
SpeedRunners: The Hackers of the Gaming World - Nunudzai Mrewa

BSides Cape Town · 32:14 · 191 views · Published 2025-04
About this talk
Speedrunning, the art of completing games with incredible speed, has evolved into more than a gaming feat—it's a showcase of ingenuity, creativity, and technical prowess. This talk delves into the fascinating world of speedrunners, drawing parallels between their methodologies and those of cybersecurity professionals, while highlighting the significant impact on game development and software security.

In this talk, we'll dive into the fascinating world of speedrunners and uncover the parallels between their methodologies and the techniques used by cybersecurity professionals. We'll explore how speedrunners discover and exploit glitches in games through a combination of accident, experimentation, and deep code analysis - skills that mirror the vulnerability hunting process in software security. By understanding the speedrunner's approach, we'll gain insights into the creative, persistent, and collaborative nature of finding and leveraging system vulnerabilities. This talk will not only fascinate gaming enthusiasts, but also illuminate the mindset of those who push the boundaries of what's possible in both the virtual and digital realms.

About the speaker: Nunudzai Mrewa

Cybersecurity professional with a knack for securing systems—and breaking them (ethically, of course). Python’s my sidekick for scripting, hacking, and the occasional fun experiment. I'm also a community organizer and public speaker.

Thanks to our AV sponsor Tenable for making these recordings possible.

Perfect. Okay. So, any gamers in the audience? Any gamers? Okay. Good number. So, how about any speedrunners? Speedrunners. Okay. So, like Oh. Oh, here we Okay, that's cool. So, like if you're a gamer, it means you play games regularly, right? And you for the most part you enjoy them, right? So, when it comes to speedrunning, these are people who play games, right? but with the goal of completing a game as fast as possible, right? And they use various techniques and various, you know, tools and all. And we can learn a lot from these speedrunners, right? Because these guys are the hackers of the gaming world. They use certain techniques that us within cyber security, within like

the space of game development or software testing, we can learn from them and make our software better. So prepare to be amazed. So speedrunners, the hackers of the gaming world. My name is Nunudzai Mrewa. And if you can't pronounce my first name, please just call me Noo-Noo. So I'm a cyber security professional. So it's a fancy way of saying I'm into cyber security and I do pentesting. Yeah. For now. So I'm more on the gray hat side where I'm trying to think of you know ways of um trying to push cyber in the main a or like in the in the public space for more policies and so on. So I am also a community

organizer. I just love to give back to the community. So I'm from Zim. So like I organized PyCon Zim and I and next year I'll be doing more of like organizing meetups and just trying to empower the youths, right? and just spread if it's technology or just spread knowledge and I love playing games for the most part unless I lose then man playing games is not enjoyable so speedrunning is the art of completing video games as quickly as possible right so it it means that if you're going to complete a game as fast as possible you need different types of techniques different types of tools right for you to expedite gameplay and depending on the game

you're saying there are different types of speedruns, right? And for you to do well, you need to master the game. You need to know it. You need to know the game better than the back of your hand, right? You need to know every exploit, every small um um what you call every small sequence, right? So, it means everything you do in the game has to be perfect. It has to be perfect. So, depending on the game you're playing, you can speedrun based on a certain character, right? So maybe if it's speedrunning Mario using Luigi, right? Or speedrunning Mario using Mario, right? Then for you to complete a game as fast as possible, it depends if

you're going to complete the whole game because games have the main quest and then there are like some collectibles you can um also complete and also side quests. So if you're going to complete 100% of the game, it means you're going to do everything right for you to complete 100% of the entire game. Then there's any percentage run, which means you're going from start to the finish. Then there's the low percentage game, but this really depends on the type of game you're playing because some games say, "Okay, you need to speedrun it using a certain um weapon, right? Or using a certain path or a certain route." Now, my focus area would be will be on

platformer games. So, if it's a platformer game, think of something like Mario, right? Then if it's a dungeon crawler game, think of something like Hades where you're in a dungeon and you fight enemies and the enemies drop loot or or they drop something that can um help your character short term, long term. Then open world games like GTA. So, an open world game is something that's nonlinear. So, in a sense that if if it's a game like Mario, the start, right? You start at one point and you reach the end. But if it's a game like um GTA, yes, there's a start and finish, but you can start one quest, you can leave that quest, you can go to another

one, so you can branch out. So it's not as linear, right? And it's more open to the options. So what makes a speedrun successful? I did my research. So number one, you need to understand the game mechanics. So in games, we have what's known as character abilities. Does your character have a special move? Does your character have a different types of attacks? A light attack, a heavy attack? If an attack is fast, if it's slow, can your character dash? So, you need to understand your character abilities very well, right? As well as the physics engine. So, in life, you have physics, which means if I throw something up, it should come down. And in games is the

same way. So, I I noticed that when I'm playing online games, I like to use the smaller characters. So in most cases, the female characters are the smaller ones right? So why if I'm trying to aim or shoot an object and the object is is this big, it means they have to move out of the way a lot more. But if the object is this small means, you know, you can dodge attacks and you're more agile, right? And this is especially effective when you're trying to clear a jump or some certain obstacle, right? Which means you need less momentum because you weigh less, right? Simple physics. Now, in every game, there's one thing that stands in your

way, the enemy. Right? So, it depends with the type of game, but there's always an enemy you have to defeat, right? So, some speedrunners say, "Look, defeating this enemy takes too long. I'll avoid combat altogether." Which means that 5 minutes is completely avoided and you move on to the next phase, right? Or if your character is overpowered right? where the five minute battle could be just one minute or less. Right? Then another thing that's important is you should be able to predict the enemy attack patterns. So imagine you um you're low on health, you have one HP left, and you beat the boss, but only to find out that the boss has a second phase, right? So in the second

phase, it means that they're dealing more damage, they are taking less damage, and they're moving faster. So imagine my shock after all that effort, and I'm realizing the music just became more intense, and the fighting just started again. The enemy has a bigger health bar, right? So of course, the first time it hurts. So just imagine my face, then my horror right there. So the first time, yes, it it hurts. It's painful, but it's a learning experience. Then any game you play has a level. They have level layouts. There could be powerups, right? There could be things you can collect, right? So, in in some games, they use what's known as an RNG, random number generator, right? And

these they calculate how often to give you certain powerups. So, there's some abilities that are more common. Some are rare, some are ultra rare, and so on. So, if you could manipulate the game or time it well, you can say, "Okay, I'll move from this level. I'll get this power up. It can help me in the future." Right? Then, if your game has a shortcut, definitely use it. Then, if your game has a segment that's hard, always have a save file for you to go back to it and practice. So, that's enough of theory. So, I took all this and I said, you know what? Let me speedrun Hades. So Hades is a 2020 dungeon crawler, right? So it was

developed by Supergiant Games. So initially my run was 45 minutes. Then I cut the time down to 25 minutes. And what's the first thing you do when you achieve something? That's right. You show off. So just for, you know, bragging sake, here's the proof, right? So, of course, it says attempt number 51, but it's a new save file. So, I think I tried maybe 150 more times or maybe 200 just to, you know, achieve this, right? So, time for showing off, right? So, I I searched for a site where, you know, speedrunners post information and where they collect data. So, I said, "Hey, speedrun.com is the best place, right?" Cuz imagine they have 3.7 million runs,

34,000 games, and 1.5 million users. So if I'm going to show off, I'm going to show off to millions of people. So surprisingly, the top 500 people under 10 minutes. The next 500 people were under 20 minutes. So if I added my performance, I'd be in 1,876th place, which is a fancy way of saying second from last. At least I'm not last, right? Yeah. But yeah, this was uh this really humbled me. This really humbled me. So then I I asked myself, what's missing? So I attempted speedrunning without seeing what other people are doing because on the website there's a section for guides, for resources, for forums, right? And in the guide, it's a 20-page document saying,

"Okay, if you use this weapon, if you if you have certain abilities, you collect your your enemy, well, your character will be a lot stronger, right?" They had documentation for how to speedrun a game. Like, do you know how crazy that is, right? I know like there's documentation for code, but for a game, right? And there even resources to say, "Hey, if you want to trigger a bug or a glitch, do this." Right? So, I was amazed. Like honestly, I was amazed because the community itself, the speedrunning community thrives on knowledge sharing, right? Which is something I I never did. I never pursued the knowledge and I went in blind. And it's a lot similar to how some of us be

in cyber security or when you're taking on a new challenge, we always go in blind, right? and you don't realize hey there's a community of people who've gone before and who who've done these things and who we can ask who say hey I want to do this but I'm not sure right what are some of the common mistakes we make right how can I not make the same mistakes you did right so the speedrunning um community has like events and and competitions similar to how us in security or infosec we have CTFs and they have writeups right we have writeups we walkthroughs in the speedrunning community, they have videos, right? And in the video, they

show you what buttons were pressed, right? So, if you're playing a game like um Elden Ring or a game in the Souls series where you know that if your enemy hits you twice, you're dead, right? So, if you watch how other people play the game, you can learn, right? Maybe to you it's a nightmare, but if you can consult a knowledge base with research, you can go further. and you can go for it as well as watching live streams and joining you know these online communities. So there was a missing ingredient and a lot of um speedrunners they use what's known as a glitch right or a bug. So for the context of my presentation I'll be

using those two words interchangeably. So in this case it refers to an unintended behavior within a game's code. So speedrunning. So for our context, unintended behavior within a game, right? So as a hacker, you want to exploit a vulnerability. You want to exploit a a weak point, right, in in software, right? But as a speedrunner, you also want to exploit something, but it's more a glitch or a bug. So I find these parallels really interesting, right? So for example, there's what's known as sequence breaking. So, usually in a game early on, right, you need to fight, fight, fight. Then you beat a certain boss. The boss drops loot, they drop a weapon to make you stronger,

right? But if you can break that sequence, you can get the weapon or the power up faster, which means your character is stronger at an earlier time and you can move even faster, right? Then for Super Mario, like the really old Super Mario games, these games have um bugs where remember there's a physics engine, right? So in the physics engine, there are rules of momentum, of gravity, right? But there's what's known as a backwards long jump because there was a bug where if you if you're going to jump backwards, there was no like limit, right? There's no speed limit when you jump backwards, which is like a crazy oversight, right, in a game. So on YouTube they're like

crazy videos of people going up a flight of stairs in 1 second by just using a backwards long jump. It looks really weird, you know, because the animation isn't made for you to do that and move fast backwards, but it works, right? So as well as the back hopping technique, it uses the same exploit or or the same bug, right? So what are some of the lessons we can learn from the speedrunning community right? So for this one, right, I have this idea, right, that if you make a game, you work for a game studio, they pour millions of dollars, right, into making the game, right, into testing, they do internal testing, then when it's released to the public, speedrunners

find bugs, right? So why don't we do a paradigm shift within our own industries that look when we are testing software from you know our own companies. Let's look for bugs. Cuz yes, for us, we're used to looking for vulnerabilities, but what if we look for those movements or the unintended behaviors within applications, right? The ones that are not as uh sought after, the ones that won't have as much um you know budget for, and let's see how an attacker can exploit those. So in this context, I'm thinking more of vulnerability disclosure programs or bug bounty where you say, "Hey guys, look, here's the low tier, high tier and and so on." But if you can

find a bug and turn it into a devastating exploit, we'll reward you, right? Because if I'm a hacker, I'll go for the easiest path. Then if I see like, oh, there's this bug, I'll say, how am I going to use this bug to make a critical exploit? Right? So that's one um idea I have. Then another one is that most of these bugs they happen because of the game mechanics cuz games have multiple elements, right? There's the physics engine, you know, there's the story, there's the audio, it's basically so much code, right? And the code has to work, right? This function calls this function. So what if we also had bug bounty for certain game mechanics,

right? For for certain areas in the game. That way if we can understand bugs in games because games are just software, we can transfer those skills to other areas. It be software testing or devs, right? And of course we we need to give a special reward of turning a bug into a devastating attack. So bugs can be framed. Okay, it depends where. But when there's a bug, we always frame it differently, right? Of course, it's a feature in this case, but depending who you are and the line of work you're in, the bug can be framed differently. So, imagine finding a data corruption bug in a game or an arbitrary code execution in a game, right? Imagine if

you could run code, any type of code you want in someone else's game or you could manipulate memory through a game. So this tells me that if I can manipulate a game, right, I can launch attacks through games, right? Because if you see arbitrary code execution, right, this means this is uh very deadly, right? in terms of um how critical it is and there are examples of how bugs affected other systems right so the the onboard oxygen um system so basically in jets right when you go at a certain speed and at a certain altitude the air is thin which means you need a constant supply of oxygen can't be too little can't be too much be just Right.

So, this bug um wasn't calibrated enough to give the constant supply of oxygen. So, some pilots they felt lightheaded because of too little oxygen. Some pilots just felt weird or sick because of too much oxygen, right? And and then um the CrowdStrike bug, right? Of course, flights were cancelled and like businesses couldn't operate, but bugs can affect us in um various industries, right? Some are more life-threatening and some are just more light-hearted where like, oh, I can, you know, eavesdrop on you and so on. But you see how bugs it can affect our systems or our applications or anything with code can be affected in various ways. So it's now up to us to say hey if the traditional

model of security focuses heavily on identifying and patching vulnerabilities then there's a compelling case to shift that towards glitch hunting. Right? So, as I mentioned, games can become an avenue for attack, right? So, actually this year, I think in November, right, there was a malicious mod for the game Cities: Skylines 2. So, a mod mod just stands for modification. So, it's external from the main game. So, a mod can be like more for your quests, more for um your texture, right? So a mod just adds a certain feature to your um game. So the game developers and the and the modding community are independent. So a mod can have access to the source code and add

features in the game. Right? So the modding community and the the developers, they have an unspoken rule that yes, of course, we give you permission and we trust you, but in some cases, trust is all you need to fool someone, right? Because imagine if a malicious mod is put in a game, right? It can execute code. So it depends with uh how malicious the attacker is. So for Dota 2, the malicious actor, they added code to go to that person's GitHub account. So for you, you're like, okay, my game is just doing its regular update, but then there's a backdoor that's that's going to execute code or run some specific commands. Then imagine you're at some tournament,

right? and you're the top, you know, you have sponsors there, people are supporting you, and then the game is hacked, right? And the tournament is moved and is shifted. This was the case for the Apex Legends tournament. So, in a statement, the person was asked, "Why did you hack the game?" And they said, "Oh, it's for fun and the game is vulnerable. The g the the devs need to fix it." Right? So if it's a tournament world stage, right, the top of the top, then your reputational damage is just intense, right? Because so many sponsors, so many people are watching. So when it comes to how bugs can affect you, fixing the reputational damage is a

lot more difficult because once I lose trust in you, you can't just give me like a patch to say, "Oh, no, it's fine. I'll just put a little bandage." You know, it's more long-lasting and long term. And when it comes to that, it means it's more it's it's harder to forget, right? So if speedrunners can find games and software, it tells me that we need to test software or we need to make better software, right? So we need to do the same thing that speedrunners do. We need to pressure test our games, right? We need to have that bug hunting mindset. So there's this bot known as task or TASBot. It's a typo, taskbot. So essentially TASBot

works by emulating how you and I play games and going faster faster and faster to try and emulate what's not possible by a human being. So the creator of TASBot made this because he said, "Hey, these speedrunning records aren't real, right? These people were cheating, right?" So by doing that of course he did uh catch the people who were using tools to you make their character faster than what's humanly possible. But in our software let's have some way of doing a a test right and and also include speedrunners right. We need people who can who can put our software to the test, right? We need new approaches that can give us new insights onto why a game

would have bugs whilst it's released to the public. And of course, the most obvious is don't rush, right? If you're going to if you're going to make something, don't rush. So there's this game called Myth. So it was myth one. So it was a first person shooter and at the time it was quite new. So it was loved, you know, by the gamers and so on. So the devs said, "Hey, let's release a sequel." And they rushed the sequel because the goal was to capitalize on the success of the previous game, right? So yeah, game is released and the game is doing well, but when a user would uninstall the game, it would wipe their

hard drive clean. And that's something that malware does. Like you the most devastating malware will wipe your drive. So imagine like it's just your computer or a company machine, then it turns into a brick, right? Crazy. Crazy. But like these are some examples that remind us that let's not rush. if you're making software. Let's make sure it's up to standard. So, actually, um, there's a game I play, it's called Skyrim, right? So, Skyrim is known as one of the buggiest games out there. And, and the gaming studio is known for making buggy games right? So, one thing I would do is that I would go into an an online space and ask a random person, hey, my game is not

working. It's crashing. And, you know, they'll say, hey, you know what? Do this and do this. And I realize that I trust a random person on Reddit than the devs, right? And it's it's weird, you know, if I say it out loud, but we need to have a system whereby when our applications or when things don't work, of course, yes, our users should trust us as well as we need to we need to engage the community and have community-driven solutions because let's not let users trust some random person on the internet for financial advice, right? Let's have our communities and let's be more thorough, right, when we're helping out our users. So there's some research by the

University of Bristol. So they say if you can understand buggy games, you can you can understand buggy software in general, right? So it looks like there's some transferable skills now. Are there any World of Warcraft players? Okay. Have you heard of the corrupted blood incident? Yeah.

Okay. So, imagine um you're playing a game, right? And then you activate a debuff, right? So, a debuff is something temporary, right? So it could be like slower health regeneration, slower movement speed for your your enemy, right? So what would happen if this debuff spread to your own character and to other characters within the game? Sound familiar? What would happen if this debuff spread from city to city? Sound familiar? What would happen if this debuff only wore off when your character died? Some players heard about this and they said, "You know what? I'm not going anywhere. I'm staying in my house. I'm not going outside." Some people said, "Hey, you know what? I I

heard about how it's spreading. It's spreading from this person. It's the endgame characters who are spreading it." Sound familiar? Some people said, "You know what? I don't care. I'm going to spread it to everyone." Right? So other players said, "Look, I'm going to heal you. Even though it's not going to work, they said, "Look, I'm going to heal you. I'm going to help you." Right? So this mirrored the real world, how when there's a pandemic, right, there's panic and there's chaos, right? How there's altruism and heroism, and how there's community communication and community response. So I realized that because there's something at stake here. There's your character, you know, there's your progress. There's so much

you've done in the game. There's something at stake. And a lot of people or players in this case said, "I don't want to lose them." Right? So for us, we learned that this uh incident could um predict how we will react do react to any pandemics. But then I had another idea. Imagine if we could use a virtualized environment to better understand how malware, you know, spreads, right? Where we have real systems where we simulate our real systems and say, "Hey, let's launch the most devastating malware, right? And let's see how our users will react. Let's see how our system will react. Let's do some tabletop exercises. Let's test our red teamers. Let's test our let's test our policies as well to

see what happens, right? Because if we if we can take a virtual event so seriously, it means that hey, we can use virtualized environments to map out how people react and so on. So let's use that in the context of cyber security especially where you hear research about you know phishing training does it work or like uh it's it's not effective enough. So for this it's a very fine line because there's a lot of research on both sides that says it works so well and then you hear research that says it doesn't work at all. So I was thinking if we could uh take our employees and put them in a virtual environment where there are

stakes and say hey let's do a phishing attack let's test how they react then we can see real insights real reactions and real data from these people so speedrunners gamers they can teach us a lot about not just how to speedrun games but just lessons that transcend the gaming industry. So we need to take these lessons and say hey how can apply how can I apply this into my industry into my world or into my life. So with that I leave you guys with a question. What do you speedrun? What do you hack? Not in the malicious sense of course. And what do you break? If you're going to speedrun anything, speedrun towards greatness. If

you're going to hack anything, hack your potential. And if you're going to break anything, break the rules and forge a path ahead. Thank you. [Applause] Questions? Does anybody have questions or comments? Yes. Yeah.

Mhm.

how much

[Music] um at the moment I'm not too sure on that on how far is it but I know like a lot of speedrunning communities or speedrunners they frown upon people who use these tool-assisted runs cuz they are not real speedrunners, right? They aren't really doing it for real, right? But I'm I'm not too sure on how far on the scope, but I'll just have to do some research and get back to you. Any other questions?

All right. Thank you. [Applause]
