Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
Attack Vectors of the Modern FPS

Cheat Engine Forum Index -> General Gamehacking
Poll: Which "Attack Vector" do you find most effective? (Total votes: 0)

    * Memory - 0% [ 0 ]
    * Code Execution - 0% [ 0 ]
    * Network - 0% [ 0 ]
    * Scuzzing - 0% [ 0 ]
    * Social Engineering - 0% [ 0 ]
    * Theft/Scam - 0% [ 0 ]
    * Other - 0% [ 0 ]

Alweul ("How do I cheat?", Reputation: 0, Joined: 01 Dec 2015, Posts: 4)
Posted: Sun Oct 09, 2016 2:53 pm    Post subject: Attack Vectors of the Modern FPS

So I think it's safe to say that modern game hacking is a game between two players: the hacker and the developer.

When hacking a game for the first time the first thing you should even think about is:

"What's my attack vector?"

Well, most people jump straight into injecting, live editing, and patching. Local side execution. That's why there are programs like easy-anti-cheat and BE. But let's take a step back from the typical "hacking" used in game breaking and cheating.

First let's get our objective, which is usually: Do anything you can to give yourself the upper hand.

So, let's identify things that can give us an upper hand:

    * Movement Speed
    * Health
    * Armor (IF applicable)
    * Aim
    * Ammo
    * Stats (IF applicable)
    * Etc.

So where can we find all of these values?

    * Memory
    * Code Execution Path
    * Network Communication

So I constantly see the first two approaches being taken.

On the first approach you do something, get a value, do something again, see if the value changed, see if you can change its value in memory; if not, trace it for other values; something has to hold this value and something has to read from it. If I can change the value, I can hack the game.

On the second approach it's kinda similar. You find an action in the code execution and change it to do what you want, (Such as finding the action that lowers health when you take damage and changing the operator so you gain health instead) usually with debugging.

The biggest issue with these two approaches is that the developer has more access to their own code than you ever will. You start hacking, they start logging; eventually, they figure out how you did it, they close your hole. Either they add some fancy pointer work, implement an anti-cheat, or flat out move the code execution server side. What now?

Well, let's take a look at our third attack vector: Network Communication.

The first thing I notice is that most "anti-cheats" invade your computer looking for evidence of your cheating. Most people choose to play the game of cat and mouse where you find a new way to get around the anti-cheat, and then they patch it.

But how often have you looked at what data they are sending from the client over your network?

Does that packet that you just sent contain a bullet fire event? Does it tell the server where you're firing? Do you tell the server that you were attacked, or does it tell you? There are TONS of new approaches in the network AND they have one distinct advantage:

Unlike code execution modification and memory editing, network communication modification can be done to benefit a user on a different computer. The anti-cheat is restricted to the computer you approve it on; with the correct network setup you can route traffic into a subnet that the anti-cheat can NEVER even see. Then, using that subnet, you promiscuously detect and modify that data.

Let's take your typical FPS:
You normally repeat actions to find your position values and viewport values in memory. But instead, let's go to your second computer, use Wireshark, and collect all data going to the game server. Let's start making small captures during specific actions, look for the pattern and see if we can't replicate the action.

Problem 1: The net code is encrypted.
Solution 1: Your client decrypts it somehow so it must be possible to take that decrypting execution and emulate it on a different computer right? (Can be somewhat difficult, but no harder than trying to bypass anti-cheat in most situations)

So now that we've replicated the action, let's find out how much we can change it before the server gets confused and says no. Some instances, it's the client that says no; please keep that in mind.

It takes a bit of trial and error but it shouldn't be too hard to patch those packets if you know what you're doing.


How I got this to work:

The very first time I tried to emulate network activity I managed to do exactly what I describe above with my phone and my computer and was able to manipulate in-game purchases. (Oh, you bought 10, then 20 gems. Then suddenly the third approved transaction came through with a few modifications... Open my game and I receive an approved transaction for 1,000,000 gems.) My phone was not rooted, so memory and code execution modification was much more difficult to access. I could repeat this approved transaction to the client as many times as it asked for approval, so I completely spoofed the end server with my own computer and made as many requests as I needed to get through the game. But there were some issues:
1: Different phones required different types of emulated network activity to recreate this, so one solution does not fit all.
2: This won't work if the game holds values on the server side and only updates the client.

Now the questions:

How viable is this method?
How many of you managed to get it to work?
Have you ever been banned for hacking with packets? (If so, have you tried the packet modification from a downstream subnet? Were you careless? Did you scuzz?)
Are there distinct advantages of the other methods that I am completely missing?
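The capture-and-diff workflow the post describes (small captures during specific actions, look for the pattern, replicate the action, then see how far the fields can be pushed before "the server says no") can be made concrete with a toy protocol. The example below is added here and is not code from the original post or from any real game: the 16-byte datagram layout, the XOR integrity byte standing in for whatever check a real client applies, and both server-side policies are constructed assumptions. It diffs "idle" against "fire" captures to find the byte that encodes the action, separates out the counters that change on every packet, patches a captured packet from a downstream box (recomputing the integrity byte, since a stale one gets the packet dropped), and then replays the forged packets against a server that trusts the client's ammo field and against one that keeps the counter itself, which is the post's issue 2 in code.

```python
import struct
from typing import Dict, List, Optional, Set

# Constructed toy client->server datagram (hypothetical layout, not any real game):
#   0-1   magic   b"GP"
#   2-3   seq     uint16 LE, increases every packet
#   4-11  x, y    float32 LE player position
#   12    action  0 = idle, 1 = fire
#   13-14 ammo    uint16 LE, what the client claims it has left
#   15    XOR of bytes 0..14 (stands in for the game's integrity check)
FMT = "<2sHffBH"  # the 15 bytes in front of the integrity byte


def xor_checksum(data: bytes) -> int:
    c = 0
    for b in data:
        c ^= b
    return c


def build_packet(seq: int, x: float, y: float, action: int, ammo: int) -> bytes:
    body = struct.pack(FMT, b"GP", seq, x, y, action, ammo)
    return body + bytes([xor_checksum(body)])


def parse_packet(pkt: bytes) -> Optional[Dict]:
    """Decode the fields, or return None when the integrity byte does not match."""
    if len(pkt) != 16 or pkt[:2] != b"GP" or xor_checksum(pkt[:15]) != pkt[15]:
        return None
    _, seq, x, y, action, ammo = struct.unpack(FMT, pkt[:15])
    return {"seq": seq, "x": x, "y": y, "action": action, "ammo": ammo}


def volatile_offsets(captures: List[bytes]) -> Set[int]:
    """Offsets that are not constant inside one group: counters, position, checksum."""
    return {i for i in range(len(captures[0])) if len({c[i] for c in captures}) > 1}


def marker_offsets(group_a: List[bytes], group_b: List[bytes]) -> Set[int]:
    """Offsets constant within each group but different between the groups:
    these are the bytes that encode the action itself."""
    stable = set(range(len(group_a[0]))) - volatile_offsets(group_a) - volatile_offsets(group_b)
    return {i for i in stable if group_a[0][i] != group_b[0][i]}


def rewrite_field(pkt: bytes, offset: int, raw: bytes, fix_checksum: bool = True) -> bytes:
    """Patch bytes of a captured packet on the way through the downstream box."""
    body = bytearray(pkt[:15])
    body[offset:offset + len(raw)] = raw
    tail = bytes([xor_checksum(body)]) if fix_checksum else pkt[15:]
    return bytes(body) + tail


class ClientAuthoritativeAmmo:
    """Server believes whatever ammo the client reports (the weak design)."""
    def __init__(self):
        self.ammo, self.last_seq = None, -1

    def accept(self, pkt: bytes) -> bool:
        p = parse_packet(pkt)
        if p is None or p["seq"] <= self.last_seq:
            return False
        self.last_seq, self.ammo = p["seq"], p["ammo"]
        return True


class ServerAuthoritativeAmmo:
    """Server owns the counter and ignores the ammo field entirely."""
    def __init__(self, ammo: int):
        self.ammo, self.last_seq = ammo, -1

    def accept(self, pkt: bytes) -> bool:
        p = parse_packet(pkt)
        if p is None or p["seq"] <= self.last_seq:
            return False
        self.last_seq = p["seq"]
        if p["action"] == 1:
            if self.ammo == 0:
                return False  # "the server gets confused and says no"
            self.ammo -= 1
        return True


def run_demo() -> Dict:
    # Constructed captures: three "standing still" and three "fire" datagrams.
    idle = [build_packet(s, x, 2.5, 0, 5) for s, x in zip((1, 2, 3), (1.0, 1.5, 2.0))]
    fire = [build_packet(s, x, 2.5, 1, a)
            for s, x, a in zip((10, 11, 12), (1.0, 1.5, 2.0), (4, 3, 2))]
    markers = marker_offsets(idle, fire)   # the action byte
    counters = volatile_offsets(fire)      # seq, x, ammo and checksum bytes
    # Replay the fire packets claiming 999 rounds; the last copy keeps its stale checksum.
    forged = [rewrite_field(p, 13, struct.pack("<H", 999)) for p in fire]
    forged.append(rewrite_field(fire[0], 13, struct.pack("<H", 999), fix_checksum=False))
    weak, strong = ClientAuthoritativeAmmo(), ServerAuthoritativeAmmo(ammo=2)
    return {"markers": markers, "counters": counters,
            "weak": [weak.accept(p) for p in forged], "weak_ammo": weak.ammo,
            "strong": [strong.accept(p) for p in forged], "strong_ammo": strong.ammo}


if __name__ == "__main__":
    print(run_demo())
```

Against the client-authoritative server the three patched packets are accepted and its ammo becomes whatever was written into the field; the fourth copy, patched without fixing the integrity byte, is dropped before any game logic runs, which is why the "client decrypts it somehow" step matters. The server-authoritative variant accepts only as many fire events as its own counter allows, no matter what the packet claims.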
STN ("I post too much", Reputation: 43, Joined: 09 Nov 2005, Posts: 2676)
Posted: Sun Oct 09, 2016 11:03 pm

What is BE?
_________________
Cheat Requests/Tables- Fearless Cheat Engine
https://fearlessrevolution.com