java. Brian D.

About me

I'm Brian, also known as java, an experienced software engineer from Ireland with a passion for C#, C++, reverse engineering, and cybersecurity, focused on building scalable, high-performance tools and applications.

Projects

Note: This is just a small portion of my work that I felt like sharing. Most of these repositories have been made private due to exclusivity or because they were created as part of commissioned work.

XOR Packet Verification in GOW (Gears of War)

8 Aug 2025 - 10:28 • written by java

In this post, I will talk about how I found a critical vulnerability in Gears of War's multiplayer networking, rooted in its native UObject system and replication framework.

This exploit allowed an attacker to inject forged packets that triggered server-side events without proper authentication, replay captured packets to repeat one-time actions, and manipulate replicated actor properties in real time.

What is Gears of War?

Gears of War is a third-person shooter developed by TC (The Coalition) and Epic Games, built on Unreal Engine 3.

The game's multiplayer system relies heavily on UE3's replication layer—a networking framework designed to synchronize actors, variables, and gameplay events between clients and the server. This system automatically propagates state changes to connected players.

First thought

After dumping the game, I used UE3-specific analysis tools, together with UE3 type libraries for UObject and FName parsing, to map key structures such as UObject and to identify the core replication functions.

I then used a small dynamic memory introspection tool to extract the GObjects and GNames arrays.

From there, I targeted UObject::ProcessEvent, the core function responsible for dispatching native and UScript calls. Using a signature, I mapped out the base UObject structure:

UObject structure analysis

I located a function responsible for verifying packet integrity. This function implements a simple XOR checksum:

XOR checksum function

The checksum key is derived by XORing the player's UID with the system tick count, then taking the least significant byte. Since both values are predictable or observable, the key is easy to guess, and because the checksum is a single byte there are only 256 possible values. Together these weaknesses let an attacker forge packets that pass the integrity check, allowing modification and injection of arbitrary data.

With a reliable write-what-where primitive in place, the next step was to modify and inject arbitrary data by routing all multiplayer packets through a custom proxy. There, I intercepted legitimate packets, removed their checksums, recalculated them using the static XOR key, and reinjected the forged packets. The server accepted these altered packets without error.

Client-supplied data must never be trusted without strict, server-side validation.
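As an added example (not code from the post or from the game), the checksum scheme described above is reconstructed so its weakness can be measured, and placed beside a hypothetical server-side verifier that uses a session secret the client cannot derive from observable values and tracks sequence numbers to reject replays. The sample UID, tick count, payload and secret are constructed values.

```python
import hmac
import hashlib

# --- The scheme as the post describes it (weak) ---

def weak_key(player_uid: int, tick_count: int) -> int:
    """Key = least significant byte of (player UID XOR system tick count)."""
    return (player_uid ^ tick_count) & 0xFF

def weak_checksum(payload: bytes, key: int) -> int:
    """8-bit XOR checksum over the payload, seeded with the key."""
    acc = key
    for b in payload:
        acc ^= b
    return acc

def keys_accepting(payload: bytes, checksum: int) -> list[int]:
    """Every key in the 256-value space under which the checksum validates.
    A single observed packet pins the key down completely."""
    return [k for k in range(256) if weak_checksum(payload, k) == checksum]

# --- A server-side verifier with an unguessable key and replay tracking ---

class SessionVerifier:
    """Hypothetical hardened design: HMAC-SHA256 over (sequence || payload)
    with a per-session secret that is not derived from observable values,
    plus a per-session record of sequence numbers already accepted."""

    def __init__(self, session_secret: bytes):
        self._secret = session_secret
        self._accepted: set[int] = set()

    def tag(self, seq: int, payload: bytes) -> bytes:
        msg = seq.to_bytes(4, "big") + payload
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def verify(self, seq: int, payload: bytes, tag: bytes) -> bool:
        if not hmac.compare_digest(self.tag(seq, payload), tag):
            return False            # forged or modified payload
        if seq in self._accepted:
            return False            # replayed packet
        self._accepted.add(seq)
        return True

# Constructed sample packet values (not captured game traffic).
SAMPLE_UID, SAMPLE_TICK = 0x1A2B3C4D, 0x0000F00D
SAMPLE_PAYLOAD = b"\x07\x00\x01ROUND_END"
```

An authenticated tag and sequence check only establish who sent a packet and whether it was already seen; what the packet asks the server to do still has to be validated against server-side game state, which is the post's actual lesson.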

Now what?

This issue has been responsibly disclosed to the TC (The Coalition) team in accordance with their security reporting guidelines, and it was addressed quickly and transparently.

God is great.