Hack’em to Sack’em

 

Ever got stuck in a game? Felt like you ran out of health or ammo too soon? Too bored to play the game legitimately?

Go on.

Go on.

Well, that is what cheat codes are for. But not all games have credible cheats. That’s where external hacks such as trainers and aimbots come in. Yeah, because hell with the developer,his fault he made this level difficult.I’ll fucking use a hack.

Those ‘hacks’ make our life easier but wouldn’t it be awesome if you could make your own hacks according to your needs and show them off to your friends(and to pickup nerdy/hot chicks too )? Using game hacks downloaded off of the internet always made me feel guilty, and they should, but then again, winning in a game using hacks made by someone else doesn’t make you better than the opponents in any way but making your own hacks to pawn them; well that counts for something.Right? Panzy-ass gamers, begging others for making hacks or using their stuff as it is, are called ‘leech’. It is frowned upon and we will try to not be a ‘leech’ as far as possible.

20140529065153-FreedomBraveheart

To all those who soil their pants at the mention of hacking- lookup what it really means before crying ‘wolf’. It is more sophisticated and easy to learn.I must inform you beforehand once you are through with this article and you have good grip over memory hacking, Don’t expect a call from FBI or CIA begging you to hack into super-villian alien organization. You can still brag about hacking a game though. That’s cool too, Trust me. It is.

This article will focus mostly on multiplayer game hacking but I’ll link a similar app to hack simple android games too.

Requirements:

1)      Don’t be a retard.

2)      A good enough PC to run a compiler/debugger alongside the game you are trying to hack(If you are aiming for a high end game for the new CoD series or Battlefield and such, your setup better be worth almost ₹60k or over,Simple logic bigger the whale bigger the boat).

3)      Some knowledge of the game you are trying to ‘hack’.

4)      Time and patience, it’s gonna be a lot of trial and error, be good at brute forcing.

5)      An internet connection, to Google all your doubts. (Hail Google. Who else can help in times of misery?)

6)      Shitload of caffeine and a nice playlist if you plan to go deeper into it  (That’s what she said).

What you’ll achieve by knowing a little about memory hacking:

1)      Guilt free way to win in games. (Well, guilt of being a leech)

2)      Reason to show off in front of friends.

3)      Scare the shit out of some noobs.

4)      Make others whine and flame and feel stupid (Satisfying, Eh?).

The real stuff:

So, fair warning. You will need to give this thing a good dedicated time to learn.(It’s easier you are smart.Duh.) You want it? You ready to put some effort? Then, I say you will have fun learning this. Now, let’s get down with it.(That’s what she said)

Here’s what happens when you run any application on your PC (MAC users can gtfo). The contents of the application get loaded into the memory (RAM) where the processor can perform all sorts of operations on them. All the variables and functions and modules (the .dll files) get memory addresses allocated (we’ll just call them addys,cute?huh?) based on their size and type. Memory addys are always referred to as hexadecimal integers (0x), so get good at hex tables.(Number system of 16. For eg: 0 in decimal is

Consider any FPS (First Person Shooter) multiplayer game, and you will have the most obvious variables like health, ammo, position, angles and loads more. All those game trainers that give you infinite health or ammo, they just make the value at the corresponding addy stay the same even when it is supposed to change (mostly decrease). Those aimbots read your position and the enemy’s position from memory and calculate the angle you should be aiming at and write the value to the required memory location to make your player in game aim at the enemy. The logic behind them is this simple.

However, it takes some knowledge of a language to code in to make a decent looking hack, which we will NOT be covering in this tutorial. It’s more important to get good at finding the addys and making proper data structures before we start coding to use them.

It is not important that you know C++ or any related language but a little knowledge about assembly(ASM) language will come in handy… here’s why-

Languages like C++ are higher level languages where statements are just like how we would describe a problem in English but with a shitload of rules (syntaxes). But the computer does understand that language directly. All it knows to process is machine code (1011101010101101111101) which can also be represented as hexadecimal, obviously. Earlier, I said that the applications get loaded into the memory where operations can take place on them, but for arithmetic operations, even the memory isn’t enough, the values memory addresses get loaded into ‘registers’ where math can be performed on them. On our machines, registers are hardware that store 16bits of value that may represent an integer, float, string, etc.

ASM is a language of very limited keywords to use and every command has a corresponding hex notation that the processor can understand and perform. It is inhuman to write codes directly in ASM and that’s where higher level languages come in. A compiler converts the higher language source code into highly optimized binary code that the machine understands. Ideally, no program can ‘decompile’ machine code entirely but you can see the machine code and try to figure out what the source could be… this is called ‘Reverse Engineering’. Viewing/editing the assembly of a running application is called ‘debugging’. You’ll understand this shit better when we get to hacking a game for real.

For this tutorial, we will try to hack a game called Assault Cube. This is the simplest example of what a FPS game is and it’s like the “Hello World!” of game hacking. Download the game and these 2 programs that we will need for this all kinds of memory hacking – Cheat Engine and OllyDbg.

Cheat Engine (CE) is an easy to use tool to find some basic addys and freeze their value and also perform some basic debugging.

OllyDbg is a much more advanced debugger used for more than just games… we won’t touch Olly unless we absolutely have to.

I’ll post some screenshots of what I made when I started learning this shit using these exact same things.

This was just the intro, the real procedure will be smaller and quite easy if you read everything so far.

Hacking this shit:

1)      Fire up the game and play around for a few minutes. Try some game modes and different weapons. Play against some bots, see how retarded they act sometimes.

1

2)      Open Cheat Engine.

3)      Click on the magnifying glass thingy scanning a computer button.

4)      A process list pops up. Select the game process and click open. You can find the game process using task manager, if you don’t know what it is.

4

5)      In the value field, enter the current ammo of your weapon, in this case 5. Let the value type be ‘4 Bytes’ which is standard for integers. Ammo is obviously an integer value, you don’t fire half a bullet.

6)      Click “First Scan”. It will scan the memory addys accessed by the game for a value matching 5 and then list those addys on the column to the left. Don’t be surprised to get a high count of addys on your first scan.

6

7)      The addys in green are ‘static’ and the others are ‘dynamic’. Static addys are addys that will hold the value of the same token even if you restart the game. Dynamic addys may or may not hold the value for the same shit after a game restart, in this a case we need a pointer that will lead us to the correct addy every time, I’ll explain properly later. The addys coloured red are the ones that have changed value.

8)      Now fire a bullet so your ammo count reduces, in my case it becomes 4. You can fire more than one, no one gives a fuck, but don’t be a retard and empty your entire magazine (it’ll still work but you’d be stupid to do that). Enter the new value of ammo in the value box and click “Next Scan”, this will scan the addys on the left for a value matching 4 in my case.

8

9)      You can ignore the red ones as they changed their value without us shooting. Shoot again and check for a new value (in my case 2, might be different for you) to make sure we have the right ammo addy. Select the addys left in the list (should mostly be 2) and drag them down into the big white box or just click the red arrow thingy.

9

10)   Change the value of one of those addys by double clicking on them. Change it to any random number greater than the previous value, not too big though (the game may have a max limit on weapon ammo). See if the exact same change is reflected in the game.

10

11)   The ammo in game changed to the new number! Take a few shots to make the change wasn’t just visual (Sometimes when the value is changed the in game change is only visual i.e. it doesn’t work when you take some shots, because the addy was holding the variable responsible for the visual value not the real one). Delete the other addy as it is of no use.

 

12)   What addy you got is just a false summit. Sorry! We are not done yet.Can you guess why it is false summit? As I talked about earlier, this addy was not green when you found it. This means that if you close the game and look at the value at the same addy again, it won’t lead you to the ammo value. If it was static (green), we would find the same variable’s value at this addy every time.(True Summit) So… we cannot find this value manually again and again, you can’t show it off to your friends like that. We will need a pointer that will point us to the right variable everytime.

13)   So… what’s a pointer?
It’s a variable that stores the address of another variable (thereby ‘pointing’ to it).So take a piece of paper and ‘write’ out where you live, now throw that paper somewhere, That paper is your pointer. No matter what you are doing. The paper will lead us to you. Since addys(where variables live) are always expressed as hex, the value of a pointer is also expressed as hex (just a notation, value is still the same in decimal or hex but don’t ever forget the 0x before hex).
While we’re at this, let’s talk about data structures too. Here’s how most games store all the data for a client(player or a bot) (health, ammo, client num, team num, position, angles, velocity, etc.) – position is an array of 3 floats (X, Z, Y) or (X, Y, Z) call the axes whatever you want, doesn’t matter. So if you find the addy for X, that (addy for X) + 4 = (addy for Z) and that (addy for X) + 8 = (addy for Y) as the size of one float is 4 Bytes. Similarly you have your 2 angles in float (MOUSEX and MOUSEY) i.e. (θ and φ) stored next to each other. The addys for health and ammo won’t be far away either. All these addys are always at a fixed distance away from each other. We define a PLAYERBASE addy that marks the start of all the info about our player, and we define an offset for each variable we need. The offset is the distance from the base to the variable’s addy, always read out as hex. When the game tries to change the value of any variable, say health, a register first points to the PLAYERBASE and then the offset is used to give the correct addy.

14)   Why did I bother explain this shit so much?
Because we don’t always look for a pointer to the health addy directly, we find the offset first and the (health addy) – (offset) = PLAYERBASE.(getting it?) And we look for a pointer to the PLAYERBASE which can lead us to a whole lot of important variables addys if we know their offsets.So what we do is, We search for one attribute, trace it back to the base. Once we have the base we have all the attributes. (Weirdly, I feel a little evil ) So let’s just do this thing to understand it better. Blindly do what I say for your first try, you’ll understand it as you do it.

15)   Right click on the addy we have in CE and select “Find out what writes to this address”. This will show you the ASM instruction that is responsible for writing to this address. Click yes on the message that pops up. Now, a window appears, which will show the instructions that are writing to the addy holding ammo value. Go in the game and fire a shot and come back to this window, an instruction should appear in the window. Click on stop.

15

16)   The instruction is dec (esi), which means it will decrement the value stored at the addy pointed by register esi by one.
Obviously this is how your ammo decrements by one each time you shoot. Let’s try something here… select the instruction and click on “Show disassembler”. Double click on dec (esi) and change it to inc (esi), which obviously means what you think it means.
Add a comment in the comment field next to it so you know this is the addy to look for to find ammo.

16

17)   Go in the game, take some shots, and see that our ammo is now increasing instead of decreasing!
If you scroll up once is the ASM that we were looking, just above dec (esi), you would find an instruction referring to (esi + 14). 0x14 is the offset for ammo.*Bruce Willis’ voice* Now let’s get that pointer.
Right click on the ammo addy we have in our list and select “Pointer scan for this address”. Select “Stop traversing a path when a static has been found” and select “Pointer must end with specific offsets” and type 14 in the new box that comes up. Change the “Max level” from 5 to 2. Click “OK”.

17

18)   A window will appear a list of pointers. Double click any of the pointers starting with “ac_client.exe”.

18

19)   And we found our pointer, now close the game and open it again, load the process in CE and keep the addys in the list.
We see that the old dynamic addy is now holding some shit value, while our pointer leads us to the correct one! (Found your paper!!)
The pointer has 2 offsets…  It is a second level pointer. It points to a pointer that points to the right addy!

19

20)   Do the same to find your health and ammo for pistol and so on. CE can save all the addys in a .CT file, or you could save them in a text file. Change the value type to float and scan type to increased/decreased/changed/unchanged value. With a little logic, you can get the addys for position and mouse angles too!

21)   Another way to get those addys would be to use CE’s “Data Dissect” tool.
Double click the saved pointer and change the offset from 14 to 0.
Note down the addy that it’s pointing to (P->).
Click on “Memory View”, then “Tools” menu and then “Dissect data/structures”.
Put in the addy you wrote down seconds ago.
“Structures Menu” and then “Define new structure” and just click ok/next and you’ll get this…

21

22)   This is a gold mine…    look how the variables in here change based on your actions and get the offsets or important variables.
Figure out how to store them in a fashionable way in CE.

23)   Click on the small box next to the pointer to freeze the value of that addy.

24)   And You are good to go.Go show off. Pick up chicks.

25)   You can practice with small games or other things. Steps remains the same, but challenges are fun. Good luck

26)   Post any doubts/suggestions in comments.

And there’s a lot more to making a memory hack than this.

If asked for, I would like to  make another in depth tutorial on using CE and introduce OllyDbg too.
Watch this guy’s CE tutorials to know some more features of CE, Fleep Hacks.
He also did tutorials on OllyDbg that are very helpful.

Please have look at  GameKiller. It is used for hacking Android Games.
I hope I covered most of the basics in here. Tell me what you liked , Tell me what you didn’t.

Keep in touch and we’ll have some more fun.

                         -By Harsh Daga. 

 

PLEASE FOR THE LOVE OF GOD LIKE US ON FACEBOOK! https://www.facebook.com/captainknowledge

And stay updated with our latests posts and plans.

Also , Twitter : https://twitter.com/Capn_Knowledge

Check out our exclusive Android app :  http://goo.gl/URslq7

And please leave comments suggesting what you would like to read next.

This article was written by a guest writer. Do you have any thing you would like to share?

WANT TO WRITE FOR US AS A GUEST WRITER ? EMAIL US AT captainknowledge1@gmail.com

 

Advertisements

2 Comments

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s