Hacking Online Games: Josh Phillips and Michael Donnelly at Defcon 19

Josh Phillips, Kaspersky Lab

Josh Phillips (Senior Malware Analyst at Kaspersky Lab): So my name is Josh Phillips. I have a surprise guest who did not show up on the schedule, his name is Michael Donnelly. I’ll have him, you know, introduce himself in a little bit.

I don’t know what it is but generally I always get the last slot at the conferences I speak at, so hopefully I don’t tell everybody, you know, too much of a tiring lullaby. I mean, there is somebody after us, I feel really bad for him but, you know, what are you gonna do?

Okay, there we go. I’ve heard that all the presenters have been having really bad luck today, like no demos were working and, you know, stuff like that. So hopefully ours will go better.

So about me: in real life, I play a malware researcher at Kaspersky. I was also a malware analyst at Microsoft. And contrary to popular opinion, or what you may find on Wikipedia, Conficker was not German and Dutch slang for ‘ass f..ker’, it was just a play on words that I managed to come up with. That was my, like, biggest achievement in life so far.

Underground I was a Gold farmer [1], wrote some bots for some games that people might have heard of. I’ll let people guess as to what that is, because I know what ‘Blizzard’ does to people. I’ll let Mike talk about himself right now.

Mike Donnelly (author of the Glider [2]): I’m Mike Donnelly, otherwise known as ‘Mercury’. I created the ‘Glider’ software for ‘World of Warcraft’, sold about 4 million dollars’ worth of the software, got sued badly, lost 6.5 million dollars in damages, personally liable, appealed it, got most of it flipped over, but overall the process was, I would say, less than fun. As far as my underground identity, I have none. Once you get sued, everything about you winds up in court record: all your deposition, all your addresses – everything.

But on the plus side, I did have a ‘Glider’ customer bring beer to my house. He had looked me up, dropped the beer off and then he posted a message on the ‘Glider’ forums that said “Hey Mercury, go check outside your front door, there’s a six pack of beer”. And there actually was the beer. Going through the garage I didn’t see it, and I went out, got it. That was only ‘Budweiser’, but free beer is free beer.

So if you’re gonna get smoked for 6.5 million dollars, at least I got some free beer.

Josh Phillips: Oh, and I guess all two of you ladies here, he’s single and he used to be rich. I’m married, so I’m not so lucky. So our goal of this talk is to not make anybody an expert at game hacking, so if you came here for that then we are going to disappoint you. You know, we planned on just giving you some overview. If you don’t have any technical skills – we assume you have some to get at least something out of this talk – but if you don’t have technical skills, we hope that some of our game hacking, war games will be entertaining for you guys.

Something I will say is we don’t really have any zero-days, so if you’re looking for zero-days then you’re also going to be disappointed. But we don’t really feel we need to give any zero-days because, you know, it’s really easy to find them. You know, every game that’s ever released is gonna have a buttload of stuff.

“He who knows when he can fight and when he cannot will be victorious” (Sun Tzu)

So here is a nice quote from Sun Tzu and I think Mike has some experience with this – he actually chose to fight, he’s actually the only person I know that actually did choose to fight, and I guess you can ask him about how that’s going. So here is a brief legal blurb that Mike has experience with, and he’s gonna talk about that.

Mike Donnelly: Yeah, one thing I wanted to say is of course everybody knows I’m not a lawyer, so I can’t give you any legal advice. But I’m a person and I can give you personal advice when it comes to lawyers: when you get sued, you’re f..ked. If it gets to that point, you are in a lot of trouble, chances are it’s gonna end badly. A lot of people, such as myself, might think “I’ve got a good legal theory for what to do: I’ve got section 117, I’ve got DMCA 1201(f) interoperability, you know. Let’s go man, you can’t take me down!”.

It’s incredibly painful and expensive to get that far, so even if you have winning arguments, the chances that you get there are slim. I’m not saying you should never do anything where you might get sued, I’m saying you need to understand the seriousness of getting sued. It’s bad, so you should take steps to avoid it. If you have to sell from Venus or Neptune or the 7th dimension, try to get away to avoid getting sued, because the game companies, if you piss them off, will show up at your door.

Josh Phillips: China is a good place to be though. So, my disclaimer is ‘We’re weasels’. I guess maybe I am a weasel, Mike chose to do everything in public. I think that might have been a poor choice, you guys can decide. So, you know, the names have been changed to protect the innocent.

So why do we hack? I think it’s mostly obvious: you know, we want some ‘womens’. Did I mention that Mike’s single?

Mike Donnelly: Oh, come on man!

Josh Phillips: So really there’s a lot of money in this. Mike made 4 million dollars, my first competitor was making half a million a month – that’s pretty real money. Sometimes people might want revenge or cheating, but that’s not really child’s play.

So raise the hands who would like to go to ‘Game Hacking 101’ school. I mean, I really wish that this was, you know, offered in my college but it really wasn’t. We are gonna get through some tools of the trade: IDA, OllyDbg, your favorite memory editor/searcher, 010 Editor, Wireshark, custom tools – you make them. If you don’t know any of these, maybe you should start looking at them. So I think most reverse engineers can’t live without it. It should be pretty obvious what you do with that – you disassemble some code (‘OllyDbg’ – Olly Debugger). If you don’t know what a debugger is, then you probably shouldn’t be here really either. You need the memory, something to search memory – most people use something like ‘ArtMoney’ or ‘TSearch’, something like that; they’re pretty popular. ‘010 Editor’ – if you are doing anything with file formats, this is like ‘god mode’. I think that anybody doing it without ‘010 Editor’ is, you know, failing. It also helps with packet captures if you want to see what the structure of a packet is. And something that’s very important is your custom tools. Once you get serious about game hacking, if you don’t have your own scripts for IDA to do all these sorts of magical things, then you are wasting your time.

Mike Donnelly: One thing I wanted to add is these are the tools that you are looking at if you’re doing something professional, if you’re gonna build a big piece of software and sell it or run it, or, you know, take this on as a business. You can do a lot with nothing: you can duplicate items, you can find bugs in games just by being clever and tinkering, so this is like a pro-grade or what you would use to make money. Part of the panel is hacking for fun, so I’m not gonna completely focus on profit.

Josh Phillips: Yeah, there’s nothing worse than coding up a bot with a bunch of hard-coded offsets, and then, you know, the game releases an update and your stuff doesn’t work again, and then you have to start from pretty much ground zero.

So I’m gonna give you a bit of classification – basically, there’s like cheats, bots. I’m not gonna get into real deep details about this stuff. I’ll talk in more detail when the stuff comes up later on. There’s some really, I guess, motivated individuals who have written custom clients. One of my competitors in China wrote a custom client for ‘World of Warcraft’ and pretty much destroyed us. They could run hundreds of clients per computer, and it’s really hard to compete with that when you can write, like, three or four.

Mike Donnelly: What about this one custom client in particular? It’s funny – just raise the hands how many people here have played the game ‘Hellgate: London’? Okay, how many people that have played it were playing it six months later? One? Okay. Well, the reason I mentioned it is I know a guy that works with ‘World of Warcraft’ – German guy – and he got the ‘Hellgate: London’ paid and he thought it was awesome. So he wrote a clientless bot, he reverse-engineered the entire protocol – everything (their keyshake or their handshake), all the encryption. He had it ready for game at launch time, and then… thousands of hours, you know. This is gonna be the next while. So, you know, if you’re writing something for profit, think of it like a business, don’t be stupid.

Josh Phillips: Yeah, that’s a lot of waste of time.

Then, there’s things like exploits. They can either be malicious or really get you a giant paycheck: dupes or, you know, ‘god mode’.

Asset hacks aren’t really worth it for the most part. You know, you can do some pathfinding if you can reverse-engineer the map formats and other assets. But pathfinding is super-hard, unless you’re going to do something like use Recast Navigation which is easy mode for solving a really-really tough problem.

So this is where we separate the ‘haves’ from the ‘have-nots’. People might not be able to follow. Hopefully they can follow.

So the skills that you need, you are probably gonna want to at least know x86 assembly. If you don’t know that, then you’ve got a lot to learn, that’s gonna be a pretty big steep road ahead for you. The stuff isn’t really necessary, you can write some, like, lame pixel reading things – I think somebody presented that a couple of years ago here, it was pretty well attended and I wanted to punch the dudes because they were very cool. Yeah, noobs need not apply.


[1] Gold farmers – players who stay online for extremely long hours and farm mobs for selling the in-game money they accumulate for real-world money.

[2] Glider – aka WoWGlider or MMOGlider, was a bot created by Michael Donnelly, which interoperates with World of Warcraft. Glider automates and simplifies actions by the user through the use of scripting to perform repetitive tasks while the user is away from the computer. This allows the user to acquire in-game currency and level-ups of the character without being present to perform the required actions. As of 2008, it has sold approximately 100,000 copies.

