A push token is a technology for easy-to-use and secure multi-factor authentication (MFA): when a user tries to access protected content or initiates a transaction, a push notification is sent to the user's registered mobile device, for instance a smartphone. (From the post “The basics of multi-factor authentication: What is a push token and how can businesses benefit of it?”)
In our blog post about binary patching, we saw how to edit the client binary to modify a function to our advantage. The change was minor: a single assembly instruction. If we want to add more complex logic to the function, and therefore more assembly code, we need a code cave so that we do not overwrite instructions the game needs in order to run properly.
The code cave technique consists of finding an area of the binary that is not used (typically padding between sections or functions) and placing our assembly instructions there. Then, in the function we want to modify, we overwrite one instruction with a jump into our code cave. On x86 a near jump with a 32-bit displacement is five bytes long, so if the instruction we replace is shorter we have to overwrite its neighbours as well and pad the remainder with NOPs. The code cave should save the registers and flags it touches and restore them at the end, and keep the stack aligned. Finally, the cave must also contain the instruction(s) we overwrote to make room for the jump, and end with a jump back into the original function, right after the patched location.
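The following script is an added example of the patching logic described above; it is not code from the original post. It works on a constructed x86-64 code blob whose file offsets are assumed to equal the addresses the CPU executes from, and the payload it injects (a `mov` to a hypothetical field `[rbx+0x10]`) is an assumption chosen only to illustrate the layout. It finds a run of zero bytes to use as a cave, writes the cave body (save flags and a scratch register, payload, restore, the re-executed original instruction, jump back) and replaces the original instruction with a `jmp rel32`.

```python
"""Code-cave patching on a flat x86-64 code blob (added, constructed example).

Assumptions: offsets in the blob equal execution addresses (no base address
or RVA translation), the hook site starts on an instruction boundary,
`orig_len` covers whole instructions, and none of the overwritten
instructions is position-dependent (relative jumps/calls or RIP-relative
memory operands cannot simply be copied into the cave).
"""
import struct

JMP_REL32 = 0xE9
NOP = 0x90
PUSHFQ, POPFQ = b"\x9c", b"\x9d"
PUSH_RAX, POP_RAX = b"\x50", b"\x58"

# Hypothetical payload: mov dword ptr [rbx+0x10], 0x42480000 (float 50.0).
# Stands in for "set the movement speed field of the player object in rbx".
HYPOTHETICAL_SPEED_PAYLOAD = b"\xc7\x43\x10\x00\x00\x48\x42"


def jmp_rel32(src, dst):
    """Encode `jmp dst` located at `src`; rel32 is relative to the next instruction."""
    return bytes([JMP_REL32]) + struct.pack("<i", dst - (src + 5))


def decode_jmp(blob, addr):
    """Return the target of the jmp rel32 at `addr` (used to verify patches)."""
    if blob[addr] != JMP_REL32:
        raise ValueError("no jmp rel32 at 0x%x" % addr)
    (disp,) = struct.unpack_from("<i", blob, addr + 1)
    return addr + 5 + disp


def find_cave(blob, size):
    """Offset of the first run of `size` zero bytes, or -1 if none exists.

    A real binary also needs the run to be inside an executable segment and
    away from the hook site; both are true for the constructed blob below.
    """
    return bytes(blob).find(b"\x00" * size)


def build_cave(cave_addr, hook_addr, orig_len, orig_bytes, payload):
    """Cave: save flags and rax, run payload, restore, re-execute the
    overwritten instruction(s), jump back to the instruction after the hook.
    pushfq/push rax move rsp by 16, so 16-byte alignment is preserved; the
    payload must not call functions without re-aligning the stack itself."""
    body = PUSHFQ + PUSH_RAX + payload + POP_RAX + POPFQ + orig_bytes
    return body + jmp_rel32(cave_addr + len(body), hook_addr + orig_len)


def install_code_cave(blob, hook_addr, orig_len, payload):
    """Return (patched_blob, cave_addr) with the cave written and the hook installed."""
    if orig_len < 5:
        raise ValueError("need at least 5 bytes at the hook site for a jmp rel32")
    orig_bytes = bytes(blob[hook_addr:hook_addr + orig_len])
    cave_size = len(PUSHFQ + PUSH_RAX + payload + POP_RAX + POPFQ) + orig_len + 5
    cave_addr = find_cave(blob, cave_size)
    if cave_addr < 0:
        raise ValueError("no zero run of %d bytes available for a cave" % cave_size)
    patched = bytearray(blob)
    patched[cave_addr:cave_addr + cave_size] = build_cave(
        cave_addr, hook_addr, orig_len, orig_bytes, payload)
    # Replace the original instruction with the jump; NOP out any leftover bytes.
    trampoline = jmp_rel32(hook_addr, cave_addr) + bytes([NOP]) * (orig_len - 5)
    patched[hook_addr:hook_addr + orig_len] = trampoline
    return bytes(patched), cave_addr


def demo_blob():
    """Constructed image: `mov eax, 1; ret` at 0, int3 filler, 64 zero bytes at 0x40."""
    code = b"\xb8\x01\x00\x00\x00\xc3"
    return code + b"\xcc" * (0x40 - len(code)) + b"\x00" * 64


def demo():
    """Hook the 5-byte `mov eax, 1` at offset 0 with the hypothetical payload."""
    return install_code_cave(demo_blob(), 0, 5, HYPOTHETICAL_SPEED_PAYLOAD)


if __name__ == "__main__":
    patched, cave = demo()
    print("cave at 0x%x, hook jumps to 0x%x, cave jumps back to 0x%x"
          % (cave, decode_jmp(patched, 0), decode_jmp(patched, cave + 16)))
```

The two `decode_jmp` checks at the end are the minimum verification worth doing before writing the patched file back: the hook must land exactly on the cave start, and the cave's final jump must land on the first byte after the overwritten instruction, otherwise the game will execute garbage and crash.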
This procedure is often used by malware developers to hide malicious code in benign applications. Its drawbacks are that it is easy to break the application, and that it requires you to write your changes in assembly.
An easier solution is to hook the library used by the client in order to hijack the execution flow and run custom code. With this approach you write a new shared library in C/C++ and use LD_PRELOAD (on Linux) to have the dynamic linker load it before all others, so that the symbols it exports take precedence over the game's own. This post gives an example of how to use LD_PRELOAD to modify the game logic so that you can teleport anywhere at any time and change your movement speed and jump height on the fly.
When you run a video game, or any other application, on your laptop, you execute instructions written by the developers for a specific purpose. Sometimes these instructions restrict you: an evaluation version that exits after 30 minutes, or a character in your MMORPG that cannot jump high enough to reach a hidden location. The executed instructions live on your computer, which you control. You can therefore change them to bypass restrictions (cracking), but also to improve the application or add new functionality. This requires opening the binary, understanding its functions (reverse engineering) and patching it.
In this post we will not change any complex logic in the binary; we simply modify one instruction to improve our character's capabilities by increasing its movement speed.
Players usually explore, interact with and understand a game through its regular user interface. In Pwn Adventure 3, the inputs are the mouse and keyboard, with which the player moves around and interacts with the world of Pwnie Island; the output is the rendered 3D graphics and the HUD. Sometimes, however, the output is not enough for the player to work out exactly what has to be done to finish a quest. Such “secrets” are often used by developers to increase the difficulty and/or to force players to explore, experiment and discover new things in the game. Since the game was released for a two-day CTF, we do not have much time, and we want to be the first to finish all the quests. That is where reverse engineering comes in handy.
The proxy developed in our previous post allows us to intercept and modify the network communication between the client and the game server(s), which lets us spawn at any location, forge new elements on the map and pick up any object.
Now that we have reversed most of the network protocol between the game server and the client, let's intercept and manipulate it. I personally prefer Python when it comes to building quick and dirty scripts. Here we need an asynchronous proxy that handles binary data, so I will use Python 2.7 with the standard asyncore, socket and struct modules.
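The core of such a proxy, independent of the socket handling, is splitting the TCP byte stream back into protocol messages and rewriting the ones we care about. The example below is added here for both excerpts above and is not code from the original posts; the message layout it uses (a 2-byte little-endian opcode followed by fixed-size fields) is a constructed stand-in for the real Pwn Adventure 3 protocol, and the opcode values and field names are assumptions. It shows the part that trips up most quick proxies: a single `recv()` can return half a message or several messages at once, so the splitter has to buffer across reads before any struct unpacking or rewriting happens.

```python
"""Stream splitting and message rewriting for a binary game protocol proxy.

Added, constructed example. The protocol layout is an assumption, not the
real Pwn Adventure 3 format: every message starts with a 2-byte little-endian
opcode and has a fixed length that depends on that opcode.
"""
import struct

OP_MOVE = 0x0001   # hypothetical: followed by x, y, z as float32 LE (player position)
OP_PING = 0x0002   # hypothetical: followed by a uint32 LE counter

MOVE_FMT = "<Hfff"
PING_FMT = "<HI"
MSG_SIZE = {OP_MOVE: struct.calcsize(MOVE_FMT), OP_PING: struct.calcsize(PING_FMT)}


class StreamSplitter:
    """Accumulates raw socket data and yields only complete messages.

    One instance per direction (client->server, server->client), because
    each TCP stream has its own message boundaries.
    """

    def __init__(self):
        self.buf = bytearray()

    def feed(self, data):
        self.buf += data
        out = []
        while len(self.buf) >= 2:
            (op,) = struct.unpack_from("<H", self.buf, 0)
            size = MSG_SIZE.get(op)
            if size is None:
                # Unknown opcode: the length is unknown too, so we cannot resync
                # by skipping bytes. Fail loudly rather than forward garbage.
                raise ValueError("unknown opcode 0x%04x at stream offset" % op)
            if len(self.buf) < size:
                break  # partial message: wait for the next read
            out.append(bytes(self.buf[:size]))
            del self.buf[:size]
        return out


def parse(msg):
    """Decode one complete message into a tagged tuple."""
    (op,) = struct.unpack_from("<H", msg, 0)
    if op == OP_MOVE:
        _, x, y, z = struct.unpack(MOVE_FMT, msg)
        return ("move", x, y, z)
    if op == OP_PING:
        _, n = struct.unpack(PING_FMT, msg)
        return ("ping", n)
    raise ValueError("unknown opcode 0x%04x" % op)


def teleport(msg, x, y, z):
    """Rewrite a position update to the chosen coordinates; pass others through."""
    (op,) = struct.unpack_from("<H", msg, 0)
    if op != OP_MOVE:
        return msg
    return struct.pack(MOVE_FMT, OP_MOVE, x, y, z)


def client_to_server(splitter, data, target):
    """Handler for one chunk read from the client; returns bytes to forward.

    In an asyncore-based proxy this is what the client dispatcher's
    handle_read() would call before writing to the server socket.
    """
    return b"".join(teleport(m, *target) for m in splitter.feed(data))


def demo():
    """Constructed client stream fed in 5-byte chunks to exercise partial reads."""
    stream = (struct.pack(PING_FMT, OP_PING, 7)
              + struct.pack(MOVE_FMT, OP_MOVE, 1.0, 2.0, 3.0)
              + struct.pack(MOVE_FMT, OP_MOVE, 4.0, 5.0, 6.0))
    target = (100.0, -250.0, 30.5)
    splitter = StreamSplitter()
    forwarded = b"".join(client_to_server(splitter, stream[i:i + 5], target)
                         for i in range(0, len(stream), 5))
    return forwarded, [parse(m) for m in StreamSplitter().feed(forwarded)]


if __name__ == "__main__":
    for decoded in demo()[1]:
        print(decoded)
```

Pinning every outgoing position update to a fixed target is the simplest form of the teleport described in the later post; a real proxy would trigger the rewrite on a hotkey or on a specific opcode rather than unconditionally. The same splitter is also what you need before handing messages to a dissector, since the server side may coalesce several updates into one segment.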
Wireshark is one of the best, if not the best, packet analysers available. It captures the traffic sent from and to your machine and parses its content into a human-readable representation. Hundreds of protocols and media types are currently supported. Since the Pwn Adventure 3 protocol is custom and not widely used, Wireshark ships no dissector (parser) for it by default. Eric “maetrics” Gragsone has already published a custom dissector in Lua, which was helpful for this blog series. However, that dissector is missing some of the information we covered in the last post. Instead of reusing and improving it, we will start from scratch so that I can explain the process and logic of building a Wireshark dissector.
In the previous post we saw a methodology for reversing a binary network protocol. In the example given, we dissected the packet that updates our location in the game. We will continue reversing the protocol, this time in less detail, as I hope you now have a better understanding of the process.
In this blog post we will look at the network traffic between the client and the Pwn Adventure 3 game server in order to reverse the protocol and understand its content. For this we will use Wireshark and a bit of methodology.
Welcome to this new blog series about Pwn Adventure 3: Pwnie Island! In this series we will cover different aspects of security that we often have to deal with during penetration tests, such as network analysis, reverse engineering and packet tampering.