MMORPG Bot Reverse Engineering and Tracking
Key Takeaways
The video demonstrates reverse engineering and tracking of a MMORPG bot using tools like Fiddler, .NET Reflector, and HxD, and explores the Guild Wars 2 API and bot detection techniques.
Full Transcript
this video is about a fun little side project that I did we are going to have a look at an auto trading bot that is being sold or actually was sold to people for the game Guild Wars 2 which is awesome by the way play it so a friend of mine told me that this bot has a fun little design issue I should check out and so that is what we are going to do Guild Wars 2 Auto trading bot is a fully autonomous buying and selling trading post bot for Guild Wars 2 they offer a free trial and it can be run in the background and obviously it's supposed to make you a lot of gold they also claim that because it doesn't do any memory reading or writing like hooking into the engine that the bots would be hard to recognize by ArenaNet the develop of Guild Wars 2 there's a video how it works you can see you have a lot of different ways to configure it and when it's running it will basically simulate clicks in the game as if you would perform those actions so a very simple but that doesn't do anything really advanced obviously I don't want to run this binary on my regular machine because I don't trust it so I'm downloading a free Windows VM that microsoft offers for developers first I want to get some tools I might need to analyze this binary it's very likely that it will communicate with a server for example the Guild Wars 2 API to pull item prices but yeah I admit I already know from my friend that they also have their own server they communicate with and a great free Windows tool for that is fiddler on the download side of the body it also says that the dotnet framework is required so I assume it might be a dotnet binary and so I'm downloading dotnet reflector which is a tool to decompile and analyze net code okay so then we can download the button have a first look at it we unpack the archive and we find a couple of interesting files there is the main exe here's a library to parse JSON data OCR optical character recognition library along with a folder named test data which reminds me of tesseract which is a popular OCR framework and they probably use that to analyze the text in the game window and there is a mouse key hook which they might even inject into the game to simulate the mouse clicks well that would certainly be fairly easy for an owner to identify though I believe ArenaNet actually doesn't care because fighting against these kinds of things is always an arms race you just pour in money and cheaters will always find new methods I think they are clever enough to fight cheaters and bottles that have actually negative impact for the game on another level you will see later that these bottles here are absolutely irrelevant for ArenaNet okay so let's have a first run we start fiddler and make sure we have SSL interception abled and then start the bots Windows Defender prevented the app from being run because it's not known smart screen knows the hashes of programs that a lot of people use and Trust and so this is probably an indication that this spot is not a widespread thing only a few people use it ah look there is a first request going out to the auto trading bot website check version and it displays a Terms of Use prompt so cute as if they run any kind of legit company that cares about legal matters okay and then there is a log in window but we obviously don't have a subscription for it if you try to log in we can see another request going out to check login data canceling the login will start the trial ok so let's do that hmmm it asks us for our API key Guild Wars 2 offers a JSON API that you can use to query your accounts information for example there is this amazing site called GW to efficiency we can use your API key to see all sorts of statistics and information about your character of course the bot would use it to look into trading postings maybe pull the current buy orders or so and we can click a bit around and investigate the possible features but we see no new requests so far ok so far nothing too interesting like I already mentioned a friend told me about something funny here so I know what to look for and we haven't found it yet so I keep exploring it has to do with the server they are using so far we have seen two API requests to the server but we don't really have a full running but where we could see more so let's try to find other endpoints next I decide to see what dotnet reflected us with the Exe file I pull it into here GW - ATP Exe not a dotnet module uh-oh that is not what I was hoping for hmm ok next I download either Free 5.0 which can disassemble the to bid applications by the way there is a new version now version 7 which can disassemble 64-bit but here I have to use the old one for 32-bit then I load the exe into Ida and try to get a first feeling of it I'm looking for hints if it might be packed or obfuscator or maybe I can even find already what I'm looking for with the strings I don't have a lot of experience with Windows binaries so I have a lot more assumptions and guesses then when I would look at the Linux elf binary but I find the patterns appear kind of irregular and weird and I think that should be a sign that something is fishy going on and especially because I can't find the auto trading bot website or the API calls in the strings which we know must be there is most likely evidence for obfuscation okay let's try something else let's start the but again and have a look at the task manager we can actually create a dump of this process I have never done this before and I actually don't know what it does but I assume it dumps the process memory I just knew the menu item was there and now we have a dot BMP file it's over 300 megabytes so I assume it's a full memory dump my assumption is that if it's a basic packed binary then once about is running all the strings are unpacked and in clear text in memory so I hope that we can now fairly easily extract strings from the dump now I'm a bit unsure about it because I don't know if that's like a raw binary dump or if it's some kind of compressed file format that requires tools but anyway next I'm getting a hex editor to look at it and I think hxd is pretty nice after installation just when I thought about opening the dump I also noticed another functionality of the hex editor under extras you can select open Ram and then I select the auto training' bot so we can apparently directly read the RAM which hopefully contains the unpacked strings and now we can simply perform text searches in there for example we know the API endpoints head slash script / in the path and so we can search for that and look we find instances of that here's even the HTTP URL with the Czech version API call so looks like in this general address area we have interesting strings so I'm just copying that part into a new file to more easily work with it I call it now simply memory dump and then I can write a bit of Python code to extract those strings and the output file is now easier to explore and we can search for the API calls and there they are there are the official Guild Wars 2 AP is and they are also the auto trading bot script API calls and look we haven't seen those cost before set and get online so we can extract all new endpoints we have found and have a look at each of them get online user sounds really interesting so let's see what happens when we visit the link but it's nothing but if you look at the API calls that we know then we see that they were post requests and included an authentication parameter so what we can do with fiddler is we can select one of our previous successful calls and select replay and we want to edit the request and then we change the API call to get online users dot PHP and that worked the response contains all online BOTS and the crazy thing is it returns them with that gw2 API key this is ridiculous the bot developers gave us an easy way to track each bot user not only the amount of online users but also gave us their official Guild Wars 2 API key so we can look up their characters how much gold they have what kind of items they trade the character names the gilt they belong to everything so this was in November 2017 and I've written a script that checks every hour the logged in users and then uses the API key to pull their currently traded items knowing the items they are ordering and selling and how much gold they have I can calculate a liquid net worth of the account and track how effective the spot actually is so we can see how rich these players are and how long they were active now in February 2018 about three months later the board was actually shut down and it's not being sold anymore which is kind of sad I had hope to collect data for much longer time but at least we got some data but the video is getting pretty long now and I would like to show you a bit more so I create a part 2 bonus video talking about the findings [Music] you [Music]
Original Description
A friend told me that a GW2 trading bot implemented a dumb API. We are going to find and use it to track the bot.
Play Guild Wars 2:
https://account.arena.net/register
Fiddler: https://www.telerik.com/fiddler
.NET Reflector: https://www.red-gate.com/products/dotnet-development/reflector/
HxD: https://mh-nexus.de/en/hxd/
IDA Free: https://www.hex-rays.com/products/ida/support/download_freeware.shtml
Windows VM: https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/
-=[ ❤️ Support ]=-
→ per Video: https://www.patreon.com/join/liveoverflow
→ per Month: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join
-=[ 🐕 Social ]=-
→ Twitter: https://twitter.com/LiveOverflow/
→ Website: https://liveoverflow.com/
→ Subreddit: https://www.reddit.com/r/LiveOverflow/
→ Facebook: https://www.facebook.com/LiveOverflow/
-=[ 📄 P.S. ]=-
All links with "*" are affiliate links.
LiveOverflow / Security Flag GmbH is part of the Amazon Affiliate Partner Programm.
#ReverseEngineering
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from LiveOverflow · LiveOverflow · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
LiveOverflow - Trailer
LiveOverflow
Introduction to Linux - Installation and the Terminal - bin 0x01
LiveOverflow
Writing a simple Program in C
LiveOverflow
Writing a simple Program in Python - bin 0x03
LiveOverflow
Live Hacking - Twitch Recording overthewire.org - Vortex 0x01-0x03 (3h)
LiveOverflow
Reversing and Cracking first simple Program - bin 0x05
LiveOverflow
Abusing the exception handler to leak flag - 32C3CTF readme (pwnable 200)
LiveOverflow
ROP with a very small stack - 32C3CTF teufel (pwnable 200)
LiveOverflow
Uncrackable Programs? Key validation with Algorithm and creating a Keygen - Part 1/2 - bin 0x07
LiveOverflow
Uncrackable Program? Finding a Parser Differential in loading ELF - Part 2/2 - bin 0x08
LiveOverflow
Syscalls, Kernel vs. User Mode and Linux Kernel Source Code - bin 0x09
LiveOverflow
Smashing the Stack for Fun and Profit - setuid, ssh and exploit.education - bin 0x0B
LiveOverflow
Live Hacking - EFF-CTF 2016 - Level 0-4 (Enigma Conference)
LiveOverflow
First Stack Buffer Overflow to modify Variable - bin 0x0C
LiveOverflow
First Exploit! Buffer Overflow with Shellcode - bin 0x0E
LiveOverflow
Buffer Overflows can Redirect Program Execution - bin 0x0D
LiveOverflow
Doing ret2libc with a Buffer Overflow because of restricted return pointer - bin 0x0F
LiveOverflow
Reverse engineering C programs (64bit vs 32bit) - bin 0x10
LiveOverflow
pwnable.kr - Levels: fd, collision, bof, flag
LiveOverflow
Reverse Engineering and identifying Bugs - BKPCTF cookbook (pwn 6) part 1
LiveOverflow
Leaking Heap and Libc address - BKPCTF cookbook (pwn 6) part 2
LiveOverflow
Arbitrary write with House of Force (heap exploit) - BKPCTF cookbook (pwn 6) part 3
LiveOverflow
Live Hacking - Internetwache CTF 2016 - web50, web60, web80
LiveOverflow
Live Hacking - Internetwache CTF 2016 - crypto60, crypto70, crypto90
LiveOverflow
A simple Format String exploit example - bin 0x11
LiveOverflow
NEW VIDEOS ARE COMING - loopback 0x00
LiveOverflow
HTML + CSS + JavaScript introduction - web 0x00
LiveOverflow
The HTTP Protocol: GET /test.html - web 0x01
LiveOverflow
Building Poor Man's Logic Analyzer with an Arduino - Reverse Engineering A/C Remote part 1
LiveOverflow
What is PHP and why is XSS so common there? - web 0x02
LiveOverflow
Introducing the AngularJS Javascript Framework - XSS with AngularJS 0x00
LiveOverflow
Sandbox Bypass in Version 1.0.8 - XSS with AngularJS 0x1
LiveOverflow
Capturing & Analyzing Packets with Saleae Logic Pro 8 - Reverse Engineering A/C Remote part 2
LiveOverflow
XSS Contexts and some Chrome XSS Auditor tricks - web 0x03
LiveOverflow
Previous Bypass is now fixed in version 1.4.7 - XSS with AngularJS 0x2
LiveOverflow
New Sandbox Bypass in 1.4.7 - XSS with AngularJS 0x3
LiveOverflow
The Heap: what does malloc() do? - bin 0x14
LiveOverflow
The Heap: How to exploit a Heap Overflow - bin 0x15
LiveOverflow
Reverse Engineering with Binary Ninja and gdb a key checking algorithm - TUMCTF 2016 Zwiebel part 1
LiveOverflow
Scripting radare2 with python for dynamic analysis - TUMCTF 2016 Zwiebel part 2
LiveOverflow
Live Hacking - Internetwache CTF 2016 - exp50, exp70, exp80
LiveOverflow
Sandbox bypass for the latest AngularJS version 1.5.8 - XSS with AngularJS 0x4
LiveOverflow
Channel is growing and Riscure hardware CTF starting soon - loopback 0x01
LiveOverflow
Explaining Dirty COW local root exploit - CVE-2016-5195
LiveOverflow
What is CTF? An introduction to security Capture The Flag competitions
LiveOverflow
The Heap: How do use-after-free exploits work? - bin 0x16
LiveOverflow
The Browser is a very Confused Deputy - web 0x05
LiveOverflow
The Heap: Once upon a free() - bin 0x17
LiveOverflow
Simple reversing challenge and gaming the system - BruCON CTF part 1
LiveOverflow
int0x80 from DualCore lent me his lockpicking set and I'm a horse - BruCON CTF part 2
LiveOverflow
The Heap: dlmalloc unlink() exploit - bin 0x18
LiveOverflow
MD5 Length Extension and Blind SQL Injection - BruCON CTF part 3
LiveOverflow
TCP Protocol introduction - bin 0x1A
LiveOverflow
Socket programming in python and Integer Overflow - bin 0x1B
LiveOverflow
Linux signals and core dumps - bin 0x1C
LiveOverflow
[Live] Remote oldschool dlmalloc Heap exploit - bin 0x1F
LiveOverflow
Riscure Embedded Hardware CTF setup and introduction - rhme2 Soldering
LiveOverflow
Rooting a CTF server to get all the flags with Dirty COW - CVE-2016-5195
LiveOverflow
How to learn hacking? ft. Rubber Ducky
LiveOverflow
Format String to dump binary and gain RCE - 33c3ctf ESPR (pwn 150)
LiveOverflow
More on: Tool Use & Function Calling
View skill →Related AI Lessons
⚡
⚡
⚡
⚡
The AI Moat Paradox: The Better Models Become, the Less Models Matter
Medium · AI
170,927 AI Papers Reveal the Biggest Research Shifts of the First Half of 2026
Medium · Machine Learning
170,927 AI Papers Reveal the Biggest Research Shifts of the First Half of 2026
Medium · Data Science
[PoV] When Everyone Is Smart, No One Is
Medium · AI
🎓
Tutor Explanation
DeepCamp AI