Note: This is a failed attempt at reverse-engineering, but I decided to share it anyway.
Hey guys, I thought I'd share this game I've been playing, and one I was testing the security of to find any vulnerabilities and what-have-you. It's an 8-bit MMO with retro graphics and retro gameplay: open-world with no restrictions on PVP, and you interact with mobs by talking to them in-game, the same way you would talk to a player. No sub-windows pop up, so you can concentrate on the game itself and be ready for PVP at any time. The game is [link].
The client was recently ported to JavaScript and canvas. After breaking through the minification, I was able to view (more/less) the source code of the client, and I quickly started listening to all the packets and summarizing them to clean up the noise. The packets are not encrypted, but this is admirable, as you all should know encryption is merely patch-work security that is able to be bypassed, usually very easily (because the client has access to the decryption function and key one way or another, in order for the game to be playable). The lack of encryption made it apparent to me that the game had rock-solid security, as I could see what packets the server and client were sending to each other, and the actual data that was being transferred, with ease.
The server sends 3 kinds of packets (not counting the initial connection/handshake packets).
- Sound data - What sound file to play, when to play it, etc.
- Server Message - Is the server going to go down in 10 minutes? Is there a latency correction stall? Was there a crash? etc.
- Drawing data - Draw rectangles, draw pixels, what color to draw, begin of draw, end of draw, etc.
The client sends user-input packets only.
- Keyboard events.
- Mouse events and cursor position.
The client has no knowledge of the game whatsoever. All the client knows is that the server is going to send one of those 3 types of packets, and each one has sub-types the client is concerned with. The client doesn't know what items you have in your inventory, it doesn't anticipate a user is going to keep walking a certain direction, it doesn't know the velocity of a fireball, nothing. All the client knows is that the server told it to draw some pixels on the screen in a certain order, to play a sound file, or to write text on the screen in a set location. The client knows where you click, but it has no knowledge of what item you actually click on, or whether or not there is an item there at all; the client is as dumb as the monitor on your desk, all it sees is pixels. The server handles all of the game logic. The lack of encryption made me concerned at first, but shortly after my concern I was thrilled to see this design. The server doesn't even send image data; it sends numbers necessary for the client to draw the images itself! Idk, it fascinates me.
There are far too many games that fiddle with encryption and efficiency, trying to cram game logic into the client to save some load on the server in exchange for security. I just wanted to share my findings for this game, so you all can see how a game like this should be developed. Security like this is done at the very beginning of the game development process, and patch-work security is nowhere near a substitute for this rock-solid design.
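The split the post describes (three server packet types, two client input types, all rules on the server) as an added illustration in JavaScript. This is not the game's code or the poster's capture: the packet type numbers, field names, the `rat` mob, the 8x4 world and `squeak.wav` are all constructed for this example, and a `Uint8Array` stands in for the canvas so it runs without a browser.

```javascript
// Added example: a server-authoritative "dumb client" in the shape the post
// describes. Packet numbers, field names and the tiny world are constructed.
const SERVER_PKT = { SOUND: 1, MESSAGE: 2, DRAW: 3 };
const CLIENT_PKT = { KEY: 1, MOUSE: 2 };
const DRAW_OP = { BEGIN: 0, RECT: 1, TEXT: 2, END: 3 };

// Client: a pixel buffer (stand-in for the canvas), a sound queue and a message
// log. It holds no players, items or mobs; it only executes what it is told.
class DumbClient {
  constructor(width, height) {
    this.width = width; this.height = height;
    this.pixels = new Uint8Array(width * height);
    this.sounds = []; this.messages = []; this.texts = [];
    this.inFrame = false; this.rejected = 0;
  }
  handle(p) {
    switch (p.type) {
      case SERVER_PKT.SOUND: this.sounds.push(p.file); return true;
      case SERVER_PKT.MESSAGE: this.messages.push(p.text); return true;
      case SERVER_PKT.DRAW: return this.draw(p);
      default: this.rejected++; return false; // unknown type: ignore, never guess
    }
  }
  draw(p) {
    switch (p.op) {
      case DRAW_OP.BEGIN: this.inFrame = true; this.pixels.fill(0); this.texts = []; return true;
      case DRAW_OP.END: this.inFrame = false; return true;
      case DRAW_OP.RECT: return this.inFrame && this.fillRect(p.x, p.y, p.w, p.h, p.color);
      case DRAW_OP.TEXT:
        if (!this.inFrame) return false;
        this.texts.push({ x: p.x, y: p.y, text: String(p.text) }); return true;
      default: this.rejected++; return false;
    }
  }
  // Clip to the buffer so a malformed draw command cannot write out of bounds.
  fillRect(x, y, w, h, color) {
    if (![x, y, w, h, color].every(Number.isInteger) || w <= 0 || h <= 0) return false;
    const x0 = Math.max(0, x), y0 = Math.max(0, y);
    const x1 = Math.min(this.width, x + w), y1 = Math.min(this.height, y + h);
    for (let yy = y0; yy < y1; yy++)
      for (let xx = x0; xx < x1; xx++) this.pixels[yy * this.width + xx] = color;
    return true;
  }
  pixelAt(x, y) { return this.pixels[y * this.width + x]; }
  // The only two things the client ever sends: raw input, no claims about state.
  keyPacket(key) { return { type: CLIENT_PKT.KEY, key }; }
  mousePacket(x, y) { return { type: CLIENT_PKT.MOUSE, x, y }; }
}

// Server: owns the world and every rule. Input is validated against that state,
// then the player's view is re-sent as draw commands.
class AuthoritativeServer {
  constructor(width, height) {
    this.width = width; this.height = height;
    this.players = new Map();
    this.mobs = [{ x: 3, y: 1, name: 'rat', color: 2 }];
  }
  connect(id) { this.players.set(id, { x: 0, y: 1, color: 1 }); return this.render(id); }
  receive(id, p) {
    const pl = this.players.get(id), out = [];
    if (!pl) return out;
    if (p.type === CLIENT_PKT.KEY) {
      const step = { ArrowLeft: [-1, 0], ArrowRight: [1, 0], ArrowUp: [0, -1], ArrowDown: [0, 1] }[p.key];
      if (!step) return out; // keys with no server-side rule are dropped
      const nx = pl.x + step[0], ny = pl.y + step[1];
      const blocked = this.mobs.some(m => m.x === nx && m.y === ny);
      if (nx >= 0 && nx < this.width && ny >= 0 && ny < this.height && !blocked) { pl.x = nx; pl.y = ny; }
    } else if (p.type === CLIENT_PKT.MOUSE) {
      // The client reports coordinates only; the server decides what is there.
      const mob = this.mobs.find(m => m.x === p.x && m.y === p.y);
      if (mob) out.push({ type: SERVER_PKT.SOUND, file: 'squeak.wav' },
                        { type: SERVER_PKT.MESSAGE, text: `You see a ${mob.name}.` });
    } else {
      return out; // e.g. a forged "set my position" packet: no such rule exists, ignored
    }
    return out.concat(this.render(id));
  }
  render(id) {
    const pl = this.players.get(id);
    const ops = [{ type: SERVER_PKT.DRAW, op: DRAW_OP.BEGIN }];
    for (const m of this.mobs) ops.push({ type: SERVER_PKT.DRAW, op: DRAW_OP.RECT, x: m.x, y: m.y, w: 1, h: 1, color: m.color });
    ops.push({ type: SERVER_PKT.DRAW, op: DRAW_OP.RECT, x: pl.x, y: pl.y, w: 1, h: 1, color: pl.color });
    ops.push({ type: SERVER_PKT.DRAW, op: DRAW_OP.TEXT, x: 0, y: 0, text: id });
    ops.push({ type: SERVER_PKT.DRAW, op: DRAW_OP.END });
    return ops;
  }
}

// One session: walk right until the mob blocks the way, click the mob, then send
// a packet type the server has no rule for, and feed the client an unknown type.
function simulate() {
  const server = new AuthoritativeServer(8, 4), client = new DumbClient(8, 4);
  const deliver = pkts => pkts.forEach(p => client.handle(p));
  deliver(server.connect('alice'));
  for (let i = 0; i < 5; i++) deliver(server.receive('alice', client.keyPacket('ArrowRight')));
  deliver(server.receive('alice', client.mousePacket(3, 1)));
  deliver(server.receive('alice', { type: 99, x: 7, y: 3 })); // forged: neither KEY nor MOUSE
  client.handle({ type: 42 });                                // unknown server packet
  return { client, player: server.players.get('alice') };
}
```

The point the session makes is that the player ends up at x=2 even though five "right" presses were sent, because the server, not the client, knows the rat is at x=3; the click on (3,1) produces a sound and a message only because the server looked up what was there; and the forged packet changes nothing because the server has no handler that trusts client-claimed state. On the client side, the two defensive checks worth keeping are rejecting unknown packet types and clipping draw commands to the buffer.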