In the previous article, I introduced the idea to hack games and create a simple hacking application. The problem in the previous article is that every time you enter the game, you have to use the Cheat Engine to find the address of blood and ammunition. In this article, I will show you how to create a better hack application that can be taken anywhere.
If you want to try the hacked version to verify, you can download Half Life 1.6 here and download the hack you’ve created here with the unzipped pass codelearn.io
Note: first enter the game then enable hacking.
Video detailed instructions on how to hack here.
Dynamic address and static address.
For simplicity I will call a variable with a dynamic address as a dynamic variable, a variable with a static address is a static variable.
Dynamic variables are variables that always change their address when entering the game, specifically the blood variable, so using a dynamic variable to hack is not a good idea, you must use the Cheat Engine to find it every time you visit. game.
The static variable is a variable whose address does not change even when you exit the game or bring it to another device, so if you find a static pointer variable pointing to the blood variable, you will create a hack application. Can be taken anywhere.
At this point many of you think “Oh, it’s clear that the address of the variable is always different each time”, this is true but I will explain why I say the address of the static variable does not change later.
In code, the static variables are global variables or variables declared with the static keyword and dynamic variables are local variables (variables set in functions) …
In summary, the goal of this article will be to find the static variable pointing to the blood variable and perform a blood hack through this static variable.
Find the static variable that points to the blood variable.
Find the address of the blood transfusion (same as in the previous article I did).
Find variables pointing to blood transfusion.
The problem is that in the newly found variables there is both a dynamic variable (the cursor declared in the function) and the variable does not always point to a blood variable (you just randomly detect it when it is pointing to a blood variable. ). Therefore you need to remove these unwanted variables:
Remove the dynamic variable by exiting the game back and forth, then check to see if the variable no longer points to the blood variable, then remove that variable. To get rid of pointers that do not always point to blood transfusions, you can play and observe whether it always points to the blood variable. You should play on more game modes to make sure (try to shoot with bots, try changing from robbers to police …). Perform a static variable search using the Cheat Engine (you can see in the video): Find the address of the blood variable (same as in the previous lesson).
Right-click on the blood transfusion address and select Pointer scan for this address as shown in the picture.
A new window appears, this is a window to help you find which pointers are pointing to the blood transfusion. In this window to max level = 1 and click ok (max level = 1 is equivalent to finding the pointer directly to the cell containing the blood variable, I have tried and found that searching with a higher max level is not necessary) .
After clicking ok, a new window will appear to catch save, you can save anywhere and this is the result after running.
It can be seen that there are 5 pointers pointing to the blood transfusion (there are not always 5 pointers to the blood variable). The base address column is the column that stores the address of the static variable, you will see it has the form “hw.dll” + 1 hex number. If it is a static variable to look for, this hex number will be the same at all runs and on different machines. Therefore, the address of the static variable will not change compared to a base address, so at first I said that the address of the static variable is always unchanged. The base address in this case is the address of the “hw.dll” module, you can call the function to get the address of this module. Now we need to remove the dynamic and static variables that don’t always point to the blood variable by saving these 5 addresses in the address list and observing + restarting the game (you can see in the video specifically) . I finally got the static variable address.
The static variable address to retrieve is “hw.dll” + 0x00809820. This address will point to 0x10330758. Note 0x10330758 is not the address of the blood variable, the variable’s address will always be equal to the address that the static variable points to (0x10330758) + 0x504. To understand digital son 0x504 you can see the following code:
The newly found static variable is the pointer variable p1, which is not directly to the blood variable but to the heap memory where the player information is stored. The variable address will be located at a constant distance from the device where p1 is pointing to, called offset. In the above code offset will be 0x08 while the offset in the game Half Life I just found is 0x504. So health_address = p1 + 0x504. => Delete Cheat Engine gone. At this point, you can see that the static variable p1 does not directly refer to the blood variable, but to the cell where the variable is located. Above I said to find the static variables pointing to the blood variable just to make it easy for you to imagine, but that is not very standard. See the source code to better understand (if this source reports an error on your computer, you can use other sources here:)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 | #include <Windows.h> #include <iostream> #include <vector> #include <TlHelp32.h> #include <tchar.h> using namespace std; // Hàm lấy địa chỉ của module "hw.dll" DWORD getModuleBaseAddress(TCHAR* moduleName, DWORD pid) { DWORD moduleBaseAddress = 0; HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, pid); MODULEENTRY32 modEntry; modEntry.dwSize = sizeof(MODULEENTRY32); if (Module32First(hSnap, &modEntry)) { do { if (_tcscmp(modEntry.szModule, moduleName) == 0) { moduleBaseAddress = (DWORD)modEntry.modBaseAddr; break; } } while (Module32Next(hSnap, &modEntry)); } CloseHandle(hSnap); return moduleBaseAddress; } int main() { // Lấy process id thay vì phải làm thủ công như lần trước DWORD pid; HWND hGameWindow = FindWindow(NULL, "Counter-Strike"); GetWindowThreadProcessId(hGameWindow, &pid); HANDLE pHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid); // Tính địa chỉ của biến máu DWORD baseAddress; char moduleName[] = "hw.dll"; DWORD moduleAddress = getModuleBaseAddress(moduleName, pid); // 0x00809820 chính là offset tìm được bằng Cheat Engine if (!ReadProcessMemory(pHandle, (LPVOID)(moduleAddress + 0x00809820), &baseAddress, sizeof(baseAddress), NULL)) { cout << "Couldn't read process memory"; return -1; } // 0x504 chính là offset tìm được bằng Cheat Engine DWORD healthAddress = baseAddress + 0x504; cout << "Static address:" << (moduleAddress + 0x00809820) << endl; cout << "Base address:" << baseAddress << endl; cout <<"Health address: " << healthAddress << endl; float newHealth = 100000; while (true) { if (!WriteProcessMemory(pHandle, (LPVOID)(healthAddress), &newHealth, sizeof(newHealth), 0)) { cout << "Couldn't write process memory"<<endl; } Sleep(500); } } |
This code has some new functions compared to the previous one:
getModuleBaseAddress is a function that takes module “hw.dll”.
FindWindow and GetWindowThreadProcessId are two functions used to get process id.
ReadProcessMemory is the function that takes the address that the static variable is pointing to (more generally, this function is the function that takes the value of a memory cell).
Enter the game and test this code, if you do not report any errors, you have successfully hacked.
Conclusion
It can be seen that creating global and static variables makes your application hacked more often, but if you only use local variables, creating an application will be more difficult.
We hope to receive suggestions from you. Article Source: Part 1: https://codelearn.io/blog/view/hack-game-half-life-voi-c Part 2: https://codelearn.io/blog/view/phan-2-hack -game-half-life-with-c