Sep 11, 2023
Advanced Techniques in Game-Hacking Communities
Game hacking communities have a history of adopting methods that are discovered in the field before security industry research is published. The adoption of automated binary analysis for identifying critical areas has been gradual despite the potential advantages. Because of its complicated nature, some people could consider it overkill, which is even beyond what is listed in this DirectX11 tutorial.
The community generally favors AOBs because of their simplicity, but experienced modders may find binary analysis to be a useful tool in their toolbox, especially if they’re dealing with a game engine that’s popular or if the game is constantly updated and more reliable techniques are required to find regions of interest. Today, we’ll be exploring some advanced, powerful game hacking techniques in the world.
Emulation
When considering emulation, the first thing that typically springs to mind is using a virtual machine to run software or a program to simulate a gaming console. Emulation, however, can also be used to execute a function in a regulated setting and watch how it behaves. When dealing with functions that are difficult to analyze statically, this technique is quite helpful.
We can imitate the function (or group of instructions) and watch its behavior given an anchor instruction to start from (this presupposes you know how to find this instruction in the first place, for example, through an AOB or string reference lookup, even the program’s initial point).
Along the way, we can keep an eye out for function calls to relevant other functions, specific memory operations (like accesses to global variables), specific values in registers, accesses into structures to find specific field offsets, or we can simply follow the general flow of data.
Symbolic Execution
Emulation and symbolic execution both run a function in a predetermined context. Instead of actually running the function, though, it examines its code and creates a set of constraints that accurately captures its behavior. This specific tactic is not employed here, but it is nonetheless important to note.
The most basic illustration I can offer here is that symbolic execution can determine which inputs can lead a particular function or program to arrive at a particular instruction. For instance, product key activation features, where you may determine which key will cause the software to believe it is legitimate. The addition to static analysis to investigate all paths is the only method we do that is similar to this.
Analysis of Data Flow
The process of monitoring a program’s data flow is known as data flow analysis. This method is frequently applied in the security sector to monitor user input and spot potential weaknesses. However, it can also be used to monitor the data flow within a program and spot particular actions or useful functionalities.
In this particular situation, we can “taint” a register or memory address with a magic number and monitor its flow throughout the code using emulation, provided an anchor point (such as a function or instruction). There are several uses for this, including:
Verification of behavior:
- We can confirm that the section of code writes to memory if the taint value flows into a memory write (direct or indirect), if that’s what we were searching for.
- We can confirm that a function returns a value in the RAX register, for instance, if the taint flows there after a function call.
Finding global variables in a particular manner:
- Using the prior example as a guide, we can presume that the target global variable we were seeking is the one to which the taint value (from RAX) passes.
- As the analysis will only follow the flow of the taint value, which could be anywhere after the first seen memory write to a global variable, this is considerably different from simply running a disassembly or emulation and looking for the first memory write to a global variable.
For data flow and/or taint analysis, the same libraries that are used for emulation can be applied.
More Details