Go back to overview

Webinar Catchup: Art of Online Game Hacking

15 July 2021

Recently, our COO and Co-Founder, Mathieu Huysman, held a webinar discussing the ins and outs of online game hacking.

In case you missed it, you can find the archived stream below. Otherwise, we thought it would be good to summarise and revisit some key points our expert ethical hacker and cybersecurity specialist touched on.

Why do people hack?

This is something we often hear. Why do people do this? Why do they compromise peoples’ livelihoods, the work of the developers, the fun and safety of the players?

There are a plethora of reasons, but we often pin it down to four or so. These would be the most common or significant reasons for hacking.

Cyrex has a lot of experience in a wide variety of ethical hacking, and we fully believe in the mentality of keep your friends close and your enemies closer. We know these motivations well; we’ve seen them repeatedly in the many underground hacking circles.

Prestige – Best of the best

Firstly, prestige. There are many hackers and malicious actors who hack simply to be the best in game. This is for the advantages of significant skill or time investment. But instead achieved through an underhanded method such as cheating or hacking. This mentality doesn’t directly cause problems but indirectly, it upsets the game’s ecosystem. It can be endlessly frustrating to watch cheaters or hackers benefit happily from their abuse while an honest player is stuck struggling through it all.

Financial Gain – Money, money, money

This is absolutely the largest group when it comes to hackers and cheaters. A quick google search will immediately result in an out-of-game marketplace to buy whatever you want, without having to work in-game. Or you can easily find aimbots, wallhacks, and other cheats to grant an easy and significant advantage.

The real danger to the game is unbeatable players, as well as those making real-world profit by abusing your in-game systems. If they can easily replicate or duplicate expensive items and sell them for real-world currency, you will see problems as more flock to the money-making scheme.

Education – Time to learn

We often see hackers target games in the pursuit of bettering their coding and hacking skills. This all stems from a harmful mentality, “it’s just a game.”

People look for real world ways to test themselves and see banking applications, for example. And next to it, a multiplayer game. There is a strange mentality that directly harming the game via hacking is somehow okay because “it’s a game.”

There’s no difference. You’re still actively and directly harming all those involved. There is a safe way to do this, via ethical hacking. If you do seek to better your own skills in this way, please be careful. You can report all vulnerabilities you find to the developers and keep the knowledge of said vulnerabilities to yourself. There is even the potential of a reward as a bug bounty if you manage this.

Malicious Intent – Ruination and harm

The last and worst motive for hacking is simply just to cause problems. These could be individuals or larger groups and could have any reason for targeting your game.

They might have issues with you or a player, they might just be bored. Nonetheless, these people are just out to cause harm and ruin the fun and hard work of the players and developers.

How do hackers break in?

With the knowledge of why hackers hack, now we can move onto how they do it. This is best heard from our COO himself, as it can be tricky to explain easily!

Effectively, the player connects through the game to the server side. On the server side, the back-end connects to the player via API and/or web sockets. The gameplay connects via UDP or TCP. Hopefully, the server side is as secure as possible!

Whenever the player takes an action, a packet will be sent from the player to the server. This will be verified and sent back. Most hackers ignore the communication protocols, this step in between player and server side. Instead, they focus on the player side. They modify the game itself.

They do this by reverse engineering or decompiling the code.

What about anti-cheat?

Well, because most hackers approach via client side – it does help to stop most opportunistic hackers. But in Cyrex, we’re firm in the belief that there is a dangerous misconception about anti-cheat.

Anti-cheat is keeping us safe.” We hear this all the time and many claim it is the ultimate security solution. While they absolutely deserve a presence regarding security, they are not a complete solution.

Because it relies on client-side security, it is more security by obscurity. And once bypassed, with time and effort, it is completely defunct. Then it becomes a scaling cyber arms race of patch against hack.

Then, how does Cyrex hack in?

Because anti-cheat is very much a surface level for security, we work on a more efficient method. We use Cyrex Protoceptor – a Man in the Middle interception tool. We’ve discussed Man in the Middle attacks and gameplay security before. Between this webinar and our articles, you can get a very quick and thorough introduction to this concept and how we go about our hacking stages.

Effectively, our Protoceptor places us between the player and server side. We completely bypass anti-cheat and can jump straight to the main lines of communication. We can see each request and how the server responds. From there, we can easily have control over what requests reach the server and what kind of responses reach the player.

Finishing up

Cyrex has worked on an array of games across a variety of platforms, genres, and concepts. We are so thankful for the confidence of our clients and partners and them believing in us to secure them against malicious actors.

 
This was just a summary, so to hear the full webinar, you can see it below. To read more about our work, we have a portfolio of some of our clients available as well. Finally, if you’d like to see anonymised security reports of our previous work you can click here. And otherwise, if you have any questions, we’d love to hear from you.