Omnihack

Time limit: 90 minutes per binary. If nothing by then, move on.

Step 1 - Triage the binary (10 min max)

# Security checks
checksec --file=target.exe    # or DIE, CFF Explorer
strings target.exe | grep -iE "api[_-]?key|secret|token|password|debug|admin"
python -c "import pefile; pe=pefile.PE('target.exe'); print([s.Name.decode().strip(chr(0)) for s in pe.sections])"

Decision gate:

• Found hardcoded secrets/keys? STOP. Write finding. This is a quick win.
• Found debug symbols or debug mode flags? Prioritize - easier reversing.
• Anti-cheat driver detected (EAC/BE/Vanguard signatures)? Read anticheat-bypass.md before proceeding.
• No interesting strings? Continue to Step 2.

Step 2 - Static analysis in Ghidra/IDA (20 min max)

1. Load binary, let auto-analysis complete
2. Search for imports: recv, send, WSARecv, InternetOpenUrl, HttpSendRequest, CreateFile, RegOpenKey
3. Find cross-references to crypto functions: CryptEncrypt, CryptDecrypt, BCryptEncrypt
4. Locate authentication functions (search strings: "login", "auth", "session", "token")
5. Check for client-side validation functions that should be server-side

Decision gate:

• Found unencrypted network calls with auth data? STOP. Trace the data flow. Write finding.
• Found client-side-only validation (no server check)? STOP. This is bypassable. Write finding.
• Found weak/no crypto on sensitive data? Continue to Step 3 to confirm.

Step 3 - Crypto and auth analysis (15 min max)

1. Trace crypto key derivation - hardcoded key? Derived from predictable input?
2. Check if auth tokens are validated client-side only
3. Look for XOR-only "encryption" or custom crypto
4. Check certificate pinning implementation (bypassable?)

Decision gate:

• Hardcoded crypto key? STOP. Extract it. Prove decryption. Write finding.
• No server-side token validation? STOP. Forge a token. Write finding.
• Solid crypto? Move to runtime analysis.

Step 4 - Dynamic analysis setup

import pymem
pm = pymem.Pymem("target.exe")
base = pm.process_base.lpBaseOfDll
print(f"Base: {hex(base)}")

Step 5 - Memory scanning (20 min max)

1. Identify interesting values (currency, health, rank, permissions)
2. Scan for the value, change it in-game, scan again to narrow
3. Find the memory address, trace what reads/writes it
4. Check if the value is server-authoritative or client-authoritative

Decision gate:

• Client-authoritative game value (currency, items, stats)? STOP. Modify it. Confirm server accepts it. Write finding.
• Server rejects modified values? Note the validation and move on.

Step 6 - Process manipulation

1. Test memory write on identified addresses
2. Check for integrity checks (hash validation on memory regions)
3. Try freezing values (write loop)

Decision gate:

• Can modify game state that persists server-side? STOP. Document the modification chain. Write finding.
• Integrity checks block writes? Try Step 8 (DLL injection for in-process bypass).

Step 7 - Network interception (20 min max)

# Capture game traffic
wireshark -i any -f "host game-server.com" -w capture.pcap
# Or for HTTP(S)
mitmproxy --mode transparent --ssl-insecure

1. Identify the protocol (HTTP/WebSocket/custom TCP/UDP)
2. Capture auth flow - how are sessions established?
3. Capture game actions - what data is sent for purchases, trades, combat?
4. Try replaying packets (purchase replay, action replay)
5. Try modifying values in transit (price, quantity, target ID)

Decision gate:

• Packet replay works (duplicate purchase/action)? STOP. Write finding.
• Can modify values the server accepts (negative price, other user's ID)? STOP. Write finding.
• All values server-validated? Document the protocol for future reference.

Step 8 - DLL injection (only if Steps 5-7 found bypasses blocked by integrity checks)

1. Choose technique: CreateRemoteThread (simplest), manual mapping (stealthier)
2. Write DLL that hooks the integrity check function
3. Inject and verify bypass works
4. Re-test the blocked modification from Step 5/6

Decision gate:

• Integrity check bypassed, game state modifiable? Write finding with full chain: injection + bypass + impact.
• Anti-cheat blocks injection? Read anticheat-bypass.md. If expert-level kernel work needed, note it and move on unless bounty justifies the effort.

Attack Surface Checklist

Test each. Check it off or skip with reason.

• Hardcoded keys/tokens in binary strings
• Client-side-only auth validation
• Weak/custom crypto on sensitive data
• Client-authoritative game values (currency, items, stats)
• Packet replay attacks (purchase duplication)
• Value tampering in network traffic
• Unsigned DLL loading / DLL search order hijack
• Debug endpoints or admin functionality left in release build
• Race conditions on currency/item transactions
• Leaderboard manipulation via stat inflation

Proof Requirements

Every finding needs:

1. Reproduction steps a triager can follow without Ghidra expertise
2. Before/after evidence (screenshots, memory dumps, packet captures)
3. Server-side impact proof - client-only modifications are not findings
4. GIF or video of the exploit chain if it involves multiple steps