Full Report
Remember iddqd and idkfa? Those two strings were etched into my brain at a very young age, where fond memories of playing shareware Doom live. For SenseCon '19, Lauren and Reino joined me as we dove into some reversing of chocolate-doom with the aim of recreating similar cheats. The results? Well, a video of it is shown below. We managed to get cheats working that would:

- Increment your ammo instead of decrement it.
- Increment everyone's health by the amount it would have gone down. Yes, you read right, everyone.
- Toggle cheats just like how they behaved in classic Doom.

The source code for our cheats lives here if you want to play along, or maybe even contribute new ones :)
Analysis Summary
# Tool/Technique: Frida Instrumentation for Chocolate Doom Cheats
## Overview
This summary details the process of reversing and modifying the behavior of the game "chocolate-doom" (a historically accurate recreation of classic Doom) on Windows to implement custom cheat functionality, mimicking classic cheat codes like `iddqd` and `idkfa`. The primary tool used for dynamic binary instrumentation and patching was **Frida**. The goal was to increment ammo instead of decrementing it, increase health globally, and toggle cheats based on user input sequences.
## Technical Details
- Type: Tool / Technique (Runtime Instrumentation & Binary Modification)
- Platform: Windows (targeting `chocolate-doom.exe`)
- Capabilities: Dynamic binary instrumentation, memory scanning, code tracing, runtime patching via JavaScript injection.
- First Seen: Techniques demonstrated at SenseCon 2019 (November 2019 based on publication date).
## MITRE ATT&CK Mapping
This activity aligns primarily with defense evasion, discovery, and modification techniques, applied to a benign target for research purposes.
- **TA0005 - Defense Evasion**
  - T1055 - Process Injection (indirectly, as Frida injects instrumentation)
- **TA0003 - Discovery**
  - T1046 - Network Service Scanning (similar concept used in memory scanning via CheatEngine to find offsets)
- **TA0002 - Execution**
  - T1059 - Command and Scripting Interpreter
  - T1059.003 - Windows Command Shell (the environment where the tools run)
- **TA0004 - Privilege Escalation** (if applied to higher-value targets, though not explicitly the goal here)
  - T1055 - Process Injection
## Functionality
### Core Capabilities
The project involved reverse engineering the target game by:
1. **Memory Scanning and Offset Identification:** Using **CheatEngine** to locate memory addresses related to game states, specifically the ammo count.
2. **Code Tracing:** Identifying the specific assembly instruction responsible for decrementing ammo by watching writes to the identified memory address within CheatEngine. The identified instruction was located at `0x0430A2c`.
3. **Dynamic Patching via Frida:** Using **Frida** to inject customized JavaScript logic into the running process to execute new functionality instead of the original code path.
4. **Cheat Implementation:**
   * Incrementing ammo instead of decrementing.
   * Incrementing *everyone's* health upon the expected health decrement event.
### Advanced Features
1. **Custom Cheat Activation using Runtime Logic:** Instead of hard-patching opcodes, the authors intercepted the `cheat_compare` function (responsible for reading cheat input).
2. **Frida JavaScript Execution:** The researchers executed custom JavaScript logic within the game's context to validate user input sequences (e.g., `iddqd`).
3. **Input Validation Workaround:** Because the game calls `cheat_compare` repeatedly with the same keycode for a single key press, a custom function (`getCheatFromBufWithChar()`) was implemented to record only printable ASCII characters that had not already been captured for that press, so the cheat string buffer is built correctly without duplicated characters.
4. **Toggle Functionality:** Routines were created to both apply the required patches (to enable the cheat) and later undo those patches when the cheat sequence was entered again (toggling the effect).
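The following is an added example, not the SensePost `doom-cheats.js` script, showing the two pieces the "Advanced Features" items describe: a buffer that collapses the repeated `cheat_compare` calls the game makes for one key press, and a toggle that flips a cheat on or off each time its sequence is typed. The pure logic runs under plain Node.js; the Frida hook at the end installs only when the `Interceptor` global exists (i.e. inside Frida). The signature `cheat_compare(cheatseq_t *cht, char key)`, the dedup strategy (accept one call per press, identified by the cheat-table pointer the game passes), and the value of three calls per press in the replay helper are assumptions made for the example.

```javascript
// Added example (not the original post's code): cheat-buffer logic plus an
// optional Frida hook on cheat_compare. Assumptions: cheat_compare receives
// (cheat-table entry pointer, key) and is invoked once per registered cheat
// for every key press, so repeated calls share the same key.

function createCheatState(names) {
  const active = Object.fromEntries(names.map((n) => [n, false]));
  const maxLen = Math.max(...names.map((n) => n.length));
  let buf = '';
  let sentinel = null; // the first cheat-table pointer we see acts as "once per press"
  return {
    active,
    // One cheat_compare invocation. Returns the cheat that toggled, or null.
    feed(cheatPtr, code) {
      if (sentinel === null) sentinel = cheatPtr;
      if (cheatPtr !== sentinel) return null;       // duplicate call for this press
      if (code < 0x20 || code > 0x7e) return null;  // keep printable ASCII only
      buf = (buf + String.fromCharCode(code)).slice(-maxLen);
      for (const n of names) {
        if (buf.endsWith(n)) {
          active[n] = !active[n];                   // toggle, like the classic cheats
          buf = '';                                 // so a dead key cannot re-trigger it
          return n;
        }
      }
      return null;
    },
  };
}

// Replay typed text through the assumed call pattern: one press produces
// callsPerPress invocations with distinct table pointers 0..callsPerPress-1.
function replay(state, text, callsPerPress = 3) {
  const events = [];
  for (const ch of text) {
    for (let ptr = 0; ptr < callsPerPress; ptr++) {
      const hit = state.feed(ptr, ch.charCodeAt(0));
      if (hit !== null) events.push(hit);
    }
  }
  return events;
}

// Inside Frida only: hook cheat_compare and report toggles. The apply/undo of
// the actual patch would hang off the reported toggle; no opcodes are given
// here because the page supplies none.
if (typeof Interceptor !== 'undefined') {
  const state = createCheatState(['iddqd', 'idkfa']);
  const target = DebugSymbol.fromName('cheat_compare').address; // assumes symbol resolves
  Interceptor.attach(target, {
    onEnter(args) {
      const hit = state.feed(args[0].toString(), args[1].toInt32() & 0xff);
      if (hit !== null) {
        console.log(`[*] ${hit} -> ${state.active[hit] ? 'on' : 'off'}`);
      }
    },
  });
}
```

Deduplicating by table pointer rather than by "same character as last time" matters for `iddqd`, whose two consecutive `d` presses would otherwise be collapsed into one.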
## Indicators of Compromise
Since this was a proof-of-concept research exercise modifying a local game process, traditional malware IOCs are mostly absent.
- File Hashes: Not provided for the specific instrumentation scripts or modified memory states.
- File Names: `chocolate-doom.exe`, `frida-windows-playground/doom-cheats.js` (the instrumentation script).
- Registry Keys: Not applicable.
- Network Indicators: None mentioned.
- Behavioral Indicators: Runtime instrumentation injection into a running user-mode process (`chocolate-doom.exe`); modification of memory access patterns (e.g., instructions that should subtract now add values).
## Associated Threat Actors
This technique was demonstrated by security researchers associated with SensePost for educational purposes and reverse engineering research. No known threat actors are associated with using this specific exercise in malicious campaigns.
## Detection Methods
Detection focuses on monitoring runtime instrumentation or unauthorized memory manipulation tools:
- **Signature-based detection:** Signatures for known Frida loaders or injection mechanisms running on the endpoint.
- **Behavioral detection:** Alerts triggered when standard executables (like games) suddenly receive external script injections or demonstrate unexpected modifications to core arithmetic operations (e.g., detection of hooks/breakpoints set by instrumentation tools).
- **YARA rules:** Not applicable based on the provided context.
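As an added example (not part of the original post), the checks below turn the signature and behavioral indicators listed above into code run over a constructed process snapshot: loaded module names, a memory map, and the first bytes of a few exported functions. The snapshot format, the sample values, the module-name pattern and the inline-hook heuristic (a function prologue replaced by an unconditional jump) are assumptions for the example; a real collector would fill the snapshot from the OS.

```javascript
// Added example: endpoint checks for runtime instrumentation of a process.
// Snapshot layout and sample data are constructed for this example.

// Module names Frida loads into a target when it attaches (frida-agent) or
// that an embedded build carries (frida-gadget).
const FRIDA_MODULE_RE = /frida-(agent|gadget)/i;

// Heuristic for an inline hook: the first instruction of a function is an
// unconditional jump out of the image (E9 rel32 or FF 25 jmp [rip+disp32]).
function isHookedPrologue(bytes) {
  if (bytes.length < 5) return false;
  if (bytes[0] === 0xe9) return true;
  if (bytes[0] === 0xff && bytes[1] === 0x25) return true;
  return false;
}

// Private (not image-backed) executable memory is where instrumentation
// runtimes place trampolines and generated code.
function isPrivateExecutable(region) {
  return region.type === 'private' && region.protect.includes('x');
}

function assessProcess(snapshot) {
  const findings = [];
  for (const m of snapshot.modules) {
    if (FRIDA_MODULE_RE.test(m.name)) {
      findings.push({ kind: 'frida-module', detail: m.name });
    }
  }
  for (const r of snapshot.regions) {
    if (isPrivateExecutable(r)) {
      findings.push({ kind: 'private-exec', detail: `${r.base} (${r.protect})` });
    }
  }
  for (const f of snapshot.functions) {
    if (isHookedPrologue(f.prologue)) {
      findings.push({ kind: 'inline-hook', detail: f.name });
    }
  }
  return findings;
}

function findingKinds(snapshot) {
  return assessProcess(snapshot).map((f) => f.kind);
}

// Constructed snapshot of the game process after an instrumentation tool has
// attached. Addresses, sizes, byte values and the clean function name are
// invented; cheat_compare is the function the write-up hooks.
const SAMPLE_SNAPSHOT = {
  modules: [
    { name: 'chocolate-doom.exe' },
    { name: 'SDL2.dll' },
    { name: 'frida-agent-64.dll' },
  ],
  regions: [
    { base: '0x00400000', type: 'image', protect: 'r-x' },
    { base: '0x00c00000', type: 'private', protect: 'rw-' },
    { base: '0x7ff9a0000000', type: 'private', protect: 'rwx' },
  ],
  functions: [
    // clean prologue: mov [rsp+8], rbx
    { name: 'example_clean_function', prologue: [0x48, 0x89, 0x5c, 0x24, 0x08] },
    // hooked: jmp rel32 into a trampoline
    { name: 'cheat_compare', prologue: [0xe9, 0x2b, 0x11, 0x00, 0x00] },
  ],
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of assessProcess(SAMPLE_SNAPSHOT)) {
    console.log(`${f.kind}: ${f.detail}`);
  }
}
```

Each check is cheap on its own and noisy in isolation (JIT runtimes own private executable memory legitimately, and some security products hook prologues themselves); the value comes from correlating them on a process that has no business being instrumented, such as a game binary.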
## Mitigation Strategies
The core mitigation strategy revolves around process security:
- **Prevention measures:** Employing application control (whitelisting) to restrict the execution of unauthorized dynamic instrumentation tools (like Frida client components or CheatEngine).
- **Hardening recommendations:** Implementing robust exploit mitigation technologies that focus on preventing unauthorized code injection into live processes.
## Related Tools/Techniques
- **CheatEngine:** Used initially for memory scanning and identifying the write location of the target value.
- **IDA Freeware** and **WinDbg:** Mentioned as tools considered for initial reverse engineering, though Frida was the tool required for the dynamic patching implementation.
- **Frida:** The primary tool used for dynamic instrumentation.
- **Classic Doom Cheats:** `iddqd` (God Mode) and `idkfa` (All weapons, ammo, keys, and armor).