Hacking games with DLL Injection

DLL injection is a method of injecting code into another process's address space and executing that code on behalf of that process. Note that we need administrator privileges to carry out such an operation. DLL injection has gained a bad name for itself since it is mostly used by malware (remember that meterpreter can also do this?) for stealth purposes, but there is more to it than just stealth. To expand on this, I am going to quote this answer from Reverse Engineering Stack Exchange:

DLL injection provides a platform for manipulating the execution of a running process. It's very commonly used for logging information while reverse engineering. For example, you can hook the IAT entry for a given imported operating system library function, and then log the function arguments onto disk. This provides you a data source that can assist in rapidly reverse engineering the target.
DLL injection is not limited to logging, though. Given the fact that you have free rein to execute whatever code that you want within the process' address space, you can modify the program in any way that you choose. This technique is frequently used within the game hacking world to code bots.
Anything that you could do with byte patching, you can do with DLL injection. Except DLL injection will probably be easier and faster, because you get to code your patches in C instead of assembly language and do not have to labor over making manual modifications to the binary and its PE structure, finding code caves, etc. DLL injection almost entirely eliminates the need for using assembly language while making modifications to a binary; the only assembly language needed will be small pieces of code nearby the entrance and exit to a particular hook to save and restore the values of registers / the flags. It also makes binary modification fast and simple, and does not alter any cryptographic signatures of the executable that you are patching.
DLL injection can be employed to solve highly non-trivial reverse engineering problems. The following example is necessarily vague in some respects because of non-disclosure agreements.

How does injection work?

DLL injection can be summarized in 4 steps:

1) Attach to target process

We use OpenProcess() with RWX (Read, Write, Execute) permissions to get a handle to the target process.

2) Allocate memory within process to inject code

We use VirtualAllocEx() to allocate the memory required to hold our DLL. Think of this function like malloc().

3) Copy DLL into allocated space

We use WriteProcessMemory() to write our DLL into the allocated space.

4) Execute the code

This is the final step. Create a remote thread in the target process with CreateRemoteThread(), using the address of the beginning of the DLL as the entry point, to execute the injected code.
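On the defender's side, the same four steps leave a trace: Sysmon's Event ID 8 (CreateRemoteThread) records the source and target process together with the new thread's start address, start module and start function. The Python below is an added example, not code from the original post; the log lines are constructed, the field names are Sysmon's, and the '|'-separated line layout is assumed for brevity.

```python
"""Flag CreateRemoteThread events (Sysmon Event ID 8) that match the
injection sequence above: a thread started in a different process whose
entry point is either LoadLibrary* (classic DLL injection) or an address
not backed by any loaded module (code written in with WriteProcessMemory)."""
from dataclasses import dataclass

# Constructed sample records, one per line, "Field=value" pairs separated by '|'.
SAMPLE_LOG = """\
SourceImage=C:\\Tools\\cheatengine.exe|TargetImage=C:\\Games\\winmine.exe|StartAddress=0x77E4A000|StartModule=C:\\Windows\\System32\\kernel32.dll|StartFunction=LoadLibraryA
SourceImage=C:\\Windows\\System32\\svchost.exe|TargetImage=C:\\Windows\\System32\\svchost.exe|StartAddress=0x00401000|StartModule=C:\\Windows\\System32\\svchost.exe|StartFunction=
SourceImage=C:\\Users\\u\\injector.exe|TargetImage=C:\\Games\\winmine.exe|StartAddress=0x00A40000|StartModule=|StartFunction=
SourceImage=C:\\Windows\\System32\\csrss.exe|TargetImage=C:\\Program Files\\app.exe|StartAddress=0x7C810000|StartModule=C:\\Windows\\System32\\kernel32.dll|StartFunction=BaseThreadStart
"""


@dataclass
class Finding:
    source: str
    target: str
    reason: str


def parse_line(line):
    """Turn one 'A=x|B=y' record into a dict (assumed log layout)."""
    return dict(field.split("=", 1) for field in line.rstrip("\n").split("|"))


def classify(ev):
    """Return a reason string if the event matches the injection pattern, else None."""
    if ev["SourceImage"].lower() == ev["TargetImage"].lower():
        return None  # a process creating a thread in itself is normal
    if ev["StartFunction"].startswith("LoadLibrary"):
        return "remote thread entry is LoadLibrary* (classic DLL injection)"
    if ev["StartModule"] == "":
        return "remote thread starts in memory not backed by a module (written-in code)"
    return None


def scan(log_text):
    """Run classify() over every record and collect the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        reason = classify(ev)
        if reason:
            findings.append(Finding(ev["SourceImage"], ev["TargetImage"], reason))
    return findings
```

The third sample record is what step 4 above looks like from the outside: a thread whose start address falls in memory that no loaded module backs.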

Writing up all these steps in detail would make this article too lengthy, so I am going to link some excellent write-ups on how to perform injection in detail.

Windows DLL Injection Basics

An Improved Reflective DLL Injection Technique

Hacking the game

With all the newly gained knowledge, I am going to hack Minesweeper by writing a simple bot that plays the game automatically.

Covering the bases

I am going to use Cheat Engine to automate the process of injecting the DLL instead of manually writing an injector, because I'm lazy. For compiling the DLL, I am going to use Visual Studio. Some familiarity with the Win32 API is assumed. Further, IDA Pro is used to reverse engineer the minesweeper binary. I am using XP's minesweeper. Get it from my Github (VirusTotal).

Let’s check if we can do ‘Hello world’ quickly.

#include <windows.h>

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        /* The DLL is being loaded for the first time by a given process.
           Perform per-process initialization here. If the initialization
           is successful, return TRUE; if unsuccessful, return FALSE. */
        MessageBoxA(0, "DLL has been attached !", "DLL Bot", MB_ICONEXCLAMATION | MB_OK);
        break;
    }
    return TRUE;
}

Compile this code to a DLL. It can easily be injected with Cheat Engine:

1) Open the target program, minesweeper.exe in this case.
2) Open the process in Cheat Engine, then from Memory View > Tools > Inject DLL supply the target DLL, and you should see something like

Hello world

Finding out available functions

We're going to use IDA Pro to find out what functions are available in the minesweeper binary for us to pivot on to build the bot. Open minesweeper.exe in IDA Pro and then click Functions to check the list of functions.

functions

You can study what these functions do by setting breakpoints on them and then playing the game to see when they are triggered. I studied one function called StepSquare(x,x), located at address 0x1003512. It takes two parameters and jumps to the square given by its arguments. This function will be used to step our bot through the board during its execution.

Finding location of Bomb

Now that we know how to step forward in the game, we need to know where the actual bombs are located so we can avoid stepping on them and complete the game.
Let's start by fixing the height and width to check where they are located in memory.

In minesweeper choose some game size, say 17x19, from Game > Custom and then open the process in Cheat Engine.

Searching for 17 in the game's memory from Cheat Engine gives us some addresses.
search for 17

Changing the height to 11 and searching again, we can see which value changes from 17 to 11; now we are sure that the height is located at address 0x1005338.
search for 11
Similarly we can find the width, which was at 0x1005334 in my case.

Now let's look at the memory around the addresses where the width and height are located. After some observation and some trial and error I noticed something near these addresses.
Notice the highlighted memory space.
memory 1

The memory that stores whether a tile holds a bomb starts at 0x0015341. You can see how the values change when I click the first tile:
memory 2

These are the memory locations that store whether a bomb is located at a particular tile: 0F means no bomb, while 8F means bomb.

Coding the Bot

Coding the bot is simple enough: we just need to travel down the tile array and skip a tile if it contains a bomb. For travelling we're going to use StepSquare(x,x). You can read here in detail how to call a function by its address.

Putting the addresses found above together with the loop, and defining isBomb() first so the loop can use it, the bot looks like this:

#include <windows.h>

/* Addresses found above with Cheat Engine and IDA Pro */
unsigned int *WIDTH  = (unsigned int *)0x1005334;
unsigned int *HEIGHT = (unsigned int *)0x1005338;
/* StepSquare(x, y) at 0x1003512, called through a function pointer;
   __stdcall is an assumption, check the calling convention in IDA Pro */
typedef void (__stdcall *StepSquare_t)(unsigned int x, unsigned int y);
StepSquare_t CheckBox = (StepSquare_t)0x1003512;

/* One byte per tile: 0x0F = no bomb, 0x8F = bomb. Rows are assumed to be
   32 (0x20) bytes apart as seen in the memory view; adjust if yours differs */
int isBomb(unsigned int i, unsigned int j) {
    unsigned char *tile = (unsigned char *)(0x1005340 + 32 * j + i);
    return *tile == 0x8F;
}

void playBoard(void) {
    unsigned int i, j;
    for (i = 1; i <= *WIDTH; i++) {
        for (j = 1; j <= *HEIGHT; j++) {
            if (!isBomb(i, j)) CheckBox(i, j);   /* step only on safe tiles */
        }
    }
}

You can see the full source of the program here on Github.

Testing our bot

Testing is similar to the way we tested our 'hello world' DLL; on injecting this DLL we get
success

What next?

You can try making a DLL injector yourself instead of relying on Cheat Engine for it. It's not too hard and fairly easy to implement.
You can try to make hacks for other games, maybe Counter Strike 1.6? Global Offensive? The only bottleneck with modern games is that they come with cheat protection, so it's not as easy as this to make cheats.