
Author Topic: Game Cheat Memory Hack Question  (Read 6321 times)


DaveLembke

Game Cheat Memory Hack Question
« on: September 05, 2012, 08:56:14 AM »
I have been using game cheats for years, most of which were Easter-egged in there intentionally by the programmer, such as 'showmethemoney' in StarCraft, or cheats implemented by saving the game state to an alternate location and always writing good changes to a single save file to boost gear etc. (Diablo 1 & 2 single-player, for example). I also had the Game Genie for the NES way back.

But recently I found a 'memory hack' to cheat a game, and I am curious as to how a variable can be changed in RAM on the fly. I might be wrong, but it was my understanding that RAM was random in where data was stored, so how can you know that forcing data to change in memory is going to specifically target the single variable in a game vs. hit sensitive operating system values in RAM that could crash the system? Do variables have a fingerprint in memory so they can be found, to target and force the binary change in RAM, or how are they doing this forced change?

A Google search didn't come up with anything other than pages and pages of cheat sites, so I figured I'd post it here. I'm not looking into making a hack for a game, just trying to understand how it all works, out of curiosity.

Salmon Trout

Re: Game Cheat Memory Hack Question
« Reply #1 on: September 05, 2012, 11:18:09 AM »
Memory access can be sequential (where you cannot access memory location 10 without passing 1, 2, 3, 4, 5, 6, 7 and 8); a tape is like that: later memory locations take longer to get to. Or it can be random, where you could access (say) location 5 straight away. The word 'random' just means that you could access any memory location chosen at random in the same amount of time. A scroll is an example of sequential access: if you are at the beginning you have to unroll it to see the parts further on, and if you then want to go back to the start you have to roll it back up again, whereas a book is an example of random access (you can flip it open at any page).

Data stored in RAM (Random Access Memory) is not stored at randomly chosen locations. A program (or rather, the programmer) knows exactly where all its data is stored, including all the variables. If you happen to know which location you want to change, you can just target that one value.

DaveLembke

Re: Game Cheat Memory Hack Question
« Reply #2 on: September 05, 2012, 01:25:58 PM »
Thank you, Salmon, for answering with good information on this, but I still have a question.

Quote
Data stored in RAM (Random Access Memory) is not stored at randomly chosen locations. A program (or rather, the programmer) knows exactly where all its data is stored, including all the variables. If you happen to know which location you want to change, you can just target that one value.

The question I have with this is: if you have two instances of the same program running, the address in RAM where the variable is stored will be different in the two instances. And on a multitasking system, depending on what loads first and second, as well as the amount of RAM one user has (say 1GB vs. another user with 4GB), the variable tied to the game will likely be located in different locations in memory. So there must be a fingerprint, so to speak, to search for before altering the value, right? If so, how do they find this fingerprint to know where the data is located in a multitasking environment?  :-\

Salmon Trout

Re: Game Cheat Memory Hack Question
« Reply #3 on: September 05, 2012, 01:59:11 PM »
If there are two instances of a program, each will have its own private data memory. When a program is run, the operating system gives it a unique program ID and also reserves memory for it. The program neither knows nor cares what the actual memory addresses are. The OS will allocate the program blocks of memory, and the program code will know the start address of each block and keep track of the contents. Cheat engines for a particular game work because the engine author knows the game program inside out and knows how to query the OS to find out the block locations, and once that is known can calculate where the various data values are located.

BC_Programmer


Re: Game Cheat Memory Hack Question
« Reply #4 on: September 05, 2012, 04:22:06 PM »
All processes have their memory separated. As far as each process is concerned, it is the only thing even in memory. They allocate memory and are given pointers into their own virtual address space, which maps to either RAM itself or the pagefile. Most games either store their information in the same places in virtual memory or have some other sort of distinctive way of finding where things are in memory externally, and cheat programs simply open the process and read and write to the game program's address space.

I guess one way to show what Salmon and I are describing is with a small example. Let's pretend we have a small little text adventure. The text adventure stores your inventory. Let's try to keep things as simple as possible here, though that might be tricky. Usually, an inventory item would have quite a bit of information. Let's stick to a simple example: each item has an item ID and a "damage" value, which might work with armor or something. These might be 32-bit integers, so each item is 8 bytes of memory. Usually such an inventory listing will probably be used in several places: as a list in each "room" to show the contents of the room, as a list for each player to show their inventory, and as a list on each enemy as well, to determine what they will drop.

If the program is written in C, C++, or another compiled language, usually the order that things are initialized will determine where in virtual memory the variables are actually stored. If we go with the simple case that the Player structure is initialized first, that means that the Player structure will always start at a given virtual memory address in the game process. A game cheat program can easily take advantage of this: if it knows the structure, it can wander through the memory itself and see things; for example, the Player structure would likely contain a pointer to an array of INVITEMs for the inventory. The cheat program can use the process memory functions to read from the Player structure location (which will be fixed for each compile, most likely); then it can find the pointer to the array, which will be a pointer within the virtual memory address space; it can then continue and read that data and parse and interpret it as needed, if desired even changing, say, item IDs within the process memory on the spot to change items.
I was trying to dereference Null Pointers before it was cool.
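The structure walk BC_Programmer describes, as an added example that is not part of the original thread and not anyone's posted code. It also goes one step beyond the posts to answer DaveLembke's "fingerprint" question with the other common technique: scanning the address space for a variable's current value and narrowing the candidates after the value changes in-game. Everything here is constructed: the game's address space is a flat byte array inside the same program, PLAYER_ADDR, INV_ADDR and ENEMY_ADDR are hypothetical fixed addresses for "this build" of the game, and read_mem/write_mem stand in for the real process-memory calls (ReadProcessMemory/WriteProcessMemory on Windows, process_vm_readv/process_vm_writev on Linux), which a real external tool would call against another process after enumerating its readable regions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the game's virtual address space: a flat byte
 * array. "Addresses" below are offsets into it. In a real external cheat this
 * would be another process and read_mem/write_mem would be
 * ReadProcessMemory/WriteProcessMemory (Windows) or process_vm_readv/
 * process_vm_writev (Linux). */
#define GAME_MEM_SIZE 4096u
static uint8_t game_mem[GAME_MEM_SIZE];

typedef struct { int32_t item_id; int32_t damage; } INVITEM;   /* 8 bytes */

typedef struct {
    int32_t  hp;
    int32_t  gold;
    uint32_t inv_addr;   /* game-side "pointer" to the INVITEM array */
    int32_t  inv_count;
} Player;                /* 16 bytes, no padding */

/* Hypothetical fixed addresses: where this build "always" lays out the player
 * struct, its inventory, and an enemy (the fixed-location case from the post). */
#define PLAYER_ADDR 0x100u
#define INV_ADDR    0x400u
#define ENEMY_ADDR  0x800u

static int in_bounds(uint32_t addr, size_t len) {
    return addr <= GAME_MEM_SIZE && len <= GAME_MEM_SIZE - addr;
}
static int read_mem(uint32_t addr, void *out, size_t len) {
    if (!in_bounds(addr, len)) return 0;
    memcpy(out, game_mem + addr, len);
    return 1;
}
static int write_mem(uint32_t addr, const void *in, size_t len) {
    if (!in_bounds(addr, len)) return 0;
    memcpy(game_mem + addr, in, len);
    return 1;
}

/* ---- game side: what the game itself does at startup and while playing ---- */
void game_init(void) {
    Player  p = { 100, 250, INV_ADDR, 3 };
    INVITEM inv[3] = { {1, 0}, {2, 5}, {3, 12} };
    int32_t enemy_hp = 250;              /* decoy: same value as the gold */
    memset(game_mem, 0, sizeof game_mem);
    memcpy(game_mem + PLAYER_ADDR, &p, sizeof p);
    memcpy(game_mem + INV_ADDR, inv, sizeof inv);
    memcpy(game_mem + ENEMY_ADDR, &enemy_hp, sizeof enemy_hp);
}
int32_t game_gold(void) {
    int32_t g = 0; read_mem(PLAYER_ADDR + offsetof(Player, gold), &g, sizeof g); return g;
}
void game_set_gold(int32_t g) { write_mem(PLAYER_ADDR + offsetof(Player, gold), &g, sizeof g); }
int32_t game_item_id(int idx) {
    int32_t id = 0; read_mem(INV_ADDR + (uint32_t)idx * sizeof(INVITEM), &id, sizeof id); return id;
}

/* ---- cheat side, technique 1: walk the known structure ----
 * Read the Player at its fixed address, follow inv_addr like a pointer into the
 * game's address space, and overwrite one item's id. Returns 1 on success. */
int cheat_set_item_id(int idx, int32_t new_id) {
    Player p;
    if (!read_mem(PLAYER_ADDR, &p, sizeof p)) return 0;
    if (idx < 0 || idx >= p.inv_count) return 0;           /* stay inside the array */
    uint32_t item = p.inv_addr + (uint32_t)idx * sizeof(INVITEM);
    return write_mem(item + offsetof(INVITEM, item_id), &new_id, sizeof new_id);
}

/* ---- cheat side, technique 2: find a variable by its value ----
 * Scan every aligned int32 for `value` (the number shown on the HUD) and record
 * up to `max` candidate addresses. Returns how many were recorded. */
size_t cheat_scan_int32(int32_t value, uint32_t *addrs, size_t max) {
    size_t hits = 0;
    for (uint32_t a = 0; a + sizeof(int32_t) <= GAME_MEM_SIZE; a += sizeof(int32_t)) {
        int32_t v;
        if (read_mem(a, &v, sizeof v) && v == value && hits < max) addrs[hits++] = a;
    }
    return hits;
}
/* After the player changes the value in-game (earns or spends gold), keep only
 * the candidates that now hold the new value. Returns the number of survivors. */
size_t cheat_rescan(uint32_t *addrs, size_t n, int32_t new_value) {
    size_t kept = 0;
    for (size_t i = 0; i < n; i++) {
        int32_t v;
        if (read_mem(addrs[i], &v, sizeof v) && v == new_value) addrs[kept++] = addrs[i];
    }
    return kept;
}

int main(void) {
    uint32_t cand[64];
    game_init();
    cheat_set_item_id(0, 42);                         /* technique 1 */
    printf("item 0 id after cheat: %d\n", game_item_id(0));
    size_t n = cheat_scan_int32(250, cand, 64);       /* technique 2: HUD shows 250 gold */
    printf("first scan: %zu candidates\n", n);        /* gold and the enemy hp decoy */
    game_set_gold(275);                               /* player picks up 25 gold */
    n = cheat_rescan(cand, n, 275);
    printf("after rescan: %zu candidate\n", n);       /* only the real gold survives */
    if (n == 1) { int32_t rich = 9999; write_mem(cand[0], &rich, sizeof rich); }
    printf("gold now: %d\n", game_gold());
    return 0;
}
```

The decoy enemy hp is why a single scan is not enough: several variables can hold the same value at once, so the cheat keeps a candidate list and filters it each time the target value changes, until one address is left. The bounds checks in read_mem/write_mem are the toy version of why the operating system's separate address spaces matter: the cheat can only ever touch the game's memory, never another process's or the kernel's.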

DaveLembke

Re: Game Cheat Memory Hack Question
« Reply #5 on: September 06, 2012, 05:58:40 AM »
Thank you both for explaining with detailed information.

Quote
Cheat engines for a particular game work because the engine author knows the game program inside out and knows how to query the OS to find out the block locations, and once that is known can calculate where the various data values are located.


lit the light above my head, and BC's content brightened it  ;D

Now I know how it's done. MANY THANKS!!!  8)