Hacking Online Games - University Of Arizona

Hacking Online Games
Matt Ward & Paul Jennas II
April 22, 2012

Agenda
- Importance
- Attack Tree for Cheating On-line Poker
- Bots
- Denial of Service
- Collusion
- Software Exploits
- Conclusion

Importance
- Out-of-band market for virtual equipment
- EverQuest example
  - In 2004, "the Gross National Product of EverQuest, measured by how much wealth all the players together created in a single year inside the game ... turned out to be $2,266 U.S. per capita."
  - 77th wealthiest country: equivalent to Russia - ahead of India, Bulgaria, and China
- Most gaming companies frown upon these markets

Importance (cont'd)
- Question
  - If the markets are outside of the game itself, should they add any more motivation for gaming companies to prevent cheating?
- Real motivation for gaming companies is to keep the customer happy
  - 2005 survey showed "no game hacking and cheating" as the #2 reason users chose a particular game and the #1 reason they stopped playing a game
  - "Any behavior that hurts business is bad behavior." - Raph Koster, Creative Director for Star Wars Galaxies
- Focus on on-line gambling
  - The "market" in on-line gambling is in-band
  - Obvious added motivation to prevent cheating

Attack Tree for Cheating Online Poker
[Figure: attack tree with root "Cheating Poker"; the only other legible node label is "Vulnerability Exploit"]

Attack Tree for Cheating Online Poker (cont'd)
[Figure: attack tree with root "Cheating Poker"; legible node labels: Intentional Self Disconnect, Attack Poker Site, Force Opponent Disconnect, Secret Alliance, Take Advantage Of Opponent, Encrypt Data, Combine Chips, Share Hole Card Info, Bully Opponents With Reraises]

Poker Tutorial
- Card game where card ranks and forming "hands" are used to determine winner.
  - High card, Pair, Two Pair, Three of a Kind, Straight, Flush, Full House, Four of a Kind, Straight Flush
- Skilled players understand game statistics and human psychology
- Many variations of the game (hand definitions fairly standard)
  - Texas Hold'em, Omaha, Stud, etc.
- Actions include Bet, Check, Fold, Call, Raise

Bots
- Resource collection
- Simple poker bots that win most of the time are sufficient for making money
  - cheater can deploy large number of bots
  - each bot may only make a small dollar amount per hour but having several that run simultaneously and around the clock can add up to significant amounts of money
- More complex bots with advanced AI can improve win percentages
  - Polaris Pokerbot won 2008 Man vs. Machine Poker Championship

Macros
- Scripts used to create bots that can play a game
- Farming - having a bot perform a repetitive process to gain game resources
  - e.g. In WOW find a location where an enemy spawns, have bot locate and kill enemy, then wait for respawn, rinse and repeat
- AC Tool is a powerful Macro builder (http://www.actool.net/)
- Macros have many legitimate purposes, such as GUI automation testing

AC Tool
- Macro builder - build sequence of commands
  - Press any number of keys for any amount of time
  - Move mouse to specific mouse location and click left or right mouse button
  - Hold left mouse button down and move mouse to drag windows
- Sample pixels
  - Allows you to locate items on the screen (e.g. enemies)
- Simple programming logic (if/else, loops, variables, procedures, etc.)
- Can even ftp

Bots
Countermeasures
- Players can chat to try to discover a bot
  - Some players play several games at once and can't respond
  - In a game revolving around misdirection, players may refuse to respond to try to disguise themselves as a bot
- CAPTCHAs - prompt players periodically during long periods of play
- Scan players' computers

Bot Detection
- World of Warcraft (WOW) has a client program called "Warden"
  - Runs every 15 seconds (new versions of Warden come from the server whenever Blizzard wants)
  - Checks every dll injected into WOW.exe
  - Reads the titlebar text of every open window
  - Also reads memory of every open process

Countermeasures (cont'd)
- Greg Hoglund wrote a program called "The Governor" to monitor Warden and see exactly what it looks at
- Greg noticed email addresses, open URLs, IM contacts and program names being sent back to server
- Considers Warden spyware and a major privacy issue
- Do you agree?

Countermeasures (cont’d)

Denial of Service
- In on-line poker, users are required to act within a set amount of time
- If the site policy is to auto-fold a disconnected player
  - Opportunity for a cheater to perform a DDoS attack
  - Alice and Bob are in a heads-up situation with a large pot at stake
  - When the action gets to Alice, Bob performs a DDoS attack to prevent her from acting
  - Alice is auto-folded, Bob wins the pot
- If the site policy is to place the player "all-in"
  - Players can intentionally disconnect themselves

DoS (cont'd)
- DoS attacks for ransom
- Attack on Grafix Softech
  - Hackers bypassed firewalls and security systems to insert virus that encrypted data on all five production servers
  - Grafix paid ransom to get the encryption key
  - Lost $75,000 per day for approx 1 week

DoS (cont'd)
DoS Countermeasures
- Don't provide IP addresses of other users
- Use multiple ISPs
- Disaster-recovery plan and replication
- Track user disconnect history

Collusion
- One of the major issues in on-line poker
- Requirement: out-of-band communication
- Two or more players acting together have a significant advantage
  - Whipsawing - coordinated raises to isolate opponents
  - Can share information on hole cards - improves odds calculations

Collusion (cont'd)
[Figure: the board (J, 7, 2) and Eve's hole cards (6, 7)]
- 5 cards left that could improve Eve's hand - three 6's, two 7's
- Eve needs at least 4:1 pot odds

Collusion (cont'd)
[Figure: the board (J, 7, 2), Eve's hole cards (6, 7) and Bob's hole cards (6, 6)]
- 3 cards left that could improve Eve's hand - one 6, two 7's
- Eve now needs over 7:1 pot odds
- Bob also gains information
- This information saves both Eve and Bob money

Collusion (cont'd)
- Combining chip stacks in a tournament
  - In tournament play, size matters
  - Colluding players can purposefully lose to one member to create a large chip stack
- A single player with multiple accounts can also employ these cheats

Collusion (cont'd)
Collusion Countermeasures
- IP checking - prevent nearby players from sitting at the same table
  - does not prevent communication via phone, text message, IM
  - even less effective given wifi and cell phone tethering
- Collusion-detection algorithms
  - effective against whipsawing
  - unlikely to detect players sharing hole card information
- Track player stats, investigate anomalies

Software Exploits
- Client code
- Network Packets
- Server Code
- Exploit Vulnerability
- Insider Attack
- Memory or data modifications

Software Exploits
- Exploit the game's card shuffling algorithm
  - ASF Software displayed shuffling algorithm online to show how fair it was
  - Cigital Software was able to break it in real time
  - A seed is used for random number generator
  - Seed just 32 bits, which allows 4 billion shuffles, much less than a real deck's 52!

Computer Randomness - Shuffling (cont.)
- Seed set with number of milliseconds since midnight, but just 86 million milliseconds in a day, so now just 86 million possible shuffles
- Guessing system clock and seed allowed Cigital to reduce number of shuffles to 200,000 possibilities
- Once 5 cards were known they were easily able to tell how the deck was shuffled
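The keyspace collapse described on the two shuffling slides, as an added example that is not part of the original deck and is not ASF's or Cigital's code. It assumes Python's `random.Random` as a stand-in for the site's generator; `weak_shuffle`, `seeds_consistent_with` and `strong_shuffle` are hypothetical names, and the seed value used to exercise it is constructed.

```python
import math
import random
import secrets

DECK = [r + s for s in "cdhs" for r in "23456789TJQKA"]   # 52 cards
MS_PER_DAY = 24 * 60 * 60 * 1000                          # 86,400,000

def keyspace_bits():
    """Bits of uncertainty at each stage named on the slides."""
    return {
        "fair_deck": math.log2(math.factorial(52)),   # 52! orderings
        "seed_32bit": 32.0,                           # about 4 billion shuffles
        "ms_since_midnight": math.log2(MS_PER_DAY),   # clock-derived seed
        "clock_guessed": math.log2(200_000),          # after estimating the clock
    }

def weak_shuffle(ms_since_midnight):
    """Flawed design: the whole deck order is a function of a clock value."""
    rng = random.Random(ms_since_midnight)
    deck = DECK[:]
    rng.shuffle(deck)
    return deck

def seeds_consistent_with(known_cards, centre_ms, window_ms):
    """Audit check: which clock seeds near centre_ms reproduce the cards seen?"""
    lo = max(0, centre_ms - window_ms)
    hi = min(MS_PER_DAY - 1, centre_ms + window_ms)
    n = len(known_cards)
    return [s for s in range(lo, hi + 1) if weak_shuffle(s)[:n] == known_cards]

def strong_shuffle():
    """Hardened form: draw from the OS CSPRNG, no recoverable seed."""
    deck = DECK[:]
    secrets.SystemRandom().shuffle(deck)
    return deck

if __name__ == "__main__":
    for stage, bits in keyspace_bits().items():
        print(f"{stage:18s} {bits:7.2f} bits")
    seed = 41_234_567                       # constructed "time of shuffle"
    dealt = weak_shuffle(seed)
    # Five visible cards plus a clock estimate a few seconds off.
    hits = seeds_consistent_with(dealt[:5], seed + 1500, 5000)
    print("seeds matching five known cards:", hits)
```

Running the same audit against a generator reseeded from the operating system returns no usable candidate list, because no clock value determines the deck.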

Software Exploits (cont'd)
- Insider attack at AbsolutePoker
  - Players noticed a few accounts on AbsolutePoker's high stakes tables with an abnormally high win-percentage
  - One player estimated losing as much as $700,000
  - Group of players obtained hand histories involving the suspect accounts
  - Win rate was 15 standard deviations above the mean
  - Video of reconstructed game: http://www.youtube.com/watch?v=FczbS7FiWSM

Software Exploits (cont'd)
[Figure: win rates of 5,200 online players]
- X-axis represents the number of blinds won per 100 hands
- Y-axis represents the percent of hands the user enters
- Cheater's win rate is the equivalent of winning a lottery with one-in-a-million odds 6 times in a row
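The "track player stats, investigate anomalies" countermeasure and the AbsolutePoker win-rate outlier, sketched as detection logic. This is an added example, not part of the original deck: the account names, the hand counts, the win rates and the thresholds are all constructed, and the median/MAD score is one reasonable choice rather than the method the players actually used.

```python
import random
import statistics

def build_sample():
    """Constructed data: account -> (hands played, big blinds won)."""
    rng = random.Random(2012)
    stats = {}
    for i in range(200):
        hands = rng.randint(5_000, 50_000)
        rate = rng.gauss(-1.0, 5.0)               # blinds won per 100 hands
        stats[f"player_{i:03d}"] = (hands, rate * hands / 100)
    stats["suspect_acct"] = (20_000, 120.0 * 20_000 / 100)  # sustained outlier
    stats["new_account"] = (150, 300.0 * 150 / 100)         # hot streak, tiny sample
    return stats

def win_rates(stats, min_hands):
    """Blinds won per 100 hands, ignoring samples too small to judge."""
    return {a: 100 * bb / h for a, (h, bb) in stats.items() if h >= min_hands}

def classic_z(rates):
    """Mean/standard-deviation z-score; the outlier itself inflates the scale."""
    vals = list(rates.values())
    mean, sd = statistics.mean(vals), statistics.pstdev(vals)
    return {a: (r - mean) / sd for a, r in rates.items()}

def robust_z(rates):
    """Median/MAD score; one extreme account cannot stretch the yardstick."""
    vals = list(rates.values())
    med = statistics.median(vals)
    mad = statistics.median(abs(v - med) for v in vals)
    if mad == 0:
        raise ValueError("no spread in win rates; cannot score")
    return {a: 0.6745 * (r - med) / mad for a, r in rates.items()}

def flag_accounts(stats, min_hands=5_000, threshold=6.0):
    """Accounts whose long-run win rate sits far above the field."""
    scores = robust_z(win_rates(stats, min_hands))
    return sorted(a for a, z in scores.items() if z > threshold)

if __name__ == "__main__":
    stats = build_sample()
    rates = win_rates(stats, 5_000)
    print("flagged:", flag_accounts(stats))
    print("classic z:", round(classic_z(rates)["suspect_acct"], 1))
    print("robust z: ", round(robust_z(rates)["suspect_acct"], 1))
```

The minimum-hands filter keeps a short lucky streak out of the review queue, and flagged accounts are candidates for hand-history review rather than proof of cheating.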

Software Exploits (cont'd)
Hacking
- Insider attacks which allow a player to see opponents' hole cards
[Figure: the board (J, 7, 2), Eve's hole cards (6, 7) and Bob's hole cards]
- 5 cards left that could improve Eve's hand - three 6's, two 7's
- Eve needs at least 4:1 pot odds

Software Exploits (cont'd)
Software Exploits
- Insider attacks which allow a player to see opponents' hole cards
[Figure: the board (J, 7, 2), Eve's hole cards (6, 7) and Bob's hole cards (6, 6)]
- if Eve is heads up against Bob then pot odds no longer matter
- Eve has Bob beat
- she can even attempt to induce a bluff out of Bob

Software Exploits (cont'd)
Hacking Client Side
- Hacking client code itself (need source access or decompile from exe)
- Modifying network packets
- Modifying client memory (memory modifying tools or DLL Injection)

Software Exploits - DLL Injection
- DLL Injection - get application to run your DLL
- DLL vs EXE
  - exe is executable program, has main()
  - exe runs in own memory
  - dll is dynamic linked library, no main()
  - dll is like a library, can be loaded dynamically in memory by many processes
  - Can link dll at load time or run time

Software Exploits - DLL Injection
- DLL Injection - get application to run your DLL (cont.)
- Three examples:
  - CreateRemoteThread
    - Use Windows API to start a thread (running your dll) in another process
  - SetWindowsHookEx
    - "Hook" onto a Windows message for a remote thread
    - Your dll will run in remote thread when message is received
  - Code Cave Method
    - Suspend target thread (use SuspendThread)
    - Save address of next instruction to be executed (look in register for stack pointer)
    - Allocate and load dll in memory (use VirtualAllocEx). Set target thread's next execution instruction to the beginning of our dll's location in memory
    - Resume suspended target thread. When we finish our work, call back what would have been the next instruction
    - Can imagine running some code each pass in game loop

Software Exploits - Create Remote Thread Demo
- CreateRemoteThread example with Minesweeper
- Used Ollydbg and IDA to learn Minesweeper timer memory location and function signatures
- Allows me to change time and open about dialog
- Fairly trivial using Microsoft Visual C (see http://www.blizzhackers.cc/viewtopic.php?p=2483118)

Disassembler
- Interactive Disassembler (IDA)
  - Generates assembly code from exe
  - Show imported functions from other dlls
  - By analyzing stack and register usage and cross referencing with known libraries can generate function names and parameters
  - Has debugger
  - ndex.shtml

IDA - Software Exploits cont.

Debugger
- OllyDbg
  - Also shows assembly, but can set breakpoints in code
  - View stack and registers
  - http://www.ollydbg.de/

Olly - Software Exploits cont.

Software Exploits (cont'd)
Hacking Countermeasures
- Employ insider attack safeguards (background checks, code reviews, access to critical info requires multiple people, etc.)
- Simple client
  - Minimize data available to client
  - All critical decisions should be made by server
- Tools that check for injected DLLs or checksums on client code

Conclusion
- As a user
  - On-line gamblers need to do their homework
  - Review the security features employed by the gambling site
- As a gaming company
  - Security precautions need to be regularly reviewed and updated - security is an ongoing and evolving battle
  - Even out-of-band markets provide motivation
  - "of course, there is one kind of help you usually don't want: the government." - Stephen Davis

References
- Online gambling. American Gaming Association. irs/key-issues/online-gambling .
- Noa Bar-Yosef. Hacking the house: How cybercriminals attack online casinos. Security Week, August -cybercriminals-attack-online-casinos .
- Simon Carless. Gaming Hacks. O'Reilly Media, Inc., 2004.
- Darawk. Dll injection. Blizz Hackers, March 2006. http://www.blizzhackers.cc/viewtopic.php?p=2483118
- Stephen Davis. Protecting Games: A Security Handbook for Game Developers and Publishers. Course Technology PTR, 2009.
- Jack M. Germain. Global extortion: Online gambling and organized hacking. TechNewsWorld, March 2004. http://www.technewsworld.com/story/33171.html
- Greg Hoglund and Gary McGraw. Exploiting Online Games: Cheating Massively Distributed Systems. Addison-Wesley Professional, 2007.
- Adam Lake. Game Programming Gems 8. Course Technology PTR, 2010.
- Gary McGraw and Greg Hoglund. Cheating Online Games. Addison-Wesley Professional, 2006.
- Matthew Pritchard. How to hurt the hackers: The scoop on internet cheating and how you can combat it. Gamasutra, July w to hurt the hackers the scoop .php .
- Andrew Rollings and Ernest Adams. Andrew Rollings and Ernest Adams on Game Design. New Riders, 2003.
- Shahen Ramezany. Hacking / exploiting / cheating in online games. Abysssec, March ds/2011/03/Exploiting-Online-Games.pdf.
- Ira Rosen. How online gamblers unmasked cheaters. CBS News, June 2009. http://www.cbsnews.com/2100-18560_162-4633254.html?tag=contentMain
- Nikola Strahija. Russian hackers raid largest online gaming operation and destroy data in blackma. Xatrix Security, February -raid-
- Daniel Terdiman. Hacking online games a widespread problem. CNET, April 2009. http://news.cnet.com/8301-10797_3-10226485-235.html
- Cheating in online games. Wikipedia, February 2012. http://en.wikipedia.org/wiki/Cheating_in_online_games
