Defensive Fuzzing [ Game Hax ]

UnwittingAPT_LuckyMe · July 4, 2019, 8:20pm

Hello World!

Thought that the 0x00sec hive mind might be able to point me in the right direction. Long story short, I’m looking to do some fuzzing for a pc game which allows custom code [ mods ] for things such as icons for in-game items. I’ll mention the exact game name if you want, but I figured I’d leave it off for now so as to bypass any possible legalities.
[ SWIM doesn’t want to have to say SWIM everytime he speaks about SWIM, etc… ]

Shouldn’t be difficult to find if you simply look up games that are based off the minecraft crafting with blocks and throw zombies into the mix.

As I said, I’ve been supporting the game since it’s early inception, but left off for quite awhile once my computer starting showing signs of compromise when connecting to online servers. Given the alpha state of the game [even today] I figured they just needed time to get their code in order.

Fast forward to lately, and given the fact I’d planned to rewipe my PC shortly, I threw her in and started getting my gaming binge on.

After awhile I found a neat server with a bunch of people that have presence on a lot of survival games [ark, some pirate thing, this, etc.] and decided that since they’ve seem to got a name to defend they should be safe[ish]/[er] than most.

These guys have been busy, they’ve got people that dive into the XML and item sets to be able to turn on stuff that the official release hasn’t enabled, but the code is present and good to go. Along with that, they seem to of put together there own ICON sets which is heavily advertised to download and install.

As any good security person is aware, this is an excellent attack surface and has inspired me to dust off some of my skills that I’ve been letting gather dust.

My plan is to setup my machine to do some automated fuzzing. First I want to figure out how to do some testing of the icon rendering to see if there’s anything to dive into for potential crashes and then move onto [what I’m thinking] will be the easier thing and do network based fuzzing from an emulated server.

the network fuzzing I’ll probably just try to setup Boo/sully fuzzing and go from there given I’ve prior experience in that arena [OSCE study]

The thing that has me stumped, is the icon fuzzing. The game itself takes quite a bit of time to start / restart / get into a new world and each icon to fuzz would [I’m guessing based off of play experience] require a restart of the game.

The icons can be in JPG / GIF / BMP / [maybe] TIFF.

So this is where I seek the experience of the others! If someone can point me in the direction of where to begin, I’d highly appreciate it.

hostile.node · July 5, 2019, 11:43am

I have not tried anything like this, so this is entirely guesswork…

Normally textures are loaded from the HD into memory, then that memory gets copied again into video memory in a format the graphics card can handle (e.g. glTexImage2D()). The memory where the texture was originally loaded into is normally released after that call.
Does the game have any console command which reloads the UI, for example?
What are they using to load those textures? Very few game teams will write their own loaders for something like JPG. If you find the library, you might be able to build a small application which fuzzes it directly, without requiring the rest of the game.

UnwittingAPT_LuckyMe · July 5, 2019, 2:17pm

Excellent and thought provoking points. You’ve given me a few places to begin researching, which is far more than I had.

Thank you.

wntrmut · July 5, 2019, 3:41pm

I’m not certain what fuzzing 7DTD is going to achieve, but if you’re looking to understand how your PC was showing signs of compromise, you should start by reviewing with the mod files you’re downloading,

We can assume that the devs are implied trustworthy (and lazy… still in EA 5 years now wtf) as they don’t want to lose their cash cow, so they wouldn’t poison their own well in most cases, this leaves the core game modifications, supported or unsupported, to exploitable attack surface.

Throw any odd files through VT for a quick and dirty analysis, look for common malware strings, C2 server call outs etc, if you already have a sample computer infected, intercept network traffic at your router and inspect what it’s sending.

That is the defensive portion of this conversation… if you’re looking to harness these exploits for yourself, then that’s a different, non-defensive conversation.

UnwittingAPT_LuckyMe · July 5, 2019, 9:28pm

claps 4 wntrmut
Told you it wouldn’t be difficult to find

As for why, I doubt they’ve changed their base code quite so much. It was in the early days of the game that signs of compromise where apparent. I am not saying that I believe the mods to be malicious in nature, simply that downloading and allowing foreign code packs to be ran inspired my memory to throw the tidbit of why I’d originally gave the game a rest.

While I am not saying that the code isn’t to be trusted, I think it’s safe to say the devs are doing their best to hopefully keep things secure.

You do have an excellent point in that I should of named my thread better. At this point, I’m doing what I can to keep lit the fire to push myself in a practical manner to invest time into skill development.

I’m not sure of the protocol here, but let me know if I should mark the thread closed or use it as a place to bat idea’s back and forth.

system · July 8, 2019, 9:28pm

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.