beat your mom at solitaire—reverse engineering of computer games


Posted on 19-Jul-2015


TRANSCRIPT

  • Beat Your Mom At Solitaire: Reverse Engineering of Computer Games

    Christoph Matthies, Lukas Pirl (@chrisma0)

    May 2014

  • Beat your mom at Solitaire

  • Beat your mom at Solitaire... by cheating :(

  • Beat your friends at Minesweeper

  • How it's done

    In-flight memory patching[1] (view the game as a bunch of memory, change the important bits at runtime)

    Benefits:
    - Generic (programming language and framework agnostic)
    - Fast (usually faster results than binary analysis)
    - Invisible (unless the game checks for external programs)
    - Good tool support (Cheat Engine[2] is popular)

    [1] Elie Bursztein, Defcon 18 - Kartograph, Finding a Needle in a Haystack or How to Apply Reverse Engineering Techniques to Games
    [2] www.cheatengine.org

  • How it's done

    In-flight memory patching[1] (view the game as a bunch of memory, change the important bits at runtime)

    Drawbacks:
    - Needle in a haystack (one 4-byte value somewhere in 50 MB of memory)
    - No control over the algorithm (you have to trigger the game's own code to do something; not as reliable as patching the binary)

  • Reasons to reverse engineer games

    - Money (the market is huge: in 2013, $15.39 B was spent on games in the USA[1])
      - Build better bots to farm gold
      - Sell bots / exploits / cheats[2]
    - Progress faster through the game (20 hours of fishing?)
    - Curiosity, learning, researching the game
    - Port old, abandoned games to a new platform[3]
    - Build your own server, because the official server has been discontinued

    [1] Entertainment Software Association, Essential Facts 2014, http://www.theesa.com/facts/pdfs/ESA_EF_2014.pdf, 2014
    [2] Exploits for games protected by PunkBuster - http://pansemuckl.netcoders.cc/
    [3] OpenRA, Libre/Free Real Time Strategy game engine supporting early Westwood classics, http://openra.res0l.net/

  • Methods to RE games

    Some static approaches (interact with the binary file):
    - Disassemble (but games are huge these days)
      - Find vulnerabilities
      - Understand data structures so you can pinpoint them in memory
      - Find the future: understand the pseudo-random number generator (PRNG)
    - Patch the binary
    - DLL analysis, import your own DLL
      - Patch the render loop, run custom code first

  • Methods to RE games

    Some dynamic approaches (1/2) (interact with the software at runtime):
    - Using a debugger
      - Set breakpoints on important events
      - Get notified when something happens
      - Manipulate variables
    - Using a proxy (in networked games)
      - Intercept & modify game data packets on-the-fly
      - Reverse engineer the protocol
    - Fuzzing (send random data, see what happens)

  • Methods to RE games

    Some dynamic approaches (2/2) (interact with the software at runtime):
    - Bots, macros (interact with the user interface)
      - Rebind keys (e.g. shoot with the mouse wheel)
      - Sample pixels / read memory locations (error prone; the screen must be configured for it)
      - Inject / simulate keystrokes and mouse movement (dedicate a computer to this task alone)
      - Tool support (e.g. AutoHotkey[1])
    - Manipulate memory

    [1] AutoHotkey, fast scriptable desktop automation with hotkeys, http://www.autohotkey.com/


  • Example: Map Hack in an RTS game (i.e. remove the fog of war)

    Step 0: Acquire the entire game memory.
    Step 1: Do everything but discover the map; keep the memory that didn't change.
    Step 2: Only discover the map; keep only the data that changed.
    Step 3: Repeat.
    Step 4: Find the data structure.
    Step 5: Understand and manipulate the structure.

    (figure: game memory, with the candidate region shrinking after each step)
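The differential scan behind steps 0 to 3 (and the "needle in a haystack" search from the in-flight memory patching slide), as an added example that is not the presenters' code. A constructed FakeGame stands in for the real process so the script runs offline; in practice the snapshots would come from the live process (e.g. /proc/<pid>/mem, ReadProcessMemory, or Cheat Engine's scanner). The counter being hunted is gold rather than the map, and the 64 KiB size, 5% churn rate and 4-byte word width are assumptions for the demo.

```python
"""Differential memory scan: alternate 'everything but X' and 'only X' snapshots
and keep only the offsets that behaved as expected each time."""
import random
import struct

WIDTH = 4  # scan granularity: 4-byte little-endian words, the usual size of a counter


def read_u32(mem, off):
    return struct.unpack_from("<I", mem, off)[0]


def write_u32(mem, off, value):
    struct.pack_into("<I", mem, off, value)


class DiffScanner:
    """Narrows a set of candidate offsets by comparing successive snapshots.
    Step 0: every aligned word in the snapshot starts out as a candidate."""

    def __init__(self, snapshot):
        self.prev = bytes(snapshot)
        self.candidates = set(range(0, len(self.prev) - WIDTH + 1, WIDTH))

    def _filter(self, snapshot, keep):
        snapshot = bytes(snapshot)
        self.candidates = {
            off for off in self.candidates
            if keep(read_u32(self.prev, off), read_u32(snapshot, off))
        }
        self.prev = snapshot
        return len(self.candidates)

    def unchanged(self, snapshot):
        """Step 1: we did everything *except* the action of interest, so the
        value we hunt must not have moved; drop every candidate that did."""
        return self._filter(snapshot, lambda old, new: old == new)

    def changed(self, snapshot):
        """Step 2: we did *only* the action of interest, so the value must
        have moved; drop every candidate that stayed the same."""
        return self._filter(snapshot, lambda old, new: old != new)


class FakeGame:
    """Constructed stand-in for a game process: 64 KiB of memory with a gold
    counter at a hidden offset, plus unrelated state (timers, particles, ...)
    that churns on every tick so a single-snapshot search cannot find it."""

    def __init__(self, size=64 * 1024, seed=1):
        self.rng = random.Random(seed)
        self.mem = bytearray(self.rng.getrandbits(8) for _ in range(size))
        self.gold_off = self.rng.randrange(size // WIDTH) * WIDTH
        write_u32(self.mem, self.gold_off, 100)

    def tick(self):
        """One frame of game logic: about 5% of all words change for reasons
        that have nothing to do with gold (assumed churn rate)."""
        n_words = len(self.mem) // WIDTH
        for w in self.rng.sample(range(n_words), n_words // 20):
            if w * WIDTH != self.gold_off:
                write_u32(self.mem, w * WIDTH, self.rng.getrandbits(32))

    def gather(self, amount):
        """The action whose memory location we want to find."""
        write_u32(self.mem, self.gold_off, read_u32(self.mem, self.gold_off) + amount)
        self.tick()

    def snapshot(self):
        return bytes(self.mem)


def hunt(game, rounds=8):
    """Steps 1-3: alternate 'everything but gathering' with 'only gathering'
    until the candidate set has collapsed. Returns the surviving offsets."""
    scanner = DiffScanner(game.snapshot())
    for _ in range(rounds):
        game.tick()                         # everything except the action
        scanner.unchanged(game.snapshot())
        game.gather(10)                     # only the action (plus the usual churn)
        scanner.changed(game.snapshot())
    return scanner.candidates


def patch(game, off, value):
    """Step 5: rewrite the located value in the 'process'; returns the new value."""
    write_u32(game.mem, off, value)
    return read_u32(game.mem, off)


if __name__ == "__main__":
    g = FakeGame(seed=7)
    found = hunt(g)
    print("candidates after hunt:", sorted(found), "real offset:", g.gold_off)
    (off,) = found
    print("gold now:", patch(g, off, 99999999))
```

Each round removes roughly 95% of the noise that survived the previous one, which is why a handful of alternations is enough to go from tens of thousands of candidates to one; a value that changes on its own between snapshots (a timer, a pointer the allocator moves) is simply filtered out along the way. For a structure like the map rather than a single counter, the same filters are run, and the surviving region is then inspected as in step 4.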

  • Step 4: Find the map. Heat map analysis of a memory region[1]

    (figure: the map as seen in the game next to the same map as it appears in memory)

    [1] Kartograph, Elie Bursztein and Jocelyn Lagarenne, Stanford University, http://www.defcon.org/images/defcon-18/dc-18-presentations/Burszstein-Lagarenne/DEFCON-18-Bursztein-Lagarenne-Kartograph.pdf

  • Step 5: Understanding & manipulating

    Understand the structure and the logic behind it:
    - Many ways to represent a structure (linked list, array, ...)
    - Additive visibility vs. bitmap visibility

    Manipulate:
    - Once vs. continually (spawn a thread that keeps rewriting the memory)
    - Force the game to redraw / re-read the changed memory, e.g. by changing the resolution

  • Networked games

    The client-server model stops naive game modification:
    - Client: I have gathered 99999999 gold
    - Server: Not according to my model! Disconnect!

    Efficiency vs. security: never trust the client
    - Only send the data that is needed (just-in-time; can lead to lag on slow connections)
    - Send the complete gamestate (fast, scales well, but vulnerable to memory manipulation)
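The two trust decisions on this slide, as an added toy RTS server (example code, not the presenters' or any real game's). The rules (gold per gather, vision range), the sample map and the message format are assumptions made for the demo; what it shows is that a state report from the client is only ever compared against the server's own model, and that a map hack can only reveal what the server chose to send.

```python
"""Toy authoritative RTS server: clients send actions, never state, and the
server decides how much of the world each client gets to see."""
import math

GATHER_RATE = 5      # assumed rule: gold awarded per "gather" action
VISION_RANGE = 5.0   # assumed rule: distance (in cells) a unit can see

# Constructed map state: alice can see bob's unit 2, but unit 3 is in the fog.
WORLD = [
    {"id": 1, "owner": "alice", "pos": (2, 2)},
    {"id": 2, "owner": "bob",   "pos": (5, 4)},
    {"id": 3, "owner": "bob",   "pos": (30, 30)},
]


class Server:
    """send_full_state selects what goes back to the client:
      True  - "send complete gamestate": fast and simple, but the fog of war is
              then enforced only by the client's renderer, which is exactly
              what a map hack patches around;
      False - "only send data that is needed": units the player cannot see
              never leave the server, so no client-side memory edit reveals them.
    """

    def __init__(self, world, send_full_state):
        self.world = [dict(u) for u in world]
        self.send_full_state = send_full_state
        self.gold = {}
        self.connected = set()

    def handle(self, player, msg):
        """Process one client message. Returns the update sent back, or None
        if the server disconnected the client."""
        self.connected.add(player)
        self.gold.setdefault(player, 0)
        if msg["type"] == "gather":
            self.gold[player] += GATHER_RATE        # the server runs the model itself
        elif msg["type"] == "state":
            # "Client: I have gathered 99999999 gold" is never believed, only
            # checked against the server's own model.
            if msg.get("gold") != self.gold[player]:
                self.connected.discard(player)      # "Not according to my model! Disconnect!"
                return None
        else:
            raise ValueError("unknown message type: %r" % msg.get("type"))
        return self._update_for(player)

    def _update_for(self, player):
        own = [u for u in self.world if u["owner"] == player]
        if self.send_full_state:
            units = self.world
        else:
            units = [u for u in self.world
                     if u["owner"] == player or self._visible(u, own)]
        return {"gold": self.gold[player], "units": [dict(u) for u in units]}

    @staticmethod
    def _visible(unit, own_units):
        return any(math.dist(unit["pos"], o["pos"]) <= VISION_RANGE for o in own_units)


def maphacked_view(update):
    """What a client-side map hack amounts to: render every unit present in the
    received state, fog or not. Returns the unit ids the hack would show."""
    return sorted(u["id"] for u in update["units"])


if __name__ == "__main__":
    for full in (True, False):
        srv = Server(WORLD, send_full_state=full)
        upd = srv.handle("alice", {"type": "gather"})
        print("full state" if full else "filtered ", "-> map hack sees units", maphacked_view(upd))
        bogus = srv.handle("alice", {"type": "state", "gold": 99999999})
        print("  bogus gold report accepted?", bogus is not None)
```

The filtered variant is the "just-in-time" design from the slide: it costs a visibility computation per update and an extra round trip whenever something enters view, which is where the lag on slow connections comes from, but the hidden unit is simply not in the client's memory to be found.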

  • Countermeasures

    Game developers try to stop cheating / modifications:
    - Cheating frustrates players, players leave (money is lost)
    - Arms race between cheaters & devs

    Examples:
    - Checksums of the client's data files, compared against the checksums the server knows
    - Keep the data files open (locked) while the game runs; circumvented by changing kernel behavior

  • Countermeasures

    Employ additional anti-cheat software (spyware?!), e.g. PunkBuster (EA, Activision, Ubisoft, ...):
    - Memory scanning
    - Status reports
    - Screenshots of the player's screen
    - Check the player's settings, search across all players
    - Hardware bans (the hard disk ID is banned)[1]

    Additional attack surface: the anti-cheat itself can become the target of exploits

    [1] Ban Stats for Battlefield 3 - http://www.pbbans.com/mbi-latest50-bf3-lfb41.html

  • Countermeasures: The Warden, Blizzard's anti-cheat (WoW, SC2, Diablo III, etc.)

    "[...] the Warden pokes around into other processes, doing things like reading the window text in the title bar of every window and doing a scan of the code loaded for every process running on your computer (which it then compares against known cheat code). [...] nothing is really stopping the company from doing whatever it wants on a gamer's PC, and it has already crossed the invisible line by poking around outside the game's process area. We don't trust them." [1]

    [1] G. Hoglund and G. McGraw. Exploiting online games: cheating massively distributed systems. 2007.
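What a scan of the kind the quote describes boils down to, as an added example (not Blizzard's code and not real Warden signatures): every process's window title is matched against keywords and its loaded code against byte signatures with wildcards. The process list and the signatures are constructed for the demo; a real scanner would enumerate processes and read their code through OS APIs (e.g. /proc/<pid>/maps and /proc/<pid>/mem, or ReadProcessMemory), which is exactly the "poking around outside the game's process area" the quote objects to.

```python
"""Title-keyword and code-signature scan over every process on the machine."""
import re

# Constructed "known cheat code" signatures in the usual hex-with-wildcards
# form; '??' matches any byte. The bytes are illustrative, not real signatures.
SIGNATURES = {
    "trainer-hook": "E8 ?? ?? ?? ?? 83 C4 08",   # call rel32; add esp, 8
    "nop-sled": "90 90 90 90 90 90 90 90",       # deliberately weak, see pid 400
}

# Constructed window-title keywords, matched case-insensitively.
TITLE_KEYWORDS = ["cheat engine", "trainer"]

# Constructed snapshot of "every process running on your computer":
# pid, window title, and the bytes of its loaded code.
PROCESSES = [
    {"pid": 100, "title": "Game",             "code": b"\x55\x48\x89\xe5\x90\x90\xc3"},
    {"pid": 200, "title": "Cheat Engine 6.3", "code": b"\x48\x8b\x05\x10\x20\x30\x40\xc3"},
    {"pid": 300, "title": "untitled",         "code": b"\xe8\x01\x02\x03\x04\x83\xc4\x08"},
    {"pid": 400, "title": "editor",           "code": b"\x90" * 16},
]


def compile_signature(hex_pattern):
    """Translate 'E8 ?? ?? ?? ?? 83 C4 08' into a compiled bytes regex."""
    parts = []
    for tok in hex_pattern.split():
        parts.append(b"." if tok == "??" else b"\\x%02x" % int(tok, 16))
    return re.compile(b"".join(parts), re.DOTALL)


def scan_processes(processes, signatures=SIGNATURES, keywords=TITLE_KEYWORDS):
    """Return (pid, reason) for every process that trips a title keyword or a
    code signature. Every process is inspected, not only the game."""
    compiled = {name: compile_signature(p) for name, p in signatures.items()}
    hits = []
    for proc in processes:
        title = proc["title"].lower()
        for kw in keywords:
            if kw in title:
                hits.append((proc["pid"], "title:" + kw))
        for name, rx in compiled.items():
            if rx.search(proc["code"]):
                hits.append((proc["pid"], "sig:" + name))
    return hits


if __name__ == "__main__":
    for pid, reason in scan_processes(PROCESSES):
        print("pid %d: %s" % (pid, reason))
```

Two things the sample shows that matter in practice: the "editor" process (pid 400) is flagged by the weak NOP-run signature although it has nothing to do with cheating, which is how an anti-cheat ends up banning innocent players; and a cheat that renames its window and avoids the signatured byte patterns passes the scan, which is the arms race from the previous slide.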

  • Countermeasures: The Warden, Blizzard's anti-cheat (WoW, SC2, Diablo III, etc.)

    Diablo III EULA[1] (you have to agree to this, or not play):

    "Consent to Monitor. WHEN RUNNING, THE GAME MAY MONITOR YOUR COMPUTER'S RANDOM ACCESS MEMORY (RAM) FOR UNAUTHORIZED THIRD PARTY PROGRAMS RUNNING CONCURRENTLY WITH THE GAME. [...] IN THE EVENT THAT THE GAME DETECTS AN UNAUTHORIZED THIRD PARTY PROGRAM, THE GAME MAY (a) COMMUNICATE INFORMATION BACK TO BLIZZARD, INCLUDING WITHOUT LIMITATION YOUR ACCOUNT NAME, DETAILS ABOUT THE UNAUTHORIZED THIRD PARTY PROGRAM DETECTED, AND THE TIME AND DATE; AND/OR (b) EXERCISE ANY OR ALL OF ITS RIGHTS UNDER THIS AGREEMENT, WITH OR WITHOUT PRIOR NOTICE TO THE USER."

    [1] http://us.blizzard.com/en-us/company/legal/d3_eula.html

  • Discussion

    (word cloud: PunkBuster, privacy, heat map visualization, The Warden, Cheat Engine, memory, proxy, countermeasures, Solitaire, bots, macros, binary patching, cheating, morality, arms race, checksums, maphack, hardware bans)

  • References

    Bursztein, E.; Hamburg, M.; Lagarenne, J.; Boneh, D. "OpenConflict: Preventing Real Time Map Hacks in Online Games". 2011 IEEE Symposium on Security and Privacy (SP). Available at: http://crypto.stanford.edu/~dabo/pubs/papers/onlinegames.pdf

    G. Hoglund and G. McGraw. Exploiting online games: cheating massively distributed systems. 2007.

    Elie Bursztein, Jocelyn Lagarenne. Stanford University. Kartograph: Anatomy of a Maphack. Defcon 18. Retrieved from https://www.youtube.com/watch?v=mFprkIAeKgM. Slides available at: http://www.defcon.org/images/defcon-18/dc-18-presentations/Burszstein-Lagarenne/DEFCON-18-Bursztein-Lagarenne-Kartograph.pdf

    Bruce Potter, Logan Lodge. Living with Game Servers. DEFCON 17. 2009. Retrieved from https://www.youtube.com/watch?v=SooVvF9qO_k

    Loïc Hoguin. Reverse-Engineering A Proprietary Game Server With Erlang. EUC 2012. Retrieved from http://ninenines.eu/talks/reverse-engineering/reverse-engineering.html