Reverse Engineering: Conceptual Logic

Totally_Not_A_Haxxer
15 Feb, 2023
Conceptual logic essentially is the logical processing and the thought or understanding of a given concept, in our case these concepts may mean ESP.

Introduction

Every since the mid to late 80’s game hacking was a thing, it was always a competition between game hackers and game developers. However, game hackers were very VERY different from what they are not, you see, in today’s world we have writers, authors, you-tubers and hundreds of thousands of documents all on game hacking and it is easy for us to pick up a concept. Back then they did not have these resources, they had to understand a concept and implement it by being able to reverse engineer the game from scratch or even know about hardware to be able to hijack gaming systems. Despite there being 0 security it was still hard to do because the person exploiting the system would have to know a lot about how the system works, the type of system they are trying to work with, the disassembled code or parts of it and use custom tools to automate these tasks for them if they needed it. Now, sure it was a major task for them and it took alot of time but the thing was that despite it being difficult back then they could still apply alot of the concepts and logical processing that they built over time. This is because concepts like aimbot, snap lines, ESP and other various client side and even server side cheats all stay the same, it is just in the way that they are implemented which it changes. The most powerful form of knowledge within the game cheating realm or any deep level reverse engineering realm is understanding the concepts within the application to process them. In this article we will be learning how multiple different concepts work in game cheating which include ESP, Aimbot, Trigger bots and how different cheats may operate and finally ending on how these concepts may change the slightest bit when implementing them, similar to the differences between computational and standard mathematics explained here.

What do I mean with conceptual logic?

Conceptual logic essentially is the logical processing and the thought or understanding of a given concept, in our case these concepts may mean ESP. You may be wondering why we are doing this or even reading about this, honestly coming from the more deeper side of things understanding concepts of any field makes the actual job and implementation much more easier. For example we can say to find the pythag of a triangle we can use the Pythagorean theorem but we can always look the answer up and paste it, make a few changes and boom we made a calculator for the Pythagorean theorem but that is not always the easiest and best ways to do things. While it may make your job also way easier it is important for both our knowledge level and boundaries that we understand common concepts especially before we walk into the realm of game cheating. Knowing the deep level or the deeper side of a given concept also helps in many ways such as forming more logical processors or gates mentally which can aid us in problem solving. Programmers have always been known as creative thinkers as they find ways to work with out problems in applications, using this logical path and thinking to solve your problems or better understand a theorem will actually allow you to produce much more accurate applications and in our case much more accurate game cheats. But how exactly do we get to this point? Well, the thing with concepts is they can sometimes if not most times be hard to break down for a regular person unskilled in that topic, well we need to actually break it down to something that is relatable. For example, say you are trying to explain decrementation and incrementation of a variable in a program to a gamer that plays a soccer game. You can break down the concept to better relate to this person by saying

say your character has the soccer ball and you are ready to score but there is an enemy blocking your way and you pass the ball to your friend. The game has now decremented the ball from your character by one and if your friend passes it to your character again and you catch it then the game incremented the ball by 1.

This is also how we can get ourselves to better chomp down concepts in programs, if we can describe it to ourselves in a much more individual and relatable way and we can break that into different concepts to reach deeper we might be able to chomp down a much more advanced concept much more easier than trying to read it over and over. I have also found that working with implementing it using something you love that can apply that such as programming works really well. In conclusion we do this to make our lives easier when working to fix or solve problems in the implementation and to give our brain a good idea of what we are actually doing.

SETUP

Before we start this article we need to understand some terms. These terms and understanding their meaning may be essential to moving onto fully understanding the pseudo code and texts written further down in the article

POS → Positioning : POS is just another way of saying position, it is used to reference terms like PPOS ( Player Positioning/Position ) on a 3D plain.

BID → Bone Identification : This is a type of number used on a model within a 3 dimensional game which are used to describe the skeleton model of a game’s entity within a physics engine. These BONEID’s are used in game cheats to pinpoint a specific joint or location on the enemies or targets model.

TB → Trigger Bot: A bot in a game that will check if the cursor is hovering over a player, if the cursor is given a set amount of time the trigger bot will trigger and fire on the target if it is on a timer. If the trigger bot is not within a time limit then it will auto fire the second it detects that the crosshair ID is over a specific or given part of a model.

AB → AimBot : A cheat used to auto aim to players, this means if a player is close to another player represented as player1 then the player will within nano seconds have the laser ( in the case the gun has a laser ) pointed at their head by player1.

ESP → Extra Sensory Perception: A game cheat that allows a given cheater or hacker to have more information such as closest players, current players, the gun a player is holding etc about the given game world and environment around them.

AC → Anti Cheat : A program used to prevent game hackers from attempting to exploit or modify values within the game’s source code.

Linear Transformation Algorithm → Algorithm: The LTA ( Linear Transformation Algorithm) Is a linear algebraic function to solve and compute a linear transformation.

W2S → World To Screen : This function is commonly used in game cheats such as ESP game cheats to calculate a 3 dimensional coordinate on a game world such as the world’s current position and camera angle to a 2 dimensional coordinate which can be represented in screen space.

Understanding the basics → Game cheats

For quite a long time game cheats have changed, they change frequently as the way a game operates changes. However, this does not mean that the way the game exploit can be implemented differently as explained above. Game cheats are just another way of telling a program to do exactly what it was meant to do, execute instructions which are given to it through or within the process or internally. For example the common concept between internal and external cheats is that one uses the internals of a game through certain steps to modify the game and external cheats will operate external to the game modifying the game via process manipulation. This may be hard to understand and chomp down so lets break down the idea. When you think internal and external what do you think of? For internal you may be thinking obviously something that operates from the inside of a given application as for external it is the opposite it will literally operate from the outside but these concept’s break into their own individual concept and building them is completely different from one another.

  • Differences in EXTERNAL and INTERNAL : For this series we will keep this section quite short and if you want it may be important to read Deeper Dive Into External Game Cheat Development and Internal Cheat Development as both articles were basically sub sections explaining key differences in the concepts, this may also show the a completely different route and show you how far each span down the list. Anyway the key differences between the two is how they work and operate as we know one operates internally and externally but what are the other differences? Mainly it resides in the development process of the game cheat and exploit itself. For example most internal game cheats are injected into a game which means the code is compiled into a file such as a .dll file and is put into the game using a DLL injector which is a program dedicated to injecting a DLL file into a process. Now the external game cheats are always going to be compiled down to EXE or ELF ( for Linux ) as these are executes that do not need to be injected into the game because they do not need to and may be more accurate reading and writing to the process externally than internally however this is where confusion gets brought up. You may see that some game cheat developers will say that this is an external cheat but you need to inject it, this is not a true external cheat as it is injected. Now it may also not be a true internal cheat either which means despite it operating from the inside ( being injected ) it still requires something such as a memory module to take advantage of the process externally to the game. Basically a internal cheat is just a cheat that works internally but does not have to use the internals of that game where a external cheat may work externally on its own. As said before the development process also will vary but how are these different other than the way they are compiled? Most internal cheats use and implement a concept called hooking. In a sense hooking is the process of injecting a function the hacker created with the intent to tell the game to replace the function they created with one the game calls, we will get deeper into this later on. Now the development process of hooking is completely different to an external cheat as an external cheat may hook a function completely differently using techniques such as RPC’s or DLL’s to communicate with the process to hook it where internal cheats actually involve injecting code into the process or program that needs to have that code executed. Both of these concepts work similarly but are completely different when it comes to implementation and actually code writing.
  • The concept of game cheats: The whole idea of a game cheat is to exploit a game and tricking it to doing something such as modifying the values of a client or messing with other functions in a game on other players which can include increasing a players health or decreasing a players health. Game cheats also work in separate ways, their concept of understanding is pretty basic as it is just a simple program that modify’s the internal of a game but messing with functions called in the code or extends the values of a variable or memory address stored in memory using certain scanners and calculators. A good example of the concept is this → Build a program that can load CSGO as a process, then find its process ID, find the ID of the module client.dll and modify client data on the client side which includes the values of player site. . This is a pretty simple concept to grasp but its execution may be harder for someone to grasp, this is why cheats can go from basic to extremely advanced and why they break down into their own sub categories and methods such as ESP, AimBot, Trigger Bots, Input Bots, Miners and much more among that list. The whole concept stays the same though as it is still a program that is developed to mess with the way a game operates by modifying values within the process.

This section may have been a bit confusing which I understand that so let me write a short conclusion. In conclusion, the basic concept of game cheats branches off into a million different sub-stories which are based on the game and the game type, the way the game is built, and are all accessed and written entirely differently. Each game has its own code base and the purpose of a game cheat is to take these games and implement concepts based on the type of the game. Next, we will learn about different ideas and how they are implemented.

Understanding a core value → Thought process

With most of my articles if you are not new here you may see commonly that in different fields I often talk about logical thinking and the process of understanding your task before you execute it. This is because in cases like game cheating which require prior knowledge of the game and engine you are exploiting you should have a laid out process and plan or stepped out plan as to how you are going to do it or how you are going to write a driver or how you may hook the functions of the game. This process is important because if a game cheater who knows what they are doing wants to make a good cheat they will require a design process. This process helps you also mark how fast you can complete the process as with a much more organized routine and step by step process you can ignore possibly running into issues so moving onto other sections ignoring your issue until the very end where time is running out. So how do you set this up? Well this is all about building logic so lets say we have a client asking us to build a game cheat and they send us this request.

I need a external game cheat for valorant, it needs to have a GUI, a login system and a fully functioning cheat which includes modifying game settings of the client, dumping data, having a full player extra sensory perception cheat which outputs the weapon, name and skeleton trace of the player from head to toe and also allows for optional trigger bot which has all sorts of custom hot keys and a built in command language. The price for this cheat will be something like 5K towards you

this is all hypothetical of course and is not likely to happen but lets see how we can make this a much more logical step by step process. So as our client explained they need a cheat with multiple functionalities where the design needs to be sleek and it must have multiple systems embedded into it. But how exactly are we going to form our process here? As explained above we can develop an entire tree but we should focus on one thing at a time the main thing being functionality. It is a common rule that back-end comes first before front-end because back-end is what makes the program work and if we have a better front-end then a back-end our client will most likely kill us and end up not paying us what we want or paying us at all. Given the game is valorant which is a multiplayer online first person shooter game with one of the better anti cheat systems out there, we should first design our idea and process.

  • Step 1: Figure out a way to write a driver which can modify game values along with bypassing the anti cheat system → First thing is first and it is to ensure we can build out cheat which may require recon but assuming we know valorant and have explored the game before we should think about building a kernel mode driver that can modify values from the game. This is because games like VAL which is what we are targeting use an anti cheat system which will detect modification to the game through certain methods like attaching to a process or attaching to the game to inject code into it. This means given that it uses Vanguard anti cheat we should do some reading up on vanguard and the methods it uses then build a driver accurate enough and fast enough to modify values externally to the game without getting caught.
  • Step 2: Building the cheats and the design as well as designing the general aspect → Once we have a driver working and we know we can modify values to the game we need to build a program that can use pattern scanning to scan for patterns which will be used later by the program to write and modify values of the game. Getting this down will help us write and add much more functionality because if we write a pattern scanner and we have already dumped the assembly patterns or code sets we can actually tell the pattern scanner to scan for these values each time which means we will not need external resources to dump the data to the game and depend on other servers for data. Once we get the cheat’s design down and we have most of the required back-end functionality and the memory readers, the writers, the drivers, the scanners and even hookers we can finally setup our cheat.
  • Step 3: Building the cheat → When we have all the basic to advanced functionality within the game down and we have our drivers set in place and we know they work we can get to writing the actual cheat. Note that our cheat is external which means we will require external overlays to allow us to develop ESP accurate enough to draw boxes on the screen and even include optional hit boxes based on the bone ID of the models. Now this is our most important and final step to the back-end work of the exploit itself as we will be adding characteristics to highlight characters and values, grab player data, save session data and more even add key and authentication systems. But now that we have all the functionality done and it can execute and run bypassing the anti cheat system what is something we do next?
  • Step 4: Building the front-end → Fronted was last now that we have the back-end set so our first operation would be to get a nice smooth interface. This should appeal to your clients design and should have tabs sectioning off data such as player values, player ESP, client settings, model settings and much more.

Do you now understand what I mean when i talk about creating a flow of logic? This is essentially common sense but walking through the steps from most important to least important works much more in terms of planning and scheduling. This also allows you to focus on the current plans instead of creating a whole mess for yourself later on. Now these individual steps may also branch into your head one by one but remember we do not need to write every step down but creating a steady flow of logic will certainly help during the creation and development logic. Now that we have a general idea of what our development logic should be like we can now move onto understanding the concepts such as the main class of ESP and branches that work over that, then also from there we can get a general grasp on other cheat types and understand how they may work and how they work in other games.

Understanding → Extra Sensory Perception

Extra Sensory Perception games cheats are exactly what the name implies, it adds more perception to your characters or clients sensory values. Basically ESP cheats are cheats that add or give a player additional information about the environment they are playing in which can include information on where players are, the players in the map, map information, predictions of bullet traces, bullet locations, shots from locations, where players are on a radar and may even be cheats that add a whole new map like a 3 dimensional map to your players view of where games are. This is a really popular cheat because it allows you to see and view everything which in some cases is important to most cheaters. However because this cheat allows you to see everything or add extra values to a clients sensory perception it also can be very hard to implement and depending on the type of cheat the mathematical expressions may vary. But what is the concept of ESP exactly? Below you will find a list of a given type of ESP depending on the game which explains its idea and concept of operation which is how the concept would be implemented to fufill the operational request.

  • Player ESP → Player Extra Sensory Perception is pretty difficult and spans in all different types of forms. This cheat uses a lot of projection and mathematical equations to calculate the distance between two players on the map or all players on the map from a center point. The concept idea of player ESP differs from the type, some player based ESP might be designed to get and display the closest player while others may be used to display all players which means we can separate this into two categories, below you will find the following explanations of both concepts CPESP ( Closest Player ESP ) and APESP ( All Player ESP ) .

CPESP → This type of ESP iterates through every player in the map, runs a calculation to both of them and will calculate the closest player. For example given 64 players in a map iterate through all of them, read the player information, check their health and if the entity is dormant then continue and if it is dead then continue but if all checks pass then continue onto getting that given players location and throw it into an array, find the closest player in that list and draw a box around the nearest player revealing their location, do this for all 64 players or entities in the map until you find one that is the closest. The following pseudo ( false ) code below may demonstrate this finding and calculation for each player.

  DWORD Entity = GetPlayer(i) 
  int Team = getTeam(Entity) 
  if EnmTeam == localTeam { 
      cont
  } 
  int Health = GetPlayerHealth(Entity); 
  if EnmHealth < 1 || EnmHealth > 100 { 
      cont
  }
  Dormant = DormantCheck(Entity); 
  if Dormant { 
      cont
  }  
  Vector3 headBone = WTS<get_head<<Entity>>, vm>
  Finish = pythag<player.x, player.y, hairx, hairy>
  if Finish < Closest {
     Closest = Finish;
     PlayerClosestToMe = i; 
  }

This is a pretty simple code brick to understand, first it causes a function to get the player, then it gets the team the player is on and if it is on our local team we skip it because we do not want out team to have boxes around it, the code then scans for health and if the player is dormant and skips if it is dead or dormant. Finally we get the head-bone by using a WorldToScreen function and finish it by using a function that implements the Pythagorean theorem to get these values. We finally check the code to see if the player or finished resulting values is closest to us and if it is then closest = finish and player closest to me is equal to the index of i. This is pretty simple to both understand and read, see the idea here? Now lets look at every player highlight which will scan every entity and for every entity draw a box around them. It may be important to know that depending on the cheat external ESP cheats will create an external overlay where the data is drawn onto the window, some anti cheat systems or other detection plugin’s may prevent the use case of overlays that are see through. The windows and overlays are typically see through because they need to also allow the client to still see the game map and other values as the purpose of ESP external or internal is to just allow the game cheater to see more data about players. Internal ESP may not use external or general overlays for their ESP cheats as they will over-ride functions through a process of hooking the game engine’s graphics to draw out those functions on the window.

APESP → APESP is a bit different but still holds the same concept, this uses similar to the same algorithms to get the player values and convert them to displayable values on the screen. So basically we have 150 entities in our map, for every entity get their data, run checks if it is a real and usable entity in the memory and then continue to draw a box around it like so.

            uintptr_t player = RPM<DWORD>(0x00000FFFFF + ENTLIST + (i * 0x10));
            int team = RPM<int>(player + OFFSET~>m_iTeamNum);
            if team != localteam {
                health = RPM<int>(pEnt + m_iHealth);
                Vector3 pos = RPM<Vector3>(pEnt + m_vecOrigin);
                Vector3 head; 
                head.x = pos.x; 
                head.y = pos.y; 
                head.z = pos.z + 72.f;
                Vector3 screenpos = WTS(pos, vm);
                Vector3 screenhead = WTS(head, vm);
                height = screenhead.y - screenpos.y;
                width = height / 2.4f;
 
                if screenpos.z >= 0.01f && health > 0 && health < 101 {
                    Draw => Memhdc, screenpos, screenhead
                }
            }

This pretty much does the same thing as the previous cheat but instead of returning the closest entity it rather just draws a box around it if the player is alive and if the screen position is good to draw on.

Both of these concepts stay the same the only thing that changes is the way they are made to return or draw out and display data, now while ESP concepts might not change we also noticed that the implementation of different methods and types all differed and would use different algorithms and sub sets of mathematics to get these values. We also noticed that they both used some of the same function known as the WorldToScreen function. Below you will find a deeper explanation as to how this function works, what algorithm it uses and why it is important to cheats such as ESP cheats no matter the form or type of cheat.

World2Screen → Basic to mathematical explanation

The world to screen function other wise and commonly refereed to as the W2S function is a function game cheaters will use or is used to take map a 3D world space to a 2D screen space. This allows game cheaters to basically convert a set of 3D coordinates to a 2D set of coordinates, for example converting x, y z → x1, x2, y1 and y2. This kind of function works by multiplying the 3D position of a given point on a 3D grap by a view and projection matrix which in a games sense will represent the camera’s and views current position and orientation within the game environment then finally dividing the resulting 3D position by its homogeneous coordinate. For those who do not know a homogeneous coordinate is a type of coordinate to representing a point on a multi dimensional space such as a 3-Dimensional space using an additional dimension also known as the homogeneous dimension. This type of dimension is used to represent scaling in translation which comes in handy during the W2S function which preforms and executes a algorithm known as the linear transformation algorithm during matrices transformations. This helps the function to perform a conversion from the 3D space to a 2D placement on a screen space. This type of matrix transformation is a linear operation known as the matrix vector multiplication which in the case of the W2S function the Model View Point matrix is used to perform this kind of calculation which is the linear transformation from a 3D camera and world view point and the resulting 4-Dimensional homogeneous vector which is finally transformed into a 2-Dimensional space. The major point being of W2S is transform a given 3D space into a 2D screen space. This function uses those matrices transformation and homogeneous coordinates to execute the function and transformation. Let me break this down for you.

Consider we have the following point in a 3D world space which is represented in a structure V3 which stands for Vector 3 ( a three dimensional vector holding float values to our position in the 3D world space represented as float x, y, z ). The world to screen function will transform our positions held within the V3-Structure into a V2-Structure which represents a 2 dimensional field holding x’, y’. This function can be represented using the following mathematical setup.

A = ModelView * [x, y, z, 1] ^ T -> x' = A.x / A.w -> y' A.y / A.w

This is broken down like the following

We start by declaring A = ModelView and where model view is is the location of a 4 by 4 matrix representing our concatenation of our mode;, projection matrices and view within the world. We declare that followed by 4-Dimensional homogeneous position vector which represents the 3-Dimensional position of the point in the world space. The result of this matrix multiplication is a 4-Dimensional homogeneous vector A, representing the 3-Dimensional position of the point in camera space. The 2-Dimensional screen position is then calculated by dividing the first two components of this vector (A.x, A.y) by the fourth component (A.w). In sum the MVP matrix is calculated once per frame based on the camera’s position and orientation in the game world, and the W2S transformation is performed for each object in the game world that needs to be displayed on the player’s screen. The resulting 2D screen positions are used to draw the objects on the player’s screen. This function helps in ESP cheats alot because it is the reason that game cheaters can calculate the values required to draw on this screen, the linear transformations and vector arithmetic is often used as well because of how they are required for graphical calculations such as the W2S function. Even if the result is not a player and is an object such as an item, this functions comes extremely helpful but may need modifications when you want to draw 3D boxes which means you will require the 3 Dimensional result not the resulting 2-Dimensional positions which were originally used to calculate and draw the box on your screen. In sum without this function, game cheaters would not know how to properly work with the game to output cheats like ESP. Alright now back to the types.

There are also other known concepts for ESP and all come in different forms from simple item ESP which is a concept that grabs all items in the game and outputs the data to that value and also ESP that may include information on the player’s account such as name and account level. As you can probably see all of these concepts stay the same, they loop, scan for objects in memory such as a player and will run a series of calculations to get the locations of the entity or object within the map and convert those coordinates to coordinates and positions on the screen of the client. This type of cheat can range from many difficulties and may use different algorithms and may only get all players within a certian radius or get all players within a certain range or angle. These types of cheats may look similar to this.

Or they may be extremely complex and look like this

Needing-less to say about this specific topic, you should be able to understand the basic’s of ESP and the algorithms used inside of them. In order to create a proper game cheat from scratch that is in the category of ESP it takes a lot of prior experience and or knowledge within the mathematical realm in fields like geometry and trigonometry to calculate distances and to debug or exploit and inject into the game may take understanding of the way the game stores values.

Understanding AB & TB → How their concepts work

AimBot (AB) and Trigger Bot’s (TB’s) are very interesting forms of bots and similar to ESP may also use algorithms to calculate certain values required for the cheat to work. These cheats are frequently used for more rage cheating and give the player a million times more of a advantage than something like ESP will. ESP allows you to sure see players through walls but aim-bot and trigger bot’s mixed together? Ha, you do not even have to fully move in some implementations. The basic implementations and concepts are of the following.

AB → Aimbot is a bot or cheat in a game that is supposed to automate the process of aiming using auto locking mechanisms that allow you to constantly keep your cross-hair on the target at a given bone ID (BID). Bone ID’s are used here because they allow the cheat developer to tell the auto locking mechanisms where to lock on in the enemies or targets model joint or body. The use of mathematics in AimBot is much more complex and uses trigonometric functions to convert a 3-Dimensional vector into an angle that can be used for further calculations. The below code shows a function used to convert a 3D vector into usable angles.

 constexpr const Vec3& TrigF___3DConversionToAng() const noexcept {
  return Vec3{
   std::atan2(
        -z, std::hypot(x, y)
    ) * 
       (
        180.0f / std::numbers::pi_v<float>
    ),
   std::atan2(y, x) * (180.0f / std::numbers::pi_v<float>),
   0.0f };
 }

This function may be hard to understand so let us break it down. The function’s idea is to convert a 3D vector to a usable view angle. The first thing that is calculated using std::atan2 is the pitch angle, this is the rotation around the x axis. This takes the difference between the z component of our Vec3 ( 3D vector ) and the length of the xy plane projection of our given vector. The next thing it calculates is the yaw angle which is the rotation around the y axis, this is calculated by also using atan2 and using the radio of y on the axis as well x on the axis in the vector. The final angle calculated is the rotation around the Z axiis which is set to 0. The function sets the role angle to 0.0f because the roll angle is not used any further as the whole purpose of the algorithm is to convert a 3D vector to the proper angle representation and if the third result or other wise known as the roll angle is not used then the algorithm can be simplified to exclude the values that are not needed. These functions are used because they aid the aimbot in figuring out certain values in the game that are relevant to the actual calculation of the target on the aimed at model. For example, in some scenarios looking at cheat code or other aim bot cheat’s you may see functions like the one below which reads the values of the bone ID three times to get the players head POS.

    let PHPOS = Vec3{
       MR (BM + 0x30 * 8 + 0x0C),
       MR (BM + 0x30 * 8 + 0x1C),
       MR (BM + 0x30 * 8 + 0x2C)
    };

This function may be confusing so let me explain, a variable named PHPOS standing for Player Head Position which holds a value of structure vector 3 ( our 3D vector ) in the 3D vector values are stored in X, Y and Z formats so we can infer that MR is MemoryRead and is reading off the bone matrix of the character given specified with BM ( Bone Matrix ) which is added to 0x30 which may be used to refer to a specific bone in the skeletal structure within the game. Then is multiplied by the integer 8, well following that this function has been assumed to get the player head position in a 3D space we can infer the only full integer ( based on our logical learning so far ) can possibly be a boneID. So we can look at game player models with the ID’s outputted on them like so.

Based on this image when we look at the head we can 100% infer that given this is an aimbot cheat for CSGO or implementation of aimbot and it uses the BONEID of 8 ( the head ) and is named PHPOS we can again assume this function is calculating to figure out the exact coordinates of the head of the player in a 3D space. This is used by first getting and scanning the bone matrix of a player.

What is a bone matrix?

The bone matrix of a player model within a game is a mathematically accurate way of representing the skeleton of a player model. The graphic below represents the skeleton of a player

The bones of a model are much more complex than this and this is a simple image and representation of the structure. Every player or character may have the same bone structures that are in most games however much more technical games such as COD with much more textures, operators, and skins may use different modeling indices. This is where the skill differentiates in games like COD from CSGO as it may be longer to find the bone matrix of a player in COD than CSGO as CSGO has only a few operators. If you ever find a leaked cheat to COD online and you look at the aimbot files you may find a file that shows a dump of the operators which all have different BONEID’s, this concept falls the same for R6 ( Rainbow six siege). This will make it harder for game hackers to fully exploit the game but the second those models are released and if they stay static then it is easy to write a function to get the operator of the player and then match the bone ID’s up to individual models and operator names. The bone matrix of a player is usually stored as a 4 by 4 matrix which can be represented using the following matrix.

these values and 4 x 4 matrices can be multiplied with vertices in a mesh to deform it according to the position and orientation of the bones. This bone matrix is often used in the implementation of skinning algorithms or animation algorithms or even texture based algorithms which help to specify the “wrapping” of the textures. In our specific case the value 0x30 can be inferred to be used to specify the index of a specific bone in the bone index with 0x0C, 0x1C and 0x2C used to access the three coordinates in the three dimensional coordinate of the bones position in the given matrix.

Aimbot may also use angle calculations like the one below to calculate the best current Field Of View of the aimbot before it can aim and lock on.

    let BFOV = 5.f;
    let BANG = Vec3{};
    let a = CalcAngle(
       localEyePosition,
       playerHeadPosition,
       viewAngles + aimPunch
    );

    let fov = hypot(a.x, a.y);

    if fov < BFOV {
       BFOV = fov;
       BANG = a;
    }

This algorithm basically gets the best current FOV for the aimbot to lock onto and then also calculates the angle using the player’s head position, current view angles plus the aim punch with the current local players or client players eye position. In conceptual understanding the players eye POS is calculated by taking the view angles and adding them to the origin. This allows for the aimbot to make a decisions on where to lock and will given a suggested FOV automatically pull to that player and lock on. The final function to call and use the calculations may look something like this.

Write<Vec3>(
  clientStateModule + ClientViewAngle, 
  viewAngles + BANG / 3.f
);

This function will write to the process’s memory with the current values of the offset or address of the client state module adding to the offset of ClientViewAngle then finally changing the values of the angles other wise causing the aimbot algorithm to work and automatically pull towards the player you are targeting or whatever player is closest. Other algorithms like the one shown below ( the same function used in the CEESP otherwise known as Closest Entity Extra Sensory Perception ) is used to get the closest player.

func FindClosestEnemy() int {
   var closestEntity int = 1
   closest := math.MaxFloat32
   localTeam := getTeam(GetLocalPlayer())
   for i := 1; i < 64; i++ {
      entity := GetPlayer(i)
      enmTeam := getTeam(entity)
      if enmTeam == localTeam {
         continue
      }
      enmHealth := GetPlayerHealth(entity)
      if enmHealth < 1 || enmHealth > 100 {
         continue
      }
      if DormantCheck(entity) {
         continue
      }
      headBone := WorldToScreen(getHead(entity), vm)
      finish := pythag(headBone.X, headBone.Y, xhairx, xhairy)
      if finish < closest {
         closest = finish
         closestEntity = i
      }
   }
   return closestEntity
}

This function was explained above and before in the ESP section, it iterates through every player or entity in the map or the max and gets the current player for the current entity being scanned. It checks if the player is on the enemy team and if they are then do not exit the loop if else then exit. It then checks if the player or entity is dormant or dead if either return true continue to the next entity. It finally gets the head bone and uses the Pythagorean theorem to get the values of the head bone and finished algorithm states.

TB → Trigger bots do not pose as much as a threat as aimbot does even in the smoothest aimbot’s because trigger bots automate the process of firing which means the second the game cheat has detected that a crosshairID was put over a player’s or models body then the game cheat will force fire sending and executing either key inputs or modifications to offsets such as FORCE_FIRE in games. Bone ID’s are of use here similar to the way they are used in aimbot, but instead the trigger bot can be customized to only trigger and fire when it detects it is on the head, chest or any other region of the other players body. For example lets say let BID = 10; // ID for head unit then we can say

if CrossHairID == 1 { // representing the crosshairID or result of that function is a boolean value and is currently hovering over the player then we can run checks
    let BID = 10;
    if BoneIdOfPlayer == BID {
        SENDINPUT(OFFSETS::FORCE_FIRE_CHAR, 1)
    }
}

Obviously the code above is not directly working but it gives you an idea of how it can be represented in code, if the crosshairID is on a players model where crosshairID is a function which returns boolean INT then let the target bone ID of the model be 10, if the boneID of the player that the cross-hair is currently on is equal to BID then send the input to force the character to fire. This makes much more sense when we map it our in our heads and can see the clearer understanding. Trigger bot may not use any specialized algorithms as they are nothing more simple than just checking if a given ID is hovered over a player and if it is then force fire input. The idea of trigger bot as you can see and the concept including implementation is a lot more easier and simpler to explain but also easier to work with and represent compared to most aim-bot which is not easy.

As you can see both concepts are easy to understand and in some cases easy to implement depending on the level but it really boils down to how well you understand the vector mathematics and the translations as well ad the algorithms used and required to implement them.

Substitute / smaller cheats used in video games

Some cheats are used and built just to make the game not so fun for other people and rather rage inducing for some streamers, for which are always known as rage cheats or sniper cheats. However, some people will make simple programs and exploits not to sell them but to just make tricks in games easier. These cheats may include constant radar or view of the enemy on a map or the ability to bunny hop. These scripts and programs are used to basically “ add features “ rather than have full fledged intent to cheat. Most people will build value and color changes which modify the values and RGBA values in the game’s GUI to change it to their liking which is still exploiting the software but it is mostly done without trying to be a giant troll or have the end goal of selling and making money off of these exploits. The list below explains these types of cheats and their concept.

  • Radar Cheats : You may be familiar with a UAV in COD and what that does, well if you do not know having a perk to call a UAV in COD allows you to see players on the map for a limited number of time or in other games like CSGO enemies will appear based on their fire as if they fire their red dot shows up on the map. Some players do not like ruining everything by making full kitted cheats and only want to modify smaller perks to the game unlimited such as coins or tokens or even in this case modifying values in memory to create a radar of each player. In game’s like CSGO the entities location is stored in memory as we know from ESP, these values also consist of boolean values that describe if the enemy is spotted, if it was then display it on a radar of some sorts. Well if this is a boolean value for each player and we have 64 players in each lobby we can loop through each entity and set that value to spotted indicating or tricking the game into thinking our character or our player has seen and came across all entities in the map. This is not the biggest cheats and is still one of the smallest forms of ESP cheats out there but is still widely used as a feature to most cheats.
  • Anti Flash : Anti flash concepts are pretty easy to understand, ever get tired of getting blinded by a flash grenade in a game? Well this value is represented as an alpha value which overlays your screen for a certain duration. The game will detect if your client was hit by a flash grenade and if it was set a value or RGBA or alpha value to 1.0f which indicates your screen is fully blank and as time goes on by the millisecond this value may decrement by .01 slowly going back to normal each time. Flash values are stored on the client side and are easily manipulable. For example the simple program will check the flash alpha state of the client character and if it is anything more than 0.0f then immediately write the flash value to set it back to 0.0f in memory.
  • FOV Changers : FOV or Field Of View changing is a feature implemented in most games, it allows you to change the player field of view. However in games like CSGO this feature is not added which means some players may implement similar concepts to the radar cheats where they just change simple values in the game. The FOV of the current player is also stored as client side settings and changes for each person, well you can make a simple program that given a key state will change the values of the current client FOV up or down. This type of cheat is easy to implement as it grabs the current player FOV by reading it from memory and then continues to modify the value of the FOV by writing that same exact value back to memory with an incrementation or decrementation depending on key states.
  • Bunny Hop Cheats : Bunny hop scripts or exploits are one of the most used base implementation of a cheat to ensure drivers or by-passer's or injector tools may work as they are very easy to make. All you do is given a key input detection such as a virtual key input the program will force jump multiple times within nano seconds mimicking and automating the process of bunny hoping in programs. Some people also add these in games just for fun and to add more “bounce” to the game instead of manually needing to master it.

Most cheats that are implemented are designed to troll, there are whole cheats out there dedicated to hunting certain players down given a name input and only use and activate aim-bot when that player has been detected in the memory or it has been chosen and read. These cheats are much more complex, however, some people may want to just make small modifications to the game such as changing the background, colors, states, settings etc from external managers.

Understanding the basics of → Hooking

Hooking is by far one of the most used methods for all types of cheats, in general the concept of hooking is to hook an internal function in the game and replace it with one the hacker made to control the flow and execution within the game’s program. Hooks are typically used to override graphical functions which display player data which are then replaced by functions that may have been manipulated to draw out player data. A high level example of how it works is of the following steps.

First the hacker finds that the game has a function to calculate the players position, the hacker wants to replace this with a function that will change the given players position within the game. The hacker then will write a custom player based function to change those values finally using hooking techniques to replace the function within the game with the hackers custom function. When the game calls the original function which is now replaced with the hackers function the hackers function will be executed and will now change the values the hacker wanted to change. Hooking is almost always implemented at a source code or assembler based level of code. At the assembler level hooking will mostly involve injecting code into the games process then finally replacing the few instructions of the original function. Consider the original function in a game.

mov eax, [CLIENT]
add eax, 10
mov [CLIENT], eax
ret

This brick of code will move the players position by 10 and return, the custom function implemented by the hacker looks something like this.

mov eax, [CLIENT]
add eax, [VALUE]   ; in other cases may be 100
mov [CLIENT], eax  ; moves the client
jmp ORIGIN         ; Jumps to the original function

The hacker will inject and replace code in the original function causing the original function to look something like this once it has been modified.

jmp ORIGIN_CHANGED

ORIGIN:
mov eax, [CLIENT]
add eax, 10
mov [CLIENT], eax 
ret

This code above when the game goes to call the original function when calling the jmp instruction which is also known as jump to ___ when this function is finished the position is modified and then the control is passed back to the ORIGIN function which is called next in the assembly code. For now this is the most basic understanding we need to have of hooking as it is used in most game cheats to change the execution flow of games.

The final concept and confusion marker

Alot of people always get confused especially if they are new when they look at assembler patterns and patterns used in scanners, I know when I started out and saw a memory address or assembler pattern with an array of ? ? ? ? xx ? x ? x I would always get confused. So this next section is dedicated to explaining these concepts and understanding how they work and how they are developed and why they are used. First thing’s first, what exactly is a memory address? A memory address by definition and following by quotes is “a unique identifier for a specific location in the computer’s memory”. This basically is saying that given a function, variable, identifier or whatever is all assigned a specific location in memory represented by an address. For example

int main() { return 0; }

might have memory address of

0x43239

held in the memory where this address points to that function which is represented as a location in memory. Memory addresses are used in game hacking for many things and are almost if not 100% required all the time to create operations such as bypassers, changing or reading values from the game or will be used to write and modify other values apart of that address in the same game. Each memory address is completely different as they all refer to a specific byte within the memory. Now the major question behind people all the time when starting out is

how do they get these addresses? what is a mask and why is it required?

Well lets start one by one and go from the very begging to the end like we did all of the other concepts.

Understanding patterns and memory signatures

To start off with what even is a memory signature? A memory signature is a sequence of bytes which is used to identify a specific function or piece of code in memory. This signature can usually be represented as a hexadecimal string ( \x1b\x01\x93\xkd... ) where each byte is separated by a space or slash. Now, hackers may write programs called pattern scanners which are scanners that will take these strings and match them in memory, however there is something much more deeper as to how they work and where they need to determine values. For example, if they have a pattern scanner which matches values in memory for the following hexadecimal string

\x80\x3D\x00\x00\x00\x00\x00\x0F\x85\x00\x00\x00\x00\x85\xC9

They need to calculate the mask, the mask is used to define certain parts of the signature that can be ignored and also parts that must match directly. Have you ever seen the following snippet or something similar?

xx????xxx????xx

Well you may be wondering how they get these values and why they need them, well in order to scan for bytes in memory they need a mask to tell the scanner what must match with the string so we can dissect this. If you have the hexadecimal string like the one above starting with \x80 we can calculate the mask by saying for every byte that matches \x00 we can use a question mark ? and for every value that does not equal \x00 then place x , what do these values mean? In the signature and mask we use the x to represent a byte in the signature that MUST match directly, where we use a question mark ? for the complete opposite which in other words represents a byte in the signature that can have any value. These values are extremely important in a pattern scanner, but why? Most pattern scanners exist to get the actual value or actual address using the pattern within a currently running process. Having hex string which again represents the binary data in hexadecimal format and having a mask to that hex string that indicates which parts are important and which can be ignored are helpful because it can tell you which values are expected to change. For example if we know the data at

\x80\x3D\x00\x00\x00\x00\x00\x0F\x85\x00\x00\x00\x00\x85\xC9

is going to change, we can fill the mask with values we know are going to change which means these will be completely ignored or in other words field with ? where the values can change but have no affect. In sum if a particular value at a memory address is expected to change, the mask can be used to ignore that part of the hexadecimal string and still find the match. This can be useful when dealing with obfuscated code, where the exact sequence of bytes may change between different execution’s (states) of the program. Having masks also narrows down the search and being able to scan for these in memory is important in the context of game cheats because it is needed for again certain values, and you never want to have to rely on external resources every time an update is pushed to the game. Now that we have a general understanding we can move onto the assembler address which is written like this.

A1 ? ? ? ? 33 D2 6A 00 6A 00 33 C9 89 B0

Translating Assembler patterns

Assembler patterns which are another way to pattern scan for data in games and processes using pattern scanners can in themselves also be translated to those hexadecimal strings and then be converted to a mask. For example the following assembler pattern below will be translated to that hex address.

A1 ?? ?? ?? ?? 33 D2 6A 00 6A 00 33 C9 89 B0

this translates to

\xA1\x00\x00\x00\x00\x33\xD2\x6A\x00\x6A\x00\x33\xC9\x89\xB0

in hex. Notice how everything is just separated with a back slash and following that is an x? As you can see by comparing them the ? (question) marks were converted to \x00 which calling back from our previous section is a value that can change and will still have no affect on the address in other words a value that can be ignored. We can create our mask like so

x????xxxxxx

This might also be an easier concept to understand but it is also an important note. The mask must have the same amount of characters in either x or ? corresponding to the length count of each pattern specified. Below shows another case scenario with the hexadecimal address of

\x80\x3D\x00\x00\x00\x00\x00\x0F\x85\x00\x00\x00\x00\x85\xC9

Pretty simple to understand right? Now that is how the masks are calculated and it is a pretty simple concept to grasp but what do the question marks mean in the actual assembly pattern? Well they mean the same exact thing in the hexadecimal address. Let us build another scenario to better understand how this works.

Say you have the following assembly address

A1 ?? ?? ?? ?? 33 D2 6A 00 6A 00 33 C9 89 B0

We notice right away after A1 that there is a series of four question marks which represent a 32 bit memory address that is being loaded into the EAX register A1 . We know this because the A1 at the beginning of the code is an opcode short for operation code that loads the contents of a memory address into the EAX register IN X86 ASSEMBLER! The given characters of ?? following it represent an unknown value, in our case this is assumed to be a 32 bit integer because the use of a 32 bit memory address can be inferred from the fact that x86 assembler uses 32 bit addresses by default. if a 64 bit address was being used here it would be specified differently in the code such as with a different opcode or by using a different register to store the address. But what about actually getting those signatures. Well, to answer that question, seen below is a list of common methods used by game hackers to get these addresses.

  • Method 1 → Static analytics : Game hackers will use static analysis to find these values which is the static analytics of the games binary code to locate the given assembly instructions. To do this the hacker may use popular reverse engineering frameworks such as IDA pro or debuggers and binary analyst tools such as ollyDBG. These hackers can use other disassembles to search function to locate the exact sequence of assembly instructions to determine the address of where they are located during execution time or stored in memory. This is a very slow process and can be time consuming.
  • Method 2 → Dynamic analytics : Game hackers use dynamic analysis which is running a game and using a debugger such as OllyDBG or memory scanners like cheat engine to dynamically analyze its memory. Once the scans finish hackers can continue to search for the exact sequence of assembly instructions in the games memory and determine where they all reside within the memory.
  • Method 3 → Reverse engineering : Reverse engineering is a pretty main step in game hacking but it also is used to understand how the game works and determine the address of the given assembler instructions. This is an even slower process because you have to analyze and understand alot about the game you are dissecting in order to make a properly educated guess as to where the code that implementes the given functionality resides.

The base logical understanding of game cheats

Game cheats have been around for quite a while and so has the skill and knowledge required to build and sell them. Game cheats take a lot of time, a lot of skill, a lot of algorithmic implementation and general knowledge of hacking. Game cheats can also range from easy to hard and may come in many shapes and form’s allowing hackers to do whatever they want to the game as long as it is client side and if the hacker gets lucky then server side through security flaws within the server. Many current game cheats exist for games and it is a constant battle between cheat and cheat developers but also cheat and game developers. Understanding the logic of how these algorithms are implemented really helps you understand how these games are modified and I am sure by using this logic and lesson you can also find methods to prevent the cheaters from cheating. A good practice to also understanding the concepts of how cheats even begin to start such as by writing and injecting themselves into the game would be to write your own plugin to a current anti cheat system such as VAC or a current game like CSGO to prevent DLL injection, detected external over lays and even prevent memory mapping and process attaching using debuggers and other tools. It is always hard to understand and the game cheating road of truly understanding how its done is something that is always difficult to catch at first but eventually you will learn most of what you need to know. The purpose of this article was not to teach you about game cheats directly but to rather show you the logical processing that goes behind them and the work that goes into them from the game cheat developers themselves and the amount of knowledge it takes. This logical thinking and deep understanding of concepts is also universal because the concept stays the same and as we said before only the implementation of the concept may change depending on the concept type. In the case of ESP the general idea is to give people site of everything but the concept depends on the type such as item, player, weapon, entity ESP which all change the way the final concept of those under the umbrella of ESP are implemented into a game. Some people like to remark that it is not that deep but they are wrong, understanding the concepts will allow you to have the skill to read almost any piece of source code of cheats like ESP or aim-bot no matter the language and be able to understand the implementation. For example the world to screen function shown below is from a ESP cheat for CSGO.

struct Vector3 WorldToScreen(const struct Vector3 pos, struct view_matrix_t matrix) {
    struct Vector3 out;
    float _x = matrix.matrix[0] * pos.x + matrix.matrix[1] * pos.y + matrix.matrix[2] * pos.z + matrix.matrix[3];
    float _y = matrix.matrix[4] * pos.x + matrix.matrix[5] * pos.y + matrix.matrix[6] * pos.z + matrix.matrix[7];
    out.z = matrix.matrix[12] * pos.x + matrix.matrix[13] * pos.y + matrix.matrix[14] * pos.z + matrix.matrix[15];
 
    _x *= 1.f / out.z;
    _y *= 1.f / out.z;
 
    int width = WBounds.right - WBounds.left;
    int height = WBounds.bottom + WBounds.left;
 
    out.x = width * .5f;
    out.y = height * .5f;
 
    out.x += 0.5f * _x * width + 0.5f;
    out.y -= 0.5f * _y * height + 0.5f;
 
    return out;
}

however we may also see it in other languages like the following languages below.

  • Go implementation of the function in C++
type Vector3 struct {
    x, y, z float32
}

type viewMatrixT struct {
    matrix [16]float32
}

func WorldToScreen(pos Vector3, matrix viewMatrixT) Vector3 {
    var out Vector3
    _x := matrix.matrix[0]*pos.x + matrix.matrix[1]*pos.y + matrix.matrix[2]*pos.z + matrix.matrix[3]
    _y := matrix.matrix[4]*pos.x + matrix.matrix[5]*pos.y + matrix.matrix[6]*pos.z + matrix.matrix[7]
    out.z = matrix.matrix[12]*pos.x + matrix.matrix[13]*pos.y + matrix.matrix[14]*pos.z + matrix.matrix[15]
 
    _x *= 1.0 / out.z
    _y *= 1.0 / out.z
 
    width := WBounds.right - WBounds.left
    height := WBounds.bottom + WBounds.left
 
    out.x = float32(width) * 0.5
    out.y = float32(height) * 0.5
 
    out.x += 0.5*_x*float32(width) + 0.5
    out.y -= 0.5*_y*float32(height) + 0.5
 
    return out
}
  • Fortran implementation of the function above in C++
program main 
  type Vector3
  real :: x, y, z
end type Vector3

type viewMatrixT
  real, dimension(16) :: matrix
end type viewMatrixT

function WorldToScreen(pos, matrix) result(out)
    type(Vector3) :: pos
    type(viewMatrixT) :: matrix
    type(Vector3) :: out
    real :: _x, _y
    _x = matrix%matrix(1)*pos%x + matrix%matrix(2)*pos%y + matrix%matrix(3)*pos%z + matrix%matrix(4)
    _y = matrix%matrix(5)*pos%x + matrix%matrix(6)*pos%y + matrix%matrix(7)*pos%z + matrix%matrix(8)
    out%z = matrix%matrix(13)*pos%x + matrix%matrix(14)*pos%y + matrix%matrix(15)*pos%z + matrix%matrix(16)
    _x = _x / out%z
    _y = _y / out%z
    width = WBounds%right - WBounds%left
    height = WBounds%bottom + WBounds%left
    out%x = real(width, kind=4) * 0.5
    out%y = real(height, kind=4) * 0.5
    out%x = out%x + 0.5 * _x * real(width, kind=4) + 0.5
    out%y = out%y - 0.5 * _y * real(height, kind=4) + 0.5
  end function WorldToScreen
end program main

As you can see even if you may not know Golang or FORTRAN to the highest extent which are two completely different languages then you will still be able to understand what this function is doing because we understand the general concept which is universal and if it is allowable in almost any language then it can be read in any language that allows this kind of arithmetic.

Conclusion and Summary

This article was super deep and went to an extreme length of understanding game cheat concepts such as the world to screen function, linear transformation algorithms, vector mathematics and even taking snippets of code from open sourced cheats and understanding how they work on a deeper level. This article also went into deep detail as to how this logic helps in the different forms of cheats and discussed why the types may change depending on the variation or features of the concept of cheat. The main point of this article was to again show you how well the logical understanding and processing of mathematical and computational concepts helps and is very universal to most things computers. When working with game cheats and working with them raw on a game that may not have been researched, understanding these concepts really helps when you want to learn how to exploit a game on your own with no guidance or work on a game that again has no prior hacks on it such as legacy games that are not talked about more or a newer game that came out. Sadly, once game’s are reverse engineered by cyber security experts and reverse engineers they are forever going to stay that way and hacks will be pushed out daily. In the instance that the game changes close to everything in a major update such as COD Modern Warfare 1 → COD Modern Warfare 2 then the game hackers will have to dump everything again and get the model index’s but because not everything in the game changes those hackers can use those same methods and frameworks or tool-kits to dump the data they need to bypass and build a new cheat for the game and can get back to starting to make that 6K a week or maybe even 20K a week selling the game cheat they sold before just much more modern. The truth being told that game cheaters will never be able to be defeated as new methods come out developed by smart people there is always someone smarter to develop a concept to bypass that method and vice versa within the game. Anyway I hope you all enjoyed this article as it was very complex and nice to write myself and I enjoyed it. The game cheating realm goes deep and it is fun to learn new things about it!

Until then, Totally_Not_A_Haxxer OUT!


Support me on 

Totally_Not_A_Haxxer

Totally_Not_A_Haxxer

Hello nerds! My name is Totally_Not_A_Haxxer, I am a professional security researcher, reverse engineer and programmer. I develop applications and programming languages to improve the state of the cyber security world everyday!

Next Post Previous Post
No Comment
Add Comment
comment url