Continued discussion of online game hacking by Michael Donnelly (WoW bot Glider) and Josh Phillips (Kaspersky Lab Senior Malware Analyst).

Josh Phillips: Anybody know Rich Thurman? He was, I think, one of the first guys who actually came public as a gold farmer. He made over 100,000 dollars – that’s what he admits. I think he made a little bit more than that just doing some hacks for ‘Ultima Online’. Basically, his tips were to play with memory editing, locate key data structures and profit. I guess it’s up to you.
So memory searching is an arcane art, but that’s the skill that you definitely need. If you cannot master memory searching, it’s gonna be really difficult to do some static analysis and find these things. So I mentioned some games here – I’m sure everybody is familiar with ‘World of Warcraft’. Anybody not? Okay, I think everybody is. So they were one of the first games to actually use a commodity script engine (most games make the mistake of rolling their own). But they chose Lua [1], and one of the side effects of Lua is you have this string embedded in your binary that tells you the name of the function. So if you have a reverse-engineering code and you want to know “Hey, how do I cast a spell in ‘World of Warcraft’”, well you open up IDA [2] and you look for the string like ‘CastSpell’, and it will pretty much instantly take you to where the code is.
Mike Donnelly: I was gonna add one more thing on the Lua thing that it makes reverse-engineering a game incredibly easy. What you can do is you can create a Lua script to do what you want like show the spell ID, make sure it works and then you can just load up the game, drop your break point right where the Lua is, hit your test code and step right through it – just right there on the platter.
Josh Phillips: Yeah, script engines can make things definitely easy in reverse-engineering, there’s no technical challenge there.
So brief history…I’m gonna go through some of these things pretty quick. ‘Ultima Online’ was probably the first major MMO [3]. I think it had around 225,000 users at peak, which is, I guess, pretty big compared to ‘World of Warcraft’ and, I guess, even some of the Facebook apps that have like 30 million people. Anybody play ‘Farmville’? No? Okay. I don’t believe you guys. So ‘Ultima Online’ was hackers’ heyday – I mean dupes, the cheats, people seeing invisible people, walk through walls etc. ‘World of Warcraft’, I think, definitely deserves a mention here as it was the first super-big one that had millions of people. It’s not so big compared to some other ones anymore, but it’s still pretty big. Chinese games are massive compared to ‘WoW’, if anybody knows.
The thing about ‘Blizzard’ though is they do more than saying just ‘cease and desist’ – Mike can attest to that.
Mike Donnelly: Right, actually ‘Blizzard’ sometimes doesn’t send a C&D at all, they just show up like “Knock-knock…I’m a lawyer, here’s a draft complaint. Sign this paper and cut off your thumb, or we’re filing this”. That’s how they work. But ‘World of Warcraft’ is a big game, there’s so much money there that even if you’re only getting 1% market penetration, it’s worth the risk, ‘cause it is a risk. But if you’re gonna take a risk, it’s gotta be for a big enough game where you have some kind of profit base.
Josh Phillips: I’d like to add, sometimes ‘Blizzard’ will show up on your doorstep, and if you don’t happen to have connections with Polish mafia to chase them out with the baseball bat, then you’re gonna end up like Mike. That did really happen.
Even if your game is really small, you can still make a couple of grand a month, which for a lot of people is worth it, especially in Eastern Europe, South America – a couple of grand a month is still living like a king.
Mike Donnelly: Oh yeah, absolutely. If you just make, you know, a thousand bucks a month – that’s where I started – and I thought this was a mortgage, or car payment (depends on a car).
Josh Phillips: So I mentioned ‘Eve’ and ‘Darkfall’. ‘Eve’ was, I think, the first game to actually use a commodity script engine – I think they were out before ‘World of Warcraft’. You know, the decompiled source of ‘Eve’ was released. I mentioned ‘Darkfall’, it was pretty massive – half a million lines of code. ‘Age of Conan’ – I think that was a big flop, I think a lot of people were excited about it. But the interesting thing here is they left a lot of debug strings. So I wrote a script that would search ‘IDA’ for something like ‘ClassName::MethodName’, and then I would have my ‘IDA’ script rename all of the functions in my IDB with this string. So that made it also a pretty easy mode. Then you have something like ‘Aion’ who tries to step up the barrier for game hacking, but they failed pretty miserably. So ‘GameGuard’ is actually a pretty formidable foe, and so is Themida, but if you don’t use any of the advanced features of either of these things, then it’s actually still pretty easy to bypass them. With ‘Aion’, you could just patch out a call and make it return ‘1’, and then you defeated their ‘GameGuard’.
So this is some brief overview of the types of hacks or exploits that have been in games that have been released. ‘Vanguard’ pretty much sucked, I think Microsoft wasted 50 million dollars on that pile of crap, and I guess that’s why they’ve cancelled, like, 3 more MMOs – they were probably afraid. So it’s like super powers.
Speedhacks have been around in every game imaginable. They are still available if you know how to do them in ‘World of Warcraft’ for example. With 2D games like ‘UO’ (‘Ultima Online’) it’s simpler, but with 3D games it’s really CPU intensive to track the movement of 20 – 30 thousand people, so they still really haven’t done that great of a job.
Mike Donnelly: Yeah, they just trust the client – we all know how ‘smart’ that is.
Josh Phillips: Yeah, if anybody here trusts the client, then you should probably leave…
So dupes are like what the Federal Reserve does when they go to the Treasury. They’re like “Hey, can you print me a million billion dollars? We promise we’ll have the American people pay it back”. Yeah, that’s really how you get rich. I’ve got a friend who did some hacks and was making, you know, close to a million a month. He at one point had two ‘Lambos’ (‘Twin Turbo Gallardo’ and a ‘Murcielago’), and now he is stuck with just online dream. I feel sorry for him.
Mike Donnelly: One thing on dupes before you go is this is a good display of just some of the tinkering. Figuring out how to duplicate an object is very much a non-technical thing. It really comes down to finding, like, an edge condition that the game developers didn’t think of. So it’s not some guy writing a clever piece of code – it’s somebody doing something weird, like, you know, maybe on ‘World of Warcraft’ you’re crafting an item, and while you’re casting the craft you trade one of the ingredients and another player summons you. You know, all these weird conditions that the developer may not have thought of – that’s typically how you wind up with the dupe. You do something that they didn’t think of, or you can crash, like, a world server. So I could give Josh my sword of epic ass pounding, and then I crash the game server, and then when I log back in I still have it. But the point is that this is really just tinkering, which all of you guys know how to do, whether you’re pro reversers or not. It’s really just tinkering, and thinking outside the box. When you see the game, you see its zone, you see a pause – and you think, what if I’m in the middle of doing something at that time? The more mature games, they’re harder to find. But it really just does come down to tinkering.
Josh Phillips: I’d like to add, this isn’t like real-world security research where you find some bug in, like, ‘Adobe’, and then you spend three weeks figuring out how to exploit it and, you know, bypass ASLR (Address Space Layout Randomization). This isn’t like that. I wonder if they check whether or not I can substitute an ID with some other random player’s ID, or whether I can tell them that I just bought a million billion things for free. Yeah, so just a bunch of tinkering.
So I wanna talk about some, I guess, more detailed methods of hacking, like what you would try to do to, say, write a teleport etc. So basically, for teleport hack you look for the player’s position in memory and then you use your memory editor and change that value. And if you’re lucky, then you teleport – that’s really complex (not really).
Mike Donnelly: …Or you get banned.
Josh Phillips: Yeah, or you get banned or disconnected – that’s in an old game when they realized that people were gonna do that. It’s actually really surprising how naive a lot of game developers are. They generally don’t have any clue about how to write a game that’s hard to hack.
So you can go into more difficult ways. You know, if your game is more mature, like ‘World of Warcraft’, they’ve had to deal with this stuff for, I guess, 7 years and they still haven’t done it correctly. You have to modify movement packets and, you know, forge the timing – stuff like that. It gets more complex but it’s still doable.
Speedhacks – again, you can get these off the shelf, they will work with every game. And if you’re lucky, then it still works with your game. And I don’t know what ‘squeezing network code’ means, I didn’t write that.
Mike Donnelly: Sorry. That’s actually just what I was talking about with lag hacks. And this still works on ‘World of Warcraft’, this works in every game today where you can literally unplug your Ethernet cable, move around in the game a little bit, and if you plug it back in before the TCP connection’s dead, then the game client will simply tell the server “Oh, here’s where I am”. It’s, you know, dealing with their congestion code, they have to accept some latency. So in a lot of situations you can pull out your Ethernet cable, walk past the monster, and all the logic to have the monster hit you is on the server side; of course the server doesn’t see you’re near the monster. Then you plug your Ethernet cable back in – good to go, you passed the monster without triggering anything. Don’t try it on wireless, ‘cause when you disable it you actually close the TCP connection. But if you can physically interrupt it just by pulling out the cable, it actually works, it works great.
Mike Donnelly: Seriously…
Josh Phillips: Dude, that’s kinda lame…
Mike Donnelly: I think you’re gonna mention this, but that’s where you see a lot of chests and various dungeons. You know, in ‘World of Warcraft’ there’s a lot of dungeons, and you could kinda eke your way along, deep into a dungeon just by lag-hacking past the monsters and get to a chest, exit the instance and get the money. That’s why there are no more chests in instances anymore.
Josh Phillips: I know who is responsible for that.
So, dupes…Anybody who doesn’t know what a dupe is? Basically you duplicate something, and you get a million billion of it or something like that. This is the key to making a lot of money, and this is how my ‘poor’ friend with the Lamborghinis got them. With the game he was targeting, it took almost a year before they figured out how to deal with this stuff. They were like “I think we have a problem in that, you know, gold is really available to everybody now, nobody has to work for it. I wonder what happened”. Like I said, these game developers are pretty naïve. They think “Wow, these guys are good at playing my game”.
A lot of games have multiple servers and things like that, so you just try to do things back and forth and hope that if you do it fast enough, maybe sometimes the server will lose track of your items and they’ll magically start filling up in your backpack. Or, like in a game where if you can die and your items go on your corpse, you have your friend go loot your corpse before his character is saved. And then, you know, magically when you guys both log in the server you each have your items. These are pretty basic, like we said – tinkering. Sometimes there’s no skill involved or maybe just really a lot of creativity, you don’t necessarily have to be a god in reverse-engineering, but it definitely helps.
Integer overflow/underflow things are also really awesome. You can get from zero to max pretty easily, that’s a pretty big number.
Mike Donnelly: Yeah, and that just comes down to tinkering too, where you take your armour on and off and notice that one of your stats isn’t going back the way it should. And these things happened in ‘World of Warcraft’, we’d have a guy sitting in Orgrimmar taking his helmet on and off a hundred times, and then all of a sudden he’s got, you know, thirty second minus one strength. And it really did happen.
Josh Phillips: Or maybe he just used a memory editor and took a screenshot.
Alright, my favourites like GM mode – company will ship the game out with, you know, the ability to reverse-engineer and flip a bit, and now you are like a GM and you can teleport people, you can kill things, you got the commands, which is pretty interesting.
Or stealing from NPCs…‘Age of Conan’ was one that was really rife with vulnerabilities. You could for example kill a GM. I don’t think they were very happy…
Mike Donnelly: That was the source player ID thing, right?
Josh Phillips: Yeah, you just, you know, tell the game that I’m this GM and I just died.
Mike Donnelly: With each packet coming up, you would say “I’m gonna sell this item”, and your player ID was in there. And somehow, this game server would believe you if you said you were someone else. You’re like “No, I’m so and so, and I’m selling this”. Okay…
Josh Phillips: Did I say that game developers are naive? I mean they work hard but…
So, UI hacks are pretty much worthless unless you want to zoom out really far – that’s pretty much what you’re gonna get from UI hacks. Maybe you can get, like, ghost mode where you can fly around the world and you stay still, but it’s not very beneficial.
[1] – Lua (from Portuguese: lua meaning “moon”) is a lightweight multi-paradigm programming language designed as a scripting language with “extensible semantics” as a primary goal. Lua combines simple procedural syntax with powerful data description constructs based on associative arrays and extensible semantics.
Lua was created in 1993 by Roberto Ierusalimschy, Luiz Henrique de Figueiredo, and Waldemar Celes, members of the Computer Graphics Technology Group at the Pontifical Catholic University of Rio de Janeiro.
[2] – IDA (Interactive Disassembler) is a disassembler for computer software which generates assembly language source code from machine-executable code. It supports a variety of executable formats for different processors and operating systems.
[3] – MMO (also called MMOG) is a massively multiplayer online video game which is capable of supporting hundreds or thousands of players simultaneously.