0 00:00:00,000 --> 00:00:30,000 Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/363 Thanks! 1 00:00:11,390 --> 00:00:13,669 All right, so my name is Matthew Halter, 2 00:00:13,670 --> 00:00:15,769 CHAC, security technician 3 00:00:15,770 --> 00:00:17,869 with Security Innovation, and just as 4 00:00:17,870 --> 00:00:19,309 we get started here, you might notice the 5 00:00:19,310 --> 00:00:21,199 mouse cursor pop up on the screen have 6 00:00:21,200 --> 00:00:23,029 got this awesome little presentation 7 00:00:23,030 --> 00:00:25,169 remote that likes to do that. 8 00:00:25,170 --> 00:00:26,779 It's a nice old feature, but it's 9 00:00:26,780 --> 00:00:28,189 probably going to get annoying and I can 10 00:00:28,190 --> 00:00:29,149 stop it. 11 00:00:29,150 --> 00:00:30,150 Sorry. 12 00:00:30,890 --> 00:00:32,658 So anyway, I'm a security technician with 13 00:00:32,659 --> 00:00:33,559 security innovation. 14 00:00:33,560 --> 00:00:34,909 I've just got to give them a little bit 15 00:00:34,910 --> 00:00:37,039 of a shout out because, one, 16 00:00:37,040 --> 00:00:38,329 they're paying for me to be out here. 17 00:00:38,330 --> 00:00:39,829 And two, they gave me a couple of weeks 18 00:00:39,830 --> 00:00:41,389 of work, just kind of spent some time 19 00:00:41,390 --> 00:00:43,699 working on this project. 20 00:00:43,700 --> 00:00:45,709 So, yeah, I basically do the testing 21 00:00:45,710 --> 00:00:46,710 application stuff. 22 00:00:48,110 --> 00:00:50,059 And I am Joseph Tatiara. 23 00:00:50,060 --> 00:00:52,189 I'm a security consultant with Bioactive 24 00:00:52,190 --> 00:00:53,990 and Metal Gear Solid. 25 00:00:57,500 --> 00:00:59,629 All right. So just as we said again 26 00:00:59,630 --> 00:01:01,579 here, this isn't a development talk. 
27 00:01:01,580 --> 00:01:02,569 I mean, we're not going to be talking about 28 00:01:02,570 --> 00:01:05,029 the programing like no client server 29 00:01:05,030 --> 00:01:06,799 or anything like that. 30 00:01:06,800 --> 00:01:07,879 There are other companies that you 31 00:01:07,880 --> 00:01:09,439 probably go to if you want something like 32 00:01:09,440 --> 00:01:10,969 that. We're also not going to be talking 33 00:01:10,970 --> 00:01:12,529 about exploitation. 34 00:01:12,530 --> 00:01:14,219 I mean, there are some experts that we've 35 00:01:14,220 --> 00:01:15,649 come across, but that's not what our 36 00:01:15,650 --> 00:01:16,579 talks about. 37 00:01:16,580 --> 00:01:18,169 It just kind of a cool little project, at 38 00:01:18,170 --> 00:01:20,359 least to us that we basically 39 00:01:20,360 --> 00:01:22,939 just rebuilt a server from the client 40 00:01:22,940 --> 00:01:24,059 will go into a little bit more on what 41 00:01:24,060 --> 00:01:26,309 that is. And I mean, if you do a lot 42 00:01:26,310 --> 00:01:28,099 reverse engineering, you're probably not 43 00:01:28,100 --> 00:01:30,169 going to get a whole lot out of this. 44 00:01:30,170 --> 00:01:31,759 We're not getting super technical. 45 00:01:31,760 --> 00:01:33,859 It's it's basically 46 00:01:33,860 --> 00:01:35,119 something that we realized that there was 47 00:01:35,120 --> 00:01:37,519 nothing really talking about 48 00:01:37,520 --> 00:01:39,619 doing, like trying to rebuild the server. 49 00:01:39,620 --> 00:01:41,299 So we want to give something back to the 50 00:01:41,300 --> 00:01:42,300 community with that. 51 00:01:43,390 --> 00:01:45,559 So the basic project, Save MGO dot com 52 00:01:45,560 --> 00:01:47,419 was back in 2006. 53 00:01:47,420 --> 00:01:49,069 I use place online game middle gear 54 00:01:49,070 --> 00:01:50,149 online. 
55 00:01:50,150 --> 00:01:52,249 And I mean, I was a teenager at 56 00:01:52,250 --> 00:01:54,469 the time, just love playing this game and 57 00:01:54,470 --> 00:01:56,449 it got shut down after only a year of 58 00:01:56,450 --> 00:01:57,979 being online. 59 00:01:57,980 --> 00:01:59,359 So I'm like, well that sucks. 60 00:01:59,360 --> 00:02:00,499 Now I want to play it again. 61 00:02:01,520 --> 00:02:03,889 It took quite a while, but over the last 62 00:02:03,890 --> 00:02:05,689 couple of years now we start rebuilding 63 00:02:05,690 --> 00:02:07,099 and basically just rebuilt the server 64 00:02:07,100 --> 00:02:09,079 after it was already taken down. 65 00:02:09,080 --> 00:02:10,879 So unlike a lot of private servers, I 66 00:02:10,880 --> 00:02:12,919 mean, we didn't have a live server to 67 00:02:12,920 --> 00:02:13,939 kind of work with. 68 00:02:13,940 --> 00:02:16,039 We were just left with the 69 00:02:16,040 --> 00:02:19,009 client, the client binaries 70 00:02:19,010 --> 00:02:20,990 and not a whole lot else kind of go from. 71 00:02:23,590 --> 00:02:24,969 So the initial problems that you're 72 00:02:24,970 --> 00:02:27,069 running into when trying 73 00:02:27,070 --> 00:02:29,229 to rebuild these servers is the 74 00:02:29,230 --> 00:02:30,249 least for our case. 75 00:02:30,250 --> 00:02:32,829 The real server was offline. 76 00:02:32,830 --> 00:02:34,359 We weren't rebuilding. 77 00:02:34,360 --> 00:02:36,489 Like all the Warcraft where we had an 78 00:02:36,490 --> 00:02:38,709 active server we can start playing with. 79 00:02:38,710 --> 00:02:40,299 We had nothing. So we had a minimum 80 00:02:40,300 --> 00:02:42,369 packet capture that somebody 81 00:02:42,370 --> 00:02:44,409 from the team had from years before. 82 00:02:44,410 --> 00:02:46,539 And in this case, the 83 00:02:46,540 --> 00:02:48,489 game had no land play. 84 00:02:48,490 --> 00:02:50,020 So we were pretty much stuck. 
85 00:02:51,490 --> 00:02:53,589 We actually brought back two 86 00:02:53,590 --> 00:02:54,759 versions of the game. 87 00:02:54,760 --> 00:02:57,099 The original version was on the two 88 00:02:57,100 --> 00:02:59,019 and the sequels on the three. 89 00:02:59,020 --> 00:03:00,879 So for the two version, 90 00:03:01,960 --> 00:03:04,539 you know, there is no official debugging 91 00:03:04,540 --> 00:03:07,179 and interface it kind of difficult, 92 00:03:07,180 --> 00:03:09,039 but we were able to do some memory dumps 93 00:03:09,040 --> 00:03:10,419 with an emulator that made our lives a 94 00:03:10,420 --> 00:03:11,529 little bit easier. 95 00:03:11,530 --> 00:03:13,089 And for the three, 96 00:03:14,260 --> 00:03:15,849 the game was actually removed with an 97 00:03:15,850 --> 00:03:18,429 official update. So we had to 98 00:03:18,430 --> 00:03:20,559 use an older version of the game and 99 00:03:20,560 --> 00:03:22,809 also put custom firmware onto the console 100 00:03:22,810 --> 00:03:25,059 so that we could, you know, 101 00:03:25,060 --> 00:03:27,159 run unsigned code and analyze the 102 00:03:27,160 --> 00:03:28,930 binaries and play with it from there. 103 00:03:31,860 --> 00:03:33,779 So some of the initial high level 104 00:03:33,780 --> 00:03:35,909 overview, we're going 105 00:03:35,910 --> 00:03:38,159 to start by redirecting the traffic to 106 00:03:38,160 --> 00:03:40,259 our controlled server so we actually see 107 00:03:40,260 --> 00:03:42,719 what is happening, what's going on. 108 00:03:42,720 --> 00:03:44,429 We'll go ahead and implement known 109 00:03:44,430 --> 00:03:46,649 protocols, HP, stuff 110 00:03:46,650 --> 00:03:48,749 like that, that we can just get up 111 00:03:48,750 --> 00:03:50,429 and running with and then start to 112 00:03:50,430 --> 00:03:52,079 implement unknown protocols once we 113 00:03:52,080 --> 00:03:53,340 actually figure out what they are. 
114 00:03:55,770 --> 00:03:57,929 So traffic direction, 115 00:03:57,930 --> 00:04:00,989 it's pretty simple, nothing special, 116 00:04:00,990 --> 00:04:03,329 you can start by patching 117 00:04:03,330 --> 00:04:05,279 the binaries. The issue is for something 118 00:04:05,280 --> 00:04:07,469 like the two that's not too 119 00:04:07,470 --> 00:04:08,129 realistic. 120 00:04:08,130 --> 00:04:10,229 You can't really patch a binary, 121 00:04:10,230 --> 00:04:12,029 press it to a disk and meld the disk out 122 00:04:12,030 --> 00:04:13,210 to your friends or anything. 123 00:04:14,340 --> 00:04:15,639 You'll have to find a different way. 124 00:04:15,640 --> 00:04:18,449 In our case, we just did it by DNS 125 00:04:18,450 --> 00:04:20,549 for the it's a little bit different since 126 00:04:20,550 --> 00:04:22,859 we can just set up a 127 00:04:22,860 --> 00:04:24,419 hyperlinking people and download a biner 128 00:04:24,420 --> 00:04:25,709 and throw it on their console. 129 00:04:25,710 --> 00:04:27,779 You could patch it, but DNS is 130 00:04:27,780 --> 00:04:28,469 easy. 131 00:04:28,470 --> 00:04:29,459 It's simple. 132 00:04:29,460 --> 00:04:30,989 It's what we recommend. 133 00:04:32,890 --> 00:04:35,139 So the first protocol that we took 134 00:04:35,140 --> 00:04:38,169 out was done. It's really a non-issue. 135 00:04:38,170 --> 00:04:39,819 You can run around with a simple 136 00:04:39,820 --> 00:04:42,430 stuntwomen or pointed to a public server. 137 00:04:43,660 --> 00:04:45,189 I believe we just pointed to a public 138 00:04:45,190 --> 00:04:46,519 server and I took care of it. 139 00:04:46,520 --> 00:04:48,969 It's pretty basic stuff 140 00:04:48,970 --> 00:04:49,970 gets you through. 141 00:04:51,550 --> 00:04:53,859 Yeah, we sort of just point the stunts 142 00:04:53,860 --> 00:04:55,059 are off to a public server. 
143 00:04:55,060 --> 00:04:56,589 Now, obviously, once we have the server 144 00:04:56,590 --> 00:04:58,779 software running our own, I mean, there's 145 00:04:58,780 --> 00:05:00,579 plenty of services available for that. 146 00:05:00,580 --> 00:05:02,139 And we've got the next guy. 147 00:05:02,140 --> 00:05:03,939 The first challenge really that we came 148 00:05:03,940 --> 00:05:06,039 up with are came up against 149 00:05:06,040 --> 00:05:08,079 was the dynamic network authentication 150 00:05:08,080 --> 00:05:10,149 system. This is what Sony kind of uses to 151 00:05:10,150 --> 00:05:12,619 prevent cheating online and piracy. 152 00:05:12,620 --> 00:05:14,079 That's where they're going to do the disk 153 00:05:14,080 --> 00:05:16,629 search thing. Like, is this a real disk? 154 00:05:16,630 --> 00:05:17,819 Should this used to be online? 155 00:05:17,820 --> 00:05:18,849 That's, I believe, where they do the 156 00:05:18,850 --> 00:05:20,559 bands like where they check with your 157 00:05:20,560 --> 00:05:22,089 consoles banned from going online, things 158 00:05:22,090 --> 00:05:23,589 like that are all in there. 159 00:05:23,590 --> 00:05:25,929 So bypassing this 160 00:05:25,930 --> 00:05:27,819 in the case of Melgar online, one, 161 00:05:27,820 --> 00:05:29,859 basically we'd get to this point and it 162 00:05:29,860 --> 00:05:31,329 would just say this game is no longer 163 00:05:31,330 --> 00:05:33,249 online, get out. 164 00:05:33,250 --> 00:05:35,289 It won't give us a chance to prove who 165 00:05:35,290 --> 00:05:36,819 real disciplined, give us a chance to get 166 00:05:36,820 --> 00:05:38,369 any information. 167 00:05:38,370 --> 00:05:40,509 All it did was basically 168 00:05:40,510 --> 00:05:42,519 block. So we had to find our way around. 
169 00:05:42,520 --> 00:05:44,589 We couldn't just use the piracy bypass 170 00:05:44,590 --> 00:05:46,329 where you just patch the old parts of the 171 00:05:46,330 --> 00:05:49,209 disk to return positive information. 172 00:05:49,210 --> 00:05:50,210 You're good to go. 173 00:05:51,190 --> 00:05:53,439 So the bypass for games no longer online 174 00:05:53,440 --> 00:05:55,809 is kind of something new. 175 00:05:55,810 --> 00:05:57,739 I worked for quite a while on this. 176 00:05:57,740 --> 00:05:58,779 This was kind of the first thing where 177 00:05:58,780 --> 00:06:00,999 I'm just kind of heading hitting this 178 00:06:01,000 --> 00:06:03,490 wall and having a bunch of issues. 179 00:06:06,740 --> 00:06:09,309 I said I really never actually 180 00:06:09,310 --> 00:06:11,089 matches I want to I have a nice, pure 181 00:06:11,090 --> 00:06:13,459 server where you just pop the disc and no 182 00:06:13,460 --> 00:06:15,769 no action is just pop your game in 183 00:06:15,770 --> 00:06:17,599 connects, you know, change the DNS and 184 00:06:17,600 --> 00:06:19,709 you can play and try and do that. 185 00:06:19,710 --> 00:06:21,079 I mean, we did find some useful 186 00:06:21,080 --> 00:06:23,509 resources. Sony SDK is kind of public. 187 00:06:23,510 --> 00:06:25,819 There's documentation for this. 188 00:06:25,820 --> 00:06:27,259 But ultimately, we just weren't 189 00:06:27,260 --> 00:06:29,149 successful at all with actually trying to 190 00:06:29,150 --> 00:06:31,339 do this and trying 191 00:06:31,340 --> 00:06:33,169 to recreate that part of the server. 192 00:06:33,170 --> 00:06:35,419 I mean, eventually I plan to come back 193 00:06:35,420 --> 00:06:37,099 to this, but at this point, we haven't 194 00:06:37,100 --> 00:06:38,029 done it. 195 00:06:38,030 --> 00:06:40,219 But I did manage to find in the code 196 00:06:40,220 --> 00:06:42,799 is this new DNS connect, 197 00:06:42,800 --> 00:06:44,659 just those drinka laying around code. 
198 00:06:44,660 --> 00:06:45,979 And if you follow it around, look at 199 00:06:45,980 --> 00:06:47,149 words of reference from 200 00:06:48,530 --> 00:06:51,049 unifying this function 201 00:06:51,050 --> 00:06:52,909 that basically it's like, well, what 202 00:06:52,910 --> 00:06:54,799 happens if you return zero zero being a 203 00:06:54,800 --> 00:06:57,799 nice return code to try 204 00:06:57,800 --> 00:07:00,139 to patnaik that let us kind of patch 205 00:07:00,140 --> 00:07:02,419 out the actual DNA, check 206 00:07:02,420 --> 00:07:04,729 it, get to the DNA would be like, here's 207 00:07:04,730 --> 00:07:06,799 DNS and there goes. 208 00:07:06,800 --> 00:07:08,749 It wouldn't do anything if baseballers 209 00:07:08,750 --> 00:07:10,699 patch it out. But of course, the issue is 210 00:07:10,700 --> 00:07:12,799 we've already mentioned is you can't 211 00:07:12,800 --> 00:07:15,019 distribute this, you can't press 212 00:07:15,020 --> 00:07:16,699 your own disks and just kind of pass it 213 00:07:16,700 --> 00:07:18,529 out to everybody to play with. 214 00:07:18,530 --> 00:07:20,149 But there are these cheap devices. 215 00:07:20,150 --> 00:07:22,429 I don't know how many of you play like, 216 00:07:22,430 --> 00:07:23,539 you know, in some of the old consoles, 217 00:07:23,540 --> 00:07:25,609 like the game jany with the nets 218 00:07:25,610 --> 00:07:27,919 or game sharks 219 00:07:27,920 --> 00:07:28,969 or anything like that. 220 00:07:28,970 --> 00:07:29,970 Magic. 221 00:07:30,500 --> 00:07:32,359 Yeah, there are these codes. 222 00:07:32,360 --> 00:07:33,409 You just kind of enter them. 223 00:07:33,410 --> 00:07:34,999 And if you don't know what they are, they 224 00:07:35,000 --> 00:07:36,829 look like they're just magic. 
225 00:07:38,050 --> 00:07:40,339 If you look at these cheats here and 226 00:07:40,340 --> 00:07:41,629 they're just numbers, I mean, if you 227 00:07:41,630 --> 00:07:43,219 don't know what you're looking at, it is 228 00:07:43,220 --> 00:07:45,239 pretty much it's magic. 229 00:07:45,240 --> 00:07:47,589 But what does that lets you overwrite 230 00:07:47,590 --> 00:07:49,309 it? There's a lot of things that you can 231 00:07:49,310 --> 00:07:50,729 do with it. But one of the things that 232 00:07:50,730 --> 00:07:52,369 lets you overwrite the four bytes of 233 00:07:52,370 --> 00:07:54,469 memory at the 234 00:07:54,470 --> 00:07:56,299 most mean you can do like just one byte 235 00:07:56,300 --> 00:07:58,129 if you want to. You can do a bunch of 236 00:07:58,130 --> 00:08:00,349 things so we can use 237 00:08:00,350 --> 00:08:02,539 those cheats. I mean, these few cheats 238 00:08:02,540 --> 00:08:05,299 here, this is actually setting up a 239 00:08:05,300 --> 00:08:06,300 return 240 00:08:07,400 --> 00:08:08,989 or I guess it's setting one off the 241 00:08:08,990 --> 00:08:11,119 registers to zero, doing 242 00:08:11,120 --> 00:08:13,489 a jump back to the return address 243 00:08:13,490 --> 00:08:16,309 and then just a no off at the end of it. 244 00:08:16,310 --> 00:08:18,050 So baseball, these works you've got 245 00:08:19,280 --> 00:08:21,259 the first character represents what type 246 00:08:21,260 --> 00:08:22,639 of cheat you're trying to do. 247 00:08:22,640 --> 00:08:24,859 So see as a condition, it's checking 248 00:08:24,860 --> 00:08:27,079 if you know the value of memory address 249 00:08:27,080 --> 00:08:29,209 A is equal to be run. 250 00:08:29,210 --> 00:08:30,649 The rest of these codes and two is 251 00:08:30,650 --> 00:08:32,999 telling you to overwrite the four bytes 252 00:08:33,000 --> 00:08:35,298 that address A with values that B. 
253 00:08:37,169 --> 00:08:38,459 So I thought that was kind of cool, it's 254 00:08:38,460 --> 00:08:40,558 just I mean, they were magic to me until 255 00:08:40,559 --> 00:08:42,869 I started looking at this and 256 00:08:42,870 --> 00:08:44,879 then going on to the three. 257 00:08:44,880 --> 00:08:47,579 You're dealing with the PSN networks 258 00:08:47,580 --> 00:08:49,739 no longer DNS and the PC 259 00:08:49,740 --> 00:08:52,139 network is currently offline, 260 00:08:52,140 --> 00:08:53,140 I think, but 261 00:08:54,900 --> 00:08:57,419 it's use for account services, 262 00:08:57,420 --> 00:09:00,209 profile friends, list matchmaking 263 00:09:00,210 --> 00:09:02,819 on certain games, commerce, 264 00:09:02,820 --> 00:09:04,530 the store, all that crap. 265 00:09:05,580 --> 00:09:08,099 So looking through the binary, 266 00:09:08,100 --> 00:09:10,199 there's this cute little call for 267 00:09:10,200 --> 00:09:12,299 start dialog, I think. 268 00:09:12,300 --> 00:09:14,609 And if you 269 00:09:14,610 --> 00:09:17,019 look at it, it reads a nice struct. 270 00:09:17,020 --> 00:09:18,779 So there's two different network types. 271 00:09:18,780 --> 00:09:19,889 For three games, 272 00:09:21,720 --> 00:09:23,999 the type zero 273 00:09:24,000 --> 00:09:25,619 would be a network game, so 274 00:09:26,880 --> 00:09:28,529 it would go to that side. 275 00:09:28,530 --> 00:09:30,779 It would initially initiate your network 276 00:09:30,780 --> 00:09:32,729 device. It would check if your Ethernet 277 00:09:32,730 --> 00:09:34,979 or Wi-Fi is connected to an IP 278 00:09:34,980 --> 00:09:36,989 and continue execution of the code. 279 00:09:36,990 --> 00:09:38,759 But if it is a type one, which is PSN 280 00:09:38,760 --> 00:09:41,009 game, it does the same as not. 
281 00:09:41,010 --> 00:09:42,929 But then it also checks if you have a on 282 00:09:42,930 --> 00:09:45,659 account registered on the system 283 00:09:45,660 --> 00:09:47,699 and if you don't, then it forces you to 284 00:09:47,700 --> 00:09:49,679 create one. If you do, then it checks to 285 00:09:49,680 --> 00:09:51,029 see if you're authenticated. 286 00:09:51,030 --> 00:09:53,579 So lucky for us that was 287 00:09:53,580 --> 00:09:55,590 the patch just changing it to a zero. 288 00:09:56,850 --> 00:09:59,129 And then the issue that you run into 289 00:09:59,130 --> 00:10:02,039 is all the other network profile calls 290 00:10:02,040 --> 00:10:04,859 are not loaded because it 291 00:10:04,860 --> 00:10:07,799 never loads up the PSN libraries. 292 00:10:07,800 --> 00:10:09,029 So you just have to go through the rest 293 00:10:09,030 --> 00:10:11,459 of the binary and pacis out fulfill 294 00:10:11,460 --> 00:10:12,389 them in some way. 295 00:10:12,390 --> 00:10:14,010 In our case, it was pretty simple. 296 00:10:15,060 --> 00:10:16,859 We had one for obtaining your network 297 00:10:16,860 --> 00:10:17,879 I.D. 298 00:10:17,880 --> 00:10:20,009 We just bypassed it 299 00:10:20,010 --> 00:10:21,329 and then the other one was checking for 300 00:10:21,330 --> 00:10:23,489 your age restriction for chat and 301 00:10:23,490 --> 00:10:25,409 stuff is it's a mature game. 302 00:10:25,410 --> 00:10:27,239 So everyone's over 18. 303 00:10:27,240 --> 00:10:29,039 Now, if you're doing something like Call 304 00:10:29,040 --> 00:10:30,869 of Duty where it actually uses PSN for 305 00:10:30,870 --> 00:10:33,209 matchmaking, it would be probably 306 00:10:33,210 --> 00:10:34,469 significantly more involved. 307 00:10:34,470 --> 00:10:36,029 But we lucked out. 
308 00:10:36,030 --> 00:10:38,219 So like I said, 309 00:10:38,220 --> 00:10:40,409 for the PS3, you can actually patch 310 00:10:40,410 --> 00:10:43,289 the binary and distribute it 311 00:10:43,290 --> 00:10:45,539 there. ELF binaries, they're packed. 312 00:10:45,540 --> 00:10:47,609 The only thing is that it requires custom 313 00:10:47,610 --> 00:10:49,439 firmware to free to actually run the 314 00:10:49,440 --> 00:10:50,579 unsigned code. 315 00:10:50,580 --> 00:10:52,859 So if you're running just a 316 00:10:52,860 --> 00:10:55,109 standard PS3 with official firmware, 317 00:10:55,110 --> 00:10:57,509 you won't be able to run our passion play 318 00:10:57,510 --> 00:10:58,589 player the game. 319 00:10:58,590 --> 00:11:00,029 But if you are if you do have custom 320 00:11:00,030 --> 00:11:01,649 firmware at home, you can go to save 321 00:11:01,650 --> 00:11:03,569 them. Vodacom, download the patch and 322 00:11:03,570 --> 00:11:04,570 start playing. 323 00:11:05,940 --> 00:11:07,979 So the next protocol we take care of is 324 00:11:07,980 --> 00:11:10,379 it should be pretty simple 325 00:11:10,380 --> 00:11:12,269 for Mejía want it. 326 00:11:12,270 --> 00:11:14,819 The basic account management 327 00:11:14,820 --> 00:11:17,039 registration passwords from 328 00:11:17,040 --> 00:11:18,539 Jota is a little bit more. 329 00:11:18,540 --> 00:11:20,459 It would check the version of your game 330 00:11:20,460 --> 00:11:21,690 to see if you needed an update. 331 00:11:22,770 --> 00:11:24,419 And also this reward shop. 332 00:11:24,420 --> 00:11:25,949 It was this instore shop where you can 333 00:11:25,950 --> 00:11:28,109 buy like hats and shirts and 334 00:11:28,110 --> 00:11:30,239 other crap with points that you would get 335 00:11:30,240 --> 00:11:31,240 from killing people. 336 00:11:33,040 --> 00:11:35,829 So some of the simple guesswork 337 00:11:35,830 --> 00:11:38,079 that we did, little guesswork 338 00:11:38,080 --> 00:11:39,129 was just useful. 
339 00:11:39,130 --> 00:11:41,709 So when you're 340 00:11:41,710 --> 00:11:43,929 toying with this stuff at home, you 341 00:11:43,930 --> 00:11:45,999 can try things like we just give it 342 00:11:46,000 --> 00:11:48,139 X 30, which is the ASCII zeros 343 00:11:48,140 --> 00:11:50,439 response and it would continue or 344 00:11:50,440 --> 00:11:52,329 normal or something or just a one and 345 00:11:52,330 --> 00:11:54,399 just kind of toy with it. 346 00:11:54,400 --> 00:11:55,809 The other thing is, if you have live 347 00:11:55,810 --> 00:11:57,999 debugging, which if you have a three 348 00:11:58,000 --> 00:11:59,829 console, you can do a lot of debugging 349 00:11:59,830 --> 00:12:02,289 and makes your life a little bit easier. 350 00:12:02,290 --> 00:12:04,149 You can do things like break on, send 351 00:12:04,150 --> 00:12:06,669 request or receive a response, 352 00:12:06,670 --> 00:12:08,109 stuff like that, and then start to step 353 00:12:08,110 --> 00:12:09,429 through the functions and see where the 354 00:12:09,430 --> 00:12:10,389 computers are. 355 00:12:10,390 --> 00:12:12,249 So, for example, there's a picture of a 356 00:12:12,250 --> 00:12:14,439 graph there and into a large switchgrass 357 00:12:14,440 --> 00:12:15,969 at the bottom. 358 00:12:15,970 --> 00:12:17,949 This is where we just kind of broke on to 359 00:12:17,950 --> 00:12:20,019 you or I'll decode what next 360 00:12:20,020 --> 00:12:21,519 and then saw the switch case. 361 00:12:21,520 --> 00:12:23,679 Those are all authentication errors. 362 00:12:23,680 --> 00:12:25,989 So you either authenticated or 363 00:12:25,990 --> 00:12:27,099 the password is wrong. 364 00:12:27,100 --> 00:12:28,899 The username didn't exist and there is a 365 00:12:28,900 --> 00:12:31,319 session already active, all that crap. 366 00:12:32,440 --> 00:12:33,580 So you can figure that out. 
367 00:12:34,600 --> 00:12:36,909 But lucky for us, since we 368 00:12:36,910 --> 00:12:39,159 are controlling the new server, we 369 00:12:39,160 --> 00:12:41,499 don't have to actually reverse 370 00:12:41,500 --> 00:12:43,719 the entire logic. 371 00:12:43,720 --> 00:12:45,009 We just need to triscuit. 372 00:12:45,010 --> 00:12:47,069 So an example 373 00:12:47,070 --> 00:12:49,479 of the logic, we can receive the request 374 00:12:49,480 --> 00:12:51,129 and then we can just validate it on our 375 00:12:51,130 --> 00:12:52,089 back end. 376 00:12:52,090 --> 00:12:54,699 So when the server gets username 377 00:12:54,700 --> 00:12:56,799 with password B, we can do all 378 00:12:56,800 --> 00:12:58,909 the logic and we just send a generic or 379 00:12:58,910 --> 00:13:01,089 a generic success code so you can kind 380 00:13:01,090 --> 00:13:03,759 of use the shortcuts to get 381 00:13:03,760 --> 00:13:05,649 get stuff working without killing 382 00:13:05,650 --> 00:13:07,779 yourself over the binary. 383 00:13:09,550 --> 00:13:11,299 Next main issue is SSL. 384 00:13:13,400 --> 00:13:15,519 Unfortunately the 385 00:13:15,520 --> 00:13:17,939 for the PS3 they did a serpent 386 00:13:17,940 --> 00:13:20,049 incorrectly, so we just kind of 387 00:13:20,050 --> 00:13:22,029 hitting a wall that somehow did it 388 00:13:22,030 --> 00:13:23,889 correctly in the year 2008. 389 00:13:23,890 --> 00:13:25,149 No idea how. 390 00:13:25,150 --> 00:13:26,150 And 391 00:13:27,280 --> 00:13:29,499 so we had to patch it out once again. 392 00:13:29,500 --> 00:13:31,119 That's actually the main reason you need 393 00:13:31,120 --> 00:13:33,219 custom firmware, some of 394 00:13:33,220 --> 00:13:34,389 the other options. If you're doing a 395 00:13:34,390 --> 00:13:36,669 different project, could you buy the 396 00:13:36,670 --> 00:13:38,739 domain? 
Could you do 397 00:13:38,740 --> 00:13:41,319 a self sensor, downgrade 398 00:13:41,320 --> 00:13:42,320 it, whatever, 399 00:13:43,630 --> 00:13:45,189 take over everything. 400 00:13:45,190 --> 00:13:46,629 Is that legal? That's right. 401 00:13:46,630 --> 00:13:47,630 So, 402 00:13:49,210 --> 00:13:51,219 all right. So most of you are still here. 403 00:13:51,220 --> 00:13:53,379 That's kind of the dry stuff going 404 00:13:53,380 --> 00:13:55,689 through all that. No end protocols 405 00:13:55,690 --> 00:13:57,699 now we're kind of going to get into is 406 00:13:57,700 --> 00:14:00,039 the game protocol itself that custom 407 00:14:00,040 --> 00:14:02,349 made? I think some people have quite 408 00:14:02,350 --> 00:14:05,109 the Konami secure communication protocol. 409 00:14:05,110 --> 00:14:06,759 I don't think there is an official name 410 00:14:06,760 --> 00:14:09,259 for it, but basically 411 00:14:09,260 --> 00:14:10,239 it's their game protocol. 412 00:14:10,240 --> 00:14:11,769 It's what they're using. And this has no 413 00:14:11,770 --> 00:14:13,299 documentation, nothing really available 414 00:14:13,300 --> 00:14:15,009 except for looking at what the client 415 00:14:15,010 --> 00:14:16,409 actually starts sending out. 416 00:14:17,620 --> 00:14:19,989 So, of course, if you can have packet's 417 00:14:19,990 --> 00:14:22,059 servers, dad can't really get packets, 418 00:14:22,060 --> 00:14:23,199 but we have them. 419 00:14:23,200 --> 00:14:24,939 Everything becomes much easier to look 420 00:14:24,940 --> 00:14:27,069 the packets going in, see what comes 421 00:14:27,070 --> 00:14:29,440 out, figuring out that transformation 422 00:14:30,730 --> 00:14:32,649 is just coming down to kind of examining 423 00:14:32,650 --> 00:14:34,330 and comparing everything. 424 00:14:36,230 --> 00:14:37,729 So these are some of the pacts that we 425 00:14:37,730 --> 00:14:38,979 would get sent out. 
426 00:14:40,690 --> 00:14:42,039 I don't know how many of you here kind of 427 00:14:42,040 --> 00:14:44,379 read Hecks fluently and 428 00:14:44,380 --> 00:14:46,349 now can just look at this like, oh yeah, 429 00:14:46,350 --> 00:14:47,829 I get that. 430 00:14:47,830 --> 00:14:49,629 But if you're normal, you kind of have to 431 00:14:49,630 --> 00:14:51,219 go, OK, well, there are some numbers. 432 00:14:51,220 --> 00:14:53,319 I mean, maybe you recognize now. 433 00:14:53,320 --> 00:14:55,839 Forty one. You know, the a 434 00:14:55,840 --> 00:14:57,339 you recognize a few letters in. 435 00:14:57,340 --> 00:14:59,589 There are some things, but it helps 436 00:14:59,590 --> 00:15:01,059 if you just look at the ASCII, so. 437 00:15:02,440 --> 00:15:04,030 This really doesn't make sense either, 438 00:15:06,610 --> 00:15:08,679 but there is the A I got that one right. 439 00:15:10,540 --> 00:15:11,919 Well, you guys look that. But if you look 440 00:15:11,920 --> 00:15:13,569 at this long enough, you start comparing 441 00:15:13,570 --> 00:15:15,759 what's coming out. And these are just how 442 00:15:15,760 --> 00:15:17,080 kids being sent from the client 443 00:15:18,430 --> 00:15:20,379 server we're not replying to, but it's 444 00:15:20,380 --> 00:15:21,849 trying to send these things out. 445 00:15:21,850 --> 00:15:23,439 You start noticing some patterns in 446 00:15:23,440 --> 00:15:26,109 there. You see the Z, the P 447 00:15:26,110 --> 00:15:28,149 that P, and you see that guy repeating. 448 00:15:28,150 --> 00:15:30,159 And then in the same column, you start to 449 00:15:30,160 --> 00:15:31,659 know some patterns. 450 00:15:31,660 --> 00:15:32,709 That's five seventy. 451 00:15:32,710 --> 00:15:34,059 While you look the numbers we saw that 452 00:15:34,060 --> 00:15:35,679 you start seeing like eighty five comes 453 00:15:35,680 --> 00:15:38,019 up next and you start noticing more 454 00:15:38,020 --> 00:15:39,970 and more the af the eighty five. 
455 00:15:41,560 --> 00:15:43,659 And if you haven't seen this before or 456 00:15:43,660 --> 00:15:44,979 if you have seen this before, it's really 457 00:15:44,980 --> 00:15:46,749 easy to know what's going on. 458 00:15:46,750 --> 00:15:48,609 But if you have seen this before by waste 459 00:15:48,610 --> 00:15:50,439 a lot of time trying to see like that, 460 00:15:50,440 --> 00:15:51,669 you see the pattern, you know there's 461 00:15:51,670 --> 00:15:53,769 something, but you're not quite 462 00:15:53,770 --> 00:15:55,089 sure what it is. 463 00:15:55,090 --> 00:15:56,769 You've got no no bytes in there if you 464 00:15:56,770 --> 00:15:57,939 notice. 465 00:15:57,940 --> 00:16:00,519 And you've got kind of that repeating 466 00:16:00,520 --> 00:16:02,649 four byte set 467 00:16:02,650 --> 00:16:04,359 of characters or four bytes, 468 00:16:05,590 --> 00:16:07,659 it's X or they basically just had a hard 469 00:16:07,660 --> 00:16:09,999 coded key in there, which was the five 470 00:16:10,000 --> 00:16:12,159 seventy eighty five AF and 471 00:16:12,160 --> 00:16:14,559 they just X or the packets with that key 472 00:16:14,560 --> 00:16:15,580 over and over again, 473 00:16:16,780 --> 00:16:19,059 you know, very, very secure protocol. 474 00:16:20,320 --> 00:16:22,120 So you're on the X or. 475 00:16:29,380 --> 00:16:30,909 You're on that excellent things start to 476 00:16:30,910 --> 00:16:32,559 make sense, this is another packet 477 00:16:32,560 --> 00:16:35,199 because the client one 478 00:16:35,200 --> 00:16:36,579 doesn't really help too much in this 479 00:16:36,580 --> 00:16:37,719 case. 480 00:16:37,720 --> 00:16:39,429 We did actually get a packet capture at 481 00:16:39,430 --> 00:16:41,169 one point after the project had been 482 00:16:41,170 --> 00:16:42,669 running for a little while. 483 00:16:42,670 --> 00:16:43,929 So I didn't have a whole lot of 484 00:16:43,930 --> 00:16:45,399 functionality then. 
485
00:16:45,400 --> 00:16:46,759
Didn't have create game, didn't have join the

486
00:16:46,760 --> 00:16:48,129
game, didn't have anything you'd want as

487
00:16:48,130 --> 00:16:50,199
a server, but it was a packet

488
00:16:50,200 --> 00:16:51,459
capture that helped us a little bit.

489
00:16:51,460 --> 00:16:53,169
This is one of those packets where you

490
00:16:53,170 --> 00:16:54,789
can kind of notice something, letters

491
00:16:54,790 --> 00:16:56,259
there. This makes more sense than the

492
00:16:56,260 --> 00:16:58,719
other packets. You could see MGO

493
00:16:58,720 --> 00:17:01,639
three Snake, Liquid,

494
00:17:01,640 --> 00:17:03,909
MGE three league,

495
00:17:03,910 --> 00:17:04,838
having played the game.

496
00:17:04,839 --> 00:17:06,848
I know those are the lobby names and you

497
00:17:06,849 --> 00:17:08,559
can see IPs in there.

498
00:17:08,560 --> 00:17:10,180
Those are fairly clear.

499
00:17:13,450 --> 00:17:14,889
I guess I'm getting ahead of myself here.

500
00:17:14,890 --> 00:17:16,209
I'll get back to this packet a little

501
00:17:16,210 --> 00:17:18,219
bit later, but we're going to actually

502
00:17:18,220 --> 00:17:19,719
be reversing this part.

503
00:17:19,720 --> 00:17:21,759
But in terms of the protocol itself,

504
00:17:23,589 --> 00:17:24,848
this is what's going to come about.

505
00:17:24,849 --> 00:17:26,469
These are, again, the packets being sent

506
00:17:26,470 --> 00:17:28,088
by the client.

507
00:17:28,089 --> 00:17:29,829
It looks really nice like this; it's

508
00:17:29,830 --> 00:17:31,839
been really easy to look at and try and

509
00:17:31,840 --> 00:17:34,059
see things that are popping

510
00:17:34,060 --> 00:17:35,669
up. Little patterns.

511
00:17:35,670 --> 00:17:37,119
You've got a counter there, you know,

512
00:17:37,120 --> 00:17:39,070
two, three, four or five, one.

513
00:17:40,120 --> 00:17:41,469
You can kind of make a guess there.
514
00:17:41,470 --> 00:17:43,599
That's probably some type of sequence

515
00:17:43,600 --> 00:17:45,609
counter at this point.

516
00:17:45,610 --> 00:17:46,839
It's just guesswork trying to figure out

517
00:17:46,840 --> 00:17:48,399
what's going on there. But it's a

518
00:17:48,400 --> 00:17:49,479
reasonable guess.

519
00:17:50,500 --> 00:17:52,389
And you look at this one, you know, it

520
00:17:52,390 --> 00:17:54,639
gets bigger as the

521
00:17:54,640 --> 00:17:56,139
packet gets larger.

522
00:17:56,140 --> 00:17:57,760
Perhaps it's some type of size.

523
00:17:59,970 --> 00:18:01,289
These ones took a little bit longer,

524
00:18:01,290 --> 00:18:02,939
but they seem to be like a command

525
00:18:02,940 --> 00:18:05,009
identifier. Whenever it sends the

526
00:18:05,010 --> 00:18:07,079
same command, they'll send out

527
00:18:07,080 --> 00:18:08,009
the same first number.

528
00:18:08,010 --> 00:18:09,389
Some of these other parts will change

529
00:18:09,390 --> 00:18:11,309
with those first, or that first

530
00:18:11,310 --> 00:18:12,569
two will stay the same.

531
00:18:14,110 --> 00:18:16,119
And then you're left with a larger

532
00:18:16,120 --> 00:18:18,309
payload area at

533
00:18:18,310 --> 00:18:20,739
this point. Don't get into that content,

534
00:18:20,740 --> 00:18:22,569
a bit later. And you're left with these

535
00:18:22,570 --> 00:18:24,069
things that are kind of random.

536
00:18:25,780 --> 00:18:27,849
And if, like, I have no idea what these

537
00:18:27,850 --> 00:18:29,949
numbers are, what

538
00:18:29,950 --> 00:18:31,959
I tend to do when I see random numbers,

539
00:18:31,960 --> 00:18:34,389
my first thought every time,

540
00:18:34,390 --> 00:18:35,390
are prime numbers.

541
00:18:36,430 --> 00:18:38,559
This is not prime, but that's my thought

542
00:18:38,560 --> 00:18:40,389
every time. And it's been right once.
543
00:18:42,630 --> 00:18:44,099
So I always think of primes, but the

544
00:18:44,100 --> 00:18:45,659
other thing you've got to look at is just

545
00:18:45,660 --> 00:18:47,459
take them out, stop looking at it as

546
00:18:47,460 --> 00:18:48,899
hex, and maybe this looks a bit

547
00:18:48,900 --> 00:18:50,250
more familiar to most of you.

548
00:18:52,290 --> 00:18:54,389
It's basically an MD5 of the

549
00:18:54,390 --> 00:18:57,029
header and that payload area.

550
00:18:57,030 --> 00:19:00,509
So it's not, it's somewhat random,

551
00:19:00,510 --> 00:19:01,649
depending on how you want to count the

552
00:19:01,650 --> 00:19:03,719
collisions, but you start kind

553
00:19:03,720 --> 00:19:04,739
of figuring out the protocols as you

554
00:19:04,740 --> 00:19:06,209
start comparing these packets, start

555
00:19:06,210 --> 00:19:07,229
being able to figure things out.

556
00:19:07,230 --> 00:19:09,269
You see the header's always a command

557
00:19:09,270 --> 00:19:11,339
identifier, the length,

558
00:19:11,340 --> 00:19:13,169
the sequence, that hash, followed by the

559
00:19:13,170 --> 00:19:14,170
payload.

560
00:19:15,340 --> 00:19:16,719
So now as we start jumping into the

561
00:19:16,720 --> 00:19:18,609
actual payloads, if you've got the

562
00:19:18,610 --> 00:19:19,929
packet capture, I've already kind of

563
00:19:19,930 --> 00:19:21,999
mentioned this, it's really easy to just

564
00:19:22,000 --> 00:19:23,709
look at. You can replay the packet.

565
00:19:23,710 --> 00:19:25,449
You can send them over and modify little

566
00:19:25,450 --> 00:19:26,949
things. You could see what happens.

567
00:19:26,950 --> 00:19:28,579
And you're just trying to determine that

568
00:19:28,580 --> 00:19:30,069
transformation coming between those

569
00:19:30,070 --> 00:19:31,070
packets.

570
00:19:32,050 --> 00:19:33,339
So we start looking here.
571
00:19:33,340 --> 00:19:34,340
I mean, these are

572
00:19:36,160 --> 00:19:37,359
some of the actual packets coming

573
00:19:37,360 --> 00:19:39,189
through. And you'll see, like, you know,

574
00:19:39,190 --> 00:19:40,989
the commands always seem to be, since

575
00:19:40,990 --> 00:19:42,759
twenty one, the server reply.

576
00:19:42,760 --> 00:19:45,489
This is from our packet capture of

577
00:19:45,490 --> 00:19:47,199
the few packets that we had, and the

578
00:19:47,200 --> 00:19:49,149
server replied with 02 and 03.

579
00:19:49,150 --> 00:19:50,679
It's a pattern that we start noticing in

580
00:19:50,680 --> 00:19:51,759
the rest of the stuff that came up.

581
00:19:52,870 --> 00:19:54,549
And then we also notice the blue numbers

582
00:19:54,550 --> 00:19:56,619
there, the sequence adding up,

583
00:19:56,620 --> 00:19:58,220
and each one had its own sequence.

584
00:19:59,740 --> 00:20:01,299
So this is back to that same packet I

585
00:20:01,300 --> 00:20:02,300
showed earlier.

586
00:20:03,820 --> 00:20:05,709
Looking at a nicer format, you can see

587
00:20:05,710 --> 00:20:07,389
the league, you can see the lobby

588
00:20:07,390 --> 00:20:09,490
names, you could see IPs and KDDI.

589
00:20:10,990 --> 00:20:12,669
See those things there. If we pull out

590
00:20:12,670 --> 00:20:13,989
those numbers, I mean, it's pretty easy

591
00:20:13,990 --> 00:20:16,029
to guess the first bit there.

592
00:20:16,030 --> 00:20:17,079
The Snake.

593
00:20:17,080 --> 00:20:19,509
Like what? Those are lobby names.

594
00:20:19,510 --> 00:20:21,249
At this point, we had never seen the gate

595
00:20:21,250 --> 00:20:22,569
and the account.
596
00:20:22,570 --> 00:20:24,009
But you can kind of make the guess that

597
00:20:24,010 --> 00:20:25,329
those are probably just servers that they

598
00:20:25,330 --> 00:20:27,879
used in the back end or communication

599
00:20:27,880 --> 00:20:30,369
for authenticating and

600
00:20:30,370 --> 00:20:32,469
for the log in for some of the back end

601
00:20:32,470 --> 00:20:34,629
services. The IPs are pretty obvious.

602
00:20:34,630 --> 00:20:36,639
Some of these other numbers, though,

603
00:20:36,640 --> 00:20:38,949
you've got zero, one, two, three, four,

604
00:20:38,950 --> 00:20:41,259
five. The first numbers, the obvious

605
00:20:41,260 --> 00:20:42,999
thing is it's probably an ID

606
00:20:44,290 --> 00:20:46,629
just counting up incrementally.

607
00:20:46,630 --> 00:20:48,819
These ones were a little bit different,

608
00:20:48,820 --> 00:20:51,639
though. You've got zero, one, two, two, two,

609
00:20:51,640 --> 00:20:53,649
two, two, two for all the other leagues

610
00:20:53,650 --> 00:20:54,999
going in there. There's actually normally

611
00:20:55,000 --> 00:20:57,069
ten lobbies being sent up, most of

612
00:20:57,070 --> 00:20:58,070
them out.

613
00:20:58,630 --> 00:21:00,819
So you can look at that and

614
00:21:00,820 --> 00:21:02,169
gain maybe some reasonable guess.

615
00:21:02,170 --> 00:21:03,759
There are some educated guesses that are

616
00:21:03,760 --> 00:21:05,949
zero and one refer to that game and

617
00:21:05,950 --> 00:21:07,779
how we had never seen these before.

618
00:21:07,780 --> 00:21:09,969
We can just replay that every time.

619
00:21:09,970 --> 00:21:11,859
And then the two is probably the league

620
00:21:11,860 --> 00:21:13,569
or the lobbies that are actually showing

621
00:21:13,570 --> 00:21:15,639
the Snake, the Liquid and all

622
00:21:15,640 --> 00:21:16,640
of that.
623
00:21:18,070 --> 00:21:19,959
These numbers, though, haven't quite

624
00:21:19,960 --> 00:21:22,149
figured out exactly why they are, but

625
00:21:22,150 --> 00:21:23,199
there seems to be like some type of

626
00:21:23,200 --> 00:21:24,789
globally unique identifier.

627
00:21:24,790 --> 00:21:27,999
One, two for the account

628
00:21:28,000 --> 00:21:30,219
lobbies are. But ABC, you're kind

629
00:21:30,220 --> 00:21:32,439
of missing everything before,

630
00:21:32,440 --> 00:21:33,639
eh?

631
00:21:33,640 --> 00:21:35,919
My guess is that the Japanese server,

632
00:21:35,920 --> 00:21:37,509
which was up before this one, would have

633
00:21:37,510 --> 00:21:39,969
had the IDs with those

634
00:21:39,970 --> 00:21:41,919
numbers and then the Arrow and the North

635
00:21:41,920 --> 00:21:43,059
American service having their own

636
00:21:43,060 --> 00:21:45,129
identifiers, just a guess.

637
00:21:45,130 --> 00:21:46,179
Those numbers actually didn't actually

638
00:21:46,180 --> 00:21:47,859
have anything or didn't impact the

639
00:21:47,860 --> 00:21:49,959
gameplay itself. So it wasn't too

640
00:21:49,960 --> 00:21:51,069
much of an issue that we don't know

641
00:21:51,070 --> 00:21:53,199
exactly what's going on.

642
00:21:53,200 --> 00:21:55,329
And then the other one, zero zero

643
00:21:55,330 --> 00:21:56,829
nine zero zero.

644
00:21:58,340 --> 00:22:00,279
Again, educated guess from having played,

645
00:22:00,280 --> 00:22:02,169
nine, probably the amount of players in

646
00:22:02,170 --> 00:22:04,419
there. So we start modifying some

647
00:22:04,420 --> 00:22:07,359
things, set up my own IP and they're

648
00:22:07,360 --> 00:22:10,119
giving the CD, PFG

649
00:22:10,120 --> 00:22:11,919
and a CD.

650
00:22:11,920 --> 00:22:13,629
One note about the CDF.

651
00:22:13,630 --> 00:22:14,630
Gee,

652
00:22:16,390 --> 00:22:18,579
I don't go for that because we change

653
00:22:18,580 --> 00:22:20,229
all of these things, though.
654
00:22:20,230 --> 00:22:22,359
We immediately saw it being replayed out,

655
00:22:22,360 --> 00:22:23,809
there, lobby A, lobby B, a lot.

656
00:22:23,810 --> 00:22:26,799
We see exactly what we'd expect.

657
00:22:26,800 --> 00:22:28,749
We did notice that it didn't care if you

658
00:22:28,750 --> 00:22:29,949
had a null byte in there or not.

659
00:22:29,950 --> 00:22:31,989
If you see, A's way longer than the B

660
00:22:31,990 --> 00:22:34,449
and C lobby names. Just

661
00:22:34,450 --> 00:22:35,859
some places they cared about the null,

662
00:22:35,860 --> 00:22:37,599
some places it didn't.

663
00:22:37,600 --> 00:22:39,519
It's kind of an interesting thing that we

664
00:22:39,520 --> 00:22:41,019
were able to exploit later on.

665
00:22:42,750 --> 00:22:43,890
So that was easy.

666
00:22:53,450 --> 00:22:55,549
So that was an example when we

667
00:22:55,550 --> 00:22:57,109
actually had packets with the packet

668
00:22:57,110 --> 00:22:59,179
capture. A little bit

669
00:22:59,180 --> 00:23:00,949
harder was when we were just in the blind

670
00:23:00,950 --> 00:23:03,319
and we don't have a packet capture.

671
00:23:03,320 --> 00:23:05,659
So how can you determine payloads,

672
00:23:05,660 --> 00:23:08,119
you know, are they in a special

673
00:23:08,120 --> 00:23:09,979
type of encoding,

674
00:23:09,980 --> 00:23:11,959
so, JSON, whatever.

675
00:23:11,960 --> 00:23:13,249
Are they encrypted?

676
00:23:13,250 --> 00:23:14,599
What's going on?

677
00:23:14,600 --> 00:23:15,829
There's a link in there. If you download

678
00:23:15,830 --> 00:23:18,049
the slides, there's a nice write-up on crypto

679
00:23:18,050 --> 00:23:20,089
stuff that's over my head. You can

680
00:23:20,090 --> 00:23:21,090
download it if you want.

681
00:23:22,040 --> 00:23:23,749
So what do you do?
682
00:23:23,750 --> 00:23:25,969
Like, there's no known format, but we

683
00:23:25,970 --> 00:23:27,589
at least know just from looking at the

684
00:23:27,590 --> 00:23:29,179
earlier payloads that the first four

685
00:23:29,180 --> 00:23:31,399
bytes are normally some sort of error

686
00:23:31,400 --> 00:23:33,439
code, and if they're all zeros then that's

687
00:23:33,440 --> 00:23:35,539
a success, and then the server

688
00:23:35,540 --> 00:23:37,849
command is usually plus one

689
00:23:37,850 --> 00:23:39,169
of the request.

690
00:23:39,170 --> 00:23:40,639
So that's why you saw the two thousand

691
00:23:40,640 --> 00:23:42,919
two, then twenty three, twenty four

692
00:23:42,920 --> 00:23:43,920
for the responses.

693
00:23:45,530 --> 00:23:48,009
So we just started experimenting.

694
00:23:49,520 --> 00:23:51,469
You know, if something came through and

695
00:23:51,470 --> 00:23:53,239
we had no idea what it was, give it some

696
00:23:53,240 --> 00:23:54,829
zeros and see if it continues.

697
00:23:54,830 --> 00:23:55,830
Right.

698
00:23:56,720 --> 00:23:58,879
If the next command,

699
00:23:58,880 --> 00:23:59,839
you just added one.

700
00:23:59,840 --> 00:24:01,969
If it was correct, it would go on.

701
00:24:01,970 --> 00:24:03,379
If it was incorrect, you might get an

702
00:24:03,380 --> 00:24:04,819
error displayed back to the user or

703
00:24:04,820 --> 00:24:06,259
something like that.

704
00:24:06,260 --> 00:24:08,029
So we were able to go ahead and start

705
00:24:08,030 --> 00:24:10,279
looping identifiers to

706
00:24:10,280 --> 00:24:12,319
see if they were even valid or not,

707
00:24:12,320 --> 00:24:14,899
because the gate server would respond

708
00:24:14,900 --> 00:24:17,029
with the command that you

709
00:24:17,030 --> 00:24:19,279
gave us. So if we gave it

710
00:24:19,280 --> 00:24:21,619
two two two two and

711
00:24:21,620 --> 00:24:22,999
it would just not respond because it

712
00:24:23,000 --> 00:24:24,799
wasn't expecting it, but two two two three, it

713
00:24:24,800 --> 00:24:25,999
would come back and say we weren't

714
00:24:26,000 --> 00:24:27,769
expecting that. So, you know, that that's

715
00:24:27,770 --> 00:24:29,450
at least a valid command identifier.

716
00:24:30,560 --> 00:24:32,659
So it's kind of similar to the HTTP

717
00:24:32,660 --> 00:24:33,660
crap.

718
00:24:34,160 --> 00:24:37,249
Do some guesswork, blank responses

719
00:24:38,360 --> 00:24:38,859
you can do.

720
00:24:38,860 --> 00:24:41,989
No, nobody's expertise,

721
00:24:41,990 --> 00:24:45,019
fake successes and just kind of

722
00:24:45,020 --> 00:24:47,569
try to continue the game from moving on.

723
00:24:47,570 --> 00:24:50,059
This is similar to before where

724
00:24:50,060 --> 00:24:52,039
we didn't really kill ourselves trying to

725
00:24:52,040 --> 00:24:53,809
reverse every single piece of logic.

726
00:24:53,810 --> 00:24:55,909
We just wanted to get it to work to play

727
00:24:55,910 --> 00:24:56,910
again.

728
00:24:58,070 --> 00:25:00,229
So we already talked about that.

729
00:25:00,230 --> 00:25:02,119
OK, so explain items.

730
00:25:02,120 --> 00:25:03,769
Here's an example of a payload that we

731
00:25:03,770 --> 00:25:04,979
didn't really have.

732
00:25:04,980 --> 00:25:07,039
Um, you look at

733
00:25:07,040 --> 00:25:09,439
it and you have the

734
00:25:09,440 --> 00:25:10,519
initial number at the beginning, the

735
00:25:10,520 --> 00:25:11,449
twenty four.

736
00:25:11,450 --> 00:25:13,549
We just assume that that's the number

737
00:25:13,550 --> 00:25:15,979
of items that you own.

738
00:25:15,980 --> 00:25:18,049
And we knew that just from the

739
00:25:18,050 --> 00:25:19,069
account that we had.
740
00:25:19,070 --> 00:25:21,259
And then the first byte

741
00:25:21,260 --> 00:25:23,299
you can see is starting to ascend.

742
00:25:23,300 --> 00:25:25,489
And then the four bytes after that,

743
00:25:25,490 --> 00:25:27,349
they seem to be slightly different.

744
00:25:27,350 --> 00:25:29,449
That turned out to be color codes

745
00:25:29,450 --> 00:25:30,799
for the different items.

746
00:25:30,800 --> 00:25:32,599
So we just started playing with that and

747
00:25:32,600 --> 00:25:33,949
sending it to the client and seeing what

748
00:25:33,950 --> 00:25:35,899
changes were being made.

749
00:25:35,900 --> 00:25:38,269
So, for example, for the headgear

750
00:25:38,270 --> 00:25:40,369
we just sent, we have zero for

751
00:25:40,370 --> 00:25:42,559
the beginning. No, and nothing showed up.

752
00:25:42,560 --> 00:25:44,359
So we have none.

753
00:25:44,360 --> 00:25:46,459
But now when we add one, we got a

754
00:25:46,460 --> 00:25:47,809
little cool.

755
00:25:47,810 --> 00:25:50,059
So then you can just start

756
00:25:50,060 --> 00:25:51,349
enumerating through these different

757
00:25:51,350 --> 00:25:53,569
values and figuring out what

758
00:25:53,570 --> 00:25:54,679
pieces go to where.

759
00:25:54,680 --> 00:25:56,809
So three leads to that

760
00:25:56,810 --> 00:25:58,909
color, seven leads to that color,

761
00:25:58,910 --> 00:26:00,949
and you can start mapping out everything.

762
00:26:00,950 --> 00:26:03,019
And then for the shirts, for example,

763
00:26:03,020 --> 00:26:05,419
we put zero, but some stock

764
00:26:05,420 --> 00:26:06,889
item came up.
765
00:26:06,890 --> 00:26:09,049
So it really helped us out as there

766
00:26:09,050 --> 00:26:10,789
are different portions in the game like

767
00:26:10,790 --> 00:26:13,189
this where if you give it unexpected

768
00:26:13,190 --> 00:26:15,469
data, they had a stock

769
00:26:15,470 --> 00:26:17,209
response that would just deal with it, just

770
00:26:17,210 --> 00:26:18,199
so the game wouldn't crash.

771
00:26:18,200 --> 00:26:20,299
And so that's what

772
00:26:20,300 --> 00:26:22,309
you're seeing there, just give you some

773
00:26:22,310 --> 00:26:23,629
sweater.

774
00:26:23,630 --> 00:26:24,829
But then when you add one, then you

775
00:26:24,830 --> 00:26:26,989
suddenly have a t-shirt and start mapping

776
00:26:26,990 --> 00:26:28,759
it out. So this is kind of something

777
00:26:28,760 --> 00:26:29,760
funny.

778
00:26:30,980 --> 00:26:32,359
Nobody knew about this.

779
00:26:32,360 --> 00:26:33,679
We just found it in the files while

780
00:26:33,680 --> 00:26:35,959
enumerating. This was like never released,

781
00:26:35,960 --> 00:26:37,909
at some sort of Japanese like Gressler

782
00:26:37,910 --> 00:26:38,910
mask or something.

783
00:26:40,940 --> 00:26:42,979
It's kind of cute. I don't know.

784
00:26:42,980 --> 00:26:45,109
So what was interesting is as

785
00:26:45,110 --> 00:26:47,359
we were going through all these,

786
00:26:47,360 --> 00:26:49,969
we realized that there were actual DLC

787
00:26:49,970 --> 00:26:52,189
items and DLC game modes

788
00:26:52,190 --> 00:26:54,529
that didn't even come out until later

789
00:26:54,530 --> 00:26:56,629
versions of the game, which was kind of

790
00:26:56,630 --> 00:26:58,639
like a dick move because you knew that,

791
00:26:58,640 --> 00:27:00,709
hey, they had this stuff in 1.0 and

792
00:27:00,710 --> 00:27:02,119
you had to pay later to get it.
793
00:27:02,120 --> 00:27:03,979
So that was kind of interesting

794
00:27:06,110 --> 00:27:07,729
because you see, it's slow and tedious,

795
00:27:07,730 --> 00:27:10,519
it's not too difficult, just

796
00:27:10,520 --> 00:27:11,989
having to map it all out.

797
00:27:11,990 --> 00:27:14,689
So what about a little bit more complex

798
00:27:14,690 --> 00:27:15,690
payloads?

799
00:27:16,720 --> 00:27:18,859
You still don't have a packet, but simple

800
00:27:18,860 --> 00:27:20,749
basic guessing might not work.

801
00:27:20,750 --> 00:27:21,919
Right?

802
00:27:21,920 --> 00:27:24,049
So one example is the friends

803
00:27:24,050 --> 00:27:26,149
list. We know the

804
00:27:26,150 --> 00:27:28,129
reason. We know it's a friends list and

805
00:27:28,130 --> 00:27:30,289
other things like the gear is

806
00:27:30,290 --> 00:27:31,309
we're watching the packets.

807
00:27:31,310 --> 00:27:32,989
And as we go through the menu options and

808
00:27:32,990 --> 00:27:34,009
hit friends list, then we see the

809
00:27:34,010 --> 00:27:35,689
command center.

810
00:27:35,690 --> 00:27:38,119
So we started sending these simple

811
00:27:38,120 --> 00:27:40,429
basic guesses back, the null

812
00:27:40,430 --> 00:27:42,829
bytes and it's whatever,

813
00:27:42,830 --> 00:27:44,389
and nothing's working.

814
00:27:44,390 --> 00:27:46,219
We just keep getting this error.

815
00:27:46,220 --> 00:27:48,439
So then we went back and started

816
00:27:48,440 --> 00:27:50,089
actually looking at all the different

817
00:27:50,090 --> 00:27:51,899
types of packets that we're seeing.
818
00:27:51,900 --> 00:27:54,539
We're seeing client update packets

819
00:27:54,540 --> 00:27:56,609
which are saying, you know,

820
00:27:56,610 --> 00:27:58,829
I'm the client and this

821
00:27:58,830 --> 00:28:00,569
is whatever is going on, and there's

822
00:28:00,570 --> 00:28:02,339
client request packets like, I am the

823
00:28:02,340 --> 00:28:04,439
client, what are my settings or what

824
00:28:04,440 --> 00:28:05,859
do I have here in the service?

825
00:28:05,860 --> 00:28:08,279
My response back. And then list

826
00:28:08,280 --> 00:28:10,409
packets which are saying,

827
00:28:10,410 --> 00:28:11,879
hey, I'm going to start sending you a

828
00:28:11,880 --> 00:28:14,279
bunch of data, and then the next command

829
00:28:14,280 --> 00:28:15,989
is sending the data and the command after

830
00:28:15,990 --> 00:28:17,380
that is, OK, I'm finished.

831
00:28:18,480 --> 00:28:20,819
So that's what we went with.

832
00:28:20,820 --> 00:28:22,829
We went ahead and took the first command

833
00:28:22,830 --> 00:28:25,529
and ran it through zeros,

834
00:28:25,530 --> 00:28:27,629
took the second command after and just

835
00:28:27,630 --> 00:28:29,189
left an empty payload.

836
00:28:29,190 --> 00:28:30,659
And then the third command after that

837
00:28:32,340 --> 00:28:33,329
as a success.

838
00:28:33,330 --> 00:28:35,849
And we have a new friends list.

839
00:28:35,850 --> 00:28:37,829
So then we can start playing from there.

840
00:28:37,830 --> 00:28:40,079
What happens when we start

841
00:28:40,080 --> 00:28:41,699
going through that middle of this data

842
00:28:41,700 --> 00:28:42,879
and filling it with stuff?

843
00:28:42,880 --> 00:28:44,789
So it's filled up with a bunch of errors

844
00:28:44,790 --> 00:28:47,009
and we have friends.

845
00:28:47,010 --> 00:28:49,139
So now we're going to start

846
00:28:49,140 --> 00:28:51,479
mapping it out. And we went ahead and,

847
00:28:51,480 --> 00:28:53,649
as you can see, split up the bytes.
848
00:28:53,650 --> 00:28:55,769
You can see where it's going and

849
00:28:55,770 --> 00:28:57,420
what data is going where.

850
00:28:58,650 --> 00:28:59,939
You can tell it's not starting.

851
00:28:59,940 --> 00:29:02,129
It is. It turns out there's

852
00:29:02,130 --> 00:29:04,259
a bunch of data in the background that

853
00:29:04,260 --> 00:29:06,899
listed, you know,

854
00:29:06,900 --> 00:29:08,699
where your friend was currently playing,

855
00:29:08,700 --> 00:29:10,829
what lobby he's in and what room he was in

856
00:29:10,830 --> 00:29:11,759
and all that.

857
00:29:11,760 --> 00:29:13,919
And then the data was just

858
00:29:13,920 --> 00:29:14,909
there, player name.

859
00:29:14,910 --> 00:29:16,949
But that's kind of how we mapped out what

860
00:29:16,950 --> 00:29:17,950
was what.

861
00:29:19,400 --> 00:29:20,400
So you

862
00:29:22,770 --> 00:29:24,779
see, having that output to kind of play

863
00:29:24,780 --> 00:29:26,669
around with, you can experiment, you can

864
00:29:26,670 --> 00:29:28,919
send different data and

865
00:29:28,920 --> 00:29:29,849
it becomes easy.

866
00:29:29,850 --> 00:29:32,429
You just look at what changes and

867
00:29:32,430 --> 00:29:33,419
it works.

868
00:29:33,420 --> 00:29:35,309
But joining a game, I mean, this is what

869
00:29:35,310 --> 00:29:36,899
you want with a game server.

870
00:29:36,900 --> 00:29:38,669
You want to be able to join a game, play

871
00:29:38,670 --> 00:29:40,139
with other people.

872
00:29:40,140 --> 00:29:42,059
And yeah, we could create a game at this

873
00:29:42,060 --> 00:29:44,129
point. We could run around in the map on

874
00:29:44,130 --> 00:29:45,130
our own.

875
00:29:45,870 --> 00:29:47,549
But you're not playing with anybody.

876
00:29:47,550 --> 00:29:48,839
You're just running around on a map

877
00:29:48,840 --> 00:29:50,369
alone, forever, alone.
878
00:29:52,230 --> 00:29:53,819
So anyway, for join game, I mean, it

879
00:29:53,820 --> 00:29:56,069
was a complicated set of packets

880
00:29:56,070 --> 00:29:58,229
that actually end up being several packets

881
00:29:58,230 --> 00:30:00,629
that need to be responded to.

882
00:30:00,630 --> 00:30:02,729
So there's no packet that

883
00:30:02,730 --> 00:30:04,499
we can work from, no packet log.

884
00:30:04,500 --> 00:30:05,789
It wasn't something that we could easily

885
00:30:05,790 --> 00:30:07,410
guess. There's nothing similar.

886
00:30:08,910 --> 00:30:11,079
Just have to start working

887
00:30:11,080 --> 00:30:13,419
it out there. So there are several menu

888
00:30:13,420 --> 00:30:14,799
items here. These kind of helped us

889
00:30:14,800 --> 00:30:16,629
figure out what it was trying to do at

890
00:30:16,630 --> 00:30:18,190
certain points of a game.

891
00:30:19,300 --> 00:30:20,589
When you first try and join,

892
00:30:20,590 --> 00:30:22,479
the game would actually send the same

893
00:30:22,480 --> 00:30:24,549
request as if you had selected the host

894
00:30:24,550 --> 00:30:27,189
info button. So you can guess, when

895
00:30:27,190 --> 00:30:28,509
you try and join the game, first thing it

896
00:30:28,510 --> 00:30:30,400
does is it tries to get the host info.

897
00:30:32,110 --> 00:30:33,759
Makes sense. I mean, and with the host

898
00:30:33,760 --> 00:30:35,859
info we're able to play around with, ah,

899
00:30:35,860 --> 00:30:37,809
we can see that data so we can experiment

900
00:30:37,810 --> 00:30:38,829
and we can figure this out.

901
00:30:38,830 --> 00:30:40,809
That packet itself was easy to figure

902
00:30:40,810 --> 00:30:40,899
out.

903
00:30:40,900 --> 00:30:43,119
Just play around with the data, see

904
00:30:43,120 --> 00:30:44,120
what happens.
905
00:30:45,100 --> 00:30:47,199
The next step was players. That,

906
00:30:48,520 --> 00:30:49,520
again, if you

907
00:30:50,920 --> 00:30:52,299
go inside the player list, you can make the

908
00:30:52,300 --> 00:30:52,539
players

909
00:30:52,540 --> 00:30:54,669
request. We knew what it was, we

910
00:30:54,670 --> 00:30:56,499
didn't know the proper response.

911
00:30:56,500 --> 00:30:58,899
And this is actually probably

912
00:30:58,900 --> 00:31:00,549
the most difficult part to figure out.

913
00:31:00,550 --> 00:31:02,409
And this is another place where we didn't

914
00:31:02,410 --> 00:31:03,640
figure it out yet,

915
00:31:04,710 --> 00:31:06,669
a request of players.

916
00:31:06,670 --> 00:31:08,829
That's right. We know generally what it's

917
00:31:08,830 --> 00:31:10,879
trying to send, just not the exact format

918
00:31:10,880 --> 00:31:12,429
at this point.

919
00:31:12,430 --> 00:31:13,509
So we started looking, though.

920
00:31:13,510 --> 00:31:15,879
We are looking at doing some

921
00:31:15,880 --> 00:31:16,899
static analysis.

922
00:31:16,900 --> 00:31:18,919
They're just looking at the ELF.

923
00:31:18,920 --> 00:31:20,349
That's why there's no debugging

924
00:31:20,350 --> 00:31:22,539
functionality on the table.

925
00:31:22,540 --> 00:31:24,789
But what we did have was

926
00:31:24,790 --> 00:31:26,919
the emulator for the PS2.

927
00:31:26,920 --> 00:31:28,959
You could load that off my laptop.

928
00:31:28,960 --> 00:31:30,879
I can start the game.

929
00:31:30,880 --> 00:31:32,709
And if you make a save state, it'll

930
00:31:32,710 --> 00:31:35,499
actually save the emulator's

931
00:31:35,500 --> 00:31:37,299
version of the memory.

932
00:31:37,300 --> 00:31:39,429
So somewhat accurate, at least

933
00:31:39,430 --> 00:31:41,739
let us see the code after it was unpacked

934
00:31:41,740 --> 00:31:42,740
in memory.
935
00:31:45,110 --> 00:31:47,179
So the next thing then, if you got

936
00:31:47,180 --> 00:31:49,129
the code or the disassembly, not

937
00:31:49,130 --> 00:31:51,319
necessarily the code, you can

938
00:31:51,320 --> 00:31:53,599
start looking for, try and find that code

939
00:31:53,600 --> 00:31:55,799
path where your interesting code is.

940
00:31:55,800 --> 00:31:57,499
So what you can do is you look at nearby

941
00:31:57,500 --> 00:31:59,719
strings. In this type

942
00:31:59,720 --> 00:32:01,489
of game, you're not really having too many

943
00:32:01,490 --> 00:32:03,199
nearby strings. But we did know that the

944
00:32:03,200 --> 00:32:05,749
request is that forty one point three.

945
00:32:05,750 --> 00:32:07,369
So that was the number we can look for.

946
00:32:07,370 --> 00:32:09,439
Turns out that happened several thousand

947
00:32:09,440 --> 00:32:11,899
times in the file and wasn't helpful.

948
00:32:11,900 --> 00:32:13,489
But the XOR code that we mentioned

949
00:32:13,490 --> 00:32:15,529
earlier, that was four bytes.

950
00:32:15,530 --> 00:32:16,909
That only happened a couple of times.

951
00:32:16,910 --> 00:32:18,499
So we can actually follow those,

952
00:32:19,700 --> 00:32:22,069
the XOR, and we could follow it along

953
00:32:22,070 --> 00:32:24,259
until we found where those, where that

954
00:32:24,260 --> 00:32:27,069
other number came up in this nice little

955
00:32:27,070 --> 00:32:28,459
little switch area.

956
00:32:28,460 --> 00:32:29,359
It's just branching.

957
00:32:29,360 --> 00:32:31,699
If the numbers are, if the comparison

958
00:32:31,700 --> 00:32:33,919
comes out to zero

959
00:32:33,920 --> 00:32:35,299
and you follow that along, you see a

960
00:32:35,300 --> 00:32:36,300
function call.

961
00:32:37,790 --> 00:32:39,829
So again, we couldn't figure out exactly

962
00:32:39,830 --> 00:32:41,179
what was going on there.
963
00:32:41,180 --> 00:32:43,279
But what happens again if we just return

964
00:32:43,280 --> 00:32:45,439
zero? So we know that's all

965
00:32:45,440 --> 00:32:46,609
it's doing. It's always looking if

966
00:32:46,610 --> 00:32:48,739
something's just zero or not

967
00:32:48,740 --> 00:32:50,989
equal to zero at that point.

968
00:32:50,990 --> 00:32:53,119
So you can either follow

969
00:32:53,120 --> 00:32:54,439
through and figure out exactly what

970
00:32:54,440 --> 00:32:56,569
little check is going wrong, which is

971
00:32:56,570 --> 00:32:57,650
the ideal case.

972
00:32:58,850 --> 00:33:00,949
Or, and then determine what data

973
00:33:00,950 --> 00:33:02,209
would make it pass.

974
00:33:03,600 --> 00:33:05,129
Ultimately, we couldn't figure out what

975
00:33:05,130 --> 00:33:06,599
data would actually make this pass.

976
00:33:06,600 --> 00:33:07,579
We did have to patch it.

977
00:33:07,580 --> 00:33:09,389
That was just returning zero.

978
00:33:09,390 --> 00:33:11,489
We just want to play, just patch it out,

979
00:33:11,490 --> 00:33:12,059
get going.

980
00:33:12,060 --> 00:33:14,069
I spent a lot of time trying to do this,

981
00:33:14,070 --> 00:33:15,779
though. I mean, I wanted to do this

982
00:33:15,780 --> 00:33:18,419
server as pure as possible,

983
00:33:18,420 --> 00:33:19,889
doing everything myself.

984
00:33:19,890 --> 00:33:21,959
It's made me take

985
00:33:21,960 --> 00:33:23,459
a whole lot of extra time.

986
00:33:23,460 --> 00:33:25,049
So we end up patching this game, just a

987
00:33:25,050 --> 00:33:26,579
little code.

988
00:33:26,580 --> 00:33:27,899
We can't, like, add a lot of extra

989
00:33:27,900 --> 00:33:30,029
functionality, but we can patch a few

990
00:33:30,030 --> 00:33:31,169
things here and there.

991
00:33:31,170 --> 00:33:32,699
So this is something that we decided to do

992
00:33:32,700 --> 00:33:33,700
that for.
993 00:33:34,360 --> 00:33:36,489 So now we have a request in 994 00:33:36,490 --> 00:33:38,169 the game, information, we have a 995 00:33:38,170 --> 00:33:39,699 requesting the players, we have a 996 00:33:39,700 --> 00:33:41,919 requesting the player information 997 00:33:41,920 --> 00:33:44,169 of the host, which is the fact 998 00:33:44,170 --> 00:33:46,329 that we dispatch and now it send another 999 00:33:46,330 --> 00:33:48,369 new packet request or another request 1000 00:33:48,370 --> 00:33:50,769 coming out. Forty three, twenty. 1001 00:33:50,770 --> 00:33:52,299 Of course, these identifiers, I mean, 1002 00:33:52,300 --> 00:33:55,269 forty three usually are the first two 1003 00:33:55,270 --> 00:33:57,399 names are usually correspond to groupings 1004 00:33:57,400 --> 00:33:59,799 like authentication was always twenty, 1005 00:33:59,800 --> 00:34:01,959 forty three generally had to do with your 1006 00:34:01,960 --> 00:34:03,849 game set up. 1007 00:34:03,850 --> 00:34:04,809 So forty three twenty. 1008 00:34:04,810 --> 00:34:06,159 It's something about the game but we 1009 00:34:06,160 --> 00:34:07,389 don't really know what 1010 00:34:08,800 --> 00:34:10,599 that's going to try to use some external 1011 00:34:10,600 --> 00:34:13,059 resources so it could jump towards 1012 00:34:13,060 --> 00:34:14,229 googling. 1013 00:34:14,230 --> 00:34:15,669 Yeah. And this being kind of a private 1014 00:34:15,670 --> 00:34:17,888 protocol, not a whole lot 1015 00:34:17,889 --> 00:34:19,509 of information, but there was a game that 1016 00:34:19,510 --> 00:34:22,388 came out shortly after 1017 00:34:22,389 --> 00:34:24,039 Metal Gear Online 1, which is Pro 1018 00:34:24,040 --> 00:34:25,509 Evolution Soccer. 1019 00:34:25,510 --> 00:34:27,369 And this game was like five months after 1020 00:34:27,370 --> 00:34:30,129 I had a or a PC version. 
1021 00:34:30,130 --> 00:34:31,689 So someone had already kind of figured 1022 00:34:31,690 --> 00:34:33,908 out some of the protocol and that 1023 00:34:33,909 --> 00:34:34,899 a lot of it was different. 1024 00:34:34,900 --> 00:34:36,429 But there were some similarities. 1025 00:34:38,520 --> 00:34:41,039 And Metal Gear Online 2 was still online 1026 00:34:41,040 --> 00:34:42,749 at this time, but I didn't like that 1027 00:34:42,750 --> 00:34:44,309 game, so I was even trying to build that 1028 00:34:44,310 --> 00:34:45,310 server. 1029 00:34:46,290 --> 00:34:48,209 But it had that particular package, so 1030 00:34:48,210 --> 00:34:50,218 just using that external resource, we are 1031 00:34:50,219 --> 00:34:52,349 able to figure out what 1032 00:34:52,350 --> 00:34:53,729 it was and what was asking for was 1033 00:34:53,730 --> 00:34:55,948 basically IP information, 1034 00:34:55,949 --> 00:34:58,289 the host external and internal 1035 00:34:58,290 --> 00:35:00,359 IP for connecting to it 1036 00:35:00,360 --> 00:35:02,069 to actually play the game. 1037 00:35:02,070 --> 00:35:04,409 So we actually had the client 1038 00:35:04,410 --> 00:35:06,089 trying to connect to the host, which is 1039 00:35:06,090 --> 00:35:07,139 exactly what you want. 1040 00:35:07,140 --> 00:35:08,669 But the host would certainly just send 1041 00:35:08,670 --> 00:35:09,680 40, 30, 40. 1042 00:35:10,890 --> 00:35:12,149 It's like you're connected. 1043 00:35:12,150 --> 00:35:13,629 All right, you're talking to each other. 1044 00:35:13,630 --> 00:35:15,179 Why do you need to ask the host or 1045 00:35:15,180 --> 00:35:16,409 something else? 1046 00:35:16,410 --> 00:35:18,519 And Metal Gear Online 2 didn't have this. 1047 00:35:18,520 --> 00:35:20,010 Pro Evolution Soccer didn't have this. 
1048 00:35:21,060 --> 00:35:22,379 I think I looked at a number of other 1049 00:35:22,380 --> 00:35:23,729 games actually try and figure out 1050 00:35:23,730 --> 00:35:25,109 something that maybe came out at the 1051 00:35:25,110 --> 00:35:27,569 right time, Portable 1052 00:35:27,570 --> 00:35:29,939 Ops, another Metal Gear game. 1053 00:35:29,940 --> 00:35:31,889 It did have this. 1054 00:35:31,890 --> 00:35:32,789 Nothing had this. 1055 00:35:32,790 --> 00:35:35,879 It just this unexpected packet coming in. 1056 00:35:35,880 --> 00:35:37,979 There's no error message because it's 1057 00:35:37,980 --> 00:35:39,179 the host asking for this. 1058 00:35:39,180 --> 00:35:40,529 Well, it's already in the game, so it's 1059 00:35:40,530 --> 00:35:41,579 not going to display anything. 1060 00:35:41,580 --> 00:35:43,499 It just want to ignore the client if it 1061 00:35:43,500 --> 00:35:45,569 doesn't get the right response and the 1062 00:35:45,570 --> 00:35:47,340 payload is just the player's ID. 1063 00:35:48,420 --> 00:35:50,519 So the kind of obvious guess there 1064 00:35:50,520 --> 00:35:52,379 is, maybe it's asking, is this player OK 1065 00:35:52,380 --> 00:35:54,279 to join? So send it a success. 1066 00:35:54,280 --> 00:35:55,280 That didn't work. 1067 00:35:56,810 --> 00:35:59,089 So I'm sorry to follow through, 1068 00:35:59,090 --> 00:36:01,309 looking at the assembly again, 1069 00:36:01,310 --> 00:36:03,019 this guy's sitting in there, we found the 1070 00:36:03,020 --> 00:36:04,429 forty three four when these were all in 1071 00:36:04,430 --> 00:36:06,109 the same place, by the way, once we found 1072 00:36:06,110 --> 00:36:08,089 the one area we could see all of these 1073 00:36:08,090 --> 00:36:10,579 commands, we see our branches, 1074 00:36:10,580 --> 00:36:11,989 we see where jumps to. 
1075 00:36:13,930 --> 00:36:15,669 And it makes a lot of calls, but was 1076 00:36:15,670 --> 00:36:17,499 never checking the return values of these 1077 00:36:17,500 --> 00:36:20,259 calls, I would read four bytes 1078 00:36:20,260 --> 00:36:22,749 after the initial 1079 00:36:22,750 --> 00:36:24,219 success code. 1080 00:36:26,080 --> 00:36:27,370 So you start looking. 1081 00:36:29,280 --> 00:36:31,349 And what we end up realizing was 1082 00:36:31,350 --> 00:36:33,329 basically that with just throwing those 1083 00:36:33,330 --> 00:36:35,669 four bytes, what it's asking 1084 00:36:35,670 --> 00:36:38,009 for is basically an echo, send 1085 00:36:38,010 --> 00:36:39,929 it back the player's ID that's trying to 1086 00:36:39,930 --> 00:36:40,930 join. 1087 00:36:42,420 --> 00:36:43,619 And that was basically our structure. 1088 00:36:43,620 --> 00:36:45,699 So from that, it was the only power 1089 00:36:45,700 --> 00:36:47,169 to do that. So stupid. 1090 00:36:47,170 --> 00:36:49,259 Yeah, it's so it 1091 00:36:49,260 --> 00:36:50,159 took a while there. 1092 00:36:50,160 --> 00:36:51,689 This was my breakthrough. 1093 00:36:51,690 --> 00:36:54,089 I make sure I had two weeks to 1094 00:36:54,090 --> 00:36:56,159 work on the server 1095 00:36:56,160 --> 00:36:57,750 for more from my employer. 1096 00:36:59,100 --> 00:37:01,139 This was where I spent most of that time 1097 00:37:01,140 --> 00:37:03,809 figuring this out, took 1098 00:37:03,810 --> 00:37:05,939 pretty much week and a half of solid 1099 00:37:05,940 --> 00:37:08,009 time just to figure that little thing 1100 00:37:08,010 --> 00:37:10,259 out. So we're jumping through this really 1101 00:37:10,260 --> 00:37:12,509 quickly, but it took us a lot longer 1102 00:37:12,510 --> 00:37:14,339 than what you're seeing here. 1103 00:37:14,340 --> 00:37:15,509 So we were successful. 
1104 00:37:15,510 --> 00:37:17,489 We finally had the game connect when we 1105 00:37:17,490 --> 00:37:19,439 figured out that response and we were 1106 00:37:19,440 --> 00:37:22,139 able to actually, you know, play 1107 00:37:22,140 --> 00:37:23,249 a bit. 1108 00:37:23,250 --> 00:37:25,349 So we've got is a quick video from 1109 00:37:25,350 --> 00:37:26,350 the server. 1110 00:37:29,590 --> 00:37:30,789 I don't know how many of you have 1111 00:37:30,790 --> 00:37:31,930 actually played the game over. 1112 00:37:36,000 --> 00:37:38,219 I mean, just most people don't really 1113 00:37:38,220 --> 00:37:40,319 know the game, so this is what it 1114 00:37:40,320 --> 00:37:42,539 looked like, you fight after 1115 00:37:42,540 --> 00:37:43,540 a frog. 1116 00:37:56,520 --> 00:37:58,379 So we on for that. 1117 00:37:58,380 --> 00:38:00,469 So, um, so what's next? 1118 00:38:00,470 --> 00:38:02,789 We got the actual game working and 1119 00:38:02,790 --> 00:38:04,709 I actually like Metal Gear Online 2, so I got 1120 00:38:04,710 --> 00:38:05,759 that up and running because he didn't 1121 00:38:05,760 --> 00:38:08,039 want to. So what's 1122 00:38:08,040 --> 00:38:10,559 next from there? As you can see, there's 1123 00:38:10,560 --> 00:38:13,559 a map for one of the guys on the team. 1124 00:38:13,560 --> 00:38:14,999 There's a team, about five of us that 1125 00:38:15,000 --> 00:38:16,569 worked on this. 1126 00:38:16,570 --> 00:38:18,719 Um, he started going through 1127 00:38:18,720 --> 00:38:20,849 the actual game 1128 00:38:20,850 --> 00:38:23,039 files, which had their own sorts of 1129 00:38:23,040 --> 00:38:24,779 like encryptions and encodings. 1130 00:38:24,780 --> 00:38:26,239 And it was a completely different world 1131 00:38:26,240 --> 00:38:27,959 doing. Probably give your own talk on 1132 00:38:27,960 --> 00:38:29,519 just those files, but I thought it was 1133 00:38:29,520 --> 00:38:31,140 pretty neat, so I thought I'd mention it. 
1134 00:38:32,280 --> 00:38:33,989 And right there you can actually see that 1135 00:38:33,990 --> 00:38:36,299 he pulled out a map and 1136 00:38:36,300 --> 00:38:38,339 was actually able to make modifications 1137 00:38:38,340 --> 00:38:40,259 and loaded up a custom map in the game. 1138 00:38:40,260 --> 00:38:42,479 So, you know, just 1139 00:38:42,480 --> 00:38:44,039 kind of acting on everything at that 1140 00:38:44,040 --> 00:38:45,849 point. We might even have a custom game 1141 00:38:45,850 --> 00:38:48,149 modes. And but it's 1142 00:38:48,150 --> 00:38:50,069 just kind of you just keep running with 1143 00:38:50,070 --> 00:38:51,070 it. 1144 00:38:54,620 --> 00:38:56,780 See, I've already touched on this, but 1145 00:38:57,950 --> 00:38:59,779 for each of the games, Metal Gear Online 1146 00:38:59,780 --> 00:39:01,699 1, they talk about 10 months of work 1147 00:39:01,700 --> 00:39:03,049 off and on. I mean, this wasn't like 1148 00:39:03,050 --> 00:39:05,479 eight hour days every day for 10 months, 1149 00:39:05,480 --> 00:39:07,369 but off and on work for about ten 1150 00:39:07,370 --> 00:39:08,899 months. And Metal Gear Online 2 took 1151 00:39:08,900 --> 00:39:11,179 about the same amount of time. 1152 00:39:11,180 --> 00:39:13,069 In this little talk here, we've shown 1153 00:39:13,070 --> 00:39:15,469 about six different commands, whereas 1154 00:39:15,470 --> 00:39:17,269 in the actual servers we deal with about 1155 00:39:17,270 --> 00:39:18,289 80. 1156 00:39:18,290 --> 00:39:19,939 So there's a lot of stuff missing here. 1157 00:39:19,940 --> 00:39:21,319 This is just kind of an overview of some 1158 00:39:21,320 --> 00:39:23,479 things that we found helpful, a lot 1159 00:39:23,480 --> 00:39:25,819 of headaches, a lot of frustration and 1160 00:39:25,820 --> 00:39:28,189 no real existing reference 1161 00:39:28,190 --> 00:39:30,049 material for us to work from. 
1162 00:39:30,050 --> 00:39:31,369 Nobody really talks about building 1163 00:39:31,370 --> 00:39:32,539 servers from something that's already 1164 00:39:32,540 --> 00:39:34,579 down. I mean, you've got some talks on 1165 00:39:35,750 --> 00:39:38,119 building like private servers for 1166 00:39:38,120 --> 00:39:39,739 games are already up or you can just look 1167 00:39:39,740 --> 00:39:41,869 at what the server response, but 1168 00:39:41,870 --> 00:39:43,129 nothing really about this. 1169 00:39:43,130 --> 00:39:44,959 And the other thing is people are crazy 1170 00:39:44,960 --> 00:39:46,249 at times. 1171 00:39:46,250 --> 00:39:48,439 A lot of trolling at people 1172 00:39:48,440 --> 00:39:49,819 when we are looking for the packet capture 1173 00:39:49,820 --> 00:39:51,229 had a lot of people come in saying they 1174 00:39:51,230 --> 00:39:53,179 had it, oh, just let me grab it. 1175 00:39:53,180 --> 00:39:54,709 And they disappear from our scene for the 1176 00:39:54,710 --> 00:39:56,899 next year and just 1177 00:39:56,900 --> 00:39:58,849 leave us there or in a lot of random 1178 00:39:58,850 --> 00:40:00,319 people that want to sue you. 1179 00:40:00,320 --> 00:40:02,419 For some reason, they're not even related 1180 00:40:02,420 --> 00:40:03,469 to a company either. 1181 00:40:03,470 --> 00:40:05,089 To some dude on IRC who's going to sue 1182 00:40:05,090 --> 00:40:06,139 you? 1183 00:40:06,140 --> 00:40:07,129 I don't know. 1184 00:40:07,130 --> 00:40:08,239 Yeah, whatever. 1185 00:40:08,240 --> 00:40:10,609 Or we had one guy who spent 1186 00:40:10,610 --> 00:40:12,289 a lot of time trying to convince me that 1187 00:40:12,290 --> 00:40:14,389 he was talking to Konami and how they 1188 00:40:14,390 --> 00:40:16,159 were getting ready to prepare a legal 1189 00:40:16,160 --> 00:40:18,409 suit against us and 1190 00:40:18,410 --> 00:40:20,179 how he want me to remove his account 1191 00:40:20,180 --> 00:40:21,499 because of this. 
He didn't want to get 1192 00:40:21,500 --> 00:40:23,509 tied in with it. So I remove his account. 1193 00:40:23,510 --> 00:40:25,339 He comes back a few days later asking for 1194 00:40:25,340 --> 00:40:27,049 me to let him back on. 1195 00:40:27,050 --> 00:40:29,090 So he wasn't really talking with Konami. 1196 00:40:30,140 --> 00:40:32,239 And the other real issue there is 1197 00:40:32,240 --> 00:40:34,609 copyright DMCA running 1198 00:40:34,610 --> 00:40:36,079 these servers in the US. 1199 00:40:36,080 --> 00:40:38,149 We have to deal with DMCA. 1200 00:40:38,150 --> 00:40:39,769 We have to worry about that. 1201 00:40:39,770 --> 00:40:42,319 And there is an exception for 1202 00:40:42,320 --> 00:40:44,419 building things like this as long as you 1203 00:40:44,420 --> 00:40:46,429 don't violate the terms of service. 1204 00:40:46,430 --> 00:40:48,379 In our case, since the server was down, 1205 00:40:48,380 --> 00:40:50,449 it would when you first 1206 00:40:50,450 --> 00:40:52,459 connect to the server, it would request a 1207 00:40:52,460 --> 00:40:54,799 policy text file from 1208 00:40:54,800 --> 00:40:56,239 the server. It was a nexus. 1209 00:40:56,240 --> 00:40:58,489 So we were on the server. 1210 00:40:58,490 --> 00:40:59,899 We control the terms of service that 1211 00:40:59,900 --> 00:41:00,920 we're agreeing to. 1212 00:41:09,780 --> 00:41:11,669 So, of course, that was basically not 1213 00:41:11,670 --> 00:41:13,289 much of an issue where the issue does 1214 00:41:13,290 --> 00:41:15,479 come up for us was Sony, 1215 00:41:15,480 --> 00:41:17,819 their DNAS, as mentioned 1216 00:41:17,820 --> 00:41:19,979 early on, that the 1217 00:41:19,980 --> 00:41:22,349 terms of service for that were still 1218 00:41:22,350 --> 00:41:24,689 potentially valid, although 1219 00:41:24,690 --> 00:41:26,729 the terms point to a nonexistent URL. 1220 00:41:26,730 --> 00:41:29,379 So I don't know where that stands. 1221 00:41:29,380 --> 00:41:30,059 So. 
1222 00:41:30,060 --> 00:41:31,619 Well, actually, I was going to say this 1223 00:41:31,620 --> 00:41:33,540 is fairly recent, but 1224 00:41:34,710 --> 00:41:36,119 I got in communication with this guy, 1225 00:41:36,120 --> 00:41:37,559 reached out to me who was doing a similar 1226 00:41:37,560 --> 00:41:39,779 project for an old 1227 00:41:39,780 --> 00:41:41,999 MMO, Commodore 64, 1228 00:41:42,000 --> 00:41:43,259 bringing that back up. 1229 00:41:43,260 --> 00:41:45,489 And he reached out to the EFF and 1230 00:41:45,490 --> 00:41:47,639 they came to us 1231 00:41:47,640 --> 00:41:49,679 because this although we did similar work 1232 00:41:49,680 --> 00:41:51,239 and they're trying to actually push 1233 00:41:51,240 --> 00:41:53,489 through an exception for 1234 00:41:53,490 --> 00:41:55,019 projects similar to this, where it's 1235 00:41:55,020 --> 00:41:57,209 software that is no longer managed 1236 00:41:57,210 --> 00:41:59,099 in the original company and just is doing 1237 00:41:59,100 --> 00:42:01,259 nothing with it, that you can 1238 00:42:01,260 --> 00:42:03,329 kind of reverse and run it up there as 1239 00:42:03,330 --> 00:42:04,529 long as obviously you're not taking 1240 00:42:04,530 --> 00:42:05,819 payments or anything for it. 1241 00:42:05,820 --> 00:42:07,650 But I thought that was kind of cool. 1242 00:42:09,030 --> 00:42:10,949 So, yeah, I mean, there's a lot more to 1243 00:42:10,950 --> 00:42:13,889 this than just what we've shown here. 1244 00:42:13,890 --> 00:42:16,079 But it was it was fun, 1245 00:42:16,080 --> 00:42:17,609 at least looking back on it was fun, 1246 00:42:17,610 --> 00:42:18,610 maybe not at the time. 1247 00:42:19,950 --> 00:42:21,389 So it's just some credit. 1248 00:42:21,390 --> 00:42:23,489 Sarabi, the two of us here, 1249 00:42:23,490 --> 00:42:25,139 he was mostly folks on Melgar online, 1250 00:42:25,140 --> 00:42:27,209 too. 
I did the first 1251 00:42:27,210 --> 00:42:29,279 game gigahertz gangster 1252 00:42:29,280 --> 00:42:30,629 Darick. 1253 00:42:30,630 --> 00:42:32,279 He wore Dacron both. 1254 00:42:32,280 --> 00:42:34,469 He was the only guy working with me first 1255 00:42:34,470 --> 00:42:35,639 on the Metal Gear Online 1256 00:42:35,640 --> 00:42:37,829 1 server, the fog 1257 00:42:37,830 --> 00:42:39,809 did another two game. 1258 00:42:39,810 --> 00:42:41,879 They revived that one resident evil 1259 00:42:41,880 --> 00:42:42,880 break. 1260 00:42:44,640 --> 00:42:46,289 And he helped us out actually really 1261 00:42:46,290 --> 00:42:47,819 early on with something groundbreaking 1262 00:42:47,820 --> 00:42:50,009 with that initial DNAS area, some 1263 00:42:50,010 --> 00:42:52,199 of the first protocol stuff 1264 00:42:52,200 --> 00:42:53,879 he did, some of the initial groundbreaking 1265 00:42:53,880 --> 00:42:54,880 there. 1266 00:42:55,470 --> 00:42:57,089 I mentioned Pro Evolution Soccer in 1267 00:42:57,090 --> 00:42:59,100 that server that was done by Helstone, 1268 00:43:00,660 --> 00:43:03,059 which I just kind of randomly contacted 1269 00:43:03,060 --> 00:43:05,129 him on Twitter like you did the server. 1270 00:43:05,130 --> 00:43:06,719 Is this true about the protocol? 1271 00:43:06,720 --> 00:43:08,819 Is this true? And I I don't 1272 00:43:08,820 --> 00:43:10,149 know what he was thinking at first, but 1273 00:43:10,150 --> 00:43:11,519 it took a little while before he finally 1274 00:43:11,520 --> 00:43:13,109 responded to me and I was able to bounce 1275 00:43:13,110 --> 00:43:14,369 a few questions off them. 1276 00:43:15,390 --> 00:43:16,739 And we've got what the fuck are you 1277 00:43:16,740 --> 00:43:19,099 thinking? One, he's helped out with 1278 00:43:19,100 --> 00:43:21,449 two of the three stuff, some Metal Gear 1279 00:43:21,450 --> 00:43:22,739 Online 2 stuff. 
1280 00:43:22,740 --> 00:43:24,929 And our crazy 1281 00:43:24,930 --> 00:43:27,059 friend Jay, who was doing the math work 1282 00:43:27,060 --> 00:43:28,380 in the off the file stuff. 1283 00:43:29,580 --> 00:43:32,279 And one thing I forgot to mention is the 1284 00:43:32,280 --> 00:43:34,379 three work, this guy 1285 00:43:34,380 --> 00:43:36,659 over here, there's a lot of great artist 1286 00:43:36,660 --> 00:43:37,229 groups. 1287 00:43:37,230 --> 00:43:39,569 If you're ever analyzing PS3 ELFs 1288 00:43:39,570 --> 00:43:41,699 or libraries, they'll just 1289 00:43:41,700 --> 00:43:42,899 map out all the functions for you. 1290 00:43:42,900 --> 00:43:44,249 It's excellent. So you should have good 1291 00:43:44,250 --> 00:43:45,359 download that if you're ever going to 1292 00:43:45,360 --> 00:43:46,360 look into it. 1293 00:43:48,040 --> 00:43:50,169 And yeah, so, 1294 00:43:50,170 --> 00:43:52,719 um, I guess if anybody has any questions 1295 00:43:52,720 --> 00:43:54,399 that could obviously just e-mail us or 1296 00:43:54,400 --> 00:43:56,619 reach out to us on Twitter or 1297 00:43:56,620 --> 00:43:58,209 come up in front of everybody and ask. 1298 00:44:09,940 --> 00:44:12,069 OK, thank you very much for that 1299 00:44:12,070 --> 00:44:14,949 applause and thank you very much 1300 00:44:14,950 --> 00:44:16,269 to our speakers. 1301 00:44:16,270 --> 00:44:19,239 Any questions I see 1302 00:44:19,240 --> 00:44:20,469 microphone four 1303 00:44:21,640 --> 00:44:22,659 hello. 1304 00:44:22,660 --> 00:44:24,969 Hello. So you've spoken 1305 00:44:24,970 --> 00:44:27,069 a lot about the protocol joining the 1306 00:44:27,070 --> 00:44:29,469 games and, you know, 1307 00:44:29,470 --> 00:44:30,969 enumerating servers. 1308 00:44:30,970 --> 00:44:32,799 How more complicated is it once you're 1309 00:44:32,800 --> 00:44:34,539 actually in the game? What do the clients 1310 00:44:34,540 --> 00:44:35,949 send to the server? 
1311 00:44:35,950 --> 00:44:38,169 Like how much of the actual game logic 1312 00:44:38,170 --> 00:44:40,419 is on the server or is that 1313 00:44:40,420 --> 00:44:42,639 really just passing messages between 1314 00:44:42,640 --> 00:44:43,569 clients? 1315 00:44:43,570 --> 00:44:44,919 Please, a bit quieter. 1316 00:44:44,920 --> 00:44:47,229 So the the server 1317 00:44:47,230 --> 00:44:49,269 protocol or the protocol that we reversed 1318 00:44:49,270 --> 00:44:51,639 was actually the controller, the gate 1319 00:44:51,640 --> 00:44:54,639 one that actually got to the gameplay. 1320 00:44:54,640 --> 00:44:55,689 That was a separate protocol. 1321 00:44:55,690 --> 00:44:57,129 That was all peer to peer. 1322 00:44:57,130 --> 00:44:59,559 So once the actual consoles communicated, 1323 00:44:59,560 --> 00:45:01,659 they hosted their own games. 1324 00:45:01,660 --> 00:45:03,789 We started looking into that a little bit 1325 00:45:03,790 --> 00:45:05,679 just for shits and giggles to kind of 1326 00:45:05,680 --> 00:45:06,819 like play around the game. 1327 00:45:06,820 --> 00:45:08,919 But to actually get it 1328 00:45:08,920 --> 00:45:10,719 all up and running, it was the main 1329 00:45:10,720 --> 00:45:12,789 controller just to get the consoles 1330 00:45:12,790 --> 00:45:14,859 communicating because everything 1331 00:45:14,860 --> 00:45:16,449 was hosted locally. 1332 00:45:16,450 --> 00:45:17,450 Oh, cool. Thank you. 1333 00:45:18,760 --> 00:45:19,760 OK, 1334 00:45:20,920 --> 00:45:23,739 can you give the Oscars 1335 00:45:23,740 --> 00:45:26,009 a bit more quiet, please, by 1336 00:45:26,010 --> 00:45:27,339 way of going out? 1337 00:45:27,340 --> 00:45:29,499 I see microphone one. 1338 00:45:29,500 --> 00:45:30,519 Hey, great work. 1339 00:45:30,520 --> 00:45:32,619 You did just the point. 
1340 00:45:32,620 --> 00:45:34,809 If you run into legal troubles of 1341 00:45:34,810 --> 00:45:37,119 the German National Library is allowed 1342 00:45:37,120 --> 00:45:39,219 to crack copyright 1343 00:45:39,220 --> 00:45:41,409 protection on at least 1344 00:45:41,410 --> 00:45:43,299 on books and music. 1345 00:45:43,300 --> 00:45:45,689 So I 1346 00:45:45,690 --> 00:45:47,949 don't know if the same situation applies 1347 00:45:47,950 --> 00:45:50,229 in the US, but national 1348 00:45:50,230 --> 00:45:52,569 libraries, museums would definitely 1349 00:45:52,570 --> 00:45:54,189 be the place to look for because they do 1350 00:45:54,190 --> 00:45:56,019 have some exceptions. 1351 00:45:56,020 --> 00:45:58,209 Yeah, one thing with what we've got with 1352 00:45:58,210 --> 00:46:00,309 DNAS system is you can 1353 00:46:00,310 --> 00:46:02,800 actually use our bypass to do any piracy. 1354 00:46:04,120 --> 00:46:05,649 It doesn't actually like you do that, but 1355 00:46:05,650 --> 00:46:06,729 it is a break of the system. 1356 00:46:06,730 --> 00:46:08,979 So it is maybe it's not a gray 1357 00:46:08,980 --> 00:46:10,869 area. I tend to think of it as one. 1358 00:46:12,280 --> 00:46:14,529 We've taken a few steps kind of make 1359 00:46:14,530 --> 00:46:16,779 it not necessarily difficult 1360 00:46:16,780 --> 00:46:18,249 to take a legal action against us. 1361 00:46:18,250 --> 00:46:20,349 But I mean, we won't take donations, so 1362 00:46:20,350 --> 00:46:21,969 there's no profit in coming after us. 1363 00:46:21,970 --> 00:46:23,949 Besides the negative publicity for taking 1364 00:46:23,950 --> 00:46:24,950 down the server, 1365 00:46:26,230 --> 00:46:27,849 obviously they still can deal with their 1366 00:46:27,850 --> 00:46:30,039 you know, Sony can do what they want. 1367 00:46:30,040 --> 00:46:32,139 Yeah, the company is well aware of the 1368 00:46:32,140 --> 00:46:33,339 project. 
1369 00:46:33,340 --> 00:46:35,499 They have not publicly acknowledged 1370 00:46:35,500 --> 00:46:37,149 it. Well, actually, they did on Twitter 1371 00:46:37,150 --> 00:46:39,489 last week, but they 1372 00:46:39,490 --> 00:46:40,719 they won't really discuss it. 1373 00:46:40,720 --> 00:46:43,059 Actually, I was in Seattle this 1374 00:46:43,060 --> 00:46:44,589 like a year or two ago, and the 1375 00:46:44,590 --> 00:46:45,879 developers from the team were there for 1376 00:46:45,880 --> 00:46:48,129 PAX. And I just 1377 00:46:48,130 --> 00:46:50,109 like kind of walked into the VIP area and 1378 00:46:50,110 --> 00:46:51,159 was chatting with them. 1379 00:46:51,160 --> 00:46:52,719 And we went out partying all night and 1380 00:46:52,720 --> 00:46:53,919 getting drunk and stuff. 1381 00:46:53,920 --> 00:46:56,019 And I kind of kept open communication 1382 00:46:56,020 --> 00:46:57,549 with them. And when I was working on 1383 00:46:57,550 --> 00:46:59,949 this, we were kind of chit chatting. 1384 00:46:59,950 --> 00:47:01,749 And then I sent like a question about the 1385 00:47:01,750 --> 00:47:03,879 protocol, as I had noticed this, 1386 00:47:03,880 --> 00:47:05,769 like, could you give me some info? 1387 00:47:05,770 --> 00:47:07,449 And it's just been like radio silence, 1388 00:47:07,450 --> 00:47:09,069 just like immediately stopped 1389 00:47:09,070 --> 00:47:10,149 communicating with me. 1390 00:47:11,230 --> 00:47:12,939 But but other than that, the company has 1391 00:47:12,940 --> 00:47:14,589 been, like, totally cool about it. 1392 00:47:15,880 --> 00:47:18,279 And they're the new version 1393 00:47:18,280 --> 00:47:19,749 of their games actually coming out soon. 1394 00:47:19,750 --> 00:47:20,949 They just released a trailer for it. 1395 00:47:20,950 --> 00:47:23,019 So we'll have to revive that one soon. 1396 00:47:23,020 --> 00:47:24,099 So we'll see. 1397 00:47:26,200 --> 00:47:29,109 OK, microphone two. 
1398 00:47:29,110 --> 00:47:30,069 Hi, thank you. 1399 00:47:30,070 --> 00:47:32,169 And I have a question because 1400 00:47:32,170 --> 00:47:34,089 somebody already mentioned libraries, 1401 00:47:34,090 --> 00:47:35,769 national libraries and stuff. 1402 00:47:35,770 --> 00:47:37,989 And, um, I actually 1403 00:47:37,990 --> 00:47:40,179 wonder if there's a place maybe like 1404 00:47:40,180 --> 00:47:42,839 libraries for Ethernet 1405 00:47:42,840 --> 00:47:45,519 that captures of the games that are 1406 00:47:45,520 --> 00:47:48,099 basically so that somebody like 1407 00:47:48,100 --> 00:47:50,319 players can send in the captures 1408 00:47:50,320 --> 00:47:52,299 such that once a server goes down, it 1409 00:47:52,300 --> 00:47:54,549 will still be able to to reverse 1410 00:47:54,550 --> 00:47:55,839 engineer something. 1411 00:47:55,840 --> 00:47:58,059 Because I imagine that for for some games 1412 00:47:58,060 --> 00:47:59,889 that are down already and where you 1413 00:47:59,890 --> 00:48:02,139 didn't get to make enough captures, it 1414 00:48:02,140 --> 00:48:03,639 becomes very, very difficult. 1415 00:48:03,640 --> 00:48:05,709 And I would actually love to see the 1416 00:48:05,710 --> 00:48:07,749 possibility of many games that I love 1417 00:48:07,750 --> 00:48:09,189 coming back. 1418 00:48:09,190 --> 00:48:11,139 Like there's this, uh, German game I 1419 00:48:11,140 --> 00:48:13,239 think Battleford was, which was shut 1420 00:48:13,240 --> 00:48:14,689 down a year ago or something. 1421 00:48:14,690 --> 00:48:16,059 And I was very sad about it. 1422 00:48:16,060 --> 00:48:18,459 And but I imagine it's very difficult 1423 00:48:18,460 --> 00:48:20,859 now to to somehow bring it back. 1424 00:48:20,860 --> 00:48:22,299 Yeah. You know, that would actually be 1425 00:48:22,300 --> 00:48:24,369 really awesome if people were to do that. 
1426 00:48:24,370 --> 00:48:26,139 I'm not aware of any sort of, like, 1427 00:48:26,140 --> 00:48:29,379 database of packet captures for games, 1428 00:48:29,380 --> 00:48:30,609 but it would be awesome because the 1429 00:48:30,610 --> 00:48:32,679 moment we came out 1430 00:48:32,680 --> 00:48:34,479 with this and went on Reddit and kind of 1431 00:48:34,480 --> 00:48:35,949 did like a little write up, he did. 1432 00:48:35,950 --> 00:48:38,049 And that's kind of what sparked the talk, 1433 00:48:38,050 --> 00:48:39,819 is that little Reddit write up got so 1434 00:48:39,820 --> 00:48:40,820 popular. 1435 00:48:41,530 --> 00:48:43,299 There were like tons of people like you 1436 00:48:43,300 --> 00:48:44,979 like, oh, we'll revive this random guy 1437 00:48:44,980 --> 00:48:46,179 and revive this, revive that. 1438 00:48:46,180 --> 00:48:48,039 And that's like, well, there's only two 1439 00:48:48,040 --> 00:48:49,509 of us and I've never played that before, 1440 00:48:49,510 --> 00:48:50,889 so I really don't care. 1441 00:48:50,890 --> 00:48:51,890 But 1442 00:48:53,320 --> 00:48:55,629 yeah, like, it would be cool if we had a 1443 00:48:55,630 --> 00:48:56,799 bunch of packets like that because, for 1444 00:48:56,800 --> 00:48:59,349 example, we were stuck with no packets. 1445 00:48:59,350 --> 00:49:00,579 And the moment we figured out the 1446 00:49:00,580 --> 00:49:03,339 structure and the idea, we could have 1447 00:49:03,340 --> 00:49:05,439 knocked it out in no time if we 1448 00:49:05,440 --> 00:49:07,089 didn't have to sit there and figure out 1449 00:49:07,090 --> 00:49:08,440 80 different commands or. 1450 00:49:09,850 --> 00:49:11,199 So it would be really also might be 1451 00:49:11,200 --> 00:49:12,619 something you should start up. 1452 00:49:12,620 --> 00:49:14,679 Yeah, it definitely does 1453 00:49:14,680 --> 00:49:16,419 not exist right now. 
1454 00:49:16,420 --> 00:49:18,219 It's something I actually thought about a 1455 00:49:18,220 --> 00:49:19,719 little bit, trying to start something, 1456 00:49:19,720 --> 00:49:21,519 but I haven't gotten around to it. 1457 00:49:21,520 --> 00:49:23,979 Is it legal to do packet captures 1458 00:49:23,980 --> 00:49:25,929 or shouldn't? I'm not a lawyer. 1459 00:49:25,930 --> 00:49:28,209 So with that 1460 00:49:28,210 --> 00:49:29,919 I don't see why I can. Captures shouldn't 1461 00:49:29,920 --> 00:49:32,109 have an issue. I mean, most places will 1462 00:49:32,110 --> 00:49:34,069 log their own traffic like see that. 1463 00:49:34,070 --> 00:49:36,129 So I can't see the captures being an 1464 00:49:36,130 --> 00:49:37,779 issue. The servers can be a problem, but 1465 00:49:37,780 --> 00:49:40,299 the captures shouldn't be problematic. 1466 00:49:40,300 --> 00:49:42,489 As far as I know, the app 1467 00:49:42,490 --> 00:49:44,589 is like, for example, for 1468 00:49:44,590 --> 00:49:46,869 the MGO 2 stuff 1469 00:49:46,870 --> 00:49:48,369 like somebody had a packet capture, but 1470 00:49:48,370 --> 00:49:49,869 they didn't have a capture of the actual 1471 00:49:49,870 --> 00:49:51,879 game that is out of bag after the 1472 00:49:51,880 --> 00:49:53,319 authentication and all the Web stuff 1473 00:49:53,320 --> 00:49:53,889 before. 1474 00:49:53,890 --> 00:49:55,119 But it was all behind SSL. 1475 00:49:55,120 --> 00:49:56,319 So it's like it was pretty much 1476 00:49:56,320 --> 00:49:57,909 pointless. Right. 1477 00:49:57,910 --> 00:50:00,099 So but yeah, that would be cool. 1478 00:50:00,100 --> 00:50:01,779 And if people actually got captures of 1479 00:50:01,780 --> 00:50:04,149 the correct data, it would help out a lot 1480 00:50:04,150 --> 00:50:05,500 and teams could run with a. 1481 00:50:06,820 --> 00:50:09,129 So that's everything, 1482 00:50:09,130 --> 00:50:10,149 OK? 
1483 00:50:10,150 --> 00:50:12,429 The signal angel. Signal angel, do we 1484 00:50:12,430 --> 00:50:14,919 have questions from the internet? 1485 00:50:14,920 --> 00:50:16,299 Questions? 1486 00:50:16,300 --> 00:50:19,059 Yes, the first one is: 1487 00:50:19,060 --> 00:50:21,159 there was a presentation at 1488 00:50:21,160 --> 00:50:23,639 29C3 about, yes, 1489 00:50:23,640 --> 00:50:25,599 reverse engineering protocols using 1490 00:50:25,600 --> 00:50:26,739 Netzob. 1491 00:50:26,740 --> 00:50:27,939 I never tried it. 1492 00:50:27,940 --> 00:50:30,369 But I want to know if 1493 00:50:30,370 --> 00:50:32,049 you have tried it and, if 1494 00:50:32,050 --> 00:50:34,300 yes, if you did find it helpful. 1495 00:50:36,010 --> 00:50:38,229 I've not... I did not understand 1496 00:50:38,230 --> 00:50:39,230 what you said. 1497 00:50:42,340 --> 00:50:44,439 Did you hear some of 1498 00:50:44,440 --> 00:50:47,049 it? Can you repeat it? 1499 00:50:47,050 --> 00:50:49,209 There, we try... what did 1500 00:50:49,210 --> 00:50:51,759 you try? You called it Netzob? 1501 00:50:51,760 --> 00:50:53,229 Oh, Netzob. 1502 00:50:53,230 --> 00:50:55,539 Netzob, 1503 00:50:55,540 --> 00:50:56,540 yes. 1504 00:50:57,630 --> 00:50:59,469 Oh, is that like a tool for reversing 1505 00:50:59,470 --> 00:51:00,579 protocols? 1506 00:51:00,580 --> 00:51:01,779 If it was, no, no. 1507 00:51:01,780 --> 00:51:04,059 We did not. We just did what we showed 1508 00:51:04,060 --> 00:51:06,219 you. Just kind of lining packets 1509 00:51:06,220 --> 00:51:08,649 up, and I guess we did it 1510 00:51:08,650 --> 00:51:09,519 old man style. 1511 00:51:09,520 --> 00:51:11,019 I don't know. Also, there's cool tools 1512 00:51:11,020 --> 00:51:12,489 out there. You should use them. 1513 00:51:12,490 --> 00:51:13,490 I'm not aware of any. 1514 00:51:14,770 --> 00:51:16,299 I should Google more often. 
1515 00:51:16,300 --> 00:51:18,110 We learned a lot as we did that; 1516 00:51:19,540 --> 00:51:20,829 it was a learning experience. 1517 00:51:20,830 --> 00:51:22,599 So I'm sure some of the things we've done 1518 00:51:22,600 --> 00:51:24,669 are more effectively 1519 00:51:24,670 --> 00:51:26,349 done by someone with more experience. 1520 00:51:28,140 --> 00:51:30,269 Yeah, another question, uh, 1521 00:51:30,270 --> 00:51:32,469 is: I noticed earlier 1522 00:51:32,470 --> 00:51:35,059 that the game used only MD5 to protect 1523 00:51:35,060 --> 00:51:37,169 packet integrity, but do you 1524 00:51:37,170 --> 00:51:39,479 think, with MD5, would 1525 00:51:39,480 --> 00:51:41,879 it make more sense to use 1526 00:51:41,880 --> 00:51:44,039 a small CRC32 to save 1527 00:51:44,040 --> 00:51:45,449 some bytes in the stream? 1528 00:51:47,130 --> 00:51:49,139 I mean, I guess it would make more sense 1529 00:51:49,140 --> 00:51:50,939 if you were the person designing. 1530 00:51:50,940 --> 00:51:52,349 That's just the design they went 1531 00:51:52,350 --> 00:51:54,509 with. The first game was actually an 1532 00:51:54,510 --> 00:51:56,789 MD5 of the payload plus 1533 00:51:56,790 --> 00:51:58,559 the header; the second game was an 1534 00:51:58,560 --> 00:52:00,809 MD5 of the payload, header, plus, 1535 00:52:00,810 --> 00:52:04,049 in that case, like a 16-byte key. 1536 00:52:04,050 --> 00:52:05,729 But that's just what they ran with. 1537 00:52:05,730 --> 00:52:07,859 But I guess, yeah, if you 1538 00:52:07,860 --> 00:52:09,929 could do a simple CRC check 1539 00:52:09,930 --> 00:52:10,919 and it would run with it, 1540 00:52:10,920 --> 00:52:11,909 I don't see why not. 1541 00:52:11,910 --> 00:52:13,379 It would be less. 1542 00:52:13,380 --> 00:52:14,729 Less of a size. 1543 00:52:14,730 --> 00:52:15,730 Yeah. 
1544 00:52:18,280 --> 00:52:21,249 Well, sort of, yeah. 1545 00:52:21,250 --> 00:52:24,119 Another one would 1546 00:52:24,120 --> 00:52:26,319 want to know: did you use 1547 00:52:26,320 --> 00:52:28,719 hardware debugging options, perhaps 1548 00:52:28,720 --> 00:52:29,720 JTAG? 1549 00:52:30,550 --> 00:52:32,589 Could you say the last word again? 1550 00:52:32,590 --> 00:52:33,409 JTAG? 1551 00:52:33,410 --> 00:52:35,559 Not on the two, 1552 00:52:35,560 --> 00:52:36,539 for sure. Yeah. 1553 00:52:36,540 --> 00:52:37,749 For the two, 1554 00:52:37,750 --> 00:52:39,759 there is some homebrew debugging 1555 00:52:39,760 --> 00:52:41,749 interface, though, 1556 00:52:41,750 --> 00:52:43,839 that some people used for the 1557 00:52:43,840 --> 00:52:44,840 PS3. 1558 00:52:45,970 --> 00:52:47,799 I was actually able, with the custom 1559 00:52:47,800 --> 00:52:49,869 firmware, to put on the debug 1560 00:52:49,870 --> 00:52:52,119 firmware, which 1561 00:52:52,120 --> 00:52:54,189 let me hook a debugger up 1562 00:52:54,190 --> 00:52:56,679 straight to the port and just debug it 1563 00:52:56,680 --> 00:52:58,839 with the leaked debugger that I didn't 1564 00:52:58,840 --> 00:53:01,389 use, that's available 1565 00:53:01,390 --> 00:53:02,649 online if you Google. 1566 00:53:02,650 --> 00:53:04,709 And that was, so it 1567 00:53:04,710 --> 00:53:06,999 was pretty, pretty much easy. 1568 00:53:07,000 --> 00:53:09,129 But for the PS2, we 1569 00:53:09,130 --> 00:53:10,629 didn't do anything with the hardware for 1570 00:53:10,630 --> 00:53:11,529 this. 1571 00:53:11,530 --> 00:53:13,569 We didn't have to use JTAG or tap into 1572 00:53:13,570 --> 00:53:15,459 the board at all or do any sort of 1573 00:53:15,460 --> 00:53:18,429 signals. It was all software, homebrew 1574 00:53:18,430 --> 00:53:19,779 and the disk. 
1575 00:53:19,780 --> 00:53:21,789 So yeah, he kind of mentioned there, 1576 00:53:21,790 --> 00:53:24,039 there was a kernel patch 1577 00:53:24,040 --> 00:53:25,629 for the PS3. 1578 00:53:25,630 --> 00:53:27,989 Sony uses their own debugging interface, 1579 00:53:27,990 --> 00:53:30,580 I think it was called Decmil or DMCA, 1580 00:53:31,630 --> 00:53:33,459 and it was basically their own little 1581 00:53:33,460 --> 00:53:34,719 communication thing going on there. 1582 00:53:34,720 --> 00:53:36,819 The PS3 officially didn't support it, but 1583 00:53:36,820 --> 00:53:38,739 somebody kind of reverse engineered that and 1584 00:53:38,740 --> 00:53:40,149 added support. 1585 00:53:40,150 --> 00:53:42,339 If you can modify the console, then 1586 00:53:42,340 --> 00:53:43,839 you can kind of flash stuff, your own 1587 00:53:43,840 --> 00:53:44,840 stuff, into it. 1588 00:53:46,030 --> 00:53:48,069 So that was actually used a little bit. 1589 00:53:48,070 --> 00:53:49,689 It was fairly late in the project. 1590 00:53:49,690 --> 00:53:51,349 We had figured most of this out. 1591 00:53:51,350 --> 00:53:53,229 It did help with some of the steps, 1592 00:53:53,230 --> 00:53:55,359 though, so it's not 1593 00:53:55,360 --> 00:53:57,489 JTAG, but that was something that wasn't 1594 00:53:57,490 --> 00:53:58,490 mentioned here. 1595 00:54:00,740 --> 00:54:03,099 And the last question 1596 00:54:03,100 --> 00:54:05,349 can be, so, 1597 00:54:05,350 --> 00:54:08,259 can you imagine a framework 1598 00:54:08,260 --> 00:54:10,539 or tool to help, so we could 1599 00:54:10,540 --> 00:54:12,730 continue... of protocol... 1600 00:54:14,470 --> 00:54:15,880 an API to help? 
1601 00:54:17,200 --> 00:54:19,269 I couldn't imagine it, because each 1602 00:54:19,270 --> 00:54:20,799 game is going to be completely different. 1603 00:54:20,800 --> 00:54:23,389 Like, for this case, 1604 00:54:23,390 --> 00:54:25,529 what we're dealing with is a Konami 1605 00:54:25,530 --> 00:54:26,679 like protocol. 1606 00:54:26,680 --> 00:54:28,809 So maybe we can toss 1607 00:54:28,810 --> 00:54:30,189 something together and it would help you 1608 00:54:30,190 --> 00:54:32,319 reverse Konami games that use the 1609 00:54:32,320 --> 00:54:34,149 same type of server. 1610 00:54:34,150 --> 00:54:36,189 But I would almost put it in the same 1611 00:54:36,190 --> 00:54:38,499 boat as, like, a Web application. 1612 00:54:38,500 --> 00:54:39,819 You know, you can write like a Burp 1613 00:54:39,820 --> 00:54:42,249 extension to do something very specific 1614 00:54:42,250 --> 00:54:43,389 on something that you're using. 1615 00:54:43,390 --> 00:54:45,609 But unless somebody has the same 1616 00:54:45,610 --> 00:54:47,019 exact thing they're doing, it's not going 1617 00:54:47,020 --> 00:54:48,249 to be useful. 1618 00:54:48,250 --> 00:54:49,689 I'm assuming people will have to kind of 1619 00:54:49,690 --> 00:54:51,279 like roll their own. 1620 00:54:51,280 --> 00:54:53,829 So, I mean, plugins there. 1621 00:54:53,830 --> 00:54:55,959 You know, there's things like 1622 00:54:55,960 --> 00:54:57,969 Wireshark plugins, like I did when I was 1623 00:54:57,970 --> 00:54:59,619 working on looking at that protocol. 1624 00:54:59,620 --> 00:55:01,689 I had a Wireshark extension 1625 00:55:01,690 --> 00:55:03,789 on there, but it would only be useful 1626 00:55:03,790 --> 00:55:05,919 for the Konami protocol. 1627 00:55:05,920 --> 00:55:08,289 So it really depends on 1628 00:55:08,290 --> 00:55:10,509 what they're trying to reverse. 
1629 00:55:10,510 --> 00:55:12,609 I don't know, like, if all the Call of 1630 00:55:12,610 --> 00:55:14,799 Duty games use the same type 1631 00:55:14,800 --> 00:55:16,839 of network code, like maybe you could do 1632 00:55:16,840 --> 00:55:18,639 something where it helps you reverse all 1633 00:55:18,640 --> 00:55:20,799 those, or another 1634 00:55:20,800 --> 00:55:22,329 family of games. In this case that helped 1635 00:55:22,330 --> 00:55:24,849 us reverse all the Konami 1636 00:55:24,850 --> 00:55:25,749 type games. 1637 00:55:25,750 --> 00:55:26,750 So. 1638 00:55:28,080 --> 00:55:29,589 But yeah. 1639 00:55:29,590 --> 00:55:30,590 OK. 1640 00:55:31,430 --> 00:55:34,189 No more questions then? Then 1641 00:55:34,190 --> 00:55:36,709 I'd say thank you very much 1642 00:55:36,710 --> 00:55:38,429 for this exciting talk.