Java Business coder looking for entry hooks into game hacks + some questions

06/11/2019 11:09 Fantastix#1
Hi, not sure if its better fit to talk in german or english, guess i ll go with english


so i am a mid level java developer, thats been writing business logic in java/js/typescript(angular)

and recently got hooked into a game..

i am interested in the gamehacking topics and was browing through the forums which left me with couple of questions..

i m not very fluent with c#/c++ (last i ve done something in those languages has been about 5+ years ago), but i am really excited to get deeper into that material

i have been playing with cheat engine a little bit (really powerful tool :D)

so my questions would be


1) is there a general consensus regarding best practices about the architecture of a bot?

2) dll injection only applies hooking common methods that are in a dll right? but if the program uses methods that are not in a dll, there are more work involved (more debugging/decompiling works)?

3) any more readingn sources into that topic? (i saw the stickied threads)

4) so afaik anti cheat programs scans your memory to detect common cheat structures? do they have the access rights to see my memory dump? Oo

5) ideally a bot lies between the UI-Layer and the method calling layer, basicly simulating the call of an action as if the user send that command to the game via the UI?
so what i want is to find the memory adresses of those methods and call them with my bot?

6) i need to read the gamestate correctly in order to act, so reading the gamestate also requires memory hacking, but how the hell do i find information about game states like the position of my character, i have no clue where to start here, since the value can be ANYTHING basicly



thanks in advance

edit: basicly to summarize

ideally if i got the decompiled code: read it to understand how the program works, helps a ton (there are decompilers out there, but might be obfuscated)

then:
read the state of the game
bot state should match game clients state (e.g. login state, we read games memory if its in the login state and inject it with the necessary information e.g. login information etc..)

?
06/11/2019 15:04 warfley#2
Quote:
Originally Posted by Fantastix View Post
1) is there a general consensus regarding best practices about the architecture of a bot?
Lol, this question can only come from a java developer :D
Depending on the kind of bot you surely have similar architectures for similar problems, but afaik the gamehacking scene is more of an "artists ground", software engineering with all it's patterns and best practices hasn't come to us yet

Quote:
Originally Posted by Fantastix View Post
2) dll injection only applies hooking common methods that are in a dll right? but if the program uses methods that are not in a dll, there are more work involved (more debugging/decompiling works)?
DLL injection is a powerful tool as it allows you to write a program as a DLL and than, by injecting, executing it in the targets virtual memory. This allows you to fully access any resources of the process, as you are part of the process. You can use it to hook functions, you can also use it as a simple memory hack. As soon as you are in the targets memory space, you have full control over everything, thereby dll injection is always a good solution (if it's easy accomplishable)

Quote:
Originally Posted by Fantastix View Post
3) any more readingn sources into that topic? (i saw the stickied threads)
Modern operating systems by Tanenbaum has really opend my eyes how an OS and processes on modern OS'es work. Really about game hacking I don't know. Also looking into reverse engineering can be quite helpful

Quote:
Originally Posted by Fantastix View Post
4) so afaik anti cheat programs scans your memory to detect common cheat structures? do they have the access rights to see my memory dump? Oo
Well, anticheats do much more, and they evolve. For example they check the hash of all loaded libraries to make sure you didn't replace a DLL with your own so you could bypass the DLL injection protection. It really depends on the AS

Quote:
Originally Posted by Fantastix View Post
5) ideally a bot lies between the UI-Layer and the method calling layer, basicly simulating the call of an action as if the user send that command to the game via the UI?
so what i want is to find the memory adresses of those methods and call them with my bot?
First of all, most games don't have a UI layer as you usually have with frameworks. So every game kinda has to implement the menus, controls, etc. all for itself (sure common engines have common functionality, but the overall architecture is for the programmer to decide). Games work much more like oldschool Windows 3 GUI applications written in Basic. (i.e. polling of events, and handling everything yourself).

But you can still hook/intercept or call the games functions by yourself, if you can find them. This is called reverse engineering, and isn't easy. You can for example run the process in cheatengine, IDA Pro or Binary Ninja, and check which code gets executed on which actions. But overall this is not simple

Quote:
Originally Posted by Fantastix View Post
6) i need to read the gamestate correctly in order to act, so reading the gamestate also requires memory hacking, but how the hell do i find information about game states like the position of my character, i have no clue where to start here, since the value can be ANYTHING basicly
Debug your game (e.g. with cheat engine), run around and check which memory location changes with values that fit your movement. Maybe you have to chase some pointers to get the root pointer(somewhere located in .DATA or the stack).
Usually games are written in C++ (or any other compiled language) meaning it's likely that there is somewhere a continious block of memory that contains all infos of a character (i.e. the C++ character object). Than it's highly likely if you have x and y coordinates that the z coordinate is located somewhere near

Quote:
Originally Posted by Fantastix View Post
ideally if i got the decompiled code: read it to understand how the program works, helps a ton (there are decompilers out there, but might be obfuscated)
I started to become a fan of Ghidra for reverse engineering (don't do it often, but for a noob like me ghidra is quite awesome), it has a great decompiler to C (as im really bad at reading assembly), and has a lot of usefull features (like constructing the CFG, etc.) and is completely free and open source. But it doesn't have a debugger, so you need some other tool for this (I think for game hacking cheat engine is quite good, im usually sticking to gdb, but im not into gamehacking so much)


Edit: something i just recalled, there is this game [Only registered and activated users can see links. Click Here To Register...] which was developed for a CTF challange and is only beatable by hacking the game. It covers nealy everything from packet manipulation, memory manipulation, reverse engineering etc. and there are a tone of solutions out there if you can't solve it. I think this will teach you all the basics. The real problem is then getting past the anticheat in a real game
06/12/2019 01:28 FMaki#3
1.) There's a bunch of people injecting their dll and doing shit without creating a new thread, another bunch at least create a new thread and then create some kind of trainer with a loop and calling GetAsyncKeyState every time checking for some keys, and some put some sleep calls in there... Does that sound like best practices? Ofc you should respect some basic coding practices. Doing callbacks instead of polling for a key is not as straining on resources and you should prefer to do that. But it costs time and some skill many just don't have. And that's just one example. So if you want some good architecture you probably need to find it yourself. And your first solution will probably always be a mess anyway.

2.)You can do nearly everything with dll injection. And there are too many ways to do the injection itself. You can manipulate data, you can call dll functions and you can call game functions. You're right with your decompiling/debugging. You need to know the calling conventions, parameters of the function and the position of the function in your code. It's kinda complicated and you need some advanced knowledge about pointers to make it work.
Code:
int* someVariable = = (int*)*(int*)((DWORD)foundPattern + 0x33);
That's some normal code in most hacks (although you can make it look pretier)

3.)Regarding Reverse Engineering, most people recommend Lenas tutorial. But before that(and anything else regarding game hacking) you need some fundamental knowledge of c++, so something like "c++ primer" is something you should read aswell. Obviously you can nearly skip all of the easy stuff like control structures, but especially pointers are really needed. For game hacking itself, there's enough tutorials online, just start looking into basics things. If you want you can start with some external hacking with WriteProcessMemory and ReadProcessMemory. You can start with some internal hack aswell, just skip external. Dll injection, manipulation of data (just getting the address and calling "*variable = 20;"), hooking of dll functions(you can use a library aswell for something like that and it's easier cause you can look at the header file to see the parameters and dll normaly wont use __thiscall aka classes). And then just go deeper and deeper, diffrent injection methods, calling game functions, disabling anticheats. And msdn, the microsoft developer network is your best friend,

4.)Some anticheats are installed as drivers, they can basically do whatever they want. They don't operate in user mode and can read all memory of user mode applications. They're malware in itself.

5.)Find the memory adress, find out the parameters, find out the calling conventions and sometimes find the pointer to some of the pointers(for example you probably need a pointer to your own character to call the move function on it) and then you can call it. There are some other methods aswell. For example you could go for a packet based bot, intercepting packets send to the server and manipulate them. You "only" need to hook the send and recv function for that(normally the data is encryped, so it isnt that easy).

6.)You actually wrote the programm you need/can use for that already. Use cheat engine. Stand somewhere and search for an unknown initialized value, move and search for an modified value, repeat until you have a few adresses left. Now you have some game state you can read and manipulate if you want to. After that, you need to find a base pointer. And if you don't want to update that value every patch, some additional pattern searching to automatically find that values. But that's some advanced thing. Start simple. You get a feeling for most things after a while. Like most games store their Position in a Vector3 with float values, in memory that are 3 floats one after another. So if you move on a plain field, two of them should change. That's some little things that can help you find that value.
And reverse Engineering can give you that value aswell if you find the functions using it you can "steal" it from there. But normaly you will do it the other way around. If you have reversed already a few things you can guess some things that way. And with time you will find some patterns. Having programming knowledge with a professional background can help. For example an seemingly empty function getting called from nearly everywhere with some string doing nothing is a prime example of something like that

Code:
void printDebugString(char* string) {
    #ifdef DEBUG
    printf("%s", string);
    #endif
    return;
}
If you have already seen something like that it's easier to guess. At least sometimes it helps
06/13/2019 15:49 Fantastix#4
thanks for the replies, i reliazed that i almost know nothing :D, so i ordered tanenbaum, it was a book i should ve read 10 years ago, but i was lazy then... :D
06/14/2019 19:41 Omdi#5
This is to be honest the wrong forum to get started in gamehacking.
You should look on UC there are tons of tutorials and resources you can learn from.