Hi everyone, I'm Eli, and this is Jocelyn, and today we're going to present Cartograph to you. Jocelyn and I do a lot of reverse engineering, and we thought that it might be fun to actually apply reverse engineering techniques to games, and that's Cartograph. So you see on the slide you have the hashtag, it's Cartograph. We put up a video of the demo of the tool for you, and we also already put up the slides, so if you want to get them, you have the link there on Twitter.

So what is Cartograph? Cartograph is basically a memory analyzer with which we're going to do on-the-fly patching of games, and we're going to show you how we can do that and how efficient it is for hacking modern games. So what are we trying to do that for? Multiple things. You can do a lot of stuff with Cartograph. You can first try to have a unit which levels faster. We can also have a way to have infinite money or any resource you want, we also have a way to have X-ray vision, meaning we know what your opponent is doing, and finally we also have an invisible unit.

Before we start, let me show you what the end result is. So this is a video of Supreme Commander 2, and if you notice our tank on the bottom, it never dies. The health bar keeps replenishing; that's Cartograph in action. It's basically replenishing the health pool. So do you want to know how we do that? Okay, so the way we do that is we are doing in-flight memory patching, so view your game as a huge chunk of memory, and what we try to do is to modify it, and if you modify it in the right way, then you end up having a nice effect: having a building, having an infinite amount of money, and that kind of stuff. So the nice thing about doing in-flight patching of the memory is that it's a generic way to attack games. You can do this on any kind of game you want. It's pretty fast. It turns out that actually looking at the memory and trying to reverse the game from the memory is, for me, actually faster than doing a binary analysis.
And finally it's almost invisible, because you're only rewriting a part of the memory, so it's very hard for a game to detect that you did cheat. So actually we have some drawbacks for this kind of attack. First, it's really finding a needle in a haystack. For instance, Supreme Commander, which we just showed you, has about 800 megabytes of data, and what we are looking for, let's say the map, is only one megabyte, so you're really trying to find a needle in a haystack. The other problem we have, and we're going to show you that, is that when you try to rewrite the memory, we have no direct control over the algorithm of the game. So sometimes we have to find a way to trigger the algorithm to do something for us, and sometimes it works, sometimes it does not. So in some cases it's not as reliable as patching the binary.

So here's what we're going to present to you. First we're going to give you a quick background on games. Who plays games here? Almost everyone. Okay, so that will be pretty quick. And then we're going to show you how we can actually build a map hack with Cartograph. Then we're going to show you how we are able to make invisible units in another game. And finally we'll discuss how we can actually re-sync the network to prevent being caught when we are cheating online. And finally, if the god of the demo is with us, he's going to show you what the Cartograph code looks like, and he's going to do a map hack in real time for you, if it works.

So, a bit of background. We all know that games actually earn a lot of money, about 273 million this last year. And there are a ton of different kinds of games: action games, Mario; first-person shooters; sports games; role-playing games, World of Warcraft. Any World of Warcraft players here? No one is playing World of Warcraft? Two of you? I do. Okay. And some adventure games, not that interesting to cheat on actually. And finally, strategy games.
And the ones we actually focused on for this talk are these real-time strategy games, because they are the ones which are the most sold on PC. We could have done any other type of game, but this one is the most played, so that's the one we went for. For those who have never seen one, and I think almost no one here has never seen one, the idea is you want to beat your opponent, and to do that you gather resources and then you accumulate them until you can buy stuff like buildings and units, and you usually have what we call a mini map in the corner, which displays the entire map. And you see there is a part which is visible, which is the part where you actually see your opponent. If your opponent is in this visible section, you see it. And if it's not in this section, it's what we call the fog of war. It's where you don't have any line of sight, and if your opponent is there, you don't see it. The entire idea of the map hack is actually to remove it.

We're going to show you the demo on the most recent game we were able to find. This is Supreme Commander 2. It's a fairly straightforward real-time strategy game. It was released in March, so it's the most recent one we came up with. The newest one is of course StarCraft 2. I'm going to discuss this in a bit, but we didn't have the game when we were doing this kind of demo. So, a fairly recent game, and you see all our units, and if you move a unit to the top, you will see that we are able to see the fog of war in effect and our opponent is going to show up. And the whole tutorial for this first part will be to actually lift this restriction. So as we said, there are multiple ways to cheat in an RTS. The first one is to try to have more resources. The second one is having more units, or units which are cheaper or have more health points, invincible units if you want. And finally you can also do this kind of map hack. So a map hack visually is just this, right?
So we try to rewrite the memory and trick the game into thinking that we can see everything. So if we are successful, you basically see the entire map. So there is no spoon. It might seem that there are three kinds of hack: one for resources, one for units and one for the map. Actually, it's not true. From our perspective, it's only a bunch of bits, and all we have to do is find the algorithm to figure out which bits are what and try to flip them in the right order so we can trigger an effect. So it's basically going through the matrix, seeing it and trying to modify it.

So how do we build a map hack? The hard part was to find a way to instrument the game in a way that gives us enough information so we know what to look for. So we do that in three steps. The first step, four steps. The first step is to reduce the part of memory we want to consider as the potential place where the structure is, then we want to find it visually, then we try to understand it by doing some testing, and finally we just rewrite it on the fly, either one time or multiple times, depending on which kind of rewriting we need.

So how we do that is first we acquire the memory. Cartograph basically reads the entire memory. That's why we had to move to 64 bits. That's where 64 bits is actually great for us. One of the games, Supreme Commander 2, takes like 800 megabytes of memory. We have to have at least 6 or 7 gigabytes of RAM to actually hold this in multiple places and do a lot of computation on it. So we work on Windows 7 64-bit. You can do that with a 32-bit structure actually, but memory is cheap, right?

So the first step to instrument the game is we start by playing the game, and we try everything except discovering the map, and we're only going to keep the part which did not move, because we didn't discover the map, so it must be in memory which didn't change, and it should help us to reduce what we are considering.
Then the second step: we're going to discover the map, and only discover the map, and this time we only keep the memory which did change, so it helps us to reduce further how much memory we need to consider. And finally we do a third step and we play the game again. After that we should have a fairly small chunk of memory, usually 2 or 3 megabytes, where we know the map is in it, and then we have to look at it visually. That's what we're going to show you.

So how do we acquire the game memory for real? This is a video of Cartograph in action, so we're going to select the process of Supreme Commander and then we're going to read the memory from it. It takes a bit of time because the memory, as I said, is 800 megabytes, and for each of them we have to store the address and the value, so basically we have to store 1.6... 1.6 megabytes of data for this step, so it takes a little bit of time. You click on "I'm going to do a map hack"; there are a ton of buttons in the interface. For those who wonder, Cartograph has been developed in C#/.NET. So we do that, and hopefully when this step is done we can move on and try to do something else, which is we try to remove unrelated memory. Same idea. We go back to the game and then we try to trigger as much stuff as we can, either by creating new units, looking at our buildings, rotating the camera, or zooming, because in this game you have a lot of zoom. So basically we try to change as much memory which is unrelated to the game as we can, to narrow down what we have, and then we have Cartograph remove everything that has been changed. This is actually faster, and we're going to basically knock off about 100 megabytes of data which is not related to the map, and it's pretty quick. So you see the progress bar in green in the middle of the video. So when this is done we have to do the most important step: we have to use a couple of units to discover the map and then keep only the part of the memory which has been changed.
Actually we never have a clean screenshot, because a lot of things are happening all the time, but it really, really reduces the map, from about 600 megabytes to 200.5 megabytes. So let's see that. So you're going to see on the video, I'm going to move two units to the bottom left of the map. You will see them right now. Here they go. So one and two. So basically I'm discovering the bottom left of the map, and try to remember the shape, because that's the one we're going to look for in the memory. So when we have that we do a third step which is, as I said, similar to step one: we're going to redo a change, but we're going to remove everything which changes by just playing the game a little bit more. Okay, I think I skipped the video. So same thing. We try to move a little bit. It doesn't have to be long. It's just really efficient. At that time we probably will remove half of the size, going from 2.5 to 1.2 megabytes of data.

And when we're done with that we need to find the map in memory. So now we have reduced as much as we can. We now really have to look at the memory and try to figure out where the map is. So we have one working assumption, which turns out to be true in almost every game we looked at, which is that the map is stored in a 2D array. Actually, you can have multiple maps in the memory; Jocelyn is going to show you this in the demo. But for now we just assume that the map is one 2D array, and if you look at this using visualization techniques, what you're going to observe in memory is something like this. So you should be able to see, with different colors, a 2D array which pops up in the memory we have acquired. So let's wait here. So first we're going to select the snapshot we want. We have only one snapshot now, which is the memory from which we removed all the other parts, and we're going to use what we call a heat map visualization.
The heat map visualization is simply having one pixel for each bit of the memory, with different colors depending on the value. And if we scroll down to it, I'm not sure it's very visible on the screen, on the bottom of the map you have a very, very strange shape. Can everyone see it? You see the shape on the bottom? It's like a tilted line, right? It looks almost exactly like what we have as the two units. Yeah? Okay, so I'm going to show you a zoom of it, but that's the idea. So let's get to what we see from Cartograph, and we're going to try to isolate this potential map. If you look in memory, here is what it looks like. On the left this is the game. On the right this is what we can have using a heat map visualization of this part of the memory. So you see it really looks like the map we have in the game.

And Supreme Commander 2 has a specific kind of map. It's what we call an additive visibility map, meaning that every time you have a unit it actually increases the value one by one. So if you have two units the value will be two. If you have three units the value will be three. So basically every time you move a unit you have to subtract or add visibility points on the whole map. So the way we're going to hack it is we're going to rewrite the entire memory with FFF, meaning that we have 255 units which are actually able to view each square of the map. And we're going to do this continuously in memory, because every time you move a unit you actually decrease it, so at some point if we don't do it the map tends to fade.

So how we came up with the idea that this is an additive structure is because we are able to use another trick, which is called a diff map. So remember this was the situation of the game, and what we're going to do is we're going to move one unit.
We know where the map is, so what we're going to do is we're just going to move the unit from bottom to top and have two different positions, and we're going to use what we call a diff map. So a diff map is basically a heat map with two colors: blue means nothing changed, red means changed. And if you look here, we're going to put it side by side with the previous map, you'll see that the only spot which did move was the one where the unit was, right? Everyone sees that? Okay, so far so good. So now we can look at the value; you see the tooltip of Cartograph displays what the value is. So we know what the value was before and what the value is now, so we can have a guess at how the algorithm works. Once again, we're only comparing the storage structure, not the algorithm, so we have to count on the game to actually reprocess the storage; sometimes it works, sometimes it does not. So at that point it's almost done, right? We know what to rewrite, we know what to rewrite it with, so it's basically just spawning a thread and writing the memory of the game. Do you want to see what it looks like? Okay, good.

So here is the video when we try to rewrite it, so it's an in-game visualization of it. So as you see, on the top there is my opponent; I can't see it, it's in the fog of war, and we just rewrite it right now as we speak. So what will happen is it will pop and you will see that the game will really believe that... see, here you go. And as you see, the game is completely fooled, believing that we can see everything, and our defensive towers are starting to shoot at a unit; we can even click on the building. It's completely invisible; at that point you have a full map hack. Pretty cool, right? How many of you did order StarCraft 2? StarCraft 2?
Yes, quite a lot, and some of us too. So we wanted to show you how to do that for StarCraft 2. We didn't have time, sorry, but we have something for you. So this is StarCraft 2, and we are not ready; we tried to do it, but it was really quick, the game was released two days ago. So what we have is we were able to find the mini map. It doesn't mean that we can rewrite it to actually make something useful of it, but we are able to find it in memory. If you see, it's just mirrored, but you can see the mini map. So we are already able to find the mini map of StarCraft 2, so it's a really easy approach; it can work on any modern game we know of. If you have any other idea of a game you think we should try, you can just send us a tweet or email, we'll be happy to try. By the way, we're not going to release the tool.

We were up really late at night and we tried a bunch of games and we had some unexpected effects, so we just want to show you, to see what other things we can come up with. So I think it was like two months ago, we tried to do Anno, which is a strategy game, and we were messing with the visibility map. So we were trying one effect here, and we had a trap running, and we just tried to put our boat into the fog, but in a way we did succeed in finding the map, so we just made the fog permanent. Yeah, the underlying reason why it's not working is because actually when you remove the fog, the algorithm does not reprocess the map, so you can't actually remove it, because it's already removed, you just don't know it. That's the kind of effect we have; we have a bunch of videos like this. In Civilization 4 for instance we were able to have the map completely disappear; you don't see anything else. Side effects: when you play with memory you never know what happens.

A little bit about unit hacking. Unit hacking is way, way harder, because this time what we were looking for is probably a few kilobytes of data, and so visualization won't work; you can't actually look at the map and say "here it is" and click
on it. So we started to rely on shape analysis, which is our algorithm; we tried to put a lot of effort into that. I think we spent nights and days for about a month and a half on this. It's really hard to come up with an algorithm which helps you to find the structure which changed and understand which structure it is. So we have one algorithm for each type of structure: stacks, chained lists, pointer lists and so forth. To give you an idea how we do that, we have a bunch of heuristics. So if you want to find a stack of pointers, what we do is we make sure that the memory we are considering only has one integer added every time we create a unit, and we also make sure that this integer is a real pointer. So what we have under the hood is a dereferencing algorithm which looks at the pointer and tries to see where it points in the memory. Once again it's easier said than done, and that's how we do that.

The basic idea to narrow down the memory we are considering is simply the same idea: we build units, and every time we build a unit the possible places where the unit list is keep decreasing until we have a very small one. So when we have this memory we go back to our idea of using visualization, and here we go. This is a visualization of the unit list of Age of Empires 3, I guess. On this one, as you see, we have only strips; each strip represents one unit, so if you have 5 units it's 5 strips, and the black void between each unit is basically a bunch of memory which is not related to the unit list, so it's really hard. Then, when we have that, we have to figure out how the units work. Any idea how we do that?
You get the right idea, exactly. So the way we do that is we go back to the idea of using a diff map. So we start with the unit which is completely blue; the memory of the unit would be blue because we don't move it, we don't do anything with it. And then, to know where the coordinates of the unit are stored, we just make it move, and by making it move we're able to know which part of the memory changed, so we know where the coordinates are, and then we have to figure out how the coordinate system works. And when we know that, we're able to have units which teleport across the map, a pretty cool hack. And the one we really like is we try to have an invisible unit, and to do that, the way we do it is like our own unit: we make it blue, so we shoot at them, and hopefully by looking where the HP decreases we know where the HP points are. And as a result you get something like this, right? You get four units which are able to completely wipe out the base because they're just not dying. You can notice that our health bars are black; it's because when we rewrite the memory, what happens is we probably also rewrite the color of the bar. We have no way to tell where the color is, because it also changes with the health points. But as you can see, we are able to have invincible units, right? Pretty cool.

So now I'm going to tell you the third part of the story. There is a third part in the story: network, right?
If you try to cheat in the game on the network side, here's what you get: out of sync. We basically get out of sync because a lot of games actually do some type of checking on the value of the number of units you have, how many health points they have. For instance, if your unit is not dying on your side and is dying on the other side, something is off. So we have to deal with desynchronization. The way we have to do that is basically you are either able to re-sync or you basically get cooked. What happens is, for some hacks, like the map hack, it's not detectable by this kind of integrated checking, because all you are saying is "I am able to see this map", which basically is not triggered by that. But if you try to have an invisible unit or tamper with the resources then you get this.

We actually had to build on one idea which was presented at DEF CON 15, and it was pretty cool, which was using the LSP. So the LSP is a Layered Service Provider; it's a functionality provided by Winsock, and it actually allows you to divert some of the traffic to an application if you want. So what we did is we worked with Pascal Gennagier, a French guy who helped us get it to run on Windows 7. He started his own project, and we were able to actually intercept packets, and with that we are able to actually tamper with the traffic, basically by first collecting it and then trying to rewrite it to re-sync the game. So to do that we do four steps. The first one is we're going to bucket the traffic. When you have a game you usually have four to seven types of packets, and the way we know there are five to seven types of packets is because these packets have a specific size, and so we're going to only focus on one size at a time, because then we can compare what is changing and what is not changing. Then we're going to visualize what the changes are, and then we try to understand it; sometimes we are able to do it, sometimes we are not able to do it. And finally we are able to rewrite the packets, and by rewriting the packets
re-sync the game. So usually you end up having it not re-sync. We're not going to tell you how to cheat on a game on the network, sorry. We're going to show you what the interface looks like, but it's up to you if you want to really apply it on a real game. We know it works; we don't want to be the ones blamed because everyone starts to cheat. So I'm going to show you that kind of famous game, sorry. But here's the interface. On the left you have what we call the LSP listener. So the LSP lives at the Winsock level, so we have to have an IPC which is going to speak with Cartograph, and Cartograph will tell it whether to let the packet go or to modify it, and then tell it to rewrite it with a specific value we want. Then we have all the buckets I was speaking of before. So for the LSP, for Civilization 4, there are 5 types of packets which are sorted by size, and finally you have the visualization for each bucket, so we can visualize one bucket at a time.

A little bit more on the visualization bucket view. So the visualization bucket works like this: on the X axis you have the length of the packet, so the rightmost part is the last bit of the packet, byte of the packet, and the leftmost part is the first bit. So basically each block is one different bit of the packet, and on the Y axis basically the packets are stacked one on top of the other, so we see the evolution of the trace. And as you can see, on top of it we have something different which is blue and red, and you should be used to it by now: this is our diff map analysis for the trace. So it tells us which part of the packets is moving and which part is not; blue meaning not moving, and red meaning it did change at some point. And by just looking at and visualizing the trace you can infer a lot of information on how the protocol works. If it's a fixed value, then you see it's the same color all over the place, like the pink one on the screen. If it's a counter, then that's where the heat map is really useful: you're
going to see a gradient. So basically you see this is an increment; every time it increments it changes color by one, so you see a continuous gradient, which means it's probably a counter. So we don't really have to take care of this until we want to inject something more. And finally you have this part on the right which looks completely scrambled; it's usually either an IV or an encrypted value with a given key, although the game we looked at didn't have a key exchange, so it's a little bit more subtle, a specific value for each packet as an IV.

Before Joe is going to try to do a demo in real time for you, just a little bit more on what we're doing now. We didn't do that only for hacking games. What we really hope to do is build more crypto stuff to actually make games more secure. We should have a library ready in about 3 or 4 months which will actually help developers to build more secure games, so we don't have to work anymore. And we're also working on trying to detect bots, because I kind of hate when I have a bot in front of me which gathers everything and I have nothing. So let's pray all together to the god of the demo. And who wants to see Cartograph in real time? So Joe, everyone is counting on you, for sure.

Ok, let's see if it works. You hear me ok, but there is no screen on my side. Sorry, technical problem, I see nothing. Ok, so sorry, some technical difficulties. I'm going to show you how to make a map hack on Age of Empires 3, because I'm only using my little MacBook, so I don't have a lot of memory, but it still works and it's still cool. So, just starting a game. Here is Cartograph. So first step, I will just choose a good process, if I find it. Ok, so as you can see in this game there are 235 megabytes of data. So ok, the game is starting. So first step, I will use my back button and I will just scan all of the memory, so I'm acquiring it. Ok, now it's done. I will just, like Eli told you, I'm just making the game play a little, so I'm making my units gather some resources to make the memory, to
make the memory change. So now it's done, I'm going to step 2. So as you can see, at the beginning I was at 235 megabytes, now I only have 196 megabytes, and the first step is the one that will use the most of the memory. So to do that I will just take one of my units and make it discover the map. So like this I will be able to change the map, the structure of the map, and hopefully I will be able to identify it. Let's move a little. So now, like always, clicking, and now as you can see I only have 3 megabytes left, so it's really reduced all of the memory, all of the data I need. So now I just have to let the game play a little more to reduce a little more of the memory left. Ok, enough now; it's pretty quick. And here's the interface for the snapshot manager, and as you can see the snapshot is only 1.8 megabytes. I will use the heat map to visualize it and hopefully find the map. So here's the heat map. So as you can see there's a lot of data left, but not so much; all of the black spots here are compressed memory space that is not really relevant. And here as you can see we can see like 2 maps, the blue one and the brown one, but in fact, because I know this game already, I know that these 2 are only the mini map; they're not the ones I'm interested in. The one I'm interested in should be, I think, this one, like all this color here. It doesn't really look like a map, but when I zoom on it... here I'm just trying to grab the good memory, the good memory addresses. Here it's done; as you can see here I have the memory, the 2 memory addresses I just grabbed, and oh, it isn't working. It's a technical problem; I can't see all my screen, I'm afraid there's some white. And how can I do that? I can do my snapshot, I can access my screen. I will try to change the resolution, just for a minute, just a second, sorry. It's better on my screen. I just have to do the manipulation again. Some technical difficulties, sorry, we'll be back in a few seconds. Oh, you can see, in fact? Oh, perfect. I'm just doing it again. Okay, and somewhere right
here. So you can see this is the part that I wasn't able to see, and this is the most important part, because it's where I write the memory. So here are the 2 addresses I just selected. I do a new snapshot; here it is. And I will use a button that tries to increase the size of the snapshot, just to hold the memory, hold the map. Zoom a little on it, something like that. It looks like gibberish, but if I find a way to align it, I just have to find a good alignment. I'm not sure; this part is one of the hardest, because I have to make it align, and we didn't find a way to make it automatic. Yeah, it looks like a little faster. As you can see, you can see some shape that is trying to appear, and here it is. This map is kind of different from the one that Eli showed you. It's not an additive visibility map; it's a bitmask map. So here's my base. As you can see the values are 0,2, 0,2, and this is my value: the first 2 bytes, the high value, are my actual visibility, and the 2 lower, 0,2, are what I already saw but I can't see anymore. For example, here I can see where my unit was, somewhere here; I was here but I'm not here anymore, so I can just show the game but not the units. So all I have to do, and everything else: the NPC player that has a visibility of 2 is stored in the same map, so their values are 0,1, and here must be my opponent, and his value is 0,4. So everything I have to do is to use a bitmask with this value and put it everywhere on the map. So let's try that. So click on bitmask, and travel you, and I will do this mask. I will try, I will use a thread to be able to rewrite it all the time, to be able to see the map all the time, and space, and along the writing, and hopefully it will work; I will be able to see the game and all the map. So you can see on the mini map nothing changed. It doesn't really look like it. Sorry, I made the same mistake. So here I just wrote the memory I selected, so I just have to select the whole map, sorry. So to do that just click here, give me all the addresses of the map
here and here, change and do the same, write it, and here as you can see on the mini map the units begin to pop. It's not working very well because, as I told you, we can't control the algorithm that makes the game display the map, but we can force it by, for example, changing the resolution of the game; that will force the game to rewrite all of the map. So I just have to change the resolution, and here it is: I can see all the map, and that's it. You can change it in your game if you want; it's bad, don't do that.

So, to conclude, here are the addresses where you can find all of our tutorials and screenshots and keynotes. Let's conclude. So just to let you know, if you didn't follow everything we did in the demo, we spent a lot of time with Joe on a video of about 10 minutes which actually sums up everything we did, so you can have it on video, and we also put the slides online if you want them. Don't hesitate to share them with your friends; they will be happy. And if you have any questions, it's room 106 and we'll be happy to answer your questions, even a little bit more about the tool. If you want to play with it, we'd be happy to show you how it does everything. And thanks for attending our talk, and that's it.
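The snapshot-narrowing procedure the talk describes (keep what did not change while playing without discovering, keep what did change while discovering, drop what changed while playing again), the diff map, and the heat map view can be reproduced offline on constructed data. The following is an added example written for this page, not Cartograph's own code; the process memory, the map offset `MAP_OFFSET`, the 16x16 additive visibility map and the "play" phases are all constructed here, and the `infer_row_stride` helper is a hypothetical automation of the alignment step Joe does by hand in the demo.

```python
"""Snapshot differencing to narrow a memory image to a candidate 2D map.

Constructed example: a small "process memory" holds random noise plus a
16x16 additive visibility map (one byte per square, value = number of
units seeing it).  Four snapshots s0..s3 bracket three play phases.
"""
import random

MEM_SIZE = 4096
MAP_OFFSET = 0x800          # hypothetical, constructed location of the map
MAP_W = MAP_H = 16
MAP_LEN = MAP_W * MAP_H


def make_initial_memory(seed=1):
    """Noise everywhere, undiscovered (all-zero) visibility map at MAP_OFFSET."""
    rng = random.Random(seed)
    mem = bytearray(rng.randrange(256) for _ in range(MEM_SIZE))
    mem[MAP_OFFSET:MAP_OFFSET + MAP_LEN] = bytes(MAP_LEN)
    return mem


def play_without_discovering(mem, rng, writes=600):
    """Phase that touches only unrelated memory (camera, unit creation, zoom)."""
    new = bytearray(mem)
    for _ in range(writes):
        addr = rng.randrange(MEM_SIZE)
        if not MAP_OFFSET <= addr < MAP_OFFSET + MAP_LEN:
            new[addr] = rng.randrange(256)
    return new


def discover_region(mem, x0, y0, x1, y1):
    """Phase that moves one unit over a rectangle: additive map gains +1 per square."""
    new = bytearray(mem)
    for y in range(y0, y1):
        for x in range(x0, x1):
            new[MAP_OFFSET + y * MAP_W + x] += 1
    return new


def changed_addresses(a, b):
    """The diff map: set of addresses whose byte differs between two snapshots."""
    return {i for i in range(len(a)) if a[i] != b[i]}


def narrow(snapshots, expect_change):
    """Intersect/subtract diff maps phase by phase.

    expect_change[k] says whether phase k (between snapshots k and k+1)
    should have modified the structure we are hunting for.
    """
    candidates = set(range(len(snapshots[0])))
    for k, want in enumerate(expect_change):
        changed = changed_addresses(snapshots[k], snapshots[k + 1])
        candidates = candidates & changed if want else candidates - changed
    return candidates


def infer_row_stride(addrs):
    """Guess the 2D row width: distance between starts of contiguous runs."""
    s = sorted(addrs)
    starts = [s[0]] + [s[i] for i in range(1, len(s)) if s[i] != s[i - 1] + 1]
    if len(starts) < 2:
        return None
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    return max(set(gaps), key=gaps.count)


def heat_map(mem, start, length, width, palette=" .:-=+*#%@"):
    """Text heat map: one character per byte, darker character = larger value."""
    rows = []
    for r in range(0, length, width):
        rows.append("".join(palette[min(mem[start + i], len(palette) - 1)]
                            for i in range(r, min(r + width, length))))
    return rows


def run_demo(seed=1):
    rng = random.Random(seed)
    s0 = make_initial_memory(seed)
    s1 = play_without_discovering(s0, rng)   # step 1: keep what did NOT change
    s2 = discover_region(s1, 0, 8, 8, 16)    # step 2: keep what DID change
    s3 = play_without_discovering(s2, rng)   # step 3: keep what did NOT change
    cands = narrow([s0, s1, s2, s3], [False, True, False])
    return cands, s3


if __name__ == "__main__":
    cands, mem = run_demo()
    print(f"{len(cands)} candidate bytes, guessed row stride {infer_row_stride(cands)}")
    print("\n".join(heat_map(mem, MAP_OFFSET, MAP_LEN, MAP_W)))
```

With the constructed phases the three passes shrink 4096 candidate bytes to exactly the 64 squares the unit discovered, the run structure of those addresses gives the row width (16) that the real tool needs you to find by trial and error, and the heat map rows for the discovered quadrant show the tilted-shape effect described in the talk. On a real image the "unrelated" phases are never perfectly clean, which is why the talk describes repeating them until the remaining chunk is small enough to inspect visually.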