James Hay | OSCP | OSWE | CRTO

Hello, my friend. Stay a while and listen.

4 minute read

This is a short series of notes I am taking out of a OneNote I sometimes misplace and simply putting them into the blog so it appears I am still producing content and can reference this next time I need to.

In a revelation that will surprise absolutely no one, I like to cheat at video games. I do not give a fuck, I play for fun; if I want stress I will simply go to work. I do not have time for bullshit, I do not wish to be “challenged” (this is a bullshit way of saying your product is dogshit btw - things should not be challenging to consume) I wish to absolutely curb stomp the ai and revel in enormous blowout matches.

But you have alluded to competitively playing counter strike?? yeah like fifteen fucking years ago before I got a career and a mortgage. it turns out not having a job means you have a lot of time to scrim in public servers, who’d have thought that..

burns

Much like..well pretty much anything, the first step to successfully creating a trainer is understanding the problem at hand. I run out of gold too fast because I like to spend it, much like I do inside my irl meat suit.

Cheat engine, yes that same cheat engine that allowed us to find the memory locations for the SNES SF NN, is the tool of choice again today.

Start a new campaign (I find it best because then you have gold that can be spent; the value can only be found when entropy is generated) [SAVE IMMEDIATELY BECAUSE WE DONT WANT TO SIT THROUGH THE MENUS ANYMORE THAN WE HAVE TO] , set initial value to 4000, scan, buy a farm upgrade, set scan type to decreased value, run next scan, and you’ll see some entries. Buy something else to see them change. the ones that reflect the value in game (should be two) you want to add to the cheat table (double click the found value)

01

NOW HERES THE TRICK. While both of these seem linked to the gold, only one actually sets it. Here’s a little neato thing that’ll waste your time if you don’t catch it; modifying this one that I have called A will immediately revert back to its original value when re-entering the game.

But when we set B and re-enter the game, it modified A, and sets it in game. I found this tricky to capture in scrots, so I did not. This right here is basically why I wrote this blog; I do not know why I never put this into my OneNote notes.

Right click (on the identified correct addr), pointer scan for this address.

02

Accept the defaults, save the file into a folder (not directly onto your desktop it spawns fucking hundreds of files!!!)

It comes back with (in this case) over 50 fucking million results. Obvs this is not possible to find the right one without filtering it a little. Make sure to NOT close this window.

03

We are going to close shogun while making sure to NOT close cheat engine!

Restart shogun and reattach to CE. it’ll ask if you want to keep the current table, no you do not, these addresses change hence why we are on the hunt for the pointer.

Repeat the finding process. once the “B” addr has been found again, we go to pointer scanner, rescan memory, pop in the mem addr, do NOT tick new scan, click ok, overwrite the old file, and viola it is filtered…somewhat. down from 50 mil to 3 mil. so filtering works.

04

05

06

Theres two options here. filter again, and again, and again, or start digging. I chose the first and sorted by offset. by filtering by offset 6, it brought to the top of the pile those that do not have a 3rd, 4th etc offset.

Double click on these and add them to the cheat window. We want to ensure they actually do carry across restarts, so restart shogun, reattach making sure this time to NOT empty the table, load up your save again and 1) see if those pointers say 4000, and 2) modifying them translates into game.

It appears (in this instance at least) all the added addresses work properly. So next we want to make a trainer.

I removed all but one (since they were all doing the same thing anyway), then we generate the trainer.

07

08

09

We want to set a hotkey to ‘increase value to’. This is strange nomenclature I won’t lie, to me that reads like “make it become x”, but it actually does increase the value of the addr BY that amount.

10

And that’s it. Generate, and if its anything like my mate who I sent it to to test, your machine will probably think it’s a virus and ban it.

This is very interesting how simple this really is, but has been on my to do list since 2020. I recommend that anyone wanting to get into gamehacking get a sub to GuidedHacking; it cuts through the shit and gets you to the actionable info you need to get going.

As a parting note do make sure to check out the latest C.A.P.S.U.L.E.S. modules as I have crafted a kit to deploy the lab from Chapter 17 of the OSEP materials.

mcbain

You May Also Enjoy

Simulating discovery of CVE-2003-0344

13 minute read

This is going to be a very long, very large post where I pontificate quite a bit to empty out my head. There’s a lot of disparate thoughts rattling around th...

Code Execution out of VST Plugins

5 minute read

For the second time this month I have been forced to realise that I need to build up a golden image for a dedicated development machine. Unrelated to this po...

The Price of Good

6 minute read

Alternative titles for this post I came up with included “What is premium?” and the exceedingly clever “Premium and the art of good enough”. This post wa...