Unity Game Hacking

Billie Kjergaard

Aug 4, 2024, 7:13:06 PM
to cayhiceme
I think the only feasible way is to have a server - could be a small web server, could be custom-made (possibly more optimal since it has no widely known vulnerability unlike web servers, and requires a custom hacking solution) - and a database, and hold the data there, only sending to the player what he absolutely needs (always sanitize your input!).

This depends on what you mean by hacking. Are you talking about getting at your assets and/or code? Are you talking about intercepting network messaging to submit fake high scores? Other? Some stuff is easy, other stuff is hard.


You can combat the simple attacks, yeah. The scoring system in our recent games keeps track of score in three different places, in different ways. If any fall out of sync we assume it was a memory hack.


o Usage of graphical representations instead of numeric values.
o Instead of rational numbers use your own formula.
o Encode values.
o Keep the values several times, in different representations.
o Use timestamps and flag/check for events, reasonable values.
o Add red herring values and log them as well.
o Check for reasonable settings due to the gathered information above.


I think this is similar to what I used to do with emulators.

Say you start off with 5 lives; then I would search memory for 5, then I would deliberately lose another life and scan the previous results for 4, then 3, then 2, then 1.

Eventually you're left with a variable that you can change to 99 and freeze, and hooray! I can now play the game without the fun factor!


My previous "Hacking Unity Games" post explored a few tools and methods for hacking Unity games. These methods all involved patching the game logic - either in the game's files on disk or code in memory. An update to the game could break all of these methods by replacing the files on disk or causing the bytes/offset searched for in memory to change.


With the use of Frida (again) we can inject some custom Javascript into the game and access Mono (which Unity games are compiled with) functions for better hacking. This is done with "frida-inject" to inject our code and the "frida-mono-api" package to interact with Mono.


Once again I'm going to be hacking the game "198X", and re-creating the previous "invulnerability" hack as well as some others. After a few iterations of my script to hack the mini-games and hours of trial and error, googling, and staring at offsets and memory values, I've finally come up with a Javascript library to do some of the heavy lifting.


It's unimaginatively called "enumerator.js" and is used to enumerate all the function names and properties of a given Unity/Mono class, as well as provide "getter" and "setter" methods for easily manipulating an instance of that class. Unfortunately the class names still need to be discovered with dnSpy (which you'd probably still want to use anyway to find the game logic you want to hack) - this is mostly due to some of the needed Mono functionality not yet being implemented in the "frida-mono-api" library.


As mentioned above, this all works by injecting Javascript into the game - for which an "injector" script is needed, one can be found in my repo that supports command line arguments for easy reuse: injector.js.


The function's "jit_address" is of special mention as it's this value we needed in the previous post - either in CheatEngine script, or searching for specific bytes in memory - in order to patch. We now have a more programmatic, non-CheatEngine, way of finding this address IF we really wanted to do things that way... but we're still getting to the good bit.


Conveniently all three of these mini-games use the same logic, making them easy to hack at once. In the previous post I patched an if (this.dead ... logic check to use a different field, causing the damage logic to be bypassed. Rather than patching the game code, my script is going to dynamically modify the game object receiving damage to bypass the logic.


The code "enumerates" the class (getting the field offsets, that I previously needed to get from CheatEngine, and other info) and then sets up a Frida interceptor on the "Damage" function. The arguments passed to the "Damage" function are available in the local "args" variable, with the first element being a pointer to the instance of the "TakeDamage" class.


Unfortunately, unlike regular Frida interception, changing the "args" values (or "retval" in the "onLeave") of a Mono function results in an error rather than affecting the game's code - so we can't do that. Instead the "dead" property of the object can be changed, when the object is the player's character, to bypass the game logic. This is all done dynamically, no hardcoded addresses or offsets here, so the hack should survive general updates to the game that don't change its logic too much. The "this" variable is shared between the "onEnter" and "onLeave" functions, making for an easy way to share some state.


This is a racing mini-game dealing with time and speed rather than damage. It also revealed a fairly major shortcoming of my "Enumerator" code... I want to modify a property of a sub-class ("RoadRenderer.Sprite") which my code can't find or lookup the offsets for, so I've had to resort to a hardcoded offset :/


For this hack I bypass deceleration logic applied when you go off the road, prevent a speed loss when colliding with another car or obstacle, and prevent obstacles from causing a "wipeout". This logic, and work-arounds, were found looking through the game's code in dnSpy (which the previous post covers).


This mini-game is an RPG, dungeon-crawler, style of game. Damage is dealt to the player by an "EnemyAttack" function in the "RPGController" class. The first argument passed into this function is the amount of damage being dealt but unfortunately, as mentioned above, this value can't just be set to zero to prevent the damage.


Instead of "preventing" the damage I decided to just "undo" it... reading the player's health value before the damage and setting the value back after the damage. Setting the health back in the "onLeave" (of the "EnemyAttack" function) has the desired effect, and the game believes the player's still at full health, but before the function completes the screen is updated and the damaged-health value is shown. To work around this I decided to reset the player's health in the screen update function ("UpdateStatusText" in the "Status" class)... this meant that I couldn't use the "this" variable as scope is not shared between "onEnter" functions, so I used a global variable for this.


Hooking game functions like this could make it easier to write bots - relying on events happening in-game to trigger bot logic, and providing easier access to game state - or be used in "speedruns" needing to detect when a level (mini-game) is completed.




Debuggers. In my mind, they are associated with hacking through screwing around with the machine code, although that is not their only use. But I think about Cheat Engine, old Counter-Strike attacks, and attacks on old PC games that used only to override machine instructions during runtime to do something unintended. They weren't really the attacks that violate users' privacy or personal information. They were just attacks for fun. In the case of game hacking, it was for many purposes; the most popular is changing a value like your health bar, coins, weapons, or other features based on the game, some even premium features. However, many times debuggers are used to bypass certain security checks, like anti-debuggers for example, and they work in a similar way to game hacking: finding a function, and changing something about it that changes the flow of how the game should behave, or at least how it should behave to a user with certain privileges like me. Yeah. So I went to mobile game hacking since, you know, that is how most people play their games, that and PC games.


I wanted to test a small game, and most importantly, a fun one. Remember in the beginning I told you that the idea of game hacking, besides now you can leak users' personal information and sensitive data, is about changing the game's flow and logic to do something fun; it's called "modding". So I kept testing many games for days, by playing them first, and seeing if this is a game I would like to spend hours testing. Some even had bug bounty programs, but they were pretty boring for me to try, and since this isn't my full-time job, it makes no sense to try them out. Till I found this game called SRW 2. Its idea is pretty simple: the car you're driving keeps driving at speed, and you just change its direction with your fingers, and from the start of the game till you die you keep running from the police; also when you get out of your car, you keep running on your legs. It's fun, and it also doesn't require user interaction very much, so this means I can hook Frida to it and keep it running without playing the game.


That is a big, vast topic. One famous tool is Il2CppInspector; the creator of this tool is also amazing. She has this blog called "djkaty", where she talks about hacking Unity games. Basically, you give the tool the metadata file and the shared library file. It then decrypts those to an Assembly-CSharp.dll file, and then you have your source code. Sometimes the metadata file is encrypted, but there are ways around it, and many times the file isn't encrypted at all.
