Skip to story Dozens of bears attacking a player in one Pwn Adventure scene. The only way to survive long enough to open the treasure chest is to hack the game's code.
To the average video gamer, Pwn Adventure 2’s bear challenge seems impossible. A horde of grizzly bears attacks you from all directions, and no matter how many bears you kill, more always seem to take their place. Even if you amass enough firepower to hold back the onslaught of claws, the dead bears suddenly revive after 90 seconds, pull out AK-47s, and waste your avatar.
Unless, of course, you’re playing Pwn Adventure with a hacker’s mindset. Then you might have reverse-engineered the game’s code and noticed that a bottle of healing wine you drank stored the variable that determined its power locally on your machine, not the game’s server. Change that variable from 10 to 100, and your player is suddenly invincible, ready to massacre as many zombie bears as necessary. In fact, after two minutes of easy bear murder, a treasure chest pops open to reveal a flag, and the challenge is over.
That healing-wine hack isn’t cheating, say Jordan Wiens and Rusty Wagner, the two former Raytheon security researchers who created Pwn Adventure. In this World of Warcraft-style game, hacking the game is the game. “The concept of the game is to look at the common security flaws that games have and make a challenge out of those flaws,” says Wagner, who presented the game along with Wiens at a talk at the Infiltrate security conference last week. “You take all these bugs we intentionally placed in the game, and through the course of playing, you abuse those bugs to win.”
In this World of Warcraft-style game, hacking the game is the game.
To any casual observer in the game, many of those players would seem to have super powers: moving at unnaturally high speeds, flying, and aiming their weapons with uncanny precision. In fact, those are all common tricks that savvy players have long used to cheat in other games, exploiting ways that the game’s server doesn’t check for changes in players’ individual software that offer unfair advantages.
In Pwn Adventure, those hackable flaws are intentional, Wagner says, and they’re only the most basic tricks for gaining an advantage in the game. Most of the challenges in Pwn Adventure actually require those hacks. (Spoilers ahead!) One treasure chest, for instance, can only be opened by finding an implementation flaw in its cryptographic protections. In the newest version of the bear challenge, the player has to trick the server into thinking he or she is at a different location, teleporting underground or into a treasure chest for protection.
Defeating one powerful fire monster requires understanding a security flaw that the user can infer, rather than see, in the game’s code. Only a certain ice weapon can damage the monster; shooting it with a fire weapon actually heals it instead. And when the monster loses half its health, it suddenly heals back to full strength, a seemingly impossible enemy to defeat. But boost the monster’s strength by shooting fire at it at the right moment, and its own healing process will push its health beyond one hundred percent and into the negative, a common mishandling of variables in software that breaks the boundaries of its health meter and kills the monster. “I love that one,” says Wiens. “You don’t actually have to [alter] the client, but you can still reverse engineer it.”The inevitable result of Pwn Adventure’s bear challenge if a player doesn’t know how to hack the underlying game.
Wiens and Wagner are both veterans of capture-the-flag, the traditional hacking competitions that hackers have staged at conferences for years. In 2009, their team of hackers won the competition at Defcon—the de facto international championship of the sport—and they came in second in 2013.
The two hackers see their game as the next step in that tradition: Two versions of the game are publicly available as free downloads, Pwn Aventure 2 and its sequel Pwn Adventure 3. The latter was released at hacker conference Shmoocon in January, where it was part of the conference’s “capture the flag” hacking competition for the second year in a row. At Shmoocon, more than 250 players were simultaneously inhabiting the game world, by Wagner’s count, and more than 1,200 people have played the game in total.
With Pwn Adventure’s game interface, Wiens and Wagner hope to make long-running capture-the-flag competitions more accessible for both players and spectators. Watching the older games has been hardly entertaining, as they showed little more than technical-looking command line tools, code, and reverse engineering applications. A game like Pwn Adventure, Wiens and Wagner hope, could make watching hacker capture-the-flag as exciting for spectators as the e-sport events that draw millions of fans.
“CTFs could develop into something like a real e-sport with announcers and people livecasting,” says Wiens. “For a younger generation, watching is almost as interesting as playing, and I think there’s a chance for CTF to take advantage of that too.”
In fact, Wiens argues there’s value in expanding hacker capture-the-flag that goes beyond entertainment. Like more explicitly educational games that teach kids to code, Pwn Adventure could serve as a powerful training ground for young hackers. Wiens believes that expanding the games could help fill the growing talent gap for security professionals in the American workforce. In fact, he and Wagner quit their jobs at Raytheon earlier this year to start their own government contracting business called Vector35, and hope to soon turn Pwn Adventure into an element of a training course in cybersecurity skills.
“For me, it’s partly that I’m an addict who wants everyone else to share his obsession,” says Wiens. “But everyone also talks about the shortfall of security practitioners, and the question of how to train all the hackers we need…In these games you’re developing real abilities that are important in the real world.”