Pwn Adventure 3: Pwnie Island

What is Pwnie Island?

Pwn Adventure 3: Pwnie Island is a MMORPG game designed to be hacked. There were different versions of this game that can be run on Windows, Linux and MacOS. We choose the Windows version since this is the most popular OS for games.

Setup

docker compose up -d runs into this error: "Cannot create container for server master: invalid mount config for type bind: bind source path does not exist: /root/PwnAdventure3/postgres-data". Just create an empty postgres-data directory inside PwnAdventure3/.

We set up the client on Windows. The /etc/hosts file is at C:\Windows\System32\drivers\etc\hosts. Make sure you open a text editor with admin privilege in order to edit this file. For example, you can open sublime with admin privilege first, then go to Open -> Open File and open hosts file.

Debug: SSL issue

Another caveat is the server cert expired after November 2024:

First you go to ./PwnAdventure3/server/MasterServer on your vps / server machine, and you will see server.crt and server.key. To create a new certificate while reusing your existing key, you need to generate a certificate signing request (CSR) from your old key and then self‑sign that CSR. In other words, you’ll keep your current private key (server.key) but issue a new certificate (server.crt) with updated validity dates. For example, you can run (after you back up the old cert):

# Generate a new CSR using your existing server.key:
openssl req -new -key server.key -out server.csr \
  -subj "/C=US/ST=DC/L=Washington/O=Ghost in the Shellcode/CN=master"

# Self-sign the CSR to generate a new certificate valid for 10 years (3650 days):
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt

Replace the old server.crt in ~/PwnAdventure3/client/PwnAdventure3_Data/PwnAdventure3/PwnAdventure3/Content/Server with this new server.crt. Then you would transfer the newly generated server.crt back to your game machine, for me it is my main windows machine:

scp -r <username>@<vps_ip>:/root/PwnAdventure3/server/MasterServer/server.crt .

On a Windows machine, you can add your self‑signed certificate to the Trusted Root Certification Authorities so that the client (or any application using the Windows certificate store) will trust it:

Locate your certificate file: Make sure you have your certificate (for example, server.crt) accessible.
Double-click the certificate: This opens the Certificate window with details about the certificate.
Click “Install Certificate…”: This launches the Certificate Import Wizard.
Choose the store location:
- If you want the certificate trusted for the current user only, select Current User.
- If you want it trusted for all users on the machine, select Local Machine (you may need administrative rights).
Select “Place all certificates in the following store”: Click the radio button for this option and then click Browse….
Choose “Trusted Root Certification Authorities”: In the dialog that appears, select Trusted Root Certification Authorities and click OK.
Finish the Wizard: Click Next and then Finish. You may receive a security warning; confirm that you want to install the certificate.
Restart your game client: Done!

Debug: "Waiting in connection queue"

If you get stuck at "Waiting in connection queue" after character creation, there are 2 possibilities:

Make sure server.crt is replaced both at your game client (for me it is the windows machine) and at ~/PwnAdventure3/client/PwnAdventure3_Data/PwnAdventure3/PwnAdventure3/Content/Server on your vps (where you run docker)

I did both options above so I am not sure which one worked, but I successfully logged in at the end.

Game Architecture

Programming language and framework:

The game launched is written in Mono, which is a cross-platform .NET framework.
The underlying game engine is Unreal 4, but we don't attack the engine itself because net code and game logic are completely custom.
The game logic is written in C++. This is expected since Unreal 4 is the game engine.

Based on common game hacking techniques, there are a few things that we can do:

Try speed hack, health/mana hack, teleport hack, fly hack
Figure out how to patch game binary
Write a proxy to discover the data format of client-server communication
Maybe we can do DLL injection

Game strucutre

The game is structured in 3 parts:

Client
Master server
Game server

note: The following information is purely build on assumptions and not from the official documentation.

Client

The client is the game you are running on your computer. It's basically the application responsible render the 3D environment, capturing your mouse and keyboard to move your character, establish the connection to the server, etc.

Master server

Whenever the user click on "Play game" (online), the client will first establish a connection with the master server. The master server is responsible to store and manage your account:

Your credentials
Your characters (name, color, face, etc)
Your inventory
Your team
Your quests progression
Your achievement
The locations you've already visited

So whenever you first authenticate, the master server will verify your credentials then show your characters. Once you decide to join the world of Pwnie Island, the master server will send your inventory, quests, achievement, etc; and redirect you to the game server.

Game server

The game server is responsible for the instances. In order to avoid having too many players and enemies all together on the same map (instance) - which would not only overload the network traffic and CPU usage of the server but the client as well - the game server will dispatch the players on different game instances. Each instance is managed by one game server. The game server is responsible for keeping track of the players and enemies location on the map. It is also responsible to keep track of the states of the elements (e.g. the dropped loots, switches, enemies and player health/mana, etc).

Previous/home/ret2basic.eth NextPrep: Speed Hack

Last updated 3 months ago