The Art Of Cheating In Games
Reverse Engineering Games For Fun!
http://www.itsecurity.ma/
Who am I ?
• My name is Souhail Hammou (Dark-Puzzle)
• Member of the ITsecurity team (itsecurity.ma)
• Independent software security researcher.
• Found, exploited & reported many 0day vulnerabilities:
Huawei, IDman, FL Studio ...
• Now: cooperating with Huawei, reporting 0day
vulnerabilities and providing vulnerability fixes.
http://www.dark-puzzle.com
I will talk today about ...
Introduction
Why Attacking Games !!?
• Simply because games are very popular.
• A high percentage of computer users play games,
spending loads of money buying them or subscribing to them.
• Billions of dollars are spent buying games every year, and
some game companies are getting richer and richer
(Activision, Ubisoft, Square Enix ...)
• So It's Worth a Shot right ??
Cheating !?
• Cheating in a game (online/offline) is making a specific
task, object, area or resource completed or available for
the cheater without any direct interaction with the game.
• Cheat codes are built into the game (authorized
cheating).
• Hacks, trainers and game patches are illegal cheating
methods that work by modifying values or instructions inside
the game.
• Reverse engineering games is strictly prohibited by the
game companies (Konami, Ubisoft ...). Nevertheless we
see cracks, trainers and patches for games every day
online.
Types of cheating
• Wallhack
• Aimbot
• God mode
• Infinite ammo
• Fog removal
• Lots of money
• New items
• Buy items without money
• ...etc
Why Creating Your Own Cheats ?
• To avoid malware infection.
• Fun (personal need to hack a game)
• Profit :
– Selling virtual items gained by cheating against real money.
– Sell a game patch or a trainer with multiple cheats.
– Cheat in online casino games to win loads of $$
What do we need ?
• We need weapons:
– Tools:
• Packet interceptors / network sniffers
• Disassembler
• Debugger
• Memory visualizer
• Memory editor
• In the demo we will use some of those to create an
internal game patch!
Internal Game Patch ??
• Simply put, it's an executable.
• It has approximately the same size as the original
executable.
• It replaces the original executable in the game's folder.
• Opening it plays a hacked version of the game (health
hack ...).
• You don't need to attach any trainer or do live edits;
ALL is done automatically because the original exe has
been edited.
What are the basic steps to cheat in
my favourite game ?
Basics :
• In games you're looking for values.
• Ammo, health, resources, money, gold, weapon
stats, object weight, goals, time ...
• Those values are stored in memory as different types
(Byte, Word, Dword ...)
What are the basic steps to follow ?
• In general, we need to locate the exact memory location
that we are trying to reach.
• Here's what we do if we want to find the memory
address(es) that store our current life points:
[Diagram: (1) scan the actual game memory (GBs of data) for
the addresses storing 5 as a DWORD; (2) after the value
changes, rescan for the addresses storing 3 as a DWORD.]
Basic Steps to follow (Cont'd)
– Using Cheat Engine:
• Enter the value, specify its type (Byte, WORD, DWORD, Float, Array ...)
• Do a first scan to list all matching addresses
• Go to the game and change that value (take a hit, score a goal ...)
• Do a second scan to see which addresses changed from the first value
to the second.
• Easy! Right? :D
• Here's what Cheat Engine looks like.
Cheat Engine !
Cheat Engine (Cont'd)
• Cheat Engine can be used as a memory editor and debugger,
and it has the functionality to create a game trainer.
• We will use Cheat Engine as a first step, then switch to
the debugger.
• Cheat Engine is very easy to use; you can use it to
change values directly inside the game and enjoy.
• Nevertheless, in some games it may take time to find
some values in memory.
Is cheating in games that easy ?
Anti-Cheating Protections:
• Cheating became easy and popular in both offline and
online games, which is why many protections appeared.
• Anti-cheating protections are meant to slow down the
reverse engineering process.
• The reverser must find an anti-anti-cheating
bypass in order to reach his goal.
What Can('t) Stop us ??
• DMA: Dynamic memory allocation:
– Found in C/C++ programs.
– Deallocates and allocates memory by freeing it or allocating new dynamic memory on the heap.
– In each game run, the memory addresses will change, except the memory addresses which carry opcodes.
– New values stored in memory will be moved from a register or from the stack to a memory location that is
pointed to by another register or by reg+X.
– We will see it in our demo.
• Code shifting protections:
– In each game run the PE base address will be changed.
– e.g.: in the first run we had our opcode at address 0052698A
and the base address is 00520000
– in the second run we will have those opcodes at 0053698A
and the base address is 00530000
– The base address changed.
– We simply need to calculate 0052698A - 00520000, and setting our instructions at game.exe+698A will
always work.
– Found in games like Counter-Strike, Max Payne 2 ...
– Similar to ASLR protection.
Protections (Cont'd)
• Multi-checks:
– Server-side checks (online games):
• The operation to be done is set by the client, checked, then sent to
the server to be checked again, and then it is done.
• e.g.: you buy a potion on the WoW main server; your client will check how
much money you have on you. This amount will be sent to the server in an
(encrypted) packet with a request to buy that item. The server will
check your amount of money again and respond with a boolean
(True or False) contained in an encrypted packet.
– Client-side checks (offline games, found in some MMOs
also):
• Multiple checks of a certain condition or value in memory.
• We will deal with it also in our demo.
Protections (Cont'd)
• Protections against Cheat Engine / finding specific
values by visualizing/searching memory:
– Values in memory differ from the real values in the game.
– Values read from memory are adjusted by addition,
subtraction, multiplication, division or encryption before
being stored back.
– Digging into memory will not give you the right result.
– This method is used to slow down the cheater's process of finding
where exactly the value is stored in memory.
– Examining the code may get you to the right value.
– e.g.:
• I've written an example for a fake game that demonstrates that:
Cheat Engine (Cont'd)
[Screenshots: real life points 1100; "Cheat Engine Fails";
"Disassembly doesn't fail".]
When the player dies, for example, the value held in memory for life
points will be 200.
So Cheat Engine will absolutely find the 1300 value but not 1100.
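As an added example (not the presentation's code, nor the fake game from the slides), this C program models the value-obfuscation protection described above and the Cheat Engine first-scan step from the Basic Steps slides: life points are stored with a +200 offset, so a scan of the process memory for the real value (1100) finds nothing while the stored value (1300) is found, and a dead player is stored as 200. The struct layout, the +200 offset and all function names are assumptions for the example.

```c
/* Added example: a "fake game" that never stores life points as-is.
 * Assumptions: HP_OFFSET = 200 (matches the slides' 1100 -> 1300 and
 * dead -> 200), and a small player record standing in for game memory. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HP_OFFSET 200u   /* obfuscation constant (assumed from the slides) */

/* The player record as the game keeps it in memory. Only enc_life is ever
 * written to memory; the real life points exist only transiently. */
struct player {
    uint32_t score;
    uint32_t enc_life;   /* real life points + HP_OFFSET */
    uint32_t ammo;
};

/* Encode on store: the value written to memory differs from the real one. */
static void life_store(struct player *p, uint32_t real_life) {
    p->enc_life = real_life + HP_OFFSET;
}

/* Decode on load: what the game logic and the HUD actually use. */
static uint32_t life_load(const struct player *p) {
    return p->enc_life - HP_OFFSET;
}

/* Take a hit; saturates at zero, so a dead player stores exactly HP_OFFSET. */
static void player_take_hit(struct player *p, uint32_t damage) {
    uint32_t real = life_load(p);
    life_store(p, real > damage ? real - damage : 0u);
}

/* Simulates a Cheat Engine "first scan": sweep a memory region for every
 * DWORD-aligned position holding `value` and return the number of hits. */
static size_t scan_dword(const void *region, size_t len, uint32_t value) {
    const unsigned char *bytes = (const unsigned char *)region;
    size_t hits = 0;
    for (size_t off = 0; off + sizeof(uint32_t) <= len; off += sizeof(uint32_t)) {
        uint32_t v;
        memcpy(&v, bytes + off, sizeof v);   /* alignment-safe read */
        if (v == value) hits++;
    }
    return hits;
}

/* Reproduces the slide scenario: returns 1 if a scan for the real value
 * (1100) misses while a scan for the stored value (1300) hits once. */
static int demo_scan_misses_real_value(void) {
    struct player p = { 0 };
    p.ammo = 30;
    life_store(&p, 1100);
    return scan_dword(&p, sizeof p, 1100) == 0 &&
           scan_dword(&p, sizeof p, 1300) == 1;
}

int main(void) {
    struct player p = { 0 };
    life_store(&p, 1100);
    printf("real life %" PRIu32 ", stored as %" PRIu32 "\n",
           life_load(&p), p.enc_life);
    printf("scan for 1100 hits: %zu, scan for 1300 hits: %zu\n",
           scan_dword(&p, sizeof p, 1100), scan_dword(&p, sizeof p, 1300));
    player_take_hit(&p, 5000);   /* player dies */
    printf("dead: real %" PRIu32 ", stored as %" PRIu32 "\n",
           life_load(&p), p.enc_life);
    printf("scan misses real value: %d\n", demo_scan_misses_real_value());
    return 0;
}
```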
Protections found in almost every game
• Anti-debugging:
– Detects any debugger attached to or running the game.
– Uses the IsDebuggerPresent API or time-checking methods.
• Self-modifying code:
– Runs long loop(s) that rewrite instructions and then execute
them.
– Makes static analysis hard.
• Packing:
– The game might be packed by a commercial packer, which
makes it difficult to find the OEP.
• CD/DVD protections:
– The most difficult protections to defeat (Please insert CD to play).
– e.g.: SafeRom 4.X uses a complicated routine to detect whether the CD
is in or out.
– SafeRom 4.X also protects against debugging and
unpacking.
How are games structured?
Introduction to how games work:
• Dealing with the stack:
– The stack stores local variables, arguments ...
– The call stack helps you find where returns from calls will
happen inside the executable at run-time.
– In games, the stack (sometimes) stores score, health ... for a
temporary period.
• Dealing with SEH:
– To avoid creating a long and recursive SEH chain, games use
multi-threading, which requires more processor performance in
modern games.
• Multi-threading:
– A thread is a unit of execution or processing.
– Each thread does a specific job (loading maps ...) then
sends a termination status flag, while the main thread is
waiting for these tasks to complete.
Multi-Threading in PES 2013
• I analysed how multi-threading works in PES 2013 by reverse
engineering it, and here's what I found:
– In each match, all that happens inside the game field is defined by one thread.
– When the ball goes outside the game field (missed goal), this thread is
terminated.
– Here the game uses the ExitThread function to deallocate the SEH chain, then
executes the GetExitCodeThread function in order to retrieve the termination status of
the thread.
– A new thread is created using the CreateThread function, which takes the type of
phase that will be executed (goal kick ...)
– We can conclude that the game uses each thread to complete a series of actions
(replay, foul, goal, ball inside the field).
– Keep in mind: many threads are running at the same time in the game.
– e.g.: the ball is outside the field but you can still hear the audience.
Reverse Engineering Games in Action.
Detailed Demonstration.
How Can I Cheat in a Real Game ?
• Pick a target (PES 2013 Demo Version).
• Play the game to be more familiar with it.
• Pick a specific functionality to hack (Scoring).
• Start having fun !
Before going through the demo !
• It is illegal to reverse this game (who cares anyway!)
• You can download the demo game (1 GB, I think).
• If you want to try the patch that I created, which we will
see in the demo, feel welcome to ask me for it (15 MB)
What am I going to do with scoring ?
1. The purpose is to make the goals that I score count.
2. The purpose is to not make the opponent's goals count.
3. When my team scores a goal I see: 1 - 0
4. When the opponent team scores I still see: 1 - 0
5. Let the game begin!
Locating our target in memory.
• How can we use Cheat Engine?:
– Select the Attach process button
– Click on pes2013.exe
– Then hit Open
– Afterwards, score two goals on your opponent, then search for
the value 2 as a DWORD.
– Score another goal or two, look for the new value.
– Do the same with your opponent: let him score, then follow the same
method.
– Score some goals against yourself, then follow the same method.
– You will find yourself in front of two memory addresses.
• Memory addresses found:
• First: 0196F964
• Second: 0196F96C
• The instructions that write to these addresses:
– To the first one:
00FD696D - 66 FF 04 50 - inc word ptr [eax+edx*2]
– To the second one:
00FD6929 - 66 FF 40 08 - inc word ptr [eax+08]
• I switched to Immunity Debugger, scored a goal against myself and I hit the
second breakpoint. (No need to analyze this any more.)
• The opponent scored against me and I hit the first bp; I scored against my
opponent and I hit the first bp!
• The two possibilities are handled by the same routine.
Let's see what's going on
• Lots of increments of values in memory.
• Just one memory address that holds the number of goals
scored is loaded into a register (EAX). (Other values
stored in memory can be used for second checks later or
anywhere else in the game ...)
• To achieve our goal we need to switch from
incrementing to zeroing.
• Have you noticed a problem with using the direct patching
method to do that?
• The score will be zeroed for every team.
• The solution is to:
• Jump to an unused area inside the executable (code
cave), then write our own instructions.
• Still remember the value of EAX relative to who
scored?
• That's what we're going to compare, then do a conditional
jump: if not taken it will zero the opponent's score; if taken
it will continue the routine normally to increment our score.
Feeling Confused ?!! :p
[Flowchart: JMP to an unused area of code (the instructions we've written)
→ compare EAX == 0196F628? (have we scored?) → YES: rewrite the
instructions that were overwritten, then jump back to continue running the
original routine as if nothing happened; NO: patch all INC by zeroing, then
JMP to the RETN in the original routine.]
(Cont'd)
• Edit original routine (add a JMP to unused area of code)
– 00FD694F ADD EAX, 0196F628
– 00FD6954 CMP CL,12
– 00FD6957 JNB SHORT 00FD6983
– 00FD6959 JMP 0133DD4C <-- Added this Jump
– 00FD695E NOP
– 00FD695F NOP
– 00FD6960 PUSH ESI
– 00FD6961 LEA ESI,DWORD PTR DS:[ECX+1]
– 00FD6964 IMUL ECX,ECX,16
– 00FD6967 IMUL ESI,ESI,2C
Two instructions overwritten :
INC WORD PTR DS:[EAX+8] & MOVZX ECX,CL
Cont'd
• We need to change the instruction INC WORD PTR DS:[EAX+8]
when the opponent scores, so it is better to remove it
from the original routine.
• We jumped to 0133DD4C! What's in there?
• As the diagram shows, we have to write instructions
that compare EAX to 0196F628.
• ASM:
– 0133DD4C CMP EAX,0196F628
– 0133DD51 JE SHORT 0133DD8E
• If the compare is true we jump to 0133DD8E; it
means that we scored a goal.
• If the compare is false we do not jump, and zero the memory
locations instead of incrementing them.
(Cont'd)
Running the game:
• Save the modifications in a patch.
• Run the game!
• Behavior:
– What is expected to happen:
• I score a goal, it is counted (routine runs normally)
• Opponent scores a goal, not counted (no increments)
• I scored a goal, I should see in the score panel (1 - 0)
• The opponent scored back, I should still see (1 - 0)
• When the match ends I should win.
– What happens in reality:
• I scored a goal, I see in the score panel (1 - 0)
• The opponent scored back, I see (1 - 1)
• When the match ends I win.
Here's what happens!
I just scored a goal (EAX comparison true, jump taken)
The opponent scored back (EAX comparison false, jump not taken)
Match ended and we won, so our patch is working but not
with the scoreboard, so we will need to patch it too.
Real VS Shown
• The real number of goals is stored in a separate location
in memory and is shown in the final game statistics.
• The real value decides who is the winner.
• The real value is the one we edited in the first example.
• The shown value is the one stored in the scoreboard.
• Changing it to 99 - 0 will not affect the winner or loser.
• We have to link those two to create a realistic
and logical combination.
Fake Trainers Detected !!
• I saw many trainers online made for PES 2011
and also PES 2013 that only edit the values
on the score panel, so the real score isn't affected.
• The winner will be the team that scored more goals, as
it is in normal cases.
Reverse Engineering the Problem:
Creating a combination & beating
protections:
Hacking the scoreboard!
Here are the two routines that deal with the score panel.
I got them using Cheat Engine; it took me time to locate them, as the value at the
memory address changes with a delay of 3 seconds, possibly because of the player
celebration scene (a possible time-related protection to annoy fast and impatient
cheaters).
We Indirectly Bypassed a Protection:
• DMA bypassed:
– In each run the score shown in the scoreboard is stored at a
different memory address, because of the
memory management.
– Finding what writes to this address gives us static opcodes
found at a static address in the PE.
– N.B.: the previous cheat of the real score deals with static memory
addresses that don't change.
Can you see more protections here ?
Double Multi-Checking Protection
• Multi-checking protections (double protection):
– The routine responsible for each case (me scoring, opponent
scoring) runs 2 times for each goal.
– In every case the other team's score (mine or the opponent's) is always
checked and stored again.
– For example:
– I scored a goal; the score will be MOVed into the
scoreboard, but the opponent's score, which stays as it is,
will also be checked and stored again. After a short
period the same routine will be run again.
How could multiple checks beat a cheater in PES 2013 ?
• How can the first multiple-checking technique beat
you?
– The routine is run two times with a delay of some seconds.
– The player may change the scoreboard values in memory either
between those two runs, or before or after them.
– Changing the value before or after a goal is scored:
– When changing the values before or after a goal is scored, when the
next goal is scored the scoring will return to normal, because we're
dealing with a MOV instruction, not INC.
– e.g.: the player changes the scoreboard when the match begins to 12 - 0
» When a goal is scored against him he will see: 0 - 1
– Changing the value between the two runs of the same routine:
– This may be difficult and requires more precision, but when doing it
by chance, using Cheat Engine for example, the first run will keep the
changed value but the second run will restore the original scoring.
– So using Cheat Engine directly will not help here. We have to edit
instructions then.
How could multiple checks beat a cheater in PES 2013 ? (Cont'd)
• How can the second multiple-checking technique beat
you?
– The reverser will look to zero the opponent's score in the
score panel whenever he scores a goal, right?
– When the opponent scores against him he will be happy to see
that the opponent's score is still 0 in the score panel.
– When he scores a goal he will be shocked to see that the
opponent's score is back to 1.
– Simply because in each of those two routines your score and
your opponent's score are stored again.
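As an added example (not the presentation's code and not PES 2013's own logic), this C model covers both the double multi-checking protection slide and the two ways it beats a direct scoreboard edit: the scoreboard routine MOVes both real scores into the shown fields and runs twice per goal, so an edit made before a goal or between the two runs is overwritten, and a consistency check flags a shown value that changed since the routine last wrote it. The struct layout, the refresh and kick-off functions and the tamper counter are assumptions; the real score being kept apart from the shown score is what the slides describe.

```c
/* Added example: a model of the PES 2013 scoreboard double-check.
 * Assumed layout: real score (decides the winner, static address) kept
 * apart from the shown score (scoreboard copy, dynamically allocated). */
#include <stdint.h>
#include <stdio.h>

struct match {
    uint16_t real_home, real_away;   /* real score: decides the winner */
    uint8_t  shown_home, shown_away; /* scoreboard copy shown to the player */
    uint8_t  last_home, last_away;   /* what the scoreboard routine last wrote */
    int      written;                /* routine has run at least once */
    unsigned scoreboard_runs;        /* how many times the routine ran */
    unsigned tamper_events;          /* shown value changed behind its back */
};

/* The scoreboard routine: MOV (not INC) both sides from the real score.
 * Returns 1 if the shown score no longer matched what this routine last
 * wrote, i.e. someone edited the scoreboard in memory since then. */
static int scoreboard_refresh(struct match *m) {
    int tampered = m->written &&
        (m->shown_home != m->last_home || m->shown_away != m->last_away);
    m->shown_home = m->last_home = (uint8_t)m->real_home;  /* MOV AL,[real]; MOV [shown],AL */
    m->shown_away = m->last_away = (uint8_t)m->real_away;
    m->written = 1;
    m->scoreboard_runs++;
    if (tampered) m->tamper_events++;
    return tampered;
}

/* Match start: everything zero, scoreboard written once as 0 - 0. */
static void match_kickoff(struct match *m) {
    *m = (struct match){0};
    scoreboard_refresh(m);
}

/* A goal: increment the real score, then run the scoreboard routine twice
 * (the slides observe a second run after a short delay; modelled here as a
 * plain second call). */
static void goal_scored(struct match *m, int home_team) {
    if (home_team) m->real_home++; else m->real_away++;
    scoreboard_refresh(m);   /* first run, right after the goal */
    scoreboard_refresh(m);   /* second run, after the celebration delay */
}

/* Only the real score decides the result: 1 home, -1 away, 0 draw. */
static int winner(const struct match *m) {
    if (m->real_home > m->real_away) return 1;
    if (m->real_home < m->real_away) return -1;
    return 0;
}

/* Slide scenario: the cheater sets the scoreboard to 12 - 0 at kick-off,
 * then the opponent scores. Returns shown score as home*100 + away. */
static unsigned scenario_edit_before_goal(struct match *m) {
    match_kickoff(m);
    m->shown_home = 12;            /* direct memory edit, e.g. with Cheat Engine */
    goal_scored(m, 0);             /* opponent scores: MOV restores 0 - 1 */
    return (unsigned)m->shown_home * 100u + m->shown_away;
}

/* Slide scenario: the edit lands between the two runs of the same routine.
 * The first run keeps the edit, the second run restores the real score. */
static unsigned scenario_edit_between_runs(struct match *m) {
    match_kickoff(m);
    m->real_home = 1;
    scoreboard_refresh(m);         /* first run after a home goal */
    m->shown_away = 7;             /* edit between the two runs */
    scoreboard_refresh(m);         /* second run overwrites it again */
    return (unsigned)m->shown_home * 100u + m->shown_away;
}

int main(void) {
    struct match m;
    unsigned s = scenario_edit_before_goal(&m);
    printf("edit before goal: shown %u - %u, tamper events %u, winner %d\n",
           s / 100, s % 100, m.tamper_events, winner(&m));
    s = scenario_edit_between_runs(&m);
    printf("edit between runs: shown %u - %u, tamper events %u\n",
           s / 100, s % 100, m.tamper_events);
    return 0;
}
```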
A patch for it ??
• Very simple.
• Zero the value of [EDI+231] when running either of those 2
routines to bypass the excessive checks.
• When the opponent scores:
– The score is moved to AL from [EBP+44]
– AL moves the new score to [EDI+231]
– Replace: MOV AL,BYTE PTR SS:[EBP+44]
– With: XOR AL,AL
• When I score:
– The score is moved to DL from [EBP+48]
– DL moves the old opponent score to [EDI+231]
– Replace: MOV DL,BYTE PTR SS:[EBP+48]
– With: XOR DL,DL
Result :
Game result :
I scored
Opponent scored
Match ended , Combination works = WIN !!
What have we done so far ?
• We just hacked the whole game scoring system.
• To do that we hacked:
– The real score that sets the winner.
– The shown score in the score panel.
• To win you need to score at least one goal.
• All is done automatically, so you will just need to open the
executable and enjoy.
• The fun part in reversing games?
– You will never encounter the same case or the same routines
during the Try-To-Cheat-Me process.
– Spending sleepless night(s) reversing a game would be fun :)
– 3nJ0y !!
QUESTIONS?
Contact/Follow me :
• dark-puzzle@live.fr
• http://www.facebook.com/dark.puzzle.sec
• http://www.dark-puzzle.com/
• http://www.itsecurity.ma/
HAVE A NICE EVENING AND
CHALLENGE :) !

WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 

Hackathon 2013 - The Art Of Cheating In Games

1. The Art Of Cheating In Games
Reverse Engineering Games For Fun !
Http://www.itsecurity.ma/

2. Who am I ?
• My name is Souhail Hammou (Dark-Puzzle)
• Member of ITsecurity team (itsecurity.ma)
• Independent software security researcher.
• Found, exploited & reported many 0day vulnerabilities : Huawei, IDman, FlStudio ...
• Now : cooperating with Huawei, reporting 0day vulnerabilities and providing fixes for them.
http://www.dark-puzzle.com

3. I will talk today about ...

5. Why Attacking Games !!?
• Simply because games are very popular.
• A high percentage of computer users are playing games, spending loads of money buying them or subscribing to them.
• Billions of dollars are spent to buy games every year and some of the game companies are getting richer and richer (Activision, Ubisoft, SquareEnix ...)
• So it's worth a shot, right ??

6. Cheating !?
• Cheating in a game (online/offline) is to make a specific task, object, area or resource completed or available for the cheater without any direct interaction with the game.
• Cheat codes are coded with the game (authorized cheating).
• Hacks, trainers and game patches are illegal cheating ways that work by modifying values or instructions inside the game.
• Reverse engineering games is strictly prohibited by the game companies (Konami, Ubisoft ...). Nevertheless we see cracks, trainers and patches for games every day online.

7. Types of cheating
• Wallhack
• Aimbot
• God mode
• Infinite ammo
• Fog removal
• Lots of money
• New items
• Buy items without money
• ...etc

8. Why Creating Your Own Cheats ?
• To avoid malware infection.
• Fun (personal need to hack a game)
• Profit :
  – Selling virtual items gained by cheating for real money.
  – Selling a game patch or a trainer with multiple cheats.
  – Cheating in online casino games to win loads of $$

9. What do we need ?
• We need weapons :
  – Tools :
    • Packet interceptors / network sniffers.
    • Disassembler
    • Debugger
    • Memory visualizer
    • Memory editor.
• In the demo we will use some of those to create an internal game patch !
10. Internal Game Patch ??
• Simply, it's an executable.
• Approximately the same size as the original executable.
• It has to be put in the game's folder in place of the original.
• Opening it will play a hacked version of the game (health hack ...).
• You don't need to attach any trainer or do live edits; ALL is done automatically because the original exe has been edited.

11. What are the basic steps to cheat in my favourite game ?

12. Basics :
• In games you're looking for values.
• Ammo, health, resources, money, gold, weapon stats, object weight, goals, time ...
• Those values are stored in memory as different types (Byte, Word, Dword ...)

13. What are the basic steps to follow ?
• In general, we need to locate the exact memory field that we are trying to reach.
• Here's what we do if we want to find the memory address(es) that store our current life points:
  [Diagram: actual game memory (gigabytes of data) → (1) memory addresses storing 5 as a DWORD → (2) memory addresses storing 3 as a DWORD]

14. Basic Steps to follow (Cont'd)
– Using Cheat Engine :
  • Enter the value, specify its type (Byte, WORD, DWORD, Float, Array ...)
  • Do a first scan to list all addresses holding that value
  • Go to the game and change that value (take a hit, score a goal ...)
  • Do a second scan to keep only the addresses whose value changed from the first value to the second.
  • Easyy !! Right :D
  • Here's what Cheat Engine looks like.
16. Cheat Engine (Cont'd)
• Cheat Engine can be used as a memory editor and a debugger, and has the functionality of creating a game trainer.
• We will use Cheat Engine as a first step, then switch to the debugger.
• Cheat Engine is very easy to use; you can use it to change values directly inside the game and enjoy.
• Nevertheless, in some games it may take time to find some values in memory.

17. [image-only slide]

18. Is cheating in games that easy ?

19. Anti-Cheating Protections :
• Cheating became easy and popular in both offline & online games; that's why many protections took place.
• Anti-cheating protections are meant to slow down the reverse engineering process.
• The reverser must work on finding an anti-anti-cheating bypass in order to reach his goal.

20. What Can('t) Stop us ??
• DMA : Dynamic Memory Allocation :
  – Can be found in C/C++
  – Deallocates and allocates memory by freeing it or allocating new dynamic memory on the heap
  – In each game run the memory addresses will change, except the memory addresses which carry opcodes.
  – New values stored in memory will be moved from a register or from the stack to a memory location that is pointed to by another reg or by reg+X.
  – We will see it in our demo.
• Code shifting protections :
  – In each game run the PE base address will be changed.
  – E.g. in the first run we had our opcode at address 0052698A and the base address is 00520000
  – In the second run we will have those opcodes at 0053698A and the base address is 00530000
  – The base address changed.
  – We simply need to calculate 0052698A - 00520000 = 698A; setting our instructions at game.exe+698A will always work.
  – Available in games like Counter-Strike, Max Payne 2 ...
  – Very similar to ASLR protection.
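The base-relative arithmetic of slide 20, as an added example that is not code from the talk: the same opcode sits at 0052698A under base 00520000 and at 0053698A under base 00530000, so the stable key is the module-relative offset (RVA), and the same arithmetic lets an integrity check confirm that the original bytes are still at game.exe+RVA in a new run. The mapped images, the MappedModule type and the placement of the slide-35 opcode bytes at RVA 698A are all constructed assumptions.

```python
"""Base-relative addressing across runs (added example, not code from the talk).

The stable quantity across runs is the offset from the module base (the RVA),
so both a patch and a tamper check must be keyed on game.exe+RVA, never on an
absolute address. The mapped images below are constructed; no real binary.
"""
from typing import NamedTuple


class MappedModule(NamedTuple):
    base: int       # load address of game.exe in this run
    image: bytes    # module bytes as mapped; image[0] lives at `base`


def rva_of(absolute: int, base: int) -> int:
    """Module-relative offset: 0x0052698A - 0x00520000 == 0x698A."""
    if absolute < base:
        raise ValueError("address lies below the module base")
    return absolute - base


def resolve(module: MappedModule, rva: int) -> int:
    """Absolute address of game.exe+rva in the given run."""
    return module.base + rva


def read(module: MappedModule, absolute: int, length: int) -> bytes:
    """Read `length` bytes at an absolute address; empty if outside the image."""
    off = absolute - module.base
    if off < 0 or off + length > len(module.image):
        return b""
    return module.image[off:off + length]


def code_intact(module: MappedModule, rva: int, expected: bytes) -> bool:
    """Defender's check: are the original opcode bytes still at game.exe+rva?"""
    return read(module, resolve(module, rva), len(expected)) == expected


# Constructed layout: the 'inc word ptr [eax+08]' bytes shown on slide 35 are
# placed at RVA 0x698A purely for this demonstration.
RVA = 0x698A
ORIGINAL_OPCODE = bytes.fromhex("66FF4008")
NOPS = b"\x90" * len(ORIGINAL_OPCODE)      # NOP-filled, i.e. tampered


def _image(code_at_rva: bytes) -> bytes:
    img = bytearray(0x7000)
    img[RVA:RVA + len(code_at_rva)] = code_at_rva
    return bytes(img)


RUN1 = MappedModule(0x00520000, _image(ORIGINAL_OPCODE))    # first run
RUN2 = MappedModule(0x00530000, _image(ORIGINAL_OPCODE))    # rebased, untouched
RUN2_TAMPERED = MappedModule(0x00530000, _image(NOPS))       # rebased, patched


def demo() -> dict:
    """Absolute addresses differ between runs; the RVA and the check do not."""
    first = resolve(RUN1, RVA)                  # 0x0052698A
    second = resolve(RUN2, RVA)                 # 0x0053698A
    return {
        "rva": rva_of(first, RUN1.base),
        "second_run_address": second,
        "run2_intact": code_intact(RUN2, RVA, ORIGINAL_OPCODE),
        "run2_tampered_intact": code_intact(RUN2_TAMPERED, RVA, ORIGINAL_OPCODE),
    }


if __name__ == "__main__":
    print({k: (hex(v) if isinstance(v, int) and not isinstance(v, bool) else v)
           for k, v in demo().items()})
```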
21. Protections (Cont'd)
• Multichecks :
  – Server side checks (online games) :
    • The operation to be done is set by the client, checked, then sent to the server to be checked again, and only then is it done.
    • E.g. you buy a potion on the WoW main server: your client will check how much $$ you have on you. This amount will be sent to the server in an (encrypted) packet with a request to buy that item. The server will check your amount of money again and responds with a boolean (True or False) contained in an encrypted packet.
  – Client side checks (offline games, found on some MMOs also) :
    • Multiple checks of a certain condition or value in memory.
    • We will deal with it also in our demo.
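The potion purchase of slide 21 from the server's side, as an added example that is not code from the talk: the client checks its own gold and sends a request carrying the amount it believes it has, and the server must decide on its own ledger rather than on that claim. Item prices, player names, the request dict and the Server class are constructed; the packet encryption the slide mentions is left out because it does not change the decision logic.

```python
"""Server-side re-check of a purchase request (added example, not from the talk)."""
from dataclasses import dataclass, field
from typing import Dict, Optional

PRICES: Dict[str, int] = {"potion": 50}   # constructed item price list


def client_request(player: str, item: str, local_gold: int) -> Optional[dict]:
    """Client side (slide 21, step 1): refuse locally if too poor, else build
    the request. A modified client can skip this check or forge local_gold."""
    if local_gold < PRICES[item]:
        return None
    return {"player": player, "item": item, "claimed_gold": local_gold}


@dataclass
class Server:
    ledger: Dict[str, int] = field(default_factory=dict)   # authoritative gold

    def buy_trusting_client(self, req: dict) -> bool:
        """Weak form: decides on the balance the client *claims*."""
        price = PRICES[req["item"]]
        if req["claimed_gold"] < price:
            return False
        self.ledger[req["player"]] -= price    # goes negative on a forged claim
        return True

    def buy(self, req: dict) -> bool:
        """Correct form (slide 21, step 2): ignore claimed_gold, re-check the
        ledger, and only deduct when the authoritative balance covers it."""
        price = PRICES.get(req.get("item"))
        player = req.get("player")
        if price is None or player not in self.ledger:
            return False
        if self.ledger[player] < price:
            return False
        self.ledger[player] -= price
        return True


def demo() -> dict:
    """Constructed run: player 'p' really has 30 gold but the request claims 999."""
    forged = {"player": "p", "item": "potion", "claimed_gold": 999}
    weak, strong = Server({"p": 30}), Server({"p": 30})
    weak_ok = weak.buy_trusting_client(forged)
    strong_ok = strong.buy(forged)
    honest = Server({"p": 60})
    honest_ok = honest.buy(client_request("p", "potion", 60))
    return {
        "weak_accepted": weak_ok, "weak_gold_after": weak.ledger["p"],
        "strong_accepted": strong_ok, "strong_gold_after": strong.ledger["p"],
        "honest_accepted": honest_ok, "honest_gold_after": honest.ledger["p"],
    }


if __name__ == "__main__":
    print(demo())
```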
22. Protections (Cont'd)
• Protections against Cheat Engine / finding specific values by visualizing or searching memory :
  – Values in memory differ from the real values in the game.
  – After those values are taken from memory they are transformed by addition, subtraction, multiplication, division or encryption before being stored again.
  – Digging into memory will not give you the right result.
  – This method is used to slow the cheater's process of finding where exactly the value is stored in memory.
  – Examining the code may get you to the right value.
  – E.g. :
    • I've written an example of a fake game that demonstrates that :

23. CheatEngine (Cont'd)
When the player dies, for example, the value held in memory for life points will be 200.
[Screenshot; visible value: 1100]

25. Disassembly doesn't fail
So Cheat Engine will absolutely find the 1300 value but not 1100.
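The two-scan procedure of slides 13-14 and the encoded-value protection of slides 22-25 in one place, as an added example that is not code from the talk. Game memory is a constructed bytes region built in the block, the scan is the aligned DWORD scan the slides describe, and the fake game's encoding is assumed to be real life points plus a constant 200 (my reading of 1100 shown, 1300 in memory, 200 when dead); the addresses and offsets are constructed.

```python
"""Cheat Engine-style value scanning over a constructed memory snapshot
(added example, not code from the talk). Nothing touches a real process."""
import struct
from typing import Dict, List

BASE = 0x0196F000          # constructed load address of the snapshot
ALIGN = 4                  # aligned scan, like Cheat Engine's default fast scan
LIFE_OFFSET = 200          # assumed encoding constant of the fake game


def snapshot(values: Dict[int, int], size: int = 0x100) -> bytes:
    """Fake memory: each (offset -> value) pair stored as a little-endian DWORD."""
    mem = bytearray(size)
    for off, val in values.items():
        struct.pack_into("<I", mem, off, val & 0xFFFFFFFF)
    return bytes(mem)


def scan_dword(mem: bytes, value: int, base: int = BASE, align: int = ALIGN) -> List[int]:
    """First scan: every address (base + offset) holding `value` as a DWORD."""
    hits = []
    for off in range(0, len(mem) - 3, align):
        if struct.unpack_from("<I", mem, off)[0] == value:
            hits.append(base + off)
    return hits


def rescan(mem: bytes, candidates: List[int], value: int, base: int = BASE) -> List[int]:
    """Second scan: keep only earlier hits that now hold the changed `value`."""
    keep = []
    for addr in candidates:
        off = addr - base
        if 0 <= off <= len(mem) - 4 and struct.unpack_from("<I", mem, off)[0] == value:
            keep.append(addr)
    return keep


def encode_lifepoints(real: int) -> int:
    """What the fake game writes to memory (slide 22: stored != real)."""
    return real + LIFE_OFFSET


def decode_lifepoints(stored: int) -> int:
    """What reading the code reveals (slide 25): subtract the constant back out."""
    return stored - LIFE_OFFSET


# Constructed snapshots. Offset 0x64 holds life points; 0x10 is an unrelated
# counter that also happens to be 5 and 0x20 an unrelated 3, so the first scan
# alone is ambiguous and only the rescan isolates the target.
MEM_BEFORE_HIT = snapshot({0x10: 5, 0x20: 3, 0x64: 5})            # life = 5
MEM_AFTER_HIT = snapshot({0x10: 5, 0x20: 3, 0x64: 3})             # hit: 5 -> 3
MEM_ENCODED = snapshot({0x10: 5, 0x64: encode_lifepoints(1100)})  # shows 1100


def find_lifepoints() -> List[int]:
    """Slides 13-14 end to end: scan for 5, take a hit, rescan for 3."""
    first = scan_dword(MEM_BEFORE_HIT, 5)       # two hits, ambiguous
    return rescan(MEM_AFTER_HIT, first, 3)      # one address left


def scan_encoded_game() -> dict:
    """Slides 22-25: the shown value is absent, the encoded one is present."""
    return {
        "shown_1100": scan_dword(MEM_ENCODED, 1100),
        "stored_1300": scan_dword(MEM_ENCODED, 1300),
        "decoded": decode_lifepoints(1300),
    }


if __name__ == "__main__":
    print([hex(a) for a in find_lifepoints()], scan_encoded_game())
```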
26. Protections found in almost every game
• Anti-debugging :
  – Detects any debugger attached to or running the game.
  – Uses the IsDebuggerPresent API or time checking methods.
• Self modifying code :
  – Goes into long loop(s) to edit instructions and then execute them.
  – Makes static analysis hard.
• Packing :
  – The game might be packed by a commercial packer, which makes it difficult to find the OEP.
• CD/DVD protections :
  – The most difficult protections to defeat (Please insert CD to play).
  – E.g. SafeRom 4.X uses a complicated routine to detect if the CD is in or out.
  – SafeRom 4.X also protects against debugging and unpacking.
27. How are games structured ?

28. Introduction to how games work :
• Dealing with the stack :
  – The stack stores local variables, arguments ...
  – The call stack helps you find where returns from calls will happen inside the executable at run-time.
  – In games, the stack (sometimes) stores score, health ... for a temporary period.
• Dealing with SEH :
  – To avoid creating a long and recursive SEH chain, games use multi-threading, which requires more processor performance in modern games.
• Multi-threading :
  – A thread is a unit of execution or processing.
  – Each thread is doing a specific mission (loading maps ...) then sends a termination status flag, while the main thread waits for these tasks to complete.

29. Multi-Threading in PES 2013
• I analysed how multi-threading is working in PES 2013 by reverse engineering it and here's what I found :
  – In each match, everything that happens inside the game field is defined by one thread.
  – When the ball goes outside of the game field (missed goal), this thread is terminated.
  – Here the game uses the ExitThread function to deallocate the SEH chain, then executes the GetExitCodeThread function in order to retrieve the termination status of the thread.
  – A new thread is created using the CreateThread function, which is given the type of phase that will be executed (goal kick ...)
  – We can conclude that the game uses each thread to complete a series of actions (replay, fault, goal, ball inside the field).
  – Keep in mind : many threads are running at the same time in the game.
  – E.g. the ball is outside the field but you can still hear the audience.
30. Reverse Engineering Games in Action. Detailed Demonstration.

31. How Can I Cheat in a Real Game ?
• Pick a target (PES 2013 Demo Version).
• Play the game to be more familiar with it.
• Pick a specific functionality to hack (scoring).
• Start having fun !

32. Before going through the demo !
• It is illegal to reverse this game (Who cares anyway !)
• You can download the demo game (1 GB I think).
• If you want to try the patch that I created, which we will see in the demo, feel welcome to ask me for it (15 MB)

33. What am I going to do with scoring ?
1. The purpose is to make the goals that I score count.
2. The purpose is not to make opponent goals count.
3. When my team scores a goal I see : 1 - 0
4. When the opponent team scores I still see : 1 - 0
5. Let the game begin !

34. Locating our target in memory.
• How can we use Cheat Engine ? :
  – Select the Attach process button
  – Click on pes2013.exe
  – Then hit Open
  – Afterwards, score two goals against your opponent, then search for the value 2 as a DWORD.
  – Score another goal or two, look for the new value.
  – Do the same with your opponent : let him score, then apply the same method.
  – Score some goals against yourself, then follow the same method.
  – You will find yourself in front of two memory addresses.

35.
• Memory addresses found :
  • First : 0196F964
  • Second : 0196F96C
• The instructions that write to these addresses :
  – To the first one : 00FD696D - 66 FF 04 50 - inc word ptr [eax+edx*2]
  – To the second one : 00FD6929 - 66 FF 40 08 - inc word ptr [eax+08]
• I switched to Immunity Debugger, scored a goal against myself and hit the second breakpoint. (No need to analyze this anymore)
• The opponent scored against me and I hit the first bp; I scored against my opponent and I hit the first bp !
• The two possibilities are handled by the same routine.
36. Let's see what's going on

37.
• Lots of incrementing of values in memory.
• Just one memory address that holds the value of goals scored is loaded into a register (EAX). (Other values stored in memory can be used for second checks later or anywhere else in the game ...)
• To achieve our goal we need to switch from incrementing to zeroing.
• Have you noticed a problem with using the direct patching method to do that ?

38.
• The score would be nulled for every team.
• The solution is to :
  • Jump to an unused area inside the executable (code cave), then write our own instructions there.
  • Still remember the value of EAX relative to who scored ?
  • That's what we're going to compare, then do a conditional jump : if not taken it will zero the opponent's score, if taken it will continue the routine normally to inc our score.

39. Feeling Confused ?!! :p
[Flow diagram, reconstructed from the slide :]
  JMP to unused area of code (to the instructions we've written)
  → EAX == 0196F628 ? (have we scored?)
    YES → rewrite the instructions we overwrote → jump back to continue running the original routine as if nothing happened
    No → patch all INC by zeroing → JMP to RETN in the original routine

40. (Cont'd)
• Edit the original routine (add a JMP to the unused area of code) :
    00FD694F ADD EAX, 0196F628
    00FD6954 CMP CL,12
    00FD6957 JNB SHORT 00FD6983
    00FD6959 JMP 0133DD4C        <-- Added this jump
    00FD695E NOP
    00FD695F NOP
    00FD6960 PUSH ESI
    00FD6961 LEA ESI,DWORD PTR DS:[ECX+1]
    00FD6964 IMUL ECX,ECX,16
    00FD6967 IMUL ESI,ESI,2C
• Two instructions overwritten : INC WORD PTR DS:[EAX+8] & MOVZX ECX,CL

41. Cont'd
• The instruction INC WORD PTR DS:[EAX+8] is the one we need to change when the opponent scores, so better remove it from the original routine.
• We jumped to 0133DD4C ! What's in there ?
• As the diagram shows, we have to write instructions that compare EAX to 0196F628.
• ASM :
    0133DD4C CMP EAX,0196F628
    0133DD51 JE SHORT 0133DD8E
• If the compare is true we will jump to 0133DD8E; it means that we scored a goal.
• If the compare is false we will not jump, and zero the memory locations instead of INC.
43. Running the game :
• Save the modifications in a patch.
• Run the game !
• Behavior :
  – What is expected to happen :
    • I score a goal, it is counted (routine goes normally)
    • Opponent scores a goal, not counted (no incrementing)
    • I scored a goal, I should see in the score panel ( 1 - 0 )
    • The opponent scored back, I should see ( 1 - 0 )
    • When the match ends I should win.
  – What happens in reality :
    • I scored a goal, I see in the score panel ( 1 - 0 )
    • The opponent scored back, I see ( 1 - 1 )
    • When the match ends I win.

44. Here's what happens !
[Screenshots :]
  • I just scored a goal (EAX comparison true, jump taken)
  • The opponent scored back (EAX comparison false; jump not taken)
  • Match ended and we won, so our patch is working, but not with the scoreboard, so we will need to patch it too.

45. Real VS Shown
• The real value of the goals is stored in separate locations in memory, to be shown in the final game statistics.
• The real value decides who is the winner.
• The real value is the one we edited in the first example.
• The shown value is the one stored in the scoreboard.
• Changing it to 99-0 will not affect the winner or loser.
• We have to link those two to create a realistic and logical combination.

46. Fake Trainers Detected !!
• I saw many trainers online that are made for PES 2011 and also PES 2013 that work by just editing the values on the score panel, so the real score isn't affected.
• The winner will be the team who scored more goals, like in normal cases.
47. Reverse Engineering the Problem : Creating a combination & beating protections :

48. Hacking the scoreboard !
Here are the two routines that deal with the score panel. [Screenshot]
I got them using Cheat Engine. It took me time to locate them, as the value's memory address changes after a delay of 3 seconds, possibly because of the player celebration scene (a possible time-related protection to annoy fast and impatient cheaters).

49. We Indirectly Bypassed a Protection :
• DMA bypassed :
  – In each run the score shown in the scoreboard is stored at different memory addresses; that's because of the memory management.
  – Finding what writes to this address gives us static opcodes found at a static address of the PE.
  – N.B : the previous cheat of the real score deals with static memory addresses that don't change.

50. Can you see more protections here ?

51. Double Multi-Checking Protection
• Multi-checking protections (double protection) :
  – The routine responsible for each case (me scoring, opponent scoring) runs 2 times for each goal.
  – In every case the other team's score (me or opponent) is always checked and stored again.
  – For example :
  – I scored a goal; the score will be MOVed into the scoreboard, but the opponent's score, which stays as it is, will also be checked and stored again. After a short period the same routine will be run again.

52. How could multiple checks beat a cheater in PES 2013 ?
• How can the first multiple-checking technique beat you ?
  – The routine is run two times with a delay of some seconds.
  – The player may change the scoreboard values in memory either between those two runs, or before or after them.
  – Changing the value before or after a goal is scored :
    – When changing the values before or after a goal is scored, when the next goal is scored the scoring will return to normal, because we're dealing with a MOV instruction, not INC.
    – E.g. the player changes the scoreboard when the match begins to : 12 - 0 » When a goal is scored against him he will see : 0 - 1
  – Changing the value between the two runs of the same routine :
    – This may be difficult and requires more precision, but when doing it by chance using Cheat Engine for example, the first run will store the changed value but the second run will restore the original scoring.
    – So using Cheat Engine directly will not help here. We have to edit instructions then.

53. How could multiple checks beat a cheater in PES 2013 ? (Cont'd)
• How can the second multiple-checking technique beat you ?
  – The reverser will look to zero the opponent's score in the score panel whenever he scores a goal, right ?
  – When the opponent scores against him he will be happy to see that the opponent's score is still 0 in the score panel.
  – When he scores a goal he will be shocked to see that the opponent's score is back to 1.
  – Simply, because in each of those two routines your score and your opponent's score are stored again.
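The scoreboard protection of slides 45 and 51-53 as a small simulation, an added example that is not code from the talk: the real score decides the winner, the panel is refreshed by MOVing both teams' scores from the real ones (never by INC), and the refresh runs twice with a delay. The Match class, the hook used to model an edit between the two runs, and the half_patch flag standing in for the slide-53 cheat are all constructed; the scores are the ones the slides quote.

```python
"""Why re-storing the panel from the authoritative score defeats value edits
(added example, not code from the talk)."""
from typing import Callable, List, Optional

ME, OPP = 0, 1
Hook = Callable[["Match"], None]


class Match:
    """Constructed model: `real` decides the winner, `board` is only displayed."""

    def __init__(self, half_patch: bool = False) -> None:
        self.real: List[int] = [0, 0]     # authoritative score (slide 45)
        self.board: List[int] = [0, 0]    # score panel
        # slide 53: a cheat that zeroes the shown opponent score only inside
        # the opponent's own scoring routine, leaving the other routine alone
        self.half_patch = half_patch

    def refresh_board(self, team: int) -> None:
        """One run of the routine for `team`'s goal: MOV both scores (slide 51)."""
        self.board[ME] = self.real[ME]
        if team == OPP and self.half_patch:
            self.board[OPP] = 0
        else:
            self.board[OPP] = self.real[OPP]

    def goal(self, team: int, between_runs: Optional[Hook] = None) -> None:
        """A goal INCs the real score; the panel routine then runs twice."""
        self.real[team] += 1
        self.refresh_board(team)            # first run
        if between_runs is not None:        # the few-second window of slide 52
            between_runs(self)
        self.refresh_board(team)            # second run

    def winner(self) -> Optional[int]:
        if self.real[ME] == self.real[OPP]:
            return None
        return ME if self.real[ME] > self.real[OPP] else OPP


def tamper_before_goal() -> List[int]:
    """Slide 52, case 1: set the panel to 12 - 0 at kickoff, then concede."""
    m = Match()
    m.board = [12, 0]                       # direct edit of the shown value
    m.goal(OPP)
    return list(m.board)                    # MOV overwrote it: 0 - 1


def tamper_between_runs() -> List[int]:
    """Slide 52, case 2: zero the shown opponent score between the two runs."""
    m = Match()

    def edit(match: Match) -> None:
        match.board[OPP] = 0                # lands after run 1, before run 2

    m.goal(OPP, between_runs=edit)
    return list(m.board)                    # second run restored 0 - 1


def half_patched_opponent_routine() -> dict:
    """Slide 53: zeroing only in the opponent's routine is undone by mine."""
    m = Match(half_patch=True)
    m.goal(OPP)
    after_opp = list(m.board)               # 0 - 0, cheater happy
    m.goal(ME)
    after_me = list(m.board)                # 1 - 1, opponent score is back
    return {"after_opp_goal": after_opp, "after_my_goal": after_me,
            "winner": m.winner()}


if __name__ == "__main__":
    print(tamper_before_goal(), tamper_between_runs(), half_patched_opponent_routine())
```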
54. A patch for it ??
• Very simple.
• Zero the value of [EDI+231] when running either of those 2 routines to bypass the excessive checks.
• Opponent scores :
  – The score is moved to AL from [EBP+44]
  – AL moves the new score to [EDI+231]
  – Replace : MOV AL,BYTE PTR SS:[EBP+44]
  – With : XOR AL,AL
• When I score :
  – The score is moved to DL from [EBP+48]
  – DL moves the old opponent score to [EDI+231]
  – Replace : MOV DL,BYTE PTR SS:[EBP+48]
  – With : XOR DL,DL
56. Game result :
[Screenshots : I scored / Opponent scored / Match ended]
Combination works = WIN !!

57. What have we done so far ?
• We just hacked the whole game scoring system.
• To do that we hacked :
  – The real score that sets the winner.
  – The shown score in the score panel.
• To win you need to score at least one goal.
• All is done automatically, so you will just need to open the executable and enjoy.
• The fun part in reversing games ?
  – You will never encounter the same case or the same routines during the Try-To-Cheat-Me process.
  – Spending a sleepless night (or nights) reversing a game would be fun :)
  – 3nJ0y !!

59. Contact/Follow me :
• dark-puzzle@live.fr
• http://www.facebook.com/dark.puzzle.sec
• http://www.dark-puzzle.com/
• http://www.itsecurity.ma/

60. HAVE A NICE EVENING AND CHALLENGE :) !