This video is about a fun little side project that I did.
We are going to have a look at an Auto Trading Bot that is being sold, or actually was sold,
to people for the game Guild Wars 2.
Which is awesome btw.
Play it.
So a friend mine told me that this bot has a funny little design issue I should check
out.
And so that's what we are going to do.
Guild wars 2 Auto Trading Bot, is a fully autonomous buying and selling trading post
bot for Guild Wars 2.
They offer a free trial and it can be run in the background, and obviously its supposed
to make you a lot of gold.
They also claim that because it doesn't do any memory reading or writing, like hooking
into the engine, that the bot would be hard to recognize by ArenaNet - the developer of
Guild Wars 2.
And there is a video how it works.
You can see that you have a lot of different ways to configure it and when it's running
it will basically simulate clicks in the game as if you would perform those actions.
So a very simple bot that doesn't do anything really advanced.
Obviously I don't want to run this binary on my regular machine, because I don't trust
it, so I'm downloading a free Windows VM that microsoft offers for developers.
First I want to get some tools I might need to analyse this binary.
It's very likely that it will communicate with a server, for example the Guild Wars
2 API to pull item prices.
But yeah, I admit, I already know from my friend that they also have their own server
they communicate with.
And a great free windows tool for that is Fiddler.
On the download site of the bot it also says that the .net framework is required, so I
assume it might be a .net binary, so I'm also downloading .net reflector, which is
a tool to decompile and analyse .net code.
Ok, so then we can download the bot and have a first look at it.
We unpack the archive.
And we find a couple of interesting files.
There is the main .exe, here is a libarary to parse JSON data, a OCR, optical character
recognition library, along with a folder named tessdata, whcih reminds me of tesseract which
is a popular OCR framework.
And they probably use to analyse the text in the game window.
And there is a MouseKeyHook, which they might even inject into the game to simulate the
mouse clicks?
Well that would certainly be fairly easy for ArenaNet to identify, though I believe ArenaNet
actually doesn't care, because fighting against these kinds of things is always an
arms race you just pour in money and cheaters will always find new methods.
I think they are clever enough to fight cheaters and botters, that have actual negative impact
for the game, on another level.
You will see later that these botters here are absolutely irrelevant for ArenaNet.
Ok so let's have a first run.
We start Fiddler and make sure we have SSL interception enabled and then start the bot.
Uh, Windows Defender prevented the app from being run, because it's not know.
SmartScreen knows the hashes of programs a lot of people use and trust, so this is probably
an indication that this bot is NOT a wide spread thing.
Only a few people use it.
Ah look there is a first request going out to the auto-trading-bot website.
Check version.
And it displays a Terms of Use prompt.
So cute.
As if they run any kind of legit company that cares about legal matters.
Ok and then there is a login window, but we obviously don't have a subscription for
it.
If you try to login we can see another request going out to check_login_data.
Cancelling the login will start the trial.
OK!
So let's do that.
Mh it asks us for our API key.
GW2 offers a JSON api that you can use to query your account's information.
For example there is this AMAZING site called gw2efficiency where you can use your API key
to see all sorts of statistics and information about your character.
Of course the bot would use it to look into trading post things.
Maybe pull the current buy orders or so.
And we can click a bit around and investigate the possible features.
But we see no new requests so far.
Ok, so far nothing too interesting.
Like I already mentioned a friend told me about something funny here, so I know what
to look for and we haven't found it yet, so I keep exploring.
It has to do with the server they are using.
So far we have seen two API request to their server, but we don't really have a full
running bot here where we could see more.
So let's try to find other endpoints.
Next I decided to see what .net reflector does with the .exe file.
I pull it into here… ehm…
GW2-ATB.exe is not a .net module?
Oh Oh….
That's not what I was hoping for.
Mh…
Ok next I download IDA free 5.0 which can disassemble 32bit applications.
BTW there is a new free version now, version 7 which can disassemble 64bit.
But here I have to use the old one for 32bit.
Then I load the .exe into IDA and try to get a first feeling of it.
I'm looking for hints if it might be packed or obfsucated, or maybe I can even find already
what I'm looking for with the strings.
I don't have a lot of experience with Windows binaries, so I have a lot more assumptions
and guesses than when I would look at a linux ELF binary.
But I find the patterns up here kind of irregular and weird and I think that should be a sign
that something fishy is going on.
And especially because I can't find the auto-trading-bot website or the API calls
in the strings, which we know must be in there is most likely evidence for obfuscation.
Ok…
Let's try something else.
Let's start the bot again and have a look at the task manager.
We can actually create a dump of this process.
I have never done this before, I actually don't know what it does but I assume it
dumps the process memory, I just knew the menu item was there.
Please wait while the process is written to the file.
And now we have a .DMP file here.
It's over 300MB, so I assume it's a full memory dump.
My assumption is that, if it's a basic packed binary, then once the bot is running all the
strings are unpacked and in cleartext in memory.
So I hope that we can now fairly easily extract the strings from the dump.
Though I'm bit unsure about it, because I don't know if that's like a raw binary
dump or if it's some kind of compressed file format that requires tools.
But anyway next I'm getting a hex editor to look at it, and I think HxD is pretty nice.
After installation just when I thought about opening the dump, I also noticed another functionality
of the hex editor.
Under Extras you can select "Open RAM", and then I can select the Auto trading bot.
So we can apaprently direcly read the RAM which hopefully contains the unpacked strings.
And now we can simply perform text searchs in there.
For example we know the API endpoints had /scripts/ in the path, so we can search for
that.
And look we find instances of that.
Here is even the http url with the check_version API call.
So looks like in this general address area we have interesting strings.
So I'm just copying that part into a new file to more easily work with it.
I call it now simply memory.dump.
And then I can write a bit of python code to extract those strings.
So we read the raw bytes.
Each character has 2bytes, and so it's always a null byte and the character byte.
And each string is separated by a null byte, which means between each string are three
null bytes.
Makes sense right, so we split the whole data up like that.
And then we we write out all strings that are in ascii range.
And the output file is now easier to explore and we can search for the API calls.
And there they are.
There are the official guild wars 2 APIs, and there are also the auto-trading-bot script
api calls.
And look, we haven't seen those calls before.
Set and get_online.
So we can extract all new endpoints we have found and have a look at each of them.
Get online users sounds really interesting, so let's see what happens when we visit
the link.
But it's nothing.
But if you have a look at the API calls that we know, then we see that they were POST requests
AND included an authentication parameter.
So what we can do with fiddler is we can select one of our previous succsessful calls and
select "Replay" and we want to edit the request.
And then we change the API call to get_online_users.php And that worked!
The response contains all online bots.
And the crazy thing is.
It returns them with their GW2 API KEY.
This is ridiculous.
The bot developers gave us an easy way to track each bot user, not only the amount of
online users, but also gave us their official Guild Wars 2 API key, so we can look up their
characters, how much gold they have, what kind of items they trade, their character
names, the guilds they belong to, everything.
So this was in november 2017.
And I have written a script that checks every hour the logged in users, and then uses their
API key to pull their currently traded items.
Knowing the items they are ordering and selling, and how much gold they have, I can calculate
a liquid net-worth of the account and track how effective this bot actually is.
So we can see how rich these players are, and how long they were active.
Now in february 2018. about three months later, the bot has actually shut down and is not
being sold anymore.
Which is kinda sad, I had hoped to collect data for much longer timer, but at least we
got some data.
But the video is getting pretty long now and I would like to show you a bit more, so I
create a part 2 bonus video talking about the findings.
Không có nhận xét nào:
Đăng nhận xét