Hacker News new | past | comments | ask | show | jobs | submit login
You Have to Hack This Massively Multiplayer Game to Beat It (wired.com)
212 points by ikeboy on Apr 22, 2015 | hide | past | web | favorite | 46 comments

Pwnadventure 3 debuted at the Ghost in the Shellcode CTF this year, and it was an absolute blast. If anyone is hoping to break into security or CTFs, I can't recommend this contest enough.

I play as part of the team that placed 2nd this year, Samurai, and all of us were in awe at how well put together the problems were, and how great the experience was overall.

Here's a link to a writeup I did of one of the quests, that involved reverse engineering a massive circuit, then using it to open a locked door: https://medium.com/@shanewilton/ghost-in-the-shellcode-2015-...

The official website for the CTF is here: http://ghostintheshellcode.com/

Edit: If you enjoyed that writeup, here is a (In my opinion), much more interesting writeup I did of a similar problem last year: https://medium.com/@shanewilton/9447-ctf-2014-hellomike-writ...

I like to think I'm good at this stuff, but that HelloMike writeup still boggles my mind. I need to get better at NFAs, etc.

I highly endorse this sort of thing! Reverse engineering online games is how I really got started with computers. It's a great teaching tool because the reward loop is short and immediately relevant - you get superpowers, in the game you already play with your friends, in almost direct proportion to how much you've learned.

Depending on the game you'll learn about binary reversing, executable formats, networking, rendering, x86 assembly, C, JVM bytecode, or more advanced topics. We dove right into hard things because it was fun and there was no one to tell us they were too hard for kids. The end result among my group of friends seems to be several careers in tech with a decided systems and security skew.

edit: I remember Runescape in particular. They applied such an escalating series of obfuscations to the client code and network protocol that we deployed things I now recognize as AST analysis and machine learning to work past them. These days, I really wonder what the view from the Jagex security team was like. Did they have fun constantly coming up with new challenges for bored teenagers?

I too got into my game development career by essentially, trying to hack Runescape. I sank an unhealthy amount of my early teenage years working on Runescape bots, for both original and RS2. Every time I think back on it, so many happy and exciting memories.

From AutoRune scripts, to writing bots, to computer vision, all for one game. That turned into an obsession with an industry that had me move half way across the world to work on our own multiplayer virtual worlds.

The community was pretty active, and at one point I was building/hosting the most-used public bots/sites. I can imagine our paths crossed one-way or another at some point!

I have a very similar set of good memories. I put more time into deobfuscation, updating, detection evasion, and (eventually) server emulation than bots per se.

My contact info is in my profile, it would be cool to see if we ran into each other back then.

Me too! It was such a fantastic experience in retrospect. I've never been so incentivized to learn than during my reverse engineering years.

I started off writing SCAR scripts for Runescape and then got into development for the Aryan bot and private RS servers (if any of those ring any bells). I remember deobfuscation tools being consistently released and updated, but I left the runescape scene for warcraft before I could that far involved.

I have a friend who worked on anti-cheat technology for a very well known gaming company. He in fact started off selling hacks for said company and was hired to protect against them many years later. It was entertaining because part of his job was to maintain his old aliases and create new ones and frequent all the hacking forums and IRC channels to listen in on all the discussions. He would even sometimes contribute random information as part of his ruse. The best part is when his team would leave secret messages to hack developers (like in the byte patterns of the signature scans or embedded within the anti-cheat modules that were being mapped into memory). They had a great sense of humor and the hacking community picked up on it and loved it.

I think coming from our background and having to work in a security capacity like that would be fun as hell. It's very open-ended and like a never ending cat-and-mouse game. I'm sure the Jagex security team felt a similar drive back in the day.

I've been involved in the gamehacking scene for longer than I'd like to admit; it's a tremendous amount of fun and feels rewarding but it's a very hollow reward. Sure, you can build programs to manipulate game clients to do all of those things. The problem is that there's most often no legitimate way to openly bring the fruit of that labor to market as a result of the MDY vs Blizzard case regarding wowglider[1] and more specifically with the DMCA.

I wasn't sued but paid for intellectual property counsel to examine how the Ninth Circuit ruling would translate across the US and they didn't exactly tell me to go ahead.

There are plenty of legitimate reasons to extend games, which is why WoW had LUA and many other games are at very least hooked into for parsing capabilities. These kinds of 3rd party parsers are in many cases not legal, so not openly marketable.

So for anyone considering a future for-profit project, hire a lawyer and review all those nasty agreements and see how the DMCA might come back to haunt you before you're too invested in it.

For anyone who's considering it for fun: Just understand that the time you spend on gamehacking probably won't result in a revenue-producing project. If you're looking to learn, gamehacking can teach you a lot about a variety of things like memory (address space/pointers/offsets), rendering, assembly code, geometric and pathfinding algorithms (Dijkstra/A*), pattern matching/signature scanning. Many of those things have real-world applications such as signature scanning for virus definitions. You'll get plenty of hexadecimal math practice. You can learn about DirectX or network traffic. You can have really enjoyable learning experiences working with games at a lower-than-intended level, but keep in mind that any time not learning is only about as well-spent as time playing video games... it's fun but incredibly addictive and they're already at "Pwn Adventure 3" so there's no end in sight!

[1] http://en.wikipedia.org/w/index.php?title=MDY_Industries,_LL...

You are thinking about only one side of the thing, and not about the more ethical/legal side. For example you could sell your knowledge by helping developers to prevent hacks. Like the Anti-Cheat Toolkit for Unity: https://www.assetstore.unity3d.com/en/#!/content/10395 Sure it doesn't prevent motivated cheaters but it's still has value for the developers. Another useful thing could be to sell online curses about your knowledge.

> You are thinking about only one side of the thing, and not about the more ethical/legal side. For example you could sell your knowledge by helping developers to prevent hacks. Like the Anti-Cheat Toolkit for Unity: https://www.assetstore.unity3d.com/en/#!/content/10395 Sure it doesn't prevent motivated cheaters but it's still has value for the developers.

So in other words I (or the OP) shall sell snake oil to developers? :-(

> Another useful thing could be to sell online c[o]urses about your knowledge.

Even providing real-life examples would probably be of very dubious legality. And building artificial examples would involve building, say, at least half of a game engine - lots of work for artificial, contrived examples. :-(

(Not that I know this particular product, but) it's not necessarily snake-oil, any more than a steering-wheel lock is. Disincentivizing hacking has actual dollars-and-cents ROI for a game company even if hacking isn't completely eliminated. The fewer players left who are interested in spending serious time to break the game, the more resources can be dedicated to finding/stopping each individual one.

> And building artificial examples would involve building, say, at least half of a game engine

You could take an existing FOSS game engine, and alter it to have a particular vulnerability, so as to explain how such a vulnerability would then be found and exploited in the resulting product.

FYI, HN seems to bork that link. Tried replying with the "correct" link and something was reformatted to make it no longer work.

It's stripping the period from the end of the url.

Perhaps the permalink to the current version will work:


Edit: yep works.

Wikipedia will also accept without any parameters so just adding an ampersand to the end should work: http://en.wikipedia.org/w/index.php?title=MDY_Industries,_LL...

It works! Good job, thanks for the info. Updated the parent comment.

Weird... tried everything I could think of to get it to work and also could not fix it.

Reminds me of Code Hero, a game I once worked on -- https://www.kickstarter.com/projects/primerist/code-hero-a-g...

We need more games like this!

I remember playing this at PAX one year, it was a cool concept. Is the project dead now?

Just checked the website, and surprisingly there was an update yesterday. I wouldn't be terribly optimistic, but it's not completely dead.


Kickstarter backer here...and sadly, yes. As far as I can tell anyways. Never received anything that actually worked :(

Well this looks fun. I'd be interested to hear about how they go about sand-boxing the server (perhaps for the previous games so as not to ruin the fun).

There's no sandboxing on the server since all the challenges this year were essentially exploiting the trust relationship between the client and the server (or required reverse engineering that was just hard regardless of where the logic was). We certainly didn't /intend/ for someone to directly exploit the server, though it's always a possibility in these sorts of games. If so, they deserved the points they got (not all the flags were available even if you did hack it as some challenges were outside of the game).

It was also somewhat mitigated by the fact that the game was deployed on AWS instances just for that weekend and it was easy to bring up new instances any time we needed it, so someone cracking the server could certainly cause trouble, but there really wasn't any long-term damage they could do.

Thanks, sounds like it was a lot of fun.

The first challenge makes me think of the first Diablo game, in which all your player stats were hosted locally for online gameplay, so if you edited your files and gave yourself the best weapons locally, you were invinsible (or rather powerful) online as well.

So is it a felony to play this game as intended?


I am NOT a lawyer but: http://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act#Cr...

  1) it's not a government server or data.
  2) pretty sure they've authorized you to access the server.
  3) see 1)
  4) no fraud involved.
  5) playing the game (as intended) is not causing damage.
  6) no commerce involved.
  7) no extortion involved.
So no, I'd hazard that it is not a felony to play this game...

I'm really confused why people bring this up. You're not the only one, so I don't blame you in particular, but it's still strange to me. One of the key elements of CFAA is "without authorization" -- it's literally in the first sentence.

Given that the explicit, stated purpose of these types of challenges (of which there are many, many other examples (https://ctftime.org/)) is to be backed, it'd be pretty weird to think someone could be charged under CFAA for it.

I once "hacked" an online game called bombermine and made myself a god(or at least able to kill anyone) by exploiting a few bugs I found:


Some day i should do a writeup about the man in the middle thing i had to build to make this possible

What you should learn from game programming about security is to:

  Never thrust the client!
I'm baffled that in games like Minecraft, the server sends all blocks to the client, instead of just the blocks that are visible. Or that you can give yourself any weapon and infinite ammo in DayZ. etc ...

To be fair, it's very hard to do, especially in a sandbox game - the computer has not only to have a good model of the world, but also a model of how the client sees the world.

And in Minecraft it's not really a problem, because the game is more cooperative than competitive.

I remember years ago in a multi-player shooting game. I switched clothing index in the client code. So to me the enemies are wearing vivid jungle color while running in snow scenes and bright white color while hiding in jungle scenes. Easy to pick them up at a distance with my machine gun. I was Pulverizer.

This reminds me of the silly tight melee formations in Myth 2 that were necessary to compete online.

Hack'n'Slash goes MMORPG!

Our first previous version of the game (ghostintheshellcode.com/#pwnadventure2) was also a 3d hackable MMORPG and was released earlier than Hack N Slash. So really it was more like PwnAdventure went 2d. ;-)

Anyone played RoboWar for the mac?

Anything comparable out today with a community?

We generally call that cheating, not hacking, but whatever.

True, however: That healing-wine hack isn’t cheating, say Jordan Wiens and Rusty Wagner, the two former Raytheon security researchers who created Pwn Adventure. In this World of Warcraft-style game, hacking the game is the game.

'Cheating' is not playing the game the way your competition regards as fair. It's getting an unfair advantage by using techniques that your opponents wouldn't use.

Consider this: Imagine a fighting game which is unbalanced. 'Unbalanced', here, means that one character is so inherently better that using it is a victory condition in itself; maybe it can spam a really effective move without giving the opponent a chance to retaliate. Whatever the details, the person who chooses that character is guaranteed a victory assuming they play to win.

In that case, the community of people who play that game would effectively ban the character to make the game as it is played more balanced. Anyone who picks that character would be unable to find opponents, and everyone else would restrict themselves to the characters which offer both players a chance to win.

My point is, in that not-entirely-contrived scenario, doing something the game software allows is cheating because it is something the game community has agreed to be cheating. Cheating has little to do with what the un-hacked code allows. In fact, in this case, hacking the code to remove the unbalanced character (or, more likely, to make that character unavailable on the selection screen) would remove a possible cheat, making the hacked version less amenable to cheating.

David Sirlin wrote a book called "Playing To Win" which touches on a lot of what I just talked about. He was actually lead designer of Street Fighter HD Remix, Puzzle Fighter HD Remix, and Kongai:


That's the point of this game (according to the article) - the hack is the game, the cheat is the side effect but it's part of the game - so you have to hack to play the game.

If there was ever a time to not care about words and meanings this is it (or split infinitives). Also, Knuth[0] likes to play this way https://news.ycombinator.com/item?id=7159934 too.

[0] http://www-cs-faculty.stanford.edu/~uno/

It certainly results in cheating, but the process is hacking.

I'd argue it's not actually cheating if the game is meant to be played in such a fashion.

If the goal of the game is to cheat, you're still cheating. It just happens to be the main mechanism of the game.

If you are using the game as it is intended, you are by definition not cheating.

The goal of the game is to 'hack' it to win. There's nothing dishonest about playing the game as intended.

Engineering the cheats and modifying the game client yourself is hacking

To be honest this doesn't seem to be hacking or cheating, as the 'hack' is an intended part of the gameplay.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact