Exploiting Online Games


Exploiting Online Games: Cheating massively distributed systems
Gary McGraw, Ph.D.
CTO, Cigital
http://www.cigital.com
© 2009 Cigital

Cigital
- Founded in 1992 to provide software security and software quality professional services
- Recognized experts in software security and software quality
- Widely published in books, white papers, and articles
- Industry thought leaders
- Consultants to EA

Disclaimer
- In our research for this book and this presentation we have broken no laws.
- We expect our readers likewise not to break the law using the techniques we describe.

Why online games?

Online games are a bellwether
- Online games (like World of Warcraft) have up to 900,000 simultaneous users on six continents
  - 10,000,000 people subscribe to WoW
  - 16,000,000 play MMORPGs
- Clients and servers are massively distributed
  - Time and state errors are rampant
- MMORPGs push the limits of software technology
- Modern distributed systems in other domains are evolving toward similar models
  - SOA, Web 2.0
- Time and state errors are the XSS of tomorrow


Online games are big business
- One game (WoW) has over 10,000,000 subscribers
  - 14 * 10M = 140M; 140M * 12 = 1.68B (not to mention buying the client)
- A healthy middle market exists for pretend stuff
- Cheating pays off

Why pick on World of Warcraft?

Isn't this exploit discussion bad?
- 1995: Dan Farmer fired from Silicon Graphics for releasing SATAN with Wietse Venema
  - FUD: possible attack tool!
- 2009: Any system administrator not using a port scanner to check security posture runs the risk of being fired
- Fall 2004: John Aycock at University of Calgary publicly criticized for malware course
  - FUD: possible bad guy factory
- Should we talk about attacking systems?

The good news and the bad news
Good news
- The world loves to talk about how stuff breaks
- This kind of work sparks lots of interest in computer security
Bad news
- The world would rather not focus on how to build stuff that does not break
- It's harder to build good stuff than to break junky stuff

Lawyers, guns, and money

Lawyers
- Game law is set up to counter piracy (not cheating)
  - "Cracking" a game costs game companies big money
  - Security mechanisms protect against cracking
  - Online components answered this problem wholly
- The DMCA is now being used to counter cheating as well
- End User License Agreements (EULAs) and Terms of Use (TOU) lay out license obligations
  - WoW Glider case
  - Ginko Financial disappears
  - Click to agree

Egregious EULAs
- Sony's EULA allows installation of a rootkit on your machine
- Blizzard's EULA allows monitoring
  - The Warden
  - The Governor
  - Spyware or security mechanism?
- Gator's EULA disallows removal of the software
- Microsoft's Frontpage disallows negative comments about Microsoft
- EULAs for viruses allow (legal) propagation!
- Apple's EULA never dies

"Guns"

Money
- Exchange rates exist between in-game currency and real money
- Per capita GDP in some MMO worlds is greater than the per capita GDP of some real countries
- Economists study game economies
  - Microsoft reports that the market in 2005 was over 6B
  - DFC says the market will double to 12B by 2010
- Secondary markets are also thriving
  - In 10/2005 a player paid 100,000 for virtual stuff (an Asteroid Space Resort in Project Entropia)
  - IGE has over 420 employees and projects a 7B market by 2009
  - Connections to thottbot (for better sweat shop work)
  - Chinese sweat shops make economic sense
- Second Life is set up as a market in virtual stuff (and players own their creations)

"It's easier than making shoes!"
- In China, over a half-million people "farm" MMO games
  - Some sleep on cots near the computers and work in shifts
- People choose this job. It can be better than working on your dad's state-owned farm
- Almost anyone can get this job, even "unskilled" labor
- http://youtube.com/watch?v=ho5Yxe6UVv4

Bugs, bots, and kung fu

Two kinds of cheating
- "Exploits": actual game bugs, which are exploited to
  - Teleport
  - Duplicate items or gold
  - See stuff you're not supposed to see
- Bots
  - Both AFK and non-AFK
  - Only performing legal inputs, but in an automated fashion
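The "time and state errors" the bellwether slide calls the XSS of tomorrow and the "duplicate items or gold" exploit class above are the same bug seen from two sides: a server handler that checks a balance in one step and debits it in another lets two concurrent requests both pass the check. The following is an added illustration written for this transcript, not code from the talk or the book: a toy ledger with a deterministic scheduler that interleaves two "send 100 gold" requests at the check/act boundary, first against a racy handler and then against one that re-validates at commit time with a version-based compare-and-set. Player, transfer_racy, transfer_safe, run_interleaved and simulate are all constructed names.

```python
from dataclasses import dataclass

# Constructed toy ledger: an account is one player's gold plus a version
# counter that every committed write bumps (optimistic concurrency control).
@dataclass
class Player:
    name: str
    gold: int
    version: int = 0

    def compare_and_set(self, expected_version, new_gold):
        """Atomic in this model (no scheduling point inside): apply the write
        only if nobody else committed to this account since we last looked."""
        if self.version != expected_version:
            return False
        self.gold = new_gold
        self.version += 1
        return True


def transfer_racy(src, dst, amount):
    """Time-and-state bug: the balance check and the debit are separate steps,
    so another request can run in between (each yield is a scheduling point)."""
    if src.gold < amount:
        return False
    yield "checked"              # window between check and act
    src.gold -= amount           # stale decision applied unconditionally
    dst.gold += amount
    return True


def transfer_safe(src, dst, amount):
    """Same handler, but the check is re-validated at commit time: a request
    whose view of the account went stale is rejected instead of double-spending."""
    expected = src.version
    if src.gold < amount:
        return False
    yield "checked"              # same window, now harmless
    if not src.compare_and_set(expected, src.gold - amount):
        return False             # someone else committed first: reject, let the client retry
    dst.gold += amount           # credit only after the debit committed
    return True


def run_interleaved(handlers):
    """Deterministic round-robin scheduler: advance every request one step per
    round, so both requests pass their checks before either applies a write."""
    results = [None] * len(handlers)
    pending = list(enumerate(handlers))
    while pending:
        still_running = []
        for i, gen in pending:
            try:
                next(gen)
                still_running.append((i, gen))
            except StopIteration as done:
                results[i] = done.value
        pending = still_running
    return results


def simulate(handler):
    """Two identical 'send 100 gold from alice to bob' requests against an account
    holding exactly 100 gold. Returns (per-request results, alice's gold, bob's gold)."""
    alice, bob = Player("alice", 100), Player("bob", 0)
    results = run_interleaved([handler(alice, bob, 100), handler(alice, bob, 100)])
    return results, alice.gold, bob.gold


if __name__ == "__main__":
    print("racy:", simulate(transfer_racy))   # ([True, True], -100, 200): gold duplicated
    print("safe:", simulate(transfer_safe))   # ([True, False], 0, 100)
```

The racy run ends with both requests reporting success, a negative balance on the sender and 200 gold on the receiver, which is exactly the duplication a player sees when two clients (or one client sending a request twice) hit the same handler at once. The safe variant makes the second request fail cleanly; in a real game server the same effect comes from a database row lock or a versioned UPDATE ... WHERE version = ? rather than an in-memory counter, and the thing to audit is every place a check and its dependent write are separated by a network round trip or a lock release.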

Botting
- Botting happens because
  - "Grinding" is really boring
  - Players are "farming": running the game to farm a resource, possibly running multiple accounts at once
- Farming bots are common
- Aimbots are a different story
  - FPS hacks
- PvP combat bots help too
  - For use in RPG combat
- How botting happens
  - MACROs & scripts (most common)
  - Memory read & write
  - DLL injection
  - Debugging

MACROs
- Inject keystrokes and mouse movement
- Sample pixels and read memory locations
- Take over the GUI
  - Must dedicate the computer to this
- Error prone
  - Screen and controls must be preconfigured exactly as required
- Tools: ACTool, AutoHotKey, AutoIt3.0, LTool-0.3, xautomation
- Example: WoW Agro Macro (in chapter 2)
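A macro that injects keystrokes on a timer produces input the server can see even though every individual input is legal: the gaps between events are far more regular than a person's. The following is an added example for this transcript, not code from the talk or from any anti-cheat product, showing the simplest server-side signal for this: the coefficient of variation of inter-event gaps over a window of input events. The two traces (MACRO_GAPS_MS, HUMAN_GAPS_MS) are constructed, and the thresholds in looks_scripted are assumptions chosen for the illustration.

```python
import statistics
from itertools import accumulate

# Constructed input-event traces: gaps in milliseconds between successive
# key presses. The macro fires on a fixed 250 ms timer; the human does not.
MACRO_GAPS_MS = [250, 251, 249, 250, 250, 251, 250, 249, 250, 250,
                 251, 250, 250, 249, 250, 251, 250, 250, 249, 250,
                 250, 251, 250, 249]
HUMAN_GAPS_MS = [210, 340, 180, 520, 260, 300, 450, 190, 370, 280,
                 610, 230, 320, 410, 170, 290, 480, 250, 330, 200,
                 560, 310, 240, 390]
# Absolute timestamps (ms since session start), as a server would log them.
MACRO_TIMES_MS = list(accumulate(MACRO_GAPS_MS))
HUMAN_TIMES_MS = list(accumulate(HUMAN_GAPS_MS))


def interval_stats(timestamps_ms):
    """Mean inter-event gap and its coefficient of variation (stdev / mean)."""
    gaps = [later - earlier for earlier, later in zip(timestamps_ms, timestamps_ms[1:])]
    mean = statistics.fmean(gaps)
    return mean, statistics.pstdev(gaps) / mean


def looks_scripted(timestamps_ms, min_events=20, max_cv=0.05):
    """Flag a trace whose gaps are almost perfectly regular.
    min_events and max_cv are assumed thresholds for this example."""
    if len(timestamps_ms) < min_events:
        return False          # too little data to judge either way
    _, cv = interval_stats(timestamps_ms)
    return cv < max_cv


def classify(traces):
    """Score several sessions at once; returns {session: (mean_gap_ms, cv, flagged)}."""
    report = {}
    for session, times in traces.items():
        mean, cv = interval_stats(times)
        report[session] = (round(mean, 1), round(cv, 3), looks_scripted(times))
    return report


if __name__ == "__main__":
    for session, row in classify({"macro": MACRO_TIMES_MS, "human": HUMAN_TIMES_MS}).items():
        print(session, row)
```

On the constructed data the macro session has a coefficient of variation near zero and is flagged, the human session sits around 0.35 and is not. This is a first-pass signal rather than a verdict: the slide's own point is that macros are error-prone and need a dedicated, preconfigured machine, so regularity of timing, session length with no idle pauses, and repeated identical click coordinates tend to show up together, and a detection pipeline would combine them and review flagged accounts rather than act on one statistic alone.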


Process manipulation
- Read & write memory data
  - Coordinates
  - Speed
  - Direction
- Use with a MACRO
  - Read data directly (instead of sampling pixels)
- Build fresh sploits
  - Map hacks
  - Teleporting
  - Speed hacks

Thread hijacking
- Hijack main system thread
  - Eliminates thread safety issues
- Call internal functions within game client directly
  - Minimize the game program
  - Runs itself
  - Doesn't have errors in sampling
- Eliminates need for MACRO altogether

Thread hijacking (continued)
- Used in a few WoW botting programs: DETOUR PATCH
- Loops hundreds of times per second

Techniques for cheating
- Over the game (control the GUI)
  - keystrokes
  - mouse dropping
  - pixel sampling
- In the game (manipulating objects)
  - memory manipulation
  - finding objects (automatically)
- Under the game
  - 3D teleporting
  - DLL injection
  - be the graphics card
- Outside the game
  - sniffing
  - crypto cracking
  - kernel fu

Total conversion and mod'ing
- Replace graphics with new graphics
- Replace client logic

Advanced game hacking fu
- See "Hacking World of Warcraft: An exercise in advanced rootkit development", Greg Hoglund's presentation from Black Hat 2006
- Hack.rar

State of the art
- Combine injected payload with cloaking and thread hijacking to FORCE in-game events
  - Spell casting
  - Movement
  - Chat
  - Acquire and clear targets
  - Loot inventory

[Diagram: the injected code page hooks the main thread at RenderWorld(.) via a hardware breakpoint, uncloaks, branches into the client's own CastSpellByID(.), ScriptExecute(.) and ClearTarget(.) plus a MSG step, then recloaks and restores state before the main thread returns to RenderWorld(.)]

Classic arms race

Breaking stuff is important
- Learning how to think like an attacker is essential
- Do not shy away from discussing attacks
  - Engineers learn from stories of failure
- Attacking class projects is also useful!

Solving the problem: Software Security

Three pillars of software security
- Risk management framework
- Touchpoints
- Knowledge

Software security touchpoints

Using BSIMM
- BSIMM released March 2009 under Creative Commons
  - http://bsi-mm.com
  - Steal the data if you want
- BSIMM is a yardstick
  - Use it to see where you stand
  - Use it to figure out what your peers do
- BSIMM is growing
  - More BSIMM victims (9 to 17 and counting)
  - BSIMM Europe
  - BSIMM Begin
  - Statistics
  - Correlations

Where to Learn More

informIT & Justice League
- www.informIT.com: no-nonsense monthly security column by Gary McGraw
- www.cigital.com/justiceleague: in-depth thought leadership blog from the Cigital Principals
  - Scott Matsumoto
  - Gary McGraw
  - Sammy Migues
  - Craig Miller
  - John Steven

IEEE Security & Privacy Magazine
- Building Security In: Software Security Best Practices column edited by John
- 2 Podcasts
  - .com/silverbullet
  - www.cigital.com/realitycheck

Exploiting Online Games: the book
- Cheating massively distributed systems
- Sploits, hacks, mods
- Key lessons for other software
- Part of the Addison-Wesley Software Security Series
- AVAILABLE NOW

For more
- Cigital's Software Security Group invents and delivers software security
- See the Addison-Wesley Software Security series
- Send e-mail: gem@cigital.com

"If we're going to improve our security practices, frank discussions like the ones in this book are the only way forward." - Ed Felten, Princeton
