SomersetRecon, Inc. is a full-service computer security consulting firm. We provide security analysis, training, consulting, incident response, and penetration testing services to a wide variety of industries. Our team is comprised of world-class security professionals with experience in hardware and software reverse-engineering, code auditing, malware analysis, encryption, and embedded systems. They come from diverse backgrounds including government, military, commercial sector, and academia, so we can address the unique requirements of our customers. Contact us today to find out how we can help with your specific security needs.
Hacking video games poses interesting challenges that sit outside the realm of traditional vulnerability research and exploit development. It requires a different perspective, aimed at a set of goals that rely heavily on reverse engineering, and it shares many techniques with malware analysis. Unlike traditional exploit development, however, hacking a video game provides immediate visual feedback.
At Somerset Recon, we find value in researching this form of hacking. While it is a bit esoteric, in the end it is still hunting for vulnerabilities in software. Additionally, much of the software in video games shares similarities with the software we regularly perform security assessments on: custom protocols, trust placed in the client, and an architecture built on legacy software with features bolted on.
During our research, we quickly discovered that Hammerwatch had a very loose client-server model. Using the memory editor in Cheat Engine, we were able to set our health value and the server respected the change. This led us to believe that the client was responsible for informing the server of changes and that the server did not validate those changes.
Our next steps were to reverse the codebase to observe what values in the game we could change. Since Hammerwatch is written in C# and runs on Mono, decompiling it with a .NET decompiler yields the full C# codebase. We used dnSpy for this task. Loading the Hammerwatch.exe executable results in a tree view that nicely displays all the classes in the game, including the character classes.
After reviewing the classes, we noted that the ranger character looked interesting, so we decided to focus our efforts on modifying the Ranger class. The Ranger class is extended by a subclass, PlayerRangerActorBehavior, that contains the properties and behaviors of our Ranger character. This subclass contains a function called "Damaged" that controls how the client calculates and reports damage to the world.
Most of the work is done in the base class, but the ranger can randomly dodge attacks depending on a random number generator. However, an invincibility cheat can be achieved simply by patching the dodge chance check to always return false.
More interesting cheats can be achieved by observing the Ranger class's Attack function. This function works by starting some animations, calling ShootArrow in the direction the character is facing, and updating the world about this action.
While these issues may seem specific to Hammerwatch, they actually extend past this. In our experience, the issues we encounter in game hacking, such as custom protocols that assume trust or do not properly verify the sender, are common in software today. All of this combined to make our work with Hammerwatch a good lesson in security as well as a fun game to hack.
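To show what the loose client-server model above looks like from the server's side, here is an added Python sketch (constructed for this write-up, not Hammerwatch's code): a trusting handler that applies a client-reported health value verbatim, beside an authoritative server that owns health, rolls the ranger-style dodge itself, and rate-limits attack reports instead of trusting the client's animation timing. The message type, the 0.5 s cooldown and the monster damage table are all assumptions.

```python
import random
from dataclasses import dataclass

@dataclass
class Player:
    health: int
    dodge_chance: float = 0.0  # ranger-style dodge, rolled on the server
    last_attack: float = -1e9  # time of the last accepted attack

@dataclass(frozen=True)
class HealthReport:  # constructed client message claiming a new health value
    player_id: int
    new_health: int

def trusting_health_report(players, msg):
    """Weak pattern: whatever health the client reports becomes the truth."""
    players[msg.player_id].health = msg.new_health
    return players[msg.player_id].health

class AuthoritativeServer:
    """Hardened pattern: the server computes damage, dodge rolls and attack rate."""
    ATTACK_COOLDOWN = 0.5  # assumed seconds between accepted attacks

    def __init__(self, players, monster_damage, rng=None):
        self.players = players
        self.monster_damage = monster_damage  # monster_id -> damage, server-owned
        self.rng = rng or random.Random()
        self.rejected = 0

    def on_health_report(self, msg):
        # The client has no authority over health: a mismatch is a desync or a cheat.
        ok = msg.new_health == self.players[msg.player_id].health
        self.rejected += not ok
        return ok

    def on_hit(self, player_id, monster_id):
        p = self.players[player_id]
        if self.rng.random() < p.dodge_chance:  # a patched client cannot force this roll
            return p.health
        p.health = max(0, p.health - self.monster_damage[monster_id])
        return p.health

    def on_attack(self, player_id, now):
        # Rate-limit attacks instead of trusting the client's animation timing.
        p = self.players[player_id]
        if now - p.last_attack < self.ATTACK_COOLDOWN:
            self.rejected += 1
            return False
        p.last_attack = now
        return True
```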
Since this question gets asked a lot on the boards, with many, many good suggestions and tips scattered everywhere, I decided to try to compile most of it in one place. I am looking forward to adding suggestions to this post, so let me know what works and what doesn't! I will edit this post with notes on specific games as I see them here or from personal experience. I use AHK with most of the games that I play, anything from keybinds to full MMO grind bots. Let's compile some of our good info here.
Easy Steps:
First basic steps to get AHK working with the average game.
1) Make sure the script is running with Admin privilege (right-click on the script, Run As Administrator).
-Explanation: Some games run at admin level and AHK does not typically run with this privilege set.
2) Switch the game settings from 'Full Screen' mode to 'Windowed' or (I prefer) 'Borderless Windowed' mode.
-Explanation: DirectX draws the screen in a manner different from Windows; this can cause things like colors being reported wrong, the mouse jumping to the 'wrong' coords, and it can just plain prevent the game from registering the input at all.
3) A lot of times keypresses need to be held down longer than normal for the game to fully register them.
-Explanation: Usually caused by DirectX (DirectInput). It 'polls' the keyboard every 15ms (varies slightly) and records the keys that are down, then 15ms later it takes another 'snapshot' and compares the two. This is how games allow you to hold two (or more) keys at the same time, but very fast (sub 10-15ms) inputs can fall between snapshots and the game never sees the keypress. If your script is very twitchy and seems
Intermediate Steps:
If you are at this point and the script still doesn't work, it is likely that you are dealing with some sort of cheat prevention software. Don't give up hope; there are a couple of fairly simple things that can still be done.
1) Compile the script to .exe form and rename the program to something non-threatening to the game.
-Explanation: Look here in the docs for how to compile; it is very well written and I will not be re-creating the wheel here. This method is a fairly simple workaround for most 'hackshield' type software.
-Examples: Rename to something generic or the same as something legit (setup.exe, skype.exe), possibly
2) Simulating DirectInput. This is difficult and not supported natively in AHK in any way. Look here for a thread describing a couple of ways to simulate DirectInput. This is theoretical and untested. Requires
Following these steps should get scripts working in the majority of games. I have found a few that I cannot make work so far, but they are few and far between. If you have some tips to add to this, please let me know!
So that my player selects some object with a mouse click (a mob, an NPC, an item on the ground) and does some action, like pressing the letter E and clicking. The most difficult part, I think, is making the script click the objects that I wish, using "artificial intelligence". For example, clicking over objects with color #FFF000.
I play Perfect world which comes from the same publisher and uses the same engine etc.
I would really appreciate it if you would send me a copy of your Forsaken World script for AutoHotkey, as I am having issues getting this to work with Perfect World.
I have already made the script I want to use with Rappelz, but it has the same effect: nothing. I know it's doing what it's meant to, because if I bring up a Notepad it starts typing into it, but on Rappelz it has no effect. (I also have a counter on my script that brings up a window from the taskbar showing me how many times it's run through my loop.)
Any suggestions? Because I refuse to play a magic class until I can get this working so I can auto attack like a melee class can (a mage class has to hit 1 every 1 sec and 2 every 1 sec; they need to be hit 0.5 sec apart to actually have the class attacking like a melee class does).