Friday, November 27, 2009

Generic Game

I like playing card games, and lucky me, there is a huge variety of card games to choose from.
Some of the games I like to play got a PC version as well, Solitary, Harts or even Taki are all very common casual games to play on the computer. I tried to figure out the reason, why it is that all the PC version of the games are so doll, poorly implemented, and generally very limited. For example, there is a local law in the realty version of Taki that if someone is left with only one card in hand he must declare "Last card", or else he have to take another seven new cards. Now the problem with Taki PC implementations is that it does not aware of this law, and there is no way for players to add it to the game. Another example would be the luck of undo in the windows solitary game.

Now it's one thing to say, "Oh, look at all these crappy games", and another to show that it's possible to implement it fairly better with less effort. So, let me explain, what could be done better.
When some people are gathered around for a good game of Munchkin, the only thing that supervise the game, and make sure that everyone are playing by the rules, is the players themselves, and none but them. I suggest the creating of a new gaming system that would replace all other PC card games whatsoever. The new system would have no rules programed into it. That's right no rules. Living back the need for rules would make it much essayer to program. Rules are taking the most time and effort to program, one can compared it to a big state machine, which none likes to write down, and none should. Furthermore, the more options that the game has, such as the "Last card" rule in Taki, the more pain in the ass it is to program it, and the poor developers are doomed to always forget some rules that are found in the real world game. It's time to give the players back the control over the game, and untie the bondage. All we need is a system that supplies a full discloser on what’s going on in the game. In this new kind of system, none would be able to perform a move in the game without everyone else to know about it, but nothing would stop him from performing it. I believe it's cryptographically possible to create such an environment using basic concepts of modern cryptography. Moreover, it would be possible to prove that someone took a random card from a virtual deck of cards, but none would have the information on which card it is, but the player who got it.

Of course, we are still left with the problem of two players join forces to win the game together, but that is a none virtual world problem as well.

I say it's time for us to have a descent card games system, made specifically for card games, but not any one in specific. The platform would allow anyone to load any kind of cards he or she likes as long as that person got the cards pictures in his / her arsenal of cards. It would be possible to take a card and put it on a virtual game table, or to hold it in virtual hand. Any player would be able to see what’s going on the table and to count the number of cards the other players are holding in their hands. Many games got different common move, such as putting a card from your hand on the table sides up in one game and sides down in another, therefor configurability is highly important.

So who wants to write it down with me?

Wednesday, September 2, 2009

Sentrigo Passwordizer

I haven't posted for quite some time as my recent fun project failed to produce any worthwhile results. I hope to find the time to polish it, to be able to publish something.

Meanwhile some interesting stuff has happened at my work which is worth writing about.
I have found some security flaw in the all mighty SQL Server database, all versions included.
My company, Sentrigo, has asked me to write a Proof Of Concept which later we decided to make into a tool which mitigates the problem. We published the tool for free download on our web site http://www.sentrigo.com/passwords.
The tool created some buzz (We call it buzzwordizer), so I decided to write down what exactly stands behind it.

It appears that SQL Server is saving in memory all plain text passwords of any user that is currently logged in with a specific kind of authentication called native SQL authentication (enabled only in mixed mode). The passwords are saved intentionally in an internal data structure containing log-in information. That data structure is kept allocated in memory, it's not just some memory left-overs wandering around the free blocks in the heap. I know this for sure, because I have succeeded in writing a tool to jump through some pointers in constant offsets in memory, to get from the global sessions table to all passwords. Needless to say, I have never seen these passwords vanish from memory for as long as the user is still logged in.

There are only two ways to log in to SQL Server. One is this method and the other is Windows authentication, which lets Windows perform the entire process of logging in. The latter method is not flawed. Microsoft suggest that you use the Windows authentication method, and even refers to the other one as deprecated in some cases. Despite that, Sentrigo has learned that many users still use the less recommended method, because it is easier to configure.

Now, one may ask what is so wrong in saving plain passwords in memory? Every trained Ninja knows that a highly privileged log-in is required to gain access to process memory. And once such log-in is obtained, the sky is the limit for what the user can do with it. On the other hand, up until SQL Server 2008 there had been a SQL command called DBCC BYTES that allowed a privileged user to read the local process memory remotely. Notice that being a database privileged user does not necessary mean being a local machine administrator, on the contrary - some organizations separate the two for security reasons, which is violated by this flaw.
Furthermore, the flaw could be combined with some other flaw which provides only memory leaking, to create a remote passwords dumper, although I'm not familiar with any such flaws at the moment.

To summarize it I would like to quote my CTO Slavik Markovich, from one of the posts published about this bug:
"Developers go to great lengths to ensure passwords are not even transmitted in clear text (for example at the time of login), let alone stored in a readable form. Users have come to expect that their personal passwords, are exactly that –personal – and that not even administrators can see them. Exploiting this vulnerability, an administrator will be able to see the passwords of users and applications that have connected to SQL Server, all the way back to the last restart. We respectfully disagree with Microsoft’s view that since it requires administrative privileges, the risk is mitigated. Even if you trust your admins, there are plenty of hackers capable of gaining escalated privileges, who could now easily access other systems across the network using these passwords."

After all, I would not consider this as major security problem as remote code exploitation, but it does indicates low security considerations, and could lead to bigger problems.

The thing I have found the most amazing about it is the way the Microsoft Security Response Team downplayed it. I have met more than one guy from the team in the past, and I must say that the team includes some well trained Ninjas that really should be adored for their good understanding of technical and low level details. They are all well familiar with every security aspects, and they have done some miraculous work in the past. On the other hand, from my point of view, they got a big fail on bureaucracy. They were quoting stuff from their books about how you should always trust your Administrators, and by that, they have failed to address this bug in the correct manner. And last and not least, the bug is still there. Bruce, to me you are still a phenomenal Ninja.
Relevant links:
http://www.sentrigo.com/
http://www.sentrigo.com/passwords
http://www.slaviks-blog.com/
http://www.businesswire.com/portal/site/google/?ndmViewId=news_view&newsId=20090902005149&newsLang=en
http://searchsecurity.techtarget.com/loginMembersOnly/1,289498,sid14_gci1366853,00.html
http://www.securitypronews.com/insiderreports/insider/spn-49-20090902PasswordFlawFoundInMicrosoftSQLServer.html
http://www.eweek.com/c/a/Security/Microsoft-Downplays-SQL-Server-Database-Vulnerability-893487/

Friday, August 7, 2009

Anti Theft


Welcome to my 2nd post, and for this post I already would like to introduce a guest, so please welcome him with cheers and rise your cups of Grog for The Raven Shkol.
All Ideas and stories for this entry are credited to both me and Shkol all the same.

So, it all started not so long ago, when I got to become a victim to a crime activity. Someone broken to my apartment, while I was away, and stole my work's laptop. Actually he also took my lock-picking kit (Look at the Irony, my lock-picking kit got stolen)
Luckily me, I had backups of everything, and the laptop was not an expensive piece of hardware.
But, this incidence got me thinking on what could I do better to make sure this would never happen again.
Soon enough I called Shkol to the rescue, because he got quite a wide experience in getting robbed, mugged or strangled to death.
We found out that there are many really cheap and simple solutions, to make it much harder for someone to break to your flat.
But, this is not what we would like to discuss here. What we really would like to go over is the ideas we had gathered for protecting either computers or the information on them form physical thefts.

Some of the ideas we got were simple and wired at the same time such as:
Example (For desktop computers only) Buying heavy weights at the local sports store, I got me about 10kg. Put the weights inside the computer case. Make sure the weights are well tied to the case and invisible from out side. Hope, no one would be determined enough to steal such a heavy piece of metal.

While other ideas were as trivial as locking the computer to something with a chain or so, for most computers cases got a place to put a lock on. Although, these locks are so easy to overcome for the trained ninja, in my case a burglar would find the lock-picking tools in the drawer next to the computer (and if that is not enough, there is a beginners lock picking guide next to it).

Some solutions were involving software solutions to make sure no one can access your information even if he get to put his hands on your precious hardware.
Either by encryption, Yes, I know it's quite a dull one. Anyway here are some links to good implementations we found:
Another approach to the problem would be using a data bomb. Its seems like there are programs to erase all the information on the disk once someone is giving a wrong password 3 times or so.
Or a better way to get the same effect would be to change your login account to be hidden, and create a "honey-pot" user with no passwords and a startup script which makes a fresh new brick out of your box.

The clothing store solution; using a two small devices that starts an alarm once the distance between the two is more then an apartment length (which is very small, in my case). I would recommend putting one of the devices inside the computer case and the other buried under the tiles. Very good and cheap such devices could be bought from DealExtreme:
If we are looking for some sensors to monitor any move of the computer, one common device that is packed with sensors would be a cell phone. Even the simplest phone with camera has an accelerometer in it. The accelerometer could be used to identifying the computer is pulled up. And once the situation is recognized sending an SMS or performing a call to 911 with pre-recorded message could be nice (But try not calling 911 on false positives, ok).

But, lets just say that we deal with quite a determined scum, which was able to pass all of our defense systems (And was strong enough to carry 15kg computer, down the road). Is there a way now, to find the new location of our precious? Well in case you thought about it in advance, there are some. One can buy some kind of a GPS device to send in a Beacon once in a while, just hope the signal would be strong enough, and that it wont be pointing to location in the middle of the ocean.
I tend to think that a solution using an IPhone with the "Find My IPhone" app could give out good results, quick and simple.
The thing is that these days I tend to think it's possible to achieve same results using just WiFi. Cell phones with WiFi and GPS became very popular lately, and if someone would establish a project for volunteers to map the locations of most WiFi hotspots / home routers, it would be possible to identify the location of devices with just identifying which WiFis are around it. Unfortunately, someone told me http://www.wefi.com/ thought about it before me.

And now for a bit less practical solutions:
A really awsome project could be, to write a new BIOS firmware to hold a true password protection, one that is not as simple to overcome as removing the battery from the mother-board. Most of the complicated work has already done in projects such as OpenBios, and this could be really nice extra feature to add to it. Of course, it won't protect the information found on the disk (unless you add some kind of encryption to it), but it sure could make an untrained ninja to think he just stole a 10+ kg brick.

You can train your computer to remember which WiFis are found around it, and to ask for password to approve any work in a new WiFis environment.

Finnaly, here are some links to relevant websites, that are worth a better page rank:
http://www.bzeek.com/
http://www.loki.com/
http://www.wigle.net/

So, that's what we had to say on the subject, I would love to hear any new solutions to the problem, so feel free to drop me a message.
Assaf Nativ
(and The Raven Shkol)

Saturday, July 18, 2009

Flash games cheating on Facebook

Some time ago I told a friend of mine, that I can easily beat his score in Jet Man the Facebook game, by using the well known technique of cheating.
The guy said he does not believe me, because if I could do so, then other people could do so and then there should have been many better high scores on the world wide table.
Little did he know that I'm a well trained Ninja (Or pirate, I have this identity crises right now).
I was sure it is possible and very easy to achieve, though I hadn't done anything like it, just yet.
I was very enthusiastic about it, and about a year later I started working on it. By that time I had found out that there are many people who cheat on Facebook games, so I thought that now I have to prove my superior mind.
From small research on Google, I found that the subject is more common than what I thought at first. The potential of the matter can be described in the ad found on one of the top google results:

Quickly I discovered that all of these games are written in Flash with some help of Facebook lib or so.
I went through about 5 different ways of cheating before I found the one that fits, and I'm going to describe the entire learning process I went through for other people to learn from my mistakes and maybe give me some new techniques and ideas, because I'm really out of new ones by now.
My first target was How Big Is Your Brain, which would help me prove the fact that mine is the biggest.

Without further ado, my first attempt
Memory scanning. As old time cheats I thought this must be the easiest and the most nostalgic way to overcome the problem.
The concept is simple, just do as following:
  • Accumulate some points, search the number in the FireFox process memory. You would probably find more then one instances of the value.
  • Gain some more points.
  • Search for the new value among the addresses you got from the last step.
  • Repeat the process until you are left with one address containing the value of your current score.
  • Set the value to a big big number.
  • Enjoy the results.
  • Eat some pancakes, which is what every ninja do after a long day of games hacking.
One can use program like "Cheat Engine 5.4" which could be freely downloaded from http://www.cheatengine.org/ or a python win32 debugging module.

This method fails miserably due the fact that the Flash engine saves all values in memory encoded in some way.
Google suggested that the encoding method used to be the value multiplied by eight. The encoding has changed since, and no one has yet to reveal and publish what it is (you laze ninjas).
Beside that, all strings are encrypted, no one yet to publish how (You laze pirates).
I started reverse engineering the engine, but lacked the time to complete the task (laze me).
If anyone is interested on hearing more about that, just contact me by email or so.

Method number two, using r4zcheat
While researching the solution for the last problem, I stumbled upon an application called r4zcheat.

This neat tool, allows you to load a Flash applet and explore all the variables, their names and values and change whatever you like at real time. Isn't that awesome?!
The only problem with that is the fact that it loads the SWF file outside the browser environment, while all the Facebook games requires the browser to handle everything in communicating with Facebook.
I was not to give up just yet!
First I've asked the guy who wrote the r4zcheat to send me the source code, but till the time of writing these words, I yet to get any answer from him. For my good luck, the guy happened to be a true hard core pirate, so after I dulled him to death he was glad to send it to me.
Reading the code, I found out that it's only taking advantage of the well documented Flash API, mainly with the function GetVariable, which is called from the ShockwaveFlash object (Some kind of all in one object that is used for all the control over the Flash engine instance). The flash application does not work inside a browser because it needs to create the Flash instance to have a reference to it and to invoke its' functions. I have tried for a little while to hook the iExplorer process, and look for the Flash instance address in memory using some pattern searching, then call these functions from an injected thread, but it took me too much time, so I decided to try another approach.
Btw, I used iExplorer and not Firefox on this attempt because there are some differences on the use of Flash between the browsers, it seems like iExplorer is using the FlashXX.ocx file while Firefox is using NPSWF32.dll. I am not so sure what is the big difference, and why there are two kinds of ways to use the embedded flash engine.

And that would bring me to the 3rd attempt
Fooling around with pseudo random numbers generator.
Well I thought that If I'll just patch the flash random function to always return the same numbers, I would always get the same questions in the game, right?
This would allow me to just remember the answers to get a very nice high score (but still in the reasonable range), after all "practice makes perfect".
So back to disassembling the Flash engine. Without getting too much into boring details on how disassembling is done, I would say that I needed to find the code that is relevant to the random function, within the entire binary file.
First I dived into documentations reading about the Flash programming language which is called Action Script (the phase I like to call RTFM).
I found out that there are many versions for the language each supports a new set of opcodes, while fully backward compatible with the old ones.
By disassembling I easily found the main processing loop that reads the next instruction and execute it. The function, of course, is mostly made of a huge "Switch" like code that operate on every different opcode (I found that there are many ways to improve the code for Flash to make it run faster, but that's a different story).
I've investigated the function that handles the RANDOM opcode (0x30) to find out exactly were does it spit out the new magic figure.
Luckily I found an inner function that handles all the random functionality. This function was not aware of anything like the Flash stack or so, but just returned a value using the EAX register.
I've encoded a small patch in pure assembly (Arrr) to read the values from file, instead of using the random function.
Then I made a backup of the NPSWF32.dll file and applied the patch to it.
I'm not so sure about what have I done wrong on this attempt, I'm just sure it did not worked as I expected.
It appears that Playfish (The company which made the "How Big Is Your Brain" game) has implemented their own random function in Action Script that uses the time as seed and some extra stuff.
I tried to make some workarounds for this, but I failed.

What would bring me straight to my 4th attempt
Slowing everything down. It seems like that all the questions in the game are very easy, it's just the time limit that makes it hard, so I've decided to try to fix this problem once and for all.
I thought about it for a while, and realized that the Flash engine must use the Windows APIs to read the local machine time to implement timers (Actually there is another way using the RDTSC opcode to read the timer, but I had some hope that they don't do that because that would have required a solution in the form of a driver, which is a great pain in the ass).
The general principle behind this method is to hook the Windows API functions.
This task is very easily done using the the Microsoft Detour library (http://research.microsoft.com/en-us/projects/detours/).
The functions we would like to hook are:
There are more APIs made up for this purpose, but I've checked the NPSWF32.dll's import table, to make sure they are not in use.
Hooking those functions is something that takes some programming time, lucky for me at this point of the project my girlfriend dumped me, which left me much more time to work on a solution. (though it probably wasn't the best idea to ask her to proof this article...)
For a better understanding of the detour library, I would recommend the help file that comes with it, and many other tutorials living out there on the net, waiting for someone to read them.
I just hooked the SetTimer to set the user input to be twice the real input.
For the GetSystemTime, GetTickCount and timeGetTime APIs I've saved the first read.
Calculated the delta from each new call to the first one.
Set the result to be the first value plus delta / 2.
This approach has got me some good results, the game was about four times slower, and I was able to get myself a very good high score.
Only until I got to the end of the game to see a message that my score was not accepted for some reason.
Bummer server timeout or something.
I guess I could have sniffed all the packets sent from my game to the server and replay those in the right times, and hope they do not conceal any time stamps.
But I found this solution to be very dull, so I moved to the next attempt.
BTW, this approach has slowed FireFox down as well, creating some very kewl effects on some websites.

Number five, and final, disassemling Action Script
This solution is going through the following steps:
  • Get the SWF file of the game.
  • Learning Active Script assembly.
  • Finding a good flash disassembler.
  • Making a real time patches to the game.
The first part was easy, I used CacheViewer FireFox plug-in to get the SWF file.
But, 2nd part was not as easy as it might sound. It took me a while to find a good PDF file on the subject. The only thing I was able to find was the "Action Script 2 Virtual Machine overview" PDF file (http://www.adobe.com/devnet/actionscript/articles/avm2overview.pdf), which was quite good, but the game was using mostly Action Script 3 opcodes.
The second best thing I found was the source code of Flasm, which is an open source Flash files disassembler (http://www.nowrap.de/flasm.html). However the Flasm is currently missing some parts as well. So, currently I settled for these , but I'm still looking for better papers on the subject, so if anyone of you pirates out there got anything better, please, do share.
Finally I've stumbled upon the commercial Sothink SWF Decompiler program that had a free trail version, which happened to be very good.

The program had a decompiler option that gave out a very readable Action Script code. Thanks to the great extra feature of ASM view, it was very easy to locate the right point for patching.
By this method I was able to patch any code of the program but not the values nor the defaults of anything.
Further problems with this methods are:
  1. I can't insert code I can only patch ASM with equal amount of bytes.
  2. I should be very careful not to fuck up the stack.
  3. I had to either find a way to make FireFox load my patched SWF file or patch at run time by searching the bytes I want to patch with some memory trainer such as Cheat Engine.
  4. If I choose to patch at run-time, I had to do it when the code is already loaded, but not yet executed, or it would get optimized and harder to find in memory.
  5. Programming in Action Script assembly is hard, though, lots of fun.
To conclude, I would say that only my 5th attempt went by with good results, although, I do believe that with a little bit of an extra effort I could have make all the other attempts work as well.
I found out that many people are developing automated scripts to play the games for them, using many OCRs and other kinds of methods, this is a very vast and interesting technique that I might write about in a future post, because now I have lots to say on the subject, and little time to do so.
One might ask why Flash games and not something more interesting such as World Of Warcraft, and my answer would be using a picture from the outstanding web-comic XKCD:

That's it for now. Hope you enjoyed reading this post, and got a bit of inspiration on developing ninja skills.

And remember, it's only cheating if you get caught (Al Bundy).

Cheers,
Assaf.



Many thanks to Omer Enbar and Avital Zipori for reviewing and proofing my English.