This workshop will cover the basics of reverse engineering an (M)MORPG, Pwn Adventure 3 from Vector35. While reversing a video game might not seem interesting to some security professionals, the techniques and methodology we will cover are the same ones we apply when penetration testing a client-server application. Below is a summary of the chapters:
Reverse Engineering the Network Protocol: We will go through the methodology used to reverse engineer an unknown binary protocol. Like most reverse engineering tasks, it rests on the analyst's ability to form accurate hypotheses. Once a hypothesis is formed, we need a way to isolate the data it concerns (for instance by changing a single value in the game while everything else stays constant) and compare the resulting network traffic to identify where that data sits in the packet. Once located, we need to work out how the data is represented (integer, string, little-endian, etc.).
Building a Wireshark Parser: Now that we have reversed most of the network protocol, we will build a Wireshark dissector plugin in Lua. In the end, we will have a complete parser with which to analyze the custom protocol.
Asynchronous Proxy in Python: We will build an asynchronous proxy in Python to intercept and inject network traffic. With it we will be able to obtain any weapon, manipulate the spawn location, and so on.
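A minimal version of such an intercepting proxy, added here as an example and not taken from the workshop: an asyncio TCP proxy that sits between the game client and the server, reassembles length-prefixed messages from the stream (TCP reads do not align with message boundaries) and runs each client-to-server message through a hook before forwarding it. The message layout (u16 length, u16 sequence, two-byte tag, payload) and the `mv` position message are assumptions made up for this example, not the real Pwn Adventure 3 protocol; `demo()` runs the proxy against a constructed echo server on localhost so the whole thing works offline.

```python
import asyncio
import struct

# Hypothetical framing (assumption, not the real Pwn Adventure 3 format):
#   u16 LE length | body = u16 LE sequence | 2-byte tag | payload
# Tag b"mv": payload is the player position as three float32 LE (x, y, z).


def frame(body: bytes) -> bytes:
    """Prefix a body with its little-endian u16 length."""
    return struct.pack("<H", len(body)) + body


def parse_messages(buf: bytearray):
    """Split complete messages off the front of buf; partial data stays in buf."""
    msgs = []
    while len(buf) >= 2:
        length = struct.unpack_from("<H", buf, 0)[0]
        if len(buf) < 2 + length:
            break
        msgs.append(bytes(buf[2:2 + length]))
        del buf[:2 + length]
    return msgs


def teleport(body: bytes, dest=(0.0, 0.0, 1000.0)) -> bytes:
    """Client->server hook: rewrite the position in every 'mv' message."""
    if len(body) == 2 + 2 + 12 and body[2:4] == b"mv":
        return body[:4] + struct.pack("<fff", *dest)
    return body


async def pipe(reader, writer, hook):
    """Forward one direction, re-framing every message after the hook saw it."""
    buf = bytearray()
    try:
        while data := await reader.read(4096):
            buf += data
            for body in parse_messages(buf):
                writer.write(frame(hook(body)))
            await writer.drain()
    finally:
        writer.close()


async def handle_client(client_reader, client_writer, upstream):
    """Open the upstream connection and run both directions concurrently."""
    server_reader, server_writer = await asyncio.open_connection(*upstream)
    await asyncio.gather(
        pipe(client_reader, server_writer, teleport),      # client -> server
        pipe(server_reader, client_writer, lambda b: b),   # server -> client, untouched
    )


async def run_proxy(listen, upstream):
    return await asyncio.start_server(
        lambda r, w: handle_client(r, w, upstream), *listen)


async def _echo(reader, writer):
    """Stand-in for the game server (constructed): echoes what it receives."""
    try:
        while data := await reader.read(4096):
            writer.write(data)
            await writer.drain()
    finally:
        writer.close()


async def _demo():
    echo = await asyncio.start_server(_echo, "127.0.0.1", 0)
    echo_addr = echo.sockets[0].getsockname()[:2]
    proxy = await run_proxy(("127.0.0.1", 0), echo_addr)
    proxy_addr = proxy.sockets[0].getsockname()[:2]

    reader, writer = await asyncio.open_connection(*proxy_addr)
    # Constructed client message: seq 7, tag 'mv', position (100, 50, -12.5).
    writer.write(frame(struct.pack("<H2sfff", 7, b"mv", 100.0, 50.0, -12.5)))
    await writer.drain()
    reply = await asyncio.wait_for(reader.readexactly(2 + 16), 5)
    writer.close()
    await writer.wait_closed()
    echo.close()
    proxy.close()
    body = parse_messages(bytearray(reply))[0]
    return struct.unpack_from("<fff", body, 4)   # position the "server" saw


def demo():
    """End-to-end run on localhost; returns the position after the hook."""
    return asyncio.run(_demo())


if __name__ == "__main__":
    print(demo())
```

Because the echo server returns what the proxy forwarded, the position that comes back is the one the hook injected, not the one the client sent. The same structure serves injection: write a freshly framed message to `server_writer` from anywhere in the event loop, and it interleaves cleanly with the forwarded traffic.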
Reverse Engineering the Binary: In the next part of the workshop, we will reverse engineer the client/server logic to uncover the "secrets" needed to finish quests and to identify vulnerabilities in the game.
Binary Patching: We will manually patch the binary to become Superman (run faster, jump higher). We will then write a patcher in Python with Capstone and Keystone.
Library Hooking: Finally, we will hook the game's library in order to hack the game "on the fly".
Prerequisites: the Pwn Adventure 3 client from Vector35
About Antonin Beaujeant @beaujeant
Antonin Beaujeant is a penetration tester at SecureLink (Germany). He first worked as a research engineer at the Catholic University of Louvain (UCL), Belgium, where he published the paper "A Survey of Security and Privacy Issues in ePassport Protocols" in an ACM journal. He then worked for four years as a penetration tester for the Adidas Group. He now works for SecureLink as a penetration tester and builds training for the "Information Security Hub" in Munich.