Windows Game Hacking with Ghidra and Cheat Engine


Let’s have a look at some Windows game hacking by revisiting Pwn Adventure 3, the game that was made to teach game developers about what can go wrong. We have solved all available challenges already on Linux and you can find the whole walkthrough as a playlist in the description. I didn’t do the hacks on Windows because I only have a basic knowledge about it. For example I know about DLL injection, tools like Cheat Engine and some of the Windows API, but that’s about it. And especially the tooling and the process is very different on Windows and Linux. But because Linux and Windows run on the same PC architecture, we have of course some similarities. I know how C and C++ programs work. I know about memory and pointers. I can read assembly. I understand structs and classes in memory. But once you get into other process details like DLLs, shared libraries, the heap, threads, and so forth, it gets very different. So given my Linux experience I will have a good foundation, but I will also have to learn a lot.

Also one sidenote, a lot of people scoff at Windows and Windows users when it comes to hacking. “Real hackers use Arch Linux”. But in reality, the game hacking community has created some incredible debugging and analysis tools for Windows. Going really deep. I’m not sure but I would lean so far out of the window (heh, pun) to say that the tooling on Windows for analysing software, or in particular games, especially software without source code, is much more advanced than on Linux. And I think a tool that immediately jumps to mind is Cheat Engine. So let’s check it out.

I remember playing around with Cheat Engine when I was a teenager and didn’t understand a thing about memory, assembly and other lower level stuff about programs. But already then it felt intuitive and logical to use. At least the basics. I think that just shows how great of a tool it is.

So what is it? This is Cheat Engine. The basic idea of this tool is to find the address of certain values in the game’s memory. And you do this by repeatedly eliminating, or separating, or sorting out values. To do this Cheat Engine offers various Scan Types and Value Types. At the top you can see that I have attached with this button to the Pwn Adventure process. So Cheat Engine searches through the game’s process memory.

Let’s try it out. Let’s take the health, which right now is at 100. We search the value 100. We assume health is stored as a 4 byte value. First Scan. But we find thousands of values. However you can already see a few values now updated. This is the current value in memory, and this is what it was when the search was done. So with the next scan we can filter, or search, on those results and we could just search again for 100, or we could say that the value has not changed. No difference in this case, just wanted to show a different scan type. And we sort out a few memory locations, but we are still at over 9000! Mhmh… we can also go into the game and move and jump around hoping that that could affect any of those values. Nothing directly visible here, but when we redo the scan we are now in the 8000s. So it helped. But you see, it will be tough to find now the right health value. So that’s why you want a value that you can somehow affect. You could affect the health by taking damage, but unfortunately we are just at the start of the game, so we can’t do this right now. Instead let’s look for something else.

Let’s start over and do a new scan. I want to find the address in memory that stores the currently selected skill or weapon. 1,2,3,4,5,6,7,8,9 or 0. We have selected 1, and we could now search for the value 1. But if you have experience with programming and you imagine this to be an array, we actually don’t know if this is stored as a 1 or maybe as an array index of 0. And if you think this further, it could also be a linked list, which would mean the current selected skill could also be a pointer, just pointing to that object that represents that skill in memory. So it’s perfectly valid to make an assumption that it is 1, and then start searching like that. And maybe that works or you restart and try 0. But you could also try to go with an unknown initial value. First scan. It takes a bit. Because it now indexed over 168 MILLION addresses.

This is what makes Cheat Engine such a great tool. It’s not difficult to read a process’s memory. We have done that on Linux with GDB aaaaalll the time. Examining memory. And of course we could write scripts or tools to automate such a search. But the software engineering, along with the algorithm and memory optimization, to make this as efficient and usable as Cheat Engine does it, is not trivial. That’s why this is an awesome tool. Anyway, let’s continue.

So we haven’t changed the selected skill yet, but we move around a bit, and so we can now filter out ALL the dynamic memory values by searching for unchanged value. Ooof… still 167 million. That didn’t help much… But that makes sense. We searched for an unknown value and then filtered for all the unchanged values. And all the assembly code of the binaries, the Pwn Adventure binary, all the loaded DLLs, all the loaded resources and 3D objects are all unchanged data in memory, right? So we want to get rid of those. Which means we should somehow change and affect the skill selection by switching the skill around.

Ok we clearly changed the value now and we can search for a changed value. BOOM! From 167 million down to 291 thousand. And you can already see some red colored values that updated and changed. So let’s quickly scan for unchanged values. Down to 229 thousand. Just repeat the same search a bit. Down to 203 thousand. Let’s walk around a bit and pay attention to the values. As soon as we moved, those all changed! But we didn’t change the skill. So now we can filter again for unchanged values. 100k left. Now switching some skills. Moving around. But back to skill 2. So it’s unchanged. Doesn’t help much. Well, let’s change it again and select skill 3 and search for a changed value. WOW! Down to 262. We could now almost look through that by hand. We changed to the second skill and immediately those values updated here. Going back to 3, it’s 0. So it seems to be directly affected by the selected skill. However going to the 5th skill, we notice the value stays 0, like when we had skill 3 selected. Which means we should search now for changed values. Down to 94. Let’s keep doing that, switch to skill 6. Changed value scan. Down to 10! Skill 7, scan for changed value. Skill 8. Changed value. Skill 1, changed value. But looks like nothing happens anymore. And there it is!

So switching the skill we can see the numbers update. And the idea to imagine this value we look for to be an array index seems true! Because skill 1 is a zero. Skill 2 is a 1. And so forth. The other value here I’m not sure. It doesn’t look like a pointer, because a pointer should move by the pointer size. On 32-bit it should move by 4 bytes, so +4. But it’s also always just +1. So no clue. But whatever. We can also now add this address to the address list here. So at this address in memory, we have apparently the value stored that indicates the selected skill. This went pretty well.

But sometimes when you search for values, the same value shows up in multiple places in memory and they could just be updated, but are not the real source variable. But when we change it, we see that the game also updates the selected skill. This means that this is the real root value.

Beyond this Cheat Engine offers a lot of other interesting tools to explore this further. For example “we can find out what writes to this address”. “This will attach the debugger of Cheat Engine to the current process. Continue?” Yes. There we go. Now let’s go to the game and once we change the skill, we see an entry in our list appearing, counting how often this instruction was executed and wrote this address. So this move instruction moved a value from EDX into the memory referenced by ESI + hex 0x180. Here we can also see a few of the surrounding assembler code and here the register values. We said EDX is the value that is written, so in this case it was the number 1. And ESI is an address. And the value was written at the offset hex 0x180.

Now I’m not 100% sure if this is the case here, but most likely this means that ESI is the pointer to some object in memory. Maybe the player class. And this player object might have a variable to indicate the current selected skill, and it is at offset 0x180. Assembly is hardcoded fixed data, right? So that can tell you a lot. For example we could imagine this to be a function in C++ like set_selected_skill, and it takes a number, and assigns it to the player’s member variable. The compiler of course knows what the Player object looks like. It knows that at offset 0x180 is the player’s selected skill. So it simply compiles a move based on the player object’s start address. Does that make sense?

And you can explore this assumption by looking at the memory. We can see here Cheat Engine’s Memory View. We go to the address of ESI, and so here it is. And now look at what comes after that start address. We see my player name and my team name. LiveOverflow and PwnSquad. We can apparently also see the location we are at. LostCave. We can also see here a value that seems to rapidly count up. So this could be a timer of some sorts. The other highlighted value here is the address we have stored in our address list. So this is the selected skill. We can see it change when we change it in-game. But we don’t see anything update when we look around or walk around. So the player’s position doesn’t seem to be stored right there.

We can also look at the Memory Regions to find out where the code that accessed this memory belongs to. It started with hex 0x618… something. And there are a lot of memory regions for a game. But here it is. It seems to belong to the GameLogic.dll. And if you have watched my PwnAdventure series on Linux, you know that the GameLogic is a very important part of the game. You can also use this information to kickstart static analysis.

Let’s try to find this function that wrote the skill number in a disassembler. Here I have loaded the GameLogic.dll into Ghidra. The free reverse engineering tool from the NSA. And when loaded it loads the DLL at a certain address. So we can’t simply go to the address that Cheat Engine told us, because of ASLR on Windows the DLL was loaded somewhere else in memory. But we saw which address in the memory view of Cheat Engine. Here is the Memory Map as shown by Ghidra. And with this house symbol, representing the BASE, you can actually move the whole DLL around. So we can now enter the real base address in memory, and Ghidra will relocate the binary. And now compare the memory map of Ghidra to the real process memory map. You can see how all the sections of the .dll were really loaded into the memory of the game. Anyway. Now we can be lazy and simply go to the address Cheat Engine told us. So here it is!

I have deliberately renamed the GameLogic.dll to game.dll, just because the PwnAdventure game shipped with debug symbols in the .pdb file. This way we can have more of the experience of reverse engineering a closed source game without symbols.

So here is the function. Ghidra also comes with a decompiler so you can see here that this line writes the skill number. So like I said, there is a good chance that ESI was somehow the pointer to some kind of Player object. So we could just assume that iVar1 is a player object. iVar1 + 0x180 is the selected skill. And so we can also ask Ghidra to automatically generate a structure, a struct. Like in C. Basically automatically create a class. Now of course Ghidra doesn’t know what this class looks like, but based on the decompilation it can assume that this offset 0x180 was actually a variable inside that Player struct. So you see the code changed from this addition to accessing a member variable of Player. And then we can rename that field, and for example call it skillId or itemSlot. This is cool right?

I have to make it clear. I’m not 100% sure that this is really a player object, and I don’t know what that variable is really called. These are just assumptions based on the evidence we have collected. But in the process of reverse engineering, we might also invalidate this assumption because we learned even more details. Doesn’t this almost feel like investigating a crime scene or doing science? And you need quite a bit of creativity too. You try to come up with a good idea to collect data and evidence and you come up with assumptions, that are for example based on your programming experience, and create a mental model, and then you collect more data that either confirms your assumptions or you adjust your model. And you keep repeating that. You can see that some people can find this to be really fun. Like a puzzle or a point and click adventure game. But this is basically how reverse engineering of a game or some program can look like. If this process seems fun to you, check out the YouTube channels GuidedHacking and Stephen Chapman. They make a lot of videos about various games and show you how they approach it.

Also… just a small PSA. Please don’t become an asshole game hacker. With that I mean, 1st, don’t ruin online games. Even Cheat Engine officially says don’t ask about hacking online games (and typically they have anti debugging and detections in place that stop this easily anyway). There are of course always tricks to get around stuff, but don’t bother asking people about that. If you play around with that alone, fine. With enough experience you can do that yourself. But selling hacks is shitty. And don’t ask for online game hacks. You can have enough fun and learn enough with normal non-online games. Or stuff like Pwn Adventure.

And 2nd. Like I said I explored these tools when I was a teenager and eager to learn. And I found these game hacking forums. But they were full of entitled pricks and elitists who didn’t want to share anything. If that was you, and now you watch my videos for other hacking content, screw you! I’m branded by you! But that’s why I appreciate Guided Hacking and Stephen Chapman so much. Because their videos are exactly the videos I wish I had found when I was a teenager. And I can only imagine the impact they have on the new generation. Because many security researchers have had their origin in game hacking.
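The narrowing procedure the video walks through (first scan on an unknown initial value, then alternating "unchanged" scans while moving and "changed" scans while switching skills, and separately the "search for 100, take damage, search again" route for health) is easy to model in a few dozen lines. The following is an added example, not code from the video, from Cheat Engine or from Pwn Adventure: it builds constructed memory snapshots of a pretend game and runs the same scan sequence over them. Every address, offset and value in it is an assumption made up for the demo (a player object at 0x100 with the skill at +0x180, a second copy of the skill at 0x300, a timer and a position that change as you play); only the idea of a member at +0x180 of some object comes from the transcript.

```python
import struct
from typing import Dict, Iterable, Optional

# Added example, not code from the video or from Cheat Engine itself: a small model
# of Cheat Engine's First Scan / Next Scan narrowing over a process memory snapshot.
# Every address, offset and value below is constructed for the demo.

VALUE_SIZE = 4              # Cheat Engine's "4 Bytes" value type, aligned scan
MEM_SIZE = 0x400
PLAYER_BASE = 0x100         # assumed object base (the role ESI played in the video)
OFF_POS_X = 0x00            # changes whenever the player moves
OFF_TIMER = 0x04            # changes every snapshot, like the counter seen in Memory View
OFF_HEALTH = 0x08
OFF_SKILL = 0x180           # the member a `mov [esi+0x180], edx` would write
MIRROR_ADDR = 0x300         # a second copy of the skill value (e.g. a UI cache)
DECOY_100 = (0x40, 0x80)    # constant 100s in "static" data, to clutter an exact scan

# Deterministic bytes standing in for code and resources: identical in every
# snapshot, so only a changed-value scan can get rid of them.
STATIC = bytes((i * 7919) & 0xFF for i in range(PLAYER_BASE))


def make_snapshot(skill: int, pos_x: int, timer: int, health: int = 100) -> bytes:
    """Build one fake memory image of the game at a given moment."""
    mem = bytearray(MEM_SIZE)
    mem[:PLAYER_BASE] = STATIC
    for addr in DECOY_100:
        struct.pack_into("<i", mem, addr, 100)
    struct.pack_into("<iii", mem, PLAYER_BASE, pos_x, timer, health)
    struct.pack_into("<i", mem, PLAYER_BASE + OFF_SKILL, skill)
    struct.pack_into("<i", mem, MIRROR_ADDR, skill)
    return bytes(mem)


def read_dwords(snapshot: bytes, addresses: Optional[Iterable[int]] = None) -> Dict[int, int]:
    """Read every aligned 4-byte value (or only the given addresses) as {address: value}."""
    if addresses is None:
        addresses = range(0, len(snapshot) - VALUE_SIZE + 1, VALUE_SIZE)
    return {a: struct.unpack_from("<i", snapshot, a)[0] for a in addresses}


class Scanner:
    """Candidate set that shrinks with every scan, the way Cheat Engine's result list does."""

    def __init__(self, snapshot: bytes, exact: Optional[int] = None):
        # First Scan: "Unknown initial value" keeps every address; an exact value keeps matches.
        values = read_dwords(snapshot)
        self.candidates = {a: v for a, v in values.items() if exact is None or v == exact}

    def next_scan(self, snapshot: bytes, scan_type: str, value: Optional[int] = None) -> int:
        """Re-read only the surviving addresses and keep those that satisfy the scan type."""
        tests = {
            "exact":     lambda now, before: now == value,
            "unchanged": lambda now, before: now == before,
            "changed":   lambda now, before: now != before,
            "increased": lambda now, before: now > before,
            "decreased": lambda now, before: now < before,
        }
        test = tests[scan_type]
        current = read_dwords(snapshot, self.candidates)
        self.candidates = {a: now for a, now in current.items() if test(now, self.candidates[a])}
        return len(self.candidates)


def narrow_selected_skill() -> Dict[int, int]:
    """Replay the video's approach: unknown start, then alternate move/unchanged and switch/changed."""
    scanner = Scanner(make_snapshot(skill=0, pos_x=0, timer=0))       # 256 candidates
    scanner.next_scan(make_snapshot(0, 5, 10), "unchanged")           # moving removes pos/timer
    scanner.next_scan(make_snapshot(1, 5, 20), "changed")             # switching skill: 2 left
    scanner.next_scan(make_snapshot(1, 9, 30), "unchanged")           # move again, still 2
    scanner.next_scan(make_snapshot(2, 9, 40), "changed")             # switch again, still 2
    return scanner.candidates   # the real member at 0x280 and its mirror at 0x300


def find_health() -> Dict[int, int]:
    """The 'search for 100, take damage, search for 96' route needs a value you can affect."""
    scanner = Scanner(make_snapshot(0, 0, 0, health=100), exact=100)  # 3 hits: two decoys + real
    scanner.next_scan(make_snapshot(0, 0, 10, health=96), "exact", 96)
    return scanner.candidates   # only the real health field survives


if __name__ == "__main__":
    for name, result in (("skill", narrow_selected_skill()), ("health", find_health())):
        print(name, {hex(a): v for a, v in result.items()})
```

Two things the toy reproduces from the transcript: the unchanged-value scan barely helps after an unknown-value start, because all the static code and resource data survives it, and it is the changed-value scan after deliberately switching the skill that collapses the list. And the scan ends with two addresses holding the same value, the real member and its mirror, which is exactly why the video checks which one the game actually reacts to when written, and then uses "find out what writes to this address" to get at the instruction and the object behind it.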

100 comments

  1. Years before, I used to hack into a pay to win game called RoboCraft, I was a 13 yo kiddo looking to get free stuff on the game and one of my friends found a solution…

    They came up with something called "Winsock Packet Editor". Currently, I barely remember how that was working but I found a video about it
    https://www.youtube.com/watch?v=zlWMr19Yb6w (Really shit video)

    As far as I remember, we had to kind of intercept the package and make the server think that we played more than we really played…

    Anyway, I would appreciate if you can make a video about the WPE and if possible, mention this exploit 🙂

  2. Sounds very similar in functionality to how Action Replay and similar devices used to "find" cheats on the Amiga and other machines like the consoles.

    You enter the current "value" and it finds locations that hold said value, then you continue playing and ask the engine to scan again and tell it the current "value". Eventually it narrows down the lots of memory locations that match until you get a very small number. With a bit of assembly looking around or experimentation like changing each memory location you can eliminate the others and figure out the true memory location.

  3. Cheat Engine is a really versatile tool, not just for games but for every type of software!
    You can quickly patch running code to bypass/modify functions, like bypassing licenses, demo mode or locked features you just want to quickly bypass without making something more permanent. Or you run into a bug when developing, or you want to introduce a problems whilst neg testing – Cheat Engine is a powerful tool.
    The only thing that really sucks with it is that it's written in Pascal. I'm old so I've used Pascal plenty in my life, but honestly I was glad to abandon it in the early 90's because there were no decent dev tools for it. Delphi tried but compared to Dev Studio it was a joke, but this doesn't matter when you're just using it and not developing for it.

  4. YAS FINALLY, THANK YOU VERY MUCH. Can you make it to a full series? I really want to learn more about this topic, and can you a make a series where we make our own tools(very very basic) like cheat engine?

  5. linux people are dumbasses.

    only idiots would use and prefer a system where you need to input commands into the command tool to literally open a folder.
    windows can do that with a double click! 😛

  6. there's a cheat engine-like program in linux, called Game Conqueror that uses scanmem at the backend. but it has fewer features than cheat engine.

  7. Such a throwback, used to do a LOT of this and even made a few bots for online games that used memory values.
    But honestly, don't trust ANYONE you download from (hacking) forums. Most of them have viruses. … hmm would make for a fun thing to analyse too !

  8. online game hacking scene is full of idiots. arrogant idiots. and they think, they are the biggest hacking criminals on earth, because they make 1k/month by selling this shit. i got no respect for those kiddies.

  9. This is the video I was waiting for a long time. If only you could make a series on Cheat Engine, explaining how to use this tool to hack or disassemble games. Like making health not decrease without searching for values every time. I have tried to learn this before, but there is just not enough material on this that would be understandable to beginners.

    UPD:
    After watching Stephen Chapman's video on Lua trainers, I still didn't solve the other problem I had with cheat engine – that is when games have a display value different from the real value, that sometimes is behind some kind of defense (or just shitty code like in SPAZ).

  10. Awesome video. Played around a bit with Cheat Engine myself, but never dared to try reverse engineering.
    Super informative.

  11. I tried doing what you did in your playlist, but I wanted to play with my friends. I set up a virtual machine and I could connect to it.
    I made sure to set up the port forwarding on my router and everything. They could not connect.
    canyouseeme.org says that the port is open, but when I do an nmap, it says it's closed.

    I'm not sure what the problem is but I already struggled enough with setting up the server so I gave up.

  12. Cool video. I think for Game Hacking Windows makes more sense, as for Game Development Unity is unavoidable. Arch is great for Pentesting if you don't want to use a VM that is bad on cracking performance, since the AUR has all the Pentest Tools available and it is very convenient unlike Debian/Ubuntu or others where you spend countless time setting up PPAS (Katoolin is outdated and unmaintained).

  13. When you didn't know the meaning of the extra variable, I think it was the character used to store the numbers in the game, that's why the bits updated incrementally 🙂

  14. Just started learning assembly yesterday, and my god the assembly part of the video starts to make sense. Before it was just a bunch of mumbo jumbo.

  15. Can you help me make an anti cheat client for the csgo community, I don't like elitist cucks either (esea), freedom of knowledge is #1

  16. I was never entitled, I always try to help, however some people are very rude in the way they demand you show them stuff. And some don’t wanna put in the work but wanna have all your glory. How to behave if this happens?

  17. oh my god the game hacking forum stuff is too real. some of those people are real scum. oh boy thanks for that good laugh

  18. I did a neural network AI to play a game, I had to reverse engineer the game written in C++, using cheat engine and IDA. 🙂

  19. How would you go about saving your findings such that when you open CE a month later you can load up all the right value without troubleshooting?

  20. 7:37 I was thinking about how you said that the way you searched for the selected item index loaded in basically all stored memory in the game. Because of that, I think that the other value that was related to the selected item slot might be the highlight that is displayed over the selected item.

  21. I use cheat engine to do stuff in games. For a novice "coder" like me, it really shows how nice a tool it is.

  22. Why do you all seem to hate everyone that plays around with online games? It is way much more fun!!! And challenging also. Btw there aren't only cheats and hacks to take advantage in pvp (which are for real losers), but also other kinds of nice stuff.

  23. Most of the hacking forums were like that. I wish I found better side of hacking community way sooner. It was all chops-and-sticks and taught me nothing.

  24. Cheatengine comes with a built-in game-like tutorial. I really liked it! Enjoyed solving the problems more than playing games nowadays.

    Also, if you're new to all of this, and also want to learn programming, you can check out my tutorial on https://www.udemy.com/less-than-3-hours. It got 4 bad feedbacks, so it might be terrible 🙁

  25. Skid0verflow presents… ( to the pajeet wannabe hackers who watch him)

    Cheat Engine 101 wahoo!

    I know I normally shill linux all day when i'm trying to flex my slightly above average IQ, but i'm gonna use windoze cuz cheat engine no workie on binux.

    btw I got this all from guidedhacking and the cheat engine tutorial.

    One last thing guys, don't cheat online, people who sell hacks are lame cuz they won't share with me or tell me how to! So I learned to use cheater engine all by me self!

    Remember to subscribe and give me money as a reward for letting you witness my intellect.

  26. I think Cheat Engine might have been inspired by MAME's built in cheat search, which has the same kind of "unknown initial value" features but with fewer options. I used to use it for all sorts of arcade games in the late 1990s 🙂

  27. Me before the video: oh cool I know cheat engine and programming this should be interesting
    Me halfway through: what

  28. You should code a very basic MMORPG using a combination of C# and cheat engine, that'd be really cool to see! 🙂

  29. I don't want to be an asshole but windows 10 is based off linux 😀 That's why you are able to run linux on top of Windows. And also check out the Windows Powershell commands and the error handling!

  30. Outstanding vid in explanation of the fundamentals in using these software engines. How there are many avenues and routes to take to achieve the same goals. This channel is a treasure of knowledge and is an asset to all of us. keep up the awesome work pal!

  31. If you're looking for a Cheat Engine equivalent on Linux – try GameConqueror. It's not perfect, but it does the job!

  32. What's the difference between hacking an online game in order to complete the content easier (like WoW?) vs hacking an offline game.. ?

  33. The tools for hacking games at least is more advanced on windows for a simple reason…. most games are played on windows. Because of this, it’s only natural that most tools will have been created to be used on windows.

  34. I trust Cheat engine about as much as I trust a hooker with bumps on her junk. I can't get it to compile and the creator and the sites it is located on are obviously shady as fuck and everyone just keeps saying "Its a false positive when it comes up as a virus ignore it" HA Absolutely not, that shit ain't no false positive.

  35. 14:42 SO true! "gamedeception" comes to mind. As a kid I wrote a little program and posted it there. A moderator demanded that I remove the GPL copyright header…. Such assholes!

  36. Cheat Engine reminds me of high school days when I used to speed hack the game so that I could make highscores

  37. People developing hacks for games is what evolves anti cheating measures, even though the people who code hacks are indeed scummy, you can't get better at something if there's no competition fighting you and forcing you to improve.

  38. I remember using Cheat Engine 10 years ago to cheat at a little game called Liero X. I'd give myself infinite health and stuff. It would only work on hosted games though, not games I joined, haha.

  39. Also just a quick fyi, stuff that get changed (health, stamina) generally are stored as hex values. You can get around this pretty easy, but often you can find the displayed value as '4 bytes' but nothing happens because the actual game data is stored as hex. If you search for all data types, you can often run into parallels in data, but don't be fooled, they are usually all the same address.

  40. great video! maybe try showing usage of tools like ReClassEx for a future video? it ends up very useful in game hacking when reversing structs

  41. Hi LiveOverflow I watched some of your videos and I really appreciated them. Hacking and coding is such great stuff which are really interesting. I'm wondering If I'm too old with my 22 years to start and learn all that stuff and become good at it. May you and some of your viewers can give me some advice! Thanks!

  42. Hey, I don't know if it's your choice but your video titles and descriptions are automatically translated to my language (probably Google Translate) and it's really a shitty translation. I'd recommend to stop that feature if you can.

  43. it's easy to find the health…if u look for a value of 100…which then changed to (for example) 96, after u take damage that makes your health drop to 96.
    i DON'T think there are many other values that change from 100 to 96, exactly like your health just did, and are NOT health…

  44. Oh my headache you're so right yet so wrong it hurts.
    You found the Output variable. If you change it it will change the total.

    Next don't use what has access to this variable you will get a lot of useless data instead use what writes to this address then you can go up the pointer tree. Eventually you'll hit a static number which is usually the source pointer.
    Then you can make the adjustments. Write your injection so on.
    The address is written in assembly in the cheat engine but it is written in hex code in the dll. Cheat engine allows you to auto translate with a single tick box.
    ESI isn't necessarily just the player. Be careful if you don't want to make all your enemies into unkillable one shot gods.
    The offset is an important part of pointers. Pointers (in windows at least) attempt to prevent hacking.
    There are also several pointers with the same (encrypted or not) information to prevent hacking. CSGo and Overwatch have over 500 pointers in relation to ammo capacity alone.

    Now please remember everyone hack safe, hack smart, and hack legally.
