Table of Contents
- Hack the Vote CTF "The Wall" Solution
- Creating A Kewl And Simple Cheating Platform On Android - DeepSec2014
- Breaking The Game
- DEF CON 23: Shall We Play A Game
- I'll show in this talk that playing on custom game servers and playing community created maps could easily lead to code execution on our machines - more so, in most cases without the need to bypass the operating system's exploit mitigation techniques. My targets include popular games and game engines like CryEngine 3, Dota 2, Garry's Mod, ARMA3 and Digital Combat Simulator. I'll show a wide range of script abuse from a simple direct command execution in an unrestricted scripting environment through brute forcing a security camera via HTTP requests to complex script sandbox escapes.
- Gotta catch-em-all worldwide - Pokemon GO GPS spoofing
- How to hack an MMO - Raph Koster - 2008
- Exploiting Game Engines for Fun and Profit
- Fuzzing Online Games
- How to Hack Local Values in Browser-Based Games with Cheat Engine
- [Fragging Game Servers](https://www.youtube.com/watch?v=bRM4J-LphUw) - DEF CON 17
- From hardware interaction to network protocols, this talk will present the inner workings of the Source Dedicated Server (used for games such as Left4Dead and Team Fortress 2). This talk will discuss some of the weaknesses in these game engines and ways they are exploited in the wild. A tool designed to dissect and analyze client/server communications will be released during the talk. We'll also provide some pragmatic advice for deploying game servers and release a white paper describing secure configuration guidelines for the Source Dedicated Server.
- DEF CON 20: Fuzzing Online Games
- DEF CON 19: Hacking MMORPGs for Fun and Mostly Profit
- Online games, such as MMORPGs, are the most complex multi-user applications ever created. The security problems that plague these games are universal to all distributed software systems. Online virtual worlds are eventually going to replace the web as the dominant social space on the 'Net, as Facebook apps have shown, and this is big business. MMORPG game security is something that is very important to game studios and players, yet bots and exploits continue to infest all major MMORPGs; the creators and maintainers of the next generation of MMORPGs will need to understand software security from the ground up or face failure. The problem extends from software bugs such as item or money duplication, to mechanical exploitation such as botting, which leads to economic forces and digital identity theft. There is upwards of a billion dollars at stake, for both game hackers and game operators. Both Josh and Kuba have explored game hacking from both sides, and this talk presents a pragmatic view of both threats and defenses.
- Reverse Engineering
- Non-Specific Tools
- PINCE is a gdb front-end/reverse engineering tool focused on games, but it can be used for any reverse-engineering related stuff. PINCE is an abbreviation for "PINCE is not Cheat Engine". PINCE's GUI is heavily "inspired(;D)" by Cheat Engine.
- x64 manualmapper with kernel elevation and thread hijacking capabilities to bypass anticheats
- MTuner is a C/C++ memory profiler and memory leak finder for Windows, PlayStation 4, PlayStation 3, etc.
- Nintendo Gameboy/Pocket/Color/Advance
- Nintendo 3DS
- Keyshuffling Attack for Persistent Early Code Execution in the Nintendo 3DS Secure Bootchain
- We demonstrate an attack on the secure bootchain of the Nintendo 3DS in order to gain early code execution. The attack utilizes the block shuffling vulnerability of the ECB cipher mode to rearrange keys in the Nintendo 3DS's encrypted keystore. Because the shuffled keys will deterministically decrypt the encrypted firmware binary to incorrect plaintext data and execute it, and because the device's memory contents are kept between hard reboots, it is possible to reliably reach a branching instruction to a payload in memory. This payload, due to its execution by a privileged processor and its early execution, is able to extract the hash of hardware secrets necessary to decrypt the device's encrypted keystore and set up a persistent exploit of the system.
- ARM9Loader Technical Details - GBAtemp
- Throwback: K9Lhax by Bruteforce
- A heap overflow in tag processing leads to code execution when a specially-crafted m4a file is loaded by Nintendo 3DS Sound. This bug is particularly good, because as far as I can tell it is the first ever homebrew exploit that is free, offline, and works on every version of the firmware for which the sound app is available.
- Luma3DS is a program to patch the system software of (New) Nintendo 3DS handheld consoles "on the fly", adding features (such as per-game language settings and debugging capabilities for developers) and removing restrictions enforced by Nintendo (such as the region lock). It also allows you to run unauthorized ("homebrew") content by removing signature checks.
- Nintendo Entertainment System
- Nintendo Super Nintendo
- libdragon is meant to be a one-stop library providing a low-level API for all hardware features of the N64.
- FAT64 is a FAT32 library for use on the 64drive, a development cart for the Nintendo 64. It is used by the 64drive bootloader and menu.
- Nintendo Gamecube
- Nintendo Wii
- Dolphin is a GameCube / Wii emulator, allowing you to play games for these two platforms on PC with improvements. https://dolphin-emu.org/
- wiihacks forum
- The Homebrew Channel
- The Homebrew Channel - open source edition
- Wiiuse is a library written in C that connects with several Nintendo Wii remotes. Supports motion sensing, IR tracking, nunchuk, classic controller, Balance Board, and the Guitar Hero 3 controller. Single-threaded and nonblocking, which makes for a lightweight and clean API.
- Nintendo WiiU
- Anatomy of a Wii U: The End...?
- Nintendo Switch
- Console Security - Switch Homebrew on the Horizon
- Nintendo has a new console, and it's more secure than ever. The Switch was released less than a year ago, and we've been all over it. Nintendo has designed a custom OS that is one of the most secure we've ever seen, making the game harder than it has ever been before. In this talk we will give an introduction to the unique software stack that powers the Switch, and share our progress in the challenge of breaking it. We will talk about the engineering that went into the console, and dive deep into the security concepts of the device. The talk will be technical, but we aim to make it enjoyable also for non-technical audiences.
- Nintendo_Switch_Reverse_Engineering - dekuNukem
- A look at the inner workings of the Joy-Con and Nintendo Switch
- Experimental Switch emulator written in C#
- yuzu is an experimental open-source emulator for the Nintendo Switch from the creators of Citra. It is written in C++ with portability in mind, with builds actively maintained for Windows, Linux and macOS. The emulator is currently only useful for homebrew development and research purposes.
- This is a repo for a work-in-progress customized firmware for the Nintendo Switch.
- PSP / PS Vita
- Hacking the PS Vita
- Playstation Portable Cracking [24c3]
- VITA2PC is a tool that lets you stream a PSVITA/PSTV to your PC via WiFi.
- Homebrew enabler for PS Vita
- This homebrew can dump some PS Vita shared modules
- vitastick is a plugin and an application that lets you use a PSVita as a USB controller. It uses the UDCD (USB Device Controller Driver) infrastructure in the kernel to simulate such a controller, and thus the host thinks the PSVita is a legitimate USB gamepad.
- Sony PlayStation 1
- Sony PlayStation 2
- Sony PlayStation 3
- Sony PlayStation 4
- Cheat Prevention Software
- Valve Anti-Cheat Untrusted Bans (VAC) CSGO
- How ESEA detects cheat software in its online gaming league - Let's get physical!
- Before we dig in, this post should not be construed as an attack on ESEA, anti-cheat software, or fair gaming in general. It is simply an analysis thereof, detailing what the ESEA driver does on your machine. Although analysis will make attack vectors clear and obvious, no code or detailed explanation of how to leverage these points will be given.
- Inside Blizzard: Battle.net
- This paper intends to describe a variety of the problems Blizzard Entertainment has encountered from a practical standpoint through their implementation of the large-scale online game matchmaking and chat service, Battle.net. The paper provides some background historical information into the design and purpose of Battle.net and continues on to discuss a variety of flaws that have been observed in the implementation of the system. Readers should come away with a better understanding of problems that can be easily introduced in designing a matchmaking/chat system to operate on such a large scale in addition to some of the serious security-related consequences of not performing proper parameter validation of untrusted clients.
- An Objective Analysis of the Lockdown Protection System for Battle.net
- Near the end of 2006, Blizzard deployed the first major update to the version check and client software authentication system used to verify the authenticity of clients connecting to Battle.net using the binary game client protocol. This system had been in use since just after the release of the original Diablo game and the public launch of Battle.net. The new authentication module (Lockdown) introduced a variety of mechanisms designed to raise the bar with respect to spoofing a game client when logging on to Battle.net. In addition, the new authentication module also introduced run-time integrity checks of client binaries in memory. This is meant to provide simple detection of many client modifications (often labeled "hacks") that patch game code in-memory in order to modify game behavior. The Lockdown authentication module also introduced some anti-debugging techniques that are designed to make it more difficult to reverse engineer the module. In addition, several checks were introduced that are designed to make it difficult to simply load and run the Blizzard Lockdown module from the context of an unauthorized, non-Blizzard-game process. After all, if an attacker can simply load and run the Lockdown module in his or her own process, it becomes trivially easy to spoof the game client logon process, or to allow a modified game client to log on to Battle.net successfully. However, like any protection mechanism, the new Lockdown module is not without its flaws, some of which are discussed in detail in this paper.
- Breaking The Game
- Reverse Engineering
- Source SDK Server [Security Research Repo] - pyperanger
- +1,000,000 -0: Cloning a Game Using Game Hacking and Terabytes of Data
- In this talk, I'll provide a window into the warchest my team used to generate over a million lines of code. In particular, we created and used game hacks to process data from tens of millions of hours of in-game data and use the results to generate copies of a game's map, monsters, quests, items, spells, non-playable characters, and more. We also used a wiki crawler to obtain a large amount of data, generate additional code, and guide our cheat scripts in what to look for, clarify, and ignore. After explaining our end-game vision, I'll dive deep into the architecture of the game client, server and protocol. Once that's out of the way, I'll talk about the different types of hacks we used, how they work, and what data they were able to obtain. Once that's out of the way, I'll round out the story by explaining exactly what type of data we gathered and what parts of our toolkit we used to gather it.
- Game Trainers
- Universal Elite Game Trainer for CLI (Linux game trainer)
- Bypassing kernelmode anticheats via handle inheritance (across sections)
- A usermode BE Rootkit Bypass
- Game Programming Papers
- The TRIBES Engine Networking Model or How to Make the Internet Rock for Multiplayer Games
- This paper discusses the networking model developed to support a "realtime" multiplayer gaming environment. This model is being developed for TRIBES II, and was first implemented in Starsiege TRIBES, a multiplayer online team game published in December '98. The three major features of this model are: support for multiple data delivery requirements, partial object state updates and a packet delivery notification protocol.
And because hacking is easy: the Tegra X1 bug.
The Tegra X1 RCM forgets to limit the wLength field of the 8-byte Setup Packet in some USB control transfers. The standard endpoint request GET_STATUS (0x00) can be used to do an arbitrary memcpy from a malicious RCM command and smash the Boot ROM stack before signature checks and after the Boot ROM sends the UID. It needs a USB connection and a way to enter RCM (the Switch needs a volume-up press and a JoyCon pin shorted).
Reminder: Real hackers hack in silence. You all suck.