The last year and a half I have been diving into game hacking. At my university I could choose to do a passion project as a course as long as I could get atleast one professor to be on board. The game hacking topic takes a lot of research and is very hard however so does university. Why not then just hack videogames on university time? So I did.

I decided that after having this course graded I would publish all the source code and texts related to this project and I hope you the end user will enjoy this project as much as I did making it. Everything can be found on my github.

Introduction

So from part 1 we learned a lot about games, how they work, how they are hacked etc. I couldn’t figure out how to hack Satisfactory.

A lot of time passed since I first wrote my posts. I have been busy with school and such, so I have either been to tired to write, there hasn’t been anythign to write about or there wasn’t any time.

Last time we wrote an external cheat for counterstrike. I have been studying the GuidedHacking forums some more and read up on internal cheats and ddl injections. It’s a topic I have kinda avoided earlier since I wanted to get an external going first. Apparently an internal has many huge features that externals doesn’t have like better performance, harder to detect by anti-cheat (if done propper) and you are closer to the process so you can rewrite the actual code of the game/program. Rake from the guidedhacking forums had this to say: ` Internal vs. External?

External External Hacks use WriteProcessMemory(WPM) and ReadProcessMemory(RPM) to interact with the game process’s memory. To do this you need to ask the kernel to give you a handle to the process by using OpenProcess() with the Process Access Rights you require, typically PROCESS_ALL_ACCESS. The handle is a required parameter for RPM/WPM. Kernel mode anticheats can easily block external hacks by using ObjRegisterCallbacks to block handle creation. Info from DouggemHacks. RPM/WPM is slow because you have the overhead of the API calls into the kernel. You should limit the frequency of these calls and store as much information locally as possible to increase the performance of your external hack. If the game has no method of detecting RPM making an overlay ESP is a good way of making an undetected external ESP because you only need RPM to be undetected.

Pros of external:

• In my opinion none compared to internal unless you just want to super quickly patch some bytes and then close the hack

Cons of external:

• Super easy to detect because of the open process handle
• Harder to use especially for beginners (WPM/RPM, getting the PID, blalba) though easy to master because it has no potential
• Less potential
• Slow

Internal

Internal hacks are created by injecting DLLs into the game process, when you do this you have direct access to the process’s memory which means fast performance and simplicity. Injected DLL’s can be made more sneaky by using different injection methods such as Manual Mapping. View the GuidedHacking Injector thread for more info Try a simple DLL hack source code for Assault Cube for learning purposes. When you are internal you create pointers to objects, typecast them and point them to objects in memory. Then you can access variables of that object easily through the pointer. ReClass is a great tool for generating classes from memory. This is an example of how to typecast variables in memory and modify them in an internal cheat:

DWORD* localPlayerAddress = (DWORD*)(0x509B74);
int * health = (int*)(*localPlayerAddress + 0xf8);  
*health = 1337;

Pros of internal:

• Sick performance
• Easy to start off with
• Much potential
• Can be super sneaky and almost impossible to detect if done properly

Cons of internal:

• Hard to master
• Easier to detect when you don’t know what you’re doing `

I have to get on this internal stuff!

Rewriting my CS:GO cheats for Internal

So first thing I did was taking the counterstrike cheat that was already made and make it internal. The process of doing this was easy since everything was kinda already made. Since the game will be injected and running as a thread on the actual process itself, there is no longer need for any read or write process memory. We can just directly set it like it was a variable.

void bunnyHop()
{
  vars.flag = memClass.readMem<BYTE>(vars.localPlayer + offsets.flags);
  if (GetAsyncKeyState(VK_SPACE) && vars.flag & (1 << 0))
  {
    memClass.writeMem<uintptr_t>(vars.gameModule + offsets.fJump, 6);
    Sleep(1);
  }
}

So instead of doing it like that, we do it like this:

void bunnyHop()
{
	vars.flag = *(BYTE*)(vars.localPlayer + offsets.flags);
	if (GetAsyncKeyState(VK_SPACE) && vars.flag & (1 << 0))
	{
		*(uintptr_t*)(vars.gameModule + offsets.fJump) = 6;
	}
}

Much simpler right?

Ok good, now how do we inject it?

I looked into it and injection uses mainly the VritualAllocEx(), WriteProcessMemory() and CreateRemoteThread(), more info here. The site does a very good job at explaining how everything works, so I don’t have to. At this point I’m gonna use guidedhackings injection tool to inject my ddls, but I want at some point later wanna make my own that also does it automatically so I don’t have to do it manually every time.

Lets do Skyrim!

So for this next segment I’m gonna follow Icew0lfs walkthrough of his making of Skyrim. He introduces us to a loot of amazing tools for gamehacking and ways to reverse engineer. Tools like ReClass.net, x64dbg etc. Very nice! I wanted to avoid copy pasting, so I will be trying my luck on Skyrim Special Edition and not the original skyrim game. The Special Edition is 64-bit while the old one is only 32-bit. This will make some changes to our code and I therefor have to actually think while following. You can think of this much like doing math tasks. Same method different numbers xD.

So first wanna find an entity list. I first tried to do this using multilevel pointers to a pointer list that points to the entities. I’m not yet pro with cheat engine, so there is an easier way to get the entities. Functions such as position, damage, etc. are often shared between all entities including the player entity like they were in Satisfactory. What I mean is that you pass the “actor” (who is gonna move) to the function, how much etc. What’s important here is who. So we can find one of these functions and see who accesses them. A function such as damage would be useless here since it would probably only be accessed when and if something takes damage. A position function would probably be accessed a lot more often. It might be accessed every time something moves or even every game tick.

Shared instruction for X, Y and Z position in Skyrim.

Hooks

A game hook is when you rewrite the games code at some point to jump to your code snippet then jump back and continue the code flow. This means that we can make a game function do something different, e.g., when we take damage in a game the code might look something like this; playerHealth - damage. If we place our hook here and jump to our code, we can make the code do something like this; playerHealth + damage. If we do this we heal everytime we take damage. (GuidedHacking, How to Hook Functions - Code Detouring Guide).

If we combine these hooks with our knowledge about shared instructions, we can use these hooks to grab entity addresses on the fly and add them to an “entity array”. When initially doing this I was struggling for about 5 months. When you hook in a game, you overwrite the code with a jmp to your hook and execute your own code. Since you are doing your own stuff, you will mess with the register values and they will change once you jump back. This will lead to unpredictable behavior, but most often crashing. To avoid this I push all the register values onto the stack and pop them off again once I’m done with my code and ready to return to the games code. Usually a hook will then look something like;

__declspec(naked) void entHook()
{
  __asm {
  // original bytes we overwrote from the game, aka stolen bytes
  movss xmm10, [rdi + 0x54]
  movss xmm11, [rdi + 0x58]
  movss xmm12, [rdi + 0x5c]
}
  __asm {
		push rax
		push rbx
		push rcx
		push rdx
		push rbp
		push rdi
		push rsi
		push r8
		push r9
		push r10
		push r11
		push r12
		push r13
		push r14
		push r15
	}

  // Our things

  __asm {
  pop r15
  pop r14
  pop r13
  pop r12
  pop r11
  pop r10
  pop r9
  pop r8
  pop rsi
  pop rdi
  pop rbp
  pop rdx
  pop rcx
  pop rbx
  pop rax
  jmp[jumpBack] // Jump back to our gamecode + the bytes we stole.
  }
}

Since we are overwriting gamecode with our own, we still also need to make sure that what we replaced also gets executed somewhere. Therefor we add these to the start of our hook. We also need to jump back to our gamecode. If we jump back to exactly where we jumped off from, we will be stuck in an infinite loop of jumping to our code and jumping back to our jump. Therefor we add the size of how many bytes stolen to the address of where we jumped from and jump there.

The x64 issue.

Inline assembly gives us the option to write assembly code in our c++ programs. This is important because it gives us control over how the code will look like after compile and it also gives access to registers. The problem with x64 inline assembly is that it has been deprecated for x64 and no longer supported. On microsofts website it says; Inline assembly is not supported on the ARM and x64 processors. The following topics explain how to use the Visual C/C++ inline assembler with x86 processors. My problem then was how to emulate inline assembly using e.g., bytecode and similar. I also needed access to the registers to save those register values to my array, but I couldn’t figure this out. After looking around I found out that swapping compilers could work. I first tried LLVM, but with LLVM clean assembly functions are required. I cannot mix c++ code and assembly here. After looking further I got a tip to use ICC (Intel C++ Compiler) which has the option to do regular inline assembly. I made a post about it on Guided hacking which could be interesting to check out.

Now that this problem was solved, it’s time to finish my hook. This is what I came up with;

std::vector<playerEnt*> entities;
playerEnt* entsptr;
uintptr_t jmpBackAddyEntityList = 0x0;

__declspec(naked) void entHook()
{
	if (entities.size() < 1)
	{
		entities.resize(256, nullptr);
	}
  __asm {
		mov[entsptr], rdi
		movss xmm10, [rdi + 0x54]
		movss xmm11, [rdi + 0x58]
		movss xmm12, [rdi + 0x5c]
	}
  __asm {
  push rax; save current rax
  push rbx; save current rbx
  ...
  push r14; save current r14
  push r15; save current r15
}

  bool alreadyThere = false;

  if (entsptr == nullptr || localPlayer == nullptr)
  {
    goto GIVE_UP;
  }

  distEnt = findDistance(localPlayer->xyz, entsptr->xyz);
  distEnt = distEnt / 100;
  if (distEnt > 160.0f || distEnt < 0.1f)
  {
    goto GIVE_UP;
  }

  for (int i = 0; i < entities.size(); i++)
  {
    if (entities.at(i) == entsptr)
    {
      alreadyThere = true;
      break;
    }
  }

  if (alreadyThere)
  {
    goto GIVE_UP;
  }
  else
  {
    for (int i = 0; i < entities.size(); i++)
    {
      if (entities.at(i) == nullptr)
      {
        entities.at(i) = entsptr; // insert
        break;
      }
    }
  }

  GIVE_UP:
	__asm {
		pop r15; restore current r15
		pop r14; restore current r14
    ...
		pop rax; restore current rax
		jmp[jmpBackAddyEntityList]
	}
}

First I’m making my array where the entities will be stored. If the array is uninitialized, I resize it to 256 entities. I did this because if not I was crashing due to trying to write to null… Next I save my entity to a variable and execute the original game code. Save my registers. Check that the entity that I got is not a nullptr (and that I exist. I need to check this because I’m using this later.). If nullptr I jump to GIVE_UP, restore the registers and jump back. The findDistance function checks the distance between me the player and the entity. There is no reason load entities that are super far away. The for loop checks if the entity is already in the array. If it is I give up. Next part just adds the entity into the array.

Now hooking with our hook we can get an entitylist.

The entities

Now that we have the entities, we can then reverse engineer the structure of the entities. Looking at the code earlier movss xmm10, [rdi + 0x54]. We can see that we have rdi + 0x54. Here rdi is the base of the entity going through this instruction and 0x54 is the offset from the base to whatever the instruction wants to update. In this case it’s the X axis. If we set a breakpoint on this instruction we can look at the rdi value and put it into e.g., REClassNET. Using REClass we can dissect the structure and then automatically generate code from this data.

Generating code from REclass I end up with something like;

class playerEnt
{
public:
	char pad_0000[84]; //0x0000
	vec3 xyz; //0x0054
	class locationPtrClass* locationPtr; //0x0060
	void* validationPtr1; //0x0068
	void* validationPtr2; //0x0070
	void* validationPtr3; //0x0078
	char pad_0080[368]; //0x0080
	class namePtrClass* namePtr; //0x01F0
};
class locationPtrClass
{
public:
	char pad_0000[40]; //0x0000
	char* location; //0x0028
	char pad_0030[24]; //0x0030
}; //Size: 0x0048

class namePtrClass
{
public:
	char pad_0000[40]; //0x0000
	char* name; //0x0028
	char pad_0030[24]; //0x0030
}; //Size: 0x0048

I now wanted to try to make an ESP or wallhack with this information. We have the entities, their positions, their names etc and their named location (e.g., “Riften”). To make an ESP I need something to draw on. When we made one for CS:GO we used ingame functions to make our entities glow through walls. I don’t know off any game functions that I can use for skyrim to draw them, so I gotta use my own. There are multiple ways to do this. Since the game uses DirectX11 we can hook this and draw our own stuff. Another way is to initialize your own graphics api and render ontop of the game. This is the method I went with.

Overlay

For the overlay I decided to just go with ImGui. ImGui is a gui library for c++. My first approach to making an imgui overlay I did using DirectX11. Making the overlay went fine, but drawing was not as easy…

Since it’s an overlay it also has its own window.

I tried to make some wrapper functions for DirectX, but it kept crashing my graphics drivers making everything super unstable. Basically forcing me to restart my computer.

I then tried doing OpenGL3 which I had better luck with. The Cherno has some amazing guides on how to work with opengl which was a huge help when writing wrappers! Now that we have an overlay and some wrappers, I can start to draw. First I did was figure out how to draw a line, then use that line wrapper to draw a box. Not I just have to write the ESP!

Writing the ESP

Writing the esp isn’t hard. We need a viewmatrix which you can find using the guide on guidedhacking, the entities locations, a world to screen function and something to draw on. Now that we have that, we can write our ESP fucntion. I’ll first do ESP lines because they are easy.

float VM[16];
void Cheats::ESPLines(bool run, int width, int height, float lineWidth, float r, float g, float b, float a)
{
	if (!initalized)
	{
		Cheats::initalize();
	}

	if (run)
	{
		memcpy(&VM, (PBYTE*)viewMatrix, sizeof(VM));

		for (int i = 0; i < entities.size(); i++)
		{
			if (entities.at(i) != nullptr)
			{
				vec2 vScreen;
				if (worldToScreen(entities.at(i)->xyz, vScreen, VM, width, height))
				{
						drawLine(width / 2, 0, vScreen.x, vScreen.y, lineWidth, r, g, b, a);
				}
			}
		}
	}
}

VM is our viewmatrix. Cheats::initalize(); just makes sure that we have our hook in place and gets our offsets etc. if (run) checks if our esp lines are toggled on or off. memcpy(&VM, (PBYTE*)viewMatrix, sizeof(VM)); copies the values from the games viewmatrix into our viewmatrix. if (entities.at(i) != nullptr) makes sure that the entity does exist. The rest translates our 3D positions to 2D so we can draw them on screen then draws it. This makes us some basic ESP lines.

I started writing this post early 2021 and it’s now mid 2022. In the meantime I have finished both this project and started working on more projects. At my university we can choose to have a “passion project”. In this project we can choose whatever course we want aslong as we can have a professor approve that project. I decided to choose game hacking as that project.

In this project I explored both Skyrim Special Edition and Final Fantasy XIV as games to hack. I also wrote a lot of prequisite knowledge for understanding which was mainly for my teachers to understand. Since this project basically makes this text redundant I suggest reading that pdf instead of this post. You can find the pdf and the source code related to the pdf here

I use a fairly minimalistic set up with i3-gaps. I like i3-gaps since it’s fast and it makes me not reliant on a mouse. More info on the github page. I also tried to make an install script for this which needs some work. It’s also nice for me since now I can easily get everything working on other computers I get. Anyways, you can check it out here if you are interested.

I recently got a new laptop. I decided that I wanted a powerfull, yet cheap laptop. I didn’t want to go for a gaming laptop since I find the look of them ugly, so I got a Lenovo Thinkpad. The model I got was the Lenovo thinkpad L15 AMD. I decided to go for this laptop for it’s proffesional looks, decent keyboard, IPS monitor, 8C/16T cpu, replaceable parts and all of this for a good price (compared to the competition).

First impressions

I ordered the laptop mid October 2020. There wasn’t anything special about the shipping time, just a few days. But it was delivered on the door which is cool. The laptop arrived in a cardboard box and the laptop was incased with high quality foam. There was nothing special about the unboxing which isn’t a bad thing. Everything was just as expected. I started up the computer and was prompted into the bios since I ordered a laptop without an OS. I got my installation media and started to install Arch linux on the thing. There wasn’t anything special about the installation, everything went smooth. Only thing that annoyed me was that the FN and CTRL key has swapped places which takes time to get used to. You can swap these in the bios, but that’s also annoying. The top of the laptop is a fingerprint magnet.

Small panel problem

Another thing I noticed was that when the screen was completely black, there was white beams coming from the corners of the IPS panel. This is backlight bleeding. This was bleeding at an unacceptable level. I called up thinkpad tech support. After calling I was moved over to the business wing instead of the consumer wing for the call since they were the only ones that dealt with thinkpads… The call went smoothly, the operator understood my issue, sent me an email which I answered with an image of my problem and got a replacement part ordered for free. The part wasn’t sent to me, but to a repairman who was sent to my door. The repairman swapped the panels, but failed to put back the frame. He asked if he could take the laptop with him for repair which he was allowed. A few days later the laptop came back in the mail and everything looked fine for a few days.

Sadly tho the repairman failed the repair and missed some plastic clips in the bottom left corner. I was now busy with finals and didn’t have time to look into it. Since it wasn’t fitted properly, every time I opened and closed my laptop the frame got stressed and worn until one day it cracked.

After my finals I got on call with Lenovo again and the called looked pretty much the same as earlier. They sent another repairman which arrived and fixed the issue on Christmas eve which was sick! This repairman was a little more experienced and fixed the issue swift and without any issues. 10/10!

Second impressions

Now that I have had some time using the laptop, I would say that it’s pretty decent. I haven’t had any issues with it expect for the rough start. I brought the laptop with me this Christmas and there wasn’t any complaints. The keyboard on this laptop is phenomenal. The trackpad is big and the left/right mouse button has a nice feel. There is also a middle mouse button. The backlight on the keyboard is only white, but works for late nights when it’s dark. The feel of the laptop is pretty standard. It’s all hard plastic, so don’t expect much, but the plastic doesn’t feel cheap, but sturdy. Battery life is very good and lasts me about a full day. If i wanted to summarize the laptop, I would say that it is boring. It doesn’t have anything that makes it flashy or standout. It just does what it’s supposed to do…

Nice features

The laptop I believe is pretty powerful for its pricerange. It rocks an AMD Ryzen 7 PRO 4750U, 16GB 3200mhz memory, 512GB NVMe ssd and a 1080p IPS panel. It also has smaller features such fingerprint sensor and a sim card holder. The I/O on this laptop is massive aswell. There are many usb ports on it, some usb-c, SD-card reader, HDMI and RJ-45. The headphone and mic is combined which I’m no fan of. From the store, the laptop has only a single ram chip meaning it’s single channel only. The ram slots are not soldered and therefor can be changed. Supports up to 64GB of ram. I myself am buying another 16GB 32000 Mhz stick to put in my empty slot giving myself 32GB ram on a laptop.

Getting replacement parts for the laptop is pretty easy. Most parts are also very easy to replace which was one of the criteria I had for getting a laptop. There is also a slot for an aftermarket laptop GPU if that’s something you want. Sadly the battery is glued to the chassis which I think is completely unnecessary. The laptop has a 720p camera which works for conversations, meetings etc.

Summary

To summarize the laptop it’s boring. It does everything you ask it to do. You can even game on it, although mainly e-sport titles as this doesn’t have a dedicated gpu, but uses vega 8 onboard graphics on the apu. For the price I bought it at, 1100$ (mind that this is Norwegian pricing). It was the best purchase for me. Similar laptops with same specs usually went for 1500$ and above. Looking at other people who has gotten the same laptop as me, the IPS panel is a little hit or miss. If there are specifics you wanna know, hit me up on twitter or discord.

Introduction

I wanted to learn C++, how computers work and reverse engineering. What comes to mind when combining these skills? For me the first thing that came to mind was game hacking. So where do I begin? I don’t know, but looking into it, LiveOverflow came into mind with his pwnadventure. From one of the episodes we were introduced to guided hacking. I then looked into it and found their playlist Start Here Beginner’s Guide to Game Hacking. So I started watching.

Before Guided Hacking even started showing how games are hacked he introduced us to how computers worked. I have previous experience in this topic from both university and my own research. Guided Hacking started with an introduction in how a computers memory works and how important the memory is for everything a computer does. Next he gives an introduction to different way games are cheated. Memory editing (editing values in memory), Assembly editing (rewrite the game’s code), hex editing (edit save-files and other on-disk resources) and packet editing (send modified information to the servers).

Hacking process

Find thing to exploit/hack -> Try to exploit/hack -> See if it worked

After looking trough his introduction on how to hack games I needed to learn C++. Off to learncpp.com I go! I have prior experience to programming before from python, java, assembly, bash, lua etc. learning basic C++ didn’t take long, but how C++ handled memory and pointers was new to me. And the windows.h header was another beast to tame. I headed off to my first challenge. I figured that making a cheat for Counter-Strike: Global Offensive was a good place to start since CS:GO is a game that has been done to death when it comes to making game cheats.

What are offsets?

Before attempting making a cheat for CS:GO I tried making one for a game called The Legend of Zelda: The Wind Waker. The game was emulated using the Dolphin Emulator. I found the address rupies in the game by using cheat engine scanning memory. Much like how I used to cheat in flash games in browsers as a kid. I successfully was able to create infinite rupies for the game writing this script:

#include <iostream>
#include <Windows.h>

int maxCash = 5000;
int addressCash = 0x803B4C0C; //address for rupies

int main()
{
  HWND hwnd = FindWindowA(NULL, "Dolphin 5.0 | JIT64 DC | Direct3D 12 (experimental) | HLE | FPS: 30 - VPS: 60 - 100%");
  if (hwnd == NULL)
  {
    std::cout << "Cannot find window!" << std::endl;
    Sleep(2000);
    exit(-1);
  }
  else
  {
    DWORD procID;
    GetWindowThreadProcessId(hwnd, &procID);
    HANDLE handle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, procID);
    if (procID == NULL)
    {
      std::cout << "Cannot obtain process ID!" << std::endl;
      Sleep(2000);
      exit(-1);
    }
    else
    {
      while (true)
      {
        WriteProcessMemory(handle, (LPVOID)ad_Cash, &maxCash, sizeof(maxCash), 0);
        Sleep(1000);
      }
    }
  }
  return 0;
}

Issue using this is that I’m using the address in memory where the rupies are stored. This address will be different every time I reboot the game. I need a way to find the address(es) where the rupies are stored from wherever in memory it is… Another issue is that for the rupies value to change it also needs an update of some sort e.g., spending or getting a rupie. So how do we solve our first issue? Entering offsets and pointers! We can find the rupies address from the games base address e.g., game.exe+0x3ACA0 where 0x3ACA0 would be the offset.

Playing with cheat engine

A year went by with me not doing anything related to this. I was very buzzy with school and was having a hard time doing extra courses. I’m not a very good student and will mostly focus on what interest me at the time. Anyways this section is dedicated to me learning about cheat engine. I believe many of us remember doing simple hacks for flash games getting unlimited X or doing Y.

At the time of writing this I have successfully made some cheats for CS:GO and I’m a little bit more familiar with how everything works. I can see why CS:GO has been cheated to death since it’s so easy to do! The VAC anticheat is also a joke according to the guided hacking forums. I haven’t learned about anticheats or how they are defeated yet, so to me they don’t exists.

Cheat engine is actually mega powerfull and is a huge part of game hacking. I really suggest learning how to use it and it has a fun tutorial

(you will find the tutorial in Help -> Cheat Engine Tutorial *).

Ok cool! Now we know a little about cheat engine, now how do we get these magic offsets? Easy! We just apply what we learned from the tutorial and then follow GuidedHackings guide on how to find offsets. The TL;DR of it tho is that you wanna find pointers to what you wanna find because everything is created dynamically. What we then need is a static address which will always be relative to a module e.g., client.exe + 0xD882BC will lead you to your player structure which contains your player vars. We can find these static addresses by using cheat engine searching for pointers. I’m not gonna go deep in on how to find these as the video in the link above is gonna explain this a lot better than I can ever type.

Writing CS:GO hacks!

So here we are. Lets make some cheats! First we get our offsets. At this point I wanted to write so code badly! I got all the offsets using a tool called hazedumper. I also picked up some headers from guidedhacking called MemMan which I picked up from their website somewhere. MemMan is very nice because it simplify the WriteProcessMemory();, ReadProcessMemory(); and the process of getting handles. e.g., instead of: WriteProcessMemory(handle, (LPVOID)ad_Cash, &maxCash, sizeof(maxCash), 0); I can simply do MemMan.writeMem(address, maxCash);

First I wanted to write a bunny hop script. To make this script, we first need to get a handle to the process. It’s nice to store all these vales in a class or a struct since these values will be used over and over. We also need a need to get the right module. Using MemMan we can get the process like this:

#include <iostream>
#include <Windows.h>
#include "MemMan.h"

MemMan memClass;

struct vars
{
  uintptr_t process;
  uintptr_t gameModule;
}vars;

int main()
{
  vars.process = memClass.getProcess(L"csgo.exe");
  vars.gameModule = memClass.getModule(vars.process, L"client.dll");
  return 0;
}

Now lets make our bunny hop script. First we need the offset to our player structure, the relative offset from out player structure to see what state our player is in (if in the air, on the ground, in water etc.) and we need a way to force a jump. I got all my offsets from hazedumper and will be using those and also save them in a struct for easy access.

struct gameOffsets
{
  uintptr_t lPlayer = 0xD882BC; // offset to player structure
  uintptr_t fJump = 0x5249B34; // offset from client to address storing jump value
  uintptr_t flags = 0x104; // offset from player structure to what state we are in.
}offsets;

struct vars // the saved variables from the offsets
{
  uintptr_t process;
  uintptr_t gameModule;
  BYTE flag;
}vars;

void bunnyHop()
{
  vars.flag = memClass.readMem<BYTE>(vars.localPlayer + offsets.flags);
  if (GetAsyncKeyState(VK_SPACE) && vars.flag & (1 << 0))
  {
    memClass.writeMem<uintptr_t>(vars.gameModule + offsets.fJump, 6);
    Sleep(1);
  }
}

int main()
{
  vars.process = memClass.getProcess(L"csgo.exe");
  vars.gameModule = memClass.getModule(vars.process, L"client.dll");

  while (true)
  {
    bunnyHop();
  }
  return 0;
}

We now have a basic bunny hop script working! We also needs to know what’s going on or else it is just copy-pasted code. When I first wrote this, I was confused about (1 << 0) in flags and why we wrote 6 into fjump… The gist of it is that (1 << 0) means that we are standing on the ground and we are writing 6 in to memory since that will do a jump and reset it back to 4. Why 4? Because 4 i believe is the “base” state and by 5 is spacebar down. In cheat engine, you will see that if you type +jump in the cs:go console you will jump and the address will be set to 5. If you try to jump again after, you can’t since it needs a -jump before you can jump again. Writing 6 into it, forces a jump and resets it back to 4.

I have made some others cheats for the game like a radar-hack, triggerbot, wallhack etc. It’s kinda funny to see how easy and effective these cheats are. For instance the radar hack just loops trough the entities in the game and sets a bool that they are indeed spotted to true. The wallhack I belive isn’t a true wallhack since it uses an in-game “glow” to work.

You might be wondering why this is in the game, but it’s actually very useful. In the game as it stands now, it is used to see players trough walls when you are a spectator, like when you are watching a game or when you are dead. I belive a true wallhack would be able to draw the entities for any game. This “glow” is true only to games with a glow function like cs:go. I don’t think this way of doing it is necessarily bad since this idea can apply to many games. Instead of using glow-effects, you can maybe force nameplates to render trough walls etc.

Applying knowledge elsewhere

So for now I have mostly walked in others footsteps. To force myself not to copy code, I decided that I wanted to do another game based on another engine. I decided that I wanted to try to make some cheats for a game called Satisfactory. It’s a game where you are supposed to build factories and make them as efficient as possible.

So what do I wanna hack for this game? The things I wanna be able to do are: god-mode, fly, teleport to begin with. So, for god-mode the first thing I needed was to figure out how I take damage to begin with. Health must be a decent place to start looking. To find the health address I started jumping off cliffs until I found my health address. I knew it was correct since changing it from 30 -> 50 worked.

Jumping off the cliff again while seeing what accesses this address yielded interesting results.

Viewing these addresses in the disassembler reveals a very fun function.

I tried to replace the function with a bunch of NOPs, this yielded very funny results. Now I no longer took any damage from any sources. Nice! Job done? Not quite. Funny thing is that all damage in the game uses that function… I need to figure out a way to check if it’s me that is taking damage. Looking at the function the first argument it takes is AActor damagedActor. Ok, need to check this argument. Looking at msdn for x64 calling convention, we see that the first argument gets put in the RCX registry.

I put a breakpoint on this function and jumped off the cliff again.

Great, now I have some value for the player. I tried to jump a few more times to see if the values looked correct, and I noticed something weird. On one of the jumps I died and the health address was no longer valid. The RCX value also changed. At this point I have no idea what’s going on as this is completely new. Anyways, I also wanted to test for the animals in the game. This was the closest thing…

Nothing weird going down there.

Registry values for the tests:

Well so what now? Nothing really. I tried looking into it and looked unreal engine up on GuidedHacking forums. I found a guide on how to hack unreal engine and was warned. Direct quote: Unreal Engine is Object Oriented Programming on steroids. Reversing it without understanding how the engine works will give you brain damage. I do not recommend anyone tries to hack UE games unless they are experienced hackers. You can use native methods to hack Unreal Engine games but we don't recommend it. The best method to hack these games is to dump an SDK using the Feckless SDK generator. Well I don’t know much about dumping SDKs or how to use them. I only know the conventional methods I have been thought, so I’m thinking about changing game. You are almost caught up to speed on where I stand. This article doesn’t give the full picture as I suck at writing and probably missed some parts… But I don’t really care. I wrote this for me.

Purpose

There isn’t really any purpose behind this post. You can view it as a tour, guide, experience, diary, whatever. But it is more for my own learning. I also wanted to have my work documented since undocumented work sucks. Much of the reason why I did writeups.

Credits!

I would like to thank GuidedHacking for teaching game hacking. I believe that this is the greatest source for learning game hacking. You should keep in mind if you ever decide to learn, guidedhacking will guide you, but won’t hold your hand.

Second I would like to thank Ferib for answering pretty much any of my questions on demand. If you are interested in reverse engineering and it’s applications, you can check out his blog.

My first writeup can be found Here

There will be more writeups comming in the future, but I’m currently working on making a writeup for the Fatty machine from Hack The Box first.

I made this website using the Hugo framework instead of writing up own html & css. I will use this website to post all my content, ideas and future projects. I will also add writeups for challenges at a later date, so stay tuned!

Check out whoami for more information about who I am.