An overview of the methods used to reverse engineer computer games. Special focus is put on using memory manipulation at runtime to cheat at games as well as the countermeasures deployed by game developers.
Christoph Matthies (@chrisma0), Lukas Pirl
Published under CC BY-NC-SA 3.0
5. How it’s done
In-flight memory patching[1]
(view the game as a bunch of memory, change the important bits at runtime)
Benefits:
○ Generic (i.e. programming language and framework agnostic)
○ Fast (usually gives faster results than binary analysis)
○ Invisible (unless the game checks for external programs)
○ Good tool support (Cheat Engine[2] is popular)
[1] Elie Bursztein—Defcon 18 - Kartograph, Finding a Needle in a Haystack or How to Apply Reverse Engineering Techniques to Games
[2] www.cheatengine.org
6. How it’s done
In-flight memory patching[1]
(view the game as a bunch of memory, change the important bits at runtime)
Drawbacks:
○ Needle in a haystack (finding one 4-byte value in 50 MB of memory)
○ No control over the algorithm
(you need to trigger the algorithm to do something;
not as reliable as patching the binary)
[1] Elie Bursztein—Defcon 18 - Kartograph, Finding a Needle in a Haystack or How to Apply Reverse Engineering Techniques to Games
7. Reasons to reverse engineer games
● Money (the market is huge: in 2013, $15.39 B was spent on games in the USA[1])
○ Build better bots to farm gold
○ Sell bots / exploits / cheats[2]
● Progress faster through the game (20 hours of fishing?)
● Curiosity, learning, researching the game
● Port old, abandoned games to a new platform[3]
● Build your own server
○ Because the official server is discontinued
[1] Entertainment Software Association, Essential facts 2014, http://www.theesa.com/facts/pdfs/ESA_EF_2014.pdf, 2014
[2] Exploits for games protected by PunkBuster - http://pansemuckl.netcoders.cc/
[3] OpenRA—Libre/Free Real Time Strategy game engine supporting early Westwood classics, http://openra.res0l.net/
8. Methods to RE games
Some static approaches
(interact with the binary file)
● Disassemble (but games are huge these days)
○ Find vulnerabilities
○ Understand data structures in order to pinpoint them in memory
○ Predict the future
■ Understand the pseudo-random number generator (PRNG)
● Patch the binary
○ DLL analysis, load your own DLL
○ Patch the render loop, run custom code first
9. Methods to RE games
Some dynamic approaches (1/2)
(interact with the software at runtime)
● Using a debugger
○ Set breakpoints on important events
○ Get notified when something happens
○ Manipulate variables
● Using a proxy (in networked games)
○ Intercept & modify game data packets on the fly
○ Reverse engineer the protocol
● Fuzzing (send random data, see what happens)
10. Methods to RE games
Some dynamic approaches (2/2)
(interact with the software at runtime)
● Bots, macros (interact with the user interface)
○ Rebind keys (e.g. shoot with the mouse wheel)
○ Sample pixels / read memory locations
(error prone, the screen must be configured)
○ Inject / simulate keystrokes and mouse movement
(dedicate a computer to this task alone)
○ Tool support (e.g. AutoHotkey[1])
● Manipulate memory
[1] AutoHotkey—Fast scriptable desktop automation with hotkeys, http://www.autohotkey.com/
11–16. Example: Map Hack in a RTS game
(i.e. remove the fog of war)
(figure: the game’s memory, with the steps below revealed one per slide)
Step 0: Acquire the entire game memory.
Step 1: Do everything but discover the map; keep the memory that didn’t change.
Step 2: Only discover the map; keep only the data that changed.
Step 3: Repeat.
Step 4: Find the data structure.
Step 5: Understand and manipulate the structure.
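The Step 0 to Step 3 loop above, implemented over constructed memory snapshots; this is an added example, not code from the talk or from Cheat Engine, and the toy layout (frame counter, HP, fog bitmap, constant) is made up. It also illustrates the "needle in a haystack" drawback from slide 6: each round discards every offset whose behaviour contradicts what the player just did, which is what an anti-cheat memory scanner has to assume a cheater is doing.

```python
"""Differential memory search: the Step 0 to Step 3 loop from the map-hack
slides. Added example, not code from the talk or from Cheat Engine; the
"process memory" is a constructed list of little-endian words and nothing
is read from a real process."""
from typing import Dict, List, Set, Tuple

WORD = 4


def make_snapshot(words: Dict[int, int], size: int = 16) -> bytes:
    """Constructed snapshot of `size` 4-byte words; unlisted words are zero."""
    return b"".join(words.get(i, 0).to_bytes(WORD, "little") for i in range(size))


def words_at(snapshot: bytes) -> Dict[int, int]:
    """Map each word-aligned byte offset to the 4-byte value stored there."""
    return {off: int.from_bytes(snapshot[off:off + WORD], "little")
            for off in range(0, len(snapshot) - WORD + 1, WORD)}


def narrow(cands: Set[int], before: bytes, after: bytes, changed: bool) -> Set[int]:
    """One filtering round. changed=False is Step 1 (the player did everything
    except explore, so drop offsets that moved); changed=True is Step 2 (the
    player only explored, so drop offsets that stayed the same)."""
    b, a = words_at(before), words_at(after)
    return {off for off in cands if (b[off] != a[off]) == changed}


def search(rounds: List[Tuple[bytes, bytes, bool]]) -> Set[int]:
    """Step 0: every offset of the first snapshot is a candidate. Step 3: apply
    the rounds until few enough candidates remain to study as a structure."""
    cands = set(words_at(rounds[0][0]))
    for before, after, changed in rounds:
        cands = narrow(cands, before, after, changed)
    return cands


# Constructed toy layout (all values made up): word 3 is a frame counter that
# always changes, word 5 is player HP, word 9 is the fog-of-war bitmap that
# only changes when the map is explored, word 12 is a constant.
FOG_OFFSET = 9 * WORD


def demo() -> Set[int]:
    s0 = make_snapshot({3: 100, 5: 50, 9: 0x0, 12: 7})
    s1 = make_snapshot({3: 900, 5: 30, 9: 0x0, 12: 7})    # fought, did not explore
    s2 = make_snapshot({3: 1200, 5: 30, 9: 0x3, 12: 7})   # only explored
    s3 = make_snapshot({3: 1800, 5: 30, 9: 0x3, 12: 7})   # idled, nothing changed
    return search([(s0, s1, False), (s1, s2, True), (s2, s3, False)])
```

After three rounds only the fog-of-war word (offset 36) survives; in a real 50 MB process the same loop is what turns the haystack into a handful of candidates for Step 4.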
17. Step 4: Find the map
Heat map analysis of memory region[1]
(figure: two heat maps side by side, “in game” and “in memory”)
[1] Kartograph—Elie Bursztein and Jocelyn Lagarenne, Stanford University,
http://www.defcon.org/images/defcon-18/dc-18-presentations/Burszstein-Lagarenne/DEFCON-18-Bursztein-Lagarenne-Kartograph.pdf
18. Step 5: Understanding & manipulating
● Understand the structure and logic of the data
○ Many ways to represent the structure (linked list, array, ...)
○ Additive visibility vs. bitmap visibility
● Manipulate
○ Once vs. continually
○ Spawn a thread to continually rewrite the memory
● Force the game to redraw / re-read the changed memory
○ E.g. change the resolution
19. Networked games
● The client-server model stops naive game modification
○ Client: “I have gathered 99999999 gold”
○ Server: “Not according to my model! Disconnect!”
● Efficiency vs. security
○ “Never trust the client”
○ Only send the data that is needed
(just-in-time; can lead to lag on slow connections)
○ Send the complete gamestate
(fast, scales well, but vulnerable to memory manipulation)
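The server-authoritative model and the two transmission options above, as an added example that is not code from the talk; the sight radius, gather rate and world layout are constructed. The server computes the outcome of every action itself and rejects client-reported state, and `visible_state` is the "only send what is needed" option that leaves nothing for a map hack to uncover in client memory.

```python
"""Server-authoritative game state: the server keeps the model, clients may
only send actions, and each client receives just the part of the state it is
allowed to see. Added example, not code from the talk; the world layout,
sight rule and gather rate are constructed."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Unit:
    owner: str
    x: int
    y: int
    sight: int = 3          # constructed: Chebyshev vision radius in tiles


@dataclass
class Server:
    gold: Dict[str, int]
    units: List[Unit]
    gather_rate: int = 5    # constructed: gold granted per accepted gather action

    def handle(self, player: str, msg: dict) -> str:
        """Accept actions and compute their outcome server-side; reject any
        message in which the client reports its own state."""
        if msg.get("type") == "gather":
            self.gold[player] += self.gather_rate
            return "ok"
        if msg.get("type") == "set_gold":      # "I have gathered 99999999 gold"
            return "Not according to my model! Disconnect!"
        return "unknown action"

    def complete_state(self) -> List[Unit]:
        """The 'send complete gamestate' option: fast, but the client's memory
        then holds enemy positions it should not know, so a map hack works."""
        return list(self.units)

    def visible_state(self, player: str) -> List[Unit]:
        """The 'only send data that is needed' option: an enemy unit is
        included only while some unit of `player` can see it."""
        own = [u for u in self.units if u.owner == player]
        return [u for u in self.units if u.owner == player or
                any(max(abs(u.x - o.x), abs(u.y - o.y)) <= o.sight for o in own)]


def demo() -> Server:
    """Constructed two-player world; returns the server for inspection."""
    srv = Server(gold={"alice": 0, "bob": 0},
                 units=[Unit("alice", 0, 0), Unit("bob", 2, 2), Unit("bob", 10, 10)])
    srv.handle("alice", {"type": "gather"})                      # accepted: +5 gold
    srv.handle("alice", {"type": "set_gold", "gold": 99999999})  # rejected
    return srv
```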
20. Countermeasures
Game developers try to stop cheating / modifications
○ Cheating frustrates players, players leave (money is lost)
○ Arms race between cheaters & devs
Examples:
● Client data file checksums
○ Compare checksums with the server
○ Keep files in an “open state” (change kernel behavior to circumvent)
21. Countermeasures
Employ additional anti-cheat software (spyware?!)
○ PunkBuster (EA, Activision, Ubisoft, ...)
■ Memory scanning
■ Status reports
■ Screenshots of the player’s screen
■ Check the player’s settings, search across all players
■ Hardware bans (the hard-disk ID is banned)[1]
○ Additional attack surface
■ The anti-cheat itself can be a target of exploits
[1] Ban Stats for Battlefield 3 - http://www.pbbans.com/mbi-latest50-bf3-lfb41.html
22. Countermeasures: The Warden
Blizzard’s anti-cheat (WoW, SC2, Diablo III, etc.)
“[...] the Warden pokes around into other processes, doing things like reading the window text in the title bar of every window and doing a scan of the code loaded for every process running on your computer (which it then compares against known cheat code). [...] nothing is really stopping the company from doing whatever it wants on a gamer's PC, and it has already crossed the invisible line by poking around outside the game's process area. We don't trust them.” [1]
[1] G. Hoglund and G. McGraw. Exploiting online games: cheating massively distributed systems. 2007.
23. Countermeasures: The Warden
Blizzard’s anti-cheat (WoW, SC2, Diablo III, etc.)
Diablo III EULA[1]
“Consent to Monitor. WHEN RUNNING, THE GAME MAY MONITOR YOUR COMPUTER'S RANDOM ACCESS MEMORY (RAM) FOR UNAUTHORIZED THIRD PARTY PROGRAMS RUNNING CONCURRENTLY WITH THE GAME. [...] IN THE EVENT THAT THE GAME DETECTS AN UNAUTHORIZED THIRD PARTY PROGRAM, THE GAME MAY (a) COMMUNICATE INFORMATION BACK TO BLIZZARD, INCLUDING WITHOUT LIMITATION YOUR ACCOUNT NAME, DETAILS ABOUT THE UNAUTHORIZED THIRD PARTY PROGRAM DETECTED, AND THE TIME AND DATE; AND/OR (b) EXERCISE ANY OR ALL OF ITS RIGHTS UNDER THIS AGREEMENT, WITH OR WITHOUT PRIOR NOTICE TO THE USER.”
You have to agree to this (or not play)
[1] http://us.blizzard.com/en-us/company/legal/d3_eula.html
25. References
● Bursztein, E.; Hamburg, M.; Lagarenne, J.; Boneh, D. “OpenConflict: Preventing Real Time Map Hacks in Online Games”. Security and Privacy (SP), 2011 IEEE Symposium on. Available at: http://crypto.stanford.edu/~dabo/pubs/papers/onlinegames.pdf
● Hoglund, G.; McGraw, G. Exploiting online games: cheating massively distributed systems. 2007.
● Bursztein, E.; Lagarenne, J. (Stanford University). “Kartograph: Anatomy of a Maphack”. Defcon 18. Retrieved from https://www.youtube.com/watch?v=mFprkIAeKgM. Slides available at: http://www.defcon.org/images/defcon-18/dc-18-presentations/Burszstein-Lagarenne/DEFCON-18-Bursztein-Lagarenne-Kartograph.pdf
● Potter, B.; Lodge, L. “Living with Game Servers”. DEFCON 17. 2009. Retrieved from https://www.youtube.com/watch?v=SooVvF9qO_k
● Hoguin, L. “Reverse-Engineering A Proprietary Game Server With Erlang”. EUC 2012. Retrieved from http://ninenines.eu/talks/reverse-engineering/reverse-engineering.html