7 min read game hacking

Getting Started With Game Hacking on PC

Getting Started With Game Hacking on PC

This is the resource I wish I had when I was getting started in hacking video games. Specifically, hacking PC video games on the Windows operating system. This article aims to give you a roadmap forward to becoming a video game hacker, along with plenty of resources to dive deeper.

Beginner

Want to become invincible, have unlimited ammo, or just be super rich in your game? This section is usually all you’ll need.

Modifying values in memory

When you’re playing an offline game (and even with most online games), every value you see in the game is stored in memory. So the first thing you’ll need to do is learn how to find those values and modify them. The most common tool to do so is Cheat Engine.

Cheat Engine has its own built-in tutorial for finding and modifying in-memory values. It’s not exactly straight-forward to complete as a beginner though, so here’s an excellent walkthrough video by the ever helpful Guided Hacking.

Believe it or not, that’s really all you need to do basic game hacking. Yay! 🎉

Aside: Cheat Engine

Cheat Engine is completely free, and supported by bundled software and Patreon donations. As with anything, if you find it’s of value to you, please consider donating. It’s also open-source, and oddly written mostly in Pascal (although almost everything outside of the core is written in C & C++).

Intermediate

This section is all about how to do some more interesting and creative game hacks, as well as how to bypass common restrictions game developers put into their software. It’s at this point that you’ll need to start looking at assembly code. But don’t worry, it’s not as complicated as you may think (especially if you have experience with at least one other high level programming language). There are only a small handful of instructions that come up often:

  • mov
  • lea
  • jmp/jxx
  • cmp
  • test
  • add/sub/mul

A good reference for the x86 & amd64 instruction set can be found here: https://www.felixcloutier.com/x86/.

Debugging & reverse engineering

If you want to understand some more complex logic in a game, you’re going to need to look at the disassembly of the binary (the assembly code). That means attaching a debugger and setting breakpoints, so you can walk through the exact steps that a game takes for a given functionality. Sometimes you may not be able to debug the source code (see the section on anti-debugging later on), or you may just want to graph out how different functions interact in the game; in this case, you’ll want to use a static disassembler.

Personally, I go for debugging first, as I can usually get a much better understanding for how a game works by watching it as it runs through specific functionality. I then switch to the static disassembly later on if I want to really get an understanding for a specific section of the binary.

Once you become proficient at following through the assembly of a program, you can do fun things like this…

Debugging tools

Cheat Engine works really well as a debugger, and it includes pretty much everything you need.

I also like to use x64dbg, as it includes a lot of great features (for example - open multiple dump memory dump tabs at once, built-in scripting support, and an ecosystem of great plugins like xAnalyzer). x64dbg also displays the meaning of every assembly code as you step through it, and it also translates the values for you (i.e. it fetches the value of a pointer), which is really helpful.

You could use WinDbg, but it doesn’t handle anti-debug measures very well, and the interface isn’t nearly as intuitive as x64dbg.

Static disassemblers

The best free static disassembler out there right now is probably Ghidra, and it’s pretty good.

The gold standard disassembler is IDA Pro, but be prepared to spend an arm and a leg (in the ballpark of $2000+ USD per year).

Binary Ninja is also a good commercial option, but it’s lacking the vast plugin ecosystem that IDA Pro (and even Ghidra) has, and they don’t (at the time of writing) have any Windows API function signatures like IDA Pro does with FLIRT that eases a lot of Windows-based reverse engineering.

There’s also a free version of IDA that is great as a standalone disassembler, but you don’t get any plugin support, no decompiler, and you’re locked at an older version of the product.

Resources

To see debugging and light reverse engineering in action, I would highly recommend checking out Chris Fayte’s Cheat The Game YouTube channel.

For some more advanced reverse engineering videos (with excellent video quality and editing), check out LiveOverflow’s YouTube channel.

Bypass anti-debug

Many games come with a range of anti-debug measures that are designed to prevent you from attaching a debugger to the game. If you want to learn more about the exact types of measures they take, I would highly recommend Peter Ferrie’s “The Ultimate Anti-Debugging Reference” [pdf]. But if you just want to get on with debugging your game, I’d recommend just doing the following:

  1. Add ScyllaHide as a plugin to x64dbg.
  2. Launch your game using x64dbg. This will launch it with the anti-anti-debug measures in place.
  3. (Optional) Detach from your game in x64dbg and attach using your debugger of choice.

You can find some more information about ScyllaHide, as well as the anti-debug measures they counteract in their documentation [pdf].

Automating with Cheat Engine

Cheat engine has a LOT of functionality. When you’re looking to do some more complex hacks, you’re going to start using the auto assembler to modify assembly instructions (and not just data types) in memory.

I don’t think there’s anyone better than Stephen Chapman for showing you how to do this. In fact, he put together an entire YouTube playlist of Cheat Engine tutorials that I would highly recommend. He uses Cheat Engine almost exclusively in his videos, so it’ll give you a good idea of some of the magical things you can do with just one tool.

You can make entire trainers in Cheat Engine.

Cheat Engine even supports Lua scripting, which makes it much easier to customize the functionality of your game hacks. There is an extensive set of both documented and undocumented Lua functions already built-in.

If you want to see just how much you can do with Cheat Engine, check out this cheat table for Sonic Adventure 2. I’ve yet to see a more advanced and comprehensive cheat table.

Once you get beyond simply finding and replacing values in memory, Cheat Engine can pretty much help you do anything else you want with most games.

Automating with C++

If you’re really hardcore, you can automate any of your hacks with C++, mostly using the Windows API directly. I won’t go into too much depth here, but you’ll mostly be using OpenProcess() to get a handle to the game process, ReadProcessMemory() to read the memory from the game process, and WriteProcesMemory() to write to the game process' memory. This method is known as an “external” hack because you’re performing your actions from outside of the game process. You can do what’s called an “internal” hack, where you first inject your own cheat process into the game process, and then read and write memory from inside the game’s process.

Exactly how to do an internal or external hack goes a little beyond the scope of this article, but if you’re interested in doing this, here’s an example of an external hack using the Assault Cube game on Windows, including source code. This article builds on that to perform an internal hack, including source code.

Why would you use C++ over Cheat Engine? It usually comes down to more low-level Windows API access (usually to bypass anti-cheat), or just personal preference. Cheat Engine is enough to do most game hacks, until you get into the more advanced game hacking…

Advanced

Some advanced topics that go beyond the scope of this beginner resource include:

  • Bypassing anti-cheat. Many online games include anti-cheat measures that go way beyond simple anti-debug tricks. More modern online games are also moving to anti-cheat solutions that operate in kernel mode, which makes it even trickier to bypass without writing your own Windows kernel driver, or exploiting a vulnerability in an existing kernel mode driver (here are a few you can use). If you’re interested in seeing how this is done, Secret Club has a whole bunch of high quality articles on bypassing kernel mode anti-cheat software.
  • Visual overlays. If you want to do something like an ESP hack (see where everyone is on the map) without writing to the game’s process (for example, to prevent tripping anti-cheat software), you’ll need to start writing overlay windows using something like Microsoft DirectX.
  • Network interception & modification. With online games in particular, some data may not even be exposed in client-side memory. In these cases, you’ll need to intercept and modify traffic sent to the game servers. In most cases (but not all) these days, that traffic is encrypted, and the SSL certificate is usually pinned in the app, so traditional SSL interception measures won’t work. Luckily, the traffic needs to be decrypted at some point in memory, which means you can still read and modify that data if you know where to look.

Other resources

Here are some resources that I haven’t mentioned in the post, but are still noteworthy:

Welcome to the wonderful world of game hacking!

Published by:

Aaron Hnatiw