1 of 35

Video Game Hacking

https://ucla.zoom.us/j/96080046396

A Brief History

The earliest form of video game hacking.

  • Mainly used for testing purposes
  • Save points
  • Examples:
    • Action Replays
    • Cheat Codes

Peek & Poke

  • Look at the memory at a specific address
  • Modify the memory at a specific address

Online Hacking

  • Artificial Lag
  • Look ahead
  • Aimbot / Triggerbot

What is an aimbot?

“An aimbot or auto aim is a type of computer game bot most commonly used in multiplayer first-person shooter games to provide varying levels of automated target acquisition and calibration to the player.” - Wikipedia

Snaps onto the head of the target, which often results in jerky motion. Additional features may include ESP, triggerbot, etc.

Extrasensory perception (ESP) - allows you to see typically hidden objects

Triggerbot - fires as soon as the enemy is in the line of fire

Internal vs. External Hack

Internal Hack

  • Hard to detect
  • Injecting DLLs into the game process
  • Better performance
  • Calls the game function directly

External Hack

  • Separate process from the game process
  • Needs to gain access to the game's memory through a separate channel
  • Easier to detect and harder to execute

CSGO Demo

  1. Use Multi-Byte Character Set
    1. Project -> Properties -> Advanced
  2. Ensure you are running as admin
    • Project -> Properties -> Linker -> Manifest File -> UAC Execution Level -> Require Administrator
  3. Build solution in Visual Studio
  4. Specify the .dll path in your injector
  5. Launch CSGO with -insecure flag
  6. Inject!

Link to aimbot

Internal Aimbot

Note: offsets may change with each CSGO update; check HazeDumper for the current ones.

Multi-level pointers explained

  • Pointers that point to… other pointers!
  • Often used in games, example: the player!
  • Actor->Player->Health
  • Actor->Player->Inventory->Ammo
  • Bone Matrix (which we will talk about)

Adapted from: C++ What is a Multi Level Pointer? Tutorial | Guided Hacking

What is a handle?

  • In Win32 programming, a handle represents a resource managed by Windows
  • Sort of like a pointer (but you can’t dereference it)

What is a DLL?

  • Dynamic-link library
  • Code can be used by multiple programs simultaneously
  • Useful for games!
  • We can use DLLs to do things we aren’t intended to do
    • DLL Injection!

[Diagram: one DLL loaded by both Process 1 and Process 2]

What is DLL injection?

  • DLL injection – force a process to load a DLL
  • Allows us to run code within the address space of a process
  • Multiple methods in Windows:
    • DLLs in registry key:
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDLLs
    • DLLs in registry entry:
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

At least they’re trying

Sample Injector Concept

Step 1: OpenProcess()

Step 2: VirtualAllocEx()

Step 3: WriteProcessMemory()

Step 4: CreateRemoteThread()

[Diagram: the Host Process at each step, with the injected DLL shown inside it after steps 3 and 4]

Sample Injector Code Overview

  • Sample Code w/ comments: https://paste.ee/p/4k2dB

Method 1: Creating an internal aimbot

Overview:

  1. Find closest enemy to player
  2. Calculate vector from player’s view angle to enemy’s head
  3. Rotate player view angle to that vector

Entity List

[Diagram: the Entity List is an array of entity pointers (Entity* player, Entity* player, ...), with 0x10 between consecutive entries]

Finding closest enemy

  1. Loop through all players in the entity list
    • Get the position of each player
    • Use the Pythagorean Theorem to compute the distance to it

Pitch and Yaw

  • Pitch is look up and down about the x-axis
    • -90° < x < 90°
  • Yaw is looking left and right about the z-axis
    • -180° < x < 180°

Calculating View Angles

  • Draw vector from your head to enemy head
  • Find 𝝰 (pitch)
    • CSGO uses degrees
    • Pitch is negative as you look up

Equation: 𝝰 = asin(z / hypotenuse)

[Figure: A (you) at (-3, -2, 1) and B at (2, 2, -3); each head position is vecOrigin plus the view offset; 𝝰 is the angle between the hypotenuse (the vector from A to B) and its horizontal projection, with z as the vertical leg]

View Angles (cont.)

  • Use same method to find yaw
  • Find 𝞫 (yaw)

Equation: 𝞫 = atan(y / x)

[Figure, top-down: A (you) and B, each at vecOrigin plus the view offset; 𝞫 is the angle between the x axis and the line from A to B, with x and y as the horizontal legs]

How to find enemy head

Bone matrix

  • Array of bone objects
    • Each bone contains xyz coordinates
    • Represents a position on a skeleton
    • Bone matrix
  • Different models have different bone IDs

Bone Matrix (cont.)

  • Bone matrix is defined as a 3x4 matrix
    • Containing 12 float values in total
  • Matrix size is 0x30
  • 0x0C is offset to x-coordinate...

Summary (Internal)

  1. Scan the game to find the closest enemy to the player
  2. Calculate pitch and yaw from the player's head to the enemy's head
  3. Set the player's view angles to the calculated view angles
  4. Define the main method in the DLL

Creating an External Aimbot

Main difference between External and Internal

  1. External hacks require functions like ReadProcessMemory() and WriteProcessMemory()
  2. We need to find the world-to-screen transformation to calculate the distance to aim.

Method 2: Creating an external aimbot (Henry)

Overview:

  1. Attach to the process
  2. Find the closest enemy and get its coordinates
  3. Get the head bone of the player
  4. Calculate the world to screen position
  5. Calculate the view angle to fire
  6. Fire

Establishing a Connection

https://www.youtube.com/watch?v=AgxvGOGkMHk

Unlike an internal hack, we first need to establish a connection with the process.

For this tutorial we will be using NullBase, essentially a library with the functions we will need.

https://github.com/NullTerminatorr/NullBase

The game name needs to be XORed to match the encoded one.

Get the base module address with the getModule function.

Finding the closest enemy

  • Loop through the entity list
  • Get the bone id from the player
  • Convert the world position to a position relative to the center of the screen
  • Calculate the angle needed to move the mouse to the head

What is World to Screen?

The object's position is in 3D world space.

We need to convert it to the 2D screen plane.

Internal hacks have the view angles available, but in an external hack we have to calculate the angles ourselves.

World to Screen / The Angles

When we look at the screen, we are looking at a 2D plane.

There is a line of sight that normally points into the screen.

We need the yaw and pitch of the look-at vector and the yaw and pitch from the camera to the object.

World to Screen

We obtain the relative angles by subtracting the camera-to-object angles from the camera's local (look-at) angles.

After some trig adjustment, the relative yaw lies in the range [-pi, pi].

Converting RelYaw to Screen

RelYaw / (xFov * 0.5) => [-1, 1]

(RelYaw + 1) / 2 => [0, 1]

Lastly, multiply by the width of the screen to get the x position.

RelPitch = RelPitch / (yFov * 0.5)

RelPitch = (RelPitch + 1) / 2 * height

https://www.scratchapixel.com/lessons/3d-basic-rendering/computing-pixel-coordinates-of-3d-point/mathematics-computing-2d-coordinates-of-3d-points

Preventing Hax0rs (Mark)

  • Hackers are mostly a concern in multiplayer games with servers
    • “Never Trust the Client”
  • Most Anti-cheat techniques revolve around using the server to validate player input
  • Ex. rather than having a client report its world position, have it report its inputs to reach that position
    • e.g. “Pressed Forward for 0.5s” instead of “Moved to position (x y z)”
    • Tradeoff with latency
  • Line of sight calculations can help detect wall hacks
  • Limit information to the client
    • Only send what is needed for a given client
    • e.g. don’t send enemy positions when they are in Fog of War (LoL, Dota, etc.)
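
As an added example (not code from the talk or from NullBase), the pitch/yaw formulas from the View Angles slides reused on the server side, where the server does not trust the client's reported aim: it recomputes the angle from the reporting player's head to the enemy head and flags ticks where the view snapped from far off to dead-on in a single tick. The tick format, thresholds and sample values are constructed assumptions, and head positions are assumed to already include the view offset.

```python
import math

# Source-style view angles in degrees: pitch is positive looking down
# (negative looking up, as the slides note), yaw is measured about the z axis.
def aim_angles(src, dst):
    """Pitch and yaw of the vector from head position src to head position dst."""
    dx, dy, dz = (b - a for a, b in zip(src, dst))
    hypotenuse = math.sqrt(dx * dx + dy * dy + dz * dz)
    pitch = -math.degrees(math.asin(dz / hypotenuse))  # asin(z / hypotenuse)
    yaw = math.degrees(math.atan2(dy, dx))              # atan(y / x), quadrant-safe
    return pitch, yaw

def angle_delta(a, b):
    """Signed a - b wrapped into [-180, 180], so 179 and -179 are 2 degrees apart."""
    return (a - b + 180.0) % 360.0 - 180.0

def aim_error(view, src, dst):
    """Angular distance in degrees between a reported (pitch, yaw) and the angle to dst."""
    pitch, yaw = aim_angles(src, dst)
    return math.hypot(angle_delta(view[0], pitch), angle_delta(view[1], yaw))

def flag_snaps(ticks, enemy_head, max_turn=45.0, on_target=1.0):
    """Server-side check (assumed thresholds): a view that turned more than
    max_turn degrees in one tick and landed within on_target degrees of the
    enemy head is flagged. ticks is a list of (tick, player_head, (pitch, yaw))."""
    flagged, prev_view = [], None
    for tick, head, view in ticks:
        if prev_view is not None:
            turn = math.hypot(angle_delta(view[0], prev_view[0]),
                              angle_delta(view[1], prev_view[1]))
            if turn > max_turn and aim_error(view, head, enemy_head) < on_target:
                flagged.append(tick)
        prev_view = view
    return flagged

# Constructed sample: the points A (you) and B from the View Angles slides.
PLAYER_HEAD = (-3.0, -2.0, 1.0)
ENEMY_HEAD = (2.0, 2.0, -3.0)
# Constructed tick stream: one ~160 degree turn that lands exactly on B's head.
SNAP_TICKS = [(1, PLAYER_HEAD, (0.0, -120.0)),
              (2, PLAYER_HEAD, (31.99, 38.66)),
              (3, PLAYER_HEAD, (31.99, 38.66))]
# Constructed tick stream: a gradual, human-looking turn onto the same target.
SMOOTH_TICKS = [(1, PLAYER_HEAD, (20.0, 0.0)), (2, PLAYER_HEAD, (28.0, 15.0)),
                (3, PLAYER_HEAD, (31.99, 30.0)), (4, PLAYER_HEAD, (31.99, 38.66))]

if __name__ == "__main__":
    print(aim_angles(PLAYER_HEAD, ENEMY_HEAD))   # about (31.99, 38.66)
    print(flag_snaps(SNAP_TICKS, ENEMY_HEAD))     # [2]
    print(flag_snaps(SMOOTH_TICKS, ENEMY_HEAD))   # []
```

A real server would also tolerate legitimate flicks by looking at rates over several ticks rather than a single threshold.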

Other Methods

  • Asset validation can ensure clients are not running modified code
    • Checksum to see if there are any modified chunks of code
    • Aggressive kernel-level monitoring (Valorant’s Vanguard system)
  • Human replay review
    • CS:GO’s Overwatch system
    • People are generally pretty good at knowing when someone is hacking vs good at the game
  • Machine learning analysis
    • Valve applies data from Overwatch cases to train ML models to detect cheaters

Your turn...

Download the challenge game here

Some tips

  1. Download Visual Studio
    1. Install .NET Framework for C# development
    2. Use .NET 4.0 Framework
  2. Download dnSpy
  3. Download mono injector
  4. Use starter code

Thank you!

Download the challenge game at acmcyber.com

Attendance Code:

not_responsible_for_your_vac_ban

Sign up for Cyber Newsletter Here!

Follow Studio on Instagram!