Tutorial - How to Find Offsets if you can't attach Cheat Engine


Rake
Cesspool Admin, Administrator
To find offsets, the easiest method is to use "Find What Accesses" in Cheat Engine, that is always the first step. All this feature is, is a read breakpoint which logs the instruction which trips the breakpoint. After you get a couple offsets, you typically move to ReClass to begin reversing the classes in which the variable resides.

If your game has anticheat, you can't attach Cheat Engine and therefore you don't have "Find What Accesses" and you can't attach ReClass. If you find yourself in this situation, you're pretty much screwed.

Oftentimes the person asking "how do you find offsets if the game has anticheat?" is just naive and doesn't understand the reality of game hacking. The purpose of this thread is to explain why it's naive and answer the question.

If you read our General Anticheat Guide, it gives you a few steps to try if the game has custom usermode anticheat and is blocking Cheat Engine.

The first and easiest steps to attempt to bypass Cheat Engine detection are:
These steps work on custom usermode anticheats, not commercial anticheats.

The rest of this guide assumes you have completed the first 2 books in the GHB

This brings us to a very important message, which is the official GH stance on the topic:

If you cannot bypass the anticheat, you shouldn't be hacking the game.

It's very similar to the pasting problem: if you don't know how to hack and you don't know how to code, you can't hack games. Any attempt to avoid learning from the beginning is signing yourself up for failure. Avoiding bypassing the anticheat completely and using a little loophole to hack the game is not a long term solution.

A bypass which doesn't allow you to attach Cheat Engine, is not a true bypass.

If you don't reverse the anticheat yourself and properly disable it or hide from it, it's not a real bypass.

What are the game hacking pros doing?

People who sell properly made pay hacks have true bypasses that give them full control, and they have reversed the anticheat themselves. This allows them to attach Cheat Engine & ReClass to easily reverse the game. Again, if you don't have a true bypass you shouldn't be hacking the game. The goal of GH is to make yourself self sufficient.

When you see posts which contain offsets, reversed classes, SDKs etc... the people who post them have true bypasses or they're using information provided by someone who does have a true bypass. So if you're asking "How do they find them?" it's really a stupid question. They have bypassed the anticheat and they're using the normal game hacking methods to find everything; the only difference between them and you is, they know how to bypass the anticheat, enabling themselves to be successful. If you want to be successful, you should focus on reversing and learning everything you need instead of trying to exploit these little loopholes to hack games with anticheat.

Public Knowledge

Many people, including pay hack developers, utilize the public knowledge which the pros share with the community. Even if the offsets are outdated, you will find other information that will enable you to be successful such as signatures, structure layout, function prototypes, vtable indices & more.

Most pay cheat developers are using this public knowledge and are not doing all the work themselves; we have seen dozens of pay hacks get leaked / cracked and almost all of them are pastes. Most bypasses included with payhacks do not enable you to use Cheat Engine. Many pay cheats rely on the public signatures and offsets that are shared in the game hacking community. BillyBob'sCheats.xyz is not attaching Cheat Engine and reversing it himself. Oftentimes there is enough public information to make a payhack without reversing anything yourself; you can combine an old paste with new offsets & kdmapper. (btw you should be ashamed)

Static Analysis

The most common thought process we see people take is: if they can't attach Cheat Engine they must be using 100% static analysis. This is WRONG. Like I already said, the original people sharing the information have true bypasses.

Doing 100% static analysis is way too difficult, when you're talking about a massive game. You have to have something to start with. Just like in our video tutorials, we start in Cheat Engine, we find some offsets, "find what accesses" and now we take the address of that function and we look at it in IDA Pro and start reversing it.

If you don't have a true bypass, you can use the public knowledge that people have shared as a starting point for your static analysis.

If you have zero information, you cannot make a hack using only static analysis, unless you're some kind of super genius. Again, "if they can't attach Cheat Engine they must be using 100% static analysis" is a myth.

Game Dumps

Most games that have anticheat are also heavily obfuscated. You need to dump the modules in order to begin static analysis. More info:
Tutorial - How to Dump a packed executable with Scylla
EquiFox/KsDumper

Game Engines, Netvars & SDKs

Game Engines make reverse engineering difficult for novice hackers, but if you're an expert they can make your life 100 times easier.

Look at our Quake Engine Guide, Quake Engine is from 1999. Source Engine, idTech and all Call of Duty games are based on this engine. Doom Eternal was released in 2020 and still uses some of the same structures. That's 20 years! If you have a deep understanding of the Quake Engine, you can literally hack hundreds of games with relative ease. Every year a new Call of Duty comes out, the professional game hackers can have a hack up and running on the same day as the beta release.

Knowing this, you don't exactly need to find offsets, you just need to find a few signatures to update your hack. The core of the game engine doesn't change much.

Netvars
If you are not familiar with netvars, read this: Video Tutorial - How to Find dwGetAllClasses & Netvar Manager

Basically games use strings and there will be a lookup function which you feed one of these strings and it gives you the address or offset of a variable.

Professional cheats use these netvar systems, so you don't have to find offsets, you just query the game engine for them.

Dumping an SDK
Because all game engines use some sort of netvar system, if you can reverse this system you can dump an SDK. Let's say you're a paycheat developer, and you make an SDK dumper for Frostbite 2, let's say a new game comes out on Frostbite 3 that has anticheat, well you can probably update your dumper very easily and dump a new SDK. In this manner you don't need to attach Cheat Engine to find offsets.

Dumpers don't even need to run at runtime, in some cases you can code them to work on static binary files, so you can dump the game using KsDumper and then run your dumper and boom you're done, no Cheat Engine necessary.

Game Updates & Updating Offsets

You should 100% be using signature and pattern scanning. Once your pattern scan finds the address of the instruction, you pull the address or offset out of the hardcoded instruction argument. Then, even if the game updates, there is a good chance your pattern will still work. Start working with signatures earlier rather than later, so you can avoid the pains of updating offsets.

Whenever you get a hack 100% working with all the correct offsets, you should make a backup of all important game binaries. When the game updates, you can diff them to find out what they changed, and easily update your offsets and signatures that way. This is an extremely underrated step. I got screwed many times for not saving the old files for comparison.
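The two paragraphs above describe the mechanism without showing it, so here is an added example (my own illustration, not code from Rake, GuidedHacking or any tool named in the thread). It implements an IDA-style masked byte-pattern scan, resolves the RIP-relative disp32 operand of the matched `mov rax,[rip+disp32]` instruction into the RVA of the global it reads, and then runs the same signature against two constructed "builds" in which the code has shifted and the global has moved, which is exactly why a signature outlives a hardcoded offset across an update (and why the same masked-scan idea underlies YARA-style detection signatures). The byte buffers, the `make_fake_section` helper and the `locate_global` routine are all hypothetical, constructed for this example; no bytes here come from any real binary.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PATTERN 64

/* A parsed byte signature: bytes to compare plus a mask (1 = compare, 0 = wildcard). */
typedef struct {
    uint8_t bytes[MAX_PATTERN];
    uint8_t mask[MAX_PATTERN];
    size_t  len;
} pattern_t;

/* Parse an IDA-style text signature such as "48 8B 05 ? ? ? ? 48 85 C0".
 * Both "?" and "??" are accepted as a wildcard byte. Returns 0 on success, -1 if malformed. */
static int parse_pattern(const char *text, pattern_t *out)
{
    const char *p = text;
    out->len = 0;
    while (*p) {
        while (*p == ' ') p++;
        if (!*p) break;
        if (out->len >= MAX_PATTERN) return -1;
        if (*p == '?') {
            out->bytes[out->len] = 0;
            out->mask[out->len] = 0;
            p += (p[1] == '?') ? 2 : 1;
        } else {
            if (!isxdigit((unsigned char)p[0]) || !isxdigit((unsigned char)p[1])) return -1;
            char hex[3] = { p[0], p[1], '\0' };
            out->bytes[out->len] = (uint8_t)strtoul(hex, NULL, 16);
            out->mask[out->len] = 1;
            p += 2;
        }
        out->len++;
    }
    return out->len ? 0 : -1;
}

/* Linear masked scan of buf; returns the offset of the first match or -1. */
static long find_pattern(const uint8_t *buf, size_t buf_len, const pattern_t *pat)
{
    if (pat->len == 0 || buf_len < pat->len) return -1;
    for (size_t i = 0; i + pat->len <= buf_len; i++) {
        size_t j = 0;
        while (j < pat->len && (!pat->mask[j] || buf[i + j] == pat->bytes[j])) j++;
        if (j == pat->len) return (long)i;
    }
    return -1;
}

/* Resolve a RIP-relative disp32 operand. x86-64 encodes the displacement relative to the
 * address of the *next* instruction, so target = instr_off + instr_len + disp.
 * disp_off is the byte index of the disp32 inside the instruction. Returns -1 on bad bounds. */
static long resolve_rip_relative(const uint8_t *buf, size_t buf_len,
                                 size_t instr_off, size_t disp_off, size_t instr_len)
{
    if (instr_off + instr_len > buf_len || disp_off + 4 > instr_len) return -1;
    const uint8_t *d = buf + instr_off + disp_off;
    /* assemble little-endian explicitly so the result does not depend on host byte order */
    uint32_t raw = (uint32_t)d[0] | ((uint32_t)d[1] << 8) | ((uint32_t)d[2] << 16) | ((uint32_t)d[3] << 24);
    return (long)(instr_off + instr_len) + (int32_t)raw;
}

/* Hypothetical "find the global" routine: scan for  mov rax,[rip+disp32] ; test rax,rax
 * and return the RVA the mov reads from, or -1 if the signature is not present. */
static long locate_global(const uint8_t *buf, size_t buf_len)
{
    pattern_t pat;
    if (parse_pattern("48 8B 05 ? ? ? ? 48 85 C0", &pat) != 0) return -1;
    long at = find_pattern(buf, buf_len, &pat);
    if (at < 0) return -1;
    /* the mov is 7 bytes (48 8B 05 + disp32); the disp32 starts at byte 3 */
    return resolve_rip_relative(buf, buf_len, (size_t)at, 3, 7);
}

/* Constructed stand-in for a code section (not bytes from any real binary):
 * `pad` NOPs, then the mov/test pair with the given displacement, then 16 INT3s.
 * Returns the number of bytes written, or 0 if cap is too small. */
static size_t make_fake_section(uint8_t *out, size_t cap, size_t pad, int32_t disp)
{
    const uint8_t mov_prefix[] = { 0x48, 0x8B, 0x05 };
    const uint8_t test_insn[]  = { 0x48, 0x85, 0xC0 };
    size_t need = pad + sizeof mov_prefix + 4 + sizeof test_insn + 16;
    if (need > cap) return 0;
    uint8_t *p = out;
    memset(p, 0x90, pad);                     p += pad;
    memcpy(p, mov_prefix, sizeof mov_prefix); p += sizeof mov_prefix;
    for (int i = 0; i < 4; i++) *p++ = (uint8_t)(((uint32_t)disp >> (8 * i)) & 0xFF);
    memcpy(p, test_insn, sizeof test_insn);   p += sizeof test_insn;
    memset(p, 0xCC, 16);
    return need;
}

int main(void)
{
    uint8_t build1[256], build2[256];
    /* "build 1": mov at 0x20 reading [rip+0x10]. "build 2": code shifted 16 bytes and the
     * global moved, as an update would do. The hardcoded offset changes; the signature does not. */
    size_t n1 = make_fake_section(build1, sizeof build1, 32, 0x10);
    size_t n2 = make_fake_section(build2, sizeof build2, 48, 0x40);
    printf("build1: global at RVA 0x%lx\n", (unsigned long)locate_global(build1, n1));
    printf("build2: global at RVA 0x%lx\n", (unsigned long)locate_global(build2, n2));
    return 0;
}
```

Two design points worth noting: the displacement is assembled byte by byte instead of being `memcpy`'d into an `int32_t`, so the resolver gives the same answer on a big-endian analysis host, and every routine bounds-checks and returns -1 rather than reading past the buffer, which matters when the input is a possibly truncated dump rather than a live module.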

Hypervisors & Virtual Machines

If you can bypass the anticheat's virtualization detection, you can use a hypervisor or a VM to enable yourself to debug or perform logging to help you find offsets. This is for professionals only. You can also use these to enable Cheat Engine to attach, and then find offsets that way.

Bypassing Anticheat

As we've said a thousand times: bypass the anticheat or don't hack the game. Why waste your time avoiding learning how to do it yourself when you could just learn. Being independent and self sufficient is your goal, why struggle with all this bullshit for years when you could just git gud instead.

You can learn all about bypassing anticheat in our guides:
Additional Offset without Cheat Engine Threads
Solved - How to find Offsets without Attaching Debugger
Solved - COD Warzone - How to find offsets

rzirvi
Full Member
I remember when I struggled to find everything in apex legends, from entitylist to localplayer, 1000% through static analysis. You won't believe how many hours I spent eyeballing the decompilation hoping to find localplayer/entitylist lol. (probably like 40 hours) In the end I figured out how to attach cheat engine and just found the offsets from there.


Finding offsets through pure static analysis, with no public info to support you, is EXTREMELY hard. There are people who post methods on how to do this, but those posts are hard to find.


Some games require less dynamic analysis than others. For example, in CSGO you can easily find things like entitylist and localPlayer through pure static analysis. In UE4 you can easily find GObjects, UWorld, and many other important things through static analysis.


I think this was an excellent post. If I had read this back in November 2019 I would have known exactly what to do, and what path to take.



Also, a useful tip for CE: scanning for an 8-byte value can help you find these global offsets.