How To Call Game Functions C++ x64dbg Hacking Tutorial


Welcome to another installment of Guided Hacking's renowned video tutorials! In this tutorial you will learn how to call game functions and how to reverse engineer function prototypes using x64dbg. Once you know how to do this, calling any game function you want becomes very easy; it only takes a few minutes.

In this episode we'll be covering calling a game's function from our game hack. This lesson is split into two parts; part one gives a very basic introduction to the topic through a test console application we write ourselves. We will reverse engineer the function prototypes using the x64dbg disassembler and write an internal DLL hack that calls the functions by address when a key is pressed, loading it into the process with a DLL injector.


What is going on guys, it's Tracks here with a little video tutorial on calling functions in games. Alright, this is the basic process: you find the function with Cheat Engine and/or a debugger (you use either or), you figure out the parameters, the return type and the calling convention. You could also use IDA for some of this; IDA is an amazing tool. Then you just write your hack, you call the functions, and profit. Alright, it's really not that hard.

I'm gonna break this down into two parts, okay; there will be a second video, I think, probably. In part one we're not really gonna touch a game. I have a little demo to show you, a work in progress, but we're not gonna touch a game in this video. I'm gonna make a console application; I actually have the code for it right back here, you can see it, and we're gonna call some of the functions in that. We're gonna call these two functions. It's gonna be real easy; I'm gonna keep it really simple and stupid. Then in part two we're gonna pull up AssaultCube and we're gonna actually use this little thingamajig right here, and it's gonna be good.

But before we get into the tutorial, a little demo. Bada bing, bada boom, see, I got this little internal menu in here. I don't use OpenGL or DirectX, I'm just using some of the game's rendering functions, some of the really high level rendering functions, so it's good stuff. It makes it really easy to make wrappers around that and then make a little framework to build a menu and a whole hack around, so it's good stuff. When you enable, load and unload the hack there are calls to the chat function, the print chat function. That could help you with debugging, that could help you with, I don't know, informing your end user the hack was enabled or disabled, whatever, you get what I mean. And you know, you could also unload the module, and we fucked the fuck off and we're closing the game and getting to the tutorial, which is what you guys came here for. Oh right, that was weird, whatever.

Anyways, we're gonna run this without the debugger because I don't want Visual Studio getting in the way. Maybe, fucking, do what I say, not what I do. Alright, you can see it does that. We're gonna pull up our debugger here; I use x64dbg, this is the 32-bit version because we're keeping it simple with a 32-bit project. Now, the reason I chose to use the console application is because this step is gonna be very easy: I could just type "func" and we'll see our two functions right here. In part two I'll show you how to find the function with Cheat Engine, maybe with the debugger, I don't know, maybe I need it, maybe I don't, we'll see what happens.

Alright, but for right now let's work on function A. Let's put a breakpoint on it, let's go back into the program, hit 1 on the numpad, and scoot up a little bit. Oh shit, seems like my first video's in source, I don't even know where the fuck I should place myself for this. Sound good? Well whatever, we're just gonna roll with it. We're gonna hit Ctrl+F9, F8, step out. Alright, you'll see here there's a jump that, if we hit enter, we'll follow, and it jumps right over the call that we just got out of, and another push, call, which I'm assuming is to our second... yeah, funcB right there, which is our second function. So there's no push, there's no push onto the stack, and again we know this because we wrote the source, but I'm just speaking in place of the ignorant, you know, like if we were just analyzing this for the first time and it was closed source. We could tell easily there's nothing being pushed onto the stack; it probably doesn't have any parameters. There's no mov statement or something like this after the call, so that's evidence that there's no return type, or again, there are no parameters. Right, but on the second call we see that there's a push, and after the call we see there's an add esp, 4. This again tells us there was one parameter; when you add to ESP here, this is basically just cleaning the stack of however many bytes you pushed onto the stack, right. If we come in here you see in Visual Studio they add a bunch of bullshit, like variables that you never wrote but that it needs for the function, so they add some sort of low layer of complexity here, but whatever, we're just gonna go back into here. I said what I gotta say about functions and arguments and cleaning the stack. Again, I'm not the fucking most qualified to be teaching this shit, but I'm just explaining what I know, and hopefully by just introducing the topic to you it'll make sense, and when you see other examples of it being used it'll be more obvious to you. Either way, now again we know this is just a void function with no arguments, right, so all we need is basically the address of the function and that's it.

So let's get started. I'm gonna start up a new project in Visual Studio; sorry, this is my template, I got a template, yeah I know I'm a lazy fuck, whatever. So what are we doing? Main thread. The first thing we need is the address; we need the module base, so GetModuleHandle. But I need that to be... right, thank you. Why am I doing... no, right. If you call GetModuleHandle and pass it NULL (Jesus Christ, English and me are not getting along today, but whatever), if you pass NULL to GetModuleHandle it returns the base address of the exe that's loading this module. Alright, so basically funkyVictim.exe's base address. Alright, so the next thing we need is... I guess we could do another one of these. No, this is what we need to do: we need to typedef, basically, our function prototype. I'll just type it up: void. Perfect. push ebp, mov ebp, esp, sub, mov esp, ebp, pop ebp. Let's pull up the old Google box because here we need to figure out the calling convention and I don't know what it is. Any day now... thank you. Oh, scrap that, my neck was beautiful, any fucking day now, what about me, Jesus Christ. Okay, it's callee cleanup, caller call... __stdcall. Pointer funcA that has no parameters, and that's the prototype for our function pointer; that's basically all we're doing. And then we could instantiate it like this, funcA, and we could give this whatever name, but I like to put an underscore; some people do like an "o" for original or "t" for... I'm fucking, now you know, but anyways you can just put whatever fucking name, you know, this works. Very simple. You could set it up like this, which is kind of how I have it in my hack right now, and instead of zero you just give it an address. Well, we're not gonna do that; we're gonna do it the smarter way, we're gonna assign it dynamically, pretty much. What is "dynamically"? Module base. We're gonna hop back into the debugger and I don't fucking know if I mentioned this yet, I think I did, but this right here is our offset from the base, so we're just gonna copy that. Right, yeah, whatever, OCD. Build it. Actually we're gonna do it better, okay. Since I can't type, make sure I use a different number. Build it. What the fuck, whatever. Injector. What is this, funky... As you can see this is not my first attempt, but whatever, trying to make this shit decent, I don't know if I'm getting that. What am I doing here? Perfect, inject successful. Moment of truth: we're gonna hit 2 on the numpad. You guys ready? I'm not. Oh, success bitches! Yeah, sweet dude. Oh damn, should have closed that, probably. No, yeah, I should have actually, you know what, we're gonna fix it. Sweet guys, now we could unload our module and get back to coding.

Alright, now we need a... we're just gonna hit reload. Yes, yes, I get it. But jump, jump, jump. Alright, so funcB, let's see. We're the ignorant analyzer and we're going through this function for the first time, so we're gonna place a breakpoint on it, we're gonna go back to our program, we're gonna hit 1 on the numpad, we're going to hit Ctrl+F9, F8, and now we're here. Alright, so okay, cool, one parameter. I don't see anything with EAX, I'm gonna assume void return type. Alright, perfect. What's this parameter though? Just look at the stack. Alright, it looks like a string, cool, sounds good to me. Oh, another thing: if you notice, the address of this string is not on the stack. Now, that's not what I wanted to do; I believe this is what they call the heap, so this is where I guess the constant strings would go. What I wanted to do, I wanted to go search for current module string references, and yeah, so these are like the constant strings, just a little side note. But if it was a smaller address, like one of these, 006FFC40, if it was on the stack that would usually mean it was a variable in the calling routine, I mean, it's a variable in this routine that's being passed into this function, usually as a reference. Alright, so yeah, let's get back to whatever we were doing. Okay, yeah, whatever the fuck I just did, Jesus Christ. Just put it here: typedef void... wait a tick, add esp, that's not callee, that's caller: __cdecl. I wonder if this will also work; probably will, because it's void and no parameters so there's nothing to clean up per se. Alright, so we knew it was a string from looking at this thing right here; it's passing in the string. We'll go back in, funcB, and we're gonna do the same thing. That chop... it's gonna be funcB, this is gonna be a different one: 12540. Cool, cool. So... smack, right. My fault, my fault, I didn't get smacked right. You're right, let's do three. Bing, because I can't think of anything else. Build it. Inject. I have a breakpoint set or something, let's take that off. Oh, it's not working, huh, huh. I do need it. When I... what the fuck. I did build it. Back, okay, okay, just making sure. What the fuck just happened here? Alright, I'll close my debugger, and Extreme Injector just took a shit, massive shit, what the fuck. Cool, let's try it again. Alright, so function B isn't working, and the only reason why that could be could be for a couple reasons. One two three four zero... see, that's exactly why. Wouldn't be a Guided Hacking tutorial without a few fuck-ups, right? Oh you bitch. Bam bam bam bam, what you tell... success. See, that's normal behavior, fucking hacky shit. And that's about it, that's tutorial one of calling game functions along with my dumb ass. Hope you enjoyed it, hope you learned something, and stay tuned for tutorial two. Peace.
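The procedure the video walks through (take the module base from GetModuleHandle(NULL), add the offset read off x64dbg, cast the result to a function pointer typedef whose calling convention matches the disassembly, call it) is shown below as an added example. It is not the video's code or Guided Hacking's; funcA and funcB are stand-ins for the two funkyVictim functions defined in the same file so the example runs by itself, the CC_STDCALL/CC_CDECL macros compile the Windows keywords out on other platforms, and the offsets are computed from the stand-ins instead of being copied from the debugger. Everything else is the same base + offset arithmetic and cast the video performs.

```cpp
// Added example (not code from the video or from Guided Hacking): resolve a
// function as module base + offset and call it through a function-pointer
// typedef whose calling convention matches what the disassembly showed.
#include <cstdint>
#include <cstdio>
#include <string>

// The video's project is 32-bit Windows; __stdcall/__cdecl only exist there,
// so they are compiled out elsewhere (portability assumption for this demo).
#ifdef _WIN32
#include <windows.h>
#define CC_STDCALL __stdcall
#define CC_CDECL   __cdecl
#else
#define CC_STDCALL
#define CC_CDECL
#endif

// Stand-ins for the two funkyVictim functions (assumption: in the video they
// live in the target process and are only known by address).
static int         g_funcA_calls = 0;
static std::string g_funcB_last;

// No push before the call and no "add esp" after it: no parameters, nothing
// to clean up, so stdcall and cdecl behave the same; the video used __stdcall.
void CC_STDCALL funcA() { ++g_funcA_calls; }

// One push before the call and "add esp, 4" after it: one 4-byte argument and
// the caller cleans the stack, so __cdecl. The pushed value pointed into the
// module's constant strings, so the parameter is a const char*.
void CC_CDECL funcB(const char* msg) { g_funcB_last = msg; }

// Function-pointer prototypes reverse engineered from the disassembly.
typedef void(CC_STDCALL* FuncA_t)();
typedef void(CC_CDECL*   FuncB_t)(const char*);

// Module base: GetModuleHandle(NULL) returns the base of the exe that loaded
// our DLL. Off Windows there is no such API, so the address of this function
// stands in (assumption; only the base + offset arithmetic is being shown).
uintptr_t moduleBase() {
#ifdef _WIN32
    return reinterpret_cast<uintptr_t>(GetModuleHandleA(nullptr));
#else
    return reinterpret_cast<uintptr_t>(&moduleBase);
#endif
}

// Offset relative to the module base, as x64dbg displays it. In a real target
// this is a constant copied from the debugger; here it is computed from the
// stand-in so the example is correct wherever the image happens to be loaded.
template <typename Fn>
uintptr_t offsetOf(Fn fn) {
    return reinterpret_cast<uintptr_t>(fn) - moduleBase();
}

// Rebuild the absolute address from base + offset and cast to the prototype.
template <typename Fn>
Fn resolve(uintptr_t offset) {
    return reinterpret_cast<Fn>(moduleBase() + offset);
}

// Calls both functions through resolved pointers and returns how many times
// funcA has been reached, so the call path can be checked rather than printed.
int callVictimFunctions(const char* text) {
    uintptr_t offA = offsetOf(&funcA);
    uintptr_t offB = offsetOf(&funcB);
    FuncA_t _funcA = resolve<FuncA_t>(offA);   // leading underscore, as in the video
    FuncB_t _funcB = resolve<FuncB_t>(offB);
    _funcA();
    _funcB(text);
    return g_funcA_calls;
}

// Last argument funcB received, for checking the string reached the callee.
std::string lastFuncBArgument() { return g_funcB_last; }

int main() {
    int n = callVictimFunctions("hello from the injected DLL");  // constructed input
    std::printf("funcA called %d time(s); funcB got \"%s\"\n", n, g_funcB_last.c_str());
    return 0;
}
```

The convention on the typedef is not cosmetic: on 32-bit x86 a __cdecl prototype on a callee that actually cleans its own stack (or the reverse) leaves ESP off by the argument size after every call, which is the kind of "it's not working" crash the video hits and is why reading the add esp / ret N after the call matters before writing the typedef.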