Saturday, November 21, 2015

GameHacking 101 - Part 1 - Introduction

I have been playing games since I was a child, starting with the Super Nintendo. At a young age, I had memorized the GameShark codes for Super Mario World - mostly for my mom's benefit. I eventually graduated from consoles and moved to computer games. I started playing WarCraft: Orcs vs. Humans, Diablo, StarCraft, and Dungeon Keeper. I learned how to modify the games I was playing using Universal Game Editor (UGE) thanks to my dad's interest in it. I learned how to Google for cheats, trainers, and hacks; but never learned how to do these things myself. As I got older, I wondered how people came up with these applications. And ever since then I have been interested in how to do these things for myself. Especially since these applications do not exist for every game. And also because I have been interested in automating gameplay - as I gravitate towards more grindy MMO games such as Diablo II.

I started looking and found several articles telling those interested to learn C++ as this is what most everything was written in. So I started learning the complexities of C++ - but the language learning did not do me as much good as I would have hoped, as it did not cover the WinAPI, graphical user interfaces, or really much of anything I was ultimately interested in. In other words, it did not help with the discovery or programming of exploits. So I shifted my focus from programming to security.

I tried doing wargames and other security-oriented subjects because I thought it would help in the area I felt I was lacking in. I went to school for Computer Science because I believed it would help shed light on what else I needed or was missing. I graduated, and well, even with the information garnered with four years of college and the security challenges under my belt, I found that programming is only one part of the process. You need to understand the target. You need to understand what you want it to do. You need to understand what tools are available and how to use them. Tools like CheatEngine, OllyDbg, IDA and others.

I started looking into CheatEngine and the other tools. A difficult process if you are not sure what the endgame is. These tools did teach me more about what I needed to know about memory, and how to understand what my target was doing in memory. I kept searching for tutorials, resources, forums... anything that would be a good introduction to Reverse Engineering.

I watched some of Lena's Reverse Engineering for Newbies, which is a good start into behavior analysis and manipulation. Basically, how to figure out what the target is doing in memory, but it still did not solve the problem I had. I read the book Exploiting Online Games - which has a good introduction into what Game Hacking is but does not do a great job of explaining how to do it. Instead it directs the reader to topics covered in their other security books, Building Security In and Exploiting Software. And they are valid, the tools and topics are somewhat interchangeable. But they should not have released this book. There is a new book that looks like it may be more promising called Game Hacking: Developing Autonomous Bots for Online Games.

It was not until I found a guide by ToyMaker that I found what I was looking for. I needed something that brought the reader through all aspects of the process, bit by bit. ToyMaker's introduction took the reader through creating the original application (programming), which allowed the novice to understand the conversion from C code to assembly (what the application does in memory at runtime). It covered how to modify the program you made to do what you wanted it to (manipulating behavior). And it was relatively easy to understand for novices. Unfortunately, by the time I found it the example would not work, and ToyMaker seemed to have disappeared without continuing the series.

I was not going to give up that easily. I had found the missing piece for me. This was what I needed to understand the entire process. And so I have elected to take what was provided by ToyMaker and expand upon it. I have planned a series of posts that will cover the evolution of a small game. I hope this series can be used as a new resource for people to refer to who are interested in Game Hacking and Reverse Engineering.

Cheating Methods That Do Not Require Programming

I am going to start by covering the various methods of cheating in games. Some of them do not require any programming skills. These kinds of cheats are bugs in the game's code or user interface, or macros recorded by the user to perform a repeated task indefinitely by simulating key presses or mouse clicks.

A few good examples of bugs that can be exploited can be found in a game called Morrowind. There is one that allows a player to arbitrarily increase their stats by creating a spell that has a Fortify Stat attribute on self and a spelltrap attribute on target. For whatever reason, the spelltrap component makes the Fortify Stat attribute permanent on the character sheet. Another: if you want to train a skill, you can create a spell to reduce the skill you want to train for a certain amount of time, find a trainer who will train you, and train that skill up for cheap. Alternatively, you can make any trainer a master trainer in the skill you want to train by casting a Fortify Skill on them with the skill you want to train.

A good example of a user interface bug that can be exploited can be found in Diablo II. When you have a character with teleport you can open the inventory or character sheet screen to allow your character to teleport a little further to make those gaps you would not normally be able to reach. A good video explaining this can be found on YouTube. As an added benefit it prevents the teleporter from getting stopped by breakable objects you may land on.

There are several ways to do macro recording. Some mouse and keyboard manufacturers are even including the ability to do this on their devices. Otherwise you may have to use software like AutoHotkey or an alternative. It is possible to download an application that has been tailored to the game you wish to automate.

Recently, I was tired of manually training the Speechcraft skill in Morrowind, so I created a macro to automate the process of selecting Persuasion->Admire by having it repeatedly simulate mouse clicks in the same spot. I resized the character dialogue window to the point where clicking Persuade would pop up the Persuasion type window with the mouse over Admire. Then I started the macro to repeatedly click.

In Diablo II, there used to be an application called MMBot that was a botting automation application. Scripts could be written but you could also download scripts out of the box that would work for the character you wished to use. These scripts would do all of the killing and looting for you. I may be stretching a little with this one but I put this example here because MMBot was popular for not injecting into the Diablo II process. In other words, it simulated mouse and keyboard presses. It did mod the game though by making monsters square blobs of color that it would use to detect. Another example is the RoS-Bot for Diablo III where the user can simply download the character script to run and the pickit desired. No custom changes need to be made, although the system does allow it. RoS-Bot also does not inject into the remote process.

Other Cheating Methods

The other methods, which we will cover more thoroughly, involve manipulating the application directly.

Already covered somewhat are the applications that sit outside of the target, read its memory, and simulate the actions a user would take, although much more precisely and uncannily. These are things like aimbots or grinding bots. Some may require the application they are monitoring to have focus on the screen; others will inject the simulated actions directly into the application, allowing it to be minimized.

The most straightforward way is patching the executable outright, but this is not really a viable option anymore except to bypass DRM (and is known as cracking in that sense). You can alter the application's code directly to do what you want and then save the changes to the original executable. This is not a feasible method if the application you are making these changes to is updated frequently. You can see a method of this kind of manipulation in my Reversing Twitter BootStrap MVC series, where we find several ways to modify the assembly to get it to bypass the licensing mechanism.

Similarly, there is in-memory manipulation. These changes are only made while the program is running and so do not persist between executions. The drawback is that they are harder to set up, and any patch applied to the original executable may mean the application making those changes needs to be updated as well. This option can be performed by overwriting certain memory sections, like a patch in the previous method. Alternatively, a DLL can be injected and caused to run inside the remote host. Both methods carry a relatively high risk of detection, although there have been strides made to prevent detection. This is also probably the easiest way once you get your DLL into the remote host, as it becomes integrated as part of the application. D2BS is an application that does this.

Some anti-detection methods include scrubbing the list of loaded modules (known as DLL cloaking), on which more information can be found on BlizzHackers. This gets into more advanced hacking techniques and may or may not be touched on in this series.

What Programming Language to Use

One of the most common barriers to getting started is not knowing what language to use. And depending on who you ask, you are likely to get a different response. In short, there is no best language for game hacking. The most important part is choosing a programming language you are comfortable with, you can use easily, and that has the capability to hook or manipulate memory. Manipulating memory is typically done by reading and writing data to a remote process. Generally, C or C++ are the most common choices for this due to the Win32 runtime-loadable libraries, or DLLs. All modern Windows operating systems use these to provide certain functions - including those to read and write process memory. This makes either language an ideal candidate for writing applications to interact with the game client.

Depending on the language you end up using, you may have to find additional libraries that allow you to interact with a remote process. Or, you may have to do things a little differently (if you have a managed DLL in C# you need to load the .NET Runtime in order to have your managed DLL execute in the remote process - if the remote process is not a managed one. More on this later).

However, do not let that deter you from using a language with which you are more confident and familiar. Even scripting languages like JavaScript and AutoIt have been used! There may come a time when you need to create or provide additional functionality in the programming language of your choice. This is a great learning opportunity if you are so inclined, but it will take a lot of work on your part. Additionally, the number of examples that others may have worked on decreases as you choose more abstract programming languages. For this reason, it may be in the reader's best interest to use C or C++. They are low level enough to accommodate more advanced game hacking techniques without requiring too much additional work.

Setup

I have opted to use the C language as it makes converting the sample easier, the exploit will work natively on Windows, and most games are written in it at this point. You could do this in other languages; you could even mix and match. You could write the console application in C/C++ and exploit it in Python. I will not be covering these alternatives as they are beyond the scope and introduce unnecessary complexity to a topic I am trying to simplify.

If you choose to do the same, the only other requirement is to set up your system with a compiler and a text editor/IDE. You can use anything from a simple text editor like Notepad to something more complex like vim/emacs. If you are new, however, I would recommend you use a trusty IDE like Microsoft's Visual Studio or Code::Blocks. If you use Visual Studio, I would highly encourage the JetBrains C++ ReSharper plugin or VisualAssist. They are not necessary but help by providing hints to keep your code clean and running smoothly.

Other software you should have is a Memory Searcher like CheatEngine or ArtMoney, and a debugger like OllyDbg or a disassembler like IDA Pro. If you do not know whether to use 64-bit or 32-bit, you are probably not ready for this yet. Regardless, if you want to follow along anyway, you should choose 32-bit as it will work on both. Well, assuming your target is not a 64-bit process.
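To show what a memory searcher like CheatEngine or ArtMoney actually does before you point one at a target, here is an added example (my own illustration, not code from the original post or from either tool). It runs the scan/re-scan loop over a constructed byte array standing in for a process's memory, with a made-up "health" value at offset 0x3A8 and two decoy copies of the same number, and shows why one scan is ambiguous while a second scan after the value changes narrows it to a single address.

```c
/* Added example, not from the original post: a miniature memory searcher
 * in the style of CheatEngine/ArtMoney, run over a constructed byte array
 * that stands in for a target process's memory. The first scan for a value
 * is ambiguous; re-scanning after the value changes pins down the address. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MEM_SIZE   4096
#define MAX_HITS   64
#define HEALTH_OFF 0x3A8          /* constructed: where "health" lives */

static uint8_t g_mem[MEM_SIZE];   /* simulated process memory */
static int32_t read_i32(size_t off) { int32_t v; memcpy(&v, g_mem + off, 4); return v; }
static void write_i32(size_t off, int32_t v) { memcpy(g_mem + off, &v, 4); }

/* First scan: every 4-byte-aligned offset currently holding `value`. */
static size_t scan_exact(int32_t value, size_t *hits, size_t max) {
    size_t n = 0;
    for (size_t off = 0; off + 4 <= MEM_SIZE && n < max; off += 4)
        if (read_i32(off) == value) hits[n++] = off;
    return n;
}

/* Later scans: keep only the previous hits that now equal `value`. */
static size_t rescan(int32_t value, size_t *hits, size_t n) {
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (read_i32(hits[i]) == value) hits[kept++] = hits[i];
    return kept;
}

/* Constructed scenario: health = 100 plus two decoy 100s (say a max-health
 * constant and a UI copy); then the player takes 30 damage. Reports both
 * hit counts and returns the offset the scanner settles on, or (size_t)-1. */
static size_t locate_health(size_t *hits_first, size_t *hits_second) {
    size_t hits[MAX_HITS];
    memset(g_mem, 0, sizeof g_mem);
    write_i32(HEALTH_OFF, 100); write_i32(0x100, 100); write_i32(0x7F0, 100);
    *hits_first = scan_exact(100, hits, MAX_HITS);   /* 3 candidates */
    write_i32(HEALTH_OFF, 70);                       /* only health changed */
    *hits_second = rescan(70, hits, *hits_first);    /* 1 candidate left */
    return *hits_second == 1 ? hits[0] : (size_t)-1;
}

int main(void) {
    size_t a, b, off = locate_health(&a, &b);
    printf("first scan: %zu hits, after change: %zu hit(s), health at 0x%zX\n", a, b, off);
    return 0;
}
```

The same narrowing is what a real tool does against a live process, except that each read goes through the operating system's process-memory API rather than a local array.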

What's Next

In the next post we will start creating the target based on the one created by ToyMaker.
