Memory Hacking Software

[Felheart]

Hi everyone,
does someone know how timers in games are usually made?
Are they float or double? or even unsigned int?
And is it even possible to hack a game that uses "static timers"
By static timers i mean, they save for example a unit that has a limited life-time, and now the game saves just "Now+30seconds".
So the game kills the unit after that point in time has passed.
I don't think this is possible to hack, because you never know the exact value.

[mc.flash]

u can try search as unkown um and try float in the 1st place
and when it be decreased search for decreased that might help
or try to search for unsigned long actuly u should give it a try

[L. Spiro]

You can not search for that type of timer.

There are many ways games can store timers. Some use separate threads. Some store the end time and check the current time against it every frame.
Some use the system timers. Some use time remaining and decrease it until it reaches 0.

There are also custom time-tracking functions that use the system time once per frame only to get the time that has past since the last frame, then update their own timer trackers accordingly. This is usually accompanied with a virtual time system that they can pause and unpause at will. These time trackers simply accumulate passed time up to infinity. And these time trackers will be used to see if the time-out period for custom timers has expired.


In order to get anywhere you are going to need to see which type of timer they are using.
Hook the Windows® functions to see if they are using the Windows® timers.
You can also use the Speed Hack. If the game slows down, but timers still fire at the correct times, then they are using Windows® timers.

Once you find out they are not using the Windows® timers, you need to hook timeGetTime(), GetTickCount(), and QueryPerformanceCounter() to see when the game calls them and where it stores their results.

Using this information you can easily find what accesses those locations and see when and where time values are compared against other values, which will indicate when timers are being checked.


L. Spiro

[Felheart]

Cool thanks for the info, i will try that.
What do you mean (wich function or class) by windows timers? Sleep(); ?

Edit: Never mind.
I've done as you told. Windows Timers are not used.
I break-pointed GetTickCount(), it caused the game to stop. I quickly toggled it off, and resumed the game, because it crashes after being suspended for too long.

What should I do next? Hook it? with what function?
How do I know which ASM codes called the function after hooking / breaking?

[spunge]

They might be using rdtsc or rdtscp as well. The way to find the callee, is to check ESP, which will hold the EIP for returning the call. Whenever something is called, EIP is pushed onto the stack. Therefore, at the beginning of your hook function, you can log [ESP]. It actually doesn't matter where you read the EIP so long as you accomadate for stack modifications.

[Felheart]

EDIT: poster aboved edited... nvm

[spunge]

Hooking RDTSC would require you to write a kernelmode driver which disables the use of RDTSC as well as handling the exception that is generated when RDTSC is executed.

Like I said before, to find the callee you must hook the api and read ESP.

Here is an example:

Code: Select all

kernel32!GetTickCount:
  mov    edi, edi
  push   ebp
  mov    ebp, esp
_afterhook:

Place your hook:

Code: Select all

kernel32!GetTickCount:
  jmp    _hooklocation

Your hook:

Code: Select all

_hooklocation:
  mov    dword ptr ds:[dwEIP], esp
  push   ebp
  mov    ebp, esp
  push   eax
  mov    eax, dword ptr ds:[dwEIP]
  mov    eax, [eax]
  mov    dword ptr ds:[dwEIP], eax
  pop    eax
  jmp    _afterhook

dwEIP will now hold the address of the instruction that has called GetTickCount. Now, this method will not be accurate if there are multiple callers. You'd need to implement an array for dwEIP, and use an index to place new call locations into the array. It's also up to you to reverse engineer whether or not the code is being used as a timer. The easiest way to tell if its a timer is to check if a delta calculation is being executed.

[Felheart]

I breakpointed GetTickCount() and watched the registers...
ESP is always 0017F884.
I don't think this location points to some real code, because when viewed in the Disassambler, it doesn't make sense.
It looks like "disassambled data", not code!!

And I don't think I'am ready yet to programm something like a kernel-driver.
Isn't there an easier way to figure out the calling function?
I will try to see that results the breakpointing of timeGetTime() and QueryPerformanceCounter() brings up.

L.Spiro said when the events still fire at the right times, they are using Windows Timers, but they are not fireing at the right times. So they must
be using those time functions mentioned above, or in the worst case, RDTSC.

[spunge]

No, I'm telling you to look inside esp. What you want is the value of esp, otherwise known as [ESP]. ESP points to the top of the stack, which is a memory location, what you want to find is what's inside that memory location.

[Felheart]

Ohhh, so Iam not supposed to log all values from ESP because it
is like a constant pointer to the beginning of the stack...
But wait, wouldn't it be easier to just single step through all calls, and
keep an eye on the Stack-Tab?

edit: ok, GetTickCount() is only used by nvd3dum.dll and fraps.dll.
As long as it isn't used by game.dat it has nothing to do with the timers
i'am looking for, isn't it?
edit2:
QueryPerformanceCounter() is just used by MSS32.dll and ntdll.

There is nothing left but Sleep(), I'am going to try that one now...
edit3:
This is stange, Sleep() is just called once per frame (due to the frame limit in the game?).
But I don't know wich address it is jumping back to.
Here's a pic from the stack view:


What is the calling code now??
The values at the two blue and the orange highlighted adresses are
401C46, 413866, and 40FEC4 (the value of ESP as it tells me).
3 addresses, I'am really confused now

edit4:
and by the way, why does the game crash when i remove breakpoints?
disabling is ok, but removing crashes all the time...
also resuming autohack seems to crash it once breakpoints were set.

[spunge]

You forgot winmm!timeGetTime. 00413866h, is your calling address. Whenever you step into a call the top of the stack will hold your calling address.

Honestly, I don't know about the innerworkings about MHS, so you'll have to wait for someone else to come. If anything, it sounds like anti-debugging techniques.

[Felheart]

game.dat->winmm.dll->timeGetTime()
Only callers are NTDLL and mss32 again like at QueryPerformanceCounter()
Is it even possible for a game not to work with one of these functions?
I mean, they can't just rely on RDTSC can they?
There must be something Iam missing, otherwise that means the game
always runs at full speed, only limited by the renderer and it's Sleep() calls.
But I noticed, at the beginning of the game you can adjust the speed.
Lower speed means also lower FPS, and the cooldowns for abilitys and the upgrade speed also decreases. So they really migth just use Sleep().

[L. Spiro]

If the Speed Hack slows down the game then the game is using of those 3 functions.

But there are probably anti-cheat functions, and it may be using a copy of the function rather than the function itself.

Try GetThreadTimes() (unlikely).


L. Spiro

[Felheart]

The GetThreadTimes() function is not listed in game.dat->kernel32.dll->
Does this mean the game is never using it?

The only function wich is used by some code from game.dat is Sleep()
the others are all from ntdll, fraps.dll and mss32.dll.

But I will check the others again...

[spunge]

Just because an API is not imported, does not mean it isn't in use. The game could manually load a library, and then process it through GetProcAddress, or a similar function that is designed to parse the PE header of the DLL.