Hacking a game with DLL injection [Game Hacking 101]

Captions
In the previous video of this Age of Empires game hacking series, we binary patched the main game executable in order to create a permanently modified version of the game binary which always has cheats enabled, specifically for this series the reveal map and no fog cheats. If you haven't watched that video, go take a look now, because in this video we are going to take the next step. Rather than binary patching and messing with the game executable directly, we are instead going to solve this problem in a more dynamic and less disruptive way using dynamic link library, or DLL for short, injection.

Why? Well, for an old game which isn't being updated, binary patching is unlikely to cause any real issues. But what happens if the game is updated and our patches are overwritten by the update? What happens if some anti-cheat checks are verifying the hash sum of core game files? Or, even simpler, what happens if we have a number of cheats and we want to be able to enable and disable them at specific times? In this specific case, for such an old game, these are theoretical problems for our binary patching solution, but let's over-engineer something anyway using DLL injection to create an Age of Empires trainer.

Before we get into the details, we first need to understand what DLL injection actually is. DLL injection is a useful technique used by game hackers and malware authors alike. The DLL injection process enables you to force some process into running your own code. Once the process is running your code, you can do and access anything that the main process can. This is really useful for us, right? We want to be able to modify how the process executes on the fly, and DLL injection allows us to do just that.

There are a number of ways that DLL injection can be performed, some of which are noisier and easier to detect than others, but for our use case let's keep it simple and have our injection work like this. First, we want to find the Age of Empires process ID based on the binary name of empiresx.exe. This is the process which we will be injecting into. We can find this process ID by enumerating over each running process and comparing the name of the executable file for the process with the process name we are searching for. Assuming only one instance of the game is running and that the process name is unique, once we find a match we have likely found the process ID for the game. Now that we have the process ID, we can open a handle to that process, allocate memory for the DLL, write the name of the DLL into the Age of Empires process, then create a new remote thread to actually execute the DLL. Ignoring error codes, and after some cleanup, that's it for the injection step. That's all we need to do in order to be able to execute code from within the process space of another application.

But what code are we executing exactly? We just set up the injector, but we don't actually have a DLL to inject. What happens when we inject a DLL anyway? Well, like most things, it sort of depends, but with our injection approach we will be attaching the DLL directly to the Age of Empires process and creating a new thread. When a DLL is attached to or detached from a process like this, a specific DllMain entry point is called, so DllMain is where we need to set up the brains for our trainer. This DllMain function is what will get called when we inject into the game and then start our thread, and from here we can start messing with the way the game executable actually works.

Let's first create a test DLL to make sure our injector works as expected, and then we can also see some simple DLL injection in action. This test DLL will alert with a Windows message box once it is executing from within the Age of Empires process space. The DLL will also look for the user pressing the F6 key; every time this key is pressed, a Windows message box will pop up again. If we compile the DLL, compile the injector, run the Age of Empires game and then perform our injection, we can see that the DLL injection process works as expected. We have successfully injected a DLL into the game process. When the DLL is first injected we can see the message box, and then every time we press the F6 key from within the Age of Empires game we see the message box pop up again. This is really useful, right? We can use that F6 key as a cheat toggle: every time our injected DLL identifies that the F6 key has been pressed, we can toggle our reveal map and no fog cheats on and off.

Now that we know the DLL injection process is working, we can start actually working on making our trainer more useful. In this case, more useful means enabling functionality which will binary patch and unpatch the live game process in memory while it's running. In order to do this, the injected DLL needs to be able to read from and write to bytes, so let's create that functionality and also set up a simple data structure for our memory hacks. All source code created as part of this game hacking YouTube series will be available to 247CTF patreons. If you enjoy this channel, want easy access to the source code and support content creation, take a look at the Patreon link in the video description below.

For our memory hack data structure we need to store a few things: the address where we want to write data, which is the location of our patch address which we found in a previous video; the data we want to write to that location, which is our game patch; and the current data stored at the location before the patch, which is the original unmodified game functionality. Once the data structure is defined, we can initialize the data for our memory hack. Specifically, we need to set up the locations and patch bytes for each of the game draw functions we found previously: patches for revealing tiles on the main map, revealing objects on the main map, removing fog of war on the main map, revealing tiles on the minimap, and lastly removing fog of war on the minimap.

In order to be able to toggle our hack on and off we need to store the original game data. By storing the original game data, our toggle can write either the patched or the original bytes each time the F6 key is pressed. In order to do that, we first need to read the current original data stored at the patch address before we override it. Now that everything is initialized and set up, we also need to create our actual patching function. Depending on the toggle state, our patch function will enumerate over each memory hack, then modify the game bytes to either patch or unpatch the game. Once the patch has been applied, we'll also toggle the patch state; that way we can track progress and apply the right patch next time this function is called.

To recap, the process flow of our trainer is as follows: create an injector to inject our trainer DLL into the Age of Empires process; once injected, store the current value of the bytes stored at the patch address, which are the original unpatched bytes for the game; wait for instructions from the player to toggle the reveal map and no fog cheats on and off by pressing the F6 key. So, ignoring error codes again, let's test it out. Let's compile the trainer, start an Age of Empires game and inject the DLL into the process. Our DLL is injected, but we can see that nothing has changed in the game world. But if we press the F6 key, we can see that the no fog and reveal map cheats are now toggled on in the game world. Looking at the patch address for revealing the tiles on the main map directly in a debugger, we can also see that the patch bytes have been applied to the binary on the fly as expected. The benefit of this approach being that we are now performing this patching without affecting the main game binary on disk, and we can also use this same DLL injection technique for the next video in this game hacking series too, which will focus on adding resource hacking capabilities to our trainer as well.

There is a disadvantage, though, of performing our toggle hack this way, which we can see when we toggle the cheats back off by pressing the F6 key again: the minimap, and also the main game view if we don't move our mouse, haven't been restored properly to their unpatched state. This is because we are not directly triggering a redraw of the view; we are just patching bytes within redraw functions, which means that the state of the view as it's seen by the player is not always being updated. However, we can see that when we move our mouse around the main game view, or if the diplomatic stance between players is changed, this does trigger a redraw of the game world, which then directly updates the player's view in both the main map and the minimap. This bug in our trainer could be fixed by directly triggering a redraw of the game world after toggling our patch, but that's a topic for another reversing video.

If you made it this far, thanks for watching. It really helps the channel grow if you comment, like and subscribe below. Also, if you are interested in solving capture the flag challenges across a range of traditional jeopardy-based categories, including reverse engineering, make sure to check out 247ctf.com.
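The memory hack data structure and the F6 toggle function that the transcript describes (store the address, the patch bytes and the original bytes; capture the originals once; then alternate between writing patch and original), as an added C example that is not 247CTF's code. The addresses and patch bytes are constructed placeholders pointing into a local buffer rather than the real game draw functions, and the Windows page-protection step the injected DLL would need is marked as an assumption in a comment rather than implemented, so the example compiles and runs anywhere.

```c
/* Toggleable in-memory patch set for a trainer DLL (added example, not
 * 247CTF's code). Addresses and patch bytes are constructed placeholders;
 * the real ones came from the earlier reversing videos. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_PATCH_LEN 8

/* One memory hack: where to write, what to write, what was there before. */
typedef struct {
    uint8_t *address;                   /* patch location inside the game */
    uint8_t  patch[MAX_PATCH_LEN];      /* cheat bytes */
    uint8_t  original[MAX_PATCH_LEN];   /* saved before the first write */
    size_t   len;
} MemoryHack;

typedef struct {
    MemoryHack *hacks;
    size_t count;
    bool patched;   /* current toggle state */
} Trainer;

/* Save the unmodified bytes at each patch address before touching them.
 * Inside the real process these reads hit live game code; here they read
 * whatever buffer the caller points the hacks at. */
void trainer_init(Trainer *t, MemoryHack *hacks, size_t count) {
    t->hacks = hacks;
    t->count = count;
    t->patched = false;
    for (size_t i = 0; i < count; i++)
        memcpy(hacks[i].original, hacks[i].address, hacks[i].len);
}

/* Called on every F6 press: write the patch bytes if currently unpatched,
 * restore the originals otherwise, then flip the state. Assumption: in the
 * injected DLL the target page must first be made writable (VirtualProtect
 * on Windows); that step is left out so the example compiles anywhere. */
bool trainer_toggle(Trainer *t) {
    for (size_t i = 0; i < t->count; i++) {
        MemoryHack *h = &t->hacks[i];
        memcpy(h->address, t->patched ? h->original : h->patch, h->len);
    }
    t->patched = !t->patched;
    return t->patched;
}
```

Because the originals are read before the first write, a third toggle after the second restores the same patch again, which is the behaviour the transcript relies on for repeated F6 presses.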
Info
Channel: 247CTF
Views: 80,925
Keywords: Capture The Flag, Computer Security, CTF, Game hacking, Age of Empires, DLL injection, Dynamic Link Library injection, How to hack a game, Hacking age of empires, How to hack game of empires, reveal map cheat, no fog cheat, windows, game hacking, windows game hacking, how to hack a game, game hacking basics, hack age of empires, age of empires hack, game hacking tutorial, game hacking for beginners, binary patching
Id: KCtLiBnlpk4
Length: 10min 58sec (658 seconds)
Published: Thu Jan 14 2021