How I Defeated an MMO Game Hack Author

A fun story, making a wrong right.

Back in the days there was an explosion of MMO web games on Facebook and Google Plus. There was a sci-fi themed game that I played with several colleagues now and then. You would build bases, buy upgrades, weapons, join teams and then do PvP against other players.

One day a colleague of mine found he could use Cheat Engine to scan the memory of the Flash application and change some values in order to get an upper hand and win PvP matches. Turns out the devs neither did nor verified the PvP battles server-side. It was all done client-side and after the battle the client was sending the server info about who won. A fix would require a complete rewrite of the game logic.

We had several weeks of "fun" beating the shit of everyone in our game world. The devs attempted to make some fixes - make it harder to load the flash file, obfuscated (Base64-encoded) the JSON data sent to the client - this was a funny one, since it was irrelevant. In the end, as the author here says, it was no longer fun, so eventually we stopped playing.

Many years ago I played a silly game "Clash of Clans"-type game (it was a knockoff). The game itself wasn't super fun (build things, wait for them to finish or pay to speed up, PvP, clans, etc) but I played it for a few months on and off. Randomly one day I decided to hook up a network proxy to the game and look at what data the game sent/received.

It turned out that when you queried the map it returned a ton more data than it displayed (data you would normally need to scout for). Also a ton of endpoints, like the one to load your own town's info, would also work if you used an enemy's town id (but with your auth key still). There was little to no verification/authentication blocks that I ran into.

I spent the next 2-3 weeks writing little CLI tools to talk to the API cultivating in a small suite of web-based tools that used assets I ripped from the game to display info (using the currency icons, using the building sprites, etc) until I got bored of the game and the reverse engineering and just walked away. It was fun for a little bit operating with perfect knowledge and using some of that info to put my thumb on the scales for myself and my clan but in the end it become more work than fun and so I stopped.

I appreciate your story, I am curious how you feel about exploiting in games today? I don't want to dramatize it too much since it's pretty contentious online, but obviously, your fun was at the expense of others. So I am curious if that is something you considered at the time or grew out of doing?

The engineering aspect of exploits has always been fascinating to me, and I sometimes mess with singleplayer games. But given how competitive and serious games get these days the idea of exploiting online feels a bit more than just silly fun.

I can see how this might read as a veiled dig but it's not. As one tinkerer to another, it's a rare opportunity to ask.

This is very familiar. I spent a few weeks on a mobile game hiding various values in memory (using lua metadata magic to make it transparent to the designers!) Eventually it turned out the best thing to be done was just to ban all jailbroken iOS users and be done with it.

> I don't understand why some people feel the need to cheat in a game; I also think that cheating gets boring fast, and likely most people just move on. The whole point of a game, especially one based more on skill than luck, is the challenge; if you remove that, the fun rapidly vanishes.

My friends would bring their computers to my house and we'd hack/cheat online games not because we were interested in the games, but because we were interested in the social experience of what we were doing. We weren't focused on the game; instead, we were focused on teasing & laughing with & at each other.

The gaming industry makes a fortune from pay-to-win mechanics, which is just sanctioned cheating. The same people that buy in-game coins, gems, gold, stars etc. for cash are also willing to pay for third party cheats.

The Web equivalent is to ban China, Russia, SEA, South America from being able to use your Web service.

Actually super effective

As effective as using an atomic bomb to kill flies!

not every 'cheats' are equal, some lets you get an unfair advantage in PvP

but for most people, its because it provides some nice quality of life improvements, example:

- improved inventory management

- auto loot

- quest tracker

- enhanced HUD

I've never been a fan of "banning" users, make your server authoritative if you care about that kind of things, or better, listen to your players feedback

The process of modding a game and using cheats is the exact same: DLL injection, or MITM proxy for packets manipulation, so don't assume everyone has evil intentions only because of a open port ;)

Example of well intentioned modding community for Online games:

TrackMania: https://openplanet.dev/plugins

WoW: https://www.wowinterface.com/addons.php

I like cheating because I like winning and I like easy games. I played Elden Ring and I would never have enjoyed it at the default difficulty, so I gave myself tons of health and power, and I loved the game with the bosses taking half an hour or so, rather than days, to defeat.

I wouldn't go that far. The number of jailbroken phones was a fraction of a percent of our user count, but 100% of our known cheater count. Every single one.

how was the jailbreak state detected?

1. When you're looking at a screen, sometimes it's difficult to image that on the other side of the screen there is another real person.

2. There are some cultures where cheating and bullying aren't considered bad things per se, but rather as demonstration of cleverness and power.

3. Some people develop proper sense of empathy later in their lives, later than when learn how to interact with the world, which is one of the reasons why teenagers in general are such pain in the ass. Some people never actually feel empathy, and simply don't care about other people.

BTW in real, physical sports, there's little room for "sportsmanship". It's all about winning, it doesn't matter how, and people with most medals are people who understand this the best. You can especially see this in sports where raw muscle power is more important than skill and technique, for example cycling. What makes you think that gaming would be any different?

> I found an API in Windows that let me see what ports were open. It was simple enough to discover what IP addresses they were using. Anyone with open ports to those IP addresses had to be running the hack application.

the hunter becomes the hunter

Agree that there are a great many reasons to "cheat" - as a kid reverse engineering and pwning or applying that knowledge to games I played was formative, with the goals of the game a useful starting motivation.

With online games making things not fun for others is not as good. Unless it's really funny.

Isn't that primarily a single player game?

Cheating in those is fine. In fact, I think single player games should have cheats built in.

I got stuck on The Legend of Zelda: Skyward Sword because I just couldn't quite get the timing right to pull off some move needed to get past on of the bosses. I would have been able to do it when I was younger but apparently slowed down a little when I got older. I tried many times then gave up and never finished the game.

It would have been great to have a way to tell the game that I just cannot get past that point and have it then provide some other way to continue the game. Maybe nerf that boss so I could kill them. Maybe reveal a quest that will get me something equivalent to whatever I'm supposed to get for killing the boss.

It's competitive multiplayer games where cheating can be questionable.

Yes it's single-player, I play offline. I agree, different people like different difficulties, and as long as you aren't ruining anyone else's game, do what you enjoy, but some of my friends are just appalled that I want to enjoy a game without "putting in the hard work".

If I wanted a job, I'd get one.

A bunch of the filesystem was visible to all apps that isn’t visible on a regular phone. I’m sure someone smart could have gotten around the detection, but nobody cared enough to do so.

I barely play games theses day, so no. I imagine I could have fun exploiting some non-AAA games for fun and learning, do so some rev engineering on ws protocols and such, but presently it’s not on my list at all.

About this particular story - I didn’t care too much back then, honestly. Neither the devs I assume, because they knew there was cheating going on. I think they kept our accounts because we were spending handsome money buying ingame upgrades, boosts etc.