Beat Your Mom At Solitaire
Reverse Engineering of Computer Games
Christoph Matthies, Lukas Pirl
@chrisma0
May 2014
Beat your mom at Solitaire ... by cheating :(
Beat your mom at Solitaire, beat your friends at Minesweeper
How it’s done
In-flight memory patching[1]
(view game as bunch of memory, change important bits at runtime)
Benefits:
○ Generic (i.e. programming language, framework agnostic)
○ Fast (usually faster results than binary analysis)
○ Invisible (without checking for external programs)
○ Good Tool support (Cheat Engine[2] is popular)
[1] Elie Bursztein, DEF CON 18: Kartograph, Finding a Needle in a Haystack or How to Apply Reverse Engineering Techniques to Games
[2] www.cheatengine.org
In-flight memory patching[1]
(view game as bunch of memory, change important bits at runtime)
Drawbacks:
○ Needle in a haystack (one 4-byte value in 50 MB memory)
○ No control over the algorithm
(need to trigger the algorithm to do something,
not as reliable as patching binary)
[1] Elie Bursztein, DEF CON 18: Kartograph, Finding a Needle in a Haystack or How to Apply Reverse Engineering Techniques to Games
Reasons to reverse engineer games
● Money (the market is huge: in 2013, $15.39 B was spent on games in the USA[1])
○ Build better bots to farm gold
○ Sell bots / exploits / cheats[2]
● Progress faster through the game (20 hours of fishing?)
● Curiosity, learning, researching the game
● Port old, abandoned games to a new platform[3]
● Build your own server
○ Because the official server is discontinued
[1] Entertainment Software Association, Essential facts 2014, http://www.theesa.com/facts/pdfs/ESA_EF_2014.pdf, 2014
[2] Exploits for games protected by PunkBuster - http://pansemuckl.netcoders.cc/
[3] OpenRA—Libre/Free Real Time Strategy game engine supporting early Westwood classics, http://openra.res0l.net/
Methods to RE games
Some static approaches
(interact with the binary file)
● Disassemble (but games are huge these days)
○ Find vulnerabilities
○ Understand data structures so they can be pinpointed in memory
○ Find a future
■ Understand the pseudo-random number generator (PRNG)
● Patch the binary
○ DLL analysis, import your own DLL
○ Patch the render loop, run custom code first
Some dynamic approaches (1/2)
(interact with the software at runtime)
● Using a debugger
○ Set breakpoints on important events
○ Get notified when something happens
○ Manipulate variables
● Using a proxy (in networked games)
○ Intercept & modify game data packets on-the-fly
○ Reverse engineer protocol
● Fuzzing (send random data, see what happens)
Some dynamic approaches (2/2)
(interact with the software at runtime)
● Bots, macros (interact with the user interface)
○ Rebind keys (e.g. shoot with the mouse wheel)
○ Sample pixels / read memory locations
(error prone, the screen must be configured accordingly)
○ Inject / simulate keystrokes, mouse movement
(dedicate a computer to this task alone)
○ Tool support (e.g. AutoHotkey[1])
● Manipulate memory
[1] AutoHotkey, fast scriptable desktop automation with hotkeys, http://www.autohotkey.com/
Example: Map Hack in an RTS game
(i.e. remove the fog of war)
[Figure: the game's memory, shrinking to the relevant region step by step]
Step 0: Acquire the entire game memory.
Step 1: Do everything except discover the map; keep the memory that didn't change.
Step 2: Only discover the map; keep only the data that changed.
Step 3: Repeat.
Step 4: Find the data structure.
Step 5: Understand and manipulate the structure.
Step 4: Find the map
Heat map analysis of a memory region[1]
[Figure: the map as seen in game next to the heat map of the same region in memory]
[1] Kartograph, Elie Bursztein and Jocelyn Lagarenne, Stanford University,
http://www.defcon.org/images/defcon-18/dc-18-presentations/Burszstein-Lagarenne/DEFCON-18-Bursztein-Lagarenne-Kartograph.pdf
Step 5: Understanding & manipulating
● Understand the structure and logic of the data structure
○ Many ways to represent the structure (linked list, array, ...)
○ Additive visibility vs. bitmap visibility
● Manipulate
○ Once vs. continually
○ Spawn a thread that continually rewrites the memory
● Force the game to redraw / re-read the changed memory
○ E.g. change the resolution
Networked games
● The client-server model stops naive game modification
○ Client: “I have gathered 99999999 gold”
○ Server: “Not according to my model! Disconnect!”
● Efficiency vs. security
○ “Never trust the client”
○ Only send the data that is needed
(just-in-time; can lead to lag on slow connections)
○ Send the complete game state
(fast, scales well, but vulnerable to memory manipulation)
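The two slides above (bitmap visibility, and the server that trusts only its own model) can be shown together in one small server-authoritative model. This is an added example, not code from the deck: the gather rule (`GOLD_PER_GATHER`), the 8x8 map and the message shapes are assumptions. The server keeps a bit-packed visibility map per player, applies client *actions* itself, disconnects a client whose reported state disagrees with the model, and compares the just-in-time view (only discovered tiles) with a complete-state snapshot that a memory map hack could read.

```python
"""Server-authoritative networked game state (added example, assumptions noted)."""
from dataclasses import dataclass, field

GOLD_PER_GATHER = 5   # assumed rule: one gather action yields 5 gold
MAP_W, MAP_H = 8, 8   # assumed tiny map; visibility is 1 bit per tile


@dataclass
class Player:
    name: str
    x: int
    y: int
    gold: int = 0
    visible: int = 0        # bitmap visibility: bit (y * MAP_W + x) set = tile discovered
    connected: bool = True


@dataclass
class Unit:
    owner: str
    x: int
    y: int


@dataclass
class Server:
    players: dict = field(default_factory=dict)
    units: list = field(default_factory=list)

    def add_player(self, name, x, y, sight=1):
        p = Player(name, x, y)
        self.players[name] = p
        self.reveal(p, x, y, sight)
        return p

    def reveal(self, p, cx, cy, radius):
        """Set the visibility bits in a square of `radius` around (cx, cy)."""
        for y in range(max(0, cy - radius), min(MAP_H, cy + radius + 1)):
            for x in range(max(0, cx - radius), min(MAP_W, cx + radius + 1)):
                p.visible |= 1 << (y * MAP_W + x)

    def is_visible(self, p, x, y):
        return (p.visible >> (y * MAP_W + x)) & 1 == 1

    def handle(self, name, msg):
        """Process one client message. Clients send actions; the server computes
        the resulting state itself. A client whose reported state disagrees
        with the server's model is disconnected."""
        p = self.players[name]
        if not p.connected:
            return "ignored"
        kind = msg.get("type")
        if kind == "gather":                 # action: the server applies the rule
            p.gold += GOLD_PER_GATHER
            return "ok"
        if kind == "report":                 # client: "I have gathered N gold"
            if msg.get("gold") == p.gold:
                return "ok"
            p.connected = False              # server: "Not according to my model!"
            return "disconnect: not according to my model"
        return "unknown message"

    def snapshot_for(self, name):
        """Just-in-time state: only units on tiles this player has discovered."""
        p = self.players[name]
        return [(u.owner, u.x, u.y) for u in self.units if self.is_visible(p, u.x, u.y)]

    def full_snapshot(self):
        """Complete game state: fast and simple, but once it sits in the
        client's memory a map hack can reveal every unit in it."""
        return [(u.owner, u.x, u.y) for u in self.units]


def demo():
    """Constructed scenario: two players on opposite corners of the map."""
    srv = Server()
    alice = srv.add_player("alice", 1, 1)
    srv.add_player("bob", 6, 6)
    srv.units += [Unit("alice", 1, 1), Unit("bob", 6, 6)]
    srv.handle("alice", {"type": "gather"})
    honest = srv.handle("alice", {"type": "report", "gold": alice.gold})
    jit_view = srv.snapshot_for("alice")     # bob's unit is not discovered, so it is absent
    full_view = srv.full_snapshot()          # bob's unit would be sent to alice's client
    cheat = srv.handle("alice", {"type": "report", "gold": 99999999})
    return alice.gold, honest, jit_view, full_view, cheat, alice.connected


if __name__ == "__main__":
    print(demo())
```

The design point is that `handle` never accepts state from the client, only actions, and `snapshot_for` applies the server's own visibility bitmap before anything is serialised, so there is no hidden unit in the client's memory for a Step 0 to Step 5 search to find. The trade-off the slide names is real: `snapshot_for` must be recomputed for every client on every tick, which is the lag cost of the just-in-time approach.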
Countermeasures
Game developers try to stop cheating / modifications
○ Cheating frustrates players, players leave (money is lost)
○ Arms race between cheaters & devs
Examples:
● Client data file checksums
○ Compare the checksums with the server
○ Circumvented by keeping the files in an “open state” (change the kernel's behaviour)
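The checksum countermeasure above, as an added example that is not code from the deck or from any real anti-cheat: a manifest of SHA-256 digests is built once on the trusted side, and the verifier reports data files that were modified, removed or added compared with that manifest. The file names and contents in `demo()` are constructed for the example.

```python
"""Client data-file integrity check via a hash manifest (added example)."""
import hashlib
import os
import tempfile


def sha256_of(path, chunk=1 << 16):
    """Stream the file through SHA-256 so large game assets are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under `root` (relative path, '/' separators) to its digest.
    Done once on the trusted side and kept where the client cannot edit it."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def verify(root, manifest):
    """Compare the files under `root` with the manifest. Returns the paths that
    were modified, are missing, or are present but unknown to the manifest."""
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    extra = sorted(p for p in current if p not in manifest)
    return {"modified": modified, "missing": missing, "extra": extra}


def demo():
    """Constructed scenario: a clean install, then one file patched, one removed
    and one added. Returns the clean and the tampered verification results."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "maps"))
        with open(os.path.join(root, "maps", "level1.dat"), "wb") as f:
            f.write(b"fog=on;units=12")
        with open(os.path.join(root, "rules.cfg"), "wb") as f:
            f.write(b"gold_per_gather=5")
        manifest = build_manifest(root)
        clean = verify(root, manifest)
        # Simulated tampering: the map file is edited in place, a rule file
        # disappears and an unknown library shows up next to the game data.
        with open(os.path.join(root, "maps", "level1.dat"), "wb") as f:
            f.write(b"fog=off;units=12")
        os.remove(os.path.join(root, "rules.cfg"))
        with open(os.path.join(root, "extra.dll"), "wb") as f:
            f.write(b"not part of the manifest")
        tampered = verify(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

The check is only as strong as the place the comparison happens: if the client computes the digests and merely reports them, a patched client can report whatever the server expects, which is why the slide pairs checksums with a server-side comparison. It also only sees the bytes on disk, not what is actually loaded, which is the gap the “open state” trick exploits.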
Countermeasures
Employ additional anti-cheat software (spyware?!)
○ PunkBuster (EA, Activision, Ubisoft, ...)
■ Memory scanning
■ Status reports
■ Screenshots of the player's screen
■ Check the player's settings, search across all players
■ Hardware bans (the hard-disk ID is banned) [1]
○ Additional attack surface
■ The anti-cheat itself can be the target of exploits
[1] Ban Stats for Battlefield 3, http://www.pbbans.com/mbi-latest50-bf3-lfb41.html
Countermeasures: The Warden
Blizzard's anti-cheat (WoW, SC2, Diablo III, etc.)
“[...] the Warden pokes around into other processes, doing things like reading the window text in the title bar of every window and doing a scan of the code loaded for every process running on your computer (which it then compares against known cheat code). [...] nothing is really stopping the company from doing whatever it wants on a gamer's PC, and it has already crossed the invisible line by poking around outside the game's process area. We don't trust them.” [1]
[1] G. Hoglund and G. McGraw. Exploiting online games: cheating massively distributed systems. 2007.
Countermeasures: The Warden
Blizzard's anti-cheat (WoW, SC2, Diablo III, etc.)
Diablo III EULA[1] (you have to agree to this, or not play):
“Consent to Monitor.
WHEN RUNNING, THE GAME MAY MONITOR YOUR COMPUTER'S RANDOM ACCESS MEMORY (RAM) FOR UNAUTHORIZED THIRD PARTY PROGRAMS RUNNING CONCURRENTLY WITH THE GAME. [...] IN THE EVENT THAT THE GAME DETECTS AN UNAUTHORIZED THIRD PARTY PROGRAM, THE GAME MAY (a) COMMUNICATE INFORMATION BACK TO BLIZZARD, INCLUDING WITHOUT LIMITATION YOUR ACCOUNT NAME, DETAILS ABOUT THE UNAUTHORIZED THIRD PARTY PROGRAM DETECTED, AND THE TIME AND DATE; AND/OR (b) EXERCISE ANY OR ALL OF ITS RIGHTS UNDER THIS AGREEMENT, WITH OR WITHOUT PRIOR NOTICE TO THE USER.”
[1] http://us.blizzard.com/en-us/company/legal/d3_eula.html
Discussion
Keywords: PunkBuster, privacy, heat map visualization, The Warden, Cheat Engine, memory, proxy, countermeasures, Solitaire, bots, macros, binary patching, cheating, morality, arms race, checksums, maphack, hardware bans
References
● Bursztein, E.; Hamburg, M.; Lagarenne, J.; Boneh, D. “OpenConflict: Preventing Real Time Map Hacks in Online Games”. Security and Privacy (SP), 2011 IEEE Symposium on. Available at: http://crypto.stanford.edu/~dabo/pubs/papers/onlinegames.pdf
● G. Hoglund and G. McGraw. Exploiting online games: cheating massively distributed systems. 2007.
● Elie Bursztein, Jocelyn Lagarenne (Stanford University). “Kartograph: Anatomy of a Maphack”. DEF CON 18. Retrieved from https://www.youtube.com/watch?v=mFprkIAeKgM. Slides available at: http://www.defcon.org/images/defcon-18/dc-18-presentations/Burszstein-Lagarenne/DEFCON-18-Bursztein-Lagarenne-Kartograph.pdf
● Bruce Potter, Logan Lodge. “Living with Game Servers”. DEF CON 17. 2009. Retrieved from https://www.youtube.com/watch?v=SooVvF9qO_k
● Loïc Hoguin. “Reverse-Engineering A Proprietary Game Server With Erlang”. EUC 2012. Retrieved from http://ninenines.eu/talks/reverse-engineering/reverse-engineering.html
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive Goal
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
 

In-Flight Memory Patching Games

  • 1. Beat Your Mom At Solitaire. Reverse Engineering of Computer Games. Christoph Matthies, Lukas Pirl, @chrisma0, May 2014
  • 2. Beat your mom at Solitaire
  • 3. Beat your mom at Solitaire, by cheating :(
  • 4. Beat your friends at Minesweeper
  • 5. How it’s done: in-flight memory patching[1] (view the game as a bunch of memory, change the important bits at runtime)
    Benefits:
    ○ Generic (i.e. programming language and framework agnostic)
    ○ Fast (usually faster results than binary analysis)
    ○ Invisible (unless the game checks for external programs)
    ○ Good tool support (Cheat Engine[2] is popular)
    [1] Elie Bursztein, Defcon 18, Kartograph: Finding a Needle in a Haystack or How to Apply Reverse Engineering Techniques to Games
    [2] www.cheatengine.org
  • 6. How it’s done: in-flight memory patching[1] (view the game as a bunch of memory, change the important bits at runtime)
    Drawbacks:
    ○ Needle in a haystack (one 4-byte value in 50 MB of memory)
    ○ No control over the algorithm (you need to trigger the algorithm to do something; not as reliable as patching the binary)
    [1] Elie Bursztein, Defcon 18, Kartograph: Finding a Needle in a Haystack or How to Apply Reverse Engineering Techniques to Games
  • 7. Reasons to reverse engineer games
    ● Money (the market is huge: in 2013, $15.39 B was spent on games in the USA[1])
    ○ Build better bots to farm gold
    ○ Sell bots / exploits / cheats[2]
    ● Progress faster through the game (20 hours of fishing?)
    ● Curiosity, learning, researching the game
    ● Port old, abandoned games to a new platform[3]
    ● Build your own server
    ○ Because the official server is discontinued
    [1] Entertainment Software Association, Essential Facts 2014, http://www.theesa.com/facts/pdfs/ESA_EF_2014.pdf, 2014
    [2] Exploits for games protected by PunkBuster, http://pansemuckl.netcoders.cc/
    [3] OpenRA, a libre/free real-time strategy game engine supporting early Westwood classics, http://openra.res0l.net/
  • 8. Methods to RE games: some static approaches (interact with the binary file)
    ● Disassemble (but games are huge these days)
    ○ Find vulnerabilities
    ○ Understand data structures, to pinpoint them in memory
    ○ Find the future
    ■ Understand the pseudo-random number generator (PRNG)
    ● Patch the binary
    ○ DLL analysis, import your own DLL
    ○ Patch the render loop, run custom code first
  • 9. Methods to RE games: some dynamic approaches (1/2) (interact with the software at runtime)
    ● Using a debugger
    ○ Set breakpoints on important events
    ○ Get notified when something happens
    ○ Manipulate variables
    ● Using a proxy (in networked games)
    ○ Intercept and modify game data packets on the fly
    ○ Reverse engineer the protocol
    ● Fuzzing (send random data, see what happens)
  • 10. Methods to RE games: some dynamic approaches (2/2) (interact with the software at runtime)
    ● Bots, macros (interact with the user interface)
    ○ Rebind keys (e.g. shoot with the mouse wheel)
    ○ Sample pixels / read memory locations (error prone, the screen must be configured)
    ○ Inject / simulate keystrokes and mouse movement (dedicate a computer to this task alone)
    ○ Tool support (e.g. AutoHotkey[1])
    ● Manipulate memory
    [1] AutoHotkey, fast scriptable desktop automation with hotkeys, http://www.autohotkey.com/
  • 11.–16. Example: Map Hack in an RTS game (i.e. remove the fog of war) (figure: game memory)
    Step 0: Acquire the entire game memory.
    Step 1: Do everything but discover the map; keep the memory that didn’t change.
    Step 2: Only discover the map; keep only the data that changed.
    Step 3: Repeat.
    Step 4: Find the data structure.
    Step 5: Understand and manipulate the structure.
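Steps 0 to 5 above, run as a simulation. This is an added example, not code from the talk or from Kartograph: ToyGame, its byte layout, the constants and the write counts are all constructed so the search can be followed offline on a 4 KB buffer, and the searcher uses nothing but snapshots, which is the situation the slides describe. The point for a reader is why a handful of rounds is enough (every action that is not discovery removes candidates, every discovery adds some, and contiguity separates the map from leftover noise), which is the problem the OpenConflict paper in the references addresses on the server side.

```python
"""Simulation of the snapshot-diff search from slides 11-17.

Added example, not code from the talk. ToyGame is a constructed stand-in for a
game process: one bytearray holding an 8x8 fog-of-war bitmap (one byte per
tile, 0 hidden / 1 seen) at a secret offset, surrounded by other state that
churns on every action. The searcher sees only snapshots and applies the
slides' steps: act without discovering and exclude what changed (step 1),
discover and mark what changed (step 2), repeat (step 3), then find the dense
cluster of marked offsets (step 4, the heat-map idea) and read it (step 5).
"""
import random

MEM_SIZE = 4096           # constructed: a toy "process" instead of 50 MB
MAP_TILES = 64            # constructed: 8x8 map, one visibility byte per tile
TILES_PER_DISCOVERY = 4   # constructed: tiles revealed per discover action


class ToyGame:
    """Constructed game; the searcher never reads map_offset, only snapshots."""

    def __init__(self, seed=7):
        self.rng = random.Random(seed)
        self.mem = bytearray(self.rng.randrange(256) for _ in range(MEM_SIZE))
        self.map_offset = self.rng.randrange(0, MEM_SIZE - MAP_TILES)
        self.mem[self.map_offset:self.map_offset + MAP_TILES] = bytes(MAP_TILES)
        self.seen_tiles = 0

    def _churn(self, writes):
        # Units move, timers tick, resources change: random non-map bytes are rewritten.
        for _ in range(writes):
            off = self.rng.randrange(MEM_SIZE)
            if not self.map_offset <= off < self.map_offset + MAP_TILES:
                self.mem[off] = self.rng.randrange(256)

    def do_everything_but_discover(self):
        self._churn(1500)

    def discover(self):
        # Reveal a few more tiles; background churn continues meanwhile.
        for _ in range(TILES_PER_DISCOVERY):
            if self.seen_tiles < MAP_TILES:
                self.mem[self.map_offset + self.seen_tiles] = 1
                self.seen_tiles += 1
        self._churn(60)

    def snapshot(self):
        return bytes(self.mem)


def changed(before, after):
    """Offsets whose byte differs between two snapshots."""
    return {i for i in range(len(before)) if before[i] != after[i]}


def narrow(game, rounds=6):
    """Steps 0-3: offsets that changed on discovery but never changed without it."""
    hot, excluded = set(), set()
    before = game.snapshot()                    # step 0: acquire everything
    for _ in range(rounds):
        game.do_everything_but_discover()       # step 1
        after = game.snapshot()
        excluded |= changed(before, after)      # changed without discovery: not the map
        before = after
        game.discover()                         # step 2
        after = game.snapshot()
        hot |= changed(before, after)           # changed with discovery: candidate
        before = after                          # step 3: repeat
    return hot - excluded


def locate(hot, width=MAP_TILES):
    """Step 4: densest window of candidates; map bytes are contiguous, noise is scattered."""
    best_start, best_score = 0, -1
    for start in range(MEM_SIZE - width + 1):
        score = sum(1 for o in hot if start <= o < start + width)
        if score > best_score:
            best_start, best_score = start, score
    return best_start, best_score


def run(seed=7, rounds=6):
    """Whole procedure on one constructed game; returns the figures worth checking."""
    game = ToyGame(seed)
    hot = narrow(game, rounds)
    start, score = locate(hot)
    # Step 5: read the located structure; candidates holding 1 show bitmap visibility.
    ones = sum(1 for o in hot if start <= o < start + MAP_TILES and game.mem[o] == 1)
    return {"map_offset": game.map_offset, "seen_tiles": game.seen_tiles,
            "candidates": len(hot), "window_start": start,
            "window_score": score, "window_ones": ones, "hot": hot}


if __name__ == "__main__":
    r = run()
    print(f"true map offset {r['map_offset']}, {r['candidates']} candidates left of {MEM_SIZE}")
    print(f"densest window starts at {r['window_start']}: {r['window_score']} hits, "
          f"{r['window_ones']} of them hold the value 1")
```

The assertions that matter are structural rather than seed-specific: after six rounds the candidate set is a small fraction of the buffer, every revealed tile is still a candidate, and the densest 64-byte window covers all of them.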
  • 17. Step 4: Find the map. Heat map analysis of the memory region[1] (figure: in game / in memory)
    [1] Kartograph, Elie Bursztein and Jocelyn Lagarenne, Stanford University, http://www.defcon.org/images/defcon-18/dc-18-presentations/Burszstein-Lagarenne/DEFCON-18-Bursztein-Lagarenne-Kartograph.pdf
  • 18. Step 5: Understanding and manipulating
    ● Understand the structure and logic of the data structure
    ○ Many ways to represent the structure (linked list, array, ...)
    ○ Additive visibility vs. bitmap visibility
    ● Manipulate
    ○ Once vs. continually
    ○ Spawn a thread to continually rewrite memory
    ● Force the game to redraw / read the changed memory
    ○ E.g. change the resolution
  • 19. Networked games
    ● The client-server model stops naive game modification
    ○ Client: “I have gathered 99999999 gold”
    ○ Server: “Not according to my model! Disconnect!”
    ● Efficiency vs. security
    ○ “Never trust the client”
    ○ Only send the data that is needed (just-in-time; can lead to lag on slow connections)
    ○ Send the complete game state (fast, scales well, vulnerable to memory manipulation)
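The exchange on slide 19 (client claims gold, server checks its own model), as an added example that is not from the talk: a trusting server next to an authoritative one, driven by a constructed two-message protocol (gather, report) with constructed node yields. Only the authoritative server's model decides how much gold a player has; the client's report is compared against it, never adopted.

```python
"""'Never trust the client' (slide 19), as a constructed example not from the talk.

Two servers handle the same session. TrustingServer adopts whatever state the
client reports; AuthoritativeServer keeps its own model, computes the result
of every action itself, and treats a report that disagrees with the model as
a reason to disconnect. Message types, node names and yields are assumptions.
"""

NODE_YIELD = {"copper": 3, "silver": 8}   # constructed: gold earned per gather action


class AuthoritativeServer:
    def __init__(self):
        self.gold = {}       # the server's model: player -> gold
        self.events = []     # what an operator would see in the anti-cheat log

    def connect(self, player):
        self.gold[player] = 0

    def handle(self, player, msg):
        """Apply one client message; returns 'ok' or 'disconnect'."""
        kind = msg.get("type")
        if kind == "gather":
            node = msg.get("node")
            if node not in NODE_YIELD:
                self.events.append(f"{player}: gather at unknown node {node!r}")
                return "disconnect"
            self.gold[player] += NODE_YIELD[node]   # the server computes the yield
            return "ok"
        if kind == "report":
            claimed = msg.get("gold")
            if claimed != self.gold[player]:          # compared, never adopted
                self.events.append(
                    f"{player}: claims {claimed} gold, model says {self.gold[player]}")
                return "disconnect"
            return "ok"
        self.events.append(f"{player}: unknown message type {kind!r}")
        return "disconnect"


class TrustingServer(AuthoritativeServer):
    """What 'naive' looks like: the client's report overwrites the server's model."""

    def handle(self, player, msg):
        if msg.get("type") == "report":
            self.gold[player] = msg.get("gold")
            return "ok"
        return super().handle(player, msg)


def demo():
    """Constructed session: two legitimate gathers, one honest report, one inflated report."""
    session = [{"type": "gather", "node": "copper"},
               {"type": "gather", "node": "silver"},
               {"type": "report", "gold": 11},
               {"type": "report", "gold": 99999999}]
    strict, trusting = AuthoritativeServer(), TrustingServer()
    strict.connect("mom")
    trusting.connect("mom")
    results = [strict.handle("mom", m) for m in session]
    for m in session:
        trusting.handle("mom", m)
    return results, strict.gold["mom"], strict.events, trusting.gold["mom"]


if __name__ == "__main__":
    results, strict_gold, events, trusting_gold = demo()
    print("authoritative:", results, "gold =", strict_gold, events)
    print("trusting: gold =", trusting_gold)
```

Note the two ways the authoritative server never depends on the client: the yield of an action comes from the server's table, and a reported value can only confirm or contradict the model. A real server would also drop the connection after the first "disconnect"; the demo keeps going so both outcomes are visible.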
  • 20. Countermeasures. Game developers try to stop cheating / modifications
    ○ It frustrates players, players leave (money is lost)
    ○ Arms race between cheaters and devs
    Examples:
    ● Client data file checksums
    ○ Compare checksums with the server
    ○ Bypass: keep the files in an “open state” (change kernel behavior to circumvent the check)
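The first countermeasure on this slide, client data file checksums compared with the server, as an added example that is not code from the talk; the file names and contents are constructed and SHA-256 is an assumed choice of hash. What the check can and cannot guarantee is the caveat worth keeping in mind: it covers exactly the bytes the verifier reads, which is why the slide's "open state" bypass works when the bytes the game actually loads differ from the bytes the checker hashes.

```python
"""Client data file checksums vs. a server manifest (slide 20), added example.

Constructed files stand in for the publisher's pristine data; the server keeps
one SHA-256 per file and the client side reports every deviation. Names,
contents and the hash function are assumptions for the demo.
"""
import hashlib

# Constructed pristine data files as shipped by the publisher.
PRISTINE = {
    "units.dat": b"knight:hp=100,atk=12\narcher:hp=60,atk=9\n",
    "map01.dat": bytes(64),                     # fog-of-war table, all tiles hidden
    "textures.pak": b"PAK\x00" + bytes(range(64)),
}


def build_manifest(files):
    """Server side: one hex digest per pristine file."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def verify_client(client_files, manifest):
    """Compare the client's files with the manifest; returns (kind, name) per deviation."""
    findings = []
    for name, expected in manifest.items():
        data = client_files.get(name)
        if data is None:
            findings.append(("missing", name))
        elif hashlib.sha256(data).hexdigest() != expected:
            findings.append(("modified", name))
    for name in client_files:
        if name not in manifest:
            findings.append(("unexpected", name))
    return sorted(findings)


def demo():
    """Clean client vs. a client with one byte changed, one file removed, one file added."""
    manifest = build_manifest(PRISTINE)
    tampered = dict(PRISTINE)
    tampered["map01.dat"] = PRISTINE["map01.dat"][:-1] + b"\x01"   # one byte changed
    tampered["overlay.dat"] = b"not shipped by the publisher"      # file added
    del tampered["units.dat"]                                       # file removed
    return verify_client(PRISTINE, manifest), verify_client(tampered, manifest)


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean client:", clean)
    print("tampered client:", tampered)
```

The manifest is what the server holds, so the comparison itself should happen server-side on digests the client sends; a client that computes the verdict locally can simply report "all good", which is the trust problem of slide 19 again.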
  • 21. Countermeasures. Employ additional anti-cheat software (spyware?!)
    ○ PunkBuster (EA, Activision, Ubisoft, ...)
    ■ Memory scanning
    ■ Status reports
    ■ Screenshots of the player’s screen
    ■ Check the player’s settings, search across all players
    ■ Hardware bans (the hard disk id is banned)[1]
    ○ Additional attack surface
    ■ The anti-cheat itself can be the target of exploits
    [1] Ban stats for Battlefield 3, http://www.pbbans.com/mbi-latest50-bf3-lfb41.html
  • 22. Countermeasures: The Warden, Blizzard’s anti-cheat (WoW, SC2, Diablo III, etc.)
    “[...] the Warden pokes around into other processes, doing things like reading the window text in the title bar of every window and doing a scan of the code loaded for every process running on your computer (which it then compares against known cheat code). [...] nothing is really stopping the company from doing whatever it wants on a gamer's PC, and it has already crossed the invisible line by poking around outside the game's process area. We don't trust them.”[1]
    [1] G. Hoglund and G. McGraw. Exploiting Online Games: Cheating Massively Distributed Systems. 2007.
  • 23. Countermeasures: The Warden, Blizzard’s anti-cheat (WoW, SC2, Diablo III, etc.). Diablo III EULA[1]: you have to agree to this (or not play)
    “Consent to Monitor. WHEN RUNNING, THE GAME MAY MONITOR YOUR COMPUTER'S RANDOM ACCESS MEMORY (RAM) FOR UNAUTHORIZED THIRD PARTY PROGRAMS RUNNING CONCURRENTLY WITH THE GAME. [...] IN THE EVENT THAT THE GAME DETECTS AN UNAUTHORIZED THIRD PARTY PROGRAM, THE GAME MAY (a) COMMUNICATE INFORMATION BACK TO BLIZZARD, INCLUDING WITHOUT LIMITATION YOUR ACCOUNT NAME, DETAILS ABOUT THE UNAUTHORIZED THIRD PARTY PROGRAM DETECTED, AND THE TIME AND DATE; AND/OR (b) EXERCISE ANY OR ALL OF ITS RIGHTS UNDER THIS AGREEMENT, WITH OR WITHOUT PRIOR NOTICE TO THE USER.”
    [1] http://us.blizzard.com/en-us/company/legal/d3_eula.html
  • 24. Discussion (word cloud): PunkBuster, Privacy, Heat map visualization, The Warden, Cheat Engine, Memory, Proxy, Countermeasures, Solitaire, Bots, Macros, Binary patching, Cheating, Morality, Arms race, Checksums, Maphack, Hardware bans
  • 25. References
    ● Bursztein, E.; Hamburg, M.; Lagarenne, J.; Boneh, D. “OpenConflict: Preventing Real Time Map Hacks in Online Games”. Security and Privacy (SP), 2011 IEEE Symposium on. Available at: http://crypto.stanford.edu/~dabo/pubs/papers/onlinegames.pdf
    ● G. Hoglund and G. McGraw. Exploiting Online Games: Cheating Massively Distributed Systems. 2007.
    ● Elie Bursztein, Jocelyn Lagarenne. Stanford University. “Kartograph: Anatomy of a Maphack”. Defcon 18. Retrieved from https://www.youtube.com/watch?v=mFprkIAeKgM. Slides available at: http://www.defcon.org/images/defcon-18/dc-18-presentations/Burszstein-Lagarenne/DEFCON-18-Bursztein-Lagarenne-Kartograph.pdf
    ● Bruce Potter, Logan Lodge. “Living with Game Servers”. DEFCON 17. 2009. Retrieved from https://www.youtube.com/watch?v=SooVvF9qO_k
    ● Loïc Hoguin. “Reverse-Engineering A Proprietary Game Server With Erlang”. EUC 2012. Retrieved from http://ninenines.eu/talks/reverse-engineering/reverse-engineering.html