Writing Advanced Maplestory Cheats

Captions
The first time I remember looking at assembly was in Cheat Engine. If you haven't had the pleasure of working with Cheat Engine, you're probably missing out, and I don't say this lightly: it's genuinely a brilliant reverse engineering tool. Cheat Engine is the classic game cheating tool, built largely around a memory scanner. You'd search for your health value as a 32-bit integer, and it'd make a list of all integers with that value in memory, and you'd narrow down the list by changing the value and searching for the changed value. I got relatively good at this, as little as that may seem to be a skill. Sometimes you're searching for an unknown value, like your X or Y coordinates, and you just blindly have to narrow down the list by searching for "value increased" and "value decreased" over and over, but almost always you can find the value in question in under a minute. From that point you can set your memory breakpoints, and soon enough you know roughly where code accesses and sets the value. From there, it's game time.

Being a 12-year-old skiddie, of course I wasn't doing much more than just finding some values in memory and modifying them. Maybe, if I was lucky, I could find a game simple enough that I could just set my health values; that wasn't always the case. The game I cheated at the most was a magical game called MapleStory. In reality it was quite a terrible game, but the nostalgia makes it good, I guess. MapleStory has an interesting client-server model where effectively the server was a relay. This made it exceptionally fun to cheat. MapleStory is a 2D platformer MMORPG where the only thing there was to do in the game was grind. There were a few quests, but we're talking in the dozens, maybe low hundreds. This meant that you would be sitting on one map, small enough to fit on your screen, killing the same monsters over and over for eight hours per level, and that's only at level 70.
The level cap was 200. There was also farming for your items, where a 1 in 30,000 drop rate was pretty normal, and items had a random stat range, which could cause only 1 in 15 drops to actually be worth using. This meant that getting an advantage was pretty valuable. MapleStory did have some client anti-cheat, but it was relatively weak.

MapleStory cheats came in various forms. The game could be pretty thoroughly cheated due to the client controlling nearly everything: the positions of monsters, the damage you do, the damage you take, etc. This makes for such a fun game to cheat at. The public cheats varied in complexity. Some were basic god modes, which would stop you from taking damage or largely limit it. Some removed client-side delays in things like looting. But the pinnacle of MapleStory cheats were the vac hacks, short for vacuum. These worked by moving items, monsters, or your player nearly instantly, allowing you to suck mobs up into one location, kill them, and loot all of the items they drop. These cheats were really not hard to find and could be obtained through various public forums with little more than a sign-up, and often not even that.

These cheats mostly came in the form of Cheat Engine cheat tables. This was a small file that you would download and import into Cheat Engine. It contained information about addresses and names of the variables at those addresses, such as "character X is a 32-bit integer found at fubar". For the more advanced cheats, like the vacs, the cheat table would contain addresses and instructions to patch. The traditional vac would typically overwrite a small bit of code with new code to execute. Sometimes a code cave was required, which was simply a reasonably unused piece of code that you would replace with your larger script in x86 shellcode. Then you'd hook the monster coordinate updating code and jump into that area. I don't really know why these code caves were required, as Cheat Engine would allow you to allocate memory in a remote process. Perhaps there were some anti-cheat detections around this, or maybe that feature just didn't exist very early in Cheat Engine.

The community was mainly in support mode, where people would update old Cheat Engine cheat tables by updating the addresses. In many situations they would only update some of the addresses, and certain cheats in the table would instantly result in an auto-ban. You'd even see notes in the forums or on the cheat tables themselves mentioning to avoid certain cheats due to auto-bans getting people too fast. Nevertheless, this is what I grew up with. I thought it was pretty leet at the time, as I knew how to run Cheat Engine, dodge some basic anti-cheat protections by renaming executables, maybe I'd know how to find an address, but in retrospect I wasn't all that leet.

Hiya, my name is Brandon Falk. I'm a security researcher focused heavily on fuzzing and low-level optimization. I write extremely high performance fuzzers, on the order of billions of fuzz cases per second on hundred-core machines. Scalability and performance are always a focus of mine and take me down many interesting paths. I'm a binary security researcher, or application security researcher if you call it that, where I focus primarily on languages that get compiled to native code: languages like C, C++, Rust, etc. I program primarily in Rust; however, I used to be an avid C programmer. At my day job I look for bugs in Microsoft products and spend a lot of time figuring out how to fuzz targets which are typically unfuzzable, like embedded devices or hard-to-reach areas in hypervisors and kernels. My personal projects include many operating systems and hypervisors designed specifically for fuzzing. I've also dabbled a bit in emulator development, and I've written various interpreters, JITs and ILs. The pinnacle of my emulator research is vectorized emulation, where I use AVX-512 on Intel processors to emulate 8 to 32 processors in parallel using vector instructions. This is how I've gotten some insane emulation performance, which gives me a lot of room to try exotic fuzzing techniques.

I specialize in snapshot fuzzing, which is a form of fuzzing where, instead of running an input through a program that is running normally on the system, I take a snapshot of the process or operating system. This includes the memory, device state, registers, all those sorts of things, and then that snapshot is moved into a controlled environment where execution is continued. This means my bugs always reproduce, as long as the emulator is deterministic. I also can skip some of the expensive parts of the fuzzing loop, like splash screens, initializing parts of the protocol, or just the program in general. I consider snapshot fuzzing to be critical for fuzzing most operating systems and hypervisors, and it leads to much higher fuzzing throughput and introspection.

For a hobby, I stream hacking and programming on Twitch, and I upload the recordings to YouTube. I've gotten up to some fun projects, from OS development to printer exploitation to working on Android 0day, well, for old phones, that is. Nevertheless, I'm not here to talk about some crazy security research I have done. Instead, I want to discuss how I've applied my hacking skills to random projects in my life.

Hacking gives you superpowers. Hacking gives a level of understanding of computers that I don't think you can find elsewhere. It gives you the ability to healthily question how things actually work. In many roles you're expected to just learn how something works from the documentation, or maybe a manager or senior employee just tells you how something works, confidently, even if they're wrong. As hackers, we know that sometimes these are not perfect. We know that there are bugs in the operating system, the application, the processor, the hardware; the protocol specification has logic flaws. Almost everything is broken and does not work in the way it is intended to. It is up to us to go and figure out how they deviate from how they should work. I probably take it to an unhealthy extreme, but this mindset has made me always double-check the work that I use. I always assume that things aren't working as well as they can. As an optimization nerd, this leads to me always questioning the performance of third-party projects I pull in, or even algorithms I implement. I personally don't have much benefit from the appearance of success or performance. I'm not trying to convince someone to give me research grants or exaggerate performance claims for some other reason. I'm more interested in how things actually perform on real data.

Some of the most amazing parts of hacking to me are the generic problem-solving skills. I've become so used to having only weeks to crack apart a piece of hardware, dump firmware off of it, understand the OS without any source, symbols, or function names, to the point of finding a bug and exploiting it. This often means acquiring a knowledge of an unknown target at a level comparable to, or one that exceeds, the lead developer of the code itself. It's such a beautiful process, and that's what I love so much about hacking. The scientific process is alive and well in hacking. I always think back to my high school chemistry teacher, Mrs. Burns, talking about how there's always an exception to every rule. There's always some unexplained edge case, something that is often ignored at a high level but absolutely exists at the end of the day. Rarely do I meet people who excel at finding these exceptions and living in the world of the unknown as well as hackers. I don't really know what it is. Is it the rebel in us? What is it that causes us to be okay with calling out the experts, the designers, the architects of all of the systems that we use daily?

Let's go on an adventure. A hacker applies the same mindsets to things that aren't directly hacking. What happens? You might be wondering why I brought up MapleStory earlier. Well, MapleStory is one of those things that got me into hacking, so every once in a while I like to revisit it. I like to see how my skills have improved since being a skiddie and using other people's cheats, all the way to making my own. Well, the other day I joined a MapleStory server with no intention of cheating at it at all, and a day after joining I got a very suspicious direct message on Twitter from the server owner. It reads: "Hey, I run [server] and saw someone in my anti-cheat logs today. Googled the email address and just realized that you're that one guy who streamed cheat dev in Rust while reversing the game from the ground up. Just wanted to politely ask for you to not do anything destructive. [folded hands] Thanks."

It's important to mention before I go into any of this: I do MapleStory cheats for fun. To me the fun part is the development, the reverse engineering, those sorts of things. It's not the end game; it's not the reward of getting an advantage at the game. It's just a unique challenge. Because of this, I don't give anyone else my cheats. I make them for myself and for fun. I sincerely appreciate the people who run the servers that I cheat on, and I try to do my absolute best to minimize harm. For example, I'll try not to flood the market with cheap items. Please cheat responsibly. MapleStory can be cheated solo; it's an online game, but there's no forced interaction or cooperation like many multiplayer games.

So why have I gotten a reputation for hacking MapleStory? Well, it all starts when Ghidra was released a few years ago. I thought it would be fun to take my viewers on a ride through memory lane, and we'd work on some old-school MapleStory cheats. When Ghidra came out, we opened it up in Ghidra and used it as an opportunity to learn and show off the tool, and it was a great example: a 32-bit, relatively simple game with a well-known issue of highly client-side controlled data. This started off pretty lightly. I wanted to make copies of the MapleStory cheats I used when I was a kid. The primary focus was about learning Ghidra and just having a good time, but this lit a bit more of a spark than I expected.

I started off immediately by bringing back my best friend, Cheat Engine, and we went on a memory exploring adventure, no pun intended. Cheat Engine definitely still is my go-to tool for looking at arbitrary values in memory; you just can't really beat its scanning performance with the sleek UI. Using Cheat Engine, I was able to quickly find some interesting locations in memory and start looking at them in Ghidra. From a reverse engineering perspective, starting off, the MapleStory executables were originally packed with Themida, a common commercial binary obfuscation tool. MapleStory had various anti-cheat protections in the form of drivers or other system scanners, but when playing against my own locally hosted private server, they are all off. Further, I didn't have to worry about Themida in this specific case, as the clients have been modified over the many years to work better with private servers. This often means that they were unpacked to be patched. Thus the executable loaded up okay in Ghidra, but as with any unpacked binary there are always some artifacts left in it, especially when it comes to imports and exports. Also, everything is stripped, so it's not really the prettiest binary to look at.

Luckily, there are leaked full private symbols for one specific version of the MapleStory client. Unfortunately, it's for a much later version of MapleStory, after a pretty game-changing patch, but whatever, the code is still similar enough for us to do our analysis. Ghidra didn't, until literally a few days ago as of writing this talk, have a way to forcibly load a PDB onto an executable if the executable didn't reference it correctly in its RSDS section. The RSDS section is simply a section referenced in PE files that contains the unique ID and path to the PDB which should be loaded for the binary. Since we're working in a very unique situation where we have a de-obfuscated official binary and we're trying to apply symbols from a private PDB symbol leak, it's a bit messy. This was one of the first uses of some of my elite hacking skills. I had to modify this PE to convince Ghidra how to load the PDB for it. Of course, I could fix or patch Ghidra, but that would require writing Java. Instead, I injected some extra data into the PE file and hooked it up to the PE header as an RSDS section. This was a bit annoying, but it was a few dozen lines of code and a hacky Python script, and I was able to get full symbols in this MapleStory client.

A quick side note for the people who really want to know the gritty technical details: all of these versions of these clients I'm working with vary quite a bit. I play on some v62 servers, some v83 servers, and the leaked client is a v95 client. These span about a two-year range of releases, and most private servers run v62 or v83. Some run some more exotic versions, including some versions in the v30 range, but at the end of the day I'm just going to consider them all to be MapleStory. All of these versions are old and are from prior to 2010.

Anyways, back to hacking. Once I identified some of the code paths associated with important things like monster lists for your map, damage handling code, packet sending and receiving, decryption, blah blah blah, I started poking around more dynamically. Personally, I can do some pretty amazing things in Ghidra or IDA, but I really excel when I start getting my breakpoints in and start poking things. You think WinDbg script is some ugly mess? Well, that stuff runs through my veins. I can build some crazy dynamic breakpoints pretty quickly, and I find that I navigate code best dynamically.

Now I had to figure out how I wanted to implement these cheats. I knew that I wanted to do some relatively advanced cheats as time went on, so I wanted to build a good framework. This is similar to when I'm writing an exploit: I like to create a nice landing pad where I set up a comfortable shop in the target environment, and I can start doing some serious development. For MapleStory, I decided to do DLL injection. Since I'm allergic to using third-party code, I wrote both an injector and the DLL to be injected. To make it extra fun, I did it all in Rust. I've gotten weirdly good at coercing Rust into whatever shape I want; I've even written some 128-byte constrained stage 0 ARM shellcode for a printer in it. The injector is pretty simple. If you've never written one, all you need to do is load a DLL in a remote process. This can be pretty easily done by injecting some remote memory into another process with VirtualAllocEx and writing some shellcode in with WriteProcessMemory. Finally, you can call this shellcode with CreateRemoteThread. All you need the shellcode to do is simply invoke LoadLibrary, and your DLL has been loaded into that remote application. To be honest, the Windows APIs make it quite nice. You can technically just directly invoke LoadLibrary with CreateRemoteThread, but it's sometimes a bit nice to whip up a blob so you don't have to borrow some existing strings in the binary or data sections to use as the file name to load. If you've never written a DLL injector, I highly recommend that you do. There are many ways to do it, and it's just kind of a fun, simple project.

Once the injector was written, I could easily dynamically load code into a running instance of MapleStory. I was careful and made sure that I had a way to unload the DLL dynamically by a key press or something, so that I could do some rapid development. In reality, I ended up just crashing the client most of the time, so this wasn't the best feature, but the intent was there. I made an API that allowed me to just give it an address to hook and a Rust function to call back, and from there it was pretty smooth sailing. I added all of the basic cheats: unlimited attack, god mode, and those boring, easy cheats. None of these cheats are really even worth talking about, as they were just knocking out an instruction or maybe inverting a branch condition. However, the cheat that I really wanted to write was a vac hack. I had never written one.

I started off in Cheat Engine looking for monster names, as I needed to get the list of monsters from the map. This took a few hours, which was painful, but eventually I found the map monster information in memory. Unfortunately, it was a bit of a pain to deal with, so I had a new idea: why not simply hook the packet sending and receiving? I don't have to worry about the encryption or decryption, as I can simply hook it in the client after it has been decrypted or encrypted, or wherever I want to hook in that chain. Writing my first vac was a lot easier than I expected. The packet formats for MapleStory were incredibly simple. I simply needed to watch for the monster spawn and update packets to determine where the monsters were and their unique identifiers, which are needed to address the monsters when you interact with them. I started off by just moving my player by sending a move player packet, which was pretty much what you would expect: it's a packet with an X and Y coordinate where you just control your player's position.

When you give me the source code to the private server, I can simply figure out the absolute limits of the anti-cheat. Well, it turns out that the private server I was running, and that I fingerprinted a few servers to be using, had a few cheat checks, mainly for some really aggressive cheats like instantly moving your character, doing too much damage, hitting mobs way above your level, and those sorts of things. But there were definitely some big holes. The first big hole that I found was that the player position was unconstrained. While moving the monsters around was bound by some reasonable limits, the player position could be whatever you wanted it to be. At this point I realized that I could just send a movement packet to the server, then send a damage message. I had no reason to MITM packets I was already sending, as I could just send my own. Of course, this is a few more hours of work, as now I need to figure out how to send packets rather than just modify existing ones, but the protocol was a lot easier than I expected. I implemented this vac with the instant movement of the player to all mobs on the map, followed by instantly damaging them, and I'll just let the video speak for itself. "Okay, okay, one, two... yes! It killed all the monsters on the map. Holy..., it worked flawlessly."

This is about as advanced as I ever got with these DLL injection cheats, not because I gave up, but because the gears were starting to turn in my head. At this point I'd seen most of the packets that go from the client to the server, and I realized something: this protocol is incredibly simple. So what do I do when I figure out the protocol is very simple? Well, we can just write our own client. We don't have to worry about client anti-cheat, sketchy MapleStory binaries; I don't even have to worry about having Windows versus Linux support. If I can write my own client in Rust that connects directly to the server and communicates with it, I just kind of win. I knew a decent amount about the protocol and the anti-cheat detections of the server, and it turns out this workload wasn't too bad. I had to figure out how to do MapleStory encryption, which is a combination of AES-OFB and some weird encryption called Shanda. This crypto hadn't changed in many versions of MapleStory, and thus I could effectively read the private symbolized implementation of the crypto as a reference. It's really not that fun, and at the end of the day it's 50 to 100 lines of code of some basic rotate- and XOR-based in-place encryption. After I was able to communicate at a plaintext level with the server and have all of the encryption abstracted by some fancy APIs, it turns out that logging onto a character takes all but a few packets, maybe 200 lines of code, needed to log your character all the way into a map. At this point I could just grab the existing code I had written for watching monster spawn packets and injecting movement and damage packets, and this was incredible. My character would log into the game, kill all of the mobs on the map, and then loot all of the items on the map, instantly.
Oh yeah, and during this whole process I found out that, for some reason, the server also had no damage rate throttling. The server had some protections on doing too much damage on a single hit, but there were no protections on doing many hits per second. Well, there were protections, but they were commented out. But of course I wanted more. I could instantly kill all of the monsters on a map that I was decently geared to kill, but that doesn't really let me run a fresh character into a hard map to clean it up. The server had a limit where you would get banned if you killed mobs that were too high level for you, but I wanted to push all of the limits of the server exactly to where they were set. Remember, the goal is to get the largest possible advantage without triggering any anti-cheat logging. I was figuring out the perfect boundaries of the server-side anti-cheat, and there were really no concerns about the client, as I controlled it all myself.

Well, looking at the server code, there were some pretty interesting properties. If you did 1.5x or more damage than the maximum damage you can do, you would create a logging event on the server, and if you did 5x more than your maximum damage, you would get scheduled for an auto-ban. But wait: if the server calculated your damage range correctly, which they did, why would you be allowed to do 1.5x more damage without even causing logging to occur? Honestly, I have no idea, but it is how it is. I'd imagine that they added some buffer room for if they got some of the math wrong server-side, since they had to reverse out the damage formulas from the client. So now I can do the top end of my damage range multiplied by 1.49x damage, and I'm safe from even triggering a log event on the server.

But it gets even better. MapleStory has the concept of attacks which hit a monster multiple times. Most classes can hit a monster two times; some can hit them up to six times, but that's usually the limit. In terms of the protocol, this is encoded as a nibble in the damage packet, meaning that you can do 0 to 15 lines of damage to a single monster. The amount of lines of damage you can do varies by your skill, but according to the server it doesn't matter. You could do a simple, basic, single auto-attack and tell the server that you hit the monster 15 times, and it would be okay with it regardless of your class. So combine this with the 1.5x maximum damage, factor in that your maximum damage is probably double your average actual hit, and factor in now that we can hit 15 times per attack: we can do about 45 times more damage than our character is capable of doing without triggering a single logging event on the server. So now we can kill and loot the entire map instantly, with no delay between damage packets, doing 45 times more damage than I'm supposed to do per attack, and I don't even trigger a single logging event on the server.

But this leads me to a new problem: my advantage is too large. I level up too fast and outgrow the maps that I am cheating on. Well, luckily enough, the server checks are once again in our favor. MapleStory maps are typically a few screen widths in size, but the whole world is connected via portals which lead you to and from the next maps. Of course, since the player position isn't checked as long as you don't move too much, and entering a portal is simply a packet that you send when you're near a portal, there's nothing stopping me from traversing the map automatically too. And it turns out that this transaction, when there's no client doing rendering and delays, is basically instant. I can traverse the entire world map, killing all of the monsters in the maps, looting all of the items, and yeah, from this point it's not really even worth discussing more. I added some special features where I could mule items to NPCs and other players to launder my illicit goods, but at this point you get the point: I have full control. None of this is exploiting the server. No dupes, no hacks actually getting me to change the behavior of the server by means of database corruption or code execution. Just simply playing within the limits of the anti-cheat of the server. Unfortunately, these limits are wide open, and I'm allowed to kill the entire world map as fast as I wanted. And when I say world map, I don't mean that I can vac monsters and kill the whole map that I'm on, but I can transition to other maps and do this for every single map in the game. There's one limitation where the server won't spawn mobs until a player has been on the map for 10 seconds, but luckily there were just enough maps to visit where this wasn't too much of a problem.

I added some special polish to the client, such as adding support for multiple characters, and I just spin up five characters on a cheap cloud machine that was pennies per hour. The protocol was so lightweight, and there was no rendering in my console-based client, that it didn't require any CPU power to run all of this. All in all, I think I exceeded the child in me's expectations of cheating at MapleStory. I'd argue that the game was solved at this point. There was nothing I could do to avoid getting banned by a GM who just showed up to my map invisibly, which generates truly no packets to me; it's pretty obvious that I'm cheating. But at this point I had such a massive advantage that I could just launder my mesos and move them to my actual characters, which I played on legit, but perhaps maybe had effectively infinite resources. For perspective, I purchased the most expensive item ever sold on this one server from another player, and it was arguably worth about half of the server's market cap, and I didn't even have the mesos yet. I whispered him and I told him that I'd meet him to buy it in 15 minutes, and in that time I was able to get all of the mesos that I needed to do the purchase. This introduced some illegal mesos into the market, and I do not condone doing this. I have not done it since; now I just create and destroy the items I make from cheating. Once again, I do this for fun. I don't want to impact the server, even economically; it's just not right. All of my cheats instantly leave maps or quit the game when players show up, and that's not to protect my characters from getting banned, but to not ruin the experience of other players.

Unfortunately, there are just so many edge cases to this whole story. There are different clients, different versions of the protocol, different private servers, private servers with non-public anti-cheats, custom encryption, all of these sorts of things. I've had some fun with pretty much all of it, and I've spent a decent amount of time reversing, analyzing, and writing these cheats. And what's beautiful about it is all of this is possible because of the weird skills that I have learned as a hacker. It's not just a one-way street: I didn't just use my hacking skills to write these cheats, I also improved my hacking skills when I wrote these cheats. That's one of the beautiful things about working with low-level code and hacking. The skills I learned from Ghidra, WinDbg, Rust, writing injectors, protocol analysis, encryption, all have increased my value as a hacker, whether that's the skills that I have for my next job or simply changing my mind to approach problems in different ways. I've learned some pretty absurd skills that I would never even imagine learning. For example, one MapleStory server I played, or cheated, on last year used custom encryption written in obfuscated C#. I've never reversed C# before, and I got very comfortable learning how to reverse it, de-obfuscate it, and ultimately port my custom client to that server too.

The direct message that I showed you earlier, from that private server owner this month: well, unfortunately, the custom crypto they added to the server was too complex for me to comprehend and figure out, and unfortunately I just haven't been able to get any cheats to work on that server. And I told him that I have no intention to cheat on this server, and that's just not something that I would do, because I don't cheat at games, and I'm just... I'm just a good person in general. Anyways, this is what happens when a nation-state level hacker has some fun playing some old video games. I think we can safely say that the state of the art of MapleStory hacking has been advanced by the few weekends I've thrown into this, and that's what blows my mind. I'm really no expert in writing game cheats; MapleStory is really the only game I've cheated at, but the skills I have from hacking made it so easy to just completely change the definition of cheating at MapleStory.
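The server-side limits the talk describes (a log entry above 1.5x of the computed maximum damage, an auto-ban above 5x, a 4-bit hit-count nibble that is never compared against the skill used, and rate throttling that was commented out) are what let a self-written client claim roughly 45 times its honest damage without a single log line. The following is an added example, not code from the talk, from gamozolabs, or from any MapleStory server: a damage-packet validator that models that lenient policy next to a tightened one a server operator would want. The struct and field names, the `hardened()` thresholds, and the sample character stats are all assumptions chosen for illustration.

```rust
// Added example (not from the talk or any MapleStory server code): a
// server-side validator for a decoded "damage" packet. `Policy::lenient()`
// models the checks the talk describes; `Policy::hardened()` uses assumed
// values to show the checks that close the holes.
use std::collections::VecDeque;

/// Decoded client damage packet. On the wire the line count is a nibble,
/// so a well-formed packet carries at most 15 lines.
#[derive(Debug, Clone)]
pub struct DamagePacket {
    pub lines: Vec<u32>,   // damage claimed for each hit ("line")
    pub timestamp_ms: u64, // server receive time
}

/// What the server computed about the attacker; nothing here is client input.
#[derive(Debug, Clone, Copy)]
pub struct CharacterStats {
    pub max_damage_per_line: u32,   // top of the server-side damage range
    pub max_lines_for_skill: usize, // how many times the skill used can hit
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Verdict {
    Accept,
    Log,     // write an anti-cheat log entry, let the hit through
    AutoBan, // schedule a ban
}

#[derive(Debug, Clone, Copy)]
pub struct Policy {
    pub log_factor: f64, // a line above max * log_factor is logged
    pub ban_factor: f64, // a line above max * ban_factor is banned
    pub check_line_count: bool,
    pub max_attacks_per_second: Option<usize>,
}

impl Policy {
    /// The limits the talk describes: 1.5x before a log entry, 5x before an
    /// auto-ban, the line nibble unchecked, rate throttling disabled.
    pub fn lenient() -> Policy {
        Policy { log_factor: 1.5, ban_factor: 5.0, check_line_count: false, max_attacks_per_second: None }
    }
    /// Tightened policy (assumed values): log anything above the computed
    /// maximum, ban at 2x, cap lines per skill, at most 4 attacks per second.
    pub fn hardened() -> Policy {
        Policy { log_factor: 1.0, ban_factor: 2.0, check_line_count: true, max_attacks_per_second: Some(4) }
    }
}

pub struct Validator {
    policy: Policy,
    recent: VecDeque<u64>, // timestamps of attacks inside the last second
}

impl Validator {
    pub fn new(policy: Policy) -> Validator {
        Validator { policy, recent: VecDeque::new() }
    }

    pub fn check(&mut self, stats: &CharacterStats, pkt: &DamagePacket) -> Verdict {
        // A nibble cannot encode more than 15 lines; more means a malformed packet.
        if pkt.lines.len() > 15 {
            return Verdict::AutoBan;
        }
        // The hole the talk describes: a single-hit skill claiming 15 lines.
        if self.policy.check_line_count && pkt.lines.len() > stats.max_lines_for_skill {
            return Verdict::AutoBan;
        }
        // Each line against the server-computed maximum.
        let max = stats.max_damage_per_line as f64;
        let mut verdict = Verdict::Accept;
        for &line in &pkt.lines {
            let d = line as f64;
            if d > max * self.policy.ban_factor {
                return Verdict::AutoBan;
            }
            if d > max * self.policy.log_factor {
                verdict = Verdict::Log;
            }
        }
        // Rate throttle over a one-second sliding window.
        if let Some(limit) = self.policy.max_attacks_per_second {
            while let Some(&oldest) = self.recent.front() {
                if pkt.timestamp_ms.saturating_sub(oldest) >= 1000 {
                    self.recent.pop_front();
                } else {
                    break;
                }
            }
            self.recent.push_back(pkt.timestamp_ms);
            if self.recent.len() > limit {
                return Verdict::Log;
            }
        }
        verdict
    }
}

/// Claimed damage divided by one honest attack, using the talk's assumption
/// that an average real hit is about half of the maximum.
pub fn advantage_factor(stats: &CharacterStats, pkt: &DamagePacket) -> f64 {
    let claimed: u64 = pkt.lines.iter().map(|&l| l as u64).sum();
    let honest = stats.max_lines_for_skill as f64 * stats.max_damage_per_line as f64 / 2.0;
    claimed as f64 / honest
}

fn main() {
    // Constructed sample: a single-hit skill with a computed maximum of 1000,
    // and a packet claiming 15 lines of 1490, just under the 1.5x threshold.
    let stats = CharacterStats { max_damage_per_line: 1000, max_lines_for_skill: 1 };
    let pkt = DamagePacket { lines: vec![1490; 15], timestamp_ms: 0 };
    let mut lenient = Validator::new(Policy::lenient());
    let mut hardened = Validator::new(Policy::hardened());
    println!("lenient: {:?}, hardened: {:?}, advantage: {:.1}x",
        lenient.check(&stats, &pkt), hardened.check(&stats, &pkt), advantage_factor(&stats, &pkt));
}
```

Under `lenient()` the sample packet is accepted with no log entry while claiming 44.7 times an honest attack, which is the figure the talk arrives at; under `hardened()` the same packet is rejected on the line count before the damage values are even examined, and the sliding window turns a burst of back-to-back attacks into log entries. The important design point is that every threshold is compared against values the server computed itself, never against anything the client sent.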
Info
Channel: gamozolabs
Views: 46,115
Keywords: maplestory, cheating, hacking, cheat, hack, cheat engine, gameguard, vac, mesos, bot
Id: o9O3PjKgejs
Length: 35min 58sec (2158 seconds)
Published: Fri Jun 04 2021