Darkfall Online

Vulnerability hunting in an old MMO

Darkfall Online was an incredible MMO experience back in 2009. Most players could only speculate on the types of cheats that were possible with the game.

I decided to revisit the game years later and report my findings to the teams trying to revive the game.

The following findings and many more were submitted by me and another researcher to third-party teams licensed to run Darkfall Online on June 1st, 2016. Eventually the projects seemingly collapsed, and thus they have been disclosed publicly here.

Overview

The game’s core logic was implemented in a dll named sfmw.dll.


Radar

Checking the sfmw.dll strings we find a reference to “Could not decode positional data”.

Strings inside sfmw.dll

Following references to this string puts us in a function near the handling of decoded packets from the server.

Packet handler code

movzx eax, word ptr ds:[esi+e]

ESI in this context contains a packet structure. The WORD at offset +E is the opcode for the packet type.

With this information a malicious player could read these structures in memory (already decrypted by the client) to extract whatever information they wanted, since (almost) all information exchange with the server passes through this handler.

Here’s an example of the parsing of a player load and unload packet:

Breakdown of the bytes in a player packet


Loading custom game data files

The game files were encrypted as sfad archive files. Rather than modify or decrypt them on disk, it was easier to dump them from memory after the game had already decrypted them.

A hint to the location of the archive-processing function was found in the strings.

Strings inside sfmw.dll

The function eventually calls ReadFileW to read each file in the encrypted archive.

Breakdown of an archive file in memory

Following the filename pointer

Memory view of the file xml-files/common/specialeffect/effects_for_objects/air_elemental.xml

Following the data start pointer

Contents of the air_elemental.xml file in memory

With this information it was possible to dump the files to disk, modify them, and have them loaded at runtime to circumvent things like skill cooldowns. (Note: the server maintained authority over, and enforced, stamina and mana costs for skills.)

Contents of archery.xml

<SFSkillTimerGeneral>
	<SFFloat Value="1.0" />
</SFSkillTimerGeneral>

Modifying this value allowed a player to shoot arrows with no cooldown and no animation.


View Angles

The client was the authority on the view angle for the game. As a result, a player could modify the position and angle from which a skill was aimed. This allowed a theoretical malicious user to fire their bow and tell the server the arrow originated from behind their target, regardless of the direction they were actually facing.


Bank from anywhere

Player distance from the bank was not enforced by the server, so a player could access their bank from anywhere in the world.


GUID Spoofing

Player GUIDs were found to be spoofable and players could send actions on behalf of other players.
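The view-angle, bank-distance and GUID findings above, together with the client-side cooldown, share one root cause: the server accepting client-supplied values without checking them against its own state. The following Python sketch is an added example of the corresponding server-side validation; it is not Darkfall code, and the message format, field names (actor_guid, op, origin, dir) and the radius, slack and cooldown constants are assumptions.

```python
import math
from dataclasses import dataclass, field

# Assumed constants (not from the game): max bank-use distance, tolerance between
# the client's claimed projectile origin and the server's own player position,
# and the server-side archery cooldown that must not rely on the client's XML.
BANK_RADIUS = 5.0
ORIGIN_SLACK = 1.0
ARCHERY_COOLDOWN = 1.0

@dataclass
class Session:
    guid: int                          # identity bound to the connection at login
    pos: tuple                         # server-authoritative (x, y, z)
    last_fire: float = -math.inf       # server-side cooldown bookkeeping

@dataclass
class World:
    banks: list = field(default_factory=list)   # bank positions (x, y, z)

def validate(session, world, msg, now):
    """Return (accepted, reason) for one client action message (a constructed
    dict format). Each client-supplied field is checked against server state."""
    # GUID spoofing: the acting player must be the one bound to this session.
    if msg.get("actor_guid") != session.guid:
        return False, "actor_guid does not match session"
    op = msg.get("op")
    if op == "bank_open":
        # Bank from anywhere: the server's own position must be near a bank.
        if not any(math.dist(session.pos, b) <= BANK_RADIUS for b in world.banks):
            return False, "no bank in range"
        return True, "ok"
    if op == "fire_arrow":
        # Cooldown: enforced from the server clock, not from client data files.
        if now - session.last_fire < ARCHERY_COOLDOWN:
            return False, "skill on cooldown"
        # View angles: origin must match where the server knows the player is,
        # and the aim direction must be a unit vector.
        origin, aim = tuple(msg.get("origin", ())), tuple(msg.get("dir", ()))
        if len(origin) != 3 or math.dist(origin, session.pos) > ORIGIN_SLACK:
            return False, "origin differs from server position"
        if len(aim) != 3 or abs(math.hypot(*aim) - 1.0) > 1e-6:
            return False, "direction is not a unit vector"
        session.last_fire = now
        return True, "ok"
    return False, "unknown op"
```

The same pattern generalises to every opcode the handler accepts: the server decides identity, position and timing, and the client message only expresses intent.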