
Okay, I guess a lot of people here like games, and yeah.
Have you cheated before, cheated in a game? Actually, someone here was cheating in one of the big games. Yeah, and someone is very honest, he made his own cheat with Cheat Engine. Nice, okay.
Not yet? Yeah, maybe after the presentation.
We build anti-cheat technology, which you can think of as an antivirus for games. We will look at the future of game cheating and the use of machine learning, and at career opportunities. If you're a young security researcher, a student here, maybe you would like to go into malware analysis or reverse engineering. After this presentation, maybe you will see there is another opportunity, which is gaming. It's a huge market, with information security career opportunities and research opportunities that maybe you don't know about. Maybe you can start your career in this area after this presentation, and I hope this could be the purpose of the presentation.
Not that after finishing the presentation you go and build your own hacks and your own cheats, no. I would like you to take the advantage, the opportunity, in defeating and defending against cheats, not building them. To defend against a cheat, and to help your career, you will have to understand how the cheat works, and then look at the information security opportunities with the techniques and technologies that you research.
Why do people cheat? Cheating comes from the natural competitive nature of games. Games are very competitive: you play a game against an AI on your computer, or you go into a match, into a league or a tournament, and usually only one player or one team wins. The nature of playing games is competitive, and in a competition it's human nature that people will try to find a way to win. This may be a legitimate way to win, by really playing the game well, and sometimes an illegitimate way, by getting access to a cheat. When they have a cheat tool they have access to an unfair advantage, which allows them to break the competition. That's where cheating comes from, and there are two main reasons: player status and financial gain.
When you cheat you win, and when you win you become on top of the world: this is the winner, he's playing so good, and you gain personal status. That basically means that when you play very well other people watch you; maybe you're streaming, and they watch you. That translates into financial gain: maybe you play a tournament and when you win that tournament you get a trophy; some people play for cash, they play a match against another player and the player that loses pays. So it's either player status, becoming on top of the leaderboard, and the prestige of being a top player, which somehow translates into financial gain, because you get more views when you're streaming your games.
So how big is the game cheat market? Is it a big problem? Is cheat development a big market? This question is really important: how big is this economy? The reality is that game cheating is huge; it's actually a multi-billion-dollar economy. There are illegal companies, and crime groups, that build cheats for the major games.
They run a subscription-based business model and they give you support. You will see a couple of screenshots of a company called EngineOwning. This company developed cheats for Call of Duty, Battlefield and other games, and as I said it's usually subscription-based: "we developed a tool for Call of Duty Warzone", a 30-day subscription for 50 dollars, a lifetime subscription for 500 dollars, and with the lifetime subscription they bypass and patch around every update; if there's a new version of the game, maybe you get half price on the new version.
How big is this market? Activision, the company producing Call of Duty, has a lawsuit in the US courts against the EngineOwning company, and in that lawsuit they requested around 700 million dollars in damages, claiming that the cheat used in that game is costing the company 700 million dollars. They want to take it down, and they are pursuing the company owning this engine. [Music] ... in a single week, and then in other weeks they take like 50K, and then 40K, and so on. So you can imagine how huge this problem is in a single game; imagine the other games.
So how do the game cheat categories work? Cheating in general, you can think of the cheats in two main categories. Knowledge-based: when you apply a cheat tool you gain more knowledge about the other players, more visibility; you can open the map and see the other players, how they move inside the map. That's the wall hack:
Wall hacks mean that you can see players across the world, behind walls, because technically the cheat manipulates the rendering. Aim assistance is when you apply a hack as an aimbot or trigger bot, which allows you to shoot directly at a player, an enemy; the hand of the player on the mouse is moved automatically to the object on the display. Usually an aimbot and trigger bot require a lot of trigonometry computation: you're injecting code inside the game binary, and that code searches for the X, Y and Z coordinates of the crosshair of the player. It searches the memory for the crosshair, then for the X, Y and Z coordinates, then computes the shooting ray, which is computing the pitch and the roll, and then triggers the function that does the shooting, which maybe does the kill or the damage. Technically this function is assisting the user to automatically trigger on the crosshair of the player, or to change the cursor and know when to hover the cursor onto the enemy. That is a game aim assistant.
So how does it technically work? There are usually three ways of building a game cheat.
The first is in-memory manipulation of the data structures of the game. If you want to reach the object of the other player, you have to search for the crosshair, and that requires searching the memory of the game process and identifying where the crosshair string is. From this point you start reverse engineering the game and you start to see how the object of the enemy, the player entity, is laid out, and then you build your injected DLL to manipulate the data structures.
The second is modifying the rendering engine of the game. In every scene that is rendered, I want to see a player in the hallway behind the wall. How do game engines work? When you draw a wall using OpenGL and then you draw another object behind the first wall, the OpenGL function that renders this object depends on the depth function, glDepthFunc, and its parameter means how deep I can see, which objects are rendered behind other objects. If I manipulate the depth function, I can see the player behind the wall.
The third is abusing game events through hooks, usually called game hooks, which get more information about the game; sometimes these events leak information about the game that can be used by the cheater.
In the demonstration, the game is a first-person shooter called AssaultCube; AssaultCube is usually the game used for game hacking tutorials. In the image on the left, with the normal depth function, I can't see the player, I can't see anything. On the right is when I manipulated the depth function. Technically the depth function is not for the player, it's for object-to-object rendering, but once I disable the depth function I can see the other objects, I can see the player rendered behind them. This is how it works, simply manipulating the rendering.
So we understand now the major techniques used to implement cheats. There are usually two or three ways of building the cheat. One is hooking with user-mode injection, and this is very similar to malware: you inject a DLL inside the game, and that DLL searches for the code of functions like the depth function, and when it reaches the function it changes the control flow graph, or overrides the function parameters, like the depth parameter. Changing the control flow graph is usually done with a trampoline, which is just a jump into another, remote function. Let's say we want a cheat where the player is not dying anymore: I search the game binary for the function that applies the dynamics of shooting and killing, and then change the control flow graph so the player is never killed. I can also do user-mode injection to search for an object or a variable in memory, to gain more gold or gain more lives: I search for how many lives I have in the game, how much gold I have, and then increase the content of that particular variable. But sometimes the game itself is protected by an anti-cheat, which is basically an antivirus. The anti-cheat technology protects the game process in memory, and in order to modify the game process I need to do a little bit of kernel exploitation, for example using a vulnerable kernel driver so that I can inject code in kernel mode, and then bypass the protection technologies of the operating system, protected processes, kernel guard and any of these kernel technologies, to do the injection using DLL injection techniques.
So how does the game actually protect its binary, its source code, and
the game engine? How does the game producer, the company developing the game, protect it? There are different ways of protecting the game. Sometimes you rely on native computing security measures and techniques: if you develop a game for Windows and you're running the game on Windows 10, you rely on kernel protection and process-level protection to avoid injecting a DLL into the game process and game memory, and to avoid loading any unsigned kernel driver that can attack the actual game. So the first one is relying on operating system techniques for protecting the game.
In addition, game developers do other things, like checking the integrity of the game, and process and memory checks. When the game starts, the game computes the integrity of its memory and allocated memory. They compute a hash, sometimes a very basic and simple CRC hash, and then at every time interval the game starts to scan its own memory and recompute the CRC hash. If the CRC hash is different, then something malicious has been injected into the game binary, and then it disables the game, stops the game, disconnects from the server, whatever action they want to take. So they do a lot of regular, time-interval-based security checks.
Another technique is binary protection. After the game developers write the code and build the whole world and the game physics and the story, and the game is finished, they compile the final version and start to add anti-reverse-engineering and anti-debugging techniques: maybe using a packer to pack the game binary itself, maybe a virtual-machine-based packer, and they add anti-debug techniques. When reverse engineers analyze the game and load the game binary into a debugger, x64dbg or WinDbg, the game stops execution, because if you load it into a debugger it means you're trying to reverse engineer it. Usually the full protection tries to stop, or delay, the process of reverse engineering and identifying the secrets of the game. So this is the kind of binary protection.
Another technique, which a lot of game developers use, especially the big games, is on-demand encryption and decryption. It means the secrets of the game, information like a string, are not decrypted unless they are needed. The player entity has a crosshair string, and that string is always encrypted and only decrypted when the cursor hovers over the player; in that case the game engine gets the decrypted crosshair string. When we move away from the player entity, the decrypted string is destroyed in memory. So you are not leaking game content in memory; you just decrypt when it's needed, whether it's an object, a player entity, the variables, or the server communication. For example, in a multiplayer esports strategy game the map is basically encrypted, and the black part of the map starts to decrypt when you progress across the map, and then when it goes back into the shadow it's encrypted again. So on-demand encryption and decryption is very important to stop the basic cheat layer, the string search using a tool like Cheat Engine.
In addition to the binary protection, a lot of the big game studios do obfuscation. After they write all this code, maybe in C#, maybe in C++, regardless of the programming language, they take the actual source code and transform it: they add more macro obfuscation, maybe using an LLVM-based obfuscating compiler, so the generated code becomes harder to understand and harder to be analyzed by the cheater. You combine an obfuscated binary, which is really hard to analyze, with anti-reverse-engineering and anti-debugging techniques, and it takes time to reverse engineer and extract the secrets of the game.
But in addition to all of this, dedicated anti-cheat technologies, especially in the big multiplayer games, do continuous monitoring: always collecting data from the game and the gameplay, sending this data to the server side and doing an emulation of the match. The data about the position of the player, the shooting, the aiming at other players, how many players you kill, how many dollars you have, how much gold you have, all the data behind the GUI is sent to the server, and the server does an emulation, and if there are differences the server may decide there is a chance that this player is actually cheating. There is a system called the Overwatch system that is implemented in big games. This Overwatch system collects what they call demo files; demo files are simply logs about you. If you play a game with the Overwatch system enabled, it collects a game ID, a player ID, the player session, how many players you kill, how many times you die, your positions every 15 seconds, and writes that into telemetry or log files that are encrypted. On the server side, if the machine learning model decides that you are cheating, that demo file is sent to human analyzers, maybe people who are very good at that game, who investigate, look at the files and then decide that you are cheating, and then take an action to ban you from playing, or whatever the company policy has decided.
So what is the current state of anti-cheat technology products? As we said,
there are esports and e-leagues. There is a big esport for games like Counter-Strike: Global Offensive, and the companies running these esports face cheating, so they build their own anti-cheat engines for CS:GO and for other games, which is a kernel-mode or user-mode driver that protects the game. Usually the anti-cheat engine, as I said, think about the antivirus: it checks for DLL injection, it checks for kernel exploitation, it checks for any manipulation, for any hooks, all the stuff that an antivirus is doing, and when they detect any cheat they send that information to the server, and the server bans you or just disconnects you. So esports leagues like ESEA or FACEIT build their own anti-cheat technology that they use in any league, for Counter-Strike: GO or any other game.
Then there is game-specific anti-cheat technology. If you play any game from Valve you usually see VAC coming as part of the game; VAC is user mode, it checks for user-mode injection, it's a good user-mode anti-cheat. Riot Games have their own version, which is Vanguard, and Vanguard is actually kernel mode; you see Vanguard in Valorant. But also there are generic anti-cheats, Easy Anti-Cheat and BattlEye, and these are the most common generic kernel-mode anti-cheat products. Easy Anti-Cheat is a newer company that came to the market in, I think, 2013 or 2014, and Easy Anti-Cheat has been acquired by Epic Games as part of the Epic strategy. Usually if you use an engine like Unreal to develop a game, and you're a gaming studio developing for Epic, you have access to the Easy Anti-Cheat engine and its source, so you can implement all the function calls and embed the telemetry collection from the game side. Easy Anti-Cheat is used by big games like Fortnite, Gears, The Division, Halo and a huge number of games. BattlEye is actually much older, but it's less popular than Easy Anti-Cheat now, with games like PUBG and Fortnite. So this is a generic kernel-mode antivirus for games: if you build your own game, if you're a gaming studio, you can have a license for Easy Anti-Cheat or BattlEye and then implement it, and you use it for game security.
Then there is the server side, which is FairFight. FairFight is server-side emulation: when you implement FairFight it takes screenshots from the player and pulls statistics about the player to the server side, makes the emulation and applies a multi-layer machine learning model to detect if a player is trying to cheat. So it's less invasive; it's not scanning the memory, it's not a kernel-mode driver, it's not injecting anything in the memory, they're just taking data, analyzing that data on the server side, and then taking that information and deciding if the user has to be banned or not. There are a lot of these less invasive server-side technologies that you can buy, and many other technologies that rely on endpoint, antivirus-style detection, which doesn't work, especially with the streaming model of games. What I tell you is that we need to rely more on server-side emulation and machine learning models for detecting cheating; it's actually much better than looking for the basic DLL injection and loading of vulnerable kernel drivers and so on and so forth.
But the problem is that cheating is actually starting to change, using machine learning. It's not only using DLL injection and executables; there is actually machine-learning-driven cheating, and one example is GAN-Aimbot. GAN-Aimbot is public research, published maybe three or four months ago, and it uses a generative adversarial network and computer vision to start looking for the objects of the game, identify the enemy player, and automatically make an aimbot and trigger bot. So there is no security violation here: there's no DLL injection, there's no manipulation of the kernel; it's just AI and machine learning, learning and identifying and generating adversarial actions that actually play the game. In the GAN-Aimbot paper they applied it to an older-style game similar to Doom.
But it's not only about cheats. Two or three days ago OpenAI, one of the major drivers in the machine learning and AI world, came up with a system called VPT, and VPT is a learning system that learns how to play Minecraft by watching videos of Minecraft. The AI system is given a huge amount of videos of players playing Minecraft, and that video pre-training system starts to learn how to play Minecraft. The publication is online, and I think the GitHub code for training is available. So it goes without saying that we can train a system to play Halo, or Battlefield, or whatever game you want, and that AI player may be much more hardcore, much better than any human player. Then the question is: are we approaching the point where we have to detect a machine-learning player versus a human? And if we detect it, is it bad? Can we block him? What is the situation if a human is playing, and in the backend the VPT-trained model is playing on behalf of this human player? It's actually very complicated, which makes the process of identifying the hacking and cheating harder and harder with ML, and with streaming: everything is moving to the cloud, the game is moving to streaming mode, so identifying the cheater is a problem, and the detection techniques and detection technology are actually in a bad position, because we don't know how to deal with these new threats about cheating and about security process violations.
So what's your career opportunity, and what do you need to start doing research in this area? You need three things. You need Cheat Engine, the tool for searching memory and identifying the game secrets. You need a disassembler, maybe
IDA Pro, maybe Ghidra, r2, whatever tool you have. Then you need a debugger, WinDbg, x64dbg, whatever. And then you take a game, maybe an open source game like AssaultCube, maybe any other small game like Mario, and you start to search that game's memory and start to build your own cheats. There are a couple of books available online; one of the books is called Game Hacking, it's published, I think, and it's good, it will give you all the basics you need. There is a huge number of forums and tutorials on YouTube
that show you how to hack the game. In general these tutorials are not that different from what you do for learning exploit development, malware analysis, or server-side or network penetration testing; every technique is actually transferable if you want to build a career in game anti-cheat and game defense.
So what about the career opportunities? There is a huge career possibility here. Every major studio, and I wouldn't say only the major ones, the medium-sized studios and the small studios, usually search for people who have information security engineering skills. It's not only about defending against cheating, but also the game server itself:
when you build a multiplayer game, those game servers are targeted by DDoS attacks, by bots that try to flood and take down the server, and a lot of penetration testing happens on the server side to ensure that the server is secure. But also those game developers and studios need, when they ship a new game, that no one reverse engineers it, no one tampers with the game, no one extracts the secrets, because if it's a new game and someone comes and says "well, I can kill everyone in that game, I can reach level 100 in 30 minutes", no one will play the game.
So usually all the game studios, small and medium-sized or even the big players, look for people to reverse engineer existing cheats, know how the cheat works, and develop mitigation and detection techniques for the existing product. That's very similar to antivirus: you look for the new viruses and malware, you understand how the malware works, you build the detection, you write a detection for your engine; in this case you build it for your own game. So there is a huge career opportunity for information security related to anti-cheat and reverse engineering, and, as we highlighted, penetration testing, network penetration testing, and security audits on the server
side and on the client side. So I think it's a huge opportunity, and there are more careers coming. Unfortunately maybe it's not in Egypt, or maybe a little bit in the Middle East; most of the gaming studios and publishers are in Turkey, the US, and definitely China and Asia, which is a huge market for gaming studios and publishers and all of those developers. All right, I think I finished on time. I hope you learned something interesting, I hope you got some interesting information, and yeah, if you have any question let me know.
Okay, yes?
[question inaudible]
The gaming industry is becoming bigger, and there is big funding. For a small startup in games, usually what happens is that the company gets acquired, as has been said. So they put a big stake in ESL, which is an esport, I think the biggest, and wealthy companies take a stake in FACEIT, which does esports and league tournaments; they have their own anti-cheat, they come with their technology, they come with their cheat detection, and they realize
small gaming studios and medium-sized gaming
studios are multiple companies, a few, very few companies. Are they changing their cheating dynamics? Yes, of course. Recently they had their own problems, they had their own kind of games, so I'm not sure if they are promoting the cheating problem; they have a cheating problem, probably they will have cheating. What do they do if they are building their own technology? Yeah, potentially. When you're becoming a bigger company you'll have to build your own technology and you will have to defend against the abuse of your game. And the opportunity for the individual? Yes, absolutely: the more acquisitions there are, and the more small companies come into the market, usually the more career
opportunities.
[Music]
They will destroy the economy and ecosystem for them; maybe the lawyer will just go and, you know, find a way to build, to develop. Yes, totally agree, totally agree, and that's correct.
[question inaudible]
[Music]
I may be able to help. I'm not that much of an expert in games, but I think I have basic information, so maybe I can help. Thank you for your attention.
Okay.
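Editor's note: the talk describes the periodic CRC self-check that a game runs over its own memory and the on-demand decryption that hides strings from Cheat Engine, but shows no code. The block below is an added example written for this page (not code from the speaker, from AssaultCube, or from any anti-cheat product). It assumes a constructed 64-byte array standing in for a protected code region (a real check hashes the game's code pages, e.g. the .text section) and a CRC-32 routine; `integrity_init`, `integrity_check` and `simulate_patch` are names chosen here.

```c
/* Added example (editor's illustration, not code from the talk or from any
 * anti-cheat product): a periodic CRC self-check of the kind described in the
 * talk. A real implementation hashes the game's code pages (e.g. the .text
 * section); here the "protected region" is a constructed byte array so the
 * example runs anywhere. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Table-less CRC-32 (IEEE 802.3, reflected polynomial 0xEDB88320). */
static uint32_t crc32_update(uint32_t crc, const uint8_t *buf, size_t len) {
    crc = ~crc;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

uint32_t crc32(const uint8_t *buf, size_t len) {
    return crc32_update(0, buf, len);
}

/* Constructed stand-in for the game's code region (assumption: in a real game
 * this would be the bytes of a protected function such as the depth-test path). */
#define REGION_SIZE 64
static uint8_t protected_region[REGION_SIZE];
static uint32_t baseline_crc;

/* Called once at startup: fill the region and record the reference hash. */
void integrity_init(void) {
    for (size_t i = 0; i < REGION_SIZE; i++)
        protected_region[i] = (uint8_t)(0x90 + i);   /* arbitrary "code" bytes */
    baseline_crc = crc32(protected_region, REGION_SIZE);
}

/* Called on a timer: returns 1 if the region still matches the baseline,
 * 0 if something patched it (the talk's "disconnect from the server" case). */
int integrity_check(void) {
    return crc32(protected_region, REGION_SIZE) == baseline_crc;
}

/* Simulates what an injected DLL does: overwrite one byte of the function,
 * e.g. turning a conditional jump into an unconditional one. */
void simulate_patch(size_t offset, uint8_t value) {
    if (offset < REGION_SIZE) protected_region[offset] = value;
}

int main(void) {
    integrity_init();
    printf("startup check: %s\n", integrity_check() ? "clean" : "tampered");
    simulate_patch(10, 0xEB);   /* JE -> JMP style one-byte patch */
    printf("after patch:   %s\n", integrity_check() ? "clean" : "tampered");
    return 0;
}
```

Two caveats a practitioner would add to this "basic and simple" check: CRC-32 is not collision-resistant, so a cheat can pad its patch to keep the checksum unchanged, and a cheat that locates the check itself can patch it or the stored baseline. It also only sees byte changes in the hashed region; a hook that redirects control through a pointer the region does not cover (an import table or vtable entry) leaves the hash intact, which is why the talk pairs memory checks with injection detection and server-side replay.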
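Editor's note: the talk describes server-side "emulation" (FairFight, the Overwatch demo files) in prose only: client telemetry is replayed on the server and a mismatch with what the game's rules allow marks a likely cheater. The block below is an added example written for this page, not code from the speaker or from any anti-cheat vendor. The demo-line format (`player=<id> tick=<n> pos=<x>,<y>,<z>`), the movement limit, the tick interval and the sample lines are all constructed assumptions; it replays reported positions against the maximum distance the engine would let a player cover per tick, which is one check a speed hack or teleport cheat fails.

```c
/* Added example (editor's illustration, not code from the talk or from any
 * anti-cheat vendor): a server-side replay check of the kind described above.
 * Client-reported positions are replayed against a movement limit that the
 * game's physics would enforce; a player that covers more distance per tick
 * than the engine allows (speed hack, teleport) is flagged. The demo-line
 * format, the speed limit and the sample lines are constructed assumptions. */
#include <stdio.h>
#include <string.h>

#define MAX_PLAYERS   8
#define MAX_SPEED     7.5   /* assumed engine limit, world units per second */
#define TICK_SECONDS  1.0   /* assumed interval between two telemetry ticks */

typedef struct {
    int id;
    int tick;          /* tick of the last accepted sample */
    double x, y, z;    /* position at that tick */
    int have_prev;     /* 0 until the first sample for this player arrives */
    int violations;    /* number of ticks that exceeded the limit */
} Player;

static Player players[MAX_PLAYERS];
static int nplayers;

static Player *lookup(int id, int create) {
    for (int i = 0; i < nplayers; i++)
        if (players[i].id == id) return &players[i];
    if (!create || nplayers == MAX_PLAYERS) return NULL;
    Player *p = &players[nplayers++];
    memset(p, 0, sizeof *p);
    p->id = id;
    return p;
}

void replay_reset(void) { nplayers = 0; }

/* Feed one demo-file line of the form "player=<id> tick=<n> pos=<x>,<y>,<z>".
 * Returns 1 if the line parsed, 0 if it was malformed or the table is full. */
int replay_line(const char *line) {
    int id, tick;
    double x, y, z;
    if (sscanf(line, "player=%d tick=%d pos=%lf,%lf,%lf", &id, &tick, &x, &y, &z) != 5)
        return 0;
    Player *p = lookup(id, 1);
    if (!p) return 0;
    if (p->have_prev && tick > p->tick) {
        /* Compare squared distance with the squared reachable distance so no
         * sqrt is needed: a legitimate client cannot exceed MAX_SPEED * dt. */
        double dt = (tick - p->tick) * TICK_SECONDS;
        double dx = x - p->x, dy = y - p->y, dz = z - p->z;
        double dist2 = dx * dx + dy * dy + dz * dz;
        double reach = MAX_SPEED * dt;
        if (dist2 > reach * reach) p->violations++;
    }
    p->x = x; p->y = y; p->z = z; p->tick = tick; p->have_prev = 1;
    return 1;
}

/* 1 if the player broke the movement limit at least once, else 0. */
int is_flagged(int id) {
    Player *p = lookup(id, 0);
    return p != NULL && p->violations > 0;
}

/* Replays a constructed demo excerpt: player 1 moves 5 units per tick (legal),
 * player 2 jumps 40 units in one tick. Returns the number of flagged players. */
int run_sample(void) {
    static const char *demo[] = {
        "player=1 tick=1 pos=0,0,0",
        "player=2 tick=1 pos=10,10,0",
        "player=1 tick=2 pos=5,0,0",
        "player=2 tick=2 pos=50,10,0",   /* 40 units in 1 s: impossible */
        "player=1 tick=3 pos=10,0,0",
        "player=2 tick=4 pos=60,10,0",   /* 10 units in 2 s: fine */
    };
    replay_reset();
    for (size_t i = 0; i < sizeof demo / sizeof demo[0]; i++)
        replay_line(demo[i]);
    int flagged = 0;
    for (int i = 0; i < nplayers; i++)
        if (players[i].violations > 0) flagged++;
    return flagged;
}

int main(void) {
    int n = run_sample();
    for (int i = 0; i < nplayers; i++)
        printf("player %d: %s\n", players[i].id, players[i].violations ? "FLAGGED" : "ok");
    printf("%d player(s) flagged\n", n);
    return 0;
}
```

A production replay does more than a speed limit (line of sight at the moment of each hit, reaction-time distributions, the statistical models the talk attributes to FairFight), and it only works if the telemetry itself cannot be forged by the same client that is cheating, which is why the talk notes the demo files are encrypted before they leave the player's machine.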