The Art Of Cheating In
Games
Reverse Engineering Games For Fun !
Http://www.itsecurity.ma/
Who am I ?
• My name is Souhail Hammou (Dark-Puzzle)
• Member of ITsecurity team (itsecurity.ma)
• Independant Software Se...
I will talk today about ...
Introduction
Why Attacking Games !!?
• Simply because games are very popular.
• A high pourcentage of computer users are playing
games,...
Cheating !?
• Cheating in a game (online/offline) is to make a specific
task , object , area , ressource completed or avai...
Types of cheating
• Wallhack
• Aimbot
• God mode
• Infinite ammo
• Fog removal
• Lot of money
• New items
• Buy items with...
Why Creating Your Own Cheats ?
• To avoid malware infection.
• Fun (personal need to hack a game)
• Profit :
– Selling vir...
What do we need ?
• We need weapons :
– Tools :
• Packet Interceptors/ Network Sniffers.
• Disassembler
• Debugger
• Memor...
Internal Game Patch ??
• Simply it's an executable.
• Approximately have the same size of the original
executable.
• It ha...
What are the basic steps to cheat in
my favourite game ?
Basics :
• In games you're looking for values.
• Ammo , Health , Ressources , Money , Gold , Weapons
stats , Objects weigh...
What are the basic steps to follow ?
• In general , we need to locate the exact memory field
that we try to reach.
• Here'...
Basic Steps to follow (Cont'd)
– Using Cheat Engine :
• Enter value , specify type (Byte , WORD , DWORD , Float , Array .....
Cheat Engine !
Cheat Engine (Cont'd)
• Cheat engine can be used a memory editor , debugger
and has the functionality of creating a game t...
Is cheating in games that easy ?
Anti-Cheating Protections:
• Cheating became easy and popular in both offline &
online games , that's why many protections...
What Can('t) Stop us ??
• DMA : Dynamic memory allocation :
– Can be found at C/C++
– Dealocates and allocates memory by f...
Protections (Cont'd)
• Multichecks :
– Server Side Checks (Online games) :
• The operation to be done is set by the client...
Protections (Cont'd)
• Protections against Cheat Engine / Finding specific
values by visualizing/searching in memory :
– V...
CheatEngine (Cont'd)
When the player dies for example the value hold in memory for Life
points will be 200.
1100
Cheat Engine Fails
Disassembly doesn't fail
So cheat engine will absolutely find the 1300 value but not 1100.
Protections found in almost every game
• Anti-Debugging :
– Detects any ongoing debugger attached or running the game.
– U...
How games are structured ?
Introduction to how games work :
• Dealing with the Stack :
– The Stack is storing local variables, arguments ...
– The ca...
Multi-Threading in PES 2013
• I analysed how Multi-Threading is working on PES 2013 by reverse
engineering it and here's w...
Reverse Engineering Games in
Action.
Detailed Demonstration.
How Can I Cheat in a Real Game ?
• Pick a target (PES 2013 Demo Version).
• Play the game to be more familiar with it.
• P...
Before going through the demo !
• It is illegal to Reverse this game (Who Cares anyway !)
• You can download the demo game...
What am I going to do with scoring ?
1. The purpose is to make the goal that I score count.
2. The purpose is not to make ...
Locating our target in memory.
• How can we use CheatEngine ? :
– Select Attach process button
– Click on pes2013.exe
– Th...
• Memory addresses found :
• First : 0196F964
• Second : 0196F96C
• The instructions that write to these addresses :
– To ...
Let's see what's going on
• Lots of incrementation of values in memory.
• Just one memory address that holds the value of goals
scored is loaded int...
• The score will be nulled for every team.
• The solution is to :
• Jump to an unused area inside the Executable (Code
Cav...
Feeling Confused ?!! :p
JMP to unused area of code
EAX == 0196F628 ?
(have we scored?)
Rewrite instructions
overwritten
Pa...
(Cont'd)
• Edit original routine (add a JMP to unused area of code)
– 00FD694F ADD EAX, 0196F628
– 00FD6954 CMP CL,12
– 00...
Cont'd
• The instruction INC WORD PTR DS:[EAX+8] We need
to edit it when the opponent scores. So better remove it
from ori...
(Cont'd)
Running the game :
• Save modifications in a patch.
• Run the game !
• Behavior :
– What Is expected to happen :
• I score...
Here's what happens !
I just scored a goal (EAX comparison true , jump taken)
The opponent scored back (EAX comparison fal...
Real VS Shown
• Real value of the goals is stored in a separated locations
in Memory to be shown in the final game statist...
Fake Trainers Detected !!
• I saw many trainers online that are made for PES 2011
and also PES 2013 that work on just edit...
Reverse Engineering the Problem :
Creating a combination & beating
protections :
Hacking the scoreboard !
Here's the two routines that are dealing with the scorepanel
Got them using CheatEngine , It took...
We Undirectly Bypassed a Protection :
• DMA bypassed :
– In each run the score shown in the scoreboard is stored into
diff...
Can you see more protections here ?
Double Multi-Checking Protection
• Multi-Checking protections (Double Protection):
– The Responsible routine for each case...
How could multiple checks beat a cheater in PES 2013 ?
• How can the First Multiple-Checking technique beat
you ?
– The ro...
How could multiple checks beat a cheater in PES 2013 ? (Cont'd)
• How can the second Multiple-Checking technique beat
you ...
A patch for it ??
• Very simple.
• Zero the value of [EDI+231] when running any of those 2
routines to bypass excessive ch...
Result :
Game result :
I scored
Opponent scored
Match ended , Combination works = WIN !!
What have we done so far ?
• We just hacked the whole game scoring system.
• To do that we hacked :
– The real score that ...
QUESTIONS ?
?
Contact/Follow me :
• dark-puzzle@live.fr
• http://www.facebook.com/dark.puzzle.sec
• http://www.dark-puzzle.com/
• http:/...
HAVE A NICE EVENING AND
CHALLENGE :) !
Hackathon 2013 - The Art Of Cheating In Games
Upcoming SlideShare
Loading in …5
×

Hackathon 2013 - The Art Of Cheating In Games

1,078 views

Published on

I speaked in Hackathon 2013 that took place in Casablanca the 06/15/2013 about how to cheat in games , defeat many protections that are took in place in order to stop, confuse or delay the reverse code engineering process.
The Demo is about completely hacking the whole scoring system of PES 2013 game & defeating many protections.

2 Comments
3 Likes
Statistics
Notes
  • My advice is: start simple with a FOSS game, treat it as if it would be closed source and you're able to check your findings against the source.
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Really nice presentation! Unfortunately, it shows game cheating for Windows only.
    I'm the author of the Universal Elite Game Trainer 'ugtrain' - the best tool for Linux. It is free and open-source software (FOSS) under GPLv2 license with public source on Github. It is developed by example and includes a couple of example configs (plain-text) for FOSS games of course as these allow cheating. This makes me a White Hat Cheater. There are configs and videos e.g. for Chromium B.S.U. and Warzone 2100. It is teaming up with scanmem, patchelf and objdump -D. It bypasses ASLR/PIC/PIE to make static memory static again. I wrote the ASLR support for scanmem as well. So it fits together. Ugtrains dynamic memory support sets it apart! It uses API hooking of e.g. malloc() and free() with LD_PRELOAD as on Linux the Cheat Engine DMA support (which utilizes static access pointers for this) wouldn't work. This way ugtrain has simple config self adaption. It disassembles with objdump -D and searches for the correct _Znwm()/_Znwj() [GNU C++ 'new' operator] and malloc() calls as the allocation size is known.

    Details:
    https://github.com/sriemer/ugtrain
    http://en.wikipedia.org/wiki/Trainer_%28games%29

    Dynamic memory discovery works by recording all mallocs, finding a value on the heap with scanmem, killing the game process and giving the found memory address to ugtrain. It searches reverse for the related memory allocation and returns the object size, a code address, the reverse stack offset (as GNU backtrace() is unreliable), the function name and the offset of the value within the object. With that configured ugtrain can watch the value and dump the object to find more values within.
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Views
Total views
1,078
On SlideShare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
11
Comments
2
Likes
3
Embeds 0
No embeds

No notes for slide

Hackathon 2013 - The Art Of Cheating In Games

  1. 1. The Art Of Cheating In Games Reverse Engineering Games For Fun ! Http://www.itsecurity.ma/
  2. 2. Who am I ? • My name is Souhail Hammou (Dark-Puzzle) • Member of ITsecurity team (itsecurity.ma) • Independant Software Security researcher. • Found, Exploited & Reported many 0day vulnerabilities : Huawei , IDman , FlStudio ... • Now : Cooperating with Huawei reporting 0day vulnerabilities and providing vulnerabilities fixes. http://www.dark-puzzle.com
  3. 3. I will talk today about ...
  4. 4. Introduction
  5. 5. Why Attacking Games !!? • Simply because games are very popular. • A high pourcentage of computer users are playing games, spending loads of money buying them or subscribing to them. • Billions of dollars are spent to buy games every year and some of the game companies are getting richer and richer (Activision, Ubisoft , SquareEnix ...) • So It's Worth a Shot right ??
  6. 6. Cheating !? • Cheating in a game (online/offline) is to make a specific task , object , area , ressource completed or available for the cheater without any direct interaction with the game. • Cheats codes are coded with the game (Authourized Cheating). • Hacks , Trainers , Game patches are illegal cheating ways that work on modifying values , instructions inside the game. • Reverse Engineering games is strictly prohibited by the game companies (Konami,Ubisoft...) . Nevertheless we see cracks, trainers and patches for games everyday online.
  7. 7. Types of cheating • Wallhack • Aimbot • God mode • Infinite ammo • Fog removal • Lot of money • New items • Buy items without money • ...etc
  8. 8. Why Creating Your Own Cheats ? • To avoid malware infection. • Fun (personal need to hack a game) • Profit : – Selling virtual items gained by cheating against real money. – Sell a game patch or a trainer with multiple cheats. – Cheat in online casino games to win loads of $$
  9. 9. What do we need ? • We need weapons : – Tools : • Packet Interceptors/ Network Sniffers. • Disassembler • Debugger • Memory visualizer • Memory Editor. • In the demo we will use some of those to create an internal game patch !
  10. 10. Internal Game Patch ?? • Simply it's an executable. • Approximately have the same size of the original executable. • It has to be replaced into the game's folder. • Opening it will play a hacked version of the game (health hack ...) . • You don't need to attach any trainer or do some live edits , ALL is done automatically because the original exe has been edited.
  11. 11. What are the basic steps to cheat in my favourite game ?
  12. 12. Basics : • In games you're looking for values. • Ammo , Health , Ressources , Money , Gold , Weapons stats , Objects weight , Goals , Time ... • Those values are stored in different types in memory (Byte,Word,Dword ...)
  13. 13. What are the basic steps to follow ? • In general , we need to locate the exact memory field that we try to reach. • Here's what we do If we want to find the memory address(es) that store our current lifepoints: Actual game memory (GBbytes of Data) Memory addresses storing 5 as a DWORD Memory addresses stroring 3 as a DWORD 1 2
  14. 14. Basic Steps to follow (Cont'd) – Using Cheat Engine : • Enter value , specify type (Byte , WORD , DWORD , Float , Array ...) • Do a first scan to list all values • Go to the game and change that value (take a hit , score a goal ...) • Do a second scan to see what values changed from the first value to the second. • Easyy !! Right :D • Here's what CheatEngine looks like.
  15. 15. Cheat Engine !
  16. 16. Cheat Engine (Cont'd) • Cheat engine can be used a memory editor , debugger and has the functionality of creating a game trainer. • We will use cheat engine as a first step then switch to the debugger. • Cheat Engine is very easy to use, you can use it to change values directly inside the game and enjoy. • Nevertheless, in some games it may take time to find some values in memory.
  17. 17. Is cheating in games that easy ?
  18. 18. Anti-Cheating Protections: • Cheating became easy and popular in both offline & online games , that's why many protections took place. • Anti-Cheating protections are meant to slow down the reverse engineering process. • The reverser must work on finding an Anti-Anti-Cheating bypass in order to reach his goal.
  19. 19. What Can('t) Stop us ?? • DMA : Dynamic memory allocation : – Can be found at C/C++ – Dealocates and allocates memory by freeing it or allocating new dynamic memory on heap – In each game run , the memory addresses will change except the memory addresses which carry Opcodes. – New values stored in memory will be moved from a register or from stack to a memory location that is pointed by another reg or a reg+X . – Will see it in our demo . • Code Shifting protections : – In each game run the PE base address will be changed . – E.I : in the first run we had our oppcode address at : 0052698A and the Base Address is : 00520000 – in the second run we will have those oppcodes at : 0053698A and the Base Address is : 00530000 – Base address changed. – we need simply to calculate 0052698A - 00520000 and setting our instructions at game.exe+698A will always work . – Available in game like Countrer Strike , Max Payne 2 ... – More similar to ASLR protection .
  20. 20. Protections (Cont'd) • Multichecks : – Server Side Checks (Online games) : • The operation to be done is set by the client , checked then sent to the server to be checked again then it is done. • e.i : you buy a potion in WoW main server, your client will check how much you got on you $$ . This amount will be sent to the server in a packet (Encrypted) with a request of buying that item.The server will check again your amout of money and responds with a boolean (True or False) contained in a encrypted packet. – Client side Checks (Offline games , found on some MMOs also) : • Multiple checks of a certain condition or value in memory. • We will deal with it also in our Demo .
  21. 21. Protections (Cont'd) • Protections against Cheat Engine / Finding specific values by visualizing/searching in memory : – Values in memory differ from real values in the game. – After getting those values from memory they are edited by Addition , substruction , multiplication, division or encryption to be stored afterwards. – Digging into memory will not give you a right result. – This method is used to slow the cheater process of finding where exactly the value is stored in memory. – Examining the code may get you to the right value. – E.i : • I've written an example for a fake game that demonstrates that :
  22. 22. CheatEngine (Cont'd) When the player dies for example the value hold in memory for Life points will be 200. 1100
  23. 23. Cheat Engine Fails
  24. 24. Disassembly doesn't fail So cheat engine will absolutely find the 1300 value but not 1100.
  25. 25. Protections found in almost every game • Anti-Debugging : – Detects any ongoing debugger attached or running the game. – Uses IsDebuggerPresent API or time checking methods . • Self Modifying Code : – goes into a long loop(s) to edit instructions by then execute them. – Makes it hard for a static analysis • Packing : – The Game might be packed by a commercial packer which makes it difficult to find OEP. • CD/DVD Protections : – Most difficult protections to defeat (Please Insert CD to play) . – E.I : SafeRom 4.X uses a complicated routine to detect if the CD is in or out. – SafeRom 4.X is also protecting against debugging and unpacking.
  26. 26. How games are structured ?
  27. 27. Introduction to how games work : • Dealing with the Stack : – The Stack is storing local variables, arguments ... – The call stack helps you find where returns from calls will happen inside the executable at run-time. – In gaming , the stack stores (Sometimes) score, health... for a temporary period. • Dealing with SEH : – To avoid creating a long and recursive SEH chain , games use Multi-Threading which requires more processor performance in modern games . • Multi-Threading : – A thread is a unit of execution or processing. – Each thread is doing a specific mission (Loading maps ...) then sends a termination status flag , while the main thread is pending these tasks for completion.
  28. 28. Multi-Threading in PES 2013 • I analysed how Multi-Threading is working on PES 2013 by reverse engineering it and here's what I found : – In each match. All what happens inside the game field is defined by one thread. – When the ball go outside of the game field (Missed goal), this thread is terminated. – Here the game uses ExitThread function to deallocate the SEH chain then executes GetExitCodeThread function in order to retreive a termination status of the thread. – A new thread is created using CreateThread function which has the type of phase which will be executed (Goal Kick...) – We can conclude that the game uses each Thread to complete serie of action . (Replay,Fault,Goal,Ball inside the field). – Keep in mind : Many threads are running in the same time in the game . – E.i : the ball is outside the field but you can still hear the audience voice.
  29. 29. Reverse Engineering Games in Action. Detailed Demonstration.
  30. 30. How Can I Cheat in a Real Game ? • Pick a target (PES 2013 Demo Version). • Play the game to be more familiar with it. • Pick a specific functionality to hack (Scoring). • Start having fun !
  31. 31. Before going through the demo ! • It is illegal to Reverse this game (Who Cares anyway !) • You can download the demo game (1Gb I think). • If you want to try the patch that I created , which we will see in the demo feel welcome to ask me for it (15 Mb)
  32. 32. What am I going to do with scoring ? 1. The purpose is to make the goal that I score count. 2. The purpose is not to make opponent goals count. 3. When my team scores a goal I see : 1 - 0 4. When the opponent team score I still see : 1 - 0 5. Let the game begin !
  33. 33. Locating our target in memory. • How can we use CheatEngine ? : – Select Attach process button – Click on pes2013.exe – Then hit Open – Afterwards , score two goals on your opponent , then search for the Value 2 as a DWORD. – Score another goal or two , look for the new value. – Do the same with your opponent let him score then do the same method. – Score some goals against yourself then follow the same method. – You will find your self in front of two memory addresses.
  34. 34. • Memory addresses found : • First : 0196F964 • Second : 0196F96C • The instructions that write to these addresses : – To the first one : 00FD696D - 66 FF 04 50 - inc word ptr [eax+edx*2] – To the second one : 00FD6929 - 66 FF 40 08 - inc word ptr [eax+08] • I switched to Immunity Debugger , scored a goal against my self and I hit the second breakpoint. (No need to analyze this anymore) • The opponent scored against me and I hit the first bp , I scored against my opponent and I hit the first bp ! • The two possibilities are done with the same routine.
  35. 35. Let's see what's going on
  36. 36. • Lots of incrementation of values in memory. • Just one memory address that holds the value of goals scored is loaded into a register (EAX). (Other values stored in memory can be used for second checks later or anywhere else in the game...) • To achieve our goal we need to switch from incremention to Zeroing. • Have you noticed a problem using direct patching method to do that ?
  37. 37. • The score will be nulled for every team. • The solution is to : • Jump to an unused area inside the Executable (Code Cave) then write our own instructions. • Still Remember the value of EAX relative to who scored ? • That's what we're going to compare then do a conditional Jump if not taken it will Zero the opponent score, if taken it will continue the routine normally to inc our score.
  38. 38. Feeling Confused ?!! :p JMP to unused area of code EAX == 0196F628 ? (have we scored?) Rewrite instructions overwritten Patch all INC by Zeroing YES No JMP to RETN in the Original Routine To the instructions we've written Jump to continue running original routine like if nothing happened
  39. 39. (Cont'd) • Edit original routine (add a JMP to unused area of code) – 00FD694F ADD EAX, 0196F628 – 00FD6954 CMP CL,12 – 00FD6957 JNB SHORT 00FD6983 – 00FD6959 JMP 0133DD4C <-- Added this Jump – 00FD695E NOP – 00FD695F NOP – 00FD6960 PUSH ESI – 00FD6961 LEA ESI,DWORD PTR DS:[ECX+1] – 00FD6964 IMUL ECX,ECX,16 – 00FD6967 IMUL ESI,ESI,2C Two instructions overwritten : INC WORD PTR DS:[EAX+8] & MOVZX ECX,CL
  40. 40. Cont'd • The instruction INC WORD PTR DS:[EAX+8] We need to edit it when the opponent scores. So better remove it from original routine. • We jumped to 0133DD4C ! What's in there ? • As the Diagram shows . we have to write instructions that do a comparison of EAX to 0196F628. • ASM : – 0133DD4C CMP EAX,0196F628 – 0133DD51 JE SHORT 0133DD8E • If the compare is true we will jump to 0133DD8E ; it means that we scored a goal. • If the compare is false we will not jump & Zero memory locations instead of INC.
  41. 41. (Cont'd)
  42. 42. Running the game : • Save modifications in a patch. • Run the game ! • Behavior : – What Is expected to happen : • I score a goal , it is counted (routine goes normally) • Opponent scores a goal , not counted (No Incrementions) • I scored a goal I should see in the score panel ( 1 - 0 ) • The opponent scored back I should see ( 1 -0 ) • When the match end I should win . – What happens in reality : • I scored a goal I see in the score panel ( 1 - 0) • The opponent scored back I see ( 1 - 1 ) • When the match ends I win .
  43. 43. Here's what happens ! I just scored a goal (EAX comparison true , jump taken) The opponent scored back (EAX comparison false ; jump not taken Match ended and we won , so our patch is working but not with the scoreboard so we will need to patch it too
  44. 44. Real VS Shown • Real value of the goals is stored in a separated locations in Memory to be shown in the final game statistics. • Real value decides who is the winner. • Real value is the one we edited in the first example • Shown value is the one stored into the Scoreboard. • Changing it to 99-0 will not affect the winner or loser. • We have to link between those two to create a realistic and logic combination.
  45. 45. Fake Trainers Detected !! • I saw many trainers online that are made for PES 2011 and also PES 2013 that work on just editing the values on the scorepanel , so the real score isn't affected. • The winner will be the team who scored many goals like it is in normal cases.
  46. 46. Reverse Engineering the Problem : Creating a combination & beating protections :
  47. 47. Hacking the scoreboard ! Here's the two routines that are dealing with the scorepanel Got them using CheatEngine , It took me time to locate them as the value of memory address change in a delay of 3 seconds possibly because of the player celebration scene (A possible time-related protection to annoy fast and impatient cheaters).
  48. 48. We Undirectly Bypassed a Protection : • DMA bypassed : – In each run the score shown in the scoreboard is stored into different memory location addresses , that's because of the memory management. – Finding what writes to this address , gives us static opcodes found on a static address of the PE. – N.B : Previous cheat of real score deals with static memory addresses that don't change.
  49. 49. Can you see more protections here ?
  50. 50. Double Multi-Checking Protection • Multi-Checking protections (Double Protection): – The Responsible routine for each case (me scoring,opponent scoring) run 2 times for each goal. – In every case the other team score (Me or opponent) is always checked and stored again. – For example : – I scored a goal , the score will be MOVED into the scoreboard, but the opponent score that will stay as it is will be also checked and stored again. After a short period the same routine will be done again.
  51. 51. How could multiple checks beat a cheater in PES 2013 ? • How can the First Multiple-Checking technique beat you ? – The routine is run two times with a delay of some seconds. – The player may change the scoreboard values in memory either between those two runs , before or after them. – Chaging the value before or after a goal is scored : – When changing the values before or after a goal is scored , when the next goal is scored the scoring will return as normal because we're dealing with a MOV instruction not INC . – E.I : the player changes scoreboard when the match begins into : 12 - 0 » When a goal is scored against him he will see : 0 - 1 – Changing the value between the two runs of the same routine : – Which may be diffcult and requires more precision , but when doing it by chance using a CheatEngine for example , the first run will store the value changed but the second run will restore the original scoring – So using cheat-engine directly will not help here. We have to edit instructions then.
  52. 52. How could multiple checks beat a cheater in PES 2013 ? (Cont'd) • How can the second Multiple-Checking technique beat you ? – The reverser will look to Zero the opponent score in the scorepanel whenever he scored a goal , right ? – When the opponent scores against him he will be happy to see that the opponent score is still 0 in the scorepanel. – When he will score a goal he will be shocked to see that the opponent score is back to 1 . – Simply, because in each of those two routines your score and your opponent score are stored again.
  53. 53. A patch for it ?? • Very simple. • Zero the value of [EDI+231] when running any of those 2 routines to bypass excessive checks. • opponent scores : – The score is moved to AL from [EBP+44] – AL moves the new score to [EDI+231] – Replace : MOV AL,BYTE PTR SS:[EBP+44] – With : XOR AL,AL • when I score : – The score is moved to DL from [EBP+48] – DL moves old opponent score to [EDI+231] – Replace : MOV DL,BYTE PTR SS:[EBP+48] – With : XOR DL,DL
  54. 54. Result :
  55. 55. Game result : I scored Opponent scored Match ended , Combination works = WIN !!
  56. 56. What have we done so far ? • We just hacked the whole game scoring system. • To do that we hacked : – The real score that sets the winner. – The shown score in the scorepanel. • To win you need to score at least one goal. • All is done automatically so you will need just to open the executable and enjoy. • The fun part in Reversing Games ? – You will never encounter the same case or the same routines during the Try-To-Cheat-Me process. – Spending a sleepless night(s) reversing a game would be fun :) – 3nJ0y !!
  57. 57. QUESTIONS ? ?
  58. 58. Contact/Follow me : • dark-puzzle@live.fr • http://www.facebook.com/dark.puzzle.sec • http://www.dark-puzzle.com/ • http://www.itsecurity.ma/
  59. 59. HAVE A NICE EVENING AND CHALLENGE :) !

×