
Hacking "AAA" Unreal Engine Games with... Python? - Ross Simpson | BSides Cape Town 2023

BSides Cape Town · 27:44 · 6.9K views · Published 2023-12
About this talk
A quick look at an open source Python framework with a novel approach for making undetectable "ESP" hacks for big retail games, and maybe some real world output with the help of an Arduino. The framework takes a novel and very likely "undetectable" approach to hacking big Unreal Engine games. It's a surprisingly simple but impressive approach, which will be compared with common alternatives, with just enough Unreal Engine game hacking info to get someone started. The demo will show how values and locations of other players in a "AAA" multiplayer title are found, read, and displayed on screen to give a very unfair advantage. But this power could also be used for good: having Python talk to an Arduino to potentially build custom accessibility features, such as force feedback or audio/visual notifications.
Transcript [en]

Hi everyone, thank you very much for coming to my talk, titled Hacking AAA Games with Python. My name is Ross. I do DevOps stuff in the cyber security industry. I do coding in Python, Java, TypeScript; they tend to be sort of cross-platform scripting languages, not so much compiled language stuff. I do work with some really big, sometimes boring products like Salesforce and ServiceNow, some interesting ones like Google Chronicle, and I also do cloud and Kubernetes stuff like so many of us do these days. I've got no OSCP. I do pen testing on the side. I'm into retro computing, and that kind of all wraps up into a bit of an interest in game hacking. It's not something I'm particularly good at or overly passionate about, but certainly a hobby of mine. I'm still on the site formerly known as Twitter, I'm on Mastodon, I've got a blog where I've got some game hacking posts on there if you're interested to take a look, and I can't settle on an avatar, so it'll be one of those three that you see on the side.

This kind of all started for me years ago with a Nintendo, many many years ago. I think we all know the game Super Mario Brothers, and you may remember you start with three lives. A couple of years later I found out about a device called the Game Genie, which let you enter cheat codes so you could have nine lives or infinite lives or all kinds of other superpowers, and it felt a little bit like some magic spell that you were able to cast on the game to get this to work. I was incredibly young, I didn't understand how it worked, I just knew you plug the game cartridge into the Game Genie and the Game Genie into the Nintendo. I've since learned that that code is actually just an encoding of an address or offset in the game cartridge and a value that should be used in place of the original value, and when you think about it, it's a little bit like a common tool we use today, Burp Suite, because it handles the request to the cartridge's memory or ROM, but when it identifies that certain address, rather than returning the correct number of lives it returns a different value, modifying the response.

This started off as a lightning talk about something that I had nothing to do with other than I found online; I thought it was really cool and noteworthy. It's evolved a little bit into more discovery and learning that I've done on my own. I don't really know what I'm talking about, but hopefully it's enough to spark some interest for you guys. As I say, it's about something I found. Game hacking is surprisingly difficult. Something like Mario Brothers, everything was in a fixed place, nothing was dynamic; you could do a bit of work and it would work everywhere, every time. Games get patches, modern applications use all kinds of dynamic allocation for memory and things like that, so evolving beyond some very trivial hacks is a very sudden, massive step to the next level. But I found this open source external Unreal Engine ESP hack framework and it kind of blew my mind, so I thought I wanted to talk about it to this kind of an audience, because it made me look at things a little bit differently and offered a lot of possibilities. I think even if you're not into gaming or game hacking you can possibly take something away from this and build some kind of cool tools.

You might not know what a whole lot of those words mean, so we're going to take a very quick look at that. So an ESP hack, as it says, extra sensory perception: the general idea is it tells you stuff about, or in, or around the game that you wouldn't normally know. They often look something like this, so you can see the blue boxes and the blue little wire skeletons; this is the player's teammates, the red ones are the enemies. None of them would normally be visible, but this hack is allowing this person to see what's happening in the game beyond what the game intended. They often have things like the name of the other player that you're seeing, perhaps the weapon they're holding, the remaining health that they have. There's another game, same thing; they have a lot in common: health bar, wireframe for the model skeleton, and you can see all the players. Needless to say, gives you a very unfair advantage. But these are quite complex. They're typically compiled code. As I mentioned, I tend to do scripting in multiplatform languages, not really getting deep into sort of Win32 APIs and binaries and things like that. They're commonly a DLL file that gets injected into the Windows application space. You need a separate loader to inject the DLL; that's often flagged as malware. Technically puts you at some kind of a risk, because those need to run as elevated privileges, and then they make changes to the game itself, so you might be susceptible to crashes. They hook functions, change functions, sort of affecting stability. These are often used in FPS games which have three dimensions, so when you want to calculate how far you are away from something you're doing that on three different planes; if you want to represent that in 2D then you have to convert all these 3Ds to 2Ds and calculate scaling. I don't really know or want to do all of that. The framework, however, might offer us something.

ESP hacks are also very easy to detect. As I said, they inject a DLL. This is a normal Windows behavior: an application can see what DLLs it has in its namespace, so a game with anti-cheat software could detect unknown or unsigned or suspicious DLLs and flag you as a potential cheater, perhaps ban your online account or revoke your license or something like that. They can also monitor their own internal functions, so an ESP hack would often hook OpenGL drawing functions, text rendering functions, and if the text rendering function is receiving a parameter saying something like "ESP hack 2000 by Bob", the game might think that's suspicious and go, hey, that's not one of our strings, we wouldn't be rendering that, something's been tampered with, and that could also flag your account or just crash the game or something like that.

You might also make a mistake and betray yourself. Going to take a look at a video quickly of someone playing a game with an ESP hack. You'll see some of the things that I've mentioned, some little wire skeletons moving around, some health bars. And the beauty of this is it's only relevant for the player; her teammates or enemies don't have the same gaming experience she does. She's got an unfair advantage and she feels safe in this. What she didn't realize, though, is while streaming her streamers see everything she sees. The game's output has changed for her and everyone watching her, and unfortunately not only does she lose the round, she kind of loses her entire streaming career. So you won't find her streaming anymore. Whoopsie.

I said AAA game in the title. The game I'm talking about in this case is Sea of Thieves. It's a first-person shooter style hack and slash, open world, whole lot of fun, pirate themed game. It's not as competitive as some of the sort of CS:GO styles; you respawn when you die, there's no concept of rounds, you lose your treasure but you go and kill the person who killed you to get your treasure back, and it's a whole lot of fun. This is what it looks like, this is from the official trailer, lots of freedom to have a whole lot of fun. But yeah, you run around as a pirate doing fun things. Wikipedia says a AAA game is produced or distributed by a major publisher. This game is distributed and published by a very small company that you might have heard of, Microsoft. Please don't sue me. And it's made in the Unreal Engine, which is a framework that lets people very rapidly create games. You don't have to code your own game engine; you download this, sign up, sign a bunch of license agreements, and it gives you a lot of the basic tools that you need to get going, and a lot of really, really, really big games use this. So we're going to be focusing on Sea of Thieves, but a lot of this is sort of reusable; I think bigger picture, not just one single game here.

And this specifically is a framework. Somebody's written some code, and this was going to be a lightning talk talking just about the code, but we're going to look at a few other things. The guy's name is Doug the Druid on GitHub; the S refers to Sea of Thieves. Like I said, it's a framework, totally open source, feel free to go ahead and look at it. What I really like about this is it's not packaged as a cheat for people to have an unfair advantage. It's distributed as code and it's disarmed. It says right there in the readme: you can't use this until you get into the code, debug it, understand it, fix it, toggle some flags, add some code, and I think that's a really nice way. You know, we often say "for educational purposes only" and distribute a button, you know, click here to denial of service someone. The author, I've actually chatted to him, very nice andere guy, and he really wants people to learn and grow from all of this.

So the framework is for Unreal Engines. In this case it's configured for Sea of Thieves, but presumably could work with a wide range of games given that they could be written in Unreal Engine, and it only reads memory, so that makes it an external hack. There's no DLLs being injected, there's nothing being changed, there's no chance of crashes, there's not very much to be detected, and yet it functions like an ESP, showing you other elements of the game that you would not normally be able to see. And at this point I started getting confused, because that doesn't really make sense; it's not true to what I know about ESP hacks and how I would have gone about doing them. I hinted at this previously: it also handles all the 3D calculations and plotting, a lot less likely to be detected, and it's all Python code, so you don't have to go through the process of compiling something, hopefully safely eject the DLL you loaded, inject the new version of your DLL as you're figuring things out, and crashing the game in between, with a very slow feedback loop. It's Python; you just kill the script, make some changes and run it again. And I just, I couldn't figure this out. I sort of read this twice and it just, it doesn't align. How do you change the game without changing the game?

So let's take a look at the game. This is OBS, Open Broadcast Studio, common streaming tool, capturing the game window, not my whole Windows desktop, just the game window. So there's multiple ways you could be streaming; as it says here, this is stream safe. This is the game; it looks exactly like the game would normally look. We're sailing around, we're all alone, we're not under any threat of any players bothering us, not a lot to see. But the hack is actually running at the same time. This was recorded, just the game window; I was also recording my entire, what Windows would consider, display, and things are going to look a little bit different. That square BSides logo is not in my slide, that is rendering on screen. Look at the yellow and orange dots; you might catch some text next to the yellow dot, and a player list on the right, so I get an idea of how many people are around me, how many people are on the ships. As you might guess, those orange markers are other ships; the yellow marker is another player within range. To prevent cheats they don't tell you in the game where all the players are until they're really close to you, so that's why it sort of pops in and pops out a little bit. You couldn't do this with that other streamer's hack; it was modifying the game. This works very differently.

I saw this and I still just didn't get it, so let's look and see what it does. It's Python, as I said. It uses the ctypes library, which brings Python data types that are aligned with C objects, your native sort of lower level language types, and access to the Win32 APIs. That sort of made sense to me; we need to do some pretty low-level stuff in order to make hacks, so that sort of settles that first concern I had. And this is where things get cool. It uses a library called pyglet to create an overlay, which is kind of like another screen in front of your screen. The framework then scans the game memory looking for other game objects such as a ship, calculates their position, is it close enough that we care and want to do something about it, or is it just something that we ignore, again taking care of that pesky 3D math for me. When it finds something that it's configured to respond to, it's able to draw a red dot in its layer, which is separate from the game's layer, and plot things like a label or a distance or a name. But if you've got a window open in front of another window, how do you interact with the window behind it without switching to it? Like if you have Notepad open in front of your game, you can't have both at the same time. Amazingly, pyglet and the framework kind of take care of that for you. All the key presses and mouse movements go through the overlay into the game, so you have a totally normal gaming experience, but it's kind of like an augmented visor, augmented reality visor, that you have in front. And what's really amusing as well is if you switch out the game, like pop ck.exe, the overlay stays up reading the game, showing you what's happening in the game world, so you can kind of keep an eye on your ship, know if someone's coming while you're doing something else like browsing the net.

I was talking to a friend of mine who's more like a mentor; he's actually the one who got me into this game, and telling him about this framework and the data that we can get out, and then he said these four very dangerous, horrible words which normally mean I have to do a bit of work. So in the game you have a compass. There's one on your ship, there's one that your character, if you're off the ship, can hold to get your bearings. You use this to navigate around the world or dig up treasure or things like that, but sometimes you run into storms and your compass just doesn't work, and this can be quite frustrating and cost you literal real time, because you know you get turned around, travel the wrong distance, and you have to, when the storm passes, get back on track and waste a bit of time. And he said, what if we got the compass data out and piped it to a real compass? Well, luckily a compass in this context only works on one axis, so that's not too bad, and it happens to be in the framework that we've got a variable that just tells us where the camera's positioned, so that solves it. But I don't really have a compass. But we could improvise, and maybe we could call this printout from the game a compass, and we might have a friend like Dale, a Raspberry Pi Pico, a serial port, a servo motor, and only need to add just a few lines of Python to Doug's framework to have a working real life compass that responds to what's happening in the game. Thank you. Now you don't actually have to have the compass out in the game; this is actually bound to your camera, so it's almost like you're freeing up an inventory slot. You could be equipping a different item in the game without forfeiting the benefit of having your compass.

So that's sort of the one part, that's the framework, and specifically pyglet. I think the whole overlay thing is really, really cool, but now I want to know how this works, so I understand how it can be an ESP hack in kind of a read-only mode, but let's get a bit deeper. We're going to kind of work backwards and drill all the way down to sort of the first line of Python. It's going to get a bit technical and I am sorry if you find this boring.

So part two: how does it actually work? Let's talk Unreal Engine. There are at least three major versions of the Unreal Engine around, three, four and five, and even within those versions there are sub-versions, and they all do things a little bit differently. So if you want to hack a game, much like if you want to hack or debug an application, you need to know how it works, so you kind of need to know what version it is. Unreal 5 is a hot topic at the moment, so a lot of games might advertise, you might find on Google in news articles, that they're using the new Unreal 5 game engine. But how do you know otherwise? Well, it turns out it's quite simple. You find the exe file, you right click on it, you go to the Details tab, and they advertise this: hey, my file version is this. So that solves our post toal. Now we can look at a game, figure out what engine it is, and choose how we want to go and hack it.

Within the Unreal Engine itself there's probably a common path of attack that we want to perform. There is a UWorld or a GWorld, which represents the game world, as you might imagine what it looks like, what it involves. Ultimately this is the game from a game studio perspective; it's the part inside of the Unreal Engine that they've added. Within the world is a level, literally like a Mario level, but ultimately it's a container of all the things that are going to play out. Some games might have one level, some might have multiple, and within that level are all the level's objects. Those sound pretty straightforward. The problem is these objects are kind of abstract types, so we might be able to find them, but we don't really know what they are or what they do. So there's this other thing called GNames, which is basically an array of strings. Each object points to an element in that array, so if you find that and you find that and you do the lookup, now you can kind of unmask these things; you get a name for all the objects. Now we can decide, hey, we want to go and plot a marker for ships, so we can filter out 99% of the events that we're seeing or finding, or objects, and just focus on the ones we want to program for. The problem is we need to find things like the GWorld, the level, the objects in the game's memory. How do we do that? It's effectively a black box; it's compiled code. So we need to find the code which references the Unreal Engine's GWorld property, which points to the randomly allocated memory address where the data actually lies. And this is where things get really complicated, especially if you're trying to do it all manually, but it turns out there's ways of doing this.

So a lot of patterns are already found and published for games, so a lot of the groundwork might already be laid for you. In the case of Sea of Thieves, and as Doug's framework users, people have already done some of this work and they publish patterns. You'll see question marks are sort of wildcard matches, and ultimately if you scan the whole of the game's memory for these bytes you will find some code that matches, hopefully just one result, and that's sort of your entry point where you're going to start working and digging a bit deeper. But if it's a custom game or a friend's game, or maybe it's a CTF that someone's made for a conference, then you kind of have to do all of this on your own. So we're going to skip ahead a few steps, but you can get access to the Unreal Engine source code, and if you find something in the source code that references the thing that you're interested in, you can go about finding that for yourselves. You don't have to pay any money or sign anything too scary; you can link your Epic account to your GitHub account and they'll give you access to their code. So in this case I've identified a function which I think is quite interesting, FEngineLoop::Tick. If we scroll down a little bit we see there's a UWorld property which points to GWorld, and again the GWorld is the game world; that's the thing we want to get access to.

The problem is we found code on GitHub in a very generic library that tens or hundreds or thousands of games all use. We've got an exe. How do we draw a parallel between potentially any game that's been compiled versus this one set of source code? We kind of need to find a mapping here. Well, how do we normally go from source code to binary or hex code? We compile it. So let's take the Unreal Engine, let's make a game with the same version that we found out a few steps ago. We can enable an option for debug files for our own game, we can open our game in a debug tool such as Ghidra, IDA, and do a bit of reverse engineering with our debug file. So we're going to search again for the FEngineLoop::Tick function, and on the left you see we're searching for it in all the functions. We find it, and you can see that red box is the UWorld proxy GWorld property that we were looking for. Great. That doesn't help us a whole lot; it's our own little game, it's isolated. But if we look at the bytes around that, we look at what the code's doing, I'm not asking you to read assembly, just look at sort of those hex characters in the sort of left column there. We can sort of pull those out, and everywhere that there's a reference to that GWorld UWorld proxy, that's a dynamic thing, it's going to be somewhere in memory, it's going to be specific to our build of the file, so we just replace all of those with question marks. We're just looking for enough bytes around this space that we can use.

So now that I've found some bytes, and honestly this is my first time doing this, so I'm surprised that it worked and it was this easy, but you find these bytes in our exe. Now let's go hunting in the target game and see what it does. But first I wanted to prove this to myself, so I had my first game that I built with debug mode enabled, and I created a totally new one: same Unreal Engine, same version, new source code, different template, different type of game, different compilation, different flags, and sure enough I find exactly the same code, although the offsets are a bit different and the memory addresses are a bit different. So at this point I have a string of bytes I can search for to zero in on some specific code, and it works pretty well. Not Sea of Thieves, because they use their own modified, hacked version of Unreal Engine, but a different Unreal Engine game. I went and grabbed that exe. This is a game called High On Life, which you get off Steam, pulled it in, and I did find the code. It was a little bit different: these bytes are 3Bs, that one's a 33, so all we do is we swap our 3B in our string with a question mark, and now I've got a unique fingerprint that works in two of my games and a Steam-bought, totally external, massive app, or massive game, and I'm sort of able to zero in on that property that I need to go about hacking. Unfortunately we need to do this for a bunch of other ones. We're not going to do it, but the process is much the same. So for example I found there the F object array, which lets us get objects we likely want: games, levels, things like that.

Assuming we can get all the data out of an Unreal Engine, we still need to know what's actually in the game. What do they call their objects, what type of objects are there, weapons, ammo packs, what properties do they have, do they have superpowers? That's all really hard to go about reverse engineering, so people have made Unreal dumpers, and these are generally game agnostic, again it depends on the version, but it's able to do like a whole lot of reverse engineering, and they tend to output what's called an SDK, a bunch of files often meant for people using C, C++, C#, so you get to know the literal names of things, the properties, the data sizes, and makes a really nice SDK if you're going that route. Doug the Druid maintains one for Sea of Thieves, so if you want to go create your own Sea of Thieves hack, not even using his code, he at least makes all the data available to you so you know what you need to work with. Just a little bit deeper than that is actually Python doing things. I touched on this already: it uses ctypes, and you can use a library called psutil, and this is the part that actually lets you get access to the process, to read its memory, to get various offsets, and that's what makes it happen.

Just to show a few, well, so over to you. I would say if you want to play with something like this, let's take the framework and make it work for a different game. Why not create an overlay? Maybe you don't want to do anything with Unreal Engine; just take the pyglet layer, make your own overlay for any app. Steam, Discord, they've all got overlays, I know they do things differently, but there's a lot of useful things for that. You could have Doug's framework or a version of it post to your stream, perhaps on Twitch or to Discord, when things happen in the game: when you get attacked, when you die, when you unlock an achievement. You're able to now hook and read all these things and you can just use Python to write out to something else. It's Python; everyone's doing AI in Python, well what if, I don't know, we started doing machine learning, or passed all the data to ChatGPT? There's some Win32 APIs that you can use to send key presses back, so now you can kind of change this ESP hack to an evil, evil aimbot that shoots for you and does various things for you. What about accessibility mods: vibration, force feedback, flashing lights, playing sounds for people who have disabilities? You could also do something kind of crazy like this guy, not an Unreal Engine, but it's Python, so why not make a REST API for your favorite game so your friends can follow along, or who knows.

I think we have a little bit of time, so more stuff. What next? There's a lot of really good tutorials online by these two guys around G and GNames and how they work, far more than I could really go into, but it does a really good job of explaining why you need them, how to find them, different strategies. Again, a lot of the time there are already SDKs or patterns published online, so you often don't have to do a lot of the work yourself, but really, really good videos in understanding the Unreal Engine. This Unreal Engine dumper supports multiple versions. It's kind of my go-to because it just supports the most games. A lot of people write an Unreal Engine dumper for a certain game; Sea of Thieves, as I said, has a few twists, so there are a few that are only able to dump Sea of Thieves, but this is just a really good tool if you're getting into this and you want to pull that information out of an Unreal Engine game and see what's happening. Cheat Engine, totally separate from Python, is just a very generic cheating tool. It's got a built-in debugger, a whole lot of really awesome features, and it's also got what they call cheat tables, which is a way of storing rules, preset cheats or some basic scripts. And someone's done what I think is incredible and taken the Unreal dumping logic, brought it into Cheat Engine, so through one app, in real time, without writing any code, you click a few buttons and all of a sudden you're in a debugger window and everything's named, and you're hunting for GObjects, and instead of all these dynamic random addresses you're scrolling past really useful objects, you're finding functions, and you're just NOPping out stuff, and that's just an absolute game-changer.

So just inside of Cheat Engine, using it to look at code, using it to write my own cheat table that changes a few lines of assembler, I've been able to make a hack for the game High On Life. Normally you're not able to shoot when you're out around the city; you can't shoot the civilians. When you go indoors the gun disarms, it actually moves out to the side, you can't shoot. But we can just disable those methods, and again I found all this in Cheat Engine, mostly just clicking around, a bit of right click, replace with code that does nothing, and all of a sudden I'm bypassing game functionality that would normally provide a kind of a locker. I've got a video stuck in the way, but there was another link there, sorry, so I don't have the last one, but there's something called an Unreal unlocker. When you're building an Unreal Engine game there's a whole lot of debug functionality: there's a console, there's a whole lot of functions for spawning objects randomly. When you use an Unreal unlocker you're able to put that back in the game. So we're talking a game that you've bought off Steam, you're running it, it hasn't shipped with these features; it's able to re-inject all of those so you can just spawn objects or items on demand. You don't even have to write sort of the hack yourself, so it just makes it really easy to cheat in a whole bunch of games.

A little bit of a disclaimer, should maybe come first: please don't cheat in multiplayer games. I know we've demoed some of that today, but it really affects the experience for other people. If people stop playing your favorite game and you've got no one to play against, you're going to stop playing your favorite game. If people stop playing your favorite game, it's going to stop getting improvements, patches and new content. Please don't affect servers' profits or things like that, or it really will go away. But also don't think that game hacking can't teach you real world skills. I'm talking reverse assembly, binary analysis, all kinds of things. We haven't even touched on games that make API calls or, say, network traffic; there's so much there. So go have a play, learn about Win32 APIs, learn a bit about assembler, even if it's just learning about logical jumps or commenting out code. Yeah, it's just really, really rewarding, so I hope that's inspired you a little bit. I hope that's sort of broken open a little bit how many of your games work. Thank you very much. Any questions? Oh yes.

Ask, I haven't, but I've been around for a long time, and passwords, anything, whatever you store in memory. Absolutely, even with Macs originally you could access memory, yes, without being switched up, you know, without you having access to the OS. So you know in that kind of technologies, totally automated, so I mean, you know, it's not just about.

Exactly. So he was just asking about a tool called Volatility and the data that you can find in memory. A small thing I did with this with Cheat Engine is, you can't in this game, Sea of Thieves, you can't all join the same server, so you can't easily play with your friends, but obviously through looking through the memory you can see which server you're on, so you can write a little script that does it all for you. You see what server you're on, your friend runs the same script, if you're not on the same server you can each take turns jumping around till eventually, without having to look in game, you know you're on the same server. So yeah, by reading the memory something that's not exposed to you, you can sort of get a desired outcome. Cool. Thank you so much, everyone. [Applause]
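The wildcard byte-pattern technique the talk walks through (diffing two builds of the same engine function, replacing the per-build GWorld address bytes with question marks, wildcarding the 3B/33 difference, and only trusting a signature that hits exactly once) as an added example; this is not code from the talk or from Doug the Druid's framework, and every byte buffer in it is constructed toy data rather than real Unreal Engine code.

```python
"""Wildcard byte signatures in the '48 8B 05 ?? ?? ?? ??' style the talk shows.

Added example (not the framework's code). Builds a signature from two
builds of the same code, masks the bytes that vary per build, then scans a
buffer and insists on exactly one hit before calling it an entry point.
"""
from typing import List, Optional

# A pattern is a list of byte values; None is a "??" wildcard.
Pattern = List[Optional[int]]


def parse_pattern(text: str) -> Pattern:
    """'48 8B 05 ?? ?? ?? ?? 48' -> [0x48, 0x8B, 0x05, None, None, None, None, 0x48]."""
    return [None if tok in ("?", "??") else int(tok, 16) for tok in text.split()]


def format_pattern(pat: Pattern) -> str:
    """Inverse of parse_pattern, in the style published patterns use."""
    return " ".join("??" if b is None else f"{b:02X}" for b in pat)


def generalize(samples: List[bytes]) -> Pattern:
    """Keep bytes that agree in every sample; wildcard the ones that differ.

    This is the comparison the talk did by hand between the first debug
    build and a second build with a different template and flags.
    """
    if not samples:
        raise ValueError("need at least one sample")
    length = min(len(s) for s in samples)
    pat: Pattern = []
    for i in range(length):
        column = {s[i] for s in samples}
        pat.append(samples[0][i] if len(column) == 1 else None)
    return pat


def mask_field(pat: Pattern, start: int, length: int) -> Pattern:
    """Wildcard a field known to vary per build (e.g. the 4-byte displacement
    to GWorld) even where the samples happened to agree on some of its bytes."""
    out = list(pat)
    for i in range(start, start + length):
        out[i] = None
    return out


def scan(buf: bytes, pat: Pattern) -> List[int]:
    """Every offset in buf where pat matches (None matches any byte)."""
    hits: List[int] = []
    n = len(pat)
    for off in range(len(buf) - n + 1):
        for i, want in enumerate(pat):
            if want is not None and buf[off + i] != want:
                break
        else:
            hits.append(off)
    return hits


def find_unique(buf: bytes, pat: Pattern) -> int:
    """A signature is only usable as an entry point when it hits exactly once."""
    hits = scan(buf, pat)
    if len(hits) != 1:
        raise LookupError(f"expected exactly 1 match, got {len(hits)} at {hits}")
    return hits[0]


# Constructed samples: a 'mov rax,[rip+disp32]' encoding (48 8B 05 + 4-byte
# displacement) followed by a few opcode bytes. The displacement differs per
# build, and one opcode byte differs (3B in one build, 33 in the other), as in
# the talk's two games.
BUILD_A = bytes.fromhex("48 8B 05 10 20 30 00 48 3B C1 74 05")
BUILD_B = bytes.fromhex("48 8B 05 90 AB CD 00 48 33 C1 74 05")

# Constructed stand-in for a scanned memory region: padding, a near miss
# (different opcode tail), and the real sequence with yet another displacement.
TARGET = (
    bytes.fromhex("90 90 CC CC")
    + bytes.fromhex("48 8B 05 00 00 00 00 48 3B C1 EB 05")  # near miss: EB, not 74
    + bytes.fromhex("CC CC")
    + bytes.fromhex("48 8B 05 44 33 22 11 48 33 C1 74 05")  # the one we want
    + bytes.fromhex("C3")
)


def build_signature() -> str:
    """Derive the signature from the two builds and mask the displacement field."""
    pat = generalize([BUILD_A, BUILD_B])      # wildcards 3B/33 and 3 of the 4 disp bytes
    pat = mask_field(pat, start=3, length=4)  # the 4th disp byte only agreed by chance
    return format_pattern(pat)


def locate_in_target() -> int:
    """Offset of the single match in TARGET; raises if the signature is ambiguous."""
    return find_unique(TARGET, parse_pattern(build_signature()))


if __name__ == "__main__":
    print("signature:", build_signature())
    print("raw BUILD_A bytes found in target at:", scan(TARGET, list(BUILD_A)))
    print("signature found in target at offset:", locate_in_target())
```

The raw bytes of one build never match the other (the displacement differs), which is why the wildcarded form is the one worth keeping.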