Game Hacking

Table of Contents



General


Nintendo

  • Nintendo Gameboy/Pocket/Color/Advance
  • Nintendo 3DS
    • Articles/Writeups
      • Keyshuffling Attack for Persistent Early Code Execution in the Nintendo 3DS Secure Bootchain
        • We demonstrate an attack on the secure bootchain of the Nintendo 3DS in order to gain early code execution. The attack utilizes the block shuffling vulnerability of the ECB cipher mode to rearrange keys in the Nintendo 3DS's encrypted keystore. Because the shuffled keys will deterministically decrypt the encrypted firmware binary to incorrect plaintext data and execute it, and because the device's memory contents are kept between hard reboots, it is possible to reliably reach a branching instruction to a payload in memory. This payload, due to its execution by a privileged processor and its early execution, is able to extract the hash of hardware secrets necessary to decrypt the device's encrypted keystore and set up a persistent exploit of the system.
      • ARM9Loader Technical Details - GBAtemp
      • Throwback: K9Lhax by Bruteforce
      • soundhax
        • A heap overflow in tag processing leads to code execution when a specially-crafted m4a file is loaded by Nintendo 3DS Sound. This bug is particularly good, because as far as I can tell it is the first ever homebrew exploit that is free, offline, and works on every version of the firmware for which the sound app is available.
    • Emulator
    • Homebrew
      • Luma3DS
        • Luma3DS is a program to patch the system software of (New) Nintendo 3DS handheld consoles "on the fly", adding features (such as per-game language settings and debugging capabilities for developers) and removing restrictions enforced by Nintendo (such as the region lock). It also allows you to run unauthorized ("homebrew") content by removing signature checks.
  • Nintendo Entertainment System
    • Articles/Writeups
    • Emulators
  • Nintendo Super Nintendo
    • Articles/Writeups
    • Emulators
  • Nintendo64
    • Articles/Writeups
    • Tools
      • libdragon
        • libdragon is meant to be a one stop library providing low level API for all hardware features of the N64.
      • 64Drive
      • FAT64
        • FAT64 is a FAT32 library for use on the 64drive, a development cart for the Nintendo 64. It is used by the 64drive bootloader and menu.
  • Nintendo Gamecube
    • Dolphin
      • Dolphin is a GameCube / Wii emulator, allowing you to play games for these two platforms on PC with improvements. https://dolphin-emu.org/
  • Nintendo Wii
    • Dolphin
      • Dolphin is a GameCube / Wii emulator, allowing you to play games for these two platforms on PC with improvements. https://dolphin-emu.org/
    • wiihacks forum
    • WiiHacks
    • The Homebrew Channel
      • The Homebrew Channel - open source edition
    • WiiUse
      • Wiiuse is a library written in C that connects with several Nintendo Wii remotes. Supports motion sensing, IR tracking, nunchuk, classic controller, Balance Board, and the Guitar Hero 3 controller. Single-threaded and nonblocking, it makes for a lightweight and clean API.
  • Nintendo WiiU
    • Emulators
    • Firmware
    • Homebrew
    • Articles/Writeups
      • Anatomy of a Wii U: The End...?
  • Nintendo Switch
    • Articles/Writeups
      • Console Security - Switch Homebrew on the Horizon
        • Nintendo has a new console, and it's more secure than ever. The Switch was released less than a year ago, and we've been all over it. Nintendo has designed a custom OS that is one of the most secure we've ever seen, making the game harder than it has ever been before. In this talk we will give an introduction to the unique software stack that powers the Switch, and share our progress in the challenge of breaking it. We will talk about the engineering that went into the console, and dive deep into the security concepts of the device. The talk will be technical, but we aim to make it enjoyable also for non-technical audiences.
      • Nintendo_Switch_Reverse_Engineering - dekuNukem
        • A look at the inner workings of the Joy-Con and Nintendo Switch
    • Emulators
      • Ryujinx
        • Experimental Switch emulator written in C#
      • yuzu
        • yuzu is an experimental open-source emulator for the Nintendo Switch from the creators of Citra. It is written in C++ with portability in mind, with builds actively maintained for Windows, Linux and macOS. The emulator is currently only useful for homebrew development and research purposes.
    • Firmware
      • Atmosphere-NX
        • This is a repo for a work-in-progress customized firmware for the Nintendo Switch.
    • Homebrew

Sony


PC Games

  • 101
  • Articles/Blogposts/Writeups
  • Educational
  • Writeups
    • Cheat Prevention Software
      • Valve Anti-Cheat Untrusted Bans (VAC) CSGO
      • How ESEA detects cheat software in its online gaming league - Let's get physical!
        • Before we dig in, this post should not be construed as an attack on ESEA, anti-cheat software, or fair gaming in general. It is simply an analysis thereof, detailing what the ESEA driver does on your machine. Although analysis will make attack vectors clear and obvious, no code or detailed explanation of how to leverage these points will be given.
      • Inside Blizzard: Battle.net
        • This paper intends to describe a variety of the problems Blizzard Entertainment has encountered from a practical standpoint through their implementation of the large-scale online game matchmaking and chat service, Battle.net. The paper provides some background historical information into the design and purpose of Battle.net and continues on to discuss a variety of flaws that have been observed in the implementation of the system. Readers should come away with a better understanding of problems that can be easily introduced in designing a matchmaking/chat system to operate on such a large scale in addition to some of the serious security-related consequences of not performing proper parameter validation of untrusted clients.
      • An Objective Analysis of the Lockdown Protection System for Battle.net
        • Near the end of 2006, Blizzard deployed the first major update to the version check and client software authentication system used to verify the authenticity of clients connecting to Battle.net using the binary game client protocol. This system had been in use since just after the release of the original Diablo game and the public launch of Battle.net. The new authentication module (Lockdown) introduced a variety of mechanisms designed to raise the bar with respect to spoofing a game client when logging on to Battle.net. In addition, the new authentication module also introduced run-time integrity checks of client binaries in memory. This is meant to provide simple detection of many client modifications (often labeled "hacks") that patch game code in-memory in order to modify game behavior. The Lockdown authentication module also introduced some anti-debugging techniques that are designed to make it more difficult to reverse engineer the module. In addition, several checks that are designed to make it difficult to simply load and run the Blizzard Lockdown module from the context of an unauthorized, non-Blizzard-game process. After all, if an attacker can simply load and run the Lockdown module in his or her own process, it becomes trivially easy to spoof the game client logon process, or to allow a modified game client to log on to Battle.net successfully. However, like any protection mechanism, the new Lockdown module is not without its flaws, some of which are discussed in detail in this paper.
    • Emulators
    • Breaking The Game
    • Reverse Engineering
      • +1,000,000 -0: Cloning a Game Using Game Hacking and Terabytes of Data
        • In this talk, I'll provide a window into the warchest my team used to generate over a million lines of code. In particular, we created and used game hacks to process data from tens of millions of hours of in-game data and use the results to generate copies of a game's map, monsters, quests, items, spells, non-playable characters, and more. We also used a wiki crawler to obtain a large amount of data, generate additional code, and guide our cheat scripts in what to look for, clarify, and ignore. After explaining our end-game vision, I'll dive deep into the architecture of the game client, server and protocol. Once that's out of the way, I'll talk about the different types of hacks we used, how they work, and what data they were able to obtain. Once that's out of the way, I'll round out the story by explaining exactly what type of data we gathered and what parts of our toolkit we used to gather it.
    • Miscellaneous
  • Tools
    • CSGOSimple
      • A simple base for internal Counter-Strike: Global Offensive cheats.
    • PubgPrivXcode85
      • Simple chams wallhack for PlayerUnknown's Battlegrounds using a D3D11DrawIndexed hook
  • TruePlay - msdn
  • Game Trainers
    • ugtrain
      • Universal Elite Game Trainer for CLI (Linux game trainer)
  • BattleEye
    • FuckBattlEye
      • Bypassing kernelmode anticheats via handle inheritance (across sections)
    • NoEye
      • A usermode BE rootkit bypass

Game Programming Papers

  • The TRIBES Engine Networking Model or How to Make the Internet Rock for Multiplayer Games
    • This paper discusses the networking model developed to support a "real-time" multiplayer gaming environment. This model is being developed for TRIBES II, and was first implemented in Starsiege TRIBES, a multiplayer online team game published in December '98. The three major features of this model are: support for multiple data delivery requirements, partial object state updates and a packet delivery notification protocol.
And because hacking is easy: the Tegra X1 Bug.

Tegra X1 RCM forgets to limit wLength field of 8 byte long Setup Packet in some USB control transfers. Standard Endpoint Request GET_STATUS (0x00) can be used to do arbitrary memcpy from malicious RCM command and smash the Boot ROM stack before signature checks and after Boot ROM sends UID. Need USB connection and way to enter RCM (Switch needs volume up press and JoyCon pin shorted).

To:
ReSwitched
fail0verflow
SwitchBrew
BBB
Team Xecuter
Team SALT

Reminder: Real hackers hack in silence. You all suck.


"Game Over."


F8001BE1190CAED74BBDDAD78667877C84D1A128