Research into the game Darkfall Online to help thwart cheaters.


Darkfall Online was an incredible MMO experience back in 2009. Most players could only speculate on the types of cheats that were possible with the game.

I decided to revisit the game years later and report my findings to the teams trying to revive the game.

/* 
The following findings and many more were submitted by myself and another 
researcher to third party teams licensed to run Darkfall Online on June 1st, 2016. 
Eventually the projects seemingly collapsed and thus have been disclosed publicly here.
*/
Disclosure

Overview

The game's core logic was implemented in a dll named sfmw.dll.

Radar

Checking the sfmw.dll's strings we find a reference to "Could not decode positional data".

Following references to this string puts us in a function near the handling of decoded packets from the server.

Packet handler
movzx eax, word ptr ds:[esi+e]

Here ESI points to a packet structure. The WORD at offset +E is the opcode identifying the packet type.

With this information a malicious player could read memory in these structures (now decrypted by the client) to leverage any information they desired as (almost) all information exchange with the server happens here.

Here's an example of the parsing of a player load and unload packet:


Loading custom game data files

The game files were encrypted as sfad archive files. Rather than modify or decrypt them on disk, it was easier to dump them after the game had already decrypted them in memory.

A hint to the location of the archive-processing function was found in the strings.

The function eventually calls ReadFileW to read each file in the encrypted archive.

Following the filename pointer
Following the data start pointer

With this information it was found to be possible to dump the files to disk, modify them and have them loaded at runtime to circumvent things like cooldowns on skills. (Note: the server maintained authority and enforced stamina and mana costs for skills).

...
<SFSkillTimerGeneral>
	<SFFloat Value="1.0" />
...

Modifying this allowed a player to shoot arrows with no cooldown and animation.


View angles

The client was the authority on the view angle for the game. As such, it was found that a player could modify the position and angle from which a skill was aimed. This allowed a theoretical malicious user to shoot their bow and tell the server the arrow originated from behind their target, regardless of the direction they were actually facing.

Bank from anywhere

Player distance from the bank was not enforced, so a player could open their bank from anywhere in the world.

GUID Spoof

Player GUIDs were found to be spoofable and players could send actions on behalf of other players.
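The findings above (client-controlled skill cooldowns, client-authoritative aim origin, unenforced bank distance, spoofable GUIDs) share one root cause: the server trusted values the client supplied. The following is an added example, not Darkfall's own code, of a server-side validator that binds the GUID to the authenticated session and checks cooldowns, skill origin and bank range against server-held state; the opcode names, tolerances and world positions are constructed for illustration.

```python
import math
from dataclasses import dataclass, field

# Constructed sample world state and limits (assumptions, not Darkfall's values).
BANK_POSITIONS = [(100.0, 0.0, 100.0)]
BANK_RANGE = 5.0          # max distance from a bank to open it
ORIGIN_TOLERANCE = 3.0    # max distance between claimed skill origin and server position
COOLDOWNS = {"bow_shot": 1.5}   # seconds, enforced server-side


@dataclass
class Session:
    guid: int                       # bound at login; never read from a packet
    pos: tuple                      # server-authoritative player position
    last_cast: dict = field(default_factory=dict)


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def validate(session, packet, now):
    """Return None if the packet is acceptable, otherwise a rejection reason.

    `packet` is a decoded client message (constructed dict form); `now` is the
    server clock in seconds.
    """
    # GUID spoof: the packet's GUID must match the session it arrived on.
    if packet.get("guid") != session.guid:
        return "guid mismatch"
    op = packet.get("op")
    if op == "cast":
        skill = packet["skill"]
        # Cooldown lives on the server, so edited client data files cannot shorten it.
        if now - session.last_cast.get(skill, -math.inf) < COOLDOWNS.get(skill, 0):
            return "cooldown"
        # Aim origin must be near the server's idea of where the player stands.
        if dist(packet["origin"], session.pos) > ORIGIN_TOLERANCE:
            return "origin too far from player"
        session.last_cast[skill] = now
        return None
    if op == "bank":
        # Bank access requires proximity measured from the server-held position.
        if min(dist(session.pos, b) for b in BANK_POSITIONS) > BANK_RANGE:
            return "not near bank"
        return None
    return "unknown opcode"
```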

Colin Senner

Published a month ago