- Game Name: N/A
- Anticheat: N/A
- Coding Language: C# Mostly
Hacking Unity games requires a special approach; using native methods is not the best way to approach them. This Unity game hacking tutorial will teach you everything you need to know to get started with this game engine.
Unity Game Hacking Guide
What is Unity?
Unity is a very popular game engine for smaller indie games, but there are a lot of larger games that use it as well. It's cross-platform: games can be released for PC (Windows, OSX, Linux) and mobile (Android/iOS), and you can even release them for the browser via WebGL. It's free, makes game development very easy and uses a C# or JavaScript scripting engine.
Popular games written in Unity include:
For more details, see Unity (game engine) - Wikipedia and List of Unity games - Wikipedia
Hacking Unity Games is Special
Hacking Unity games is different from hacking native games. Any game that uses a modern game engine requires a special approach, and Unity games are no exception.
When hacking a regular native game you can typically find pointers and offsets and use them easily. The way memory is mapped and the executable is loaded into memory is predictable and follows the same pattern every time; it's just how the PE file format and the Windows loader work. But hacking Unity games is different, because game engines like Unity are large infrastructures that load and run the game logic that the developers of the actual game create. They have their own methods of loading dynamic code and data. Game engines add another layer of abstraction and often utilize a lot of inheritance, overloading and polymorphism, which makes reversing them and writing Unity hacks more difficult.
The first thing you will notice when hacking Unity games is that it is hard to find pointers that still work after you restart the game. For that reason, pattern scanning and hooking are typically easier. I don't recommend trying to go after multilevel pointers when writing Unity hacks.
The second thing you will see is that a Unity game's code is located in an Assembly-CSharp.dll module and not in the main EXE. What's good about this is that you can easily decompile and modify this file using dnSpy, which is a .NET decompiler/debugger.
Thirdly, because of the way the just-in-time (JIT) assembly works, the functions that you want to hack aren't even going to be converted to x86/x64 until those branches of code are hit. If you want to make a godmode hack, normally you'd want to find all the functions that damage the player and NOP/JMP them out, but when writing a godmode hack for Unity games you need to find where health is stored (dynamically), then trigger each of the functions that damage the player, then scan memory to find them (note they'll be in different locations and probably using different registers each time), and then patch them. A godmode hack isn't going to be fun if the player has to go and damage themselves in various ways every time they restart the game...
All this aside, if you're still thinking of using the native route to hack a Unity game and not using mono injection, please view this thread to understand how much work it is. Thanks @Boboo99 for providing a ton of information on hacking this Unity game:
Solved - How to Hack Secrets of Grindea
Static Analysis
You can statically analyze the game code using a .NET decompiler. You will see the structures and the functions. Keep in mind that the game engine code won't all be in there; it's just the game logic. Not all the functions and structs the game uses will be in the Assembly-CSharp.dll. Sometimes it will include all the names of the structures, variables and functions. Other times the developer will strip these out or obfuscate them. Even with the names stripped, it is easy to reverse engineer functions like this. Some disassemblers such as IDA will also allow you to reverse the .NET bytecode, although this won't match up directly with the game in memory, as it will be just-in-time (JIT) assembled into x86 code that turns up in a different position in memory each time.
IL2CPP Compilation
Some Unity games use IL2CPP, which compiles the game code to C++ and then to assembly, which makes decompiling with dnSpy and mono injection impossible. This is more efficient and makes it much more difficult to hack Unity games, so we are seeing more and more games use it. While they're related, hacking IL2CPP is slightly different from hacking Unity and requires different tools.
Learn more from https://docs.unity3d.com/Manual/IL2CPP-HowItWorks.html
If your game is using IL2CPP you don't need a Unity hacking tutorial; it's probably best to just use native game hacking methods. IL2CPP dumping tools:
- Perfare/Il2CppDumper
- djkaty/Il2CppInspector
Cheat Engine Mono Dissector
Cheat Engine has basic features to view Unity game data as well. We don't have tutorials for it, but here are some from our friends:
CheatTheGame Mono Videos
Stephen Chapman Mono Videos
Editing Assembly-CSharp.dll
If the game doesn't have integrity checks, and especially for single player games, you can simply modify the Assembly-CSharp.dll using a decompiler and save it. If the game has integrity checks, which most good multiplayer games will, this will not work. This is a C# DLL with the code for your Unity game, so you'll need to use dnSpy or similar. This approach allows you to write your Unity hacks in C# and compile them back down, and gives you a clean result as long as you can work around any integrity checks.
Mono Injection - the best way to hack unity games
Mono injection is a technique of writing your own C# assembly and injecting it into the game engine; you essentially override game functions with your own functions. It is the equivalent of hooking a function when hacking Unity games: you run your code and the game's original code. It is pretty easy to do. Unlike editing the DLL, you should be able to inject your Unity hacks without triggering any integrity checks, because nothing on the disk changes.
Here is an excellent Unity hacking tutorial using mono injection by @Truth:
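The on-disk versus in-memory distinction made in the two sections above, seen from the game developer's side, as an added example that is not from the original guide or from any project it links: a hash check over the shipped assemblies catches an edited Assembly-CSharp.dll but not an injected assembly, so a second pass audits what is actually loaded. The class name `AssemblyAudit`, the manifest and allowlist inputs, and the assumption that an injected assembly reports no file `Location` are all hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Reflection;
using System.Security.Cryptography;

// Hypothetical helper, not part of Unity or of any real anti-cheat product.
public static class AssemblyAudit
{
    // Lower-case hex SHA-256 of a file on disk.
    public static string Sha256Hex(string path)
    {
        using (var sha = SHA256.Create())
        using (var fs = File.OpenRead(path))
            return BitConverter.ToString(sha.ComputeHash(fs)).Replace("-", "").ToLowerInvariant();
    }

    // On-disk check: catches an edited or missing Assembly-CSharp.dll.
    // 'expected' maps file name -> known-good hash recorded at build time.
    public static List<string> ModifiedFiles(string managedDir, IDictionary<string, string> expected)
    {
        var bad = new List<string>();
        foreach (var kv in expected)
        {
            string path = Path.Combine(managedDir, kv.Key);
            if (!File.Exists(path) ||
                !string.Equals(Sha256Hex(path), kv.Value, StringComparison.OrdinalIgnoreCase))
                bad.Add(kv.Key);
        }
        return bad;
    }

    // Runtime check: the hash check above never sees an injected assembly,
    // because no file changed. Flag anything loaded that is not on the
    // allowlist, or that has no backing file (assumption: loaded from memory).
    public static List<string> UnexpectedLoaded(ICollection<string> allowedNames)
    {
        var suspects = new List<string>();
        foreach (Assembly asm in AppDomain.CurrentDomain.GetAssemblies())
        {
            string name = asm.GetName().Name;
            string loc;
            try { loc = asm.Location; }
            catch (NotSupportedException) { loc = ""; } // dynamic assemblies
            bool memoryOnly = string.IsNullOrEmpty(loc);
            if (!allowedNames.Contains(name) || memoryOnly)
                suspects.Add(name + " [" + (memoryOnly ? "no file" : loc) + "]");
        }
        return suspects;
    }
}
```

Both checks run inside the same process as any injected code, so their results are best treated as telemetry reported to a server that holds the authoritative game state, not as an enforcement point.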
- Tutorial - How to Hack Unity Games using Mono Injection Tutorial
Download the GuidedHacking Mono Injector from @Truth here:
- Guided Hacking DLL Mono Injector
Other mono injectors:
Harmony
A library for patching, replacing and decorating .NET and Mono methods during runtime - pardeike/Harmony
About
Harmony gives you an elegant and high level way to alter the functionality in applications written in C#. It works great for hacking Unity games and is well established in titles like 7 Days To Die, BattleTech, Besiege, Cities:Skylines, Kerbal Space Program, Oxygen Not Included, Ravenfield, Rimworld, Sheltered, Stardew Valley, Staxel, Subnautica, The Ultimate Nerd Game, Total Miner, Unturned and many more.
It is also used in unit testing WPF controls and in many other areas.
How it works
If you develop in C# and your code is loaded as a module/plugin into a host application, you can use Harmony to alter the functionality of all the available assemblies of that application. Where other patch libraries simply allow you to replace the original method, Harmony goes one step further and gives you:
• A way to keep the original method intact
• Execute your code before and/or after the original method
• Modify the original with IL code processors
• Multiple Harmony patches co-exist and don't conflict with each other
• Works at runtime and does not touch any files
Keep in mind that this is a unit testing framework, which also gives you the option of loading the game DLL and building your own tests around functions as if you were the original developer. In a C/C++ game this would be an absolute dream, because we spend a lot of time trying to figure out how functions work, but when hacking a Unity game, you can write unit tests with your own expected inputs and output and test your theories about how a function works, and whether this is the place you want to add your hack.
Is your unity hack lagging?
Unity game hacking tutorial that has some good tips, by @Erarnitox
- Tutorial - How to Fail Reverse Engineering old Unity Games
Example source code for a hack using mono injection from @SystemX32
- https://guidedhacking.com/threads/unity-engine-scp-secret-laboratories-esp.11647
@Syqao Unity Tutorials
- Tutorial - Unity Game Hacking Tutorial
Extracting Unity Assets such as textures etc...
Additional Unity hacking resources:
TL;DR Version of Guide
- Best method to hack Unity is to code in C# and use mono injection
- Multilevel pointers are shit in Unity, use hooking/pattern scanning instead
- Game logic is usually inside Assembly-CSharp.dll, decompile/edit it with dnSpy
- Cheat Engine has a mono dissector you can use
- Some games use IL2CPP compilation which makes dnSpy and mono injection more difficult
- How to Hack Unity Games using Mono Injection Tutorial - Guided Hacking
- Guided Hacking DLL Mono-Injector