How to find exploits in video games

(shalzuth.com)

186 points | by shalzuth 7 days ago ago

36 comments

  • shalzuth 7 days ago

    I wrote a short blog post about my thought process on how I reverse engineer video games and build tools that enable me to do security testing on them. It’s a bit brief on purpose, as reading the code is expected. Let me know your thoughts and what would make it better.

    • Joel_Mckay 3 days ago

      "build tools that enable me to do security testing on them"

      I gather you write cheat exploits... and if public... eventually the players account/GPU/IMEI risks getting permanently banned/flagged.

      It is always easier to break something, than to build something stable. People may focus resources on better content, game-play, and performance. Or play wack-a-mole with hostile Desktop/Mobile users...

      Thus, some folks won't ever patch exploits... just shadow-ban the users running them...

      Have a nice day =3

      • njbooher 3 days ago

        As someone who does security testing for video game service backends, I benefit significantly from all the reverse engineering and tools the hobbyists and cheaters build, and always enjoy reading more stuff.

      • johnisgood 3 days ago

        Yeah and you end up with one of the worst client-server architectures that RDR2 has.

        • Joel_Mckay 3 days ago

          "client-server architectures"

          Actually, public-key-signed object-p2p exchange systems allow for all sorts of fun. Even if people fiddle with the state exchange, the time+last_event indices can flag lag switchers, and signature audits detect memory patchers...

          My point was, one doesn't need to lock the door if you own a alligator farm. =3

    • shipscode 3 days ago

      Thanks for the write up! This is really interesting and a great piece of knowledge to have out there. Funnily it similar to mobile app reverse engineering workflows.

    • Levitating 3 days ago

      I love the briefness of your post. Your code and method are clearly conveyed.

    • caporaltito 3 days ago

      Very interesting

  • malkia 3 days ago

    I had a wonderful app MS-DOS resident (TSR) on my PC that when pressing a key would do a snapshot of the whole memory (or specific area) to disk, to a file. So if you play a game, and lose a live, or HP points, you keep on pressing this, and then there were tools to do the diff.

    There was one game that was storing the lifes as actual text - Ninja or something....

    So last year my son was hacking some games, and nowadays there is a similar tool too - also based on diffs - though with me back then it was only 640KB, and nowadays we are looking towards 8-16GB if not more!

    Somehow this technique still works for some games, but with way more gotchas...

    • memesarecool 3 days ago

      CheatEngine (80mb) is very widely used nowadays and does memory dumps and comparisons. A very useful tool not only for game reverse engineering.

      • maeil 3 days ago

        That's a broad use of "nowadays", haha. Following step-by-step Cheat Engine tutorials to use game hacks (MapleStory and Gunbound) was my first brush with coding/system internals when I was a child. This must have been around 2006 and it was already the most popular tool back then, though I remember there were loads of forks to bypass what must have been primitive anticheat systems that scanned for whether Cheat Engine was running.

    • pajko 3 days ago

      Used to do this in my childhood with save files. Save the game in Alone in the Dark, shoot the shotgun, save, shoot again, save, then proceed to look for the differences.

      • samwhiteUK 3 days ago

        I remember using CWCheat on PSP in the WWE games to create my own custom modes, adding ladders to Royal Rumble etc. Great fun

  • nottorp 3 days ago

    > The game monetizes through pay-to-win microtransactions

    IAP fests are not games. Let's start using "gacha" or something for them.

    • krageon 3 days ago

      Addiction-based exploitation. Perhaps the word "garbage" applies well to it. Or in a good reality, "criminal".

  • codiumm 3 days ago

    >but since the game is built on Unity, it was relatively easy to bypass these restrictions and enable system proxies. There are many others that do il2cpp mod tutorials, and I recommend those, with the key part being hooking HttpClientHandler.SendAsync.

    I could only find il2cpp tutorials that I could not get them to work. What is the non-il2cpp way? This should be a separate post and a new submission to HN.

    Which il2cpp tutorial works?

  • 3abiton 3 days ago

    It's really interesting to see people enjoying/more interested in breaking a game vs playing the game.

    • lunchmeat317 3 days ago

      You should check out Tool-Assisted Speedruns om tasvideos.org, then. They use some of these techniques to do RNG manipulation, among other things, to improve game times.

  • dvh 3 days ago

    From the end user perspective "let's game it out" is a must see YouTube channel.

  • joshua_delgad0 3 days ago

    [flagged]

    • alphan0n 3 days ago

      In most cases, in the US, reverse engineering is not illegal.

      • joshua_delgad0 3 days ago

        [flagged]

        • shipscode 3 days ago

          Terms of service breaches are not typically a criminal manner in the USA. Perhaps it could be a civil matter if you create financial damages. Even in that area, the cases are usually decided in the courts on a case-by-case basis.

          Generally, code is free speech, and the right to free speech protects this in America.

        • alphan0n 3 days ago

          Are you under the belief that terms of service can dictate or supersede US law? Thankfully that is not the case.

    • brokenmachine 3 days ago

      My PC my choice.

      • Der_Einzige 3 days ago

        Microsoft violated the NAP by forcing me to update and greying out the "remind me later" button.

        • johnisgood 3 days ago

          You are free to not use their products, however.

    • 3 days ago
      [deleted]
    • 123yawaworht456 3 days ago

      why are you larping a lawyer, bro

      • joshua_delgad0 3 days ago

        [flagged]

        • sourcepluck 3 days ago

          In the third sentece of the piece, it says:

          > "This exploration is purely for educational purposes."

        • 123yawaworht456 3 days ago

          for the hell of it?

          and even if it was unethical, unethical !== illegal.

  • dmafreezone 3 days ago

    [flagged]

    • Loocid 3 days ago

      This is overly defensive. They never said that Unity was the only engine that exposes intermediate code, just that it was an attack vector because the game was built with Unity. It's a perfectly valid thing to point out. You didn't come to the defence of Lua just because they decompiled some Lua scripts.

    • mbowcut2 3 days ago

      Brand new account + strange overreaction = maybe bot?

      • dmafreezone 10 hours ago

        I make a new account any time my karma gets too high. I’d rather not be a sheep, thank you.