Vulnerability hunting in an old MMO
Darkfall Online was an incredible MMO experience back in 2009. Most players could only speculate on the types of cheats that were possible with the game.
I decided to revisit the game years later and report my findings to the teams trying to revive the game.
The following findings and many more were submitted by myself and another researcher to third party teams licensed to run Darkfall Online on June 1st, 2016. Eventually the projects seemingly collapsed and thus have been disclosed publicly here.
The game’s core logic was implemented in a dll named sfmw.dll.
sfmw.dll strings we find a reference to “Could not decode positional data”.
Following references to this string puts us in a function near the handling of decoded packets from the server.
movzx eax, word ptr ds:[esi+e]
ESI in this context contains a packet structure. The WORD at offset +E is the opcode for the packet type.
With this information a malicious player could read memory in these structures (now decrypted by the client) to leverage any information they desired as (almost) all information exchange with the server happens here.
Here’s an example of the parsing of a player load and unload packet:
Loading custom game data files
The game files were encrypted as sfad archive files. Rather than modify or decrypt them on disk it was easier to dump them when the game had already done it.
A hint for where the processing function for the archive files is was found in the strings.
The function eventually calls
ReadFileW to read each file in the encrypted archive.
Following the filename pointer
Following the data start pointer
With this information it was found to be possible to dump the files to disk, modify them and have them loaded at runtime to circumvent things like cooldowns on skills. (Note: the server maintained authority and enforced stamina and mana costs for skills).
<SFSkillTimerGeneral> <SFFloat Value="1.0" />
Modifying this allowed a player to shoot arrows with no cooldown and animation.
The client was the authority on the view angle for the game. As such, it was uncovered a player could modify the position and angle a player aimed a skill. This allowed a theoretical malicious user to shoot their bow and tell the server the arrow originated from behind their target regardless of the direction they are facing.
Bank from anywhere
Player distance from bank was not enforced and as such a player could visit their bank from anywhere in the world.
Player GUIDs were found to be spoofable and players could send actions on behalf of other players.