I spoke at Hackathon 2013, held in Casablanca on 06/15/2013, about how to cheat in games and defeat many of the protections put in place to stop, confuse or delay the reverse code engineering process.
The demo is about completely hacking the whole scoring system of the PES 2013 game and defeating many protections.
Hackathon 2013 - The Art Of Cheating In Games
1. The Art Of Cheating In Games
Reverse Engineering Games For Fun !
http://www.itsecurity.ma/
2. Who am I ?
• My name is Souhail Hammou (Dark-Puzzle)
• Member of the ITsecurity team (itsecurity.ma)
• Independent software security researcher.
• Found, exploited & reported many 0day vulnerabilities: Huawei, IDman, FlStudio ...
• Now: cooperating with Huawei, reporting 0day vulnerabilities and providing fixes for them.
http://www.dark-puzzle.com
5. Why Attacking Games !!?
• Simply because games are very popular.
• A high percentage of computer users play games, spending loads of money buying them or subscribing to them.
• Billions of dollars are spent on games every year, and some of the game companies are getting richer and richer (Activision, Ubisoft, SquareEnix ...)
• So it's worth a shot, right ??
6. Cheating !?
• Cheating in a game (online/offline) is making a specific task, object, area or resource completed or available to the cheater without any direct interaction with the game.
• Cheat codes are coded into the game (authorized cheating).
• Hacks, trainers and game patches are illegal cheating methods that work by modifying values or instructions inside the game.
• Reverse engineering games is strictly prohibited by the game companies (Konami, Ubisoft ...). Nevertheless we see cracks, trainers and patches for games every day online.
7. Types of cheating
• Wallhack
• Aimbot
• God mode
• Infinite ammo
• Fog removal
• Lots of money
• New items
• Buy items without money
• ...etc
8. Why Creating Your Own Cheats ?
• To avoid malware infection.
• Fun (personal need to hack a game)
• Profit :
– Selling virtual items gained by cheating against real money.
– Sell a game patch or a trainer with multiple cheats.
– Cheat in online casino games to win loads of $$
9. What do we need ?
• We need weapons :
– Tools :
• Packet Interceptors/ Network Sniffers.
• Disassembler
• Debugger
• Memory visualizer
• Memory Editor.
• In the demo we will use some of those to create an
internal game patch !
10. Internal Game Patch ??
• Simply, it's an executable.
• It has approximately the same size as the original executable.
• It replaces the original executable in the game's folder.
• Opening it plays a hacked version of the game (health hack ...).
• You don't need to attach any trainer or do live edits; ALL is done automatically because the original exe has been edited.
11. What are the basic steps to cheat in my favourite game ?
12. Basics :
• In games you're looking for values.
• Ammo, Health, Resources, Money, Gold, Weapon stats, Object weight, Goals, Time ...
• Those values are stored in memory in different types (Byte, Word, Dword ...)
13. What are the basic steps to follow ?
• In general, we need to locate the exact memory field we are trying to reach.
• Here's what we do if we want to find the memory address(es) that store our current life points:
– Diagram: actual game memory (GBs of data) → (1) memory addresses storing 5 as a DWORD → (2) memory addresses storing 3 as a DWORD.
14. Basic Steps to follow (Cont'd)
– Using Cheat Engine :
• Enter the value, specify the type (Byte, WORD, DWORD, Float, Array ...)
• Do a first scan to list all matching addresses
• Go to the game and change that value (take a hit, score a goal ...)
• Do a second scan to see which addresses changed from the first value to the second.
• Easy !! Right :D
• Here's what Cheat Engine looks like.
16. Cheat Engine (Cont'd)
• Cheat Engine can be used as a memory editor and debugger, and has the functionality to create a game trainer.
• We will use Cheat Engine as a first step, then switch to the debugger.
• Cheat Engine is very easy to use; you can use it to change values directly inside the game and enjoy.
• Nevertheless, in some games it may take time to find some values in memory.
19. Anti-Cheating Protections:
• Cheating became easy and popular in both offline & online games; that's why many protections were put in place.
• Anti-cheating protections are meant to slow down the reverse engineering process.
• The reverser must work on finding an anti-anti-cheating bypass in order to reach his goal.
20. What Can('t) Stop us ??
• DMA : Dynamic memory allocation :
– Found in C/C++ games.
– Deallocates and allocates memory by freeing it or allocating new dynamic memory on the heap.
– In each game run the memory addresses change, except the memory addresses that carry opcodes.
– New values stored in memory are moved from a register or from the stack to a memory location pointed to by another register or by reg+X.
– We will see it in our demo.
• Code Shifting protections :
– In each game run the PE base address is changed.
– E.g.: in the first run we had our opcode address at 0052698A and the base address at 00520000.
– In the second run we will have those opcodes at 0053698A and the base address at 00530000.
– The base address changed.
– We simply calculate 0052698A - 00520000 and set our instructions at game.exe+698A, which will always work.
– Available in games like Counter-Strike, Max Payne 2 ...
– Very similar to ASLR protection.
21. Protections (Cont'd)
• Multichecks :
– Server Side Checks (Online games) :
• The operation to be done is set by the client, checked, then sent to the server to be checked again, and only then is it done.
• E.g.: you buy a potion on the WoW main server; your client checks how much money you have on you. This amount is sent to the server in an (encrypted) packet with a request to buy that item. The server checks your amount of money again and responds with a boolean (True or False) contained in an encrypted packet.
– Client Side Checks (Offline games, found in some MMOs also) :
• Multiple checks of a certain condition or value in memory.
• We will deal with it in our Demo as well.
22. Protections (Cont'd)
• Protections against Cheat Engine / finding specific values by visualizing/searching in memory :
– Values in memory differ from the real values in the game.
– After being read from memory, those values are transformed by addition, subtraction, multiplication, division or encryption before being stored again.
– Digging into memory will not give you the right result.
– This method is used to slow down the cheater's process of finding where exactly the value is stored in memory.
– Examining the code may get you to the right value.
– E.g.:
• I've written an example for a fake game that demonstrates that :
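As an added example (not the talk's own fake game, and not code from any real title), here is a constructed score store in C that keeps the authoritative score encoded in memory, as the protection above describes, next to the plain-DWORD scan a memory scanner performs; the key, the transform and the match scenario are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Constructed fake-game score store (added example): the authoritative score is never in
 * memory as a plain DWORD. It is stored encoded under a key and decoded into a register
 * only when the game needs it, so an exact-value scan for "2" after two goals misses. */
typedef struct {
    uint32_t home_enc, away_enc;  /* encoded scores */
    uint32_t key;                 /* assumption: a real game picks this randomly at startup */
} score_store_t;

/* Affine transform plus XOR; v*7 + 0x1234 cannot overflow for realistic scores. */
static uint32_t encode(uint32_t v, uint32_t key) { return (v * 7u + 0x1234u) ^ key; }
static uint32_t decode(uint32_t e, uint32_t key) { return ((e ^ key) - 0x1234u) / 7u; }

void score_init(score_store_t *s, uint32_t key) {
    s->key = key;
    s->home_enc = s->away_enc = encode(0, key);
}
/* Decode, increment in a register, re-encode: the plain value exists only transiently. */
void score_goal(score_store_t *s, int home_team) {
    uint32_t *slot = home_team ? &s->home_enc : &s->away_enc;
    *slot = encode(decode(*slot, s->key) + 1, s->key);
}
uint32_t score_of(const score_store_t *s, int home_team) {
    return decode(home_team ? s->home_enc : s->away_enc, s->key);
}

/* What an "exact value, DWORD" scan does: look for the literal at every byte offset. */
int memory_has_plain_dword(const void *mem, size_t len, uint32_t value) {
    const unsigned char *p = (const unsigned char *)mem;
    for (size_t i = 0; i + sizeof(uint32_t) <= len; i++) {
        uint32_t w; memcpy(&w, p + i, sizeof w);
        if (w == value) return 1;
    }
    return 0;
}

/* Play a constructed match: init with key, then score the given goals per team. */
static void play(score_store_t *s, uint32_t key, int home_goals, int away_goals) {
    score_init(s, key);
    while (home_goals-- > 0) score_goal(s, 1);
    while (away_goals-- > 0) score_goal(s, 0);
}
/* Decoded score of one team after the match. */
uint32_t play_score(uint32_t key, int hg, int ag, int home_team) {
    score_store_t s; play(&s, key, hg, ag); return score_of(&s, home_team);
}
/* 1 if an exact-value scan over the store's bytes would find `needle`, else 0. */
int play_scan(uint32_t key, int hg, int ag, uint32_t needle) {
    score_store_t s; play(&s, key, hg, ag);
    return memory_has_plain_dword(&s, sizeof s, needle);
}
```

With the constructed key 0xA5A5C3C3 and a 2 - 1 match, play_score(key, 2, 1, 1) decodes to 2 while play_scan(key, 2, 1, 2) returns 0: the scanner only ever sees the encoded words, which is exactly why the text says examining the code, not the memory, leads to the value.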
26. Protections found in almost every game
• Anti-Debugging :
– Detects any debugger attached to or running the game.
– Uses the IsDebuggerPresent API or time checking methods.
• Self Modifying Code :
– Goes through long loop(s) that edit instructions and then execute them.
– Makes static analysis hard.
• Packing :
– The game might be packed by a commercial packer, which makes it difficult to find the OEP.
• CD/DVD Protections :
– The most difficult protections to defeat (Please Insert CD to play).
– E.g.: SafeRom 4.X uses a complicated routine to detect whether the CD is in or out.
– SafeRom 4.X also protects against debugging and unpacking.
28. Introduction to how games work :
• Dealing with the Stack :
– The stack stores local variables, arguments ...
– The call stack helps you find where returns from calls will happen inside the executable at run-time.
– In games, the stack (sometimes) stores score, health ... for a temporary period.
• Dealing with SEH :
– To avoid creating a long and recursive SEH chain, games use multi-threading, which requires more processor performance in modern games.
• Multi-Threading :
– A thread is a unit of execution or processing.
– Each thread carries out a specific mission (loading maps ...) then sends a termination status flag, while the main thread waits for these tasks to complete.
29. Multi-Threading in PES 2013
• I analysed how multi-threading works in PES 2013 by reverse engineering it, and here's what I found :
– In each match, everything that happens inside the game field is handled by one thread.
– When the ball goes outside the game field (missed goal), this thread is terminated.
– Here the game uses the ExitThread function to deallocate the SEH chain, then executes the GetExitCodeThread function in order to retrieve the termination status of the thread.
– A new thread is created using the CreateThread function, with the type of phase that will be executed (goal kick ...)
– We can conclude that the game uses each thread to complete a series of actions (replay, fault, goal, ball inside the field).
– Keep in mind: many threads run at the same time in the game.
– E.g.: the ball is outside the field but you can still hear the audience.
31. How Can I Cheat in a Real Game ?
• Pick a target (PES 2013 Demo Version).
• Play the game to be more familiar with it.
• Pick a specific functionality to hack (Scoring).
• Start having fun !
32. Before going through the demo !
• It is illegal to Reverse this game (Who Cares anyway !)
• You can download the demo game (1Gb I think).
• If you want to try the patch that I created , which we will
see in the demo feel welcome to ask me for it (15 Mb)
33. What am I going to do with scoring ?
1. The purpose is to make the goal that I score count.
2. The purpose is not to make opponent goals count.
3. When my team scores a goal I see : 1 - 0
4. When the opponent team score I still see : 1 - 0
5. Let the game begin !
34. Locating our target in memory.
• How can we use Cheat Engine ? :
– Select the Attach process button
– Click on pes2013.exe
– Then hit Open
– Afterwards, score two goals against your opponent, then search for the value 2 as a DWORD.
– Score another goal or two, look for the new value.
– Do the same with your opponent: let him score, then follow the same method.
– Score some goals against yourself, then follow the same method.
– You will find yourself in front of two memory addresses.
35. • Memory addresses found :
• First : 0196F964
• Second : 0196F96C
• The instructions that write to these addresses :
– To the first one :
00FD696D - 66 FF 04 50 - inc word ptr [eax+edx*2]
– To the second one :
00FD6929 - 66 FF 40 08 - inc word ptr [eax+08]
• I switched to Immunity Debugger, scored a goal against myself and hit the second breakpoint. (No need to analyze this any further)
• The opponent scored against me and I hit the first bp; I scored against my opponent and I hit the first bp !
• The two possibilities are handled by the same routine.
37. • Lots of incrementing of values in memory.
• Just one memory address that holds the value of goals scored is loaded into a register (EAX). (Other values stored in memory can be used for second checks later or anywhere else in the game ...)
• To achieve our goal we need to switch from incrementing to zeroing.
• Have you noticed a problem with using the direct patching method to do that ?
38. • The score will be nulled for every team.
• The solution is to :
• Jump to an unused area inside the executable (code cave) then write our own instructions.
• Still remember the value of EAX relative to who scored ?
• That's what we're going to compare, then do a conditional jump: if not taken it will zero the opponent score; if taken it will continue the routine normally to inc our score.
39. Feeling Confused ?!! :p
– Diagram: JMP to unused area of code → EAX == 0196F628 ? (have we scored?)
– YES → rewrite the overwritten instructions → jump back to continue running the original routine as if nothing happened.
– No → patch all INC by zeroing → JMP to RETN in the original routine.
40. (Cont'd)
• Edit original routine (add a JMP to unused area of code)
– 00FD694F ADD EAX, 0196F628
– 00FD6954 CMP CL,12
– 00FD6957 JNB SHORT 00FD6983
– 00FD6959 JMP 0133DD4C <-- Added this Jump
– 00FD695E NOP
– 00FD695F NOP
– 00FD6960 PUSH ESI
– 00FD6961 LEA ESI,DWORD PTR DS:[ECX+1]
– 00FD6964 IMUL ECX,ECX,16
– 00FD6967 IMUL ESI,ESI,2C
Two instructions overwritten :
INC WORD PTR DS:[EAX+8] & MOVZX ECX,CL
41. Cont'd
• The instruction INC WORD PTR DS:[EAX+8] is the one we need to edit when the opponent scores, so it's better to remove it from the original routine.
• We jumped to 0133DD4C ! What's in there ?
• As the diagram shows, we have to write instructions that compare EAX to 0196F628.
• ASM :
– 0133DD4C CMP EAX,0196F628
– 0133DD51 JE SHORT 0133DD8E
• If the compare is true we jump to 0133DD8E; it means that we scored a goal.
• If the compare is false we do not jump, and zero the memory locations instead of INC.
43. Running the game :
• Save modifications in a patch.
• Run the game !
• Behavior :
– What is expected to happen :
• I score a goal, it is counted (routine runs normally)
• Opponent scores a goal, not counted (no incrementing)
• I scored a goal, I should see in the score panel ( 1 - 0 )
• The opponent scored back, I should see ( 1 - 0 )
• When the match ends I should win.
– What happens in reality :
• I scored a goal, I see in the score panel ( 1 - 0 )
• The opponent scored back, I see ( 1 - 1 )
• When the match ends I win.
44. Here's what happens !
I just scored a goal (EAX comparison true, jump taken)
The opponent scored back (EAX comparison false, jump not taken)
Match ended and we won, so our patch is working, but not with the scoreboard, so we will need to patch it too.
45. Real VS Shown
• The real value of the goals is stored in separate locations in memory, to be shown in the final game statistics.
• The real value decides who is the winner.
• The real value is the one we edited in the first example.
• The shown value is the one stored in the scoreboard.
• Changing it to 99-0 will not affect the winner or loser.
• We have to link the two to create a realistic and logical combination.
46. Fake Trainers Detected !!
• I saw many trainers online made for PES 2011 and also PES 2013 that only edit the values on the score panel, so the real score isn't affected.
• The winner will be the team that scored more goals, as in normal cases.
48. Hacking the scoreboard !
Here are the two routines that deal with the score panel.
I got them using Cheat Engine. It took me time to locate them, as the value at the memory address changes with a delay of 3 seconds, possibly because of the player celebration scene (a possible time-related protection to annoy fast and impatient cheaters).
49. We Indirectly Bypassed a Protection :
• DMA bypassed :
– In each run the score shown in the scoreboard is stored in different memory locations, because of the memory management.
– Finding what writes to this address gives us static opcodes found at a static address in the PE.
– N.B : the previous cheat of the real score deals with static memory addresses that don't change.
51. Double Multi-Checking Protection
• Multi-Checking protections (Double Protection):
– The routine responsible for each case (me scoring, opponent scoring) runs 2 times for each goal.
– In every case the other team's score (mine or the opponent's) is always checked and stored again.
– For example :
– I scored a goal; the score will be MOVED into the scoreboard, but the opponent score, which stays as it is, will also be checked and stored again. After a short period the same routine runs again.
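To make the MOV-versus-INC point concrete, here is an added C model (not from the talk, and not PES 2013 code) of a scoreboard routine that re-stores both teams' values from the authoritative score on each of its two runs, beside the weak design that increments the panel copy; the structures and the 12 - 0 scenario are constructed.

```c
#include <stdint.h>

/* Constructed model of two scoreboard designs (added example, not the talk's code).
 * `real` is the authoritative score; `shown` is the panel value a cheater may edit in
 * memory. PANEL_INC lets the panel keep its own counter (INC), so an edit persists.
 * PANEL_MOV re-stores both teams' panel values from the real score (MOV) on every run
 * of the routine, and runs it twice per goal, so an edit survives only until the next run. */
typedef struct { uint8_t home, away; } score_t;
typedef struct { score_t real, shown; } game_t;
enum { PANEL_INC = 0, PANEL_MOV = 1 };

/* Weak design: the panel increments its own copy of the scoring team's value. */
static void panel_inc(game_t *g, int home_team) {
    if (home_team) g->shown.home++; else g->shown.away++;
}
/* Multi-check design: both values are overwritten from the real score, run twice. */
static void panel_mov(game_t *g) {
    for (int run = 0; run < 2; run++) {
        g->shown.home = g->real.home;   /* the scorer's value */
        g->shown.away = g->real.away;   /* the other team's value, stored again */
    }
}
/* A goal always updates the authoritative score, then refreshes the panel. */
void goal(game_t *g, int home_team, int mode) {
    if (home_team) g->real.home++; else g->real.away++;
    if (mode == PANEL_INC) panel_inc(g, home_team); else panel_mov(g);
}
/* Models a memory edit of the panel only, which is all a scoreboard-only trainer does. */
void tamper_shown(game_t *g, uint8_t home, uint8_t away) {
    g->shown.home = home; g->shown.away = away;
}
/* Real winner: 1 home, -1 away, 0 draw. Only the authoritative score counts. */
int winner(const game_t *g) {
    return (g->real.home > g->real.away) - (g->real.home < g->real.away);
}

/* Scenario from the talk: the panel is edited to 12 - 0 at kick-off, then the opponent
 * (away) scores once. Returns shown home << 8 | shown away. */
uint16_t shown_after_tamper(int mode) {
    game_t g = {{0, 0}, {0, 0}};
    tamper_shown(&g, 12, 0);
    goal(&g, 0, mode);
    return (uint16_t)(g.shown.home << 8 | g.shown.away);
}
/* Same scenario; the real winner is unaffected by the panel edit in either design. */
int winner_after_tamper(int mode) {
    game_t g = {{0, 0}, {0, 0}};
    tamper_shown(&g, 12, 0);
    goal(&g, 0, mode);
    return winner(&g);
}
```

With PANEL_INC the panel still reads 12 - 1 after the opponent's goal; with PANEL_MOV the first run of the routine overwrites it to 0 - 1, which is the behaviour the slides describe.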
52. How could multiple checks beat a cheater in PES 2013 ?
• How can the first Multiple-Checking technique beat you ?
– The routine is run two times with a delay of some seconds.
– The player may change the scoreboard values in memory either between those two runs, or before or after them.
– Changing the value before or after a goal is scored :
– When changing the values before or after a goal is scored, the scoring returns to normal when the next goal is scored, because we're dealing with a MOV instruction, not INC.
– E.g.: the player changes the scoreboard when the match begins to : 12 - 0
» When a goal is scored against him he will see : 0 - 1
– Changing the value between the two runs of the same routine :
– This may be difficult and requires more precision, but when doing it by chance using Cheat Engine for example, the first run will store the changed value but the second run will restore the original score.
– So using Cheat Engine directly will not help here. We have to edit instructions then.
53. How could multiple checks beat a cheater in PES 2013 ? (Cont'd)
• How can the second Multiple-Checking technique beat you ?
– The reverser will look to zero the opponent score in the score panel whenever he scores a goal, right ?
– When the opponent scores against him he will be happy to see that the opponent score is still 0 in the score panel.
– When he scores a goal he will be shocked to see that the opponent score is back to 1.
– Simply because in each of those two routines your score and your opponent's score are stored again.
54. A patch for it ??
• Very simple.
• Zero the value of [EDI+231] when running any of those 2
routines to bypass excessive checks.
• opponent scores :
– The score is moved to AL from [EBP+44]
– AL moves the new score to [EDI+231]
– Replace : MOV AL,BYTE PTR SS:[EBP+44]
– With : XOR AL,AL
• when I score :
– The score is moved to DL from [EBP+48]
– DL moves old opponent score to [EDI+231]
– Replace : MOV DL,BYTE PTR SS:[EBP+48]
– With : XOR DL,DL
56. Game result :
I scored
Opponent scored
Match ended , Combination works = WIN !!
57. What have we done so far ?
• We just hacked the whole game scoring system.
• To do that we hacked :
– The real score that sets the winner.
– The shown score in the scorepanel.
• To win you need to score at least one goal.
• All is done automatically so you will need just to open the
executable and enjoy.
• The fun part in Reversing Games ?
– You will never encounter the same case or the same routines
during the Try-To-Cheat-Me process.
– Spending a sleepless night(s) reversing a game would be fun :)
– 3nJ0y !!