Monthly Archives: June 2012

Code Caves, Utilizing – Game Hacking (JMP Method)

Code caves are areas of memory that are unused by a process. These areas come in handy when editing process execution, because when we edit a game’s code flow at run-time we are limited by the amount of space allocated for the original opcodes. In most instances, if we overwrite an area of memory containing a 3-byte instruction with a 5-byte opcode, we unintentionally overwrite 2 bytes of the next instruction in the routine. Needless to say, this can lead to issues if we overwrite something important, and at the very least it will lead to the program not behaving as it was originally intended to.

In order to avoid this issue, we can use code caves. A code cave is simply a place in the game’s memory layout that is either full of instructions that don’t do anything important, or is simply empty. The technique is rather simple:

  1. We find an empty space (or code cave) in the game’s memory.
  2. We overwrite an instruction in the original code to jump to that empty area.
  3. We fill the code cave with our code.
  4. We jump back to where we left off in the original code.
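The four steps above, modelled on a constructed x86 byte buffer as an added example (this is not code from the original post). It assumes a flat 32-bit address space, and that the bytes at the patch site are whole instructions with no relative jumps or calls inside them (those would need fixing up after relocation). The sample shows the point made earlier: a 5-byte jump written over a 3-byte instruction necessarily eats the following 2-byte instruction, so both must be carried into the cave and re-executed there.

```python
import struct

JMP_LEN = 5  # 'jmp rel32' is opcode E9 followed by a 4-byte signed displacement

def encode_jmp(src: int, dst: int) -> bytes:
    """Encode an x86 'jmp rel32' placed at address src and targeting dst."""
    rel = dst - (src + JMP_LEN)  # displacement is relative to the next instruction
    return b"\xe9" + struct.pack("<i", rel)

def decode_jmp_target(image: bytes, base: int, at: int) -> int:
    """Return the absolute target of the E9 jump stored at address 'at'."""
    off = at - base
    assert image[off] == 0xE9, "no jmp rel32 at %#x" % at
    rel = struct.unpack("<i", image[off + 1:off + JMP_LEN])[0]
    return at + JMP_LEN + rel

def install_cave(image: bytearray, base: int, patch_at: int,
                 displaced_len: int, cave_at: int, payload: bytes) -> bytearray:
    """Steps 2-4 of the post. displaced_len must span whole instructions (>= 5 bytes)
    that are safe to copy elsewhere, i.e. no relative jumps/calls needing fix-ups."""
    if displaced_len < JMP_LEN:
        raise ValueError("the jump needs %d bytes of whole instructions" % JMP_LEN)
    off = patch_at - base
    displaced = bytes(image[off:off + displaced_len])
    body = payload + displaced  # our code, then the instructions we displaced
    body += encode_jmp(cave_at + len(body), patch_at + displaced_len)  # step 4
    coff = cave_at - base
    if any(image[coff:coff + len(body)]):
        raise ValueError("cave at %#x is not empty" % cave_at)
    image[coff:coff + len(body)] = body  # step 3
    # step 2: jump out; NOP-pad so no half-overwritten instruction is left behind
    jmp_out = encode_jmp(patch_at, cave_at) + b"\x90" * (displaced_len - JMP_LEN)
    image[off:off + displaced_len] = jmp_out
    return image

# Constructed sample image: 'add eax,1' (3 bytes), 'xor ebx,ebx' (2 bytes), 'ret', then
# a zero-filled unused region used as the cave. The 5-byte jump displaces add+xor.
BASE = 0x401000
CODE = bytes.fromhex("83c00131dbc3") + b"\x00" * 250
PAYLOAD = bytes.fromhex("b8d0070000")  # 'mov eax, 2000': stand-in for "our code"
CAVE_OFF = 0x80

def demo() -> dict:
    img = install_cave(bytearray(CODE), BASE, patch_at=BASE, displaced_len=5,
                       cave_at=BASE + CAVE_OFF, payload=PAYLOAD)
    back_jmp = BASE + CAVE_OFF + len(PAYLOAD) + 5  # the jump written at the cave's end
    return {"entry_target": decode_jmp_target(img, BASE, BASE),
            "cave_bytes": bytes(img[CAVE_OFF:CAVE_OFF + len(PAYLOAD) + 5 + JMP_LEN]),
            "return_target": decode_jmp_target(img, BASE, back_jmp),
            "ret_intact": img[5] == 0xC3}
```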

GameHacking Basics - Memory Editing (Linux)

There are many, many ways to use game hacking in order to get a game to do things that the developers didn’t intend. Among those many things, memory editing sits at the very bottom of the simplicity scale. This article covers the basics of gamehacking, showing you what it is and how to do it.

Background

On a very basic level, when an executable is running, all the dynamic data of the executable will be in memory. Computer memory is just a series of boxes, all of which have an address, and all of which contain a value. The value can be something useful, or it can be garbage, since memory is not usually “zeroed out” after use. It is this memory that will be the target of our game hacking tutorial.

A game is an executable like any other. As such, all the values used in the game can be found in memory. Things like HP, ammo, etc. are all stored in memory. Through game hacking, or more specifically memory editing, we can alter those values.

Memory editing is the process of finding out which box holds the value you want to modify, and then modifying it.

GameHacking Tools

To follow this tutorial in game hacking you should have:

1. A Linux machine (although you can do the exact same thing on Windows using tools like Cheat Engine).

2. scanmem (a memory scanner for Linux which will allow you to do some basic gamehacking).

3. Cube 2: Sauerbraten (the game that will be the victim of our game hacking example).

Let's Begin!

The first thing you want to do is find out what the process id of the game you are working on is. scanmem will need this number in order to confine its memory scans to your application. In this case mine is 13935.


Once you have that, run scanmem and type “pid 13935”. This lets scanmem know that the process you are interested in is the one with the process id of 13935. It goes without saying that this number will be different for you, and it will change every time you restart the game. If all goes well you will get a message telling you that the maps file for the process has been opened and how many regions it has available.


After you’ve told scanmem what process you are interested in, you then pick something in the game that you would like to change. What we are looking for are parts of the game’s data that will be the target of our gamehacking. For example, I chose ammunition since I seemed to be running low on that often. Take note that my current ammunition is “38”; that is the amount that is currently inside one of those boxes I told you about in the introduction.


And so we feed 38 to scanmem, telling it that we are looking for all addresses that hold the value 38. After scanmem performs its search, we fire off one bullet, leaving the ammunition value at 37, and perform another search. You can tell scanmem that the number has decreased by 1 by typing “-1”, or simply that it has decreased by typing “<”. scanmem has now narrowed the number of candidate boxes to 199, which, although still too many to inspect manually, is a lot less than 501,000.


We continue doing this until we have a handful of matches, preferably 1 or 2.

If you end up with just one value you can go ahead and do “watch 0”, and you should see the value changing when you fire off shots. This means you have the right address.

If that is not the case, just repeat the process; it can take a few tries sometimes. Once you have identified the right address, all that is left to do is to set the value stored there to whatever you want. We will use 2000 for this example. You do that by typing “set 0 2000” (if you have more than one address) or simply “set 2000” if you only ended up with one result.

And that is pretty much it, we now have 2000 bullets to use in the game.
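The narrowing search described above, as an added example that is not part of the original post: a small Python simulation of the scanner’s filtering logic over constructed memory snapshots (address-to-value maps standing in for three reads of the game’s memory), so the “38”, then “-1”, then “<” workflow can be followed offline. The addresses and values are made up; scanmem itself is not invoked.

```python
# Constructed snapshots of a process's memory: before firing, after one shot,
# after a second shot. AMMO is the real counter; the others are decoys that
# also hold 38 at first (a constant, a counter that goes up, and a value that
# happens to drop by 1 once and then stays put).
AMMO = 0x0804A130
SNAP0 = {AMMO: 38, 0x0804A200: 38, 0x0804A3F0: 38, 0x0804B010: 38, 0x0804B020: 7}
SNAP1 = {AMMO: 37, 0x0804A200: 39, 0x0804A3F0: 38, 0x0804B010: 37, 0x0804B020: 7}
SNAP2 = {AMMO: 36, 0x0804A200: 40, 0x0804A3F0: 38, 0x0804B010: 37, 0x0804B020: 7}

def initial_scan(snapshot, value):
    """First search (e.g. "38"): every address whose box currently holds value."""
    return sorted(a for a, v in snapshot.items() if v == value)

def narrow(candidates, old, new, cond):
    """Follow-up search: keep candidates whose change between two reads matches
    cond: '<' / '>' (decreased / increased), '=' (unchanged) or a delta like '-1'."""
    tests = {"<": lambda o, n: n < o,
             ">": lambda o, n: n > o,
             "=": lambda o, n: n == o}
    if cond in tests:
        keep = tests[cond]
    else:
        delta = int(cond)  # "-1", "+5", ...
        keep = lambda o, n: n - o == delta
    return [a for a in candidates if keep(old[a], new[a])]

def watch(snapshots, addr):
    """Like "watch N": the values seen at addr across successive reads."""
    return [s[addr] for s in snapshots]

def set_value(snapshot, addr, value):
    """Like "set": write value into the chosen box (mutates snapshot in place)."""
    snapshot[addr] = value
    return snapshot[addr]

def run_search():
    """The whole workflow from the post, on the constructed snapshots."""
    c = initial_scan(SNAP0, 38)        # "38": four boxes match
    c = narrow(c, SNAP0, SNAP1, "-1")  # fire once, "-1": two remain
    c = narrow(c, SNAP1, SNAP2, "<")   # fire again, "<": only the ammo counter
    return c
```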


[Closing]

It should be obvious to you that throughout this tutorial I was playing a single player game and that this is a very basic tutorial on gamehacking. How useful this technique is in multiplayer games depends on how much of the work the server is doing versus how much of the work is offloaded to the clients. You will find that in most instances in multiplayer games memory editing won’t be very useful, but it can come in handy sometimes. I recommend that you use this tutorial as a building block in your game hacking career.

Many years ago I used memory editing in order to create characters with maxed stats in a multiplayer game called Neverwinter Nights.  It worked because the character creation was done client side, and the stat limits were enforced through the game’s UI.  By editing the memory and bypassing the UI I was able to send to the server characters that had illegal stats.  Once accepted by the server, however, my characters would become part of the server character database and when I logged in the server would just pull whatever stats were saved with the character and hand them back to me.

In the next articles I will show you how to do more advanced things in game hacking, like using an interactive debugger to find game functions and how to modify the game at run-time to achieve effects that you cannot achieve through memory editing.