Exploiting games, guide to how you set about doing it.


How to exploit games (as in cheating).

It has become rather popular to exploit games in recent times, be it as an activity in and of itself, as a way to achieve faster times or better challenge results, or as a requirement when properly reviewing games. While there are guides to various aspects, and endless lists for more specific games, a more complete generalist approach is harder to come by. This will hopefully at least be the outline of such a thing and allow you to go a bit further than you might have otherwise. A broader audience is aimed for here, so programming and code related talk will be kept minimal and generally optional, for this article anyway; all bets are off for any follow up ones. If nothing else, an awful lot of this can be done by those not steeped in arcane hacking and programming knowledge (though that can certainly help if you have it and affords more options) and instead by those that just like to push the limits of normal play. Indeed it is generally suspected that most exploits and glitches are found via play, or a more systematic approach to exploit finding within play, rather than by those with disassemblers contemplating minutiae in code.

There are many techniques available to the would-be exploiter. This will focus less on console commands and simple mods made with developer tools that allow you to do whatever you like within a game (sometimes including programming whole new functionality), though such things might be a means to test something if gathering resources for an attempt would otherwise take considerable time, and if you are just after silliness then they might also allow for that.

A warning before you delve into this field. Seeing how things work, and learning to pull things apart, often sees those that learn such things do it instinctively and see through the illusion. It should also go without saying that deploying some of these in multiplayer or competitive environments might not end too well, though other times it could well become just another skill to master. The sharing of exploits in games is somewhat different to sharing exploits in code people rely on to make a living, and generally people play games for fun, so do what you will. The exceptions tend to come in games with serious online multiplayer components, and maybe in the future for games with paid-for content you just bypassed or accessed. To that end you are left on your own to ponder “responsible disclosure” and the like.

A basic understanding of hexadecimal and the terms associated with it will be useful if you plan to venture into the coding side of things, cheat making or save game editing. A basic familiarity with gameplay terms and conventions will also be assumed.
Those looking at exploiting games or systems to run homebrew code will likely find minimal content for them here.

Game tester jobs are an oft considered entry job into the game industry. True code testing is a fine skill to have, and one not even all coders will have. Game testing jobs tend to be more variable, but many of the skills here will also help in such roles, or in product testing in general, as well as in the aforementioned game reviews.


Topics to be covered, though there is overlap between many of them.


Errors in code, specifically menus and UI
Glitching through walls and scenery
Errors in game logic and economies
Memory manipulation
Save manipulation
Unexpected play


Errors in code (UI)
In theory it is easy to make a robust menu system. In reality, unless your device is going to cause someone injury when it goes wrong, most coders will opt for the simpler ways that allow them to expand options or potentially make for a more pleasant experience for the player (imagine “you did not fill in this box properly” from a web shop, but in a game you are ostensibly playing for fun). If you are into coding then the phrase you will want to look for here is “safe coding”.
Instead developers will opt for simpler “do this action” types of menu whilst hoping you as a human are too slow to do certain things. This is where custom controllers, unusual controllers (pressing left and right at once is hard on a conventional control pad; on a dance mat it is a very different affair), automatic mouse clickers that can deliver several dozen clicks in a short period, macros and more come in. The developers might also overlook certain more bizarre actions, store things in temporary locations (useful for duplication), miss something when rearranging items such that moving to the edge of it has odd effects, or forget that keyboard commands are an option where they expect things to have to reset (see things like “hold an item and press the button to sell, put the item back and you will have gained money but still have the item”). They might also take cues from the world, such that a shopkeeper might sell all the items physically in the room (or on their person, or in a hidden storage area), and if you can drop things into said area, be it from a menu, a skill or in-world item movement, they might sell them back to you (possibly minus a stolen flag, at full health, minus negative attributes... if that is a thing you want). Companions, a second player, other NPCs and more could also be employed here to stop a game from removing something, or to function as a secondary inventory location that the developers neglected to consider.
Sometimes an animation might mark the start of an effect that is not actually applied until the animation finishes, which means changing area or going into menus while it is happening can have all sorts of interesting effects.

While coding will generally be kept to a minimum here, there is a reason many functions in games will read “on click” and “on release”, possibly being two halves of a given greater function (click starts it, release finishes), and thus why you might want to delay the release of a button or mouse until you have done something else.
https://www.w3schools.com/jsref/event_onmouseup.asp
https://www.w3schools.com/jsref/event_onmousedown.asp
https://docs.microsoft.com/en-us/dotnet/api/system.windows.forms.control.onkeyup?view=net-5.0
https://docs.oracle.com/javase/tutorial/uiswing/events/mouselistener.html
https://doc.qt.io/qtforpython/PySide6/QtGui/QMouseEvent.html
Most consoles will distinguish between pressed and not pressed in the memory areas that handle such things, and code will also expect to see a press and a release before anything happens. Similarly many electronic devices will use “edge detection” (as in the voltage rising and falling after a switch is pressed and then released, the “edge” of the waveform that creates being what matters), and computers are electronic devices at heart. The list of other event names should also be giving you some ideas.
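To make the two-halves problem concrete, here is an added example (not code from the original article or any real game) of a shop “sell” action split across press and release, in the shape of the “hold an item, press to sell, put it back, release” case above, beside a version that does the whole transaction on one event. The item names, the price and the put_back keyboard shortcut are assumptions for the illustration.

```python
from typing import List, Optional


class Shop:
    """Shared state: a bag of items, gold, and a cursor that can hold one item."""

    PRICE = 50                          # constructed flat sale price

    def __init__(self, inventory: List[str], gold: int = 0):
        self.inventory = list(inventory)
        self.gold = gold
        self.held: Optional[str] = None
        self.pending_sale = False

    def pick_up(self, item: str):
        """Cursor grabs an item out of the bag."""
        self.inventory.remove(item)
        self.held = item

    def put_back(self):
        """Keyboard shortcut drops the held item back into the bag."""
        if self.held is not None:
            self.inventory.append(self.held)
            self.held = None


class VulnerableShop(Shop):
    """'Click starts it, release finishes': the two halves trust each other."""

    def sell_press(self):
        # Gold is paid out the moment the button goes down...
        if self.held is not None:
            self.gold += self.PRICE
            self.pending_sale = True

    def sell_release(self):
        # ...and release clears whatever the cursor holds *now*. If the item
        # was put back in between, there is nothing left to remove.
        if self.pending_sale:
            self.held = None
            self.pending_sale = False


class HardenedShop(Shop):
    """Press only arms the action; the whole transaction happens on release."""

    def sell_press(self):
        self.pending_sale = self.held is not None

    def sell_release(self):
        # Remove the item first, then pay, and only if it is still held.
        if self.pending_sale and self.held is not None:
            self.held = None
            self.gold += self.PRICE
        self.pending_sale = False


def run_sequence(shop_cls, put_back_between=True):
    """Hold an item, press sell, (optionally) put it back, then release.
    Returns (gold, inventory) afterwards."""
    shop = shop_cls(inventory=["potion"])
    shop.pick_up("potion")
    shop.sell_press()
    if put_back_between:
        shop.put_back()                 # keyboard input between the two halves
    shop.sell_release()
    return shop.gold, sorted(shop.inventory)


if __name__ == "__main__":
    print("vulnerable, item put back:", run_sequence(VulnerableShop))
    print("hardened, item put back:  ", run_sequence(HardenedShop))
```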


Simple macro.
Macros are ways of sending an automated series of inputs to a program/game. Some will have custom controllers modified for this, PC games can use quite complicated scripting languages to do all sorts of things here, and all can make use of programmable devices that will output a series of pulses of a given timing (your classic Arduino or Teensy++ being good for this; indeed the basis of it might be part of the basic example code at https://www.pjrc.com/teensy/usb_keyboard.html and https://www.pjrc.com/teensy/usb_mouse.html , though there are plenty of programmable chips on the market that can do things here). For the purposes of exploits, macros are mostly useful for allowing fast and precise series of button inputs, perhaps more complex in nature than the humble autoclicker, which might only have a speed setting and maybe simple repetition of a pattern (think a timed reload). If you want to make one that turns your camera a specific amount and throws a grenade such that it reliably lands a given distance away, all from one press, then you would not be the first to do such a thing.
For those looking for non-hardware methods:
Autohotkey
https://www.autohotkey.com/
AutoIT
https://www.autoitscript.com/site/autoit/
Many other “automation” tools exist https://appmus.com/alternatives-to/autohotkey

Emulators, particularly those used by tool-assisted speedrunners, will often support a programming language called Lua.
The NES emulator FCEUX is the main reference example for a lot of emulators, though do check your particular setup.

Game slowdown.
For the simpler menu options, if the game will despawn a menu item after it is clicked then having the machine be incredibly slow (possibly by means of a program specifically run to induce it) can see you click a menu item several times when theoretically only one click should have registered, or your 5 clicks from a normal speed autoclicker might be more like 25.
Some also try to use ping raising methods (usually rate limiting a network, making a dodgy cable or flooding your connection) to force a game to use its lag mitigation techniques, either to bypass walls or to make whether you get shot/collided with a more variable affair than a less laggy game might be able to determine.

Examples of macros in action
An older example, though by no means the oldest, of the idea of macros comes to us by way of Final Fantasy 6, from within the game itself.

Here it is noted that the game would remember button locations if you wanted it to. Couple this with an autofire controller and you could send your main team around a loop in a game, fighting simple random battles throughout but the levels of the enemies would remain the same (and eventually pose no threat). Leave it running overnight/while at school and come back to high level characters with no manual grinding done by you.

More general list of bugs and glitches for this franchise.

Hidden menus.
These can include menus locked away from the player in certain modes; UI tricks are the most common way to find these outside of serious memory manipulation based cheating or outright game modification and analysis of the code therein. For instance, if you can hold on the “give me [insert cheat perk available on easy mode]” option, back out of the menu and then go back into hardcore mode with the keyboard before releasing, then that is one example. If you are exploring the code itself, look for input buffers or odd results, and test for branches/jumps beyond the obvious; such a thing will also indicate whether the game treats keyboard and mouse as separate entities, which could be useful for the options noted above.

Glitching into scenery and “out of bounds”
Almost everybody reading will have “fallen through the world/map” at one point or another in a game, even more so in 3D games (2D games still have it, and indeed many speedrunners use such techniques, but you usually have to work harder).
There are two primary reasons for this to happen:
1) Developers failed to implement collisions where you are.
2) Some action done by the character allows them to be put beyond the collision barrier. For deliberate actions this is typically a special move, taunt, high speed, enemy item, weapon with push back, vehicle in an engine not exactly made to handle it, fall, holding an object which changes your apparent location (or does after you drop it), a moving object in the world, an object in the world, coming back from an idle animation, or cancelling other animations. For more actual glitch behaviours, high speed or odd angles mean any reaction happens such that you end up booted out of the world, as the game takes the change-location command into account before the collision aspect has its say.
Such things are also the basis behind many “climbing” and “launch you into the air” techniques. The idea here is that the game will try to place you on top of the first viable point in the map; indeed it might even be an attempt at preventing people from falling out of the map. If you move around in a corner or at the edge of a wall, possibly in a crouch or similar action that causes some movement the basic control stick movement would normally not have accounted for, then you could well appear on top of a location (or flying through the air if “max height of the map” is what the game decides it should be), possibly even one not normally accessible or only accessible “officially” via other means. It might also mean you are technically in another area for the purposes of weapons, or stealing things.
There are also weapon exploits that might do damage or fire through walls or similar, wherein a given weapon might exceed a length (or be undersized), these typically being extras added in after release, weapons put in as a joke, or super stylised options of the normal weapons that might not have got as much testing.
Some might exploit the out of bounds options in a given game (often driving, fighting or something with a vehicle) to cause the respawn to happen in an unexpected location, say if the last thing touched was considered valid or in the next area. For this you might wish to figure out the behaviour of a game in a simpler area before you embark upon a convoluted series of movements to get you to a specific place. Some will also go into more general hacking and figure out the level formats to see if something can be touched.
Less commonly, if a player dropped or created an item it might be interacted with in the world. Stacked and nested items (items stored within items) can be particularly fun here if manipulating a lower item sees the higher item “restored” once manipulation has finished, but it can still be interacted with (maybe by a second player) during the manipulation. One such example of this was seen in Animal Crossing on the Switch. Many games have “rocket jumps” after an unintentional side effect of them in one game. “Mine ladders” are a thing in some games that are not Bomberman, wherein a player might place a mine, jump onto it and then place another and another (the character presumably having the strongest toes ever seen) to traverse a gap.

High speed is also often an example of the “no more than 20” style of check described later in this article. If your speed is fast enough then, when you fly towards a wall, the distance travelled per frame can mean you are never inside the wall at any of the moments the game checks (even old games like Mario 64 check 4 times a frame, so speeds will have to be high), and thus you have bypassed it.
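An added example, not from the original article, of why per-frame sampling lets a fast enough object pass a wall: a one-unit wall on a single axis (constructed) is checked at several sub-steps per frame, the 4 checks per frame mirroring the Mario 64 figure above, beside a swept check that tests the whole path instead. It also goes beyond the text by computing the lowest speed that slips through for a given number of checks.

```python
WALL = (10.0, 11.0)          # constructed: a wall one unit thick on a 1-D axis


def inside_wall(x, wall=WALL):
    return wall[0] <= x <= wall[1]


def sample_points(start, speed, checks_per_frame):
    """Positions the engine inspects during one frame: the player is moved
    in equal sub-steps and each landing spot is tested against the wall."""
    step = speed / checks_per_frame
    return [start + step * i for i in range(1, checks_per_frame + 1)]


def sampled_collision(start, speed, checks_per_frame, wall=WALL):
    """True if any sub-step lands inside the wall (what the game notices)."""
    return any(inside_wall(p, wall)
               for p in sample_points(start, speed, checks_per_frame))


def swept_collision(start, speed, wall=WALL):
    """The robust alternative: does the whole frame's path cross the wall?"""
    lo, hi = sorted((start, start + speed))
    return lo <= wall[1] and hi >= wall[0]


def tunnels(start, speed, checks_per_frame, wall=WALL):
    """Frame starts before the wall, ends past it, and no sample was inside."""
    end = start + speed
    return (start < wall[0] and end > wall[1]
            and not sampled_collision(start, speed, checks_per_frame, wall))


def min_tunnel_speed(start, checks_per_frame, wall=WALL, limit=1000):
    """Lowest whole-number speed per frame that slips through unnoticed,
    or None if nothing below `limit` does."""
    for speed in range(1, limit):
        if tunnels(start, speed, checks_per_frame, wall):
            return speed
    return None


if __name__ == "__main__":
    # 5 units short of the wall, 9 units per frame, 4 checks: never inside it
    print(sample_points(5, 9, 4), tunnels(5, 9, 4), swept_collision(5, 9))
```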

Some will also use these sorts of effects to bypass simple barriers that normal movement methods will not, and in doing so gain things not available at that point in the game or make for a quicker speedrun. It can also have effects in multiplayer where a character is off the map with a key item, or is supposed to be hunted down and is nowhere on the map.

It can all get quite involved (see Mario 64 A presses, the Mario 64 uncollectable coin, Donkey Kong 64 speedrunning as a whole, or perhaps Mario Kart 64 Choco Mountain speedrunning) but fundamentally it is all about interacting with barriers and finding ways past them by causing the game to move you to places that most conventional play will not allow.


Getting trapped under falling platforms or moved by doors. Many times this will simply render the game unplayable, but sometimes it might be the start of an out of bounds affair.

Halo Banshee out of bounds. This technically represents another failure in level design but is included here nevertheless. The developers of Halo 2, a rather anticipated game at the time, hid some items where players could not normally access them and expected it to remain a secret for some time to come. The reality was that someone broke the Banshee’s wings and dragged it through a tunnel such that it was in a map section without flying vehicles, and thus found the hidden section in very short order.

Skyrim horse “tilting”
Possibly one of the more famous examples here. A combination of vehicles, animations, direction and even sometimes going faster than the world might load, with a further bit of fun if you go into a sort of menu (some of the crafting options here appear to disable collisions).
https://en.uesp.net/wiki/Skyrim:Glitches#Horse_Tilting

Magic jumping in games.
If a game allows you to create spells, scrolls, potions or similar that do jump mechanics then quite often they can be used to achieve all sorts of odd effects. Elder Scrolls games have featured this many times, including a particularly amusing case for the Elder Scrolls Morrowind speedrunning community wherein one of those nice developer bonus items gets used to allow speedruns in very short order, having not long left the starting area. Two Worlds II also has another such effect where you might make it to a later area rather ahead of time.

Camera tricks. Glitching into scenery shows how most games treat the world as tissue thin and the barriers not much better. Even if you have never fallen through the world then you have presumably seen through it at some point: distance, wrong angles, camera movement, close ups, getting higher than you might be expected to. This can also be combined with weapons on some occasions to shoot places you can’t see (though more likely you can’t shoot and instead you just make a noise and a hole in the wall, or even die), or enemies might not be able to see you if you can have your character lower than the weapon camera.

Room entrances aka teleporters. Map entrances are in fact not entrances, as some games would have you think, but more akin to teleporters. That is to say, step on this tile/area and we will teleport you (or maybe load in a given area and a short connecting passage that functions as a loading screen) to another area. Change where this teleport goes and you can access all sorts of interesting areas, or find something of use to speedrunning (speedrunning might also combine a blocked off teleporter, think the classic pay me 5 gold coins to pass this barrier, with some kind of unexpected bounds breaking). Fallout 76 and the developer room is one of the more interesting uses of this: being an online game, and the room being (theoretically) inaccessible through conventional play, meant much could be discovered about the game, and its already dubious economy flooded with the unlimited items stored there.

Caches. These store level and other data in case you go back. Find what is kept, what is not kept and how quickly the cache is reset and you can sometimes duplicate things, maybe cause havoc and have it reset, or maybe not have the actions happen at all.
More commonly you will see it in things like the removal of dead bodies, or the vanishing of vehicles wherein the otherwise notoriously corrupt and incompetent police of a future dystopian world manage to retrieve a car stolen 5 minutes ago.

Quick travel and quick save. In the ideal case a game would take a snapshot of all the memory and restore it perfectly. However that might be a lot of memory and make for a very large (and time consuming) save file. Many games will therefore attempt to save a subset of the data and restore it, or might take a second or two, which can also sometimes be forced with slowdown tools, to parse/generate the data (randomly generated NPC and trader inventories, hostility levels, NPC awareness, items in the world being “dropped” to land on whatever floor/table/shelves they might be on and thus revealing hidden items). If the game allows you to generate a quick travel point then that can also often be exploited.

Tutorial zones.
The game developer might well have balanced a mechanic but removed its effects for the sake of a tutorial zone. See then if you can exploit such a thing to create infinite money/experience/..., or maybe gain abilities beyond what is expected in such a scenario and possibly leave the easy mode tutorial area while still enjoying its perks beyond what it expects.
The same can apply to certain missions wherein effects might be activated that change certain elements of gameplay, if you can escape the parameters of the mission without it dealing a failure state (or a proper failure state).

Timers also often stop in menus and cutscenes. This can make it easier if you have a very temporary effect as a result of a spell or potion you want to keep active for longer. It can also temporarily raise the stats of a character to allow them to perform an action, but that brings us to the next topic.



Errors in game’s underlying logic/economy

MMO players will probably have heard the term “sink” before. This is to say all that money produced by killing creatures in the woods (or at least all the meat and fur you sell to produce the same thing just abstracted a step) will be taken out by potions that get consumed but are only available from vendors or created with the harvested materials.
Find a means to gain without also suffering a sink and you have yourself quickly rising wealth. Infinitely spawning enemies somewhere you have cover are a good place to start here, cooperative play also yielding more of these if you can have your other player bring the enemies to your killing zone.

Buy low, sell high
The common investment phrase that forms the title of this mini section says it all. If you can buy something from one vendor (or maybe obtain it from a mission) that sells for more than it costs to buy, then you have yourself the start of an infinite money glitch. In real life an abundance of a product/commodity will reduce its price, and many games will at some level seek to replicate this if an overabundance of a given item is available. Others might just use something like a fixed 80% of the sale price. Such things are rare to find as developers are usually pretty keen to squash them and the effects are mostly predictable (unlike some others), but you occasionally see such a thing, especially from things that might have been done last minute, added for variety without considering the consequences, or hastily balanced for something else.

Others might see if the game’s skill tree, items, support characters, “character likes you” rating or similar might push prices for sale high or purchase low, and skim a profit on the difference. There might also be an individual NPC somewhere that pays over the odds for a given item; “I’m a quirky collector of [insert item/class of item], will buy any amount of this item for this price”.

Value added manufacturing and “More than the sum of their parts”.
Many games will feature crafting systems wherein you can create or improve items. If these sell for more than the base cost of their components then you have the start of an infinite money loop.
If you can break down items into constituent components then they might be worth more as parts than as a whole. Sometimes you might have to combine item harvesting with item creation, and maybe some player skills, to get this feedback loop going, but the combination is usually where the more interesting things arise here. It can also happen in real life, see “vulture capitalism”, though it is generally frowned upon these days.

Seeds
More a subject for competitive play, cheats and the like, it will still be mentioned here.
Random values are surprisingly hard for computers to come up with (they are designed as utterly predictable and repeatable machines for doing lots of maths very quickly after all), so programs will instead use short values known as seeds from which to generate the rest of the world. This also allows players to share seeds and play the same randomly generated setups (maps, the “random” pick of pieces in something like Tetris, the selection of obstacles in a game or the like). Knowing a seed can also be useful in determining the results of actions in advance. Pokemon players might also be familiar with seeds and random IDs from various aspects of things.

Pokemon missingno glitch.
Technically this is a combination of two glitches and something that sort of behaves like a seed or hidden variable (or actually several, though many would be standard for many players). Nevertheless it is a fine example of an exploit in action.
In the first generation Pokemon games it was noted that if you swam back and forth along a shoreline then what spawned there would be drawn from the last area you were in, as the shoreline tiles were designated hostile tiles. Quite useful for catching Pokemon normally only catchable at a nature reserve via what amounts to a minigame (one you are also limited in time, or more accurately in game steps, playing).
Secondary to that, there is an example battle early in the game that you can view endlessly as a sort of tutorial. If you played this battle, flew to a sea location and then swam on said shoreline tiles, it would often spawn a very high level Pokemon that the game interpreted as MissingNo (missing number, presumably a holdover from development when not every Pokemon had an assigned number). It was often over level 100 (with attendant stats), and also happened to cause an item in one part of your inventory to be set to 128 (though glitched on the display), and was thus quite useful for item duplication. Today much more is known about it ( https://bulbapedia.bulbagarden.net/wiki/MissingNo. https://pokemon.fandom.com/wiki/MissingNo. https://kotaku.com/pokemons-famous-missingno-glitch-explained-1653929141 ), including the intricacies of how it works.

In something of a crossover with UI we have the Zelda Link’s Awakening minigame. Get your sword and 10 rupees. Now you can go into the minigame in the main village (a sort of claw game). Move the shadow to the top left corner of the conveyor belt and wait. When the item you want gets to the tile one down from the top right, lightly tap the other button so it registers a press. Every time you will win a prize. As said prizes include a 30 rupee crystal, and things reset by leaving the room and coming back in, you now have infinite money (you can buy some things in the shop a few screens up from there) and potentially access to a few items ahead of when you might get them in the story. Minigames like this are often exploitable and thus should be considered carefully when assessing a game, though also be sure they are not exhaustible, or if they are, whether you can in fact win less and keep them alive longer.

Duplication.
A variety of means have been employed to duplicate items:
This can include simple menu exploits as covered elsewhere.
This can include abusing game cache mismatches, say by moving through doors and then immediately back again, while maybe using the fraction of a second of action you have.
If you can reset vendors (caches, hostility, quicksaves and quick travel being prime candidates in many games) then what might normally be one item sold per visit can possibly be got back in stock again.
In some games if you “lose” a key item there might be a means of it being provided by a special character so you can complete the game. Losing can simply mean not having it in your inventory, or having it in a location where the game has not yet despawned it (if it will at all, like maybe a chest).
Moving items in the world (be it as a general action, or a specific thing with another item connected to it in some manner) can also yield many things, from duplication, to escaping bounds, to invisibility, to invincibility, to high speed and much more besides.


Look after the pennies.
A game might offer a token reward for an action, one that will mean very little in and of itself compared to the requirements to reach the next level or similar. However if said small action can be repeated easily then it could well add up very quickly (or perhaps not so quickly, but with no great need of serious player input, and thus “wander off and leave it” becomes an option).

Bonus items.
There are no great memory structures, mathematical constructs or common program functions known as “game”. This is to say developers make their own, and in doing so usually leave things open to the would-be exploiter.
While there might be no great universal concept known as game, games do tend to be basically a series of maths problems composed of many variables (attack, defence, accuracy, cost of use, speed… and you can probably name a dozen more that have been in various games and been considered by you when equipping characters or choosing weapons or maybe capturing those Pokemon). While you could balance such a thing, it has been demonstrated for many years now that developers generally do not, save for those few things that might be brought up by their testers, and sometimes might not even think along such lines. Developers also seemingly can’t help but include special one off items under the guise of “it is an unusual reward”, and this often forms the basis of such a thing.
They might also have a special character that for some reason or another will not react the same to some of your actions, or might have an infinite supply of a given item for the purposes of a quest.

This might well take exploring an unusual play style; your combat simulator might well see you make a build that is less “glass cannon” and more “high level tomato with a feather duster, but one exceptionally good at diplomacy”, or your strategy game might see you go absolutely all in on a given strategy that is normally only a small perk. Strategy games are also some of the hardest to balance, and most prone to developers adding “something cool” that serves to unexpectedly unbalance the equation underpinning things (see Pareto frontier if you want a game theory term here). That said, the maths and rewards for a given perk are often listed. Run the maths yourself to see how far such a thing might take you (though be aware some games will calculate compounded values incorrectly, so it can still be worth a try; some will also compound things correctly, and that can be the start of a feedback loop) and then plan a means to get there.
You might also need to consider some potentially self destructive paths; why you might want to target yourself for some things you might never know, but it is often quite useful if you do.

Determining hidden variables by experiment.
The term datamining is often thrown around these days with little regard for its true meaning in industry, science and education. This however would actually be that. As mentioned elsewhere, random numbers are hard for computers (and humans for that matter) to do. There are two methods of doing random in games. If it helps, think of the classic sum of two dice (a 2 can only be made one way, a total of 7 can be made in many more ways and thus is the more expected value). One method is numbers matching the expected distribution drawn from a bag, the other is something like true random. Numbers in a bag are more likely to be close to the theoretical distribution, whereas true random has the annoying habit of being random. Play enough games noting every random chance and you can then mathematically determine whether it is a bag of numbers draw or something more like true random. Those playing on the bag front can also note the numbers already drawn, work out the probability of the remaining values, and play accordingly; where random really is random you lack that perk, but it is also random and thus someone could more likely be screwed over by random being random. Someone could do a battle several times noting random chance and then another with the same stats but for luck being higher to see the effect it has; one might even manipulate memory with cheats. This can also be used to find out whether the 99% chance to hit that missed twice in a battle is in fact filthy lies and the actual rate is considerably lower, or to join in the debates in games of chance.
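The bag versus true random comparison, as an added example that is not from the original article: two constructed hit-roll generators at the same advertised 75% rate, a test that tells them apart from play logs alone, the bag-aware prediction of the next roll, and a sanity check on an advertised hit chance such as the 99% mentioned above. The bag size, token counts and seeds are assumptions; the seeded generators also illustrate the earlier point about seeds, since the same seed reproduces the same sequence.

```python
import math
import random

BAG_SIZE = 20        # constructed: one bag holds 20 tokens
HIT_TOKENS = 15      # 15 hits and 5 misses, i.e. an advertised 75% hit chance


def bag_rolls(n, seed=1):
    """'Numbers in a bag': shuffle exactly HIT_TOKENS hits into a bag, draw
    until empty, refill. The same seed always reproduces the same sequence."""
    rng = random.Random(seed)
    bag, out = [], []
    while len(out) < n:
        if not bag:
            bag = [True] * HIT_TOKENS + [False] * (BAG_SIZE - HIT_TOKENS)
            rng.shuffle(bag)
        out.append(bag.pop())
    return out


def true_random_rolls(n, seed=1):
    """Independent rolls at the same nominal rate; streaks of misses happen."""
    rng = random.Random(seed)
    return [rng.random() < HIT_TOKENS / BAG_SIZE for _ in range(n)]


def hits_per_window(rolls, window):
    """Hit counts over consecutive, non-overlapping windows of `window` rolls."""
    return [sum(rolls[i:i + window])
            for i in range(0, len(rolls) - window + 1, window)]


def looks_like_bag(rolls, window, min_windows=10):
    """A bag refilled every `window` rolls yields the *same* hit count in every
    aligned window; independent rolls practically never do over many windows."""
    counts = hits_per_window(rolls, window)
    return len(counts) >= min_windows and len(set(counts)) == 1


def find_bag_size(rolls, max_size=64):
    """Try candidate bag sizes and return the first that fits, or None."""
    for size in range(1, max_size + 1):
        if looks_like_bag(rolls, size):
            return size
    return None


def remaining_hit_chance(rolls_so_far, bag_size=BAG_SIZE, hit_tokens=HIT_TOKENS):
    """Bag-aware prediction: hits still in the current bag over tokens left."""
    in_bag = len(rolls_so_far) % bag_size
    drawn = rolls_so_far[len(rolls_so_far) - in_bag:]
    return (hit_tokens - sum(drawn)) / (bag_size - in_bag)


def claimed_rate_plausible(rolls, claimed, z_limit=3.0):
    """Is the observed hit count within z_limit standard deviations of what
    the advertised chance predicts? Catches a '99%' that really is not."""
    n, hits = len(rolls), sum(rolls)
    expected = claimed * n
    sd = math.sqrt(n * claimed * (1 - claimed))
    if sd == 0:
        return hits == expected
    return abs(hits - expected) / sd <= z_limit


if __name__ == "__main__":
    print("bag log:   ", find_bag_size(bag_rolls(800)))          # 20
    print("random log:", find_bag_size(true_random_rolls(800)))  # None
    print("next roll after 5 misses from a fresh bag:",
          remaining_hit_chance([False] * 5))                       # 1.0
```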

It can get considerably more involved ( https://towardsdatascience.com/tagged/gaming ) but this section is here to remind us that much can be learned by simple observation and experiment, and not everything needs deep analysis by veteran coders. On that subject:

Memory manipulation.
Initially this is your classical cheat making. The game's memory stores everything you need to know about the state of the game; if you can edit it you can change an awful lot of things. Cheat making is well covered in many guides.
The basic technique is to find something that can view memory (many emulators have this, debuggers are another option) and compare snapshots of it between changes. Use a potion, search for anything that went lower, use another potion, search the remaining candidates for anything lower again, and so on; that tends to be the basic way to find infinite potions, HP, mana or other simple values. It gets more involved with things like double jump: in games that have one, if you can find the value that says "character has done a double jump, don't allow any more" and hold it at "no double jump done" you might well have a moon jump cheat. Games without a double jump might instead need you to mess with gravity, velocity, stats or similar to achieve the same effect.
It can get harder. Modern systems allocate memory dynamically and reach it through pointers, so the location of a value might change between runs, levels or loads, and you then need to find the pointer chain that leads to it. Developers might also add anti-cheat measures; take the potions example where you searched for something counting down, and suppose the game simultaneously keeps a second copy counting up (maximum minus current value, say) and compares the two: if they don't match it can declare an error (or do something worse). There are many more anti-cheat methods but those will be left for another day.
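The search loop and the counting-up check described above, as an added example that is not from the article or from any real cheat tool. The "console" is a toy with 4 KiB of RAM, an assumed potion address, a few hundred unrelated bytes churning per action (timers, sound, graphics state) so the first search does not trivially succeed, and an assumed shadow copy stored as maximum minus count.

```python
"""Added example, not code from the article or from any real cheat tool.
A toy 'console' with 4 KiB of RAM, an 8-bit potion count at an assumed
address, and an assumed anti-cheat shadow copy stored as MAX - count.
It shows the use-a-potion / search-for-lower loop over memory snapshots,
then the check a developer might use to catch the naive edit."""
import random


class ToyConsole:
    RAM_SIZE = 4096
    POTIONS_ADDR = 0x2A0      # assumption: where this toy game keeps potions
    SHADOW_ADDR = 0x9F3       # assumption: where the inverted copy lives
    POTIONS_MAX = 99

    def __init__(self, seed=7):
        self.rng = random.Random(seed)
        self.ram = bytearray(self.rng.randrange(256) for _ in range(self.RAM_SIZE))
        self.ram[self.POTIONS_ADDR] = 12
        self.ram[self.SHADOW_ADDR] = self.POTIONS_MAX - 12

    def snapshot(self):
        return bytes(self.ram)

    def use_potion(self):
        """One potion used; meanwhile timers, sound and graphics state churn,
        so a few hundred unrelated bytes change too (the realistic part)."""
        self.ram[self.POTIONS_ADDR] -= 1
        self.ram[self.SHADOW_ADDR] += 1
        for _ in range(300):
            addr = self.rng.randrange(self.RAM_SIZE)
            if addr not in (self.POTIONS_ADDR, self.SHADOW_ADDR):
                self.ram[addr] = self.rng.randrange(256)

    def integrity_ok(self):
        """Developer's anti-cheat: both copies must still agree."""
        return self.ram[self.POTIONS_ADDR] + self.ram[self.SHADOW_ADDR] == self.POTIONS_MAX


def narrow_candidates(before, after, candidates, relation):
    """Keep the addresses whose byte moved the way we asked for."""
    keep = set()
    for addr in candidates:
        b, a = before[addr], after[addr]
        if (relation == "lower" and a < b) or \
           (relation == "higher" and a > b) or \
           (relation == "same" and a == b):
            keep.add(addr)
    return keep


def find_potion_counter(console, rounds=4):
    """Use a potion, search for 'lower', repeat; each pass throws away the
    noise that happened to go lower last time but not this time."""
    candidates = set(range(console.RAM_SIZE))   # first search: all of RAM
    for _ in range(rounds):
        before = console.snapshot()
        console.use_potion()
        after = console.snapshot()
        candidates = narrow_candidates(before, after, candidates, "lower")
    return candidates


def naive_cheat(console, value):
    """Poke the count alone: the shadow copy no longer matches."""
    console.ram[console.POTIONS_ADDR] = value
    return console.integrity_ok()


def careful_cheat(console, value):
    """Poke both copies so the pair still sums to POTIONS_MAX."""
    console.ram[console.POTIONS_ADDR] = value
    console.ram[console.SHADOW_ADDR] = console.POTIONS_MAX - value
    return console.integrity_ok()


if __name__ == "__main__":
    c = ToyConsole()
    hits = find_potion_counter(c)
    print("candidates after 4 passes:", sorted(hex(a) for a in hits))
    print("naive poke passes integrity check:", naive_cheat(c, 99))
    print("careful poke passes integrity check:", careful_cheat(c, 99))
```

Note that the shadow copy never shows up in a "lower" search because it counts up; finding it means running the same loop with "higher" against the same actions, which is exactly the second search a cheat maker does once a simple poke starts getting detected.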

Links
Enhacklopedia
(found in various locations around the web).
This is one of the main reference documents for console type hacking. It covers how cheats are formatted for a great many consoles, from the classics to more modern ones.

ETK's guide to cheat making
A guide to cheat making for the GBA; however, it applies to just about every console going. Those it does not apply to typically still use it as a base but have pointers to deal with by default (memory handed out dynamically, and on newer systems something like ASLR, which Windows has had for many versions but which only appeared in console games in more recent times).

Buffer overflow.
In an absolutely surprising turn of events, data takes storage to store. If you put more data into a location than it expects, or than it accounts for in its save file or similar, you can cause some fun for the program: it might overwrite what follows, or it might just let you carry more than the artificial limit (delving slightly into code, "IF items = 20 THEN can't buy one more" sounds great until someone forces 21 in there, and as 21 is not 20 you are then free to buy as many more as you like). Many developers set these limits lower than the theoretical maximum (less data to load, quicker load times, quicker processing, smaller save files...) at the cost of some players maybe causing issues down the line if they have a bit of an item hoarding tendency (or perhaps an item duplicating tendency), or if they reach the limit for an area but some in-game action spawns another item into existence. This is also why you often see stats in a game that top out at 255, at -128 to 127, at 1023 or variations on that theme: the developer dedicated a single byte (or a fixed handful of bits) to the value, and those are the ranges such a field can store (0 to 255 for an unsigned byte, -128 to 127 for a signed one, 0 to 1023 for ten bits). Sometimes these numbers will wrap back around to 0, or even into negatives, which can be quite useful if making custom spells that might otherwise be balanced by an insane casting cost calculated from the effects of the spell.
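The "equals 20" check and the single-byte wrap, as an added example that is not code from the article or from any real game. The vulnerable inventory sits beside a hardened one; the count is masked to a byte to mimic the fixed-size field, and `force_count` stands in for whatever (duplication glitch, cheat device, save edit) gets the value past the limit.

```python
"""Added example, not code from the article or any real game: an inventory
count kept in a single byte with the limit check written as 'equals the
maximum', and what happens once something (a duplication glitch, a memory
edit) pushes the count past it. The hardened version beside it saturates
at the limit instead of testing for equality."""

LIMIT = 20          # the game's artificial cap on an item
BYTE_MASK = 0xFF    # the count lives in one byte


class LooseInventory:
    """Vulnerable: only refuses when the count is exactly LIMIT."""

    def __init__(self, count=0):
        self.count = count & BYTE_MASK

    def buy(self):
        if self.count == LIMIT:
            return False                               # "can't buy one more"
        self.count = (self.count + 1) & BYTE_MASK      # byte arithmetic wraps at 256
        return True


class StrictInventory:
    """Hardened: anything at or past the cap is refused, and the stored
    byte is never allowed above the cap, so no wrap can happen."""

    def __init__(self, count=0):
        self.count = min(count & BYTE_MASK, LIMIT)

    def buy(self):
        if self.count >= LIMIT:
            return False
        self.count = min(self.count + 1, LIMIT)
        return True


def force_count(inv, value):
    """Stand-in for whatever got the count past the limit (dupe glitch,
    cheat device, save edit): write the raw byte, bypassing the game."""
    inv.count = value & BYTE_MASK


def buy_until_refused(inv, max_attempts=1000):
    """Keep buying until the game says no. Returns (purchases, final count)."""
    bought = 0
    while bought < max_attempts and inv.buy():
        bought += 1
    return bought, inv.count


def as_signed_byte(value):
    """How a stat declared -128..127 reads the same byte: 127 + 1 is -128."""
    v = value & BYTE_MASK
    return v - 256 if v > 127 else v


if __name__ == "__main__":
    loose = LooseInventory()
    print("honest play, loose check:", buy_until_refused(loose))       # (20, 20)
    loose = LooseInventory()
    force_count(loose, LIMIT + 1)
    print("forced to 21, loose check:", buy_until_refused(loose))      # (255, 20)
    strict = StrictInventory()
    force_count(strict, LIMIT + 1)
    print("forced to 21, strict check:", buy_until_refused(strict))    # (0, 21)
    print("127 + 1 as a signed byte:", as_signed_byte(128))            # -128
```

With the loose check, a count forced to 21 buys 255 more times before the byte wraps through 0 and lands on exactly 20 again, at which point the check finally fires; the strict version refuses immediately. The lesson for the check-writer is that limits are range tests, never equality tests.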


Developers are often keenly aware of such limitations and will code in checks to make sure values do not exceed a given value. The prevention of such issues can itself be exploited at times. If a game checks whether your inventory is full before giving a quest item then it might still perform the other actions tied to the reward, or stall the progress of the game until the reward is taken.
An infinite experience exploit in the original Deus Ex when you have a full inventory is a good example. Later in the game, if you fulfil specific conditions, a character will give you a reward item and some experience. The experience is awarded as a result of the text displaying, and that text will display again (and again) if you don't yet have room in your inventory for the item.

Cartridge tilting and memory corruption via hardware methods.
The ROM, short for read only memory, in the names of the things games come on is not just there for fun: it is indeed usually read only, or treated as such. If you interfere with this reading, mostly on older systems (protections employed on newer ones make cartridge methods less useful), by maybe loosening the cartridge a bit such that the read fails a little, it can have all sorts of interesting effects. One of the more notable sees developers once more being overly cautious. In the often maligned Sonic 3D for the Megadrive/Genesis it was noted that the game would jump to a hidden level select menu if you knocked the cartridge, as the bad read caused an exception in the code and the exception handler took you there.

Goldeneye N64 tilting
More amusing than practical but a nice visual example of things

Corruption
Normally this is the name associated with a ROM hacking technique (think translations, fan driven improvements, custom levels, uncensoring games, custom music and the like) for finding data. Here you will have a program by some means randomly overwrite areas of memory for you, or maybe another program leak into it via some means, or possibly a modified save game (though this usually falls under exploits designed to change code and run homebrew, nevertheless it is possible for what we are discussing here). What it does will vary with what is corrupted and what it is changed to. Most often it will cause crashes, but sometimes you might end up with what amounts to a cheat, just something silly, random level layouts or whatever else might come of memory being fiddled with. Narrow the area you apply it to and you might get something more.

Save games

Initially most will meet this as memory cheats turned save game cheats, found in much the same way. If memory holds the data while you are playing then the save file is what holds it when you are not. If you can edit this file you can change whatever data it contains, and the game might then be persuaded to load it back in afterwards.
This can be harder if the save is protected with a hash or encryption, or by trickier means like encrypted, duplicated or inverted values (you might find the number of swords in your inventory, but the game also stores 255 minus the number of swords elsewhere as a check for the basic cheater). Hashes and encryption are largely going to be left as an exercise for the reader. The general idea is that some mathematical operation is done upon the data contained in the save file (usually all the stuff you as the would-be hacker care about, though sometimes something is missed) and the result is stored and compared on load; if you change the data without updating the hash to match then the game detects it as, at the very least, a corrupt save file (or password, if it is a really old game). Hashes vary radically: from the simplistic (parity and byte sums, where the maths is very basic indeed), to error detection (something like CRC32 that you might have seen in zip files), to various flavours of cryptographically secure hash, which is designed so that an attacker cannot produce a different file matching a chosen hash and where any small change causes a massive change in the result. With a basic byte sum, if the whole thing adds to 200 then taking away 5 potions and adding 5 end game swords you can sell for a fortune still sees 200 as the total, whereas nothing dubbed cryptographically secure falls to that. The caveat a practitioner will want: a hash on its own, however strong, only detects that the data changed. If you can rewrite the stored hash as easily as the data then you simply recompute it after editing; only a keyed check (a MAC) or a signature, with the key kept somewhere you cannot reach, prevents that, and the key very often sits in the game binary anyway. So figure out and recreate the hashing method if you want, or do as some do and hack the game to ignore it when loading (which might also fix things up nicely for you when saving again).
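The byte-sum, CRC32 and secure-hash cases above, carried through on a made-up save record, as an added example that is not from the article or from any real game's save format. It goes one step beyond the text by also showing a keyed HMAC, since that is the one construction in the list where "recreate the hashing method" is not enough on its own; the record layout, field names and the game key are all assumptions.

```python
"""Added example, not from the article or any real game's save format. A
made-up 12-byte save record (potions, swords, gold, name) stored with a tag
appended. Shows why a byte-sum lets potions become swords unnoticed, why
CRC32 catches that but is trivially recomputed, why an unkeyed SHA-256 is
no stronger against someone who can rewrite the tag, and why only a keyed
MAC with a key you lack actually stops recomputation (the key here is an
assumption; in practice it usually lives in the game binary)."""
import hashlib
import hmac
import struct
import zlib

LAYOUT = "<BBH8s"   # potions (byte), swords (byte), gold (uint16 LE), name (8 bytes)
GAME_KEY = b"assumed key baked into the game binary"


def pack_save(potions, swords, gold, name):
    return struct.pack(LAYOUT, potions, swords, gold, name.encode().ljust(8, b"\0"))


def unpack_save(record):
    p, s, g, n = struct.unpack(LAYOUT, record)
    return {"potions": p, "swords": s, "gold": g, "name": n.rstrip(b"\0").decode()}


# The tag functions, simplest to strongest. Each returns bytes.
def bytesum_tag(record):
    return bytes([sum(record) & 0xFF])


def crc32_tag(record):
    return (zlib.crc32(record) & 0xFFFFFFFF).to_bytes(4, "little")


def sha256_tag(record):
    return hashlib.sha256(record).digest()


def make_mac_tag(key):
    return lambda record: hmac.new(key, record, hashlib.sha256).digest()


def write_save(record, tag_fn):
    """What the game writes: record || tag(record)."""
    return record + tag_fn(record)


def load_save(blob, tag_fn, tag_len):
    """What the game does on load: recompute, compare, refuse on mismatch."""
    record, tag = blob[:-tag_len], blob[-tag_len:]
    if not hmac.compare_digest(tag_fn(record), tag):
        return None
    return unpack_save(record)


def swap_potions_for_swords(blob, n):
    """Blind byte edit that leaves the tag alone: -n potions, +n swords.
    The byte sum is unchanged, so a byte-sum tag still validates."""
    b = bytearray(blob)
    b[0] -= n      # potions is byte 0 of LAYOUT
    b[1] += n      # swords is byte 1
    return bytes(b)


def edit_and_refresh(blob, tag_fn, tag_len, **changes):
    """The 'recreate the hashing method' approach: decode, edit, re-tag.
    Works for any unkeyed tag; for a MAC you must also hold the key."""
    fields = unpack_save(blob[:-tag_len])
    fields.update(changes)
    return write_save(pack_save(**fields), tag_fn)


if __name__ == "__main__":
    rec = pack_save(10, 0, 500, "Hero")
    print("byte-sum, blind swap loads as:", load_save(swap_potions_for_swords(write_save(rec, bytesum_tag), 5), bytesum_tag, 1))
    print("crc32, blind swap loads as:", load_save(swap_potions_for_swords(write_save(rec, crc32_tag), 5), crc32_tag, 4))
    print("sha256, edit + re-tag loads as:", load_save(edit_and_refresh(write_save(rec, sha256_tag), sha256_tag, 32, gold=65535), sha256_tag, 32))
    real, guess = make_mac_tag(GAME_KEY), make_mac_tag(b"guess")
    print("hmac, re-tagged with wrong key:", load_save(edit_and_refresh(write_save(rec, real), guess, 32, gold=65535), real, 32))
```

The CRC case is worth noting: a two-byte edit is a burst well inside the 32 bits CRC32 is guaranteed to catch, so the blind swap fails, yet the checksum is public maths and `edit_and_refresh` forges it in one call. The HMAC only holds up while `GAME_KEY` stays out of your hands, which is why the article's alternative of patching the load-time check remains the fallback.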

Reset area cheats. Storing an entire world is a fairly intense requirement. Storing just the essentials while the rest regenerates from scratch (if it is always going to be random items in the vendor then why save that?) is far easier. This can lead to loading save states regenerating things that might otherwise take a while to regenerate, if they ever would, or resetting statuses (hostility, position of enemies). You might have to be careful, as some changes might appear random but will not be; this is why various exploits will require you to use low value items rather than have the vendor fail out, or explode as is the case of a gambling game in Jade Empire, but more on that in a moment.
While save games and save states are the most common cause of this, it can also sometimes be seen by going into menus (possibly deep settings menus), or simply starting an action and going into the menu such that the negative results of an action (breaking, ending...) never come or are delayed until you return from the menu. Cutscenes can also be a thing for this.

Rate limiting
Depending upon what you are doing, the game might have some form of limitation in terms of needing a specific item which only respawns at a given rate. If you want to make infinite items but each one takes a 30 second minigame then it will get old very fast. A vendor might also have a limited amount of money with which to buy items from you. You might only be able to hold so many items as well. Working around these limitations then often becomes a thing you also have to consider when working up your exploit into a more useful one.
This can be as simple as a game not counting the weight of items stored within other items, or of an item your character is holding in their hands rather than the inventory, or throwing an item ahead of you before moving and picking it up again.

Side channel
Side channel attacks are a class of attack, best known against hardware and cryptography, wherein an action or result leaks through something other than the intended output: timing, sound, power draw, disc activity and the like. For a more real life example, unlocking a door sounds quite different to simply putting a key in and wiggling it a bit.
One of the more interesting applications was a Pokemon shiny detector. Here it was noted that shiny Pokemon (rare examples of Pokemon with different colours that the developers include if a few ostensibly random conditions are met, conditions the average non hacked device user might not have any idea of, and quite desirable for some) took ever so slightly longer to load in the encounter, presumably as the device was busy calculating the special colours. Someone then built a device to measure this time; if it was the normal timing it would press suitable buttons to run away, where if it was a shiny Pokemon it would alert the user (or possibly even catch it). https://hackaday.com/tag/shiny-pokemon/
Such things also open the door to causing real world actions depending upon screen captured events.
Skies of Arcadia on the Dreamcast has a nice one here. If you are in a dungeon the disc would spin up a few seconds before a random battle launched. If there was a means of reset (enter a new area, an escape dungeon item, navigate a menu, a stop encounters item or something) then you would have been able to use it; alternatively, if you were debating whether to use a healing item or keep it for later, that might make the decision for you.
In other cases things may happen concurrently with other actions, such that you might quite literally have to move to the beat of the backing music to be sure you are acting on the right timing.

Unexpected play.
Buck the refusal of the call.
If you spend any time contemplating storytelling, especially in games, you will probably meet the "Hero's journey" idea. One aspect of this is the refusal of the call: after the initial event setting the quest up there will be something that sees the hero opt to stay at home and mess around instead. Games might opt for a subtle approach by guiding you back, might offer invisible walls, or might do something else entirely like make you die if you leave the mission zone (though usually after a warning).
The more subtle approaches with a warning can often form the basis of exploits. Often it is not the threat of instant death but damage that acts as the incentive to get back into the area. Find a means to lessen or mitigate the damage, or reset a timer, and you can find yourself where nobody expects you to be (or at least buy a reprieve).

In game AI based exploitation

Playing against other players is not always possible, so since the earliest days developers have made games to be played solo and inserted machine scripts to pose a challenge for the player. As strong AI is not yet something even the shiniest supercomputers have, your little game console is not going to have it either (it is actually quite a problem for various styles of game). These scripts are often very limited indeed (a note in a review saying "all the enemies do is run towards you and attack" might literally be the entire setup) but this can also see things exploited.

Things to consider here include visibility, mainly as developers will often make some crude approximation of such a thing and use that to make it more realistic. However if the sight line is blocked, say by a bucket on the head in the case of various Elder Scrolls games, or by you effectively being in a different area by means of gaming the location system, then that is something to consider.
Activation radius. Be it lines in the sand or distance from the NPC/player, and what might shorten or lengthen it (firing a gun, maybe).

Unlocks by enemies that have been aggroed. Games might simply have enemies unlock any door they come across regardless of anything else (keys in their inventory, personal level of access). Push an enemy towards a door, or make a noise to cause them to run to the door, and watch it unlock. Sometimes this is a mechanic in and of itself but other times it is not.

More advanced techniques might see the entire AI understood: its path finding behaviours, attack behaviours, elements of randomness (or indeed apparent randomness), but that can be left for the time being. Usually more of a problem for those making custom levels.


Pokemon text speed. Sometimes things are just plain unexpected in their discovery. This popular Pokemon speedrunning trick was discovered by accident during normal play, though it also serves as an example of non standard aspects of a game (think items the developer left in) or odd states (menus, minigames, crafting screens and more, as they pertain to collisions and enemy behaviours) being used.


Finishing thoughts

As with many of these discussions, the maths underpinning much of this falls under a concept known as game theory, though the psychology of game design is also worth noting. Framing things in such terms can also help with uncovering failures in the game design, which has implications beyond exploit hunting.
If you are interested in that then the following two videos provide a very nice introduction
Practical Game theory
Game mechanics and mechanism design
and a book called Characteristics of Games is a must read.

Anyway, the above is a somewhat superficial overview of the types of exploits seen in a game, how they arise and some of the things you can do with them. However it hopefully serves to show that you can find any number of things without being steeped in programming knowledge, without spending hours considering the code, or, in the case of some modern systems, without spending hours getting to the point where you can even consider looking at the code.

An exercise for the reader that may help in this is go look up lists of exploits for your favourite games (several places featuring such things have been linked throughout this). Be they for normal play, to make something silly happen, for challenge runs, for speedrunners, to access bonus areas or anything else. Try to categorise them based on some of the things mentioned above, or maybe make a few of your own based on something similar. See enough of them and you will start to see what causes them more easily and what to look for, or indeed try out, out in the world.
 

FAST6191 (OP, Editorial Team):
A good well written article... enjoyed reading it

I did however expect there to be a guide on how to find some of the said exploits and not just an overview of them

I was part of the game hacking scene when Game Genie and Action Replays were widely used, especially around the N64 era, and a lot of the time it is the thinking of "how can I exploit this" or "what exploit do I want" that stops people creating them

it’s great to see how the mind of someone who creates and seeks out exploits looks at things differently to how others do - and the huge amount of effort and work that goes into creating them

I would normally do worked examples (the main version of https://gbatemp.net/threads/gbatemp-rom-hacking-documentation-project-new-2016-edition-out.73394/ ) but was hoping the examples listed here for existing games and videos detailing things also linked would suffice for now. The more I have to explain matrix maths, floating point numbers, data types, 3d engine mechanics and the like the more people would have clicked off. This would have been less than ideal for me for while

is a thing in some games there are plenty more that can be achieved by sweeping a stick around next to a wall/junction, trying all the animations, spinning around next to a corner, spinning around holding something... and while I could cover deriving your chosen strategy game's equivalent of https://www.dragonflycave.com/mechanics/gen-i-capturing from assembly or maybe just memory viewing then you can also look at all the bonus perks from everything, derive some nuts strategy to achieve them (one that if you pulled back even a tad you would lose) and also consider more closely all the weird and wonderful stuff (jokes, references, silliness) the devs chucked in there that might have broken their otherwise careful balancing.

I also owe something to the N64. My gameshark had a little guide to making cheats (basic fire a bullet/lose some health/... search, repeat) and I did that. Was not my first dalliance with such devices (had peek and poke on the C64, trainers on the amiga, sort of something on the PC that barely worked and needed a parallel dongle and a game genie on the megadrive, something on the gameboy as well) but was the first time I properly got my hands dirty and awoke something in me there, though it was probably inevitable.

I am planning some follow ups that necessarily delve into engine design at the very least but was aiming to keep it light and maybe have those that wanted to go further have some jumping off points for it.

Shorter for sure. More like "Community reporter Tom White creates guide on Exploiting games", highlight juiciest parts in front page, then make the guide even longer on the FAQ section.
That is something I often do (the ROM hacking and game journalism guide ones probably being main examples).
Will possibly make a full 90s "have you ever wanted to do this?" type deal as a frontload.
 

naed06:
I am planning some follow ups that necessarily delve into engine design at the very least but was aiming to keep it light and maybe have those that wanted to go further have some jumping off points for it.

looking forward to the follow ups


And this topic reminded me of the Super Mario Flappy Bird exploit, which is explained far better in this video than I could ever explain
 