
BSides Rochester 2017: David Kukfa: The Hardest CTF I've Ever Done: My Experiences Reverse Engineeri

BSidesROC · 4,896 views · Published 2018-01

My name is Dave. This talk is called "The Hardest CTF I've Ever Done: My Experiences Reverse Engineering an MMORPG". If you guys didn't get enough game hacking, I've got good news: there's more. I'm a senior in Computing Security at RIT; this is my last semester here. I'm interested in security and reverse engineering, and I have a blog where I'll be posting this slide deck after the conference. I'm also on Twitter, if any of you are on Twitter.

So, a little bit about what we're going to be talking about today. This whole project is basically an ongoing project I've had for the past two years: reverse engineering a dead MMORPG. I'm going to go over the game itself, what a server emulator is (it's like a private game server), give a high-level overview of the actual MMO reverse engineering process and some tools that you can use. I know Nate just touched on a few of those, but I'll cover the whole wide range of tools that you can use to accomplish this kind of stuff. Then we can dive into the technical details, the actual nitty-gritty details of the reverse engineering process for my specific MMO, the experiences and mishaps I ran into, a little musing from a security perspective, a demo of the project and the work that we have done so far, and then talk about some of the legal implications of doing something like this. Then we'll have some time for questions at the end.

A little survey before we get going: any MMO players in the crowd? Cool, a few hands, awesome. Any CTF players? Cool, sweet. Any game hackers? Awesome, cool. Hopefully after this talk that should change.

So, a little bit about the project itself. The game is called Dungeon Runners. This was produced by the game company NCsoft in 2007, so it's a bit older, about the same time as they expanded, actually. The game is an MMORPG, and if anybody's not familiar, that's basically this huge online world where

thousands of players can all interact with one another, and they interact with this virtual persistent world. The game uses a custom engine, which was actually sort of torn down and used for a bunch of different games before it became Dungeon Runners, so it was scrapped in between them, picked up for another game and handed off between different devs until it finally landed on this final project. Then the game was shut down in 2010, unfortunately, due to lack of profit, so the game publisher pretty much just killed it off and shut off the servers for the game. The problem with that is that since this game is an MMORPG, it's pretty much reliant on those servers being there to actually be playable. Everybody still has the game client, but there's really no back-end server for it to connect to, so it's pretty much just dead weight; the game is pretty much done, and players can't really do anything without that server being there.

This brings us to the concept of a server emulator, which is what a lot of other players and reverse engineers try to do when they get to this point of "my game is shut down and I still want to play". The server emulator is basically an attempt to recreate that game server back-end after it's been taken down. And this whole server, the whole entity of the game server, is actually comprised of a bunch of different smaller components that are generically referred to as "the game server". In reality there are lots of different components, such as an authentication server and different servers for different zones and so on that you connect to, and all of these use a custom communication protocol. Usually none of this is documented online; a lot of it is closed source and that kind of stuff. On top of that there are all sorts of design issues, such as: how are you actually going to architect this thing to scale, how are you going to make this playable when there are hundreds or maybe thousands of players trying to connect to it, how are you going to design the database; there's all sorts of stuff that goes into making this a big, complicated problem.

So when you're trying to recreate this game server, the amount of reverse engineering that's involved is really large: you have to pretty much reverse all the servers, so this is a very, very complex problem. When you talk about the reverse engineering process from a very high level, it's pretty much just taking something apart to see how it works and then trying to put it back together again, and trying to do that at the huge scale of an MMORPG is a really long, difficult process that involves a lot of guess-and-check sort of stuff. You're not going to be able to figure out every little detail of these games; it's more like, if you get something that works, "I know what it's doing, I put these bytes in this protocol and it seems to work, but other than that I don't know what this is doing", and a lot of times you're just going to have to roll with it. That kind of makes these server emulators kind of hacky, and they're not generally going to perform the same way as the actual game servers themselves, because the game company obviously knows more since they have the source code. But generally it's like, if you can get it to work, then whatever, you just roll with the punches. So from a high level,

what does it look like when you reverse engineer this? Typically you're going to start with protocol analysis. Like I said, there are all these components on the game server and they all use this custom protocol to communicate, so at this point our job is pretty much just trying to figure out what the different components send over the wire: what does the game client send to the game server, what does the game server send back, in order to actually make this game work? To determine this, you're going to look at the game traffic that's going back and forth between the client and server and try to identify certain packets. So you can see, like, when you log in, obviously certain packets are being sent, and you can identify the general structure: "this is a login packet, this probably contains my username and password", stuff like that. After that you look at the actual structure of the packet: "okay, I know this logs me in, what do these different bytes represent?", and try to identify common fields in the packet, like the username goes here and the password goes here, breaking that down even further. After that we can move on to other things like encryption and checksums.

Then we have connection handoff. You're connecting to your authentication server, and eventually, once you've authenticated and chosen a game server, chosen a world to load into, maybe you're going to disconnect from that auth server and reconnect to the game server, so the connection has to switch between those different components, and we're identifying where that happens and why. The last thing is stuff like serialization: if you have these objects that are being stored server-side, like a game character for example, how are you going to break that down to a binary representation and send that over the wire? That's basically the serialization process.

So here we have this picture of example game traffic, and the whole goal of this protocol analysis phase is basically to figure out: okay, we've got all these bytes, what do they mean? Which of these bytes are controlling what happens in the game, in terms of "this is a username and password", "this is telling me to enter the world", what does this do, whatever it's doing. That's the goal of this phase, and this is where a lot of our reverse engineering time is going to be spent, so this is a very, very long part of the whole process. After that, once we've identified the communication protocol, we can move on to server design. This is where we

know how stuff talks, and basically we need to architect this whole back-end that we've been trying to reverse engineer. Like I said, the whole process with MMORPGs and trying to build their back-end is a very, very complex area, where game companies will spend years and hundreds of thousands of dollars in order to actually build a solid, resilient game server. So when it turns to a team of us as reverse engineers trying to recreate that sort of magic that they've done, that's a very, very complex process, because there's so much stuff going on. Like I said, there are lots of servers on the back-end in terms of authentication, your actual gameplay server, stuff like your databases, something that just loads a single zone like a map in the game; there are all sorts of different components on this back-end, and we have to architect this in a way that's scalable and resilient, because if people start logging in and there are a hundred or a thousand players and stuff stops working, they're not going to be very happy. The stuff that goes into this is your actual database design: are you going to go with MySQL, or a NoSQL technology, or newer technology; how are you actually going to structure your code, like what are the most efficient ways, and stuff like that. That's also basically who's on the hook for the players, which is not very fun. So all this stuff is really important, and again this is a very, very complex sort of design which you have to take into account once you actually figure out how everything talks to one another.

After that point, you know how everything talks to one another and we have our server built up, but now we basically just have to fill it with data. So you're basically trying to recreate that game world that was taken down on the server side, and a lot of this stuff is going to be stored client-side, pretty much like any game assets. So if you ever download the game and you're wondering why it's like 30 gigabytes, this is why: a lot of the stuff is stored in the actual client instead of stored on a server and transported over the wire. A lot of the stuff being stored client-side is really good in this phase, because otherwise you'd be doing a lot of data entry. The stuff that you might end up having to add in is stuff like your vendors and their inventories (when I talk to a merchant, what kind of stuff do they have), your quests, and when you're actually in the zones, what enemies are there, how do they interact with players, and stuff like the actual loot and drops that come from killing an enemy. Then if you have a particularly rough time, you might have to do some other stuff, such as how your maps are laid out; you might have to specify where everything is in the map, a monster is here and here and there's a quest here, and you might have to actually port that into the map data on the server side, stuff like where NPCs are located, and also dialogue between your NPCs and your players. Yeah, oh yeah, you could be reusing a lot of those for sure. So in order to

actually accomplish this, there are a lot of different tools that you can use. The general tool category is the disassembler, which is basically a tool that's going to take your compiled machine language and turn it back into assembly language. That's still not, however, like C++ code for example, but it's going to make it more human-readable. This is something that you saw in Nate's talk; we saw x86 assembly, for example, so it's going to take your compiled binary and turn it back into x86 assembly code. These tools are generally referred to as static analysis tools, because they're looking at the game when it's not running, just in its binary format on disk. Some tools that can do this are IDA, Binary Ninja, and a couple of other ones like Hopper; some are more mature, some are newer. IDA is pretty much the gold standard, almost, but it's also very expensive.

Your debugger is going to do something different: that's actually going to run your program and then look at the state as it runs, so you step through the different x86 assembly instructions and look at how stuff changes after each one, making use of things like the current instruction being executed, the actual values of the registers, what's in memory; all that stuff is going to be changing as you run your program, and you can use your debugger to see all of that. On the other hand, this is called dynamic analysis, because the program is actually running and it's dynamic; it's not just sitting on disk, so you actually see what happens when the program is executing, when your game is running. Some tools for this: again, IDA does this as well; there's OllyDbg, there's GDB, and x64dbg for Windows.

Lastly, your packet sniffer: basically you want to take a look at the traffic that's going across the wire, like we talked about for protocol analysis, so you're pretty much going to need to capture packets in order to look at what's actually going on on the network. Common examples are Wireshark, which a lot of us have used, and tcpdump as well. Then your hex editor is for actually looking at and manipulating that binary data that's sent over the wire, in hexadecimal format; there's HxD for Windows, which I really like, there's vim, which has a hex mode, and there's also hexdump and xxd.

So now we dive into the actual technical, sort of gory, details of the whole process. When I was starting out, I pretty much just had the game client. The game client was distributed with the game, and there's pretty much no server for

it to connect to; it was pretty much like, here you go, you just have to recreate the server side. The actual game server itself, the communication protocol that was used, was not published; it was all proprietary, private information that was not public whatsoever. There's an important distinction between the game server and the authentication server, which we'll talk about in a bit, but the actual game server, where pretty much most of the actual game was implemented, was not public information. And there were no packet captures either, so I didn't have a known-good reference, like "here's what this packet should look like and here's how you should recreate this on your server". That's very important, because without known-good examples, things are very, very difficult, since that's pretty much what a lot of the existing server emulators have been built off of: somebody would be sniffing their traffic with a legitimate client and a legitimate server, look at the traffic that goes back and forth, see what the server responds with, and then try to emulate that by writing their own program. They try to emulate those known server responses, and when we don't have those, that's basically a lot more reverse engineering work and a lot more time to actually get to that state.

On the other hand, we did have debug symbols for the binary. If you look over on the far right window over there, the functions window in IDA, you can see that there are like 34,000 functions. Those are all loaded from that PDB file over there, which basically shows what the functions were called when they were compiled and what memory locations they're located at. This is very, very helpful, because we can actually see what the actual game programmers named their functions, and we can get a little more information about the binary itself. This is all very important from a reverse engineering standpoint, and I haven't really seen many other games that actually ship with these debug symbols, like there's no reason that people should be able to do this with games. I don't know if this was just a mistake, or if this was a gift to people who were trying to reverse engineer this thing or not, but it's there, so we're happy.

Then there's also the other thing of importance: the verbose logging from the game itself. If you look down on the bottom there, we can see that the game actually logs what functions are doing, for some important functions, so we can see over here there's this internal game state that's changing from zero to one and from one to zero as I'm going into

the game, so we can see what function is actually causing those state changes. This sort of logging is really helpful when you're trying to debug issues, which we'll see a lot of later too. Because starting out I really didn't know much about reverse engineering, or where we could take this project from the dead, I had to figure things out. So first off, when running the binary, it would only run when launched from the publisher's proprietary launcher application. Basically this thing would load up, show a bunch of the different games the publisher has, and you click one and hit play, and the actual game binary for that specific game, so for Dungeon Runners, would open up from that. The actual game launcher itself didn't run, because it was trying to connect to these HTTP endpoints from ten years ago, from 2007, that have since been taken down, so of course the game didn't run from this launcher. In order to get around this and run the binary directly, I took a look at the command-line options. On the bottom here I found this string, something like "run from watcher", which is basically just passed from the actual game launcher to the game and tells it that it was actually run from the NCsoft game launcher. So if you just supply this, it boots right up, and that got the game running.

The other problem was that the game was trying to connect to the auth host for Dungeon Runners, which was pretty much taken down after the game went down, so again it was trying to connect to stuff that just doesn't exist. To get around that, there's this .cfg file for Dungeon Runners, which was in the config files within the game assets, and you can basically just change that over to use a server on the LAN, or wherever the place is where you want to host a private server. That's cool, because you don't actually have to patch the binary; you can just change the config file to connect to whatever you specify. Very cool.

So at this point we know how to open our game and get it connected to our server, but now we have to actually understand the protocol it's using, which was the really hard stuff that I was talking about in the beginning. I'm sitting here like, "okay, are we ready to take this on, this protocol that nobody knows anything about, where we can't really take a look at any packet captures?" So I was digging through the binary in IDA and I was sort of looking through

the functions, and I kept seeing this recurring trend of functions starting with "Lin", "L2" and so on, and these functions are located right next to the actual authentication functions in the binary. So I'm sitting here looking at these thinking, there's got to be some importance to this, these might be connected somehow. A bit of googling, and it turns out these were from another game called Lineage 2; I don't know if anybody's heard of that before, but this is another, more popular MMO that's made by NCsoft. It was released in 2003 and it's actually still being developed, so the game has had several different releases over the years, and each of these has a somewhat different protocol for each version. The good thing is that these have all been reverse engineered and publicly documented, so the protocols for each of these different versions are all known. I'm sitting here looking at this thinking, okay, we've got two different games, both by the same publisher, and I'm seeing these references to Lineage 2 within Dungeon Runners; maybe Dungeon Runners could have borrowed the authentication server from Lineage 2. So the thought process here was: grab an early Lineage 2 private server from that era, stand it up locally and see if that actually works, and then we'll try to reverse it from there.

So I set off on Google again, trying to dig through all these old files from back then, trying to find a Lineage 2 server from around that same time, which was a total pain, because all those things were dead as of ten years ago, and it's a lot of throwing stuff into archive.org and trying to pull all these old files from history. It was a total pain, so archive.org is your friend if you're trying to reverse engineer something from ten years ago; it's really, really helpful. I ended up finding this Lineage 2 auth server written in Java from like 2004. So I dusted off this ancient JDK and set it up on my local machine, feeling pretty good. Usually what we were used to seeing was this "connecting to the world" thing, where it sort of hangs while it's trying to connect; normally it would just conk out at this point because it doesn't have an actual auth server to connect to, but when we actually stood up the Lineage 2 server, it got a little bit further. We get this "connecting to the world" screen with a blank list of worlds to connect to.

After getting here I just freaked out; I think I almost flipped my chair and ran around the house. It had taken a few weeks to actually get to see this work, so it was really, really cool. This is a really good sign, so we're actually starting to make some progress here. It turns out that Dungeon Runners did actually use the Lineage 2 authentication protocol, and a bunch of other NCsoft games actually did the same thing too, so lots of other games just pulled this Lineage 2 server and used it as well, which is really interesting. So anyway, Dungeon Runners and the Lineage 2

server did share the same protocol, which was cool. The problem was that the Lineage 2 server was, honestly, made for Lineage 2, so it wasn't directly 100% compatible right out of the box with Dungeon Runners. Like we saw before, some things just didn't work because it's doing things a little bit differently, even though it still uses the same protocol. So the list of worlds was just one of the things that didn't work right out of the box. Instead of trying to troll through this 14-year-old codebase and change all this Lineage 2 Java code, understanding the whole thing, how about I just write my own auth server and implement these protocols in a way that I can understand better, rather than trying to understand this whole codebase? The good news was, like I said before, all these protocols have been reverse engineered and publicly documented before. The bad news was that the only documentation was entirely in Russian. This is a little excerpt; this is all from 2007, and I threw it into Google Translate and just tried to do the best that I could with it. If anybody knows Russian, please send me an email. But yeah, with a bunch of Google Translate, I was able to take these protocols and make my own Python version of the server.

Basically a client would log in, the server would send the client a list of the game worlds that are in service, and then the client would pick one and connect to it. The problem here was that the actual authentication packets from the client did not exactly follow the Lineage 2 protocol spec, so when the client sent its credentials, you basically couldn't decrypt those and look at the plaintext version of the credentials based on the information provided in the spec. And when you're trying to actually authenticate your players, you're going to need that information: is this player actually who he says he is? So the problem here is that the username and password fields within the protocol were just encrypted, unintelligible blocks of data. Obviously the next step was figuring out how the Dungeon Runners encryption deviates from the Lineage 2 spec. Again, back to IDA, searching through the binary, poking around for functions related to this. This is where those debug symbols showed up again, because without those I'd basically have no idea which function was sending the login. So looking at these functions, I found the login function, which again looks like it'll be pretty helpful

for us, given our predicament here. Within that function there's a call to a DES encrypt block function within the L2 DES encrypt class. A few things jump out here: first of all, DES, and if we're calling DES encrypt block, maybe something within our login function is encrypted with DES, probably the username and password. So I kept following that down a little bit more, and I was looking at the functions of the L2 DES encrypt class, and I found this DES key init function. Since this is a symmetric-key algorithm, the same key that's in the client is going to be on the server as well, so if we can pull the encryption key from the client, we can pretty much reuse that in the server and be able to decrypt our credentials. So I'm going into this DES key init function, and I found this loop that kept referring to this byte array right here; it was basically just pulling a byte out of the array, and I think it was trying to find a null byte or something: it would pull a byte, check it, move on and pull the next byte. So it kept referencing this byte array at this address here, and I keep thinking, okay, this has got to be our key; if this isn't the key, what are they doing with these bytes? It's trying to fill the string, this is probably the encryption key. So I go to this byte array and I find the word "test" followed by null bytes, and it turns out that this was indeed our encryption key.

This was a little scary, but you've got to roll with the punches here; back in the day, security for these games probably wasn't the utmost priority. So I throw this in and it starts working, which is really cool. Recapping what we found out so far: the algorithm is DES, and our symmetric key is "test" with four null bytes. Does anyone want to take a stab at the mode of operation, given our track record so far? Close, yeah, yes, ECB. If anybody's not familiar, ECB is pretty much the bad one. If we take a look at this picture, this is the Tux penguin, and on the far right we encrypt using a

mode of operation, pretty much anything other than ECB. But if you look at the middle one, this is the image of the penguin on the left encrypted with the ECB mode of operation. The problem here is that we can still see that this is the Tux penguin: you can basically pull out different patterns within the encrypted data, so you get a pretty good idea that the image being encrypted is the Tux penguin. So again, it's not the best from a security standpoint, but again, roll with the punches here, we're just trying to get our game working.

The block size for DES is 8 bytes, or 64 bits. Given our Lineage 2 protocol spec, this raises another interesting problem. If we take a look at our actual login packet specification within the protocol, the max length of the username is 14 characters and the max length of the password is 16 characters, so the total size of both of these is 30 characters, and since the game is using ASCII encoding, that's 30 bytes. Our block size is 8 bytes, so that means we can encrypt data that's in chunks of 8 bytes: 8 bytes, 16 bytes, 24 bytes, 32 bytes. If the data is divisible by 8, we can encrypt it using this block cipher. The problem comes when our data is not perfectly divisible by 8, which creates this interesting scenario: what are we going to do when it's not a perfect multiple of 8? You might think at this point you would just round up, maybe add some extra bytes to the end to actually get to that block of eight so we can encrypt the whole thing, but it turns out that this was also not the case.

So if we have our 14-character username here and a 16-character password, for a total of 30 characters, this would be encrypted by the game, and I took this snippet to show what's being sent over the wire. If you look at the first 14 characters here, the username, there's basically a bunch of random stuff, some non-printable characters and a copyright symbol and stuff that looks nothing like our username. Then we take a look at the password: we're going pretty strong, we've got a bunch of non-printable characters, pilcrow symbols and so on, we're going pretty strong up until byte number 24, and after that you see "pas SW", which looks a little familiar because that's the second half of our password. So the issue here was that the game would just let the extra bytes from the password hang out in the open like that. It took a while to figure out what was going on here, and when we first looked at it we were like, my god, there's no way that this could actually be the case, but it turns out, here we go, yeah, the password just hangs out past that 24-byte range, which is again kind of interesting, but whatever. So I added this onto our server, and at this point the authentication server was largely a solved problem. Again, the player would log in, the auth server would send the list of game

worlds and the player basically connected one and then after the player chose that one wants to connect it was basically disconnecting the officer and then connect to the game server so this year here is a name server uses a whole different network all set but doesn't mimic LC like this is a whole new basically custom proprietary protocol that uses for the national game server so you guys were kind of back in that beginning stage like I had thing where everything gets started on this like this is a whole weekend pretty much 10 sheets and we need to now that we kind of have to just reverse engineer this all for a common to maintenance a whole new separate

things we've already learned so far so starting out I pretty much to try the basic approach of like just trying to copy the protocol of the niche to which again because of there's two separate protocols they really get us too far but the cool thing was the actual game logs that were very verbose and told us a lot of information actually printed out what was going wrong as we were trying to use this Frank torticollis so it's an example here we can see that our basically trying to log in and the game basically this cuts our connection because packet size is three to seven oh five six exceeds the max size of whatever in the game close to the

connection. This is all straight from the game logs. So the important thing is we can basically use this to figure out what is going wrong in our server as we're trying to implement it, and then sort of fix these problems that we're having and work out the correct structure of the packets, and try to figure out the communication protocol of this unknown game server. So for example, for this specific issue you see this number 3277056, and if you change that to hex then we get 0x320100. We can basically look within the data that we're sending from the server side and try

to identify that 3-byte chunk, and then see like, okay, what if I modulate this value, or change this to something under the max size, or just put some data in front of that and put some data after that; basically just sort of modulate things a little bit and then go back and run it again: okay, does the game work, what information are you getting in the logs? You can start doing this guess-and-check back and forth. So this isn't the most efficient process of trying to reverse engineer this game, but it's a way to make progress, and when you don't really have anything else, this is

really pretty much your only option, right? So you kind of get into this guess-and-check mentality and you can basically work out the protocol from that point. But the bad news is it's not always that easy; you won't always have that information in the logs to go on. Sometimes the game will just not log anything and will just sort of hang, which you'll actually see in the demo, but it pretty much doesn't log anything; it's like, okay, I don't have any error, I'm just gonna stop, we're just gonna wait for you to send the right thing, or something like that, and you're not actually

sending the right thing, so you sit there for hours. So I'll be honest, at that point you just take your debugger and just dive in and see what's actually going wrong. So when you're dealing with a large game binary like this (the one I'm dealing with, for example, is I think six megabytes for the binary, whereas I've heard of some other ones being like a hundred kilobytes, maybe a few kilobytes, for the client side of the application), this is huge; this binary has like 34,000 functions. So the sort of problem you have is, where do I even begin? There's all this attack surface of the binary you're looking at, so what kind of options

do you have? So I began by finding the functions that are related to the issue that I'm having. So if I'm having an issue logging in, I look for the strings like "login" and functions with "login" in the function name, something like that, just trying to pick out, okay, this one looks promising, and this one, and this one, and just sort of generate that list of, okay, these are functions that are probably related to the issue I'm having. So from there you can sort of sift through them and go through static analysis, and see what each of these functions actually does, because some are just a wrapper around a basic Windows

API call, or it's a really complex function with a bunch of switch statements, so you learn what the actual code for these functions is. And from there you can sort of ask these questions like, okay, is there a possible length check or a condition in this function that is failing or not being met, is there a switch statement on one of the values we're sending, or something like that, and you can sort of find, okay, the game is looking for an expected value here, and what I'm sending is zero when it wants one, or something like that. And you do all this through a combination of static and dynamic analysis. So at this point, once you've

actually identified potential problem points, basically just set breakpoints on the actual problem points and then just run your game and see, okay, what are the actual values that I'm sending from the server, and how do these compare to the expected values that the client's looking for? And you can sort of again go back and forth: okay, if I go back to my server and modulate this value, what's actually going to come out of that on the client, is it going to pass this check now? So I'm going to sort of again go back and forth, trying to figure out, okay, where do I need to change it, what's causing it to not work

and stuff like that. So again, a very, very time-consuming process. This going back and forth is extremely inefficient, but it's pretty much all you have at this point. So if you wondered why some of these projects take three, four or five years to even get off the ground, to where you can basically functionally log in and move around with your character and stuff like that, it's just because this process takes a very long time to sort of figure out these issues. And then if the high-level developer of the game was really disorganized, or the server was a joke from the get-go, this is a total pain in the ass to

reverse engineer, and it makes your job that much harder. So you're going to be very, very familiar with these steps if there's sort of spaghetti code and things like that on the table. So eventually, after doing this for a while, I was basically able to identify four different packet structures that the game used to communicate. These are generally the same, with small tweaks or changes in between each. So an example of this is, we have one byte to basically identify the packet type, three bytes of unknown (I don't know what it's doing; whatever I put there, it seems to work, so I'm just going to leave it; again, that's really kind of standard for these

kind of projects: if you don't know what it's doing and it works anyway, sometimes you just gotta roll with it), four bytes for the compressed size of our packet data, four bytes for the uncompressed size, and then the actual compressed packet data below that, and it uses zlib with default compression, I believe. So again, there are sort of small subtle changes in between each of these; the authentication server used one variant, like we saw before, and the game server uses a different variant. But the interesting thing about this was the actual packet type was basically like you could send whatever you want, but that packet type was tied to a

specific packet structure. What I mean by that is, say you're trying to use packet type 0x2 to send your data, but that can only be used with packet structure number 4, for example; so it's tied to that specific packet structure. It was kind of interesting, kind of worth knowing I guess. But the actual meat of the protocol is in what's known as channel types; that's what the game itself calls them. So basically the actual packet data, or the payload at the end of that, will start out with a one-byte channel type, which basically specifies, as best as I can tell, where you

want to send that actual packet within those multiple components of your game server. So again, there's multiple servers, such as your authentication server, your game server, zone servers and stuff like that. There's pretty much just this one, almost a load balancer you could think of it as, at the perimeter of the game server network, that basically takes in your packets, and what I think it does is look at that channel type and decide where to route it internally based on what channel you're trying to send this data to. So again, from sifting through the binary, I found a bunch of different channels that can be used for

this. So the important ones to note here are character manager client, which basically handles your character selection on your client; entity manager, which manages the entities while you're playing a game, so like other players and monsters and so on; and then zone client, which is basically for entering and leaving different zones in the game (you can sort of think of those as maps). So after that, you can basically send the actual data that you want to communicate to that specific channel. These usually start out with a one-byte identifier for what type of packet or what type of data you'll be sending. So for example, if we go into

character manager client from before, there's all sorts of different types of packets that you can send. You can send 0x0 for connected, basically saying hey, the client's here; there's a disconnected on the other side of that; there's character created, which is basically like you're creating the character in your game binary and you try and send it over to the server for storage; and there's get characters, basically the other side of that, so you get a list of characters back to the client; and there's another one for entering the actual character creation screen. So these are followed by the actual data that you need for that

specific packet. So for example, for a character created packet you'd send 0x2 for, like, I created a character, but then you would also send your actual character in serialized form, because you need the server to store that; otherwise your character isn't actually there on the server and just gets deleted. So as we're doing this enough and piecing enough of these different channel types together, we can basically simulate some super basic game functionality. So in terms of character serialization and sending characters over the wire, that alone took about three weeks to do, and was just a lot of reverse engineering frustration. Creating a character, so you
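The framing described above (one byte of packet type, three unknown bytes, four bytes of compressed size, four bytes of uncompressed size, then a zlib-compressed payload whose first byte is the channel type and whose next byte is the message id), together with the earlier log trick of turning the logged decimal size into hex and searching the server's outgoing bytes for it, as an added example that is not part of the talk or of the speaker's server code. The byte order, the numeric channel ids, the maximum packet size the client enforces and the sample character data are all assumptions made for this demonstration; the talk does not give them.

```python
import struct
import zlib

# Header layout as described in the talk: 1-byte packet type, 3 unknown bytes,
# 4-byte compressed size, 4-byte uncompressed size. The talk does not state
# the byte order; little-endian is an ASSUMPTION here.
HEADER = struct.Struct("<B3sII")

# The talk names these channels but not their numeric ids; these values are
# placeholders for the example, not the game's real ones.
CHANNEL_CHARACTER_MANAGER_CLIENT = 0x01
CHANNEL_ENTITY_MANAGER = 0x02
CHANNEL_ZONE_CLIENT = 0x03

# Message ids inside the character manager channel, as given in the talk.
MSG_CONNECTED = 0x00
MSG_CHARACTER_CREATED = 0x02

# The client rejects frames whose declared size exceeds some maximum; the talk
# does not give the number, so this bound is a placeholder.
MAX_PACKET_SIZE = 64 * 1024


def build_packet(packet_type, channel, msg_id, data, unknown=b"\x00\x00\x00"):
    """Frame channel + message id + data into one compressed packet."""
    payload = bytes([channel, msg_id]) + data
    compressed = zlib.compress(payload)  # zlib at the default level, per the talk
    return HEADER.pack(packet_type, unknown, len(compressed), len(payload)) + compressed


def parse_packet(raw):
    """Parse a framed packet, validating the declared sizes before trusting them.

    Checking the sizes first is what produced the 'packet size ... exceeds the
    max size' log line in the talk: the client refused the frame and dropped
    the connection instead of decompressing it.
    """
    if len(raw) < HEADER.size:
        raise ValueError("short header")
    packet_type, unknown, comp_size, uncomp_size = HEADER.unpack_from(raw)
    if comp_size > MAX_PACKET_SIZE or uncomp_size > MAX_PACKET_SIZE:
        raise ValueError(f"packet size {comp_size} exceeds the max size {MAX_PACKET_SIZE}")
    body = raw[HEADER.size:HEADER.size + comp_size]
    if len(body) != comp_size:
        raise ValueError("truncated body")
    payload = zlib.decompress(body)
    if len(payload) != uncomp_size or len(payload) < 2:
        raise ValueError("uncompressed size mismatch")
    return {
        "type": packet_type,
        "unknown": unknown,
        "channel": payload[0],
        "msg_id": payload[1],
        "data": payload[2:],
    }


def logged_size_patterns(decimal_size):
    """Convert a decimal size from the client log into the byte patterns to search for."""
    hex_digits = format(decimal_size, "x")
    if len(hex_digits) % 2:
        hex_digits = "0" + hex_digits
    big_endian = bytes.fromhex(hex_digits)
    return {"hex": hex_digits, "big_endian": big_endian, "little_endian": big_endian[::-1]}


def find_logged_size(sent_bytes, decimal_size):
    """Offsets in the server's outgoing bytes where the logged size appears, in either byte order."""
    patterns = logged_size_patterns(decimal_size)
    hits = {}
    for order in ("big_endian", "little_endian"):
        pat = patterns[order]
        found = []
        i = sent_bytes.find(pat)
        while i != -1:
            found.append(i)
            i = sent_bytes.find(pat, i + 1)
        hits[order] = found
    return hits


def demo():
    # Constructed sample: a 'character created' message carrying a made-up
    # serialized character (the real serialization format is not in the talk).
    good = build_packet(0x02, CHANNEL_CHARACTER_MANAGER_CLIENT, MSG_CHARACTER_CREATED, b"name=Hero;class=1")
    parsed = parse_packet(good)

    # Constructed bad frame: a header whose declared compressed size is the value
    # the talk saw in the log, 3277056 (0x320100), followed by a couple of junk bytes.
    bad = HEADER.pack(0x02, b"\x00\x00\x00", 3277056, 16) + b"\x78\x9c"
    try:
        parse_packet(bad)
        rejected = None
    except ValueError as exc:
        rejected = str(exc)
    return parsed, rejected, find_logged_size(bad, 3277056)


if __name__ == "__main__":
    parsed, rejected, hits = demo()
    print(parsed)
    print(rejected)
    print(hits)
```

Run stand-alone, the bad frame is refused with the same kind of message the talk quotes, and `find_logged_size` points at offset 4 in the little-endian search, which is exactly the compressed-size field; that is the "find the 3-byte chunk in what you sent" step done mechanically instead of by eye.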

create a character on the client and send it over to the server, and the server stores it and then actually sends the character list back to the client. So obviously this isn't enough to make a full game out of it; there's still a lot of work to be done, so actually going into a zone, creating the entities, so like other players and monsters and stuff, to be an actual game, because you can't have a game with just your one player running around. And then think of the problem of synchronizing the multiple clients within the actual game environment. So if you're just playing by yourself

it's like, really, it's fun, but the whole point of MMOs is to have multiple different clients, so you have to handle that communication between the clients and the server and make sure that everything's in sync, which again is a whole other problem because of how complex these games are engineered. And then also properly architecting the server that we talked about before, so we'd have to actually implement this sort of protocol and this communication structure in every single server on the back end in order to be scalable and resilient, basically not having players lagging all the time and stuff like that. So I'm gonna show the progress that I've made so far at

this point. So again, there's not a whole lot of stuff to show, but there's a very basic sort of proof of concept here. So if you open up our Dungeon Runners config file, we can see that it basically directs our authentication server to the local IP address that's on a VM in VMware, so instead of going out to the old authentication server, we'll go to this one. And then over here we have the server that we can start, which is mostly a Python script. So there's a login server for handling the authentication, and then there's a gateway server, basically the game server at this point. So both of these are listening on set ports on the same

box. So if you go over here and launch the game client, it is going to send us here.

So at this point we'll get put in the world with this character, and we basically try to enter the world. So I select a world, and this is where things sort of stop. So at this point, this is basically what I was talking about before, where things will just sort of hang there and you don't really know what's going on, because it's not going to give you any error messages, it's not gonna give you anything in the logs or anything like that. And I've basically been stuck here for a few weeks now, so I basically try and send all this information over here to try and prompt

it, like, okay, could you actually load into that world that I was telling you about before? And it'll just sit there and do nothing. So again, this is one of the problems of the whole reverse engineering thing. So yeah, at that point that's pretty much the extent of the server that we've created so far; again, it's very much a work in progress. So now that we've shown the minimal fruits of my labor here, we can talk about how we could get sued for it. So in terms of gaming companies, they usually don't like these kind of projects, so when it comes down to actual game server emulators,

that's a huge intellectual property issue. For anybody that's in the legal space, that instantly raises red flags; these companies will literally fight tooth and nail for intellectual property, which sucks if you're like a college student doing this for a ten-year-old game. So sometimes these companies might be more relaxed about this; some are really cool and encourage people to make mods, to make extensions and open source stuff for the games, but some are very, very closed and litigious. It's really a toss-up on the type of game company that you're dealing with. So some famous examples of when things went wrong: in 2016 there's a WoW private server called Nostalrius, I think I'm saying

that right, but that's basically a huge World of Warcraft private server that had over 150,000 active users and I think 800,000 registered users; they were shut down by Blizzard. In 2012 there's a MapleStory private server that got hit with a 2.6 million dollar lawsuit. In 2009 there was a private server that paid 88 million dollars to Blizzard. And then in 2008 there was a gentleman who made a World of Warcraft bot, not even making a server emulator, just basically like what Nick was talking about initially, a bot that can play the game for you; he didn't sort of go deep with hacking tools, and he paid, like, 6-2 million to Blizzard. And the thing that sucks is all these dollar amounts is money that

I do not have, so if I got sued, that pretty much would not end well for me. And as you saw, NCsoft in particular doesn't have too friendly a history. So we started off in 2006 with a nice FBI investigation and raid, and then cease and desists after that for a bunch of different games. Basically the takeaway point is that they really don't like this kind of stuff, and this is a mix of games that are still active and some that are shut down, so it's sort of both sides of the story; they really just don't like people getting in their way. There's been some recent DMCA exemptions, so in 2014

there was actually a DMCA exemption granted in terms of video game archiving, and with that, basically they decided they wanted to reduce that sort of legal gray area or uncertainty that comes around reverse engineering games for preservation purposes, which is the real key word here. So this isn't for creating emulators of things already existing, or trying to steal business or stuff like that; this is basically just a way for people like me who just want to play the games they can't play anymore because the servers have been shut down. So I started thinking, but the kicker here was this was pretty much not intended to apply to games with persistent worlds, they call

it, which is basically the definition of an MMORPG, meaning like you log in and you do stuff in the game and you log out, and all that stuff that you did is saved on the server side, as well as everything else that the other players did to impact the world. So this whole persistent worlds thing is pretty much specifically not intended for that type of thing. So this is sort of under debate, but people are like, this exemption is not intended to cover MMO server emulators. So again, that kind of sucks, because if you do end up in court you can't really use this to

defend yourself. Specifically, in terms of my game, I've actually attempted to reach out to NCsoft multiple times and said, hey, can I buy this intellectual property, because it's pretty much just sitting there. I mean, I don't know if they still have it anymore, like the server binaries and stuff like that, but it's pretty much been sitting there locked away for almost 10 years now, not really doing much. So there's a community of like 250 players that, if this game server were revived, in my opinion would be able to play, and pretty much every attempt that I've made to reach out to the game publishers just kind of

went unanswered. So again, that kind of sucks, because we're sort of stuck with reverse engineering, which is pretty much the plan for the foreseeable future, just to keep going down this path and trying to make more progress. Actually, one of the main things I'm trying to do is avoid actual piracy of the game assets. So pretty much everything I've created is just sort of mimicking the game protocol; I'm not actually taking copyrighted code that was NCsoft's, nor are we distributing the game client. Pretty much, I don't want to find myself with a piracy lawsuit on top of everything else. So I'm pretty much staying away from taking

NCsoft's own property and just making it open source or whatever. And then the other thing is my aim is meant to be, like, I'm literally doing this just to be able to play the game again. So there's a lot of servers that have sort of gotten into these huge high-profile lawsuits because they've been taking subscribers away from the publisher; they're creating emulators for games that are already running and already have a subscriber base, so when these games are still functional and these basically take players away from that, that's when the publishers come down with the hammer. So again, I'm trying to avoid that entirely. I don't actually know; you kind of just hope for

the best at this point. Like we've seen before, a lot of times they'll throw a cease and desist, and that even, a lot of times, stops the progress of a project. So yeah, I'm kind of hoping that doesn't happen; you know, if you see my name in the New York Times for getting sued for like a million dollars, then you know, you heard it here first. I'm trying to avoid it. So, any questions?

[audience question]

It's sort of a mix of both. Like, the last time I played this was a few years before it sort of went down; I lost interest over the

years, or whatever, and I sort of looked at the stuff again around 2013 and 2014. I was just curious, so I threw it into Google, like, oh, the game was shut down, and I was like, this game was actually pretty fun to play, let me look into it a little more. There was actually someone that started this project before me, and they were like, what if we just created a server? I mean, that's really all there was to it. It turns out that the person that actually started this whole effort pretty much started it and just ended up dropping it, because, as you've seen before, it took way too much time and they just didn't have it

to actually continue work on it. So I was like, you know, I'm in this whole computer security thing, maybe I should try to figure out how this works and see if I can try my hand at this. So from there I pretty much just learned; I think I still have a bookmark in my browser for "what is x86 assembly" or something like that, so pretty much starting from that basic level and then just trying to work my way up. So it's been sort of an ongoing project, and like I said, it's been going on for two years now. So I've come out having learned since then things that

have gotten, you know, a lot higher, obviously. I'm still trying to; I learned a lot from doing this, from a reverse engineering perspective, and also just, hopefully, to be able to play the game. Yeah, actually, I've made the most progress on this that I ever have, in terms of actually reverse engineering the auth server and the game server, in the past nine months I think, or maybe like six months, but either way it's been a lot more recently than previously. So that two-year date mark is basically when I first looked at it and was just like, I wonder what reverse engineering is. So that's kind of been

more recent, the latter part. But yes, it's been a total of two years.

[audience question]

There's been a few people that have contributed a little bit. Like, there's someone else that started and actually made some considerable progress, but then again they kind of dropped it, just due to the time thing, and there's people that have sort of helped out on and off over the years, but it's mostly been my own efforts at this point. There's been a lot of people from the game community that reach out and say, hey, you know, can I help you along? It sort of comes down to, like, okay, yeah, I'd love your help, but do you know anything about reverse engineering? And they're like, no, what's that? So I'm sort of waiting for

the point where maybe there's some data entry kind of work, or something where I can get more people really involved, but at this point it's really just a concentrated reverse engineering problem, a really technical problem, so it's kind of hard to get help like that. But there have been a lot of motivated people that have been interested in helping, which is nice. Yes?

[audience question]

Yes, I did think of that, because these are all individual files that you can sort of take and throw into one huge file that's like 600 megabytes or something. So I started to pore through it a little bit to try to see what's going on. I really think it's more like a server issue, that I'm not sending a packet telling it which map file to load, rather than the

Yeah, and then it gets hard because it just sits there and does nothing. That's sort of where you hit that wall, and you're like, you know, I'd have to be a genius or something to get past this. Oh yeah, yeah, I try to isolate some... I go through that same process, try to isolate some function that I think might be the problem. I really haven't been able to find anything specifically. Without going into too much detail, I've selected a few functions that are actually related to the actual load world class, along with other functions, and none of those have really proven to be too fruitful. So it's sort of just been, you know, kind of stuck

for the past few months, just trying to make progress on that. So I guess my next sort of thing that I've been thinking about for how to make progress with this is to take another game that's totally separate from this, where the protocols might not translate 1:1, and sort of see what they do to load a world, and try to take some high-level examples from that, like, okay, I'm going to try and find a packet like this within my binary or something. Cool, yeah.

[audience question]

So it's kind of an interesting thing; for whatever sort of research like this, there's really no, like, this is fine, this is not fine. With all this legal stuff there's really no definitive yes you can do this, no you can't, until it's actually settled in court. So there's been a few different approaches to it. There's this one guy by the name of Frank Springer that's actually done something similar for another game, where he pretty much recreated the whole game, but in order to keep from getting sued he just kept it locally and never released it at all. So it's really cool that he got it working, but it kind of sucks because

it's like, wow, the whole point of an MMO is to be able to play with other people, so if you just sit there playing by yourself on your own server... So there's a lot of different approaches that people have taken; there's not really one right way. I see people coming in for the closing remarks, so I'm gonna unplug for now, but if anybody has any questions feel free to come talk to me afterwards about any questions you guys might have. Much appreciated.
