Hello and welcome back to CS420, a course on game hacking. This section is going to be on the basics of the operating system and memory scanning, which is arguably the most important skill in game hacking. We're not going to go deep into operating systems, since that can be an entire course on its own; we're just gonna learn the parts that are relevant to game hacking and then we'll move on.

Memory scanning is a technique used to find things like health and gold in a video game. We'll go over how that works and I'll demonstrate a few live examples at the end. Let's briefly dive into what we need to know about operating systems.

The operating system does quite a few things, but these two are the most important. First, it manages the hardware in your computer, and this part really isn't that important to game hackers, so we won't touch on this very much. The second thing it does is that it manages the programs running on your computer. When you double-click an exe file, when you open an application, it's the operating system that is responsible for making sure that program runs. Let's look at how that works.

So here we have the executable file for Squally on the left, and that's a file that exists on your hard drive. When you double-click that exe file, the operating system basically takes that file and copies it into RAM. A couple other things happen behind the scenes, but again it's one of those things where you don't need to know all the details. Now, if you want to know just for the sake of knowing, you can read up on loaders and executable file formats, and I'll put links to the relevant Wikipedia articles in the description. It's worth mentioning that when we hack the game we hack the copy in RAM, not on disk. This means none of the changes we make are permanent. If we break something or crash the game it doesn't matter, we could just run the game again. This is the main difference between software cracking and game hacking. When cracking software you generally hack the version on disk rather than the version in RAM. This is because in software cracking the goal is to make a paid program free by removing serial key checks and that sort of thing. In game hacking you would still want to be able to play the game normally when you want to. For this reason we only hack the version in RAM.

So let's cover some of the tools that game hackers use. Cheat Engine is the most well known tool. It's been around since about 2003, it's well tested and it gets the job done. The other tool listed here is Squalr. This is the tool that I've been working on. It's faster than Cheat Engine, but it's newer and has some issues. If you're watching this in 2019, probably just stick with Cheat Engine; however, if you're watching this video in the future, check out Squalr. I'll put links to both in the description. One thing to note is that when you're installing Cheat Engine they have optional promoted software that they bundle with the installer. You have to make sure to decline those during the installation process, so don't just spam the next button, just be careful about that. So next let's talk a bit about how these tools work. All right.

So because the operating system has so much power over running programs, we can abuse the operating system to help us cheat in games. You can say, hey operating system, you see that game running over there? Go ahead and change health to 100 for me. And as long as you tell it exactly where to look, it'll follow your orders. Every operating system has a bunch of things you can ask it to do. These functionalities are known as an API or a library. I used to find these terms confusing, but they really just mean code that somebody else wrote that I can use. The operating system is code; it's written in C and C++. We're able to use some of that code when we develop our hacking tools. On Windows this is known as the Windows API, and on Mac and Linux they have their own API. Some of these are really powerful. Some of these functions that they let us use are very powerful and allow us to cheat in games. One example is this WriteProcessMemory function here on the screen. It's used to edit things running in RAM, which is exactly what we need to cheat in our games. You could just fire up a C++ or C# program and use this code to edit the program. This is how both Cheat Engine and Squalr work. I'm going to leave it at that for now. Later I'll have a lecture on how you would actually implement a memory editor using the Windows API, and I'll go into much more detail there.

If you recall from before, I mentioned that hacking can be broken up into three steps: find the thing, exploit the thing, and observe the results. For this hacking method, memory scanning is the act of finding the number you want to change. It's like hitting Ctrl+F in your browser to search for something. In our case we want to use it to find health, mana, gold, skill points, the XYZ coordinates of the player, anything numeric. Once you find the number you want to change you can edit it with memory editing, and then you just see if it worked and you're done.

Before I get into this we need to update our understanding of what a computer program actually is. So last lecture I said we could think of a program as a bunch of zeros and ones, and I also mentioned that this was a very bad understanding. I promised that we would keep building on this, so let's build on it. So if this was the memory of a game loaded into RAM, then somewhere in the sea of zeros and ones would be the player's health. Now let's say we somehow figured out that this particular sequence of zeros and ones somehow represents the player's health. One might think that in order to increase the player's health we could just delete the old bits and put in a bunch of ones. Now this is wrong, this is not how it works. Look how laggy this is: I released the one key a long time ago and it's still trying to catch up. The problem is that when you insert a new digit it has to shift over potentially billions of other digits, and this is super slow. Let's explore how we actually accomplish our goal.

To make things less confusing, computer scientists a long time ago agreed to group bits into eight. This grouping of eight bits is known as a byte. This is a lot cleaner to look at and a lot cleaner to work with. This restriction is baked into almost everything in your computer. Files have to be a multiple of eight bits; it's impossible to have a file that only takes up seven bits, it would have to be rounded up to eight. If I have a text file that just has one letter in it, its size on the disk is one byte. So now let's say we found the player's health, let's say it's this byte here. If we wanted to change it we would simply overwrite the existing value.

Now I know we haven't learned binary yet. Next lecture we'll dive into how binary actually works, but for now just bear with me. It's important to note that because we can't insert new data, that means whoever programmed the game had to decide the limit in advance. It turns out the maximum for one byte of data is 255. If you took this and converted it to decimal it would be 255, and that works pretty well for health, because a lot of games will have like a hundred max health, so you never have to worry about going over the memory limit. However, if you have gold in a video game, this one byte is not enough, so you would actually have to use multiple bytes. A lot of games will use four. When you have 4 bytes the limit's about 2 billion. So programmers will take this, group it into 4 and say this is actually one number. Sometimes they'll use groupings of one, two, four or even eight. I'm highlighting the right amount here, yeah. So this is our new updated mental model of what a computer program is. It's still not perfect, but this is far less insulting than our original model. We know that a computer program is made up of a bunch of bytes, which are groups of eight bits, and to represent larger numbers a programmer can group bytes together to give themselves more digits to work with. These can be groups of one, two, four and eight, which we'll learn the reasons for in a later lecture. And I glossed over this, but you may have been able to figure out that binary numbers can be converted to decimal numbers. We can convert the highlighted group of four bytes in the bottom left into the number 623. Luckily for us most tools will handle this sort of thing for us, so we never have to really look at binary.

Now on to memory scanning. I mentioned earlier that memory scanning is like hitting Ctrl+F in your browser, except instead of searching for text on a page we're searching for numbers in memory. So if a player has 100 health, we'll assume that we're searching for a number that can be up to four bytes long, because like I said that's what most programmers choose. And there is a problem with this though, and allow me to demonstrate what the issue is. It's not as easy as just hitting Ctrl+F. So let's say that it did work exactly like Ctrl+F does in your browser, and we want to search for 100 because that's how much health we have. Well, we quickly run into the problem of there's just too many matches. It turns out that most games take up anywhere from 1 gigabyte to 8 gigabytes of memory for larger games, and this can be about 4 billion numbers, which means we'll get a lot of matches. So we need to figure out how to narrow down our search, and there's a cool magic trick that makes that possible. But before we can learn about that we need to know what an address is first.

Let's go back to our mental model of what a computer program is. There are these groups of 8 bits, these bytes, that start at the top left and go from left to right until they reach the end. Well, we can call that first group of bits, that first byte, address 0, because it exists at the first location. It's kind of weird, but programmers tend to start lists with 0 instead of 1, so the first one is 0, then it goes to 1 and 2. Now if we keep going, this first group of 4 bytes starts at address 116. Now even though it occupies 4 addresses, we refer to it by the first address in the sequence. Now just to, you know, give an analogy, right: just because you have a mansion, just because you have a lot of property, you still only have one street address, and the same is kind of true here. Now it's important to note this example here in the center: see, address 169 is where we have the value 100. And this can get very confusing for people, right? You don't want to confuse addresses and values. The value is whatever the bits inside represent, and the address is just the location.

All right, I want to reiterate this. So here the value is just a hundred if we look at this box, but it exists at position 169. Value 100, position 169. The value can change, but the address can never change. This will always be a hundred sixty-nine, but 100 can change if the bits change, right? If I kept flipping the first bit this value would change to a hundred and one; it would flip between these two: a hundred, it changes, a hundred and one, right? But the address will always be one sixty-nine.

So now that we know a little bit about addresses, we can actually learn how to solve that problem from earlier, that problem of we have too many matches. So the best way for me to do this is just to jump into some live examples and we'll solve this together.

So here we have an early build of Squally open on the left and we have Cheat Engine open on the right. The first thing we're gonna want to do is tell Cheat Engine which game we're trying to hack, and we do that with this little glowing "select a process" button, the computer icon here. We pick Squally, and now Cheat Engine knows what we're trying to do.

Now our goal is to hack our health. You see here we have eleven health and we want to change that to heal ourselves up. So what we do in Cheat Engine is we can search for eleven. Now there's a lot of overwhelming looking settings here, but we can ignore most of them. Just know that we're using four bytes; I mentioned earlier that that's how most programmers store integers. And we hit the first scan button. Now we got a lot of matches, right? We have about 16,000 matches, which is a considerable amount, so there's no way we're just gonna be able to flip through these and, you know, eyeball which one of these is health. We can ignore this column for now, so just know there's address, which we covered earlier, and value. Address here is being represented as a hex number, but it's still the same exact concept.

So how do we narrow this list down? Well, since we already know everything that's 11, we can actually just go ahead and take some damage in the game. So I'm gonna get hit again, and now we want to know which things used to be 11 but are eight now, and that's how scanning works. So I go ahead and type 8 and it'll search this list, right? So now we're searching on, we're searching on our search, essentially, right? Just narrowing the search down. So if I hit this there's only one result. We found it. That was super easy; it only took two scans. Sometimes it can take a lot more, but for us we got pretty lucky. Now I just double-click this value, change it to 16, and then in the game I have 16 health. That easy.

Now let's jump into another example using Squalr, my software. So here there's a drop down, just go ahead and hit this and pick Squally from the list, similar to Cheat Engine. And up in this top bar all the settings are good too; it's already set to a four byte integer, and we can go ahead and just type in 380, because now we're gonna try and change our gold in our minigame Hexus. So I go ahead and start this scan. I get a fair number of matches; there's not a lot, only 132 matches this time. You know what I can go ahead and do is buy something in the game, so I'll go ahead and buy this card and now it's 275. So I just go in and now I try and narrow the search by searching for 275. There's only one match, so I go ahead and double click this and now we change it to something else, so I can change it to 200,000. Now you may have noticed that in the game it hasn't updated. Well, it turns out that it doesn't update immediately every single time; sometimes you have to do something to refresh the screen. So if I go ahead and buy the card, now it recognized, okay, I increased my gold, now it updates. And that's all there is to it.

So in our examples we learned how to find health and we learned how to find money. This is enough to get you started, but there's still a lot more we need to cover. For example, what if you wanted to find the x and y coordinates of the player to write a teleportation hack? How would you do it? We have no idea what the player's x-coordinate is; it could be a hundred, a thousand, a million, no idea. Also the cheats we learned how to create aren't reusable: if we restart the game, the addresses we found for gold and health are no longer valid, and we'll learn the reasons for that later. But what we learned today is enough to be dangerous, right? I encourage you to go start hacking some single player games, whatever you own, and get familiar with the process.

Okay, thanks for watching, and if you have any questions or feedback leave a comment below. Thank you.
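As an added illustration (not code from the video, Cheat Engine or Squalr), here is a small Python simulation of the scan-and-narrow procedure from the two live examples, run against a constructed 256-byte buffer standing in for game memory; it also shows the address-versus-value distinction and the byte-width limits discussed above. The planted addresses (20, 64, 100, 169) and the "take damage" step are assumptions of the simulation; the real tools apply the same filtering to another process's memory, whereas this version reads and writes only its own buffer.

```python
from __future__ import annotations
import struct

WIDTH = 4  # the lecture's "four bytes": most games store integers as 4-byte ints
# struct formats per width, little-endian as on x86: 1, 2, 4 and 8 bytes
FORMATS = {1: "<B", 2: "<H", 4: "<i", 8: "<q"}


def read_int(memory: bytes, address: int, width: int = WIDTH) -> int:
    """Return the VALUE whose first byte sits at ADDRESS (the lecture's 'mansion' rule:
    a 4-byte number occupies 4 addresses but is named by the first one)."""
    return struct.unpack_from(FORMATS[width], memory, address)[0]


def write_int(memory: bytearray, address: int, value: int, width: int = WIDTH) -> None:
    """Overwrite the existing bytes in place. Nothing is inserted, so the buffer never
    grows; struct raises struct.error if value does not fit the chosen width."""
    struct.pack_into(FORMATS[width], memory, address, value)


def first_scan(memory: bytes, value: int, width: int = WIDTH) -> list[int]:
    """The 'Ctrl+F' over memory: every address where a width-byte integer equals value."""
    return [a for a in range(len(memory) - width + 1) if read_int(memory, a, width) == value]


def next_scan(memory: bytes, candidates: list[int], value: int, width: int = WIDTH) -> list[int]:
    """Search on the previous search: keep only candidates that now hold value."""
    return [a for a in candidates if read_int(memory, a, width) == value]


def build_sample_memory() -> tuple[bytearray, int]:
    """Constructed stand-in for a game's RAM: filler bytes with several 4-byte 11s planted.
    The one at address 169 (echoing the lecture's slide) plays the role of health; the
    other three are unrelated numbers that merely happen to equal 11 right now."""
    mem = bytearray((i * 37 + 5) & 0xFF for i in range(256))  # constructed filler
    health_addr = 169
    for addr in (20, 64, 100, health_addr):
        write_int(mem, addr, 11)
    return mem, health_addr


def fits_in_width(value: int, width: int) -> bool:
    """The programmer fixed the width in advance: one byte tops out at 255, four bytes
    at about 2 billion. Returns False when value cannot be written at that width."""
    try:
        write_int(bytearray(width), 0, value, width)
        return True
    except struct.error:
        return False


def simulate_health_hack() -> dict:
    """Replays the Cheat Engine example: scan for 11, take damage, scan for 8, edit to 16."""
    mem, health_addr = build_sample_memory()
    hits = first_scan(mem, 11)            # first scan: too many matches to eyeball
    write_int(mem, health_addr, 8)        # we get hit: health is 8 now
    write_int(mem, 64, 7)                 # an unrelated value changes too, to something else
    narrowed = next_scan(mem, hits, 8)    # which of the old 11s are 8 now?
    write_int(mem, narrowed[0], 16)       # found it: overwrite the value at that address
    return {
        "first_scan": hits,                     # [20, 64, 100, 169]
        "next_scan": narrowed,                  # [169]
        "health_after": read_int(mem, health_addr),   # 16
        "size_unchanged": len(mem) == 256,      # overwriting never shifts other bytes
    }


if __name__ == "__main__":
    print(simulate_health_hack())
    # the lecture's slide: the four bytes 6F 02 00 00 read as the number 623
    print(read_int(b"\x6f\x02\x00\x00", 0))
```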