In the ever-evolving realm of digital entertainment, where creativity converges with cutting-edge technology, a subversive art form emerges — game hacking. Beyond the pixels and polygons lies a labyrinth of code waiting to be deciphered, manipulated, and reimagined. This intriguing practice not only kindles the flames of curiosity but also serves as a pivotal gateway into the realm of reverse engineering. Aspiring enthusiasts seeking to unravel the enigma of game hacking often find themselves treading the path of reverse engineering, a domain intertwined with the understanding of software, memory structures, and the inner workings of programs.
At its core, game hacking is a captivating pursuit that involves exploring the intricate tapestry of video games, probing for chinks in their digital armour, and bending the rules to one’s advantage. It’s the art of peering beneath the glossy surface of gaming universes to understand the mechanisms that govern them. Be it harnessing superhuman abilities, manipulating in-game economies, or altering the very fabric of virtual reality, game hacking offers an avenue for players to transcend the constraints set by developers.
One of the foundational concepts that underpins game hacking and reverse engineering is the storage of values in a game’s memory. Games, like finely choreographed performances, rely on the synchronisation of various elements. Whether it’s the player’s health, ammunition count, or the score, these values find their abode within the memory of a running game. Unravelling the enigma of memory storage not only grants insights into a game’s mechanics but also equips the budding hacker with the power to manipulate these values at will.
This blog post will serve as an introduction into game hacking/reverse engineering and the use of cheat engine. Towards the end of the post, Prism Infosec will look at tricks and techniques game developers can use to prevent tampering with their games. To follow along fully with this post, it is recommended that the reader has a basic level of understanding of reverse engineering.
Cheat Engine in a Nutshell
Cheat Engine is essentially a memory scanner and editor, acting as a bridge between the player’s intentions and the game’s codebase. The process begins by selecting a game process to analyse. Cheat Engine scans the game’s memory space, a realm where values like health, score, or resources reside. It does so by systematically examining memory addresses, each of which holds a specific value. By altering these values, players can, for instance, boost their character’s health, acquire infinite ammunition, or acquire unlimited gold.
Once the desired value is located, Cheat Engine reveals its true prowess: freezing, modifying, or even injecting new values into the game’s memory.
Starting off, we have the main Cheat Engine UI. Majority of the functionality will be glossed over for this post, but the core functionality will be focused on.
Highlighted below are the following functions:
A Practical Example
Finding values in memory
For this blog post, a third person, click and point style RPG game was chosen. The game lets users’ level up, collect weapons and defeat enemies, among a whole lot of other things.
During games, it is common for players to die a lot, but what if this could be prevented by giving the player infinite health or change it so the health value never drops? Using cheat engine it is possible to manipulate the health value to do so.
Conveniently, the game displays the value of the current players health when hovering over the UI elements.
For this game, it is assumed that the values of the data types will be 4 bytes in size. Below, by searching for the health value and clicking “First Scan”, a list of possible results are displayed. Note the “Address” column, which displays the memory address that holds the value. The “First” column is what the value was first observed as and the “Previous” column, is what the value was before it changed (or if it changed).
As the scan has generated over 125 results, it cannot be determined straightaway what the health value is. A good way to narrow down the results is to change the value in some way, in this instance, the player can take damage from a monster to decrease the value.
After taking damage, below in the bottom left hand corner, notice the health value has now changed to 318:
Scanning for the updated value in memory by selecting “Next Scan” (which searches based on the previously searched value to narrow down the search results), you will notice there is a change in the number of results, in this case there is now 3:
At this point, it still can’t be determined which address holds the health value, so the next step is to try and manipulate each one to see if it affects the on-screen value. By double clicking each value, they have now been added to the address list in the bottom pane in the main cheat engine window.
Using trial and error to manipulate the address’ and their corresponding values, should narrow down the health value. By clicking the toggle box in the left-hand column, it is possible to freeze a value. Freezing a value, means that in theory, it should not change:
Now, when taking damage again from a monster, the value should not change from 318. However, after taking damage, notice in the below screenshot that the health value has in fact changed:
So, it can now be ruled out that wasn’t the correct value. By rinsing and repeating the above steps on the remaining two address’, it is apparent that neither is the correct health value.
Where next?
Incorrect values
When trying to find a value in memory, it is often assumed what the data type will be, in this case, a 4-byte integer for the health value. In reality, most games will store values like health, in a float value.
When scanning memory concludes the wrong, or no results, it is often worth changing the data type to see if that will identify the correct one.
In this example, changing the value type to a float, gave 273 results. To not repeat the above steps to narrow down the results and save time, it can be assumed that two potential values have been identified:
After taking damage from an enemy:
With the two values identified, freezing one of the values should rule out the correct one:
By taking damage again, it can be determined which value is correct:
As the health decreased, the first value froze was incorrect. Freeze the next value:
Now entering combat and observing the health value, it is the correct value as no damage is taken:
Cheat Engine Debugger Functionality
Cheat Engine comes packaged with a built-in debugger, among many other things, that can allow the end user to walk through the underlying assembly code to gain a deeper understanding of the game’s functionality and logic.
Using the health value as an example, if we right click on the value and select “Find out what writes to this address”, cheat engine will launch the debugger and show what address’ interact with the health value:
Taking damage from an enemy should populate the debugger window with activity:
After taking damage, the debugger window will now show the address, opcodes and instructions which wrote to the health value address:
Selecting the “Show disassembler” option will display the assembly instructions listed above and surrounding instructions:
As the highlighted instructions above are the ones that write to the health value address and thus dictate the damage the player takes, it would be beneficial to remove these instructions, so the player takes no damage. Luckily, cheat engine has built in functionality to do this, by right clicking the instruction and selecting “Replace with code that does nothing”:
The result is that Cheat Engine has overwritten the assembly instructions with the “nop” keyword, which means “no operation” that will simply do nothing when ran:
Now, when going into combat, no damage will be taken:
Identifying structures and values in memory
Whilst using the methodology above to find other values, such as mana, or number of potions the player has, is still valid, there are easier methods to quickly find these values in memory.
When a game developer creates a player object, they will typically assign values such as health, mana, energy, experience, player name and more in the same class or structure. Using this assumption, after a value such as health has been located, the surrounding values in memory should all be relevant to the character in some way.
This can be seen in action by utilising the in-memory structure capabilities of Cheat Engine. Going back to the health value, once identified, right click and select “Disassemble this memory region”:
Select Tools menu at the top, then “Dissect data/structures”:
On the following screen, select the “Structures” menu and then “Define new structure”:
This effectively takes the current memory region, in this case from the health value and attempts to group other values in that memory region into a formatted structure as seen below:
A lot of the values displayed, such as float, byte, etc, will be Cheat Engine guessing the value types to display them.
Observing the values, one jumps out straight away, the mana value:
Scrolling further down the list, it is possible to see other values such as gold:
Changing the gold value:
Fame value:
Player strength values:
Messing with game memory values can mess up the fairness of the game, like changing scores on leaderboards or player stats. By falsifying values to impress friends or show off on online forums, messes with the trust among players and makes real achievements seem fake, causing doubt and breaking the friendly vibe among gamers:
To prevent efforts to hack or manipulate a game, developers have a few options:
Encrypted values:
Encrypting memory values makes finding initial starting values such as health, difficult to find. This adds an extra layer of complexity for hackers attempting to uncover sensitive information.
Code Integrity Checks:
Code integrity checks involve adding mechanisms that verify the integrity of the game’s executable code during runtime. This can include checksums or hashing algorithms that ensure the code hasn’t been tampered with. If a hacker attempts to modify the code, these checks will detect the alteration and can trigger anti-cheat measures or even prevent the game from running.
Anti-Cheat Software:
Dedicated anti-cheat software employs various techniques to detect and prevent cheating. This can range from heuristic analysis of running processes to signature-based detection of known cheats. Anti-cheat tools often work alongside the game client, scanning for unauthorised modifications or abnormal behaviour. When a cheat is detected, the anti-cheat software can take action, such as issuing warnings, suspending accounts, or banning players.
Server-Side Validation:
If a game utilises online connectivity and cross-play, server-side validation means that critical game actions and data are verified on the game server, not just on the player’s device. This prevents players from manipulating or forging data on their end. For example, if a player claims to have achieved a high score, the server verifies the legitimacy of the claim before updating the leaderboard. This approach minimises the impact of client-side hacks and ensures the accuracy of game state.
Randomised Memory Addresses:
Randomising memory addresses involves changing the memory location of key variables, functions, or data structures each time the game is launched. This makes it challenging for hackers to find and manipulate specific values consistently across different game sessions. As they need to identify new memory addresses with each playthrough, it significantly increases the complexity of reverse engineering and cheating attempts.
Anti-Debugging Techniques:
Anti-debugging techniques involve incorporating measures within the game’s code to thwart attempts by hackers to analyse and manipulate the code using debugging tools. These techniques can include checks for debugging flags, breakpoints, or hooks commonly used by reverse engineers. Employing anti-debugging measures adds another layer of defence, making it more difficult for hackers to gain insights into the game’s inner workings.
By implementing these measures in tandem, game developers can create a multi-layered defence against hacking and cheating. Each approach targets different aspects of the cheating process, from manipulating memory values to injecting unauthorised code, making it increasingly difficult for hackers to compromise the game’s integrity.
It becomes clear that gaming holds an enchanting allure, often hiding its intricate workings beneath layers of entertainment. For the average player, the inner mechanisms and logic remain concealed, like a well-kept secret. Yet, with the revelation of game hacking, an entirely new realm of exploration unfurls—a space where curiosity and creativity blend harmoniously. Game hacking offers an engaging and interactive gateway into the world of reverse engineering, unlocking the door to understanding the complex underpinnings that powers our favourite virtual worlds.
However, this fascinating journey comes with a significant caveat. The very thrill of game hacking that invites exploration can also exact a heavy toll on the gaming industry. The continuous battle against cheating siphons resources, both financial and developmental, as game studios invest in creating anti-cheat mechanisms and safeguarding the integrity of gameplay. Cheats, once unleashed, wield the potential to tarnish the reputation of games and cast a shadow over the experience’s players hold dear. This can ultimately lead to lost customers and a diminished community spirit, as the spectre of dishonest manipulation threatens to unravel the bonds that gamers share.
In conclusion, game hacking unveils a world of hidden marvels beneath the surface of gaming, offering an engaging pathway into reverse engineering. Yet, this path, while captivating, brings to light the real-world repercussions that cheats and hacks can introduce. The industry’s efforts to maintain a fair and enjoyable gaming environment stand in stark contrast to the shadowy exploits of malicious manipulation, reminding us that while curiosity may drive exploration, the ethical balance is essential to preserve the magic of gaming for everyone.
Blog post was written by Ben Allford of Prism Infosec.