Guest post by a security enthusiast friend.
Several years ago I got the idea to learn how I can use Cheat Engine to make “cheats” or “hacks” for games. The simplest game I knew was the famous Windows game Minesweeper. This article is a tutorial about how to make a simple program that shows where the mines are on the field.
To write a program that displays some (hidden) data from a game’s memory we have to know exactly where the desired data is in memory. In our case this means we have to know the address of the minefield and the address of its size too. This is where Cheat Engine comes into play. It is an open source tool with many great features; we only (have to) use 2-3 of them.
Then, once we have those addresses, we need to write a program that reads from the game’s memory and displays it. Back then, when I didn’t know many programming languages, I used C++ and WinAPI functions like ReadProcessMemory. Now, as I’m writing this post, I want to use Python, so we will use the ctypes library to call the same API and read that data. This works exactly the same as my old C++ solution, but you know, it’s Python.
LEt’s GO dIg (in the memory)!
First fire up our game and Cheat Engine. Click on the shiny computer picture (open process), then select the game.
Okay, now we want to find the size of the minefield in memory. It’s easy because we know the exact value and we can just search for it. To do this we start a game with a 9 by 9 field, then we search for the value 9. This shows us a lot of addresses where the value 9 is present, but don’t worry, we can narrow this list by changing the field size to 16 and hitting ‘next search’. This only keeps the addresses that were in the previous list AND whose value is 16 now. If we set the board to 16 by 30, we can see these values change too.
Great! The next step is to get the board’s address. It’s a bit trickier because we don’t know the exact value of any of the cells. We can use an advanced search like selecting ‘Unknown initial value’ and then ‘Value changed/unchanged’ searches. Spoiler alert: it takes a lot of time!
The funny thing is that when we click the ‘Memory View’ button we arrive right in the part of memory we are looking for :). But there is a way to find this without luck too! With the ‘Graphical memory view’ feature we can visually see where the memory changes when a new game starts. This is because the minefield is re-generated with every restart.
With some messing around with field sizes we can see that the field is stored row by row as a 30 by 30 matrix. This means that if we play on a 9 by 9 field the memory looks like this: 9 values representing a row, then (30-9) unused values, then the next row and so on. The 30 by 30 (the biggest playable) field fills up this whole space without unused values. Because of this we don’t even have to know the size of the field, we could print out all 30*30 values, but that’s not a pretty solution and we are here to practice.
The only thing left is to write a program that reads the memory and displays where the mines are. My example program is available here. I think it’s easily understandable, so I don’t want to write much more about it.
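To make the two parts concrete, the memory layout above (rows of 30 with unused slots after a 9-wide row) and the ctypes-based read, here is an added example. It is not the author’s linked program; it is my own illustration. It assumes Python 3 and, for the actual `ReadProcessMemory` call, Windows. The byte that marks a mine is a placeholder (`MINE_MARKER`): the real pattern is whatever you observed in Cheat Engine for your build of the game, and the process id and field address are placeholders too. The decoding part runs anywhere on a constructed dump, which is what the `__main__` block uses.

```python
import ctypes
import sys

FIELD_STRIDE = 30         # the board is laid out as a 30-by-30 matrix (from the article)
PROCESS_VM_READ = 0x0010  # documented Windows access right needed for ReadProcessMemory
MINE_MARKER = 0xAA        # PLACEHOLDER: use the byte value you saw in Cheat Engine for a mine


def read_process_memory(pid, address, size):
    """Read `size` bytes at `address` from process `pid` with kernel32 (Windows only).

    This is the ctypes equivalent of the old C++ ReadProcessMemory call."""
    if sys.platform != "win32":
        raise OSError("ReadProcessMemory is a Windows API; run this part on Windows")
    kernel32 = ctypes.windll.kernel32
    kernel32.OpenProcess.restype = ctypes.c_void_p
    kernel32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    kernel32.ReadProcessMemory.restype = ctypes.c_int
    kernel32.ReadProcessMemory.argtypes = [
        ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p,
        ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t),
    ]
    kernel32.CloseHandle.argtypes = [ctypes.c_void_p]

    handle = kernel32.OpenProcess(PROCESS_VM_READ, False, pid)
    if not handle:
        raise ctypes.WinError()  # turns GetLastError() into a readable exception
    try:
        buf = ctypes.create_string_buffer(size)
        got = ctypes.c_size_t(0)
        ok = kernel32.ReadProcessMemory(handle, ctypes.c_void_p(address),
                                        buf, size, ctypes.byref(got))
        if not ok:
            raise ctypes.WinError()
        return buf.raw[:got.value]
    finally:
        kernel32.CloseHandle(handle)


def decode_field(raw, rows, cols, mine_value, stride=FIELD_STRIDE):
    """Turn the raw board bytes into text rows: '*' for a mine, '.' otherwise.

    Only the first `cols` values of each `stride`-long row are part of the
    playable field; the (stride - cols) trailing slots are skipped."""
    if len(raw) < rows * stride:
        raise ValueError("buffer shorter than rows * stride")
    lines = []
    for r in range(rows):
        start = r * stride
        row = raw[start:start + cols]
        lines.append("".join("*" if b == mine_value else "." for b in row))
    return lines


def build_sample_dump(rows, cols, mines, mine_value, stride=FIELD_STRIDE):
    """Construct a fake 30x30 dump with mines at the given (row, col) positions.

    This is constructed test data so the decoder can be exercised offline."""
    buf = bytearray(stride * stride)  # zero-filled; 0 stands for 'no mine' here
    for r, c in mines:
        if not (0 <= r < rows and 0 <= c < stride):
            raise ValueError("mine outside the matrix")
        buf[r * stride + c] = mine_value
    return bytes(buf)


if __name__ == "__main__":
    # Offline demo on a constructed 9x9 board; the mine at column 20 sits in the
    # unused part of the row and must not show up.
    dump = build_sample_dump(9, 9, [(0, 0), (4, 4), (8, 8), (0, 20)], MINE_MARKER)
    print("\n".join(decode_field(dump, 9, 9, MINE_MARKER)))

    # Live read (Windows only): replace the placeholders with the pid you picked
    # in Cheat Engine and the board address it showed you.
    GAME_PID = 0            # PLACEHOLDER
    FIELD_ADDRESS = 0x0     # PLACEHOLDER
    if sys.platform == "win32" and GAME_PID:
        live = read_process_memory(GAME_PID, FIELD_ADDRESS, FIELD_STRIDE * FIELD_STRIDE)
        print("\n".join(decode_field(live, 9, 9, MINE_MARKER)))
```

The reading part keeps the handle open only for the duration of the call and asks for `PROCESS_VM_READ` rather than full access, which is all a read-only viewer needs; the decoder is deliberately separate so it can be checked against a known dump before pointing it at a live process.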
We managed to write a hack for a popular game thanks to Cheat Engine!
Next time we will try something more complicated!