>>Introduction<<
In programming, we use functions to run sequentially through statements declared by us, the
developers.
A program can be described as nothing more than a lot of functions being executed, creating a
loop.
These Functions do all of your Business Logic, in a Game they could handle your Health, Ammo, Mana,
Entitiy Spawn Conditions, basically anything.
The Algorithms and Math inside these Functions decides how much Damage you take, how much an Item
costs, how many Enemies Spawn where, when and how.
But what if we could manipulate them? There are a lot of hacking options you could use for this, but
in this entry we will look at
Function Hooking
>>So what are Hooks?<<
Hooks are, by definition, internal hacks (except if you use a disassembler during runtime,
which is, of course, external).
You manipulate a game function to call a function that you have written yourself, and
afterwards return to the normal program flow.
This means they run
inside the Process you want to Hack, because you are
HOOKING an original program function.
To make this easier, here is a Visualisation on how this looks.
┌───────────────┐
│ source_code.c │
┌─────────────────────────────────────────────────┐
│#include <stdio.h> │
│int calcHealth(curHealth, int dmg){ │
│ newHealth = curHealth - dmg; │
│ return newHealth; │
│} │
└─────────────────────────────────────────────────┘
Above you can see some really simple example code, don't read too much into it, This
is just so we can grasp the concept easier. This code is getting called everytime an
Entity in our fictional Game takes damage, it takes a int Value and subtracts it from
the Entities Health. So what if we wanted to make Entities take a TON more damage?
This is where Hooking comes in.
Let's Hook this Function to execute our OWN Code.
┌───────────────┐
│ source_code.c │
┌─────────────────────────────────────────────────┐
│#include <stdio.h> │
│int calcHealth(curHealth, int dmg){ │
│ newHealth = funcHook(curHealth); │
│ return newHealth; │
│} │
│ │
│int funcHook(int health){ │
│ health = 0; │
│ return health; │
│} │
└─────────────────────────────────────────────────┘
We injected our Hook into the Original game function, which now always executes our own Code
which sets the HP of the Entitiy hit to 0, resulting in an one-shot Kill, nice!
Of course, this is a really really simplified overview on how Hooking works, and
the question that is probably in your head is "how the hell do i even get my Function INTO the Game?"
>>The Windows API<<
That question has different answers, but I just want to Highlight the one that works for any game, nay, program
that is running on an Windows NT Kernel, the Windows API. To be more specific, the windows API is a well documented
piece of code, and the Kernel itself is written C.
So, if you know your way around in C or C++, the Sky is pretty
much the damn limit. First you get a
Handle (a fancy way of saying "the window the process is runing in"), with
FindWindow, then you can use that Handle to get that Process ID with
GetWindowThreadProcessID.
Now you just need to full access to that specific process, which you can do with the process ID and
OpenProcess.
And with that, the heavy lifting is already finished. You now can manipulate any virtual memory of that specific process with
WriteProcessMemory and
ReadProcessMemory