you could also rescan in the pointer scanner after restarting the game and instead of pointer scanning you can use the debugger to get all the addresses and offsets etc.
@@NtQueryInformationProcess yep, using the debugger to find the pointer is so much more reliable than the pointer scan. Every time someone uses the pointer scan I die a little inside
I love these vids. I am currently learning game hacking as we speak. I wanna become really good at it so that I can hack online games and bypass anti-cheat but not in the usual way of ruining everyone's experience and selling them. just for myself in PVE related activities to speed up grinding and/or farming. plus reverse engineering is just fun for me.
It might also be useful for machine learning. Imagine you get values in memory, and use them as inputs to train your AI. Way better than just taking screenshots of the game and splitting it, etc
yeah 100%. It's useful whenever you wanna interact with another process that isn't designed to be interacted with. Frida (frida.re) uses techniques like this and I've used it to modify apps before to reverse engineer APIs or remove annoying features. Also, I saw that Michael Reeves video about Fortnite where a real gun shoots him when he takes damage and he uses screenshotting, whereas it would have had a lot less latency and required less processing if he had hooked the damage function or something in game (granted that might be hard for Fortnite but just an example).
It sounds a bit like you're missing the i in variable. (sounds like varable) Even so, awesome content! Interesting to see some cheat tools that are being used nowadays.
There's also cool versions of auto splitting that work for consoles - it can either rely on a homebrew that reads RAM, or compare screenshots to the capture output
Hey man. I love your videos but I have a question. Let's assume one is good at hacking (mainly managing to gain access to networks). How does one get into the industry? Are certificates necessary? Can one simply become a pentester by knowing this stuff? As far as I remember, I remember reading in a comment that you are from Germany. I don't know if that's true so I am typing in English.
the offset from edi was indeed +0x180, but earlier on is the instruction "add edi -70", so that might change the offset to be +0x110. What do you think?
I have a feeling that many MMO accessory tools are using the same tech. For example, in FF14 people use tools to track and broadcast hunting objects and team damage/tanking/healing stats. I don't think FF14 has built in API (e.g. WoW) or log (e.g. Elite: Dangerous) for that, so maybe they are just hooking to the process to do all the job.
I find the timing of this video amusing, as I've been working with livesplit-core and a PoC version of livesplit one desktop (all written in rust) to have working autosplitters on linux. I think the API still needs work to obtain feature parity, etc, but I've already been using it with Portal.
This episode was very enlightening, although I really had made the connection there. What interests me most (and what I learned) is this very interesting CreateRemoteThread function to spawn a thread inside another process? Can all OSes do that, is it a standard way to inject code into things, and why (or how) can/can't this be patched up by game anti-cheats? Thanks for the great video :-)
Well all OSes need to have memory management so that should be self explanatory but aside from that most, if not all decent anti-cheats protect against these kind of things. The way the anti-cheats block them is quite simple: it's a kernel driver that blocks the use of WINAPI, you can't just say "hey program change this memory" from an unsigned program without a big bully from kernel space saying forbidden and giving you a basic memory access violation or something. Other things they may use are File Integrity Checks, Detecting Debuggers, Stops debugger from attaching, Detect Cheat Engine & memory editors, Signature Based Detection, Detect DLL injection, Detect Hooks, Memory integrity checks and Statistical Anomaly Detection. What I currently use to bypass this when you take use of already signed programs and drivers such as drivers from intel and discord which already have access to these sorts of things and then exploit them to run my own read and write process memory. Hope this helps - Calvin.
@@calvinspear6707 Wow, very insightful comment, thanks a lot! So there's two things to unpack here - the first one is, why would opening a thread in a remote process be a necessity for OS memory management? It feels a bit insecure in and of itself, but then again, attaching a debugger to a running process is often a very welcome functionality, and so is tracing its execution, so I guess it's allowed unless explicitly prevented, which I assume can be done at application level (in userspace)? Which leads me to the second thing - essentially the way you bypass kernelspace protections (I assume things like BattlEye?) is by hijacking code that already runs in kernel space, and therefore code that is signed, so that you can essentially read and write anywhere in memory? Sounds very complicated, at least for the intel drivers, maybe less so for discord but I didn't realize they had a kernelspace driver running?
@@xhir0 you don't even need to make a program to do that. you can simply disable the code that accesses the address and then it can never change unless you change it
@@Airyz developed cheats aren't just cheat engine's source code with modifications. You make your own gui, your own way to find the games process id, and addresses. Then you can write and read to memory at those addresses.
@Vorname Nachname I'm not sure what you mean, you can easily scan a process's entire memory for a specific pattern in milliseconds. It's not much different to how cheat engine would scan for any value. It's also less likely to break during a game update like offsets, depending on the game's design and what kind of memory you're scanning for.
You should also tell the people about actually reversing the code you found with the debugger instead of playing around with cheat engine. IMO cheat engine is good for fast trial and error or testing, but actually reversing the code beats any tool - especially when updating the code on a new patch :P
1) ASLR in Windows is not system-wide, every Executable or DLL file can have ASLR enabled or not (it's enabled by adding the /DYNAMICBASE flag in msvc while compiling). 2) Even if the base is dynamic, and the address where GameLogic.dll is mapped changes, the pointer path taken starts with "GameLogic.dll"+offset, not with a fixed address, Cheat Engine or other software can calculate the pointerpath by replacing "GameLogic.dll" with its base address (with just a call to GetModuleHandle in the context of the target process, or from its PEB->Ldr.InMemoryOrderModuleList), then, from there, it's easy to get to the variable.
It is "fixed" sometimes, but not in this particular case. The reason the pointer path works is because the pointer is always at a certain address _relative_ to the beginning of GameLogic.dll, and the WinAPI function GetModuleHandle can be used to find out the address where that DLL is loaded. So since we can find out where that DLL is, we can find out where the pointer is. Every time the game is started, GameLogic.dll creates the value for the menu position at a random address. It then keeps track of that random address using a _pointer._ The pointer is always at a certain address relative to the beginning of GameLogic.dll. So for example, let's say it is 1024 bytes after the beginning of the DLL. Every time the game wants to know the menu position value, it needs to find out where that value is located, since the value is in a random location. It looks at GameLogic.dll + 1024 bytes, and there is the _pointer._ The pointer gives the address of the actual value, so it then looks there next and finds it. If we know where the pointer is, relative to the DLL start, then we too can reliably find the value's address. Now, DLLs themselves don't reliably load at any particular location, but Windows always keeps track of where they're loaded, so it can tell us if we call GetModuleHandle. But thanks to Virtual Address Spacing, if the pointer is in an EXE, we don't even have to do that, as we have a guarantee it will be loaded at the same place every time. So in that sense, it is possible for the pointer path to be truly "fixed"
Philipp The Cat An auto splitter might want to do something when a function is called, or there might be data stored in TLS that can't be accessed completely externally IIRC.
you should really try to avoid using the pointer scan... it's easier and smarter to find a pointer by attaching cheat engine's debugger. In this video you show that the code accessing this variable is `mov [esi+180], edx`. In this scenario it's much smarter to now scan for the value stored in esi and continue this process until the register appears in static memory inside GameLogic.dll. Doing this you can be absolutely certain that you have a correct path as you are accessing the variable in the same way the game is accessing it
What is the best way to compile Cheat Engine oneself? Because I want it but I do not trust the exe or the creator for that matter, so I would not only have to compile it myself but become familiar with what is a rather large codebase and know it inside out before deciding to use it before I can trust it. Can anyone recommend where to start because it is programmed in multiple languages and idk really how to handle the mess that is the Cheat Engine GitHub.
@@1e1001 Yeah idk man, I found nothing about it to feel trustworthy. I would rather build it myself and know the project before ever dealing with that, because not only does every antivirus go off around that thing but damn near every website that the creator of it links people to is also riddled with malware, so either it is trustworthy or the creator has pulled the wool over a bunch of people's eyes. I was about to get CE until I went to the forum in which the creator was linking people to different places, and most of the places he was linking people to on sites he created, alarm bells were screaming all over my computer because he had so much malware all over the place, and we are not talking about CE malware, we are talking god knows what that was triggering all these safe search things. Something is highly highly shady about CE and its creator and because of that I just can not in good conscience run anything made by him. Wish I could because I love using hex editors but at the end of the day I could likely just create one myself and use it faster than I could learn that mess of a project that is CE.
Can you please explain how to take the entire pointer scanner results and how to make a CE trainer and attach it to the game process and make it work? I have like 3600 results from the pointer scan and I can't just double click them all XD Thanks
You can also leave the scan result open and close/-reopen the game. Then filter out the wrong ones. And repeat. The list should shrink to a few really nice ones.
Even when actually using Cheat Engine to cheat, discovering the pointer paths is very useful. I... may or may not have been using Cheat Engine to cheat in Maple Story when I was younger. (Don't judge) I had no idea how it works, I just downloaded a list of pointer paths with a nice description and there you go. (Typical script kiddie. Rather literally) Even if you use it for yourself (in single player games, of course), you probably don't want to rediscover the addresses every time. Gets tedious. On the topic of Maple Story, they ended up separating the European and US server due to so many European cheaters. I think people just didn't really report cheaters. I saw a cheater just slashing at the air and killing mobs, with normal players just standing there and complaining how unfair it is, but not reporting him. (Actually saying they don't want to report him) Meanwhile, I was watching this unfold from below the map... They couldn't have reported me if they wanted to, but for some reason they didn't even bother reporting that guy...
Can you redo Pwn Adventure 3 series but hack/exploit minecraft. Many views because minecraft popularity right now + the kids that want to go on servers and hack. Anticheat will stop them instantly. If you do this do it on self hosted normal server with no anticheat and fly enabled :/
Hi, my name is Rifqi and I'm from Indonesia, help me sir, currently in my country everyone is playing Higgss domino island, can you make a cheat / mod apk / trick that is not detected and can be used in the game? please help sir, so that our family life can change. I hope there is a way or trick / application that you gave...
Cool to see some of my work make it into a LiveOverflow video. I made the HRH mod(indicated by the gray hrh icon in the top left) and found some of the addresses for the auto splitter, specifically the overlays pointers. Funny thing, the loadingScreen pointer is actually pointing to the length of a string, not an id but hey it works.
Ooh i know this trouble haha. If some value for some reason doesn't seem to have a usable pointer just use something else that changes
So... Ready to create an ASL for speedrunning Pwn Adventure 3: Pwnie Island?
I wonder where the line would be drawn between a TAS and a standard speedrun for a game where the whole point is to write code to cheat your way through it.
Previously I came back to mess with cheat engine because I started watching new Guided Hacking series and you posted video about CE, now I started speedrunning and here's a video about Livesplit... Somebody is watching me
Oh shit, he found out!! Plan B!!
He's hacked you dude
lol it's just the youtube algorithm mining you for your data, you're perfectly safe 😏
Someone must be observing your pointer paths!
I started my "hacking" journey with NES romhacking, at that time I felt like this was pointless, like, "why am I hacking games from 1980s, when I could be more productive", now you made me look at it as my first experience with assembly (granted, 6502 was a really simple architecture) and pointers and other basics of what was mentioned in this video.
Aside from Autosplitters, finding memory addresses can also be useful in Speedrunning for better understanding the game by watching values for things that aren't directly visible in the game. For example watching how exactly sprint stamina decreases/increases, how values related to glitches change or what affects experience points. Sometimes it can even be useful to actively change those values when testing or practicing the speedrun.
Of course in actual speedruns (not testing/practice, but actually going for a time) most of these things are not allowed. Rules depend on the individual game community, however often only values that are already apparent from playing the game are allowed to be watched via third-party tools, like 100% Checklists automatically tracking completion of the game (which could also be done by checking stuff off on a piece of paper) or the mentioned Autosplitters. In some cases even these tools can be problematic, e.g. if an automatic split reveals some information about the game's state you wouldn't immediately know otherwise, but usually they are just a big help by not having to remember to press a split button all the time. Some communities allow additional information read from memory to be displayed (e.g. movement speed), some are a bit more strict.
The one example I know of where internal values are allowed to be visible in speedruns, Half-Life, does this via a mod to the game itself instead of a third-party tool (afaik). That's yet another route that communities might take.
Most Auto Splitters don't actually inject anything into the game. Instead they simply rely on ReadProcessMemory to follow the pointer paths.
It's almost as if Windows added these API's because they have valid use cases and not just for malware writers to use.
Well I wouldn't really say speedrunning tools are a "valid use case", but I would be really interested in knowing some! There must be some good reason they added potentially dangerous stuff like that, but I can't make up any example right now...
@@DOENERUSCHI mostly debuggers I think
@@DOENERUSCHI debugging
The same method could also be used to add Discord Rich Presence (The thing that shows which level you are playing on) support to basically any game
Yep! I'm writing an internal Discord RPC mod for a game. (Cube World). Dealing with binary is cool tho.
the problem with this is that it's not intended by the devs. if you'd use this on a game with an anti-cheat, you will get banned; which would be a bit unfortunate for just showing your friends which level you're at
Yes. Cube World doesn't have any anticheat nor modding system. People are just blackboxing the game since 2013.
Vorname Nachname Anticheats will still get pissed off because of wallhacks and such that CAN work without writing.
I did this for Puyo Puyo Tetris!
9:49 "If you browse a bit more..."
scroll down 400 lines
Being an embedded systems engineer really helps here in these videos.
haha
This is awesome! Computer science student here. Spend the last 2 days with Cheat Engine, Guided hacking and a lot of games :D So cool to look at your own programs from another perspective! Thanks @LiveOverflow
THANK YOU for showing this type of info. It has long been guarded, and not shared, because people feared what would happen if they showed others how to hack at this level. I think what you're doing is great, because you're giving people the tools, information, AND showing them how it can be used for helpful productive things. So happy I found this channel.
This has not been guarded at all, if you were interested in game cheats you could get this info on any game hacking forum
Also this is surface level
This is quite well known. There's a good book on this topic if you want even more detail: www.amazon.co.uk/Game-Hacking-Developing-Autonomous-Online/dp/1593276699
If this information was well-guarded, then cheating in games would be far easier than it is currently. But you can't keep secrets like this. Different people can come up with different methods of getting the same results.
One person may find an exploit in new hardware, and never reveal it while someone else may just stumble upon the same exploit some time later. It happens.
I love how you basically figured out Livesplit without even downloading it. One common use for GlobalHotkeys is resetting btw. For Portal (which has a really awesome autosplitter), I used to have a reset hotkey that I had also bound in the game to close the current game session and delete my common quicksaves, so I could start a clean run, which I later also added to the bind ingame and the autosplitter picked up the map change and started livesplit's timer again
I've personally been using your videos to help me figure out and learn reverse engineering and hacking for speedrunning. It's nice to see this coming full circle and now the content I watch for speedrun game hacking is talking about game hacking for speedruns.
This video has also helped me to understand how many glitches such as wrong warps in old games have been found! By exploring memory in ways like this, speedrunners can hunt for potential exploits to send them quickly towards the end of the game, even directly to the credits in some cases, if they can find a way to use in game techniques to change the right memory values.
Please do more game hacking love it.
Brilliant video! This was very well balanced between looking at code/tools and then showing WHY it mattered. Good job
For everyone interested, there's an easier and faster way to get the correct addresses. Find out the object base address first. This address is ALSO an offset. It's an offset from the base address of the exe or module the address is in. Getting the base address of an exe or dll isn't hard nor complicated. Then, once you have a way to reliably get the base address, add the object offset and from there add whatever offset you like to get the correct address every time. No pointer scans required. Also in CE, add a new address manually and type ""+ to get it calculated by CE
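The pointer-path idea the commenters describe (a static pointer at a fixed offset inside GameLogic.dll, dereferenced and then offset by 0x180, resolved from the module base rather than from an absolute address), as an added Python example that is not code from the video, from LiveSplit or from any commenter. The memory image, the module and object bases and the 0x1000 static offset are constructed; a real autosplitter would implement the read primitive with ReadProcessMemory and get the module base from the live process.

```python
import struct

PTR_SIZE = 4  # the game in the video is 32-bit: mov [esi+0x180], edx


class ProcessMemory:
    """Constructed stand-in for a running game's address space.

    Regions are base -> bytearray. read() is the only primitive an
    autosplitter needs; on Windows it would wrap ReadProcessMemory
    (assumption: same shape, address + length -> bytes).
    """

    def __init__(self):
        self.regions = {}   # base address -> bytearray
        self.modules = {}   # module name -> base (what GetModuleHandle returns)

    def map_region(self, base, size, module=None):
        self.regions[base] = bytearray(size)
        if module:
            self.modules[module] = base

    def _locate(self, addr, size):
        for base, buf in self.regions.items():
            if base <= addr and addr + size <= base + len(buf):
                return buf, addr - base
        raise LookupError(f"unmapped address {addr:#010x}")

    def read(self, addr, size):
        buf, off = self._locate(addr, size)
        return bytes(buf[off:off + size])

    def write(self, addr, data):
        buf, off = self._locate(addr, len(data))
        buf[off:off + len(data)] = data

    def read_u32(self, addr):
        return struct.unpack("<I", self.read(addr, PTR_SIZE))[0]

    def write_u32(self, addr, value):
        self.write(addr, struct.pack("<I", value))


def resolve_pointer_path(mem, module, offsets):
    """Follow a LiveSplit-style path: "module"+offsets[0] holds a pointer and
    every further offset is applied after a dereference. Returns the final
    address, or None when a link is NULL (object not allocated yet, e.g. on a
    loading screen), the module is not loaded, or a link points into unmapped
    memory (stale pointer), so a polling autosplitter keeps running."""
    try:
        addr = mem.modules[module] + offsets[0]
        for off in offsets[1:]:
            link = mem.read_u32(addr)
            if link == 0:
                return None
            addr = link + off
        return addr
    except LookupError:            # KeyError (module) or unmapped read
        return None


def read_path_u32(mem, module, offsets):
    addr = resolve_pointer_path(mem, module, offsets)
    return None if addr is None else mem.read_u32(addr)


def build_game(module_base, object_base, menu_position):
    """Constructed layout mirroring the video: GameLogic.dll holds a static
    pointer at +0x1000 to a heap object whose menu position sits at +0x180.
    All bases are hypothetical values, not taken from the real game."""
    mem = ProcessMemory()
    mem.map_region(module_base, 0x2000, module="GameLogic.dll")
    mem.map_region(object_base, 0x400)
    mem.write_u32(module_base + 0x1000, object_base)
    mem.write_u32(object_base + 0x180, menu_position)
    return mem


MENU_PATH = ("GameLogic.dll", [0x1000, 0x180])

# Two launches of the same game: ASLR moved the DLL and the object landed
# elsewhere on the heap. The path resolves in both, while the absolute address
# a plain value scan found in the first launch does not survive the restart.
FIRST_LAUNCH = build_game(0x10000000, 0x00A40000, 3)
SECOND_LAUNCH = build_game(0x6F200000, 0x01C80000, 3)


def absolute_address_survives_restart():
    """Try the first launch's final address against the second launch."""
    stale = resolve_pointer_path(FIRST_LAUNCH, *MENU_PATH)
    try:
        SECOND_LAUNCH.read_u32(stale)
        return True
    except LookupError:
        return False


if __name__ == "__main__":
    for name, mem in (("first launch", FIRST_LAUNCH), ("second launch", SECOND_LAUNCH)):
        addr = resolve_pointer_path(mem, *MENU_PATH)
        print(f"{name}: menu position at {addr:#010x} = {read_path_u32(mem, *MENU_PATH)}")
    print("absolute address still readable after restart:",
          absolute_address_survives_restart())
```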
So that's what speedrunners use for time splitting. Really interesting stuff.
some speedrunners, a lot of (mainly console game) speedrunners use manual splitting
RedMikePumpkin Manual splitting sounds tedious. That explains why some speedruns have moments where the runner forgets to do a split.
@@DrewTNaylor It starts out tedious, but after awhile it becomes an instinct. Multiple times I've seen speedrunners performing live at marathons instinctively reach for their nonexistent split button (or foot pedal!)
thechucknorrisofNSMB Foot pedals would make it a lot easier.
very nicely made. when i was younger, i was in the "warrock" game hacking scene. Maybe someone remembers ElitePVPers. I used the same methods. but sometimes you need to find some "injection methods" - luckily i wasn't the only dev, so i had some partners, who created injectors, which i was able to use, to modify memory data without getting caught by the anti cheat :D Oh this was an awesome time.
This is the topic that I was waiting for ! Thanks for making a video about it :)
speedrunning and hacking, my two favorite things!
Those are my favorite type of videos! Keep it up
I really like these series and I'm finally learning game hacking properly.
Please keep making them! They're really useful
Donald Trompetas Go on unknowncheats and watch some of the guided hacking RUclips channel videos. You’re going to want to understand how memory works and be familiar with C/C++ (or C#). Some modern online games have anti cheat measures that won’t be easy for a newbie to circumvent (don’t ruin people’s day though, if you do cheat online - don’t rage cheat at least).
back in my time we used to call aslr: DMA: Dynamic Memory Allocation.
I remember using this as a little kid to get infinite sunlight in Plants vs. Zombies.
Thank you for making this video. Brings back memories of my little hacker self.
Speedrunners also do other security related stuff and abuse mechanics. For example Zelda speedrunners actively attack the memory allocator. They repeatedly leak memory to get the heap increasingly fragmented until there isn't a contiguous region of memory large enough to load obstacles. The result is that some obstacles will not load and are not there and the speedrunner can go faster! :D That's so f****** cool :D I love this stuff!
there are very legitimate uses for game hacking tech. I've used it both in private server projects for LoL and for writing an evolutionary AI for Super Hexagon. Both were great projects in which I learned a lot and provided no harm to any competitive community.
Thank you LiveOverflow!!
I've never touched code myself, but your videos captivate me every time
I love that intro so damn much.
@LiveOverflow When I watched through ur pwn adventures 3 playlist I was especially interested in the proxy u wrote. I tried to write my own proxy (not only for a game but for every connection from my pc to external IP-addresses) and failed hard. Since this can be a useful tool for analyzing the packages sent and received I would very much appreciate a video of you writing such a proxy. Love ur content! Keep it up
Your explanation and conclusion is the best💖
No one:
Absolutely nobody:
LiveOverflow: *POINTER PATHS*
Awesome video! Been extremely interested in all of your recent videos.
Speedrunners borrow a lot more from the infosec community than just for creating autosplitters. Hell, there's a whole class of speedruns based around arbitrary code exploits. Although not for Windows specifically.
e.g.: smw 0 exit
Here is a link to what is, for today's purposes, a list of all such known exploits: tasvideos.org/Movies-C3050Y.html
Huh this was a weird video to watch.
There is actually an issue with some auto splitters giving speedrunners more information than they should have, like if a glitch made it so you couldn't see where you were going, but the auto splitter splits when you get to a certain area or something. I can't remember exact examples. And as you accurately put it, LiveSplit is just game hacking, so some communities don't allow it.
Oh hey, thanks!
I think the fair question to ask is, why did you blow up Ryder's car?
I made a tool that tracks the amount of kills I got in a game, for no reason other than to just have cool statistics to display on stream. I was told, rightfully, that it could be used to see whether you got a blind shot or not. I modified the tool to be disabled during the part where the player does the blind shot.
@@LotsOfS I always figured it'd be neat to have a program displaying extra info on stream but with the player not able to see it, just to be more interesting for the viewers.
you could also rescan in the pointer scanner after restarting the game and instead of pointer scanning you can use the debugger to get all the addresses and offsets etc.
@@mrdkaaa huh? i am
@@NtQueryInformationProcess yep, using the debugger to find the pointer is so much more reliable than the pointer scan. everytime someone uses the pointer scan I die a little inside
Awesome video! This kind of content is why I'm here. :-)
I wish Cheat Engine would be on Linux :D Gameconqueror doesn't have that much functions and tools :(
www.cheatengine.org/forum/viewtopic.php?t=582759&sid=c0cda86d513e76498067b26f4fe6dfb6
Awesome explanation of all components
I love these vids. I am currently learning game hacking as we speak. I wanna become really good at it so that I can hack online games and bypass anti-cheat but not in the usual way of ruining everyone's experience and selling them. just for myself in PVE related activities to speed up grinding and/or farming. plus reverse engineering is just fun for me.
It might also be useful for machine learning.
Imagine you get values in memory, and use them as inputs to train your AI.
Way better than just taking screenshots of the game and splitting it, etc
yeah 100%. It's useful whenever you wanna interact with another process that isn't designed to be interacted with. Frida (frida.re) uses techniques like this and I've used it to modify apps before to reverse engineer apis or remove annoying features. Also, I saw that michael reeves video about fortnite where a real gun shoots him when he takes damage and he uses screenshotting whereas it would have had a lot less latency and required less processing if he had hooked the damage function or something in game (granted that might be hard for fortnite but just an example).
It sounds a bit like you're missing the i in variable. (sounds like varable)
Even so, awesome content! Interesting to see some cheat tools that are being used nowadays.
There's also cool versions of auto splitting that work for consoles - it can either rely on a homebrew that reads RAM, or compare screenshots to the capture output
I would love more tips and tools to make stuff like this
Hey man. I love your videos but I have a question. Let's assume one is good at hacking (mainly managing to gain access to networks). How does one get into the industry? Are certificates necessary? Can one simply become a pentester by knowing this stuff? As far as I remember, I remember reading in a comment that you are from Germany. I don't know if that's true so I am typing in English.
the offset from edi was indeed +0x180, but earlier on is the instruction "add edi -70", so that might change the offset to be +0x110. What do you think?
I didn’t notice :O
I have a feeling that many MMO accessory tools are using the same tech. For example, in FF14 people use tools to track and broadcast hunting objects and team damage/tanking/healing stats. I don't think FF14 has built in API (e.g. WoW) or log (e.g. Elite: Dangerous) for that, so maybe they are just hooking to the process to do all the job.
I find the timing of this video amusing, as I've been working with livesplit-core and a PoC version of livesplit one desktop (all written in rust) to have working autosplitters on linux. I think the API still needs work to obtain feature parity, etc, but I've already been using it with Portal.
livesplit one desktop?
@@1e1001 so, livesplit one is currently just a timer that runs in the web browser, right? One of the developers has a version that runs 100% natively.
You can use signature scanning to search addresses
you are my best teacher :3
That's really cool! So how would you go about searching for pointer paths from a programming language? I guess I can scavenge through LiveSplit's API
This episode was very enlightening, although I really had made the connection there. What interests me most (and what I learned) is this very interesting CreateRemoteThread function to spawn a thread inside another process? Can all OSes do that, is it a standard way to inject code into things, and why (or how) can/can't this be patched up by game anti-cheats? Thanks for the great video :-)
Well all OSes need to have memory management so that should be self explanatory but aside from that most, if not all decent anti-cheats protect against these kind of things. The way the anti-cheats block them is quite simple: it's a kernel driver that blocks the use of WINAPI, you can't just say "hey program change this memory" from an unsigned program without a big bully from kernel space saying forbidden and giving you a basic memory access violation or something. Other things they may use are File Integrity Checks, Detecting Debuggers, Stopping debuggers from attaching, Detecting Cheat Engine & memory editors, Signature Based Detection, Detecting DLL injection, Detecting Hooks, Memory integrity checks and Statistical Anomaly Detection. What I currently use to bypass this is making use of already signed programs and drivers such as drivers from intel and discord which already have access to these sorts of things and then exploiting them to run my own read and write process memory. Hope this helps - Calvin.
@@calvinspear6707 Wow, very insightful comment, thanks a lot! So there's two things to unpack here - the first one is, why would opening a thread in a remote process be a necessity for OS memory management? It feels a bit insecure in and of itself, but then again, attaching a debugger to a running process is often a very welcome functionality, and so is tracing its execution, so I guess it's allowed unless explicitly prevented, which I assume can be done at application level (in userspace)? Which leads me to the second thing - essentially the way you bypass kernelspace protections (I assume things like BattlEye?) is by hijacking code that already runs in kernel space, and therefore code that is signed, so that you can essentially read and write anywhere in memory? Sounds very complicated, at least for the intel drivers, maybe less so for discord but I didn't realize they had a kernelspace driver running?
Really cool video! You have almost no accent! 😎👍🏼
i liked the video when he said "more pwn adventure 3"
Very interesting, I think making a simple c++ program to change and find these values would be cool. :)
Xhiro lol you can look cheat engine it is open source
@@alword I meant to make programs that can hold the value at a certain a address
@@xhir0 you don't even need to make a program to do that. you can simply disable the code that accesses the address and then it can never change unless you change it
@@Airyz developed cheats aren't just cheat engine's source code with modifications. You make your own gui, your own way to find the games process id, and addresses. Then you can write and read to memory at those addresses.
@@xhir0 im well aware. I have made many of my own. And you can achieve this easily through your own code
I'm sitting here watching this video with my serious face pretending that I understand what I watch so my friends will be like wtf are you watching.
You could also scan the Memory with a Signature how maybe the player obj might look like and get the addr from that. *pow* Mindblowing
@Vorname Nachname I'm not sure what you mean, you can easily scan a process's entire memory for a specific pattern in milliseconds. It's not much different to how cheat engine would scan for any value. It's also less likely to break during a game update like offsets, depending on the game's design and what kind of memory you're scanning for.
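The signature scan the two comments above describe, written out as an added example (this is not code from the video, from LiveSplit or from Cheat Engine; the two byte images and the signature are constructed for the example, and the `0x180`/`0x110` displacements are just sample values). It shows why a pattern with wildcard bytes keeps matching after a patch changes the displacement inside the instruction, and how the new offset can then be read straight out of the match instead of being hardcoded:

```python
from typing import List, Optional

# Constructed 32-bit x86 code images, not bytes from the real game. Both contain
# the instruction "mov eax, [esi+disp32]" (opcode 8B, ModRM 86), but the
# displacement differs between the two "builds", as it might after a patch.
IMAGE_V1 = (
    bytes.fromhex("5589e583ec10")      # push ebp; mov ebp, esp; sub esp, 0x10
    + bytes.fromhex("8b8680010000")    # mov eax, [esi+0x180]
    + bytes.fromhex("89450c")          # mov [ebp+0xc], eax
    + bytes.fromhex("c9c3")            # leave; ret
)
IMAGE_V2 = (
    bytes.fromhex("5589e583ec2090")    # same prologue, different frame size, plus a nop
    + bytes.fromhex("8b8610010000")    # mov eax, [esi+0x110]
    + bytes.fromhex("89450c")          # mov [ebp+0xc], eax
    + bytes.fromhex("c9c3")            # leave; ret
)

# Signature in the usual "IDA style": hex bytes, "??" for a wildcard byte.
# The displacement bytes are wildcarded because they are what tends to change.
PLAYER_READ_SIG = "8B 86 ?? ?? 00 00"


def parse_signature(sig: str) -> List[Optional[int]]:
    """Turn "8B 86 ?? ?? 00 00" into [0x8B, 0x86, None, None, 0, 0]."""
    pattern: List[Optional[int]] = []
    for token in sig.split():
        if token in ("?", "??"):
            pattern.append(None)
        else:
            pattern.append(int(token, 16))
    return pattern


def find_signature(image: bytes, sig: str) -> List[int]:
    """Return every offset in `image` where the signature matches.

    Wildcard positions match any byte, so the search tolerates the bytes that
    typically change between builds (displacements, immediates) as long as
    the opcode skeleton around them stays the same.
    """
    pattern = parse_signature(sig)
    n = len(pattern)
    hits = []
    for i in range(len(image) - n + 1):
        if all(p is None or image[i + j] == p for j, p in enumerate(pattern)):
            hits.append(i)
    return hits


def displacement_at(image: bytes, mov_offset: int) -> int:
    """Read the 32-bit displacement of the "mov eax, [esi+disp32]" at mov_offset.

    The disp32 follows the 2-byte opcode/ModRM pair and is little-endian.
    """
    return int.from_bytes(image[mov_offset + 2:mov_offset + 6], "little")


def locate_player_offset(image: bytes) -> Optional[int]:
    """Find the unique matching instruction and return the field offset it uses."""
    hits = find_signature(image, PLAYER_READ_SIG)
    if len(hits) != 1:  # zero or ambiguous hits: the signature is not usable as-is
        return None
    return displacement_at(image, hits[0])


if __name__ == "__main__":
    for name, image in (("v1", IMAGE_V1), ("v2", IMAGE_V2)):
        print(name, find_signature(image, PLAYER_READ_SIG), hex(locate_player_offset(image)))
```

The uniqueness check in `locate_player_offset` is the part people skip: a signature that hits twice is not wrong today but becomes wrong on the first build where the other hit is the one that survives, which is exactly the "depending on the game's design" caveat in the reply above.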
You should also tell the people about actually reversing the code you found with the debugger instead of playing around with cheat engine.
IMO cheat engine is good for fast trial and error or testing, but actually reversing the code beats any tool - especially when updating the code on a new patch :P
This is fascinating
But why would the pointer class's address be fixed ?! Doesn't ASLR scramble everything ?
1) ASLR in Windows is not system-wide, every Executable or DLL file can have ASLR enabled or not (it's enabled by adding the /DYNAMICBASE flag in msvc while compiling).
2) Even if the base is dynamic, and the address where GameLogic.dll is mapped changes, the pointer path taken starts with "GameLogic.dll"+offset, not with a fixed address, Cheat Engine or other software can calculate the pointer path by replacing "GameLogic.dll" with its base address (with just a call to GetModuleHandle in the context of the target process, or from its PEB->Ldr.InMemoryOrderModuleList), then, from there, it's easy to get to the variable.
@@redouanered7950 I figured that much, but how does it know where GameLogic.dll is loaded ?
@@Wyvernnnn Windows has a function that can give you the base address of a module
It is "fixed" sometimes, but not in this particular case.
The reason the pointer path works is because the pointer is always at a certain address _relative_ to the beginning of GameLogic.dll, and the WinAPI function GetModuleHandle can be used to find out the address where that DLL is loaded. So since we can find out where that DLL is, we can find out where the pointer is.
Every time the game is started, GameLogic.dll creates the value for the menu position at a random address. It then keeps track of that random address using a _pointer._ The pointer is always at a certain address relative to the beginning of GameLogic.dll. So for example, let's say it is 1024 bytes after the beginning of the DLL.
Every time the game wants to know the menu position value, it needs to find out where that value is located, since the value is in a random location. It looks at GameLogic.dll + 1024 bytes, and there is the _pointer._ The pointer gives the address of the actual value, so it then looks there next and finds it.
If we know where the pointer is, relative to the DLL start, then we too can reliably find the value's address.
Now, DLLs themselves don't reliably load at any particular location, but Windows always keeps track of where they're loaded, so it can tell us if we call GetModuleHandle. But thanks to Virtual Address Spacing, if the pointer is in an EXE, we don't even have to do that, as we have a guarantee it will be loaded at the same place every time. So in that sense, it is possible for the pointer path to be truly "fixed"
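The pointer-path resolution described in the comment above, as an added example (not code from the video, from LiveSplit or from Cheat Engine). The process, its module base, the heap object address and the `0x400`/`0x180` offsets are all constructed stand-ins; `get_module_handle` and `read_u32` play the roles of GetModuleHandle and ReadProcessMemory. Two "launches" with different DLL bases show that the path `"GameLogic.dll"+0x400 -> [ptr]+0x180` keeps working while an absolute address taken from the first launch reads nothing in the second:

```python
from typing import Dict, List, Optional


class FakeProcess:
    """A tiny stand-in for a 32-bit Windows process (constructed for this example).

    It holds a module name -> load address map (what GetModuleHandle reports)
    and a sparse memory made of 4-byte cells keyed by address.
    """

    PLAYER_PTR_RVA = 0x400    # where the static pointer sits inside GameLogic.dll
    MENU_POS_OFFSET = 0x180   # field offset inside the heap object it points to

    def __init__(self, dll_base: int, player_obj: int, menu_pos: int) -> None:
        # GameLogic.dll is relocated (ASLR); the object lands wherever the allocator put it.
        self.modules: Dict[str, int] = {"GameLogic.dll": dll_base}
        self.mem: Dict[int, int] = {}
        self.write_u32(dll_base + self.PLAYER_PTR_RVA, player_obj)
        self.write_u32(player_obj + self.MENU_POS_OFFSET, menu_pos)

    def get_module_handle(self, name: str) -> int:
        """Stand-in for GetModuleHandle: base address of a loaded module."""
        return self.modules[name]

    def write_u32(self, addr: int, value: int) -> None:
        self.mem[addr] = value & 0xFFFFFFFF

    def read_u32(self, addr: int) -> Optional[int]:
        """Stand-in for ReadProcessMemory: None if nothing is mapped there."""
        return self.mem.get(addr)


def resolve_pointer_path(proc: FakeProcess, module: str, offsets: List[int]) -> Optional[int]:
    """Follow a Cheat Engine style path: "module"+offsets[0] -> [ptr]+offsets[1] -> ...

    The first offset is added to the module base; every further offset is added
    to the pointer read at the previous address. Returns the final address, or
    None if a hop lands in unmapped memory (a stale or wrong path).
    """
    addr = proc.get_module_handle(module) + offsets[0]
    for off in offsets[1:]:
        ptr = proc.read_u32(addr)
        if ptr is None:
            return None
        addr = ptr + off
    return addr


def read_menu_position(proc: FakeProcess) -> Optional[int]:
    """Resolve the two-hop path and read the value at its end."""
    path = [FakeProcess.PLAYER_PTR_RVA, FakeProcess.MENU_POS_OFFSET]
    addr = resolve_pointer_path(proc, "GameLogic.dll", path)
    return None if addr is None else proc.read_u32(addr)


if __name__ == "__main__":
    # Two launches of the "game" with different DLL base and object addresses.
    first = FakeProcess(dll_base=0x6A3F0000, player_obj=0x02B4C9A0, menu_pos=3)
    second = FakeProcess(dll_base=0x71C20000, player_obj=0x03117F40, menu_pos=7)
    absolute = resolve_pointer_path(first, "GameLogic.dll", [0x400, 0x180])
    print("relative path, 1st launch:", read_menu_position(first))
    print("relative path, 2nd launch:", read_menu_position(second))
    print("absolute address from 1st launch reused in 2nd:", second.read_u32(absolute))
```

The `None` return on an unmapped hop is deliberate: a real autosplitter reading a stale path gets a failed ReadProcessMemory, not garbage, and should treat that as "path needs re-finding" rather than as a value.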
nice video, i didnt know about this
but the detour stuff isn't exposed to the autosplitters, is it? And wouldn't reading the values from the game rather use ReadProcessMemory?
Philipp The Cat An auto splitter might want to do something when a function is called, or there might be data stored in TLS that can't be accessed completely externally IIRC.
@@thomhughes4617 Yes, that's what a detour can do, but that isn't really exposed to the asl scripts.
I love this!!!
Fraps and other video recording software uses game hacking techniques too
How? I wanna know. Please
you should really try to avoid using the pointer scan... it's easier and smarter to find a pointer by attaching cheat engine's debugger. In this video you show that the code accessing this variable is `mov [esi+180], edx`. in this scenario it's much smarter to now scan for the value stored in esi and continue this process until the register appears in static memory inside GameLogic.dll. doing this you can be absolutely certain that you have a correct path as you are accessing the variable in the same way the game is accessing it
pwn adventure is my favorite game
pwn adventure is the only game
Pwn Adventures TAS when?
Any good tool for finding pointer paths in Linux?
Honestly, from clicking the video with just the knowledge of the title alone, I thought I was going to see an EZScape or Apollo Legend video.
Just noticed that RUclips has unsubbed me from your channel. Subbed again wtf
Thanks for this video. I don't know what to say more.)
It would've been great if you would've created a livesplit script for any game in this video, to show how to apply the knowledge first hand.
So you saying I can hack by modifying livesplit to change the value instead of read the value?
please continue
Interesting!
Please talk about XIGNCODE
How does bottom up aslr change this
Hi, could you check out the puzzle site ae27ff and maybe show us your thought process while solving? A livestream of this for example would be great!
What the heck, I got unsubscribed somehow? Good thing this showed up in my recommended feed!
when are you making a video game cheat, would be amazing
What did/are you studying?
This is giving me Game Genie flashbacks en.wikipedia.org/wiki/Game_Genie
its not the tools that are harmful, its the people that use them
What is the best way to compile Cheat Engine oneself? Because I want it but I do not trust the exe or the creator for that matter, so I would not only have to compile it myself but become familiar with what is a rather large codebase and know it inside out before deciding to use it, before I can trust it. Can anyone recommend where to start, because it is programmed in multiple languages and idk really how to handle the mess that is the Cheat Engine Github.
the exe is trustable
@@1e1001 Yeah idk man, I found nothing about it to feel trustworthy. I would rather build it myself and know the project before ever dealing with that, because not only does every antivirus go off around that thing, but every website damn near that the creator of it links people to is also riddled with malware, so either it is trustworthy or the creator has pulled the wool over a bunch of people's eyes. I was about to get CE until I went to the forum in which the creator was linking people to different places, and most of the places he was linking people to were sites he created. Alarm bells were screaming all over my computer because he had so much malware all over the place, and we are not talking about CE malware, we are talking god knows what that was triggering all these safe search things.
Something is highly highly shady about CE and its creator and because of that I just can not in good conscience run anything made by him. Wish I could because I love using hex editors but at the end of the day I could likely just create one myself and use it faster than I could learn that mess of a project that is CE.
Factorio best game change my mind
Alexandru Ene Agreed
Alexandru Ene Looking back I should have said "I can't change your mind because it's the truth"
The factory must grow! Go back to your iron mine!
No need to, It is the best game.
My friends ........ There is nothing that cures depression better than 16hours of Factorio a day
nice!
Pwn Adventure 3 speedrun?
game.startCredits();
@@unflexian Not sure about you, but I'd watch it.
Never search for 0 at the start.
Love From India
Can you make video about D3D hooks
that is so interesting.
You rock
But what should i learn to understand all your videos
Can you please explain how to take the entire point scanner results and how to make a CE trainer and attach it to the game process and make it work
I have like 3600 result from point scan and I can't just double click them all XD
Thanks
You can also leave the scan result open and close/reopen the game. Then filter out the wrong ones. And repeat. The list should shrink to a few really nice ones.
Even when actually using Cheat Engine to cheat, discovering the pointer paths is very useful.
I... may or may not have been using Cheat Engine to cheat in Maple Story when I was younger. (Don't judge)
I had no idea how it works, I just downloaded a list of pointer paths with a nice description and there you go. (Typical script kiddie. Rather literally)
Even if you use it for yourself (in single player games, of course), you probably don't want to rediscover the addresses every time. Gets tedious.
On the topic of Maple Story, they ended up separating the European and US server due to so many European cheaters. I think people just didn't really report cheaters. I saw a cheater just slashing at the air and killing mobs, with normal players just standing there and complaining how unfair it is, but not reporting him. (Actually saying they don't want to report him)
Meanwhile, I was watching this unfold from below the map... They couldn't have reported me if they wanted to, but for some reason they didn't even bother reporting that guy...
Inb4 people now accuse every speedrunner for cheating
Can you redo Pwn Adventure 3 series but hack/exploit minecraft. Many views because minecraft popularity right now + the kids that want to go on servers and hack. Anticheat will stop them instantly. If you do this do it on self hosted normal server with no anticheat and fly enabled :/
Hi, my name is Rifqi and I'm from Indonesia, help me sir, currently in my country everyone is playing Higgss domino island, can you make a cheat / mod apk / trick that is not detected and can be used in the game? please help sir, so that our family life can change,,. I hope there is a way or trick / application that you gave...
how come you decided to demonstrate pointer scan with CE rather than reclassex?