DEF CON 20 – Elie Bursztein and Patrick Samy – Fuzzing Online Games


We’ve been working, Patrick and I (Patrick is here), for about a year on reversing games and fuzzing games, online games in particular. Before I start we have a bunch of questions for you guys. The first one would be: how many of you ever play online games? Please raise your hand. All right, some people don’t, okay, I didn’t expect that. How many of you ever sort of cheated? Come on, don’t be shy, don’t be shy. Okay, how many of you really succeeded in doing that? All right. Well, so all of you, probably everyone who tried to cheat at a game like Diablo 3 or League of Legends, which will be the focus of the talk today, realized quickly that it is very, very hard. When we started to do the presentation for this talk we had two options. The first option was: how about doing a talk where we show you a bunch of attacks, or a bunch of how we crash games? The second one was more about telling you how we did it, and we decided to take the latter route, because I’ve been doing a lot of fuzzing and a lot of reversing on games for the last three years, I have been cruising a bunch of forums, and most of the thing I read is “I know something cool, I know C++, how do I reverse games?” Most of the skill set that you need to do that is not your standard reversing technique or skill set, so what we hope you get from this is a toolkit of ideas, so that next time you want to test a game, not for cheating of course but for your internal intellectual satisfaction, you have the right skill set. By the way, if you start fuzzing Diablo 3 I would be super angry, because I’m still playing it, so please hold off for a little while before you start doing that, thank you. It’s a very, very tough space, and over the last year we met a lot of incredible people, and before starting we want to acknowledge them, because they did some of the work and we don’t want to take credit for it. So we want to thank particularly jus mercies, who did a lot of work on the League of Legends side; we are building on what they did, and we helped them along the way and they helped us, so it’s really like they should be here together with us. They are here in spirit, I guess.

So why is fuzzing online games so hard? Well, the overview is super simple: you have a server and you have a game, nothing special in it except a few things. First, well, you don’t have the server. When you try to fuzz, say, Apache or an FTP server, you usually have the binary of the server, so you can actually instrument it, look at how it works, and you can relaunch it and so on. When you are fuzzing games you simply don’t have the server. The server is something out of your reach: you don’t know how it works, you don’t know how it’s run, on which platform it runs, it’s completely obscure to you. And by the way, do not fuzz game servers. Fuzzing game servers is illegal, and I have to put this disclaimer somewhere: do not try to fuzz the Diablo 3 game server, I never told you to do that, do not do that. Maybe fuzzing the client may be legal, I’m not a lawyer, but I’m pretty sure fuzzing servers is a no-go. The second thing is, when you look at the protocols, over time they became more and more complicated. I’m going to tell you more about the one of Diablo 3 and the one of League of Legends, but most of them, maybe except for a few, are very, very complex and encrypted, and you don’t really know what’s inside, which means it’s hard to just fire up a sniffer and look at packets; that won’t give you much these days, you have to really work harder. And finally, well, again they try to do the best they can to prevent you from debugging the code, so they have anti-debugging techniques, they also have active security checks; the most well-known would be the Warden, I’m going to give you a few words on this in a few slides, which is Blizzard’s active security checker. And it’s a very, very, very complex piece of code: you’re looking at a huge binary with a ton of DLLs, so if you just say “I’m going to just reverse it”, let’s pop up IDA or any type of analysis, you are going to fail, because it’s just too big. And then when you look at that, you look like this, that’s actually my usual face, which is like “oh”; that’s where it is really hard and you make no progress. When Patrick joined me, like six months ago, he spent probably like two months making zero progress, it’s very frustrating, and we don’t want you guys to feel the same, so we try to give you pointers on how to not be stuck. It’s possible, and most people are like this in the forums: “I don’t know what to do, how am I starting?”

“What is the thing I should know?” Well friends, there is hope. It is possible to fuzz games, it is possible to have results, you just have to be very creative, and we have to think out of the box and use some sort of techniques that you might not feel are linked to reversing but actually are really useful. And yes, I’m going to give you statistics, and yes, we are going to do some mathematical analysis of packets, because at some point, as you will see, there is no other way, and it actually would be faster than just reversing the game. So what we really want you to take out from this talk is the new techniques, or the techniques we found to fuzz games, that we came across over the last year, and then you can take them home and try to play with them, and hopefully you will help a bunch of open source projects around games, and a lot of good will come out of that. So here’s our master plan for today. We have the game, we have the server, so what we try to do usually is we try to be in between: we want a tool to actually intercept the traffic and be able to see the packets, and here is our first twist: we also want the tool to correlate that with memory offsets. One of the things which is very powerful is when you combine network traffic with memory analysis, because you know which packet affects which state, and then you can write things like “if I see this packet, what does the packet do, when does this value climb up, or which value comes down”, and so forth. So it’s actually a very useful technique to combine both of them. So today we’re going to show you four things. One is how you intercept traffic, which is the first step; then how you bypass encryption, because every game uses encryption, so you have to do that before doing any work; then how you reverse the traffic when you have the decrypted packets, how you actually come up with an understanding of what it is; and then we finish by telling you a little bit about, once you have these packets and the ability to fuzz, and you sort of know what you want to do, how you monitor the results on the client side.

So, intercepting traffic. There are mainly three ways of intercepting traffic. The first one is you take your game and you do something which is well known, which is DLL injection. I’m speaking of Windows games; for Linux fans it’s more like LD_PRELOAD, where you try to overwrite a specific set of functions. The other one is you work at the OS level, where you have to write a driver, or you use a VM: you put your game into the VM, depending on how graphics intensive your game is you might or might not be able to do that, and then you write a driver which is going to intercept the packets before they leave the box and before they hit the router. Or the last way is to actually have the network go across the hypervisor and just do this interception after the packets leave the box.

Okay, so hooking Winsock. Most of the games on Windows use Winsock, which is the Windows socket API, which is the standard way to send and receive packets; I have yet to see a game which doesn’t use it. Basically there is a couple of functions that you want to overwrite: the first one is connect, which allows you to manipulate where the game connects; the second one is recv, for receiving packets; and the third one is obviously send, for sending packets. So there are three functions that you want to hook, and there are two ways to do that. The first one is to use the Microsoft Detours library, which is a way for you to write a description saying “I want to intercept this, this and this”, and then it’s going to inject a DLL into the game and you will have everything pass through your functions. The other one, if you don’t want to use Detours (and there is a lot of discussion in the forums on what is the best way to do it), is you can actually not use Microsoft Detours and use IAT hooking, which is basically you rewrite the table of function pointers yourself, so that they’re going to go to your function, and then you return to the real function. That’s where things become harder: if you do that on League of Legends, like I did, it worked perfectly; if you do that on Diablo 3 you have to face the Warden. So what is the Warden? Warden is the code name for Blizzard’s anti-cheating engine. It is meant basically to do three things. The first thing, which we know most about, is it reads certain offsets in memory: it looks at different offsets in the game and tries to see if these offsets have been modified in any way. It also scans the list of processes you have running on your computer for known or unknown executables, like debuggers, packet sniffers and so forth, and reports to Blizzard. And the last thing, it actually seems to be able to run a blob of code: so basically sometimes it fetches a blob of code and just runs it, and returns the result to Blizzard.

What it means for us is that if you use hooking you will get caught. You might not get caught right away, because you might inject or hook a little bit differently, say the recv and send functions, you can hook these functions in another way, but at some point they will figure this out and you get caught, because the Warden scans for every type of way of injecting DLLs. So the other option, which we have used for the last six months, is to write a driver. Two years ago we were starting to use an LSP, which was the old way to do it by Microsoft; there was actually a talk at DEF CON 15 on that, which tells you how old it is, like five or six years old. There is a new one which came out which is actually easier, so if you want to look at doing that, the easiest way to do it is to use the Windows Filtering Platform, which lets you basically say “I want to intercept TCP connections” or “I want to intercept the stream on top of it”. It makes it easier for you because it’s going to resync the TCP counters for you and so forth, so it’s pretty good. The thing you have to be careful about when you write the driver is, what you do is basically you stop the packets going to the server and re-emit them. The problem when you do that with the driver is that your own packets are going to go back to your own driver, so you have to tag them. It seems easy to explain; when you implement it, it’s sort of tricky and you might find weird bugs, like having the same packet sent twice to the server and so forth, so you have to be careful. On a side note, you can’t really redirect the IP. I saw that a bunch of times in the forums, people saying “well, what you can do is simply tell Diablo 3 to go and connect to your own IP server”, like with a command line option for that. The truth is, it used to work better; in reality you can’t do that. Basically the server sends a challenge packet to Diablo 3 with the IP of the server, and if it doesn’t match, it has a DLL which is downloaded every time you launch the game, and it’s going to refuse to connect. So you actually have to make Diablo 3 believe that you connect to the right IP, otherwise you can’t actually launch the game. And some people say “well, but I can hook this function”; well, if you hook this function the Warden is going to catch you, so you can’t do that. You have to either redirect the IP to a different box or you have to use the driver interception. So to summarize this part: you can do DLL injection and it works fine on games which don’t have active checks, like League of Legends; that’s probably the current way of doing it for League of Legends. When you deal with games which are really, really secure, like Diablo 3, you have to do something more fancy. We use a driver for a very good reason: as I said in my master plan, I want to be able to read the game state, I want to be able to correlate packets with what is happening in the memory, and the only way for me to do that is to be on the same computer. I might be able to do it with a second box, where I would have to do sockets and so forth, and there would be some latency which might mess with my timing. So our current approach, what we recommend to do, is actually to use a driver, and use the WFP way of doing it to just intercept packets. That’s how we did it.

Encryption. Let’s start with the easy one, League of Legends. So League of Legends uses Blowfish; I have no idea why they use Blowfish, which is slow, but somehow someone must have read that Blowfish is great, so they implemented Blowfish. So League of Legends has two binaries: one is the launcher, where you find your game, and then you click play and it runs the game. The interesting part is that when you click on launch, the Blowfish key appears in the command line. So they have some sort of encryption, not a big deal. Let’s go back to something way more complicated: enter Diablo 3. All right, so you have the game and you have the Battle.net server, which is the first server you connect to. So the first thing you’re going to do is what’s called the SRP6 challenge, which is basically a way for you to prove that you have the right login and password without transmitting them in the clear. It’s a six-step protocol, I’m not going into details; if you google SRP6 you’re going to find it. The basic idea is you hash your password with a secret, with a nonce, and then you exchange that with some sort of Diffie-Hellman crypto, and basically the network attacker has no way to brute force your password. That’s why it’s pretty good; it’s actually the right way to do that. And when you have done that, what you obtain is a secret key which is shared between the Battle.net server and the game, and it changes at every instance of the game, of course. And then you use that to start TLS: so you do TLS-PSK, which is pre-shared key, so basically they start TLS, and instead of using certificates to exchange the key, they use the key they established in SRP6. And when this is done, and you say “okay, I can do all of this”, ah, you have the RSA challenge, and I’m going to explain a little bit what the RSA challenge is. And then after that you actually connect to a second server, which is what we call the game server, where the actual game occurs: you know, when you click play, actually you are moving to another server. And no, they do not put the key in the command line this time. So why an RSA challenge? TLS-PSK is basically using SSL with a pre-shared key, which is the one you exchanged during the SRP6 challenge, and it should be perfectly fine for us, because, well, I know my password, so I can recreate the SRP exchange on my interception mechanism, and so there is no way for Blizzard to know about the end-to-end connection. So they use an RSA challenge, where the client expects a message which is signed with the private key of Blizzard, and if this is not signed by it, if it’s not valid, then the game will refuse to launch. Again, it’s actually located in the DLL. So the thing that happens is we don’t know the key, we don’t have Blizzard’s private key, and the game expects you to have this challenge signed by the private key of Blizzard, otherwise it refuses to launch. So it’s a way for them to do authentication, and it’s actually perfectly meant to prevent exactly what we want to do, which is man-in-the-middle attacks. So there are two ways to bypass the challenge: one is you go and factor the RSA key, which is as far as I can tell impossible, or you go and patch the game. But if you patch your game, you know what happens: the Warden is going to go after you. Remember the Warden: we said it looks at the offsets, and they actually look at the offset of the key, so if you try to change the key or change the check, they’re going to catch you. So that’s probably the happy face you make, and you’re like “okay, it has become complicated”, so you start thinking “well, maybe I can put a swap in debug mode during the challenge and be very quick and remove the swap, or I might intercept the Warden, and I might actually trick the Warden into not seeing the right offset”, and then you look more and more, and then you realize something really deep: traffic to the game server is not encrypted. So when you realize that you’re like “yes, I can”. So what it means is we can monitor the game by itself, but we can’t do the auction house; the auction house protocol is encrypted. So if you want to basically try to fuzz the auction house (and again, it’s illegal), you might not be able to do that, because these packets are encrypted. So they protect your login, the character selection and the auction house. If you just want to be in the game, like bashing monsters and doing quests, this is not encrypted, so that’s the part we focus on. And so at that point we gave up on man-in-the-middling everything, and we just let the game do all the authentication for itself, and we pick up the connection after all this is done, and we just give up on basically the auction house and so forth.

All right, reversing the protocol. Here’s what a Diablo 3 game packet looks like. So they use TCP, and on top of TCP they use RPC, which is remote procedure call, so they send a lot of calls to the server, saying “I’m doing that”, for instance “I’m facing this direction, I’m going there”, and also going to say “play this animation” or “I’m going to kill this monster”. So basically you say “I’m going to attack there” and the server is going to send you back how much DPS you did, because all the computations are done on the server side, to prevent cheating. And then on top of that they use what we call protobuf; protobuf is a way to create a nested protocol which is developed by Google, which also released an implementation of it, and the community has created a C# version of it, so you have it for Python, C++, Java and C#, currently available open source. And if you want to know what the Diablo 3 packets look like, this is a packet which is half reversed: this is an attack packet, so when you attack, this is what we have been able to isolate. So you have something which is like an aim target message, where you have three fields; we believe it’s actually five or six fields, we don’t know exactly how to split it yet, and then you have the location where you want to hit, which is like three coordinates, which are at the bottom of the screen. This is the kind of stuff you’re going to get, and you can see it’s protobuf because it has nested components, and that’s how they probably do it: they have a bunch of components and you unpack them on the other side. League of Legends uses something completely different. They use UDP, and on top of that they use ENet, which is a reliable connection on top of UDP; on top of that they have Blowfish, and on top of that they have a new protocol, which is the League of Legends protocol, which is their own custom protocol, which is the thing you care deeply about. So ENet is just a way to multiplex, basically. The League of Legends packet format is something like this: you have an opcode, which tells you what the action is, followed by an ID, which is an integer, little endian, and then followed by some content. And then they are multiplexing across multiple channels, and ENet has a set of flags, so usually you have like four or five channels and one or two flags; usually three are for sending information and one is for receiving information, or something like that. And then, at this point, you feel pretty good, you’re like “well okay, now I know the protocol, I am able to manipulate it, I’m happy, I did all the hard work”, right? Well, let’s check some numbers. We recorded a game which lasted 21 minutes, and in 21 minutes we got 60,000 packets. That’s a lot to process, and on average you get about 48 packets per second. So if you try to do that with a sniffer, well, you won’t see anything; if you try to process that with a sniffer, well, it’s going to take you a lot of time. And we have isolated 78 different opcodes, so there are also a lot of different packets. So if you want to grab that, you have some bursts of up to 80 or 90 packets a second at some point, and it’s very, very, very oscillating, and it’s not easy to do that by hand. And then, well, there is too much stuff to process; you can’t just look at it and figure out what it is, because it’s actually too much data. Well, there is no such thing as too much data, you know: having a lot of data is good, because if we have a lot of data we can start to do something like statistical analysis, and don’t be afraid, it’s pretty easy to actually figure out a lot of things by themselves and then use that.

So what I propose to do from there is: first we’re going to bucket, which is basically splitting the traffic by opcode, because we know that each opcode is sort of separate, and then try to do what I call differential analysis, I’m going to show you how it works, then we’re going to try to mutate this to do the fuzzing, and then we can inject the code and just look at the data and see how it’s going to work. So bucketing is very simple: all you do is you look at the opcode and you say “well, if it’s opcode A, I’m going to put it into bucket A, and if it’s B, I’m going to put it in bucket B”, and that’s all there is to it. So it’s not hard, and it’s going to be like two to four lines of Python or something, and then you have your buckets, and then you can work on each of them. Differential analysis: when you have each bucket, what you do is you take each packet, the first packet followed by the second packet, and you look at how many of them have differences at the same offset. So you’re going to compare offset by offset, which is like column by column, and you compare all of them, and for instance you can see that for the first offset the value goes from 02 to 09; we have the range because the lowest one is 02 and the highest one is 09. And the second one hasn’t moved, so it’s basically some sort of static field, is it an identifier or a split separator or something like that, and so the third one is also separate. When you have that, you have to do a second step, where what you do is differential analysis between traces. So you have one trace which might have this shape, where the first offset is variable, the second one is fixed, the third one is fixed, and then you, for instance, look at another player’s trace, and you compare those two, and what you can see from there is that of course the first offset has variations, the second one is fixed, but actually the third one is also variable, because it’s probably the ID of the user, or ID of the player. So you can actually get more data. If you want all of this, I put all the differential analysis on the League of Legends protocol on GitHub; if you look for League of Legends ENet online you’re going to find them, I have all of them public. And when you have that, one can say “well, now I can fuzz everything”, so then what I’m going to do is I’m going to take every range, and for each range I’m going to just, you know, mutate all of those. Well, the problem is it looks like this: it’s what we call the curse of dimensionality. If you have one bucket to change, it’s perfectly fine; if you have several ranges which actually change, even if you try to do mutation by range and combine all of those, you’re going to end up with millions and millions of packets. To give you an idea, when we tried to generate all the fuzzing vectors for the League of Legends client, and we only used three values, which is minimum, maximum and median value, we ended up with 1.5 million packets. And the problem is League of Legends is very brittle, the client, so most of the time we actually crash the client, so the problem is you have to click on relaunch the game, reset the game, and then click and then start, and even if you automate that with a tool, it’s still super slow. So, well, you have to take it to the next level; it’s not good enough. Even if you are at that point where you know what is fixed, what is not fixed, and you are able to try to do all the fuzzing, you’re not good enough, you need something better.

So you can start with something very simple: you can look at frequency analysis. This is the plot; what you can see here is by opcode, and it’s a logarithmic scale, so the biggest bars are actually way higher than they look on the diagram. Some opcodes are very, very frequent; these are mainly pings and updates on location and stuff like that, which are not really what you are interested in. On the other end there is a handful of opcodes which are very, very, very rare, and these are the ones we actually care about. Why? Because the small stuff is usually the good stuff. For instance, when you do a level up, well, leveling up is not that often, you’re not going to level up every second, so you might have like four or five of those in the trace; same thing for buying items, you do not buy like 20 items or a million items, you buy maybe 10 to 20 items, so it’s very, very low; and the same thing for attacking, you do not attack that often, so there are very, very few packets. So if you discard all the stuff which is very, very frequently updated, then you end up with a small chunk of opcodes which are more manageable. That being said, remember it’s an online game, so when you send a command you also want to know what the answer linked to it is. The problem is, with League of Legends, as I said, there are multiple packets, and they sort of multiplex each other, so it’s actually hard to know which one is related to one another. So you need to actually do correlations between opcodes. For instance, when you have an attack trigger, you want to know what the response from the server for that is, or when you assign a new skill; what you really want to know is, well, what is the server answering to me and how can I play with that? So to do that you do something which is very standard, which is called n-gram analysis. It’s a very big word, it’s actually a big word for something which is dead simple. What you do is you take only the opcode, and then you take the first packet and then the second packet, and then you say “well, I see these two opcodes one after the other one time”, and then you move and you say “well, these two opcodes one after the other, one time”, and so forth. At the end, if you repeat across the whole trace, you’re going to get some of them which are more frequent than others, and it’s going to actually get rid of the noise. So if you actually trigger something multiple times, it’s likely that at some point the request and the response which are related are going to appear close together more often than the others. I’m simplifying a little bit, because you need to be a little bit more fuzzy, but that’s the essence of this. And there is one gotcha with that: if you try to do that, do not try to keep high frequency packets in it, because you have some packets which are like 10 times a second, so they are going to mess up your analysis, so you need to actually get rid of all the high frequency packets before inserting them into it.

So let me give you a concrete example. So far we’ve been doing a lot of hand waving; here is a League of Legends set skill packet. So every time you gain a level, you have the ability to select a skill and say “I want to increase the level of this skill”. What you actually do is, we pulled out those bytes for you, and in blue there is the opcode 3E, and then you have 1B 1C 1A 1B, which is the second column, which is basically the player ID. How do we know that? We know that because if you look at one trace it’s fixed; if you look at multiple traces with multiple players it actually becomes variable, so we know it’s actually linked to the player. And then at the end you have 00 02, 00 03, 00 04, it actually goes from 00 02 to 00 05, and then we took a deeper look at that by basically clicking on one of those slots and then looking at what packet we got by playing the game and looking at the sniffer output at the same time, and it’s actually the slot position. So what the packet says is “I want to put, for player ID X, one more point into this slot”. And then you need the answer, right, and so we did this frequency analysis and then n-gram, and we get the answer, and the answer is 18. And so 18 is the same thing: you have a player ID followed by the slot position you actually set, and then the server tells you how much you have, right. So basically it tells you, well, for slot position 1, which is your 0, you get a skill between 01 and 06, which is the maximum you can get for a given skill. And you look at that and you’re like “mm-hmm, is there a bug? Yes, no, maybe, yes, it seems that there is a bug”. You’re like “well, the server sends me how much power I can get for a given slot; what happens if I rewrite 01 to, let’s say, 06?” I get, like I said, I’m going to assign one point, and then I stop the packet from the server and I say “well, no, in reality you don’t get one more point, you get like six more points”. It sort of works, in the sense that your client is going to believe that you actually have six, so your client is going to believe what the server says, and it’s going to say “yes, you have a spell at level six”, but when you try to use it, it won’t work, because actually the server keeps tabs of how much DPS you do. So actually even if you can pretend to have the skill, it’s actually not going to do anything, because they do the computation on the server. I don’t know when they fixed it, but it’s fixed. All right, another way to do it we found very useful is binding a specific set of keystrokes on the keyboard before doing an action. So we usually use Ctrl+X, and so you would press Ctrl+X just before the action we’re interested in, and then our software actually adds a click event into the trace, and after that what we do is we usually look at the next packet after that. So it actually happens basically while playing the game and looking at a trace at the same time; putting the click at that point actually helps us to easily find the packet we want to look at. If you don’t want to do all the differential analysis and stuff, the easiest way is just to record a specific timeline and say “well, I want to know what the packet from this particular point in time is”, and then you can actually look at only this packet. Again, what we want to get across is: don’t try to reverse the entire protocol, because most of the protocol parts are sort of independent; just try to focus on the ones you are really interested in, like attacking or selling an item or removing an item, and then just look at those packets, and if you get enough of those packets you’re going to find a recurrence, and then with this you can actually figure out how the protocol works. And then for the next part I’m going to ask Patrick to tell you a little bit more about how we managed to look at the results.

Okay, so what about monitoring the results? Remember, the bigger picture is to build a fuzzer, so we kind of need some way to automate the monitoring of the results, so that we can build some scripts, for example, that are going to check whether or not we succeeded. So how do I tell that my packet affected the game state? To do that, we need to read the state of the game. We have a couple of ways to do that. The first one is to read the game memory: so we are going to inject a packet, and then we need to find the memory offsets of the potential values that are going to be affected, and these values will give us an idea of how we succeeded in changing the state of the game. For example, if we take the health of the player or the number of gold pieces, we can say that I have 10 gold, and now I’m going to buy an item and I have 11 gold, so did my injection work? Now how can I find the offsets in the memory? The idea is to start with the complete armor, for example, and take a whole snapshot of the memory. Then you remove one piece of armor and you do the same thing; you filter all the values that didn’t change and you keep the good stuff, and then you do it again: you change another piece of armor and you take another snapshot and filter the values, and again and again, and at the end it’s likely that you will find the right value in a couple of iterations. Well, what if the offset is encrypted or obfuscated? Usually not all the structure is encrypted, it’s only the interesting values, so you need to find a field in the structure, for example the player structure, that is not encrypted. The idea is, for instance, in Diablo 3 the gold value is not encrypted in the player structure; it’s actually a float, so you can find this value and then climb up or down in the structure to find the health value, and then you get the offset in this structure, and you can get the actual memory address. Another option would be to do more set and unset on the value until we get only one value, but this can take a lot of time and a lot of iterations if it’s obfuscated. The thing that you can do is just look for values that change, original changes, and try to extract what is important for you, and then find out how it’s obfuscated. Okay, so that’s it for the game analysis. So thank you for coming, and you can follow us on Twitter.
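The four statistics steps the talk walks through for League of Legends traffic (bucket by opcode, per-offset differential analysis within and across traces, frequency filtering, then bigram correlation to pair a request with its reply), as an added example written for this page, not the speakers' own scripts from GitHub. The traces are constructed: only 0x3E (set skill) and 0x18 (its reply) come from the talk, the ping and position opcodes and the packet layout are placeholders, and the two player IDs are made up.

```python
from collections import Counter, defaultdict

# Opcodes for the constructed traffic below. The talk names 0x3E as set-skill and
# 0x18 as its reply; PING and POSITION are placeholders standing in for the
# high-frequency "noise" opcodes the speaker says to discard.
PING, POSITION, SET_SKILL, SKILL_REPLY = 0x01, 0x02, 0x3E, 0x18


def make_trace(player_id):
    """Constructed trace: opcode | 4-byte little-endian player id | 2-byte payload.
    Pings and position updates dominate; a set-skill request and its reply are rare
    and always have a position update between them, as multiplexed traffic would."""
    pid = player_id.to_bytes(4, "little")
    trace = []
    for i in range(200):
        trace.append(bytes([PING]) + pid + bytes([i & 0xFF, 0x00]))
        trace.append(bytes([POSITION]) + pid + bytes([(i * 7) & 0xFF, (i * 3) & 0xFF]))
        if i % 40 == 0:
            slot = 2 + i // 40                       # slot bytes 02..06 over the trace
            trace.append(bytes([SET_SKILL]) + pid + bytes([slot, 0x01]))
            trace.append(bytes([POSITION]) + pid + bytes([0x10, 0x20]))
            trace.append(bytes([SKILL_REPLY]) + pid + bytes([slot, 0x01]))
    return trace


def bucket_by_opcode(trace):
    """Bucketing: the 'two to four lines of Python' from the talk."""
    buckets = defaultdict(list)
    for pkt in trace:
        buckets[pkt[0]].append(pkt)
    return buckets


def offset_ranges(packets):
    """Differential analysis, step 1: (min, max) seen at each byte offset in one bucket."""
    n = min(len(p) for p in packets)
    return [(min(p[i] for p in packets), max(p[i] for p in packets)) for i in range(n)]


def classify_offsets(traces, opcode):
    """Differential analysis, step 2: compare the same bucket across players' traces.
    fixed      - identical in every packet of every trace (opcode, separators)
    per-player - constant within a trace but different between traces (player id)
    variable   - changes within a single trace (counters, slots, coordinates)"""
    per_trace = [offset_ranges(bucket_by_opcode(t)[opcode]) for t in traces]
    labels = []
    for i in range(min(len(r) for r in per_trace)):
        if any(lo != hi for lo, hi in (r[i] for r in per_trace)):
            labels.append("variable")
        elif len({r[i][0] for r in per_trace}) > 1:
            labels.append("per-player")
        else:
            labels.append("fixed")
    return labels


def drop_frequent(trace, max_fraction=0.05):
    """Frequency analysis: discard opcodes that make up more than max_fraction of the
    traffic (the pings and location updates), keeping the rare, interesting ones."""
    freq = Counter(p[0] for p in trace)
    return [p for p in trace if freq[p[0]] / len(trace) <= max_fraction]


def most_common_successor(trace, opcode):
    """Bigram analysis on the opcode sequence: the opcode that most often directly
    follows `opcode`, with its count. Run it on the filtered trace, not the raw one."""
    ops = [p[0] for p in trace]
    followers = Counter(b for a, b in zip(ops, ops[1:]) if a == opcode)
    return followers.most_common(1)[0]


if __name__ == "__main__":
    t1, t2 = make_trace(0x11111111), make_trace(0x22222222)   # constructed player ids
    print("offset ranges for 3E:", offset_ranges(bucket_by_opcode(t1)[SET_SKILL]))
    print("across players:", classify_offsets([t1, t2], SET_SKILL))
    print("raw successor of 3E:", most_common_successor(t1, SET_SKILL))
    print("filtered successor of 3E:", most_common_successor(drop_frequent(t1), SET_SKILL))
```

On the raw trace the bigram following 0x3E is always the position update, which is the gotcha the talk warns about; once the high-frequency opcodes are dropped, 0x18 becomes the unambiguous successor and the request/reply pair falls out.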
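The snapshot-and-filter search for a stat's memory offset that Patrick describes (take a whole snapshot, change one piece of armor, keep only what changed, repeat), as an added example written for this page rather than the speakers' tooling. The "process memory" here is a simulated bytearray with seeded random churn standing in for the rest of the game state, and the armor offset is a constructed placeholder; against a real process the snapshot() calls would be replaced by memory reads.

```python
import random
import struct

MEM_SIZE = 4096
ARMOR_OFFSET = 0x5A0          # constructed: where the simulated game keeps its armor stat

_rng = random.Random(1)
_memory = bytearray(MEM_SIZE)


def reset():
    """Fresh simulated process image: random bytes everywhere, armor = 50 at ARMOR_OFFSET."""
    global _rng, _memory
    _rng = random.Random(1)                       # seeded so every run is identical
    _memory = bytearray(_rng.getrandbits(8) for _ in range(MEM_SIZE))
    set_armor(50)


def set_armor(value):
    """The in-game action: equipping or removing a piece changes the armor dword."""
    struct.pack_into("<I", _memory, ARMOR_OFFSET, value)


def tick():
    """Background churn between snapshots: 50 random dwords change per frame, never the target."""
    for _ in range(50):
        off = _rng.randrange(0, MEM_SIZE - 4)
        if abs(off - ARMOR_OFFSET) >= 4:
            struct.pack_into("<I", _memory, off, _rng.getrandbits(32))


def snapshot():
    return bytes(_memory)


def dword(snap, off):
    return struct.unpack_from("<I", snap, off)[0]


def refine(cands, before, after, expect_change):
    """Keep offsets whose dword changed between two snapshots (expect_change=True),
    or stayed the same (False) for a step that should not have touched the stat."""
    return {o for o in cands if (dword(before, o) != dword(after, o)) == expect_change}


def refine_by_value(cands, snap, expected):
    """Final narrowing when the in-game UI shows the value: 'I had 10 gold, now 11'."""
    return {o for o in cands if dword(snap, o) == expected}


def find_offset(steps):
    """steps: (action, expect_change) pairs performed in order, snapshotting after each."""
    cands = set(range(MEM_SIZE - 3))               # every dword-aligned-or-not offset
    before = snapshot()
    for action, expect_change in steps:
        action()
        tick()
        after = snapshot()
        cands = refine(cands, before, after, expect_change)
        before = after
    return cands


def demo():
    """Returns (candidates after the change/unchanged filters, candidates after value filter)."""
    reset()
    steps = [
        (lambda: set_armor(40), True),    # take off one piece of armor
        (lambda: set_armor(50), True),    # put it back
        (lambda: None, False),            # open the inventory: armor must not move
        (lambda: set_armor(40), True),    # take it off again
        (lambda: set_armor(30), True),    # take off a second piece
    ]
    cands = find_offset(steps)
    return cands, refine_by_value(cands, snapshot(), 30)


if __name__ == "__main__":
    cands, found = demo()
    print(len(cands), "candidates after filtering;", [hex(o) for o in found], "after value check")
```

The change/unchanged filters alone leave a handful of survivors (the target plus the unaligned offsets that overlap its low byte), which is the "couple of iterations" outcome from the talk; matching the dword against the value shown in the game narrows it to the one real offset.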