Keripo's Corner Figures, Dollfies, Projects, Gaming, and TYPE-MOON
This post was originally written for Guild Wars 2 (specifically in explaining why ArenaNet hasn’t stopped fly hackers stealing orbs in WvW yet), but applies to pretty much any and every online game with damage/fly/wall/aim-bot hacks.
In this post, there are two sections: “How does game hacking work?” and “What kinds of hacks are there?” I’m reposting it here after hearing about the recent Final Fantasy XIV hack as it is a “how-in-the-world-was-this-even-allowed-to-happen” example of a network connection hack described in the last section, although technically no game client is even needed in FFXIV’s case and no decryption is necessary due to the use of unencrypted JSON (plain-text XML format).
Part 1 – How does game hacking work?
Here’s a bit of insight from a programmer who’s messed with these kinds of things in the past. Allow me to give you a fun analogy.
Suppose you are the judge of a 1km foot race (“event”) with hundreds of participants trying to win and reach the end goal (in GW2, lets say the “orb’s location”). The winner is the person who reaches the end first. Because you don’t have enough assistants (“server resources”) to help you keep track of everything happening in the race (“game play”), you (“server”) give each participant (“players”) a GPS device(“game client”) to just report to you where they are at any given point in time, then update the status of the race (“server state”) based on those reports. You find out some participants cheated by using skateboards (“3rd party tools”) to gain an advantage. You kick those people out of the race (“ban them”) and take away their skateboards (“remove links on forums”). You then find out that some participants cheated by modifying their GPS devices (“game clients”). In response, you also kick those people out of the race and give everyone new, improved GPS devices (“game updates”).
No matter how hard you try to eliminate these cheaters, you find yourself always behind on the chase. No matter what you do to try and prevent bad things from happening, you can never fix the problem. Why is this? Because you made a bad design choice when making the rules of this race. You didn’t have enough assistants to help monitor the race, so instead of hiring more assistants, you let each racer do the location reporting for themselves. But because the status updates are done by the racer and not you, its impossible to guarantee that the locations they are reporting is correct. Sure, you can say “1s doesn’t make sense, he’s cheating!” but what happens when there’s lots of things to keep track of, and more interesting stuff thrown in? Add more and more rules and hire more assistants to check those rules?
This is what is happening in this game (and pretty much any other online game with “speed hacks”, “wall hacks” and all that jazz). The game server doesn’t do all the calculations – there are some which are client-sided (e.g. calculated by your computer), then reported to them. When you run forward, you aren’t saying, “I am running forward. Server, what’s my new position? I am still running forward. Server what’s my new position now?”. Instead, it is, “I am running forward, my GPS says that my last position was (x,y). I am still running forward, my GPS says that my current new position is (x,y)”. So what’s stopping you from tinkering with your “GPS” or even intercepting those messages and changing them? Nothing. Because those calculations are done client-sided, not server-sided. Can it be all done server-sided? Yes. But it is expensive. Not hard, just very resource expensive. More calculations for the server, and more internet bandwidth needed. Which results in heavier load on the servers as well as more lag for you. Can this be solved by buying more servers with better internet providers? Yes. But it is expensive. Its cheaper to just have the players’ computers do that extra math.
In most cases for MMOs, this is fine (for example, the server doesn’t care how much details you can see on that tree – it just tells you that there’s a tree here and its up to your computer to decide how to render it). When it comes to combat, however, it is not fine. And that’s when people notice and complain, and that’s what ends up getting abused and hacked. I’ve poked around and looked at the source code of some of those hacking tools written specifically for GW2. They are extremely simple. At the core, just a few standard system calls and a few magic numbers, no more than 10 lines of code. Simple enough that a high school kid with a programming book and some free time could understand it, figure out where those magic numbers came from, then write their own versions. There are hundreds of public tutorials explaining how its done (not for GW2 specifically, but for “memory hacking” and calculating “offsets” in general); its not a trade secret and it’d be ignorant to think ANet developers aren’t aware of this.
So back to the original question. Why won’t they just “fix” it? Sure, servers cost a lot of money, but they’re ANet, they have money! Well the actual issue is not lack of hardware. In fact, the issue isn’t even software. The root of the issue is bad design from the very the beginning. And to “fix” bad design, you have to come up with a new, better design. Which would mean completely rewriting how both the servers work and how your game client works. That’s not easy, and time and manpower required to make those drastic changes will total up far more than the price of a few more server racks. You spent many years developing a game off one design, and now want to completely scrap many things and restart with a new design? Not gonna fly with management, that’s for sure.
tl;dr – don’t expect “hackers”* to magically disappear one day and GW2 become free of exploits such as fly-hacks and the like. The game engine changes needed to “fix” the issue are major enough that its far easier to just spend time banning individuals while focusing on other fixable bugs.
~Keripo
* Note: I put the word “hacker” in quotes because in actuality, its just a bunch of lazy kids abusing tools they downloaded off the internet and clicking the “Go” button without understanding how the real hacking magic works. Unfortunately, mass media has far changed the meaning of the original term.
Part 2 – What kinds of hacks are there?For GW2 (as well as all other games), there’s three possible points of attack: the client, the system memory, and the network connection.
The client is the actual game executable/data file. For some games, the binaries aren’t encrypted (or using some weak encryption that’s been reversed already) and so you can actually modify the program directly (through decompiling it to assembly language, then recompiling) to disable some features. The most common usage would be for cracking programs; find the part of the program that does the registration check, change the JMP op code to a NOP op code (e.g. change the “go to serial number checking code” command to a “do nothing” or “return true” command), and there you go. For MMOs, and example would be circumventing collision checking for wall hacks, or circumventing the multiple-instances check for multi-client hacks. For GW2, I believe the game data is encrypted (don’t know how heavily), but client modification is usually messy to deal with and has to be redone every time they update the code.
The system memory is what’s stored on your computer while calculations are done. For most online games (such as GW2), this is the point of attack. To calculate how many jumps you’ve taken so far, for example, those values have to be stored somewhere on your computer. If the game uses a safe design, that modifyable value is stored on the server, and your computer stores a read-only copy. In unsafe (I use the term “unsafe” instead of “bad” here) game designs such the one used in GW2, the modifyable value is stored in your computer’s memory, modified by your game client, then sent to the server. This is what I meant by “calculated by your computer”. The point of attack in this case is not your game, but your actual operating system. The GW2 game client knows whats a “correct” value vs an “incorrect” one, but to your OS, its just a value. You can write 3rd party tools that will modify those values stored in memory, and as long as your OS is told that you, the computer owner, has those permissions, it won’t complain. Examples of this would be damage hacks, fly hacking, and pretty much every kind of hack you hear about for online games. Many games employ a second program as a “Game Guard” to protect the game’s memory from modification and check for irregularities; however, those are programs as well that can be disabled or modified because ultimately, its running on a computer that is in your control, not theirs. In GW2’s case, they don’t even bother running a game guard of sort. All you have to do is write a little program that calls a few OS-level system memory manipulation functions (openly available) and do something like change your current HP value from 54321 to 99999 (guaranteed to work on any crappy free-to-play online game).
The network connection is the link between your computer and the game servers. For the game servers to know what you are telling your character to do on your computer, your computer must send status updates to the game server (located in the middle of nowhere). In a safe situation, these would only be stuff like “I pressed W to move forward, I pressed F1 to cast skill 1”, then the server would respond with “Your character is now at location (X,Y). Your character just cast Magic Missile at the Darkness and dealt 321 damage”, after which your computer will say “okay, thanks, lets draw my character at location (X,Y) and play the ‘Magic Missile’ animation”. Because your game client depends on a response from the server, there’s a delay between you pressing W and you seeing your character move forward. To remove this delay, what some games (such as GW2) do is reverse the roles of the game client and server. Now the game client is the boss and knows where its going, while the server is the information hub, receiving your updated coordinates and broadcasting it to other players (sometimes without sanity checks). Now you ask, why isn’t this the main point of attack? Well there’s two things. First, the data is probably in some encrypted or compressed format that you’d have to read first. If you want to send modified data, you’d have to figure out how to encrypt and compress your modified data into the format they’re expecting; otherwise, it’ll be received and treated as junk/corrupt data. Second, the packets themselves are probably encrypted (very securely most of the time using standard encryption libraries). It’s not easy (or fast) to decrypt network packages containing encrypted data. Most of the time where you hear about it in the news (e.g. “packet sniffing”), you’ll realize that its not computationally easy and may require time. After all, since you have direct access to the source of the packets (the game client), why bother going through all the effort of intercepting the encrypted packets when you can play around with the content before it even gets packaged and sent off?
tl;dr: For online games such as GW2, 90% of hacks are system memory mods, 9% are game client mods, and 1% are network packet interceptions. Numbers pulled out of my ass but that’s pretty much how it is.
~Keripo
