Clone of . For those who would prefer to not be tracked by MS.

Game Hacking

Console Hacking


  • Nintendo Gameboy/Pocket/Color/Advance
  • Nintendo 3DS
    • Articles/Writeups
      • Keyshuffling Attack for Persistent Early Code Execution in the Nintendo 3DS Secure Bootchain
        • We demonstrate an attack on the secure bootchain of the Nintendo 3DS in order to gain early code execution. The attack utilizes the block shuffling vulnerability of the ECB cipher mode to rearrange keys in the Nintendo 3DS's encrypted keystore. Because the shuffled keys will deterministically decrypt the encrypted firmware binary to incorrect plaintext data and execute it, and because the device's memory contents are kept between hard reboots, it is possible to reliably reach a branching instruction to a payload in memory. This payload, due to its execution by a privileged processor and its early execution, is able to extract the hash of hardware secrets necessary to decrypt the device's encrypted keystore and set up a persistent exploit of the system.
      • ARM9Loader Technical Details - GBAtemp
      • Throwback: K9Lhax by Bruteforce
      • soundhax
        • A heap overflow in tag processing leads to code execution when a specially-crafted m4a file is loaded by Nintendo 3DS Sound. This bug is particularly good, because as far as I can tell it is the first ever homebrew exploit that is free, offline, and works on every version of the firmware for which the sound app is available.
    • Emulator
  • Nintendo Entertainment System
  • Nintendo Super Nintendo
  • Nintendo64
    • Articles/Writeups
    • Tools
      • libdragon
        • libdragon is meant to be a one stop library providing low level API for all hardware features of the N64.
      • 64Drive
      • FAT64
        • FAT64 is a FAT32 library for use on the 64drive, a development cart for the Nintendo 64. It is used by the 64drive bootloader and menu.
  • Nintendo Gamecube
  • Nintendo Wii
    • Dolphin
      • Dolphin is a GameCube / Wii emulator, allowing you to play games for these two platforms on PC with improvements.
    • wiihacks forum
    • WiiHacks
    • The Homebrew Channel
      • The Homebrew Channel - open source edition
    • WiiUse
      • Wiiuse is a library written in C that connects with several Nintendo Wii remotes. Supports motion sensing, IR tracking, nunchuk, classic controller, Balance Board, and the Guitar Hero 3 controller. Single threaded and nonblocking makes a light weight and clean API.
  • Nintendo Switch
    • yuzu
      • yuzu is an experimental open-source emulator for the Nintendo Switch from the creators of Citra. It is written in C++ with portability in mind, with builds actively maintained for Windows, Linux and macOS. The emulator is currently only useful for homebrew development and research purposes.
    • Nintendo_Switch_Reverse_Engineering - dekuNukem
      • A look at inner workings of Joycon and Nintendo Switch


PC Games

  • 101

  • Educational

  • Writeups

    • Cheat Prevention Software
      • Valve Anti-Cheat Untrusted Bans (VAC) CSGO
      • How ESEA detects cheat software in its online gaming league - Let's get physical!
        • Before we dig in, this post should not be construed as an attack on ESEA, anti-cheat software, or fair gaming in general. It is simply an analysis thereof, detailing what the ESEA driver does on your machine. Although analysis will make attack vectors clear and obvious, no code or detailed explanation of how to leverage these points will be given.
      • Inside Blizzard:
        • This paper intends to describe a variety of the problems Blizzard Entertainment has encountered from a practical standpoint through their implementation of the large-scale online game matchmaking and chat service, The paper provides some background historical information into the design and purpose of and continues on to discuss a variety of flaws that have been observed in the implementation of the system. Readers should come away with a better understanding of problems that can be easily introduced in designing a matchmaking/chat system to operate on such a large scale in addition to some of the serious security-related consequences of not performing proper parameter validation of untrusted clients.
      • An Objective Analysis of the Lockdown Protection System for
        • Near the end of 2006, Blizzard deployed the first major update to the version check and client software authentication system used to verify the authenticity of clients connecting to using the binary game client protocol. This system had been in use since just after the release of the original Diablo game and the public launch of The new authentication module (Lockdown) introduced a variety of mechanisms designed to raise the bar with respect to spoofing a game client when logging on to In addition, the new authentication module also introduced run-time integrity checks of client binaries in memory. This is meant to provide simple detection of many client modifications (often labeled "hacks") that patch game code in-memory in order to modify game behavior. The Lockdown authentication module also introduced some anti-debugging techniques that are designed to make it more difficult to reverse engineer the module. In addition, several checks that are designed to make it difficult to simply load and run the Blizzard Lockdown module from the context of an unauthorized, non-Blizzard-game process. After all, if an attacker can simply load and run the Lockdown module in his or her own process, it becomes trivially easy to spoof the game client logon process, or to allow a modified game client to log on to successfully. However, like any protection mechanism, the new Lockdown module is not without its flaws, some of which are discussed in detail in this paper.
    • Emulators
    • Breaking The Game
    • Reverse Engineering
      • +1,000,000 -0: Cloning a Game Using Game Hacking and Terabytes of Data
        • In this talk, I'll provide a window into the warchest my team used to generate over a million lines of code. In particular, we created and used game hacks to process data from tens of millions of hours of in-game data and use the results to generate copies of a game's map, monsters, quests, items, spells, non-playable characters, and more. We also used a wiki crawler to obtain a large amount of data, generate additional code, and guide our cheat scripts in what to look for, clarify, and ignore. After explaining our end-game vision, I'll dive deep into the architecture of the game client, server and protocol. Once that's out of the way, I'll talk about the different types of hacks we used, how they work, and what data they were able to obtain. Once that's out of the way, I'll round out the story by explaining exactly what type of data we gathered and what parts of our toolkit we used to gather it.
    • Miscellaneous
  • Tools

    • CSGOSimple
      • A simple base for internal Counter-Strike: Global Offensive cheats.
    • PubgPrivXcode85
      • Simple chams wallhack for PlayerUnknown's Battlegrounds using a D3D11DrawIndexed hook
  • TruePlay - msdn

  • Game Trainers

    • ugtrain
      • Universal Elite Game Trainer for CLI (Linux game trainer)
  • BattlEye

    • FuckBattlEye
      • Bypassing kernelmode anticheats via handle inheritance (across sections)
    • NoEye
      • A usermode BE Rootkit Bypass

Game Programming Papers

  • The TRIBES Engine Networking Model or How to Make the Internet Rock for Multi-player Games
    • This paper discusses the networking model developed to support a "real-time" multi-player gaming environment. This model is being developed for TRIBES II, and was first implemented in Starsiege TRIBES, a multi-player online team game published in December '98. The three major features of this model are: support for multiple data delivery requirements, partial object state updates and a packet delivery notification protocol.