views: 1505

answers: 5

I plan on writing an automated bot for a game.

The tricky part is figuring out how they encoded their protocol... To make the bot run around is easy, simply make the character run and record what it does in Wireshark. However, interpreting the environment is more difficult... It receives about 5 packets each second if you are idle, hence lots of garbage.

My plan: Because the game runs under TCP, I will use freecap (http://www.freecap.ru/eng) to force the game to connect to a proxy running on my machine. I will need this proxy to be capable of packet injection, or perhaps a server that is capable of resending captured packets. This way I can recreate and tinker around with what the server sends, and understand their protocol encoding.

  1. Does anyone know where I can get a proxy that allows packet injection, or where I can perform packet injection (not via hardware, as is the case with wireless or anything!)?
  2. Where or if I can find a server/proxy that resends captured packets (ie: replays a connection).
  3. Any better tools or methodologies for pattern matching? Something which can highlight patterns from multiple messages would be GREAT.

OR, is there a better way to decipher this here? Possibly a disassembly strategy (via hooking a winsock function and starting the disassembly from there)? I have not done this before so I am not sure. OR, any other ideas?
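An added example for item 3 (not part of the original question, and not the output of any tool named on this page): a small Python script that lays several captured messages of one type side by side, marks which byte offsets are constant and which vary, and flags offsets that behave like a sequence counter or a length field. The two packet layouts it works on are constructed for the demo (type byte, 16-bit sequence number, a few fields, trailer); with real captures you would first group packets by hand, e.g. everything received while standing idle.

```python
"""Byte-column comparison of captured messages of one type.

Added example, not from the original question. The packet layouts below are
constructed (type byte, sequence counter, fields, trailer); real captures
would be grouped by hand first, e.g. all the packets seen while idle.
"""
import struct


def make_pos(seq, x, y, flag=0):
    """Constructed 'position' message: type 1, uint16 seq, uint16 x, uint16 y, flag."""
    return struct.pack(">BHHHB", 0x01, seq, x, y, flag)


def make_chat(seq, text):
    """Constructed 'chat' message: type 4, uint16 seq, uint16 text length, text."""
    body = text.encode()
    return struct.pack(">BHH", 0x04, seq, len(body)) + body


POS_SAMPLES = [make_pos(7, 100, 200), make_pos(8, 100, 201),
               make_pos(9, 101, 201), make_pos(10, 102, 201)]
CHAT_SAMPLES = [make_chat(11, "THIS IS A TEST"), make_chat(12, "hi"), make_chat(13, "gg wp")]


def column_report(messages):
    """Per offset (up to the shortest message): (offset, distinct values, is_constant)."""
    n = min(len(m) for m in messages)
    report = []
    for off in range(n):
        vals = sorted({m[off] for m in messages})
        report.append((off, vals, len(vals) == 1))
    return report


def find_counters(messages, width=2):
    """Offsets where a big-endian integer of `width` bytes grows by exactly 1 per
    message: sequence numbers, tick counters. Capture order must be preserved."""
    n = min(len(m) for m in messages)
    hits = []
    for off in range(n - width + 1):
        vals = [int.from_bytes(m[off:off + width], "big") for m in messages]
        if all(b - a == 1 for a, b in zip(vals, vals[1:])):
            hits.append(off)
    return hits


def find_length_fields(messages, widths=(1, 2)):
    """(offset, width) pairs whose integer equals the whole message length or the
    number of bytes after the field, in every message. Needs messages of
    different lengths to be conclusive; a trailing zero is excluded because it
    would always match 'zero bytes follow'."""
    n = min(len(m) for m in messages)
    hits = []
    for width in widths:
        for off in range(n - width + 1):
            def matches(m):
                v = int.from_bytes(m[off:off + width], "big")
                rest = len(m) - off - width
                return v == len(m) or (rest > 0 and v == rest)
            if all(matches(m) for m in messages):
                hits.append((off, width))
    return hits


def render(messages):
    """Hex rows, one per message, with a marker row: '..' constant, '^^' varying."""
    n = min(len(m) for m in messages)
    rows = [" ".join(f"{b:02x}" for b in m[:n]) for m in messages]
    marker = " ".join(".." if const else "^^" for _, _, const in column_report(messages))
    return "\n".join(rows + [marker])


if __name__ == "__main__":
    for name, group in (("position", POS_SAMPLES), ("chat", CHAT_SAMPLES)):
        print(name, "counters@", find_counters(group), "lengths@", find_length_fields(group))
        print(render(group))
```

Two caveats show up even on this toy data: a 16-bit length field whose high byte is always zero is also reported as an 8-bit length field one byte later (both are consistent with the samples, so only longer messages can settle it), and the counter heuristic only works if the samples are kept in capture order.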

+5  A: 

A) I play a MMO and do not support bots, voting down... B) Download Backtrack v.3, run an arpspoof on your default gateway and your host. There is an application that will spoof the remote host's SSL cert, sslmitm (I believe is the name), which will then allow you to create a full connection through your host. Then fire up tcpdump/Ethereal/Wireshark (choose your pcap poison) and move around, do random stuff to find out what packet is doing what. That will be your biggest challenge; but proxying with a Man in the Middle attack on yourself is the way to go.

C) I do not condone this activity, this information is only being provided as free information.

Suroot
I play many MMOs and support bots, countering your vote down.
Sparr
Haha, I appreciate your opinion; and bots are the reason you can play many MMOs. But I actually voted this article up. The reason I up voted instead? Because my background is in network security, so I love breaking networking protocols. Decoding protocols is FUN!!
Suroot
Suroot -- what is a good method for analyzing various packets and comparing them simultaneously... I guess that I am looking for something kind of like Beyond Compare for multiple files...
Zombies
D) Promise me you wont do it. :)
Flinkman
@Zombies, I'd say use tcpdump and read the .pcap file with Ethereal (now Wireshark) to see what happens in the TCP stream.
Suroot
+12  A: 

Network traffic interception and protocol analysis is generally a less favored method to accomplish your goal here. For most modern games, encryption is a serious factor, and there are serious headaches associated with the protocol analysis for any but trivial factors of the most common gameplay scenarios.

Most modern implementations* of what you are trying to do rely on reading and manipulating the memory space and process of a running client. The client will have already done all the hard parts for you, including decrypting the traffic and sorting it into far more easy to read data structures. For interacting with the server you can call functions built into the client instead of crafting entire series of packets from scratch. The plus to this approach is that you have to do far less work to interpret the data and produce activity. The minus is that there is often some data in the network traffic that would be useful to a bot but is discarded by the client, or that you may want to send traffic to the server that the client cannot produce (which, in my own well-developed hierarchy for such, is a few steps farther down the "cheating" slope).

*...I say this having seen the evolution of the majority of MMORPG botting/hacking communities from network protocol analyzers like ShowEQ and Odin's Eye / Excalibur to memory-based applications like MacroQuest and InnerSpace. On that note, InnerSpace provides an excellent extensible framework for the memory/process-based variant of what you are attempting, and you should look into it as a basis for your project if you abandon the network analysis approach.

Sparr
By reading the memory space of the client, do you mean to crack the encoding or to run the bot? The problem with this implementation is that the bot now requires the client, as well as all of the resources that client requires (gpu, cpu, entire screen, lots of memory, etc).
Zombies
Your question implies a misunderstanding. As far as I know, no one has ever deciphered a closed-source MMO game protocol sufficiently to actually replace the client with a standalone bot. Every implementation I have seen, network or memory based, requires the original client to be running.
Sparr
Hm, I have seen many bots which seem to be aware of their surroundings and know how to walk to locations. I assume they know how to see the x/y coords that the server tells the client where the player char is.
Zombies
They read the x/y coords from the network traffic to the client or from the memory of the client. Either way, the client is still running.
Sparr
Perhaps they run multiple VMs, because normally I see like 4-6 of them at once.
Zombies
More likely they just have 4-6 computers. I know at least half a dozen people who run 5-man raids in WoW by themselves, with 5 semi-autonomous bots on 5 computers.
Sparr
I fleshed out the body of my answer and got a -1... not sure how I should take that.
Sparr
+7  A: 

As I've done a few game bots in the past (for fun, not profit or griefing of course - writing game bots is a lot of fun), I recommend the following:

  • If you can code and there isn't cheat protection preventing you from doing it, I highly recommend writing an injected DLL for the following reasons:
    1. Your DLL will be able to access the game's memory space directly, and once you reverse-engineer the data structures (either by poking around memory or by code disassembly), you'll have access to lots of data. This will also allow you to bypass any network encryption the game may have. The downside of accessing process memory directly is that offsets and data structures change between versions - however, data structures don't change very often with a stable game, and you can compensate offset changes by searching for code patterns instead of using fixed offsets.
    2. Either way, you'll still be able to hook WinSock functions using API hooks (check out Microsoft Detours and the excellent but now-commercial madCodeHook).
  • otherwise, I can only advise that you give live/interactive packet editors like WPE Pro a try.

In most scenarios, the coolest methods (code reverse-engineering and direct memory access) tend to be the least productive. They require a lot of skill (to understand the code) and time, both initially (to go through all the code and develop code to interact with the data structure) and for maintenance (in case the game is being updated). (Of course, they sometimes do allow doing cool stuff which is impossible to do with the official client, but most of the time this is obvious as blatant cheating, and likely to attract the GMs quickly). Most of the time bots are made by replacing game graphics/textures with solid colours, and creating simple "pixel" bots which search for certain colours on the screen and react accordingly (e.g. click them).

Hope this helps, and remember - cheating is only fun when it doesn't make the game less fun for everyone else ;)

CyberShadow
Would it be possible to run a game client and all of its graphics while not displaying the graphics to the screen? Hence you could run multiple copies + the orig computer user would never even see the game on screen?
Zombies
Of course. You can use any number of methods, starting with complete virtualization (running each copy in a virtual machine, for best compatibility), running it on different desktops or terminal sessions, or simply hiding the window with the ShowWindow() function - depending on the game.
CyberShadow
> If there isn't cheat protection preventing you from doing it

I do not quite understand. Are you talking about third party memory monitoring programs? Do they really work well enough to prevent this completely or are they simply blacklisting certain programs from memory?
Zombies
The more popular ones do both. Most of them employ a set of generic protection methods, such as monitoring API function addresses (to thwart API hooks), or even load a kernel-mode driver to get a much higher degree of control over the system.
CyberShadow
They usually also scan running processes for certain strings, to identify processes they wouldn't like to see running on your system (e.g. debugging and reverse-engineering tools).
CyberShadow
Usually complex anti-cheat systems result in a constant struggle between "bypassers" (hacks that allow starting the game without the anti-cheat system, or with most of its functionality disabled), and anti-cheat updates that counter these bypassers.
CyberShadow
Do you know any communities/forums that discuss these subjects in particular?
Zombies
There are lots, it's just hard to find some that aren't crowded by clueless kids just trying to cheat in their favourite game. For the same reason, the so-called "elite" ones are closed to the public. I know of the Cheat Engine forums, but there should be more to find by simply searching the web.
CyberShadow
+2  A: 

There are probably a few reasonable assumptions you can make that should simplify your task enormously. However, to make the best use of them you will probably need greater comfort with sleeves-rolled-up programming than it sounds like you have.

First, it's a safe bet that the encryption they are using falls into one of three categories:

  • None
  • Cheesy
  • Far better than you are likely to crack

With the odds of the middle case being very low.

Next, it's a safe bet that the packets are encrypted / decrypted close to the edge of the program (right as they come in, right before they go out) and that the body of the game deals with them in decrypted form.

Finally, the protocol they are using most likely consists of either

  • ascii with data blocks
  • binary goo

So do a little packet sniffing with a card set in promiscuous mode for unencrypted ascii. If you see some, great, you're ahead of the game. But if you don't, give up the whole tapping-the-line idea and instead start following the code as it returns from sending data out, by breakpointing and stepping with a debugger. Figure the outermost layer or three will be standard network stuff, then will come the encryption layer, and beyond that the huge mass of stuff that deals with the protocol unencrypted.

You should be able to get this far in an hour if you're hot, a weekend if you're reasonably skilled, motivated, and diligent, and never if you are hopeless. But it is possible in principle (and doubtlessly far easier in practice) to do it this way.

Once you get to where something that looks like unencrypted goo comes in, gets mangled, and the mangled form goes out, then start worrying about what it means.

-- MarkusQ

MarkusQ
I typed in a phrase such as "THIS IS A TEST" via the game chat while capturing packets and noticed that it was not encrypted. Additionally all of the packets have a very similar structure.
Zombies
Chat and game play may be on different channels, with different protocols.
Robert Gould
RG is right, but as long as you are making progress, keep at it. The trick is correctly identifying when you are barking up the wrong tree and trying something else, without just giving up every time you hit a speed bump.
MarkusQ
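An added example (not from MarkusQ's answer or the game in question) of the first check above, the "none / cheesy / far better than you can crack" triage, done on captured payloads instead of by eye: byte entropy and printable ratio separate plaintext ASCII from structured binary and from encrypted or compressed data. All samples are constructed here: a fake chat log, 100 fake binary position updates, and a SHA-256 chain standing in for ciphertext. The single-byte XOR function is included because it is the usual "cheesy" case: it relabels the byte histogram without changing it, so the entropy stays exactly that of the plaintext.

```python
"""Triage captured payloads: plaintext ASCII, low-entropy binary, or high-entropy
(encrypted/compressed). Added example, not from the original answer; every sample
below is constructed."""
import hashlib
import math
import struct


def shannon_entropy(data):
    """Bits per byte: 0.0 for a single repeated value, close to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def printable_ratio(data):
    """Share of bytes that are printable ASCII or tab/newline/CR."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)


def classify(data, min_len=256):
    """Rough verdict for one stream or payload; needs a few hundred bytes to mean much."""
    if len(data) < min_len:
        return "too-short"
    if printable_ratio(data) >= 0.9:
        return "plaintext-ascii"
    if shannon_entropy(data) >= 7.5:
        return "high-entropy"            # encrypted or compressed: the 'far better' bucket
    return "low-entropy-binary"          # structured protocol, or a cipher that keeps the histogram


def xor1(data, key):
    """Single-byte XOR, the classic 'cheesy' cipher: a bijection on byte values, so the
    byte histogram is only relabelled and the entropy does not change at all."""
    return bytes(b ^ key for b in data)


def pseudo_random(n):
    """Deterministic high-entropy bytes from a SHA-256 chain (stands in for ciphertext)."""
    out, block = b"", b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed samples: a chat log, 100 binary position updates, 4 KiB of 'ciphertext'.
CHAT = b"".join(b"[Zombies] THIS IS A TEST %d\n" % i for i in range(20))
POSITIONS = b"".join(struct.pack(">BHHHB", 1, i, 100 + i % 3, 200 + i % 5, 0) for i in range(100))
ENCRYPTED = pseudo_random(4096)

if __name__ == "__main__":
    for name, data in (("chat", CHAT), ("positions", POSITIONS), ("ciphertext", ENCRYPTED),
                       ("xor'd chat", xor1(CHAT, 0x5A))):
        print(f"{name:11s} H={shannon_entropy(data):.2f} "
              f"printable={printable_ratio(data):.2f} -> {classify(data)}")
```

Run it per direction and per TCP stream rather than on the whole capture, since, as the comment above notes, chat and gameplay may use different channels with different protocols; a stream that reads as "low-entropy-binary" but is not printable is either a structured binary protocol or a trivial cipher, and the debugger route MarkusQ describes is what tells the two apart.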
A: 

Sounds like there is no encryption going on, so you could do a network approach.

A great place to start would be to find the packet IDs - most of the time, something near the front of the packet is going to be an ID of the type of the packet. For example move could be 1, shot fired could be "2", chat could be "4".

You can write your own proxy that listens on one port for your game to connect, and then connects to the server. You can make keypresses to your proxy fire off commands, or you can make your proxy write out debugging info to help you go further.

(I've written a bot for an online game in PHP - of all things.)

Daniel Von Fange
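The proxy this answer describes (and the packet injection the question asks for in item 1), as an added Python example that is not code from the original answer or from any real game. The framing is an assumption: one type byte, a 16-bit big-endian payload length, then the payload, with the hypothetical IDs 1/2/4 for move/shot/chat from the answer above. The "game server" is a constructed stand-in that acknowledges moves and echoes everything else, so the whole exchange runs on loopback; to use it for real, point the game (via freecap or similar) at `proxy.port` and replace `parse_frames()` once captures reveal the actual header.

```python
"""Intercepting TCP proxy that logs frames by packet type and can inject frames toward
the server. Added example, not from the original answer; the framing (1-byte type,
2-byte big-endian payload length, payload) and the type IDs are assumptions."""
import queue
import socket
import struct
import threading

HDR = struct.Struct(">BH")                        # assumed header: type, payload length
PACKET_NAMES = {1: "move", 2: "shot", 4: "chat"}  # hypothetical IDs from the answer above


def build_frame(ptype, payload):
    return HDR.pack(ptype, len(payload)) + payload


def parse_frames(buf):
    # TCP is a stream: one recv() may hold half a packet or several, so only
    # complete frames are returned, plus whatever is left over.
    frames = []
    while len(buf) >= HDR.size:
        ptype, plen = HDR.unpack_from(buf)
        if len(buf) < HDR.size + plen:
            break
        frames.append((ptype, buf[HDR.size:HDR.size + plen]))
        buf = buf[HDR.size + plen:]
    return frames, buf


class Proxy:
    def __init__(self, upstream):
        self.upstream, self.log, self.inject = upstream, [], queue.Queue()
        self.sock = socket.create_server(("127.0.0.1", 0))   # ephemeral port; point the game here
        self.port = self.sock.getsockname()[1]

    def _pump(self, src, dst, direction):
        buf = b""
        src.settimeout(0.05)                      # short poll so injections go out promptly
        while True:
            while direction == "c2s" and not self.inject.empty():
                frame = self.inject.get()         # sent to the server as if the client had
                self.log.append(("inject", PACKET_NAMES.get(frame[0], "?"), frame[HDR.size:]))
                dst.sendall(frame)
            try:
                data = src.recv(4096)
            except socket.timeout:
                continue
            except OSError:
                break
            if not data:
                break
            buf += data
            frames, buf = parse_frames(buf)
            for ptype, payload in frames:
                self.log.append((direction, PACKET_NAMES.get(ptype, f"unknown-{ptype}"), payload))
            dst.sendall(data)                     # relayed unchanged; rewrite here to tamper
        for s in (src, dst):                      # closing one side ends the other pump
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass

    def serve_one(self):
        client, _ = self.sock.accept()
        server = socket.create_connection(self.upstream)
        for args in ((client, server, "c2s"), (server, client, "s2c")):
            threading.Thread(target=self._pump, args=args, daemon=True).start()


def fake_game_server():
    """Constructed stand-in for the real server: acks moves, echoes everything else."""
    srv = socket.create_server(("127.0.0.1", 0))

    def run():
        conn, buf = srv.accept()[0], b""
        while data := conn.recv(4096):
            frames, buf = parse_frames(buf + data)
            for ptype, payload in frames:
                conn.sendall(build_frame(1, b"ok") if ptype == 1 else build_frame(ptype, b"echo:" + payload))
        conn.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()


def demo():
    """Client -> proxy -> fake server: send a move, inject a chat, return the proxy log."""
    proxy = Proxy(fake_game_server())
    threading.Thread(target=proxy.serve_one, daemon=True).start()
    client = socket.create_connection(("127.0.0.1", proxy.port))
    client.settimeout(2)
    pending = b""

    def recv_frame():
        nonlocal pending
        frames = []
        while not frames:
            frames, pending = parse_frames(pending + client.recv(4096))
        return frames[0]

    client.sendall(build_frame(1, struct.pack(">HH", 100, 200)))
    assert recv_frame() == (1, b"ok")
    proxy.inject.put(build_frame(4, b"THIS IS A TEST"))   # injected, not typed by the client
    assert recv_frame() == (4, b"echo:THIS IS A TEST")
    client.close()
    return proxy.log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The log is the debugging output the answer mentions; a keypress handler in the real bot would just `put()` a frame on `inject`. Note that the relay forwards the raw bytes rather than re-serialising parsed frames, so a wrong guess about the framing only breaks the log, not the game connection.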