The Battlefield 3 beta is over. Now all I have is their stupid knock-off of Steam until the 28th, when they release BF3 to the masses.
After some careful manipulation (setting the 3rd byte of the PEB so the check always returns FALSE, as noted in my last paper) I was finally able to browse the client with Immunity, rather than with a kernel debugger. Much more stable in my opinion. First impressions? Very heavily threaded. Something like 30 threads are created on startup. This gets confusing as hell when you pause execution and want to backtrack.
The program was made with Qt, the C++ library from Nokia. This means it might be portable to other distributions such as Linux, though I wouldn't hold my breath. Since it's made in C++, I've been hunting up and down for bugs. I've seen some interesting things so far. The instant messenger service can be sniffed since it's unencrypted, as can some other protocols (auth).
I'm hoping to find some memory corruption bug just for the sake of doing so. I know it's a client, but client-side exploits are popular these days. Gone are the low-hanging fruit, but my hopes are high.
I will keep you all updated of my progress.
— progress update.
I left out some stuff. This binary is 30 MB in size. Typical of C++ applications that include the kitchen sink.
First off, this does NOT appear to be made in-house by EA. All the references to libraries and directory structures left in by the original dev team suggest otherwise.
The company appears to be called Ebisu / Hudson. For those of you who aren't too bright, Ebisu is Japanese. Ebisu is the Japanese god of fishermen, luck, and hard work, as well as the guardian of the health of small children.
The binary comes with a multitude of third-party libraries. So far I have identified an XML parser lib not updated in the last 5 years, OpenSSL, a custom web browser going by the name 'IGO', Qt libraries, and some product called radare. Radare is a disassembly / reverse engineering framework. This is suspicious, but it probably explains why it was so difficult at first for me to debug the app. Check it out: http://www.radare.org/y/
I also saw references to the XMPP protocol for use with their messaging system. Gtalk / Jabber use this, though for some reason this communication is unencrypted.
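An added example (not code from the original post or from the client being reversed) for the point above about the messaging stream running unencrypted: in XMPP the server advertises STARTTLS inside its `<stream:features>` stanza and may mark it `<required/>` (RFC 6120, section 5). The check below classifies a features stanza so you can verify whether a client is even given the option to encrypt, and flags SASL PLAIN offered without mandatory TLS, which is the case where credentials travel in cleartext. The three stanzas are constructed samples, not captures from any real client or server.

```python
"""Classify an XMPP <stream:features> stanza by its STARTTLS posture.

Added example for illustration; the sample stanzas are constructed, not captured.
"""
import xml.etree.ElementTree as ET

STREAMS_NS = "http://etherx.jabber.org/streams"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"


def _parse_features(features_xml: str) -> ET.Element:
    """Parse the stanza and make sure it really is a stream:features element."""
    root = ET.fromstring(features_xml)
    if root.tag != f"{{{STREAMS_NS}}}features":
        raise ValueError(f"not a stream:features element: {root.tag}")
    return root


def tls_posture(features_xml: str) -> str:
    """Return 'required', 'offered' or 'absent' for the STARTTLS feature."""
    root = _parse_features(features_xml)
    starttls = root.find(f"{{{TLS_NS}}}starttls")
    if starttls is None:
        return "absent"
    if starttls.find(f"{{{TLS_NS}}}required") is not None:
        return "required"
    return "offered"


def sasl_mechanisms(features_xml: str) -> list:
    """List the SASL mechanisms the server advertises in this stanza."""
    root = _parse_features(features_xml)
    mechs = root.find(f"{{{SASL_NS}}}mechanisms")
    if mechs is None:
        return []
    return [m.text.strip() for m in mechs.findall(f"{{{SASL_NS}}}mechanism") if m.text]


def assess(features_xml: str) -> list:
    """Return human-readable findings about cleartext exposure on this stream."""
    findings = []
    posture = tls_posture(features_xml)
    if posture == "absent":
        findings.append("server does not offer STARTTLS; the stream stays in cleartext")
    elif posture == "offered":
        findings.append("STARTTLS is optional; a client that skips it sends chat and credentials in cleartext")
    if posture != "required" and "PLAIN" in sasl_mechanisms(features_xml):
        findings.append("SASL PLAIN advertised without mandatory TLS; the password can be sniffed")
    return findings


# Constructed sample stanzas (not real captures).
SAMPLE_PLAINTEXT_ONLY = f"""<stream:features xmlns:stream="{STREAMS_NS}">
  <mechanisms xmlns="{SASL_NS}"><mechanism>PLAIN</mechanism></mechanisms>
</stream:features>"""

SAMPLE_TLS_OPTIONAL = f"""<stream:features xmlns:stream="{STREAMS_NS}">
  <starttls xmlns="{TLS_NS}"/>
  <mechanisms xmlns="{SASL_NS}"><mechanism>PLAIN</mechanism></mechanisms>
</stream:features>"""

SAMPLE_TLS_REQUIRED = f"""<stream:features xmlns:stream="{STREAMS_NS}">
  <starttls xmlns="{TLS_NS}"><required/></starttls>
  <mechanisms xmlns="{SASL_NS}"><mechanism>SCRAM-SHA-1</mechanism></mechanisms>
</stream:features>"""


if __name__ == "__main__":
    for name, stanza in [("plaintext-only", SAMPLE_PLAINTEXT_ONLY),
                         ("tls-optional", SAMPLE_TLS_OPTIONAL),
                         ("tls-required", SAMPLE_TLS_REQUIRED)]:
        print(name, tls_posture(stanza), assess(stanza))
```

The interesting case for a client audit is "offered": the server permits TLS, but nothing forces the client to use it, so whether the conversation is encrypted depends entirely on the client's own behaviour.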
What about that XML parser I mentioned earlier? I see numerous references to libxml2. I see multiple schemas supported, but the main one appears to be Relax NG (see http://relaxng.org).
What I have so far gives me a lot of avenues of attack. I can attack the XML parser, I can attack the web protocols, I can attack their custom browser with a slew of browser attacks (XSS, injection, overflows, etc.), and I can also go after all the custom calls I see to the EA server. Lastly I can go after their instant messenger setup built against the XMPP standard. It's like 5 apps in one.
Once again, anything else I encounter will be updated here, unless of course EA sues me or sends a cease and desist letter for breaking their EULA. Then again, who reads this blog anyways? Bots, and maybe some lone wolf.