ZaCon 4 (2012) - Game Hacking

About Me:
I’m a Ruby on Rails developer at Platform45 - we make web and
iOS applications and games: http://www.platform45.com
Have been hacking games, off and on, since 2005.
Twitter: @hypn
Email: ross@hypn.za.net
Website: http://www.hypn.za.net

Not Covered:
• Latest games - I want to avoid lawsuits and “history repeats
itself” (methods shown work for the latest games, eg: DotA 2)
• FPS (aim) Bots - typically require DirectX/OpenGL programming
knowledge (and I have none)
• Android games - I’m an iPhone user, sorry!

DISCLAIMER:
The “Terms of Service” / “Terms and Conditions” of most games
prevent you from decompiling or modifying game ﬁles, or
intercepting and manipulating data trafﬁc.
Hack creators have been sued for making hacks (under “copyright
infringement”).
You might get banned from your favourite game.

ZaCon 4 - Game Hacking
1. Console Games
1.1. Game Genie and others

Game Genie
Inserted in to the NES before
game cartridges.

Game Genie
game cartridges.
User is prompted to enter
codes, which ultimately
overwrote game logic:

Game Genie
game cartridges.

inﬁnite lives

Game Genie
game cartridges.

inﬁnite lives

super powers

Game Genie
game cartridges.

inﬁnite lives

super powers

kill Toad!

(change the game)

Game Genie is available for
mutliple consoles.
Many similar devices and
systems have been created,
such as the GameShark.

1. Console Games
2. DOS Games
2.1. Memory Scanning

Game Wizard 32 is a DOS
memory scanner

memory scanner
Search for a value (eg: health,
ammo, money) in game

memory scanner
Keep searching for the value,
as is it changes

memory scanner
as is it changes
Find the correct memory
address (trial and error)

memory scanner
as is it changes
Enter a new value, and
“freeze” it if desired

memory scanner
as is it changes
Enter a new value, and
“freeze” it if desired

God mode!

1. Console Games
2. DOS Games
2.1. Memory Scanning
2.2. Hex Editing save games

Take note of the value (eg:
health, ammo, money) in
game to be changed, and
create a save game

create a save game
Open the save game and ﬁnd
the hex value of the amount
(bytes might be switched)
1000 = 03E8 in hex

create a save game
1000 = 03E8 in hex
Overwrite with the new
value (trial and error)
31337 = 7A69 in hex

create a save game
1000 = 03E8 in hex
Overwrite with the new
value (trial and error)
31337 = 7A69 in hex

Proﬁt!

1. Console Games
2. DOS Games
3. Windows Games
3.1. Diablo 1 & Memory Scanning

MHS (“Memory Hacking
Software”) is a great
Windows memory scanner

Some game mechanics are
available to the game client
even if not shown

even if not shown
Eg:Wirt’s “Cape of Health” in
Diablo 1

even if not shown
Diablo 1
Doing a “string” search for it
in MHS...

even if not shown
Diablo 1
Doing a “string” search for it
in MHS... ﬁnds the address,
which can be read in the
future.

Diablo 1 had no multiplayer
“state” checking
Game clients dictated the
stats of their character to
each other (peer to peer, via
Battle.Net)
Character stats could be
changed
Items could be exported,
imported and modiﬁed
Custom items could be
created (eg:“Zacon Item of
L33tn3ss”)

1. Console Games
2. DOS Games
3. Windows Games
3.1. Diablo 1 & Memory Scanning
3.2. StarCraft 1 map hack with OllyDbg (debugger)

Making of a StarCraft map
hack:
1. explore a new area, and
search for “unknown” data

hack:
2. leave the area, and search
again

hack:
2. leave the area, and search
again
3. repeat until “suspicious”
results are found (lots of
addresses changing between
two values, in order)
4. copy one of these
addresses

hack:
5. attach OllyDbg to the
game, and put a breakpoint
on the memory address

hack:
6. wait for the game to pause
(map being redrawn)

hack:
(map being redrawn)
7. modify the code to always
set the “shown” value (jump
to code cave if necessary)

hack:
(map being redrawn)
7. modify the code to always
set the “shown” value (jump
to code cave if necessary)

Map hack!
(in multiplayer)

Unlike Diablo 1, StarCraft has
“state” checking, so values
couldn’t just be modiﬁed...
... (ﬂawed) game logic has to
be exploited
“The Zerg Mineral Hack works by
sending a command that tells a
larva to morph into an invalid unit,
which is worth 564 minerals.Then,
the morphing auto-cancels (it's a
feature of the hack, not the exploit)
and the player receives 514 extra
minerals.” - Zynastor

Unlike Diablo 1, StarCraft has
“state” checking, so values
couldn’t just be modiﬁed...
... (ﬂawed) game logic has to
be exploited
1600 minerals, seconds in to
the game, and counting!
“The Zerg Mineral Hack works by
sending a command that tells a
larva to morph into an invalid unit,
which is worth 564 minerals.Then,
the morphing auto-cancels (it's a
feature of the hack, not the exploit)
and the player receives 514 extra
minerals.” - Zynastor

1. Console Games
2. DOS Games
3. Windows Games
3.3. World of Warcraft & more memory hacks

“Memory Hacking” is often
thought to be simple,
limiting, and “lame”
Many hacks can be achieved
by changing, or freezing,
memory values:
Teleporting, ﬂying, no-
clipping, speed hacks, etc

memory values:
Spammers make use of them

memory values:
Spammers make use of them
Sometimes “restricted” Spell
IDs are found, and used, by
non-GameMasters, resulting
in mass (in-game) death

1. Console Games
2. DOS Games
3. Windows Games
3.3. World of Warcraft & more memory hacks
3.4. Kartograph

“Kartograph”, shown at
Defcon 18, takes an
interesting approach to game
hacks:
Game memory is monitored

“Kartograph”, shown at
Defcon 18, takes an
interesting approach to game
hacks:
Game memory is monitored,
and shown as a “heat map”,
making identifying data, and
making (especially map)
hacks, much quicker and
easier
I can’t do them enough
justice in these slides, visit
http://elie.im/talks/kartograph
to learn more about it!

1. Console Games
2. DOS Games
3. Windows Games
3.5. Ultima Online “POL” server exploitation with W32Dasm

“POL”, an Ultima Online
server emulator, stores it’s
data in key-value based text
ﬁles.
An advisory was mailed out,
suggesting that if someone
where to insert a “newline”
character additional
properties could be inserted.
Luckily this was deemed
impossible ;)
So I set out to do it...

Game clients often restrict
input, but we can put in
“markers” (the third “A” in
this case)

this case), and then search for
it’s hex value in memory...

(changing it,

(changing it, and searching for
it’s new value, until we ﬁnd it)

... and then replacing it with
something like, like a newline

... and then replacing it with
something like, like a newline
(or something else more
malicious?)
Game clients don’t always
like us doing that... BUT...

W32Dasm (aka WinDasm) is
a decompiler which can ﬁnd
text strings in an application

text strings in an application,
and show us the code around
them
In this case there’s a
“Conditional” jump from
0041EC75

text strings in an application,
and show us the code around
them
In this case there’s a
“Conditional” jump from
0041EC75
Which performs some kind
of checking, and then jumps
to the code with the string
in, if the condition is met.
We can make note of the
offset (0001EC75)...

... and open the ﬁle, going to
that location, in a hexeditor
Where we see the same hex
codes

codes
Changing them to “90”s...

codes
Changing them to “90”s...
“nop”s them out
“nop”s basically mean “do
nothing” (“No Operation”) -
in this case, never error on
invalid characters

The “CmdLevel test” payload
after our marker would give
your character GameMaster
powers.
This has been ﬁxed in more
recent POL versions - for
character names, but
theoretically every text input
(such as naming pets) may
still be vulnerable

1. Console Games
2. DOS Games
3. Windows Games
4. iPhone / iPad Games
4.1. Non-Jailbroken hacks - modifying “plist” and other conﬁg ﬁles

iPhone games can be hacked,
to some degree, without
jailbreaking

jailbreaking
Using a program like
“iExplorer” game ﬁles can be
accessed

jailbreaking
accessed, and changed (eg:
changing a high-score, and
setting scores as not have
been sent yet)

jailbreaking
accessed, and changed (eg:
changing a high-score, and
setting scores as not have
been sent yet)
The next time the game is
run, the scores are updated!

Some games “lock” content
until certain levels or scores
are reached (or payments
have been made)

have been made)
Often these “locks” are
controlled in config files
(look out for “ini”,“plist” and
“sqlite” files!)

have been made)
Changing “0” values to “1”s
often does the trick

have been made)
Changing “0” values to “1”s
often does the trick

Unlocked!

Tools like Burp Suite, and
mitmproxy, can be used to
intercept game trafﬁc

Tools like Burp Suite, and
mitmproxy, can be used to
intercept game trafﬁc
And re-write values, such as
XP, gold, scores, or
“premium” (paid-for) credits
mitmproxy lets you write
scripts to do this
automatically

1. Console Games
2. DOS Games
3. Windows Games
4. iPhone / iPad Games
4.2. Jailbroken hacks - decompiling with IDA Pro

iOS games are encrypted
when downloaded from the
App Store
Calculating offsets, using
“gdb” to dump memory, and
trial and error byte switching
can decrypt apps... OR...
A jailbroken app called
“clutch” can be used to
decrypt them quickly and
easily

Decrypted iOS apps can be
opened in “IDA Pro” - be
sure to set the “Processor
type” to “ARM” though!

Analysis will run, displaying
function names on the left,
allowing you to view their
actions
Un-wanted commands can be
found, their offsets noted
(0011A508)

actions
(0011A508), the application
ﬁle opened in a hex editor

actions
(0011A508), the application
ﬁle opened in a hex editor,
and them edited out
(00’s work as NOPs in ARM)

NOTE: after modifying an
iOS application (and re-
uploading it to your device),
you will need to “sign” it with
“ldone” (from Cydia)
Your device will probably
need to be restarted before
the app will run

the app will run
The game WordsWithFriends
has a “isValidMove” method...

the app will run
The game WordsWithFriends
has a “isValidMove” method...
... which could be set to
always return true - the
server, and other clients,
don’t seem to care!

Recommended Reading:
1. “Exploiting Online Games: Cheating Massively Distributed
Systems” - Greg Hoglund & Gary McGraw
2. “Hacking and Securing iOS Applications” - Jonathan Zdziarski
3. Forums:
http://www.blizzhackers.cc & http://www.mpgh.net/forum/

Real world concerns?
1. Bypass string terminators in saved games to buffer overﬂow and
root devices? (eg: PSP - http://pspslimhacks.com/psp-6-20-save-
data-exploit-released-hello-world-6-20/)
2. Send malicious (code execution?) instructions to multiplayer
clients (eg: Starcraft forced map download hack)
3. Send XSS or SQL injection to “high score” severs not checking
or ﬁltering input

ZaCon 4 (2012) - Game Hacking

More Related Content

What's hot

Similar to ZaCon 4 (2012) - Game Hacking

Recently uploaded

ZaCon 4 (2012) - Game Hacking