In this article we will attempt to "hack" applications / data that runs locally on our PCs. To understand this better here's a quick summary of how Apps / RAM works:

• - Apps need RAM / Memory to run. Amount of RAM is allocated by Operating System (OS).
• - RAM / Memory is like a huge storeroom with lots of lockers - each locker has an unique ID/address 0x01, 0x02, ... etc. OS will allocate Apps to a set of unique lockers to use.
• - Each locker (memory address) can assign to 1 App at anytime.
• - OS will manage mappings of all the (App, Memory address) pairs.

Say you've started a Game application on your PC. OS has allocated a chunk of memory addresses for it. We can have another program (with sufficient system accesses + codes to communicate with OS) that access and modify data stored under these memory addresses.

Lets find a simple Browser-based game to try this out.

Browser-based game - Alien Complex

Most Web Browser games actually runs locally the PC. You can search the game on Google here. We will try and hack this simple Top-down shooting game.

The hacking software we use here is Cheat Engine, a popular free software with functions to access/modify memory addresses for running Apps. It is commonly used for cheating in PC games! DANGER: Most operating system, anti-virus software will flag Cheat Engine as Virus, use it at your own risk!

After installation, the first step is to select the application you want to manipulate. Firefox runs Flash games in a "plugin-container process", so we "select" this process from Cheat Engine.

Memory scanning - Locate correct memory address.

Now lets try to manipulate the Ammo for the Gun in the game. On the bottom-right-hand corner of screen, it says there are 28 ammos left. So how does Cheat Engine "CE" locate the Memory address holding the value "28" ?

One of the crucial function is Memory Scanning, which does this: "Given all the memory addresses for the App, please help to locate address holding value of 28"

73,630 addresses were found holding value 28, we wouldn't know which is the real address for the Ammo variable.

CE allows you to make immediate changes to the value on the address. We can guess and make some changes, but randomly changing addresses may Crash the application!.

CE has a cool function to keep track of address values over time. So in theory, when Ammo value changes, addresses that does not follow the delta can be ignored. End result is leaving the only 1 correct address representing the Ammo value.

• - Initial scan of value 28 yield 73k matches.
• - In the game, take a shot and ammo drops to 27.
• - In CE, perform a scan now with value of 27.
• - Any of the 73k addresses with 27 value will be stored, we have 248 addresses left.
• - Repeat the process - In game, take shot and reduce ammo to 26, then perform scan, and finally we are down to 1 address

With the memory address located for the Ammo value, we can manipulate the value and cheat on the game! Check out the following video. We gave it a value of 100 and locking it.. In game, shooting will make it drop the 99 but not any further.

Interesting Fact to Note

Why does it show 99 on screen, but not 100 ?? This is probably because of game code sequence:

MouseClickShoot();
AmmoNew = Ammo - 1; // we are forcing Ammo=100
DisplayAmmoNewOnScreen();
is called after making a shot and then it displays the new value AmmoNew (which is 99) on Screen.

Applications