by Anthony “RedHatAugust” Radzykewycz
Before We Begin
Before beginning this article, we need to cover some things up front. First and foremost, the author and Offensive Security are not condoning the hacking of games. There are ethical concerns regarding the overhead costs driven up in the gaming industry by the constant battle against cheaters, bot creators, crackers, and the like. There are also issues with negatively affecting the game for other players who only want to play it for its intended value. Game hackers, more often than not, ruin the experience for other players by destroying the notion of fair competition and the need to build up skills in the game of choice in order to prove who the best players in the community are.
Despite the ethical concerns, this article can serve a few purposes:
- Provide current and future game developers an insight in how a piece of game hacking works in order to better prepare countermeasures against the hacks.
- Provide insight in a way to analyze computer programs to determine key pieces of information in memory and how this data can be manipulated in real time to achieve results that are outside the normal program design.
- Satiate a curiosity in how game hackers work through a program and its memory contents to create the cheats.
Again, we don’t condone using this knowledge to hack other games. We would rather you, as the reader, take this understanding and analyze computer programs whose issues can be reported under the responsible disclosure process, helping to improve security in the world. Although neither the author nor Offensive Security has any concrete methods for game developers to prevent this method of hacking, we encourage those building games to consider the contents and try to come up with creative solutions to combat these hacks.
Setting up the Game and the Tool
The game that will be analyzed is called AssaultCube. If you’d like to work through the process along with this blog article, you can find the latest download at https://assault.cubers.net/download.html. The version that will be used in this article is v126.96.36.199 on Windows. This is the latest version at the time of this publication. Let’s take a quick moment to install the game. After opening the downloaded exe file, the following dialog window appears.
Let’s click Next.
We are now faced with the licensing agreement. I wanted to take a moment to point out that modifications to the binary – in order to gain an unfair advantage over others – are directly against the license agreement. For this article, we are dissecting a portion of game hacking to learn the methodologies and the workflow of someone analyzing binaries to modify attributes in memory. With the understanding that we will not use these skills in an unethical manner and/or a manner that violates this agreement, let’s click I Agree.
We’ll keep the default components, and click Next again.
For this article, the default installation directory will be chosen.
Let’s click Next to continue.
Let’s keep the name the same as the default name.
Finally, we can click Install to install the application.
With the installation completed, we’ll click Next again.
The last dialog window indicates this is the end of the installation. Let’s click Close to close the dialog window. This automatically opens a browser page to show the release notes for the version downloaded.
An issue we will face later is the fact AssaultCube will start in Fullscreen mode. This makes it difficult to work with our other application. Before we get to installing our binary analysis application (Cheat Engine), let’s open AssaultCube and put it in Windowed mode.
Opening the game brings us to a map with the menu open.
Let’s choose the Settings menu option by using the keyboard arrow keys and <ENTER>.
Let’s press <ENTER> on Video settings…
We can now press the down arrow key to the Fullscreen option and press <ENTER> to deselect it. After this, we can arrow down to Apply now! and press <ENTER>. In the case of this article, the screen width and height were changed to 1920×1080, as well.
We now have a running game in Windowed mode. In order to get out of the game and back to the Windows host, we can press <ALT>+<TAB> to quickly switch between our running applications.
The binary analysis tool we will use to inspect the memory addresses related to the game is called Cheat Engine. You can find the latest version of Cheat Engine at https://www.cheatengine.org/downloads.php. Version 7.4 was used in this article.
When attempting to install Cheat Engine, your antivirus software may detect it as a threat. Exceptions for the file need to be made before it can be installed.
After the exceptions are entered, let’s open the installation executable. English is chosen for this article’s installation language.
The welcome dialog window appears. Let’s click Next.
In this article, the additional software installations are going to be left out. With this, we’ll Skip All. After this is clicked, the installation will start automatically.
We can now click Finish to complete the installation.
Again, exceptions may need to be made with the antivirus software in order for this application to start. This concludes the setup for the game and the tool we will use to manipulate the memory of the game binary.
The Game Hack Objective
The game hack objective in this article is to control the ammo count for the primary rifle. If we can locate the memory address related to the ammunition, we can modify that value to add more ammo in our gun or keep the value constant at a specified number.
Attaching the Game Process
After installing Cheat Engine, AssaultCube may have crashed. Let’s make sure that Cheat Engine is running and visible.
Now that Cheat Engine is verified as running, let’s reopen AssaultCube. If it opens in Fullscreen mode, follow the same steps in the setup section to get it in Windowed mode.
Now that both applications are running at the same time, let’s switch back to Cheat Engine by pressing <ALT>+<TAB>.
In Cheat Engine, we will click the Select a Process button.
Let’s highlight the process with ac-client.exe in it and click Open.
Even though it looks like nothing changed in Cheat Engine, the process name shows that we successfully loaded the game process.
Searching for the Ammo Count
Before we can begin to search for the ammo, we need to identify how much ammo we have in our current weapon. Let’s switch back to the game and press the <ESC> key to get out of the menu.
As we can see in the bottom middle of the game window, we have 20 rounds of ammunition in the rifle and 40 more rounds in reserve. We are only interested in the amount of ammo loaded in the gun for this article. With that, we can run our first scan of memory addresses in Cheat Engine: enter 20 in the Value textbox and click First Scan.
In this article’s demonstration, 6,965 memory addresses related to the game process have the value 20. Let’s change the amount of ammo we have in our rifle by firing a couple of rounds in the game.
Now there are 18 rounds in the rifle. Let’s change the Value textbox to 18 and click Next Scan.
Surprisingly, this narrowed the memory address list to 2 entries. This normally wouldn’t be the case. Normally, we would fire again to lower the ammo count further and do another scan with Next Scan, repeating until only a handful of addresses remain. We can now highlight and right-click the two memory addresses that were found.
We can now click on Add selected addresses to the addresslist. This will add the entries to the bottom pane of Cheat Engine.
If everything went correctly, one of these addresses in the addresslist should be the memory address responsible for the ammo count for the rifle.
Controlling the Ammo Count
Controlling and modifying the ammo count can be done in a couple of ways. If we want to be more careful with not crashing the game, we can simply switch back to the game and fire more rounds. Let’s do this now.
In this case, we fired 2 more rounds and now have a total of 16. Both of our stored memory addresses show the value 16, as well. It doesn’t look like firing more rounds will immediately differentiate between the two stored memory addresses.
Another way we can find out which memory address is responsible for the ammo count is to double-click on the memory address value field in the addresslist and change the value. If the value also changes in the game, we can deduce that the memory address modified is responsible for the ammo attribute. Let’s change the value to 999 on the first listed memory address and see what happens.
We can see that the second memory address value remained at 16 and the value of the ammo count changed to 999 in the game. To make sure this is correct, let’s fire a few rounds in the game and inspect Cheat Engine and that value again.
The values do correlate and the second memory address can be ruled out. With this, we can rename the first memory address to ammo and remove the second memory address from the list. To change the name, we double-click the Description field of the memory address and enter the string we’d like to name it.
Another way to control the ammo is to have infinite ammunition. To keep the value constant, we can check the active box. It’s difficult to show this in a blog format, but clicking this box will make it so that the memory address is always changed to the specified value despite how many rounds are fired.
When firing in the game, the value may briefly drop by one or two as the original code decrements it based on how many shots were fired. It is quickly returned to the specified value after that, though. With the current setting, the ammo count will always be returned to 993.
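The scan-and-narrow workflow above (First Scan for 20, Next Scan for 18, write-and-observe to pick the real address, then the ‘active’ freeze) as an added Python simulation that is not part of this article or of Cheat Engine. A constructed 256-byte memory image stands in for the game process; AMMO_OFFSET, MIRROR_OFFSET and the decoy offsets are assumptions for the demo, and the mirror copy exists only so that Next Scan leaves two candidates, as it did in the article.

```python
import struct

WORD = 4
AMMO_OFFSET = 0x40           # assumed location of the loaded-ammo int (demo only)
MIRROR_OFFSET = 0x54         # assumed copy the game refreshes alongside it (demo only)
DECOYS = (0x08, 0x1c, 0x98)  # unrelated ints that also happen to hold 20

def make_memory() -> bytearray:
    """Constructed stand-in for the process memory image, zero except five 20s."""
    mem = bytearray(0x100)
    for off in DECOYS + (AMMO_OFFSET, MIRROR_OFFSET):
        struct.pack_into("<i", mem, off, 20)
    return mem

def read_int(mem, off):
    return struct.unpack_from("<i", mem, off)[0]

def write_int(mem, off, value):
    struct.pack_into("<i", mem, off, value)

def game_ammo(mem):
    """What the game itself displays: it reads only the real counter."""
    return read_int(mem, AMMO_OFFSET)

def fire(mem, rounds):
    """The game's own code path: decrement the counter, then refresh the mirror."""
    write_int(mem, AMMO_OFFSET, game_ammo(mem) - rounds)
    write_int(mem, MIRROR_OFFSET, game_ammo(mem))

def scan(mem, value, candidates=None):
    """First Scan (candidates=None) over every aligned int, or Next Scan over
    the previous candidates only, keeping offsets whose value equals `value`."""
    offs = range(0, len(mem) - WORD + 1, WORD) if candidates is None else candidates
    return sorted(o for o in offs if read_int(mem, o) == value)

def narrow(mem):
    """First Scan for 20, fire two rounds, Next Scan for 18 (the article's steps)."""
    cands = scan(mem, 20)
    fire(mem, 2)
    return scan(mem, 18, cands)

def confirm(mem, cands):
    """Write 999 to each candidate in turn; the one the game reflects is the ammo."""
    for off in cands:
        saved = read_int(mem, off)
        write_int(mem, off, 999)
        if game_ammo(mem) == 999:
            return off
        write_int(mem, off, saved)   # not it: put the original value back
    return None

def freeze_tick(mem, off, value):
    """One pass of the 'active' checkbox: rewrite the value after the game decrements it."""
    write_int(mem, off, value)
```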
Despite the ammo count being only one attribute we modified, we could work through the same process and workflow to find the values for health, armor, other items’ ammo counts or supply, coordinates within the game to create a ‘flight’ mode, and more.
Outside of game hacking, Cheat Engine can also be used to analyze the memory of other applications to find values and strings within the application and control those parameters. Depending on what we are trying to find within an application, this can be a lower-barrier alternative to a standard debugging tool.
Thank you for taking the time to check out this article. Again, we don’t present this information to encourage you to hack games and gain that unfair edge. Instead, we hope you take this information to think of new and creative ways to protect current and future games from the steps provided above. The author and Offensive Security do not condone, promote, or encourage hacking games in unethical ways. We encourage you to consider Cheat Engine as a utility that could be used to debug memory addresses and provide a different perspective on finding bugs within other applications that are not games.
About the Author
Passionate about learning and sharing knowledge, Anthony Radzykewycz (AKA RedHatAugust) grows others surrounding him at every opportunity.
Currently, his full-time role is as a Content Developer with Offensive Security. He also teaches part-time as an adjunct professor at GateWay Community College, where he is the Linux Program Lead Instructor and paves the way for the Cybersecurity Program. With a heartfelt belief that learning comes from doing, Anthony has been committed to interactive learning where the goal is not to repeat terms and regurgitate, but to get your hands on a keyboard and prove your skills. With this in mind, Anthony competes regularly at his local security conference, “CactusCon.” He also competes in various events at DEFCON. Excited about networking, he is always looking to expand relationships across the community.