Okay, welcome everybody. The next talk will be "How hackers grind an MMORPG by taking it apart: an introduction to reverse engineering network protocols". So now I would like you to give a very warm and welcoming applause to our very nice speaker, ring stringer.

Oh, thank you. I'm here to talk about how to grind an MMORPG. If you don't know what an MMORPG is, I will get into that shortly, but just for reference: who does not know what an MMORPG is, never heard of it? Wow, amazing. Okay, well, then I'll get the show on the road. I'm ring springer, I'm a software engineer, and if you want to know something else I have a web page which I encourage you to visit.

So what am I going to talk about? I will first give a short introduction about the game I decided to look into, Runes of Magic. Who has heard of this game? Well, that's a lot more people than I expected, to be honest. I heard it's quite popular in Germany, but, well, you never know. So I'm going to briefly touch on it, mainly to tell you why it's interesting to look at a game like this. I will also tell you my motivation, and then we will get right into the technical stuff. I'm going to tell you how I captured traffic and started poking at it, looking at it, analyzing it; I've written tools to help me, and I've also talked to a lawyer, because, well, it's a strange world these times, so I wanted to be sure I was safe. After that there is time for some Q&A.

But first I want to thank some people. The first person is someone who has a blog about Runes of Magic research. As far as I know he never released anything, but when I was really stuck I mailed him and he had a really helpful reply.
So I was like, oh, thank you. The FDB extractor is a very nice tool which I will cover, so don't worry, but I'm happy it exists. The reason I'm giving this talk is because in a previous year there was a talk about cyber-necromancy, reverse engineering dead protocols, and I was like, well, that's interesting; if people are interested in that sort of stuff maybe I should contribute to this as well, because it is about protocols, and in this case the server is still live. On the other hand this game is really not trivial. Well, as I said, I talked to lawyers; they're not angry. There's a Dutch lawyer who's a really friendly guy and I can highly recommend his blog. In fact, he will be writing something about my questions and about his view on the matter on his blog, so if you can read Dutch, Google his name and you will find it. And of course nothing is complete without IDA and OllyDbg; if you haven't heard of those tools I'm not sure what you're doing here, because they are really good and you should check them out.

So, but first: what is an MMORPG? Well, it's an abbreviation and you can read it, but what it basically means is it's an online game, and online game means you have a character, usually something with a fantasy theme, an elf, a wizard or whatever, and the idea of these games is that they are subscription based or free to play. In the first case you pay a certain amount every month, and in the other case you can play it for free, but there are microtransactions, you know, to ensure the developers can eat. The goal of the game is to create a virtual character like this elf wizard or whatever, and you improve it: by gaining levels, by finding items, gear if you will, by completing quests, because quests typically give you levels. And the main reason to play this game is because you want to get stronger, you want to do more content.
Yeah, you want to do stuff, you want to show the world your virtual person is interesting. And the game is socially involved, there's team play involved: you generally can't do stuff by yourself, you need others, you need friends, and, well, what level of friendship you need is an entirely different matter, but you can't do it alone. Secondly, these games are designed to suck up time. They are designed to get you coming back; they really want you to get into the world and they want you to keep playing, and you can do it by playing, but you can also do it with different means, which I will show you now.

So what does the game look like? The game I'm covering looks like this. If you've never played it before: it's old by now, but who knows, it's free to play, so you can just go out, download it, install it, you can do whatever you want with it. Well, that's what I did anyway. It has a Taiwanese developer and a German publisher, and you really see that back in the way the game is created, because the term grinding means you repeat some activity over and over again, and that's exactly what they do. I've heard Taiwanese developers, Asians, really love this stuff, and this game does it quite well.

So what does this game offer? A really quick one-liner, if you will: you have three races, humans, elves, dwarves; you have a lot of classes, and the interesting part about this game is you can play a wizard-warrior, and that unique combination gives you several skills, and I find that really interesting; it is one of the things that drew me to this game. You can do crafting. An instance is like a team level, if you will, where you can join up together and destroy monsters and whatnot to get the items you need to progress, and you can do really interesting things with the items here; you can customize them in any way you want. There's a pet system, you can have a pet; you can do all sorts of things. And all
this stuff is encoded in a protocol, and I was wondering: how the hell does it work? So, to give you an idea, what stands here is not important. The idea is: the item to the left is what you find, the item to the right is what you can create of it. So what this means is the left thing, you're lucky if you find it, let's put it that way, but you can't use it, it does nothing, it's useless. The item to the right, you can enhance it and it is useful; the item to the right is what you would use if you play this game, like I did a year and a half ago or something.

So why did I intend to do this? I was curious. I mean, this was the first MMORPG I ever touched. Spoiler alert: it's going to be the last, because these things really suck up time. But I was wondering, how does it work, what makes it tick? And I was like, it's my PC; you give me an executable file and 15 gigs of data, what does it do on my PC? What does it send out? I wanted to know: does it send something of my configuration? I was like, hmm, this is interesting to figure out. And of course the time is now, because the game is active now, so you can capture whatever traffic you want, you can basically do whatever you want; and if they decide to take the servers offline, it's much, much harder. So I was like, I'm going to do this now. And to be honest, I also got bored of playing the game, so I was like, what the hell, let's just take it apart.

So the first step you need to do is you need to capture packets. I was like, how am I going to do this without the game knowing what I'm going to do? The reason is some games essentially contain things like rootkits: they scan your memory, they scan your DLLs, they do whatever they want to figure out that you're playing the game as intended. And I was like, I don't know how good those developers are, I don't know what they're sending. So I was like, you know what?
I'm just going to take another computer, real hardware, no problem, and I'm just going to capture on it. So you have this tool tcpdump, I'm sure everyone knows it, and there's also a nice tool called tcpflow, and what it does is you can just insert your dump file from tcpdump into tcpflow and you get a text file with the TCP data. That's really useful, because I don't like reading TCP headers myself. So what you do is, it looks like this: you can just tell tcpdump to dump everything from a certain network into a file, and it's really useful to filter on a network, because you don't want the DNS requests and whatever to your own systems to be logged; you just want to dump everything that goes to the network of the publisher. The nice part is you can use whois to find out what the range is, so you really know quite fast what's interesting and what is not. And then you call tcpflow on this capture file, you just say, okay, let's look at the file, and you obtain something like the stuff below. So what it does is it has a source IP, a destination IP and two ports, and it just shows: okay, this is the data that I found. It's really simple.

Well, if you look at the one where I'm logging into the game you get something like this, and if you look at it you're like, hmm, that's a lot of data. But the important thing you start to notice, I started to notice, is there's a lot of zeros in there, right? I mean, zeros are odd. And I logged in with four a's as username and four a's as password, and what I noticed was, hmm, there's still zeros in there. So I'm pretty sure they have crafted a really interesting super high-tech encryption algorithm and I'm going to find it out.
All right, because that's what we do. And the other part that I noticed is the first four bytes of every packet are the length of that piece, because if you just look at it, the first says 16 and there are 16 bytes, and the thing on the bottom says 14 and indeed there are 14 bytes. And this also gives another clue, because it's little-endian; you can immediately tell, because everyone recognizes little-endian, right?

So if we continue with this, and we just strip out the zeros, right, because we don't care about them anymore, what you see is this: this is what I get when I log in with four a's and four a's. Now, this doesn't look very interesting, so I decided I'm going to log in with four a's and four b's, and what you see is the underlined numbers are the numbers that changed. And as you can see the packet lengths, which I assumed were the first four bytes just by making educated guesses, because that is what you do with stuff like this, don't change, so that guess is pretty likely. Okay, well, the other packets, hmm, that stuff is changing in there. Well, I'm not sure, but I can make an educated guess, because you can see that there are four times 5a, and if you look at the previous slide, at the second packet, it was four times 21. So that's likely the username, right? And I tested this theory, because I was like, okay, now I'm going to do six a's, and indeed you see six, and it's nicely padded with zeros. That's because they love me.
They want me to do this stuff. So if you continue with this you see, hmm, this can't be hard. But instead of looking at the actual encryption, data mangling, however you want to call it, what I did was just make a guess: hmm, the password is always at offset 50 and 60, and the password, as you see, is not random at all, right, because if you just look at the difference between each byte, I was like, hmm, this only skips one or two or four or seven; it's not random at all. So I'm making a guess here. I was like, hmm, I know MD5 is 16 bytes, but if I write MD5 as hex digits I know it's 32 bytes, right? So let's try. So I tried it, and if you calculate the MD5 hash of your four a's you will get 74 blah blah blah, and if you try to map this to the password: the 7 and the 4, the difference between them is three, and f7 f4, the difference between them is three. Hmm, that can be a coincidence, right? Well, if we continue this guessing game: the fourth digit is a 7, after that is a 3, and indeed you will see that the password repeats f7 f3 over there, and you will see that it then contains 3 7, so the next two bytes are indeed f3 f7. So I was like, hmm, I'm pretty sure they use MD5, because, well, we don't know how it's encoded, but what we do know is that the difference between the bytes, if you will, is the same. It's exactly the same. So that usually means they use super high-level cryptography. Sorry, of course, who doesn't? And what I decided was, first I was just writing down, right, because you just assume that f7 f3 maps to this MD5 stuff.
We've just basically guessed that that's what they used, but the next part was, well, hmm, how do you get from f7 to 37? And if you just write down bits, because that's what I do when I don't know, then what I started noticing is that only the top bits were different, and then I was like, hmm, I don't have the crypto skills to deal with this, but I remembered that a zero becomes a zero, right, and how do you do that with XOR? Well, it's simple: you add a number, you XOR that number, and you end up with zero, because n XOR n is zero. And if you just apply this knowledge, because the first packet I got, I assumed, is the key; I didn't know anything about it, but it changed. And if I just assume the very first byte is a key and I plug it in as 20, you see at the top: if I insert the 20, I take f7 plus 20 XOR 20, I end up with exactly what I expected. So this basically proves it. It might go a bit quick, but the slides are in the system so you can look it up if you want to, and I want to get this boring stuff out of the way. But the interesting part of this is: you can do this by hand, just by thinking about the data. What do you see? You see a lot of zeros, you see data that is not random at all. So I was like, hmm, that's interesting.

So then you continue. You have an idea how the cryptography works, you have an idea how the rest of the game continues, so what you do is you start dumping a lot of this stuff and you start looking at it, right? The things I saw were: if you look at the last four numbers here, you'll see they just continue, so you get zero, one, two, all the time, and it just goes on and on. So it's a sequence number, because you need them in TCP, right? Very important. And the number before it just goes from zero all the way to nine and then resets again to zero, one, etc. And I was like, hmm.
Maybe that's the key they're using, because I know the key is 10 bytes, and indeed it turned out that number just says which key you need to use; if it's FF you obtain the key yourself. And that's basically all there is to it, but there are two numbers, I was like, what do they do? They looked random to me, real random, as in they don't differ by one every packet, because that isn't random. And what I noticed was I didn't know anything at all, so I fired up OllyDbg and IDA, I set a few breakpoints, and after a bit of coffee and a bit of patience: they are checksums, and they have separate header and data checksums in this game. Hmm, that's interesting. Finally, the value after the number, which you will see is always 2, is just a flag: if it's 2 the packet is encrypted, if it's 3 it's a key. Simple as that.

But then I noticed some packet I could not understand, and it's this one: it never has any payload; what I show there is basically what you see. So I was like, hmm, that's boring. If I get them, the client starts to answer them, with, oh wait, the flag number is different, and then I noticed this is likely a keep-alive. So thinking about what I saw: you see sequence numbers, you see keep-alive packets. This is likely: they decided UDP is the protocol of the future, and then they decided that UDP is actually pretty hard to use correctly, because things like reassembly of lost data are really useful. So my guess is they tried to invent their own TCP layer, they got the same problems as we got in the 1980s, so they decided just to push it over TCP and be done with it. But then again, I will never know.

So, from now on I'm going to ignore that boring header we had, with the length and the keys and the flag. I'm also going to ignore the complete encryption stuff, because, no, I don't care anymore; I figured it out.
It works, and I'm now going to continue with the packet data itself. And what I noticed is: if I run around in this game, what you notice is that I get a lot of packets from the client to the server, which must mean the client is trying to tell the server we are moving in direction blah, we are at this coordinate, or something along those lines; I don't know what it does, but I'm making educated guesses, right, and it has served quite well up to now, so I'm just going to continue. And what I noticed was, if you do this, then those numbers didn't make any sense at all, and I know the game is little-endian, because the lengths are. So what I did was I just tried plugging them in as floating point numbers, and suddenly they made sense. Those are not random floating point numbers, because the beauty of floating point numbers is: if you take a complete nonsense number and you try to make it a float, it will become a complete nonsense float; it will be a very huge number, a very small number, or it just says I don't know, it's zero. And, you know, maybe it's not a float. So if you recognize it, it's likely a float.

So I did a lot of staring and drank a lot of coffee, of course, and what I noticed is I understand the packet header. It's, yeah, as you see, it isn't rocket science. All I did was create megabytes of logs and I tried to figure out the login process and went on from there. What you see is: you understand the packet header, you will understand that there are types of packets, and you will then understand that some packets have, yes, they have a type and a subtype, and I think it has to do with the way packets are routed inside the game, but I don't know. Then I got fed up, because I don't know if you have ever stared more than a day at hex dumps, but, yeah, it tends to get boring, right? So I was like, let's create a tool, let's create a tool to do this boring stuff for us. That's what I did.
I created a tool called romdump, and the name is inspired by tcpdump, because it can dump protocols. What I did was: the first input it gets is a text file from tcpflow, so it just takes the headers away from us and reassembles the stream and stuff, and dumps it in a file; and the second part is an XML file which contains the definitions of the packets, if you will. Well, what it does is, because we know the length, because TCP has this annoying tendency to buffer stuff, really annoying, so sometimes you will just get a packet that's incomplete, or the complete TCP packet you get contains three and a half packets, and you have to remember: I need to understand the last 12 bytes, I need to... Very annoying. So I wrote this tool to help me with it, and what it does is it just assembles a packet, does the decryption stuff and such, and it looks in the XML file and continues.

So this is what it looks like. I will first do the packet at the bottom of the screen, the logon failure packet. Those names are just what I came up with, because I thought they helped. If you look at the top right, you can just say packet name is logon failure, the first field is a u32, the name is type and it has a fixed value of 4, and the second is some value which I call error. And if you look at the bottom right, you will see that we get 04 00 00 00, so that's 4, because little-endian, and then we get 65. So what the tool does is it dumps this as: packet is logon failure, type is 4, error is 65. That's much more fun than having to first get rid of that annoying encryption, obfuscation, whatever you want to call it. And the second part is: suppose sometimes I add a field because I now know that error is not an error code but it is a bit field or something, then I can just apply this knowledge to my XML file. I can just say, okay, tool, please process 400 megabytes of packet
dumps for me, and I will immediately start to see things, because now I have a tool which helps me. And if I ever manage to figure out what that unknown field after the account name and password was, I can just plug it in, and one or two, and I will see things. So that's really useful. I really recommend, if you do this sort of stuff, to think about making such tools. I know there are tools for this stuff, but we will get there; meanwhile, making custom stuff is always more fun.

So, as I said, some packets can be nested. You have a packet which I called client request, and the idea of a client request is it's always sent from the client to the server, it always has a fixed type, and contained in this packet is a sub-packet which says I want to move, I want to quit the game, I want to say something to the game world, I want to do whatever. So I was like, hmm, I can nest things in my parser, right? Because everyone likes creating parsers. So if you look at the data at the bottom right, it's exactly the same packet as I illustrated with the floating point stuff, and, well, that doesn't make any sense, but if you just create a definition and you just say, hmm, let's try float here, you will see values that make sense. You will very quickly get the basic idea of the protocol, because if you understand the headers and the idea the makers had, you will know all the code is layered, right? Mostly, I hope so. I really hope they don't just blow structs over a network socket, but who knows; but there must be some pattern to it, and we can exploit that.

So, well, when I was doing this tool I made a great mistake.
I wrote it in C++. That was dumb, you really shouldn't do it, and after this I learned Python, and Python is much more fun to do this stuff with. The reason I'm stressing this point is: when you create tools like this you want to add features, because the first time, yeah, you can decode structs and stuff, that's really cool, but eventually you will learn that, for example, an account name is always, say, 64 bytes or so, so the moment you start seeing one of them, you know it's these 64 bytes, right? Because they're always 64 bytes, and there's no reason to assume they're not. So you want to have constants. You also want enumerations, because enumerations are cool and everyone uses them. So what you want to do is you want to add: oh, login error, login code 1 is password error, login 2 is account banned, login 3 is whatever, and you just want to see them; you do not want to have to look them up all the time. And also you want structured types, at least I did, and the reason is the item structure of this game is really complex, right? We've seen lots and lots of stuff on the screen.
It has to go to your client in some way. So what I did was I wanted to add structs to this, because all items will likely have exactly the same format, because, first, programmers are lazy, and they should be: what you want to do is figure it out one time and then use this everywhere. So you need structured types. You need arrays, because everyone loves arrays; you will see the data that belongs together. But the other interesting part is I wanted transformation support, and what that does is: sometimes you will find a packet type or something and it's compressed, because, yeah, it makes sense to compress stuff. So once you figure it out, and I will get into how you can do that shortly, you want to be able to tell your dump tool: hi, the data that's coming is compressed with algorithm XYZ, now transform it for me. And if you implement it right, in other words, you do not write this tool in C, then it's really easy to do, because, well, it took me a few clever hacks to put it in. And also you want annotations, and what I mean by that is: if you log into this game, it will say, hi, you have completed quest 1234, and I was like, I have no idea what quest 1234 is, so I was like, how can I learn this?
I will get to that in the next slide; there are really clever ways to look it up. But you want your dump tool to know: if you have this number, you need to look it up in a table, and I want to see the human-readable form, because computers like quest 1234 and I want to know what is really in there. And you also want dynamic annotations, and this game works, I'm actually just walking ahead now, but the game works on an object basis: the server says, hi, there's an object over there; everything that is not static is an object, and the IDs of the objects are random, well, actually sequential, so that's not really random, but you can't predict them, at least I can't. So what you do is it will just say, hi, I want you to show object type 1234 at some position and I'm going to call it object 2, and what a dynamic annotation in the tool does is, everywhere it sees object ID 2 it will say, aha, that's that door, because it knows it was a door, so it can show that it's a door. I will give examples of this.

But first, there are custom item IDs, and I touched on them previously. One of the things you need to realize is games are typically, and everything that we do is, just numbers, right? There's a database and it has its numbers. So I was like, it's really useful when you start figuring out inventory management and you just click around items in your backpack and see what they do; you want to see: hmm, I have this potion, and I think the game must have it in this data file. So what's the ID of the potion?
It must have an identifier, and it turns out that if you just Google around a lot, the game has ways of linking an object to another player, so you can show someone: hi, I have this awesome sword, and they will see it in chat, and if they click it they will see a model of it. And it turns out that these things typically use exactly the same IDs, and there are websites, item databases if you will, and they also use the same ID, because why not, why should we invent something else? So what I decided to do was: first I used the FDB extractor tool, and what it does is you feed a data file into it and it dumps out the internal tables of the game, and it has some tools to do interesting stuff with it. I also wrote my own, because why not; I was bored of looking at hex dumps for a while, so I wanted to do something different. But it really helps if you know that an item you are interested in, because you pick it up or whatever, has a certain ID. And the other interesting part of it is, if you have hex dump support, you can just dump all packets as hex and you can just search for it, because if you search in the hex data for the ID you will immediately identify all packets that do stuff with items, and that is so much easier than just looking at them one by one. So I was continuing, and it's really nice, and then I got a packet.
I was like, hmm, there's no pattern in it at all. But what I like to do is print stuff, and I just grab a pencil, a lot of coffee and an evening, and I start just drawing lines, annotating things as I think how they work. That's what I used to do, and that's why I like the XML stuff so much. But one of the things I noticed was that the data looks random; I couldn't make heads or tails of it. I had a lot of characters, a lot of different sorts of settings, and these pieces of the name, what are pieces of the inventory, item IDs, whatever, not everything. So it's like, this looks like something compressed, and what I did was, I was like, I'm going to use my big friends OllyDbg and IDA and I'm going to learn what the protocol does. And I think I'm reasonably certain they didn't invent this compression algorithm themselves, and it really takes a lot of time to take a lot of assembly and try to learn a compression algorithm, but it's really fun to do; I think you should do it. But the problem is, when I got this, I got 100 kilobytes of data, and of the fields I could identify, I had the inventory for a part, but 100 kilobytes is a lot. It's really a lot; my first computer didn't even have that amount of memory. So I was like, hmm, I need some way to figure out how I can continue; I don't know enough about this data.

But first, I was actually quite fed up with my capturing setup, and the reason is: these tools are good, but this game is a distributed game, right, as in there are multiple servers, a lot of back ends, and if you log into the game you will get redirects to another server, and that server can decide, no, no, you're going to this server, and you need to log in again. And you will have a lot of connections and you need to look at a lot of state. So what I decided to do was, I was like, hmm, I want to capture this in a bit better fashion. So I decided, I know how the basic protocol works.
I'm going to write a proxy. This is what I did. It's a tool, it just listens on TCP and it connects to the real server, and it just forwards your data to the server and what comes back to the client, and it writes everything in a really nice logging file format. And I know they want me to do this, because you can just set in a server INI file, you can say, no, no, this is the server IP you should be contacting. So now it logs stuff, it answers keep-alives, it does that, and if it sees a server redirect, it's like, no, no, you want to talk to me, and it redirects it nicely to its own IP address. And the client on the other side doesn't know, the client on the other side doesn't care; it just looks, oh, this looks like a valid IP address, even though it's in private IP space, I'm just going to connect to it. And this turned out to be really handy, and it's undetectable as far as I know, because I didn't want this on my own gaming PC; I just run it on some Linux box somewhere in my network. And then the nice part is you can do really cool stuff with this. I'm not getting into details, but I think you get the idea now, because you can just rewrite packets and you can just lie about them. You've died? Hmm, I didn't see that packet. Goodbye. Of course, I haven't tried this.

So I have this tool, I can make nice logs, but entering the game world is 400 kilobytes of data, and that excludes the data for decompressors; so the raw data you get is 400 kilobytes. That's a whole lot, it's really a lot, and I was like, hmm, I'm pretty sure most of the data is not relevant, but I had no idea what I could do. So what I did was, I need to influence data, right? Of this 100 kilobyte structure, I need to change things and I need to learn how the game reacts to it. So I was like, let's write a server. So what I did was I just fumbled something together; it's really terrible, but it works good enough, and I had this idea for it.
Do you know what I'm going to plug a Python script language in it Because Python is good But then I was like hmm if I just type broadcast and on some array of bytes Yeah, well, well, we have real back to the packet dumps you wanted to avoid So I was like, let's not do it because we have this nice XML file And if we can use it to dump we can also use it to create packets and we can go Further as all my projects like to do what I did was I created a tool called MCA dev also super specific There's also a very stupid idea Because who passes XML in C but then again what it does is it just takes this fall And it creates source code files one of the packets data itself And those packet files are just they just create classes and you can just Put in there. Oh, I want to see I want to send And create object with this and this data and I want to send it now in office packing and encrypting and stuff It's all handled by this code and it also creates Python bindings So I can just hook it in my part and interpret I can say hi I want you to send create object with this and this arguments and it both causes to all the client it has That's really awesome. And you will see it soon So how about this is looks like Now I have this packet display yellow text. I am sure you have no idea what it does and what it and What you can do is you can just turn it to the server on some port You can just copy paste your text in there and what happens is the What happens is you will see yellow text on the client screen, but you can also mess with the parameters because I'm I'm not sure what unknown for this I'm going to type something else and I'm going to look at what what what does the client show and This is really fun to do because you can just change things and you can just observe what happens And you really learn quickly about it And you you are not you are not harming anyone, right? Because the right the game servers wherever they are. 
they're just humming along. They don't know what you do, because it's your own server. But at first I was like, you know what, I'm just going to push this 400 kilobytes of data to the client, and it crashes. Yay. Yeah, the client, if you've played this game you understand. Maybe it could have used a bit more QA. But so what I did was, I was like, maybe I'll just put sleeps in there. Well, it took a lot of time, but I managed to log in, and then I just started to remove stuff I hoped was not important, and step by step I got to somewhere I could log into the game world and I could do my packet analysis.

So I'm now going to show you a small demo. So please pray with me to the stars that it doesn't crash, because I won't say that hasn't happened before, because it has. But the packet I'm going to show is: the game works in objects, right? And if you create an object and you are like a player character, you can customize your character a bit, and the game uses some packet and it tells you, okay, the hair looks like this and the beard style is that, and that sort of stuff. So eventually I knew this packet does it, but I don't know what the 32 bytes do. My god, it's still up. What I'm going to do is I'm going to start my server, which has the nice name OpenRoM, because I really suck at names, and yeah, well, open projects are popular, right? So I was like, maybe I'll adapt this one. So I'm going to log in with a username and password. I hope it's visible. But as you can see, the server starts seeing stuff, and we have our own server with the nice name Solitude, because it's not really an online game anymore, is it? So now I'm going to log in with "Reverse Engineer", because that's what we do. And in the meanwhile, you will see the log in the background.
That's why you need logging. You want to know that stuff is going on. I'm not going to talk about what the packets actually are; I will be presenting a short overview of the protocol, and you can get the rest on my GitHub. But yeah, did I mention the game is slow? Ah, there it is. Now as you can see, we're an engineer at 32C3, because I can send whatever I want, so I can send guild names. It's really fun. Oops. This is how the game is supposed to look, and now I'm going to zoom in on my face. And yeah, I really haven't...

So now I'm just going to tell that to the stuff. I am going to enter Python stuff, right? First I'm going to set a variable, because variables are nice. Then I'm going to set a lot of data, and this is the data I just sniffed from somewhere, and I'm going to modify this. But first I'm just going to send it. So what you see here is: nothing happens. Oh, that's boring. But that's good, because it's exactly the same data as I sent when I created this character. So now I'm just going to say, hmm, unknown five, I have no idea what it does, but I'm going to set it to 255, because 255 is a nice value. Usually I'm just testing extreme values: if it's ten, make it two hundred; if it's two hundred, make it three. It really helps to figure out, yeah, what kind of value it is. So now I'm going to set it to 255, and now I'm going to send the object appearance packet again. And as you can see, my character has lost all its hair. Now I can continue with this. I can also set unknown twelve, and now my beard is another color. So I know now that the beard is somehow linked to unknown 12 and the character hair is linked to unknown five. But what you can also do is create arbitrary characters, and I'm now going to quickly do that, because sometimes you know that commands interact with other things.
So now I want to create a monster, and I'm going to do it. And of course, I messed up. You see, we have friends. Oh, that looks scary, right? But the good part is I figured out the object die command. Bye bye. You can just kill it. And then I had this unknown 92E thing and I didn't know what it was, so I'm just going to send it, and it sparkles. Sparkling is good, and sparkling in a game means you can loot it. So now if I loot it, my server, I guess I can show this as well, you will see that, hey, I get an unknown 1FF packet. So I know, aha, unknown 1FF must mean you want to loot, and now I'm supposed to send to the client which kind of cool items he has. But well, that's about it for the demo. Let's hope it doesn't die.

So now I'm quickly going to cover the protocol, because I'm running out of time. So how the game works is, there are three layers of servers. You have a login server, and it just says, hi, who are you, account name, password? And if it doesn't match, it's: go away. If you make it through, you get to a portal server, and the portal server just says, hi, here are all the game servers you can connect to. And if you then connect to a server, you end up with a specific game server. So you always have three hops, and that's why I wrote the proxy tool, because, well, it's much nicer if someone solves all this for you. Now the other thing to notice is this game has a lot of commands. Really a lot. Almost everything has a command. If you join a team, there's a command to tell you, hi, the join went perfectly. There's a command to tell you, okay, you need to add this to your message log. There's a command to tell you, oh, your player character,
you need to add this guild name. There's a command to tell you, oh, the user interface needs to add this guild name. There's a packet that gets sent which says, oh, this guild, by the way, has these and these members. And it goes on and on, and that's the nice thing about having a server: you can just do it step by step and see what happens when you send it. Because I don't know about you, but if I get like 40 packets, maybe 20 of which are relevant, I don't know, and if I can just send them myself using scripting stuff, it's much easier to figure out, because there are over 200 packet types. I know about 150 of them. As I said, it's object-based. Everything that's not static is an object. So things like doors that can be removed are objects, things you can gather are objects, NPCs, bosses, that sort of stuff, all objects. Player characters have appearances, and that's just the physical appearance, and you have separate commands for how the gear looks, and positioning, fighting, everything has a command. If you just look at a monster and it looks back, it has a command. If it changes stance from "I'm hostile" to "I'm going to kick you", it has a command. If it says I'm going to hit you, it has a command. If the hit lands, it has a command. It's really a lot.

So what I learned was this 100-kilobyte character info packet, it influences the UI, and that's really cool, because what you can do is you can just put in there... okay. We have 100 kilobytes of data, right? But then there's 100 kilobytes of data, the game world, the objects, the player you can move has nothing to do with it. And the quest notes, which the client knows, which quests are pending. So if you log in, that 100 kilobytes just has a lot of bits, because everyone loves bits, and what it does is it will just tell the client, okay, this quest is not done yet and this quest is done, and the client figures out what it needs to show.
It's really interesting. Client security really sucks in this game. If you make a mistake and send a byte too much, it crashes. That's bad, right? If you mess up this character info packet, you get an exception on the stack. Well, it's really cool, because, well, we can execute code with this if we can influence the server, and I expect the server isn't really much better, but I didn't dare try it, because, well. There's also some information gathering in there. It tells you your MAC address, it tells you your video card, your operating system, stuff like that. I don't know why; maybe if you wanted to have an idea of what your clients were. But I can spoof them as well.

So I was like, now what? Because I want to release this stuff, but I sought legal help. And the reason I did this is because I don't like getting sued, for some guy who gave a talk with that awesome title got sued for two billion dollars. I don't want to give a talk about being sued for two million euros. So I was like, I'm going to talk to a lawyer. Most of them say, don't go there. Oh, that's stupid, that's boring. So I met Arnoud Engelfriet, and he was really helpful, because of what he told me after a few mails, because he's one of the few persons I know who is also an engineer, a software engineer, and he's also a lawyer. Crazy combination, but hey, all the better for us. And he says, well, first, the tools you made are really interesting, as long as your goal is not cheating. If you're going cheating, yeah, you're acting illegally, right? Because, wow, that's not good. And if you do this in private, you don't release anything, you can do whatever you want. But your goal can never be cheating.
So I want to express: my goal never was cheating. So as he continued, he said, okay, well, the server, you shouldn't release the server code. The other tools are okay, those are fairly straight-up points, very interesting. But the server, well, they can see it as competition, you know. And I was like, why? It doesn't crash as often. But the suggestion was: don't do it, really do not release it. And I was like, I'm a bit ashamed of what the code looks like, and I do not intend to release it. And it's not because I don't love open source and stuff, but I don't want to get sued. And if anyone here has contacts with the developer or publisher of this game and it's like, okay, you can do it, I will. And if they ever take the official servers offline, so you can't play the game, I will immediately dump everything I have on GitHub.

So I wanted to thank you. All the stuff I've been talking about is on my GitHub account, and there's also a lot more stuff on there, because the item stuff is in a different repository, but who knows. But if you have any questions, now is the time, and I also have email and stuff, so thank you.

Thank you for this very insightful talk. We now have about 10 minutes for questions and answers. So if you want to ask a question, proceed to these inner microphones, and we start right now. Yeah, the right microphone there.

Hi, thanks for the talk. Did you ever accidentally send packets to the server and see it reacting in strange ways?

Yes, I did. And that, uh, it was... okay. Sorry, sorry.

Everybody who's now leaving, just be a little bit more quiet so everybody can hear the question and answer. Thank you.

But yes, I did, and one of the things I wanted to know is if it really matters if the client sends all the data it does. And it turned out it doesn't. But that's code I'm definitely going to release, because you know what you can do with it, right?
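The proxy described earlier (listen on TCP, forward both ways, log every frame, and rewrite the server's redirect so the client's second and third hops also land on the proxy) is the core of the capture setup. The following is an added example written for this page; it is not the speaker's tool, and the Runes of Magic framing is not shown in the talk, so the wire format here is an assumption: a 2-byte little-endian length prefix (header included), a 2-byte opcode, and for a hypothetical redirect opcode 0x0101 a body of four raw IPv4 octets followed by a 2-byte little-endian port. The addresses in the `__main__` block are placeholders.

```python
"""Logging TCP proxy that follows login -> portal -> game redirects (added example)."""
import asyncio
import ipaddress
import struct
import time

HEADER = struct.Struct("<HH")   # assumption: total length (incl. header), opcode
REDIRECT_OPCODE = 0x0101        # assumption: "connect to this server" opcode


def frame(opcode, body):
    """Build one frame: length prefix (header included) + opcode + body."""
    return HEADER.pack(HEADER.size + len(body), opcode) + body


def split_frames(buf):
    """Return (complete frames, unconsumed tail); raise on a corrupt length field."""
    frames = []
    while len(buf) >= HEADER.size:
        length, _ = HEADER.unpack_from(buf)
        if length < HEADER.size:
            raise ValueError("frame length smaller than header")
        if len(buf) < length:
            break                      # wait for the rest of this frame
        frames.append(bytes(buf[:length]))
        buf = buf[length:]
    return frames, bytes(buf)


def rewrite_redirect(fr, proxy_ip, proxy_port, upstream):
    """If `fr` is a redirect, remember the real next hop and point the client at us.

    Non-redirect frames are returned unchanged. `upstream` is a dict whose "next"
    entry is the server the proxy should connect to on the client's next connection.
    """
    _, opcode = HEADER.unpack_from(fr)
    if opcode != REDIRECT_OPCODE:
        return fr
    body = fr[HEADER.size:]
    real_ip = str(ipaddress.IPv4Address(body[:4]))
    (real_port,) = struct.unpack_from("<H", body, 4)
    upstream["next"] = (real_ip, real_port)
    new_body = (ipaddress.IPv4Address(proxy_ip).packed
                + struct.pack("<H", proxy_port) + body[6:])
    return frame(REDIRECT_OPCODE, new_body)


async def pump(reader, writer, direction, log, rewrite):
    """Copy frames one way, logging the original bytes and writing the rewritten ones."""
    buf = b""
    try:
        while data := await reader.read(4096):
            frames, buf = split_frames(buf + data)
            for fr in frames:
                log.append((time.time(), direction, fr.hex()))
                writer.write(rewrite(fr))
            await writer.drain()
    finally:
        writer.close()


async def handle_client(client_r, client_w, proxy_ip, proxy_port, upstream, log):
    host, port = upstream["next"]      # login server first, then whatever was redirected to
    server_r, server_w = await asyncio.open_connection(host, port)
    await asyncio.gather(
        pump(client_r, server_w, "C->S", log, lambda fr: fr),
        pump(server_r, client_w, "S->C", log,
             lambda fr: rewrite_redirect(fr, proxy_ip, proxy_port, upstream)),
    )


async def serve(proxy_ip, proxy_port, login_server, log):
    """Single-client proxy: every new connection goes to the most recent redirect target."""
    upstream = {"next": login_server}
    server = await asyncio.start_server(
        lambda r, w: handle_client(r, w, proxy_ip, proxy_port, upstream, log),
        proxy_ip, proxy_port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    LOG = []   # (timestamp, direction, hex) tuples; dump to disk however you like
    # Placeholder addresses: proxy on the LAN box, login server from the client's ini file.
    asyncio.run(serve("192.168.1.10", 9000, ("203.0.113.5", 9000), LOG))
```

The proxy keeps one `upstream["next"]` slot, which is enough for the three-hop flow in the talk because the client opens the hops one after another; several simultaneous clients would need a per-client or per-listen-port mapping. Logging the original frame and writing the rewritten one means the log still shows what the real server said.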
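The demo part of the talk turns an XML description of packets into classes, then probes an "unknown" field by resending a captured packet with extreme values and watching the client. The block below is an added example for this page, not the speaker's MCA dev tool: instead of generating C and Python bindings it builds the classes at runtime, and the XML dialect, opcodes, field names and the two packets are all constructed for illustration (the talk gives opcodes only as "unknown" numbers). String fields are assumed to be length-prefixed.

```python
"""Packet classes from an XML definition plus extreme-value probing (added example)."""
import struct
import xml.etree.ElementTree as ET

# Constructed definitions in a made-up dialect; the real file's layout is not in the talk.
PACKET_XML = """
<packets>
  <packet name="DisplayYellowText" opcode="0x0042">
    <field name="unknown4" type="u8"/>
    <field name="duration" type="u16"/>
    <field name="text" type="str"/>
  </packet>
  <packet name="ObjectAppearance" opcode="0x0060">
    <field name="object_id" type="u32"/>
    <field name="unknown5" type="u8"/>
    <field name="unknown12" type="u8"/>
    <field name="hair_style" type="u8"/>
  </packet>
</packets>
""".strip()

TYPES = {"u8": "B", "u16": "H", "u32": "I"}      # little-endian fixed-size fields
EXTREMES = {                                      # "if it's ten make it two hundred"
    "u8": (0, 1, 127, 128, 255),
    "u16": (0, 1, 0xFFFF),
    "u32": (0, 1, 0xFFFFFFFF),
    "str": ("", "A" * 300),                       # empty and "a byte too much"
}


class Packet:
    opcode = 0
    fields = ()                                   # tuple of (name, type) in wire order

    def __init__(self, **values):
        for name, ftype in self.fields:
            setattr(self, name, values.get(name, "" if ftype == "str" else 0))

    def pack(self):
        out = struct.pack("<H", self.opcode)
        for name, ftype in self.fields:
            value = getattr(self, name)
            if ftype == "str":
                raw = value.encode("utf-8")
                out += struct.pack("<H", len(raw)) + raw
            else:
                out += struct.pack("<" + TYPES[ftype], value)
        return out

    @classmethod
    def unpack(cls, data):
        (opcode,) = struct.unpack_from("<H", data)
        if opcode != cls.opcode:
            raise ValueError(f"opcode {opcode:#06x} is not {cls.__name__}")
        offset, values = 2, {}
        for name, ftype in cls.fields:
            if ftype == "str":
                (n,) = struct.unpack_from("<H", data, offset)
                offset += 2
                values[name] = data[offset:offset + n].decode("utf-8")
                offset += n
            else:
                fmt = "<" + TYPES[ftype]
                (values[name],) = struct.unpack_from(fmt, data, offset)
                offset += struct.calcsize(fmt)
        return cls(**values)

    def variants(self, field):
        """Yield (value, copy of self) with `field` set to each extreme for its type."""
        ftype = dict(self.fields)[field]
        for value in EXTREMES[ftype]:
            clone = type(self)(**vars(self))
            setattr(clone, field, value)
            yield value, clone


def load_packets(xml_text):
    """Build one Packet subclass per <packet> element, keyed by name."""
    classes = {}
    for node in ET.fromstring(xml_text).iter("packet"):
        fields = tuple((f.get("name"), f.get("type")) for f in node.iter("field"))
        classes[node.get("name")] = type(
            node.get("name"), (Packet,),
            {"opcode": int(node.get("opcode"), 16), "fields": fields})
    return classes


def probe(pkt, field, send):
    """Send every extreme-value variant of `pkt` through `send`; return what was sent."""
    sent = []
    for value, variant in pkt.variants(field):
        raw = variant.pack()
        send(raw)                                # e.g. broadcast to connected clients
        sent.append((value, raw))
    return sent


if __name__ == "__main__":
    P = load_packets(PACKET_XML)
    captured = P["ObjectAppearance"](object_id=7, unknown5=3, unknown12=9, hair_style=2)
    for value, raw in probe(captured, "unknown5", lambda raw: None):
        print(f"unknown5={value:<4} -> {raw.hex()}")   # watch the client after each one
```

Probing one field at a time while holding the rest of the captured packet constant is what makes the client's reaction attributable; the `"str"` extremes exist because the talk notes that a single extra byte in the wrong place crashes the client, which is worth knowing before you fuzz anything that talks to a real server.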
Okay, is there a question on that microphone, or no question? Okay, then another one there.

Um, I wanted to know how long you've been working on this. Like, was it last week in a caffeine-fueled nightmare, or have you been working on this for several months now?

This project took two years, but it was on and off, because I did suffer from, yeah, other interests like life and stuff. So it was really ups and downs, but I can say that overall, I think if I could do this full time, it was about, more like four to six months, I guess. Because once you get into it, it really goes fast.

Okay, there is a question from the internet.

Yeah, actually there are two questions right now. The first one is if there is any kind of end-to-end encryption or authentication between the client and the server.

Yes, sure. And plus... yeah, okay.

And the second question is if you could, in theory, spawn items on a real server.

I knew that question was coming. Yeah, well, what I want to say about this is the following. I know about players within the game who have managed to duplicate items and stuff. You can do that, or you could; I don't know if you still can, because I don't play the game anymore. And I have this idea, if you don't want to let me play the game anymore... But most of it seems to be quirks on the server side, because if the client is convinced he has some item, and surprise surprise, you can lie about that, then I'm pretty sure it's not rock solid. I think you can do it. But most people find it out by just clicking an item seven million times. And you can script in the game in Lua, and some people just made scripts to do something 20 times in a row, and the server just gave up and said, okay, whatever. So it has happened. I don't know if it's fixed, but it has happened.

Are there more questions? Yes, there.

Hello. Did you try these things on other MMOs? Or is this a unique case to this broken piece of software?
No. What you can do is, you can do this basically on any game you want. You can also, for example, if you have an SQL server, you could use some of these techniques, because it basically boils down to understanding the data. And that's why I try to talk more about the approach I took than the actual game, because the game, well, it's less interesting than the approach. But if you're volunteering, I would really like to know how The Old Republic works.

Okay, any more questions? On that microphone. Okay.

Hi, interesting talk, thanks. Actually, I'm a game developer, and at the moment I'm trying to, not a massively multiplayer game, but an online game. So do you have any advice for me to make your work harder?

Yeah, well, one of the things I think you should really consider is people can and will do this, given they're sufficiently bored with the game, as I was. And I think that what you should do is, yeah, if it were up to me, I would just release the protocol and say, ha ha, have fun. But the reason is, eventually you will figure it out, eventually you can learn how it works, and you should design with that in mind. You should design: hmm, if some crazy person sends complete quest 20 times, maybe I should check for it. You should never trust data the client sends. You should always consider it as: this can be influenced. You should also think about the fact that maybe someone did something evil and the client never got all the data you sent. Do you instantly kick it off your network? I think you should design for that.

There is another question from the internet. Yes, the question is, have you ever had contact with the developer?

I'm sorry, could you repeat it?

If you've had contact with the developer of the game?
No. And the reason I didn't is, I tried to contact some guys from the various communities, right, and everything I said about this, and I had this idea they were connected somehow, because both were in Germany and stuff. But the problem was, I never could find anything, and I do not know how to contact the publisher, because it's really a large company based in Berlin. I'm really happy the congress isn't there. And, well, I don't know where to begin. So I was hoping maybe someone here knows how I can get in. So, I don't have any experience with that stuff.

Any more questions? Last chance. Okay, then, yeah, thank you again for sharing your awesome work with us. Really nice.
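The advice given to the game developer in the Q&A (never trust data the client sends, check for someone sending "complete quest" 20 times, and decide what to do with a client that misbehaves) is a server-side design point, so here is an added example of what an authoritative handler for that one command looks like. It is illustrative code written for this page, not anything from the game or the speaker's OpenRoM server; the message shape, the quest and reward names, the five-requests-per-second window and the ten-strike kick threshold are all assumptions.

```python
"""Authoritative quest completion: the client's message is a request, never a fact (added example)."""
import time
from collections import defaultdict, deque


class QuestServer:
    def __init__(self, rewards, now=time.monotonic,
                 max_requests=5, window_s=1.0, max_strikes=10):
        self.rewards = rewards                # quest_id -> gold paid on completion (server truth)
        self.now = now                        # injectable clock so the logic is testable
        self.max_requests = max_requests      # assumption: 5 requests per rolling second
        self.window_s = window_s
        self.max_strikes = max_strikes        # assumption: 10 bad requests and you are gone
        self.active = defaultdict(set)        # account -> quests the server handed out
        self.completed = defaultdict(set)     # account -> quests already rewarded
        self.gold = defaultdict(int)
        self.recent = defaultdict(deque)      # account -> timestamps of recent requests
        self.strikes = defaultdict(int)
        self.kicked = set()

    def accept_quest(self, account, quest_id):
        """Only the server decides which quests an account is allowed to complete."""
        if quest_id not in self.rewards or quest_id in self.completed[account]:
            return False
        self.active[account].add(quest_id)
        return True

    def _rate_limited(self, account):
        window = self.recent[account]
        t = self.now()
        while window and t - window[0] > self.window_s:
            window.popleft()
        window.append(t)
        return len(window) > self.max_requests

    def _strike(self, account, reason):
        self.strikes[account] += 1
        if self.strikes[account] >= self.max_strikes:
            self.kicked.add(account)          # "do you instantly kick it off your network?"
        return "rejected: " + reason

    def handle_complete_quest(self, account, msg):
        """Process one decoded 'complete quest' message from a client.

        Only msg["quest_id"] is consulted. Any 'reward' or 'done' field the client
        includes is ignored: the client can lie about those, so they carry no weight.
        """
        if account in self.kicked:
            return "dropped: kicked"
        if self._rate_limited(account):
            return self._strike(account, "rate limit")
        quest_id = msg.get("quest_id")
        if quest_id not in self.rewards:
            return self._strike(account, "unknown quest")
        if quest_id in self.completed[account]:
            return self._strike(account, "replay")         # the 20-times-in-a-row script
        if quest_id not in self.active[account]:
            return self._strike(account, "not active")
        self.active[account].remove(quest_id)
        self.completed[account].add(quest_id)
        self.gold[account] += self.rewards[quest_id]       # server-side value, not the client's
        return "ok"


if __name__ == "__main__":
    srv = QuestServer({"q1": 50, "q2": 100})
    srv.accept_quest("alice", "q1")
    # A client script hammering the same completion with an inflated reward claim.
    for i in range(20):
        print(i, srv.handle_complete_quest("alice", {"quest_id": "q1", "reward": 999999}))
    print("gold:", srv.gold["alice"], "kicked:", "alice" in srv.kicked)
```

The three checks are deliberately ordered: rate limiting runs before any state lookup so a flood costs the server almost nothing, the replay check catches the exact duplication trick the speaker describes, and the "not active" check stops a client from completing a quest it was never given. The client's claimed reward never reaches the ledger.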