As games evolved, cheats evolved with them: from simple button-press combinations that trigger built-in cheat codes, to elaborate, fully automated bots that can quite literally play at a competitive level. GamePwn at its core is a straightforward process: the use of various techniques to interact with and modify video games, whether via an exposed mod API or framework, binary modification, memory manipulation, packet interception and modification, etc. GamePwn is an extensive and very interesting field. There is a lot of technique overlap with infosec, such as reverse engineering a game to understand how something works; the GamePwn part is then engineering a cheat that changes how that thing works, to the way you want it to. Many GamePwn techniques can also be used to find exploitable bugs in games, such as integer overflows.
One of the most common GamePwn techniques is memory manipulation. It revolves around "snapshotting" the game's memory at various stages in order to filter down to the specific value you want to manipulate. Say you are playing a game and currently have $25,000 in-game. Your first scan records every memory address that currently holds the value 25000. After buying something in-game, that $25,000 has changed and is now $20,000. Back in Cheat Engine, you scan for the new value, 20000, and Cheat Engine re-reads only the addresses captured in the previous scan, dropping the ones that no longer match. This repeats until the millions (potentially billions) of addresses in the initial snapshot have been whittled down to a handful, or even one. Once the correct address has been identified, you can change your in-game money to whatever value you want!
This approach requires several assumptions to be made about the target, and plenty of trial and error:
1. What is the value you are looking for?
   a. Is it known, such as a visible value on screen?
   b. Is it unknown, such as the coordinates of the player in the game world?
2. What is the value type (how is it stored in memory)?
   a. Is it a whole number, i.e. a 1/2/4/8-byte integer?
   b. Does it have a decimal point, or is it a percentage, i.e. a float or a double?
It might take many attempts to find the address that corresponds to the value you want to modify. More often than not, there will be multiple addresses that all reflect the same value, and it's a process of elimination to isolate the right one among those.
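The scan-and-narrow loop described above, written out as an added example (this is not code from the original post or from Cheat Engine). It works on three constructed 48-byte "snapshots" that stand in for real process memory: a HUD copy of the money, a high score that coincidentally equals 25000, a float health value, the real money variable and a frame counter; the layout and values are invented for the example. The `fmt` argument is the value-type assumption from the list above, so the same scanner shows why scanning 25000 as a float finds nothing.

```python
import struct

# Constructed 48-byte "memory snapshots" standing in for a real process dump.
# Layout (little-endian), invented for this example, not taken from any game:
#   0x00  int32  money as cached by the HUD code (tracks the real value)
#   0x04  int32  a high score that happens to be 25000 (never changes)
#   0x08  float  health, 100.0
#   0x0c  int32  the real money variable
#   0x20  int32  a frame counter that changes between snapshots
def build_snapshot(money: int, frame: int) -> bytes:
    image = bytearray(48)
    struct.pack_into("<i", image, 0x00, money)
    struct.pack_into("<i", image, 0x04, 25000)
    struct.pack_into("<f", image, 0x08, 100.0)
    struct.pack_into("<i", image, 0x0c, money)
    struct.pack_into("<i", image, 0x20, frame)
    return bytes(image)


def scan(snapshot: bytes, value, fmt: str, candidates=None, align: int = None) -> list:
    """One scan pass. fmt is a struct format such as "<i" (4-byte int) or "<f"
    (float): the value-type assumption from the list above. With no candidates
    this is the "first scan" over every aligned offset; with candidates it is a
    "next scan" that only re-reads the addresses that survived so far."""
    size = struct.calcsize(fmt)
    step = align or size
    if candidates is None:
        candidates = range(0, len(snapshot) - size + 1, step)
    return [off for off in candidates
            if struct.unpack_from(fmt, snapshot, off)[0] == value]


def narrow(snapshots: list, values: list, fmt: str) -> list:
    """First scan followed by one next scan per additional snapshot."""
    candidates = None
    for snapshot, value in zip(snapshots, values):
        candidates = scan(snapshot, value, fmt, candidates)
    return candidates


def poke(snapshot: bytes, offset: int, value, fmt: str) -> bytes:
    """The final step: overwrite the chosen address with the value you want."""
    image = bytearray(snapshot)
    struct.pack_into(fmt, image, offset, value)
    return bytes(image)


if __name__ == "__main__":
    # $25,000 -> buy something -> $20,000 -> earn $500 -> $20,500
    snapshots = [build_snapshot(25000, 1), build_snapshot(20000, 2), build_snapshot(20500, 3)]
    print("first scan, 25000 as int32:", scan(snapshots[0], 25000, "<i"))
    print("after three scans:", narrow(snapshots, [25000, 20000, 20500], "<i"))
    print("25000 scanned as float:", scan(snapshots[0], 25000.0, "<f"))
    hacked = poke(snapshots[-1], 0x0c, 999_999, "<i")
    print("money after poke:", struct.unpack_from("<i", hacked, 0x0c)[0])
```

Two addresses survive the narrowing (the HUD copy at 0x00 and the real variable at 0x0c), which is exactly the "multiple addresses reflecting the same value" situation: the high score drops out on the second scan because it never changed. Telling the two survivors apart needs a write test (poke each and see which one the game actually uses), which is what Cheat Engine's "Find out what writes to this address" is for.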
Cheat Engine is by far the de facto "industry standard" for GamePwn. It bundles essentially every tool that could be required into one neat little package.
The main workflow revolves around scanning the game's memory, expanded upon with a full-featured debugger, a Lua scripting engine, and other tools. Its main use is, however, centred around memory manipulation.
It also comes bundled with a great tutorial program to get you started. It prompts you to load the tutorial on first start, and the tutorial is accessible via the "Help" menu at any time. Newer versions also support Windows dark mode, so no more melting your eyes at 4am during a long GamePwn session 😁. Cheat Engine also offers remote server functionality, letting the desktop client attach to processes on other devices, such as mobile ones.
BEWARE! THE CHEAT ENGINE INSTALLER IS BUNDLED WITH ADWARE/PUP (Potentially Unwanted Programs), BE SURE TO PAY ATTENTION TO THE OPTIONS SELECTED DURING THE INSTALLATION PROCESS!
Many games these days also offer some sort of moddability, official or otherwise, allowing skilled developers to build their own functionality directly into the game. Example: The Elder Scrolls V: Skyrim's Leveler's Tower. This mod was built with the Creation Kit (Skyrim's SDK) and allows modification of skills, abilities, finances, spells, etc., all from a tower placed in the game world! For further information, Leveler's Tower | The Elder Scrolls Mods Wiki is worth a read.
Every game is different, and many won’t offer mod support, but it's a really interesting field to explore for those games that do.
Binary modification is applied mostly to mobile games: modifications are made directly to the game's binary to provide the desired functionality. Example: a mobile tower-defence game where collecting a single in-game collectable adds +10000 instead of the standard +1. This is often the simplest route to GamePwn on mobile devices.
The process itself can be pretty involved, as it requires the distributed game files to be disassembled (or decompiled), modified, reassembled (or recompiled), re-signed and redistributed. There are also questions about the legality of redistributing the modified game, so be aware.
Apktool is a great toolset for working with Android games. It's a tool for reverse engineering third-party, closed, binary Android apps: it can decode resources to near-original form and rebuild them after modifications. It also makes working with an app easier thanks to its project-like file structure and automation of repetitive tasks such as building the APK.
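The "+1 becomes +10000" edit from the tower-defence example, as an added example that is not from the original post or from Apktool. The usual round trip is `apktool d game.apk -o game_src`, edit the smali in `game_src/smali/`, `apktool b game_src -o game_mod.apk`, then sign the rebuilt APK with `apksigner` (Android will not install an unsigned one). The smali method below is constructed for the example, with an invented package, class and field name; the script rewrites the add-with-literal instruction and picks the instruction form that can actually encode the new literal, because `add-int/lit8` only holds an 8-bit signed literal and `add-int/lit16` only a 16-bit one (and only for registers v0..v15), a trap that makes a rebuilt APK fail to assemble if you just edit the number.

```python
import re

# Constructed smali for a hypothetical collectable handler, as it might look in
# the output of `apktool d game.apk`. The package, class and field names are
# invented for this example.
ORIGINAL_SMALI = """\
.method private onCoinCollected()V
    .locals 1

    iget v0, p0, Lcom/example/td/Player;->coins:I

    add-int/lit8 v0, v0, 0x1

    iput v0, p0, Lcom/example/td/Player;->coins:I

    return-void
.end method
"""

# Dalvik add-with-literal forms (from the bytecode spec):
#   add-int/lit8  vAA, vBB, #+CC    8-bit signed literal, registers v0..v255
#   add-int/lit16 vA,  vB,  #+CCCC  16-bit signed literal, registers v0..v15
ADD_LIT = re.compile(r"add-int/lit(?:8|16) (v\d+), (v\d+), (-?0x[0-9a-fA-F]+|-?\d+)")


def choose_form(reg_a: int, reg_b: int, literal: int) -> str:
    """Pick the narrowest instruction that can encode literal for these registers."""
    if -128 <= literal <= 127:
        return "add-int/lit8"
    if -32768 <= literal <= 32767 and reg_a < 16 and reg_b < 16:
        return "add-int/lit16"
    raise ValueError(
        f"{literal} does not fit a 16-bit literal (or a register is >= v16); "
        "load it with const into a spare register and use add-int instead")


def format_literal(n: int) -> str:
    return f"-0x{-n:x}" if n < 0 else f"0x{n:x}"


def patch_reward(smali: str, old: int, new: int) -> str:
    """Rewrite every add-int/litN that adds `old` so that it adds `new` instead."""
    def replace(match: re.Match) -> str:
        reg_a, reg_b, literal = match.groups()
        if int(literal, 0) != old:
            return match.group(0)
        form = choose_form(int(reg_a[1:]), int(reg_b[1:]), new)
        return f"{form} {reg_a}, {reg_b}, {format_literal(new)}"
    return ADD_LIT.sub(replace, smali)


if __name__ == "__main__":
    print(patch_reward(ORIGINAL_SMALI, 1, 10000))
```

Anything above 32767 needs a `const` into a spare register plus a plain `add-int`, which also means bumping `.locals`; the script refuses rather than emitting an instruction that will not assemble.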
Packet editing enables GamePwn against games where state is held on a server, such as online games, by intercepting and modifying the data flowing between the client (game) and the server. Example: collecting 100 gold sends a packet to the server telling it to increase the player's gold total by 100. By intercepting that packet, it is possible to change the amount the server should add, or to replay the packet multiple times.
AppSec Labs has a really good open source packet editor that makes a solid base to build the tools you need on top of.
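The gold-collection exchange from the example above, as an added example (not from the original post, and not the AppSec Labs editor's code). The wire format is constructed for this example: one byte of opcode followed by a sequence number, an item id and the amount of gold the client claims the item was worth. `tamper_amount` does what a packet editor does, rewrite a field and re-serialise; the two servers show why editing and replaying work against a server that trusts the client, and what a server-authoritative handler that looks the reward up itself and honours each item and sequence number only once does with the same packets.

```python
import struct

# Constructed wire format for this example only; real games use their own
# (often encrypted or serialised) protocols.
#   uint8  opcode          0x10 = "collected an item"
#   uint32 sequence number
#   uint32 item id
#   uint32 amount of gold the client claims the item was worth
OP_COLLECT = 0x10
FMT = "<BIII"


def build_collect(seq: int, item_id: int, amount: int) -> bytes:
    """What the client sends when the player picks up a collectable."""
    return struct.pack(FMT, OP_COLLECT, seq, item_id, amount)


def parse(pkt: bytes) -> tuple:
    return struct.unpack(FMT, pkt)


def tamper_amount(pkt: bytes, new_amount: int) -> bytes:
    """The packet editor's job: rewrite one field and re-serialise."""
    opcode, seq, item_id, _ = parse(pkt)
    return struct.pack(FMT, opcode, seq, item_id, new_amount)


class NaiveServer:
    """Trusts the client-supplied amount, so editing or replaying both work."""
    def __init__(self):
        self.gold = 0

    def handle(self, pkt: bytes) -> bool:
        opcode, _seq, _item_id, amount = parse(pkt)
        if opcode != OP_COLLECT:
            return False
        self.gold += amount
        return True


class AuthoritativeServer:
    """Server-authoritative version: the reward comes from the server's own
    table, the client-supplied amount is ignored, and each item and sequence
    number is only ever honoured once."""
    REWARDS = {1: 100, 2: 250}  # item id -> gold; constructed table

    def __init__(self):
        self.gold = 0
        self.seen_seq = set()
        self.collected = set()

    def handle(self, pkt: bytes) -> bool:
        opcode, seq, item_id, _claimed = parse(pkt)
        if opcode != OP_COLLECT:
            return False
        if seq in self.seen_seq:          # replayed packet
            return False
        if item_id in self.collected:     # same item claimed again under a new seq
            return False
        if item_id not in self.REWARDS:   # unknown item id
            return False
        self.seen_seq.add(seq)
        self.collected.add(item_id)
        self.gold += self.REWARDS[item_id]
        return True


if __name__ == "__main__":
    pkt = build_collect(1, 1, 100)
    naive, auth = NaiveServer(), AuthoritativeServer()
    for server in (naive, auth):
        server.handle(pkt)                          # legitimate pickup
        server.handle(tamper_amount(pkt, 1_000_000))  # edited amount
        server.handle(pkt)                          # straight replay
        print(type(server).__name__, "gold =", server.gold)
```

In practice the traffic is usually TLS-wrapped or encrypted with the game's own scheme, so the interception point moves from the wire to the process: hooking the client's send/receive functions before encryption gives the same editing capability, which is why packet editors and the injection frameworks covered later tend to end up being used together.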
Most cheats are just applications that view or modify a program's memory. Anti-cheat software tries to identify processes obtaining a handle on the game process, which is required for examining its memory. One way around this is a PCIe card that plugs into your computer just like a graphics card and gives a second computer Direct Memory Access (DMA) to the first one over USB; an example is a Spartan-6 FPGA card running PCILeech. From there the cheater can read the game process's memory and manipulate it however they want. If they don't modify memory at all and are happy with a "game radar" that shows where items/players/etc. are, there is little the anti-cheat software on the gaming PC can do to detect it. Cheaters who do this will often "flash" their PCILeech device's firmware so that it appears as a normal PCI device.
Game engines are what power games. They provide the framework, bundling things like a rendering engine used to generate all in-game graphics, a physics engine used to implement things like collisions and gravity, advanced spatial audio systems, etc., so that developers can focus on the game features they want to build rather than on how to achieve them. In the current game market, whether mobile, console or desktop, there are two giants when it comes to game engines: Unity and Unreal Engine. Given the cost and time it takes to develop a "AAA" game engine, most companies opt for these commercial offerings. There are a few exceptions, such as EA's Frostbite engine, which the Battlefield games run on.
Given the extensive use of both Unity and Unreal, some really interesting GamePwn possibilities open up, since tools and techniques have been developed to target the engine rather than the game. These differ quite a bit from "external" approaches such as memory manipulation, since they run "internal" to the game process itself.
There is also a limit on what information you can reach: hooking a game and reading and writing memory from outside the process limits the type of modifications possible. For example, it's really difficult to track all objects in a game to build an aimbot or wallhack just by reading and writing memory, and depending on the engine, not worth the time investment at all. The far easier way is to inject something into the game process that can reference the game's own classes and methods. With that access, the hacker can read the positions of all objects directly, in real time, and act on that information with minimal performance impact on the running game.
Unity is a .NET-based game engine, and one of, if not the, most popular cross-platform game engines currently available. Being .NET-based means that a lot of existing .NET tooling works with the majority of Unity games: dnSpy, dotPeek and ILSpy all offer insight into the game's code base via decompilation (and, in dnSpy's case, debugging). They also make it possible to modify the assemblies directly, but that means every game update requires re-modifying the binaries. The more efficient approach is to use a framework that enables runtime injection, making modifications much more update-resistant.
These frameworks manage the injection of your plugins/mods into the game process. Several such frameworks exist for Unity; two of the most mature and stable are MelonLoader and BepInEx.
Because of how .NET works, you start by spinning up a new C# project that directly references the game's libraries in the GameName_Data/Managed folder of the game directory. The libraries in that Managed folder contain all the game logic and its dependencies. Using a decompiler such as dnSpy (revived by the dnSpyEx project) lets you explore the decompiled game logic and fish out the classes and methods you need to construct your cheat!
NB: Be careful where you download dnSpy (dnSpyEx) from. A known malware-riddled version is in circulation; use only the dnSpyEx project's own releases.
IL2CPP is a build pipeline in Unity that converts managed .NET code (IL) to C++ and then to fully native code, and it is becoming increasingly popular among developers due to the added protection and performance gains. This adds a significant complication when attacking Unity games, since decompilers and other .NET tooling no longer work on the game code. However, both MelonLoader and BepInEx have experimental support for IL2CPP Unity games, where they implement a workflow that reconstructs a workable managed API layer from the IL2CPP metadata, which your plugin can then reference.
It is worth noting that this IL2CPP support in both frameworks is still very much experimental, and may not work at all. In such cases, tools such as Il2CppInspector, which offer different techniques for tackling IL2CPP-built games, are worth trying.
For as long as there have been video games, there have been people who want to gain an advantage in those games. There are times where cheating is perfectly acceptable, such as cheating money in a Sims game, a wholly single player experience. The issues start to arise when those advantages are gained in a competitive multiplayer experience, such as Fortnite.
To combat such behavior, games implement anti-cheats, which come in many forms: from highly complex driver-based solutions, such as BattlEye, to simpler ones, such as Unity Anti-Cheat Toolkit. The anti-cheats themselves employ a wide array of techniques to identify would-be cheaters.
A simple example is value obfuscation: you have a value displayed in-game, such as health, yet a memory search in Cheat Engine for the displayed health value returns no usable results. That's because the value shown in-game is not the variable that actually stores it; the real value is kept in an encoded form and only decoded when the game needs it.
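What that looks like from the game's side, as an added example (not code from the original post, and not Unity Anti-Cheat Toolkit's or any anti-cheat's own code): an integer stored as value XOR key, re-keyed on every write. The memory layout and the XOR scheme are assumptions made for the illustration, modelled on the general "obscured type" approach. A plain `int` health and an obscured one are laid side by side in a constructed 12-byte region, and an exact-value scan for 100 finds only the plain one.

```python
import random
import struct


class ObscuredInt:
    """Stores value XOR key rather than the value itself, and draws a fresh key
    on every write so the bytes in memory change even when the value does not.
    An assumed model of the XOR-with-key approach used by "obscured" types, not
    any product's actual code."""
    def __init__(self, value: int, rng=None):
        self._rng = rng or random.SystemRandom()
        self._key = 0
        self._enc = 0
        self.set(value)

    def _new_key(self) -> int:
        key = 0
        while key == 0:              # a zero key would store the plaintext
            key = self._rng.getrandbits(32)
        return key

    def set(self, value: int) -> None:
        self._key = self._new_key()
        self._enc = (value ^ self._key) & 0xFFFFFFFF

    def get(self) -> int:
        return (self._enc ^ self._key) & 0xFFFFFFFF

    def raw_bytes(self) -> bytes:
        """What a memory scanner actually sees for this variable: (key, enc)."""
        return struct.pack("<II", self._key, self._enc)


def memory_image(plain_health: int, obscured: ObscuredInt) -> bytes:
    """Constructed 12-byte region: a plain int32 health at 0x00 followed by
    the obscured one's (key, enc) pair at 0x04 and 0x08."""
    return struct.pack("<i", plain_health) + obscured.raw_bytes()


def exact_scan(image: bytes, value: int) -> list:
    """A Cheat Engine style exact-value scan for an aligned 4-byte integer."""
    return [off for off in range(0, len(image) - 3, 4)
            if struct.unpack_from("<i", image, off)[0] == value]


if __name__ == "__main__":
    health = ObscuredInt(100)
    image = memory_image(100, health)
    print("offsets holding 100:", exact_scan(image, 100))   # only the plain copy
    print("obscured value still reads back as", health.get())
    before = health.raw_bytes()
    health.set(100)                                          # same value, new key
    print("bytes changed on rewrite:", health.raw_bytes() != before)
```

This defeats the exact-value scan, not the attacker: Cheat Engine's unknown-initial-value and changed/unchanged scans still narrow on the pair because its bytes move whenever the game writes, and once the getter is found in the code the obfuscation is irrelevant. Obfuscation raises the cost of the naive approach, which is all a technique like this is meant to do.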
If you're interested in those techniques, this research paper, performing a comparative study of anti-cheat methods in video games, is recommended reading.
Let’s put theory into practice, and get started with the new game hacking challenges on Hack The Box! Have fun!
Hassassin, Mar 16, 2023