- Chapter 1. Introduction
- Chapter 2. Investigation
- Chapter 3. POC and game hack
- Chapter 4. Experiments
- Chapter 5. Fixes, traffic analysis and Randy
- Chapter 6. Conclusion
This chapter is written for people who are not experts in computer engineering. Skip it if you already know what the following are:
- HTTP, WebSocket
- TLS and security certificates
- MITM attack
- main server (or simply server) is responsible for saving progress, purchases, finding matches, syncing attachments and skins, etc.
- dedicated server is a server that processes one specific match: movements, shots, hits, use of zip lines, etc. After the match is over, it transmits information to the main server and self-destructs.
- where 085 is the version of the game at the time of this writing. Take this only as an example; all vulnerabilities mentioned here are fixed in this version
- EAC is considered here as a black box that completely blocks access to the game client and has no vulnerabilities of its own. This article has nothing to do with protection rings or client-side anti-cheat bypasses
- A third party cannot decrypt the TLS traffic between the game and the server; only the endpoints of the connection (the game server, and the client itself) can decrypt it.
From the logs it is quite obvious that the game uses HTTP to communicate with the server. Just look at this line:
[ApiCommon::LogState] Request id: 3EC97AE4-8B26-4220-AB10-4580E6B407A9 - POST /api/v1/users/login_queue/steam created
- 3EC97AE4-8B26-4220-AB10-4580E6B407A9 - request GUID (v4). Used to simplify debugging
- POST - HTTP request method
- /api/v1/users/login_queue/steam - HTTP path where data is sent during authorization
HTTP is the protocol used when you surf the web, listen to music through YT or Spotify, use web banking or government websites. However, it doesn't encrypt anything, and anyone on the path between you and the server can read and modify the data. That's why HTTPS replaced HTTP.
However, the HTTP protocol only allows the server to respond to a request initiated by the game client. In order for the server to be able to push information to us, WebSocket is additionally used. Without it, you would not receive any invitation to the squad, etc. It will not be considered in this article.
To protect the traffic between the game and the server, the HTTP protocol is wrapped in the TLS protocol. TLS provides encryption that is, with current techniques, computationally infeasible to break.
However, how does the game know that the encrypted connection is with a real game server and not a fake one?
Special security certificates are used to solve this problem. In essence, this is a "document" that certifies that you are connecting to a real server.
Of course, if such a "document" is self-signed or issued by an untrusted certificate authority (CA), this is a reason to terminate the connection and notify the user of a possible attack.
The list of trusted CAs is stored in the system files of the operating system.
However, some applications, such as web banking apps on smartphones, ignore the system CAs for better security and trust only the certificates (or CAs) that the developers embedded directly in the application code. This technique is known as certificate pinning.
Of course, Shatterline also uses this method, because otherwise cheaters could add their own CA to the trusted list and Windows would "tell" the game that it is connected to a "real server", when in fact it is a proxy server which, after decrypting the traffic (since from the client's point of view it is the "real server"), repackages it and forwards it to the real server. This way we could read the traffic between the game and the server and even manipulate it.
In the same way, antivirus products inspect traffic they consider suspicious. This is why you can see Avast in the list of trusted CAs in the previous screenshot.
Basically, this is a classic man-in-the-middle (MITM) attack where the cheater attacks himself.
In fact, this is the nightmare of any game developer, because in this way the cheater can do almost anything with the game client and none of it will be visible to any anti-cheat, since the "cheat" itself runs on another PC or somewhere in the cloud. If the developers realize that something is wrong, they will not have any convincing evidence even after the most thorough manual inspection of the PC. And even if they do realize it's a MITM attack, it will be difficult to ban the cheater, because it would be necessary to prove that he was attacking himself in order to gain an advantage.
It is common knowledge that before the Russian invasion of Ukraine, the publisher of the game was Wargaming. Usually, Wargaming (WG) doesn't worry about cheaters, doesn't use anti-cheats and even allows mods in its multiplayer games like WOT, because in that game the client, for example, always displays the location of all the tanks it receives from the server, and it is the game server that determines whether the player should see a tank or not.
Also, to increase flexibility, WG uses the following scheme: before launching a game, the launcher asks the server for the game server host address and passes it as a launch parameter. The same scheme was used in a past project on which part of the modern Frag Lab team worked at Crytek Ukraine.
Since the game is launched through Steam, not WG, the developers created an online.cfg file where they entered the online_server variable, which contains the server host address.
It was a huge mistake. The fact is that EAC doesn't check the integrity of this file, and even if it did, nothing would prevent us from changing the value of this variable in other configuration files, passing it as a startup parameter, etc.
This problem can be solved in two ways:
- checking the end of the server address: playtest-rel085live.playtest-rel085.aws.fraglab.com
- server certificate thumbprint (hash) verification
The first method is simple and clear, but there is no guarantee that someone will not figure out how to change the value of the variable after checking it. Let's not forget that this is a variable, not a constant.
The second method is more difficult to understand, but much more effective. Each certificate has a unique thumbprint. Even if you create 2 certificates for the same domain name, they will have different hashes.
Of course, the developers used the second method. Now even if you compromised Amazon's CA and issued a certificate for *.fraglab.com, you wouldn't be able to intercept the traffic, because the thumbprint would be different.
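To make the difference between the two checks concrete, here is an added example (not code from the article or from Frag Lab) that compares a naive host check with a proper suffix check and a SHA-256 thumbprint pin; the allowed suffix, the pinned value and the DER bytes are constructed placeholders.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed placeholder: a real pin is the SHA-256 of the DER encoding of the
# certificate that is actually deployed on the game server.
PINNED_SHA256 = hashlib.sha256(b"constructed stand-in for the real DER certificate").hexdigest()

# Assumed allowed suffix, derived from the host name quoted in the article.
ALLOWED_SUFFIX = ".aws.fraglab.com"


def cert_thumbprint(der_cert: bytes) -> str:
    """The 'thumbprint': SHA-256 over the DER encoding of the certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pinned_hex: str = PINNED_SHA256) -> bool:
    """Constant-time comparison, so timing does not reveal how many digits matched."""
    return hmac.compare_digest(cert_thumbprint(der_cert), pinned_hex.lower())


def host_allowed_naive(host: str) -> bool:
    """Weak check: any host that merely *contains* the expected name passes,
    including look-alike names under a completely different registered domain."""
    return "fraglab.com" in host.lower()


def host_allowed(host: str) -> bool:
    """Suffix check as the article describes it: the allowed suffix must end the
    name, and the leading dot enforces a label boundary."""
    return host.rstrip(".").lower().endswith(ALLOWED_SUFFIX)


def connect_pinned(host: str, port: int = 443, pinned_hex: str = PINNED_SHA256) -> ssl.SSLSocket:
    """Open a TLS connection and keep it only if both checks pass (needs network;
    the offline test exercises the pure functions above instead)."""
    if not host_allowed(host):
        raise ssl.SSLError(f"host {host!r} is outside the allowed suffix")
    ctx = ssl.create_default_context()  # normal CA validation still applies
    sock = ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)
    if not pin_matches(sock.getpeercert(binary_form=True), pinned_hex):
        sock.close()
        raise ssl.SSLError("certificate thumbprint does not match the pinned value")
    return sock
```

Note that the pin is independent of the host name: a second, perfectly valid certificate for the same domain still fails `pin_matches`, which is exactly the property the article relies on.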
However, let's go back to the time when hash verification was not yet added.
Amazon issues certificates for free, but allows them to be used only on its own services. That is why the following setup was made:
- certificate for *.playtest-rel085.aws.fraglab.com.liub0myr.pp.ua
- EC2 VM with OS Windows Server 2016 Standard
- Load balancer
The load balancer "balanced" all the traffic arriving on port 443 to port 80 of the VM. In fact, it was used only for TLS termination, i.e. to decrypt the traffic.
Ok, we got the decrypted traffic, but that's only half the job.
Charles (Charles Web Debugging Proxy) is an extremely useful, simple, productive, reliable tool that, unfortunately, few people know about.
Key Features:
- TLS Proxying - view TLS requests and responses in plain text (the Charles CA root certificate must be installed)
- Breakpoints - holds a request or response until the user edits it manually and releases it
- Reverse proxy - redirects all incoming requests to the specified server
- Rewrite - automatic change of the content (or part of it) of the request/response according to the template
- Block list - requests to listed hosts always get a 403 response
- Throttling - emulation of any connection quality
- Map Remote/Local - allows to redirect requests to another server (remote) or return a response directly from a file (local)
After the traffic was decrypted by the load balancer, it was sent to Charles. Charles made it possible to easily record requests and responses in the session dump and change their content.
I should note that I didn't get any anti-cheat blocking because I didn't have any cheats running on my PC. The only exception was the RDP client (mstsc.exe).
It got to the point where I created an airstrike in PVP, could go through walls, teleport, kill anyone with one shot without even hitting an enemy!
The fact is that when the game "asks" the main server what inventory I have, part of the answer was replaced automatically using Rewrite. It said I had a bolt-action Reaper sniper rifle with the following configuration:
- it is actually a Firespray submachine gun: damage and range taken from the SR, the rest of the stats from the SMG
- "Dragon's Breath" perk applied: turns bullets into explosive charges that cause area damage
- the following attachments are installed:
  - sight, handle, silencer from the Firespray
  - 50-round magazine from a Pacifier assault rifle
  - "Titanium pellets" attachment for the Black Falcon shotgun, which increases the number of pellets by 5 per shot, but in our case multiplies the damage by 6 (1+5)
Although the perk slightly reduces the damage, we still have a base damage equivalent to 6 shots from the most powerful sniper rifle in the game. Therefore, all enemies within a radius of 3-6 meters from the point of impact died instantly from one shot, and it doesn't matter whether I hit the enemy or the wall next to him.
In the same way, I replaced abilities and ultimate abilities with test ones. In the video in chapter 6, I used teleport and airstrike from the prototypes of the Chosen (a character only available in PVPvE mode).
Of course, the dedicated server checks the player's inventory before admitting the player to the match, but previously there was a logical error: when changing the attachments of a weapon in use, it was also possible to change the attachments and abilities of weapons and abilities that were not in use at that moment to invalid ones. When attachments are changed during the game, the client also sends the information to the main game server for synchronization. If that request fails, the game re-synchronizes its inventory with the server, and it is at this stage that the Rewrite occurs.
It was possible to run modes that aren't available (event modes, for example Halloween in the middle of spring) and even modes, maps and PVE missions that hadn't yet been presented in the game. The fact is that this is a playtest, and the developers simply forgot to remove them from the public test branch on the server. All the "protection" against starting them was the absence of a start button in the menu. For example, I asked the server to start searching for a PVP match, the packet arrived in Charles, I replaced the value with Hephaestus (which at that time wasn't even officially announced) and the game started searching in quick game for Hephaestus. Since the squad was complete, we immediately found a match and started playing an almost finished mission.
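As an added illustration of the logical error in the inventory check described above (not the game's own code), the following Python sketch contrasts a validator that only inspects the weapon currently in use with one that validates every loadout the request touches; the compatibility table uses weapon and attachment names from the article, but the slot assignments are constructed.

```python
from dataclasses import dataclass

# Constructed compatibility table: which attachment fits which slot is
# illustrative only and is not Shatterline's real item data.
COMPATIBLE = {
    "Reaper":       {"sight": {"SR scope"}, "magazine": {"SR 5-round"}, "muzzle": {"SR suppressor"}},
    "Firespray":    {"sight": {"SMG sight"}, "magazine": {"SMG 30-round"}, "muzzle": {"SMG silencer"}},
    "Pacifier":     {"sight": {"AR sight"}, "magazine": {"AR 30-round", "AR 50-round"}},
    "Black Falcon": {"special": {"Titanium pellets"}},
}


@dataclass
class Loadout:
    weapon: str
    attachments: dict  # slot -> attachment name


def loadout_errors(loadout: Loadout) -> list:
    """Every attachment must be listed for its weapon and slot in the table."""
    table = COMPATIBLE.get(loadout.weapon)
    if table is None:
        return [f"unknown weapon {loadout.weapon!r}"]
    return [f"{loadout.weapon}: {name!r} not allowed in slot {slot!r}"
            for slot, name in loadout.attachments.items()
            if name not in table.get(slot, set())]


def apply_change_flawed(inventory: dict, changes: dict, in_use: str) -> dict:
    """The logical error: only the weapon in use is validated, so a request
    that also rewrites idle weapons is accepted as a whole."""
    if in_use in changes and loadout_errors(changes[in_use]):
        raise ValueError(loadout_errors(changes[in_use]))
    return {**inventory, **changes}


def apply_change_fixed(inventory: dict, changes: dict, in_use: str) -> dict:
    """Validate every loadout the request touches, in use or not."""
    errors = [e for lo in changes.values() for e in loadout_errors(lo)]
    if errors:
        raise ValueError(errors)
    return {**inventory, **changes}


# Constructed request: a legitimate tweak to the in-use Firespray, bundled with
# SMG optics, an assault-rifle magazine and shotgun pellets for the idle Reaper.
INVENTORY = {"Firespray": Loadout("Firespray", {"sight": "SMG sight"}),
             "Reaper": Loadout("Reaper", {"sight": "SR scope"})}
REQUEST = {"Firespray": Loadout("Firespray", {"sight": "SMG sight", "muzzle": "SMG silencer"}),
           "Reaper": Loadout("Reaper", {"sight": "SMG sight", "magazine": "AR 50-round",
                                        "special": "Titanium pellets"})}
```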
Of course, it took the developers some time to fix these and other minor issues not mentioned here, such as:
- a vulnerability that allowed taking first place in the leaderboard after the end of the ranked match season
- falsification of game statistics
- receiving rewards for tasks without completing them
- bypassing the limit of the game wallets
- the ability to give yourself boxes with rewards
However, after that I completely lost access to the game (in technical terms, I wasn't banned) and to the benefits I had gained, like starting old modes that are now out of rotation or creating private rooms just to play around with bolt-action sniper rifles in "headshots only" mode.
At the same time, I already had a detailed traffic dump in a handy tool, which effectively turned into REST API server documentation with detailed examples, and it was only a matter of time before I created my own fake game client.
This emulator was named Randy. Part of its API is available here.
As we say in Ukraine, it is better to see once than to read 100 times.
Any software has bugs, but some of them can lead to significant consequences. Fortunately, I found them first and they were all properly reported and fixed.
- Igor Shchyryi and Frag Lab for quick responses and permission to publish this material
- to my friends who let me test the power of this cloud cheat on them:
  - Apla
  - Ex3D
  - LUBIMKA
  - S.Y.B.
  - SaNtA
  - SteveAK (UA)