Exploiting Online Games is the third book in series of titles by Greg Hoglund and Gary McGraw. Their two other books have previously been reviewed here at 404 Tech Support – Exploiting Software: How to Break Code and Rootkits: Subverting the Windows Kernel. These titles typically provide information for developers to take into consideration in their projects and for IT Professionals to use in their analysis of securing their environment. I am primarily reading these books for the latter reason and approach these reviews with that perspective.
Exploiting Online Games covers a variety of topics: the basics of online gaming and hacking, playing for profit, End User License Agreements, bugs in games, hacking game clients, bots, reverse engineering, modding, and security points for game developers. The basics explains some common terminology and clarifies the different types of online games including FPS (first-person shooters), MMORPGs (Massively Multiplayer Online Role Playing Games), and virtual worlds (like Second Life).
I picked up this book in the first place for two reasons; I had read and learned from the other two books and Second Life has been quite an issue of contention at work. I will not waste any breath (err… keystrokes) on repeating the arguments either way, but I deemed being aware of any possible risks from this insisted upon software to be a work responsibility of mine.
I am no stranger to online games (noob) as you might catch me on Team Fortress 2 a decent amount of time. I am well aware of MMORPGs and overhear many a-conversations about them, although I haven’t played one myself. That might change however with Champions Online or the DC Universe Online MMORPGs coming out as comic book heroes are a particular weakness of mine. Back to the book, that familiarity with games made the first few chapters feel very basic and even a little dated, though the book was only copyrighted in 2008.
Once you get into the meat of the book, it starts to get interesting. They discuss hacking clients a variety of ways such as changing the code of a client or intercepting and replacing the packets of network traffic on their way to and from the game client. There are is also discussion and examples of using and building a bot. The next section of the books dives deep into reverse engineering clients or servers and how this would apply to online gaming. They then branch off to briefly explain how it would apply to traditional software using the same client-server model.
The final topic in Exploiting Online Games is security pointers when it comes to online games. The majority of the final chapter is for online game developers but it also provides a quick checklist of security questions everyday gamers should be asking themselves. In the end, though, it still concludes like all software, is the security risk and the means to prevent it acceptable to you as a user/gamer.
To summarize, I think the Exploiting Online Games could have simply been an appendix to the Exploiting Software book as it follows along the same vein and many of the pages here are spent repeating the lessons learned in Exploiting Software. The main difference with online games is that you now have that same exploitable software now networked to multiple, even hundreds of other computers either via P2P or through a central server, all enforcing a standard version. There are other issues to take into consideration like economics (being paid to play or reselling virtual items for real money) and the value of “cheating,” but mostly it felt like a lot of skimming would have garnered me the same amount information for my purposes after previously reading Exploiting Software.