Final part of MMO hacking discussion at Defcon 19 by Michael Donnelly, Glider WoW bot author, and Josh Phillips, Kaspersky Lab.
Mike Donnelly: You can also do the language translation, ‘cause they had the thing where Alliance players couldn’t understand what Horde players were saying. That was all client side, so the actual text from the opposing player was sent to the client – it would just choose not to display it. So it’s actually a pretty easy hack to see it, but it’s not really marketable, I don’t know who’s gonna pay for that.
Josh Phillips: Yeah, good luck selling that. But it’s not very powerful – wow, you can talk to humans if you’re an orc… “I’m in your base killing your mans”…
I guess I’m gonna tell you exactly how to write a teleport hack. So the easy way to do a teleport hack is you’re gonna have to, like, find the player position in memory, use WriteProcessMemory to overwrite that, and then you’ll teleport. And you can also – if you know where the code is that’s responsible for updating the player’s location – call that directly with some functions. Is there a teleport spell? You know, maybe there’s a ‘Lua’ function called, you know, ‘CastSpell’ and it takes the parameters like the location you want to teleport to, and the server doesn’t verify that…
Mike Donnelly: That’s basic tinkering. It’s not gonna work today but that kinda stuff is out there, and poking and prodding it is actually fun to find.
Josh Phillips: It definitely worked in some games. The hard way is when you actually have to get down to forging movement packets. You have to do some math, you have to reverse-engineer the structures for the movement packets and maybe adjust the timestamp so that you can teleport or run faster.
Logic attack – this is what we were talking about with ‘Age of Conan’. You could give fall damage to anything in the game, and that’s how you kill the GM. You told them that you had a million fall damage and he would die.
Mike Donnelly: That was funny.
Josh Phillips: So this could also be used maliciously in the ‘Age of Conan’ in that you could force somebody else to trade with you and they wouldn’t really know that they just traded with you. But you could also force an NPC[1] to trade with you, so still useful and not mean. So I don’t feel bad stealing from computer characters. I don’t think any of you guys should either.
Alright, so item dupes – that’s basically exploiting, I’ve talked about this before. I’ll say that server line issues in the ‘Age of Conan’ had some zoning a request, had zoning in ‘Final Fantasy XI’ and had zoning in ‘Ultima Online’ – just had these server lines where if you cast a spell on one side across the server line and you were fighting somebody, then you are f..ked.
Repetition attacks – you just basically move things back and forth from, say, a trade window to your backpack a thousand times a second. I mean, most people should do that by hand, right? The server eventually loses track of stuff and they start filling up in your backpack. Or maybe everybody knows ‘Diablo 1’ where you just drop an item on the ground, you run up to it and pick the item up really quickly on your cursor, and it appears in your backpack and on your cursor, so that’s pretty fun.
Asset hacking – I mentioned it – is definitely not worth it unless somebody else has published their work for you and you can borrow it. So basically what you do here, maybe some people have played ‘World of Warcraft’ and somebody has magically appeared on your side. I never actually played ‘World of Warcraft’, it’s too boring. I’d much rather have bought it. Yeah, I should have bought a Glider. So those people who either use teleports to go from one side of the battleground to the enemy’s base – you know, “he’s in your base killing your mans” (pretty confident it’s ‘mans’) – or maybe they modify the map to have this tunnel so they could run underground and nobody would know or see them (maybe you could see his name on the screen or this little dot on the screen and you go like “Wow, where is he?”) – otherwise it’s not worth it, they’re really complex.
Real profit is definitely dangerous, like Niccolo Machiavelli said. You can get sued, I think.
So you can have a game bot, I think somebody talked about one a couple of years ago and I wanted to punch him as it wasn’t very interesting. Basically, you do pixel reading and there’s really no reverse-engineering required. You just see that your hit points are red when they’re full, and they’re not red when you’re dying. It’s very limited scope, but most likely you’re not gonna get detected, and detection is something that is not your friend.
Mike Donnelly: Actually, real quick, just by show of hands – does anybody know why detection is so bad? I mean, you all understand this, right? I don’t wanna gloss over client-side detection. Everybody appears very wise in regards to detection.
I’ll go over it just real quick. Obviously game manufacturers don’t like everything we’re talking about, hence the lawsuits. So what they do is they try to detect your software, and again, if they do then they ban you. If you’re just doing this for fun, just, you know, hacking around, tinkering, and you lose your game account – it’s not a big deal. If you have 100,000 customers, that is a big deal because when all your customers are banned, then you’re f..ked. So avoiding detection is really important. We are gonna get into that a lot more later, but client-side detection of your software is very important.
Josh Phillips: Also, I’ll say does anybody ever wonder why it takes, like, 3 months for the ban to happen? That’s because when you ban, like, 50,000 accounts every week, then those people who are re-buying those 50,000 accounts never actually re-buy them again because it gets expensive. But if you do it every 3 months or every 4 months, they will actually go buy the accounts back, so it’s actually, you know, profitable for the game company to say “Oh, hey, we’ve detected these guys ever since they turned on the lighter, but we’re not gonna detect them yet because we know that if we ban them too soon, they won’t give us 50 more dollars”.
So we got some code injection where basically you inject some assembly code to do some small thing like maybe some crappy RPC[2] thing. Your attack surface is a little bit higher, I mean you couldn’t really easily detect that. And then you have something like dll injection where you’ve got some pretty big bulk of code written in a high-level language like C or C++, and it’s really easy to detect that. And so you get into this game where you write this dll loader that fixes all your imports and stuff like that, and it gets really complex and you’re still pretty easy to detect.
Or you can go into the network or packet level and do some really good work like reverse-engineering the network protocol, which is very time-consuming. I think there are very few games (or maybe there’s a lot of games) that have complete analysis on this, but it’s still not easy to do.
Or you can go write your custom client if you think that you’re really good. Not many people think that they’re that good. It takes a lot of time, but if you write a custom client and if you’re at that level, then you’re probably gonna make a lot of money, like the guys that destroyed me I think were probably making at least a couple of hundred grand a month.
Mike Donnelly: Right. And writing a custom client isn’t something you’re gonna sell. This is, you know, goldfarming, real money transactions. So you’re writing a custom client so that you can have your partner run 10 million instances of game on a server farm. If you don’t have a custom client, that’s way too much 3D rendering, but if you can just take the game out of the equation – just don’t render anything. So it’s all a matter of scale for goldfarming at this point.
Josh Phillips: You go from, like, 2 or 3 clients per computer to 200 or 300, so it’s pretty big scaling.
Here is where we get into some anti-cheat stuff. This stuff gets difficult sometimes. I can’t emphasize enough that it’s very important to not be detected ‘cause then you lose.
Mike Donnelly: Alright, what I wanna talk about on this is not so much the technical aspects of detection but how you approach it strategically. This isn’t in the book on MMO hacking – I think there’s a book.
Josh Phillips: Yeah, one of my friends wrote it.
Mike Donnelly: I think it was written by the guy who was eliminated by Warden[3] first. So this isn’t in the book, but strategically what you’re looking at is you have 2 main things to worry about. You have the attack surface, which is how hard your software is to detect, and that’s gonna work in a couple of ways because it’s gonna make detection code bigger. Secondarily, you have what I’m just calling intelligence, which is how much of what they’re doing that you know, how good is your understanding of their detection code – because it’s very important. If you don’t know what they’re doing, if you don’t know how any of it works, then how are you gonna keep from being detected? And they work together, such that if your attack surface is very big, it’s gonna be really hard to tell what they’re doing because the effort they have to take is so minimal. If they can write one line of code to detect your bot, you’re never gonna find it when they do.
The only other thing with attack surface is that of course that’s a constraint on your features, so when you think of something really cool (like “I’m gonna have my bot react within 2 milliseconds every time a monster does something”), you might be setting yourself off some detection. So that’s a decision you have to make when you’re choosing your features and handling with your customers. You should ask yourself whether you want to risk increasing your attack surface by adding this. So before the next slide, I want to talk about something that happened with me and another software developer with ‘World of Warcraft’. We’ll call the software ‘Interspace’ ‘cause that’s what it was – it worked by injecting a dll into the game, which is pretty big. But the guy that wrote it is a very competent reverse-engineer, so he had taken all of Blizzard’s detection code, he had it wired up and as soon as they sent it down he’d laid down a million breakpoints – it was pretty neat stuff. But he still had the dll memory which he tried to obfuscate, and more importantly, he had to patch one of Blizzard’s functions. So, you know, he’d go to the beginning of the function and just stick a ‘far jump’ in there. He’d think “Well, I got Warden covered, so they’re not gonna find it”.
Josh Phillips: Are you ready for the code yet?
Mike Donnelly: Okay, I’m ready for the code. Alright, so this is an example of a piece of code that would be inside the game.
This is not actually from the ‘World of Warcraft’. So we’re looking at a piece of code here that the game uses to request, say, your buddies list. As you can see, it has an optional parameter we never used before, and it takes a packet number (command number) b00b, sticks that optional parameter in there and sends it up to the server – pretty simple stuff. So the way that code used to get called – you can see where it says ‘Old code’ askForBiddiesList, just passing (0) for the optional parameter we never used before.
So what Blizzard said was “You know what, we’re gonna get this guy, we’re gonna find his patch function”. And they changed that call to the little sample code there – well, this is again slightly paraphrased. They load up a register and they do some math on it so that IDA won’t see another reference to that function. Then they reach into the function that’s being patched, pull the first byte of their own code and send that as the optional parameter we never used before. So what this is doing is just sending up one byte of their own code every time they make their request. And of course on the server side, they comb through it, find the ‘E9’ – gone. What’s interesting is in the software here you don’t see anything like “If this guy is a bot, then tell the server”. You just see how they grab this byte and send it up, and it’s a tiny piece of code, it doesn’t even change the underlying network code. There’s no new parameters, no new nothing else. The only way you would find it is if you are somehow watching that data going out and see it used to always be ‘0’ and now it’s ‘E9’ – that can’t be good, that’s a far jump.
So when they did this, he lost all those customers. You know, they waited a few weeks and banned ‘em all. I don’t know how he did business, hopefully he did okay. But they just hammered him again and again with this, and I found this way after the fact and as far as I can tell, he never found it. But it’s a good explanation of how much the attack surface matters. I mean, patching one function turned into this. Alright, that’s it for the code.
The point is that if you think you know where all the detection code is, there’s always a chance it’s not where you think it is. In the case with Blizzard, they had never put detection code outside of Warden – they’d kept everything in this nice bucket, hide from me and Warden. So it’s incredibly important to stay hard to detect, ‘cause if they had to make a new kernel call or something to detect him, maybe he was running a private API monitor (not that I ever did that) and he would see a new kernel call. But because they can just get him with one move – poof… So it’s really important to stay small and it’s really important to keep an eye on what they’re doing: you know, building tools to monitor their systems, building tools to monitor what the data stream is supposed to look like, and then if it smells funny, maybe you have a problem. With ‘Glider’, we actually had tools that would page us, so if Warden was updated and that didn’t look good, they would actually page me. Well, I can always just turn off ‘Glider’, I’m too drunk to fix it – so there’s always a way out, but it does come down to “You can’t be lazy”. Again, I’m talking from the profit angle, not the fun angle. It’s a lot of work but it pays off.
At one point, Blizzard got data Warden and they added a new scan. And the way the scan worked is it would take an encrypted string inside the Warden, get a key from the server, it would decrypt this string, and they would call ‘GetProcAddress’ (kernel32). They would take whatever that string was, and if it resolved to a function, they would just call it with no parameters. So I was looking at this code and, you know, the game was down for a patch, so I don’t have the key to see what it’s gonna decrypt to. And I’m like “What are they gonna do? Are they just gonna call something at kernel32 with no parameters? What’s the point?” Of course, if the ‘GetProcAddress’ fails, it just does nothing. So I sat there looking at this for hours, and I was talking to the ‘Hellgate: London’ smart guy, and we couldn’t figure it out. So we just decided to bring it up. So we’d bring it up, stick some breakpoints in and they’d send the key down right away. Oh, there’s the key, let’s see what the string is! So you see, it decrypts it, and it’s a URL, it’s a YouTube URL. So I pasted it in the browser, and it’s a f..king rickroll. They rickrolled me, and I don’t know how many people they got (not many). Anyway, that was epic, you know, and it was really well done. That’s all I got to say, that’s the most epic rickroll ever.
Josh Phillips: So there are some client-side things that can be pretty powerful. They can use packers for obfuscation. The biggest thing that you have to worry about if you’re really professional in this is server-side data mining. Some analyst at Blizzard gave us a really big bone and was like “Hey man, this is how I detect people. I just write some SQL queries and I walk in the next morning and I ban people”. And we’re like “Well, thanks for telling us that. Now we can modify your stuff”. But I don’t think he realized that, I think he was just trying to be cool.
So you have things that are both client and server side, and basically what these things are is like command and control things that botnets use. You send your game client – in this case, 10 million ‘World of Warcraft’ customers – this bulk of code that they’re gonna execute on their machines.
Mike Donnelly: This is like a botnet malware to detect a bot.
Josh Phillips: Yeah, it’s pretty funny.
So, ‘PunkBuster’ – I’ll go through this story. ‘PunkBuster’ basically looked for strings to ban people. I mean, they could be strings or they could just be some binary data. A lot of the times, they would be strings like a window name. And this group discovered that, and they were like “Hey, I don’t like this. And so what I’m gonna do is I’m gonna go into their IRC channel and I’m gonna send some strings to all of their members, and then I’m gonna go back in game and watch them all get banned for cheating”. Of course ‘PunkBuster’ was like “No, that’s not how it works”. But it really worked that way.
This is where you get into money. If you’re not an expert by now – I hope you guys are all experts.
Mike Donnelly: There’s one thing that came under development before. In ‘Diablo 3 Auction House’, Blizzard started endorsing you selling items for money. So you can wire up a third-party payment system to your Blizzard battlenet account and you can sell that sort of epic ass pounding that you made for real money, or you can buy gold, you can sell gold. You’re not gonna have to compete with me ‘cause I’m done with Blizzard, but this is very interesting.
Josh Phillips: Yes, very interesting.
So we’d like to thank all of our friends in Poland, Germany, New Zealand and Australia. They couldn’t be here, it’s really expensive for them to fly over.
[1] NPC (non-player character, or non-person character) is any character not controlled by a player in electronic games – usually a character controlled by the computer through artificial intelligence.
[2] RPC (remote procedure call) is an inter-process communication that allows a computer program to cause a subroutine or procedure to execute in another address space (commonly on another computer on a shared network) without the programmer explicitly coding the details for this remote interaction.
[3] Warden is an anti-cheating tool integrated in many Blizzard Entertainment games. Some privacy specialists consider this software to be spyware.