Reverse Engineering

Internal vs External Game Hacks

If you’re a beginner to reverse engineering, game hacking can be a fun way to learn it. (but please use them only for learning, don’t ruin a gamer’s life ūüėõ)

The terms used can be somewhat confusing, so I decided to write a post to make it clear to you.

Table of Contents

What are Internal Hacks

Internal hacks are basically ones that reside in the same virtual address space of the game’s process.

The most common case is when you inject your hack DLL into the game, your DLL will be able to¬†directly access the game’s memory because it is in the same virtual address space.

This makes hacking easier and less messy than external since you can directly change the contents of the game’s memory and directly call the in-game functions.

What are External Hacks

External hacks are ones that don’t reside in the virtual address space of the target process.

Because of this,¬†they need to take advantage of the Windows API (or Windows Drivers) for instance, with¬†WriteProcessMemory, in order to access the game’s memory.

They can also not access the game’s memory, think, for example, a packet-based hack that proxies/does man-in-the-middle between the game client and server.

Oh, and as a result of using the Windows API, external hacks have the user-mode to kernel-mode switch overhead, meaning that external hacks will always be slower than internal ones.

Which should I learn first?

If you are new to game hacking, I’d say focus on internal.

This way you’ll be able to understand things rather quickly and you’ll be able to learn external later better.

It also adds up to the fact that it’s less painful and easier to learn.

Personally, I started with external and haven’t written any external since back then…

Code example of the program we’re going to hack

This is a pretty simple program.

int hp = 1337;

int main()
    while (true) {
        printf("hp now is: %i\n", hp);

The classic example of a program that reduces the hp value whenever we press ENTER.

I disabled ASLR¬†just so the base address doesn’t change.

With Cheat Engine, I saw that the address of hp is 0x403018, time to code the hack.

Code example of an Internal Hack

Write this simple DLL:

BOOL WINAPI DllMain(HMODULE hModule, DWORD dwReason, LPVOID lpReserved)
    int* ptr = (int*)0x400000+0x3018; // 0x400000 is the base address(no ASLR so it's static)

    *ptr = 9999;
    return TRUE;

Inject it, and the value of hp will be changed to 9999.

Code example of an External Hack

If you’re going external, here’s a code example:

DWORD pid = 18844;

HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid); // We need the HANDLE of the process in order to access the memory

int hpValue = 9999;

WriteProcessMemory(hProc, (LPVOID)(0x400000 + 0x3018), &hpValue, sizeof(int), NULL);

As you can see, in external you need to get the HANDLE of the process, I hard-coded the process ID just to simplify the code. (You can see how to get the process ID by the process name here or by the window name here)

Run this (as administrator) and it also changes the hp to 9999.

When to go Internal

In my opinion, you would go internal¬†whenever you can, it’s just simpler and less tedious.

I say whenever you can because sometimes you have to deal with anti-cheats and internal can be detected.

I do recommend you to use GuidedHacking’s Injector in Manual Map since this will make your DLL undetected most of the time, if you get detected using that then the anti-cheat might be detecting the API calls you‚Äôre using rather than the injection itself.

Other than that, there’s absolutely no reason not to go for internal, it makes the code cleaner, faster and even fastens the implementation.

When to go External

When you can’t go internal or you’re coding a DLL Injector.

Now, if you’re using Windows API, for instance, OpenProcess¬†to get a handle of the process, you’ll probably get detected by the anti-cheat, regardless of it having or not a Windows Driver since there are ways of detecting it both in user-mode and kernel-mode.

Some closing thoughts

You can’t go internal without having an external injecting you into the memory space of the process.

What most people do to stay undetected (when you get caught in internal or external using Windows API), is:

  • Coding a driver that implements a Read and Write to memory. (Zer0Mem0ry has a really good video on this, for CS:GO)
  • Using a vulnerable driver that lets you do arbitrary memory reads and/or writes. (This project uses this to¬†change a handle’s rights)

Both of these can be detected though.

That’s it!

If you have any questions, don’t hesitate to drop them at GuidedHacking.

2 thoughts on “Internal vs External Game Hacks

  1. I prefer external.
    It makes game safe from crash.
    Also if you can’t make your dedicated thread for cheat, internal is slower than external.
    Because people usually hook D3D11Present which is called at best 1000 per sec.

    Liked by 1 person

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s