Book Excerpt: Exploiting Online Games
 
 
by Greg Hoglund, Gary McGraw
 
 
August 10, 2007 (Page 2 of 5)
 

Data Exposure and Countermeasures

Obviously you can search for and alter data at will in any target game program. But remember that the game program can also search memory. The game may employ countermeasures that search for modifications made to its own code or data (e.g., through the use of integrity checking), and it can also scan for any injected code or data that you have placed into memory (using active malware scanning).

Many of the techniques we show you involve altering code, tweaking data bits, and injecting threads or DLLs into the game process. All of this activity can and will be detected by some game software. The obvious example is Blizzard’s Warden, which protects the WoW game. There are ways to hide from and defeat many, if not all, forms of scanning, but some of them can get quite complicated.
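The integrity checking mentioned above, seen from the game's side, as an added example that is not code from the book or from any shipping anti-cheat system: the program records per-chunk hashes of a protected region and later re-scans to find the first chunk that no longer matches. The names `region_guard`, `guard_init`, `guard_scan` and `demo_tamper_at` are hypothetical, the sample data is constructed, and FNV-1a is assumed here only as a stand-in for a keyed or cryptographic hash.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHUNK 16       /* bytes per checked chunk (assumed granularity) */
#define MAX_CHUNKS 64  /* upper bound on chunks per guarded region */

typedef struct {       /* known-good baseline for one protected region */
    const uint8_t *base;
    size_t len, nchunks;
    uint32_t hash[MAX_CHUNKS];
} region_guard;

/* FNV-1a (32-bit) over chunk i; the final chunk may be shorter than CHUNK. */
static uint32_t chunk_hash(const region_guard *g, size_t i) {
    size_t off = i * CHUNK, n = g->len - off < CHUNK ? g->len - off : CHUNK;
    uint32_t h = 2166136261u;
    for (size_t k = 0; k < n; k++) { h ^= g->base[off + k]; h *= 16777619u; }
    return h;
}

/* Record the baseline. Returns 0 on success, -1 on a bad or oversized region. */
int guard_init(region_guard *g, const void *base, size_t len) {
    size_t n = (len + CHUNK - 1) / CHUNK;
    if (base == NULL || len == 0 || n > MAX_CHUNKS) return -1;
    g->base = base; g->len = len; g->nchunks = n;
    for (size_t i = 0; i < n; i++) g->hash[i] = chunk_hash(g, i);
    return 0;
}

/* Re-hash the region: offset of the first modified chunk, or -1 if intact. */
long guard_scan(const region_guard *g) {
    for (size_t i = 0; i < g->nchunks; i++)
        if (chunk_hash(g, i) != g->hash[i]) return (long)(i * CHUNK);
    return -1;
}

/* Constructed sample: a 40-byte block standing in for game data. */
static uint8_t sample_state[40];

long demo_tamper_at(size_t off) {
    region_guard g;
    memset(sample_state, 0x41, sizeof sample_state);
    if (guard_init(&g, sample_state, sizeof sample_state) != 0) return -2;
    if (off < sizeof sample_state) sample_state[off] ^= 0x01; /* simulated edit */
    return guard_scan(&g);
}

int main(void) {
    printf("intact: %ld, edit at 17: %ld\n", demo_tamper_at(100), demo_tamper_at(17));
    return 0;
}
```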

Data at Rest, Data in Motion

Sometimes data are at rest, say, in the memory of your computer. Sometimes data are in motion, say, as they whiz by on the network connection between two communicating programs. If you focus only on data in memory, you’ll be missing out on half the fun. By modifying data in packets that are coming and going, you can deeply affect game play just as readily as you can when you change local instances of data in your computer’s memory. In fact, if you know exactly how a given communication protocol works, you can rewrite the game client with a stand-alone client of your own.[2] After all, what you really need is a program that takes in specific input and produces specific output.

Let’s make this concrete: Sometimes, by sniffing the right packets, you can determine the location of the secret potion without even using a debugger. Figure 6–9 illustrates an example of such a sniffer. The program, called WoWSniffer, clearly illustrates the ability to sniff chat messages in transit over the network. This is especially interesting because the communications over the network are supposed to be encrypted. Apparently, the author of WoWSniffer has cracked the encryption.


Figure 6–9 - The WoWSniffer program is shown here running against World of Warcraft. The messages displayed in the sniffer window have lots of information about the inner workings of the game client.

Looking Elsewhere for Data

Elsewhere in the book, we introduce the idea of aimbots. Recall that aimbots can provide a player with uncanny, superhuman aim. Aimbots work by detecting the 3D coordinates of your enemy and calculating at exactly what angle to point your weapon to hit him or her with the best possible shot. Automatically pointing your sniper rifle into your opponent’s left eye socket requires looking around in the data that store the 3D coordinates of objects being rendered in the game.

What makes aimbots particularly interesting is that they don’t just look at data in the game program; instead, they take advantage of how data interact with the video card. The video card itself has a boatload of onboard RAM that stores data structures for rendering 3D objects. (Of course, gamers make a point of having the latest in graphics technology to play their games.) As it turns out, aimbots can take advantage of the 3D data stored in the video card to find the 3D coordinates of objects in the game world. How creative!

Figure 6–10 shows how an aimbot can compute and maintain a carbon copy of all the objects being rendered in the video memory—even those objects not yet directly in the field of view. It does this by intercepting communications between the game and the Direct3D video library provided with Microsoft Windows.


Figure 6–10 - How an aimbot intercepts 3D coordinates as they are sent to the video subsystem in order to compute such things as enemy placement.
[2] This is an example of the attack pattern “Make the client invisible” from our book Exploiting Software. Much more on this can be found in Chapter 9.
 