Hacking MMORPGs for Fun and Mostly Profit

Video thumbnail (Frame 0) Video thumbnail (Frame 986) Video thumbnail (Frame 5861) Video thumbnail (Frame 9722) Video thumbnail (Frame 15983) Video thumbnail (Frame 17087) Video thumbnail (Frame 19737) Video thumbnail (Frame 20703) Video thumbnail (Frame 31737) Video thumbnail (Frame 42636) Video thumbnail (Frame 50040) Video thumbnail (Frame 57489) Video thumbnail (Frame 59535) Video thumbnail (Frame 61672) Video thumbnail (Frame 63269) Video thumbnail (Frame 65714) Video thumbnail (Frame 74046) Video thumbnail (Frame 75035)
Video in TIB AV-Portal: Hacking MMORPGs for Fun and Mostly Profit

Formal Metadata

Hacking MMORPGs for Fun and Mostly Profit
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
Josh Phillips - Hacking MMORPGs for Fun and Mostly Profit https://www.defcon.org/images/defcon-19/dc-19-presentations/Phillips/DEFCON-19-Phillips-Hacking-MMORPGs.pdf Extra Materials Here: https://www.defcon.org/images/defcon-19/dc-19-presentations/Phillips/Extras.zip Online games, such as MMORPG's, are the most complex multi-user applications ever created. The security problems that plague these games are universal to all distributed software systems. Online virtual worlds are eventually going to replace the web as the dominant social space on the 'Net, as Facebook apps have shown, and this is big business. MMORPG game security is something that is very important to game studios and players, yet bots and exploits continue to infest all major MMORPG's, the creators and maintainers of the next generation of MMORPG's will need to understand software security from the ground up or face failure. The problem extends from software bugs such as item or money duplication, to mechanical exploitation such as botting, which leads to economic forces and digital identity theft. There is upwards of a billion dollars at stake, for both game hackers and game operators. Both Josh and Kuba have explored game hacking from both sides, and this talk presents a pragmatic view of both threats and defenses. Josh Phillips is currently a Senior Malware Researcher at Kaspersky Lab, previously he was a Virus Analyst for Microsoft Corp. He cut his teeth reversing by hacking and botting for profit, several MMORPG games. He has had professional ties to several of the big name virtual currency dealers in addition to being well known in the underground game hacking community.
Scheduling (computing) Hidden Markov model Bit
Slide rule Presentation of a group Computer virus Demo (music) Real number Robot Expert system Message passing Malware Word Process (computing) Software Video game Configuration space Right angle Game theory Hacker (term) Freeware Game theory Address space Form (programming) Row (database) Identity management
Axiom of choice Point (geometry) Real number Sheaf (mathematics) Parameter (computer programming) Theory Dimensional analysis Java remote method invocation Goodness of fit Game theory Hacker (term) Game theory Metropolitan area network
Beta function Code Multiplication sign Robot 1 (number) Motion capture Client (computing) Mereology Neuroinformatik Software bug Semiconductor memory Encryption Data structure Text editor Game theory Metropolitan area network God Scripting language File format Server (computing) Debugger Electronic mailing list Client (computing) Bit Density of states Exploit (computer security) Entire function Software IRIS-T Text editor Game theory Quicksort Hacker (term) Communications protocol Writing Reverse engineering Asynchronous Transfer Mode
Point (geometry) Scripting language Intel Pixel Functional (mathematics) Key (cryptography) Code Binary code Sound effect Bit Device driver Formal language Casting (performing arts) Read-only memory Hacker (term) Semiconductor memory String (computer science) Data structure Game theory Hacker (term) Game theory Data structure Reverse engineering
Structural load Code Multiplication sign Execution unit Source code 1 (number) Client (computing) Software bug Facebook Sign (mathematics) Mathematics Cuboid Electronic visual display Information security Sanitary sewer Social class Thumbnail Scripting language Source code Software developer Open source Bit FLOPS Type theory Process (computing) Right angle Quicksort Hacker (term) Freeware Reverse engineering Asynchronous Transfer Mode Point (geometry) Slide rule Server (computing) Twin prime Inheritance (object-oriented programming) Vapor barrier Computer file Patch (Unix) Real number Control flow Crash (computing) Hacker (term) String (computer science) Green's function Software testing Proxy server Design of experiments Game theory Condition number Time zone Turbo-Code Server (computing) Client (computing) Line (geometry) Group action Exploit (computer security) String (computer science) Game theory Object (grammar) Family
Code Interior (topology) Ferry Corsten Multiplication sign Source code Client (computing) Stack (abstract data type) Bookmark (World Wide Web) Formal language Mathematics Coefficient of determination Semiconductor memory Logic Electronic visual display Monster group Position operator Vulnerability (computing) God Bit Maxima and minima Überlastkontrolle Instance (computer science) Connected space Data mining Condition number Right angle Text editor Hacker (term) Asynchronous Transfer Mode Reverse engineering Slide rule Trail Asynchronous Transfer Mode Server (computing) Statistics Inheritance (object-oriented programming) Translation (relic) Hidden Markov model Login Number Sound effect Goodness of fit Hacker (term) Integer output Game theory Address space Multiplication Dependent and independent variables Key (cryptography) Server (computing) Code Computer network Client (computing) Timestamp Logic Game theory Integer Buffer overflow
Trail Complex (psychology) Server (computing) Functional (mathematics) Code Multiplication sign File format Parameter (computer programming) Disk read-and-write head Neuroinformatik Substitute good Mathematics Semiconductor memory Uniqueness quantification Game theory Metropolitan area network Position operator Dot product NP-hard Touchscreen Mapping Server (computing) Code Line (geometry) Cursor (computers) Timestamp Uniform resource locator Process (computing) Logic Function (mathematics) Thumbnail Right angle Figurate number Game theory Hacker (term) Window Electric current Reverse engineering
Point (geometry) Surface Server (computing) Pixel Inheritance (object-oriented programming) Injektivität Code Robot Real number Multiplication sign Client (computing) Neuroinformatik Goodness of fit Read-only memory Energy level Nichtlineares Gleichungssystem Implementation Communications protocol Pixel Booting Game theory Injektivität Scaling (geometry) Host Identity Protocol Assembly language Surface High-level programming language Mathematical analysis Code Computer network Client (computing) Bit Database transaction Instance (computer science) Hooking Wave Coding theory Software Volumenvisualisierung Right angle Game theory Remote procedure call Procedural programming Hacker (term) Communications protocol Reading (process) Reverse engineering
Surface Software Code Surface Robot Line (geometry) Hacker (term) Semantics (computer science) Game theory
Point (geometry) Surface Slide rule Functional (mathematics) Service (economics) Code Interior (topology) Real number Robot Patch (Unix) Multiplication sign Decision theory Control flow 10 (number) Semiconductor memory Monster group Game theory Hydraulic jump Constraint (mathematics) Closed set Software developer Surface Client (computing) Software Game theory Hacker (term) Reverse engineering Spacetime
Surface Functional (mathematics) Server (computing) Code Electronic mailing list Client (computing) Bit Parameter (computer programming) Line (geometry) Number Goodness of fit Computer configuration Game theory
Surface Slide rule Server (computing) Functional (mathematics) Code Robot Multiplication sign Structural load Surface Electronic mailing list Sampling (statistics) Client (computing) Parameter (computer programming) System call Mathematics Software Hydraulic jump
Satellite Building Group action Code Debugger Multiplication sign Parameter (computer programming) Client (computing) Malware Encryption Office suite Physical system Product (business) Data mining Data stream Angle Figurate number Hacker (term) Point (geometry) Web page Surface Server (computing) Functional (mathematics) Game controller Sequel Robot Patch (Unix) Virtual machine Control flow Web browser Read-only memory String (computer science) Data mining Game theory YouTube Address space Metropolitan area network Shift operator Key (cryptography) Server (computing) Expert system Plastikkarte Client (computing) System call Word Uniform resource locator Kernel (computing) Personal digital assistant Query language Game theory Table (information) Window
Sign (mathematics) Data recovery Software developer System programming Bit Quicksort Hacker (term) Game theory Physical system
Multiplication sign Metropolitan area network
so my name is josh phillips I have a surprise guest who did not show up in the schedule his name is Michael Donley I'll let him you know introduce himself in a little bit I don't know what it is but generally I always get the last slot at the conference as I speak at and so hopefully I don't you know tell everybody you know too much of a tiring a little bite yeah okay I mean there is somebody after us and I feel really bad for him but you know what are you gonna do so let me see if I can change hmm okay there we go and okay that's the
right slide stuffs not working for me I've heard that that all the presenters have had been having a really bad luck today like no demos are working and you know stuff like that so hopefully we do yeah hopefully ours will go better so about me in real life I play a malware researcher at Kaspersky I was also a malware analyst at Microsoft and contrary to popular opinion or what you may find on Wikipedia configure was not German and Dutch slang for ass fucker it was just a play on on words that I managed you know to come up with that was my like biggest achievement in life so far ah yeah underground you know I was a gold farmer wrote some bots for some games that people might have heard of but i will i'll let people guess as to what that is because i know what blizzard does to people and i'll let Mike talk about himself right now alright I'm uh I'm Mike Donnelly otherwise known as mercury i created the glider software for world of warcraft sold about four million dollars worth of the software got sued lost i think it even says right on there badly lost the tuna six and half million dollars in damages personally liable appealed it got most of it flipped over but overall the process was i would say less than fun as far as my underground identity I have none once you get sued everything about You winds up in court record all your deposition all your address is everything but on the plus side I did have a glider customer bring beer to my house he looked me up and dropped the beer off and then he posted a message on the glider forms is that a mercury go check outside your front door there's a six-pack of beer it was pretty nice and there actually was the beer i go them through the garage so i didn't see it and i went out got it it was only Budweiser but free beer is free beers so not doctor if you're going to get smoked for six and half million dollars at least i got some free beer oh and um i guess all two of you ladies here he's single and he used to be rich yeah i am married but yeah so i'm not so lucky so our goal of this talk is to not make anybody like an expert at game hacking so if you came here for that then we're going to disappoint you we uh you know we plan on just giving you know some overview if you if you don't have any like technical skills we assume you have some to get you know at least something out of this talk but if you don't have technical skills we hope that you know some of our game hacking war games are you know will be entertaining for you guys something i will say is we don't really have any zero days so if you're looking for zero days then you're also going to be disappointed but we don't really feel we need to give any zero days because you know that's really easy to find them you know every game that's ever released is going to have you know a buttload of stuff so so here's a nice
quote from son Sue and I think mike has some experience with this no he actually chose to fight he's actually the only person I know that actually did choose to fight and I guess you can ask him about how that's going that's could be better could could be better good worse yeah could be so here's a brief legal
blurb that Mike has experience with and he's going to talk about that yeah yeah and one thing I wanted to say is of course everybody knows I'm not a lawyer so I can't give you any legal advice but I'm a person and I give you personal advice when it comes to lawyers and when you get lawyers you're fucked if it gets to that point you're in a lot of trouble chances are it's going to end badly a lot of a lot of people such as myself you might think well I've got a good legal theory for what to do you know I've got section 117 owner of a copy I've got dmc-12 01 F interoperability you know let's go man you can't take me down it's incredibly painful and expensive to get that far so even if you have winning arguments the chances that you get there are slim I'm not saying you should never do anything where you might get sued I'm saying you need to understand the seriousness of getting sued it's bad so you should take steps to avoid it if you have to sell from Nevis or Neptune or the seventh dimension try to get away to avoid getting sued because the game companies if you piss them off they will show up at your door China is a good place to be though I'm sorry to do I'm good so my disclaimer is we're weasels I guess maybe I'm a weasel Mike you know chose to do everything in in public I think that might have been a poor choice you guys can decide so you know the names have been changed to protect the innocent so why do we hack I think as mostly obvious you know we want some women's and yeah so did I mention that Mike single come on man so really I mean there's a lot of money in this you know Mike made you know four million dollars my first competitor was making half a million a month that's pretty real money I'll you know sometimes people might want revenge or cheating but that's not really kids being kids yeah child child play so
raise our hands who would like to go to this school I mean I really wish that this was you know offered in my college but it really wasn't so we're gonna get
through some tools of the trade you know if you don't know any of these maybe you should start looking at them so I did I think most reverse engineers can't live without it it should be pretty obvious what you do with that you just assemble some code Ollie dbg let me go back alley debugger if you don't know what a debugger is and you probably shouldn't be here really either you need a memory something to search memory most people use something like art money or T search something like that they're pretty popular 0 and 0 editor if you are doing anything with file formats this is like god mode I think that anybody doing it without 010 editors you know failing it also helped with like packet captures if you want to you know see what the structure of a packet is and something that's very important are your custom tools and once you get serious about game hacking if you don't have your own script for Ida to do all these sorts of magical things then you're wasting your time yeah let's say one thing i want to add is is these are the tools that you're looking at if you're doing something professional if you're going to build a big piece of software and sell it or run it or you know take this on as a business you can do a lot with nothing you can you can duplicate items you can find bugs and games just by being clever and tinkering so this is you know what I don't know pro-grade or what you would use to make money but part of the panel is hacking for fun so I'm not going to completely focus on profit yeah there's nothing worse than then coating up a bot with a bunch of hard coded offsets and then you know the game releases an update and your stuff doesn't work again and then you have to start from pretty much ground zero that's where your tools come in so I've got a bit of classification I'll basically like some so there's like cheats bots I'm not going to go into really detail about the stuff i'll talk to talk more detail at it when when the stuff comes up later on you know there's some really i guess motivated individuals have written you know custom clients one of my competitors in china wrote a custom client for World of Warcraft and pretty much destroyed us you know they could run hundreds of clients per computer and it's really hard to complete compete with that when you can run like three or four what about there's one custom client that in particular is funny just by raising hands how many people here have played the game hellgate london okay how many people that have played it we're playing at six months later one okay I feel sorry for the people who yeah well the reason I mention that is I know a guy that works with world of warcraft german guy and he got the game he got the hellgate london beta and he thought it was awesome so he wrote a client list bought he reversed engineered the entire protocol everything their key shake or their their handshake all the encryption had it ready for game at launch time and then thousands of hours it's like man is this is going to be the next one's gonna be the next wow yeah so you know if you're writing something for profit think of it like a business don't be stupid yeah that was a lot of waste of time then there's things like exploits there they can either be malicious or really get you a giant paycheck dupes are you know god mode asset hacks aren't really worth it for the most part you know you can do some like pathfinding what if you can reverse engineer the you know Matt format and what other assets but pathfinding super hard unless you're going to do something like use recast navigation which is easy mode for solving a really really tough problem so
this is where we separate the two halves from the have-nots that people might not be able to follow hopefully they can follow so the skill set that you need
you're probably going to want to at least know x86 assembly if you don't know that then you've got a lot to learn that's going to be a pretty big steep road ahead for you this stuff isn't really necessary you can write some light lane pixel reading things I think somebody presented at that a couple years ago here it was pretty well attended and I wanted to punch the dudes as it wasn't very cool yeah noobs need not apply so anybody know this guy his
name is a rich Thurman he was I think one of the first guys who actually came public as a gold former this picture is from an i triple e article that they wrote about him in around 2000 2001 he made the 100 over a hundred thousand dollars that's what he admits I think he made a little bit more than that just doing some hacks for Ultima Online basically his tips were play with memory editing locate key data structures and profit I guess it's up to you you forgot the question marks in there yeah yeah yeah so memory searching is an arcane art but as a skill that you definitely need if you cannot master memory searching for you know finding things like hit points etc it's going to be really difficult to do some static analysis and find these things so I mentioned some some games here I'm sure everybody is familiar with world of warcraft anybody not okay I think everybody is so they they're one of the first game to actually use a a commodity script engine most most games make the mistake of rolling their own but they chose Lua and one of the side effects of Lewis you have this string embedded in your binary that tells you in the name of the function so if you ever are reverse engineering code and you want to know hey how do I cast a spell in world war huh well you open up Ida and look for the string like cast spell and it will pretty much instantly take you to where you know the code is at cast spells so
I'm going to go through a mic well I was going to add one more thing on the Lua thing is that that makes reverse engineering the game incredibly easy you can what you can do it you can create a Lewis script to do what you want you know as a test harness if you know to show the spell ID that a unit is casting make sure it works and then you can just load up the game drop your break point right where the loo is hit your test code step right through it it just right there on a platter yeah script engines can make things definitely easy mode reverse engineering there's really no no technical challenge there so brief history I'm going to go through some of
these things pretty quick so Ultima Online was probably the first major mmm oh I think they had around two hundred twenty-five thousand users at peak which is I guess pretty chump change compared to World of Warcraft and I guess even some of the facebook apps that have like 30 million people anybody play like farmville no okay good I don't believe you guys so ultimate line like PETA hackers had a heyday I mean dupes that cheats people you know see invisible people walk through walls etc a world of warcraft i think definitely deserves a mention here is you know it was the first like super big one that had millions of people it's not so big compared to some other ones anymore but it's still pretty big Chinese games are massive compared to wow if anybody knows yeah there's no Chinese you're good to go yeah so the thing about blizzard though is they do more than send just seasoned assists might can attest to that most other places just sent seasoned assists right right actually blizzard doesn't well sometimes they don't send a C and D at all they just show up like yeah lawyer here's a draft complaint sign this paper and cut off your thumb or we're file in this that's how they work but where the warcraft is a big game there's so much money there that even if you're only getting one percent market penetration it's worth the risk because it is a risk but if you're going to take a risk it's got to be for a big enough game where you have you know some kind of Prophet base I'd like to add sometimes Blizzard will show up on your doorstep and if you don't happen to have a brother who's in the polish mafia to chase them out with the baseball bat then you're going to end up like Mike that really happened by the way I did really happen yes so I also a little bit might even if even if your game is really small you can still make a couple grand a month which for a lot of people is it's worth it especially Eastern Europe South America couple grand a month is still living like a king oh yeah absolutely if you just get into to make you know a thousand bucks a month that's where I started and I thought hey this is you know this is a mortgage yeah definitely car payment depends on the car yeah so I mentioned Eve darkfall so Eve was I think the the first game too sorry about slides the first game to actually use a commodity script engine I think they were out before before World of Warcraft you know the decompiled source of Eve was released i mentioned dark film is it's pretty massive half a million lines of code age of conan i think it was a big flop i think a lot of people were excited about it but the interesting thing here is they left a lot of debug strings so i wrote a script that would search ida for something like class name colon colon method name and then I would have I have my I descript rename the functions in in my ID be with you know the string so that made it also pretty easy mode then you have something like I on who tries to step up you know the barrier to entry for game hacking but they they failed pretty miserably so game guard is actually a pretty formidable foe sosta mighta but if you don't use any of the advanced features of either these things and it's actually still pretty easy to bypass them with eye on you could you know just jump a patch out a call and make it return 1 and then you defeated their patch guard or they're not there Patrick up their game guard sorry so this is some you know brief overview of like the types of hacks or exploits that have been in games that have been released Vanguard pretty much sucked i think Microsoft wasted 50 million dollars on that pile of crap and I guess that's why they've canceled like three more MMOs they're probably afraid so like super powered speed hacks have been around in every game imaginable there you know still available if you know how to do them in World of Warcraft for example for anybody who's interested i'll be in the QA room 2d games like like you owe or ultima online have solved this but 3d games the it's really cpu intensive to track the movement of like twenty thirty thousand people so they still really haven't done that great of a job yeah they just trust the client we all know how smart that is yeah yeah we should anyways if anybody here trust the client then you should probably leave so dupes are like what the Federal Reserve does when they go to the Treasury they're like hey can you print me a million billion dollars I promise we'll have the American people pay it back but yeah that's really how you get how you get rich I've got a friend who who did some hacks and was making you know close to a million a month he at one point had two Lambos twin turbo gr doe and a marsh Largo and now he's stuck with just a lime green gr doe I mean I feel sorry for him hey one thing on dupes before before you go is that this is a good display of just some of the tinkering like figuring out how to duplicate an object is very much a non-technical thing it really comes down to finding like an edge condition that the game developers didn't think of that's how historically they've they've all been done so it's not some guy you know right now clever piece of code it's it's somebody doing something weird like you know maybe your world of warcraft and you're crafting an item and while you're casting the craft you trade one of the ingredients and another player summons you you know all these weird conditions that the developer may not have thought of that's typically how you wind up with a dupe where you either you do something that they didn't think of or you can crash like a world server so i could give you know josh my sort of epic ass pounding and then i crash the game server so my character never got saved and then when i log back in i still have it but but the point is that this is really just tinkering which all you guys know how to do whether you're you know pro reversers or not it's really just tinkering and thinking outside the box when you see the game you see it zone or you see a pause and you think well what if i'm in the middle of doing something at that time the more mature games they're harder to find but it really just does come down to tinkering i'd like to add this isn't like real world security research where you find like some bug in in like adobe and then you spend three weeks figuring out how to exploit it and and you know bypass aslr in-depth this isn't like that this is my wonder if they check you know whether or not i can substitute an ID with you know some other random players ID or whether i can tell them that i just bought a million billion things for free yeah so just a bunch of tinkering so i'm going to talk about
some i guess more detailed methods of hacking so like what you would try to do too you say write a teleport etc I'll go
over these things in the next few slides so basically for a teleport hack you
look for the players position in memory and then you use your memory editor and change that value and if you're lucky than you teleport that's really complex yeah not really or you get banned him yeah where you get banned or disconnected yeah that's in an old game when they've realized that oh hey wait people are going to do that it's actually really surprising and how naive a lot of game developers are they generally don't have any clue about how to write you know a game that's hard to hack so you can go into more difficult ways you know if your game is more mature like World of Warcraft that's had to deal with this stuff or I guess seven years and they still haven't done it correctly then you have to modify like movement packets and you know Ford's the you know the timing stuff like that yeah a timestamp it gets more complex but it's still doable speed hacks again you can get these off the shelf that will work with every game and if you're lucky then it still works with your game and I don't know what squeezing that work code means I didn't write this that's mine well that's actually just what I was talking about with lag hacks and this still works in World of Warcraft this works in every game today where you can literally unplug your Ethernet cable move around in the game a little bit and if you plug it back in before the network stack besides the TCP connections dead then the game client will simply tell the server oh here's where I am it's you know dealing with their congestion code they have to accept some latency so in a lot of situations you can pull out your Ethernet cable walk past a monster and all the logic to have the monster hit you is on the server side of course the server doesn't see you near the monster then you plug your Ethernet cable back in good to go you pass the monster without triggering anything don't try it on wireless because when you disable it it will actually close a TCP connection but if you can physically interrupt it just by pulling the cable it actually works it's it's ghetto but it works great that's that's pretty high-tech dog seriously dude that's kind of lame either I think you're going to mention this but there that was used to get a lot of chests in various dungeons you know the in world of work after the five-man dungeons and you could kind of eat your way along deep into a dungeon just by lag hacking past the monsters to get to a chest then you just loot the chest and blue exit instance and money your lead dude and that's why there are no more chests and instances anymore yeah yes I know who's responsible for that so dupes anybody don't know what a dupe is basically you duplicate something and you get a million billion of it or something like that basically this is like the key to making a lot of money and this is how my friend with you know my poor friend what the Lamborghinis this now he got them and it took you know the game that he was you know targeting like almost a year before they figured out how to deal with this stuff they're like hmm I think we have a problem in that you know gold is really available to everybody now nobody has to work for it I wonder what happened yeah yeah yeah like I said these you know game developers are pretty naive wow these guys are good at playing my game so a lot of games have like multiple servers and things like that so you just try to you know go things do things back and forth and hope that if you do it fast enough maybe sometimes the the server will lose track of your items and they magically start filling up in your backpack or like in the game where if you can die and like your items go on your corpse you you have your friend go loot your corpse before you know he before you know his character is saved and then you know magically when you guys both login and server up you each have your items these are pretty basic like we said tinkering sometimes there's no skill involved or maybe just really a lot of creativity you don't necessarily have to you know be a god reverse engineer but it definitely helps a integer overflow and underflow things are also really awesome you can get from like zero to unsigned int max pretty easily that's a pretty big number yeah and that just comes down to tinkering to where you you might take your armor on and off and notice that one of your stats isn't going back the way it should and these things happen in world of warcraft we'd have a guy sitting in orgrimmar taking his helmet on and off under times and then all sudden he's got you know to to the 32nd minus one strength yeah and it really did happen or maybe he just used like a memory editor and took a screenshot you're right yeah I'm try to sell as a count but yeah my favorite is like GM mode the company will ship their game out with you know the the ability to you know reverse engineer and slip a bit and now you're like a GM you can teleport to people you can kill things you guys like the commands and whatnot it's pretty interesting or like stealing from NPCs age of conan was one that was really rife with with vulnerabilities you could for example killer GM i don't think they were very happy yeah well that was the source player ID thing right yeah you just you know tells the game that yeah I'm this GM and I just died right yeah like each packet coming up like you would say you know I'm gonna sell this item and your player ID was in there like kind of like a source address and somehow the game server would believe you if you said you were someone else you're like no I'm so-and-so and I'm selling this okay and yeah and it's not just basic tinkering yeah did I say that game developers are naive I mean they work hard but so you I hacks are pretty much worthless unless you want to zoom out really far that's pretty much what you're going to get from you I hacks maybe you can get like ghost mode where you can fly around the world and you're you stay still then it's not very beneficial well yeah you can also do the wild language translation because they had the thing where Alliance players couldn't understand Ward players were saying so that was all client side so the actual text from the opposing player was sent to the client it would just choose not to display it so it's actually a pretty easy hack to see it but it's not really marketable I don't know who's going to pay for that yeah yeah good luck selling that but it's not very powerful wow you
can talk to humans if you're an org I'm in your base killing your man's it's dudes dudes no it's man's it's man's I'll look it up late I don't believe you I don't believe you I really don't care
you know so this is I guess I'm going to tell you exactly how to write a teleport hack so okay I didn't hear you whoever that was so the easy way to do a teleport hack is you're going to have to like find the player position in memory use right process memory to overwrite that and then you'll teleport I pretty much said that again so it's kind of repeat you can also if you know like in the code where where you know what it's responsible for updating your players location you can call out directly with some functions is there teleport spell you know maybe maybe there's a lua function called you know cast spell and it takes some parameters like your the location you want to teleport to and the server doesn't verify that you are a you know a mage and your warrior and you just cast a spell that's its basic tinkering it's it's not going to work today but that kind of stuff is out there and poking and prodding at it is is actually pretty fun to find yes it definitely worked in in some games the hard way is when you actually have to get down to forging movement packets and this takes you you have to do some math and you know figure out you know how they're sending the updates you have to reverse engineer you know the destructors for their movement packets and maybe adjust the the timestamp and so that you can teleport or run faster logic attack this is what we were talking about on an ting and age of conan you could give fall damage to anything in the in the game and that's how you killed a GM you gave told him that he'd you know just had a million fall damage and he would die that was funny huh so this could also be used maliciously in age of conan in that you could force somebody else to trade with you and they wouldn't really know that they just traded with you but you could also force an NPC to trade with you so it was still useful and not me so I don't feel bad stealing from computer characters I don't think any of you guys should either they're just digital tears they're they're fine they're okay all right so item dupes basically exploit I you know talked about this before I'll say the server line issues age of conan had some zoning EverQuest had zoning final fantasy 11 head zoning Ultima Online just had these several lines where if you cast a spell on one side and cross the server Lonnie and you were fighting somebody than you were fucked repetition attacks I talked about you just basically move things back and forth from say a trade window to your backpack a thousand times a second I mean most people should do that right by hand and the server eventually loses track of stuff and they start filling up in your backpack or maybe everybody knows like Diablo one where you just drop an item on the ground you run up to it I see some head knobs and you pick the item up really quickly on your person and it appears in your backpack and on your cursor so that's pretty fun asset hacking I mentioned is definitely not worth it unless somebody else has published their work for you and you can borrow it but yeah so basically what you do here maybe some people have played World of Warcraft and somebody has magically appeared on your side uh what's that cold ground battle ground I never actually played World of Warcraft I did yeah too boring I'd much rather bought it yeah yeah I should have bought glider but yeah so so those people either use teleports to go from one side of the battleground to the you know to the enemy's base and you know he's in your base killing your man's pretty confident it's man's I'm never wrong or maybe he used you know nugget and modified the map to you know have this tunnel so that he could run under underground and nobody would know or see him maybe you could see his little his little name on the screen or dot on the screen as he's running there and you're like wow where is he yeah but otherwise it's not worth it they're really complex game hacking
420 real profit is definitely dangerous
to the quote from makaveli yeah you can get sued I think yeah so you can have a
ghetto bot I think somebody talked about one last a couple years ago I wanted to punch him it wasn't very interesting basically you do pixel readings or something with like auto it and there's really no re reverse engineering required you just like read that your hip points are red when they're full and they're not read when they're when you're dying and you make it send some key strokes it's very limited scope but most likely you're not going to get detected and detection is something that is not your friend actually real quick does just by show of hint is anybody know why detection is so bad i mean you all understand this right I don't want to gloss over client-side detection everybody appears very wise and we're it's the detection we don't we don't really care what you say okay can I read that well I'll go just real quick um obviously the game manufacturers don't like everything we're talking about hence the lawsuits so what they do is they try to detect your software in the game and if they do then they ban you if you're just doing this for fun it's you know hacking around tween you know tinkering you lose your game account it's not a big deal if you have a hundred thousand customers that is a big deal because then all your customers are banned and then you're fucked so avoiding detection is really important what we're going to get into that a lot more later but client-side detection of your software is very important also I'll say it does anybody ever wonder why you know it takes like three months for a ban wave to happen that's because when when you ban like 50,000 accounts every week then those people who are rebinding those 50,000 accounts never actually rebuy them again because it gets expensive but if you do it every three months or every four months they will actually go by the accounts back so it's actually you know profitable for you know the game company to say oh hey let's you know we've detected these guys ever since they you know turned on glider but we're not going to detect them yet because we know that if we band them too soon they won't give us 50 more dollars mr. so we got some code injection is basically you inject some assembly code to do some small thing like maybe some crappy RPC thing remote procedure call your attack surface is a little bit higher I mean you can really easily detect that and then you have something like DLL injection where you've got some pretty big blob of blob of code written in a high-level language like C or C++ and it's really easy to detect that and so you get into this game where now you write this you know dll loader that fixes all your imports and stuff like that and it gets really complex and you're still pretty easy to detect or you can go to the network or packet level and do some really good work like reverse engineering the network protocol which is very time-consuming I think there are very few games well maybe there's a lot of games that have complete you know analysis on this but it's still not easy to do or you can go write your custom client if you think that you're really good not many people think that they're that good it takes a lot of time so he thinks he's that good that guy does oh oh the guy leaving yeah no no no no no oh damn I didn't think I was that boring sorry guys but if you write a custom client if you're at that level then you're probably going to make a lot of money like the guys that destroyed me i think we're probably making at least couple hundred grand a month yeah right and writing a custom client isn't something you're going to sell this is you know gold farming real money transactions so you're writing a custom clients so that you can have your partner run 10 million instances of the game on a server farm if you don't have a custom client that's way too much 3d rendering but if you can just take the game out of the equation I just don't render anything yeah so it's all a matter of scale for gold farming at this point here you go from like two or three clients per computer to two or three hundred so it's pretty big scaling
here's where we get into semantics cheat stuff this stuff gets difficult sometimes I can't emphasize enough that
it's very important to not be detected as then you lose all right yeah what I
want to talk about on this is not so much the technical aspects of detection but how you approach this strategically this isn't in the book on MMO hack I think there's a book there's one of my friends wrote it yeah i think was written by the guy that was eliminated by warden first something like that so this isn't in the book but strategically what you're looking at is you have two main things to worry about with their software you have the attack surface which is how hard your software is to detect and that's going to work in a couple ways because it also was going to make detection code bigger secondarily you have what I'm just calling intelligence which is how much of what they're doing that you know how good is your understanding of their detection code because it's very important if you don't know what they're doing if you don't know how any of it works how are you going to keep from being detected and they work together such that if your attack surface is very big it's going to be really hard to tell what they're doing because the effort they have to take is so minimal if they can write one line of code to detector your bot you know you're never going to find it when
they do I don't show that code yet alright sorry I'm real close though the
other you only other thing with the tax service is that of course that's a constraint on your features so when you think of something really cool like I'm going to have my bot you know react within two milliseconds every time a monster does something you might be setting yourself up for some detection so that's a decision you have to make when you're choosing your features and handling what your customers are asking for is you know do I want to risk increasing my tax surface by adding this not yet not yet so if so before the next slide I want to talk about a something that happened with me and another software developer with world of warcraft this guy will call him will call the software inner space because that's what it was yeah it worked by injecting a dll under the game which is pretty big but the guy that wrote it is a very competent reverse engineer so he had taken all of blizzards detection code and warden and he added wired up as soon as they sent it down he'd lay down a million break points and it was pretty neat stuff but he still had a dll in memory what she tried to obfuscate and more importantly he had to patch one of lizards functions so you know he'd go to the beginning of the function and just stick a far jump in there and he's a think well I got warden covered so they're not gonna find it are you ready for the code yet I came ready for the code not it okay can you zoom on
just like the top function I'm trying
there we go yeah ooh oh you had pretty
no no oh yeah yeah I know what jaws wow
dude look it we all have that fixation
right that's I think some of us do all right so this is an example this is a piece of code that would be inside the game this is not actually from World of
Warcraft because he's pursued by
Blizzard right out on the OB good idea to post that and you know I would just be posting a dead listing from Ida that's not fun to look at so we're looking at a piece of code here that the game uses to request say your buddies list and as you can see it has a parameter optional parameter we never used before and it takes like a packet number you know the command number b.o.b hey what are you gonna do sticks that optional parameter in there sends it up to the server pretty simple stuff so the way that code used to get called scroll down a little bit to the two line
comment as you can see where it says old code ask for buddies list just pass in zero for the optional parameter we never used before so one day Blizzard says you know what we're going to get this guy we're going to find his patched function and they change that call to the little sample code there this is again slightly paraphrased they you know load up a register and then do some math on it so that Ida won't see another reference to that function then they reach into their the functions being patched pull the first bite of their own code and send that as the optional parameter we never use it before so what this is doing is just sending up one bite of their own code every time they make that request and of course on the server side they just comb through it find the e 9 gone what's interesting is in the software here you don't see anything like a if this guy is a bot then tell the server you just see how we'll just grab this byte send it up and it's a tiny piece of code it doesn't even change the underlying network code there's there's no new parameters no new nothing else the only way you would find this is if you were somehow watching that that data going out and say well used to always be 0 now it's oh it's a 9 that can't be good that's a far jump so when they did this he lost all his customers now they waited a few weeks banned them all and yeah I don't know for sure because Lex hated me but I'm pretty confident he lost a pretty hefty chunk of change well yeah I don't know how I did business-wise hopefully did okay but they did this they just hammered him again and again with this and i found this way after the fact and I as far as
I could tell he never found it but it's a good explanation of how much your attack surface matters I mean patching 1 function turn into this all right now I'm ready for the next slide that's it
for the code the point is that you if you think you know where all the detection code is there's always a chance that's not where you think it is and in the case with blizzard they had never put detection code outside of warden they kept everything in this nice bucket you know hide from me in warden and then they wised up and said we'll just stick a little clod you know a little tiny code here Pat so it's incredibly important a to stay hard to detect because if they had you know if they had to make a new kernel call or something to detect him maybe he's running a private api monitor not that I ever did that and he would see a new kernel call but because they can just get them with one move poof so it's really important to stay small and it's really important to keep an eye on what they're doing you know building tools to monitor their systems building tools to monitor what the data stream supposed to look like and then if it smells funny and maybe you have a problem with glider we actually had tools that would page us so I would you know if warden updated and that you know it didn't look good it would actually page me so you know warden supposed to have eight entry point so now it's got nine in the V table it would page me and I'd run down to the office and freak out when he's wasted right yeah yeah well I can always just turn off glider I'm too drunk to fix it gliders off for a while you know so there's always a way out but it does come down to you can't be lazy in you know again I'm talking from the prophet angle not the fun angle it's a lot of work but it pays off yeah I think we've both had a couple of like all nighters 36-hour shifts trying to find out what they're doing oh yeah there's the rickroll too but I'll say that oh yeah definitely you got a you got to tell him about the rickroll yeah you can do it now no I won't try not to bore you guys too much at one point lizard updated warden and they added a new scan and the way that scan worked is it would take an encrypted string inside warden get a key from the server I would decrypt the string and it would call get proc address on kernel32 if I'm losing you don't worry it gets funny and they would take whatever that string was and if it resolved to a function you know that get proc adder liked they would just call it with no parameters so I was looking at this code and you know the game is down for a patch so I can't see I don't have the key to see what it's going to decrypt ooh I'm looking at it I'm like well what are they going to do they just going to call one kernel call was something at kernel32 with no parameters what's the point and of course if you know if they get proc at or fails and it just does nothing so I SAT there looking at it for hours and I was talking to the hellgate london smart guy and we couldn't figure it out so like oh let's just bring it up so you know we bring it up sticks and break points in and they send the key down right away Michael here's the key let's see what the string is so you see it you know it decrypts it and it's a URL I'm like what it's in it too it's a YouTube URL all right so they passed the YouTube URL to get proc at her proc adder says no and nothing happens so of course I'm like I gotta know so I pasted in a browser and it's fucking rickroll like they rickrolled me and i don't know how many people they got not many we're at five yeah bro I think you got worked up pretty well almost done anyway that was epic you know it and it was really well done so that's all I got to say that that's the most epic rickroll ever yeah I think so yeah oh yeah we are pretty much done our way I don't know if we're gonna make it through in five minutes though but we'll try so I'll go quick so there are some client-side things that can be pretty powerful they can use packers like the minor absolute up these I won't say that word obfuscation thank you very much Oh dudes yeah the the biggest thing that you have to worry about if you're really you know professional in this is server-side data mining so they can some analyst and Blizzard gave us a really big bone and was like hey man this is how I detect people I just write some sequel queries and I walk in the next morning and I ban people and we're like well thanks for telling us that I mean now we can modify our stuff but I don't think he realized that I think he was just trying to be cool so you have things like that are both client and server side and basically what these things are like command and control things that botnets use you send your game client in this case 10 million world warcraft customers this blob of code that they're going to execute and trust on their machine oh yeah this is like a botnet and malware to detect a bot yeah it's pretty funny little irony there yes so punkbuster i won't go through well i'll go through this story wow so punkbuster basically looked for looked for strings to ban people I mean they could be strings or they could just be some binary data a lot it a lot of the times it would be strings like a window name and this group discovered that and they're like hey I don't like this clan that always beats me and so what I'm going to do is I'm going to go into their IRC channel and I'm going to send some strings to all of their members and then I'm going to go watch go back in game and watch them all get banned for cheating at worked of course punkbuster was like no no that's not how it works but it really worked that way yeah I just skipped all
right skip to the deep well this is where you get into money if you're not an expert by now I hope you guys are all experts then yeah we're going to skip
this a little bit we've got two minutes I think yeah this one there's one thing that came under development before yeah
this one this this this was released last week this is diablo 3 diablo 3 auction house how many you guys have seen this news about the RMT yeah a bunch you have there it is that's
a dollar sign that's a dollar sign that's Blizzard endorsing you selling items for money so you can wire up like a third party payment system to your Blizzard a battlenet account and you can
sell that sort of epic ass pounding that
you made for real money or you can buy gold you can sell gold you're not going to have to compete with me because I'm done with blizzard but this is very interesting yes very interesting so we'd
like to thank all of our friends in Poland Germany New Zealand and Australia they couldn't be here it's really expensive for them foul fly they probably get arrested anyway yeah so we've got I guess time for some questions maybe oh well we're going to be in the Q&A okay thanks for coming out man fun def con