Given the recent hack to the blog, and also given the recent news of the decompiled Eve Online client, it seemed like a good time to go over some of the ways in which a virtual world gets hacked.
The interesting thing, of course, is that all the hacks I am going to talk about are actually not hacking the virtual world at all; they instead attack the client, which is your window into the world, and also your waldo, your means of exercising control over what happens in that world. And that’s because…
The client is in the hands of the enemy.
– The Laws of Online World Design
You’ve probably heard that before — I wasn’t the first one to say it, but it constantly gets misattributed to me. That particular phrasing may have originated with Kelton Flinn, but I am sure many of us came up with it independently.
The first thing to realize is that encryption of the data stream isn’t going to stop anyone serious.
Here’s the diagrammatic way to look at it.
- You generate data.
- You put it in a packet.
- You encrypt the packet.
- You send it over the wire.
- It gets to a user’s computer.
- The client reads the encrypted packet.
- The client decrypts the packet.
- The client does something.
Really, anything after “it gets to a user’s computer” is in the hands of the enemy. So that means that you are encrypting the packets, handing the user a decrypter called a client, and thinking that encryption helps.
What hackers can choose to do is read the incoming packets out of client memory after decryption, instead of sniffing the stream directly. But really, all this does is raise the bar a bit on the hacking skills required.
To top it off, encryption can be slow if you’re talking about a real-time sort of situation. You may not want to spend the time encrypting if you need a fast response.
Packet stream sniffing: getting more info than you should
This one was a problem early on in EverQuest and is still an issue in many FPSes. In short, you should not rely on the client to filter information. Assume that anything that comes down the wire is visible to them. We speak of “culling” the data that is sent down, basically reducing the set. Even on the client, we do culling, so that we don’t draw everything in the dataset the client knows about. In an FPS, you typically cannot do a lot of server-side culling — everyone on the map is “visible” to the client, because everyone is moving so fast that you can’t really do any line-of-sight culling on the server.
In EQ, the way this manifested was that every mob in the zone was sent to the client. This meant a hack could make a minimap that showed every mob. You could see repops at a distance. But wait, it gets worse. You could also see everything they carried. So you could cherry-pick the good loot in advance.
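The server-side fix for the EQ problem above is interest management: send a client only the mobs it can plausibly see, and never send loot contents at all. The following is an added example written for this page, not code from the original post or from any game; the view radius, loot reach, `Mob` and `Player` types and the sample mobs are constructed assumptions.

```python
import math
from dataclasses import dataclass, field

VIEW_RADIUS = 50.0  # assumed: how far a client may "see" in world units


@dataclass
class Mob:
    mob_id: int
    x: float
    y: float
    kind: str
    inventory: list = field(default_factory=list)  # server-only, never streamed


@dataclass
class Player:
    x: float
    y: float


def _dist(ax, ay, bx, by):
    return math.hypot(ax - bx, ay - by)


def cull_for_client(player, mobs, radius=VIEW_RADIUS):
    """Build the update payload the server sends to one client.

    Two rules from the post: (1) mobs outside the view radius are not sent,
    so a hacked minimap cannot show repops across the zone; (2) inventories
    are never serialized, so sniffing the stream cannot reveal loot.
    """
    payload = []
    for m in mobs:
        if _dist(player.x, player.y, m.x, m.y) > radius:
            continue
        payload.append({"id": m.mob_id, "x": m.x, "y": m.y, "kind": m.kind})
    return payload


def reveal_loot(mobs, mob_id, player, reach=2.0):
    """Release loot contents only when the player is actually at the corpse.
    The server decides; the client cannot cherry-pick in advance."""
    for m in mobs:
        if m.mob_id == mob_id:
            if _dist(player.x, player.y, m.x, m.y) <= reach:
                return list(m.inventory)
            return None
    return None


# Constructed sample zone: two nearby orcs and one dragon far out of range.
SAMPLE_MOBS = [
    Mob(1, 10.0, 10.0, "orc", ["rusty sword"]),
    Mob(2, 40.0, 0.0, "orc", ["rare gem"]),
    Mob(3, 400.0, 400.0, "dragon", ["epic loot"]),
]
```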
Packet filtering: dropping stuff you shouldn’t
Sometimes the server tells you things you just don’t want to hear. One such thing might be “no, you can’t go there.” This is the classic wall hack. Usually, you move, and do a local client-side collision check. You also send off a request to the server for your movement, so that the server can verify whether you can go there (after all, you might have — horrors — hacked your client to not do collision checks). The server will send back a “no, you are still over here” message, resulting in your being rubberbanded back to where you were.
Unless you simply ignore that message, and merrily keep going. This will allow you to explore all of the static dataset that your client has loaded. You won’t see any newly streamed objects in the right place, of course, because as far as the server is concerned, you didn’t move.
Simply dropping packets can be pretty powerful if the engineers were sloppy and relied on the client to correct itself after being told it was naughty. A common way to use this to greater advantage relies on the fact that we often do let the client be semi-autonomous about movement. You can move around on the client with far more granularity and with much more rapid changes in direction than you can on the server. Instead of tracking your every move, we instead subsample it, basically. We rely on simple metrics like “you can’t move that far that fast” to verify whether or not you are in fact cheating in your movement.
But if you collided with something, were told to bounce back, but then moved to a position on the other side of the wall, the next movement sample might fall within acceptable parameters, and then you may have moved through the wall.
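The gap described above is that a speed-only check sees a short hop from one side of a wall to the other as legal. An added example (not from the original post): the server keeps its own wall geometry and sweeps the reported segment from the last accepted position to the new one against it, so the hop is rejected even though it is slow enough. The speed limit, the single wall and the coordinates are constructed assumptions.

```python
MAX_SPEED = 7.0  # assumed server-side limit, world units per second

# Server-authoritative walls as 2-D line segments ((x1, y1), (x2, y2)).
# Constructed: one vertical wall at x = 5 spanning y = -10..10.
WALLS = [((5.0, -10.0), (5.0, 10.0))]


def _cross(ox, oy, ax, ay, bx, by):
    """Z component of (a - o) x (b - o); sign tells which side b is on."""
    return (ax - ox) * (by - oy) - (ay - oy) * (bx - ox)


def segments_intersect(p, q, r, s):
    """True if segment p-q properly crosses segment r-s.
    Touching endpoints or collinear overlap are not counted; good enough
    for a movement sweep, where any real crossing is what matters."""
    d1 = _cross(r[0], r[1], s[0], s[1], p[0], p[1])
    d2 = _cross(r[0], r[1], s[0], s[1], q[0], q[1])
    d3 = _cross(p[0], p[1], q[0], q[1], r[0], r[1])
    d4 = _cross(p[0], p[1], q[0], q[1], s[0], s[1])
    return (d1 * d2 < 0) and (d3 * d4 < 0)


def validate_move(prev, new, dt, walls=WALLS, max_speed=MAX_SPEED):
    """Validate one client-reported move from prev to new taking dt seconds.

    Returns (accepted_position, reason). The speed test is the "simple
    metric" the post describes; the wall sweep is the extra check that
    catches a subsampled path whose endpoints sit on opposite sides of a
    wall. On rejection the client is rubberbanded back to prev.
    """
    dx, dy = new[0] - prev[0], new[1] - prev[1]
    dist = (dx * dx + dy * dy) ** 0.5
    if dt <= 0 or dist > max_speed * dt:
        return prev, "too fast"
    for a, b in walls:
        if segments_intersect(prev, new, a, b):
            return prev, "crossed wall"
    return new, "ok"
```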
Packet altering: changing what you hear
Alternatively, you could actually alter the packet before it gets interpreted. This basically lets you get the client to dance to your tune. Maybe you want a nice big waypoint on top of your quest target. Maybe you want to change what zone the client thinks it is loading you into in order to let you tour somewhere you normally cannot get to.
Representation altering: changing what you see
Messing with the data stream isn’t the only thing within your power. Lots of folks in FPSes did things to change the visibility level of what was around them. Replace all the walls with transparent textures, and you will have a much better idea of where everyone is. Replace small meshes with big ones, or camo-colored textures with bright pink ones, and everything gets easier to spot.
Triggering
Of course, why give yourself the work? Just have the client automatically send back responses instantly when it gets a particular packet or message. This form of automated trigger is, of course, a key element in building bots. In an FPS, autoaim is an example. The accuracy of something happening with a trigger is far, far higher than what it is when a mere human is at the wheel.
Spamming
A lot of times, the servers aren’t hardened properly against receiving more commands in a given span of time than they expect. Letting the client handle cooldown timers would be an example of a mistake like this; if you can control the upstream, you can bypass the cooldowns.
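The server-side counterpart to the mistake above is to treat client timers as cosmetic and re-check every upstream command: per-ability cooldowns plus a cap on commands per sliding window, with the rejection count doubling as a detection signal. This is an added example, not code from the original post; the abilities, cooldown values, window size and the command log are constructed.

```python
from collections import defaultdict, deque

COOLDOWNS = {"fireball": 2.0, "heal": 5.0}  # assumed, seconds; authoritative
WINDOW = 1.0          # assumed sliding-window length in seconds
MAX_PER_WINDOW = 5    # assumed: more commands than a human could plausibly send


class CommandGate:
    """Server-side gate that every upstream command must pass."""

    def __init__(self):
        self.last_used = defaultdict(dict)  # player -> ability -> last accepted t
        self.recent = defaultdict(deque)    # player -> timestamps inside WINDOW

    def handle(self, player, ability, t):
        """Return 'ok', 'cooldown' or 'rate' for one command at time t.
        Nothing the client says about its own timers is trusted."""
        q = self.recent[player]
        while q and t - q[0] > WINDOW:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= MAX_PER_WINDOW:
            return "rate"                # spam: too many commands in the window
        q.append(t)
        last = self.last_used[player].get(ability)
        if last is not None and t - last < COOLDOWNS.get(ability, 0.0):
            return "cooldown"            # client skipped (or bypassed) its timer
        self.last_used[player][ability] = t
        return "ok"


def audit(log):
    """Replay a command log through the gate and count rejections per player.
    A player racking up rejections is a client that is not honoring cooldowns."""
    gate = CommandGate()
    rejected = defaultdict(int)
    for player, ability, t in log:
        if gate.handle(player, ability, t) != "ok":
            rejected[player] += 1
    return dict(rejected)


# Constructed log: alice plays normally, bob spams fireball every 100 ms.
SAMPLE_LOG = [
    ("alice", "fireball", 0.0), ("alice", "fireball", 2.5), ("alice", "heal", 3.0),
    ("bob", "fireball", 0.0), ("bob", "fireball", 0.1), ("bob", "fireball", 0.2),
    ("bob", "fireball", 0.3), ("bob", "fireball", 0.4), ("bob", "fireball", 0.5),
    ("bob", "fireball", 0.6),
]
```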

The Warden and other tricks
Of course, there are countermeasures. The countermeasure used by Blizzard (and by Steam, for that matter) is to run a separate process that monitors whether the main app is being messed with. This is a common practice in Korea as well, and there are FPS servers that require you to run Punkbuster, etc. From the WoW TOS:
WHEN RUNNING, THE PROGRAM MAY MONITOR YOUR COMPUTER’S RANDOM ACCESS MEMORY (RAM) AND/OR CPU PROCESSES FOR UNAUTHORIZED THIRD PARTY PROGRAMS RUNNING CONCURRENTLY WITH WORLD OF WARCRAFT. AN “UNAUTHORIZED THIRD PARTY PROGRAM” AS USED HEREIN SHALL BE DEFINED AS ANY THIRD PARTY SOFTWARE, INCLUDING WITHOUT LIMITATION ANY “ADDON” OR “MOD,” THAT IN BLIZZARD’S SOLE DETERMINATION: (i) ENABLES OR FACILITATES CHEATING OF ANY TYPE; (ii) ALLOWS USERS TO MODIFY OR HACK THE WORLD OF WARCRAFT INTERFACE, ENVIRONMENT, AND/OR EXPERIENCE IN ANY WAY NOT EXPRESSLY AUTHORIZED BY BLIZZARD; OR (iii) INTERCEPTS, “MINES,” OR OTHERWISE COLLECTS INFORMATION FROM OR THROUGH THE PROGRAM. IN THE EVENT THAT THE PROGRAM DETECTS AN UNAUTHORIZED THIRD PARTY PROGRAM, BLIZZARD MAY (a) COMMUNICATE INFORMATION BACK TO BLIZZARD, INCLUDING WITHOUT LIMITATION YOUR ACCOUNT NAME, DETAILS ABOUT THE UNAUTHORIZED THIRD PARTY PROGRAM DETECTED, AND THE TIME AND DATE THE UNAUTHORIZED THIRD PARTY PROGRAM WAS DETECTED; AND/OR (b) EXERCISE ANY OR ALL OF ITS RIGHTS UNDER SECTION 6 OF THIS AGREEMENT, WITH OR WITHOUT PRIOR NOTICE TO THE USER.
How does it do this? Well, actually, by using many of the same techniques as described above. Basically, it kind of hacks you. It checks to see if stuff is running in WoW’s memory space. It checks the title bars of any window you have open and compares the text of that window title (hashed) against a blacklist of cheating programs’ titlebars (also hashed). And it actually checks some of the code of every program you have running and checks to see if that code is on its blacklist too.
Needless to say, the Warden is also in the hands of the enemy; although I wouldn’t have the slightest clue on how to do it, you could theoretically either hack the Warden itself, or hack the apps that the Warden is checking, so that they display false or different information. At that point, it’s an arms race.
There are already programs to watch the Warden watching you, for example. And Blizzard’s response was to make a bunch of different versions of Warden, so it’s harder to find and watch; and also to — surprise — encrypt the stuff sent back. Of course, you could go back to square one, packet sniff, and filter out the Warden reports… la di da. Or make the cheat app polymorphic itself. Or…
It’s all very Orwellian — but players seem to value a game environment with fewer cheats more than they value their privacy, though admittedly, freaking out over an app reading window titlebars and then not actually telling anyone about it unless it finds a match may seem a bit paranoid. Then again, what if someone hacked a popular WoW fansite or guide site and stuck a banned string in the titlebar? Could happen…

In the end, you just cannot trust the client. Everything Warden protects against fundamentally needs to be guarded against on the server. In the Web world, you just have to assume that the browser could be any damn thing at all — after all, I could write a simple web browser in about five minutes. And in the future, we may well have to design our games with this sort of capability in mind.
Take the example of the small herb to harvest. The hacks described would do things like auto-detect that the herb is around, auto-collect it, pick it out of a crowded area. The “game” lies in it being hard to find or see. In the security world, this is called “security through obscurity,” and it’s generally assumed to be a waste of time. (This also raises the question of why we are building games out of something like herb-finding.) The secure way is for the client to not even know. Have real herbs and fake herbs use the exact same client-side representation in every way. Only the server knows the difference.
We don’t generally do this because, well, we want to have static data and dynamic data we stream. We want to be able to precache most of the world, and only stream down the stuff that can change, like herbs you can pick up. It’s cheaper in bandwidth, by a lot; it offers better performance; you get much faster load times.
In other words, we create these vulnerabilities for ourselves because, well, we want to trust the client.
In the end, the most hack-free virtual world is likely to be the one with completely open source clients, completely public and open protocols, and no attempts to cheat by having the client do any heavy lifting. In fact, WoW itself has taken very big strides towards this with their open UI system, which enables officially sanctioned plug-ins which do quite a lot of the things that were formerly done by hacks. The reason this will likely be safer is simply because when the terminal is dumb, you are forced to put the smarts on the server — and the server is a lot easier to make secure.
The challenges, however, are not small if you want to really go whole hog and make everything driven by the server. Everything would need to be streamed. Everything sent to the server would need to be verified. And game designers would have to assume they could not rely at all on anything in the visuals as a gameplay mechanic, nor on anything related to speed of cognitive processes (e.g., time spent “figuring something out” would not be a good mechanic, since many things could be offloaded to the client, providing instant reaction times). It would all make for a far more asynchronous world.
But that design constraint might also push towards designing cleverer gameplay, rather than gameplay that can be completely undone by knowing where stuff is, picking important stuff out from the crap, and going clicky-clicky on something fast enough.
A pipe-dream? Probably. We loves us our herb-hunting, our big graphics, our lagless client-side movement, and we seem quite willing to put up with being spied on in exchange for knowing that only bad-ass hackers are cheating, instead of damn near everyone.