Ooh i know this trouble haha. If some value for some reason doesn't seem to have a usable pointer jidt use something else that changes

I wonder where the line would be drawn between a TAS and a standard speedrun for a game where the whole point is to write code to cheat your way through it.

Well I wouldn't really say speedrunning tools are a "valid use case", but I would be really interested in knowing some! There must be some good reason they added potentially dangerous stuff like that, but I can't make up any example right now...

@@DOENERUSCHI mostly debuggers I think

@@DOENERUSCHI debugging

Oh shit, he found out!! Plan B!!

He's hacked you dude

lol it's just the youtube algorithm mining you for your data, you're perfectly safe 😏

Someone must be observing your pointer paths!

The one example I know of where internal values are allowed to be visible in speedruns, Half-Life, does this via a mod to the game itself instead of a third-party tool (afaik). That's yet another route that communities might take.

haha

Yep! I'm writing an internal Discord RPC mod for a game. (Cube World). Dealing with binary is cool tho.

the problem with this is that it's not intended by the devs. if you'd use this on a game with an anti-cheat, you will get banned; which would be a bit unfortunate for just showing your friends which level you're at

Yes. Cube World doesn't have any anticheat nor modding system. People are just blackboxing the game since 2013.

Vorname Nachname Anticheats will still get pissed off because of wallhacks and such that CAN work without writing.

I did this for Puyo Puyo Tetris!

This has not been guarded at all, if you were interested in game cheats you could get this info on any game hacking forum

Also this is surface level

This is quite well known. There's a good book on this topic if you want even more detail: www.amazon.co.uk/Game-Hacking-Developing-Autonomous-Online/dp/1593276699

If this information was well-guarded, then cheating in games would be far easier than it is currently. But you can't keep secrets like this. Different people can come up with different methods of getting the same results. One person may find an exploit in new hardware, and never reveal it while someone else may just stumble upon the same exploit some time later. It happens.

some speedrunners, a lot of (mainly console game) speedrunners use manual splitting

RedMikePumpkin Manual splitting sounds tedious. That explains why some speedruns have moments where the runner forgets to do a split.

@@DrewTNaylor It starts out tedious, but after awhile it becomes an instinct. Multiple times I've seen speedrunners performing live at marathons instinctively reach for their nonexistent split button (or foot pedal!)

thechucknorrisofNSMB Foot pedals would make it a lot easier.

e.g.: smw 0 exit

Here is a link to what is, for today's purposes, a list of all such known exploits: tasvideos.org/Movies-C3050Y.html

Donald Trompetas Go on unknowncheats and watch some of the guided hacking KZbin channel videos. You’re going to want to understand how memory works and be familiar with C/C++ (or C#). Some modern online games have anti cheat measures that won’t be easy for a newbie to circumvent (don’t ruin people’s day though, if you do cheat online - don’t rage cheat at least).

@@zzzdenda huh? i am

@@NtQueryInformationProcess yep, using the debugger to find the pointer is so much more reliable than the pointer scan. everytime someone uses the pointer scan I die a little inside

yeah 100%. It's useful whenever you wanna interact with another process that isn't designed to be interacted with. Frida (frida.re) uses techniques like this and I've used it modify apps before to reverse engineer apis or remove annoying features. Also, I saw that michael reeves video about fortnite where a real gun shoots him when he takes damage and he uses screenshotting whereas it would have had a lot less latency and required less processing if he had hooked the damage function or something in game ( Granted that might be hard for fortnite but just an example).

I didn’t notice :O

Oh hey, thanks!

I think the fair question to ask is, why did you blow up Ryder's car?

I made a tool that tracks the amount of kills I got in a game, for no reason other than to just have cool statistics to display on stream. I was told, rightfully, that it could be used to see whether you got a blind shot or not. I modified the tool to be disabled during the part where the player does the blind shot.

@@LotsOfS I always figured it'd be neat to have a program displaying extra info on stream but with the player not able to see it, just to be more interesting for the viewers.

www.cheatengine.org/forum/viewtopic.php?t=582759&sid=c0cda86d513e76498067b26f4fe6dfb6

Philipp The Cat Am auto splitter might want to do something when a function is called, or there might be data stored in TLS that can’t be accessed completely externally IIRC.

@@thomhughes4617 Yes, thats what a detour can do, but that isnt really exposed to the asl scripts.

1) ASLR in Windows is not system-wide, every Executable or DLL file can have ASLR enabled or not (it's enabled by adding the /DYNAMICBASE flag in msvc while compiling). 2) Even if the base is dynamic, and the address where GameLogic.dll is mapped changes, the pointer path taken starts with "GameLogic.dll"+offset, not with a fixed address, Cheat Engine or other software can calculate the pointerpath by replacing "GameLogic.dll" with its base address (with just a call to GetModuleHandle in the context of the target process, or from its PEB->Ldr.InMemoryOrderModuleList), then, from there, it's easy to get to the variable.

@@redouanered7950 I figured that much, but how does it know where GameLogic.dll is loaded ?

@@Wyvernnnn Windows has a function that can give you the base address of a module

It is "fixed" sometimes, but not in this particular case. The reason the pointer path works is because the pointer is always at a certain address _relative_ to the beginning of GameLogic.dll, and the WinAPI function GetModuleHandle can be used to find out the address where that DLL is loaded. So since we can find out where that DLL is, we can find out where the pointer is. Every time the game is started, GameLogic.dll creates the value for the menu position at a random address. It then keeps track of that random address using a _pointer._ The pointer is always at a certain address relative to the beginning of GameLogic.dll. So for example, let's say it is 1024 bytes after the beginning of the DLL. Every time the game wants to know the menu position value, it needs to find out where that value is located, since the value is in a random location. It looks at GameLogic.dll + 1024 bytes, and there is the _pointer._ The pointer gives the address of the actual value, so it then looks there next and finds it. If we know where the pointer is, relative to the DLL start, then we too can reliably find the value's address. Now, DLLs themselves don't reliably load at any particular location, but Windows always keeps track of where they're loaded, so it can tell us if we call GetModuleHandle. But thanks to Virtual Address Spacing, if the pointer is in an EXE, we don't even have to do that, as we have a guarantee it will be loaded at the same place every time. So in that sense, it is possible for the pointer path to be truly "fixed"

Well all OS's need to have memory management so that should be self explanatory but aside from that most, if not all decent anti-cheats protect against these kind of things. The ways the anti-cheats block them is quite simple it's a kernel driver that blocks the use of WINAPI, you can't just say "hey program change this memory from an unsigned program with out a big bully from kernel space saying forbidden and given you a basic memory access violation or something. Other things they may use are File Integrity Checks, Detecting Debuggers, Stops debugger from attaching, Detect Cheat Engine & memory editors, Signature Based Detection, Detect DLL injection, Detect Hooks, Memory integrity checks and Statistical Anomaly Detection. What I currently use to bypass this when you take use of already signed programs and drivers such as drivers from intel and discord which already have access to these sorts of things and then exploit them to run my own read and write process memory. Hope this helps - Calvin.

@@calvinspear6707 Wow, very insightful comment, thanks a lot! So there's two things to unpack here - the first one is, why would opening a thread in a remote process be a necessity for OS memory management? It feels a bit insecure in and of itself, but then again, attaching a debugger to a running process is often a very welcome functionality, and so is tracing its execution, so I guess it's allowed unless explicitly prevented, which I assume can be done at application level (in userspace)? Which leads me to the second thing - essentially the way you bypass kernelspace protections (I assume things like BattlEye?) is by hijacking code that already runs in kernel space, and therefore code that is signed, so that you can essentially read and write anywhere in memory? Sounds very complicated, at least for the intel drivers, maybe less so for discord but I didn't realize they had a kernelspace driver running?

How? I wanna know. Please

livesplit one desktop?

@@1e1001 so, livesplit one is currently just a timer that runs in the web browser, right? One of the developers has a version that runs 100% natively.

pwn adventure is the only game

@Vorname Nachname I'm not sure what you mean, you can easily scan a process's entire memory for a specific pattern in milliseconds. It's not much different to how cheat engine would scan for any value. It's also less likely to break during a game update like offsets, depending on the game's design and what kind of memory you're scanning for.

Xhiro lol you can look cheat engine it is open source

@@alword I meant to make programs that can hold the value at a certain a address

@@xhir0 you dont even need to make a program to do that. you can simply disable the code that accesses the address and then it can never change unless you change it

@@Airyz developed cheats aren't just cheat engine's source code with modifications. You make your own gui, your own way to find the games process id, and addresses. Then you can write and read to memory at those addresses.

@@xhir0 im well aware. I have made many of my own. And you can achieve this easily through your own code

game.startCredits();

@@unflexian Not sure about you, but I'd watch it.

the exe is trustable

@@1e1001 Yeah idk man, I found nothing about it to feel trustworthy. I would rather build it myself and know the project before every dealing with that because not only does every antivirus go off around that thing but every website damn near that the creator of it links people to they are also riddled with malware so either it is trustworthy or the creator is pulled the wool over a bunch of peoples eyes. I was about to get CE until I went to the forum in which the creator was linking people to different places and most of the places he was linking people on sites he created Alarm bells were screaming all over my computer because he had so much malware all over the place and we are not talking about CE malware, we are talking god knows what that was triggering all these safe search things. Something is highly highly shady about CE and its creator and because of that I just can not in good conscious run anything made by him. Wish I could because I love using hexeditors but at the end of the day I could likely just create one myself and use it faster than I could learn that mess of a project that is CE.

You can also leave the scan result open and close/-reopen the game. Then filter out the wrong ones. And repeat. The list should shrink to a few really nice ones.

Alexandru Ene Agreed

Alexandru Ene Looking back i should have said "i can't change your mind because it's the truth"

The factory must grow! Go back to your iron mine!

No need to, It is the best game.

My friends ........ There is nothing that cures depression better than 16hours of Factorio a day

@@MS-hj6bh no

There are better methods than raw pointers for hacking Java games...

@@makak_zeleny besides signature scanning what else?

@@rockyrivermushrooms529 Frida (frida.re) has some very good ways to interact with the JVM. I don't know what it's doing behind the scenes though so sorry if that's not what you were looking for.

Typically emulators. Or parsing the video feed. A lot of old games have recognizable pixels to indicate the current level.

I reckon if they manage to find a vulnerability in the device that gives them code execution or lets them overwrite the firmware they can do stuff like that. I don't know if that's what those game hackers actually do or if there's another way but those vulnerabilities certainly do exist so its theoretically possible.

@@LiveOverflow >Typically emulators but i said original hardware, emulators are their own speedrunning category >Or parsing the video feed. A lot of old games have recognizable pixels to indicate the current level. makes sense i guess, but would not work in many games. as far as i was able to google right now some people just have some kind of pedal that they press with their foot to do the time splits.

@@dummybugstudios6450 i never mentioned some kind of vulnerability. it is completely possible to hack/mod any console, they just can't do it because it's not allowed by the rules of the speedrunning community. that is what i meant with "they can't"

@@proxy1035 ohhh my bad then I have no clue