Thursday, December 29, 2011

Tools of the trade

Let me be perfectly clear, I am not an expert in this field. While I’ve done a bit of Reverse Engineering (REing) for writing memory corruption exploit code, that was 10 years ago. I’m basically having to re-learn all the stuff I only somewhat knew back then. Obviously this is going to take a while, so if you already do this kind of work; you’ll most likely learn nothing new from me, so carry on nothing to see here. Again, the purpose of this blog is to record and keep track of everything I learn and hopefully someone, somewhere will learn something from it. Now, on to the real topic.

The majority of cheats require us to actually modify the way the game works. Whether it’s screwing with the DirectX rendering to make your enemies visible through walls, or writing a bot to act on changes in the environment. To do this we need to know a few things; how the game works, what rendering engine (although it should pretty much be DirectX only these days) is in use, which encryption/compression algorithms are being used etcetera. To know all of this, we need to be familiar with reverse engineering techniques and how to apply them.

The first step in reverse engineering is groking the assembly code of executables and their supporting DLLs. To do that, you will most likely end up using IDA Pro. Almost every game these days are still being compiled to x86 (32bit). I assume for support reasons 64 bit just hasn’t become the norm, but I’m not an expert in the gaming industry so I have no idea. This may or may not be important depending on which tools we use against the game. If some only support 32bit and we're messing with 64bit apps, you'll be shit out of luck. Also for modifying supporting files or patching the binary itself, you will want a decent hex editor, I personally prefer 010Editor as it has templates that will automatically parse various file types. You can download additional templates from here.

So we use IDA Pro and 010Editor for various REing activities, but those are for static analysis. We also are concerned with doing runtime analysis. For that we need a good debugger. Back when I was writing exploit code I used OllyDBG extensively. The interface was intuitive and it was just really easy to work with. These days, while a lot of people still use olly, it just doesn’t seem as powerful as WinDBG, so I figure now is a good time to learn that. Another important tool for game hacking is a decent API monitor. This will allow us to see and record what Win32APIs are being used by our target game. For that, there’s API Monitor and it is quite a helpful tool. It allows you to spy on the API by hooking various sets of function calls and recording their arguments and return values. I’ll explain process injection and hooking in later parts of this blog. And finally to inspect network traffic, we need a good packet capture tool, which of course is Wireshark. If you are following along, I hope that gives you an idea of what tools I'll be using.

Until next time…


Oh and of course I'll be using visual studio for any coding projects. So yeah there's that.

Wednesday, December 28, 2011

So where to begin?

As with any research topic you need to identify what needs to be researched and where you can research. My first stop was over at good ol' wikipedia. I was pleasently surprised to find this article covering the majority of topics already: http://en.wikipedia.org/wiki/Cheating_in_online_games. I'm primarily interested in topic 1: Bots and software assistance as I find that to be the most engrossing and difficult of the topics. However there are a few parts of "Unsporting play" that I definitely find interesting. In particular, environmental exploits and skin cheats.

While a lot of these cheats are well known and common sense, there are some good bits of information from this article. I found the look-ahead cheating problem to be particularly interesting. It basically works by a cheater purposely holding back their moves but reading in everyone else's, in that way it makes it easy to determine what the next best course of action would be. Think of it like mind reading where you know what everyone is going to do but you don't have to show them what you're going to do until you are ready. This is Definitely Cheating.
In regards to the look-ahead problem I found I was unfamiliar with the lockstep protocol. I did always wonder why people with 'high pings' are kicked from gaming servers. Now it makes sense, you have to wait for that 600ms pinging client to respond to your actions, which in turn can slow down your interaction with them. However it seems these days with the async version that it really shouldn't be a problem when you are interacting with players who are pinging decently (0~250ms). I say this as someone who plays FPSs from japan and has a ping of around 120ms on west coast US servers and 200ms on east coast US servers... So yeah, stop @#%!ing kicking me.

Since I am primarily interested in botting, I need to find some good bot/hacking forums that have good technical information and not stupid kid leachers just looking to cheat. There is a HUGE difference between those who create and those who use and it is very easily identifiable when reading these forums. (To the point you want to cut yourself).
Anyways, here's my list so far:

My next post will start to get more technical as I've already found a number of great resources and tools to aid in modifying game binaries at runtime.

In the beginning...

I created this blog to record my dive into the world of online game hacking and cheating. As a security researcher who also enjoys playing online games, I decided it was time I learned what these cheaters do, and how they do it. It's a terribly interesting world, if I do say so.