So my name is Josh Phillips, I have a surprise guest who did not show up in the schedule, his name is Michael Donnelly, I'll let him introduce himself in a little bit. I don't know what it is but generally I always get the last slot at the conferences I speak at and so hopefully I don't tell everybody too much of a tiring lullaby. Yeah, yeah, okay. I mean there is somebody after us and I feel really bad for him but, you know, what are you going to do? So, let me see if I can check. Okay, there we go. And, okay that's the right slide. Stuff's not working for me. I've heard that all the presenters have been having really bad luck today. No demos are working and stuff like that so hopefully ours will go better. So, about me, in real life I play a malware researcher at Kaspersky. I was also a malware analyst at Microsoft and contrary to popular opinion or what you may find on Wikipedia, Conficker was not German and Dutch slang for ass fucker. It was just a play on words that I managed to come up with. That was my biggest achievement in life so far. Underground, I was a gold farmer, wrote some bots for some games that people might have heard of but I'll let people guess as to what that is because I know what Blizzard does to people. I'll let Mike talk about himself right now. Alright, I'm Mike Donnelly, otherwise known as Mercury. I created the Glider software for World of Warcraft. Sold about $4 million worth of the software. Got sued, lost, I think it even says right on there, badly, lost the $2.5 million in damages, personally liable. Appealed it, got most of it flipped over. But overall the process was, I would say, less than fun. As far as my underground identity, I have none. Once you get sued, everything about you winds up in court record, all your deposition, all your addresses, everything. But on the plus side, I did have a Glider customer bring beer to my house. He looked me up, dropped the beer off and then he posted a message on the Glider forums. 
He said, hey Mercury, go check outside your front door, there's a six pack of beer. That was pretty nice. And there actually was the beer, I'd go through the garage so I didn't see it and I went out and got it. It was only Budweiser, but free beer is free beer. If you're going to get smoked for $6.5 million, at least I got some free beer. Oh and I guess all two of you ladies here, he's single and he used to be rich. Yeah, I am married, but yeah, so I'm not so lucky. So our goal of this talk is to not make anybody like an expert at game hacking. If you came here for that, then we're going to disappoint you. We plan on just giving you some overview. If you don't have any technical skills, we assume you have some to get at least something out of this talk. But if you don't have technical skills, we hope that some of our game hacking war games will be entertaining for you guys. Something I will say is we don't really have any zero days. So if you're looking for zero days, then you're also going to be disappointed. But we don't really feel we need to give any zero days because it's really easy to find them. Every game that's ever released is going to have a buttload of stuff. So here's a nice quote from Sun Tzu and I think Mike has some experience with this. He actually chose to fight. He's actually the only person I know that actually did choose to fight. And I guess you can ask him about how that's going. That could be better. Could be better. Could be worse. Yeah, it could be. So here's a brief legal blurb that Mike has experience with and he's going to talk about that. Yeah, yeah. And one thing I wanted to say is, of course, everybody knows I'm not a lawyer. So I can't give you any legal advice. But I'm a person and I can give you personal advice when it comes to lawyers. And when you get lawyers, you're fucked. If it gets to that point, you're in a lot of trouble. Chances are it's going to end badly. 
A lot of people, such as myself, you might think, well, I've got a good legal theory for what to do. You know, I've got Section 117, owner of a copy. I've got DMCA 1201(f), interoperability. You know, let's go, man. You can't take me down. It's incredibly painful and expensive to get that far. So even if you have winning arguments, the chances that you get there are slim. I'm not saying you should never do anything where you might get sued. I'm saying you need to understand the seriousness of getting sued. It's bad. So you should take steps to avoid it if you have to sell from Nevis or Neptune or the seventh dimension. Try to get away to avoid getting sued because the game companies, if you piss them off, they will show up at your door. That's a good place to be, though. I'm sorry, I didn't hear you. I'm good. So my disclaimer is we're weasels. I guess maybe I'm a weasel. Mike chose to do everything in public. I think that might have been a poor choice. You guys can decide. So the names have been changed to protect the innocent. So why do we hack? I think it's mostly obvious. We want some womens. Did I mention that Mike's single? Come on, man. So really, there's a lot of money in this. Mike made $4 million. My first competitor was making half a million a month. That's pretty real money. Sometimes people might want revenge or cheating, but that's not really important. Kids being kids. Child's play. So raise of hands, who would like to go to this school? I mean, I really wish that this was offered in my college, but it really wasn't. So we're going to get through some tools of the trade. If you don't know any of these, maybe you should start looking at them. So I think most reverse engineers can't live without it. It should be pretty obvious what you do with that. Disassemble some code. OllyDbg. Let me go back. Olly debugger. If you don't know what a debugger is, then you probably shouldn't be here really either. You need a memory, something to search memory. 
Most people use something like ArtMoney or TSearch, something like that. They're pretty popular. 010 Editor. If you are doing anything with file formats, this is like God mode. I think that anybody doing it without 010 Editor is failing. It also helps with packet captures if you want to see what the structure of a packet is. And something that's very important are your custom tools. And once you get serious about game hacking, if you don't have your own scripts for IDA to do all these sorts of magical things, then you are wasting your time. One thing I wanted to add is these are the tools that you're looking at if you're doing something professional. If you're going to build a big piece of software and sell it or run it or take this on as a business, you can do a lot with nothing. You can duplicate items. You can find bugs in games just by being clever and tinkering. So this is, I don't know, pro grade or what you would use to make money. Part of the panel is hacking for fun, so I'm not going to completely focus on profit. Yeah, there's nothing worse than coding up a bot with a bunch of hard-coded offsets and then, you know, the game releases an update and your stuff doesn't work again and then you have to start from pretty much ground zero. That's where your tools come in. So I've got a bit of classification. Basically like some, there's like cheats, bots. I'm not going to go into real detail about the stuff. I'll talk in more detail about it when the stuff comes up later on. There's some really, I guess, motivated individuals who have written, you know, custom clients. One of my competitors in China wrote a custom client for World of Warcraft and pretty much destroyed us. You know, they could run hundreds of clients per computer and it's really hard to compete with that when you can run like three or four. What about, there's one custom client that in particular is funny. Just by raising hands, how many people here have played the game Hellgate London? 
Okay, how many people that have played it were playing it six months later? One? I feel sorry for the people who play it. Well, the reason I mention that is I know a guy that works with World of Warcraft, German guy. And he got the game, he got the Hellgate London beta and he thought it was awesome. So he wrote a clientless bot. He reverse engineered the entire protocol, everything, their key shake or their handshake, all the encryption. He had it ready for game at launch time and then, thousands of hours. Yeah, he's like, man, this is going to be the next WoW. This is going to be the next WoW, yeah. So, you know, if you're writing something for profit, think of it like a business, don't be stupid. Yeah, that was a lot of wasted time. Then there's things like exploits there. They can either be malicious or really get you a giant paycheck. Dupes are, you know, God mode. Asset hacks aren't really worth it for the most part. You know, you can do some like pathfinding if you can reverse engineer the, you know, map formats and other assets. But pathfinding is super hard unless you're going to do something like use Recast Navigation, which is easy mode for solving a really, really tough problem. So this is where we separate the haves from the have nots. People might not be able to follow. Hopefully they can follow. So the skill set that you need, you're probably going to want to at least know x86 assembly. If you don't know that, then you've got a lot to learn. That's going to be a pretty big steep road ahead for you. This stuff isn't really necessary. You can write some like lame pixel reading things. I think somebody presented that a couple of years ago here. It was pretty well attended and I wanted to punch the dudes because it wasn't very cool. Noobs need not apply. So anybody know this guy? His name is Rich Thurman. He was, I think, one of the first guys who actually came public as a gold farmer. This picture is from an IEEE article that they wrote about him. 
Around 2000, 2001, he made over $100,000. That's what he admits. I think he made a little bit more than that. Just doing some hacks for Ultima Online. Basically his tips were play with memory editing, key data structures, and profit. I guess it's up to you. You forgot the question marks in there, yeah. Memory searching is an arcane art, but it's a skill that you definitely need. If you cannot master memory searching for finding things like hit points, etc., it's going to be really difficult to do some static analysis and find these things. I mentioned some games here. I'm sure everybody is familiar with World of Warcraft. Anybody not? Okay, I think everybody is. They're one of the first games to actually use a commodity script engine. Most games make the mistake of rolling their own, but they chose Lua. One of the side effects of Lua is you have this string embedded in your binary that tells you the name of the function. If you ever are reverse engineering code and you want to know, hey, how do I cast a spell in World of Warcraft? I then look for the string like cast spell and it will pretty much instantly take you to where the code is a cast spell. So I'm going to go through a... I was going to add one more thing on the Lua thing. That makes reverse engineering the game incredibly easy. What you can do is you can create a Lua script to do what you want as a test harness to show the spell ID that a unit is casting. Make sure it works. And then you can just load up the game, drop your break point right where the Lua is, hit your test code, step right through it, and just right there on a platter. Yeah, script engines can make things definitely easy mode, reverse engineering. There's really no technical challenge there. So brief history. I'm going to go through some of these things pretty quick. So Ultima Online was probably the first major MMO. 
I think they had around 225,000 users at peak, which is I guess pretty chump change compared to World of Warcraft and I guess even some of the Facebook apps that have like 30 million people. Anybody play like Farmville? No, okay. I don't believe you guys. So Ultima Online, like hackers had a heyday. I mean dupes, cheats, people, you know, see invisible people, walk through walls, etc. World of Warcraft I think definitely deserves a mention here as you know it was the first like super big one that had millions of people. It's not so big compared to some other ones anymore but it's still pretty big. Chinese games are massive compared to WoW, if anybody knows. Yeah, I got news, no Chinese, you're good to go. Yeah, yeah. So the thing about Blizzard though is they do more than just send cease and desists, Mike can attest to that. Most other places just sent cease and desists. Right, right, actually Blizzard doesn't, well sometimes they don't send a C&D at all. They just show up. Like, your lawyer, here's a draft complaint, sign this paper and cut off your thumb or we file this. That's how they work. But World of Warcraft is a big game. There's so much money there that even if you're only getting 1% market penetration it's worth the risk because it is a risk. But if you're going to take a risk it's got to be for a big enough game where you have some kind of profit base. I'd like to add sometimes Blizzard will show up on your doorstep and if you don't happen to have a brother who's in a Polish mafia to chase them out with a baseball bat then you're going to end up like Mike. That really happened by the way. It did really happen, yes. So, also a little bit. Mike, even if your game is really small you can still make a couple grand a month which for a lot of people is worth it, especially Eastern Europe, South America, a couple grand a month is still living like a king. Oh, yeah, absolutely. 
If you just get into it to make, you know, a thousand bucks a month, that's where I started and I thought, hey, this is a mortgage. Yeah, definitely. Car payment. Depends on the car. I mentioned EVE, Darkfall, so EVE was I think the first game to, sorry about the slides, the first game to actually use a commodity script engine, I think they were out before World of Warcraft. You know, the decompiled source of EVE was released. I mentioned Darkfall because it's pretty massive, half a million lines of code. Age of Conan, I think it was a big flop. I think a lot of people were excited about it but the interesting thing here is they left a lot of debug strings. So I wrote a script which searched IDA for something like class name, colon, colon, method name and then I would have my IDA script rename all of the functions in my IDB with, you know, the string so that made it also pretty easy mode. Then you have something like Aion who tries to step up, you know, the barrier to entry for game hacking but they failed pretty miserably. So GameGuard is actually a pretty formidable foe, so is Themida. But if you don't use any of the advanced features of either of these things it's actually still pretty easy to bypass them; with Aion you could, you know, just patch out a call and make it return one and then you defeated their patch guard. Or not their patch guard, their GameGuard, sorry. So this is some, you know, brief overview of like the types of hacks or exploits that have been in games that have been released. Vanguard pretty much sucked, I think Microsoft wasted 50 million dollars on that pile of crap. And I guess that's why they've canceled like three more MMOs. They're probably afraid. So it's like super powers, speed hacks have been around in every game imaginable. They're, you know, still available if you know how to do them in World of Warcraft for example for anybody who's interested. I'll be in the Q&A room. 
2D games like UO or Ultima Online have solved this but 3D games, it's really CPU intensive to track the movement of like 20,000, 30,000 people. So they still really haven't done that great of a job. Yeah, they just trust the client. We all know how smart that is. Yeah, we should anyways. If anybody here trusts the client then you should probably leave. So dupes are like what the Federal Reserve does when they go to the Treasury. They're like, hey, can you print me a million billion dollars? I promise we'll have the American people pay it back. But yeah, that's really how you get rich. I've got a friend who did some hacks and was making, you know, close to a million a month. He at one point had two Lambos, a twin turbo Gallardo and a Murciélago. And now he's stuck with just a lime green Gallardo. I mean I feel sorry for him. One thing on dupes before you go is this is a good display of just some of the tinkering. Like figuring out how to duplicate an object is very much a non-technical thing. It really comes down to finding like an edge condition that the game developers didn't think of. That's how historically they've all been done. So it's not some guy, you know, writing a clever piece of code. It's somebody doing something weird. Like, you know, maybe you're in World of Warcraft and you're crafting an item and while you're casting the craft, you trade one of the ingredients and another player summons you. You know, all these weird conditions that the developer may not have thought of, that's typically how you wind up with a dupe where you either do something that they didn't think of or you can crash like a world server where you could give, you know, Josh my Sword of Epic Ass Pounding and then I crash the game server so my character never got saved and then when I log back in I still have it. But the point is that this is really just tinkering, which all you guys know how to do whether you're, you know, pro reversers or not. 
It's really just tinkering and thinking outside the box. When you see the game, you see it zone or you see a pause and you think, well, what if I'm in the other order to find, but it really just does come down to tinkering. I'd like to add this isn't like real world security research where you find like some bug in like Adobe and then you spend three weeks figuring out how to exploit it and bypass ASLR and DEP. This isn't like that. This is, hmm, I wonder if they check, you know, whether or not I can substitute an ID with, you know, some other random thing or whether I can tell them that I just bought a million, billion things for free. Yeah, so just a bunch of tinkering. So I'm going to talk about some, I guess, more detailed methods of hacking. So like what you would try to do to say write a teleport, et cetera. I'll go over these things in the next few slides. So basically for a teleport hack, you look for the player's position in memory and then you use your memory editor and change that value. And if you're lucky, then you teleport. It's really complex. Yeah, not really. Or you get banned here. Or you get banned or disconnected, yeah. That's in an old game when they've realized that, oh hey, wait, people are going to do that. It's actually really surprising at how naive a lot of game developers are. They generally don't have any clue about making a game that's hard to hack. So you can go into more difficult ways. If your game is more mature, like World of Warcraft, that's had to deal with this stuff for, I guess, seven years and they still haven't done it correctly, then you have to modify movement packets and forge the timing, stuff like that. Yeah, the timestamp. It gets more complex, but it's still doable. Speed hacks. Again, you can get these off the shelf that will work with every game. And if you're lucky, then it still works with your game. And I don't know what squeezing network code means. I didn't write that. That's mine. 
Well, that's actually just what I was talking about with lag hacks. And this still works in World of Warcraft. This works in every game today. Where you can literally unplug your Ethernet cable, move around in the game a little bit. And if you plug it back in before the network decides the TCP connection is dead, then the game client will simply tell the server, oh, here's where I am. It's dealing with their congestion code. They have to accept some latency. So in a lot of situations, you can pull out your Ethernet cable, walk past a monster, and all the logic to have the monster hit you is on the server side. Of course, the server doesn't see you near the monster. Then you plug your Ethernet cable back in. Good to go. You pass the monster without triggering anything. Don't try it on wireless, because when you disable it, it will actually close the TCP connection. But if you can physically interrupt it just by pulling the cable, it actually works. It's ghetto, but it works great. That's pretty high-tech dog. Seriously. Dude, that's kind of lame. I think you're going to mention this, but that was used to get a lot of chests in various dungeons. In World of Warcraft, the five-man dungeons, you could kind of eke your way along deep into a dungeon just by lag hacking past the monsters to get to a chest. You can just loot the chest and exit instance and money. You're lead, dude. That's why there are no more chests in instances anymore. Yeah. Yeah. I know who's responsible for that. So dupes. Anybody don't know what a dupe is? Basically, you duplicate something and you get a million billion of it or something like that. Basically, this is the key to making a lot of money, and this is how my poor friend with the Lamborghinis, this is how he got them. And it took the game that he was targeting almost a year before they figured out how to deal with this stuff. They're like, hmm, I think we have a problem in that gold is really available to everybody now. 
Nobody has to work for it. I wonder what happened. Yeah. Like I said, these game developers are pretty naive. They're like, wow, these guys are good at playing my game. So, a lot of games have multiple servers and things like that. So, you just try to do things back and forth and hope that if you do it fast enough, maybe sometimes the server will lose track of your items and they magically start filling up in your backpack, or in a game where if you can die and your items go on your corpse, you have your friend go loot your corpse before his character is saved and then magically when you guys both log in and the server is up, you each have your items. These are pretty basic. Like we said, tinkering. Sometimes there's no skill involved or maybe just really a lot of creativity. You don't necessarily have to be a god reverse engineer, but it definitely helps. Integer overflow and underflow things are also really awesome. You can get from like zero to unsigned int max pretty easily. That's a pretty big number. Yeah, and that just comes down to tinkering too, where you might take your armor on and off and notice that one of your stats isn't going back the way it should. And these things happened in World of Warcraft. We'd have a guy sitting in Orgrimmar taking his helmet on and off 100 times and then all of a sudden he's got 2 to the 32nd minus 1 strength, and that really did happen. Or maybe he just used like a memory editor and took a screenshot and tried to sell his account, but yeah. My favorite is like GM mode. The company will ship their game out with the ability to reverse engineer and flip a bit and now you're like a GM. You can teleport to people. You can kill things. You got like the commands and whatnot. It's pretty interesting. Or like stealing from NPCs. Age of Conan was one that was really rife with vulnerabilities. You could, for example, kill a GM. I don't think they were very happy. Yeah, yeah, yeah. Well that was the source player ID thing, right? 
Yeah, yeah, you just, you know, tell the game that, yeah, I'm this GM and I just died. Right, yeah, like each packet coming up with all this item and your player ID was in there like kind of like a source address and somehow the game server would believe you if you said you were someone else. You're like no, I'm so and so and I'm selling this. Okay. Yeah, and that's just basic tinkering. Yeah, did I say that game developers are naive? I mean they work hard, but so UI hacks are pretty much worthless unless you want to zoom out really far. That's pretty much what you're going to get from UI hacks. You can get like ghost mode where you can fly around the world and you stay still, but it's not very beneficial. Well, yeah, you can also do the WoW language translation because they had the thing where Alliance players couldn't understand what the Horde players were saying, so that was all client side, so the actual text from the opposing player was sent to the client, it would just choose not to display it. So it's actually a pretty easy hack to see it, but it's not really marketable. I don't know who's going to pay for that. Yeah, good luck selling that, but it's not very powerful. Wow, you can talk to humans if you're an orc. I'm in your base killing your mans. It's dudes. Dudes? No, it's mans. It's mans. I'll look it up later. I don't believe you. I don't believe you. I really don't care. So I guess I'm going to tell you exactly how to write a teleport hack. Okay, I didn't hear you. Whoever that was. So the easy way to do a teleport hack is you're going to have to find the player position in memory. Use WriteProcessMemory to overwrite that, and then you'll teleport. I pretty much said that again, so it's kind of a repeat. You can also, if you know in the code where it's responsible for updating your player's location, you can call out directly with some functions. Is there a teleport spell? 
Maybe there's a Lua function called cast spell, and it takes some parameters like the location you want to teleport to, and the server doesn't verify that you're a mage and you're a warrior and you just cast this spell. That's basic tinkering. It's not going to work today, but that kind of stuff is out there, and poking and prodding at it is actually pretty fun to find. Yes, it definitely worked in some games. The hard way is when you actually have to get down to forging movement packets, and this takes, you have to do some math and figure out how they're sending the updates. You have to reverse engineer the structures for their movement packets, and maybe adjust the timestamp so that you can teleport or run faster. Logic attack, this is what we were talking about in Age of Conan. You could give fall damage to anything in the game, and that's how you killed a GM. You told him that he just had a million fall damage and he would die. That was funny. So this could also be used maliciously in Age of Conan in that you could force somebody else to trade with you and they wouldn't really know that they just traded with you. But you could also force an NPC to trade with you, so it was still useful and not mean. So I don't feel bad stealing from computer characters. I don't think any of you guys should either. They're just digital tears there. They're fine. They're okay. All right, so item dupes, basically exploit, I talked about this earlier. I'll say that server line issues, Age of Conan had some zoning, EverQuest had zoning, Final Fantasy XI had zoning, Ultima Online just had these server lines where if you cast a spell on one side and cross the server line and you were fighting somebody, then you were fucked. Repetition attacks, I talked about, you just basically move things back and forth from say a trade window to your backpack a thousand times a second. I mean, most people should do that right by hand. 
Yeah, and the server eventually loses track of stuff and they start filling up in your backpack. Or maybe everybody knows like Diablo 1 where you just drop an item on the ground, you run up to it, I see some head nods, and you pick the item up really quickly on your cursor and it appears in your backpack and on your cursor, so that's pretty fun. Asset hacking I mentioned is definitely not worth it unless somebody else has published their work for you and you can borrow it. But yeah, so basically what you do here, maybe some people have played World of Warcraft and somebody has magically appeared on your side, what's that called? Battleground. I never actually played World of Warcraft. Yeah, too boring. I'd much rather bot it. Yeah, I should have bought Glider. But yeah, so those people either use teleports to go from one side of the Battleground to the enemy's base and he's in your base killing your mans. Pretty confident it's mans. I'm never wrong. Or maybe he used Noggit and modified the map to have this tunnel so that he could run underground and nobody would know or see him. Maybe you could see his little name on the screen or dot on the screen as he's running there and you're like, wow, where is he? Yeah. But otherwise it's not worth it. They're really complex. Gamehacking 4.20. Real profit is definitely dangerous, a quote from Machiavelli. You can get sued. I think... So you can have a ghetto bot. I think somebody talked about one a couple years ago. I wanted to punch him. It wasn't very interesting. Basically you do pixel reading. There's something with, like, AutoIt. And there's really no RE, reverse engineering, required. You just, like, read that your hit points are red when they're full and they're not red when you're dying and you make it send some keystrokes. It's very limited scope but most likely you're not going to get detected and detection is something that is not your friend. 
Actually, real quick, just by show of hands, does anybody know why detection is so bad? I mean, you all understand this, right? I don't want to gloss over client-side detection. Everybody appears very wise in regards to detection. We don't really care about what you say. We can't really hear you. I'll go over just real quick. Obviously the game manufacturers don't like everything we're talking about, hence the lawsuits. So what they do is they try to detect your software in the game and if they do, then they ban you. If you're just doing this for fun, it's, you know, hacking around, tinkering, you lose your game account, it's not a big deal. If you have 100,000 customers, it is a big deal because then all your customers are banned and then you're fucked. So avoiding detection is really important. We're going to get into that a lot more later, but client-side detection of your software is very important. Also, I'll say does anybody ever wonder why, you know, it takes like three months for a ban wave to happen? That's because when you ban like 50,000 accounts every week then those people who are re-buying those 50,000 accounts never actually re-buy them again because it gets expensive. But if you do it every three months or every four months they will actually go buy the accounts back so it's actually, you know, profitable for, you know, the game company to say, oh hey, let's, you know, we've detected these guys ever since they, you know, turned on Glider, but we're not going to detect them yet because we know that if we ban them too soon they won't give us 50 more dollars. That's true. So we got some code injection. It's basically you inject some assembly code to do some small thing like maybe some crappy RPC thing, a remote procedure call. Your attack surface is a little bit higher. 
I mean you can really easily detect that and then you have something like DLL injection where you've got some pretty big blob of code written in a high-level language, like C or C++ and it's really easy to detect that and so you get into this game where now you write this, you know, DLL loader that fixes all your imports and stuff like that and it gets really complex and you're still pretty easy to detect. Or you can go to the network or packet level and do some really good work like reverse engineering the network protocol which is very time consuming. I think there are very few games or maybe there's a lot of games that have complete, you know, analysis on this. But it's still not easy to do. Or you can go write your custom client if you think that you're really good. Not many people think that they're that good. It takes a lot of time. He thinks he's that good. Oh, the guy leaving? No, no, no, no. Oh, damn. I didn't think I was that boring. Sorry, guys. But if you write a custom client, if you're at that level, then you're probably going to make a lot of money. Like the guys that destroyed me, I think they were probably making at least a couple hundred grand a month. And writing a custom client isn't something you're going to sell. This is, you know, gold farming, real money. So you're writing a custom client so that you can have your partner run 10 million instances of the game on a server farm. If you don't have a custom client, that's way too much 3D rendering. But if you can just take the game out of the equation, I just don't render anything. So it's all a matter of scale for gold farming at this point. You go from like two or three clients per computer to two or 300. So it's pretty big scaling. And stuff, this stuff gets difficult sometimes. I can't emphasize enough that it's very important to not be detected, as in you lose. Alright, yeah. What I want to talk about on this is not so much the technical aspects of detection but how you approach this strategically. 
This isn't in the book on MMO hacking. I think there's a book. Yeah, one of my friends wrote it. Yeah, I think it was written by the guy that was eliminated by the first. Something like that. So this isn't in the book, but strategically what you're looking at is you have two main things to worry about with your software. You have the attack surface, which is how hard your software is to detect. And that's going to work in a couple of ways, because it also is going to make detection code bigger. Secondarily, you have what I'm just calling intelligence, which is how much of what they're doing you know. If you don't know what they're doing, if you don't know how any of it works, how are you going to keep from being detected? And they work together, such that if your attack surface is very big, it's going to be really hard to tell what they're doing, because the effort that they have to take is so minimal. If they can write one line of code to detect your bot, you're never going to find it when they do. I don't show that code yet. Alright. Sorry.

The only other thing with attack surface is that of course that's a constraint on your features. So when you think of something really cool like, I'm going to have my bot react within 2 milliseconds every time a monster does something, you might be setting yourself up for some detection. So that's a decision you have to make when you're choosing your features and handling what your customers are asking for: do I want to risk increasing my attack surface by adding this? Not yet.

The next slide, I want to talk about something that happened with me and another software developer with World of Warcraft. This guy, we'll call him, we'll call the software interspace because that's what it was.
It worked by injecting a DLL into the game, which is pretty big, but the guy that wrote it is a very competent reverse engineer, so he had taken all of Blizzard's detection code in Warden and he had it wired up as soon as they sent it down, 15 million breakpoints, and it was pretty neat stuff. But he still had a DLL in memory, which he tried to obfuscate, and more importantly he had to patch one of Blizzard's functions, so he'd go to the beginning of the function and just stick a far jump in there, and he's like, well, I got Warden covered, so they're not going to find it.

Are you ready for the code yet? Okay, I'm ready for the code. Can you zoom in on just the top function? I'm trying. Oh, you had a pretty... No, no. Thanks, Josh. Wow, dude. Look, we all have that fixation, right? I think some of us do.

Alright, so this is an example. This is a piece of code that would be inside the game. This is not actually from World of Warcraft because... He's being sued by Blizzard. Right, I don't think it would be a good idea to post that, and I would just be posting a dead listing from IDA, and that's not fun to look at. There's a piece of code here that the game uses to request, say, your buddy list. And as you can see, it has a parameter, an optional parameter we never used before, and it takes a packet number, the command number, B-O-O-B, hey, what are you going to do? It sticks that optional parameter in there and sends it up to the server. Pretty simple stuff. So the way that code used to get called, scroll it down a little bit to the two-line comment, as you can see where it says old code, ask for buddy list, just passing zero for the optional parameter we never used before. So one day Blizzard says, you know what, we're going to get this guy, we're going to find his patched function, and they changed that call to the little sample code there. This is again slightly paraphrased.
They load up a register and then do some math on it so that IDA won't see another reference to that function. Reach into the function that's being patched, pull the first byte of their own code, and send that as the optional parameter we never used before. So what this is doing is just sending out one byte of their own code every time they make that request. And of course on the server side, they just comb through it, find the E9, gone. What's interesting is in the software here, you don't see anything like, if this guy is a bot, you can grab this byte and send it up. And it's a tiny piece of code, and it doesn't even change the underlying network code. There's no new parameters, no new nothing else. The only way you would find this is if you were somehow watching that data going out and say, well, it used to always be zero. Now it's E9, that can't be good. That's a far jump.

So when they did this, he lost all his customers. They waited a few weeks, because Lex hated me, but I'm pretty confident he lost a pretty hefty chunk of change. Yeah, I don't know how he did business, but hopefully he did okay. But they did this, they just hammered him again and again with this. And I found this way after the fact. And as far as I can tell, he never found it. But it's a good explanation of how much your attack surface matters. I mean, patching one function turned into this.

All right, now I'm ready for the next slide. The point is that if you think you know where all the detection code is, there's always a chance it's not where you think it is. In the case of Blizzard, they had never put detection code outside of Warden. They kept everything in this nice bucket, hide from me in Warden, and then they wised up and said, well, just stick a little tiny code here. Pow. So it's incredibly important, A, to stay hard to detect, because if they had to make a new call, maybe he's running a private API monitor, not that I ever did that, and he would see a new kernel call.
But because they can just get him with one move, poof. So it's really important to stay small, and it's really important to keep an eye on what they're doing. Building tools to monitor their systems, building tools to monitor what the data stream is supposed to look like, and then if it smells funny, maybe you have a problem. With Glider, we actually had tools that would page us. And that, you know, it didn't look good. It would actually page me. So Warden's supposed to have eight entry points. Oh, now it's got nine in the vtable. It would page me and I'd run down to the office and freak out. When he's wasted. Right. Well, I can always just turn off Glider. I'm too drunk to fix it. Glider's off for a while. So there's always a way out. But it does come down to, you can't do that. I think we've both had a couple of all-nighters, 36-hour shifts trying to find out what they're doing.

Oh, yeah, there's the Rickroll too, but I'll say that. Oh, yeah, definitely. You got to tell them about the Rickroll. Yeah, you can do it now. All right. We'll try not to bore you guys too much. At one point, Blizzard updated Warden and they added a new scan. And the way the scan worked is it would take an encrypted string inside Warden, and it would decrypt the string, and then it would call GetProcAddress on kernel32. If I'm losing you, don't worry, it gets funny. And they would take whatever that string was, and if it resolved to a function, you know, one that GetProcAddress liked, they would just call it with no parameters. So I was looking at this code, and the game is down for a patch, so I can't see, I don't have the key to see what it's going to decrypt to. And I'm looking at it, and I'm like, well, what are they going to do? What are the parameters? What's the point? And of course, if the GetProcAddress fails, then it just does nothing.
So I sat there looking at it for hours, and I was talking to the Hellgate: London smart guy, and we couldn't figure it out, and so I'm like, well, let's just bring it up. So we bring it up, stick some breakpoints in, and they send the key down right away. I'm like, oh, here's the key. Let's see what the string is. So you see it, it decrypts it, and it's a URL. All right, so they pass the YouTube URL to GetProcAddress. GetProcAddress says no, and nothing happens. So of course, I'm like, I got it, no. So I paste it in a browser, and it's fucking Rickroll. Like, they Rickrolled me, and I don't know how many people they got, not many. We're at five? Yeah, bro, I think you got worked up pretty well. We're almost done. Anyway, that was epic, and it was really well done. So that's all I got to say. That is the most epic Rickroll ever. Yeah, I think so.

Oh yeah, we are pretty much done, aren't we? I don't know if we're going to make it through in five minutes, though, but we'll try. So I'll go quick. So there are some client-side things that can be pretty powerful. They can use packers like Themida, obfusc... I won't say that word. Obfuscation. Thank you very much. Oh, dudes. Yeah, the biggest thing that you have to worry about if you're really professional in this is server-side data mining. Some analyst at Blizzard gave us a really big bone and was like, hey man, this is how I detect people. I just write some SQL queries and I walk in the next morning and I ban people. And we're like, well, thanks for telling us that. I mean, now we can modify our stuff, but I don't think he realized; I think he was just trying to be cool. So you have things that are both client- and server-side, and basically what these things are like is the command and control things that botnets use. You send your game client, in this case 10 million World of Warcraft customers, this blob of code that they're going to execute and trust on their machine.
Oh yeah, this is like a botnet and malware to detect a bot. Yeah, it's pretty funny. A little irony there. Yes. So, PunkBuster... I won't go through... Well, I'll go through this story. So, PunkBuster basically looked for strings to ban people. I mean, they could be strings or they could just be some binary data. A lot of the times they would be strings, like a window name. And this group discovered that. And they're like, hey, I don't like this clan that always beats me. And so what I'm going to do is I'm going to go into their IRC channel and I'm going to send some strings to all of their members. And then I'm going to go back in game and watch them all get banned for cheating. That worked, yeah. Of course, PunkBuster was like, no, no, that's not how it works, but it really worked that way. Yeah.

Yeah, I just skipped to the D3. Well, this is where you get into money. If you're not an expert by now, I hope you guys are all experts. Then... Yeah, we're going to skip this a little bit. We've got two minutes, I think. Yeah, there's one thing that came under development before. Oh, yeah. Yeah, this one. This was released last week. This is Diablo 3. This is the Diablo 3 auction house. How many of you guys have seen the news about the RMT? Yeah, a bunch of you have. There it is. That's a dollar sign. That's a dollar sign. That's Blizzard endorsing you selling items for money. So you can wire up a third-party payment system to your Blizzard Battle.net account. And you can sell that sort of epic ass pounding that you made for real money. Or you can buy gold, you can sell gold. You're not going to have to compete with me because I'm done with Blizzard, but this is very interesting. Yes, very interesting.

So we'd like to thank all of our friends in Poland, Germany, New Zealand, and Australia. They couldn't be here. It's really expensive for them to all fly. They'd probably get arrested anyway. Yeah. So we've got, I guess, time for some questions, maybe? No. All right.
Well, we're going to be in the Q&A. Hey, thanks for coming out, man. Welcome to DEF CON.
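The "one byte of their own code" probe from the World of Warcraft story in the talk, reconstructed as an added example. This is not code from the talk, from Blizzard, or from any bot; it is a model of the mechanic. Byte buffers stand in for the live request handler and for the bot's detour so that nothing here touches executable memory, the host is assumed to be little-endian, and the hook opcodes other than 0xE9 (the rel32 JMP the speakers call a "far jump") are my own additions for breadth. It shows the three parts the story describes: the bot's inline patch, the client-side read of the first byte smuggled into an existing packet field, and the server-side sweep that combs the reported bytes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* What the server concludes about one reported byte. */
enum byte_verdict { BYTE_CLEAN = 0, BYTE_HOOK_OPCODE = 1, BYTE_UNEXPECTED = 2 };

/* Opcodes that commonly sit at the first byte of an inline-hooked x86 function.
 * 0xE9 is the byte from the talk; the others are assumptions added here. */
static int is_hook_opcode(uint8_t b) {
    switch (b) {
    case 0xE9: /* JMP rel32 */
    case 0xE8: /* CALL rel32 */
    case 0x68: /* PUSH imm32, usually followed by RET (push/ret trampoline) */
    case 0xCC: /* INT3 (debugger-assisted hook) */
    case 0xFF: /* JMP/CALL [mem] */
        return 1;
    default:
        return 0;
    }
}

/* Constructed stand-in for the game's request handler: a typical 32-bit
 * prologue (push ebp; mov ebp,esp; sub esp,0x10) plus NOP padding. It is data,
 * not code, so the example runs without modifying live .text. */
uint8_t g_handler[16] = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x90, 0x90 };
/* Constructed stand-in for the bot's detour function. */
uint8_t g_detour[16]  = { 0x55, 0x8B, 0xEC, 0x90 };

/* Bot side: overwrite the first five bytes of fn with JMP rel32 to detour.
 * The displacement is relative to the end of the 5-byte instruction.
 * Returns the displacement written. */
int32_t install_jmp_hook(uint8_t *fn, const uint8_t *detour) {
    int32_t rel = (int32_t)((intptr_t)detour - ((intptr_t)fn + 5));
    fn[0] = 0xE9;
    memcpy(fn + 1, &rel, sizeof rel); /* little-endian host assumed */
    return rel;
}

/* Analyst side: decode where an E9 at fn points. */
const uint8_t *decode_jmp_target(const uint8_t *fn) {
    int32_t rel;
    memcpy(&rel, fn + 1, sizeof rel);
    return (const uint8_t *)((intptr_t)fn + 5 + rel);
}

/* Client side: the whole probe. The "optional parameter we never used" now
 * carries the first byte of the client's own code instead of zero. */
uint8_t probe_first_byte(const uint8_t *fn) { return fn[0]; }

/* Server side: judge one reported byte against what the shipped build
 * actually starts with. Comparing to the real byte, not just grepping for
 * E9, also catches detours that use a different first opcode. */
enum byte_verdict classify_byte(uint8_t reported, uint8_t expected) {
    if (reported == expected) return BYTE_CLEAN;
    return is_hook_opcode(reported) ? BYTE_HOOK_OPCODE : BYTE_UNEXPECTED;
}

/* Server side: comb one session's reported bytes, count the non-clean ones. */
size_t sweep_session(const uint8_t *reported, size_t n, uint8_t expected) {
    size_t flagged = 0;
    for (size_t i = 0; i < n; i++)
        if (classify_byte(reported[i], expected) != BYTE_CLEAN) flagged++;
    return flagged;
}

int main(void) {
    uint8_t expected = probe_first_byte(g_handler); /* 0x55 in the clean build */
    uint8_t session[8];
    size_t n = 0;

    /* Three requests before the bot loads, five after it patches the handler. */
    for (int i = 0; i < 3; i++) session[n++] = probe_first_byte(g_handler);
    install_jmp_hook(g_handler, g_detour);
    for (int i = 0; i < 5; i++) session[n++] = probe_first_byte(g_handler);

    printf("hook at %p jumps to %p (detour at %p)\n", (void *)g_handler,
           (const void *)decode_jmp_target(g_handler), (void *)g_detour);
    printf("%zu of %zu requests flagged\n", sweep_session(session, n, expected), n);
    return 0;
}
```

Two practitioner caveats the story implies. On the defender's side, the expected byte must come from the exact shipped build: an optimizer can legitimately emit a tail-call JMP as the first instruction of a function, so a bare "is it E9" rule produces false positives, which is why the sweep above compares against the known-good byte first. On the bot's side, the probe rides in a field that already existed, so the only signal is a change in outbound packet contents; baselining what each field normally carries and alerting when a constant field stops being constant is the kind of monitoring the speakers describe building.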