Auxiliary Scoreboard Reads Status Directly From Memory

[StaticChanger] built a scoreboard to display his kill statistics from Halo for the PC. Yes, we’ve seen kill counters before, but we like the way that he gathers the data. This project is reading the score directly from an address in memory.

Using a program called Cheat Engine, the memory used by a program can be sniffed. After a few passes, the program will help you find a static memory address for your desired data. Once you have that it’s just a matter of using a pointer to that address in your desired programming language. In this case, a C# program polls the value and instructs an Arduino to display the value on a couple of 7-segment displays. Voila, the number appears next to your screen as you see in the image above.

28 thoughts on “Auxiliary Scoreboard Reads Status Directly From Memory

  1. Interesting project. A few things I wonder:

    1. How often do the memory address locations change? On newer games, I’d think this happens more frequently to prevent cheating.

    1a. Halo is a console port. Would that mean its memory locations are, by nature, more static?

    2. Also regarding cheating, would some anti-cheat measures notice you’re running a program that checks specific addresses? I don’t really know how deeply the anti-cheat software checks for things like this.

    3. What happens when you’re not playing Halo? Random segments lit as random data passes through that memory location?

  2. Ploogle: As I understood the article, he was running Cheat Engine just to GET the address, then using his custom program to READ the address.

    Though I wondered the same. It’d be pretty risky running Cheat Engine while running a Valve game, risking a ban.

  3. If I may add my $0.02,
    1)Cheat Engine is just a memory search/comparison program, it is not necessary, it’s just what he used. I wrote my own while I was in college.
    2)Dynamic memory locations are easy to account for. There is usually a pointer at a specific offset that is itself static, which holds the address of the value you are trying to find. Instead of reading straight from a dynamic address, you read an address from the pointer, then read the value of that address.
    3)When reading memory, you ALWAYS ALWAYS ALWAYS use window handle or process address. If your stats are not available you have a few choices. You can set NULL values, you can freeze the last known values, or you can set an error state.

    @Ploogle,
    I do not think that game dev’s will implement something like this for security reasons.

  4. @Ploogle
    On private servers using Metamod Source, you can easily collect these stats. MMS sits between the source engine and the game specific logic, and lets you hook virtual table calls for access to server internals.

  5. @Danukeru
    Exactly the right idea. Though I don’t use Cheat Engine or C#.
    Basically, Cheat Engine is an easier method than using a debugger and figuring out what is actually happening in the code. What the application is doing is dumping the process from RAM to a file so you can search for a value, then repeating and seeing which values change to get a specific address. Once you have a dynamic address, you find the static pointer and do something like:
    ReadProcessMemory(ReadProcessMemory(Pointer));
    Where the first RPM is to get the dynamic address (byte) and the second is to get the actual values. Normally you just need one of the values (for instance kills) and then extrapolate where the other values are based on structs used in the code. Kills and deaths are usually one byte apart in my experience.

    @nimrod
    I don’t think it’s supposed to be a challenge. Consider that it may have been a great learning experience or even just a fun app. to have when the author was finished.

  6. So yeah, all the little groups of game modders and hackers have done this same thing since the early 90’s at the very least.

    I really don’t see how this is either challenging or interesting. But hey, I guess another article on this won’t end the world as we know it.

  7. Oh, nifty. I’ve found it’s always easy to isolate the right value/values after a few passthroughs of separate values. This procedure is used by ArtMoney to widdle down a value and then lock a new one in place. I appreciate the simplicity of reading out of RAM. :)

  8. “The easiest way would be for Steamworks to expand the API to allow desktop clients to glean certain bits of information from games (scores, etc) made available by the game developers.”

    That requires Steamworks to actually implement an API for EVERY value you care about, lest it not work.

  9. Cheat Engine is like MHS they both let u find the pointers, they are both designed so that u can edit freezes the values examples are ammo health etc. Sorta a easy way to make trainers for any game u have.

  10. @renter
    You can make one in about 5 min with visual basic.
    Just make an input box and do the following when a button is pressed.
    WriteProcessMemory procHandle, *myAddress, *myData , length, *error
    Where error is the number of bytes written, if it’s zero you really do have an error.

  11. Note VB is not my language of choice.

    @Frogz
    You miss the point that tsearch, CE (Cheat Engine), moneytree, MHS (Memory Hacking Software) are all “detected” by anti-hack software. So if he writes his own, or someone writes him a piece of software to simply write to memory, he can cheat on multiplayer games.

  12. @Spork
    If you limit the anti-cheat softwares privileges and run Cheat Engine at a higher privilege setting, or with the soft in software as a child process, you can effectively thwart the anti-cheat anyways.

    Also under Windows with Detours you can hook their system calls when they want to read the current running process list for instance of Cheat Engine…feed it what it wants to read.

    Then again I just have experience tip toeing around Warden in WoW.

  13. Valve is actually constantly moving in the opposite direction from helping with such things as showing scores and info by making more and more things locked down and unavailable from my experiences, I guess as a reaction on their desperation experienced during fighting cheaters, but it’s a pity that they don’t get that there are people that aren’t lame too but who do like to tinker without cheating.

  14. @Danukeru
    This is true in some cases, like WoW apparently, but there are exceptions.

    For instance, some require you to have admin privileges to run. (i.e. games that have an updater built in to the main game require admin to overwrite files)

    Then you have wonderful Micro$oft who makes it easy to see which processes are running and their windows regardless of user privileges.

    @cde
    Yes, they are called sanity checks, but game dev’s usually don’t even want you reading and will kill your program if it’s even accessing their program’s memory space.

  15. @Spork

    there’s a bypass for everything. Run the game under a virtual machine, read the virtual machine values, and then voila! free access to your games memory without it knowing. i worked on a counter strike source aimbot for a while that worked that way. never got vac banned, because polling the mouse and key inputs is done by the os, not the game. Never really took off though, no-one liked having to install vmplayer to use it.

  16. @Whatnot

    Freedom vs security. It’s pretty much the same as society. Sure, freedom is good, but there’s always dicks that ruin it for everyone else, validating the need for priority over security.

  17. Just to clarify, CheatEngine (or artmoney) is only used in the development process not when the actual game is running. The program is only reading from memory, not writing, so its not being picked up as a cheat (unless of course you modify it too). The problem with memory writing as cheating is that most games host all information on the server, so even though it may appear your exploiting, it only appears that way, because the info is never sent out to other clients. Aside from all that, this doesn’t have to be used in games. What other information could be useful when extracted from a program?

  18. It’s fairly trivial to do this stuff with Source (and possibly Halo as well). A lot of servers talk GameSpy query protocol, which is a “standard” way to glean this sort of information.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.