Beat Your Mom At Solitaire
Reverse Engineering of Computer Games
Christoph Matthies, Lukas Pirl
@chrisma0
May 2014
Beat your mom at Solitaire
... by cheating :(
Beat your friends at Minesweeper
How it's done
In-flight memory patching[1]
(view the game as a bunch of memory, change the important bits at runtime)
Benefits:
○ Generic (programming language and framework agnostic)
○ Fast (usually faster results than binary analysis)
○ Invisible (unless the game or its anti-cheat checks for external programs or tampered memory)
○ Good tool support (Cheat Engine[2] is popular)
[1] Elie Bursztein—Defcon 18 - Kartograph, Finding a Needle in a Haystack or How to Apply Reverse Engineering Techniques to Games
[2] www.cheatengine.org
How it's done
In-flight memory patching[1] (continued)
Drawbacks:
○ Needle in a haystack (one 4-byte value somewhere in 50 MB of memory)
○ No control over the algorithm
(you can only change data; the game's own code must be triggered to act on it,
which is less reliable than patching the binary)
Reasons to reverse engineer games
● Money (the market is huge; 2013, USA: $15.39 B spent on games[1])
○ Build better bots to farm gold
○ Sell bots / exploits / cheats[2]
● Progress faster through the game (20 hours of fishing?)
● Curiosity, learning, researching the game
● Port old, abandoned games to a new platform[3]
● Build your own server
○ Because the official server has been discontinued
[1] Entertainment Software Association, Essential facts 2014, http://www.theesa.com/facts/pdfs/ESA_EF_2014.pdf, 2014
[2] Exploits for games protected by PunkBuster - http://pansemuckl.netcoders.cc/
[3] OpenRA—Libre/Free Real Time Strategy game engine supporting early Westwood classics, http://openra.res0l.net/
Methods to RE games
Some static approaches
(interact with the binary file)
● Disassemble (but games are huge these days)
○ Find vulnerabilities
○ Understand data structures in order to pinpoint them in memory
○ Predict the future
■ Understand the pseudo-random number generator (PRNG): if you know the seed and the algorithm, you know every later "random" event
● Patch the binary
○ DLL analysis, load your own DLL into the process
○ Patch the render loop so custom code runs first
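"Predict the future" in working code. This is an added example, not code from the slides: the "game" below is assumed to deal cards with an MSVC-style rand() (the 32-bit LCG with multiplier 214013 and increment 2531011, 15-bit output) seeded with a Unix timestamp, which is a common pattern in naive C code and not a claim about any particular Solitaire build. The deal time is guessed to within an hour, the first few face-up cards are observed, and the seed is brute-forced until the observed cards match; every hidden card then follows. The card encoding, the shuffle routine and the search window are assumptions of the example.

```python
"""Recover a time-based PRNG seed from a few observed outputs and predict the rest."""

RANKS, SUITS = "A23456789TJQK", "SHDC"


def card_name(c):
    """Cards are 0..51: rank = c % 13, suit = c // 13 (encoding assumed here)."""
    return RANKS[c % 13] + SUITS[c // 13]


class MsvcRand:
    """Re-implementation of the MSVC CRT rand(): 32-bit LCG, 15-bit output."""

    def __init__(self, seed):
        self.state = seed & 0xFFFFFFFF

    def rand(self):
        self.state = (self.state * 214013 + 2531011) & 0xFFFFFFFF
        return (self.state >> 16) & 0x7FFF


def shuffle_deck(seed, n_cards=52):
    """Fisher-Yates driven by rand() % (i + 1): how a naive C game would shuffle."""
    rng = MsvcRand(seed)
    deck = list(range(n_cards))
    for i in range(n_cards - 1, 0, -1):
        j = rng.rand() % (i + 1)
        deck[i], deck[j] = deck[j], deck[i]
    return deck


def recover_seed(observed_top, approx_time, window=3600, n_cards=52):
    """Brute-force seeds around the guessed deal time until the first len(observed_top)
    cards of the reproduced deal match what the player can see. Returns None when no
    seed in the window reproduces the observation (wrong time guess or wrong PRNG model)."""
    k = len(observed_top)
    for seed in range(approx_time - window, approx_time + window + 1):
        if shuffle_deck(seed, n_cards)[:k] == observed_top:
            return seed
    return None


def predict_hidden_cards(observed_top, approx_time, n_cards=52):
    """The 'future': every card the player has not seen yet, in deal order."""
    seed = recover_seed(observed_top, approx_time, n_cards=n_cards)
    if seed is None:
        return None
    return shuffle_deck(seed, n_cards)[len(observed_top):]


if __name__ == "__main__":
    deal_time = 1400000000                 # constructed: the game seeded with time() here
    deck = shuffle_deck(deal_time)
    seen = deck[:5]                        # the face-up cards we can observe
    print("seen:", [card_name(c) for c in seen])
    hidden = predict_hidden_cards(seen, deal_time + 900)   # we guessed the time 15 min late
    print("next hidden cards:", [card_name(c) for c in hidden[:8]])
```

Five observed cards are enough here because the 7201 candidate seeds in a one-hour window are far fewer than the 52·51·50·49·48 possible five-card prefixes; with a PRNG seeded from a larger or unknown space, the same idea needs either more observed outputs or an algebraic attack on the generator rather than brute force.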
Methods to RE games
Some dynamic approaches (1/2)
(interact with the software at runtime)
● Using a debugger
○ Set breakpoints on important events
○ Get notified when something happens
○ Manipulate variables
● Using a proxy (in networked games)
○ Intercept & modify game data packets on-the-fly
○ Reverse engineer protocol
● Fuzzing (send random data, see what happens)
Methods to RE games
Some dynamic approaches (2/2)
(interact with the software at runtime)
● Bots, macros (interact with the user interface)
○ Rebind keys (e.g. shoot with the mouse wheel)
○ Sample pixels / read memory locations
(pixel sampling is error prone: resolution and UI layout must be fixed)
○ Inject / simulate keystrokes and mouse movement
(the bot owns the input devices, so dedicate a computer to this task alone)
○ Tool support (e.g. AutoHotkey[1])
● Manipulate memory
[1] AutoHotkey—Fast scriptable desktop automation with hotkeys, http://www.autohotkey.com/
Example: Map Hack in an RTS game
(i.e. remove the fog of war)
(figure: game memory, shrinking with every filtering step)
Step 0: Acquire the entire game memory.
Step 1: Do everything but discover map; keep the memory that didn't change.
Step 2: Only discover map; keep only the data that changed.
Step 3: Repeat.
Step 4: Find the data structure.
Step 5: Understand and manipulate the structure.
Step 4: Find the map
Heat map analysis of the memory region[1]
(figure: the map as seen in game vs. as laid out in memory)
[1] Kartograph—Elie Bursztein and Jocelyn Lagarenne, Stanford University,
http://www.defcon.org/images/defcon-18/dc-18-presentations/Burszstein-Lagarenne/DEFCON-18-Bursztein-Lagarenne-Kartograph.pdf
Step 5: Understanding & manipulating
● Understand the structure and the logic of the data structure
○ Many ways to represent it (linked list, array, ...)
○ Additive visibility vs. bitmap visibility
● Manipulate
○ Once vs. continually
○ Spawn a thread that continually rewrites the memory (if the game restores it every frame)
● Force the game to redraw / re-read the changed memory
○ E.g. change the resolution
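Steps 0 to 5 carried out end to end, as an added example that is not part of the original deck. FakeGame is a constructed stand-in for a real process: a flat byte array in which a fog-of-war bitmap (one bit per tile, assumed 16×16) sits among unrelated state (frame counter, unit positions, PRNG state). The scanner is never told the bitmap's offset; it only sees read_memory() snapshots, the way Cheat Engine or ReadProcessMemory would expose them. The example generalises the slide slightly: because each scouting action only changes the bytes of the tiles it reveals, the "changed" filter keeps the union of everything that changed during a discovery step, while the "unchanged" filter removes everything that changed while merely playing. The memory layout and the map dimensions are assumptions of the example.

```python
"""Differential memory search for a fog-of-war bitmap, then in-flight patching."""
import random

MAP_W, MAP_H = 16, 16                  # assumed map size, 1 bit per tile
MAP_BYTES = MAP_W * MAP_H // 8         # 32-byte visibility bitmap


class FakeGame:
    """Constructed stand-in for a game process; only the game knows this layout."""

    def __init__(self, mem_size=4096, seed=1):
        self.rng = random.Random(seed)
        self.mem = bytearray(self.rng.getrandbits(8) for _ in range(mem_size))
        self.frame_off, self.units_off = 0x040, 0x200   # frame counter, 64 bytes of unit state
        self.prng_off, self.fog_off = 0x400, 0x900      # 16 bytes PRNG state, fog bitmap
        self.mem[self.frame_off:self.frame_off + 4] = bytes(4)              # counter starts at 0
        self.mem[self.fog_off:self.fog_off + MAP_BYTES] = bytes(MAP_BYTES)  # everything hidden

    def read_memory(self):
        """What a debugger or ReadProcessMemory would hand the scanner."""
        return bytes(self.mem)

    def write_memory(self, off, data):
        self.mem[off:off + len(data)] = data

    def tick(self, frames=1):
        """Unrelated activity: frame counter, unit movement, PRNG churn."""
        for _ in range(frames):
            n = int.from_bytes(self.mem[self.frame_off:self.frame_off + 4], "little") + 1
            self.mem[self.frame_off:self.frame_off + 4] = n.to_bytes(4, "little")
            for i in range(64):
                self.mem[self.units_off + i] = self.rng.getrandbits(8)
            for i in range(16):
                self.mem[self.prng_off + i] = self.rng.getrandbits(8)

    def reveal_rows(self, first_row, n_rows):
        """The only action that touches the fog bitmap: scout a band of rows."""
        for y in range(first_row, first_row + n_rows):
            for x in range(MAP_W):
                bit = y * MAP_W + x
                self.mem[self.fog_off + bit // 8] |= 1 << (bit % 8)
        self.tick()                                    # scouting takes a frame too

    def is_visible(self, x, y):
        bit = y * MAP_W + x
        return bool((self.mem[self.fog_off + bit // 8] >> (bit % 8)) & 1)


class DifferentialScanner:
    """Step 0: snapshot everything; steps 1-3: shrink the candidate set."""

    def __init__(self, game):
        self.game = game
        self.snap = game.read_memory()
        self.candidates = set(range(len(self.snap)))   # every byte is a suspect
        self.touched_by_discovery = set()

    def _diff(self):
        new = self.game.read_memory()
        changed = {a for a in self.candidates if new[a] != self.snap[a]}
        self.snap = new
        return changed

    def after_noise(self):
        """Step 1: we did everything except discover map -> drop what changed."""
        self.candidates -= self._diff()

    def after_discovery(self):
        """Step 2: we only discovered map -> remember what changed."""
        self.touched_by_discovery |= self._diff()

    def result(self):
        return self.candidates & self.touched_by_discovery


def find_fog_bitmap(game, rounds=3, rows_per_round=4):
    """Steps 0-4: run the filter loop, then check the survivors form one structure."""
    scanner = DifferentialScanner(game)
    for r in range(rounds):                            # step 3: repeat
        game.tick(frames=5)                            # step 1: play, but do not scout
        scanner.after_noise()
        game.reveal_rows(r * rows_per_round, rows_per_round)   # step 2: only scout
        scanner.after_discovery()
    hits = sorted(scanner.result())
    if not hits or hits[-1] - hits[0] + 1 != len(hits):
        raise RuntimeError("survivors are not one contiguous block: %r" % hits)
    bytes_per_row = len(hits) // (rounds * rows_per_round)   # step 4: 2 bytes per 16-tile row
    if bytes_per_row * 8 != MAP_W:
        raise RuntimeError("block does not look like a %d-wide bitmap" % MAP_W)
    return hits[0], bytes_per_row * MAP_H                # base and size of the full bitmap


def remove_fog(game, base, size):
    """Step 5: set every visibility bit, including rows we never scouted."""
    game.write_memory(base, b"\xff" * size)


if __name__ == "__main__":
    g = FakeGame()
    base, size = find_fog_bitmap(g)
    print("fog bitmap at 0x%x (%d bytes); (0,15) visible: %s" % (base, size, g.is_visible(0, 15)))
    remove_fog(g, base, size)
    print("after patch, all visible:", all(g.is_visible(x, y) for x in range(MAP_W) for y in range(MAP_H)))
```

Step 4 is where the analysis stops being mechanical: the 24 surviving bytes cover the 12 scouted rows, so the structure is two bytes per row and the full bitmap is 32 bytes, which lets remove_fog() expose the four rows the scanner never saw change. For a game that rebuilds the fog every frame, the write in remove_fog() has to be repeated from a thread, which is the slide's "spawn a thread to continually rewrite memory".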
Networked games
● The client-server model stops naive game modification
○ Client: "I have gathered 99999999 gold"
○ Server: "Not according to my model! Disconnect!"
● Efficiency vs. security
○ "Never trust the client": the server keeps the authoritative state and validates what the client does, not what it claims
○ Only send the data that is needed
(just-in-time; can lead to lag on slow connections, but the client never holds what it must not show)
○ Send the complete game state
(fast and scales well, but vulnerable to memory manipulation: a map hack simply reads the hidden part)
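The two server designs side by side, as an added example that is not from the slides. TrustingServer takes the client's reported result at face value, which is exactly the "99999999 gold" exchange above. AuthoritativeServer only accepts intents ("I want to gather"), computes the outcome from its own clock and rate limit, drops a client that asserts state, and sends each client just the part of the world it can see, so a memory dump of that client does not contain the rest of the map. The message format, the gather rate and the vision radius are assumptions of the example.

```python
"""'Never trust the client': accept intents, compute results server-side, send only what is needed."""
import json

GATHER_RATE = 5        # assumed: gold per second a player can plausibly gather
VISION_RADIUS = 3      # assumed: tiles a player can see around each own unit


class TrustingServer:
    """Accepts client-reported results: one forged packet gives unlimited gold."""

    def __init__(self):
        self.gold = {}

    def handle(self, player, raw):
        msg = json.loads(raw)
        if msg.get("type") == "gold_update":
            self.gold[player] = int(msg["gold"])      # the flaw: the client's number wins
            return True
        return False


class AuthoritativeServer:
    """Keeps the only copy of the world; clients may only propose actions."""

    def __init__(self):
        self.now = 0.0                     # server clock in seconds (advanced by the caller)
        self.players = {}                  # name -> {"gold", "last_gather", "units"}

    def connect(self, player, units):
        self.players[player] = {"gold": 0, "last_gather": self.now, "units": list(units)}

    def handle(self, player, raw):
        """Returns (accepted, reason). A state assertion ends the session."""
        msg = json.loads(raw)
        p = self.players.get(player)
        if p is None:
            return False, "not connected"
        if msg.get("type") == "gold_update":
            del self.players[player]       # "Not according to my model! Disconnect!"
            return False, "client-asserted state rejected; disconnected"
        if msg.get("type") == "gather":
            # The client asks to gather; the server decides how much was possible.
            possible = int((self.now - p["last_gather"]) * GATHER_RATE)
            earned = max(0, min(int(msg.get("amount", 0)), possible))
            p["gold"] += earned
            p["last_gather"] = self.now
            return True, "gathered %d gold" % earned
        return False, "unknown message type"

    def snapshot_for(self, player):
        """Just-in-time state: only units inside the player's vision are included."""
        mine = self.players[player]["units"]
        visible = []
        for owner, q in self.players.items():
            for ux, uy in q["units"]:
                in_sight = any(abs(ux - mx) <= VISION_RADIUS and abs(uy - my) <= VISION_RADIUS
                               for mx, my in mine)
                if owner == player or in_sight:
                    visible.append({"owner": owner, "x": ux, "y": uy})
        return {"gold": self.players[player]["gold"], "units": visible}


if __name__ == "__main__":
    t = TrustingServer()
    t.handle("mallory", '{"type": "gold_update", "gold": 99999999}')
    print("trusting server believes mallory has", t.gold["mallory"], "gold")

    s = AuthoritativeServer()
    s.connect("alice", [(0, 0)])
    s.connect("mallory", [(2, 2), (20, 20)])
    s.now = 4.0                                         # four seconds pass
    print(s.handle("alice", '{"type": "gather", "amount": 99999999}'))   # capped at 20
    print(json.dumps(s.snapshot_for("alice")))          # (2,2) is sent, (20,20) is not
    print(s.handle("mallory", '{"type": "gold_update", "gold": 99999999}'))
```

The gather handler is the important part: the client's "amount" is treated as a wish, not a fact, and is clamped to what the server's own model allows since the last action. The same clamp is what makes a speed hack or an edited packet useless against this server, and what makes the trusting server fall to a single edited message.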
Countermeasures
Game developers try to stop cheating / modifications
○ Cheating frustrates players, players leave (money is lost)
○ Arms race between cheaters & devs
Examples:
● Client data file checksums
○ Compare checksums with the server
○ Circumvented by keeping the files in an "open state" (requires changing kernel behaviour)
Countermeasures
Employ additional anti-cheat software (spyware?!)
○ PunkBuster (EA, Activision, Ubisoft, ...)
■ Memory scanning
■ Status reports
■ Screenshots of the player's screen
■ Check the player's settings, search across all players
■ Hardware bans (the hard-disk ID is banned)[1]
○ Additional attack surface
■ The anti-cheat itself can be the target of exploits
[1] Ban Stats for Battlefield 3 - http://www.pbbans.com/mbi-latest50-bf3-lfb41.html
Countermeasures: The Warden
Blizzard's anti-cheat (WoW, SC2, Diablo III, etc.)
“[...] the Warden pokes around into other processes, doing things like reading the window text in the title bar of every window and doing a scan of the code loaded for every process running on your computer (which it then compares against known cheat code). [...] nothing is really stopping the company from doing whatever it wants on a gamer's PC, and it has already crossed the invisible line by poking around outside the game's process area. We don't trust them.” [1]
[1] G. Hoglund and G. McGraw. Exploiting online games: cheating massively distributed systems. 2007.
Countermeasures: The Warden
Blizzard's anti-cheat (WoW, SC2, Diablo III, etc.)
Diablo III EULA[1]:
“Consent to Monitor. WHEN RUNNING, THE GAME MAY MONITOR YOUR COMPUTER'S RANDOM ACCESS MEMORY (RAM) FOR UNAUTHORIZED THIRD PARTY PROGRAMS RUNNING CONCURRENTLY WITH THE GAME. [...] IN THE EVENT THAT THE GAME DETECTS AN UNAUTHORIZED THIRD PARTY PROGRAM, THE GAME MAY (a) COMMUNICATE INFORMATION BACK TO BLIZZARD, INCLUDING WITHOUT LIMITATION YOUR ACCOUNT NAME, DETAILS ABOUT THE UNAUTHORIZED THIRD PARTY PROGRAM DETECTED, AND THE TIME AND DATE; AND/OR (b) EXERCISE ANY OR ALL OF ITS RIGHTS UNDER THIS AGREEMENT, WITH OR WITHOUT PRIOR NOTICE TO THE USER.”
You have to agree to this (or not play)
[1] http://us.blizzard.com/en-us/company/legal/d3_eula.html
Discussion
Topics: PunkBuster, privacy, heat map visualization, the Warden, Cheat Engine, memory, proxy, countermeasures, Solitaire, bots, macros, binary patching, cheating, morality, arms race, checksums, maphack, hardware bans
References
● Bursztein, E.; Hamburg, M.; Lagarenne, J.; Boneh, D., "OpenConflict: Preventing Real Time Map Hacks in Online Games". Security and Privacy (SP), 2011 IEEE Symposium on. Available at: http://crypto.stanford.edu/~dabo/pubs/papers/onlinegames.pdf
● G. Hoglund and G. McGraw. Exploiting online games: cheating massively distributed systems. 2007.
● Elie Bursztein, Jocelyn Lagarenne. Stanford University. "Kartograph: Anatomy of a Maphack". Defcon 18. Retrieved from https://www.youtube.com/watch?v=mFprkIAeKgM. Slides available at: http://www.defcon.org/images/defcon-18/dc-18-presentations/Burszstein-Lagarenne/DEFCON-18-Bursztein-Lagarenne-Kartograph.pdf
● Bruce Potter, Logan Lodge. "Living with Game Servers". DEFCON 17. 2009. Retrieved from https://www.youtube.com/watch?v=SooVvF9qO_k
● Loïc Hoguin. "Reverse-Engineering A Proprietary Game Server With Erlang". EUC 2012. Retrieved from http://ninenines.eu/talks/reverse-engineering/reverse-engineering.html