Shall we play a game?

Video in TIB AV-Portal: Shall we play a game?

Formal Metadata

CC Attribution 3.0 Germany:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Everybody plays games, and a bunch of us play computer games. Despite this, very few of us consider them interesting targets. Granted, you won't likely be able to hack into a corporate network via games, but you can target the people running the company via their games. You should also consider that a game could grant Not So Admirable people access to your network - the network that all your phones, your cameras, and your smart house components are part of. Hackers tend to ignore the low-hanging fruit in favor of beautiful exploits, but we really shouldn't. This is why I have decided to take a look around and see what's already there in the games that allows access to the gamers' network. That is how this research into how game scripting engines can be abused started. I'll show in this talk that using custom game content could easily lead to code execution on our PCs. My targets are popular games, and I'll show a wide range of script abuse from the most simple to the very technical ones.

I'm about it I hope you join activity this year and I'm going to start the question do you play computer games now K and those of you play computer games have you ever thought about getting attacked by the games you play but I'm still not and I'm going to talk exactly about that but 1st a few things about myself I'm not myself and I I work for a plant that developer for a security company in unit time required to be awarded to high heaven was the and I was 1 of I part of the product toss you don't want the effect is easier to times and that was the European champion of global in to those on 2 of you OK what I did my favorite quote from my favorite movie and summarize these flights love I'm not function another that prefer to be called a core I do have been going in binary files elaborates engineering laughter recognition recently corporate protections and 1 more thing I'm going to have that by myself and I don't want to start framework here but I really really prefer Q D 1 solar flightless birds of so we sort of pieces of that class in window frames that's sad I have to make a call session I am and I was 4 years in love with the means of situated beyond the just so disgustingly beautiful or something that you you just get a and again that this will be somewhat along the on the slant and so games needs and security and breaks talk with the modern stay things and talking to a room full of high across I'm sure I don't have to tell you about the 1st to make things better to implement your own ideas and yeah game will gene is basically the same principle you have the framework of the game and you want to do something more courses and obviously you want to share your creations and direct use websites where you can upload your patience and other people can download dominant play on what's my now this to you can even get paid for these moths likens the work from and and dilute because I wanted to be sure about that this is not some furious so people create what's and the 
other people to download and play that OK so games and security and important despite is which player immune system over the last fail on nearly all games have some kind of would player functionality what this means from a security standpoint means a constant data exchange between the client and the server and the state of the whole certainly is quite lanterns 5 complex think but water levels of maps and the protocol of the users often obscure or some kind of in-house developed protocol so you should realize that this is a fuzzy and have and yet we want showed us into those and talk to you in an accident to walk that the images are indeed vulnerable and a short summary of my exploits a little dizzy validations of game engines but I'm not going to talk about the scandals box and going to talk about the things abusing skating so there's a lot of games that incorporate some kind of those 15 years mn functionality you don't they you but some existing language is like you well or data developed by sum of the line but it is that in a lot of things it is there because it makes a creating dynamic content a lot that easier and these skipping Ganges that often available at 2 models so we can use them but could there be a really dangerous thing about this for a moment create a map and somebody downloads it or somebody Joyce server and the model or map gets downloaded degrees machine and the scripts that in these maps modes eventually will be right on that machine and yet most of the game the low-cost realized that this would be a set so they tried to mitigate that they tried to implement some books is about the Sun boxes that are often 40 they can be easily circumvented so it this this kind of this is to be exploited that surely not I'm not the first 1 to realize this and yeah I'm not that our Latin letters is about game exploits on the internet consume and understand what exploits a lot of articles about the Garry's Mod exploits so when I'm I talking about this is this is 
the background and talking about this because again exploits are used cheating games but they can you access your PC and for your PC they can be recessive Europe will not talk to to your security cameras and so on and so on and again this is defined that nobody seems to talk about what I'm going to now my 1st became the 1st crisis remember I said that most of the energy loss realized that you think would be a set well Triton is not 1 of them they seem to be but the surface scientists said about the futility of resistance so they didn't implement any kind of some books is any kind of protection so they use lot as scripting engine and you can call it whatever you want you can even call was that execute which is used to to execute the West comments in the world and I am going
to show you these where the crisis to board has
created for sure at least some of fuel James about taking something via by just of the button but we are going to do that now as soon as the game notes here that are from 5 games and the free of virtual machines instructions on this laptop now so we have it's a bit it's so looking at
you and OK it's building OK
so here we are in this result to the island and that of the drug but some wonder what happens when I push I push it and yet the calculator reach something you're starting so that's how you can execute coordinate on a playoff machine where they crisis map like how do they do that and initially the coords that is attached to the unused so of you don't have a lot of these legal but it's here and it's where these this call this 1 quality so was the execute OK but what is this so let's let's let's let's bloodletting it's 1 of the reasons why do we have the resources to API and the interest you sort of every
API that uses 5 uses 5 past can you was you in the past and again I would library and shall execute does not an exception this so if you can call somehow you can call these functions on your rectum Uganda loaded the that or you can execute something from made in water that so you don't have to write chocolate and so on and so on and this has 1 nice side effect since it uses a bindle shadow you can see enantiomer generously responses this you can if you can try to include some fights from maybe more chal
and yeah I have do more for this through it seem grinding as the gate which is a much newer version of trying to him than the 1 used in crisis and I have it here and I also have a virtual machine
reads we need be the sum
or or its name but it's
summer and they're going to jump into the game you push the button and then you can see the anti along
China's response here of the of the duplex OK so we in this was the
little my next tragedies of ability to it's another mostly escape the board game but it has some kind of some books so you can't just call packages you would label was executed but it has a huge lead the entire standards and URI libraries available so you can read 5 so you can write size so you can use the same as the media and the scaling take you can last flies from the enormous you can deploy with around staff or you can do with the idea that this the more things on the video I
coding might be awarded I'm you know the basics for performance and what I'm gonna do in this who escaped is decoded and executed from this the little debate on from this some basic for strain and rights the the daughter to executable with my payload so this is the data what it's actually a calculator and they're starting to
gain it's only in the
disorder because I don't have time to do this in the game itself so the escaped has to to the and this is found even so I'm going to spy on the go board and as soon as I do that the game starts to decode the basis for stranger and riots the executable so all
sorts somewhere here
OK so we can see that the executable in the deductible will return and so the next time we stop the game which will be the game that starts about the calculator or payload so that's how we can have a machine here where people to to much next projects with the goal of this kind but simulator it's common flight simulator and then surely you know that Latin that's of exploits start and test pressures well of the of the of the aggression that we have been exploiting this the most but not the depression you see usually OK so the CS also uses a lawful order emissions scripting and they also have a leaky factor they had some of these ideas reported that 1 the day of the states in a few weeks and from the swan reported them and they didn't responsible if don't know what to them but I'm gonna show you this the whole rather or I have be here for whoever can I mean what is wrong with the school this is the sandbox implementation of of this yes and they have a narrow somebody OK so nobody speaks you are OK so I'm going to try to delete is on the telephone line and they tried to non disabled media that bias into the address space is so they tried to mail out the function lordly but it should be packaged offloaded be is not it's already medium so they achieved nothing with this line so we can call back to school children of which is used to know what to yeah that's lies all cases normative on the B here I have about that questions 1st from the title of this tool to support who asked that question really it's a classic hacker movies OK OK I have another record has the answer is a Jewish wool from war against at the back of questions to what is my favorite movie or you can have to be the OK so this is the mission mandatory in DCs and what I'm doing here is that I've put up permission where i've that i've base was created to the brink graphs even so 1 might think pressures this gets cold tools of the allowed
and yes and I'm sure we can use this year's PCs going to pop into the cockpit radius 51 the booklet OK but it's it's so to all of the you know the the so there but this
I don't know it's not responding at all OK we are
here but it's not turning please rather flight now it's multiplied and this is like was doing the war i think ok we assume and nothing but this
all I mean tried again
so it's no full-screen
fly again yet the mole
rats they they have something against me and a OK
if you more seconds
and I think yeah had and OK it's going to work at k I'm crashing yeah I crash and that the last thing OK so hot yeah it's
sexy and OK please don't
be and but they still carry and my
might that's the rule is to be different than the others because of the other words Deselaers the bad guy and a Guimaraes the victim this time the game a real beauty the bad guy guys and the budget is the on so at the game it's military combat simulator very you can have a strong runs and you can customize your most from them information just by that name your mobile and so on and so on and that these discriminatory information are visible and I just for you but for everyone on this sort of this for us by you know when you set up your profile you can set set that you were at an XML file and every time you join that sort so reflects that x amount of file and that was URIs southern information from that so when I 1st saw the bodies that I was sure it's a vulnerable to let's see and th was quite disappointment that it was not but it's still a Messiah since you can get to the cell also over to know all the words that you provide OK I'm
going to show you would use more by the set up there
this guy having and under server and that he has also used the charts so on the same machine for keeping status or something like that and this chart vulnerable to work with execution but that can be triggered by gets expressed and that we are going to to your best and exploits so they have to
game here and summer have listened OK I'm listening here on the board for 4 4 4 and I have
my profile and it this is the you arrived that through yours PHP charts exploits the you can see that it's a coming version of OK it's called rude and so I played much rarer that's my on or or just trying to join its
and there something where should the connections right I'm not home yet and security is so we can see that it's it's really working the mines and present appear so that you get from a collection of from the other under so it's sort of by just connecting to the OK moving almost being used and
HTTP GET request and it really use the more about this http you need this to to to explain this is somewhat restricted because you can see the of response and you can't can't counselor too much but there are other against the where you can issue HTTP requests some of them from the involved army is very small but you have to use HTTP requests factor and the HTTP function that uses this structure and you can see that you can cancel every aspect of the HTTP request can cancel the matter with you can't council of the you know how the loss you can control everything so what this means this means that you have a small there basically have HTTP proxy to the game especially into the game a certain dominant work
here I have the more for this to and why is this not found in all cases from the somewhere
opportunities so I'm going to start the game I have
a gamma is more and more the design loading now and
I have implementation of free Gonzalo commands for of these a Council commands can be used to buy you are in a super administrative law and that they are used for creating that for something a c k scan realist it's basically it's cancer or the connected also not for for http devices used http to be so or and sent back to the desired to the of administrator and that yeah I just can't my left for him which is this game and the unit together and and the I'd be found the security camera on this IP address that it requires a lot of indication occasional problems I have another council command well that can brute force HTTP Basic authentication through the 1st 2 parameters first one is the players ID and the 2nd 1 the story is the might be addressed copy paste OK and is trying to uh brute force you can see what what it's trying and yet it has found that the user name is happening and the best way is to so now we can have access to that security camera and what my for the Council commands do these stealing a picture from that camera and it's requires the ID and the and the boss for d image into our and so it cheating bit yeah should all
or that I don't have you are this could be brute force to based on all camera diet plans and and and and some other but yeah I'm terrorists for him but I and I don't that a member of the codec us so I'm just gonna try this and it was
in that OK and so on I
don't want to take any more time with this but yeah it was going to be who was so your image of what's a fault in the game but yeah and maybe if I have some time after the talk or you have some remaining time I'm gonna try again so so that but the the the
yeah so sodium at that time but it's so my last the you should be afraid of mind and they're not talking about those the rest but they can be dangerous to and talking about this from this is a large effect GE is what of models and like water which affect see peripheral Ross it can be used 52 invited the from much that gaming soft power and it can be scripted in you want it has a very very tight sandbox it's really not to use it to supplement its but it's not impossible to describe and course it's who had a beautiful company if you wish to explore its but in in 2014 I think the abused handcrafted you will buy what he done some loss functions quantify the bytecode loaded function and yes indeed but that used to chase reduce hand crafted will worldwide called 1st from being getting the memory addresses many of the will variable the double and the 2nd being creating new every strategy you all variables that points to a memory locations you want to read or write these 2 combined meson arbitrary memory these right which can be used for code execution OK how do can do with these takes the first one getting memory addresses in in law every variable is devalue devalues the structure of each phosphate fights is either a pointer to an underlying structure or in case failure 1 number it's about so if we somehow can get to what to into at an arbitrary variable as a new 1 number them can get to the point where we can get that Memorial address and yet it can be done on the day for for loop consists of 2 hmm for courts 1 of the 1st being booked for practically checks that all variables for that for artifacts number the 2nd of is just the so if we know about your for profit and then we can get to interpret that what the s a number so that's how we get the memory addresses the 2nd tricky it's a bit more complicated in scripting obesity values it's done in these 2 lines that are going to go through this code line by line firstly creates from the stream that still missing in memory 
that looks like a knot values up using the new are there for you to represent the function parameter costs and the variety variables that are declared outside of the scope of the function so we create a scheme that looks like another value and the not you would that uses our memory location that you want to read or write next to the get the address of the screen we can get this 3 D firstly and we have to talk about 24 to this because of the became gets the address of these these structure but the what's truly would even want to use the actual correct erase address and yeah you can see that the the force 24 bytes of these is just some metadata so we had 24 2 dissidents and get the web address both that character or a Hindi PTI variable as a double next we just concatenate 3 times that of pdfs and modified the will bite would so the variable magic which is the the TIR free of gotten 18 via be interpreted as an actual and the as you can see in the bottom part of the slides by 16 to 24 overlaps the the actual shores of us feel the 1st field is a reasonable radial offer you point loss and scenes by the 16 to 24 in hour these and other value point of the would be violent so this is how we can excessive arbitrary memory addresses in the wall by modifying bytecode OK what it costs due to exploit this that he created a coroutine with quoting rapid which creates a city also on the
most active signals during is basically a lot of the presentation of of Fe native functions the native function being you will be you expect in this case he simply replace the uh the memory variety the Seikosha loss function point it and I need so when he called the called routine in the DLL well name it's the other got caught so we'll get loaded into the address what did I do differently a 1st for cause it's his exploits the is a word for it to be it's exploit Mining Server 64 this is important because the memory layouts are at the front and the and the decoding conventions are different so function but I'm just I'm not that pushed onto the stack and they are of the use of registers to to do that and the most important fact is that the size of a double equals the size of the point of the each major piece exploits much much easier on 64 instrument do OK and I couldn't lord and the lord of the because you can compile you are in and Nancy only mauled by the eligibility is just the stop so I had to call node library directly how to do that so in the function of the the native function you want to go and it's a prototype must match the the function pointer and yeah it's library ocean execute that candidates because they have long parameter that is a point or so how do we call it an old library some of the get code libraries of suggests and it's thought about this and the next slide replaced the you will be your water from the node library a and the override the newest state media learning because the Seikosha loss of function point that point out some of expects the lowest status sperm parameter when the overriding and called corralled library than low level because have to do your were written data OK and yet the last step we have to political routine OK so there are some difficulties in doing this how do we get the real estate and stocks suggests the 1 right so we want the doesn't that call routine those running gives you back to state find you run inequalities so 
the entire exploits has to be red according between and we can easily get the most states that so that's OK 1 I did this there were some random pressures so I had to disable what the back what's on day that there were some more pressures and yeah i stop them by stopping the garbage collector and by restoring the lost state OK the most interesting part how do we get to library addressed there is a simple solution the can get the Lord library and the lobby you walk step functions addressed differences from the the executable file and we can get and you will be walks addressed at runtime and yet we can calculate the Lord library address from that but that's not really nice solution because you you have to have the exact executables that you are trying to exploit there are more generic solutions and these workers on the Windows and on links and other operating systems to funding those we can only get the address of the entity have developed because they can read memory they can get from the and the head of the of the rest of the board directory in the port directly because for coming the book deal and from sounds gonna to we can get good libraries address from Canada to users reported a stable or this using those 2 drinks I assure you on OK there are some restrictions to to the sex exploits the can only all right 16 bytes of the you state but since the the last century restriction of a social Europe began in order from dealers from be more trash and loaded words like that uh we can for me to do to the other extension so for being able to the other you can just use B and we have basically the can get 9 characters from an IP address and obviously more domain name which is quite feasible so it's not to your research OK the time if yeah I
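The talk describes two failure modes of game scripting sandboxes: an engine that exposes Lua's shell-execution functions outright, and a sandbox that can be escaped by feeding the engine handcrafted Lua bytecode through the loader. The following is an added defensive example, written for this page and not taken from the talk, from any game engine it mentions, or from the Lua project. It shows a "deny by default" Lua sandbox for untrusted map or mod scripts: only a whitelist of side-effect-free functions is exposed, the shared library tables are copied so a mod cannot patch them for the host, and every loader call is forced into text mode and additionally checked for the `\27Lua` bytecode signature, so precompiled chunks are refused before the VM ever sees them. It assumes Lua 5.3 or 5.4 semantics (the `mode` argument of `load` exists since Lua 5.2; an engine embedding Lua 5.1 has `loadstring` without it, so there the signature check is the only option). The sample mod scripts at the bottom are constructed for the demonstration.

```lua
-- Added example (not from the talk or any engine it discusses): a minimal
-- deny-by-default sandbox for untrusted Lua map/mod scripts, Lua 5.3/5.4.

local BYTECODE_SIG = "\27Lua"

-- Compile an untrusted chunk as text only. Lua's own mode check ("t") already
-- refuses binary chunks; the explicit signature test is defence in depth and
-- makes the failure mode visible in the error message.
local function load_text(chunk, chunkname, env)
  if type(chunk) ~= "string" then
    return nil, "refused: only string chunks are accepted"
  end
  if chunk:sub(1, #BYTECODE_SIG) == BYTECODE_SIG then
    return nil, "refused: precompiled bytecode is not allowed"
  end
  return load(chunk, chunkname or "=(untrusted)", "t", env)
end

-- Pure functions a mod may use. Deliberately absent: os, io, package,
-- require, debug, dofile, loadfile, getmetatable, setmetatable, rawset.
local SAFE_GLOBALS = {
  "assert", "error", "ipairs", "next", "pairs", "pcall", "select",
  "tonumber", "tostring", "type", "xpcall",
}
local SAFE_LIBS = { "math", "string", "table", "utf8" }
local DENIED_IN_STRING = { dump = true }   -- string.dump emits bytecode

-- Copy a library table so the mod gets its own, patchable, view of it and
-- cannot replace e.g. string.rep for the host or other mods.
local function shallow_copy(t, deny)
  local c = {}
  for k, v in pairs(t) do
    if not (deny and deny[k]) then c[k] = v end
  end
  return c
end

local function make_env()
  local env = {}
  for _, name in ipairs(SAFE_GLOBALS) do env[name] = _G[name] end
  for _, name in ipairs(SAFE_LIBS) do
    env[name] = shallow_copy(_G[name], name == "string" and DENIED_IN_STRING or nil)
  end
  -- Sandboxed load(): text chunks only, always bound to this same environment,
  -- so a mod cannot use load() to climb back into the real globals.
  env.load = function(chunk, chunkname)
    return load_text(chunk, chunkname, env)
  end
  env._G = env
  return env
end

-- Run one untrusted script; returns ok, result_or_error like pcall.
local function run_untrusted(src, chunkname)
  local env = make_env()
  local fn, err = load_text(src, chunkname, env)
  if not fn then return false, err end
  return pcall(fn)
end

-- Constructed samples: a legitimate script and what a hostile mod might try.
local samples = {
  { "benign",   "return math.max(1, 2) + #('abc')" },
  { "os.exec",  "return os.execute('calc')" },
  { "io.open",  "return io.open('payload.exe', 'wb')" },
  { "bytecode", string.dump(load("return 1")) },          -- host-side dump of a chunk
  { "patch",    "string.rep = nil; return ('a'):rep(3)" },  -- only the copy is changed
}
for _, s in ipairs(samples) do
  local ok, res = run_untrusted(s[2], s[1])
  print(string.format("%-9s -> %s: %s", s[1], ok and "ran" or "blocked", tostring(res)))
end
-- The host's string library survives the "patch" sample untouched.
assert(("a"):rep(2) == "aa")
```

Running it, the benign script returns 5, the `os.execute` and `io.open` attempts fail with "attempt to index a nil value" because those tables simply do not exist in the environment, the bytecode chunk is refused by `load_text` before compilation, and the "patch" script only edits its private copy of `string`. What this does not cover is resource exhaustion (an endless loop or a huge `string.rep`), which needs an instruction-count hook or a separate process, and it cannot protect against bugs in native functions the engine itself chooses to bind into the environment.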
don't you know how much time idea got because I think it started to be too late for OK
where you are OK such an indoor down I'm very happy what the work is and has nothing is this and the
region rest them into the most you can find the literature and made them for so you can see them if you want
so to summarize all these should be listened Joshua and and stick to a nice game of chess cost matter should play computer games because they can be be fine but we have to be security conscious even when the operating so all bundled of any kind of or maps from the internet or just play on a computer that you use for nothing as we or updates does this right so it forces you to update this machine has to be offline for months because I didn't want steam updates OK and that was of game divorce should really think about security endogenous because to the state of security in news is really really OK so thank you very much for listening still I hope you enjoyed it and haven't nicely thank you
