views: 1615
answers: 4

I was curious if anyone had any experience/knowledge about aim bots in online FPS games such as Counter-Strike. I am curious and would like to learn more about how the cursor knows how to lock on to an opposing player. Obviously if I wanted to cheat I could go download some cheats, so this is more of a learning thing. What all is involved in it? Do they hook the user's mouse/keyboard in order to move the cursor to the correct location? How does the cheat application know where exactly to point the cursor? The cheat app must be able to access data within the game application; how is that accomplished?

EDIT: to Sid's answer, how do people obtain those known memory locations to grab the data from?

EDIT2: Let's say I find some values that I want at location 0xbbbbbbbb using a debug program or some other means. How do I now access and use the data stored at that location within the application, since I don't own that memory, the game does? Or do I now have access to it since I have injected into the process and can just copy the memory at that address using memcpy or something?

Anyone else have anything to add? Trying to learn as much about this as possible!

+35  A: 

Somewhere in the game memory is the X, Y, and Z location of each player. The game needs to know this information so it knows where to render the player's model and so forth (although you can limit how much the game client can know by only sending it player information for players in view). An aimbot can scan known memory locations for this information and read it out, giving it access to two positions: the player's and the enemy's. Subtracting the two positions (as vectors) gives the vector between the two, and it's simple from there to calculate the angle from the player's current look vector to the desired angle vector.

By sending input directly to the game (this is trivial) and fine-tuning with some constants you can get it to aim automatically pretty quickly. The hardest part of the process is nailing down where the positions are stored in memory and adjusting for any dynamic data structure moving players around on you (such as frustum culling).

Note that these are harder to write when address randomization is used, although not impossible.

Edit: If you're wondering how a program can access other programs' memory, the typical way to do it is through DLL injection.

Ron Warholic
So someone uses DLL injection; now how exactly do they know what memory to access? Trial and error until they find what they are looking for?
+1 Great answer, @Sid Farkus!
KG
Trial and error, yes, pretty much.
mizipzor
Using memory readers/scanners, attaching a debugger, using specially built tools, or a number of other tricks, you can watch values in the process's memory as they're changing and pause execution to examine the actual code that's executing. Typically, to find a specific address you can take a snapshot of the process's memory, manipulate the one variable you want to read (such as moving your player), take another snapshot of memory and look at the values that have changed.
Ron Warholic
Could you recommend such a tool that would allow me to take snapshots of the memory of a running process? I was looking into MSDN c++ DebugActiveProcess, but don't have any experience with it.
You don't need DLL injection to access a program's memory. DLL injection is used to execute code in the same address space as the target process. You can then use it to call upon functions that are internal to that process or trap certain calls.
Simucal
Ahh, thanks for clarifying; yeah, I found the Read/WriteProcessMemory functions on MSDN, so those should be helpful.
However, isn't it possible that you need to read/write the memory of the process from inside its address space, as it might block other programs from doing so?
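To make the vector geometry in the answer above concrete, and to show how a server can use the same angle calculation to flag the instantaneous snaps it produces, here is an added Python example (not code from the original post). The coordinate convention, the thresholds and the per-tick sample data are assumed/constructed for illustration.

```python
import math

# Convention assumed for this example: x forward, y left, z up; angles in degrees.

def direction_to(from_pos, to_pos):
    """Yaw and pitch of the vector from from_pos to to_pos (position subtraction)."""
    dx, dy, dz = (b - a for a, b in zip(from_pos, to_pos))
    yaw = math.degrees(math.atan2(dy, dx))
    pitch = math.degrees(math.atan2(dz, math.hypot(dx, dy)))
    return yaw, pitch

def angular_delta(a, b):
    """Smallest angle between two (yaw, pitch) view directions, yaw wrapped to [-180, 180)."""
    dyaw = (b[0] - a[0] + 180.0) % 360.0 - 180.0
    return math.hypot(dyaw, b[1] - a[1])

def flag_snaps(ticks, max_turn=45.0, on_target=1.0):
    """Server-side check: return tick indexes where the view turned more than
    max_turn degrees since the previous tick AND landed within on_target degrees
    of some enemy. Thresholds are assumed values, not tuned for any real game."""
    flagged = []
    for i in range(1, len(ticks)):
        cur = ticks[i]
        turn = angular_delta(ticks[i - 1]["view"], cur["view"])
        if turn <= max_turn:
            continue  # a turn a human could plausibly make in one tick
        for enemy in cur["enemies"]:
            if angular_delta(cur["view"], direction_to(cur["pos"], enemy)) <= on_target:
                flagged.append(i)
                break
    return flagged

# Constructed sample: player at the origin, one enemy at (100, 100, 0), i.e. yaw 45.
ENEMY = (100, 100, 0)
SAMPLE_TICKS = [
    {"pos": (0, 0, 0), "view": (-20.0, 0.0), "enemies": [ENEMY]},
    {"pos": (0, 0, 0), "view": (-15.0, 0.0), "enemies": [ENEMY]},  # 5 degree turn
    {"pos": (0, 0, 0), "view": (-10.0, 0.0), "enemies": [ENEMY]},  # 5 degree turn
    {"pos": (0, 0, 0), "view": (45.0, 0.0), "enemies": [ENEMY]},   # 55 degree snap, dead on
    {"pos": (0, 0, 0), "view": (45.0, 0.0), "enemies": [ENEMY]},   # holding on target
]

if __name__ == "__main__":
    print("suspicious ticks:", flag_snaps(SAMPLE_TICKS))
```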
+8  A: 

Interesting question - not exactly your answer but I remember in the early days of Counter-Strike people used to replace their opengl32.dll with a botched one that would render polygons as transparent so they could see through the walls.

The hacks improved and got more annoying, and people got more creative. Now Valve/Steam seems to do a good job of removing them. Just a bit of warning if you're planning on playing with this stuff, Steam does scan for 'hacks' and if any are found, they'll ban you for at least a year, possibly more.

Chalkey
+1 for fun trivia. :)
mizipzor
+1 I was just reading through all the possible Counter-Strike hacks. There is actually a subscription hack industry (much like the anti-virus industry) which tries to stay ahead of the hack detection curve.
whatnick
I thought VAC bans were permanent, not yearly?
bdonlan
I've just looked it up on their forum. It used to be one year, then two; now it's permanent.
Chalkey
+4  A: 

A lot of "Aim bots" aren't aim bots at all but trigger bots. They're background processes that wait until your reticle is actually over a target and fire automatically. This can be accomplished in a number of different ways, but a lot of games make it easy by displaying the name of someone whenever your target goes over them, or some other piece of data in memory that a trigger bot can pinpoint.

This way, you play by waving the mouse at your target and as soon as you mouse over them it will trigger a shot without your having to actually fire yourself.

They still have to be able to pinpoint that sort of stuff in memory and have the same sort of issues that truer "Aim bots" do.

Drew
That explains why I have seen some aimbots just shaking the cursor randomly around really fast; they must be looking for names to pop up so they know when to fire.
+3  A: 

Another method that has been used in the past is to reverse engineer the network packet formatting. A man-in-the-middle attack on the packet stream (which can be done on the same system the game runs on) can provide player positions and other useful related information. Forged packets can be sent to the server to move the player, shoot, or do all kinds of things depending on the game.

Alan