How Speedrunners Use Game Hacking Tools

How Speedrunners Use Game Hacking Tools


In this video I want to tell you about the
time splitter tools speedrunners are using to track their time and how this relates to
game hacking. But before, let’s play some more Pwn Adventure
3, because we need to learn about something first. In a previous video we were able to use the
tool Cheat Engine to find the variable of the selected skill in memory. But if tried this yourself you might have
run into an issue when you close and reopen the game. Because in that case Cheat Engine would just
show question marks. Or it might show random other values. This is because the data is not located at
the same address anymore. For example ASLR changes the addresses of
the memory regions. So how do we deal with that? Let’s attach Cheat Engine again to the game,
and throw away the current address list, because it will be useless. But now that we know the values of the skill
number variable, we can directly search for the value. So first slot selected would be a 0. We found 64million. Then let’s select the second slot. Search for value 1. 3300 possible values left. We can see that some values are already different
again, so we can just scan again for the 1. Switching to the third slot, so we search
for 2, One left! Okay… we found it again! This time we want to ensure that we find this
value every time when we restart the game. In theory the game itself has to know where
the value in memory is, right? We can again think about this from a programmers
point of view. There could be a global general game object. And that game object has maybe a reference
to the world object. And the world object has a reference to the
player. And the player then has the variable for the
slot number. And if you know somewhat how that is implemented
on the lower level, you know that objects are somewhere in memory, so they have an address. And their variables are located at some offset
from the start of the object. So basically you just have to always follow
those pointers and offsets until you reach the end. And of course, the awesome tool Cheat Engine
has a feature called “Pointer Scan” that can help you with that. So let’s do “a pointer scan for this address”. This is the address we want to get to. And then there are a lot of settings that
you can control when searching for these pointer/offset paths. We will leave it mostly at the default settings,
except that we change the restrictions for the base address. “Base address must be in specific range”. The base address is where the pointer chain
has to start. The root. The one fixed address. And with this setting we can define a range
where it has to be. From last video we know the code that accesses
this variable is from the GameLogic.dll. So it makes sense to guess that this .dll
maybe has some global variables pointing to some objects which we can use. So I looked at the memory map again to find
the rough memory range and add it there. Now let’s search. Depending on the size of the memory, this
can take a while. Fast forward, here we are. We found over 20000 possible pointer paths. And look at this one. Apparently at this address here, so from the
base address of the dll, we go up hex 0x97e48. There is some address, and when following
that address and go to the offset hex 0x110 there, we find the address (or pointer) to
our variable. We can also sort based on other columns here,
that helps us to discover other possible nice pointer paths. So we can add another possible path. Also do you notice how the last offset here
is hex 0x110? Remember when we looked at the assembly accessing
this slot id value, it was from offset hex 0x180 from ESI. and we had ESI assumed to
be the player class. So it’s a bit unexpected that we find here
addresses, where the slot id appears to be at the offset 0x110. But looking at the list you can also find
pointer paths where it has the expected offset hex 0x180. Because I trust the assembly offset a bit
more, than guesses by cheat engine, I decided to rescan the pointer list for pointers with
the last offset 0x180. This is very similar to how you scan for values
– now we just scan for better pointer paths. But let me show you how you can check if you
have reliable pointer paths or not… Let’s close the game! So now the process is gone and memory is of
course unknown. Then let’s start the game again. Login…. Select the character… and we are back… Attaching to the new game process – and we
want to keep the current address list. Now look at the address list. The hardcoded address now points somewhere
else in memory and there is a 0. We know that this would be wrong. The third pointer path also seems to point
into bad memory. So that one wasn’t reliable. But these two pointer paths here seem to successfully
point to somewhere with the value 2. And that looks correct, because we have selected
the 3rd slot. Let’s delete the wrong ones. It could also be a good idea to redo this
process of playing the game, closing it, restarting and so forth a few more times, just to be
sure that the pointer path is really 100% reliable. And if not, you redo the path scan and select
a different one. But why did we do this? What’s the purpose of the pointer path? Well, this is very useful for when we want
to write programs like trainers, bots or cheats. We can write code that gets the address of
the GameLogic.dll, and then follows that pointer chain to find the address of that value. Which you can then use to change it. The skill selection is maybe not the most
useful variable. But of course we can imagine that we find
a lot of other values like that. Maybe we could even find the address of the
position to teleport or move around. But that is something for another episode. I have a special idea for that. I want to talk about something else now. I know a lot of people don’t like cheaters
and maybe wonder why I would make a video like that. But I want to show you that this can also
be used for more productive things. Would you have guessed that these hacks are
used by speedrunners ALL THE TIME? Here is for example the current BioShock Infinite
World-Record speedrun by glurmo. And let’s look at the timer when the map
changes… it made a split and moved to the next one… So have you ever wondered how these automatic
time splitters from speedrunners work? They don’t seem to have to press a button
when they progress in the game, it seems to happen automatically. Let’s have a look at a tool called LiveSplit. LiveSplit is a timer program for speedrunners
that is both easy to use and full of features. It has this feature: Game Time is automatically
read directly from an emulator or PC game, and you can use it by switching to Game Time
under Compare Against. Do you have a guess how they might be able
to do that? Let’s checkout the Auto Splitter documentation: LiveSplit has integrated support for Auto
Splitters. An Auto Splitter can be one of the following: A Script written in the Auto Splitting Language
(ASL). A LiveSplit Component written in any .NET
compatible language. The Auto Splitting Language – ASL is small
scripting language made specifically for LiveSplit Auto Splitters. An ASL Script contains a State Descriptor
and multiple Actions which contain C# code. So what are State Descriptors? The State Descriptor is the most important
part of the script and describes which game process and which state of the game the script
is interested in. This is where all of the Pointer Paths, which
the Auto Splitter uses to read values from the game, are described. Pointer Paths!!!! We know pointer paths!!! And they are used here to read values from
the game. Like we read the selected skill number from
memory! Let’s read just a little bit further: The optional base module name BASE_MODULE
describes the name of the module the Pointer Path starts at. Every *.exe and *.dll file loaded into the
process has its own base address. Instead of specifying the base address of
the Pointer Path, you specify the base module and an offset from there. If this is not defined, it will default to
the main (.exe) module. This is exactly what we also figured out with
Cheat Engine. We have figured out a pointer path from the
GameLogic.dll as the base module, to the selected skill ID. Let’s look at an example .asl file. This is the file for Bioshock Infinite. Here is the state definition. And apparently from going from the base address
to hex 0x14154e8, and then following that pointer going to offset 4, we find a float
that contains information about the “map loading”! And the integer that tells you which map is
being loaded, needs apparently three offset. And you can see how those values are being
used. This is the function that checks if the timer
should be started, and it will check if the map is loading, and if the map that is being
loaded is number 15. Cool, right! This means LiveSplit is doing the same stuff
that also cheat tools are doing. They have to somehow interact with the game’s
memory. So here for example we have the ProcessExtensions
class. In here we can find a createThread function
which calls WinAPI.CreateRemoteThread. Let’s have a look into the Windows API documentation. Use the CreateRemoteThreadEx function to create
a thread that runs in the virtual address space of another process. Create a thread that runs in ANOTHER process. So this is a typical windows function that
you can use to inject and run your own code in a target process – in this case the game. This is exactly what you would do when you
want to write your own cheats. You write malicious cheat code that you run
in the context of the game’s process. If you browse a bit more around the sources,
you can also find other helpful functions like WriteDetour. The comment here says
// allocate memory to store the original src prologue, bytes we overwrite with jump to
destination, along with the jump back to source. So you can use this to overwrite part of the
game’s code, jump to your own code, and then jump back. This is also called a “hook” a function
“hook”. And that’s exactly the same kind of stuff
you would do for any kind of game hacking or cheating. I mean LiveSplit is literally game hacking. But it’s not only game hacking, this is
what also malware might use to hide it’s code, or steal data from a running program. And browsing a bit more you can even find
code that seems to hook keyboard presses in order to detect global keybord shortcuts,
probably for when you are in the game and want to interact with LiveSplit. But this could easily be changed to log keypresses
for a keylogger. You get the idea… Just to make it 100% clear, I’m not saying
LiveSplit is cheating or malware. I’m just saying that it uses the same programming
techniques. I think you can see that learning about game
hacking, reverse engineering and how the basics of cheating works, is useful! The cool thing is that game hacking can be
really fun. Because you play around with games. But the skills you learn are applicable in
many other areas as well. I hope this shows you how interconnected the
skills are. And how learning one topic can benefit you
somewhere else. And I also hope it shows you that some skills
that on the surface might seem only be useful for malicious purposes, be it online game
hacking or malware development. They can also be used for awesome useful tools
like LiveSplit. A tool that has probably had tremendous positive
impact on the joy of thousands of people. And I wouldn’t be surprised if the developers
of that tool haven’t had a history in game hacking themselves.

Related Posts

Review of the Thule Archway Trunk-Bike Racks on a 2015 Toyota RAV4 – etrailer.com

Today on our 2015 Toyota Rav-4, we're doing at test fit of the Thule Archway XT two-bike rack, part number
Billie Eilish Scares Her Fan Melissa McCarthy – EXTENDED
How to Track or Locate a Mobile on Google Maps ?

100 Replies to “How Speedrunners Use Game Hacking Tools”

  1. I have heard about something called signature / pattern scanning. Could you maybe explain what that is / cover it in a video?
    Love your channel btw, keep up the good work.

  2. but the detour stuff isnt exposed to the autosplitters, is it? And wouldnt reading the values from the game rather use ReadProcessMemory?

  3. The same method could also be used to add Discord Rich Presence (The thing that shows which level you are playing on) support to basically any game

  4. you could also rescan in the pointer scanner after restarting the game and instead of pointer scanning you can use the debugger to get all the addresses and offsets etc.

  5. You could also scan the Memory with a Signature how maybe the player obj might look like and get the addr from that. pow Mindblowing

  6. If anyone is interested in this stuff there are decent tutorials with pretty decent explanations(not just telling you what to do but why you’re doing it) on unknowncheats. Just google “unknowncheats coding” and you’ll find a bunch of useful stuff there. Have fun

  7. this still doesn't explain how people do this for games on original hardware like an NES
    they cannot pyshically change the cardridge, code, or the hardware of the NES (besides RGB Mods) because then it would not be original hardware

  8. It might also be useful for machine learning.
    Imagine you get values in memory, and use them as inputs to train your AI.
    Way better than just taking screenshots of the game and splitting it, etc

  9. Aside from Autosplitters, finding memory addresses can also be useful in Speedrunning for better understanding the game by watching values for things that aren't directly visible in the game. For example watching how exactly sprint stamina decreases/increases, how values related to glitches change or what affects experience points. Sometimes it can even be useful to actively change those values when testing or practicing the speedrun.

    Of course in actual speedruns (not testing/practice, but actually going for a time) most of these things are not allowed. Rules depend on the individual game community, however often only values that are already apparent from playing the game are allowed to be watched via third-party tools, like 100% Checklists automatically tracking completion of the game (which could also be done by checking stuff off on a piece of paper) or the mentioned Autosplitters. In some cases even these tools can be problematic, e.g. if an automatic split reveals some information about the game's state you wouldn't immediately know otherwise, but usually they are just a big help by not having to remember to press a split button all the time. Some communities allow additional information read from memory to be displayed (e.g. movement speed), some are a bit more strict.

  10. Unlike literally every YouTuber that exist, this channel is getting progressively better and not sucking the dick of the like button. For that I am very grateful

  11. I find the timing of this video amusing, as I've been working with livesplit-core and a PoC version of livesplit one desktop (all written in rust) to have working autosplitters on linux. I think the API still needs work to obtain feature parity, etc, but I've already been using it with Portal.

  12. Speedrunners borrow a lot more from the infosec community than just for creating autosplitters. Hell, there's a whole class of speedruns based around arbitrary code exploits. Although not for Windows specifically.

  13. Even when actually using Cheat Engine to cheat, discovering the pointer paths is very useful.

    I… may or may not have been using Cheat Engine to cheat in Maple Story when I was younger. (Don't judge)
    I had no idea how it works, I just downloaded a list of pointer paths with a nice description and there you go. (Typical script kiddie. Rather literally)
    Even if you use it for yourself (in single player games, of course), you probably don't want to rediscover the addresses every time. Gets tedious.

    On the topic of Maple Story, they ended up separating the European and US server due to so many European cheaters. I think people just didn't really report cheaters. I saw a cheater just slashing at the air and killing mobs, with normal players just standing there and complaining how unfair it is, but not reporting him. (Actually saying they don't want to report him)
    Meanwhile, I was watching this unfold from below the map… They couldn't have reported me if they wanted to, but for some reason they didn't even bother reporting that guy…

  14. I'm sitting here watching this video with my serious face pretending that I understand what I watch so my friends will be like wtf are you watching.

  15. There's also cool versions of auto splitting that works for consoles – it can either rely on a homebrew that reads RAM, or compares screenshots to the capture output

  16. Most Auto Splitters don't actually inject anything into the game. Instead they simply rely on ReadProcessMemory to follow the pointer paths.

  17. What is the best way to compile Cheat engine ones self because I want it but I do not Trust the Exe or the Creator for that matter so I would not only have to compile it myself but become familiar with what is a rather large codebase and know it inside out before deciding to use it before I can trust it. Can anyone recommend where to start because it is programmed in multiple languages and idk really how to handle the mess that is Cheat engine Github.

  18. This video has also helped me to understand how many glitches such as wrong warps in old games have been found! By exploring memory in ways like this, speedrunners can hunt for potential exploits to send them quickly towards the end of the game, even directly to the credits in some cases, if they can find a way to use in game techniques to change the right memory values.

  19. How about a structured video series from you, where you explain everything from the start of the goal "reverse eng.". Several hours, short and pregnant, but also repeating key elements to focus the memory on? Using and explaining several key programs also. Cheat Engine, Ghidra etc. Something like the 10hr C++ tutorial accumulated from 100 videos done on this topic. Made me remember what i read over a decade ago.

  20. That's really cool! So how would you go about searching for pointer paths from a programming language? I guess I can scavenge through LiveSplit's API

  21. I really like these series and I'm finally learning game hacking properly.
    Please keep making them! They're really usefull

  22. Really nice videos man! I also learn some basic reverse engineering and dll injections based on games. I would really appreciate if you show a video about calling functions and stacks. You can explain all stuff really well… Oh, btw I use a little bit different method to find pointers – firstly, I find out what writes to address and then substract the offset. After this, I search for the new address and it usually brings 1-5 results. Then you can try to see what accesses them and this could reveal the second offset. Then you can generate two pointer maps and compare them. As the last step, you can define the offsets and module base address. This makes the pointer scan much easier and usually brings within 100 results 😉

  23. Brilliant video! This was very well balanced between looking at code/tools and then showing WHY it mattered. Good job

  24. "Cheaters suck." Yes, in multiplayer games. In SP let people play however they want, and if they can hack the game themselves more power to them. It's not like this tutorial is useful to anyone who wants to hack MP games much.

  25. Man i didn't even realized until now , that game crackers , trainer writers had to do such an amount of smart work to make those hacks. Respect++

  26. Hi, could you check out the puzzle site ae27ff and maybe show us your thought process while solving? A livestream of this for example would be great!

  27. I've personally been using your videos to help me figure out and learn reverse engineering and hacking for speedrunning. It's nice to see this coming full circle and now the content I watch for speedrun game hacking is talking about game hacking for speedruns.

  28. very nicely made. when i was younger, i was in "warrock" game hacking scene. Maybe someone remembers ElitePVPers. I used the same methods. but sometimes you need to find some "injection methods" – luckily i wasnt the only dev, so i had some partners, who created injectors, which i was able to use, to modify memory data without getting cought from the anti cheat 😀 Oh this was an awesome time.

  29. Cool to see some of my work make it into a LiveOverflow video. I made the HRH mod(indicated by the gray hrh icon in the top left) and found some of the addresses for the auto splitter, specifically the overlays pointers. Funny thing, the loadingScreen pointer is actually pointing to the length of a string, not an id but hey it works.

  30. the offset from edi was indeed +0x180, but earlier on is the instruction "add edi -70", so that might change the offset to be +0x110. What do you think?

  31. You should also tell the people about actually reversing the code you found with the debugger instead of playing arround with cheat engine.
    IMO cheat engine is good for fast trial and error or testing, but actually reversing the code beats any tool – especially when updating the code on a new patch 😛

  32. Honestly, from clicking the video with just the knowledge of the title alone, I thought i was going to see an EZScape or Apollo Legend video.

  33. This is awesome! Computer science student here. Spend the last 2 days with Cheat Engine, Guided hacking and a lot of games 😀 So cool to look at your own programs from another perspective! Thanks @LiveOverflow

  34. It really does depend on the game. fortunately for us in the quake 2 speedrunning community. we just need to look for map name strings being loaded for individual segments. we also have an IGT plugin now which is a new feature of the most recent source port of q2 (q2pro) and thankfully one of our guys already did the work, so all we had to do was ask him for the addresses we needed to pull *accurate IGT from the game. cool video though. it's nice to see speedrunning getting a mention.

    You should check out TAS runs if you want a more technical challenge to break down.

    We fully abuse application logic in these runs (anything goes).

  35. I love how you basically figured out Livesplit without even downloading it. One common use for GlobalHotkeys is resetting btw. For Portal (which has a really awesome autosplitter), I used to have a reset hotkey that I had also bound in the game to close the current game session and delete my common quicksaves, so I could start a clean run, which I later also added to the bind ingame and the autosplitter picked up the map change and started livesplit's timer again

  36. It would've been great if you would've created a livesplit script for any game in this video, to show how to apply the knowledge first hand.

  37. It's almost as if Windows added these API's because they have valid use cases and not just for malware writers to use.

  38. Speedrunner also do other security related stuff and abuse mechanics. For example Zelda Speedrunner actively attacking the the memory allocator. They repeatedly leaking memory to get the heap increasingly fragmented until there isn't a contiguous region of memory large enough to load obstacles. The result is that some obsticals will not load and are not there and the Speedrunner can go faster! 😀 That's so f**** cool 😀 I love this stuff!

  39. I have a feeling that many MMO accessory tools are using the same tech. For example, in FF14 people use tools to track and broadcast hunting objects and team damage/tanking/healing stats. I don't think FF14 has built in API (e.g. WoW) or log (e.g. Elite: Dangerous) for that, so maybe they are just hooking to the process to do all the job.

  40. This episode was very enlightening, although I really had made the connection there. What interests me most (and what I learned) is this very interesting CreateRemoteThread function to spawn a thread inside another process? Can all OSes do that, is it a standard way to inject code into things, and why (or how) can/can't this be patched up by game anti-cheats? Thanks for the great video 🙂

  41. you should really try to avoid using the pointer scan… it's easier and smarter to find a pointer by attaching cheat engine's debugger. In this video you show that the code accessing this variable is mov[esi +180],edx. in this scenario its much smarter to now scan for the value stored in esi and continue this process until the register appears in static memory inside GameLogic.dll. doing this you can be absolutely certain that you have a correct path as you are accessing the variable in the same way the game is accessing it

  42. HEY LiveOverflow, LD_Preload can be done on windows with PYTHON with the module frida search for it https://www.frida.re/docs/javascript-api/#interceptor

  43. Hey LiveOverflow, could you make a video about the windows notepad attack vector?
    link of the news: theregister.co.uk/2019/08/13/windows_notepad_flaw/

Leave a Reply

Your email address will not be published. Required fields are marked *