Auxiliary scoreboard reads status directly from memory

[StaticChanger] built a scoreboard to display his kill statistics from Halo for the PC. Yes, we’ve seen kill counters before, but we like the way that he gathers the data. This project is reading the score directly from an address in memory.

Cheat Engine lets you scan the memory used by a running program; after a few passes it helps you narrow the search down to a static memory address for the value you want. Once you have that address, it's just a matter of reading through a pointer to it from your programming language of choice. In this case a C# program polls the value and instructs an Arduino to show it on a couple of 7-segment displays. Voila, the number appears next to your screen, as you can see in the image above.

Comments

  1. Ploogle says:

    I can see this not working well with Steam games. I’ll wager that it’ll raise all kinds of flags with your account if it detects something like “Cheat Engine” running alongside your multiplayer game…

  2. Mike says:

    Interesting project. A few things I wonder:

    1. How often do the memory address locations change? On newer games, I’d think this happens more frequently to prevent cheating.

    1a. Halo is a console port. Would that mean its memory locations are, by nature, more static?

    2. Also regarding cheating, would some anti-cheat measures notice you’re running a program that checks specific addresses? I don’t really know how deeply the anti-cheat software checks for things like this.

    3. What happens when you’re not playing Halo? Random segments lit as random data passes through that memory location?

  3. Mike says:

    Ploogle: As I understood the article, he was running Cheat Engine just to GET the address, then using his custom program to READ the address.

    Though I wondered the same. It’d be pretty risky running Cheat Engine while running a Valve game, risking a ban.

  4. Ploogle says:

    The easiest way would be for Steamworks to expand the API to allow desktop clients to glean certain bits of information from games (scores, etc) made available by the game developers.

  5. Franklyn says:

    So does he have to run Cheat Engine every time?

  6. Spork says:

    If I may add my $0.02,
    1) Cheat Engine is just a memory search/comparison program. It is not necessary; it's just what he used. I wrote my own while I was in college.
    2) Dynamic memory locations are easy to account for. There is usually a pointer at a specific offset that is itself static, which holds the address of the value you are trying to find. Instead of reading straight from a dynamic address, you read an address from the pointer, then read the value at that address.
    3) When reading memory, you ALWAYS ALWAYS ALWAYS use the window handle or process address. If your stats are not available you have a few choices. You can set NULL values, you can freeze the last known values, or you can set an error state.

    @Ploogle,
    I do not think that game devs will implement something like this for security reasons.

  7. Danukeru says:

    @Ploogle
    On private servers using Metamod Source, you can easily collect these stats. MMS sits between the source engine and the game specific logic, and lets you hook virtual table calls for access to server internals.

  8. Danukeru says:

    @Spork
    I’m assuming you’re just using Cheat Engine to get the address and then calling ReadProcessMemory() in your C# coded application afterwards?

  9. nimrod says:

    That topic is cheap. I cannot even see a point in that project. Where is the challenge?

  10. Spork says:

    @Danukeru
    Exactly the right idea. Though I don’t use Cheat Engine or C#.
    Basically, Cheat Engine is an easier method than using a debugger and figuring out what is actually happening in the code. What the application is doing is dumping the process from RAM to a file so you can search for a value, then repeating and seeing which values change to get a specific address. Once you have a dynamic address, you find the static pointer and do something like:
    ReadProcessMemory(ReadProcessMemory(Pointer));
    Where the first RPM is to get the dynamic address (byte) and the second is to get the actual values. Normally you just need one of the values (for instance kills) and then extrapolate where the other values are based on structs used in the code. Kills and deaths are usually one byte apart in my experience.

    @nimrod
    I don’t think it’s supposed to be a challenge. Consider that it may have been a great learning experience or even just a fun app to have when the author was finished.
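As an added illustration of what the article describes and of Spork's pointer-chain explanation above (my own example, not the project's C# and not code posted in the thread): a poller opens the game with read-only access, resolves a static pointer chain one hop at a time, and holds the last good reading when a read fails, so the display never shows whatever random bytes happen to sit at the address. The process name `halo`, the module offset and the chain offsets are placeholders for values a scanner session would produce, and it assumes a 32-bit game, so each pointer is 4 bytes.

```csharp
using System;
using System.Runtime.InteropServices;
// Added example, not the project's code: open the game read-only, follow a static pointer chain of the
// kind a scanner turns up, poll the final 32-bit value. Assumes a 32-bit game; name and offsets are placeholders.
static class ScorePoller
{
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(int access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool ReadProcessMemory(IntPtr h, IntPtr addr, byte[] buf, int size, out IntPtr read);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr h);
    // One 32-bit read; false (never a fake 0) on a failed or short read, so the caller can hold the last value.
    static bool ReadUInt32(IntPtr h, long addr, out uint value)
    {
        var buf = new byte[4];
        bool ok = ReadProcessMemory(h, new IntPtr(addr), buf, 4, out IntPtr n) && n.ToInt64() == 4;
        value = ok ? BitConverter.ToUInt32(buf, 0) : 0;
        return ok;
    }
    // Resolves [[[module + offs[0]] + offs[1]] + ...]: every hop but the last yields a pointer.
    static bool ReadThroughChain(IntPtr h, long moduleBase, int[] offs, out uint value)
    {
        value = 0;
        long addr = moduleBase;
        for (int i = 0; i < offs.Length; i++)
        {
            if (!ReadUInt32(h, addr + offs[i], out value)) return false;
            addr = value; // intermediate hop: the word just read is the next address
        }
        return offs.Length > 0;
    }
    static void Main()
    {
        var procs = System.Diagnostics.Process.GetProcessesByName("halo"); // placeholder process name
        if (procs.Length == 0) { Console.WriteLine("game not running"); return; }
        // PROCESS_QUERY_INFORMATION | PROCESS_VM_READ only: the poller never asks for write access
        IntPtr h = OpenProcess(0x0400 | 0x0010, false, procs[0].Id);
        if (h == IntPtr.Zero) { Console.WriteLine("OpenProcess failed: " + Marshal.GetLastWin32Error()); return; }
        int[] chain = { 0x3A5C, 0x10, 0x1C }; // placeholder offsets from a scanner session
        long baseAddr = procs[0].MainModule.BaseAddress.ToInt64();
        for (uint last = 0; !procs[0].HasExited; System.Threading.Thread.Sleep(250))
        {
            if (!ReadThroughChain(h, baseAddr, chain, out uint kills)) Console.WriteLine("read failed, holding " + last);
            else if (kills != last) { Console.WriteLine("kills=" + kills); last = kills; } // project: send digits to Arduino
        }
        CloseHandle(h);
    }
}
```

The console output stands in for the serial write to the Arduino; the bytes-read check is what keeps a loading screen or menu from lighting random segments.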

  11. M72 says:

    So yeah, all the little groups of game modders and hackers have done this same thing since the early 90’s at the very least.

    I really don’t see how this is either challenging or interesting. But hey, I guess another article on this won’t end the world as we know it.

  12. Zencyde says:

    Oh, nifty. I’ve found it’s always easy to isolate the right value/values after a few passthroughs of separate values. This procedure is used by ArtMoney to whittle down a value and then lock a new one in place. I appreciate the simplicity of reading out of RAM. :)

  13. edward.81 says:

    Mumble (similar to TeamSpeak) reads memory addresses of games (like TF2) to get the 3D audio position. So no VAC ban if you only read.

  14. CutThroughStuffGuy says:

    “The easiest way would be for Steamworks to expand the API to allow desktop clients to glean certain bits of information from games (scores, etc) made available by the game developers.”

    That requires Steamworks to actually implement an API for EVERY value you care about, lest it not work.

  15. moo says:

    Cheat Engine is like MHS; they both let you find the pointers, and they are both designed so that you can edit or freeze values, for example ammo, health, etc. Sort of an easy way to make trainers for any game you have.

  16. renter says:

    Somebody should write a program that allows you to punch in a cheat engine address code and change it at will.

  17. Frogz says:

    …renter…
    It’s called Cheat Engine…
    or TSearch
    or any other memory editor.
    THAT’S THE WHOLE POINT OF THEM.

  18. Spork says:

    @renter
    You can make one in about 5 min with visual basic.
    Just make an input box and do the following when a button is pressed.
    WriteProcessMemory procHandle, *myAddress, *myData , length, *error
    Where error is the number of bytes written, if it’s zero you really do have an error.

  19. Spork says:

    Note VB is not my language of choice.

    @Frogz
    You miss the point that tsearch, CE (Cheat Engine), moneytree, MHS (Memory Hacking Software) are all “detected” by anti-hack software. So if he writes his own, or someone writes him a piece of software to simply write to memory, he can cheat on multiplayer games.

  20. Danukeru says:

    @Spork
    If you limit the anti-cheat software’s privileges and run Cheat Engine at a higher privilege setting, or with the soft in software as a child process, you can effectively thwart the anti-cheat anyways.

    Also under Windows with Detours you can hook their system calls when they want to read the current running process list for instance of Cheat Engine…feed it what it wants to read.

    Then again I just have experience tip toeing around Warden in WoW.

  21. cde says:

    Don’t most detection systems look for modifications of memory based on invalid checksums and duplicated memory spaces?

    I.e., don’t change the values, and it doesn’t care?

  22. Whatnot says:

    From my experience, Valve is actually constantly moving in the opposite direction from helping with such things as showing scores and info, locking down more and more things and making them unavailable. I guess it’s a reaction to the desperation they experienced while fighting cheaters, but it’s a pity they don’t get that there are people who aren’t lame too, who like to tinker without cheating.

  23. Spork says:

    @Danukeru
    This is true in some cases, like WoW apparently, but there are exceptions.

    For instance, some require you to have admin privileges to run. (i.e. games that have an updater built in to the main game require admin to overwrite files)

    Then you have wonderful Micro$oft who makes it easy to see which processes are running and their windows regardless of user privileges.

    @cde
    Yes, they are called sanity checks, but game devs usually don’t even want you reading and will kill your program if it’s even accessing their program’s memory space.

  24. aimbotwriter says:

    @Spork

    There’s a bypass for everything. Run the game under a virtual machine, read the virtual machine values, and then voila! Free access to your game’s memory without it knowing. I worked on a Counter-Strike: Source aimbot for a while that worked that way. Never got VAC banned, because polling the mouse and key inputs is done by the OS, not the game. Never really took off though; no one liked having to install VMware Player to use it.

  25. Pup says:

    @Whatnot

    Freedom vs security. It’s pretty much the same as society. Sure, freedom is good, but there’s always dicks that ruin it for everyone else, validating the need for priority over security.

  26. Just to clarify, Cheat Engine (or ArtMoney) is only used in the development process, not when the actual game is running. The program is only reading from memory, not writing, so it’s not being picked up as a cheat (unless of course you modify it too). The problem with memory writing as cheating is that most games host all information on the server, so even though it may appear you’re exploiting, it only appears that way, because the info is never sent out to other clients. Aside from all that, this doesn’t have to be used in games. What other information could be useful when extracted from a program?

  27. Spork says:

    @aimbotwriter
    You’re right, but things like Themida do detect VMs. I think the best way to attack game protection is through obscurity.

  28. michael says:

    It’s fairly trivial to do this stuff with Source (and possibly Halo as well). A lot of servers talk GameSpy query protocol, which is a “standard” way to glean this sort of information.
