Hacking a game with DLL injection [Game Hacking 101]

Views: 94,107

247CTF

1 day ago

Implementing a game hacking trainer for Age of Empires by using Dynamic Link Library (DLL) injection. The injected DLL enables the player to toggle the "reveal map" and "no fog" cheat codes on and off by pressing the F6 key.
DLL injection is a useful technique, used by game hackers and malware authors alike. The DLL injection process enables you to force some process into running your own code. Once the process is running your code, you can do and access anything that the main process can.
🎮 Game Hacking 101 Playlist ➝ • Game Hacking 101
👮 Fair use of copyrighted material in the context of Age of Empires (video game); en.wikipedia.o... / en.wikipedia.o...
⛔ Material presented for offline learning purposes only. No content regarding modern online games or detection bypass techniques will be discussed.
🏆 The 247CTF channel is dedicated to teaching Capture The Flag fundamentals. If you want to improve your technical skills and succeed in Capture The Flag competitions, make sure to subscribe!
🏁 The 247CTF is a free Capture The Flag learning environment where you can improve your technical skills by solving challenges and recovering flags. You can join now for free at 247CTF.com/.
📺 Subscribe for more Capture The Flag videos!
🏆 Solve CTF Challenges ➝ 247CTF.com/
🐦Stay up to date ➝ / 247ctf
🥰 Support the 247CTF ➝ / 247ctf
💬 Discuss and learn ➝ / discord
📌Free flag ➝ 247CTF{9719c5ddf317154473d334f47a77ac6a}
📝 Icons made by Freepik & Monkik from Flaticon.com
🚨 247CTF’s channel videos are intended for educational purposes only. Methods and techniques discussed are not to be used for illegal activities against unauthorised systems.

Comments: 122
@247CTF · 3 years ago
🤖🤖🤖 Who knew malware authors and game hackers aren't so different after all? 🤖🤖🤖
@Kindlylisten3 · 2 years ago
Hey, do you have any plan to offer your programming course on YT? It seems you have deep hacking skills, so please share so that we can also learn.
@darkfllame · 1 year ago
I watch DLL injection tutorials for "educational" purposes 😏
@schittPosts101 · 10 months ago
Script kiddie
@darkfllame · 10 months ago
@schittPosts101 no worry kid, I got the *C programming language👍👌* directly into my brain, with a lot of caffeine lol
@schittPosts101 · 10 months ago
@darkfllame LMK when you go straight to the Diet Coke to finish by the deadline xD
@darkfllame · 10 months ago
@schittPosts101 okay xd, I'm making a programming language with Zig and don't really have a deadline, so anyway
@Kronos.Saturn · 9 months ago
@darkfllame I code in pure binary, I'm better than you
@octaviocuatrochio2006 · 2 years ago
NOTE: if you're trying to DLL inject a 32-bit game, compile the code AND the DLL in 32-bit. This will save you A LOT of debugging hours. PS: Very nice tutorial! Thanks to you I was motivated to pick up a very old project, which extends the functionality of an old but loved game of mine (Burnout Paradise).
@dasphantom0439 · 3 years ago
So why do you need to use the WriteProcessMemory and ReadProcessMemory functions? The DLL is running directly in the memory of our game, so why are we not able to treat the address like a pointer and directly write/read to it?
@247CTF · 3 years ago
Good point! As long as we can write to that memory location we can use more native functions. WriteProcessMemory handles some of the legwork for us automagically if it's not, so for a beginner video this was an easier approach!
@dasphantom0439 · 3 years ago
Thank you for your answer. I really enjoy your videos. Keep up the good work!
@247CTF · 3 years ago
@dasphantom0439 Thanks, will do!
@WildeMarshall · 22 days ago
Jackson Patricia Thomas Patricia Rodriguez Laura
@djay10101 · 11 months ago
How do you locate the address of the patch without knowing it in the first place? And how do you know what values to overwrite it with to achieve the function you want?
@DatBoi_TheGudBIAS · 7 months ago
This is where the previous part comes in. Before you inject a DLL, you should use Cheat Engine to make a script. With that script, you can then see the bytes of the new opcodes and the address changed, and there's your answer.
@247CTF · 6 months ago
That's right - there is a playlist for the series; if you watch it in order, the current video (usually) builds on the previous one.
@tacillo · 2 years ago
Instead of using a hardcoded patch size you could utilize vectors, which automatically resize themselves to match the space the contents require :) (and why not use an unsigned long long (uintptr_t) for the patch address? It won't be negative and can get really big if you have a lot of RAM available) Edit: The amount of RAM doesn't really matter, it's because of the userland virtual address range.
@247CTF · 2 years ago
TIL, thanks!
@muhammadziyad3648 · 1 year ago
Hey, can anyone help me hack the State of Survival game? It's only P2P and it's server-sided, or if anyone knows how to cheat in SoS or inject using tools.
@tacillo · 1 year ago
@muhammadziyad3648 if the game is fully server-sided then there highly likely won't be a lot of useful stuff you can do from the client side. I would recommend taking a look at package modifying, or in case you just want to cheat in that one specific game without actually caring about learning that type of stuff, let it be.
@muhammadziyad3648 · 1 year ago
Can you guide me about package modifying, because I want to hack a specific server-sided game @tacillo
@starwinner4982 · 1 year ago
Hey, nice video. I am a total noob with C++; in the Injector.cpp file, on line 28, what is the full line? I tried to figure that out myself but I had no success. Do you mind helping? :D
@247CTF · 1 year ago
Code is on Patreon
@mrvb6408 · 3 years ago
Nice stuff, but you don't actually need to read the original game bytes to toggle the trainer on/off... use the power of XOR :P
@247CTF · 3 years ago
Awesome tip! This is a good improvement to the trainer for sure! Will implement this in the next video!
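The XOR idea in the exchange above, worked through as an added example (editor's code, not the trainer from the video or anything 247CTF published): the trainer precomputes `mask = original ^ patched` once, and then a single XOR pass over the live bytes flips them from original to patched and back again, so it never has to read the region to learn which state it is in. The five bytes standing in for the game's code region are hypothetical, not the Age of Empires opcodes from the video, and `simulatePresses` stands in for the F6 handler by toggling a local copy of the region rather than process memory. The `state()` guard is the practitioner's caveat: if the live bytes match neither the original nor the patched form (different game build, another tool already wrote there), a blind XOR would corrupt code, so the toggle refuses.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <vector>

// A byte patch expressed as an XOR mask: since (orig ^ mask) == patched and
// (patched ^ mask) == orig, one XOR pass flips the region in either direction.
// The trainer therefore never has to ReadProcessMemory to learn which state the
// bytes are in before it writes, and needs no separate "is it on?" flag.
struct XorPatch {
    std::vector<uint8_t> mask;   // original[i] ^ patched[i], computed once up front
    std::vector<uint8_t> orig;   // retained only for the sanity check in state()

    XorPatch(const std::vector<uint8_t>& original,
             const std::vector<uint8_t>& patched)
        : mask(original.size()), orig(original) {
        // Patch and original must cover the same number of bytes.
        for (size_t i = 0; i < original.size() && i < patched.size(); ++i)
            mask[i] = original[i] ^ patched[i];
    }

    // Toggle the bytes at target between original and patched, in place.
    void toggle(uint8_t* target) const {
        for (size_t i = 0; i < mask.size(); ++i) target[i] ^= mask[i];
    }

    // 0 = original bytes present, 1 = patched bytes present, -1 = neither.
    // -1 means the live bytes are not what the patch was built for (a different
    // build of the game, or another tool already modified them); XORing blindly
    // there would corrupt code, so a careful trainer refuses to toggle.
    int state(const uint8_t* target) const {
        bool isOrig = true, isPatched = true;
        for (size_t i = 0; i < mask.size(); ++i) {
            if (target[i] != orig[i]) isOrig = false;
            if (target[i] != static_cast<uint8_t>(orig[i] ^ mask[i])) isPatched = false;
        }
        return isOrig ? 0 : (isPatched ? 1 : -1);
    }
};

// Constructed stand-in for the game's code region (hypothetical bytes, not the
// real Age of Empires opcodes from the video): a conditional jump that the
// "cheat on" patch replaces with two NOPs.
const std::vector<uint8_t> kOriginal = {0x74, 0x05, 0x83, 0xC4, 0x08};
const std::vector<uint8_t> kPatched  = {0x90, 0x90, 0x83, 0xC4, 0x08};

// Simulates `presses` F6 presses against a copy of the region and returns the
// region contents afterwards; odd counts leave the cheat on, even counts off.
std::vector<uint8_t> simulatePresses(int presses) {
    std::vector<uint8_t> region = kOriginal;
    XorPatch patch(kOriginal, kPatched);
    for (int i = 0; i < presses; ++i) {
        if (patch.state(region.data()) < 0) break;   // unknown bytes: leave them alone
        patch.toggle(region.data());
    }
    return region;
}

int main() {
    XorPatch patch(kOriginal, kPatched);
    for (int presses = 0; presses <= 3; ++presses) {
        std::vector<uint8_t> region = simulatePresses(presses);
        std::cout << "after " << presses << " press(es): state="
                  << patch.state(region.data()) << '\n';
    }
    return 0;
}
```

Only the mask is needed for toggling; `orig` is kept purely so `state()` can detect that the region holds something unexpected before the mask is applied.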
@realNAKAMI · 3 years ago
Feedback: you have an icon for a question mark and a checkmark. Whenever you come up with an idea, you use the checkmark, as if you had already finished the execution of said idea. It would make more sense to introduce a lightbulb or a thought bubble icon whenever you talk about a new concept/idea.
@247CTF · 3 years ago
Thanks for the feedback! Now if only I could draw..
@Operation6bruh · 2 months ago
@247CTF I have the same problem 😂
@OnionsBonnie-w1m · 11 days ago
Miller Sandra Hernandez Mary Thompson Maria
@AHN1444 · 1 year ago
I compiled a test DLL with Visual Studio 2022, and the exe is crashing with a 0xc000007b error on start. What am I doing wrong?
@247CTF · 1 year ago
"The error code means an invalid image format. Specifically, you are attempting to start an application which is designed to run on 64-bit operating system. But your computer is running 32-bit Windows."
@arcsyndicate · 1 month ago
Nice video. Sharing code outside patreon would be nice
@brhvitor4 · 3 years ago
Nice video! A few criticisms that I hope are constructive: I would point out why you created a thread after the injection. I would say that writing with pointers is cleaner and gives the viewer a better understanding of what's going on, but it doesn't really matter.
@247CTF · 3 years ago
Great point! I'll use pointers moving forward, a few people have made a similar comment.
@koenbrink · 3 years ago
This is actually one of the best tutorials I have ever seen. Short, clear and perfect pace
@247CTF · 3 years ago
Thanks!
@aidan41 · 3 years ago
For you to copy and paste LMAO
@G242gdkxjfje · 6 months ago
All them script kiddies @aidan41
@Hyperlands · 3 years ago
How do you find out what patches you need to do? i.e. at 7:00, where did you get all the data for the memory hacks?
@247CTF · 3 years ago
Take a look at the previous videos in the series for context!
@leanhhao86 · 3 years ago
Great tutorial! I wonder what machine you used to test the DLL injection, because I'm running into a problem with CreateRemoteThread(). Both my DLL and injector are 32-bit running on Windows 10 and I received an Access Denied error from the function. :((
@247CTF · 3 years ago
The code in the video is 'bad', there is no error checking on the responses from the function calls - you should start there and use GetLastError to try and find the problem. If you have an EDR or similar running on your system, that may be blocking these types of calls too.
@bobbymcbobface · 1 year ago
Cheers dude! I'm currently writing a mod engine for a game with a friend, and because of you I can start learning C++ the way I like (by doing stuff) :D
@Xanderfied · 1 year ago
Let's say a game is running in Unreal Engine, and I want to access the debug console. However, after injecting my script and checking the log, I'm told the console wasn't able to be re-enabled due to code not being present. Is the code set by the devs, or is it more of a universal code? Also, could you, say, examine the executable in a hex editor and maybe discover said code? Like, it has to be in a mem block at some point, right?
@247CTF · 6 months ago
Don't know much about Unreal Engine - good luck.
@ruadeil_zabelin · 2 months ago
Wouldn't piggybacking on one of the existing DLLs be better? So for example it probably uses winmm.dll or some d3d DLL. If you put that in the same directory as the executable, it'll get loaded first. You stub/forward all the functions and put your own stuff in one of the ones that gets called. That way you don't need admin elevation to inject yourself into the other process.
@247CTF · 2 months ago
That is another option, sure, but you don't need admin rights to inject into another process you own.
@DukeNuGets · 4 months ago
Nice tutorial! Is it possible to inject a .NET Framework DLL? Thx
@247CTF · 2 months ago
Yes, it's a different method but you can - there are a few projects on GitHub that will show you how this works.
@tylermoore9908 · 1 year ago
Hey y'all, remember if your directory uses '\', just make it a raw string like: R"(your string here)";
@aozzz6936 · 3 months ago
I thought Windows would always give you random memory addresses, but you apply patching to the same address all the time. I don't get it.
@misch2 · 2 months ago
It's a virtual address, not a physical one. So it doesn't depend on where in RAM the process is loaded; it always sees itself at the same addresses.
@aozzz6936 · 2 months ago
@misch2 what do you mean "sees itself", when he specifies the exact address? Try to define a variable and it will have different addresses on each run, even if it's virtual memory.
@247CTF · 2 months ago
Depends on whether the binary / DLL is compiled with ASLR or not.
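Two threads above come down to flags in the PE headers: the 32-bit-versus-64-bit mismatch behind @octaviocuatrochio2006's advice and the 0xc000007b (STATUS_INVALID_IMAGE_FORMAT) error @AHN1444 hit, and the ASLR question 247CTF answers here. As an added example (editor's code, not 247CTF's injector or anything shown in the video), the parser below reads just enough of a PE image to answer both before anything is loaded: the optional-header Magic tells you whether the image is PE32 or PE32+, and the DYNAMIC_BASE bit in DllCharacteristics tells you whether the image opted into ASLR (when it is clear, the image maps at its fixed preferred base, which is why the same patch address works run after run unless the OS forces mandatory ASLR system-wide). The image bytes are constructed in `makeImage`, headers only and not loadable; the constant names are the editor's, with the matching winnt.h macro names noted in the comments.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Constants from the PE/COFF specification (same values as the winnt.h macros
// IMAGE_FILE_MACHINE_I386, IMAGE_FILE_MACHINE_AMD64, IMAGE_FILE_DLL,
// IMAGE_NT_OPTIONAL_HDR32_MAGIC, IMAGE_NT_OPTIONAL_HDR64_MAGIC and
// IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE; renamed here so the code builds anywhere).
constexpr uint16_t kMachineI386   = 0x014c;
constexpr uint16_t kMachineAmd64  = 0x8664;
constexpr uint16_t kImageFileDll  = 0x2000;  // COFF Characteristics bit
constexpr uint16_t kPe32Magic     = 0x010b;  // 32-bit optional header
constexpr uint16_t kPe32PlusMagic = 0x020b;  // 64-bit optional header
constexpr uint16_t kDynamicBase   = 0x0040;  // image may be relocated (ASLR)

struct PeInfo {
    bool ok = false;          // false if the bytes are not a parseable PE image
    uint16_t machine = 0;
    bool is64 = false;        // PE32+ (64-bit) vs PE32 (32-bit)
    bool isDll = false;
    bool dynamicBase = false; // ASLR opt-in; cleared means the fixed preferred base is used
};

static uint16_t rd16(const std::vector<uint8_t>& b, size_t o) {
    return static_cast<uint16_t>(b[o] | (b[o + 1] << 8));
}
static uint32_t rd32(const std::vector<uint8_t>& b, size_t o) {
    return rd16(b, o) | (static_cast<uint32_t>(rd16(b, o + 2)) << 16);
}
static void wr16(std::vector<uint8_t>& b, size_t o, uint16_t v) {
    b[o] = static_cast<uint8_t>(v & 0xff);
    b[o + 1] = static_cast<uint8_t>(v >> 8);
}

// Parse just the headers needed for the bitness and ASLR questions.
PeInfo parsePe(const std::vector<uint8_t>& img) {
    PeInfo info;
    if (img.size() < 0x40 || img[0] != 'M' || img[1] != 'Z') return info;
    const size_t pe = rd32(img, 0x3C);                 // e_lfanew -> "PE\0\0"
    // Signature (4) + COFF header (20) + optional header up to and including
    // DllCharacteristics (offset 70, 2 bytes) must all fit in the buffer.
    if (pe + 4 + 20 + 72 > img.size()) return info;
    if (img[pe] != 'P' || img[pe + 1] != 'E' || img[pe + 2] != 0 || img[pe + 3] != 0) return info;
    const uint16_t magic = rd16(img, pe + 24);
    if (magic != kPe32Magic && magic != kPe32PlusMagic) return info;
    info.machine     = rd16(img, pe + 4);
    info.isDll       = (rd16(img, pe + 22) & kImageFileDll) != 0;
    info.is64        = (magic == kPe32PlusMagic);
    info.dynamicBase = (rd16(img, pe + 24 + 70) & kDynamicBase) != 0;
    info.ok = true;
    return info;
}

// Empty string means the DLL can be loaded into the host process; otherwise the
// reason. A 32/64 mix is the cause behind STATUS_INVALID_IMAGE_FORMAT (0xc000007b).
std::string loadCompatibility(const PeInfo& host, const PeInfo& dll) {
    if (!host.ok || !dll.ok) return "not a valid PE image";
    if (!dll.isDll) return "image to load is not a DLL";
    if (host.is64 != dll.is64)
        return std::string("bitness mismatch: host is ") + (host.is64 ? "64" : "32") +
               "-bit, DLL is " + (dll.is64 ? "64" : "32") + "-bit";
    return "";
}

// Build a constructed, headers-only image for testing (no sections, not loadable).
std::vector<uint8_t> makeImage(uint16_t machine, uint16_t magic,
                               uint16_t characteristics, uint16_t dllChars) {
    std::vector<uint8_t> img(0x40 + 4 + 20 + 96, 0);
    img[0] = 'M'; img[1] = 'Z';
    wr16(img, 0x3C, 0x40);               // e_lfanew (low half; high half stays 0)
    img[0x40] = 'P'; img[0x41] = 'E';    // followed by two zero bytes
    wr16(img, 0x40 + 4, machine);
    wr16(img, 0x40 + 20, 96);            // SizeOfOptionalHeader
    wr16(img, 0x40 + 22, characteristics);
    wr16(img, 0x40 + 24, magic);
    wr16(img, 0x40 + 24 + 70, dllChars);
    return img;
}

int main() {
    PeInfo host = parsePe(makeImage(kMachineAmd64, kPe32PlusMagic, 0x0002, kDynamicBase));
    PeInfo dll  = parsePe(makeImage(kMachineI386, kPe32Magic, kImageFileDll, 0));
    std::cout << "host 64-bit=" << host.is64 << " ASLR=" << host.dynamicBase << '\n';
    std::cout << "dll  64-bit=" << dll.is64  << " ASLR=" << dll.dynamicBase << '\n';
    std::string why = loadCompatibility(host, dll);
    std::cout << (why.empty() ? "compatible" : why) << '\n';
    return 0;
}
```

To use it on real files, read the first few hundred bytes of the executable and of the DLL into vectors and pass them to `parsePe`; running `loadCompatibility` before attempting a load turns the opaque 0xc000007b into a readable reason. A DLL whose `dynamicBase` is set can land at a different address each run, so the absolute patch addresses from the video would then have to be computed relative to the module's actual base.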
@tr1ngle · 2 years ago
2:53 I can't see the full line of code for hProcess :skull:
@247CTF · 2 years ago
💀
@tr1ngle · 2 years ago
💀
@brodienelson7493 · 2 years ago
@tr1ngle Be a patron and get it all there. Do y'all not listen XD
@kanutaro3426 · 1 year ago
Thank you so much I finally understand how byte patching works
@ahmedgames9335 · 8 months ago
Can I deal with mono.dll like you used LoadLibraryA and run it in a thread inside the target process, but I will use e.g. mono_get_root_domain???
@247CTF · 6 months ago
You want to do this with .NET? You can achieve a similar effect but the process is slightly different, there are some examples on GitHub you could check out. The bonus is .NET makes the reversing step easier (usually).
@leon_black · 1 year ago
Hey, I wanna inject a modded DirectX DLL into a game to force it to run on a lower feature level GPU. How can I force the game to use it rather than the one in sys32? Is injection the solution? Because your injector ran after the game opens, but the game in my case doesn't open because it detects a lower FL.
@247CTF · 1 year ago
It depends a bit on the application. You might need to binary patch, might not: learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order. You could also try a loader like DxWnd.
@epicm999 · 2 years ago
Gonna have to rewatch this video. The info here is too good to pass up.
@nvdbk70 · 3 years ago
Do you give out the code in the video?
@247CTF · 3 years ago
It's available for Patreon supporters, but all the code is shown on screen
@TibiaOTarena · 2 years ago
@247CTF no, not "ALL the code", since you cut out hProcess..
@brodienelson7493 · 2 years ago
@TibiaOTarena Lmao
@PROJECTJoza100 · 1 year ago
Earned a new subscriber. Nice video!
@AR-dx6nm · 5 months ago
Is it possible to do this in an online game like Ragnarok Online?
@igorthelight · 2 months ago
It is but you may be banned ;-)
@aaron6807 · 2 years ago
I hope you still read the comments.. At 05:39, why did you use WriteProcessMemory instead of memcpy or so? The DLL is already executing in the game's memory space, so how come?
@247CTF · 2 years ago
No real reason, Windows error codes could be more useful if I handled them. I use memcpy in a different video and someone asked in the comments if I could also use WPM, so I did that in this video instead.
@aaron6807 · 2 years ago
@247CTF yeah fair. Thanks a bunch for clarifying it
@realNAKAMI · 3 years ago
Feedback: I find the music a tiny bit too distracting. Maybe lowering it like 30% would help. But maybe that's just me.
@247CTF · 3 years ago
Thanks for the feedback! Will lower the background sound in the next video!
@heatseeker3654 · 1 year ago
Can this be done for Age of Empires II: The Conquerors?
@247CTF · 6 months ago
Probably something similar, I've never looked..
@heatseeker3654 · 6 months ago
@247CTF I already tested it some time ago and it works.
@aatupontio8118 · 1 year ago
What's the difference in how a DLL injector and a Lua injector work?
@247CTF · 6 months ago
Don't know much about lua injectors, I would guess it's injecting lua script instead of compiled code?
@stickmaker10111 · 1 day ago
@247CTF Lua has the ability to require (import) DLLs of a specific name; for example, if a directory is specified it would try to look for directory/init.dll and directory/directory.dll, it will execute a luaopen_directory symbol found in it and pass the Lua context which houses global variables and such.
@maciejszpyra · 3 years ago
Is it always possible to inject DLL into a process?
@247CTF · 3 years ago
I would expect most modern games would either prevent or detect this naive injection approach. There are methods to block direct DLL injection, but if you can install kernel drivers you could still achieve the same effect! We can explore this in a future video!
@SideRocketeer0 · 3 years ago
Just wanna say your videos are great; they combine two great things, and hacking the game is just getting your money's worth.
@247CTF · 3 years ago
Thanks for the feedback!
@sieutruc · 3 years ago
Thanks for the video, but can you share your code? I tried to do it but don't understand why it does not work. I am on Win10 x64.
@247CTF · 3 years ago
5:48
@sieutruc · 3 years ago
Thanks for your information and useful video.
@jamesking2439 · 1 year ago
Also your inner loop for testing is way faster this way.
@247CTF · 1 year ago
🥷
@realNAKAMI · 3 years ago
Feedback: whenever you talk about states or a procedure, a state machine graph would look even cooler.
@247CTF · 3 years ago
Thanks for the feedback! Do you have a timestamp for an example?
@realNAKAMI · 3 years ago
@247CTF 7:54 sure, it's just three simple steps, but it feels like you're going into more complex examples in the future with these "our program will do this/that" explanations.
@quochungftu · 3 years ago
Does anyone have an edited dll file which I can toggle in-game while playing?
@247CTF · 3 years ago
When you say toggle, do you mean toggle functionality on/off or toggle the DLL being injected/not injected?
@phamquochung4908 · 3 years ago
@247CTF functionality, I meant. I found some DLL injector tools more useful than the one I built, but it causes heavy lag in-game; maybe the DLL file doesn't work well in Win 10.
@247CTF · 3 years ago
@phamquochung4908 Sleep might help you out, depending on what you are trying to do. Failing that, the next video in the game hacking series will include functionality toggles so you can see how that works!
@funy7657 · 2 years ago
Can you share the code with me?
@tacillo · 2 years ago
You can find the code on his Patreon.
@247CTF · 1 year ago
🙏
@declanrussoj3736 · 3 years ago
Good. I wait for love from you 💝💖
@dasphantom0439 · 3 years ago
@Wanna Chill Yeah, but what are they phishing for? Just views? They all have the same playlists with the same League of Legends gameplay videos with sex thumbnails.
@DcsMaster · 3 years ago
Can I hack Fortnite V-Bucks?? Pls answer
@247CTF · 3 years ago
Possibly?
@SkyenNovaA · 2 years ago
Probably not, because they're stored on a server; the way the program works in this video is editing your local machine's memory.
@lilpup1414 · 2 years ago
@@SkyenNovaA Send a request to the server. That might work
@AbacateSexy · 3 years ago
Nice video. Just found out about your channel. You surely deserve more recognition. I hope it comes eventually :)
@247CTF · 3 years ago
I hope so too!
@SEX_ON_DRUGS · 3 years ago
Great video!
@247CTF · 3 years ago
Thanks!
@abbybamatos7285 · 3 years ago
Really nice 👌 😍💋 💝💖❤️
@taclabs7967 · 3 years ago
Typical Gamehacker