
As much as I like to rave on for about an hour or two, I don't think I really want to do that, so I'm going to be giving a talk today that's... well, it changed over the course of making it. Originally this was going to be really heavily focused on behavioral security, and I was going to get real into the nitty-gritty of this, and there's a lot of lovely theory about a lot of the things to do with this, but unfortunately part of that was, well, I want an example for all these bits of theory, and I chose my favorite video game, Arma 3, and then I started finding exploits in it, and then I kind of started steering the talk to something a little bit more fun.

So someone was kind enough to tell me that I probably should actually tell you folks where I'm going with this; you don't want to waste your time. So first off, I'm going to give way too many disclaimers. There's really going to be way too many. I will get through them as fast as I can, but it's going to be what it is. Broader context: what I wanted to originally frame the talk as, and basically the kind of idea, the framing, the way you can look at this and hopefully gather something useful out of it. Don't get me wrong, a lot of you in this room may not learn something new, but at least you'll be entertained. I'm going to teach you a little bit about Arma so you can at least understand what I'm going to be talking about. I understand this is not a familiar game to the majority of the people in the room, so that is quite all right. I'm also going to be bringing back some exploits that far predate me, which is amazing; they're still around, they still work. And of course I'm going to be looking towards the future a little bit, and this is going to get back out into that broader context of the things that people don't think about that ruin everything, and then why, all the way back out.
This is how you know there's good build quality in Macs. So, disclaimers round zero: there's going to be a lot of rabbit trails on this. I will not follow all of them all the way down. There's going to be a lot of unappreciated and kind of clever ideas, and I will get a little bit into them, but not very far. It's kind of what it is. There's also going to be a lot of really niche considerations that I'm going to have to explain, which is why there's a ton of rabbit trails; I wish I could do without them. More importantly, though, there's going to be a lot of really grand and interesting concepts that I do not have the time nor the capacity to dignify and explain with any amount, so they're going to get cut short.

And there's another disclaimer: all of the opinions and statements made in this presentation are mine, not Cisco's. Cisco did not pay me specifically to pursue this research, especially what's directly in this presentation, and the assumption that a corporation would directly bring engineers in to go do things and hack things that are not directly in their financial interest is kind of ridiculous. Isn't that right, Talos folks? Stay awesome. There's always going to be guns and violence; I keep it as minimal as I can, but if I'm going to show you what it actually does in game, it's gonna have to happen up here. This is not to encourage cheating; please, you're shooting yourself in the foot both literally and figuratively. You play video games for fun, so as soon as you stop making it fun it stops being fun; you ruin it. No pubs were harmed in the making of this. I worked with some folks within my organization, Black Widow Company, to keep this stuff in house for what we needed to actually test, and the rest of it was done entirely on a dirty net. Not everything in here is a complete PoC; I'm sure Travis Goodspeed would probably hit me over the head with a journal if he was here, but he's not. Other things: I am not on the dev team. I cannot give you perfect information. A lot of the stuff I have is based on public accounts, public record, things the devs have said.

So I guess you're probably wondering at this point why I'm even qualified to talk on this. So that's where my life went. I wish that number was still accurate. For those of you who don't want to do the math, I've been working at Cisco for a little under a year, and I've been playing this game for a little over a year in 40-hour work weeks. No, not all at once; I've been playing for about six years.

But let's get back in the broader context. What did I really want to give you this talk about? This is where we get into those grand and interesting concepts. Hats off to Thomas Dullien. Now, some of you who are remotely familiar with the paper that this comes from are probably already looking at me like, "Travis, non-finite state automata, tell me more." We're not going to go there, period. The point you really need to understand is that if something is complex enough that a single human being cannot understand all the inner workings of it, guaranteed no one understands the inner workings of it. That's how the facts rolled out. And even worse, as soon as you start getting more complex, the boundary... and this is a really good quote, because this quote is directly true in my opinion: as soon as you get beyond a certain boundary it is exploitable, and people do not appreciate where that boundary is. It is very low.

Now there's the other part of this, which is behavioral, and this thing I'm not going to be able to give you answers for; I don't think anybody can give you answers for it. It's: how do we take code that we want to do... not even the requirements, I'm not even talking about the checkboxes, I'm talking about what is this thing and what do we want it to do, and when we're done writing it, how do we avoid getting it to end up like a tomato with edge detect? It is not a thing that is solvable. I do not believe it ever can be solved, and frankly, you tell me a better word than "behavior" for what this is. This isn't just about what it can do; it's about what it ends up doing.

So part of this, and part of the reason why I go down this, is the best way to look at this is an industry that cares more about behavior. Now, I gave this talk just a little while ago, Cisco internal, and really the core of it was: hey, even Cisco doesn't care about behavior that much. We don't believe in behavior anywhere near as much as some of the other industries do. Video games are great: the entire gaming industry is behavior. As soon as you get something that does not behave like it's supposed to, the game is ruined. The entire core product is a behavioral artifact, so to speak, and it's 26.7 billion dollars in just the multiplayer market of that, and that's ballpark at best; that's outdated. So just because they have something that's necessarily different than yours doesn't mean that they don't care about the same things. They have basically the same amount of threat actors; they basically have the threat actors going after the same things, which is disruption, causing money, producing money in any way possible (you exploit it, you sell the exploits, you get money), and the always-third, for the lulz, the kind of underappreciated one, which is really unfortunate.
So part of this: I do have to actually give you guys a proper disclosure about how far down the rabbit hole I'm going here. Let's say this is the entire video game market. I know, it's a lovely graphic. We're talking about a PC-only game, which is admittedly a large part of the market, and this is probably not proper market share; most of this is probably mobile. But this is a military game, this is a sandbox simulator that's pretty large, and it is full scale and incredibly slow paced, so this is really kind of a small part of the market. Of that, though, this was made specifically by Czechs who have a decommissioned tank. This is an incredibly small part of the market, and I did just so little research on this graph, but the important thing is, and I'll bring this in at the end, Arma 3 is the core of the market, clearly. I don't think you could take those devs and make them any happier.

The other part that we have to talk about, and just have in the back of our minds the entire time here, because part of this in video games: you don't need a reverse shell to ruin it, you just need to ruin the experience sometimes, and people will pay for a performance, even in the smallest bit. It is kind of amazing what gaming considers an advantage. People will pay literal thousands of dollars for milliseconds of input delay, of extra frame times; they will push it to the absolute ends. So if you get something that gives you an advantage in the middle of seconds, it is worth thousands of dollars. Imagine how much you would be worth if you can get it in the seconds range. And welcome to the high-visibility black market. I did not have to go very far to get this advertisement to pop up; it's around everywhere. I wasn't even in a hacking forum.
So just before everybody falls asleep and/or gets lost in their heads, here's a good crowd exercise. Here's the Call of Duty peer-to-peer hosting model for Call of Duty 4 and Modern Warfare 2. There's a lot of things that are kind of wrong with this, but I'm going to core it down to the one problem I think I see the most with this, which is the host selection algorithm: the host will be picked based on a combination of centrality, ping, NAT type and upload speed, and the host basically does everything: sends the maps and parameters, enforces the behavior, reports malicious clients, and does all the stat reporting. What's wrong with this model? Hands, please; you can shout it out if you like to.

What if the host is the bad actor? Yes. This entire model is based entirely around the security of the host. If that host gets compromised, you are completely SOL. Centrality: you're always close to somebody; amazing how peer-to-peer hosting works. NAT type: seriously, it's just checking if it's open, it's checking if it can actually just host. You get that done, you're good. And then the other thing is the upload speed, which is reported. It's not even a good estimation or a good guesstimation; pretty much the box has a real idea of how good its network is and then decides to report that up for matchmaking, and this is a function of the ping and host speed. So imagine you compromise your PlayStation, your Xbox, and you tell it it has a hundred terabytes of upload speed: you're the host every single time. It's amazing how that works. And so this is naturally a problem. If you're wondering why Call of Duty did not use the same model for PC, it's because of this: as soon as the host broke down, there was nothing left. So Call of Duty on PC was necessarily on dedicated servers, which leads us to the other problem: you can't really do that anymore. You can't depend on purely just the host security and how hard it is to break the box to save you. As soon as you start getting into modern games, it's going to be multi-platform, because you have to make more money that way, and guess what, more money, more problems. Thank you, Biggie. Also, you want it to be multiplayer, because that's like a standard now; supposedly every single game kind of has to be multiplayer. And furthermore it has to be moddable, so in a lot of games, especially Arma at the core, almost all your content comes from mods. Skyrim folks, you know what I'm talking about. If you don't have this... and especially, holy grail, if you can have both of these at the same time, what could go wrong?

So this is where I have to give you guys a little bit more. Now, you understand already that Arma is a very military game; it is off in the pigeonhole simulator land, but you do have to understand a little bit of its background. The company that made this game actually made proper military simulators used by the Army, Marines and Navy of the United States, and probably a number of other countries as well; I don't really want to do the research on all of it. But you do need to know that the Virtual Battle Simulator that they released ended up turning into the consumer version, Arma: Cold War Assault, and Virtual Battle Simulator 2, which was a great upgrade way back when (it's almost 10 years now), ended up turning into Arma 2. So naturally, when VBS3 released with a brand new engine and deformation and all kinds of other stuff, Arma 3 was made out of VBS2. Thanks, guys; whenever you want to get around to fixing that, that'd be great. There's a lot of inherited quirks from this, though, because the environment of a do-it-all in-house military simulator, well, it doesn't really carry over into consumer products. I've got to give all the props in the world to the people who ever decided to start moving this engine over and try to lock it down, because the idea for this was it was going to be on a closed network for some military personnel who are doing training, so you don't have to worry about the network, you don't have to worry about the internet, you don't have to worry about hardware, and well, because it's, you know, a military contract, we're going to check all those boxes and we're going to make sure that they definitely have everything coming to us and we have everything they need. Yeah, that's great, except: nature of proprietary things, no one else is looking at it. Which brings in the other fun: this does have to be entirely on PC for its origin. They're not running PlayStation 3s in the simulator section of military bases; that's not a thing.
There's also going to be a lot of surface area. Now let's talk about all the features this game has: voice over network, custom maps, join in progress, dynamic scripting. It's amazing. Mind you, on the scripting: yes, it has its entire own scripting language, which can be passed to clients dynamically joining in the middle of the game. I don't know how much of this was in the military product, but I know for a fact it was all of this and more. And yes, how open is the scripting language? Very. You've got basically everything you need here: you've got canSuspend, you've got sleep statements, you've got the ability to check whether or not you're on a dedicated server, you're able to do remote execution onto other machines. Yeah, what could possibly go wrong there?

That brings us lightly into: Arma had a lot of problems with script injection. Funny how that works when you have a dynamic scripting language and you can cause execution directly in other clients within the game; normally people start abusing that and start doing it abnormally pretty quick. Thankfully BIS has gotten pretty good at a lot of this, and they've actually built a lot of protection in. Again, not perfect information, but they are able to actually get a pretty good sandbox around all of this. I have not heard of any reports of people breaking out of the sandbox in any meaningful way to be just executing whatever they want on machines. But nonetheless they've got other protections in there too, so they actually do have BattlEye working with them, as well as a completely independent watchdog program to basically pay attention to the core files, check things around on the machine itself. One of the things disclosed by the developers is, back pretty early on when they had a lot of people cheating, hackers would produce tools and then sign those tools, because if you're a notorious hacker you wanted it known what's yours, why not, and so naturally this watchdog would just check the system for a signature: oops, you're banned. There's also a lot of really kind of cute things, like basically the core trying to self-maintain and make sure that you're not messing with it. I can't get too far into that, because I don't actually know most of how it works, but I do know how illegal action detection works, which I think is a fantastic feature and should honestly be in more games, and more obvious in more games: basically checking on the server side. "Hey, server, I just walked through a wall." Server says, "No you didn't, that's a wall, how did you... no, that's not how that works." And unfortunately in this case I'm pretty sure this is entirely done with just ray tracing, so if you decided to walk through a crack in the wall, the server would do a quick ray trace and be, "Oh yeah, yeah, you're good." It does some other stuff later on and tends to catch you doing that despite that, but it doesn't do it immediately, and a lot of games just don't do it, period. So there's a lot of steps in the right direction.

There's also a lot of things that just prevent you from exploiting this game in general. The packets are proprietary encoded; to my knowledge, I don't think anybody knows what the encoding is currently, which is a good sign. The server is an absolute arbiter in all cases; the server basically determines whether or not something really works. The server also confirms all the client
states, and this means every single file you join the server with is going to be hashed and then checked with signatures, the full works, and it includes the mods too, which means you can actually join the server with mods and have it be validated, which is great, because we rarely ever play the game vanilla. The server also has some level of script injection detection. Again, shaky public knowledge, but it does make sense: if the server has a rough idea of how many scripts it's going to have and what it has in memory, there's no way it's going to see something new come in that it's never seen before and be like, "Yes, that's very legitimate, I should totally accept that." It doesn't; it just outright rejects it and then probably kicks you off and bans you.

Also, the client has auto-destruct. Now, some people in the back who read that early have been giving me this quizzical look. Yes, that is a real thing. Arma 2 was notorious for having multiple layers of DRM. If you were able to disable the first layer of DRM, you were fine, and you were just able to start up the game without a license key and you just keep on cruising along. Of course, you do that for a little while, and then a week goes by, or maybe two weeks go by, and you kind of notice your aim starts to get worse. Like, not just like you might be bad today, or you're just bad at shooting in general, but no: you're standing literally in front of a barn and cannot shoot the barn. It is impossible. And then you die and turn into a seagull. This is not hyperbolic; you literally turned into a seagull, and then you could only ever be a seagull. This is the greatest free trial and DRM I've ever seen in a game. It is a fantastic idea.

There's also the people barrier. Unfortunately, because a lot of this game on multiplayer is going to involve other people playing the game, they're going to see what you're doing, and they know roughly what's legitimate and what isn't, so if you're going to do something you better be tricky about it, because there's a lot of stuff to prevent you from doing nonsense. There's kind of a slow pacing inherent in the game, so people are gonna see things and they're gonna go the extra mile: if reporting you on a forum takes five minutes, cool, you've been playing the game for about three hours, so that's nothing, I'll just hide in a bush for a bit real quick. There's also various mods, plugins and license scripts (infiSTAR, shout out); they do a pretty good job of actually checking stuff in more specific environments to prevent people from doing stupid and silly things. Almost entirely private dedicated servers means that there's always a server admin and an admin team who cares very deeply about you not being on their server. And also it's full of really technical people, and I'm not just, you know, stroking my own side here; this is seriously actually quite ridiculous. This is the quick reference for the controls. Now, those of you who are shy on counting: this actually isn't even all the controls in the game. This really is just the most used ones in all of three categories, and they actually intended for you to cut this out and have it on a little flip thing so you can have it in front of your keyboard and then change it out, because that's totally a thing you need to be doing in life-and-death scenarios: reaching off of your keyboard, flipping the controls, and then squinting your eyes to try and figure out what's going on. Now, mind you, this gets worse with mods. Another pretty common mod called ACE, the Advanced Combat Environment, adds about another 20 controls on top of this. Now, mind you, you don't need all of these controls to play the game, but that does bring our total number of controls above all of the controls for Emacs. We play this for fun. A notoriously terrible (well, terrible for new people) script editor, or code editor, or general editor, should not be your standpoint for what is fun.

There's also the EULA, and I'm purely putting this up here just to make sure that everybody knows I didn't break it. Basically, your fundamentals here are: you do not have the ability to translate, reverse engineer, disassemble, decompile, derive source code, or anything of that sort without the prior written consent of the licensor. I do not have the prior written consent. There's also this bottom one, which is: you cannot exploit the program or any of its parts. And this actually did concern me until I read the rest of it, which is "for any commercial purpose." Cool, I'm an individual, I'm kind of a personal person, so I just won't
touch the binary. I'm good.

So here's where it starts to get real. I like graphs and visual things, because they certainly help me. This is going to be a pretty simple one, and I'm just going to hide underneath the projector screen here; this might be helpful. Let's assume an unsecured client, and assume an unsecured server, and then a whole bunch of in-the-open UDP packets. Well, let's start laying on the added layers of protection. First off, we have some server-enforced tasks and signature checks, which does keep you from modifying a lot of things in the client. You have illegal action detection on the server, and the UDP packets are proprietary encoded. You have a watchdog-protected client core checking on the memory; the server's doing all the arbitration; heuristic script injection detection on the server, basically to prevent you from funneling new things in, and a lot of heuristic environmental checks to prevent applications that are messing with the client or doing things they're not supposed to do on the client's network. And there's also a lot of cheeky developer honeypots protecting the client (I'm looking at you, self-destructing code), and centralized reporting of all suspicious clients. Yes, all the servers actually do phone home, which is nice.

There is one thing wrong here. There's kind of not a lot of protections on that network code. I think it's encoded, and it's definitely UDP, but is it exploitable? Well, funny thing: they built the entire thing on UDP. Seriously, at no point do they ever send a TCP packet, which means for those things that are kind of important, like bullets, they actually have to send this stuff along and it has to get checked, so they actually reimplemented a lot of TCP back up at layer seven, for those of you familiar with the OSI model, all the way up at the application layer. Those of you who are not familiar with the OSI model: basically this means they can't see anything of what's going on at the network, because that's how the OSI model works, and they re-implemented stuff that's supposed to be very far down very high up. It generally works out all right; they don't need all of TCP, and UDP is very fast, but it does cause some concerns if you start thinking about other things, like locality. This is pretty standard across a lot of video games: how do you keep things moving smooth for all the players? Well, if the server has to ack every single footstep you take, you're not going very far, so naturally we have to give control over certain things to all the clients. The server is obviously the final arbiter, but that doesn't necessarily mean that it's the first. Don't die on me now, Mac.

There's also kind of an issue here with best-effort fairness that falls out of this, and to illustrate that I present to you the bullet time problem. You're gonna have to forgive my drawings. Let's say on your client a guy comes in between two walls, you shoot at him, and you hit him. Good job, you. Unfortunately, on his screen he's already gone behind the wall, he's completely clear, and you're shooting thin air. What happens? Server has to decide. Server has to decide in about less than half a second, because anything more than that would be ridiculous. While you're thinking about that, how about another one, and this is actually getting unfortunately pretty chopped off, so I will do my best in a local space here to hang this up. Let's say that guy actually made it around, and on your client you still haven't seen him move, and you're still shooting him, and you've dumped about half the mag into him on your screen, and you're starting to think that he might be Superman, and you're being very concerned. Meanwhile, on your client, he's gotten all the way around the wall and he's shooting back at you. What happens now? Seriously, you're the server, and this actually happens. Well, Arma's answer is everybody dies, like a good parent. So what the Arma server actually ends up doing is it looks at all of this: it looks at your story, it looks at his story, and like a good parent it looks at both of them and says, "Oh, both of these are very good stories, and both of these could be very legitimate, so I will punish you both, and you are both now dead."

This... welcome to some exploit necromancy. I will not take credit for a lot of this; a lot of this is really old stuff, and frankly is not even that technically crazy. It's really low bar; the bar is incredibly low here, because the issue is you can't necessarily fix it. Lag is an issue, seldom abused intentionally; some people still do, though, and it's always
present in everything, because you cannot possibly fix this entirely. If you start cutting on people who are lagging too much, suddenly the majority of the rural United States can't play your game; that's going to be a bit of an issue for your bottom line. Now this does of course bring up the other thing from earlier: UDP does have other baggage, which is acceptable losses, and the server can't see anything of what's going on with that, and because they rebuilt a lot of the TCP layers all the way up on layer seven on a stateless protocol, if you start messing with the stuff on a lower level, good luck. Good luck, really. What happens is Arma has to cope with the reality of a simulation, and that's not just a joke: this simulation is happening sometimes seconds away from each other at light speed. Now, mind you, I understand people are going to look at the globe and be like, oh, you can't possibly, you know, say there are seconds between here and there. Fiber optic lines do a lot of zigzagging, and not all of it is fiber optic lines, unfortunately, so you do end up with some issues. This is not new at all; in fact, it's so old that people have been attaching light switches to Ethernet cords for a long time now.

There's obviously the obvious solution here as a hacker, cheater, whatever you want to call it (I'd rather not call it a hacker, it's just cheating): you can just interrupt all the traffic. Now, there's actually some significantly allowed time gaps in a lot of games; this is multiple milliseconds, sometimes a second or more. In default Arma it's eight seconds. Now, mind you, there's some server settings that you can mitigate this with, but they are not the defaults. And yes, this works in so many things; it's unfortunate, and it's important that people are aware of this so that we can all keep trying to fight it. There is the major advantage of this, which is rushing, because if you're not giving other people information in regards to where you are, if you walk into a building and see where people are, you can see where they all are and you haven't entered the building yet. That's kind of an issue. You can start shooting them; you have not entered the building yet on their screen. It's a problem. There's the one drawback of it, which is that the world keeps on turning.

So I'm gonna run through... I did actually make a script that I'm going to be using up in the upper right-hand corner for a lot of this. This is the server telling me where it thinks I am, and it is a script that is entirely running on my private server, just so that, you know, we can have solid confirmation of this. So as long as I'm walking down the street I get both updates and position updates, and if for some reason I were to generally stop sending the server information, those position updates completely stop until the lag switch stops. Now, some of you were looking at that and were like, well, why were you still getting updates? Yeah, we'll get to that pretty soon. I did not record this perfectly, but this does bring in the interesting problem, and that is, especially in the default Arma settings, you can kind of just cruise by hostiles that are going down the street and basically be the invisible man. It's really unfortunate that this is a thing you can do in the default Arma, just willy-nilly. Now, mind you, the lag switch does not fix everything, and as is about to become immediately clear, if you don't have good gunplay, or
you're recording this at three in the morning, you will still die even if you're point-blank range away from somebody, because when the server starts talking back it changes how you're doing. For a more obvious example: if you decide to walk out in front of some folks, and they were moving before you turned the lag switch on, it's amazing the good parent Arma is, who informs me very quickly that I already have three magazines' worth of bullets in my stomach and I cannot continue to exist. Mind you, I did shoot them all in the head, so they're dead too. This is a problem; it gets worse.

So this is probably the immediate idea that you come up with after this, of like, well, you know, it's important for me to know where they are, so if I can just not tell them anything and, you know, know where they are at all times, I become John Cena. Now, you can do this more or less on a Windows firewall, but it really doesn't like doing this, and that's probably just Windows being Windows. But if you can see them move and they can't see you move, this should be ideal. Should. We'll get to that in a quick second, but first of all I have to address this. This is the more modern iteration of your family lag switch: this is a foot pedal, for you folks that can't see this very well. I kid you not, this is actively being sold on eBay. Mind you, these are not the brightest of people doing this; when I said this was a low barrier to entry, I was not kidding. "Cut the outbound signal on the Ethernet cord." That's not how the Ethernet protocol works; this is still cutting both directions. If you can't ack a frame, you don't get another one. "Also a nice gift for your gaming friends or family, play with your..." and hold on a minute, what kind of person do you gift this to? "Hi Steve, you seem like a horrible gamer who can't, you know, do well on their own and is kind of prone to cheating. Have a lag switch. Merry Christmas." Please, just... just no. But in the general case, you can really do a lot with this, especially in Arma and especially on the default server settings. Even if you're a bad shot and recording this at three in the morning, you can really just walk into the middle of hostiles and, with clever use of the lag switch, be generally pretty A-OK.
And this is a lovely case of watching a server catch up. The worst part about this is, as long as you're giving the server information, eventually the server is pretty A-okay with it. It's not going to stop you, not going to really give you a huge amount of problems, so you can really just cruise around, do whatever you want. This is the lovely point where I'd like to remind folks that the audio is not working, so if you couldn't hear any of that, I couldn't hear any of that. All right, we can run this presentation without audio, but as a fair warning, as we get later on there's going to be some sound effects that I have to produce with my
mouth, and that's going to be bad for everybody involved. There is the other part of this that people seldom think about, which is stopping the download. Now, you might think not getting information anymore is a problem, but the thing is, you're still talking back to the server, and the server is very happy when you talk to it, which means you can do this for longer. And of course you can do the other fun bit of this, which is basically the client telling the server, "well, what do you mean they're not there anymore? I shot bullets at them," and the server, like a good parent, says, "fine, I guess this is
legitimate, you haven't been receiving these updates," and so you naturally become one of the worst roles Arnold Schwarzenegger has ever played, the Iceman. The natural application for this is sniping, because, and this is really not as far away as you need to be in order to be able to do this, you can do this multiple kilometers out, because bullet travel time is real in Arma. But when the server catches up, suddenly a dead body appears, and everybody heard the sniper shot about eight seconds too late. Of course, you can also do this if you're in an urban environment and, let's say, you hear a tank coming down the road (I hear the audio, it's very soft)
and you happen to have some explosives. Now mind you, this tank crew is still cruising down the road on their screen. On your screen, however, you're really just going through the arduous process of setting up a satchel charge, and finally your client does actually get angry at you for chopping this traffic off for so long, but the tank is on its merry way and the server is quite pleased that you're finally talking to it properly again.
Don't worry, there is Zeus enabled, so I can actually show you what happened: that tank continued down the road like nothing was wrong, because nothing was, until it exploded randomly. It's a problem, seriously. Now mind you, as I've been clarifying, there are settings to prevent this in Arma version 1.56. I love you, Bohemia, and I love you finally giving us this granularity, but it's a little bit late. Thankfully, as a server admin, you can actually decide where you want to put the cutoff line, where you're deciding that someone is no longer someone in Idaho with a bad copper line from AT&T and is now someone who's genuinely abusing it. So
you can set things like the disconnect timeout: how long of just no traffic sent before we outright do an action, either kick you or log you silently. How much desync: how many individual updates are not acknowledged by the client. The maximum ping; everybody knows what ping is, hopefully. And the maximum amount of packet loss: how many packets are lost before the server basically says no. And again, these are all definable actions: you can silently log people, or you can kick them, or you can instantly ban them. You have to go through a little bit of extra work for the instant banning deal, and it of course is only on your server,
but you can always report this stuff on to the publisher later on, and if it's particularly rampant, losing game copies over this is definitely a thing that can happen. So obviously people are curious what the previous example looks like when the server is cracking down. Now, I left the lag switch running a little bit long on this one, but I'll tell you at which point the server has disagreed with my existence. Unfortunately you guys can't see it because this is a little bit short, but there is a yellow chain that appears in the very corner that did not appear in any of the previous examples. That means the server knows that I'm not doing this right,
or rather the client knows that the server knows that I'm not doing this right. I'm long disconnected before anything happens; it immediately freezes and I can't do anything. Arma does a pretty good job once you actually give it the right settings. So obviously this brings up the other question of, okay, well, there's other things you can do without knowing what the network traffic is, like replay attacks. This was pretty bad in some of the Call of Duty games: did I say one grenade? No, I meant a hundred grenades. Here you go, server, you said the first one was valid, so the rest of these are probably valid too, right? Thankfully you can't do this in Arma,
although it is, in our understanding of the model, very difficult to detect on the small scale. It is very difficult to do this because you have to be able to read the packets, and every single one of them is both enumerated and checksummed, so if you start messing with it, it's not going to work out great for you. Now mind you, you could do this by figuring out what the source code of the networking... no, BIS, no, we're not looking at the source code. Just go away, it'll be fine, I swear. So naturally, if we're not able to look at the source code, if we want to do
anything remotely more complex, we have to actually start pulling apart the network traffic. Anybody buy it for blind packet analysis? No, I'm not getting any excited looks. This is a graph purely on just the bitmap. If you can't see anything important in this graph, good, neither did I. This was very disheartening, but if there's any propaganda in my field that has told me anything, it is that offensive security says you must try harder. Now, I was gung-ho about this, I actually wanted to find something, so I hunkered down, I grabbed some caffeine, I was ready to cook at this for multiple hours at a time, and of course in my hubris I was, "I'm a professional, I can totally knock
this out in a day." So I went back to Wireshark, and no, I did not spill Legos on my Wireshark, but, and this is again really what's going to kill me, there's a whole bunch of colors here. I'm going to have to use my hand for this because this just barely doesn't go the length. Everything is redacted out in this, but there's a lot of colors on the far left end of the length field here. All you need to know is that everything that is the same color is the same length. There's a whole bunch of length-24 stuff; I'm almost entirely certain that these are the acknowledgement packets being sent either client to server or server
to client. But there's a lot of other stuff, and if you're noticing here, for those of you who can barely see it, there's a lot of blue up there, a concerning amount of blue. In fact, there's barely a mix of color diversity in here at all. How little diverse is it? There's really not much going on here, is there? So this is moving in a server, and of course I look at this and I'm immediately filled with both disappointment and glee, because this is going to make my job incredibly easy, because there's only really three types of packets that are coming in at any degree of massive frequency, and as soon as I cross-reference that with what
you're doing idling in a server, yeah, there's two of these bars, the ones the Mac can hold up, that are very, very, very suspicious. I now have a 50/50 chance to catch all of the movement packets. So yeah, I'm totally connected, and you're missing some of my packets? Say it ain't so. How does the server react to this? About how you'd expect, because it doesn't violate any of the existing server-side checks. Maximum ping? Well, I'm still connected and the ping didn't change. Maximum packet loss? Well, let's see, my movement packets outbound versus 30 to 60 other people on a server, and did I mention that there's updates for everything, including vehicles, bullets and falling rocks? Literally anything that
happens on the server has to make it to the clients. So what ends up happening is you can do this borderline endlessly. I'm going to give the coarse example here: this is what happens when you walk out of a building towards AI in Arma and they know what you're doing, and they can see you and they can drop you immediately; they're very vigorous with their firing. But if you're doing this and blocking movement packets, you really can just crawl out, and if their positions changed you would see it and you'd be fine, and you can really do just about whatever you want to do. Now, I'm short on time here, so I'm going to be cutting off the tail end of this
talk, and we're going to be quickly breezing through a lot of the simpler stuff, which is all right because I won't have to give many. But basically, as soon as the server finally does catch up, your explosive starts on its timer and then goes off. Now mind you, there's a more obvious case here of "why are you using explosives? Just show me what you can do normally."
And basically what you can do normally with this is you can walk out the front door and then just continue. Now, the main important thing here, and unfortunately this is going to eat a ton of time, is the length of time you can do this for and have the server acknowledge everything you've been doing, because mind you, you're still talking to the server; the only thing the server isn't getting is your movement packets. So all of those shots were registered with the server; the server is just curious where you were when you shot them. So when you tell the server, everybody dies. Mind you, this already
has been disclosed to the publisher; they have already gone through and fixed this. There's another thing you can do with this too: gunfire was of a stable length, surprise. If you can keep people from knowing that you're firing bullets, it's really hard for them to shoot back at you or know that you're shooting at them. Obviously this is a pretty short time period that you have to do this in, in a reasonable case, but there are a lot of legitimate ways to do this in the game, I understand, but you can still do it, and all these packets were very discrete and they're very long classes. So, back out to the bigger picture, and I
understand I'm going to cut the bottom part of this talk off, so unfortunately you don't get to know a ton about where we go out from here. But time-sensitive operations can become adversarial, any of them, in the open case: if you can think of any protocol that is insistent about people staying connected, if someone can get in the middle there, or you can hold your things until the absolute last second, this can get adversarial very quickly. Also, just because dropping specific messages is unusual doesn't mean you shouldn't have to account for it. This is then getting back out into the blue side of this, of maybe you need to write the code with a lot of exceptions
and a lot of checks. Network is hard, but you have to do it. And there's also the other problem of this, which is you don't have to be a state actor to manipulate traffic. Everybody in this room ought to know this, and I'm sure a lot of people do. So, the brief, because I've been given the flag already: the rest of this talk is purely based around the idea of messing with parameters, the itty-bitty little things. I'd love to give it, but I'm out of time. So the fundamental here is basically changing things that you thought didn't matter, like these small sub-parameters that never get edited in the game, like mass and orientation
and center of mass. There's a lot of terrible things you can do with this, but that's where I'm going to have to leave it. So, any questions?
All right. [Applause]
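The "blue side" point the talk ends on, that dropping specific messages is unusual but still has to be accounted for, is easiest to see in code. The following is an added example, not code from the talk and not Arma 3 or Bohemia Interactive code. It models why the aggregate checks the talk lists (disconnect timeout, desync count, max ping, max packet loss) miss a client that keeps acks and fire events flowing while its own movement updates stop, and what a per-message-class freshness check plus a gate on position-dependent events looks like instead. The message class names, cadences, thresholds and the two-client traffic log are all constructed for the example.

```python
"""Server-side detection of selective message dropping.

Added example for this talk; not the game's or the publisher's code. The
aggregate checks discussed in the talk look at a client's traffic as a whole,
so a client that stays connected, keeps acknowledging, and keeps sending
fire events while its own movement updates vanish stays under every
threshold. Tracking freshness per message class, and refusing to resolve
position-dependent events while the sender's position stream is stale,
catches that case. All names, cadences and thresholds here are assumptions.
"""
from dataclasses import dataclass, field

# Constructed message classes; not the game's real wire protocol.
MOVE, ACK, FIRE = "move", "ack", "fire"

# Assumed cadence of the periodic classes a live client must keep sending
# (seconds between updates). Event-driven classes such as FIRE are not listed.
EXPECTED_INTERVAL = {MOVE: 0.1, ACK: 0.05}

# Events whose server-side resolution depends on the sender's current position.
POSITION_DEPENDENT = {FIRE}


@dataclass
class ClientState:
    first_seen: float
    last_seen: dict = field(default_factory=dict)  # message class -> last ts


class SelectiveDropDetector:
    def __init__(self, expected_interval, tolerance=10.0, alive_window=1.0):
        self.expected_interval = expected_interval
        self.tolerance = tolerance        # missed intervals before a class is stale
        self.alive_window = alive_window  # any traffic this recent = client is alive
        self.clients = {}

    def observe(self, client, msg_class, ts):
        st = self.clients.setdefault(client, ClientState(first_seen=ts))
        st.last_seen[msg_class] = ts

    def _stale(self, st, msg_class, now):
        # A class never seen at all is judged from when the client connected.
        ref = st.last_seen.get(msg_class, st.first_seen)
        return now - ref > self.tolerance * self.expected_interval[msg_class]

    def stale_classes(self, client, now):
        """Periodic classes that are overdue for a client that is otherwise
        alive. A fully silent client is the ordinary disconnect-timeout case
        and is left to that check, so it yields []."""
        st = self.clients.get(client)
        if st is None or now - max(st.last_seen.values()) > self.alive_window:
            return []
        return [c for c in self.expected_interval if self._stale(st, c, now)]

    def accept_event(self, client, msg_class, ts):
        """Gate position-dependent events: if the server has no current
        position for the sender, the event cannot be resolved honestly, so it
        is refused instead of being trusted once the client 'catches up'."""
        if msg_class in POSITION_DEPENDENT and MOVE in self.stale_classes(client, ts):
            return False
        self.observe(client, msg_class, ts)
        return True


def build_sample_log():
    """Constructed traffic: 6 s at a 0.05 s tick. 'honest' sends everything;
    'selective' keeps acks and fire events flowing but its movement updates
    stop at t = 2.0 s, the pattern described in the talk."""
    events = []
    for tick in range(0, 121):
        t = round(tick * 0.05, 2)
        events.append(("honest", ACK, t))
        events.append(("selective", ACK, t))
        if tick % 2 == 0:                       # movement update every 0.1 s
            events.append(("honest", MOVE, t))
            if t < 2.0:
                events.append(("selective", MOVE, t))
    events.append(("honest", FIRE, 3.2))
    events.append(("selective", FIRE, 5.9))
    return sorted(events, key=lambda e: e[2])   # stable: same-ts order preserved


def run_detector(now=6.0):
    """Feed the constructed log through the detector; return the stale
    classes per client at `now` and the events that were refused."""
    det = SelectiveDropDetector(EXPECTED_INTERVAL)
    rejected = []
    for client, msg_class, ts in build_sample_log():
        if not det.accept_event(client, msg_class, ts):
            rejected.append((client, msg_class, ts))
    stale = {c: det.stale_classes(c, now) for c in ("honest", "selective")}
    return stale, rejected


if __name__ == "__main__":
    stale, rejected = run_detector()
    print("stale classes:", stale)       # {'honest': [], 'selective': ['move']}
    print("rejected events:", rejected)  # [('selective', 'fire', 5.9)]
```

The 'selective' client never trips a whole-connection check: it is never silent for more than one tick, so no disconnect timeout fires, and its forty missing movement updates are a rounding error against a server carrying dozens of players' vehicle, projectile and object updates. It is only the per-class view that shows one stream dead while the others are current, and only the gate in `accept_event` that stops the late fire event from being resolved against a position the server stopped receiving four seconds earlier.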