MMORPG Bot Reverse Engineering and Tracking
Vložit
- čas přidán 8. 02. 2018
- A friend told me that a GW2 trading bot implemented a dumb API. We are going to find and use it to track the bot.
Play Guild Wars 2:
account.arena.net/register
Fiddler: www.telerik.com/fiddler
.NET Reflector: www.red-gate.com/products/dot...
HxD: mh-nexus.de/en/hxd/
IDA Free: www.hex-rays.com/products/ida...
Windows VM: developer.microsoft.com/en-us...
=[ ❤️ Support ]=
→ per Video: / liveoverflow
→ per Month: / @liveoverflow
=[ 🐕 Social ]=
→ Twitter: / liveoverflow
→ Website: liveoverflow.com/
→ Subreddit: / liveoverflow
→ Facebook: / liveoverflow
=[ 📄 P.S. ]=
All links with "*" are affiliate links.
LiveOverflow / Security Flag GmbH is part of the Amazon Affiliate Partner Programm.
#ReverseEngineering
Bonus video with the analysis of the collected data will come within the next 24h.
TL;DR summary: If you are a Guild Wars 2 player, don't worry about bots like that. It's child's play. Don't request ArenaNet to waste any resources on it.
great work
you mean: "learn how to speak English properly"?
What's wrong with his way of speaking? He (and most Germans) speaks English better than many people in the world, including me. And I'm pretty good!
As bad as yours?
We all understand the video in English, you need global awareness education, English is not the main language of the world and should not be enforced because someone said so
I just wanna say that I have watched several tutorials on reverse engineering binaries and I REALLY enjoyed your video because you not only showed what you did to find certain bits of information, but you explained your entire thought process AND you told us the things you did that didn't actually work. 99% of tutorials -- even the good ones -- often leave out explanations of the dead end roads they went down. And the reason that's so important is it helps people who are trying to learn reverse engineering the mindset/thought process they should have when approaching the subject. It's easy to mirror something you watch in a video and think you understand it only to try it on something else and quickly realize you don't really know where to begin or how to approach it. This is the first video I've come across of yours and I'm definitely checking out more after I write this, but I'm really hoping that you take this approach in all of your videos. If not, you should. This is super helpful and you're definitely onto something with this style of talking about a subject. Sorry for the long comment, but I just had to say this. Cheers!
I don't even play GW2, yet this was utterly fascinating. You're a goddamn wizard.
The way that you talk through your way of thinking is so good. Makes it so easy to follow your thought process and your reasons for doing things.
Your strings are wide which is why IDA didn't notice them. You just need to tell IDA to include wide strings in the strings window (right click and configure)
thanks I'll keep that in mind
@@inx1819 What are you debugging?
I love these videos. As large a python application developer, getting to explore more about this very unknown world (at least, to me) is super interesting. Keep the videos coming!
3:31 Sending login credentials over HTTP? Oh boy...
Well there's an endpoint that returns all users and their api keys.. HTTPS is a detail here, lol
lmao
George Gougoudis I left this comment before I saw the end, the logged in users endpoint is unbelievable!
Phishy...
these are no real login credentials.
Super interessting! And crazy how it was possible to extract such valueable and private information. I bet there's thousands of other companies doing something similar.
You showed me nothing I didn't already know, except how to put what I know to use! I appreciate the candor of narration as you work through the problem. That is one of the most important things for people to see, it's OK if you don't know precisely what they next thing you click on is going to do, that's how you learn. Great video, thank you.
Great video. i really enjoy you reverse engineering these types of MMO bots, i would love you try doing it for more bots as its also very educational :D
Your videos are very informative. It's almost like you have to play detective to discover what you did. Of course, having the right tools under your tool belt also helps ;) Keep up the great videos!
great documentation of your workflow. thanks
Couple tips for Windows executable reverse engineering.
1) There are many programs you can use to check how an executable is compiled and packed, couple of my favorites are Detect it easy and peId.
2) You can use Process Hacker 2 to find strings in memory of an executable.
Great video btw!
do more bot videos on popular mmos, this is interesting stuff
@ID3301 only really counts for online games tbh
Hearing that makes me think of someone I used to watch, but yeah this is very interesting
Really cool video, I like how you went the extra step and tracked thos bot users for data
This guy could get employed by Microsoft Apple Google and Amazon all by himself and save these companies trillions ... He is mind-blowing smart. I use computers since i'm a kid and have strong knowledge about pretty much every computer related stuff but in this video I quickly realised how much of a noob I was. This video made me humble so bad. I'm shocked. Wow.
I would like to see more game related reverse engineering videos. Keep it up.
Super cool video, and absolutely hilarious that such a simple request gave you the bot user's account APIs. Talk about a botch job from the bot developer!
One of the best channels about reversing on youtube. Thanks for the video
I don't think there is a single video of yours that hasn't had a #MindBlown moment for me. I know you think this is a bit mundane, but like all your work, yet again opening a whole world to my view.
Thanks, keep up the great work!
Very cool my friend, subscribed - wish there was more content like this!
You've inspired me to get back in GW2 after almost a year of not playing it, thanks
How didn't I know about fiddler earlier? I love it and constantly mess around with it now! Danke dir
Just found your channel. Seems to be educative and I believe I will learn a lot. Keep up the good work.
Really interresting video.... I'm subscribing to see what's next :) And i will come back on your videos to see what else you have to teach.
Thanks for the share, keep on the good work, keep giving us your taught process (mostly why i subscribed!)
Good luck on CZcams
I legit spit my coffee out watching this at 7:30 in the morning when I saw you replay and edit the request to get the online users.
0_0 I don't know how I ended up here but I couldn't stop watching. This reminds me of how many different programs I find myself using from start to end with making game assets.
I would have never thought to reverse engineer the bot program to get all the api calls to their server. that's awesome.
You deserve so many more subscribers. Please keep this content going :D
Very good video about deep programming knowledge, without getting complex.
It helped me!
Awesome video as always.
Guild Wars 2 is a great game, as well.
You're so awesome. I love your videos so much! So much to learn, and I really like the way you present the information.
This is just... WOW. Dude you're awesome. Keep it up!
You should do more of these documentary's where you reverse engineer a program in the wild.
By the way, you can just load the memory dump into ida see the disassembly of whatever they tried to obfuscate/encrypt. Ida can also find strings in there, no need to do it manually.
Andre Taulien It's cooler that way
so many Lithuanians in the comment section, damn
Hello LiveOverflow,
Like you I have analyse two bots from an other game, but in fidler the first bot use https and the second encrypted packet (TCP or UDP). My question is, how to decrypt these packets ? Thank you :)
how do i edit and replay a XHR ??
i need it for uhhh.... something
how could you know if with deleting the username and password parameter will discover the entire API key?
Thanks for this amazing video, you never fail to deliver :D
Fun fact: You just gave pirates a head start in pirating the bot.
so it can be pirated
Fun Fact: he just gave the devs a free access key to ban all those players too....
What is written at the end of the 2 sentences in python "raw = open ..." and "with open ..." ?
This is some impressive work man!
Super interesting. Thank you for this.
For string searching I like ProcessHacker 2 - double click on the process>Memory>[Strings...]>Set the settings>Optionally filter output.
You could open the memdump (Yes it's a full memory dump) in IDA and let it automatically find/analyze the binary.
I love your videos, i just got into the security market and i'm learning from 0 your videos will surely help a lot i've always wanted to make bots for games for the sake of it but never did it. I would love if you could make a video about android apps pen testing
I learned a lot today, thank you for this video :)
As the bot requires validation to work, you can remove it by checking for strings related to the login page on IDA, the newr adresses will be the validation ones, then you just need to make it return true
WoW, That is really amazing. It's inspiring.
Just awesomely crazy... Good job.
Ich habe keine Ahnung von GW2 und auch nicht vom Programmieren, aber es ist interessant und einigermaßen verständlich für mich.
Dankeschön. =)
I'd love it if someone posted this video on the site where the bot was sold.
I don't think they'd be all to happy with it if they found out it just spits your API keys out on request.
I enjoyed this video!
I will watch more of your videos :)
How did you use the same url to load different pages? Ida version 5.0 and 7.0?
Old recording vs new recording ;)
Dein Video ist Gold wert, konnte dadurch echt viel lernen, danke^^
Subbed! Awesome videos ;) GW2 reddit brought me here!
Your a boss man! This made me happy to watch.
Thanks for the video, very interesting!
Could you explain that hexdump cleaning script, how it works?
where do you learnt all of this?
Okay.. I didn't like the video until you got the entire list of users.. and then geeked out graphing some data.. You earned my like.. Thumbs up clicked :P
Very interesting. I used to make wallhacks for Soldier Front and aimbots for Gunbound when I was younger... much profits. These videos make me want to get back into it.
I have 0 dev experience and I dont play gw2. I watched the entire thing. Time to get control of my life.
Far, far above my level of knowledge and interest, however well explained and interesting to see what you discovered, even if I could not emulate this myself.
Nice, I'm always learning something ;)
And I'm always a bit suprised to read german Text. Well, I already know you live in Germany, but your englisch is perfect. BTW: I'm German too
I think the developers of the trading bot are german. that's why the text was german in the TOS
LiveOverflow Well, some of youre programms are german too, aren't they?
yeah good job explaining your approach, and what tools you used.
Is it possible for you to look into some of the EVE online mob grinding bots? I've run into a couple on my space travels and I'm curious if I can help stomp them out.
Bro i need video for format encrypted flash drive not in my pc it encrypted from unknown pc it work fine but it's encrypted can't format.will u please add a video solving this issue.
WoW nice Love this video, thanks for showing me something new :D
I love your channel so, so much
I'm glad you waited for the service to shut down before doing this, a buddy of mine found this issue and showed me how to perform it ages ago. We always used to mess with those filthy cheaters. >:)
What mouse do you have?
Very interesting.
Good job
The mouse key hook actually uses Windows API to intercept and maybe send raw input, no injection required.
I have no idea what is going on or where I am but I like this video, even though I understood none of it. I found it enjoying and your voice soothing. Keep making videos, 4am me is out & won't remember this comment :)
I love this video. Please make more videos like this xD
Hello there! can you share the python code that you use to convert the dump to strings? Thanks in advance!
I can recommend ILSpy
Smartscreen primarily checks code signing certificate of the program (see the Publisher) - not much of hashes and how many are using it. To avoid the smartscreen you must supply your app (with certificate) to Microsoft.
Visual Studio should be able to open the memory dump, and also let you step thru it if you want. (I really hope this is available in the community version)
Man!!I wanna be able to do all this. You're a genius
Continue watching the channel, check a few other data forensic channels, check out the free online universities for Computer Forensic courses and you'll be a good way on the way to be able to do all these things.
There are a few hacker conventions that also give good info on how it all works, with videos freely available here on CZcams. Check out things like DefCon.
It's not about being genius. Everyone can learn that just not everybody wants to.
morphman86 can you please suggest me any of those universities? Thank you
Udemy is a good one as well as nullbytes own university. I believe its skill stack. some of the packages you can find are like....idk 16$ for 100s of lectures and online classes. You arnt bound to them like a real college or university. There's no tests, no quizzes, no grades. Its all just based on you learning material. Access anywhere, any time.
Exactly my thoughts, and even the comment 'I do not know how this works so I fiddle with it'; made me feel aware that this guy is good in being resilient and really good in self teaching.
You can do something similar with savewizard, a ps4 save editor?
Is there any SQL-injection in that login url lol?
I'd love to see tutorials on somehow recreating a private game server for a game that has been long since died and has no official servers or any servers.
That was so interesting and fun to watch! The thing is, if I had attempted to do this kind of research, I would have given up after the first 5 minutes, because I know nothing about the workflow and how to interpret findings and outputs of these various programs (even most of the shown programs I did not know). So can you give a short explanation of how you collected this mass of knowledge over time?
Ps: Schland :D
guess how many times I attempted projects like this and gave up? Every time you do that, you learn a tiny little bit more. and at some point you succeed.
I have no idea whats going on and yet i am going to watch part 2
5:06 that looks alot like some kind of assembly. is it?
If the memory contains non-obfuscated data you could have easily debugged using some tools like OllyDbg or even Cheat Engine (even if OllyDbg provides a list of strings really similar to the IDA one)
Your open song
Did you make that or is there a name for it
It’s a royalty free song from CZcams. Is called “The End” or something.
Excellent video! Best reverse engineering channel!
The dump format isn't raw, it's stores all sorts of information other than the memory like open handles and threads.
I just realized that I had watched this video before, not knowing about GW2 and I'm quite intrigued by how games' economy works, but not the games itself (since I'm not MMORPG kind of player)
Then two years later I've already addicted to it and then stumbled this video again browsing GW2 economy subreddit
How the table have turned... I'm gonna watch it again
I'm more interested on unpacking that binary files. The crazy thing, I did some reversing on a private server of a game launcher back then, what I didn't expect after unpack the binary was that the launcher uses somekind of remote sql to fetch the login data. I can even see the database and it's password for connecting to remote server.
what was the code for the strings.py?
Im trying to do the samething lmao but I think python 3 is diff from the python ver he is using.
This is what I have so far:
import os
def is_ascii(s):
return all(ord(c) < 128 for c in s)
def main():
filename = 'mem.txt'
if os.path.exists(filename):
os.remove('mem.txt')
raw = open('mem.dump','r',encoding='utf-8', errors='ignore' )
print(raw)
myLines=raw.readlines()
print(myLines)
raw.close()
with open('mem.txt','w') as f:
for word in myLines.split("\x00\x00\x00"):
if is_ascii(word) and len(word)>5:
f.write(word.replace("\x00","")+"
")
main()
BEST CHANNEL EVER IN THE HISTORY OF CZcams AND HUMAN CIVILIZATION
send the graph to data is beautiful.
it's hard to really stop injection from happening, when it comes to the mouse clicks you have to rely on the system flag to tell if the clicks are authentic, these need to come from certified drivers (although you can also just patch whatever checks for the flag on the client)
a bit late you probably know it: there's also hardware route of custom usb hardware and external hardware OCR, best way is always in game design
If you're dealing with .NET assemblies, don't bother with Reflector, take a look at dnspy.
Cubinator73 dnspy, ilspy and greywolf are my go-tos for messing with .net.
Greywolf by Digital bodyguard lets you patch the il and export the exe, great for messing with execution flow and logic, or in my case patching out an annoying taskbar notification thing for a driver utility.
dotpeek also pretty good, there's also apps strictly for strings. If you install flare vm you get tons of malware analysis tools.
you are defo in the top 5 Comp Sci/Software Eng/Hacking channels.
DUDE YOU ARE A FUCKING BOSS. I'm super inspired to try some of these tools. Thank you so much. Love your channel.
Thanks for the video! you big helped
Could you post your Python code onto pastebin? I'd like to use it as a base to clean up other hex dumps if possible. It would be much appreciated