I spent four years developing game hacks (2006–2010); it is a precious experience in my life. I can still remember days spent 10 hours continuously in front of the computer debugging games, analyzing anti-cheats, and writing anti-anti-cheats. Wholeheartedly devoted to a goal: if you run into a problem, google it, ask about it, learn whatever is needed, and repeat until the goal is achieved. That is my definition of the hacker's spirit.
I learned many hacking techniques in those four years: analyzing disassembled code, debugging, data structure reconstruction, packing/unpacking, function hijacking, rootkits, etc. I don't have enough time to explain them all here; I will just list the major game hacks I have written and mention the core techniques used.
- Transparent walls: hook OpenGL API calls such as glDisable and glCullFace.
- The "dot" on the head, the bracket, and the aimbot: read the player entity data structure, map 3D world coordinates into 2D screen coordinates, then draw or aim.
- Anti-screenshot: the anti-cheat had become smart; an admin could send a message to the client forcing it to take a screenshot and upload it to the server. I hooked the related function and disabled all visual effects before the new frame was rendered and the screenshot taken.
- Speed hack: the player can run n times faster; hook the WinAPI QueryPerformanceCounter.
- Anti-anti-cheat: the anti-cheat client kept updating and my hack also kept updating. It was a continuous battle. The anti-anti-cheat flavor of my hack was like "building a house over rocks", compared to another more "thorough" way: analyze the authorization encryption of the anti-cheat client and simulate a fake anti-cheat client.
- I built an authorization system for this hack, and hired two people to advertise and sell it.
- It was the best anti-anti-cheat hack for Counter-Strike in China. You can still find some content about it via Google.
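A defender-side counterpart to the speed hack and function hijacking described above, added here as an example and not code from the post: the check an anti-cheat runs to tell whether the entry of an API such as QueryPerformanceCounter has been overwritten with a trampoline. The helper names are hypothetical and the byte samples are constructed; nothing reads live process memory, so it compiles on any platform.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Hypothetical helper (not from the post): classify the first bytes read
   from an exported API such as QueryPerformanceCounter by the trampoline
   patterns an inline hook leaves at the entry point. */
typedef enum {
    HOOK_NONE = 0,
    HOOK_JMP_REL32,   /* E9 rel32 */
    HOOK_JMP_REL8,    /* EB rel8: hot-patch jump into the padding before the function */
    HOOK_JMP_ABS_IND, /* FF 25 disp32: jmp [slot] with a 32-bit absolute slot */
    HOOK_PUSH_RET,    /* 68 imm32 C3 */
    HOOK_MOV_RAX_JMP  /* 48 B8 imm64 FF E0 (x64) */
} hook_kind_t;
/* base is the address the bytes were read from; *target receives the
   address control is diverted to, or 0 when no trampoline is recognised. */
hook_kind_t classify_prologue(const uint8_t *p, size_t len,
                              uint64_t base, uint64_t *target)
{
    uint64_t t = 0;
    hook_kind_t kind = HOOK_NONE;
    if (len >= 12 && p[0] == 0x48 && p[1] == 0xB8 && p[10] == 0xFF && p[11] == 0xE0) {
        memcpy(&t, p + 2, 8); kind = HOOK_MOV_RAX_JMP;
    } else if (len >= 6 && p[0] == 0xFF && p[1] == 0x25) {
        uint32_t slot; memcpy(&slot, p + 2, 4); t = slot; kind = HOOK_JMP_ABS_IND;
    } else if (len >= 6 && p[0] == 0x68 && p[5] == 0xC3) {
        uint32_t imm; memcpy(&imm, p + 1, 4); t = imm; kind = HOOK_PUSH_RET;
    } else if (len >= 5 && p[0] == 0xE9) {
        int32_t rel; memcpy(&rel, p + 1, 4);
        t = base + 5 + (int64_t)rel; kind = HOOK_JMP_REL32;   /* rel32 is IP-relative */
    } else if (len >= 2 && p[0] == 0xEB) {
        t = base + 2 + (int8_t)p[1]; kind = HOOK_JMP_REL8;
    }
    if (target) *target = t;
    return kind;
}
/* Convenience wrapper returning only the diverted-to address (0 if clean). */
uint64_t hook_target(const uint8_t *p, size_t len, uint64_t base)
{
    uint64_t t; classify_prologue(p, len, base, &t); return t;
}
/* Stronger, pattern-free check: the entry bytes in memory must equal the same
   export's bytes in the DLL image on disk (after applying relocations). */
int prologue_matches_image(const uint8_t *mem, const uint8_t *disk, size_t n)
{ return memcmp(mem, disk, n) == 0; }
/* Constructed samples: a clean hot-patchable prologue (mov edi,edi; push ebp;
   mov ebp,esp; sub esp,0x10) and the same entry after a 5-byte jmp was written. */
static const uint8_t CLEAN[]  = {0x8B,0xFF,0x55,0x8B,0xEC,0x83,0xEC,0x10};
static const uint8_t HOOKED[] = {0xE9,0xFB,0x0F,0x00,0x00,0x83,0xEC,0x10};
```

The pattern check catches the common trampolines quickly, while the image comparison catches anything else; production anti-cheats run both and additionally verify that the diverted-to address lies inside a legitimately loaded module.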
This game is similar to the famous Defense of the Ancients, but uses the setting of Romance of the Three Kingdoms, the first of China's five great works of traditional prose fiction. That's why I like it!
It's a little messy and has a lot of Chinese characters which you may not understand, but don't worry, I will explain :)
- We are in the debug mode of the hack; the red words are part of the object entity (memory address, name, blood) for debugging use.
- This hack is a maphack which displays player information on screen, and can automatically trigger attack actions with its built-in naive AI.
- Worth mentioning: it was the first hack for this game. I had no documentation but reverse engineered everything by myself.
- The server of this game also had some bugs in packet verification, so I also created a gold hack and could enter a "secret map". Anyway, I did not release them :)
- I built an authorization system (taken from the Counter-Strike project) and an activation system in ASP, and sold it to 200+ users.
Warcraft III Hack
Such a wonderful game! This screenshot is of a maphack which reveals the hidden units under the fog of war. There are a lot of war3 maphacks on the internet; mine is particularly interesting in one respect.
- Anti-detection: there are a lot of anti-cheat platforms for this game. For example, Holdfast, ZMR and VS are from China, and Garena is for worldwide gamers. I wrote platform-dependent anti-detection. Worth mentioning, Garena uses rootkit driver protection (the driver has ring0 privilege in Windows, so user-mode hacks can hardly work against it). So I also wrote a driver using an SSDT hook to disable the protection.
Anyway, maphacks are not that interesting overall. I brought a dead war3 exploit back to life.
This is how the old exploit worked:
- War3 had a bug in checking the consistency of the script section of the map file, so people could use a modified map while playing with other players using the standard map.
- Some functions in the war3 JASS scripting language can change shared variables (possibly gold), such as StoreInteger and SyncStoredInteger.
Then Blizzard fixed this bug: the script sections of different players' maps must be the same. Exploit dead!
This is how I brought it back:
- The JASS scripting language must have a translator built into War3 to understand the script and dispatch parameters to the different built-in functions.
- I hacked the translator, found the correspondence between each script function and its real binary implementation, and hooked them.
Well, I didn't publish this hack, but I did have a lot of fun with my friends using it. This hacking method should still work for the current war3 version.
I have some other hacks, but due to time limits I can't write them all out. I hope you enjoyed my sharing of experience :) Discussions welcome!