
Rush B, Blyat! - Game Hacking for Noobs

BSides Munich · 2020 · 21:57 · 334 views · Published 2020-09
Speakers: Philipp Schmied
Category: Technical
Style: Talk
About this talk
Over the past year I’ve noticed that many people are particularly interested in the field of multiplayer game hacking, since these kinds of blog posts get quite a few clicks on my blog. Detailed information on this topic is hard to find on the internet, especially documentation of game hack source code. That’s the reason why I decided to create two game hacks myself, with the goal of sharing my knowledge afterwards. Two hacks have been created for this purpose: a wallhack for the Quake 3 engine based game Jedi Academy and an aimbot/NoFlash hack for Counter-Strike: Global Offensive. A wallhack lets you see enemies through walls, and an aimbot automatically aims at enemies. With NoFlash, flashbangs that block a person’s view get neutralized.
by Philipp Schmied
Transcript [en]

Yo yo, and what's up, welcome to my talk on game hacking. I do computer stuff and I also have a blog, and if you want to know more on game hacking and the stuff I'm going to present today, you can also read my blog post, which you can find on this link. That's me, 12 years old, wondering how wallhacks and aimbots and all these cool hacks for Counter-Strike work, and now, one year later, I have decided to create some hacks myself and present my results.

Cheating is actually quite popular in professional Counter-Strike: GO gaming, as you can see right here: this guy was called cheating at a tournament and kicked out immediately. And of course it's also profitable to create cheats and sell them, and also to use them, because if you win the tournament you can get lots of money. Also, I think those techniques I'm going to use for game hacking are quite interesting, because you can transfer them to stuff like malware writing and antivirus evasion.

There are a few tools you're going to need. For example, I'm using Visual Studio; I'm creating all my hacks in C++. You also need a debugger for the games themselves; I use x64dbg. And you also need a reverse engineering tool of choice, for example radare2, Cutter, Ghidra, whatever you need. A really handy tool is Cheat Engine: it allows you to scan game memory for known values, and you can basically find all those memory structs and objects using a simple scan in Cheat Engine.

There are a few types of game hacks that you can create. One of them is internal, which means you're injecting custom code into a game's process and running inside of that memory segment. And there's also the external hack, which reads and writes memory of another process externally. You can also use something like Frida to instrument your games, but I'm not going to go into that today.

The first hack I have created is for a game called Jedi Knight: Jedi Academy. It's based on the id Tech 3 engine; people also call it the Quake 3 engine. When you're creating hacks you need to be aware which game engine is in use: you're going to use a different approach for id Tech 3 engine based games compared to something like Counter-Strike: GO or other games. You need to have a basic understanding of the game architecture and the rough program flow. For example, for the id Tech 3 engine based game Star Wars, there's the main executable, it's called jamp.exe, and there's a server virtual machine and some client virtual machines. Those virtual machines use bytecode to be portable across different devices; that's part of the game engine itself. The important thing is that they are implemented in their own DLLs, and the most important one for game hacking for this engine is the cgame virtual machine. The virtual machines and the main executable can call each other: for example, it's possible that the main executable performs a call inside of the DLL, and of course the DLL can also perform callbacks to the main executable. So for example, if the main executable wants a new frame of the game to be rendered, it calls a function of the cgame virtual machine and delegates the task to this virtual machine.

The cgame QVM is implemented in the cgamex86.dll file, and it has exactly two exports, which you can list using radare2. The dllEntry export and the vmMain export are helpful when creating hacks. So for example, the vmMain export is being called by the main executable to perform calls inside of this DLL, and the prototype of it is like this: you specify a command in the form of an integer, and you can pass 12 additional integers as parameters, which is like a generic way to perform calls into this QVM. The handy thing about this is that this function gets called for things like a new game being loaded or a new frame being drawn on the screen, which you can now intercept when you're creating hooks. So for example, if you're creating an aimbot, you'd want to perform calculations each frame and check whether the view has to be adjusted to automatically aim at an enemy's head or something like that.

Then there's the dllEntry export. It allows the cgame QVM to perform callbacks into the main process. So for example, if a new player is being added to the screen, or if a player moves on the screen, or new game data is being received from the server, then this QVM will perform callbacks into the main executable. This is the prototype for dllEntry, and one important thing is that it receives a function pointer from the main executable that points back to a function inside of the main executable. So you can use this one to perform callbacks, but more importantly, you get notified in case an entity is added to the screen or it moves, as I already said. So you can manipulate this program flow in order to display an entity on top of walls, which is the main goal of a wallhack.

So let's see what happens as soon as the main executable wants to call dllEntry. It loads this DLL inside of its process space and it calls the Windows API function GetProcAddress with the argument dllEntry. This call returns the address of the dllEntry function inside of this DLL, which the main executable can now use to actually perform the call. So the plan is to create a hook on GetProcAddress for the main executable and return our own function in case the main executable wants to perform a call for dllEntry.

The actual code of the hack has to be injected into the game process, and for that you can use an easy method like DLL injection, which causes a DLL to be loaded inside of the target process and to be called. For this you need a loader and the DLL itself. I've created my own loader, which basically follows a standard technique called LoadLibrary injection: you open the game's process using its PID and you get a handle to it; you get the address of the LoadLibrary function inside of kernel32.dll and store it in this value; next you're allocating memory inside of the target process, you're allocating MAX_PATH bytes and you make it writable; next you're writing to this process memory, and you're writing the path to your DLL into it; and lastly a call to CreateRemoteThread is done, which causes the game to call the LoadLibrary function on the path that's passed to it. So it loads the DLL and starts at the DLL entry point, and you can verify that it's working by spawning a message box or something like that. Of course this technique is not very stealthy, so to bypass any anti-cheats you may need to do some additional work.

For the hooks themselves you can use a library like mhook, or you can implement this functionality yourself. I've used the mhook library for my project, and it has an API where you can pass the original function address and the function that has to be called instead, and that's it. So now, with the call to GetProcAddress being hooked, you can check whether dllEntry is being requested and you can replace the returned address with your own hooked dllEntry function, and for all other cases you just call the original GetProcAddress and let it handle the rest.

So now, with the hook being set up, I wanted to create a wallhack, and I've integrated the official SDK for this game to have all flags and values available that I'm going to use now. I proceeded to intercept the function that adds entities to the screen. I've created my own function called syscall hook, which gets called instead of the original syscall handling function, and I've created one case where I'm going to execute my own code, and that's the case as soon as the command equals this value. This tells the game engine that the entity that's in arg0 is going to be added to the screen, and I'm hijacking this value and I'm adding another engine flag to it. This flag tells the game to ignore any depth information for an entity, which causes it to be rendered on top of the screen, in front of all walls or items or other things. This is what it looks like in action: you can see those enemies through walls, and I've also added some custom shaders for enemies so you can actually see who's an enemy and who's a friend.

The other hack I've created is an aimbot for Counter-Strike: GO, and for the Linux version of it. You need some tooling for this to make all this game hacking stuff work: you need Cheat Engine and you need access to the proc maps file of this game, so you can see where shared objects are being loaded. The general plan to create an aimbot is to find your own player inside of the memory and get those coordinates from it, so you can actually see where you are on the map. You need to do the same for all enemies, so you need to get those coordinates as well. Then I proceeded to calculate who's the nearest enemy, and then I adjusted the aim to this exact enemy.

So now it's required to find your own player inside of the memory of the game, and I knew that there's a shared object called client_panorama_client, and some functionality is actually directly handled by this shared object instead of the main executable of CS:GO. So then in Cheat Engine I've selected this shared object and I've performed some memory scans inside of it. I've searched for known values such as the health of my player, and then I've decreased the player's health by jumping off a ledge or typing in some commands in the console, and then I've performed a new search, and I did it all over again, and then you eventually end up with a list of maybe a few addresses that contain the actual health of your player. Now the problem is that as soon as you restart your game, most of those addresses will become invalid, since the game will be mapped to a new location in memory, and all those shared objects as well. What I did was I added all addresses that contain the health to the address list of Cheat Engine and I've restarted the game a few times, and some pointers, actually it was only one, remained valid across multiple game restarts. That's what's called a static pointer, which you're going to rely on to always find your player structure in memory. If you don't have a static pointer it will be really difficult for an external hack to do stuff reliably.

I did the same for enemies as well. I've created a game with bots and I've typed in some commands so that they are frozen, and then I pushed them up hills and pushed them down, and I performed some scans in Cheat Engine to see increasing and decreasing values. You need to do that all over again, and eventually you'll end up with values that seem to be coordinates, and you can verify it by displaying them on the screen and pushing the enemy, and yeah, you can then watch the memory changes live and verify that you've found the real address of an enemy in memory. For CS:GO there's a structure in memory that contains all enemies in an array, and the object I found on this GIF that I'm showing here is inside of this array, so I can just loop over this array and get all enemy structures in memory, and with that of course their coordinates. Now you can calculate the 3D distance from you to the nearest enemy, so you take all enemies, perform this calculation, and you take the minimum of this calculation, and then you have the nearest enemy.

Now the last remaining thing is to actually calculate the angle you need to look at to automatically aim at an enemy's head. The first thing that's calculated is a delta, which means you're taking your x, y and z coordinates and you subtract them from the ones of your enemy, which makes you, in this imaginary triangle, the new origin. So next you know this value and this value, so you know two sides of this triangle, and there's one side missing. The next calculation does exactly that: it calculates the remaining side of this triangle, and now it's possible to calculate the two angles you need to look at the enemy. These are those calculations right here, and the third value is always zero, because the game has a 3D coordinate system and the screen only has two, x and y. If you want to know more about this calculation, I have some good references at the end of my talk. I will upload the slides directly after my talk has started.

Now that those camera angles are known, there's only one thing missing, and that's actually setting the camera angles programmatically from outside of the game's process. For this I've also used Cheat Engine again. There's a command inside CS:GO to display all positions and view angles on the screen, so I've enabled this option and I've used Cheat Engine to scan the memory for those view angles of my current player that I displayed on the screen, and then I froze those addresses, and now I couldn't move the crosshair on the screen. Then I just unfroze half of my address list and I've checked if I can move the crosshair again, and if you follow this procedure you end up with one static pointer to an address that contains the view angle, which you can just use inside of the hack: you write a value to it and the game will just adjust your view to it.

That's a quick demo for the aimbot. It tries to automatically aim at the enemy's head, and of course it's super unsteady; it doesn't check whether an enemy is actually seen on the screen or if he's behind a wall. You would need to do some additional work here to make that work, but you can actually use it online. I've tried it; you only get banned because people complain that you're cheating, because it's quite obvious, but the anti-cheat didn't detect this external hack.

So, a few words about detection. Some people say VAC, or the Valve Anti-Cheat that's used for CS:GO, is a joke, because it mainly uses signature based approaches to detect known cheats, which means that if you're using public code you're going to get banned, but if you're using your own code then it's going to be fine, as long as you're hooking functions in the middle. It can detect where a function gets hooked by checking the first few bytes at the prologue of this function, but if you just hook existing functions in the middle of them, it's very hard to detect, and currently that's the approach you're going to use. And of course you can also use all those fancy malware techniques like polymorphism or manual mapping, where you implement the Windows API call LoadLibrary yourself without actually calling LoadLibrary, so you end up with your DLL being injected into the game but it's not going to show up in the list of loaded modules. So you can use that to evade some anti-cheats.

So that's it. If you have any questions you can ask in the chat right now, read my blog posts or all those references I've put on this slide, and don't cheat at LAN parties.

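The detection point raised at the end of the talk (a prologue scan catches a hook placed at a function's first bytes, while a hook placed mid-function slips past it) as an added example in C, not code from the talk or its author: a prologue opcode check beside a whole-body comparison against a baseline snapshot taken at startup. The function bodies are constructed sample bytes, and `prologue_looks_hooked` and `first_modified_offset` are names chosen here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Prologue scan of the kind the talk attributes to VAC: flag a function whose
 * first bytes are a redirect (common x86/x64 trampoline opcodes). 1 = suspicious. */
int prologue_looks_hooked(const uint8_t *p, size_t n)
{
    if (n >= 5 && p[0] == 0xE9) return 1;                  /* jmp rel32 */
    if (n >= 6 && p[0] == 0xFF && p[1] == 0x25) return 1;  /* jmp [rip+disp32] */
    if (n >= 6 && p[0] == 0x68 && p[5] == 0xC3) return 1;  /* push imm32; ret */
    if (n >= 12 && p[0] == 0x48 && p[1] == 0xB8 && p[10] == 0xFF && p[11] == 0xE0)
        return 1;                                          /* mov rax,imm64; jmp rax */
    return 0;
}

/* Whole-body integrity check: compare the function's current bytes against a
 * baseline snapshot taken at startup. Returns the offset of the first changed
 * byte or -1 if unchanged, so a hook placed mid-function is caught as well. */
long first_modified_offset(const uint8_t *baseline, const uint8_t *current, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (baseline[i] != current[i]) return (long)i;
    return -1;
}

/* Constructed 16-byte function bodies (sample data, not from any game binary). */
const uint8_t clean_fn[16] = {
    0x55, 0x48, 0x89, 0xE5,        /* push rbp; mov rbp,rsp */
    0x48, 0x83, 0xEC, 0x10,        /* sub rsp,0x10 */
    0x90, 0x90, 0x90,              /* nop x3 (stand-in for the body) */
    0x48, 0x89, 0xEC, 0x5D, 0xC3   /* mov rsp,rbp; pop rbp; ret */
};
/* Same body with its first five bytes overwritten by a jmp rel32. */
const uint8_t prologue_hooked_fn[16] = {
    0xE9, 0x00, 0x10, 0x00, 0x00, 0x83, 0xEC, 0x10,
    0x90, 0x90, 0x90, 0x48, 0x89, 0xEC, 0x5D, 0xC3 };
/* Same body with the jmp placed at offset 8: the prologue is intact, so a
 * prologue-only scan reports it clean (the gap the speaker describes). */
const uint8_t mid_hooked_fn[16] = {
    0x55, 0x48, 0x89, 0xE5, 0x48, 0x83, 0xEC, 0x10,
    0xE9, 0x00, 0x10, 0x00, 0x00, 0xEC, 0x5D, 0xC3 };

int main(void)
{
    printf("prologue scan: clean=%d head=%d mid=%d\n", prologue_looks_hooked(clean_fn, 16),
           prologue_looks_hooked(prologue_hooked_fn, 16), prologue_looks_hooked(mid_hooked_fn, 16));
    printf("baseline diff offset: head=%ld mid=%ld\n", first_modified_offset(clean_fn, prologue_hooked_fn, 16),
           first_modified_offset(clean_fn, mid_hooked_fn, 16));
    return 0;
}
```

The baseline comparison only works if the snapshot is taken before any foreign code can run in the process and is itself kept out of writable memory the cheat can reach.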