
You Have to Hack This Massively Multiplayer Game to Beat It - ikeboy
http://www.wired.com/2015/04/multiplayer-hack-to-win/
======
ShaneWilton
Pwnadventure 3 debuted at the Ghost in the Shellcode CTF this year, and it was
an absolute blast. If anyone is hoping to break into security or CTFs, I can't
recommend this contest enough.

I play as part of the team that placed 2nd this year, Samurai, and all of us
were in awe at how well put together the problems were, and how great the
experience was overall.

Here's a link to a writeup I did of one of the quests, that involved reverse
engineering a massive circuit, then using it to open a locked door:
[https://medium.com/@shanewilton/ghost-in-the-shellcode-2015-...](https://medium.com/@shanewilton/ghost-in-the-shellcode-2015-blockys-revenge-7074a119115e)

The official website for the CTF is here:
[http://ghostintheshellcode.com/](http://ghostintheshellcode.com/)

Edit: If you enjoyed that writeup, here is a (in my opinion) much more
interesting writeup I did of a similar problem last year:
[https://medium.com/@shanewilton/9447-ctf-2014-hellomike-writ...](https://medium.com/@shanewilton/9447-ctf-2014-hellomike-writeup-ba812f012d5)

~~~
borski
I like to think I'm good at this stuff, but that HelloMike writeup still
boggles my mind. I need to get better at NFAs, etc.

------
gtank
I highly endorse this sort of thing! Reverse engineering online games is how I
really got started with computers. It's a great teaching tool because the
reward loop is short and immediately relevant - you get superpowers, in the
game you already play with your friends, in almost direct proportion to how
much you've learned.

Depending on the game you'll learn about binary reversing, executable formats,
networking, rendering, x86 assembly, C, JVM bytecode, or more advanced topics.
We dove right into hard things because it was fun and there was no one to tell
us they were too hard for kids. The end result among my group of friends seems
to be several careers in tech with a decided systems and security skew.

edit: I remember Runescape in particular. They applied such an escalating
series of obfuscations to the client code and network protocol that we
deployed things I now recognize as AST analysis and machine learning to work
past them. These days, I really wonder what the view from the Jagex security
team was like. Did they have fun constantly coming up with new challenges for
bored teenagers?

~~~
stickydink
I too got into my game development career by, essentially, trying to hack
Runescape. I sank an unhealthy amount of my early teenage years into working on
Runescape bots, for both the original and RS2. Every time I think back on it, so
many happy and exciting memories.

From AutoRune scripts, to writing bots, to computer vision, all for one game.
That turned into an obsession with an industry that had me move halfway
across the world to work on our own multiplayer virtual worlds.

The community was pretty active, and at one point I was building/hosting the
most-used public bots/sites. I can imagine our paths crossed one way or
another at some point!

~~~
gtank
I have a very similar set of good memories. I put more time into
deobfuscation, updating, detection evasion, and (eventually) server emulation
than bots per se.

My contact info is in my profile, it would be cool to see if we ran into each
other back then.

------
nerdy
I've been involved in the gamehacking scene for longer than I'd like to admit;
it's a tremendous amount of fun and feels rewarding but it's a very hollow
reward. Sure, you can build programs to manipulate game clients to do all of
those things. The problem is that there's most often no legitimate way to
openly bring the fruit of that labor to market as a result of the MDY vs
Blizzard case regarding wowglider[1] and more specifically with the DMCA.

I wasn't sued but paid for intellectual property counsel to examine how the
Ninth Circuit ruling would translate across the US and they didn't exactly
tell me to go ahead.

There are plenty of legitimate reasons to extend games, which is why WoW had
Lua and many other games are at the very least hooked into for parsing
capabilities. These kinds of 3rd party parsers are in many cases not legal, so
not openly marketable.

So for anyone considering a future for-profit project, hire a lawyer and
review all those nasty agreements and see how the DMCA might come back to
haunt you before you're _too_ invested in it.

For anyone who's considering it for fun: Just understand that the time you
spend on gamehacking _probably_ won't result in a revenue-producing project.
If you're looking to learn, gamehacking can teach you a lot about a variety of
things like memory (address space/pointers/offsets), rendering, assembly code,
geometric and pathfinding algorithms (Dijkstra/A*), pattern matching/signature
scanning. Many of those things have real-world applications such as signature
scanning for virus definitions. You'll get plenty of hexadecimal math
practice. You can learn about DirectX or network traffic. You can have really
enjoyable learning experiences working with games at a lower-than-intended
level, but keep in mind that any time not learning is only about as well-spent
as time playing video games... it's fun but incredibly addictive and they're
already at "Pwn Adventure 3" so there's no end in sight!

[1]
[http://en.wikipedia.org/w/index.php?title=MDY_Industries,_LL...](http://en.wikipedia.org/w/index.php?title=MDY_Industries,_LLC_v._Blizzard_Entertainment,_Inc.&oldid=646787903)

~~~
dikaiosune
FYI, HN seems to bork that link. Tried replying with the "correct" link and
something was reformatted to make it no longer work.

~~~
BenTheElder
It's stripping the period from the end of the url.

Perhaps the permalink to the current version will work:

[http://en.wikipedia.org/w/index.php?title=MDY_Industries,_LL...](http://en.wikipedia.org/w/index.php?title=MDY_Industries,_LLC_v._Blizzard_Entertainment,_Inc.&oldid=646787903)

Edit: yep works.

Wikipedia will also accept without any parameters so just adding an ampersand
to the end should work:
[http://en.wikipedia.org/w/index.php?title=MDY_Industries,_LL...](http://en.wikipedia.org/w/index.php?title=MDY_Industries,_LLC_v._Blizzard_Entertainment,_Inc.&)

~~~
nerdy
It works! Good job, thanks for the info. Updated the parent comment.

------
ccvannorman
Reminds me of Code Hero, a game I once worked on --
[https://www.kickstarter.com/projects/primerist/code-hero-a-g...](https://www.kickstarter.com/projects/primerist/code-hero-a-game-that-teaches-you-to-make-games-he)

We need more games like this!

~~~
bradjohnson
I remember playing this at PAX one year, it was a cool concept. Is the project
dead now?

~~~
ecaron
Dead. [https://www.kickstarter.com/projects/primerist/code-hero-a-g...](https://www.kickstarter.com/projects/primerist/code-hero-a-game-that-teaches-you-to-make-games-he/posts/788367)

------
BenTheElder
Well this looks fun. I'd be interested to hear about how they go about
sandboxing the server (perhaps for the previous games so as not to ruin the fun).

~~~
psifertex
There's no sandboxing on the server since all the challenges this year were
essentially exploiting the trust relationship between the client and the
server (or required reverse engineering that was just hard regardless of where
the logic was). We certainly didn't /intend/ for someone to directly exploit
the server, though it's always a possibility in these sorts of games. If so,
they deserved the points they got (not all the flags were available even if
you did hack it as some challenges were outside of the game).

It was also somewhat mitigated by the fact that the game was deployed on AWS
instances just for that weekend and it was easy to bring up new instances any
time we needed it, so someone cracking the server could certainly cause
trouble, but there really wasn't any long-term damage they could do.

~~~
BenTheElder
Thanks, sounds like it was a lot of fun.

------
giancarlostoro
The first challenge makes me think of the first Diablo game, in which all your
player stats were hosted locally for online gameplay, so if you edited your
files and gave yourself the best weapons locally, you were invincible (or
rather powerful) online as well.

------
whybroke
So is it a felony to play this game as intended?

[http://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act](http://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act)

~~~
BenTheElder
I am NOT a lawyer but:
[http://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act#Cr...](http://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act#Criminal_offenses_under_the_Act)

      1) it's not a government server or data.
      2) pretty sure they've authorized you to access the server.
      3) see 1)
      4) no fraud involved.
      5) playing the game (as intended) is not causing damage.
      6) no commerce involved.
      7) no extortion involved.

So no, I'd hazard that it is not a felony to play this game...

------
mkoryak
I once "hacked" an online game called bombermine and made myself a god (or at
least able to kill anyone) by exploiting a few bugs I found:

[http://imgur.com/a/QeYJ7](http://imgur.com/a/QeYJ7)

Someday I should do a writeup about the man-in-the-middle thing I had to
build to make this possible.

------
z3t4
What you should learn from game programming about security is to:

      Never trust the client!

I'm baffled that in games like Minecraft, the server sends all blocks to the
client, instead of just the blocks that are visible. Or that you can give
yourself any weapon and infinite ammo in DayZ. etc ...
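As an added illustration of the "never trust the client" rule (this is example code written for this page, not code from the thread, from any of the games named, or from any commenter), here is a toy Python model contrasting a server that stores whatever stats the client reports (the Diablo and DayZ pattern described in this thread) with a server-authoritative one that validates movement, pickups and ammo and ships only the blocks within view distance (the Minecraft point). Every message shape, weapon table, range and map here is constructed for the example.

```python
"""
Toy client/server models for the 'never trust the client' rule.
Added illustration, not code from any game or from the thread.
All message formats, names, maps and numbers are constructed.
"""
from dataclasses import dataclass

WEAPON_AMMO = {"pistol": 12, "rifle": 30}   # constructed weapon table
VIEW_RADIUS = 2                            # constructed view distance (blocks)
PICKUP_RANGE = 1                           # constructed pickup range (blocks)


@dataclass
class Player:
    name: str
    weapon: str = "pistol"
    ammo: int = 12
    pos: tuple = (0, 0)


def _dist(a, b):
    """Chebyshev distance on a 2-D grid."""
    return max(abs(a[0] - b[0]), abs(a[1] - b[1]))


class TrustingServer:
    """Vulnerable pattern: client-reported stats are stored as-is.

    A modified client (or an edited save file) can therefore assign itself
    any weapon and any ammo count, and the server will act on it.
    """

    def __init__(self):
        self.players = {}

    def handle(self, name, msg):
        p = self.players.setdefault(name, Player(name))
        if msg["type"] == "set_stats":
            p.weapon, p.ammo = msg["weapon"], msg["ammo"]   # trusted blindly
            return "ok"
        if msg["type"] == "fire":
            if p.ammo <= 0:
                return "empty"
            p.ammo -= 1
            return "hit"
        return "unknown"


class AuthoritativeServer:
    """Hardened pattern: the server owns all state and validates every intent."""

    def __init__(self, world, pickups):
        self.players = {}
        self.world = world        # {(x, y): block}, constructed map
        self.pickups = pickups    # {(x, y): weapon}, constructed item spawns

    def handle(self, name, msg):
        p = self.players.setdefault(name, Player(name))
        if msg["type"] == "set_stats":
            return "rejected"      # stats never come from the client
        if msg["type"] == "move":
            dest = tuple(msg["to"])
            if _dist(p.pos, dest) > 1:      # one block per tick; no teleports
                return "rejected"
            p.pos = dest
            return "ok"
        if msg["type"] == "pickup":
            at = tuple(msg["at"])
            weapon = self.pickups.get(at)
            if weapon is None or _dist(p.pos, at) > PICKUP_RANGE:
                return "rejected"   # item must exist and be in reach
            del self.pickups[at]
            p.weapon, p.ammo = weapon, WEAPON_AMMO[weapon]
            return "ok"
        if msg["type"] == "fire":
            if p.ammo <= 0:         # server-side count, not the client's claim
                return "empty"
            p.ammo -= 1
            return "hit"
        return "unknown"

    def visible_world(self, name):
        """Return only blocks within view range, not the whole map."""
        p = self.players[name]
        return {pos: b for pos, b in self.world.items()
                if _dist(pos, p.pos) <= VIEW_RADIUS}


def demo():
    """Constructed scenario: a client claiming a rifle with 9999 rounds."""
    cheat = {"type": "set_stats", "weapon": "rifle", "ammo": 9999}
    trusting = TrustingServer()
    trusting.handle("eve", cheat)
    trusted_ammo = trusting.players["eve"].ammo           # 9999: cheat accepted

    world = {(x, y): "stone" for x in range(-5, 6) for y in range(-5, 6)}
    auth = AuthoritativeServer(world, pickups={(3, 0): "rifle"})
    auth.handle("eve", cheat)                             # rejected
    far = auth.handle("eve", {"type": "pickup", "at": (3, 0)})   # out of reach
    auth.handle("eve", {"type": "move", "to": (5, 0)})   # rejected: teleport
    for x in (1, 2, 3):                                   # walk there instead
        auth.handle("eve", {"type": "move", "to": (x, 0)})
    near = auth.handle("eve", {"type": "pickup", "at": (3, 0)})  # ok, 30 rounds
    return (trusted_ammo, auth.players["eve"].ammo, far, near,
            len(auth.visible_world("eve")))


if __name__ == "__main__":
    print(demo())
```

The design point is that the hardened server never receives state, only intents ("move here", "pick this up", "fire"), and every intent is checked against state the server already holds; the client's own copy is a rendering cache, not a source of truth. The `visible_world` filter is the same idea applied to information flow: a client cannot reveal blocks it was never sent.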

~~~
asgard1024
To be fair, it's very hard to do, especially in a sandbox game - the computer
has not only to have a good model of the world, but also a model of how the
client sees the world.

And in Minecraft it's not really a problem, because the game is more
cooperative than competitive.

------
pulverizer
I remember, years ago in a multiplayer shooting game, I switched the clothing
index in the client code. So to me the enemies were wearing vivid jungle colors
while running in snow scenes and bright white while hiding in jungle
scenes. Easy to pick them off at a distance with my machine gun. I was
Pulverizer.

------
RockofStrength
This reminds me of the silly tight melee formations in Myth 2 that were
necessary to compete online.

------
iosengineer
Hack'n'Slash goes MMORPG!

~~~
psifertex
Our first previous version of the game
(ghostintheshellcode.com/#pwnadventure2) was also a 3d hackable MMORPG and was
released earlier than Hack N Slash. So really it was more like PwnAdventure
went 2d. ;-)

------
EGreg
Anyone played RoboWar for the mac?

Anything comparable out today with a community?

------
tsaoutourpants
We generally call that cheating, not hacking, but whatever.

~~~
EC1
It certainly _results_ in cheating, but the _process_ is hacking.

~~~
barkingcat
I'd argue it's not actually cheating if the game is meant to be played in such
a fashion.

~~~
EC1
If the goal of the game is to cheat, you're still cheating. It just happens to
be the main mechanism of the game.

~~~
mburns
If you are using the game as it is intended, you are by definition not
cheating.

