In-Memory Hacking / Manipulation - For Games... and potentially other stuff.

Warning! This article is written purely for educational purposes; the author(s) have no intention of using this knowledge for any wrongdoing.

We have all probably heard about e-Sports and how playing PC / console games is now a professional occupation, so I thought it might be worthwhile to write an article about game hacking/tweaking, a fun piece of nerdy knowledge I picked up back in high school. Who knows whether it will have implications in the future?

Applications use RAM / memory to store their data variables, and another process with the right privileges can read and change that data in real time.

In this article we will attempt to "hack" applications / data that run locally on our PCs. To understand this better, here is a quick summary of how apps and RAM work:


  • - Apps need RAM / memory to run. The operating system (OS) allocates it to them.
  • - RAM / memory is like a huge storeroom with lots of lockers; each locker has a unique ID/address (0x01, 0x02, ... and so on). The OS gives each app a set of lockers to use.
  • - Normally each locker (memory address) belongs to one app at a time. Strictly speaking, every process gets its own virtual address space which the OS maps onto physical RAM, so two apps can both "have" an address 0x1000 that refers to different physical memory; deliberately shared memory regions are the exception.
  • - The OS manages the mapping of all (app, memory address) pairs.


Say you've started a game on your PC and the OS has allocated a range of memory addresses to it. Another program can read and modify the data stored at those addresses, provided it has sufficient privileges (typically running as the same user, or as administrator) and uses the OS's debugging interfaces to do so: on Windows, OpenProcess with PROCESS_VM_READ / PROCESS_VM_WRITE followed by ReadProcessMemory and WriteProcessMemory; on Linux, ptrace or /proc/<pid>/mem. This is the same capability a debugger relies on, which is why anti-cheat and endpoint security tooling watch for processes opening handles to other processes' memory.




Let's find a simple browser-based game to try this out.

Browser-based game - Alien Complex

Most web-browser games actually run locally on the PC, so their state lives in the browser's memory on your machine rather than on a server. Here's a link to the game. We will try to hack this simple top-down shooting game.


The hacking software we use here is Cheat Engine, a popular free tool with functions to scan and modify the memory of running processes. It is commonly used for cheating in PC games =)

After installation, the first step is to select the process you want to manipulate. Firefox runs Flash games in a separate "plugin-container" process, so that process, rather than the main firefox process, is the one we select in Cheat Engine: the game's variables live in the process that executes the Flash plugin.



Memory scanning - Locate the correct memory address.

Now let's try to manipulate the ammo for the gun in the game. The bottom-right-hand corner of the screen says there are 28 rounds left. So how does Cheat Engine ("CE") locate the memory address holding the value 28?

One of the crucial functions is memory scanning, which does this: "Given all the memory addresses of the app, find every address currently holding the value 28." CE scans for a chosen value type (4-byte integer by default), so a counter the game stores as a float or as a string would need a different scan setting.



73,630 addresses were found holding the value 28, so we cannot tell which one is the real address of the ammo variable.

CE lets you change the value at an address immediately. We could guess and change some of them, but writing to random addresses may crash the application!

CE has a useful function to track address values over time (the "Next Scan"). So in theory, when the ammo value changes, any address that does not follow the same change can be discarded. The end result is the single correct address holding the ammo value.

  • - The initial scan for the value 28 yields 73k matches.
  • - In the game, take a shot so that ammo drops to 27.
  • - In CE, perform a next scan for the value 27.
  • - Only those of the 73k addresses now holding 27 are kept; we have 248 addresses left.
  • - Repeat the process: in the game, take another shot to reduce ammo to 26, then scan again, and we are down to 1 address.
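The narrowing procedure above, written out as code so the shrinking candidate set can be inspected. This is an added example, not Cheat Engine's code or anything from the original article: it runs the "first scan / next scan" loop over a constructed 64-byte stand-in for the game's memory (the addresses and decoy values in TIMELINE are made up for this example). It also goes one step beyond the article with a "decreased value" variant, which CE offers for cases where the exact number is not shown on screen, and a small freeze() that mimics CE's periodic rewrite of a frozen address.

```python
import struct
from typing import Callable, Dict, List

WORD = 4           # scan for 4-byte integers, Cheat Engine's default value type
MEM_SIZE = 0x40    # a 64-byte toy address space

# Constructed stand-in for the game's memory, snapshot by snapshot: one value per
# address for the moment before any shot, after shot 1 and after shot 2.
# Addresses and decoys are invented for this example, not taken from the article.
TIMELINE: Dict[int, List[int]] = {
    0x04: [28, 28, 28],   # constant decoy, e.g. a level number that happens to be 28
    0x0C: [28, 27, 12],   # follows the first decrement by coincidence, then diverges
    0x10: [7, 7, 7],      # never matches
    0x18: [28, 27, 25],   # another decoy that survives one pass
    0x24: [28, 27, 26],   # the real ammo counter
    0x30: [28, 0, 0],     # matched once, then got overwritten
    0x38: [28, 28, 26],   # skips a step
}
AMMO_ADDR = 0x24


def snapshot(step: int) -> bytearray:
    """Render the toy address space at a given step as little-endian 32-bit words."""
    mem = bytearray(MEM_SIZE)
    for addr, seq in TIMELINE.items():
        struct.pack_into("<I", mem, addr, seq[step])
    return mem


def read_u32(mem: bytes, addr: int) -> int:
    return struct.unpack_from("<I", mem, addr)[0]


def write_u32(mem: bytearray, addr: int, value: int) -> None:
    struct.pack_into("<I", mem, addr, value)


def first_scan(mem: bytes, value: int) -> List[int]:
    """'First Scan' (exact value): every 4-byte-aligned address holding `value`."""
    return [a for a in range(0, len(mem) - WORD + 1, WORD) if read_u32(mem, a) == value]


def next_scan(mem: bytes, candidates: List[int], keep: Callable[[int], bool]) -> List[int]:
    """'Next Scan': drop candidates whose current value fails the predicate."""
    return [a for a in candidates if keep(read_u32(mem, a))]


def narrow(snapshots: List[bytes], observed: List[int]) -> List[List[int]]:
    """Exact-value narrowing as in the article: one pass per observed on-screen value.
    Returns the candidate list after each pass so the shrinkage is visible."""
    history = [first_scan(snapshots[0], observed[0])]
    for mem, val in zip(snapshots[1:], observed[1:]):
        history.append(next_scan(mem, history[-1], lambda v, val=val: v == val))
    return history


def narrow_decreased(snapshots: List[bytes], start: int) -> List[List[int]]:
    """Variant for when the exact number is not on screen (health bars, timers):
    start from a known value, then keep only addresses that strictly decreased
    between consecutive snapshots, as CE's 'Decreased value' scan does."""
    history = [first_scan(snapshots[0], start)]
    for prev, cur in zip(snapshots, snapshots[1:]):
        history.append([a for a in history[-1] if read_u32(cur, a) < read_u32(prev, a)])
    return history


def freeze(mem: bytearray, addr: int, value: int) -> int:
    """CE's 'freeze' is a periodic rewrite, not a lock. Write the value back, then
    return what one game tick would display after decrementing it (ammo - 1)."""
    write_u32(mem, addr, value)
    shown = read_u32(mem, addr) - 1
    write_u32(mem, addr, shown)
    return shown


if __name__ == "__main__":
    snaps = [snapshot(0), snapshot(1), snapshot(2)]
    for i, cands in enumerate(narrow(snaps, [28, 27, 26])):
        print(f"pass {i}: {len(cands)} candidate(s) {[hex(a) for a in cands]}")
    ammo = narrow(snaps, [28, 27, 26])[-1][0]
    print("decreased-value scan leaves", [hex(a) for a in narrow_decreased(snaps, 28)[-1]])
    print("freezing at 100, the next tick displays", freeze(snaps[2], ammo, 100))
```

Run stand-alone it prints the candidate count after each pass (6, then 3, then 1), exactly the shape of the 73k / 248 / 1 sequence in the article. The decreased-value variant is weaker on the same data (three addresses survive), which is why exact values are preferred whenever the game shows them.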



With the memory address of the ammo value located, we can manipulate the value and cheat at the game! Check out the following video. We gave it a value of 100 and froze (locked) it; in the game, shooting makes it drop to 99 but no further.

Interesting Fact to Note

Why does it show 99 on screen rather than 100? Probably because of the sequence the game code runs after each shot:

    MouseClickShoot();
    AmmoNew = Ammo - 1;        // CE keeps writing Ammo = 100
    DisplayAmmoNewOnScreen();  // so the screen shows AmmoNew = 99

This runs after every shot and displays the new value AmmoNew (99) on screen. Note also that CE's freeze is not a lock: it rewrites the chosen value into the address periodically, so between two rewrites the game is free to decrement and display the value before CE restores it.


Applications

In summary, we have seen how easily data in local memory can be read and rewritten. It is important to note that in any software solution we must safeguard sensitive state held locally. There are obfuscation and encryption techniques for masking variables and defeating memory scans: storing a value XORed with a random key, re-keying on every write so the stored bytes change even when the value does not (which also defeats "unchanged value" and "decreased value" scans), and pairing each value with a checksum or MAC so that an external write is detected on the next read. These techniques come with a computation / performance cost, but for critical applications security is far more important. Two caveats a practitioner should keep in mind: local obfuscation only raises the attacker's cost, because the decoding routine and the key sit in the same memory and a debugger will eventually find them; and anything that truly must not be tampered with (scores, currency, session tokens) should be authoritative on the server, with the client treated as untrusted input.
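One way to apply the masking and tamper-detection ideas above, as an added example that is not from the article or from any game or library: an integer holder that keeps its value XORed with a fresh random key on every write and stores an HMAC tag over the encoded word. The exact-value scan from earlier in the article sees random-looking bytes instead of 28, and a write to the encoded word from outside (simulated here by poking the attribute directly) is caught on the next read. Class and method names are this example's own.

```python
import hashlib
import hmac
import os
import struct


class ObfuscatedInt:
    """Holds a 32-bit integer so that neither its plaintext nor a stable byte
    pattern sits in memory. Illustrative only: the key and tag key live in the
    same process, so this raises the attacker's cost rather than removing it."""

    def __init__(self, value: int) -> None:
        self._tag_key = os.urandom(16)   # per-instance key for the integrity tag
        self.set(value)

    @staticmethod
    def _fresh_key() -> int:
        """Random 32-bit mask; a zero mask would leave the plaintext visible."""
        key = 0
        while key == 0:
            key = struct.unpack("<I", os.urandom(4))[0]
        return key

    def _tag(self, enc: int) -> bytes:
        return hmac.new(self._tag_key, struct.pack("<I", enc), hashlib.sha256).digest()[:8]

    def set(self, value: int) -> None:
        """Re-key on every write so the stored word changes even if the value does not."""
        self._key = self._fresh_key()
        self._enc = (value ^ self._key) & 0xFFFFFFFF
        self._mac = self._tag(self._enc)

    def get(self) -> int:
        """Verify the tag before trusting the word; a scanner's write breaks it."""
        if not hmac.compare_digest(self._tag(self._enc), self._mac):
            raise ValueError("memory tampering detected")
        return self._enc ^ self._key

    def raw_word(self) -> bytes:
        """The 4 bytes a memory scanner would see for the value field."""
        return struct.pack("<I", self._enc)


def plaintext_visible(obj: ObfuscatedInt, value: int) -> bool:
    """Would an exact-value scan for `value` (little-endian 4-byte) hit this field?"""
    return struct.pack("<I", value) in obj.raw_word()


def simulate_external_write(obj: ObfuscatedInt, word: int) -> bool:
    """Poke the encoded word the way a Cheat Engine write would, bypassing set().
    Returns True if the next read detects the tampering."""
    obj._enc = word & 0xFFFFFFFF
    try:
        obj.get()
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    ammo = ObfuscatedInt(28)
    print("stored bytes:", ammo.raw_word().hex(), "visible as 28:", plaintext_visible(ammo, 28))
    before = ammo.raw_word()
    ammo.set(28)                              # same value, different bytes
    print("re-keyed on write, bytes changed:", ammo.raw_word() != before)
    ammo.set(27)
    print("reads back:", ammo.get())
    print("tamper detected:", simulate_external_write(ammo, 100 ^ ammo._key))
```

The tamper check defends against a blind write to the encoded word; an attacker who also locates and rewrites the tag, or who patches get() itself, is not stopped, which is the point of the caveat above about treating the client as untrusted.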

