"Imagine trying to play defense in football without ever studying offense. You would not know when a run was coming, how to defend pass patterns, nor when to blitz. In computer systems, as in football, a defender must be able to think like an attacker. I say it in my class every semester, you don’t want to be the last person to attack your own system--you should be the first.

"The world is quickly going online. While I caution against online voting, it is clear that online gaming is taking the Internet by storm. In our new age where virtual items carry real dollar value, and fortunes are won and lost over items that do not really exist, the new threats to the intrepid gamer are all too real. To protect against these hazards, you must understand them, and this groundbreaking book is the only comprehensive source of information on how to exploit computer games. Every White Hat should read it. It’s their only hope of staying only one step behind the bad guys."

--Aviel D. Rubin, Ph.D.
Professor, Computer Science
Technical Director, Information Security Institute
Johns Hopkins University

"Everyone’s talking about virtual worlds. But no one’s talking about virtual-world security. Greg Hoglund and Gary McGraw are the perfect pair to show just how vulnerable these online games can be."

--Cade Metz
Senior Editor
PC Magazine

"If we’re going to improve our security practices, frank discussions like the ones in this book are the only way forward. Or as the authors of this book might say, when you’re facing off against Heinous Demons of Insecurity, you need experienced companions, not to mention a Vorpal Sword of Security Knowledge."

--Edward W. Felten, Ph.D.
Professor of Computer Science and Public Affairs
Director, Center for Information Technology Policy
Princeton University

"Historically, games have been used by warfighters to develop new capabilities and to hone existing skills--especially in the Air Force. The authors turn this simple concept on itself, making games themselves the subject and target of the ’hacking game,’ and along the way creating a masterly publication that is as meaningful to the gamer as it is to the serious security system professional.

"Massively distributed systems will define the software field of play for at least the next quarter century. Understanding how they work is important, but understanding how they can be manipulated is essential for the security professional. This book provides the cornerstone for that knowledge."

--Daniel McGarvey
Chief, Information Protection Directorate
United States Air Force

"Like a lot of kids, Gary and I came to computing (and later to computer security) through games. At first, we were fascinated with playing games on our Apple ][s, but then became bored with the few games we could afford. We tried copying each other’s games, but ran up against copy-protection schemes. So we set out to understand those schemes and how they could be defeated. Pretty quickly, we realized that it was a lot more fun to disassemble and work around the protections in a game than it was to play it.

"With the thriving economies of today’s online games, people not only have the classic hacker’s motivation to understand and bypass the security of games, but also the criminal motivation of cold, hard cash. That’s a combination that’s hard to stop. The first step, taken by this book, is revealing the techniques that are being used today."

--Greg Morrisett, Ph.D.
Allen B. Cutting Professor of Computer Science
School of Engineering and Applied Sciences
Harvard University

"If you’re playing online games today and you don’t understand security, you’re at a real disadvantage. If you’re designing the massive distributed systems of tomorrow and you don’t learn from games, you’re just plain sunk."

--Brian Chess, Ph.D.
Founder/Chief Scientist, Fortify Software
Coauthor of Secure Programming with Static Analysis

"This book offers up a fascinating tour of the battle for software security on a whole new front: attacking an online game. Newcomers will find it incredibly eye opening and even veterans of the field will enjoy some of the same old programming mistakes given brilliant new light in a way that only massively-multiplayer-supermega-blow-em-up games can deliver. w00t!"

--Pravir Chandra
Principal Consultant, Cigital
Coauthor of Network Security with OpenSSL

If you are a gamer, a game developer, a software security professional, or an interested bystander, this book exposes the inner workings of online-game security for all to see.

From the authors of the best-selling Exploiting Software, Exploiting Online Games takes a frank look at controversial security issues surrounding MMORPGs, such as World of Warcraft^™ and Second Life^®. This no-holds-barred book comes fully loaded with code examples, debuggers, bots, and hacks.

This book covers

• Why online games are a harbinger of software security issues to come
• How millions of gamers have created billion-dollar virtual economies
• How game companies invade personal privacy
• Why some gamers cheat
• Techniques for breaking online game security
• How to build a bot to play a game for you
• Methods for total conversion and advanced mods

Written by the world’s foremost software security experts, this book takes a close look at security problems associated with advanced, massively distributed software. With hundreds of thousands of interacting users, today’s online games are a bellwether of modern software. The kinds of attack and defense techniques described in Exploiting Online Games are tomorrow’s security techniques on display today.

The next wave of computer crime

Online games are, as the term implies, video games played over the Internet. Many of them have associated online communities that reach well beyond the closed world of traditional single-player home games. The most popular, World of Warcraft, boasts more than 10 million players worldwide.

While the world of online gaming is built to entertain, its creators and players fight the same IT threats as business-oriented networks. Today’s 12-year old who is hacking World of Warcraft simply to cheat at the game could, in a couple years, be targeting corporate networks to more nefarious ends.

While the game attackers’ goals are different, this book demonstrates the lengths to which they are willing to go to access a system. Those tactics are likely forerunners of software and network security challenges to come in other online arenas.

In Exploiting Online Games: Cheating Massively Distributed Systems, authors Greg Hoglund and Gary McGraw offer a look at those threats. The book’s 10 chapters provide a comprehensive overview of everything from game hacking 101 to reverse engineering.

The authors explain in depth why and how online games are a harbinger of software security issues to come, and manifest some that already exist. They describe how gamers have created billion-dollar virual econ-omies, how to build a bot to play a game for you, why players cheat, and even how game companies invade players’ personal privacy.

Most important, the authors describe how game creators overcome a security issue only to have it defeated by the hackers. Sound familiar? This never ending "Spy vs. Spy" scenario is obviously frustrating to the game creators and underscores the critical importance of building effective application security into the fabric of the game.

Both Hoglund and McGraw have written extensively on the importance of software security. The sooner you and your software developers read their most recent book, the better off your software infrastructure will be. Your software is critical to your organization; protect it as well as the gamers do.

Self Promoting Cut and Paste Mess

By the way, you can read more in my book . . .
If you want to know more, buy . . .
Discuss further in my book and every other book printed by my publishing company . . .

This book is a mess of poorly explained code snippets and self promotion. Also, it focues 90% of its hacking on WoW. If you don’t know anything about World of Warcraft, then you will be completly lost. I have /timeplayed 1000 hours, so I could follow all of the WoW references, but unfamiliar readers will not understand large parts of the book.

Half of the work in this book is just cut and pasted from code scattered on the internet. If you don’t know C++, how to exploit the Windows OS, or modifying memory, these walls of code don’t make much sense.

This is the first book I have ever returned. The constant self promoting and lazy cut and paste code just frustrated the hell out of me.

MMO Macro and Botting guide

I thought the book would contain more about FPS cheating and less about WoW. It’s 90% about WoW. I don’t work on an MMO so I got bored fast.

Not a horrible book, but not great either. I preferred Hoglund’s Rootkit book since it had more generic approaches to subverting win32 processes.

If you work on an MMO, you should probably pick this one up.

Great look under the hood of games.

I really appreciated the detail the authors went into in order to explain how to pull off certain exploits. It was obvious that they had really tried them all hands on.

Definitely a must read

This book is a must read for anybody interested in online games or software security. Non-technical readers can skip over the detailed code for exploits, and will still gain an excellent overview of the problems that online games face. Those interested in understanding the problems in detail will undoubtedly enjoy the code as well.

One of the main problems discussed by the book is that online games include a lot of game logic on the client side to provide a responsive and enjoyable experience for players. However, the problem from a software security perspective is that attackers can modify the client-side logic to change some of the rules of the game to their advantage. Of course, client-side trust issues are a widespread problem in software, and are not limited to online games alone. The book discusses many other problems with online games (and massive distributed systems in general) as well.

This book has at least two advantages over many other software security books. Firstly, it should appeal to a wider audience that includes millions of online game players, thus increasing general awareness of software security issues. Secondly, it does not shy away from providing full source code for actual exploits, which should help software developers better understand what their software is up against.

Dissapointing

Well, the title says it all. The book talked about some useless topics such as why to cheat and about cheating. It also showed source code from other peoples programs (already open-source), and somewhat explained what each part of it does, but didn’t go in to details (users like me who don’t know about memory modification didn’t understand it at all). Not to mention that all of the programs they use as an example will get you banned because of Warden. They don’t talk about the biggest problem with botting which is how fast you will get banned without protection.

I actually write bots for World of Warcraft using Innerspace (and ISXWoW). If you really want to bot and don’t know enough to modify memory and reverse engineer large scale programs, look into those instead of this book.

Another excellent work for the software security community

Although I’m not a computer gamer, I am immensely impressed by what goes into on-line games -- and amazed at the huge communities of folks that can enjoy their efforts. What a great audience to communicate the software security lessons to!

On-line games, particularly the newer, massively networked ones, are obviously ripe for attackers to dupe. Even though they’re intended to "just" be games, real attacks can take place that have serious consequences to the communities that play these games.

More importantly, though, by demonstrating problems in these for-fun pieces of software, Gary and Greg have done a great service to everyone who works in software. The mistakes made in on-line games are, without a doubt, rooted in software issues that are found in "real world" software as well.

This is a great opportunity to explore the sorts of software security problems that plague far too many of our systems, from games to mission critical enterprise applications, today.