Conference DEFCON 19. Break open MMORPG for fun and profit. Part 2
Conference DEFCON 19. Break open MMORPG for fun and profit. Part 1
Josh Phillips: as we said, all hacks are pretty simple, and their use sometimes does not require any skills, just a creative approach to business. To use “superpower” you don’t have to be a reverse engineering god, but it definitely helps things like integer overflow or underfilling, and you can easily change the values from 0 to maximum, for example, to cause deadly damage to the enemy.
Mike Donnelly: Yes, it all comes down to the ability to make hacks, for example, maximize your armor. This happens in World of Warcraft - we had a boy who, sitting in the Orcish capital Orgrimmar, took off and put on his helmet 100 times, pumping his strength from 2 to 32 levels.
Josh Phillips: did it really happen, or maybe he just used a memory editor and made a screenshot?
Mike Donnelly: you may be right!
Josh Phillips: my favorite mode is GM Mode. Some companies produce games with the open possibility of reverse engineering, so that you, having become GM's “owner of the game,” can teleport to people, destroy things, give commands and do other interesting things. There is such an interesting hack, the theft of items from non-player NPC characters. Age of Conan was one of the first to have a vulnerability that could kill a GM, and I don’t think its developers are happy.
Mike Donnelly: Is the vulnerability the ability to replace key player IDs?
Josh Phillips: Well, yes, like what you said to the server: "I am a game master and am going to die now."
Mike Donnelly: Sometimes the game server believes you when you say that you are another game character, saying, “I’m so-and-so and selling it!”
Josh Phillips: I have already said that game developers are naive people. Hacking the UI Hack is less valuable. It is useful if you want to see the gaming space very far or rush over the map of the terrain, like a ghost, while remaining in place.
Mike Donnelly: you can still use such a thing as a “wild” translation of the language, which is why, for example, Alliance players will no longer understand Ward players. Here, hacking occurs on the client side so that during the dialogue, the text of the enemy, sent to the player, simply will not be displayed. This is pretty easy to do, but I doubt that anyone will pay for this kind of hacking.
Josh Phillips: The next section of the presentation is called: “I'm at your base, guys, to kill you!” I will try to explain to you how to write a teleport hack. For this there is an easy way and a difficult way.
The easy way is to find the player’s position in the memory, rewrite it and call the game function responsible for changing the player’s location to teleport to the selected location. So, if you know where the code for the player’s location is located, and you can call him directly using some function, it could be a teleportation spell, which in Lua is called “cast spell”, then you can give it the desired value player teleportation sites. In this case, the server will not be able to recognize whether you are an ordinary warrior or a magician who can use spells. This method works in many games.
The hard way is faking motion packages. This will require mathematical calculations and knowledge of how they are updated, reverse engineering of motion packages, and the like. You may need to adjust the timestamp to teleport or run faster.
The next hack is the attacks of the game logic by replacing the original ID in the package with the desired ID, which we mentioned in the context of Age of Conan. These are attacks on the player’s trading skills, critical damage or the complete destruction of Fall damagé of both characters and game items, as well as attacks by NPC merchants for the purpose of robbery. In Age of Conan, it was possible to inflict critical damage to any character in the game, and even kill GM, assigning him a million Fall damagé, after which he simply died.
Mike Donnelly: yes it was fun!
Josh Phillips: in this game you could also use malicious code, so that someone entered into a trade relationship with you, even without knowing it. You could force the NPC to sell you something, and this technique is still used by many players other than me, because I do not like to steal from computer characters. And I don't think any of you should do that.
Mike Donnelly: it causes digital tears ...
Josh Phillips: followed by dupes, or cloning of objects. Many games have vulnerabilities such as server delimitation problems. For example, Age of Conan, EverQuest, Final Fantasy XII and Ultima Online have zoning, that is, if you cast a spell on one side and then cross the server line, you find an opponent who defeated you and can continue the battle. The method of repetition hack is that you move things there at a tremendous speed, for example 1000 times per second, back from the trade window to your backpack. As a result, the server stops tracking things, and they completely fill your backpack. Everyone knows the game Diablo 1, where you just drop an object on the ground, run up to it, hover over it, try to pick it up, and it immediately appears in your backpack, while remaining on the ground, so this is a rather funny way of hacking.
Hacking game resources, or Asset hacking, as I mentioned, is not worth it, unless someone else has published his work for you that you can borrow. Those who played WoW know that someone can magically appear on your side - I don’t know how it is properly called ...
Mike Donnelly: battleground, battlefield.
Josh Phillips: Actually, I have never played World of Warcraft, for me it's too boring. So, players use teleportation to instantly transfer from the battlefield to the enemy base and kill all opponents there. They can also modify the game map and create a tunnel to run underground in the desired area so that no one will see. You may see his tiny name - a tag that moves around the map, but you will not see the player himself. But in any case, these methods of hacking are not worth the effort.
The section "Hacking Games 420" I will start with a quote by Machiavelli: "Nothing great has ever been achieved without danger," so you can even be sued.
Mike Donnelly: Yes, yes, yes.
Josh Phillips: I think this is true. You can use a bot in the game, someone spoke about such a couple of years ago about this, and I wanted to hit it, because it was not quite interesting. So, for this you do something like reading pixels and automate this process, there is no reverse engineering here. For example, with one quick keystroke you redraw the “red” critical points of your own damage so that they do not turn red and you don’t die. This is a very limited hack, and your actions will go unnoticed if you act very quickly.
Mike Donnelly: That's right, you need to act very quickly. Does anyone know why detection works so badly? Understand me correctly, I don’t want to embellish the discovery position on the client side, everyone here seems to be very wise ... Obviously, game manufacturers don’t like everything we are talking about, so they try to detect your software in the game, and if they find it banned you If you cheat for fun, then the maximum that you can lose is your own game account, but if you have 100 thousand clients, this is a big problem, because if all your clients are banned, you will simply go bust.
Therefore, preventing detection of cheating is very important. We'll talk about this later, but now I want to note that finding your software on the client side is very important.
Josh Phillips: Have any of you thought about why a wave of bans rolls about once every 3 months? The fact is that when you ban 50 thousand accounts every week, people who re-tie these 50 thousand accounts will never do it again because of the high cost of living. But if you ban them no more than once every 3 or 4 months, they will re-buy the accounts, as this will be profitable. Companies think something like this: we found these guys who use, say, the Glider bot, but we are not going to ban them, because if we ban them too often, they will bring us no more than 50 dollars of profit.
Mike Donnelly: Yes, that's true.
Josh Phillips: Another way to hack is to inject code when you insert a small assembler code to make some trifle, such as a remote call to some RPC procedure. With this, the surface of your attack can increase, I mean, that you can really use something like a DLL injection in a large piece of code written in high level C or C ++, which is really easy to detect. You are writing a DLL loader that fixes all your imports and all that.
You can attack the network packet layer and do such a good thing as reverse engineering the network protocol. This is very laborious work, because there are not too many games that allow the analysis of this kind of content. This is still not an easy task, and if you consider yourself a pro, you can write your own game client. People often think that they can do it and spend a lot of time in vain, but if you are really able to write a good client, like those guys who destroyed me a couple of months ago, you can earn a couple of hundred thousand a month.
Mike Donnelly: writing a user client is not something you are going to sell, but “golden farming” and real money transactions. If you have written your game client, you can ask your partner to launch ten million copies of the game on the farming server. If your game client does not require performing a large number of 3D rendering operations, you can use its excellent functionality to scale the gold farming.
Josh Phillips: if usually you can run 2-3 gaming clients on a computer, and you were able to launch 200-300 clients, this will be a fairly large scale.
Now consider the thing called “anti-anti-cheat”. It can be used to deal with software that calculates and bans cheaters. This is often a very difficult task, but sometimes it is very important not to be discovered, otherwise you can lose everything. On the slide, I quote one more quote from Sun Tzu, who said: “Be extremely subtle, even formless. Be extremely mysterious down to silence. "
Mike Donnelly: I want to note that there are not many technical aspects of detection, but you need to approach this strategically, this is not in the book MMO Hacking. Probably, there is such a book?
Josh Phillips: Yes, one of my friends wrote it.
Mike Donnelly: This guy is eliminated first. So, like this is not in the book, but if we talk about a strategic approach to business, then you should worry about two main things regarding your software. You have an attack surface that determines how hard it will be to detect your software, and anti-cheat in this case can simply increase the detection code if it is small. Secondly, you should have what I simply call “intelligence”, that is, how well you are aware of what the enemy is doing, you must understand how his detection programs work, because this is very important. Both of these things work together, and if the attack surface is too large, it will be difficult to say what the enemy is doing in response, because his efforts may be minimal - just write one line of code that will detect your bot. If you do something really cool, like my bot, which will respond within 2 milliseconds, if the monster does something, you can avoid detection.
So this is a decision that you have to make when choosing functions and developing what your customers are asking for. You must decide whether you want to risk increasing the attack surface by adding such functions.
Before showing the next slide, I want to talk about what happened to me and other software developers of World of Warcraft. One guy developed the software, let's call it Innerspace, which worked by injecting dll into a fairly large game. This guy is well versed in reverse engineering, so he took all measures against the detection of Blizzard programs. But he still left the dll in memory, which he wanted to "confuse", and more importantly, he had to patch one of the functions of Blizzard. Therefore, he simply went to the beginning of this function and inserted the “far jump” in the right place of the code, being sure that he was sufficiently disguised and no one would find it.
The next slide shows the function with the inserted code, pay attention to the values highlighted in red, we will enlarge this fragment so that everyone can see.
This is a piece of code inserted inside the game, but this is not World of Warcraft ...
Josh Phillips: because Mike is chasing Blizzard ...
Mike Donnelly: I just think that giving an example from WoW would not be a good idea. In this code snippet, you can see that the game uses the query for the friends list askForBuddiesList, which has an optional parameter that has never been used before. It is perceived as a package number, or a team number, or a BOB number - “Brothers Over Bitches”. This optional parameter is “pasted” in this place of the code and sent to the server, everything is very simple.
So, this “pasted-in” code - let's scroll a couple of lines down to the comments - says: the old code was askForBuddiesList (0), it is 0, and instead it is now using the new code with the _asm option parameter that has never been used before.
So, Blizzard is going to find in the game code a function corrected by this guy. To do this, they changed this function call to a small sample code. They used registers, performed some mathematical calculations, so that IDA would not see another reference to this function. Then they go to the fixed function, pull out the first byte of their code and send it as a parameter that has never been used before. What happens then? They send one byte of their own code every time they make this request, and, of course, on the server side, they just “read” it, and if they find E9 instead of zero, it’s ready, it's done!
What is interesting about this software is that here you don’t see anything like "if this guy is a bot, tell the server about this." You just see that I take this byte and send it, and this is a tiny piece of code that does not even change the basic network code, there are no new parameters, nothing new. The only way to find it is to somehow observe how this data is collected, and then you can say: “Aha, this thing is always 0, and now it is 9, it’s not good”!
So, when they did this, this guy lost all of his clients, because they waited a few weeks until they were banned, and then the company struck again and again.
This is a good example of how much the attack surface means, because fixing just one function of the game led to such retaliatory measures. The fact is that if you think you know where the detection code is, there is always a chance that this is not the way you think. In the case of Blizzard, they never placed their detection code outside the “caretaker” Warden, they “kept all their eggs in one basket”, hiding the detectors in the “caretaker”. But then they got smarter and said that we will simply place our tiny code wherever we want and that's all.
It is therefore extremely important to remain difficult to detect. If they had come up with something like a new kernel call, or started a private API monitor, their activity could be detected, but when they made just one tiny step, you would immediately fall. Therefore, it is very important to observe what they are doing and how they are creating new tools to monitor how the data flows in the system should look.
As for Glyder, we had tools that warned us, for example, that Warden was updated and now has 9 entry points instead of 8, and after such a warning, I ran to my office and started feverishly fixing Glyder, brought it to order and run again. So there is always a way out, the main thing is not to be lazy. In this case, really a lot of work, but it pays off.
Josh Phillips: Yes, I think we both had to work 36 hours without a break.
Mike Donnelly: when Blizzard updated the "caretaker", they added a new scanner to it. This scanner takes a string that is encrypted inside the "caretaker", receives the server key, decrypts this string and calls the GetProcAddress function, which retrieves the address of the exported function from the specified dynamic-link library, in this case kernel32.dll. If I tired you, do not worry, then it will be more fun.
Thus, they take a string, whatever it is, and if it is regulated by this function, then GetProcAddress is applied to it without any parameters. Таким образом, если я ищу этот код и игра закрыта для патча, то я не смогу его найти, потому что у меня нет ключа и я не вижу, что он собирается расшифровать. То есть я вижу функцию, которая предназначена для вызова чего-то из kernel32.dll без всяких параметров, и не понимаю, в чём здесь смысл.
Итак, я смотрю на этот код несколько часов и ничего не могу понять, после чего решаю поговорить с одним умным парнем, Майком, который занимался Hellgate: London. Мы опять не можем ничего понять и решаем просто поднять эту тему, вставляем в код точки останова и запускаем игру, и они отправляют нам ключ! Майк говорит: «это же ключ! Давай посмотрим, что это за строка»!
Мы её расшифровываем, и выясняется, что это URL — адрес видео на YouTube! То есть они пропускают этот адрес через GetProcAddress, ProcAddress говорит, что ничего не происходит, я же, получив его, будто бы вставляю этот адрес в свой браузер, так что они просто троллят меня рекламным роликом! Не знаю, как много людей они поймали на эту удочку. Так что это было эпично, они действительно хорошо это проделали. Вот и всё, о чём я хотел рассказать, это действительно был самый эпичный ricroll, которой я когда-либо видел!
Джош Филлипс: у нас осталось мало времени, так что я постараюсь говорить побыстрей. Итак, преодолеть анти-читы с клиентской стороны можно с помощью запутывания следов, проверки памяти, обнаружения отладчика, обнаружения детектора dll и распаковки. Если вы достаточно умны, то можете заняться майнингом данных на стороне сервера. Для этого некоторые аналитики и Blizzard кинули нам действительно большую кость, типа «эй, чувак, вот как я обнаруживаю людей – я просто пишу несколько случайных запросов, а затем прихожу на следующее утро и отправляю этих людей в бан».
Также существуют вещи, которые можно использовать и на стороне клиента, и на стороне сервера, в основном это методы command & control с использованием сети ботнет, которые борются со «смотрителем» Warden и античитом Punkbaster. В данном случае вы посылаете свой игровой клиент десяти миллионам игроков WoW, это кусок кода, который исполняется на их компьютерах.
Майк Доннелли: это как ботнет и вредоносное программное обеспечение для обнаружения ботов.
Джош Филлипс: да, это довольно забавно. Punkbaster в основном ищет строки, чтобы забанить людей, я имею ввиду строки или двоичные данные в игровом клиенте пользователя. В большинстве случаев это строки типа window.name, которые обнаруживает Punkbaster. Смысл этих строк примерно такой: «эй, мне не нравится этот клан, он всегда надирает мне задницу, поэтому я собираюсь войти в их IRC канал и отправить несколько строк всем членам этого клана, а потом вернуться в игру и посмотреть, как всех их забанят за читерство».
Естественно, Punkbaster скажет: «нет-нет, это работает совсем не так!», но в действительности это работает именно таким образом.
Итак, мы дошли до защиты докторской диссертации на тему продвинутого взлома игр. Это очень глубокий колодец, в который могут утечь все ваши деньги, если вы не являетесь экспертом в этой области. Продвинутый взлом включает в себя работу с обновлениями игр и полную автоматизацию игрового процесса. У нас осталось меньше двух минут, так что мы пропустим немного слайдов.
Майк Доннелли: хочу упомянуть одну вещь, которую разработчики представили на прошлой неделе, это аукционный дом Diablo 3.
Прошу обратить ваше внимание на новинку, которая там появилась – вы видите значок доллара перед цифрами? Теперь Blizzard разрешает вам продавать игровые вещи за реальные деньги. Так что теперь вы можете подключать платежные системы напрямую к своему игровому аккаунту Blizzard и продавать золото или покупать золото. Конечно, вы не сможете конкурировать со мной, потому что я «сделал» Blizzard, но это всё равно очень интересно.
Джош Филлипс: да, это действительно интересно. Я бы хотел поблагодарить всех наших друзей из Польши, Германии, Новой Зеландии и Австралии, которые не смогли присутствовать здесь по причине дороговизны авиаперелёта.
Майк Доннелли: думаю, их арестуют в любом случае…
Джош Филлипс: надеюсь, у нас осталось ещё немного времени, так что перейдём в комнату вопросов и ответов и продолжим наше общение.
Майк Доннелли: Благодарим за внимание, DefCon!
Спасибо, что остаётесь с нами. Вам нравятся наши статьи? Хотите видеть больше интересных материалов? Поддержите нас оформив заказ или порекомендовав знакомым, 30% скидка для пользователей Хабра на уникальный аналог entry-level серверов, который был придуман нами для Вас: Вся правда о VPS (KVM) E5-2650 v4 (6 Cores) 10GB DDR4 240GB SSD 1Gbps от $20 или как правильно делить сервер? (доступны варианты с RAID1 и RAID10, до 24 ядер и до 40GB DDR4).
VPS (KVM) E5-2650 v4 (6 Cores) 10GB DDR4 240GB SSD 1Gbps до весны бесплатно при оплате на срок от полугода, заказать можно тут .
Dell R730xd в 2 раза дешевле? Только у нас 2 х Intel Dodeca-Core Xeon E5-2650v4 128GB DDR4 6x480GB SSD 1Gbps 100 ТВ от $249 в Нидерландах и США! Читайте о том Как построить инфраструктуру корп. класса c применением серверов Dell R730xd Е5-2650 v4 стоимостью 9000 евро за копейки?
Josh Phillips: as we said, all hacks are pretty simple, and their use sometimes does not require any skills, just a creative approach to business. To use “superpower” you don’t have to be a reverse engineering god, but it definitely helps things like integer overflow or underfilling, and you can easily change the values from 0 to maximum, for example, to cause deadly damage to the enemy.
Mike Donnelly: Yes, it all comes down to the ability to make hacks, for example, maximize your armor. This happens in World of Warcraft - we had a boy who, sitting in the Orcish capital Orgrimmar, took off and put on his helmet 100 times, pumping his strength from 2 to 32 levels.
Josh Phillips: did it really happen, or maybe he just used a memory editor and made a screenshot?
Mike Donnelly: you may be right!
Josh Phillips: my favorite mode is GM Mode. Some companies produce games with the open possibility of reverse engineering, so that you, having become GM's “owner of the game,” can teleport to people, destroy things, give commands and do other interesting things. There is such an interesting hack, the theft of items from non-player NPC characters. Age of Conan was one of the first to have a vulnerability that could kill a GM, and I don’t think its developers are happy.
Mike Donnelly: Is the vulnerability the ability to replace key player IDs?
Josh Phillips: Well, yes, like what you said to the server: "I am a game master and am going to die now."
Mike Donnelly: Sometimes the game server believes you when you say that you are another game character, saying, “I’m so-and-so and selling it!”
Josh Phillips: I have already said that game developers are naive people. Hacking the UI Hack is less valuable. It is useful if you want to see the gaming space very far or rush over the map of the terrain, like a ghost, while remaining in place.
Mike Donnelly: you can still use such a thing as a “wild” translation of the language, which is why, for example, Alliance players will no longer understand Ward players. Here, hacking occurs on the client side so that during the dialogue, the text of the enemy, sent to the player, simply will not be displayed. This is pretty easy to do, but I doubt that anyone will pay for this kind of hacking.
Josh Phillips: The next section of the presentation is called: “I'm at your base, guys, to kill you!” I will try to explain to you how to write a teleport hack. For this there is an easy way and a difficult way.
The easy way is to find the player’s position in the memory, rewrite it and call the game function responsible for changing the player’s location to teleport to the selected location. So, if you know where the code for the player’s location is located, and you can call him directly using some function, it could be a teleportation spell, which in Lua is called “cast spell”, then you can give it the desired value player teleportation sites. In this case, the server will not be able to recognize whether you are an ordinary warrior or a magician who can use spells. This method works in many games.
The hard way is faking motion packages. This will require mathematical calculations and knowledge of how they are updated, reverse engineering of motion packages, and the like. You may need to adjust the timestamp to teleport or run faster.
The next hack is the attacks of the game logic by replacing the original ID in the package with the desired ID, which we mentioned in the context of Age of Conan. These are attacks on the player’s trading skills, critical damage or the complete destruction of Fall damagé of both characters and game items, as well as attacks by NPC merchants for the purpose of robbery. In Age of Conan, it was possible to inflict critical damage to any character in the game, and even kill GM, assigning him a million Fall damagé, after which he simply died.
Mike Donnelly: yes it was fun!
Josh Phillips: in this game you could also use malicious code, so that someone entered into a trade relationship with you, even without knowing it. You could force the NPC to sell you something, and this technique is still used by many players other than me, because I do not like to steal from computer characters. And I don't think any of you should do that.
Mike Donnelly: it causes digital tears ...
Josh Phillips: followed by dupes, or cloning of objects. Many games have vulnerabilities such as server delimitation problems. For example, Age of Conan, EverQuest, Final Fantasy XII and Ultima Online have zoning, that is, if you cast a spell on one side and then cross the server line, you find an opponent who defeated you and can continue the battle. The method of repetition hack is that you move things there at a tremendous speed, for example 1000 times per second, back from the trade window to your backpack. As a result, the server stops tracking things, and they completely fill your backpack. Everyone knows the game Diablo 1, where you just drop an object on the ground, run up to it, hover over it, try to pick it up, and it immediately appears in your backpack, while remaining on the ground, so this is a rather funny way of hacking.
Hacking game resources, or Asset hacking, as I mentioned, is not worth it, unless someone else has published his work for you that you can borrow. Those who played WoW know that someone can magically appear on your side - I don’t know how it is properly called ...
Mike Donnelly: battleground, battlefield.
Josh Phillips: Actually, I have never played World of Warcraft, for me it's too boring. So, players use teleportation to instantly transfer from the battlefield to the enemy base and kill all opponents there. They can also modify the game map and create a tunnel to run underground in the desired area so that no one will see. You may see his tiny name - a tag that moves around the map, but you will not see the player himself. But in any case, these methods of hacking are not worth the effort.
The section "Hacking Games 420" I will start with a quote by Machiavelli: "Nothing great has ever been achieved without danger," so you can even be sued.
Mike Donnelly: Yes, yes, yes.
Josh Phillips: I think this is true. You can use a bot in the game, someone spoke about such a couple of years ago about this, and I wanted to hit it, because it was not quite interesting. So, for this you do something like reading pixels and automate this process, there is no reverse engineering here. For example, with one quick keystroke you redraw the “red” critical points of your own damage so that they do not turn red and you don’t die. This is a very limited hack, and your actions will go unnoticed if you act very quickly.
Mike Donnelly: That's right, you need to act very quickly. Does anyone know why detection works so badly? Understand me correctly, I don’t want to embellish the discovery position on the client side, everyone here seems to be very wise ... Obviously, game manufacturers don’t like everything we are talking about, so they try to detect your software in the game, and if they find it banned you If you cheat for fun, then the maximum that you can lose is your own game account, but if you have 100 thousand clients, this is a big problem, because if all your clients are banned, you will simply go bust.
Therefore, preventing detection of cheating is very important. We'll talk about this later, but now I want to note that finding your software on the client side is very important.
Josh Phillips: Have any of you thought about why a wave of bans rolls about once every 3 months? The fact is that when you ban 50 thousand accounts every week, people who re-tie these 50 thousand accounts will never do it again because of the high cost of living. But if you ban them no more than once every 3 or 4 months, they will re-buy the accounts, as this will be profitable. Companies think something like this: we found these guys who use, say, the Glider bot, but we are not going to ban them, because if we ban them too often, they will bring us no more than 50 dollars of profit.
Mike Donnelly: Yes, that's true.
Josh Phillips: Another way to hack is to inject code when you insert a small assembler code to make some trifle, such as a remote call to some RPC procedure. With this, the surface of your attack can increase, I mean, that you can really use something like a DLL injection in a large piece of code written in high level C or C ++, which is really easy to detect. You are writing a DLL loader that fixes all your imports and all that.
You can attack the network packet layer and do such a good thing as reverse engineering the network protocol. This is very laborious work, because there are not too many games that allow the analysis of this kind of content. This is still not an easy task, and if you consider yourself a pro, you can write your own game client. People often think that they can do it and spend a lot of time in vain, but if you are really able to write a good client, like those guys who destroyed me a couple of months ago, you can earn a couple of hundred thousand a month.
Mike Donnelly: writing a user client is not something you are going to sell, but “golden farming” and real money transactions. If you have written your game client, you can ask your partner to launch ten million copies of the game on the farming server. If your game client does not require performing a large number of 3D rendering operations, you can use its excellent functionality to scale the gold farming.
Josh Phillips: if usually you can run 2-3 gaming clients on a computer, and you were able to launch 200-300 clients, this will be a fairly large scale.
Now consider the thing called “anti-anti-cheat”. It can be used to deal with software that calculates and bans cheaters. This is often a very difficult task, but sometimes it is very important not to be discovered, otherwise you can lose everything. On the slide, I quote one more quote from Sun Tzu, who said: “Be extremely subtle, even formless. Be extremely mysterious down to silence. "
Mike Donnelly: I want to note that there are not many technical aspects of detection, but you need to approach this strategically, this is not in the book MMO Hacking. Probably, there is such a book?
Josh Phillips: Yes, one of my friends wrote it.
Mike Donnelly: This guy is eliminated first. So, like this is not in the book, but if we talk about a strategic approach to business, then you should worry about two main things regarding your software. You have an attack surface that determines how hard it will be to detect your software, and anti-cheat in this case can simply increase the detection code if it is small. Secondly, you should have what I simply call “intelligence”, that is, how well you are aware of what the enemy is doing, you must understand how his detection programs work, because this is very important. Both of these things work together, and if the attack surface is too large, it will be difficult to say what the enemy is doing in response, because his efforts may be minimal - just write one line of code that will detect your bot. If you do something really cool, like my bot, which will respond within 2 milliseconds, if the monster does something, you can avoid detection.
So this is a decision that you have to make when choosing functions and developing what your customers are asking for. You must decide whether you want to risk increasing the attack surface by adding such functions.
Before showing the next slide, I want to talk about what happened to me and other software developers of World of Warcraft. One guy developed the software, let's call it Innerspace, which worked by injecting dll into a fairly large game. This guy is well versed in reverse engineering, so he took all measures against the detection of Blizzard programs. But he still left the dll in memory, which he wanted to "confuse", and more importantly, he had to patch one of the functions of Blizzard. Therefore, he simply went to the beginning of this function and inserted the “far jump” in the right place of the code, being sure that he was sufficiently disguised and no one would find it.
The next slide shows the function with the inserted code, pay attention to the values highlighted in red, we will enlarge this fragment so that everyone can see.
This is a piece of code inserted inside the game, but this is not World of Warcraft ...
Josh Phillips: because Mike is chasing Blizzard ...
Mike Donnelly: I just think that giving an example from WoW would not be a good idea. In this code snippet, you can see that the game uses the query for the friends list askForBuddiesList, which has an optional parameter that has never been used before. It is perceived as a package number, or a team number, or a BOB number - “Brothers Over Bitches”. This optional parameter is “pasted” in this place of the code and sent to the server, everything is very simple.
So, this “pasted-in” code - let's scroll a couple of lines down to the comments - says: the old code was askForBuddiesList (0), it is 0, and instead it is now using the new code with the _asm option parameter that has never been used before.
So, Blizzard is going to find in the game code a function corrected by this guy. To do this, they changed this function call to a small sample code. They used registers, performed some mathematical calculations, so that IDA would not see another reference to this function. Then they go to the fixed function, pull out the first byte of their code and send it as a parameter that has never been used before. What happens then? They send one byte of their own code every time they make this request, and, of course, on the server side, they just “read” it, and if they find E9 instead of zero, it’s ready, it's done!
What is interesting about this software is that here you don’t see anything like "if this guy is a bot, tell the server about this." You just see that I take this byte and send it, and this is a tiny piece of code that does not even change the basic network code, there are no new parameters, nothing new. The only way to find it is to somehow observe how this data is collected, and then you can say: “Aha, this thing is always 0, and now it is 9, it’s not good”!
So, when they did this, this guy lost all of his clients, because they waited a few weeks until they were banned, and then the company struck again and again.
This is a good example of how much the attack surface means, because fixing just one function of the game led to such retaliatory measures. The fact is that if you think you know where the detection code is, there is always a chance that this is not the way you think. In the case of Blizzard, they never placed their detection code outside the “caretaker” Warden, they “kept all their eggs in one basket”, hiding the detectors in the “caretaker”. But then they got smarter and said that we will simply place our tiny code wherever we want and that's all.
It is therefore extremely important to remain difficult to detect. If they had come up with something like a new kernel call, or started a private API monitor, their activity could be detected, but when they made just one tiny step, you would immediately fall. Therefore, it is very important to observe what they are doing and how they are creating new tools to monitor how the data flows in the system should look.
As for Glyder, we had tools that warned us, for example, that Warden was updated and now has 9 entry points instead of 8, and after such a warning, I ran to my office and started feverishly fixing Glyder, brought it to order and run again. So there is always a way out, the main thing is not to be lazy. In this case, really a lot of work, but it pays off.
Josh Phillips: Yes, I think we both had to work 36 hours without a break.
Mike Donnelly: when Blizzard updated the "caretaker", they added a new scanner to it. This scanner takes a string that is encrypted inside the "caretaker", receives the server key, decrypts this string and calls the GetProcAddress function, which retrieves the address of the exported function from the specified dynamic-link library, in this case kernel32.dll. If I tired you, do not worry, then it will be more fun.
Thus, they take a string, whatever it is, and if it is regulated by this function, then GetProcAddress is applied to it without any parameters. Таким образом, если я ищу этот код и игра закрыта для патча, то я не смогу его найти, потому что у меня нет ключа и я не вижу, что он собирается расшифровать. То есть я вижу функцию, которая предназначена для вызова чего-то из kernel32.dll без всяких параметров, и не понимаю, в чём здесь смысл.
Итак, я смотрю на этот код несколько часов и ничего не могу понять, после чего решаю поговорить с одним умным парнем, Майком, который занимался Hellgate: London. Мы опять не можем ничего понять и решаем просто поднять эту тему, вставляем в код точки останова и запускаем игру, и они отправляют нам ключ! Майк говорит: «это же ключ! Давай посмотрим, что это за строка»!
Мы её расшифровываем, и выясняется, что это URL — адрес видео на YouTube! То есть они пропускают этот адрес через GetProcAddress, ProcAddress говорит, что ничего не происходит, я же, получив его, будто бы вставляю этот адрес в свой браузер, так что они просто троллят меня рекламным роликом! Не знаю, как много людей они поймали на эту удочку. Так что это было эпично, они действительно хорошо это проделали. Вот и всё, о чём я хотел рассказать, это действительно был самый эпичный ricroll, которой я когда-либо видел!
Джош Филлипс: у нас осталось мало времени, так что я постараюсь говорить побыстрей. Итак, преодолеть анти-читы с клиентской стороны можно с помощью запутывания следов, проверки памяти, обнаружения отладчика, обнаружения детектора dll и распаковки. Если вы достаточно умны, то можете заняться майнингом данных на стороне сервера. Для этого некоторые аналитики и Blizzard кинули нам действительно большую кость, типа «эй, чувак, вот как я обнаруживаю людей – я просто пишу несколько случайных запросов, а затем прихожу на следующее утро и отправляю этих людей в бан».
Также существуют вещи, которые можно использовать и на стороне клиента, и на стороне сервера, в основном это методы command & control с использованием сети ботнет, которые борются со «смотрителем» Warden и античитом Punkbaster. В данном случае вы посылаете свой игровой клиент десяти миллионам игроков WoW, это кусок кода, который исполняется на их компьютерах.
Майк Доннелли: это как ботнет и вредоносное программное обеспечение для обнаружения ботов.
Джош Филлипс: да, это довольно забавно. Punkbaster в основном ищет строки, чтобы забанить людей, я имею ввиду строки или двоичные данные в игровом клиенте пользователя. В большинстве случаев это строки типа window.name, которые обнаруживает Punkbaster. Смысл этих строк примерно такой: «эй, мне не нравится этот клан, он всегда надирает мне задницу, поэтому я собираюсь войти в их IRC канал и отправить несколько строк всем членам этого клана, а потом вернуться в игру и посмотреть, как всех их забанят за читерство».
Естественно, Punkbaster скажет: «нет-нет, это работает совсем не так!», но в действительности это работает именно таким образом.
Итак, мы дошли до защиты докторской диссертации на тему продвинутого взлома игр. Это очень глубокий колодец, в который могут утечь все ваши деньги, если вы не являетесь экспертом в этой области. Продвинутый взлом включает в себя работу с обновлениями игр и полную автоматизацию игрового процесса. У нас осталось меньше двух минут, так что мы пропустим немного слайдов.
Майк Доннелли: хочу упомянуть одну вещь, которую разработчики представили на прошлой неделе, это аукционный дом Diablo 3.
Прошу обратить ваше внимание на новинку, которая там появилась – вы видите значок доллара перед цифрами? Теперь Blizzard разрешает вам продавать игровые вещи за реальные деньги. Так что теперь вы можете подключать платежные системы напрямую к своему игровому аккаунту Blizzard и продавать золото или покупать золото. Конечно, вы не сможете конкурировать со мной, потому что я «сделал» Blizzard, но это всё равно очень интересно.
Джош Филлипс: да, это действительно интересно. Я бы хотел поблагодарить всех наших друзей из Польши, Германии, Новой Зеландии и Австралии, которые не смогли присутствовать здесь по причине дороговизны авиаперелёта.
Майк Доннелли: думаю, их арестуют в любом случае…
Джош Филлипс: надеюсь, у нас осталось ещё немного времени, так что перейдём в комнату вопросов и ответов и продолжим наше общение.
Майк Доннелли: Благодарим за внимание, DefCon!
Спасибо, что остаётесь с нами. Вам нравятся наши статьи? Хотите видеть больше интересных материалов? Поддержите нас оформив заказ или порекомендовав знакомым, 30% скидка для пользователей Хабра на уникальный аналог entry-level серверов, который был придуман нами для Вас: Вся правда о VPS (KVM) E5-2650 v4 (6 Cores) 10GB DDR4 240GB SSD 1Gbps от $20 или как правильно делить сервер? (доступны варианты с RAID1 и RAID10, до 24 ядер и до 40GB DDR4).
VPS (KVM) E5-2650 v4 (6 Cores) 10GB DDR4 240GB SSD 1Gbps до весны бесплатно при оплате на срок от полугода, заказать можно тут .
Dell R730xd в 2 раза дешевле? Только у нас 2 х Intel Dodeca-Core Xeon E5-2650v4 128GB DDR4 6x480GB SSD 1Gbps 100 ТВ от $249 в Нидерландах и США! Читайте о том Как построить инфраструктуру корп. класса c применением серверов Dell R730xd Е5-2650 v4 стоимостью 9000 евро за копейки?
Source: https://habr.com/ru/post/437790/