Hypn.za.net
Hacking, Coding and Gaming | @[email protected]
December 30, 2022
Game Hacks - OpenGL Wall Hacks

A YouTube channel called "Cheat The Game" has a video on creating a "Wall Hack" using Cheat Engine (which is a particularly useful type of hack in multiplayer first person shooter games). The video:

A key element in this wall hack is the OpenGl glDepthFunc() function - used for checking how far away an object is from the player. This function takes in a "depth comparison function" argument which is used to determine whether or not to render stuff - such as enemies. If you're able to pass in a different argument (GL_ALWAYS) it may render things it wouldn't normally.

With this knowledge I made a quick and dirty wall hack for OpenGL Quake 1, using the Steam version of Quake and manually running glquake.exe in the game's folder:

  • with the game running open Cheat Engine (hint: you may want to run glquake.exe -window to avoid it messing with your desktop resolution)
  • have Cheat Engine open glquake.exe
  • click the Memory View button on the near the bottom left (you'll probably need Cheat Engine 7.3 or higher)
  • select the View menu then Enumerate DLL's and Symbols
  • search for opengl32.glDepthFunc (CTRL+F)
  • double click on the result
  • right click and Break and trace and allow it to attach the debugger
  • when it's finished scanning, right click on the results and choose Expand all
  • scroll down a little to the first glquake.exe result, below the OPENGL32.glDepthFunc results - this is the Quake code just after the OpenGL code
  • double click on it (it should be glquake.exe+FFFF8 - fld dword ptr [glquake.exe+430c70]) to view the code
  • two lines above this is push 00000203, this number is the GL_LEQUAL "depth-comparison function" argument that is passed to the glDepthFunc() function
  • double click this line to change it to push 00000207 (so GL_ALWAYS is used, as shown in the video)

Now stuff is rendered that wouldn't normally be visible:

I did say this was a quick and dirty hack... ideally only enemy and player models should be rendered, rather than all parts of the level, but this is just a global patch to force everything to render.

This can also be done as a Cheat Engine address/table and saved for re-use later without having to repeat the above steps:

The full line of the code changed is:

glquake.exe+FFED - 68 03020000           - push 00000203

The address is given (glquake.exe+FFED), the code starts with the byte 68 (which is the push instruction), the second byte is the 03 (part of the 0x203) which gets changed to 0x07 for the above to work. The address to add in Cheat Engine is the address above plus 1 byte (to skip over the push), giving us glquake.exe+FFEE.

Adding this in Cheat Engine as a single byte should show its value as 3, which can then be changed to 7 to apply the hack, and back to 3 to undo it.

The above can also be done in Quake 3:

Though the YouTube covers "Return to Castle Wolfenstein" which is based on the Quake 3 engine, so the same enemies-only wall hack should be similar.