IDA
  • Ollydbg
  • Your favorite memory editor / search engine
  • 010 Editor
  • Wireshark

Custom tools that you can create yourself, which is very useful.
Most people engaged in reverse engineering cannot live without them, so it’s quite obvious what you can do with these tools — for example, disassemble code, modify files using the Ollydbg debugger. If you don’t know what a debugger is, you don’t belong here. When you need a tool to work with memory, most people use ArtMoney or something similar. If you are working with file formats, 010 Editor provides you with god-mode, because if someone tries to do this without this editor, it will fail. You also need a tool to capture Wireshark packets if you want to deal with the contents of the packet.

The tools created by you personally are of great importance, because if you try to hack games without handwritten DES scripts and other magical things, you will simply waste your time.

Mike Donnelly: I want to add - if you create your own software or a piece of software code that you plan to use or sell, this can later become your business. You will be able to clone different game items and find the mistakes of the game, just approaching it wisely. However, our discussion is not only about how to earn money with it, but also about how to enjoy playing games, so I’m not going to focus on the profit aspects.

Josh Phillips: you know, there is nothing worse than creating a hard-coded bot that stops working after updating the game and you have to start all over again, so here's what else your tools might be useful for.

I tried to classify a little tools for hacking games. They can be divided into cheats, bots, user clients / servers and exploits. I'm not going to go into details, we will discuss all these things in detail later.

Some people write custom clients for games, add-ons, for example, one of my competitors from China wrote such a client for World of Warcraft, which pretty much destroyed us. You know that you can run hundreds of such clients on one computer, and you cannot compete with them if you run only 3 or 4 clients on your computer.

Mike Donnelly: By the way about user clients. Raise the hands of those who played in Hellgate: London? Well, how many people continued to play it six months after the release? One man?

Josh Phillips: I feel sorry for these people ...

Mike Donnelly: the reason I mention this is because I know a guy from Germany who works with World of Warcraft, and when the beta version of Hellgate: London came out, he was I admire what I wrote for her clientless bos. He did reverse engineering of the entire protocol, all of these handshakes, encryption, and the like, and was ready to launch the game, but it turned out that he simply wasted thousands of hours (note: all game servers were closed less than a year after the release of this game ).

Josh Phillips: This will be the next “wow”!

Mike Donnelly: Yes, this will be our next “wow”! So if you are doing something for your own benefit, treat it as a business.

Josh Phillips: otherwise you just waste your time. So, if we talk about exploits, they can be both malicious and capable of bringing you tangible benefits, for example, cloning of Dupes items or god mode god-mode. Using exploits, you can also perform in-game thefts or use a DoS attack on the server.

Active hacking of games includes card hacking and searching for workarounds, which you can accomplish using reverse engineering and mathematical development. Finding ways is a very difficult task, so if you are going to do this, you need the Recast Navigation library to find ways in the space of 3D games that will help you solve the most serious problems.

We will do something like weaning out the noobs, so I hope that those present here will be able to keep track of our thoughts. In order to hack games, you must have the following skills.

You need to learn assembly language, for example, Intell syntax, C / C ++ language, learn how to work with the Win32 API feature set, and perhaps learn how to write drivers. It will be very useful to learn how to write things like Lane pixel reading, about which someone told here a couple of years ago. Therefore, noobs do not belong here.

Anyone know the guy on this slide? His name is Rich Thurman, I think he was one of the first to appear before the public as a "golden farmer." This picture was published in an article by the Institute of Electrical and Electronics Engineers IEEE around 2000-2001, when it earned more than $ 100,000 from online games. This is the amount that he recognized, but I think that in reality, Rich earned a lot more just by hacking Altum Online in Minecraft. Basically, it was “played” with memory editing, found key data structures, and extracted profit from it.

Memory search is a magical art, this is what you really need. If you cannot operate with memory in order to find places in which things like game points, skills, abilities, and the like are stored, it will be very difficult for you to perform a static game analysis for profit.

I have already mentioned several online games and I am sure that most are familiar with such a game as World of Warcraft. This game was one of the first to use a modified script engine, but most of the games that use it make mistakes. The creators of WoW used a Lua-scripting language to develop games, a side effect of which is embedding a string with a function name in a binary file. This greatly facilitates reverse engineering, so if you are interested in, for example, how to use this or that spell during a battle, you simply look for a line with the word "spell", find the corresponding code there and use it in the game process for your own purposes.

Mike Donnelly: I want to add that using Lua makes the process of reverse engineering in games incredibly simple. You can write a Lua script that will do everything you want and test it in test mode. If you know the spell ID, you can pause the game, insert this code, and use the desired spell during the game.
Josh Phillips: Yes, scripting engines make reverse engineering extremely easy, there are really no technical problems with them. Now I will briefly go through the history of several games. I think that Ultima Online was probably the first major MMO to collect up to 225,000 online players, but these are mere trifles compared to World of Warcraft or online games on Facebook, which have up to 30 million users. Are any of you playing Farmville? Not? I still do not believe you.

You all know that in these games, people cheat, create objects, pass through walls and so on.

WoW became the most massive game, it even got into the Guinness Book of Records as the most popular online role-playing game with 10 million users, perhaps more Chinese users collect more games. I note that development companies sometimes refrain from selling their games or seasonal passes in some countries.

Mike Donnelly: Yes, Blizzard sometimes refuses to send out CDs at all, they just come and knock on your door. They work through lawyers who offer you to sign a draft lawsuit, or to cut off your finger. Here is how they work. WoW is a big game, there is so much money there that even if you capture 1% of the market, it justifies all the risks. But if you are going to take risks, the game should be massive enough.

Josh Phillips: I want to add that sometimes Blizzard is on your doorstep, and if you don’t have a brother in the Polish mafia who will chase them with a baseball bat, you risk ending up like Mike.

Mike Donnelly: It really happens.

Josh Phillips: Yes, it is. I note that even if your game is really small, you can still make a couple of “pieces” on it a month, which is quite a lot of money for many people, especially in Eastern Europe or in South America. A couple thousand dollars a month - and you live like a king.

Eve Online, written in Python, was the first game to use a scripting engine based on the commodity principle, and Darkfall was half a million lines in Java. An interesting feature and a big mistake was that in the Age of Conan game, the developers left detailed debugging lines, so I wrote a script for it that searched for IDA like class names, and this script renamed the functions inside my IDB according to these debugging lines .

In the game Aion, the developers tried to prevent hacking by packing the game with Themida and using Game Guard, but if you do not use the additional features of this protection, it is pretty easy to bypass it. You could roll back the patch and hack the Game Guard before they tried to fix their game. This slide shows a list of MMORG games, in which Speedhack cheats were used rather quickly after the release: these are Age of Conan, WoW, UO, EQ, Vangard.

Microsoft spent $ 50 million on this pile of shit, and I think they canceled three more MMOs just because they were afraid they would be hacked too. In principle, the Speedhack cheat can be used for any online game, if you know how to execute it, so that anyone who is interested in World of Warcraft burglary can contact me about this after our performance, I will be in the question room and replies. Such 2D online games like UO or Ultima Online solved this problem, but 3D games that intensively use processor power to track the movements of 20-30 thousand users have not yet done the job of fixing vulnerabilities.

Mike Donnelly: they just trust customers, not realizing how smart they can be.

Josh Phillips: that's it, so if someone from here here trusts clients of online games, then he can safely leave this room. So, dupes, or the cloning of gaming items, is similar to what the Federal Reserve is doing when its representatives go to the treasury and say, "Hey, you can't print us a million billion dollars, and we promise that we will make the American people return this debt". This is really what can make you rich, I have a friend who hacks games in this way and earns about a million dollars a month. He has 2 cars Lamborgini - twin-turbo Diablo and Mursielago, and now he is going to get a lemon-green Gallardo, so I feel a little ashamed of him.

Mike Donnelly: add a few words about the cloning of game objects. There is nothing high-tech here, when using dupes, it all comes down to looking for developers' blunders who did not think that some clever guy could write a piece of code that would do something special in the game. For example, in WoW you can create a lot of crafting or spells that you sell to other players.

All this is possible only because the developers did not think about the fact that you can use the cloning of objects in the game or cause a server failure. For example, when Josh casts off on my epic ass, I will simply crash the game server, and the damage to my character will not persist, and then I will enter the game again like nothing has happened. But the bottom line is that all this is a simple craft that you all can do, regardless of whether you understand reverse engineering or not.

Josh Phillips: It's like real-world computer security research, when you find a bug, for example, in Adobe, and spend 3 weeks looking for a solution, how this bug can be used, how to get around the SLR algorithm, and the like. Interestingly, I can replace my ID with the identifier of any other random player and just say that I received a million billion free gaming items for free. So for this you just need to tinker a bit with the game.

Let's talk in more detail about hacking methods, for example, when you are trying to create a teleport or something like that. I will quickly go through these things on the next slides.

In order to teleport, you look for the player's position in the memory, and then use the memory editor to change its value, and if you're lucky, you will be transferred to another point on the map.

Mike Donnelly: and you are banned for it!

Josh Phillips: Yes, for this you can be banned and excluded from the game. This method is often used by cheaters in old games. Amazingly naive many developers who do not think about how to write a game that is difficult to crack. You can go a more complicated way, for example, in the case of WoW, which has existed for 7 years, but the developers have not been able to ensure the correct operation of the protection. You can modify the movement packs, change the time stamps, use more sophisticated cheating options such as Speedhack, which are still working in this game. With the help of Speedhack, you can change the frequency of the processor, the speed of movement of the character, and if you are lucky, all these chips will still work in your game. But I do not know what it means to “compress the network to reset the server code.”
Mike Donnelly: I wrote this! This applies to artificially created lags that still work in a game such as World of Warcraft, as in any modern online game. You can literally disconnect the Ethernet cable, “move around” a little in the game and reconnect to the Internet. In this case, the network stack determines that the TCP connection has died, after which the game client informs the server that your character is now in a completely different place. In this case, you are dealing with a server congestion code, so they must agree to a short delay. In many situations, you can pull out the power cable, run around the monster, and since all the logic that a monster must “nail down” you is on the server side, the monster will not notice your maneuver. Then you connect the cable, the game client detects

However, do not try to do this if you are using a wireless internet connection, because you simply close the TCP connection. But if you can just physically break the connection by pulling out the cable, it works.

Josh Phillips: Yes, this is really high tech hacking! Man, it just sucks!
Mike Donnelly: I think you should consider this possibility, because in this way you can open a lot of chests in different dungeons. You know that in WoW you can play with a group of 5 people in the same dungeon, and you could get quite far by simply using logs to go around monsters and get to the chests. You just rob all the chests and use your loot to get money.

Josh Phillips: Now I know who is to blame for the fact that in the dungeons there are no more crafting chests left. I will mention "dupes" - if someone does not know what it is, I will say that dupes is just cloning, or replicating game items, allowing you to get a whole bunch of necessary things. Basically, this is the key to getting big money, which is used by my poor friend with two Lamborghini. As I said, the developers are very naive, so they are just surprised that someone “plays well” in their game.

So, many games run on multiple servers, and if you run fast enough to and fro, the server will lose your trail, and your backpack will begin to magically fill with all sorts of objects. Using lags, you can even have time to rob the corpse of your character before he disappears.

25:40 min

Conference DEFCON 19. Break open MMORPG for fun and profit. Part 2

Thank you for staying with us. Do you like our articles? Want to see more interesting materials? Support us by placing an order or recommending to friends, 30% discount for Habr's users on a unique analogue of the entry-level servers that we invented for you: The whole truth about VPS (KVM) E5-2650 v4 (6 Cores) 10GB DDR4 240GB SSD 1Gbps from $ 20 or how to share the server? (Options are available with RAID1 and RAID10, up to 24 cores and up to 40GB DDR4).

VPS (KVM) E5-2650 v4 (6 Cores) 10GB DDR4 240GB SSD 1Gbps until spring for free if you pay for a period of six months, you can order here .

Dell R730xd 2 times cheaper? Only we have 2 x Intel Dodeca-Core Xeon E5-2650v4 128GB DDR4 6x480GB SSD 1Gbps 100 TV from $ 249in the Netherlands and the USA! Read about How to build an infrastructure building. class c using servers Dell R730xd E5-2650 v4 worth 9000 euros for a penny?

Also popular now: