Ten Ton Hammer Book Review:

Exploiting Online Games:
Cheating Massively Distributed Systems

by Jeff "Ethec" Woleslagle

July 23, 2007 - First of all, let's make it very clear that Ten Ton Hammer doesn't condone hacking, exploiting, cheating, or otherwise altering or automating gameplay in ways directly or tacitly forbidden by game developers.

We took up the book Exploiting Online Games by Greg Hoglund and Gary McGraw both to keep up on the industry and to discover how, despite the talented minds and heaps of cash developers regularly pour into data security, hackers still routinely slip through the screen, enabling cheaters to outperform honest players and, more seriously, provide secondary market resellers with relatively low cost access to virtual goods. At many points during my reading of the book, I was sickened by the sheer amount of resources put towards security that assuredly could be better spent designing a fun game, were it not for cheaters of all stripes. I'm angered like a little kid who arrives at his favorite playground to find it's become a construction site, but I'll do my best to remain objective.

	Title:	Exploiting Online Games: Cheating Massively Distributed Systems
	Authors:	Greg Hoglund, Gary McGraw
	Released:	July 21, 2007
	Buy it at:	Amazon ($44.99 MSRP)

I also wish to make it clear that my programming experience amounts to two semesters of C++ in college eight years ago, and most of what I knew is lost to me. Therefore I'm going to assume that the substantive amount of code included in the book - roughly 20% of the book is code at a probable conservative guess- works as intended. This isn't token code, either. While exact memory addresses are blacked out, included in the well documented code is everything from how to run a private World of Warcraft server to a roughshod primer in assembly code.

But my intent in this review is to critique the book and its authors on their own terms: whether or not the book is of equal value to those promoting online security and those who subdue it. The author pointed out the "yin and yang" symbol on the cover as a pledge of sorts (p. 326), equal offense and defense, black hats and white hats – so I'll attempt to take them at their word.

Because it's there…

Hackers have never been short on raisons d'etre, but kitting out a single character or account is hardly worth the many hours it takes to reverse engineer software, debug and disassemble the game's executable and its dependencies, and so on, all the while dodging the security countermeasures. Another possible motive is money. With the billion dollar virtual item industry, there's financial impetus a-plenty.

But like most white-collar crime, hacking is moreso about the challenge and the status that comes from a successfully doing what no one else has done. There's a lively subculture to turn to for support, adoration, and approval, and beyond that, it's hard to imagine a larger anonymous software "theater" for exploiters than a game like World of Warcraft. 

Beyond that, if government systems are a hacker's Mt. Everest, financing networks their K2, then MMORPGs and online games are like to Mount Rainer – a beefy and constantly evolving challenge that doesn't punish mistakes nearly as harshly as the big boys. Early in the book, the authors note that the most a wayward hacker could reasonably expect was in effect a virtual slap on the wrist – a banned account. Few enterprises and next to no individuals have been sued- much less arrested- for hacking an MMO, yet MMOGs are considered a "bellwether for other kinds of modern software" (p. 17). For these reasons, security will be a constant concern for MMOG developers for years to come, and Exploiting is a timely book indeed. But timely for whom?

Questionable Sympathies

Though the authors don't portend to approve of hacking online games in the early chapters, offering a bromide about how knowledge is power for those on the "white hat" side of the data security line (i.e. those defending "massively distributed real-time systems" against attack) and that "ignoring the problem or threatening people who talk about vulnerabilities is no substitute for building more secure games," (p. 17) their supposedly objective stance would be better served if they offered hints as to how to block an proposed attack. Instead, those interested in data security should be prepared to read between the lines.

Here's one example of questionable sympathies: A botnet attack on the logon process is suggested to create lag on the game servers, thus allowing for a better chance for executing a successful "duping" exploit (creating copies of a virtual item through illegitimate means). The smart move is what many developers have already done: move the logon process to its own physical server. Thus such an attack (while annoying for folks wishing to log in) won't affect server-side processes related to the game itself. In other points of the book, a developer might learn best practices by learning what reverse engineers hate: "function chunking" and "variable reuse" (p.284) as two examples.

But other instances of language sympathetic to hackers are rife. "Unfortunately, you can't hack WoW simply by overwriting your hitpoints with a new value because the server keeps the hitpoints on its end," (p. 153) and "Care must be taken when developing and using aimbots to ensure that their superhuman potential does not become a giveaway" (p. 35) represent two instances of an obvious authorial lapse from "white hat" to "black hat."

But game developers won't find many counters to malicious attacks in the book, not unless the book's authors had first butted heads with a successful defense. One such defense was the Blizzard's "Warden" technology. Instead of confronting the process-scanning spyware head-on, the authors take half a chapter to rant about the legitimized invasion of privacy- as if the authors were on firm enough moral ground to be making accusations themselves. The result feels like a justification for hacking and reads like any number of second rate hacker's manifestos scattered around the Internet. No sympathy is found, however, for the paying gamer that can't finish a quest due to a botter's interminable presence over a spawn point, or a legitimate gamer who can no longer afford the auctionhouse due to goldseller inflation.

While Warden does meet any reasonable criteria of spyware and is pretty shady in and of itself, one can assume that the technology (which wasn't a part of WoW at launch) was developed as a countermeasure to hackers and exploiters whose disruptive attacks were in some part to blame for crippled login processes, game performance, and the negative effects of a highly inflated economy throughout 2005. The effects have anything but dissipated, but kudos to Blizzard for grabbing a bigger bat to defend legitimate players. At any rate, the authors later explained how to use kernel-subversive techniques such as using a virtual machine (VM) to render a bot invisible to Warden. Honest players can rest assured that these methods aren't the domain of the garden-variety hacker, nor do they seem especially distributable.

Non-Sequitors

I don't pretend to be an expert on any of the many topics presented in the book, and if I were assigning a point rating in this review I certainly wouldn't deduct for what I'm about to draw out, but there are two points which should have been better explained. In Chapter 8: Reversing, the authors write "A security analyst needs to focus attention on the entire program and all of its intricacies; a hacker can go for the high-value targets and ignore the rest. Software security is completely lopsided and unfair in this respect, but that's just how things are." (p. 262) Now, if you were a security analysts with limited time and resources focusing on something as complex as an MMO, wouldn't you focus your efforts on those high value targets and work your way down?

Another instance of "this doesn't follow" is in the explanation of packet encryption between client and in Chapter 6. "Because of the way the communication works, the endpoints need to know about what kind of cryptography is being used as well as secrets like crypto keys. In other words, the game client itself must know how to decrypt said traffic." I know very little about cryptography, but it stands to reason that you could break that rosetta stone in two, giving half to the server and half to the client. Grab a different key and do the same for traffic heading the opposite direction (if data really needs encrypted from the server to the client, perhaps to protect the user from malicious hackers). Perhaps there's a reason why this isn't possible, but the authors didn't elaborate.

From the Bunny Slope to Double Black Diamond programming... and back

As said before, the amount of raw code in the book (some of which is assembly code, no less) is daunting. I was on the brink of saying that non-programmers need not apply, but those who want to hack badly enough will probably pick up what they need from the laundry list of hacker-friendly software and impressive number of URLs sprinkled throughout the book. But after a docile 5 chapters of technical considerations and legal concerns, the learning curve goes through the roof at the beginning of Chapter 6:  Hacking Game Clients. Non-programmers may apply, but those unwilling to whip out their compiler won't get much (except maybe some handy definitions to phrases like "Z hacking", "emulation servers," and "variable reuse" (p. 284) to impress your friends) out of the latter half of the book.

And, as a single bonus for casual gamers, the checklist on the last pages is an extremely insightful gamer security checklist that goes way beyond "Don't give out your password to anyone!" The practice of modding, an often EULA-friendly means of altering game elements and the interface, is given a once over in chapter 9 as well.

All in all, it's fairly obvious that this is a book written for knowledgeable programmers who want to explore the MMORPG dark side rather than gamers interested in countervailing exploiters or simply being in the know. Definitions for MMO jargon such as "agro" (aggro) and "ad" (add) are provided, but programmer patois like "instantiate" and "stack" pass by without help. Hardcore and casual MMO gamers, you are not the target audience.

Developers can glean some best practices out of the text at intervals, but as the title implies, this is much closer to a recipe book for online mayhem than a manual for securing your online game.