With the new development direction everything is rolling again. There is now a stack value hacked in the FOSS game endless-sky. Even C++ strings can be watched in that game, showing the names of your own space ships. Pointer following works much better and is much safer now thanks to heap pointer checks: the heap region limits are determined in every cycle, so a pointer is only followed when it points into the current heap. Dynamic memory discovery became much simpler. Finding pointers and vectors in dumped memory objects also became simpler with the tool ugptrfind; e.g. it found the stored_torpedos vector in the Submarine object of the game dangerdeep. Even static memory in a library (statmem PIC) can be hacked now, although there is no example for this yet. Finally, there is an example of hacking a GNOME game that uses GLib memory allocations: gnome-mines.
The whole static/dynamic memory cheating documentation has been reworked to GitHub Markdown.
With Valgrind memory leak detection it was possible to improve testing and code quality. All memory is freed at the end now, and stack and heap allocations are no longer mixed. The options have finally been converted to C++ in order to use C++ strings more frequently and let C++ do the memory management.
I've pushed away the fact that ugtrain is a homebrew FOSS collaboration fail for way too long. People expect it to have a GUI, many more demo videos, and much better usability, but I don't have the development resources or a need for that. If you want it, then contribute it!
So I'll treat this project as my personal game cheating research project now to push forward my own needs.
Ugtrain comes with new example configs. This is the current list:
Complete 32/64 bit with adaption:
64 bit without adaption:
32 bit Raspberry Pi:
The problem with new users of ugtrain is that everybody wants to abuse ugtrain against commercial multiplayer games first. The tool is not made for that, and memory cheating is not really the right approach there anyway, as most of the relevant state is kept on the servers. Ugtrain is made for single-player games which allow cheating (usually FOSS games).
Ugtrain is especially abused against Steam. But Steam is spyware, as it sends out delicate debug data without the permission of the user. This is why ugtrain now blocks Steam and all remote network connections.
The PIC handling for dynamic memory cheating is now complete. Dynamic memory allocations made from within a library can be discovered and hacked now, no matter whether the library is loaded early (visible with "ldd") or late at runtime via dlopen(). The only missing part so far is the adaption.
To demonstrate that, the game "Battle Tanks" (btanks) is used. The money value is stored in an object allocated by libbtanks_engine.so, which is loaded early. But the most interesting objects are allocated by libbt_objects.so, which is loaded late. The health is stored in the objects "Launcher", "Shilka" or "Tank", and the player ID check ensures that only your own vehicle becomes indestructible. All ammo is also handled in objects allocated by libbt_objects.so.
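Two mechanisms from these entries, the heap region limits used for pointer following (the endless-sky entry above) and the library-relative code addresses used for PIC handling (btanks here), both come down to reading /proc/<pid>/maps of the target. The following C program is an added example and not ugtrain's own code: it parses two constructed 64-bit maps snapshots, one before and one after the game's dlopen() of libbt_objects.so, checks a candidate heap pointer against the current [heap] limits, and converts an absolute code address (such as a malloc() call site seen in a backtrace) into an offset relative to a library's base and back. The maps text, addresses, inode numbers and library paths are made up for the example; the base-address lookup assumes that a library's first (lowest) mapping is its load base, which holds for the usual shared object whose first PT_LOAD segment has p_vaddr 0.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Returned when a library is not in the maps (not yet dlopen()ed, or misspelt). */
#define NOT_MAPPED ((uintptr_t)-1)

/* One /proc/<pid>/maps line: "start-end perms offset dev inode [path]". */
struct region { uintptr_t start, end; char path[256]; };

/* Anonymous mappings have no path column, so the path stays empty when
 * sscanf assigns only the two addresses. */
static bool parse_maps_line(const char *line, struct region *r)
{
    unsigned long s, e;
    r->path[0] = '\0';
    if (sscanf(line, "%lx-%lx %*s %*s %*s %*s %255s", &s, &e, r->path) < 2)
        return false;
    r->start = (uintptr_t)s;
    r->end = (uintptr_t)e;
    return true;
}

/* First (lowest) mapping whose path ends with `suffix`, e.g. "[heap]" or
 * "libbt_objects.so". For a shared object that is the load base the PIC
 * offsets are relative to (assumption: first PT_LOAD has p_vaddr 0). */
static bool find_region(const char *maps, const char *suffix, struct region *out)
{
    size_t slen = strlen(suffix);
    const char *p = maps;
    while (*p) {
        size_t linelen = strcspn(p, "\n"), len = linelen < 511 ? linelen : 511;
        char line[512];
        memcpy(line, p, len);
        line[len] = '\0';
        struct region r;
        if (parse_maps_line(line, &r) && strlen(r.path) >= slen &&
            strcmp(r.path + strlen(r.path) - slen, suffix) == 0) {
            *out = r;
            return true;
        }
        p += linelen + (p[linelen] == '\n');
    }
    return false;
}

/* Heap pointer check before following a pointer read from the target: the
 * whole object must lie inside the current [heap] mapping. The limits are
 * looked up on every call because the heap grows with brk(). */
static bool heap_ptr_ok(const char *maps, uintptr_t ptr, size_t obj_size)
{
    struct region heap;
    if (!find_region(maps, "[heap]", &heap))
        return false;
    return ptr >= heap.start && ptr < heap.end && obj_size <= heap.end - ptr;
}

/* Absolute code address to library-relative offset (what a PIC config stores). */
static uintptr_t abs_to_lib_offset(const char *maps, const char *lib, uintptr_t addr)
{
    struct region base;
    if (!find_region(maps, lib, &base) || addr < base.start)
        return NOT_MAPPED;
    return addr - base.start;
}

/* Reverse direction at runtime: library base + stored offset. */
static uintptr_t lib_offset_to_abs(const char *maps, const char *lib, uintptr_t off)
{
    struct region base;
    return find_region(maps, lib, &base) ? base.start + off : NOT_MAPPED;
}

/* Constructed snapshots (not from a real btanks run): before the game's
 * dlopen() libbt_objects.so is absent; afterwards it is mapped and the heap
 * has grown from 0x1256000 to 0x1280000. */
static const char MAPS_EARLY[] =
    "00400000-00401000 r-xp 00000000 08:01 1234 /usr/games/btanks\n"
    "01234000-01256000 rw-p 00000000 00:00 0 [heap]\n"
    "7f0000000000-7f0000080000 r-xp 00000000 08:01 5678 /usr/lib/btanks/libbtanks_engine.so\n"
    "7f0000080000-7f000008a000 rw-p 0007f000 08:01 5678 /usr/lib/btanks/libbtanks_engine.so\n";

static const char MAPS_LATE[] =
    "00400000-00401000 r-xp 00000000 08:01 1234 /usr/games/btanks\n"
    "01234000-01280000 rw-p 00000000 00:00 0 [heap]\n"
    "7f0000000000-7f0000080000 r-xp 00000000 08:01 5678 /usr/lib/btanks/libbtanks_engine.so\n"
    "7f0000080000-7f000008a000 rw-p 0007f000 08:01 5678 /usr/lib/btanks/libbtanks_engine.so\n"
    "7f0000100000-7f0000140000 r-xp 00000000 08:01 9012 /usr/lib/btanks/libbt_objects.so\n"
    "7f0000140000-7f0000148000 rw-p 0003f000 08:01 9012 /usr/lib/btanks/libbt_objects.so\n"
    "7ffff7a00000-7ffff7a21000 rw-p 00000000 00:00 0\n";

int main(void)
{
    uintptr_t code = 0x7f0000112340;  /* made-up malloc() call site in libbt_objects.so */
    printf("heap ptr 0x1260000 ok? early=%d late=%d\n",
           heap_ptr_ok(MAPS_EARLY, 0x1260000, 64), heap_ptr_ok(MAPS_LATE, 0x1260000, 64));
    printf("libbt_objects.so offset: early=0x%lx late=0x%lx\n",
           (unsigned long)abs_to_lib_offset(MAPS_EARLY, "libbt_objects.so", code),
           (unsigned long)abs_to_lib_offset(MAPS_LATE, "libbt_objects.so", code));
    return 0;
}
```

On a live target the snapshots are replaced by reading /proc/<pid>/maps again in every cycle, which is exactly why the late-loaded library only resolves after the game has called dlopen(). One caveat for the heap check: glibc serves allocations above its mmap threshold from anonymous mappings outside [heap], so a trainer that accepts only [heap] pointers will reject pointers to such large objects even though they are valid.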
Ugtrain comes with MeeGo 1.2 Harmattan (mobile game cheating) support now. This platform is based on the 32-bit ARM CPU architecture and Debian 6 Squeeze. The smartphones Nokia N9 and N900 are known for it. We test on a Nokia N9. Console applications for it are built on a Debian PC in the scratchbox environment. Debian packaging is mandatory, as the security options for the Aegis security module need to be configured.
First person shooters are really ideal for game trainers. There is always a weapons/ammo array, and values are often stored just as they are displayed. Invulnerability and unlimited ammo are all it takes.
But I was shocked that it also works in multi-player with the client. But there invulnerability doesn't work, as health is sent with damage in the same network packet. I noticed others being invulnerable. Seems like they patched the game to ignore this message from the server. A multi-player model made of trust is not a good idea!
The scanmem maintainer Wang Lu accepted the patch set for ASLR/PIC/PIE support.
This really simplifies the discovery process of static memory values with PIE.
The documentation for this in ugtrain follows.
As BerliOS closes for FOSS projects, ugtrain has moved to SourceForge.