How to find exploits in video games
(shalzuth.com)
186 points by shalzuth 6 days ago | 36 comments
Joel_Mckay 3 days ago | root | parent | next |
"build tools that enable me to do security testing on them"
I gather you write cheat exploits... and if public... eventually the player's account/GPU/IMEI risks getting permanently banned/flagged.
It is always easier to break something than to build something stable. People may focus resources on better content, game-play, and performance. Or play whack-a-mole with hostile Desktop/Mobile users...
Thus, some folks won't ever patch exploits... just shadow-ban the users running them...
Have a nice day =3
njbooher 2 days ago | root | parent | next |
As someone who does security testing for video game service backends, I benefit significantly from all the reverse engineering and tools the hobbyists and cheaters build, and always enjoy reading more stuff.
johnisgood 2 days ago | root | parent | prev |
Yeah and you end up with one of the worst client-server architectures that RDR2 has.
Joel_Mckay 2 days ago | root | parent |
"client-server architectures"
Actually, public-key-signed object-p2p exchange systems allow for all sorts of fun. Even if people fiddle with the state exchange, the time+last_event indices can flag lag switchers, and signature audits detect memory patchers...
My point was, one doesn't need to lock the door if you own an alligator farm. =3
shipscode 3 days ago | root | parent | prev | next |
Thanks for the write-up! This is really interesting and a great piece of knowledge to have out there. Funnily, it is similar to mobile app reverse engineering workflows.
Levitating 3 days ago | root | parent | prev | next |
I love the briefness of your post. Your code and method are clearly conveyed.
caporaltito 3 days ago | root | parent | prev |
Very interesting
malkia 3 days ago | prev | next |
I had a wonderful MS-DOS resident app (TSR) on my PC that, when pressing a key, would do a snapshot of the whole memory (or a specific area) to disk, to a file. So if you play a game, and lose a life, or HP points, you keep on pressing this, and then there were tools to do the diff.
There was one game that was storing the lives as actual text - Ninja or something....
So last year my son was hacking some games, and nowadays there is a similar tool too - also based on diffs - though with me back then it was only 640KB, and nowadays we are looking towards 8-16GB if not more!
Somehow this technique still works for some games, but with way more gotchas...
memesarecool 3 days ago | root | parent | next |
CheatEngine (80mb) is very widely used nowadays and does memory dumps and comparisons. A very useful tool not only for game reverse engineering.
maeil 2 days ago | root | parent |
That's a broad use of "nowadays", haha. Following step-by-step Cheat Engine tutorials to use game hacks (MapleStory and Gunbound) was my first brush with coding/system internals when I was a child. This must have been around 2006 and it was already the most popular tool back then, though I remember there were loads of forks to bypass what must have been primitive anticheat systems that scanned for whether Cheat Engine was running.
pajko 3 days ago | root | parent | prev |
Used to do this in my childhood with save files. Save the game in Alone in the Dark, shoot the shotgun, save, shoot again, save, then proceed to look for the differences.
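The snapshot-and-diff search described in the two comments above (memory dumps in malkia's, save files in pajko's) as an added Python example; it is not code from the thread, and the memory image, offsets and counter values are constructed for the demo:

```python
"""Snapshot-diff scan: dump memory, change the in-game value (lose a life, fire
a shot), dump again, and keep only the offsets consistent with every observation.
The 'memory' here is a constructed byte image, not a real game process."""
import random
import struct

WORD = "<I"      # assume 4-byte little-endian counters (a common default scan width)
WORD_SIZE = 4

def scan_exact(snapshot, value, candidates=None):
    """Keep offsets whose 4-byte word equals `value` (first scan, or 'next scan'
    when a candidate list from an earlier scan is given)."""
    offsets = range(len(snapshot) - WORD_SIZE + 1) if candidates is None else candidates
    return [o for o in offsets if struct.unpack_from(WORD, snapshot, o)[0] == value]

def scan_changed(before, after, candidates, changed=True):
    """Unknown-value variant (e.g. a health bar with no number): keep candidates
    whose word changed between the two snapshots, or stayed the same if changed=False."""
    return [o for o in candidates
            if (struct.unpack_from(WORD, before, o)[0]
                != struct.unpack_from(WORD, after, o)[0]) == changed]

def narrow(observations):
    """observations: [(snapshot_bytes, value_shown_on_screen), ...] in capture order."""
    cands = None
    for snap, val in observations:
        cands = scan_exact(snap, val, cands)
    return cands

def make_toy_memory(size=4096, lives_offset=1000, lives=3, seed=7):
    """Constructed image: random filler plus decoy words that also equal `lives`,
    so a single scan is ambiguous, as it usually is on real memory."""
    rng = random.Random(seed)
    mem = bytearray(rng.getrandbits(8) for _ in range(size))
    for off in (40, 2000, 3000, lives_offset):
        struct.pack_into(WORD, mem, off, lives)
    return mem

def demo():
    mem = make_toy_memory()
    snap1 = bytes(mem)                      # dump 1: screen shows 3 lives
    struct.pack_into(WORD, mem, 1000, 2)    # lose a life
    struct.pack_into(WORD, mem, 40, 99)     # a decoy (timer) also ticks meanwhile
    snap2 = bytes(mem)                      # dump 2: screen shows 2 lives
    first = scan_exact(snap1, 3)            # ambiguous: decoys hold 3 too
    changed = scan_changed(snap1, snap2, first)   # timer and counter both moved
    final = narrow([(snap1, 3), (snap2, 2)])      # only the real counter survives
    return first, changed, final

if __name__ == "__main__":
    first, changed, final = demo()
    print(len(first), "candidates after first scan; changed:", changed, "final:", final)
```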
samwhiteUK 3 days ago | root | parent |
I remember using CWCheat on PSP in the WWE games to create my own custom modes, adding ladders to Royal Rumble etc. Great fun.
nottorp 3 days ago | prev | next |
> The game monetizes through pay-to-win microtransactions
IAP fests are not games. Let's start using "gacha" or something for them.
krageon 2 days ago | root | parent |
Addiction-based exploitation. Perhaps the word "garbage" applies well to it. Or in a good reality, "criminal".
codiumm 3 days ago | prev | next |
> but since the game is built on Unity, it was relatively easy to bypass these restrictions and enable system proxies. There are many others that do il2cpp mod tutorials, and I recommend those, with the key part being hooking HttpClientHandler.SendAsync.
I could only find il2cpp tutorials that I could not get to work. What is the non-il2cpp way? This should be a separate post and a new submission to HN.
Which il2cpp tutorial works?
3abiton 3 days ago | prev | next |
It's really interesting to see people enjoying/more interested in breaking a game vs playing the game.
lunchmeat317 3 days ago | root | parent |
You should check out Tool-Assisted Speedruns on tasvideos.org, then. They use some of these techniques to do RNG manipulation, among other things, to improve game times.
dvh 3 days ago | prev | next |
From the end user perspective "let's game it out" is a must see YouTube channel.
joshua_delgad0 3 days ago | prev | next |
[flagged]
alphan0n 3 days ago | root | parent | next |
In most cases, in the US, reverse engineering is not illegal.
joshua_delgad0 3 days ago | root | parent |
[flagged]
shipscode 3 days ago | root | parent | next |
Terms of service breaches are not typically a criminal manner in the USA. Perhaps it could be a civil matter if you create financial damages. Even in that area, the cases are usually decided in the courts on a case-by-case basis.
Generally, code is free speech, and the right to free speech protects this in America.
alphan0n 3 days ago | root | parent | prev |
Are you under the belief that terms of service can dictate or supersede US law? Thankfully that is not the case.
brokenmachine 3 days ago | root | parent | prev | next |
My PC my choice.
Der_Einzige 3 days ago | root | parent |
Microsoft violated the NAP by forcing me to update and greying out the "remind me later" button.
johnisgood 2 days ago | root | parent |
You are free to not use their products, however.
123yawaworht456 3 days ago | root | parent | prev |
why are you larping a lawyer, bro
joshua_delgad0 3 days ago | root | parent |
[flagged]
sourcepluck 3 days ago | root | parent | next |
In the third sentence of the piece, it says:
> "This exploration is purely for educational purposes."
123yawaworht456 3 days ago | root | parent | prev |
for the hell of it?
and even if it was unethical, unethical !== illegal.
dmafreezone 3 days ago | prev |
[flagged]
Loocid 3 days ago | root | parent | next |
This is overly defensive. They never said that Unity was the only engine that exposes intermediate code, just that it was an attack vector because the game was built with Unity. It's a perfectly valid thing to point out. You didn't come to the defence of Lua just because they decompiled some Lua scripts.
mbowcut2 2 days ago | root | parent | prev |
Brand new account + strange overreaction = maybe bot?
dmafreezone 4 hours ago | root | parent |
I make a new account any time my karma gets too high. I’d rather not be a sheep, thank you.
shalzuth 6 days ago | next |
I wrote a short blog post about my thought process on how I reverse engineer video games and build tools that enable me to do security testing on them. It’s a bit brief on purpose, as reading the code is expected. Let me know your thoughts and what would make it better.