
Good morning. Okay, good morning, good morning, and welcome to the second and final day of BSides Pristina 2023. I hope you have enjoyed yesterday's session and you have learned new things. For those that were here yesterday, we had some incredible speakers who have touched on different compelling topics. Today as well we have a wide range of speakers; there are workshops and also the capture the flag competition that is taking place outside in the hall.

I would like to take a moment to thank the organizers of BSides Pristina. This is the second edition and each year it is getting better and better. I would also like to thank the University of Pristina, our host, for providing this venue to us. To our team, speakers: thank you for being here. I know that a few of you guys flew from Europe, even from the U.S. Also thank you to our sponsors; you can see them over here, some of them have been with us for the second year, thanks to those as well. And then thank you for being here, for taking your time; this is our last day of this edition.

Before we dive into our program, just let me go through some household rules. I would ask you please to turn your mobiles, your cell phones, into silent mode. Also, if you need to move around, please do so in between the breaks; it's so disturbing going in and out when there's a speaker presenting. Also I would like to ask you something: if you need to go out and if you're standing, make sure that your chair leg doesn't do this. As you can see we have a stream going on, we have a YouTube channel, so we want to avoid any background noise and so on. Emergency exits are this way, across the hall; you have them on your left, and the restrooms. And then in the hall you have two desks: one on the far end on the left-hand side, where there are workshops taking place (you need to be registered for those), and then on your right-hand side there's another desk for the CTF competition, and for those also you need to be registered. Without further ado, let me introduce you to the first
speaker, or first speaker. It's Max, and he's going to be talking about building bots in Java. Max, the floor is yours.

Good morning. Thank you for coming to this talk, and today we'll be discussing building bots for Java games: a beginner's guide. Before I start, one common pattern you'll see throughout this talk is me tying it back to security somehow, as this is a security conference at the end of the day. So moving forward, here's the agenda for today's talk: first we'll talk about the disclaimers, we'll introduce the game that we'll be writing the bot for, we'll talk about some of the techniques we'll be using, and finally we'll get into building the bot.

So, quick disclaimers. As we are writing bots, you know, the legal territory is questionable, so whatever you learn here, just do it at your own risk. And I don't do this for my day job; this is a pure hobby of mine, so it's not affiliated with my employer in any way, shape or form, if my employer is listening to this talk.

So let's start off with a meme to kind of lighten the mood. Some of you may have seen this meme: it's "how to draw an owl". So step one, just draw two circles, and then step two, draw the rest of the owl. The purpose of this meme is to kind of convey the challenges that speakers face when talking about such dense topics as this. You can break a lot of the topics in this talk out into their own sections that would be hours long, though my goal is for this talk to be for all levels, and while you may not understand what is happening under the hood... or sorry, while you may not understand why we're doing something under the hood, you will understand what is happening.

So let's introduce the game. The game that we're going to be working with is RuneScape. Some of you may be familiar with this game; if not, I'll give a quick TL;DR. RuneScape was released in 2001, and it's been regularly updated to this point. In fact, 10 years ago it was split into two: there's the more modern
version, which has what you expect from modern games such as graphics and gameplay mechanics, and there's the old school version. RuneScape itself is point and click, meaning that to interact with the game you basically point at the screen and you click what you want to do. So for example, if you want to interact with a monster, you click on the monster; if you want to interact with a player, you click on it. This is a little bit different from your typical games where you use the WASD keys to move, while in RuneScape the only time you really use the keyboard is to move the camera or to speak with other people, or I guess type to other people. The reason it's actually point and click is the history behind RuneScape: it actually started off as a browser game, and that's what gained it so much popularity, because back then you could actually run it on low-end machines and have a fully fledged game in the browser. Typically you have these browser games which are just like mini games, but this is an actual full MMO in the browser, and this is where it gained its reputation as being the game people played at the library or people played at school.

The game itself is written in Java. There's an asterisk, because the old school version is written in Java while the newer version is obviously written in C++. The game itself follows the client-server architecture pattern, meaning for every one server there are many clients. But the quick caveat is that we're actually not going to be writing a bot for the real RuneScape; we're going to be writing a bot for what's known as a RuneScape private server.

So let's talk about what RuneScape private servers are. RSPS is an acronym for RuneScape private server, and really what it is, it's a version of RuneScape that's not run by the official developers but rather by individuals who basically reversed the game and were able to write their own version of the game. It typically features custom content
and a different style of gameplay. That's what makes these games so alluring: for example, RuneScape was one of the first, I think, concepts of a freemium game, which means that it's free to play but eventually you hit a paywall, and if you want to continue you have to buy membership. The difference with RuneScape private servers, though, is that typically they would actually give you all the membership content and all the features for free. The pay model... sorry, the revenue model was a little bit different, in the sense that you could pay for custom items, because people value exclusivity, and as proven by NFTs in the recent past, people want to have one of one of everything.

There were lots of different private servers. Actually they've been dying recently, but in the past there have been thousands. On the left you see some of the more popular private servers back in the day; some of these are from like 2007 all the way to now. RuneScape itself had, I think, around 100... actually hundreds of thousands of players, but the difference between RuneScape and RuneScape private servers is that private servers actually only had around a thousand players, but the games felt more populated, because RuneScape would split these players across different worlds. So you would have maybe 100 worlds with a thousand players on each of them, while on RuneScape private servers you would only have one world with a thousand players, so it was a lot more dense. And last but not least, there are different revisions, AKA versions, of RuneScape private servers. A revision is a version of RuneScape; so for example, maybe you like the version of RuneScape in 2007, maybe you like it in 2009. That's what's known as revisions.

So moving forward, let's discuss some of the techniques we will be using today that will allow us to write the bot. First and foremost is reflection. There's
reflection in other languages; for example, a language may have its own variant of reflection, so Golang, Python, Ruby have reflection as well. Basically what it is is a technique allowing runtime inspection and manipulation of objects, methods and fields. What this means is that while the program is running, you can get the value of whatever you want at the current time, and you can actually modify it. Reflection has a close cousin called introspection, and I think introspection is what Python has, which is basically where you're not able to modify the value; you're only able to actually see the value. You'll see reflection commonly used in frameworks and libraries that deal with serialization, testing, and stuff along those lines.

One limitation to know about reflection is that new logic cannot be introduced. What that means is that I can't inject entirely new logic into the client, so I can only use what's there, and this will come in handy later. And last but not least, reflection may cause some performance overhead; really, based on the number of values you're trying to access with reflection, the more you're trying to get, the more it can impact your performance. An extension of the last point is that any time you use reflection to access the value of something, you're only accessing the value at that current state and time. Meaning, if the value does change, for example a player's health in the game constantly changes, then you'll have to use reflection to retrieve it again, so you're basically having to keep constantly reusing it. Reflection will be the technique that we actually will use to write the bot today.

So here's an example of reflection. In the first case, you see that we're instantiating an instance of the Runtime class and invoking exec, and what this will allow you to do is just execute a method... or sorry, execute a command. And as shown in
Rio's wonderful talk yesterday about hacking Cobalt, if you took a close look, Cobalt actually uses reflection to instantiate the arbitrary objects that he would pass using the object HTML tag.

So let's talk about where you may see reflection in the real world. If you've ever had to deal with deserialization, leveraging deserialization in Java, you have most likely used the tool called ysoserial. If you're not familiar with ysoserial, it's basically a tool that you can use to generate deserialization payloads that, when evaluated by the target, will result in active exploitation. So here's a gadget for CommonsCollections5. Commons Collections is a popular set of libraries published by the Apache Foundation that just adds utility and helper methods to Java. The one thing you should note here is that on line six... oops, sorry, we're instantiating an instance of the BadAttributeValueExpException class, and then on line seven we're getting the declared field val, you can see there, and then finally we're setting a value using it. So you may be wondering, why are we using reflection to do this, right? It seems like a little bit of overkill. Well, if we take a closer look at the actual class definition of BadAttributeValueExpException, you'll see on line 11 that the value actually has the private modifier, meaning, if you're familiar with object-oriented programming, you're not able to access this value directly from outside of this class. So the value can only be accessed inside the class, unless there are mutator methods like getters and setters, but that's out of scope for this talk.

A second technique we'll be using, that you will commonly come across, is called instrumentation. What instrumentation really allows you to do is add new logic to whatever you're instrumenting, and like I mentioned earlier, one of the limitations of reflection is that you're only able to reuse existing logic.
Well, here you're actually just able to add any arbitrary logic you want into the application. Instrumentation is commonly used for monitoring, tracing and profiling. So for example, if you want to trace the metrics of your app, how long a specific method runs for example, you would be using instrumentation for this. You'll commonly come across this being called injection, because you are injecting code essentially, and one of the most popular forms of instrumentation is actually Java agents, which itself is another topic that can have its own talk. Basically what you just need to know is that you're able to attach a Java agent to an existing Java program and it's able to inject into that program. In our case, the most common use case for instrumentation is to inject mutators such as getter and setter methods. So for example, if the class has a field that's only private, we can inject a getter method that can now return that object. One last thing to leave off about instrumentation is that it's typically faster than reflection, and that's because when you are injecting getters and setters, you now have direct access to the fields rather than using reflection to get them. Today we actually won't be demonstrating reflection... or sorry, we won't be using injection to write the bot, due to time constraints.

So let's examine a real-world example of instrumentation. Hopefully everyone can see this. Basically, here's a basic Java program; all it does is print "hello BSides Pristina" to standard out. Let's see the code... or let's see it run. So here we are compiling it and we're running it, and right, like I said, it's going to just print "BSides Pristina", and I ran it twice just to show you there's nothing happening under the hood. So now let's look at the agent that we're going to use. The first thing you should examine, the only thing we're going to use with this agent, is
we're going to connect to the main method, and then what we're going to do is insert a last line, "goodbye Pristina 2023", and we prepend this agent tag to it just for visibility, just so you can see that this is the agent that's actually doing it. And then obviously it manipulates the bytecode and all that stuff. So let's run it. Actually, now I'll show the original code again: this is the main method that we're going to be instrumenting, and we're just going to insert that System.out.println of "goodbye BSides Pristina". So let's do this. Here's how we run the Java agent: we pass it an argument called -javaagent and we point it to our agent, and as soon as it executes, you now see it insert "goodbye BSides Pristina 2023". And I think I'm going to run the original program... oh no, that's it. So that's an example use case of using a Java agent.

So let's get into building the bot. What is the client itself? The client, a picture of which you see to the left, is essentially a graphical user interface that the player interacts with in order to play the game. If you think about it, in a way the client constrains what the player is able to do and what they're not able to do. What I mean by this is that, for example, if the player doesn't have an item in their inventory, they are not able to equip that item; or the view distance of what they're able to see: if something's happening far off, they're not able to see that, because they're only able to play the game the way that the client wants them to play the game. Because of this, the client can be thought of as an intermediary, basically a middleman between the player and the game.

So let's talk about... oops, I didn't realize it was not full screen. So let's talk about, maybe let me provide an analogy that some people may understand: essentially the browser, like your web browser, is a client, and the website that you're interacting with
can be considered the server. In the same sense, the browser comes with an engine which is able to render JavaScript, and because of that you're now able to have client-side code, and what's happening is, for example, there are cases where the client side is able to control how the user is able to interact with the website. In this example, this is a simple HTML form; basically it has one input field, and what it does is, before the player... or sorry, before the user submits the form, it will check if the input field has a single quote. Basically, what this is is the ultimate SQL injection protection, right? Who needs sanitization or prepared statements when you can do something like this? Because if we're talking in the sense where the client has full control, that means the player, like in RuneScape, is not able to directly interface with the server; they have to go through the client. But, just like many of you may know... so here's an example where I type in "test" with a single quote, and it tells me single quotes are not allowed. So would this protect against SQL injection? No, and that's because what you're able to do is maybe use something lower level, like curl for example, which doesn't support JavaScript, and you send data directly to the server; or if you really wanted to, you could just send raw HTTP requests. You can get really, really low in how you get around this, and we're actually going to be using this to be able to interface with the client... all right, sorry, interface with the server. And just like with any other client-server communication that exchanges user input: always trust but verify the data.

So let's talk about how the actual RuneScape private server client works under the hood. The game itself is a Java applet which is bound to a JFrame, and the JFrame itself is a container which contains all the interface components of the game, so like your health for example; it draws the sprites in it. And so here is an ex... and last but
not least, the JFrame is also able to receive events such as mouse clicks or keyboard input. So here's an example of how it may work under the hood, at a very simplified level. Within the client, I want to equip an item, in this case the Santa hat, and what happens is that a listener is invoked when I click it, which then processes the action. It checks, hey, what action do you want to process? Each action has a code associated with it, an integer; in this case it's going to be equip item. Then it's going to run a series of checks: first it's going to say, okay, if you want to equip an item, we'll remove the item from your inventory, and then we'll update the player's appearance to show the equipped item. What's actually happening is, before these checks are run, the client sends a packet to the server, and this is how the packet structure looks. The first value here is the opcode; opcode 41 means equip item. The second value is the item ID, so what item do you want to equip; in this case the item ID, you may see it here, it says 1050.
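The "trust but verify" point from the browser analogy, applied to the equip-item packet just described, as an added example that is not code from the talk or from any RSPS code base: the client already ran the inventory check in its click listener, but a raw client can send the packet without it, so the server repeats every check before changing state. The wire layout (one-byte opcode, then three big-endian 16-bit values) and the Session class are assumptions for the example; the opcode 41 and item ID 1050 are the values from the talk.

```java
import java.nio.ByteBuffer;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

public class EquipHandler {
    static final int OP_EQUIP_ITEM = 41;   // opcode from the talk
    static final int SANTA_HAT = 1050;     // item id from the talk

    // Hypothetical server-side view of one connected player (not a real RSPS class).
    static final class Session {
        final Set<Integer> inventory;
        final Map<String, Integer> stats;
        Session(Set<Integer> inventory, Map<String, Integer> stats) { this.inventory = inventory; this.stats = stats; }
    }

    enum Result { OK, BAD_OPCODE, TRUNCATED, NOT_IN_INVENTORY, REQUIREMENTS_NOT_MET }

    // Assumed wire layout: u8 opcode, u16 itemId, u16 interfaceId, u16 slot (big-endian).
    // requirements maps item id -> (stat name -> minimum level).
    static Result handle(Session s, byte[] packet, Map<Integer, Map<String, Integer>> requirements) {
        if (packet.length < 7) return Result.TRUNCATED;   // never read past what the client sent
        ByteBuffer buf = ByteBuffer.wrap(packet);
        int opcode = buf.get() & 0xFF;
        if (opcode != OP_EQUIP_ITEM) return Result.BAD_OPCODE;
        int itemId = buf.getShort() & 0xFFFF;
        buf.getShort(); buf.getShort();                   // interface id / slot: client-supplied, ignored here

        // The client-side listener performed these checks too, but only the server copy counts.
        if (!s.inventory.contains(itemId)) return Result.NOT_IN_INVENTORY;
        for (Map.Entry<String, Integer> req : requirements.getOrDefault(itemId, Map.of()).entrySet()) {
            if (s.stats.getOrDefault(req.getKey(), 0) < req.getValue()) return Result.REQUIREMENTS_NOT_MET;
        }
        s.inventory.remove(itemId);   // state changes only after verification; then reply and broadcast
        return Result.OK;
    }

    public static void main(String[] args) {
        // Constructed packet: opcode 41, item 1050 (0x041A), then two placeholder interface values.
        byte[] equipSantaHat = {41, 0x04, 0x1A, 0x00, 0x01, 0x00, 0x02};
        Session honest = new Session(new HashSet<>(Set.of(SANTA_HAT)), Map.of());
        Session spoofed = new Session(new HashSet<>(), Map.of());   // claims an item it does not hold
        System.out.println(handle(honest, equipSantaHat, Map.of()));   // OK
        System.out.println(handle(spoofed, equipSantaHat, Map.of()));  // NOT_IN_INVENTORY
    }
}
```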
Right there. And then the last two values are not important; it's just basically the interface ID, you can ignore them. What happens is the server receives that packet, and it then says, okay, the player wants to equip the item, cool. So then we're going to perform some checks: does the player have the item in the inventory? Can the player wear the item? Like, maybe there are some stats associated with the item that the player may need, like requirements. And if so, okay cool, let's send the packet back to the client telling it everything is okay, and now we'll update every other player to show that you've equipped the item.

So let's talk about some of the layers that we'll be writing a bot for. We'll be writing a bot for each of these layers today. You may have heard the term, if you're familiar with game hacking, you may have heard the terms external and internal in the context of C++ game hacking. It's not the same here as in lik