I, like many other hackers, am a pretty heavy gamer. I've tried every e-sport out there to see if I had the talent or drive to be good. Back in the day, competitive Call of Duty was all the rage for my friends and me. As we were about to enter team deathmatch on Shipment (a map notorious for spawn camping), a player with a funky gamertag joined the lobby. As soon as the game began, a banner appeared that said "FREEZE BITCH".
Alright, this isn't Quake, and I'm sure the devs at Infinity Ward didn't want a stream of text on the screen advertising someone's mod marketplace. Nor did they want people moon bouncing around the map with insta-kill on. Like many other teens, this was my first introduction to the power of game hacking. Though it got irritating after a while, the hacks were pretty dope to mess around with for a bit. Years later, I would come to do this on my own in the PC version of COD WAW. This series is to introduce people to some of the tools and methodologies of game hacking.
I got into game hacking because I was tired of doing the same challenges across multiple CTFs and needed a way to develop my skills without breaking the law. I had to be a good boy on the keyboard. Fortunately, game hacking incorporates a lot of the skills used when actually attacking applications and networks: conducting proper reconnaissance, reverse engineering protocols and game functions, and anti-cheat evasion. We'll take a look at both offline and online hacks and ways to get the things you really want in games.
So, initially I'm gonna go for breadth rather than depth, then dive deep later on the tools required. You will have to learn how to use these tools on your own. I am not your teacher, just a blogger. Given that, let's jump right in.
Cheat Engine
This one is pretty straightforward. Cheat Engine is a memory scanner, hex editor, and disassembler that offers live memory modification. It's great because I can change values at individual memory addresses or step through pointers to reach the base address, since most games have multilevel pointers. With the memory view function, I can view the entire address space of the game I'm hooked into and make live modifications (this came in handy with Resident Evil). I can also view the ASM and set breakpoints on functions for reverse engineering, even though I would much rather use IDA or x64dbg for that. Cheat Engine now also comes with a tutorial on how to use it, so it's extremely welcoming for noobies.
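To make the multilevel pointer idea concrete, here is an added example (not code from the original post) that walks a Cheat Engine style pointer chain over a constructed toy address space. The layout, the static address 0x1000 and the offsets 0x10 and 0x8 are all made up for the illustration; the point is that the heap address of the player object changes every launch while the chain from the static pointer does not.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy address space (64 KiB); addresses are offsets into it.
 * A real tool would read a live process instead of this buffer. */
#define MEM_SIZE 0x10000u
static uint8_t mem[MEM_SIZE];

static int read_u32(uint32_t addr, uint32_t *out) {
    if (addr > MEM_SIZE - 4) return 0;              /* unmapped: refuse to read */
    memcpy(out, &mem[addr], 4);
    return 1;
}
static void write_u32(uint32_t addr, uint32_t v) { memcpy(&mem[addr], &v, 4); }

/* Walk a Cheat Engine style chain: [[base]+off0]+off1 ... -> final address. */
int resolve_chain(uint32_t base, const uint32_t *offs, size_t n, uint32_t *final) {
    uint32_t addr = base, p;
    for (size_t i = 0; i < n; i++) {
        if (!read_u32(addr, &p) || p == 0) return 0;  /* null or unmapped link */
        addr = p + offs[i];
    }
    if (final) *final = addr;
    return 1;
}

/* Fake game layout: static pointer in the "module" -> heap player -> stats.
 * heap_base changes every launch; the static address and offsets do not. */
static void build_game(uint32_t heap_base) {
    uint32_t player = heap_base, stats = heap_base + 0x200;
    memset(mem, 0, sizeof mem);
    write_u32(0x1000, player);         /* "game.exe+0x1000": found once, stays fixed */
    write_u32(player + 0x10, stats);   /* player->stats */
    write_u32(stats + 0x8, 100);       /* stats->health (constructed value) */
}

static const uint32_t HEALTH_OFFS[] = {0x10, 0x8};

/* Read health by the chain alone, for whatever heap layout this "launch" got. */
uint32_t health_via_chain(uint32_t heap_base) {
    uint32_t addr, val = 0;
    build_game(heap_base);
    if (!resolve_chain(0x1000, HEALTH_OFFS, 2, &addr)) return 0xFFFFFFFFu;
    read_u32(addr, &val);
    return val;
}
```

Calling health_via_chain with two different heap bases returns the same value both times, which is exactly why you hunt for the static base rather than the address the scanner first shows you.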
IDA Pro/Ghidra/X64 Debugger
For any game hacking, we need a debugger of some sort in order to find functions in memory, show the ASM flow, then make changes. These all hook into running applications and can view live memory dumps. It's preferable to use one of these instead of Cheat Engine for this, as Cheat Engine will get caught by an anti-cheat like PunkBuster or what have you. They also offer a bit more functionality when reverse engineering functions, like showing imports and exports or structures within the disassembled memory.
Wireshark
Beginners probably shouldn't jump right into network attacks. It's extremely low level, as you will have to intercept the Winsock function before the packet is encrypted in order to send your own packet, which, as it sounds, is fairly deep. However, this is a standard tool for network analysis. We can view the traffic that goes across the line for the entire machine or network if we want. The filtering in Wireshark is where that $cashmoney$ comes into play. Looking into live packet captures is going to be necessary as well, since you're going to have to scan for patterns that apply to in-game actions.
Sysinternals Suite
I am biased, as I live off of the Sysinternals Suite for most of my hacking endeavors. This suite is intended for system administrators who need to troubleshoot Windows environments in a number of different cases. Explore this suite, as there are a ton of useful tools for a variety of things. The game hacking pertinent tools I like to use are TCPView, procmon, and procexp. These let me view what ports and handles are being opened by the game, what system DLLs are being accessed, and where the game is writing to for storage. Other things as well, but those are the main functions I'm looking for.
Your Favorite DLL Injector
You will need to create your own DLLs and inject them into a running process, therefore I suggest you use a decent injector that doesn't suck. I use the injector from the GuidedHacking forums (guidedhacking.com). There are plenty of them out there; just make sure they aren't malicious towards your machine before downloading. You could also make your own if you have the time for that.
These tools are great, and they are not the only tools available out there; however, I usually use these for my endeavors against games. Given that, the tools will not do everything for you. You need to have an in-depth knowledge of how memory works, how to read ASM, how network protocols are used to communicate, and a host of other topics that require a lot of learning. Remember, they are tools, not paid hackers. Later on, as I do case studies into games, I'll go over how I use these tools in my attack flow against a game. Note that every game is different, and when you identify a new target, you will have to restart your entire process over again to familiarize yourself with how the game runs.
Legal and you
We need to talk before you start. You can't do whatever you want on the internet. I always get the question, "Is game hacking legal?" Answer: Yes, as long as you don't do a few things. Don't enter the game's servers. Don't hack player accounts. Don't accrue a financial gain from selling in-game commodities. Here's a list of all applicable laws:
Copyright Law + Fair Use
Trade Secret Law
Contract Law (For when you sign that EULA)
Computer Fraud and Abuse Act
DMCA and copyright law go hand in hand. You can violate a copyright if you sell products based on the likeness of a particular game. You're essentially profiting off of someone else's product in the eyes of the US judicial system. Remember, you didn't buy the game, you bought a license to use the software. Trade secret law comes into play when you start reverse engineering the game. Companies get real squirrely once you start decompiling their mess and adding your own flavor to their code. The Computer Fraud and Abuse Act (CFAA) comes into play if you start accessing servers or other users in an unauthorized way, but you can hack without ever accessing another machine. Don't break into places on the network you're not supposed to be in. Finally, once you sign that EULA, you are playing under the company's terms and conditions, not your own. The law where the government will definitely step in and give you a felony is the CFAA. The others will most likely demand you pay a large sum to compensate for the money the company didn't generate, as well as restitution to any other players affected. Check out the EFF's website for more on protectin' ya neck (https://www.eff.org/issues/coders/reverse-engineering-faq#faq1).
This seems like a good place to conclude our introduction. Later, I'll go into an overview of my attack methodology on a game. We'll analyze a sample attack surface and walk through some reconnaissance of an offline game. We'll see if I feel like doing a full post on reversing an in-game function for an MMO.