Bootdisk

Cheap Game & Reversing Programming

Monthly Archives: October 2010

First step: analyzing the client

The first thing to do when you want to write a hack for a game is to analyze the client files.

I always try to find the lazy solution for every game: monitor the screen and send input commands.
That is a common approach to writing a hack/tool/etc. However, it requires your computer to be “stacked”, and if the game has a protection you won’t be able to do this.

If you still want to do something based on the screen, then you need to research the game’s rendering system. Why the rendering system? Because you can write a proxy DLL and intercept the drawing calls, for example OpenGL’s. On Quake I, II and III and on Half-Life this was the most common way of doing colour-based bots (aka aimbots) and wall hacks. What’s the purpose of a proxy DLL? How does it work? A proxy DLL is a DLL that sits between the game’s rendering code and the real rendering DLL. OpenGL uses “opengl32.dll”, so our DLL is also going to be called “opengl32.dll”. IMPORTANT: YOU DON’T NEED TO REPLACE THE ONE UNDER WINDOWS\SYSTEM32; you just need to copy your proxy DLL to the same path as the application.

This DLL has to do three things:

  • Load the real “opengl32.dll” from WINDOWS\SYSTEM32
  • Export the same functions as the real DLL
  • For every function, call the corresponding function in the real DLL

This takes some time, but once you have it done you will be able to do at least a wall hack.
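The proxy-DLL trick above works because Windows resolves most DLL names by searching the application’s own directory before System32. The same fact gives a defender (or an anti-cheat author) a cheap check: any file in the game folder whose name collides with a DLL the game is supposed to load from System32 deserves a look. The following script is an added example, not code from this post; the list of “system” DLL names it watches for is an assumption chosen for the example, and the game folder it scans is constructed in a temporary directory.

```python
"""Flag a proxy DLL shadowing a system DLL in an application directory.

Added example, not code from the original post. The DLL names in
SYSTEM_DLLS are an assumption for this example; a real check would use the
list of imports the game actually resolves from System32.
"""
import os
import tempfile
from typing import Iterable, List

# Assumption: DLLs this application should only ever load from System32.
SYSTEM_DLLS = {"opengl32.dll", "d3d9.dll", "dinput8.dll", "winmm.dll", "version.dll"}


def find_shadowed_system_dlls(filenames: Iterable[str],
                              system_dlls: Iterable[str] = SYSTEM_DLLS) -> List[str]:
    """Return the names in `filenames` that collide with a system DLL name.

    The comparison is case-insensitive because Windows file names are.
    """
    wanted = {name.lower() for name in system_dlls}
    hits = [name for name in filenames if name.lower() in wanted]
    return sorted(hits, key=str.lower)


def scan_app_dir(app_dir: str, system_dlls: Iterable[str] = SYSTEM_DLLS) -> List[str]:
    """Scan one directory (non-recursive) and report shadowed system DLLs."""
    names = [entry.name for entry in os.scandir(app_dir) if entry.is_file()]
    return find_shadowed_system_dlls(names, system_dlls)


def demo() -> List[str]:
    """Build a constructed game folder holding a proxy opengl32.dll and scan it."""
    with tempfile.TemporaryDirectory() as game_dir:
        # Constructed contents: one executable, one proxy DLL, two data files.
        for name in ("game.exe", "OpenGL32.dll", "data.pak", "readme.txt"):
            with open(os.path.join(game_dir, name), "wb") as fh:
                fh.write(b"\0")  # file contents do not matter for a name check
        return scan_app_dir(game_dir)


if __name__ == "__main__":
    print("shadowed system DLLs:", demo())
```

The check only looks at names, so it reports the mixed-case “OpenGL32.dll” as readily as a lower-case one; comparing the file’s hash or signature against the copy in System32 would be the natural next step.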

Everything above is the quick solution. If you want to go further, you will need to do more research, such as:

  • Debug the game’s executable
  • Reverse the client data files
  • Write a proxy

Debug the game’s executable

To achieve this goal we will need OllyDbg. It will work most of the time, until you face a packed executable, in which case you won’t be able to understand anything. How do you know if it’s packed? Download PEiD and it will tell you which packer was used. Trace the routines back and forth; strcmp and strcpy routines are easy to recognize.
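PEiD recognizes packers by signature. A signature-free check that a defender or analyst can run on any binary is section entropy: compressed or encrypted code is close to 8 bits per byte, while ordinary machine code and data sit well below that. The script below is an added example, not code from this post or from PEiD; the 7.0-bit threshold is an assumption taken from common practice, and the two “sections” it classifies are constructed byte strings rather than real PE sections.

```python
"""Flag a probably packed executable by section entropy.

Added example, not from the original post. PACKED_THRESHOLD is an
assumption; the sample sections below are constructed, not real PE data.
"""
import hashlib
import math
from collections import Counter
from typing import Dict, Tuple

PACKED_THRESHOLD = 7.0  # bits per byte; assumption, tune per environment


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_packed(data: bytes, threshold: float = PACKED_THRESHOLD) -> bool:
    """True when the bytes are dense enough to be compressed or encrypted."""
    return shannon_entropy(data) >= threshold


def classify_sections(sections: Dict[str, bytes]) -> Dict[str, Tuple[float, bool]]:
    """Map each section name to (entropy rounded to 3 places, suspicious?)."""
    return {name: (round(shannon_entropy(blob), 3), looks_packed(blob))
            for name, blob in sections.items()}


def _pseudo_random(n: int, seed: bytes = b"bootdisk") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) so the example runs offline."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed samples standing in for section contents.
PLAIN_CODE = (b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57" * 40) + b"Hello, world!\0" * 20
PACKED_CODE = _pseudo_random(4096)
SECTIONS = {".text": PLAIN_CODE, ".packed": PACKED_CODE}


if __name__ == "__main__":
    for name, (entropy, suspicious) in classify_sections(SECTIONS).items():
        print(f"{name:8} entropy={entropy:.3f} packed={'yes' if suspicious else 'no'}")
```

Entropy is a hint, not proof: a section of embedded images or a large certificate table is also dense, and a packer can pad its output to lower the score, so treat a high value as a reason to look closer, in the same way PEiD’s answer is.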

Reverse the client data files

Recently I tried an MMO and its data files were scrambled. Scrambling is not the best option for hiding your files, as with minimal effort they can be reversed. Basically, most of the time they rely on a modified version of XOR encryption.
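To make concrete why an XOR scramble offers so little, here is an added example (not the MMO’s format or code) of the weakest case, a repeating-key XOR. Game data files almost always start with a fixed header, and a fixed header is known plaintext: XOR-ing it against the scrambled bytes yields the key, and the key length falls out by trying lengths until the derived key explains every known byte. The header, key and body below are constructed for this example.

```python
"""Why a repeating-key XOR 'scramble' is not protection.

Added example, not the game's format or code. MAGIC, KEY and BODY are
constructed for the demonstration.
"""
from itertools import cycle
from typing import Optional


def xor_scramble(data: bytes, key: bytes) -> bytes:
    """The 'scramble': XOR every byte with the key, repeating the key.

    XOR is its own inverse, so the same call unscrambles.
    """
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(scrambled: bytes, known_prefix: bytes, max_key_len: int = 32) -> Optional[bytes]:
    """Recover a repeating XOR key from known plaintext at the start of the file.

    For each candidate length L, derive key = scrambled[:L] XOR known[:L] and
    accept the smallest L whose key reproduces the whole known prefix. The
    known prefix must be longer than the key for the answer to be unique.
    Returns None if no length up to max_key_len is consistent.
    """
    n = len(known_prefix)
    for key_len in range(1, min(max_key_len, n) + 1):
        candidate = xor_scramble(scrambled[:key_len], known_prefix[:key_len])
        if xor_scramble(scrambled[:n], candidate) == known_prefix:
            return candidate
    return None


# Constructed sample file: a magic header every file of this type shares,
# a 4-byte scramble key, and some body text.
MAGIC = b"GAMEDATA\x01\x00"
KEY = bytes([0x5A, 0xA3, 0x17, 0xE9])
BODY = b"map=arena01;players=16;secret_flag=1"
PLAIN_FILE = MAGIC + BODY
SCRAMBLED_FILE = xor_scramble(PLAIN_FILE, KEY)


def demo():
    """Recover the key from the header alone, then unscramble the whole file."""
    key = recover_key(SCRAMBLED_FILE, MAGIC)
    return key, (xor_scramble(SCRAMBLED_FILE, key) if key else None)


if __name__ == "__main__":
    key, plain = demo()
    print("recovered key:", key.hex() if key else None)
    print("unscrambled  :", plain)
```

The recovered length is the key’s period, so a key like `\x41\x41` comes back as the equivalent one-byte key. A “modified” XOR (a key derived from the file name, a running counter mixed in) only moves the work from reading the header to reading the loader’s unscramble routine in a debugger, which is the author’s point: it is obfuscation, not encryption.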

Write a proxy

Writing a proxy isn’t that difficult, and it lets you take a look at your game’s packets. Proxies usually sit between the game server and the client itself. Many of the packets are encrypted, and in most cases there is a prior handshake in which the two sides exchange encryption keys.
