Hacking a game with DLL injection [Game Hacking 101]
Vložit
- čas přidán 27. 08. 2024
- Implementing a game hacking trainer for Age of Empires by using Dynamic Link Library (DLL) injection. The injected DLL enables the player to toggle the "reveal map" and "no fog" cheat codes on and off by pressing the F6 key.
DLL injection is a useful technique, used by game hackers and malware authors alike. The DLL injection process enables you to force some process into running your own code. Once the process is running your code, you can do and access anything that the main process can.
🎮 Game Hacking 101 Playlist ➝ • Game Hacking 101
👮 Fair use of copyrighted material in the context of Age of Empires (video game); en.wikipedia.o... / en.wikipedia.o...
⛔ Material presented for offline learning purposes only. No content regarding modern online games or detection bypass techniques will be discussed.
🏆 The 247CTF channel is dedicated to teaching Capture The Flag fundamentals. If you want to improve your technical skills and succeed in Capture The Flag competitions, make sure to subscribe!
🏁 The 247CTF is a free Capture The Flag learning environment where you can improve your technical skills by solving challenges and recovering flags. You can join now for free at 247CTF.com/.
📺 Subscribe for more Capture The Flag videos!
🏆 Solve CTF Challenges ➝ 247CTF.com/
🐦Stay up to date ➝ / 247ctf
🥰 Support the 247CTF ➝ / 247ctf
💬 Discuss and learn ➝ / discord
📌Free flag ➝ 247CTF{9719c5ddf317154473d334f47a77ac6a}
📝 Icons made by Freepik & Monkik from Flaticon.com
🚨 247CTF’s channel videos are intended for educational purposes only. Methods and techniques discussed are not to be used for illegal activities against unauthorised systems.
![Reverse Engineering hidden game cheat codes [Game Hacking 101]](http://i.ytimg.com/vi/w7gBkVXuDSQ/mqdefault.jpg)
![Reverse Engineering hidden game cheat codes [Game Hacking 101]](/img/tr.png)
🤖🤖🤖 Who knew malware authors and game hackers aren't so different after all? 🤖🤖🤖
Hey, Do you have any plan to give your programming course on YT? It seems you have deep skills of hacking so please share so that we can also learn.
NOTE: if you're trying to DLL Inject an 32 bit game, compile the code AND the DLL in 32 bit. This will save you A LOT of debugging hours.
PD: Very nice tutorial! thanks to you i was motivated to pickup a very old project, which extends the functionality of an old but loved game of mine (Burnout Paradise)
This is actually one of the best tutorials I have ever seen. Short, clear and perfect pace
Thanks!
For you to copy and paste LMAO
all them scriptkiddies@@aidan41
feedback: you have an icon for a questionmark and a checkmark. whenever you come up with an idea, you use the checkmark, as if you had already finished the execution of said idea. it would make more sense to introduce a lightbulb or a though bubble icon whenever you talk about a new concept/idea.
Thanks for the feedback! Now if only I could draw..
@@247CTFI have the same problem😂
Cheers dude! I'm currently writing a mod engine for a game with a friend and because of you i can start learning c++ the way i like (by doing stuff) :D
i watch dll injection tutorial for "educational" purpose 😏
Script kiddie
@@schittPosts101 no worry kid, i got the *C programming language👍👌* directly into my brain, with a lot of cafeine lol
@@darkfllame LMK when you go straight to the diet coke to finish by deadline xD
@@schittPosts101 okay xd, i'm making a programming language with zig and don't really have a deadline so anyway
@@darkfllame i code in pure binary im better then you
So why do you need to use the WriteProcessMemory and ReadProcessMemory functions? The DLL is running directly in the memory of our game so. Why are we not able to treat the address like a pointer and directly write/read to it?
Good point! As long as we can write to that memory location we can use more native functions. WriteProcessMemory handles some of the leg work for us automagically if it's not, so for a beginner video this was an easier approach!
Thank you for your answer. I really enjoy your videos. Keep up the good work!
@@dasphantom0439 Thanks, will do!
Nice video! A few criticism that I hope to be constructive: I would point out why you created a thread after the injection. I would say that writing with pointers is cleaner and gives the viewer a better understanding of whats going on but doesn't really matter
Great point! I'll use pointers moving forward, a few people have made a similar comment.
How do you locate the address of the patch without knowing it in the first place? And how do you know what values to overwrite it with to achieve the function you want?
This is where the previous part comes in. Before U inject a dll, u should use cheat engine to make a script. With Dat script, u can then see the bytes of the new opcodes and the adress changed, and there's ur answer
That's right - there is a playlist for the series, if you watch it in order the current video (usually) builds on the previous one.
Great tutorial!
I wonder what machine you used to test the DLL injection, because I'm running into a problem with CreateRemoteThread(). Both my DLL and Injector are 32bit running on Windows 10 and I received Access Denied Error with the function. :((
The code in the video is 'bad', there is no error checking on the responses from the function calls - you should start there and use GetLastError to try and find the problem. If you have an EDR or similar running on your system, that may be blocking these types of calls too.
Let's say a game is running in unreal engine, and want to access the debug console. However, after injecting my script, and checking the log Im told console wasnt able to be reenabled due to code not being present. Is the code set by the devs, or is it more of a universal code? Also could you say examine the executable in a hash editor and maybe discover said code? Like it has to be in a mem block at some point right?
Don't know much about Unreal Engine - good luck.
nice video. Just found out about your channel. You surely deserve more recognition. I hope it comes eventually :)
I hope so too!
Wouldn't piggybagging on one of the existing dll's be better? So for example it probably uses winmm.dll or some d3d dll. If you put that in the same directory as the executable; it'll get loaded first. You stub/forward all the functions and put your own stuff in one of the ones that gets called. That way you don't need admin elevation to inject yourself into the other process
That is another option sure, but you don't need admin rights to inject into another process you own
instead of using hardcoded patch size you could utilize vectors which automatically resize themself to match the contents required space :)
(and why not use an unsigned long long (uintptr_t) for the patch address? It wont be negative and can get really big if you have a lot of RAM available)
Edit: The amount of ram doesnt really matter, its because of the userland virtual address range
TIL, thanks!
hey can anyone help me hack state of survival game its only p2p and its server sided or if anyone knows how to cheat in sos or inject using tools
@@muhammadziyad3648 if the game is fully server sided than there highly likely won't be a lot of useful stuff you can do from the client side. Would recommend to take a look at package modifying or in case you just want to cheat in that one specific game without actually caring about learning that type of stuff, let it be.
can you guide me about package modifying cause i want to hack a specific server sided game @@tacillo
I compiled a test dll with visual studio 2022, and the exe is crashing with 0xc000007b error on start, what I am doing wrong?
"The error code means an invalid image format. Specifically, you are attempting to start an application which is designed to run on 64-bit operating system. But your computer is running 32-bit Windows."
Just wanna say your videos are great they combine two great things and hacking the game is just getting your money's worth.
Thanks for the feedback!
How do you find out what patches you need to do?
i.e. at 7:00, where did you get all the data for the memory hacks?
Take a look at the previous videos in the series for context!
Nice stuff, but you don't actually need to read the original game bytes to toggle the trainer on/off... use the power of XOR :P
Awesome tip! This is a good improvement to the trainer for sure! Will implement this in the next video!
Thank you so much I finally understand how byte patching works
Gonna have to rewatch this video. The info here is too good to pass up.
Earned a new subscriber. Nice video!
Hey, nice video, I am a total noob with C++, in the Injector.cpp file, on line 28, what is the full line? I tried to figure out that myself but I had no success. Do you mind helping? :D
Code is in Patreon
I hope you still read the comments.. At 05:39, why did you use write process memory instead of memcpy or so, the dll is already executing in the game's memory space, so how come?
No real reason, Windows error codes could be more useful if I handled them. I use memcpy in a different video and someone asked in the comments if I could also use WPM, so I did that in this video instead.
@@247CTFyeah fair. Thanks a bunch for clarifying it
feedback: whenever you talk about states or a procedure, i state machine graph would look even cooler.
Thanks for the feedback! Do you have a timestamp for an example?
@@247CTF 7:54 sure, it's just three simple steps, but it feels like you're going into more complex examples in the future with these "our program will do this/that" explanations.
I thought windows will always give you random memory addresses, but you apply patching to the same address all the time. I don't get it.
It's a virtual address, not a physical one. So it doesn't depend where into the RAM the process is loaded, it always sees itself with the same addresses.
@@misch2 what do you mean sees itself, when he specifies the exact address. Try to define a variable and it will have different addresses on each run, even if it's virtual memory.
Depends if the binary / DLL is compiled with ASLR or not
hey I wanna inject a modded directX dll into a game to force it to run on a lower feature level GPU..
How can I force the game to use it rather than the one in sys32
Is injection the solution? because your injector ran after the game opens
But the game in my case doesn't open because it detects a lower FL
It depends a bit on the application.. You might need to binary patch, might not: learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order
You could also try a loader like DxWnd
feedback: i find the music a tiny bit too distracting. maybe lowering it like 30% would help. but maybe that's just me.
Thanks for the feedback! Will lower the background sound in the next video!
can i deal with mono.dll like you used the LoadLibraryA and run it in thread inside the target process but i will use for ex mono_get_root_domain ???
You want to do this with .NET? You can achieve a similar effect but the process is slightly different, there are some examples on GitHub you could check out. The bonus is .NET makes the reversing step easier (usually).
Nice tutorial !. It's possible to inject a .Net Framework DLL ?. Thx
Yes, it's a different method but you can - there are a few projects from GitHub that will show you how this works
Hey yall remember if your directory uses '\'. just make it a raw string like : R"(your string here)";
2:53 i cant see full line of code for hProcess :skull:
💀
💀
@@tr1ngle Be a patrion and get it all there. do yall not listen XD
Also your inner loop for testing is way faster this way.
🥷
hey can anyone help me hack state of survival game its only p2p and its server sided or if anyone knows how to cheat in sos or inject using tools
Is it possible to do this in an online games like ragnarok online?
It is but you may be banned ;-)
Great video!
Thanks!
whats the differnce how dll injector and lua injector work
Don't know much about lua injectors, I would guess it's injecting lua script instead of compiled code?
Is it always possible to inject DLL into a process?
I would expect most modern games would either prevent or detect this naive injection approach. There are methods to block direct DLL injection, but if you can install kernel drivers you could still achieve the same effect! We can explore this in a future video!
Can this be done for Age of Empires II: The Conquerors?
Probably something similar, I've never looked..
@@247CTF I have already tested time ago and it works.
Thank for the video, but can you share your code ? i tried to do but do not understand why it does not work. iam on win10 x64.
5:48
Thanks for your information and useful video.
Does anyone have an edited dll file which I can toggle in-game while playing?
When you say toggle, do you mean toggle functionality on/off or toggle the DLL being injected/not injected?
@@247CTF functionality I meant. I found some dll injector tools more useful than the one I built but it causes heavy lag in-game, may be the dll file doesnt work well in win 10
@@phamquochung4908 Sleep might help you out, depending on what you are trying to do. Failing that, the next video in the game hacking series will include functionality toggles so you can see how that works!
do you give me code in video ?
It's available for Patreon supporters, but all the code is shown on screen
@@247CTF no not "ALL the code" since you cut out hProcess..
@@TibiaOTarena Lmao
Can you share for me code?
you can find the code in his patreon
🙏
Good. I wait for love from you 💝💖
@Wanna Chill Yeah, but that are they phishing for? Just views? They all have the same playlists with the same league of legends gameplay videos with sex thumbnails.
Can I hack fortnite vbucks?? Pls answer
Possibly?
Probably not.
Because they're stored on a server, the way the program works in this video is editing your local machine's memory
@@SkyenNovaA Send a request to the server. That might work
Really nice 👌 😍💋 💝💖❤️
Typical Gamehacker