Monday, May 11, 2009

MMO Security

One of the hot WAR topics recently is a certain program that allows cheating. I will not be giving it free advertising, so lets call it Program X. Using Program X, a player can do funky things like fly around, teleport and other such things. Cheating programs are nothing new to MMO's, but this is the first big one for Warhammer.

Disclaimer: I have not inspected Program X, as I don't want it on my system at all. However, I do have experience with software protection.

Right now a whole lot of people are clamoring for Mythic to fix it, as they should be doing. Because Mythic won't discuss it (I wouldn't if I were them), maybe I can shed some light on what is going on.

The first step would be to reverse engineer Program X and figure out exactly what it is doing. This is not very difficult, but it will be time consuming. It is easy to spend weeks on this task, especially if the author included obfuscation. Mythic probably doesn't keep this expertise on hand, so someone either has to learn it or they have to bring in a consultant.

Program X is likely reading and writing to the WAR client's memory. This is a common thing to do for any malicious program and not limited to game security. The author had to do a bunch of reverse engineering of his own (which is against the EULA and possibly DMCA) to figure out where to make adjustments.

Once he has the locations, he can change the memory (RAM) as the game runs. Many MMO's do a lot of boundary checking in the client. By altering memory, those checks can be bypassed. Most of Program X's features are movement bugs, which involves boundary checking.

That is pretty much the How and why of Program X. Now for the fun part, how do you 'fix' this? Sadly, it is not easy. There are several possible methods.

Move checks to the server. Counting on the security of the client is a losing proposition. A malicious user will be able to bypass nearly everything on the client given enough time. Boundary checks could be moved to the server side. However, this comes at a rather large performance cost.

Encryption and Checksums. Using cryptography, you can encrypt or take checksums of memory to verify they have not been altered. This comes with a performance cost. Also, it is likely to be bypassed given enough time and effort.

Drivers. Operating System drivers operate at a higher level than programs and can be used to protect them. You are probably familiar with DRM's use. No one likes drivers added to their system. They can cause all sorts of stability issues. They are also not foolproof either.

Blizzard's Method. WoW battles with this problem all the time. Part of their solution is the Warden. Basically, the Warden will watch every process on your system looking for bad things. Does it have any business looking at what else you are running? That is something for you to decide. However, this system is not foolproof either.

PunkBuster. See Warden.

Sadly, this is a never ending battle for MMO's. Once Program X no longer works, its author will update it so it does, and the cycle begins again.

Hopefully this article has shed some light into the issues that Mythic (and other companies) is likely dealing with.


Funny, I thought we already had Punkbuster for this sort of thing... Could that be why the game runs so terribad? If PB is running, it isn't doing a very good job if a hack like Program X can break it.

I'm not sure how much of PB is running with WAR. Think of it like an Anti-Virus/Anti-Spyware tool. It can stop a lot of things, but the malicious writers find ways to bypass detection.

Nice overview Werit! Now, I'm no expert but I believe I read somewhere that PB has both server-based and client-based modules, so WAR might only have a partial implementation.

Since PB is a third-party provided solution, I'd guess there are lengthy discussions between Mythic and Even Balance regarding "contractual obligations" and the length of time various exploits are "in the wild".

That program has KEYLOGGER written all over it. At least that is what I think it really is. Offer people unbelievable things, make a movie to make it convincing, and bingo bango bongo you just got 10k idiots usernames and passwords. Maybe it is just a hack, but I wouldn't even come close to visiting the website if it was me. Even talking about it makes me want to run my virus scan.

Post a Comment