The latest articles on DEV Community by StealthC (@stealthc). https://dev.to/stealthc https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F632906%2F43662a80-9ac0-408f-b80a-463af352604f.jpeg https://dev.to/stealthc en StealthC Wed, 28 May 2025 17:48:12 +0000 https://dev.to/stealthc/en-gatonauta-gamedevtv-gamejam-2025-experience-2ppe https://dev.to/stealthc/en-gatonauta-gamedevtv-gamejam-2025-experience-2ppe <p>Translation: Este artigo também está <a href="https://dev.to/stealthc/pt-br-gatonauta-experiencia-do-gamedevtv-gamejam-2025-3f45">disponível em Português</a></p> <p>I decided to join the GameDev.tv game jam (<a href="https://itch.io/jam/gamedevtv-jam-2025" rel="noopener noreferrer">GameDev.tv Game Jam 2025 - Free Course For All Submissions! - itch.io</a>), which is a great choice for anyone getting started with game development. The community is very welcoming, mostly made up of students and beginners, and there's a lot of active and constructive feedback exchange. Also, everyone who submits a game gets a free course, which is an amazing perk if you’re just starting out!</p> <p>This is a 10-day jam, and the chosen theme was <strong>"Tiny World"</strong>. Last year, I joined with a game called <a href="https://stealthc.itch.io/gataria" rel="noopener noreferrer">Gataria by StealthC</a>, made for the theme <strong>"Last Stand"</strong>, and it got a lot of positive feedback. I already knew I wanted to make another game with a cat protagonist, and as soon as the theme was announced, I started thinking about how to make it fit.</p> <p>This time, I decided to go big. Way bigger than <em>Gataria</em>. I knew I was risking not finishing in time, especially since most of the 10 days were weekdays and I had to balance it with my regular job.</p> <h2> Choosing Tools and Initial Scope... </h2> <p>My idea was to make a game focused on <strong>survival, exploration, and crafting</strong>, heavily inspired by games like <em>Factorio</em> and <em>Forager</em>. I also wanted to implement a gravity mechanic on small planets, something like <em>Super Mario Galaxy</em>, but in 2D.</p> <p>I chose to use Godot Engine (went all in with the beta version 4.5 dev3), which I know pretty well and lets me develop quickly. Its Web builds are lightweight and perfect for game jams, and the community is super active, which helps a lot when solving problems.</p> <p>One thing I hadn’t done before, but decided to try this time, was setting up a CI pipeline using GitHub. That way, every time I pushed to the main branch, the game would be automatically built and uploaded to Itch.io. It helped me track progress, get testers earlier, and catch bugs faster.</p> <p>Here’s the workflow I used (if you want to try it yourself, remember to adapt the keys and the Godot version to your own project):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Export and Upload to Itch.io</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">main</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">build-and-deploy</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout repository</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Export Godot project</span> <span class="na">id</span><span class="pi">:</span> <span class="s">export</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">firebelley/godot-export@v6.0.0</span> <span class="na">with</span><span class="pi">:</span> <span class="na">godot_executable_download_url</span><span class="pi">:</span> <span class="s">https://github.com/godotengine/godot-builds/releases/download/4.5-dev4/Godot_v4.5-dev4_linux.x86_64.zip</span> <span class="na">godot_export_templates_download_url</span><span class="pi">:</span> <span class="s">https://github.com/godotengine/godot-builds/releases/download/4.5-dev4/Godot_v4.5-dev4_export_templates.tpz</span> <span class="na">relative_project_path</span><span class="pi">:</span> <span class="s">./</span> <span class="na">archive_output</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">cache</span><span class="pi">:</span> <span class="kc">true</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Upload to Itch.io</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">Ayowel/butler-to-itch@v1</span> <span class="na">with</span><span class="pi">:</span> <span class="na">butler_key</span><span class="pi">:</span> <span class="s">${{ secrets.ITCHIO_API_KEY }}</span> <span class="na">itch_user</span><span class="pi">:</span> <span class="s">YOUR_ITCHIO_USERNAME</span> <span class="na">itch_game</span><span class="pi">:</span> <span class="s">YOUR_GAME_NAME</span> <span class="na">version</span><span class="pi">:</span> <span class="s">${{ github.ref_name }}</span> <span class="na">files</span><span class="pi">:</span> <span class="s">${{ steps.export.outputs.archive_directory }}/Web.zip</span> </code></pre> </div> <h2> A Pretty Ambitious Concept... </h2> <p>From the start, it was clear the scope would be a challenge. I wanted the game to include:</p> <ul> <li>A <strong>survival system</strong>, with hunger and resource management</li> <li> <strong>Combat</strong> and action elements</li> <li> <strong>Dungeons</strong>, for exploration and extra challenges</li> <li>A <strong>grappling hook</strong>, to attach to asteroids or pull objects</li> <li> <strong>Localization</strong>, so it could be played in English and Portuguese</li> </ul> <p>With that scope, a playthrough would take a while. So a save system was a must. I started building that first, which took me almost an entire day, plus time to plan the overall structure of the game.</p> <p>Here’s my initial sketch and the AI-generated version:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fitjbmqzzrh225m9od017.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fitjbmqzzrh225m9od017.png" alt="Image description" width="800" height="1144"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbt9f4h0ad4d22hz731wr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbt9f4h0ad4d22hz731wr.png" alt="Image description" width="800" height="1200"></a></p> <h2> Reinventing Gravity From Scratch... </h2> <p>On day two, I tackled one of the biggest technical challenges: movement with gravity on planetoids. It sounded easy in theory: just make gravity point toward the planet’s center. In practice... not that simple.</p> <p>The solution I found was to calculate all movement (walking, jumping, gravity) as if it were a regular 2D Cartesian plane. Only at the end did I rotate the final movement vector to align it with the planet’s surface. It ended up feeling pretty smooth and intuitive.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight gdscript"><code><span class="k">if</span> <span class="n">is_on_floor</span><span class="p">():</span> <span class="n">_local_velocity</span><span class="o">.</span><span class="n">x</span> <span class="o">=</span> <span class="n">input_x</span> <span class="o">*</span> <span class="n">current_planet</span><span class="o">.</span><span class="n">side_velocity</span> <span class="k">else</span><span class="p">:</span> <span class="n">_local_velocity</span><span class="o">.</span><span class="n">x</span> <span class="o">=</span> <span class="nb">lerp</span><span class="p">(</span><span class="n">_local_velocity</span><span class="o">.</span><span class="n">x</span><span class="p">,</span> <span class="n">input_x</span> <span class="o">*</span> <span class="n">current_planet</span><span class="o">.</span><span class="n">side_velocity</span> <span class="o">/</span> <span class="mf">2.0</span><span class="p">,</span> <span class="mf">0.1</span><span class="p">)</span> <span class="c1"># Smooth air control</span> <span class="o">...</span> <span class="k">var</span> <span class="n">gravity_center</span> <span class="o">=</span> <span class="n">current_planet</span><span class="o">.</span><span class="n">global_position</span> <span class="k">var</span> <span class="n">direction_to_center</span> <span class="o">=</span> <span class="p">(</span><span class="n">gravity_center</span> <span class="o">-</span> <span class="n">global_position</span><span class="p">)</span><span class="o">.</span><span class="n">normalized</span><span class="p">()</span> <span class="o">...</span> <span class="k">var</span> <span class="n">target_rotation</span> <span class="o">=</span> <span class="n">direction_to_center</span><span class="o">.</span><span class="n">angle</span><span class="p">()</span> <span class="o">-</span> <span class="bp">PI</span> <span class="o">/</span> <span class="mf">2.0</span> <span class="o">...</span> <span class="k">var</span> <span class="n">local_rotated</span> <span class="o">=</span> <span class="n">_local_velocity</span><span class="o">.</span><span class="n">rotated</span><span class="p">(</span><span class="n">target_rotation</span><span class="p">)</span><span class="o">.</span><span class="n">normalized</span><span class="p">()</span> <span class="o">*</span> <span class="nb">abs</span><span class="p">(</span><span class="n">_local_velocity</span><span class="o">.</span><span class="n">x</span><span class="p">)</span> <span class="n">velocity</span> <span class="o">=</span> <span class="n">local_rotated</span> <span class="n">velocity</span> <span class="o">+=</span> <span class="n">_gravity_velocity</span><span class="o">.</span><span class="n">rotated</span><span class="p">(</span><span class="n">target_rotation</span><span class="p">)</span> <span class="n">velocity</span> <span class="o">+=</span> <span class="n">_jetpack_velocity</span><span class="o">.</span><span class="n">rotated</span><span class="p">(</span><span class="n">global_rotation</span><span class="p">)</span> <span class="n">move_and_slide</span><span class="p">()</span> </code></pre> </div> <p>The game has two basic physics modes:</p> <ol> <li>On planets: with gravity and lateral movement</li> <li>In space: no gravity, fixed camera, and free rotation + propulsion</li> </ol> <p>Of course, problems came up. In Web builds, physics started acting weird: probably due to floating point precision loss. After a lot of trial and error, I found that using <strong>square collision</strong> for the player and <strong>circle collision</strong> for planets fixed a bunch of it. Using capsules or circles for the player caused a strange bug: moving faster to one side, which got worse over time.</p> <h2> Racing Against Time and Using AI </h2> <p>For the next five days, I spent my daytime working, and only had time to work on the game late at night, usually already exhausted and not thinking straight. So I focused on building <strong>assets</strong>: sprites, planets, items, sounds, music, etc.</p> <p>And that’s when I hit a hot topic: using <strong>AI to create assets</strong>.</p> <p>Yeah, it’s a controversial subject in game dev, and for good reason. AI tools have become really powerful, especially for solo devs or small teams, which is basically the case in most game jams. When time is short and you don’t have all the skills needed (art, sound, music...), AI can be a huge help.</p> <p>I’m not a professional artist. Creating all assets from scratch: sprites, sound effects, music, UI... just wouldn’t be realistic in a few days. So yes, I used AI tools to speed things up.</p> <p>But I believe it’s important to think about how and why we use AI. It shouldn’t replace human creativity (at least not right now), but extend it. I used it to bring my ideas to life: rough sketches, textures, sounds. Almost everything needed editing, rework, adjustments to fit the game’s style.</p> <p>In that sense, AI is just another tool, like a sound effect generator, for example, <a href="https://sfxr.me/" rel="noopener noreferrer">jsfxr - 8 bit sound maker</a>, which I also used. It helps turn ideas into something playable, especially when you’re stuck on skills you don’t have.</p> <p>Of course, I also understand the criticism. There are valid concerns around how models are trained (often using artists’ work without consent) and how it affects the creative industry.</p> <p>To me, the biggest problems aren’t about the AI itself, but how the entire system around it is structured: tech monopolies, business models, etc. It’s a deeper issue.</p> <p>In the context of a game jam, where we’re prototyping, learning, experimenting... I see AI use as totally valid, as long as you’re being conscious, honest, and transparent. The rules of this jam even mention that.</p> <p>Still, as devs, I think we should keep asking questions and thinking about how to build a space where these tools can exist ethically and fairly, helping everyone: artists, developers, and players.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fthttvhremyvc89wkdyjr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fthttvhremyvc89wkdyjr.png" alt="Image description" width="800" height="800"></a></p> <h2> The Development of Gatonauta: Racing the Clock </h2> <p>Back to development: during this period, I created the first planet assets, the character, some items, and resources, but nothing was functional yet. It wasn’t until around day seven that I finally managed to finish crucial systems like inventory and resource collection. By then, I had already scrapped several parts of my initial scope:</p> <ul> <li> <strong>Survival</strong>: In the context of my idea, survival was just another layer. If the game core wasn’t even ready, that layer would only get in the way.</li> <li> <strong>Combat</strong>: Sadly, combat systems weren’t going to happen with so little free time. Maybe next time.</li> <li> <strong>Grappling Hook</strong>: This was scrapped along with space mining, but it would’ve been super cool to have.</li> <li> <strong>Dialogues</strong>: I had a whole story planned involving the Gatonaut and his sidekick, CatGPT (the little drone that flies around breaking stuff).</li> <li> <strong>Dungeons</strong>: Another idea dropped due to time constraints.</li> </ul> <p>I focused on getting the basics working: movement, resource gathering, crafting, and building. Plus, the planet exploration part. I needed the game to at least have a complete gameplay loop. So I decided to go for a single simple goal: fix the spaceship. To do that, the player needs to craft three different parts. I planned the recipes for those parts and designed the steps to get them. Nothing overly complex, just enough to be fun for most players without requiring a grind.</p> <p>I tried my best to make things modular using Godot’s signals, so the game would be easy to expand. In practice, if I wanted to add more resources, nodes, or structures, I just needed to create new instances using the existing logic, data, and textures.</p> <p>All recipes, crafting, and upgrades are defined with simple dictionaries. Sometimes I use special objects for recipes, but they still rely on dictionaries under the hood:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight gdscript"><code><span class="c1">## Structure costs dictionary</span> <span class="k">const</span> <span class="n">STRUCTURE_COST</span><span class="p">:</span> <span class="kt">Dictionary</span><span class="p">[</span><span class="kt">String</span><span class="p">,</span> <span class="kt">Dictionary</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span> <span class="s2">"FURNACE"</span><span class="p">:</span> <span class="p">{</span> <span class="s2">"COBBLESTONE"</span><span class="p">:</span> <span class="mi">10</span> <span class="p">},</span> <span class="s2">"STORAGE"</span><span class="p">:</span> <span class="p">{</span> <span class="s2">"COBBLESTONE"</span><span class="p">:</span> <span class="mi">5</span><span class="p">,</span> <span class="s2">"WOOD"</span><span class="p">:</span> <span class="mi">5</span><span class="p">,</span> <span class="s2">"CHARCOAL"</span><span class="p">:</span> <span class="mi">5</span> <span class="p">},</span> <span class="s2">"WORKBENCH"</span><span class="p">:</span> <span class="p">{</span> <span class="s2">"COBBLESTONE"</span><span class="p">:</span> <span class="mi">10</span><span class="p">,</span> <span class="s2">"WOOD"</span><span class="p">:</span> <span class="mi">5</span><span class="p">,</span> <span class="s2">"GEAR"</span><span class="p">:</span> <span class="mi">2</span> <span class="p">},</span> <span class="s2">"3D_PRINTER"</span><span class="p">:</span> <span class="p">{</span> <span class="s2">"BAR"</span><span class="p">:</span> <span class="mi">10</span><span class="p">,</span> <span class="s2">"CHARCOAL"</span><span class="p">:</span> <span class="mi">5</span><span class="p">,</span> <span class="s2">"GEAR"</span><span class="p">:</span> <span class="mi">30</span> <span class="p">},</span> <span class="p">}</span> <span class="c1">## Structure prefab dictionary</span> <span class="k">const</span> <span class="n">STRUCTURE_PREFAB</span><span class="p">:</span> <span class="kt">Dictionary</span><span class="p">[</span><span class="kt">String</span><span class="p">,</span> <span class="n">PackedScene</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span> <span class="s2">"FURNACE"</span><span class="p">:</span> <span class="nb">preload</span><span class="p">(</span><span class="s2">"res://scenes/structures/furnace.tscn"</span><span class="p">),</span> <span class="s2">"3D_PRINTER"</span><span class="p">:</span> <span class="nb">preload</span><span class="p">(</span><span class="s2">"res://scenes/structures/3d_printer.tscn"</span><span class="p">),</span> <span class="p">}</span> <span class="k">const</span> <span class="n">STRUCTURE_RECIPES</span><span class="p">:</span> <span class="kt">Dictionary</span><span class="p">[</span><span class="kt">String</span><span class="p">,</span> <span class="kt">Array</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span> <span class="s2">"FURNACE"</span><span class="p">:</span> <span class="p">[</span> <span class="nb">preload</span><span class="p">(</span><span class="s2">"res://scripts/data/recipes/charcoal.tres"</span><span class="p">),</span> <span class="nb">preload</span><span class="p">(</span><span class="s2">"res://scripts/data/recipes/bar.tres"</span><span class="p">)</span> <span class="p">],</span> <span class="s2">"DAMAGED_SHIP"</span><span class="p">:</span> <span class="p">[</span> <span class="nb">preload</span><span class="p">(</span><span class="s2">"res://scripts/data/recipes/fix-ship.tres"</span><span class="p">),</span> <span class="p">],</span> <span class="s2">"3D_PRINTER"</span><span class="p">:</span> <span class="p">[</span> <span class="nb">preload</span><span class="p">(</span><span class="s2">"res://scripts/data/recipes/ship-piece-1.tres"</span><span class="p">),</span> <span class="nb">preload</span><span class="p">(</span><span class="s2">"res://scripts/data/recipes/ship-piece-2.tres"</span><span class="p">),</span> <span class="nb">preload</span><span class="p">(</span><span class="s2">"res://scripts/data/recipes/ship-piece-3.tres"</span><span class="p">),</span> <span class="p">]</span> <span class="p">}</span> <span class="k">const</span> <span class="n">UPGRADES_RECIPES</span><span class="p">:</span> <span class="kt">Dictionary</span><span class="p">[</span><span class="kt">String</span><span class="p">,</span> <span class="kt">Dictionary</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span> <span class="s2">"FIX_JETPACK"</span><span class="p">:</span> <span class="p">{</span> <span class="s2">"GEAR"</span><span class="p">:</span> <span class="mi">5</span> <span class="p">},</span> <span class="s2">"PLANETOID_INDICATOR"</span><span class="p">:</span> <span class="p">{</span> <span class="s2">"WOOD"</span><span class="p">:</span> <span class="mi">5</span><span class="p">,</span> <span class="s2">"COBBLESTONE"</span><span class="p">:</span> <span class="mi">5</span><span class="p">,</span> <span class="s2">"CHARCOAL"</span><span class="p">:</span> <span class="mi">10</span><span class="p">,</span> <span class="p">},</span> <span class="s2">"BETTER_JETPACK"</span><span class="p">:</span> <span class="p">{</span> <span class="s2">"CHARCOAL"</span><span class="p">:</span> <span class="mi">10</span><span class="p">,</span> <span class="s2">"COBBLESTONE"</span><span class="p">:</span> <span class="mi">10</span><span class="p">,</span> <span class="p">},</span> <span class="s2">"FASTER_HARVEST"</span><span class="p">:</span> <span class="p">{</span> <span class="s2">"WOOD"</span><span class="p">:</span> <span class="mi">15</span><span class="p">,</span> <span class="s2">"COBBLESTONE"</span><span class="p">:</span> <span class="mi">15</span><span class="p">,</span> <span class="s2">"GEAR"</span><span class="p">:</span> <span class="mi">25</span> <span class="p">},</span> <span class="s2">"MORE_RESOURCES"</span><span class="p">:</span> <span class="p">{</span> <span class="s2">"ORE"</span><span class="p">:</span> <span class="mi">20</span><span class="p">,</span> <span class="s2">"GEAR"</span><span class="p">:</span> <span class="mi">15</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>I wish I had polished the UI more, but I realized that every time I added a new feature, I spent way too long finishing it. This made it clear how inexperienced I am with Godot’s UI system. So I decided to keep it simple but functional. No fancy icons or effects... just text. The goal was to make sure players understood what to do and how to do it, even if it wasn’t the prettiest.</p> <p>I spent day nine testing and fixing bugs, prepared a credits screen, and wrapped up the game. On day ten, I had work, so I could only fix a few last-minute bugs.</p> <h2> Conclusion </h2> <p>Joining this jam was, without a doubt, an amazing experience. I learned so much, tried out ideas I had shelved for a long time, like planet gravity, continuous integration, and even using AI more seriously in my workflow.</p> <p><em>Gatonauta</em> ended up being far from what I originally dreamed, but that’s not necessarily a bad thing. Part of the process is understanding your limits, adjusting the scope, and turning a giant idea into something that’s functional, fun, and gets the concept across.</p> <p>I definitely leave this jam even more motivated to keep developing games, improving my processes, understanding my strengths better, and, more importantly, my weaknesses.</p> <p>If you made it this far, thank you so much for reading. I hope this post inspired you, helped you, or maybe even gave you that little push to join your first (or next) game jam.</p> <p>And if you’d like to try the game, it’s available here:<br> <a href="https://stealthc.itch.io/gatonauta" rel="noopener noreferrer">Gatonauta by StealthC</a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm5itqxfzqimonawuskff.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm5itqxfzqimonawuskff.png" alt="Image description" width="800" height="1600"></a></p> gamedev godot gdscript StealthC Wed, 28 May 2025 17:38:20 +0000 https://dev.to/stealthc/pt-br-gatonauta-experiencia-do-gamedevtv-gamejam-2025-3f45 https://dev.to/stealthc/pt-br-gatonauta-experiencia-do-gamedevtv-gamejam-2025-3f45 <p>Tradução: This post is also <a href="https://dev.to/stealthc/en-gatonauta-gamedevtv-gamejam-2025-experience-2ppe">available in English</a></p> <p>Decidi participar da game jam da GameDev.tv (<a href="https://itch.io/jam/gamedevtv-jam-2025" rel="noopener noreferrer">GameDev.tv Game Jam 2025 - Free Course For All Submissions! - itch.io</a>), que é uma ótima opção para quem está começando no desenvolvimento de jogos. A comunidade é bem acolhedora, formada principalmente por alunos e iniciantes, e a troca de feedbacks é muito ativa e construtiva. Além disso, todo participante que enviar um jogo, automaticamente ganha um curso deles, que é algo muito bom pra quem está começando!</p> <p>Essa é uma jam de 10 dias, e o tema escolhido foi <strong>“Tiny World”</strong>. No ano passado, participei com um jogo chamado <a href="https://stealthc.itch.io/gataria" rel="noopener noreferrer">Gataria by StealthC</a>, feito para o tema <strong>“Last Stand”</strong>, e recebi muitos feedbacks positivos. Eu já sabia que queria fazer mais um jogo com um gato como protagonista, e, assim que o tema saiu, comecei a pensar em como encaixar essa ideia.</p> <p>Dessa vez, decidi me arriscar com um escopo bem maior que <em>Gataria</em>, mesmo sabendo que corria o risco de não conseguir finalizar a tempo. Afinal, boa parte dos 10 dias eram dias úteis, e eu também precisava conciliar com meu trabalho.</p> <h2> Escolha de ferramentas e escopo inicial... </h2> <p>Minha proposta era criar um jogo de <strong>sobrevivência, exploração e crafting</strong>, com bastante inspiração em jogos como <em>Factorio</em> e <em>Forager</em>. Além disso, queria implementar uma mecânica de gravidade em pequenos planetas, no estilo <em>Super Mario Galaxy</em>, mas adaptado para um jogo 2D.</p> <p>Decidi usar o Godot Engine (arrisquei e fiz todo na versão beta 4.5 dev3), que é uma ferramenta que já conheço bem e que me permite desenvolver jogos de forma rápida e eficiente. Suas builds para Web são ótimas e leves, perfeitas para game jams, e a comunidade é bem ativa, o que facilita encontrar soluções para problemas comuns.</p> <p>Uma das coisas que eu não tinha feito antes, mas dessa vez decidi implementar, foi preparar uma CI (integração contínua) para o projeto, usando o GitHub. Assim, a cada commit que eu fizesse na branch main, o jogo seria compilado e disponibilizado automaticamente no Itch.io. Isso me ajudou a manter o controle do progresso, fazer outras pessoas testarem e identificar bugs mais rapidamente.</p> <p>O workflow ficou assim (Se você quiser usar este workflow, lembre-se de adaptar as chaves e ajustar a versão do Godot conforme o seu projeto):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Export and Upload to Itch.io</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">main</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">build-and-deploy</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout repository</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Export Godot project</span> <span class="na">id</span><span class="pi">:</span> <span class="s">export</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">firebelley/godot-export@v6.0.0</span> <span class="na">with</span><span class="pi">:</span> <span class="na">godot_executable_download_url</span><span class="pi">:</span> <span class="s">https://github.com/godotengine/godot-builds/releases/download/4.5-dev4/Godot_v4.5-dev4_linux.x86_64.zip</span> <span class="na">godot_export_templates_download_url</span><span class="pi">:</span> <span class="s">https://github.com/godotengine/godot-builds/releases/download/4.5-dev4/Godot_v4.5-dev4_export_templates.tpz</span> <span class="na">relative_project_path</span><span class="pi">:</span> <span class="s">./</span> <span class="na">archive_output</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">cache</span><span class="pi">:</span> <span class="kc">true</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Upload to Itch.io</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">Ayowel/butler-to-itch@v1</span> <span class="na">with</span><span class="pi">:</span> <span class="na">butler_key</span><span class="pi">:</span> <span class="s">${{ secrets.ITCHIO_API_KEY }}</span> <span class="na">itch_user</span><span class="pi">:</span> <span class="s">MEU_USUARIO_ITCHIO</span> <span class="na">itch_game</span><span class="pi">:</span> <span class="s">NOME_DO_JOGO_ITCHIO</span> <span class="na">version</span><span class="pi">:</span> <span class="s">${{ github.ref_name }}</span> <span class="na">files</span><span class="pi">:</span> <span class="s">${{ steps.export.outputs.archive_directory }}/Web.zip</span> </code></pre> </div> <h2> Um conceito bem ambicioso... </h2> <p>O meu conceito inicial já deixava claro que não seria uma tarefa fácil. Eu queria que o jogo tivesse:</p> <ul> <li><p>Um sistema de <strong>sobrevivência</strong>, com fome e gerenciamento de recursos.</p></li> <li><p><strong>Combate</strong> e elementos de ação.</p></li> <li><p><strong>Dungeons</strong>, para exploração e desafios extras.</p></li> <li><p>Um <strong>gancho</strong>, para se prender em asteroides ou puxar objetos até o personagem.</p></li> <li><p><strong>Internacionalização</strong>, para que o jogo pudesse ser jogado em português e inglês. </p></li> </ul> <p>Com esse escopo, uma partida poderia demorar bastante. Então, seria necessário ter um sistema de salvamento. Comecei criando esse sistema, que me tomou praticamente o primeiro dia inteiro, além de dedicar tempo ao planejamento da estrutura geral do jogo.</p> <p>Aqui vai meu sketch inicial do projeto e a versão gerada por IA:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fitjbmqzzrh225m9od017.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fitjbmqzzrh225m9od017.png" alt="Image description" width="800" height="1144"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbt9f4h0ad4d22hz731wr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbt9f4h0ad4d22hz731wr.png" alt="Image description" width="800" height="1200"></a></p> <h2> Recriando toda a teoria da gravidade... </h2> <p>No segundo dia, parti para um dos maiores desafios técnicos: fazer um sistema de movimentação com gravidade em planetoides. A ideia parecia simples na teoria: basta fazer a gravidade sempre apontar para o centro do planeta. Na prática... foi bem mais trabalhoso do que parecia.</p> <p>A solução que encontrei foi calcular todos os movimentos (andar, pular, gravidade) como se estivessem num plano cartesiano normal. Só no final dos cálculos é que eu rotacionava o movimento, alinhando para que ele ficasse na direção correta em relação ao planeta. Na minha opinião, ficou bem suave e intuitivo.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight gdscript"><code><span class="k">if</span> <span class="n">is_on_floor</span><span class="p">():</span> <span class="n">_local_velocity</span><span class="o">.</span><span class="n">x</span> <span class="o">=</span> <span class="n">input_x</span> <span class="o">*</span> <span class="n">current_planet</span><span class="o">.</span><span class="n">side_velocity</span> <span class="k">else</span><span class="p">:</span> <span class="n">_local_velocity</span><span class="o">.</span><span class="n">x</span> <span class="o">=</span> <span class="nb">lerp</span><span class="p">(</span><span class="n">_local_velocity</span><span class="o">.</span><span class="n">x</span><span class="p">,</span> <span class="n">input_x</span> <span class="o">*</span> <span class="n">current_planet</span><span class="o">.</span><span class="n">side_velocity</span> <span class="o">/</span> <span class="mf">2.0</span><span class="p">,</span> <span class="mf">0.1</span><span class="p">)</span> <span class="c1"># Suaviza o movimento lateral no ar</span> <span class="o">...</span> <span class="k">var</span> <span class="n">gravity_center</span> <span class="o">=</span> <span class="n">current_planet</span><span class="o">.</span><span class="n">global_position</span> <span class="k">var</span> <span class="n">direction_to_center</span> <span class="o">=</span> <span class="p">(</span><span class="n">gravity_center</span> <span class="o">-</span> <span class="n">global_position</span><span class="p">)</span><span class="o">.</span><span class="n">normalized</span><span class="p">()</span> <span class="o">...</span> <span class="k">var</span> <span class="n">target_rotation</span> <span class="o">=</span> <span class="n">direction_to_center</span><span class="o">.</span><span class="n">angle</span><span class="p">()</span> <span class="o">-</span> <span class="bp">PI</span> <span class="o">/</span> <span class="mf">2.0</span> <span class="c1"># -PI/2 para alinhar com a direção do planeta</span> <span class="o">...</span> <span class="k">var</span> <span class="n">local_rotated</span> <span class="o">=</span> <span class="n">_local_velocity</span><span class="o">.</span><span class="n">rotated</span><span class="p">(</span><span class="n">target_rotation</span><span class="p">)</span><span class="o">.</span><span class="n">normalized</span><span class="p">()</span> <span class="o">*</span> <span class="nb">abs</span><span class="p">(</span><span class="n">_local_velocity</span><span class="o">.</span><span class="n">x</span><span class="p">)</span> <span class="c1"># Aplica a rotação do jogador à velocidade local</span> <span class="n">velocity</span> <span class="o">=</span> <span class="n">local_rotated</span> <span class="c1"># Atualiza a velocidade do jogador com a velocidade local rotacionada</span> <span class="n">velocity</span> <span class="o">+=</span> <span class="n">_gravity_velocity</span><span class="o">.</span><span class="n">rotated</span><span class="p">(</span><span class="n">target_rotation</span><span class="p">)</span> <span class="c1"># Aplica a velocidade da gravidade</span> <span class="n">velocity</span> <span class="o">+=</span> <span class="n">_jetpack_velocity</span><span class="o">.</span><span class="n">rotated</span><span class="p">(</span><span class="n">global_rotation</span><span class="p">)</span> <span class="c1"># Aplica a velocidade do jetpack rotacionada pela rotação do jogador</span> <span class="n">move_and_slide</span><span class="p">()</span> </code></pre> </div> <p>No jogo há basicamente dois modos de física:</p> <ol> <li><p>Dentro de um planeta, onde é calculado a gravidade, movimentos laterais e etc.</p></li> <li><p>No espaço, onde a câmera fica fixa, a gravidade é desligada, mas agora você pode girar o personagem e impulsioná-lo na direção que ele está. </p></li> </ol> <p>Claro que surgiram problemas no caminho. Nas builds Web, por exemplo, a física começava a apresentar erros, provavelmente por conta da perda de precisão dos floats. Depois de muito quebrar a cabeça, descobri que usar colisão <strong>quadrada</strong> no personagem e <strong>circular</strong> no planeta resolvia vários desses problemas. Se o personagem usasse uma colisão do tipo cápsula ou redonda, acontecia um bug estranho: ele se movia mais rápido para um lado do que para o outro, e esse erro ia acumulando aos poucos, ficando cada vez pior.</p> <h2> A corrida contra o tempo e uso de IA </h2> <p>Nos cinco dias seguintes, minha rotina foi basicamente trabalhar o dia todo e só conseguir mexer no jogo bem tarde da noite, quando já estava exausto e com a cabeça pouco produtiva. Por isso, optei por focar na criação dos <strong>assets</strong>: sprites, planetas, itens, sons, músicas e afins.</p> <p>E é aqui que entro em um tema meio polêmico: o uso de <strong>inteligência artificial na criação de assets para jogos</strong>.</p> <p>Sem dúvida, esse é um assunto que gera bastante discussão na comunidade de desenvolvimento, e com razão. A IA se tornou uma ferramenta extremamente poderosa, principalmente para quem trabalha sozinho ou em equipes pequenas, como é o caso de muita gente em game jams. Quando o tempo é apertado e nem sempre temos habilidades em todas as áreas, como arte, música ou efeitos sonoros, ela acaba sendo uma aliada bem interessante.</p> <p>No meu caso, eu não sou artista profissional. Produzir todos os assets do zero: sprites, efeitos sonoros, músicas, interfaces... dentro de poucos dias simplesmente, não seria viável. Então sim, recorri a ferramentas de IA para acelerar parte desse processo.</p> <p>Mas acho essencial refletir sobre como e por que usar IA. Ela não deve ser encarada como um substituto da criatividade humana, pelo menos não nesse momento, mas sim como uma extensão dela. Usei IA para transformar ideias que eu já tinha em algo mais concreto, como rascunhos visuais, texturas e até sons. Mas, na prática, quase tudo exigiu bastante trabalho manual: ajustar, editar, retrabalhar e encaixar no estilo e na proposta do jogo.</p> <p>A IA, nesse contexto, acaba sendo apenas mais uma ferramenta, assim como é, por exemplo, um gerador de efeitos sonoros como o <a href="https://sfxr.me/" rel="noopener noreferrer">jsfxr - 8 bit sound maker</a>, que também usei no projeto. Ela resolve um problema prático, permitindo que uma ideia se transforme em algo jogável, sem que você trave nas partes onde não domina 100%.</p> <p>Claro que eu também entendo, e concordo em vários pontos, com quem traz críticas. Existem preocupações bem válidas sobre como os modelos são treinados, muitas vezes usando trabalhos de artistas sem consentimento, e sobre como isso pode afetar o mercado criativo e desvalorizar o trabalho de profissionais.</p> <p>Na minha opinião, boa parte dos problemas que vemos hoje não são causados exatamente pela IA em si, mas pela forma como todo o sistema foi estruturado. A concentração de tecnologia nas mãos de poucos, todo o modelo de negócios usado, tudo isso faz parte do problema. E esse debate, honestamente, vai muito além da tecnologia em si.</p> <p>No contexto de uma game jam, que é um ambiente de aprendizado, prototipagem e experimentação, vejo o uso da IA como algo totalmente válido, desde que usado de forma consciente, honesta e transparente. Inclusive, isso é abordado nas próprias regras dessa jam específica.</p> <p>Mas acho que, como desenvolvedores, é nosso papel continuar questionando e discutindo como construir um cenário onde essas ferramentas possam existir de forma mais justa, ética e equilibrada, beneficiando a todos, desde quem cria, quem desenvolve e quem joga.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fthttvhremyvc89wkdyjr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fthttvhremyvc89wkdyjr.png" alt="Image description" width="800" height="800"></a></p> <h2> O desenvolvimento do Gatonauta: Problemas de Prazo </h2> <p>Voltando ao desenvolvimento, nesse tempo eu criei os primeiros assets de planetas, do personagem, de alguns itens e recursos, mas nada ainda estava funcional. Foi só lá pelo sétimo dia que finalmente consegui concluir partes mais importantes, como o sistema de inventário e a coleta de recursos. Nesse tempo, eu já havia riscado várias partes do meu escopo inicial:</p> <ul> <li> <strong>Survival</strong>: No caso do meu conceito, survival seria só mais uma camada do jogo. Se a base nem está completa, essa camada mais atrapalharia do que ajudaria.</li> <li> <strong>Combate</strong>: infelizmente, fazer sistemas de combate com tão pouco tempo livre não iria rolar. Fica para a próxima.</li> <li> <strong>Gancho</strong>: isso foi riscado com toda a parte de mineração no espaço, mas seria muito legal de ter.</li> <li> <strong>Diálogos</strong>: cheguei a pensar em toda uma história envolvendo o Gatonauta e seu assistente, o GatoGPT (que é esse drone que fica destruindo as coisas).</li> <li> <strong>Dungeons</strong>: outro plano riscado por falta de tempo.</li> </ul> <p>Me concentrei em fazer o básico funcionar: movimentação, coleta de recursos, crafting e construção. E, claro, a parte de exploração com os planetas. Só que precisaria, pelo menos, ter um gameplay completo. Então decidi focar em um único objetivo simples: consertar a nave. Para isso, o jogador precisaria obter três peças diferentes. Planejei a receita dessas peças e os passos para obtê-las. Não quis deixar muito complexo, mas algo que fosse viável e divertido para a maioria dos jogadores, sem muito grind.</p> <p>Tentei ao máximo abstrair e usar os signals do Godot para poder reutilizar as classes e fazer o jogo ser facilmente expansível, na prática, se eu quisesse criar mais recursos, nodes, ou estruturas, era só criar instâncias dos objetos existentes, com os novos dados e texturas.</p> <p>Todas as receitas, crafting e upgrades usam dicionários simples para definição, algumas vezes, uso um tipo especial de objeto para as receitas, mas continua sendo baseado em dicionários:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight gdscript"><code><span class="c1">## Dicionário de custos das estruturas</span> <span class="k">const</span> <span class="n">STRUCTURE_COST</span><span class="p">:</span> <span class="kt">Dictionary</span><span class="p">[</span><span class="kt">String</span><span class="p">,</span> <span class="kt">Dictionary</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span> <span class="s2">"FURNACE"</span><span class="p">:</span> <span class="p">{</span> <span class="s2">"COBBLESTONE"</span><span class="p">:</span> <span class="mi">10</span> <span class="p">},</span> <span class="s2">"STORAGE"</span><span class="p">:</span> <span class="p">{</span> <span class="s2">"COBBLESTONE"</span><span class="p">:</span> <span class="mi">5</span><span class="p">,</span> <span class="s2">"WOOD"</span><span class="p">:</span> <span class="mi">5</span><span class="p">,</span> <span class="s2">"CHARCOAL"</span><span class="p">:</span> <span class="mi">5</span> <span class="p">},</span> <span class="s2">"WORKBENCH"</span><span class="p">:</span> <span class="p">{</span> <span class="s2">"COBBLESTONE"</span><span class="p">:</span> <span class="mi">10</span><span class="p">,</span> <span class="s2">"WOOD"</span><span class="p">:</span> <span class="mi">5</span><span class="p">,</span> <span class="s2">"GEAR"</span><span class="p">:</span> <span class="mi">2</span> <span class="p">},</span> <span class="s2">"3D_PRINTER"</span><span class="p">:</span> <span class="p">{</span> <span class="s2">"BAR"</span><span class="p">:</span> <span class="mi">10</span><span class="p">,</span> <span class="s2">"CHARCOAL"</span><span class="p">:</span> <span class="mi">5</span><span class="p">,</span> <span class="s2">"GEAR"</span><span class="p">:</span> <span class="mi">30</span> <span class="p">},</span> <span class="p">}</span> <span class="c1">## Dicionário de prefabs das estruturas</span> <span class="k">const</span> <span class="n">STRUCTURE_PREFAB</span><span class="p">:</span> <span class="kt">Dictionary</span><span class="p">[</span><span class="kt">String</span><span class="p">,</span> <span class="n">PackedScene</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span> <span class="s2">"FURNACE"</span><span class="p">:</span> <span class="nb">preload</span><span class="p">(</span><span class="s2">"res://scenes/structures/furnace.tscn"</span><span class="p">),</span> <span class="s2">"3D_PRINTER"</span><span class="p">:</span> <span class="nb">preload</span><span class="p">(</span><span class="s2">"res://scenes/structures/3d_printer.tscn"</span><span class="p">),</span> <span class="p">}</span> <span class="k">const</span> <span class="n">STRUCTURE_RECIPES</span><span class="p">:</span> <span class="kt">Dictionary</span><span class="p">[</span><span class="kt">String</span><span class="p">,</span> <span class="kt">Array</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span> <span class="s2">"FURNACE"</span><span class="p">:</span> <span class="p">[</span> <span class="nb">preload</span><span class="p">(</span><span class="s2">"res://scripts/data/recipes/charcoal.tres"</span><span class="p">),</span> <span class="nb">preload</span><span class="p">(</span><span class="s2">"res://scripts/data/recipes/bar.tres"</span><span class="p">)</span> <span class="p">],</span> <span class="s2">"DAMAGED_SHIP"</span><span class="p">:</span> <span class="p">[</span> <span class="nb">preload</span><span class="p">(</span><span class="s2">"res://scripts/data/recipes/fix-ship.tres"</span><span class="p">),</span> <span class="p">],</span> <span class="s2">"3D_PRINTER"</span><span class="p">:</span> <span class="p">[</span> <span class="nb">preload</span><span class="p">(</span><span class="s2">"res://scripts/data/recipes/ship-piece-1.tres"</span><span class="p">),</span> <span class="nb">preload</span><span class="p">(</span><span class="s2">"res://scripts/data/recipes/ship-piece-2.tres"</span><span class="p">),</span> <span class="nb">preload</span><span class="p">(</span><span class="s2">"res://scripts/data/recipes/ship-piece-3.tres"</span><span class="p">),</span> <span class="p">]</span> <span class="p">}</span> <span class="k">const</span> <span class="n">UPGRADES_RECIPES</span><span class="p">:</span> <span class="kt">Dictionary</span><span class="p">[</span><span class="kt">String</span><span class="p">,</span> <span class="kt">Dictionary</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span> <span class="s2">"FIX_JETPACK"</span><span class="p">:</span> <span class="p">{</span> <span class="s2">"GEAR"</span><span class="p">:</span> <span class="mi">5</span> <span class="p">},</span> <span class="s2">"PLANETOID_INDICATOR"</span><span class="p">:</span> <span class="p">{</span> <span class="s2">"WOOD"</span><span class="p">:</span> <span class="mi">5</span><span class="p">,</span> <span class="s2">"COBBLESTONE"</span><span class="p">:</span> <span class="mi">5</span><span class="p">,</span> <span class="s2">"CHARCOAL"</span><span class="p">:</span> <span class="mi">10</span><span class="p">,</span> <span class="p">},</span> <span class="s2">"BETTER_JETPACK"</span><span class="p">:</span> <span class="p">{</span> <span class="s2">"CHARCOAL"</span><span class="p">:</span> <span class="mi">10</span><span class="p">,</span> <span class="s2">"COBBLESTONE"</span><span class="p">:</span> <span class="mi">10</span><span class="p">,</span> <span class="p">},</span> <span class="s2">"FASTER_HARVEST"</span><span class="p">:</span> <span class="p">{</span> <span class="s2">"WOOD"</span><span class="p">:</span> <span class="mi">15</span><span class="p">,</span> <span class="s2">"COBBLESTONE"</span><span class="p">:</span> <span class="mi">15</span><span class="p">,</span> <span class="s2">"GEAR"</span><span class="p">:</span> <span class="mi">25</span> <span class="p">},</span> <span class="s2">"MORE_RESOURCES"</span><span class="p">:</span> <span class="p">{</span> <span class="s2">"ORE"</span><span class="p">:</span> <span class="mi">20</span><span class="p">,</span> <span class="s2">"GEAR"</span><span class="p">:</span> <span class="mi">15</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Eu gostaria de ter polido mais a UI, mas percebi que, a cada nova feature, eu demorava muito para finalizar. Isso deixou clara minha falta de experiência com a UI do Godot. Então decidi deixar a UI mais simples, mas funcional. Nada de ícones ou efeitos, só texto. A ideia era que o jogador conseguisse entender o que fazer e como fazer, mesmo que não fosse tão bonito.</p> <p>Gastei o nono dia testando e resolvendo bugs, preparei uma tela de créditos e finalizei o jogo. No décimo dia, eu tinha trabalho, então só consegui ajustar pequenos bugs que escaparam.</p> <h2> Conclusão </h2> <p>Participar dessa jam foi, sem dúvidas, uma experiência incrível. Além de aprender muita coisa nova, pude testar ideias que estavam na gaveta há tempos, como o sistema de gravidade em planetas, integração contínua e até experimentar o uso de IA de forma mais consistente no desenvolvimento.</p> <p>O <em>Gatonauta</em> ficou longe de tudo que sonhei no início, mas isso não é necessariamente algo ruim. Faz parte do processo entender os próprios limites, ajustar o escopo e transformar uma ideia gigante em algo que, pelo menos, funcione, seja divertido e transmita uma proposta.</p> <p>Com certeza saio dessa jam com ainda mais vontade de continuar desenvolvendo, melhorar meus processos, entender melhor meus pontos fortes e, principalmente, meus pontos fracos.</p> <p>Se você leu até aqui, muito obrigado. Espero que esse relato tenha te inspirado, ajudado ou, quem sabe, te dado aquele empurrãozinho para participar da sua primeira (ou próxima) game jam.</p> <p>E se quiser jogar o jogo, ele está disponível em:<br> <a href="https://stealthc.itch.io/gatonauta" rel="noopener noreferrer">Gatonauta by StealthC</a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm5itqxfzqimonawuskff.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fm5itqxfzqimonawuskff.png" alt="Image description" width="800" height="1600"></a></p> gamedev godot gdscript StealthC Wed, 11 Dec 2024 00:59:52 +0000 https://dev.to/stealthc/en-introduction-to-frida-real-time-memory-manipulation-with-typescript-and-doom-357d https://dev.to/stealthc/en-introduction-to-frida-real-time-memory-manipulation-with-typescript-and-doom-357d <p>Translation: Este artigo também está <a href="https://dev.to/stealthc/pt-br-introducao-ao-frida-como-manipular-memoria-em-tempo-real-com-typescript-e-doom-5167">disponível em Português</a></p> <h2> Introduction </h2> <p>The other day, I was reading updates on the website of a tool I follow called <a href="https://frida.re/docs/home/" rel="noopener noreferrer">Frida</a>, which is, as they describe it, a "Greasemonkey for native programs." In other words, it’s a toolkit with its own API to analyze, interact, and manipulate running programs, supporting multiple platforms.</p> <p>Anyway, I came across this <a href="https://frida.re/news/2024/09/06/frida-16-5-0-released/" rel="noopener noreferrer">September 2024 update</a> that not only announced some new features but also showcased an interesting use case. It involved the game "Doom + Doom II," which was released recently. In the example, they demonstrated a tool that scans memory to locate where the ammo count is stored and, with remarkable ease, creates a sort of Cheat Engine to maintain infinite ammo. I loved how practical this example was and decided to recreate it while detailing every step here.</p> <h2> Installing Frida </h2> <p>As I mentioned earlier, Frida is available for multiple platforms. Here, I’m using Windows and already have Python installed, so I’ll simplify the installation process by using pip:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>frida-tools </code></pre> </div> <h2> Usage Example </h2> <p>The <em>frida-tools</em> package comes with several utilities to interact with the Frida ecosystem (you can learn more by visiting the <a href="https://frida.re/docs/home/" rel="noopener noreferrer">official documentation</a>).</p> <p>A practical example is using <code>frida</code> to attach directly to a running program. For instance:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>frida <span class="nt">-n</span> CalculatorApp.exe </code></pre> </div> <p>This opens Frida and attaches it to the process called <code>CalculatorApp.exe</code>, which is the Windows calculator.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4gxoomcf6jamv7lr22v0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4gxoomcf6jamv7lr22v0.png" alt="Image demonstrating Frida execution" width="800" height="340"></a></p> <p>From this new prompt, you can use several built-in functions and call JavaScript directly to access the application’s memory, registers, interrupts, etc.</p> <p>It’s great for quick tests, but the real power comes from creating your own scripts, known as "agents."</p> <h2> Choosing the API Language </h2> <p>You can write these agent scripts in various languages. Frida offers support for Python, JavaScript, C, Go, Swift, and others.</p> <blockquote> <p>For this example, I’ll go with JavaScript—or even better, TypeScript, which provides autocomplete and quick access to documentation, as shown below:</p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhp6ccpyglnz6h3qrak5v.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhp6ccpyglnz6h3qrak5v.png" alt="Image showing TypeScript documentation support in VS Code" width="800" height="313"></a></p> Documentation and autocomplete—some of the best things about modern IDEs (until AI came along) <h2> Setting Up the Project Structure </h2> <p>Frida’s documentation for JavaScript suggests cloning the following repository to start developing your "agent": (<a href="https://github.com/oleavr/frida-agent-example" rel="noopener noreferrer">https://github.com/oleavr/frida-agent-example</a>). So, I’ll clone it, install the dependencies, and open it in VS Code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/oleavr/frida-agent-example.git doom_example <span class="nb">cd</span> .<span class="se">\d</span>oom_example<span class="se">\</span> npm <span class="nb">install </span>code <span class="nb">.</span> </code></pre> </div> <p>The repository simplifies programming in TypeScript and compiling JavaScript to be used by Frida. It comes with some scripts in <code>package.json</code>, like <code>pnpm watch</code>, which watches and compiles the <code>./agent/index.ts</code> file automatically.</p> <blockquote> <p>However, in the latest versions of Frida, it can directly read our TypeScript, so we don’t need to compile to <code>.js</code>.</p> </blockquote> <h2> One More Thing Before We Continue </h2> <p>It’s likely, as was the case during my tests, that the repository has some outdated dependencies. Don’t forget to run <code>npm update --save</code> to update the dependencies, especially the typings.</p> <h2> Basic Agent </h2> <p>Let’s start with the same example from the original post, adding some comments, typings, and adapting it for TypeScript:</p> <blockquote> <p>Important note: If you use plain JavaScript for the agent, you can directly call any function or variable declared in the script. However, when using TypeScript, functions and variables are not added to the global object. You must export them to the <code>globalThis</code> object. I’m making this export at the end of the script.<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">let</span> <span class="nx">matches</span><span class="p">:</span> <span class="nx">NativePointer</span><span class="p">[]</span> <span class="o">=</span> <span class="p">[];</span> <span class="c1">// Scans the process memory for a pattern</span> <span class="kd">function</span> <span class="nf">scan</span><span class="p">(</span><span class="nx">pattern</span><span class="p">:</span> <span class="kr">string</span> <span class="o">|</span> <span class="nx">MatchPattern</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">locations</span> <span class="o">=</span> <span class="k">new</span> <span class="nb">Set</span><span class="o">&lt;</span><span class="kr">string</span><span class="o">&gt;</span><span class="p">();</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">r</span> <span class="k">of</span> <span class="nx">Process</span><span class="p">.</span><span class="nf">enumerateMallocRanges</span><span class="p">())</span> <span class="p">{</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">match</span> <span class="k">of</span> <span class="nx">Memory</span><span class="p">.</span><span class="nf">scanSync</span><span class="p">(</span><span class="nx">r</span><span class="p">.</span><span class="nx">base</span><span class="p">,</span> <span class="nx">r</span><span class="p">.</span><span class="nx">size</span><span class="p">,</span> <span class="nx">pattern</span><span class="p">))</span> <span class="p">{</span> <span class="nx">locations</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="nx">match</span><span class="p">.</span><span class="nx">address</span><span class="p">.</span><span class="nf">toString</span><span class="p">());</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">matches</span> <span class="o">=</span> <span class="nb">Array</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">locations</span><span class="p">).</span><span class="nf">map</span><span class="p">(</span><span class="nx">ptr</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Found</span><span class="dl">'</span><span class="p">,</span> <span class="nx">matches</span><span class="p">.</span><span class="nx">length</span><span class="p">,</span> <span class="dl">'</span><span class="s1">matches</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Further filters results for those containing a specific value</span> <span class="kd">function</span> <span class="nf">reduce</span><span class="p">(</span><span class="nx">val</span><span class="p">:</span> <span class="kr">number</span><span class="p">)</span> <span class="p">{</span> <span class="nx">matches</span> <span class="o">=</span> <span class="nx">matches</span><span class="p">.</span><span class="nf">filter</span><span class="p">(</span><span class="nx">location</span> <span class="o">=&gt;</span> <span class="nx">location</span><span class="p">.</span><span class="nf">readU32</span><span class="p">()</span> <span class="o">===</span> <span class="nx">val</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Filtered down to:</span><span class="dl">'</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">matches</span><span class="p">));</span> <span class="p">}</span> <span class="c1">// Converts a numeric value into a pattern for a 32-bit unsigned integer</span> <span class="kd">function</span> <span class="nf">patternFromU32</span><span class="p">(</span><span class="nx">val</span><span class="p">:</span> <span class="kr">number</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">MatchPattern</span><span class="p">(</span><span class="nf">ptr</span><span class="p">(</span><span class="nx">val</span><span class="p">).</span><span class="nf">toMatchPattern</span><span class="p">().</span><span class="nf">slice</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">11</span><span class="p">));</span> <span class="p">}</span> <span class="nx">globalThis</span><span class="p">[</span><span class="dl">'</span><span class="s1">scan</span><span class="dl">'</span><span class="p">]</span> <span class="o">=</span> <span class="nx">scan</span><span class="p">;</span> <span class="nx">globalThis</span><span class="p">[</span><span class="dl">'</span><span class="s1">reduce</span><span class="dl">'</span><span class="p">]</span> <span class="o">=</span> <span class="nx">reduce</span><span class="p">;</span> <span class="nx">globalThis</span><span class="p">[</span><span class="dl">'</span><span class="s1">patternFromU32</span><span class="dl">'</span><span class="p">]</span> <span class="o">=</span> <span class="nx">patternFromU32</span><span class="p">;</span> </code></pre> </div> <h2> Attaching Frida to the Game </h2> <p>Now, let’s run Frida and attach it to the game.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>frida <span class="nt">-n</span> doom_gog.exe <span class="nt">-l</span> agent/index.ts </code></pre> </div> <p>Make sure the game is running so <code>frida</code> can locate the process using the <code>-n</code> option. If you’re unsure about the process name, use <code>frida-ps</code> to list all running processes.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0v0szhg34e6cj113t5xf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0v0szhg34e6cj113t5xf.png" alt="Image demonstrating Frida execution" width="800" height="333"></a></p> <h2> Finding a Value in Memory (a needle in a haystack) </h2> <p>In the original post, the author searches for the memory location where the ammo count is stored. But let’s switch things up and look for where our health (or "HP," "life," or whatever you call it) is stored.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F56fgsex01p02qlnb8iq9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F56fgsex01p02qlnb8iq9.png" alt="Gameplay image of Doom" width="800" height="478"></a></p> Let’s hope this 100% is an integer... <p>In the open Frida console, we’ll execute our <code>scan</code> function with a pattern for the number 100 as an argument.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[Local::doom_gog.exe ]-&gt; scan(patternFromU32(100)) Found 8073 matches </code></pre> </div> <p>Whoa, 8073 matches for the number 100! That seems like a lot, but not too bad. We need to narrow it down. First, let’s take some damage in the game:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhqm7kub3qfjejrkiublc.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhqm7kub3qfjejrkiublc.gif" alt="The player shoots at a barrel, causing it to explode" width="634" height="375"></a></p> Take that, barrel filled with mysterious green liquid! <p>Now that our health has dropped to 67%, let’s further filter our results using the <code>reduce</code> function we created in the script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[Local::doom_gog.exe ]-&gt; reduce(67) Filtered down to: ["0x179b96a0d0c","0x179f5499984"]` </code></pre> </div> <p>We’re left with two possibilities. Which one is it? Hang on, I’ll figure it out…</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fydnsmh3wpuej33b2t73s.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fydnsmh3wpuej33b2t73s.gif" alt="The player picks up a blue potion" width="500" height="295"></a></p> Drinking this blue potion I found on the ground... <p>Now that our health is at 68%, let’s filter the results again:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[Local::doom_gog.exe ]-&gt; reduce(68) Filtered down to: ["0x179b96a0d0c","0x179f5499984"] </code></pre> </div> <p>Hmm, we still have two addresses left. It’s possible that health is stored in two different memory locations or represents two separate update states. Maybe I shouldn’t have tested this by both losing and then regaining health, but oh well—let’s move on with the experiment.</p> <h2> Creating Dynamic Watchpoints </h2> <p>Let’s proceed with the article by creating a helper function to set watchpoints. This function will take the memory address, the size of the stored data, and the break condition type as arguments. We’ll use <code>w</code> to specify that it should only trigger on <code>write</code> conditions.</p> <p><em>Don’t forget to register the function with <code>globalThis</code> at the end.</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">installWatchpoint</span><span class="p">(</span><span class="nx">address</span><span class="p">:</span> <span class="nx">NativePointerValue</span><span class="p">,</span> <span class="nx">size</span><span class="p">:</span> <span class="kr">number</span> <span class="o">|</span> <span class="nx">UInt64</span><span class="p">,</span> <span class="nx">conditions</span><span class="p">:</span> <span class="nx">HardwareWatchpointConditions</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">thread</span> <span class="o">=</span> <span class="nx">Process</span><span class="p">.</span><span class="nf">enumerateThreads</span><span class="p">()[</span><span class="mi">0</span><span class="p">];</span> <span class="nx">Process</span><span class="p">.</span><span class="nf">setExceptionHandler</span><span class="p">(</span><span class="nx">e</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`\n=== Handler got </span><span class="p">${</span><span class="nx">e</span><span class="p">.</span><span class="kd">type</span><span class="p">}</span><span class="s2"> exception at </span><span class="p">${</span><span class="nx">e</span><span class="p">.</span><span class="nx">context</span><span class="p">.</span><span class="nx">pc</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">Process</span><span class="p">.</span><span class="nf">getCurrentThreadId</span><span class="p">()</span> <span class="o">===</span> <span class="nx">thread</span><span class="p">.</span><span class="nx">id</span> <span class="o">&amp;&amp;</span> <span class="p">[</span><span class="dl">'</span><span class="s1">breakpoint</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">single-step</span><span class="dl">'</span><span class="p">].</span><span class="nf">includes</span><span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="kd">type</span><span class="p">))</span> <span class="p">{</span> <span class="nx">thread</span><span class="p">.</span><span class="nf">unsetHardwareWatchpoint</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="se">\t</span><span class="s1">Disabled hardware watchpoint</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> <span class="p">}</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="se">\t</span><span class="s1">Passing to application</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">});</span> <span class="nx">thread</span><span class="p">.</span><span class="nf">setHardwareWatchpoint</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="nx">address</span><span class="p">,</span> <span class="nx">size</span><span class="p">,</span> <span class="nx">conditions</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Ready</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="nx">globalThis</span><span class="p">[</span><span class="dl">'</span><span class="s1">installWatchpoint</span><span class="dl">'</span><span class="p">]</span> <span class="o">=</span> <span class="nx">installWatchpoint</span><span class="p">;</span> </code></pre> </div> <h2> Identifying the Code Location (via Watchpoints) </h2> <p>Now the goal is to find where in the game’s code the damage calculation is executed. Let’s start by registering a watchpoint for the first address:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[Local::doom_gog.exe ]-&gt; installWatchpoint(ptr('0x179b96a0d0c'), 4, 'w') Ready </code></pre> </div> <p>After inserting the watchpoint, I tried taking more damage, but nothing happened. However, when I picked up a potion, the code was triggered:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[Local::doom_gog.exe ]-&gt; === Handler got single-step exception at 0x7ff6332f7b08 Disabled hardware watchpoint </code></pre> </div> <p>This indicates that the first address we located is likely used in the context of health recovery. Since we’re more interested in the damage context, I tested the other address. This time it triggered when I took damage in the game:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[Local::doom_gog.exe ]-&gt; installWatchpoint(ptr('0x179f5499984'), 4, 'w') Ready [Local::doom_gog.exe ]-&gt; === Handler got single-step exception at 0x7ff6332fafcc Disabled hardware watchpoint </code></pre> </div> <h2> Finding the Exact Code Execution Location </h2> <p>With the address where the value change occurs, <code>0x179f5499984</code>, let’s find its relative offset to the program’s base.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[Local::doom_gog.exe ]-&gt; healthCode = ptr('0x7ff6332fafcc') "0x7ff6332fafcc" [Local::doom_gog.exe ]-&gt; healthModule = Process.getModuleByAddress(healthCode) { "base": "0x7ff633020000", "name": "doom_gog.exe", "path": "F:\\GOG Games\\DOOM + DOOM II\\doom_gog.exe", "size": 15450112 } [Local::doom_gog.exe ]-&gt; offset = healthCode.sub(healthModule.base) "0x2dafcc" </code></pre> </div> <p>Now we know the address is in the <code>doom_gog.exe</code> module and its position relative to the program’s base is <code>0x2dafcc</code>.</p> <h2> Checking the Address in a Disassembler </h2> <p>We can use any debugger with disassembler support to analyze this segment and determine its functionality. You can use tools like radare2, IDA, or GHidra. In this example, I used x64dbg and navigated to the correct address by pressing Ctrl+G and entering the expression:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>doom_gog.exe+0x2dafcc </code></pre> </div> <p>... which produced the following disassembly:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6l8t9xjmsosewq2428no.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6l8t9xjmsosewq2428no.png" alt="Address displayed in x64dbg" width="800" height="366"></a></p> <p>Here, we see the instruction executed immediately after the health value decreases. We can hypothesize that <code>[rsi+24]</code> holds our health value and <code>r15d</code> represents the damage received. Let’s focus on the damage received for now.</p> <h2> Creating Interceptors to Dynamically Receive Data </h2> <p>Following the example from the original article, let’s create an interceptor for this instruction to capture the amount of damage received.</p> <blockquote> <p>Since this function is executed directly in the script, we don’t need to add it to <code>globalThis</code>.<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">Interceptor</span><span class="p">.</span><span class="nf">attach</span><span class="p">(</span><span class="nx">Module</span><span class="p">.</span><span class="nf">getBaseAddress</span><span class="p">(</span><span class="dl">'</span><span class="s1">doom_gog.exe</span><span class="dl">'</span><span class="p">).</span><span class="nf">add</span><span class="p">(</span><span class="mh">0x2dafcc</span><span class="p">),</span> <span class="nf">function </span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">context</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">context</span> <span class="k">as</span> <span class="nx">X64CpuContext</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">damageReceived</span> <span class="o">=</span> <span class="nx">context</span><span class="p">.</span><span class="nx">r15</span><span class="p">;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Damage Received: </span><span class="p">${</span><span class="nx">damageReceived</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>After saving the script, if we continue to take damage in the game, the Frida console will print messages showing the amount of damage:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2lueekdnk2eflmrn3777.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2lueekdnk2eflmrn3777.png" alt="Damage displayed in the console" width="417" height="131"></a></p> <h2> Now, the Ultimate Manipulation! </h2> <p>If we want, as in the original example, to completely ignore the damage, we just need to move the interceptor to the previous instruction (address <code>0x2dafc8</code>) and dynamically set the register value to zero!<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">Interceptor</span><span class="p">.</span><span class="nf">attach</span><span class="p">(</span><span class="nx">Module</span><span class="p">.</span><span class="nf">getBaseAddress</span><span class="p">(</span><span class="dl">'</span><span class="s1">doom_gog.exe</span><span class="dl">'</span><span class="p">).</span><span class="nf">add</span><span class="p">(</span><span class="mh">0x2dafc8</span><span class="p">),</span> <span class="nf">function </span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">context</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">context</span> <span class="k">as</span> <span class="nx">X64CpuContext</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">damageReceived</span> <span class="o">=</span> <span class="nx">context</span><span class="p">.</span><span class="nx">r15</span><span class="p">;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Damage Received: </span><span class="p">${</span><span class="nx">damageReceived</span><span class="p">.</span><span class="nf">toUInt32</span><span class="p">()}</span><span class="s2">, but we will just ignore it`</span><span class="p">);</span> <span class="nx">context</span><span class="p">.</span><span class="nx">r15</span> <span class="o">=</span> <span class="nf">ptr</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8y2edw88ggyxks0wvfh1.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8y2edw88ggyxks0wvfh1.gif" alt="Animation of the player taking damage but the health value doesn't decrease" width="800" height="682"></a></p> Who needs IDDQD? <h2> Conclusion </h2> <p>This exercise was fantastic for exploring what a tool like Frida can offer. This dynamic way of handling data is also incredibly interesting for learners. The example with Doom was perfect due to its simplicity. Keep in mind that creating a game cheat like this is merely "scratching the surface" of possibilities. Tools like Frida can—and should—be extensively used for tasks like malware analysis, software behavior studies, security assessments, and more.</p> frida reverse typescript hacking StealthC Wed, 11 Dec 2024 00:47:11 +0000 https://dev.to/stealthc/pt-br-introducao-ao-frida-como-manipular-memoria-em-tempo-real-com-typescript-e-doom-5167 https://dev.to/stealthc/pt-br-introducao-ao-frida-como-manipular-memoria-em-tempo-real-com-typescript-e-doom-5167 <p>Tradução: This post is also <a href="https://dev.to/stealthc/en-introduction-to-frida-real-time-memory-manipulation-with-typescript-and-doom-357d">available in English</a></p> <h2> Introdução </h2> <p>Outro dia eu estava lendo as notícias do site de uma ferramenta que eu acompanho, chamado <a href="https://frida.re/docs/home/" rel="noopener noreferrer">Frida</a> que é, como eles mesmo dizem no site, um Greasemonkey para programas nativos, ou seja, é um kit de ferramentas com uma API própria que ajuda a analisar, interagir e manipular programas em execução com suporte para várias plataformas diferentes.</p> <p>Mas enfim, me deparei com essa <a href="https://frida.re/news/2024/09/06/frida-16-5-0-released/" rel="noopener noreferrer">notícia de setembro de 2024</a> que, além de informar novidades no projeto, demonstra uma utilização bastante interessante. Usa como base, o jogo "Doom + Doom II", que foi lançado a pouco tempo. No exemplo, ele cria uma ferramenta que busca na memória, onde número de munição é armazenado e com muita facilidade, cria uma espécie de Cheat Engine para manter as balas infinitas. Eu adorei a praticidade do exemplo e resolvi refazê-lo, mas detalhando aqui cada etapa.</p> <h2> Instalando o Frida </h2> <p>Como eu disse no início, o Frida está disponível para várias plataformas. Aqui, estou usando o Windows e já tenho o python instalado, então vou simplificar o processo de instalação usando o pip:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>frida-tools </code></pre> </div> <h2> Exemplo de utilização </h2> <p>O pacote <em>frida-tools</em> vem com vários utilitários para trabalhar com o ecossistema do Frida (Você pode saber mais sobre eles visitando a <a href="https://frida.re/docs/home/" rel="noopener noreferrer">documentação oficial</a>).</p> <p>Porém, um exemplo bem prático é usar o <code>frida</code> para anexar-se diretamente em um programa em execução, por exemplo:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>frida <span class="nt">-n</span> CalculatorApp.exe </code></pre> </div> <p>Vai abrir o frida e se anexar no processo chamado <code>CalculatorApp.exe</code>, que é a calculadora do windows.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4gxoomcf6jamv7lr22v0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4gxoomcf6jamv7lr22v0.png" alt="Imagem demonstrando a execução do frida" width="800" height="340"></a></p> <p>A partir desse novo prompt, você pode usar diversas funções embutidas e chamar JavaScript diretamente para acessar a memória do aplicativo, registros, interrupções, etc.</p> <p>É ótimo para fazer testes rápidos, mas o melhor mesmo é fazer seus próprios scripts, os chamados "agentes".</p> <h2> Escolhendo a linguagem da API </h2> <p>Você pode escrever esses scripts de agentes em várias linguagens diferentes, o Frida oferece já suporte para linguagens como Python, JavaScript, C, Go e Swift, dentre outras.</p> <blockquote> <p>Neste meu exemplo, vou de JavaScript, ou melhor ainda, TypeScript, que oferece algum suporte para autocompletar e verificar rapidamente a documentação, conforme mostrado abaixo:</p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhp6ccpyglnz6h3qrak5v.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhp6ccpyglnz6h3qrak5v.png" alt="Imagem mostrando o recurso de documentação do TypeScript no VS Code)" width="800" height="313"></a></p> Documentação e autocompletar, as melhores coisas de IDE modernos (até a chegada das IAs) <h2> Preparando a estrutura do projeto </h2> <p>A documentação do Frida sobre JavaScript sugere clonar o seguinte repositório para começar a desenvolver seu "agente": (<a href="https://github.com/oleavr/frida-agent-example" rel="noopener noreferrer">https://github.com/oleavr/frida-agent-example</a>), então vou clonar ele, instalar as dependências e abrir no VS Code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/oleavr/frida-agent-example.git doom_example <span class="nb">cd</span> .<span class="se">\d</span>oom_example<span class="se">\</span> npm <span class="nb">install </span>code <span class="nb">.</span> </code></pre> </div> <p>A ideia do repositório é simplificar a tarefa de programar em TypeScripte compilar o JavaScript para ser usado pelo Frida, ele vem com alguns scripts no <code>package.json</code>, como <code>npm watch</code> que observa e compila automaticamente o arquivo <code>./agent/index.ts</code>. </p> <blockquote> <p>Porém, nas últimas versões do Frida, ele consegue ler automaticamente nosso TypeScript, então não precisamos compilar o .js.</p> </blockquote> <h2> Mais uma coisa antes de seguirmos </h2> <p>É bem provável, como foi o caso quando eu estava testando, que o repositório esteja com algumas dependências já ultrapassadas, não esqueça de rodar <code>npm update --save</code> para atualizar as dependências, principalmente as tipagens.</p> <h2> Agente básico </h2> <p>Vamos começar usando o mesmo exemplo da postagem original, adicionando alguns comentários, inserindo tipagens e adaptando para o TypeScript:</p> <blockquote> <p>Uma observação importante: Se você usar JavaScript puro para fazer o agente, poderá chamar diretamente qualquer função ou variável declarada no script. Porém, ao usar TypeScript, as funções e variáveis não são inseridas no objeto global e portanto, você não conseguirá acessá-las diretamente a menos as exporte para o objeto <code>globalThis</code>. Estou fazendo essa exportação logo no fim do script.<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">let</span> <span class="nx">matches</span><span class="p">:</span> <span class="nx">NativePointer</span><span class="p">[]</span> <span class="o">=</span> <span class="p">[];</span> <span class="c1">// Escaneia a memória do processo em busca de um padrão</span> <span class="kd">function</span> <span class="nf">scan</span><span class="p">(</span><span class="nx">pattern</span><span class="p">:</span> <span class="kr">string</span> <span class="o">|</span> <span class="nx">MatchPattern</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">locations</span> <span class="o">=</span> <span class="k">new</span> <span class="nb">Set</span><span class="o">&lt;</span><span class="kr">string</span><span class="o">&gt;</span><span class="p">();</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">r</span> <span class="k">of</span> <span class="nx">Process</span><span class="p">.</span><span class="nf">enumerateMallocRanges</span><span class="p">())</span> <span class="p">{</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">match</span> <span class="k">of</span> <span class="nx">Memory</span><span class="p">.</span><span class="nf">scanSync</span><span class="p">(</span><span class="nx">r</span><span class="p">.</span><span class="nx">base</span><span class="p">,</span> <span class="nx">r</span><span class="p">.</span><span class="nx">size</span><span class="p">,</span> <span class="nx">pattern</span><span class="p">))</span> <span class="p">{</span> <span class="nx">locations</span><span class="p">.</span><span class="nf">add</span><span class="p">(</span><span class="nx">match</span><span class="p">.</span><span class="nx">address</span><span class="p">.</span><span class="nf">toString</span><span class="p">());</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">matches</span> <span class="o">=</span> <span class="nb">Array</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">locations</span><span class="p">).</span><span class="nf">map</span><span class="p">(</span><span class="nx">ptr</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Found</span><span class="dl">'</span><span class="p">,</span> <span class="nx">matches</span><span class="p">.</span><span class="nx">length</span><span class="p">,</span> <span class="dl">'</span><span class="s1">matches</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Filtra ainda mais os resultados para aqueles que contém um valor específico</span> <span class="kd">function</span> <span class="nf">reduce</span><span class="p">(</span><span class="nx">val</span><span class="p">:</span> <span class="kr">number</span><span class="p">)</span> <span class="p">{</span> <span class="nx">matches</span> <span class="o">=</span> <span class="nx">matches</span><span class="p">.</span><span class="nf">filter</span><span class="p">(</span><span class="nx">location</span> <span class="o">=&gt;</span> <span class="nx">location</span><span class="p">.</span><span class="nf">readU32</span><span class="p">()</span> <span class="o">===</span> <span class="nx">val</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Filtered down to:</span><span class="dl">'</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">matches</span><span class="p">));</span> <span class="p">}</span> <span class="c1">// Converte um valor numérico em um padrão para número inteiro unsigened de 32 bits</span> <span class="kd">function</span> <span class="nf">patternFromU32</span><span class="p">(</span><span class="nx">val</span><span class="p">:</span> <span class="kr">number</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">MatchPattern</span><span class="p">(</span><span class="nf">ptr</span><span class="p">(</span><span class="nx">val</span><span class="p">).</span><span class="nf">toMatchPattern</span><span class="p">().</span><span class="nf">slice</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">11</span><span class="p">));</span> <span class="p">}</span> <span class="nx">globalThis</span><span class="p">[</span><span class="dl">'</span><span class="s1">scan</span><span class="dl">'</span><span class="p">]</span> <span class="o">=</span> <span class="nx">scan</span><span class="p">;</span> <span class="nx">globalThis</span><span class="p">[</span><span class="dl">'</span><span class="s1">reduce</span><span class="dl">'</span><span class="p">]</span> <span class="o">=</span> <span class="nx">reduce</span><span class="p">;</span> <span class="nx">globalThis</span><span class="p">[</span><span class="dl">'</span><span class="s1">patternFromU32</span><span class="dl">'</span><span class="p">]</span> <span class="o">=</span> <span class="nx">patternFromU32</span><span class="p">;</span> </code></pre> </div> <h2> Anexando o Frida ao jogo </h2> <p>Agora rodamos o Frida e anexamos ao jogo.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>frida <span class="nt">-n</span> doom_gog.exe <span class="nt">-l</span> agent/index.ts </code></pre> </div> <p>Você deve estar com o jogo em execução para que o <code>frida</code> possa encontrar o processo usando a opção <code>-n</code>, se você tiver dúvidas sobre o nome do processo, use o <code>frida-ps</code> para listar todos os processos em execução.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0v0szhg34e6cj113t5xf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0v0szhg34e6cj113t5xf.png" alt="Imagem demonstrando a execução do frida" width="800" height="333"></a></p> <h2> Encontrando um valor na memória (uma palha em um agulheiro) </h2> <p>Na postagem original, o autor busca na memória o local onde o valor da munição é armazenado, mas vamos tentar diferente e procurar onde está nossa vida (ou "saúde", "life", "HP", ou como você gostar de chamar)</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F56fgsex01p02qlnb8iq9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F56fgsex01p02qlnb8iq9.png" alt="Gameplay image of Doom" width="800" height="478"></a></p> Vamos torcer para que esse 100% seja um número inteiro… <p>No console aberto do frida, vamos executar nossa função <code>scan</code> com um padrão do número 100 criado como argumento.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[Local::doom_gog.exe ]-&gt; scan(patternFromU32(100)) Found 8073 matches` </code></pre> </div> <p>Eita, 8073 resultados para o número 100, isso parece muito, mas nem tanto, precisamos diminuir as possibilidades, para isso, vamos primeiro sofrer algum dano no jogo:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhqm7kub3qfjejrkiublc.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhqm7kub3qfjejrkiublc.gif" alt="O jogador atira em um barril, que explode" width="634" height="375"></a></p> Tome isto, barril com líquido verde estranho! <p>Agora que reduzimos nossa vida para 67%, vamos filtrar ainda mais nossa busca usando a função criada no script <code>reduce</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[Local::doom_gog.exe ]-&gt; reduce(67) Filtered down to: ["0x179b96a0d0c","0x179f5499984"]` </code></pre> </div> <p>Ainda sobraram duas possibilidades, qual será? Espera, que já resolvo isso…</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fydnsmh3wpuej33b2t73s.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fydnsmh3wpuej33b2t73s.gif" alt="O jogador pega uma poção azul" width="500" height="295"></a></p> Bebendo desse frasco azul que encontrei no chão… <p>Agora que estamos com 68% de vida, vamos filtrar novamente:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[Local::doom_gog.exe ]-&gt; reduce(68) Filtered down to: ["0x179b96a0d0c","0x179f5499984"]` </code></pre> </div> <p>Ué, continuamos com os dois endereços... É provável que a vida esteja mesmo sendo armazenada em dois locais diferentes na memória ou ainda podem ser estados diferentes de atualização. Talvez eu não devesse ter testado sofrendo e depois recuperando vida, mas enfim, vamos seguir com a experiência...</p> <h2> Criando watchpoints dinamicamente </h2> <p>Vamos continuar com o artigo e criar uma função helper para designar watchpoints. Essa função vai receber como argumentos, o endereço da memória, o tamanho do dado armazenado e o tipo de condição para o break, que posteriormente vamos usar <code>w</code> para dizer para ele parar apenas em condições de <code>write</code>, ou seja, de escrita.<br> <em>Não se esqueça de registrar a função no <code>globalThis</code>, no final.</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">installWatchpoint</span><span class="p">(</span><span class="nx">address</span><span class="p">:</span> <span class="nx">NativePointerValue</span><span class="p">,</span> <span class="nx">size</span><span class="p">:</span> <span class="kr">number</span> <span class="o">|</span> <span class="nx">UInt64</span><span class="p">,</span> <span class="nx">conditions</span><span class="p">:</span> <span class="nx">HardwareWatchpointConditions</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">thread</span> <span class="o">=</span> <span class="nx">Process</span><span class="p">.</span><span class="nf">enumerateThreads</span><span class="p">()[</span><span class="mi">0</span><span class="p">];</span> <span class="nx">Process</span><span class="p">.</span><span class="nf">setExceptionHandler</span><span class="p">(</span><span class="nx">e</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`\n=== Handler got </span><span class="p">${</span><span class="nx">e</span><span class="p">.</span><span class="kd">type</span><span class="p">}</span><span class="s2"> exception at </span><span class="p">${</span><span class="nx">e</span><span class="p">.</span><span class="nx">context</span><span class="p">.</span><span class="nx">pc</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">Process</span><span class="p">.</span><span class="nf">getCurrentThreadId</span><span class="p">()</span> <span class="o">===</span> <span class="nx">thread</span><span class="p">.</span><span class="nx">id</span> <span class="o">&amp;&amp;</span> <span class="p">[</span><span class="dl">'</span><span class="s1">breakpoint</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">single-step</span><span class="dl">'</span><span class="p">].</span><span class="nf">includes</span><span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="kd">type</span><span class="p">))</span> <span class="p">{</span> <span class="nx">thread</span><span class="p">.</span><span class="nf">unsetHardwareWatchpoint</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="se">\t</span><span class="s1">Disabled hardware watchpoint</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> <span class="p">}</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="se">\t</span><span class="s1">Passing to application</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">});</span> <span class="nx">thread</span><span class="p">.</span><span class="nf">setHardwareWatchpoint</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="nx">address</span><span class="p">,</span> <span class="nx">size</span><span class="p">,</span> <span class="nx">conditions</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Ready</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="nx">globalThis</span><span class="p">[</span><span class="dl">'</span><span class="s1">installWatchpoint</span><span class="dl">'</span><span class="p">]</span> <span class="o">=</span> <span class="nx">installWatchpoint</span><span class="p">;</span> </code></pre> </div> <h2> Obtendo a localização do código (via watchpoints) </h2> <p>O objetivo agora é obter onde no código do jogo, o dano é executado. Então vamos começar registrando o watchpoint do primeiro endereço:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[Local::doom_gog.exe ]-&gt; installWatchpoint(ptr('0x179b96a0d0c'), 4, 'w') Ready </code></pre> </div> <p>Após inserir o watchpoint, tentei sofrer mais dano, porém nada aconteceu. Mas aí, ao pegar uma poção, o código é executado:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[Local::doom_gog.exe ]-&gt; === Handler got single-step exception at 0x7ff6332f7b08 Disabled hardware watchpoint </code></pre> </div> <p>Ou seja, esse primeiro endereço, endereço que localizamos provavelmente é usado no contexto de recuperação de vida.<br> Estamos mais interessados no contexto de dano sofrido, então, testei com o outro endereço e dessa vez sim ele ativou quando eu tomei dano no jogo:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[Local::doom_gog.exe ]-&gt; installWatchpoint(ptr('0x179f5499984'), 4, 'w') Ready [Local::doom_gog.exe ]-&gt; === Handler got single-step exception at 0x7ff6332fafcc Disabled hardware watchpoint </code></pre> </div> <h2> Obtendo a localização exata da execução do código </h2> <p>De posse do endereço onde a mudança do valor ocorre <code>0x7ff6332fafcc</code>, vamos obter o endereço relativo à base do programa.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[Local::doom_gog.exe ]-&gt; healthCode = ptr('0x7ff6332fafcc') "0x7ff6332fafcc" [Local::doom_gog.exe ]-&gt; healthModule = Process.getModuleByAddress(healthCode) { "base": "0x7ff633020000", "name": "doom_gog.exe", "path": "F:\\GOG Games\\DOOM + DOOM II\\doom_gog.exe", "size": 15450112 } [Local::doom_gog.exe ]-&gt; offset = healthCode.sub(healthModule.base) "0x2dafcc" </code></pre> </div> <p>Agora sabemos que o endereço está no módulo <code>doom_gog.exe</code> e que sua posição relativa à base do programa é <code>0x2dafcc</code></p> <h2> Conferindo o endereço em um disassembler </h2> <p>Podemos usar algum debugger com suporte a disasm para ver esse trecho e definir sua funcionalidade, você pode usar qualquer tipo de ferramenta: radare2, ida, GHidra, nesse exemplo eu abri com o x64dbg, e fui para o endereço correto pressionando Ctrl+G e inserindo a expressão:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>doom_gog.exe+0x2dafcc </code></pre> </div> <p>... que resultou no disasm abaixo:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6l8t9xjmsosewq2428no.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6l8t9xjmsosewq2428no.png" alt="O endereço mostrado no x64dbg" width="800" height="366"></a></p> <p>Aqui, nós temos a instrução que é executada exatamente depois do valor da vida ter diminuído, imaginamos então que <code>[rsi+24]</code> é o nosso valor de vida e <code>r15d</code> é o dano recebido. Vamos nos concentrar no dano recebido por enquanto...</p> <h2> Criando interceptadores para receber dados dinamicamente </h2> <p>Seguindo o exemplo do artigo original, vamos criar um Interceptador para essa instrução, que vai nos dizer a quantidade de dano recebido.</p> <blockquote> <p>Como essa função é executada diretamente no script, não precisamos adicionar ao <code>globalThis</code>.<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">Interceptor</span><span class="p">.</span><span class="nf">attach</span><span class="p">(</span><span class="nx">Module</span><span class="p">.</span><span class="nf">getBaseAddress</span><span class="p">(</span><span class="dl">'</span><span class="s1">doom_gog.exe</span><span class="dl">'</span><span class="p">).</span><span class="nf">add</span><span class="p">(</span><span class="mh">0x2dafcc</span><span class="p">),</span> <span class="nf">function </span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">context</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">context</span> <span class="k">as</span> <span class="nx">X64CpuContext</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">damageReceived</span> <span class="o">=</span> <span class="nx">context</span><span class="p">.</span><span class="nx">r15</span><span class="p">;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Damage Received: </span><span class="p">${</span><span class="nx">damageReceived</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>Logo depois de salvar o script, se continuarmos a receber dano no jogo, o console do frida irá imprimir mensagens informando a quantidade de dano:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2lueekdnk2eflmrn3777.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2lueekdnk2eflmrn3777.png" alt="Dano sendo mostrado no console" width="417" height="131"></a></p> <h2> E agora, a manipulação suprema! </h2> <p>Se quisermos, igual ao exemplo original, que o dano seja totalmente ignorado, basta trazer o interceptador para a instrução anterior (endereço <code>0x2dafc8</code>) e substituir dinamicamente o valor de registro para zero!<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">Interceptor</span><span class="p">.</span><span class="nf">attach</span><span class="p">(</span><span class="nx">Module</span><span class="p">.</span><span class="nf">getBaseAddress</span><span class="p">(</span><span class="dl">'</span><span class="s1">doom_gog.exe</span><span class="dl">'</span><span class="p">).</span><span class="nf">add</span><span class="p">(</span><span class="mh">0x2dafc8</span><span class="p">),</span> <span class="nf">function </span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">context</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">context</span> <span class="k">as</span> <span class="nx">X64CpuContext</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">damageReceived</span> <span class="o">=</span> <span class="nx">context</span><span class="p">.</span><span class="nx">r15</span><span class="p">;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Damage Received: </span><span class="p">${</span><span class="nx">damageReceived</span><span class="p">.</span><span class="nf">toUInt32</span><span class="p">()}</span><span class="s2">, but we will just ignore it`</span><span class="p">);</span> <span class="nx">context</span><span class="p">.</span><span class="nx">r15</span> <span class="o">=</span> <span class="nf">ptr</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8y2edw88ggyxks0wvfh1.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8y2edw88ggyxks0wvfh1.gif" alt="Animação do player sofrendo dano, porém, o valor da saúde não diminui" width="800" height="682"></a></p> Pra que o IDDQD? <h2> Conclusão </h2> <p>Esse exercício foi ótimo para testar o que uma ferramenta como o Frida pode oferecer, essa forma dinâmica de lidar com os dados é muito interessante também para quem está aprendendo, e o exemplo com o Doom foi muito bem-vindo pela simplicidade. Note que ao fazer um cheat de um jogo, estamos apenas "arranhando" a superfície das possibilidades, ferramentas como o Frida podem e devem ser amplamente utilizadas para auxilio e simplificação de análise de malware, estudo de comportamento de software, segurança e outros processos. </p> frida reverse typescript hacking