A glimpse of memory

I spent almost 12 hours yesterday plowing through the game memory, trying to figure out specifically how the Town data was encoded. It ended up being quite an archetypal example of how game hacking is done. I will try to explain a bit about it.

First the tools of the trade. I use:

Cheat Engine is a super powerful memory editing tool that can access any process running on your PC.

Google Sheets is used for two reasons: (i) calculator and (ii) database. Since you need to switch between decimal and hexadecimal like a madman, and perform various calculations on those values, a calculator is of course essential. A spreadsheet is a very powerful calculator. Whenever you find out something useful, you also need to jot it down, and this is where the database comes in. It is basically a table of useful locations in the game that you can quickly access.

Visual Studio is only needed to create the final software program.

Why Visual Studio?
Well mostly because it exposes the Windows API in a convenient way. I tend to code in VB.net.

Why VB.net and not C#?
Well many reasons. It is my native programming language and I am rather nostalgic about BASIC. I developed quite some experience in EXCEL programs in VB6. And why not?

The process of hacking the game starts with Cheat Engine. You simply attach the process from the drop-down list and then start searching the process memory. There are two basic ways to search: either for (i) a known value or (ii) an unknown value.

Known value is the simplest. You may know your Hero has 3 Intelligence. You may also know that when you next level up it will go to 4 Intelligence. You can then simply do a new scan for a byte equal to 3 (and you will get many thousand hits, since there are a lot of things equal to 3 throughout the entire game). However, when you level up and the Intelligence changes to 4 you can simply scan next for something equal to 4, and if you are lucky you get 1 hit. You can then browse to that memory location and change it to 99 (= 63h).

Unknown value requires more patience. Take a look at your movement bar on your hero. Well it might be “full” but you have no idea what “full” is numerically. All you know is that when you move it gets lower. You can then search for something with an “unknown initial value” and then search over and over again for lower values each time you move. When you start a new day you can search for a value that is higher. This takes much more time because by coincidence there might be several hundred other things going up and down in the same pattern.

The nice thing about HOMM3 is that you can also search for “strings” rather than “bytes”. You can simply search for “Solmyr” and you get 3 hits. One of them is “Solmyr” Hero data. Again you can browse the memory at that location.

But what do all those numbers mean?

It is a bit like Matrix code at first glance. But pretty soon you start to notice patterns. Go back to the example of the Intelligence byte that we found and set to 99 earlier. You may notice that the 3 bytes adjacent to the “Intelligence Byte” are equal to 0, 0 and 2 respectively. A quick check of the game tells you that your Attack, Defense and Power are equal to 0, 0 and 2 respectively. You change the 2 to 99 and your Power increases to 99. You have found all your Stats by association.

The developers of any game have a logic in regard to how it is structured. It makes sense to group values together in memory as they are grouped together in the game. This makes it much easier for the developers to track and plan the game architecture.

Small numbers are usually safe to toggle randomly. If you find a “5” you can toggle it to a “6” and see what changes in the game. You might inadvertently alter your Hero class, your Hero’s specialty or your movement bar.

Since all the heroes are sequential in memory, you can arrange the memory map so you can see both heroes simultaneously and compare values for both to try to figure out what the bytes correspond to. This goes equally for Player and Town data too.

So basically you play “spot the difference” whilst trying to make some logical, intuitive changes to the game’s memory.

Every once in a while the game will crash because you corrupted the memory, but mostly (fortunately) the game does not object to the manipulation.

Sadly, for every scenario or campaign you start, the values will sit at slightly different places in memory. So you cannot return to the same location in memory again by absolute address. You need another way to find it.

What you need is a “marker”.

A “marker” is a value that is always present, always unique and always sits at a specific offset from the value you want. A marker makes it easy to find that value again. With Hero data this is simple, since the heroes are listed by Name and they always follow the same sequence. You can simply scan for “Solmyr” and, for each hit, look 1169 bytes (the size of the Hero data slot) further down for the value “Cyra”. When you have this, you know you have found Solmyr’s Hero data.

With the towns this is trickier. All the Town data blocks contain the string “<x”, but there are thousands of “<x” in memory. Evidently it is a common developer’s block flag. The useful thing about Town data, similar to Hero data, is that it is sequential in memory. Each Town data block is 360 bytes, just like each Hero data block is 1169 bytes. You can calculate this by subtracting the addresses of the first letter of the Hero names for Hero data, or by subtracting the addresses of the “<” of two consecutive “<x” occurrences for the Town data.

It’s like a jigsaw puzzle. You need to find the edges first and then fill in the centre.

So when you find “<x” in memory and then 360 bytes later there is another “<x”, you have found the Town data. Once you have the relative address of the marker, you can apply the offsets you recorded and find all the values you already discovered waiting for you.
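As an added illustration of the marker rule from the Hero and Town passages above (example code written for this page, not the post’s own VB.net program), the scanner below runs over a constructed byte buffer instead of live process memory. The 1169-byte hero stride, the 360-byte town stride and the “<x” flag come from the post; the 8 KB buffer, the stray decoy hits and the stat offset of 40 bytes inside a hero slot are assumptions chosen for the example.

```python
# Strides and marker measured in the post; STAT_OFFSET is a hypothetical
# position inside a hero slot, chosen for this example only.
HERO_STRIDE = 1169
TOWN_STRIDE = 360
TOWN_MARKER = b"<x"
STAT_OFFSET = 40          # Attack, Defense, Power, Intelligence (assumed)


def build_sample_memory():
    """Constructed stand-in for a process memory dump (not real game data)."""
    buf = bytearray(8192)
    for i, name in enumerate((b"Solmyr", b"Cyra")):   # two hero slots back to back
        slot = 100 + i * HERO_STRIDE
        buf[slot:slot + len(name)] = name
        buf[slot + STAT_OFFSET:slot + STAT_OFFSET + 4] = bytes([0, 0, 2, 3])
    buf[6000:6006] = b"Solmyr"           # stray string hit, not a hero record
    buf[3000:3002] = TOWN_MARKER         # stray block flags, not 360 bytes apart
    buf[3100:3102] = TOWN_MARKER
    for i in range(3):                   # three consecutive town records
        slot = 4000 + i * TOWN_STRIDE
        buf[slot:slot + 2] = TOWN_MARKER
    return bytes(buf)


def find_all(buf, needle):
    """Every offset at which needle occurs in buf."""
    hits, start = [], 0
    while (i := buf.find(needle, start)) >= 0:
        hits.append(i)
        start = i + 1
    return hits


def find_hero_slot(buf, name, next_name, stride=HERO_STRIDE):
    """A name hit is the real hero record only if the next hero's name
    sits exactly one slot further on (the post's Solmyr/Cyra rule)."""
    for i in find_all(buf, name):
        if buf[i + stride:i + stride + len(next_name)] == next_name:
            return i
    return None


def find_town_slots(buf, marker=TOWN_MARKER, stride=TOWN_STRIDE):
    """Marker hits with another marker exactly one stride before or after
    are town records; the thousands of other "<x" flags are discarded."""
    hits = set(find_all(buf, marker))
    return sorted(i for i in hits if i + stride in hits or i - stride in hits)


def read_stats(buf, slot):
    """Attack, Defense, Power, Intelligence at the assumed offset in a slot."""
    return tuple(buf[slot + STAT_OFFSET:slot + STAT_OFFSET + 4])
```

With the relative slot address in hand, the recorded offsets (here only the assumed stat bytes) are applied on top of it, which is exactly why the absolute address no longer matters.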

Happy hunting!

A point of view

Ok, I am already on version 0.10. Time flies! I will try to bring you up to speed on what has been going on and where the development is going.

I am starting to get familiar with the game memory. There are 3 main areas of interest:

  • Player data
  • Town data
  • Hero data

Player data is where your basic information is stored. If you ever played multiplayer, your multiplayer name can be found here. It also lists the heroes in your party, the next two heroes you can buy from the tavern and the towns you control, along with your resources and gold. There is space for a maximum of 8 players.

Town data is where the game places information on all the towns on the current map. Here you can see the town type, the owner, whether it has been upgraded today, the garrison and visiting heroes, the town name*, the town state (the type of each building) and the spells in the Mage’s Guild. There is space for a maximum of 23 towns per map.
*note: the name itself is not stored here; what is stored is the 4-byte address where the name can be found in memory. That was a bit tricky of the developers!

Hero data is where the game stores information on the state of each hero, whether they are in the current game or not. Here you can find the hero class, specialty, stats, level, spell points, XP, secondary skills, the creatures in their army, the artifacts in their possession and the spells they know. There are 156 heroes.

I started the software from a “Herocentric” view. First looking at the Hero data, reading values and finally overwriting values.

Now it seems more obvious to look from a “Playercentric” view. This seems logical since Players own Heroes. Also Heroes themselves do not own resources, gold and towns, the Player does.

This inevitably means that I will need to re-architect the GUI to show the Player data in the first instance, and from there show the Hero and Town data that is selected.

The other alternative is a “Mapcentric” view. The Map has the towns and the Players own towns on the map. From the map point of view, you could list all the Towns and Players on the map, then finally all the Heroes in the possession of Players or in a Player’s town. I was considering this as a secondary view: a kind of “Spy mode” similar to when you visit the Thieves’ Guild. Here you could drill down through the Map > Player > Hero hierarchy until you can see exactly which creatures your opponent, sitting so stoically on his horse just outside your town, possesses (and perhaps take away a few of his stronger creatures by overwriting them).

For now I will transition the software to a “Playercentric” view and reflect on whether that feels the most practical.

Introducing the Author

Were you one of those kids that wanted to look “behind” a computer game and discover how they “did it”? I was.

When I was 7 years old, my grandfather had a Sinclair ZX Spectrum +2 (yes I am that old). He had various games, but the one we liked the most was similar to Gold Mine (the actual name eludes me) where there was a cyan-colored man, a magenta-colored monster, and a green field covered with rocks and gold nuggets.

What was truly amazing about this particular game is that my Grandfather had the BASIC source code. When my father bought a Spectrum +3, of course, I wanted the game. My grandfather lovingly transcribed the entire source code onto about 6 sides of A4 paper and handed it to me. I was truly amazed: somehow, somewhere, amongst all those quotation marks, commas, numbers and letters lived the game I loved so much.

My father and I typed it out, compiled it and executed… and the game lived on our +3. Only it was not quite “right”. Sometimes I could pass through the monster, rather than him catching me. My father and I had introduced a “bug” and in doing so invented our first “cheat”. We checked my grandfather’s hand written code for a mistake, we checked the original game code on my grandfather’s +2, but we never found the error.

I spent hours looking for the bug. First, I edited the code at random, and then as I started to understand how it worked, I edited it methodically. I changed the man’s color, I exchanged his sprite with the monster’s, I changed many things. In the end I spent more time editing the game than actually playing it.

And so started a tradition of hacking video games that has been with me my whole life.

As video games became more sophisticated and the hardware more advanced, the tools I used to hack them evolved too. I had a Sega Genesis and a Game Genie, but I was limited by waiting for new codes to be invented. I had a Sony Playstation and a 5th Generation Action Replay, and now I could search the game’s memory and create my own codes, but I was limited by the Assembly-like syntax afforded by the Action Replay code types.

Oh, but I was happy!

My greatest love was Final Fantasy VII. I do not know how many hundreds of hours I spent editing it. In the end I probably knew the memory map better than the original developers.

Time moved on and I got a Microsoft Xbox and was reduced to simple save-game editing and later modding the OS. But once online gaming became the new thing and I had an Xbox 360, I thought my hacking days were over… I played the games and there would always be modders (I honestly never modded on 360) and the games would be no fun. Be it “homing head shots” on Halo or “infinite life” on Tekken 5, I understood that cheating and online gaming do not mix.

Where could I go?

What could I do?

I felt like the world had stolen my love of hacking video games and left me behind.

There was a formula. It needs to be an offline solo game against computer opponents to be fun. It was basically: (offline solo game) + (hacking) = (fun).

In 2013, I finally turned my back on games consoles forever and entered the world of PC gaming. I had, of course, owned various emulators to “rediscover my lost youth” and replay all my favorite games. But this was the first time I started playing actual PC games. And of course hacking PC games with the help of Cheat Engine.

And where did I start?

Final Fantasy 7 PC.

The developers had given the whole game a makeover, but the memory map was still practically the same as the Playstation version. With a few offsets I could find the addresses to apply my favorite hacks: “Super Buster Sword”, “1 AP Level Up Materia” – well, they are self-named, but you get the idea.

Now in 2019, my girlfriend told me about her favorite video game from her youth: Heroes of Might and Magic III (HOMM3). The battle system is similar to Final Fantasy 7 but the game play and story are totally different. Feeling whimsical and nostalgic, we decided to download the complete version on Saturday evening around 21:00 and start playing.

By Monday morning around 08:00, we had each managed a total of about 12 hours sleep and 23 hours gaming. Well, she was gaming. I was wearing out my ALT and TAB keys bouncing back between the game and the Cheat Engine windows.

I edited my gold and resources. Then I edited my hero’s army, secondary skills, stats, artifacts and finally spells. I also edited movement distance to infinite but found it ruined the rhythm of the game so deactivated it.

It was sooooo much fun, but at the start of every campaign or scenario I would have to scroll through the memory map again and edit all those HEX values manually. And so it went on and on, over and over. 15-20 minutes of memory editing followed by 1-4 hours of game play. Plus from the ironic remarks of my girlfriend, I could tell she was actually jealous. She wanted to participate in the fun too.

I made a decision on Tuesday to create a little program to apply all the memory edits for me. A simple Windows executable written in Visual Basic .NET. I could now apply all my hacks in <1 minute. What’s more, I could share my program with my girlfriend and she could benefit from it too.

After the slap in the face presented to me by online gaming modders, I was delighted to have the ability to contribute to the world of gaming in a constructive way. I quickly made the decision to share my program and my experiences writing it with the world at large. And so here we are on Thursday morning, a mere 2 days later, and I have a surprise for you.

Here you go and over to you. Whether you want to give yourself a single spell or artifact, or all of them, or anywhere in between… the choice is yours. I hope you derive as much pleasure from using my software, as I derived from writing it:

Grab your copy from Downloads
