Welcome to the guide on Windows Game Hacking With Gidra And Cheat Engine. I will discuss some tactics with the help of the code vein cheat engine.
Let’s look at some windows game hacking by revisiting Pwn Adventure 3 – the game that was made to teach game developers about what can go wrong. We have solved all available challenges already on Linux. I didn’t do the hacks on Windows because I only have basic knowledge about it.
For example, I know about DLL injection, tools like Cheat Engine, and some of the Windows APIs, but that’s about it. And especially the tooling and the process is very different on Windows and Linux.
But because Linux and Windows run on the same PC architecture, we have, of course, some similarities. I know how C and C++ programs work. I know about memory and pointers. I can read assembly.
I understand structures and classes in memory. But once you get into other process details like DLLs, shared libraries, the heap, threads, and so forth, it gets very different. So given my Linux experience, I will have a good foundation, but I will also have to learn a lot.
Also, one side note, many people scoff at Windows and Windows users when it comes to hacking. “Real hackers use Arch Linux.”
But in reality, the game hacking community has created some incredible debugging and analysis tools for windows. They are going deep.
How I Do That With Code Vein Cheat Engine
I’m not sure, but I would lean so far out of the window (heh, pun) to say that the tooling on Windows for analyzing software or, in particular, games, especially software without source code, is much more advanced than on Linux.
So let’s check it out. I remember playing around with Cheat Engine when I was a teenager and didn’t understand memory, assembly, and other lower-level stuff about programs. But already then, it felt intuitive and logical to use. At least the basics.
I think that shows how great of a too-lit is. So what is it? This tool’s basic idea is to find the address of absolute values in the game’s memory. And you do this by repeatedly eliminating, separating, or sorting out values.
To do this, Cheat Engine offers various Scan Types and Value Types. At the top, you can see that I have attached this button to the Pwn Adventure process.
Also Read: What Is AR Zone App
What Is Code Vein Cheat Engine?
It is searches through the game’s process memory. Let’s try it out. Let’s take the health, which right now is at 100.
We explore the value 100. We assume health is stored as a 4-byte value. First Scan. But we find thousands of deals.
However, you can already see a few values now updated. This is the current value in memory, and this is what it was when the search was done.
So with the next scan, we can filter, or search, on those results, and we could search again for 100, or we could say that the value has not changed.
No difference in this case; I just wanted to show a different scan type. And we sort out a few memory locations, but we are still at over 9000! Mhm… we can also go into the game and move and jump around, hoping that that could affect any of those values.
Nothing is directly visible here, but when were do the scan, we are now in the 8000s. So it helped. But you see, it will be tough to find now the excellent health value. So that’s why you want a deal that you can somehow affect.
Why Code Vein Cheat Engine Is Such A Great Tool
You could affect your health by taking damage, but unfortunately, we are just at the start of the game, so we can’t do this right now. Instead, let’s look for something else.
Let’s start over and do a new scan. I want to find the address in memory that stores the current selected skill or weapon. 1,2,3,4,5,6,7,8,9 or 0.
We have selected 1, and we could now search for the value 1. But if you have experience with programming and imagine this to be an array, we don’t know if this is stored as a 1 or maybe as an array index of 0.
And if you think about this further, it could also be a linked list, which would mean the currently selected skill could also be a pointer, just pointing to that object representing that memory skill.
So it’s perfectly valid to assume that it is one and then start searching like that. And maybe that works, or you restart and try0.
But you could also try to go with an unknown initial value. First scan. It takes a bit. Because it now indexed over 168 MILLION addresses.
This is why the Code Vein Cheat Engine makes such a great tool. It’s not difficult to read a process’s memory. We do that on Linux with GDB all the time.
We are examining memory. And, of course, we could write scripts or tools to automate such a search.
But the software engineering and the algorithm-, and memory-, optimization to make this as efficient and usable as Cheat Engine does is not trivial. That’s why this is an excellent tool. Anyway, let’s continue.
So we haven’t changed the selected skill yet, but we move around a bit, so we can now filter out ALL the dynamic memory values by searching for unchanged values. Of… still 167 million. That didn’t help much… But that makes sense.
We searched for an unknown value and then filtered for all the unchanged values. And all the binaries’ assembly code, the pwn adventure binary, all the loaded DLLs, all the loaded resources, and 3D objects are all unchanged data in memory.
So we want to get rid of those. This means we should somehow change and affect the skill selection by switching the skill around. Okay, we changed the value now, and we can search for a changed value.
Okay, we changed the value now, and we can search for a changed value. BOOM! From 167 million down to 291 thousand. And you can already see some red-colored deals that are updated and revised. So let’s quickly scan for unchanged values, down to 229 thousand.
Give Attention Again To The Values With The Help Of Code Vein Cheat Engine
Just repeat the same search a bit down to 203 thousand. Let’s walk around a bit and pay attention to the utilities. As soon as we moved, those all changed! But we didn’t change the skill.
So now we can filter again for unchanged values. 100k left. We are now switching some skills and moving around. But back to craft 2. So it’s unchanged. Doesn’t help much. Well, let’s change it again and select skill3 and search for a changed value. WOW! Down to 262.
We could now almost look through that by hand. We changed to the second skill, and immediately those values were updated here. Going back to 3, it’s 0. So it seems to be directly affected by the selected skill.
However, going to the 5th skill, we notice the value stays 0, like when we had talent three selected. This means we should search now for changed values, down to 94. Let’s keep doing that, switch to skill 6.
We have changed the value scan. Down to 10! Talent 7, scan for changed value. Skill 8. Changed value. Gift 1, change value.
But it looks like nothing happens anymore. And there it is! So switching the skill, we can see the numbers update.
The idea to imagine this value we look for to be an array index seems right! Because gift 1 is a zero. Skill 2 is a 1. And so forth.
The other value here, I’m not sure about the. It doesn’t look like a pointer because a pointer should move by the pointer size. On 32bit, it should carry by 4 bytes, so +4.
But it’s also always just +1. So no clue. But whatever. We can also now add this address to the address list here.
So at this address in memory, we have the value stored that indicates the selected skill. This went pretty well.
Sometimes, when you search for deals, the same value shows up in multiple places in memory, and they could just be updated but are not the real source variable.
But when we change it, we see that the game also updates the selected skill. This means that this is the real root value.
Beyond this, Cheat Engine offers many other exciting tools to explore this further. For example, “we can find out what writes to this address.”
Let’s Go To The Game Again
Now let’s go to the game, and once we change the skill, we see an entry in our list appearing, counting how often this instruction was executed and writing this address.
So this move instruction moved a value from edx into the memory referenced by ESI + hex 0x180.
Here we can also see a few of the surrounding assembler codes and here the register values. We said EDX is the written value, so in this case, it was number 1. And ESI is an address. And the deal was written at the offset hex0x180.
Now I’m not 100% sure if this is the case here, but most likely, this means that ESI is the pointer to some object in memory. Maybe the player class.
And this player object might have a variable to indicate the currently selected skill, and it is at offset 0x180. Assembly is hardcoded fixed data. So that can tell you a lot.
For example, we could imagine this to be a function in C++ like set_selected_skill, and it takes a number and assigns it to the Player’s member variable. The compiler, of course, knows what the Player object looks like.
It knows that at offset 0x180 is the Player’s selected skill. So it merely compiles a move based on the Player’s object start address. Does that make sense? And you can explore this assumption by looking at the memory.
We go to the address of ESI, and so here it is. And now look at what comes after that start address. We see my player name and my team name. Live Overflow and PwnSquad. We can also see the location we are at. Lost Cave.
We can also see here a value that seems to count up rapidly. So this could be a timer of some sort. The other highlighted value here is the address we have stored in our address list.
So this is the selected skill. We can see it change when we change it in-game. But we don’t see anything update when we look around or walk around.
So the Player’s position doesn’t seem to be stored right there. We can also look at the Memory Regions to determine where the code that accessed this memory belongs to.
It started with hex 0x618…. Something. And there are a lot of memory regions for a game. But here it is.
GameLogic.dll
It seems to belong to the GameLogic.dll. And if you have watched my Pwn Adventure series on Linux, you know that the Game Logic is an essential part of the game. You can also use this information to kickstart static analysis.
Let’s try to find this function that wrote the skill number in a disassembler. Here I have loaded the GameLogic.dll into Ghidra. The free reverse engineering tool from the NSA. And when loaded, it loads the dll at a specific address.
So we can’t simply go to the address that Code Vein Cheat Engine told us. Because of ASLR on windows, the dll was loaded somewhere else in memory.
But we saw which address in the memory view of Cheat Engine. Here is the Memory Map, as shown by Ghidra. And with this house symbol, representing the BASE, you can move the whole all around.
So we can now enter the real base address in memory, and Ghidra will relocate the binary. And now, compare the memory map of Ghidra to the whole process memory map. You can see how all the sections of the .dll were loaded into the game’s memory. Anyway.
Now we can be lazy and go to the address Cheat Engine told us. So here it is! I deliberately renamed the GameLogic.dll to game.dll, just because the Pwn Adventure game shipped with debug symbols in the .pdb file.
This way, we can have more experience in reverse engineering, a closed-source game without symbols. So here is the function. Ghidra also comes with a decompiler, so you can see here that this line writes the skill number.
So like I said, there is a good chance that ESI was somehow the pointer to some Player object. So we could assume that iVar1 is a player object. iVar1 + 0x180 is the selected skill.
So we can also ask Ghidra to generate a structure – a struct automatically. Like in C. Basically, automatically create a class.
Of course, the guide doesn’t know what this class looks like but based on the decompilation, it can assume that this offset 0x180 was a variable inside that Player struct.
So you see the code changed from this addition to accessing a member variable of Player. And then we can rename that field, and for example, call it skilled or item Slot.
This is cool, right? I have to make it clear. I’m not 100% sure that this is a player object, and I don’t know how realistic that variable is called. These are just assumptions based on the evidence we have collected.
Process Of Reverse Engineering
But in the process of reverse engineering, we might also invalidate this assumption because we learned even more details.
Doesn’t this almost feel like investigating a crime scene or doing science? And it would help if you had quite a bit of creativity too.
You try to come up with a good idea to collect data and evidence, and you come up with assumptions based on your programming experience and create a mental model.
Then you collect more data that either confirms your beliefs or you adjust your model. And you keep repeating that.
Conclusion
You can see that some people can find this to be fun. Like a puzzle or a point-and-click adventure game. But this is basically how reverse engineering of a game or some program can look like.
Even Code Vein Cheat Engine officially says they don’t ask about hacking online games (and typically, they have anti-debugging and detections in place that stop this quickly anyway).
Of course, there are always tricks to get around stuff, but don’t bother asking people about that.
Suppose you play around with that alone, okay? With enough experience, you can do that yourself. But selling hacks are shitty.
And don’t ask for online game hacks. You can have enough fun and learn enough with regular, non-online games. Or stuff like Pwn Adventure.
As I said, I explored these tools when I was a teenager and was eager to learn. And I found these games, hacking forums.