Guide Unity Game Hacking Guide & Tutorials


Rake

Game Name: N/A
Anticheat: N/A
Coding Language: C# Mostly
Hacking Unity games requires a special approach; using native methods is not the best way to approach them. This Unity game hacking tutorial will teach you everything you need to know to get started with this game engine.

TL;DR Version of Guide

Unity Game Hacking Guide

What is Unity?
Unity is a very popular game engine for smaller indie games but there are a lot of larger games that are using it as well. It's cross platform, and games can be released for PC (Windows, OSX, Linux), mobile (Android/iOS), and you can even release them for the browser via WebGL. It's free, makes game development very easy and uses a C# or Javascript scripting engine.

Popular games written in Unity include:

For more details, see Unity (game engine) - Wikipedia and List of Unity games - Wikipedia

Hacking Unity Games is Special
Hacking Unity Games is different than native games. Any game that uses a modern game engine requires a special approach and Unity games are no exception.

When hacking a regular native game you can typically find pointers and offsets and use them easily. The way memory is mapped and the executable is loaded into memory is predictable and follows the same pattern every time; it's just how the PE file format and the Windows loader work. But hacking Unity games is different, because game engines like Unity are large infrastructures that load and run the game logic that the developers of the actual game create. They have their own methods of loading dynamic code and data. Game engines add another layer of abstraction and often utilize a lot of inheritance, overloading and polymorphism, which makes reversing them and writing Unity hacks more difficult.

First thing you will notice is that it is hard to find pointers that work after you restart the game when you're hacking Unity games. For that reason pattern scanning and hooking is typically easier. I don't recommend trying to go after multilevel pointers when writing Unity hacks.

The second thing you will see is that a Unity game's code is located in an Assembly-CSharp.dll module and not in the main EXE. What's good about this is you can easily decompile and modify this file using dnSpy, which is a .NET decompiler/debugger.

Thirdly, because of the way the just-in-time (JIT) assembly works, the functions that you want to hack aren't even going to be converted to x86/x64 until those branches of code are hit. If you want to make a godmode hack, normally you'd want to find all the functions that damage the player and NOP/JMP them out, but when writing a godmode hack for Unity games you need to find where health is stored (dynamically), then trigger each of the functions that damage the player, then scan memory to find them (note they'll be in different locations and probably using different registers each time), and then patch them. A godmode hack isn't going to be fun if the player has to go and damage themselves in various ways every time they restart the game...

All this aside, if you're still thinking of using the native route to hack a Unity game and not using mono injection, please view this thread to understand how much work it is. Thanks @Boboo99 for providing a ton of information on hacking this Unity game:
Solved - How to Hack Secrets of Grindea

Static Analysis
You can statically analyze the game code using a .NET decompiler. You will see the structures and the functions. Keep in mind all the game engine code won't be in there, it's just the game logic. Not all the functions and structs the game uses will be in the Assembly-CSharp.dll. Sometimes it will include all the names of the structures, variables and functions. Other times the developer will strip these out or obfuscate it. Even with the names stripped, it is easy to reverse engineer functions like this. Some disassemblers such as IDA will also allow you to reverse the .NET bytecode, although this won't match up directly with the game in memory as it will be just-in-time (JIT) assembled into x86 code and this will turn up in a different position in memory each time.

IL2CPP Compilation
Some Unity games are using IL2CPP which compiles the game code to C++ then to assembly, which makes decompiling with dnSpy and mono injection impossible. This is more efficient and makes it much more difficult to hack Unity games, so we are seeing more and more games use it. While they're related, hacking il2cpp is slightly different to hacking Unity and it requires different tools.



Learn more from https://docs.unity3d.com/Manual/IL2CPP-HowItWorks.html

If your game is using IL2CPP you don't need a Unity hacking tutorial; it's probably best to just use native game hacking methods. Here is an IL2CPP dumper: Perfare/Il2CppDumper

djkaty/Il2CppInspector

Cheat Engine Mono Dissector
Cheat Engine has basic features to view Unity game data as well. We don't have tutorials for it but here are some from our friends

CheatTheGame Mono Videos

Stephen Chapman Mono Videos

Editing Assembly-CSharp.dll
If the game doesn't have integrity checks, and especially for single player games, you can simply modify the Assembly-CSharp.dll using a decompiler and save it. If the game has integrity checks, which most good multiplayer games will, this will not work. This is a C# DLL with the code for your Unity game, so you'll need to use dnSpy or similar. This approach allows you to write your Unity hacks in C# and compile them back down, and gives you a clean result as long as you can work around any integrity checks.

Mono Injection - the best way to hack unity games
Mono injection is a technique of writing your own C# assembly and injecting it into the game engine; you essentially override game functions with your own functions. It is the equivalent of hooking a function when hacking Unity games: you run your code and the game's original code. It is pretty easy to do. Unlike editing the DLL, you should be able to inject your Unity hacks without triggering any integrity checks in anything on the disk.

Here is an excellent Unity hacking tutorial using mono injection by @Truth
- Tutorial - How to Hack Unity Games using Mono Injection Tutorial

Download the GuidedHacking Mono Injector from @Truth here:
- Guided Hacking DLL Mono Injector

Other mono injectors:

Harmony
A library for patching, replacing and decorating .NET and Mono methods during runtime - pardeike/Harmony

About
Harmony gives you an elegant and high level way to alter the functionality in applications written in C#. It works great for hacking Unity games and is well established in titles like 7 Days To Die, BattleTech, Besiege, Cities:Skylines, Kerbal Space Program, Oxygen Not Included, Ravenfield, Rimworld, Sheltered, Stardew Valley, Staxel, Subnautica, The Ultimate Nerd Game, Total Miner, Unturned and many more.

It is also used in unit testing WPF controls and in many other areas.

How it works
If you develop in C# and your code is loaded as a module/plugin into a host application, you can use Harmony to alter the functionality of all the available assemblies of that application. Where other patch libraries simply allow you to replace the original method, Harmony goes one step further and gives you:

• A way to keep the original method intact
• Execute your code before and/or after the original method
• Modify the original with IL code processors
• Multiple Harmony patches co-exist and don't conflict with each other
• Works at runtime and does not touch any files

Keep in mind that this is a unit testing framework, which also gives you the option of loading the game DLL and building your own tests around functions as if you were the original developer. In a C/C++ game this would be an absolute dream, because we spend a lot of time trying to figure out how functions work, but when hacking a Unity game, you can write unit tests with your own expected inputs and output and test your theories about how a function works, and whether this is the place you want to add your hack.

Is your unity hack lagging?



Unity game hacking tutorial that has some good tips, by @Erarnitox

- Tutorial - How to Fail Reverse Engineering old Unity Games

Example source code for a hack using mono injection from @SystemX32
- https://guidedhacking.com/threads/unity-engine-scp-secret-laboratories-esp.11647

@Syqao Unity Tutorials
- Tutorial - Unity Game Hacking Tutorial

Extracting Unity Assets such as textures etc...
Additional Unity hacking resources:
 
Last edited:
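
The guide contrasts editing Assembly-CSharp.dll on disk, which an integrity check catches, with mono injection, which leaves the files on disk untouched. As an added example (not part of the original post; `AssemblyAudit`, its method names and the shipped-name list are hypothetical), this C# code shows the defender's side of both: a SHA-256 comparison for the file, and an audit of what is actually loaded in the AppDomain.

```csharp
// Added example, not code from the thread. Allow-list contents are assumptions.
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Reflection;
using System.Security.Cryptography;

public static class AssemblyAudit
{
    // Disk check: detects an Assembly-CSharp.dll that was edited and saved.
    public static bool FileMatches(string path, string expectedSha256Hex)
    {
        using (var sha = SHA256.Create())
        using (var fs = File.OpenRead(path))
        {
            string actual = BitConverter.ToString(sha.ComputeHash(fs)).Replace("-", "");
            return string.Equals(actual, expectedSha256Hex, StringComparison.OrdinalIgnoreCase);
        }
    }

    // Memory check: the disk hash still passes when an assembly is loaded at runtime,
    // so report names that were not shipped and shipped names with no backing file.
    public static List<string> UnexpectedAssemblies(ISet<string> shippedNames)
    {
        var findings = new List<string>();
        foreach (Assembly asm in AppDomain.CurrentDomain.GetAssemblies())
        {
            string name = asm.GetName().Name;
            string location = asm.IsDynamic ? "" : asm.Location;
            if (!shippedNames.Contains(name))
                findings.Add(name + ": not in shipped list");
            else if (string.IsNullOrEmpty(location))
                findings.Add(name + ": shipped name but no backing file");
        }
        return findings;
    }

    public static void Main()
    {
        // Constructed baseline for the demo: whatever is loaded right now counts as shipped.
        var shipped = new HashSet<string>(
            AppDomain.CurrentDomain.GetAssemblies().Select(a => a.GetName().Name));
        // Self-test: load a second copy of this assembly from bytes, so it has no file path.
        Assembly.Load(File.ReadAllBytes(typeof(AssemblyAudit).Assembly.Location));
        foreach (string finding in UnexpectedAssemblies(shipped))
            Console.WriteLine(finding);
    }
}
```

Both checks run inside the process they inspect, so a clean result is weak evidence on its own; multiplayer games should keep authoritative state such as health on the server.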

llt2012

I scanned one address, same as the picture below. But when I change the value of the address, the value does not change.

 

Sheesha

You found the wrong address cuz the value could have been stored in many different dynamic addresses.
Try to search with all value types.
Recommended: watch some cheat engine tutorial series for ex. "How to find problematic values with cheat engine"
 

llt2012

Thank you so much.
 

Hype

Also, I wanna tell you that some values are only for information usage for a game.
For example, even if you find a health address and you change it, and after going back to the game you see it didn't change and went back to the previous value, it means that variable is invalid and is only for information usage for the game, not the value that stores health.
 

0xDEC0DE

Help me please
What does "Loader.Unload" do? In the video you press Insert but the string is still printed, so your hack does not unload, I guess.

Does the Injector support unload / eject (FreeLibrary call)? To inject the same DLL again it has to be freed first (all threads stopped and refcount decreased), at least for native DLLs, dunno with mono.
 

zuduhediga

Mono doesn't have FreeLibrary. Cheat unload supported: gamebooster/mono-assembly-injector
 

rec0gn1ze

So I am trying to make a hack on a Unity game. But I have a problem with poor GUI performance. I don't know why, but when I use the GUI class to write text on the screen my FPS suddenly drops from 150 to about 20. Do you know how to solve it, or maybe I should use another way to draw?
 

Rake

can you elaborate on how you are drawing?
 

rec0gn1ze

I am drawing stuff on screen using the default GUI class in Unity ( Unity - Scripting API: GUI )
Some code from esp:
public void OnGUI()
{
    if (playerESP)
    {
        GUI.color = Color.green;
        GUI.Label(ButtonRects.playerEspRect, "Player ESP (Enabled)");
        Player[] players = FindObjectsOfType<Player>();
        for (int i = 0; i < players.Length; i++)
        {
            Player player = players[i];
            Vector3 entityPos = player.currentActor.centerTransform.position;
            Vector3 screenPos = Camera.main.WorldToScreenPoint(entityPos);
            if (screenPos.z > 1f)
            {
                Rect ScreenPos = new Rect(screenPos.x, Screen.height - screenPos.y, 120, 120);
                GUI.color = player.isNeighbor ? Color.red : Color.white;
                GUI.Label(ScreenPos, player.isNeighbor ? "Neighbour" : "Kid");
            }
        }
    }
}

And this shit is very laggy: with ESP disabled this game runs at about 150 fps, but with ESP the fps drops to 30 fps and lower.
 

Rake

I'm not your friend
Administrator
Jan 21, 2014
12,959
78,998
2,463
looks cool, but I don't know the cause of your issue.

You could make it a bit more efficient by not making a copy of players[i] and instead just accessing it directly via players[i]

Maybe don't call WorldToScreenPoint() unless they are alive might help too, idk just a few thoughts I had. Might make a small difference at least
 

mambda

Unity is kinda garbage.
Constantly calling FindObjectsOfType is bad, and all the functions like it. Only call those every once in a while (5-10s), the players themselves won't leave/join that quickly.

Likewise, every time you call "camera.main" it's actually a Unity call for GetCamera().GetTransform(), which has (surprisingly) led to some insane FPS drops myself when I coded for Rust.

Cache the camera, cache the players, enjoy your FPS

https://guidedhacking.com/threads/unity-game-hacking-guide-tutorials.12579/
 