So here's the deal. This is Logan. Everybody say hi, Logan. Hi, Logan. So Logan's been to how many DEF CONs? Two. Two. This is your second. Second. So one and a third. Yes. Logan's never spoken at DEF CON, so he's a DEF CON virgin speaker. And we'll have to... Yeah, we'll be gentle. So here's the deal. You used to come to DEF CON and when we gave a talk, people in the audience were downright belligerent. They were usually very drunk. Some of you may still be drunk but aren't nearly belligerent enough in my humble opinion. No offense to the goons who are trying to control this place. There you go. So what I really want is a proper DEF CON greeting for Logan, which is a big fuck you, Logan. All in unison. One, two, three. Fuck you, Logan. There we go. Welcome to DEF CON. Thank you very much. Yeah, no pressure. So you're going to stand for the whole thing or... Eventually. Just wait till the target's off your body. Painted it right there so you know where to aim.

Anyway, so I normally start most of my talks with the same random thing, which is don't believe all the random shit that you hear when you come to a conference. And the same is true now. I think more than ever, DEF CON has become almost polite at times. We queue like the British. We all stand politely in line with our tea and wait to get into a room. Then they switch the rooms and we swear under our breath and then we scurry off into other rooms or whatever. But honestly, you know, the undertone of the whole thing is the same, right? It's all about attacking, offense, owning computers, defending computers, all that kind of stuff. People that get on stage, I've said it a million times. Your ability to stand on stage here to talk like this is just a testament to your ability to socially engineer your way past the paper submission people, right? Like, I wrote a book, or I started writing a book and somebody had to pick up the pieces at the end. I wanted to do a book and I thought, I'll do wireless security.
I don't know dick about it. And I wrote up a little proposal, sent it to O'Reilly and two weeks later they FedExed me a contract and I signed it and I was suddenly an author. And I thought, well, I should buy some wireless cards and figure out how to secure these things. Not a joke. This is really how it happened. There wasn't a lot of due diligence involved in the entire process. So I missed the flash and everything that was just retarded.

So, alright, here's the deal. Oh, that one doesn't make noise. Gaming is big. We're going to talk about computer games. You know, it's funny because I wasted the last two years of my life probably playing Team Fortress way more than I should have. How many people have played Team Fortress? How many people have played in the Team Fortress tournament that we have? How many people knew there was a Team Fortress tournament? Yeah, handful, yeah. Lots of random questions. How many people have social security numbers? It starts with two. Anyway, so I encourage you, if you haven't played the Team Fortress tournament, even if you're not a gamer, please come by because we really put a lot of effort into it. We built a just big-ass crate. It was 1100 pounds of gear that we shipped from Maryland to come to Vegas. We wrote a custom, or I didn't, these guys, Logan and a couple other guys wrote a custom scoreboard with Flex and Python and much other stuff to score it. We got real-time video. And it's just kind of comical to watch because a lot of people playing have never played and they suck. And so you can watch the real-time video and their heads blow up into a billion little pieces and we all giggle. It's great. Anyway, when we were thinking about what we wanted to do for DEF CON, we said, well, why don't we do something about gaming? You know, we're not in the game industry. That's not our native thing, but we do play a lot of video games. So by default, that makes us an expert. I know how to configure a firewall.
Therefore, I'm a security expert. Ooh, sorry. So gaming is a big industry. I don't need to go into it too much. Oh, there's a few of those, by the way. They originally were every slide, but it was decided that it might have been a little excessive. So that was every other slide. So at the end, we'll vote. Was it excessive, all the Unreal and Quake noises that you'll hear? And I hope to sincerely, it wasn't excessive because I really enjoy it and I giggle every time I do this. Anyway, this is just a number of concurrent Steam users each night. You know, I got two million people online. It's a big business. Fortunately, it's not a big enough business for Black Hat. We were rejected. This talk was rejected because, quote, it wasn't business enough. So a $47 billion industry does not, you know, apparently make a business. So we're here instead talking to Black, or DEF CON, bringing our A game, right? Woo, yes. Yes. And by yes, we should preface this by saying we started setting up the Team Fortress 2 tournament yesterday morning. We started the first match at 1:00. And what really happened was 1:30. He was still writing code, actually, for the scoreboard and everything. Today at 1:30, he continued to write code until I said, hey, dude, we have a talk to give in an hour and a half. And he hasn't actually looked at the slides yet. So you should probably stop coding. So anyway, we've been really wrapped up with the TF2 tourney. So I apologize if this is a little rough around the edges. Monster kill. So, you know, have some levity with that.

Here's the deal. Gaming, again, you know, I wasn't trying to rag on Black Hat, but seriously, people don't view gaming as a business. They don't view it as something that warrants serious discussion, right? Although, arguably, everybody in this room plays video games. You all know 100 people that play video games. It's obviously a billion-dollar, multi-billion-dollar industry. But when we talk about gaming, we talk about reviews of video games.
We talk about industry analysts, you know, who's buying who and, you know, what development studios are doing what and what now. But we don't really talk about the security much, right? We don't talk about the security of game servers or anything of that nature. We talk about it when there's money to be gained or while it's involved, apparently, and then two edge cases there. Maybe potentially the same edge case. You know, how do you farm more efficiently and can you get people to do it and make money? Yes, okay, then we're going to care about cheating. But in general, cheating is just kind of marginalized and game server security is kind of marginalized. It's something that, you know, it's just the really geeky people because, apparently, video gamers make computer security people look like normal, well-adjusted suit-wearing types. Yes, they do. We all know, I love reading the Penny Arcade comics when they're like, you know, when you have online games and anonymity it results in, you know, complete fucktards. You know, people that just leave all etiquette at the door and that's, apparently, the gaming community. What we're trying to do here is have a start, well, there's some people that are having kind of public discussions about cheating and game server security. We're trying to help contribute to that community and also hopefully open the eyes of people that are here to, you know, what's possible, what people are doing with respect to gaming security and cheating. People play a lot of different games. What we're really going to talk about, we're kind of short on time, so I'm going to... Holy shit, shit, shit, shit. That one's got a three? Well, it's every other slide, so that would be how many slides? Four. Jesus Christ. Yeah, there's a schmooble, all right. You missed, you were aiming for that guy. God. I have the hard hat on though, so I can just kind of talk and cover. 
For the rest of this talk, what we're really going to focus on is the Source dedicated server that Valve's released. Source has an interesting past. It's a platform that not only supports, you know, Valve's needs, but unlike a lot of other gaming engines, it's very customizable. It's very open and they encourage people to, you know, extend it and do things with it. There's a huge number of Source servers deployed worldwide. The real reason we're talking about Source is not because it's fantastically interesting, but we all play a lot of TF2, so it's what we know. It's what we're familiar with. It's what we administer every day. Source server and most of the other gaming servers have this fantastically interesting problem, which is that you've got people on machines of all shapes and sizes with connections to networks of all shapes and sizes trying to play what boils down to a fair game, right? We're all trying to have a reasonable experience. It doesn't matter if you're on a P4 1.6 gigahertz on the ass end of a 256K DSL line or you're on a FiOS line with an overclocked i7, right? They want it to be fair and they want it to be enjoyable, and it turns out that's actually a really hard math problem. There's an awful lot of complexity. Holy shit! They're applauding for it over next door, yeah. They think something else is going on over here. So, you know, it's a fantastically complex piece of software because you have to provide basically real-time services on a non-real-time operating system. So, and speaking of non-real-time, we run ours on CentOS, which I don't know if you've noticed, it's had a little bit of an issue lately. The main maintainer's kind of gone AWOL and all the developers on the main centos.org page have posted an open letter of why this guy's an ass hat, and then there's like a little FAQ on the side like, no, CentOS isn't going away. That guy's just a jerk, which is not something you want on an operating system, like on the main page.
Imagine going to Novell and seeing it on their main page. It's like, oh, the CEO's a dick, you know? Let me install that. Where are the disks? Bring it on. So, you know, Linux by nature is not an RTOS, you know, it's not real-time, but these game servers have to somehow make these operating systems behave appropriately. They have to deal with all the data coming to and from the clients and basically make a fair game. So, you know, they control cheating and all this other crap. Really, it's an amazing piece of software that you get for free to run a server and do your own thing. And people give Valve untold amounts of shit for it. Like, I don't know how many people, who here administers Source servers? Anybody? A handful? Got some of the Source admin mailing lists? Like, people, I mean, there's public mailing lists on there, people just slagging on Valve all the time. I'm like, are you serious? Like, these guys give you, you know, millions of lines of code for free to do this stuff and form your own communities two years after it was created and people, they still support the game. They're still adding new pieces. You know, most games that you buy, you're lucky if you get a patch when it's broken, right? Valve still supports the thing, it still adds functionality. So, God bless Valve. Yay, yay. I want to throw that in in case any of their lawyers get upset about this talk. I find it's always nice to stock them up first. And so, by this time, the lawyers are kind of tuning out. Like, oh, they're speaking nice about us. Hit stop.

So, I found out after the fact, and I'll admit to being kind of an idiot here, that when we first started, we first started looking into this, we were like, well, it's a lot of binary, man. So, I guess we're going to just have to disassemble and reverse engineer this thing, and it's big. I mean, a lot of libraries get hooked, all kinds of crazy shit happens.
So, we've got debuggers running, and I'm trying to just get a high-level view of the code, and what's doing what? He's like, dude, you know if you go into Steam, you can just download the source code. That's why I had the debugger open. Shit. Yeah, just because I can't doesn't mean that I should. Absolutely. We wasted a fair bit of time, because they had like anti-debugging stuff in there, subverting that, moving it away. It was ridiculous. Anyway, what's interesting is all the code base that they exposed are like the game rules, object interaction, that kind of thing. So, you basically build your own video game out of the source engine, which is really interesting. We release the source code for the stuff that we would actually care about. So, there's stuff that happens where you're doing something with an object in the game, and in a nutshell, what happens is that data about what you've done to manipulate it, as an example, will get serialized and sent across the network to the server, or the server will take and serialize something and send it to the clients, vectors of who's moving where, and all this kind of stuff, but it's all just a bit stream, right? So, what happens is in the source code you have the network, and then you just call this magical function, and that magical function only exists in object code. That source code doesn't exist, and we discovered that after digging through many, many lines of source code, so then we went back to where we started, and by that point, we had to get ready for the TF2 tournament, and didn't make as much progress as we wanted to, because, basically, we're idiots. Head nodding. He doesn't want to use the mic. He's like, yep, we're dicks. Anyway, head shot. That one's not really important. Pong, I love this thing. Pong, why was Pong successful? Because everyone could grasp the concept, and in eight words in the front, avoid missing the ball for high score and insert coin. That was the entire premise, right? 
Not complicated. Even drunk people in a bar could put a quarter in and play. Even drunk people in a bar can play TF2. Why? There's two colors, right? If you're on the blue team, you kill the red team. It doesn't matter. That game's fun because people blow up, right? You find people with the opposite color of you, you blow them up. Start calling them names and whatever. There's also some fantastic work that they did on the art direction, and if you want to grab this talk later, just for that URL alone at the bottom, it's like a two-hour long discussion on the palette choices and all the weird rendering stuff they had to do to get the feeling for the kind of 50s style cartoony bits of TF2 that they wanted to get. They put a lot of effort in the game. I have a lot of respect for them. I sound like an Apple fanboy, except I'm a Valve fanboy right now. This is not important. There's a lot more... Impressive. Thank you. A lot more slides.

The server has remote administration, like SSH except non-encrypted. Basically, it's just remote console commands. You send a password and the command that you want and it changes it. This is everything from changing levels to low-level rate manipulation to enabling cheats and doing all kinds of other stuff. It's just wide open. There's also rate limiting that you can do because they know it's unencrypted. They know it's difficult to control. They try to rate limit how often you can connect. They have this nasty history of having bugs that if you try to connect to the RCON console too many times, it just crashes the server anyway. It's a cute DoS. I think it's one of their favorites, apparently. The one thing about RCON access is it's damn near equivalent to shell access. You can save files wherever you have access to save files in the file system. If you get really cute, you can execute code even.
Your RCON password is like any other password, or really bad thing, but it's amazing there are places you go online where you read about game servers and people are having permissions problems. You know what the answer is? Running as root! I'm a big fan of running as root. Real men run as root. Chuck Norris ran as root. I'm a big fan of that, but when it comes to millions of lines of random gaming code, maybe a jail is a prudent thing. Just a hunch.

Anyway, they have plugins too. This is actually kind of neat. If you want to interact with the engine directly, you can write plugins that hook all these public APIs that they have. The problem is some of the APIs are pretty complex. People have written abstraction layers to allow lay people to write reasonable plugins to do total gameplay modifications or just administrative functions or something like that. A real popular one that we use and we're using on the server in the TF2 room is MetaMod with SourceMod. And again, this is layers of abstraction on top of APIs. Again, we didn't do a lot of research into this, but one can assume when you start abstracting things like that there's a long history in the security community of shit going wrong. Security issues with MetaMod and SourceMod and people enabling things that they shouldn't and things being opened that they shouldn't and things of that nature. It's a big extensible system is the lesson of the story and what it results in is why we're all here. The female ones are better than male ones in my humble opinion. Always. It's cheating. That's pretty much the big focus that we're going to talk about today is actually trying to control cheating. There's ways to cheat that are idiotically simple and there's ways to cheat that are fantastically interesting and would make for actually probably a good Black Hat talk. Someone should submit something. Haha. Yeah, oh, hey, I'm sorry. I did make an assumption there, sir. No, it's a good DEF CON talk. You're correct. Damn it.
Wow, that was bad. I missed that by like a foot. You can just replace sound files on the computer to have different effects. You would think, what difference does a sound file make? Well, there's a class in Team Fortress 2. How many people have actually played TF2? I'm sorry, raise your hands. Holy shit, a lot of people. In general, for those that haven't, there's nine classes in TF2 and they all have different capabilities. One of them's the spy. The spy can become invisible and sneak up behind you and then become visible as a team member and there's no, oops, I didn't kill you because I didn't stab you hard enough. It's an instant death, so they're really assholes. And so anything that you can do to prevent the spy from being an asshole is viewed in general as a plus, except for the people that are playing spy. So what you can do is they make little subtle noises when they un-cloak. And so here's the spy un-cloaking. Is that playing? No. There we go. And so listen very carefully. Hear that whoosh? That was un-cloaking. And then you die. Right? So that's, and when you're in a game with 24 people and there's stuff blowing up around you, you don't hear a little whoosh. You know, that's not a fanciful sound. You just get stabbed in the back. Thank you. Here we go. So this is with a slightly different sound to give the player a little bit of an advantage. You'll hear the whoosh. Here it comes. There we go. And then here's the new sound. Scatman. Scatman. Scatman. Scatman. Scatman. So that one is, and it's funny because I gave this talk at Notacon, not this talk, but kind of a variant of it that was focused more on administration. And I had made this demo on my main gaming rig, but I left that sound in. That sound down forever. And some dude called me on it on some server the other day. He's like, gdead, you have really good hearing. I'm like, yes, that's exactly it. Shit. I'm that guy.

Other things you can do. There are certain materials that will show through walls.
I've made some maps just to play around. You can make maps through the editor. And my kids actually made a map on the map, and you can see the decals all the way through the entire level, regardless if there's a wall in front of you. And they loved it. There's decals everywhere. You have no idea how far away they are because they're at a wall that's 100 feet away. It's just bouncing into things because all you see is these decals that go through. Certain materials will show through walls and things of that nature. Here's a demo of certain materials say people's clothing which, let's just say, gives you a little advantage. This guy's on the blue team. He sees red people coming down this hallway to his right, knows who in the class they are, knows how many they are, sees them completely. This is just fantastic bounce of information. This guy knows where everybody is on the other team. So he dies, sees all his own team members through walls, runs across these people all over the place. This is an obvious kind of cheat. It's just carnage. Anyway, there's nothing really funny about this except for the fact this guy just mows everyone down. You notice their heads are a different color? Because you can actually look and get to this, their bots that you can have that will focus on certain colors that are on the screen and when the bot sees that pink color it just aimed there for you. So, yeah, it turns out it's really useful. Combinating! Whoa, that was loud! Shit, that's funny. That's getting funnier, that's the part I love. So, how do you stop this? I mean, seriously, it's child's play but it completely changes the nature of the game, right? Like, when you're playing on a server, I've been on servers where I've had either a bad day or some guy was really cheating and it's not fun. Like, honest to God, and when games stop being fun, people stop playing them, people stop buying them and game companies lose money, right? 
There are lots of games who started out kind of fun but for whatever reason people just didn't get into it or there was a lot of cheating in Unreal Tournament. Yes, yeah, UT. Yeah, my favorite thing about UT, how many people play Unreal Tournament? You know, and they have the bots. Okay, how many people have seen the Penny Arcade comic where, like, dude doesn't realize that they're bots and is talking with them and, like, talking smack to them and whatever? I first got Unreal Tournament. I did that. I was on a server and I've, like, beaten the hell out of these guys and suddenly some dude joins and I'm, like, chatting and whatever and he's like, guy, those are all bots. I'm, like, really? I've been here for an hour. And then I read that Penny Arcade and I'm, like, Jesus, apparently this is like an endemic problem, you know?

Anyway, so how do you control this? So the server can implement this thing called sv_pure, so there's all these variables that get set with the server that control how the server acts, and this one, sv_pure, basically is a way that Valve tries to control these client-side cheats, these really simple, highly effective cheating mechanisms. By default, sv_pure is zero. You turn it to one and it scans for some sounds, some models and things, you know, basically the stuff that I showed you would be caught with sv_pure 1. Some custom content is allowed, so people can use sprays, like little things, images that they can put on walls and stuff to say, like, their clan was here or whatever. And custom materials, certain things can be whitelisted on the server side. So this is a real flexible way to control that. sv_pure 2 is basically, I'm going to scan what you possibly could change, and if you did change it, then I'm not going to allow you to join the server. There's a couple of problems with this. One, it increases load time, right? It's basically an antivirus scan. It's chugging along. And it's already, I mean, seriously, it takes a while to load TF2.
Like, no screwing around, a lot of these Source-based games take a long time to load. I've got an SSD at home that I use basically just for loading TF2. It's fast. And I get really pissed off when I get back on a regular spindle because it takes so long to load the game. The other problem is it uses CRC32. Which arguably, we know how to subvert, right? Like, we've handled MD5 pretty well. I think we can do CRC32 in our sleep. Like, there's probably an option on the Microsoft calculator to subvert CRC32. So it's not a real security mechanism. But again, it stops the ankle biters. It stops idiots like me from just replacing the spy un-cloak sound without making the wave file match the original CRC32 checksum. So there's obviously some limitations of what you can do when you're just searching and replacing these skins and these sounds and that kind of thing. If you want to automatically control your player, you want to automatically aim, shoot, that kind of thing, you have to actually look under the hood of the Source server. And that's what we're going to go into next is some lower-level cheats of how people manipulate the Source engine. Dominating! So that one wasn't even funny, right? I mean, it was just, no. Was it the same as last time? Wait till you get to his slides. They're all the same. No, I changed them for you. No problem. This was his quote. I think all my slides, when they flip, say perfect, return, return, return, that's because they are. It was sarcasm. It was sarcasm, yes. He used 8-point font, by the way. I had to change that.

Anyway, so one thing that Valve uses is Valve Anti-Cheat. It's called VAC. A lot of you that play Valve games are familiar with this. What this thing really is, is, again, it's a relatively, it's a more sophisticated anti-virus program, if you will, except it's not looking for malware. It's looking for changes to the Source engine. It unfortunately isn't that good. It's not a behavioral analysis.
It's not the holy grail of anti-cheat. It's looking for basically blacklisted bad stuff. You know, someone wrote a cheat. Someone found out the cheat, sent the information to Valve. Valve figured out how it worked. Valve writes a little rule somewhere, gets caught up in VAC, and then anyone who's found using that is banned for life through VAC. It's pretty simple. It's effective at stopping stuff that's in wide deployment, but it's not effective in stopping people who are willing to take a cheat, change it a little bit. You know, it's just like modern day networks, right? Right? We've got anti-virus. It's great for commodity viruses, but you change that one little bit and you can go own an entire enterprise. Right? That's how it works. I mean, I'm dealing with enterprises all the time right now who have massive problems because someone recompiled a binary with a little change or repacked it or whatever, and magically it flies through all the security protocols and pops everything. Whoopsie! You know, same problem where I had a Mortal Kombat reference. No one plays Mortal Kombat anymore. No one. God, that was like my high school. Anyway, so here's what... Here's where we're going to turn it over to Logan and he's going to talk about other things. I still have a microphone. Great.

So I started looking at the DarkStorm source that... Actually, first I started going down the line of writing my own cheat, and then I found the DarkStorm source, fortunately, because these things are really, really complicated. Not only do you have to know how to do common hacker techniques, such as DLL injection and, you know, process injection and all that stuff, but you have to know DirectX and vector math and it's impressive what these guys can do. And DarkStorm is just one example of basically a cheating tool kit that is out there, right? There's lots of people out there that have cheating tool kits. Some of them are publicly available, like DarkStorm.
Others are available only to, you know, friends of friends and that kind of thing, like the carding industry or whatever, you know, if you know someone, you can get in, you get to cheat, because the cost of failure here for all these guys is the same. If their cheats are found out, they become worthless, right? And you can't cheat anymore and they're not cool. And so DarkStorm is a good example of one that's pretty extensible and we got some examples from it, but again, we didn't write most of this. This is just stuff we took from DarkStorm. We're using it as an example of this is how it works, this is how people get past VAC and inject themselves into these programs. Perfect. Told you.

Alright, so the first step in loading a cheat that is going to inject into the process is naturally injecting it. We do this through standard injection techniques. We do this with the SSID allocate space in the address, virtual address space, and then create your remote thread and kick off every function you want to hook inside of there. It does a couple things. Well, there are a couple different ways you can hide from VAC. And this particular cheat employs one of them, removing the PE header, that's it. But while I was looking around and analyzing some of these other cheats, you can do a lot of different things. The linked list one, I think, is an interesting one. You should tell them about that one. It's a standard virus technique to remove yourself from the linked list that describes all the modules that are loaded in a particular process. And VAC will go through and they'll look at that and that's how they'll get their list of modules to analyze and take a signature of. They also use the PE header as a way to start their signatures, too. So effectively, removing your PE header hides you from VAC and it is almost impossible for VAC to start scanning your memory space. Perfect. Oh, I changed them, really. Right.
Like I said before, this is pretty much the only hiding technique that DarkStorm employs. Pretty standard. It grabs the image header and just nulls out the bits that say, I'm a PE. The first thing we need to do is undo some flags that say that we can't call certain functions because these functions Valve considers protected and they know that they could be used in order to cheat. So we go down the line of this CVAR struct and just flip bits and that's basically what's happening right here in this loop. And this is the first... It got funny again. It's like Family Guy, right? Like it starts out... Okay, y'all got it. I don't even need to explain it.

Alright, so the first function that we hook is called CreateMove. It's pretty well named because it is just your move with the character. Every tick of the game this function is called and there can be 30, 40 ticks a second that happen. So every time a tick happens, we call this function and we start down our line of what do we want to do to cheat? Aimbot. I'm sure most of you know what an aimbot is. Unfortunately, there's no video of an aimbot because Valve released a patch and removed a particular function that was used by this aimbot to aim. So it would have taken a conservative amount of work to emulate that function and get it working again. Didn't have the time. Because of the TF2 tourney. Yeah, we have to have an excuse, right? It's not because we're lazy or just dumb or anything. It's something else going on. Rampage. Alright, so here's the basic premise of how it works, though. You grab your list of entities, entity being anything on the board, anything that is moving or stationary. And you just go through an if statement and say, is it a player? Is it not me? Is it solid? Are they on the other team? Yes, then grab where I am, grab where they are and give me a vector. Aim my vector, aim my position in that direction and if I'm aiming at the right portion of their body, fire.
Fire to choose from, but I don't know anybody that chooses anyone but the head, seriously.

The speed hack. So this one is actually pretty detectable on a lot of servers. People have written a lot of plugins to perform the security that VAC doesn't. Which is kind of strange. We were talking about SourceMod and MetaMod before. There's like a serious plugin that's written by a guy named Kigen which defeats a lot of these cheats. So while I was going around on just getting experience cheating, I don't cheat normally, as evidenced and you'll see in a second in the videos. I was worried that some of these servers would have been employing this mod and I was going to be caught but apparently they weren't. So the speed hack, real quick, it just sets a CVAR, which is a console variable inside of SRCDS, which says what is my host_timescale speed and you can set it between 1 and 25. You don't want to go above 7 because you can't move. It's too fast. It's just insanely fast. 7 is about right. So if you're playing with this, 7 is what you want to do. Humiliation. No pressure. No pressure at all.

Rapid fire. So there's a couple of characters in the game that have pistols and basically you can flip a bit and your pistol turns into a chain gun and that's exactly what happens right here. It just comes in, sets the bit to fire and you go to town, just mowing people down. This works really well with the constant criticals cheat, because when you have a chain gun it hurts people.

And ESP. So ESP is, it's just what you think it is. You're getting information about targets from a distance. You're finding out stuff about their class, their hit points, what weapon they're holding and you can see it through walls. So there's a good example. Real quick how it works. You're basically taking the model that's drawn on the screen for Source or SRCDS and you're appending these values to it and you'll see in the next picture what happens. Double kill.
If you can see that pretty well but that's basically based on the weapon he's holding, that's a scout on the other side of the wall and I know he's at full life so that's what ESP does for you. And I think we got a video. Can I annotate this video for you? This is my favorite. If I say no, will you not? No, it's not an optional problem. I need to stand up for this because this one makes me laugh. I almost fell out of my chair when I first watched this video. Logan doesn't cheat a lot. Imagine if you will, you're playing a game and someone shoots you from across the room and you have to respawn. He's still there because he doesn't want to get shot again. Well, Logan has ESP so he knows where everybody is but yet he's still looking where there's no one there because he's so worried he's going to get shot in the head. First he's going to get dominated by Boogie Girl. Boogie Girl just nominates him. I'm old Greg by the way. Now he's going to round the corner and he's got ESP so he knows where everybody is. Boogie Girl was on the roof and now Boogie Girl jacks him in the head. Same person. Now he's really scared. He doesn't want to be embarrassed again because he knows this is going to show up at DEF CON so he's a sniper and he rounds the corner and he looks up there and there's no one there. There's no ESP information but he's still looking up there. He's really worried that maybe she's got a cheat that disables the ESP Yeah. He does have a redeeming shot up here in a minute. I have a couple. I mean you were able to pull the trigger successfully I'll give you credit. Thanks. I don't know if there's a way to fast forward this or not. This gets kind of boring but in general you get the idea. This is a good part. The scout was coming behind the wall so I'm coming the whole time and he actually managed to hit him in the head. Thank you. So obviously this is a lot of information. 
You can't see through the walls you can't see exactly the characters but you actually still get the character information through the walls. It's a fantastically useful cheat so you can control at least know where everybody is. That's probably good. Hold on. Just a second. One more. There you go. Good job. Okay. 10. Killing spree. Alright. Constant criticals. So this is pretty useful but at the same time it's kind of a kind of a bane because the way that it happens there's not just a magic bit that says every shot you're going to make is going to be a critical. We actually have to try and compute our probability for a critical and on every tick of the game we try and see if our next shot's going to be a critical and if it is if we're pressing the button then we fire. So this can result in some lag time so sometimes you'll press the button and nothing will happen and sometimes you'll press the button and two crit rockets will come out. So it's interesting and there's a video to go along with it also. So for those that don't know a critical it's basically the same shot as another kind of shot it just does more damage like 50% more damage and in TF2 they also are lit up and they're a different color. So it becomes kind of abundantly obvious because normally you get one about every 5 to 10 and you start shooting like 20 in a row it's really obvious. So what you'll see Logan here doing in a minute is shooting in different directions in different places just so not everyone sees the fact that he's just unloading critical rockets over and over and over. I was pretty worried that my own team was going to turn me in for cheating even though it was helping them out but they didn't so that was a good thing. It's like a critical you hit the button and nothing happens. Don't make me come up here. Wow! I'm going to go with no video. Impressive. I would just keep moving. Alright so then there's a then you can do a thing called a wall hack. 
So this will basically draw the materials on the models in the game but it sets a certain value these values down here sorry these values right here when I set material flag is called and it sets the Z-index to something different than the wall so whenever a character is displayed on the screen you see it instead of the wall. You can you can see that pretty well there there's the demo man he's sitting right there obviously behind the wall but I can see him and I know exactly where you know what direction he's facing and what he's doing there that's part of ESP dominating and no scope so I don't know if you guys noticed when I was in the video back there but normally when you're a sniper you have a scope and your scope looks like that the one on the right that is the one on the left is what happens when you execute this code and remove the materials for all four corners of the scope it's a huge advantage as a sniper being able to run around zoom in and see 100% of the world you want me to tackle this or you got it yeah that's actually the end of the dark storm so alright a couple of things real quick one SRCDS will log just like anything else and what's interesting about the longing is that there's a lot of third party products that will pick up the logs and display like how well you're doing, how much you kick ass whatever and you go to webpages, hlstats, hlstats, x or some of the more well known versions of that anyone can write code to do that and there's lots of third party logging and log analysis utilities that are out there including the ones that we wrote which turned out were ripe for sequel ejection and DOS attacks because what are you out there Peter O'Toole there's a guy who was he at Shmucon at Shmucon he had a character in his name that killed our parser outright and Logan fixed it and then inadvertently commented that code out and then brought that code to Defcon and same dude showed up and crashed our parser again just kind of a cute trick to have it 
happen twice with the same guy you know it's basically you know this is standard stuff right it takes data it's going to parse it with a language, Perl, Python, whatever it's going to shove it in a database so it's ripe for issues like sequel and injection every once in a while I'll see somebody running around on the server with you know Robert Semicolon drop tables as his name oh it's little Bobby Tables just the greatest thing ever and like three people get it and everyone else like who's the dick with the name and meanwhile like I don't know how many it's amazing the grasp of extended ASCII characters that gamers have like I can't type in a backwards RF but sure should apparently like ASCII like you know 212 is that thing at some entire clan has that as their clan tag screw off I know how to do it that was another problem we had extended ASCII yeah barfed along on that stuff I think even today we still just basically drop it right yeah we just ignore it so if you have a fancy clan tag that doesn't have regular ASCII fuck off um meant that in the nicest possible way five minutes yes I think she might have thrown me out for other reasons real quick there has to be code releases because we're here at DEF CON so unfortunately we didn't have a lot of the security relevant code that we wanted to have to release here partially because we did get so wrapped up with this but one thing we wanted to do is turn back to community all the scoreboard and parsing stuff that we have for the real time stats tracking for the streaming video and all the other stuff so and team sign ups and the whole deal so if anyone runs land parties or anything there's actually a lot of code here that'd be very useful for you so that'll be available on the no moose website here shortly we have version one up there right now but version two will be released after DEF CON's and slogan I think it's still running said code it's done okay you sure I'm taking your editors away and we'll see what 
happens so and at some point you can go to our website look at the hokey video setup we had for Shmoocon which involved two transcodings and I shit you not an audio loopback cable for those that don't know that's a really short headphone cable that goes from audio out to audio in that's how we're capturing the audio yes yes that's exactly yeah it's idiotic so there was another release I was hoping to have which was a wire shark protocol to sector which was going to dig around and figure out all the innards of the source protocol stuff put in a bunch of work doing that and unfortunately what I've got so far written is basically I can see the first two 32 bit counters that are little endian what and I can find the strings that are all in there in TLV format so it parses all that stuff out but it doesn't get all the vectors of who's moving where yet still trying to figure out all the serialized stuff I hope to have that done actually this year it's still a project I'm working on but it wasn't done by this point and if anybody's interested in helping out feel free to let me know one last yes one last thing Shmoocon 2010 woo how many people here have been to Shmoocon? 
hot diggity for those that don't know Shmoocon's a security conference that the Shmoocon group puts on in Washington DC every year it's been the same place for the last five years there have been no more we've had people come up and tell us like at Shmoocon 4 that they've been to all 6 apparently it was so good there was a couple extras it's a lot of fun we try to be honest members of the community give back as much as we can through Shmoocon so it's anyway you can ask other people that have been if you haven't been it's a good time we really enjoy it and we really enjoy having people show up we have dates now February 5th through 7th 2010 again at the Warburn Park Marriott DC CFP will be open by the end of the month and you can follow Shmoocon on Twitter or go to Shmoocon.org for more info as it's released but you can expect the CFP will largely be like the CFP that we had before and most other hacker cons have as well which is have a cool project submit a rational write up you might get in so anyway that's lots of humiliation this is kind of a scattershot gun of a talk but we appreciate y'all showing up there's a lot of information here I mean there was just source code that we just you know washed over whatever you know feel free to download this presentation feel free to download some of these cheats from the places that we reference have fun with them get yourself an extra steam account though when you do because you might get your ass banned but it's it's really interesting because as Logan pointed out you know this isn't just a cheating thing if you can write a cheat for that gets past back you can write malware that gets past antivirus right it's the same techniques we're doing the same tricks to get past back as we are to get past McAfee and Symantec and whatever else and so it's kind of you're killing two birds with one stone right you get your rocks off blowing people up like playing a video game and you're learning how to write malware so it's like a 
double whammy who wouldn't do this is like an introductory course to malware giggle giggle quack all right I think that's it if you guys have questions you can catch us later on at the TF2 tourney where Logan will still be writing code I appreciate you guys showing up oh run run