hack.lu: Hacking an MMORPG
Benelux Hackers united @ hack.lu
Next week (17/10), one of our cyber security analysts will give a workshop at the 13th edition of the IT security conference hack.lu (Luxembourg).
Hack.lu is an open convention/conference where people can discuss about computer security, privacy, information technology and its cultural/technical implication on society. Earlier this year, our analyst decided to reverse engineer Pwn Adventure 3, a purposely hackable MMORPG designed by Vector35 for the Ghost in the Shellcode 2015 CTF.
He ended up finishing the entire game and decided to build a course out of it to teach the basics of reverse engineering libraries and binary network protocols with fun hands-on labs.
What awaits the humble visitors:
- First, you will have a closer look at the network communication between the client and the game server.
- You will be taught a methodology to isolate data and slowly dissect the custom binary protocol used.
- Once the protocol partly reversed, you will build a Wireshark parser (dissector) from scratch in order to start analysing the protocol itself and have a human-readable representation of the communication.
- For further tests, you will create an asynchronous proxy in Python for intercepting the network traffic in order to successfully modify and/or inject packets, which will allow you to spawn anywhere on the map or collect any object.
- In the next part of the workshop, you will reverse engineer the client/server logic in order to highlight “secrets” to finish a few quests and identify vulnerabilities in the game.
- You will also build your own tool with the Keystone and Capstone libraries to patch the binary and become a Superman (running faster, jumping higher).
- Finally, you will compile a new library that will contains some custom features (e.g. teleport anywhere), then hook the game logic in order to hack the game “on the fly”.
So, if you are at the hack.lu this year, do not miss the opportunity to know a bit more about reversing video games and meet our analyst!
More on the event at the hack.lu homepage.
Bild: ©iT-CUBE SYSTEMS AG 2017