Hacking Games
in a
Hacked Game

rusty-hs.jpg jordan-hs.jpg
wide-black-small.png

BIO

  • CTF junkies
  • Worked for Raytheon SI
  • Quit and founded Vector 35 to do "CTF stuff"

Is this talk for you?

  • Did you play Pwn Adventure 3 during Ghost in the Shellcode this year?
  • Have you ever played a CTF before?
  • Have you heard of CTFs before?
  • Have you played or hacked a video game?

Questions?

Motivation

Game Industry Profits

digicapital.png

Hacking (in?) the Game Industry

  • As old as the game industry itself
  • Led to the rise of the demo scene, cracking, trainers, etc

sanderfocus_animation.gif

Notable Examples

  • BNET.D (interop)
  • Glider (interop)
  • Diablo 3 Auction House (vuln)

blizzard.jpg

Code-Signing

  • Game platforms as early bellwethers

twilight-hack.jpg nintendo-patch.jpg

TAS Total Control

tasvideos.png

TASBot

tasbot.jpg

AGDQ 2015

tasbot-twitch.png

Growth of CTFs

Brief History of CTFs

two-toy-soldiers.jpg

Basics

  • Red Team (Jeopardy Style)
  • Blue Team ("Defensive")
  • Full Spectrum (or Attack/Defense)
  • WarGames

DEF CON

  • One of the earliest (1996)
  • Beginning of "modern" A/D (2004/2005)
  • Kenshoto (2005-2009)
  • DDTEK (2010-2013)
  • LegitBS (2014-Current)

Real World Bugs

phplogo.png

fighting for equality

php.png

example

<?php
    $key = "key{XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX}";
    $pass = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
    if ( strcasecmp( $_GET['pass'], $pass ) == 0 ) {
        echo($key);
    }
?>

$ curl http://target.ip/?pass[]

php-cgi

eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823 eindbazen.png

go go!

Bunyan's Revenge (PlaidCTF 2013)

    case ODOTPTR:
        cgen(nl, res);
+       // explicit check for nil if struct is large enough
+       // that we might derive too big a pointer.
+       if(nl->type->type->width >= unmappedzero) {
+           regalloc(&n1, types[tptr], res);
+           gmove(res, &n1);
+           n1.op = OINDREG;
+           n1.type = types[TUINT8];
+           n1.xoffset = 0;
+           gins(ATESTB, nodintconst(0), &n1);
+           regfree(&n1);
+       }
        if(n->xoffset != 0) {
-           // explicit check for nil if struct is large enough
-           // that we might derive too big a pointer.
-           if(nl->type->type->width >= unmappedzero) {
-               regalloc(&n1, types[tptr], res);
-               gmove(res, &n1);
-               n1.op = OINDREG;
-               n1.type = types[TUINT8];
-               n1.xoffset = 0;
-               gins(ATESTB, nodintconst(0), &n1);
-               regfree(&n1);
-           }
            ginscon(optoas(OADD, types[tptr]), n->xoffset, res);

Pirate Danbi

beist.png

lollerskaters privesc

=============================================================================
FreeBSD-SA-11:05.unix                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Buffer overflow in handling of UNIX socket addresses

Category:       core
Module:         kern
Announced:      2011-09-28
Credits:        Mateusz Guzik
Affects:        All supported versions of FreeBSD.

[...]

II.  Problem Description

When a UNIX-domain socket is attached to a location using the bind(2)
system call, the length of the provided path is not validated.  Later,
when this address was returned via other system calls, it is copied into
a fixed-length buffer.

Linux uses a larger socket address structure for UNIX-domain sockets
than FreeBSD, and the FreeBSD's linux emulation code did not translate
UNIX-domain socket addresses into the correct size of structure.

wireshark 0day

wireshark.jpg

guesspw

  • challenge from codegate CTF
inputfile = realpath(argv[1]);
if (strstr(inputfile,"password") || strstr(inputfile,"flag"))
{
  goto fail;
}
password = read(open("/home/guesspw/password"));
attempt = read(open(inputfile));
if (strcmp(password,attempt)) 
{
  system("/bin/sh");
}

guesspw solutions

  • /dev/fd/3
  • race condition (TOCTTOU)
  • MAXSYMLINKS (SYMLOOP_PMAX)

bound payloads / chflags

Free Tools!

freelabor.jpg

CTF Gaming Challenges

(a most certainly non-exhaustive list)

          ________
         / ____/ /_  ____  ____  ________     __  ______  __  _______
        / /   / __ \/ __ \/ __ \/ ___/ _ \   / / / / __ \/ / / / ___/
       / /___/ / / / /_/ / /_/ (__  )  __/  / /_/ / /_/ / /_/ / /
       \____/_/ /_/\____/\____/____/\___/   \__, /\____/\__,_/_/
    ____                    ___       __   /____/        __
   / __ \_      ______     /   | ____/ /   _____  ____  / /___  __________
  / /_/ / | /| / / __ \   / /| |/ __  / | / / _ \/ __ \/ __/ / / / ___/ _ \
 / ____/| |/ |/ / / / /  / ___ / /_/ /| |/ /  __/ / / / /_/ /_/ / /  /  __/
/_/     |__/|__/_/ /_/  /_/  |_\__,_/ |___/\___/_/ /_/\__/\__,_/_/   \___/

You hold in your hands a map to a vast treasure under the mountain.  Your
desire to be rich far outweighs your desire to cooperate with others, so
you are obviously going on this quest alone, with only your wits and your
awesome hacker magic to aid you.

You start your quest on a road just outside of town.

You feel a strange forboding feeling eminating from the map, like it has
an alien magic all of its own.

What do you do?
1) Follow the road toward the mountain.
2) Turn around and ask the mage in town what is going on.
Choice:

Blocky

blocky-02-overview.png

Blocky

blocky-03-westdetail.png

Escape from Minecraft

logic_overview.png

Plaid CTF v1

worldmap.png

Plaid CTF v2

pctf2013.jpg

Pwn Adventure (2)

Pwn Adventure 3 Demo

Challenges

  • Unbearable Revenge
  • Fire and Ice
  • Overachiever
  • Until the Cows Come Home
  • Pirate's Treasure
  • Blocky's Revenge
  • Egg Hunt

3rd Party Hacks

LD_PRELOAD

Wireshark Dissector

-- gits.lua
-- A wireshark plug-in to reverse engineer PwnAdventure 3 traffic
--
-- http://pwnadventure.com/ for more information.
--
-- [email protected]

gits_proto=Proto("GitS", "Pwn Adventure 3")

function addLocation(tvb, pos, tree)
  local branch

  branch=tree:add(tvb(pos,12), "Location")
  branch:add(tvb(pos,4), "X Coordinates: "..tvb(pos,4):le_uint())
  branch:add(tvb(pos+4,4), "Y Coordinates: "..tvb(pos+4,4):le_uint())
  branch:add(tvb(pos+8,4), "Z Coordinates: "..tvb(pos+8,4):le_uint())
end

PwnAdventure3Hacks Github

overlay.png

Samurai PwnHax.cpp

gist.github.com/dropkickgit/2b65c0ac18506e5c5f0f

#include <Windows.h>
#include <detours.h>
#include <fstream>
#include <cstdio>
#include <cstdlib>

#pragma comment(lib, "detours.lib")

// Classes
class TCPSocket {};
class Player {};
class Actor {};

// Structs
struct Vector3 {
    float x, y, z;
};

// Typedefs
typedef bool(__thiscall *SendFunc)(TCPSocket *, const void*, unsigned int);
typedef bool(__thiscall *RecvFunc)(TCPSocket *, void*, unsigned int);
typedef bool(__thiscall *CanJumpFunc)(Player *);
typedef bool(__thiscall *PlayerChatFunc)(Player *, const char *);
typedef void(__thiscall *PlayerFastTravelFunc)(Player *, const char *, const char *);
typedef void(__thiscall *ActorSetPositionFunc)(Actor *, Vector3 *);

// Globals
SendFunc RealSend;
RecvFunc RealRecv;
CanJumpFunc RealCanJump;
PlayerChatFunc RealChat;
PlayerFastTravelFunc PlayerFastTravel;
ActorSetPositionFunc ActorSetPosition;
Player *playerObj = 0;
TCPSocket *clientSock = 0;
std::ofstream DbgLogger;

Unintended Bugs

OmniTheft

Bearly Assasinated

Flying Bodies

Eggcellent Solution

Cheat Engine

Spelunking

Useful CTF Tools

More CTF Resources

Meta

Thanks to:
Dragon Sector Escape from Minecraft Writeup used with Permission:
    http://blog.dragonsector.pl/2014/02/ph4quals-escape-from-minecraft.html
Made with:
Spacemacs: https://github.com/syl20bnr/spacemacs
Org-Reveal: Export from org-mode straight to reveal.js html5 presentations:
    https://github.com/yjwen/org-reveal
Using images from:
Free Labor Image: https://www.flickr.com/photos/donkeyhotey/5501554002 (CC BY)
Toy Soldiers: http://www.flickr.com/photos/janramroth/2264184078/ (CC BY)
Any Bonds Today: http://en.wikipedia.org/wiki/Any_Bonds_Today (PD)
It's Got Me Again: http://en.wikipedia.org/wiki/It%27s_Got_Me_Again! (PD)
Confused: https:[email protected]/7658225516 (CC BY-SA)
Bugs: https://www.flickr.com/photos/jurvetson/3097134746/ (CC BY)
Thief: https://www.flickr.com/photos/fhke/3335949405 (CC BY-SA)
Golden Gun: https://www.flickr.com/photos/mrgarethm/14592496766 (CC BY)
Flying: https://www.flickr.com/photos/scion02b/2765655302/ (CC BY)
Eggs: https://www.flickr.com/photos/erix/131405474/ (CC BY)
Engine: https://www.flickr.com/photos/michchap/14607705463/ (CC BY)
Cave: https://www.flickr.com/photos/watchsmart/2059057874 (CC BY)
Bees: http://wikimedia.org/wiki/File:-_Bee_swarm_on_a_bicycle_(1-5)_-.jpg
  (CC BY-SA)

Random 1

Random 2

Random 3