├── README.md ├── CS2CheatPOC ├── Classes │ ├── Line.cs │ ├── Rectangle.cs │ └── Player.cs ├── ESPBehaviour.cs ├── CS2CheatPOC.csproj ├── Memory.cs └── Program.cs ├── CS2CheatPOC.sln ├── .gitattributes └── .gitignore /README.md: -------------------------------------------------------------------------------- 1 | # CS2CheatPOC 2 | CS:GO 2 External Aimbot Proof of Concept
3 | Also ESP which utilizes https://github.com/shuruk421/custom_overlay 4 | -------------------------------------------------------------------------------- /CS2CheatPOC/Classes/Line.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Linq; 4 | using System.Text; 5 | using System.Threading.Tasks; 6 | 7 | namespace CS2CheatPOC.Classes 8 | { 9 | public class Line 10 | { 11 | public int X1 { get; set; } 12 | public int Y1 { get; set; } 13 | public int X2 { get; set; } 14 | public int Y2 { get; set; } 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /CS2CheatPOC/Classes/Rectangle.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Linq; 4 | using System.Text; 5 | using System.Threading.Tasks; 6 | 7 | namespace CS2CheatPOC.Classes 8 | { 9 | public class Rectangle 10 | { 11 | public int X { get; set; } 12 | public int Y { get; set; } 13 | public int Width { get; set; } 14 | public int Height { get; set; } 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /CS2CheatPOC/ESPBehaviour.cs: -------------------------------------------------------------------------------- 1 | 2 | using CS2CheatPOC.Classes; 3 | using Newtonsoft.Json; 4 | using WebSocketSharp; 5 | using WebSocketSharp.Server; 6 | 7 | namespace CS2CheatPOC 8 | { 9 | public class ESPBehaviour : WebSocketBehavior 10 | { 11 | protected override void OnMessage(MessageEventArgs e) 12 | { 13 | if (e.Data == "GET") 14 | { 15 | var lines = CheatClass.GetLines(); 16 | Send(JsonConvert.SerializeObject(lines)); 17 | } 18 | } 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /CS2CheatPOC/CS2CheatPOC.csproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Exe 5 | net6.0 6 | enable 7 | enable 8 | true 9 | AnyCPU;x64 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | -------------------------------------------------------------------------------- /CS2CheatPOC/Classes/Player.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Numerics; 3 | using System.Runtime.InteropServices; 4 | 5 | [StructLayout(LayoutKind.Explicit)] 6 | public struct Player 7 | { 8 | [FieldOffset(0x318)] 9 | public int m_iMaxHealth; 10 | [FieldOffset(0x86C)] 11 | public float XPos; 12 | [FieldOffset(0x86C + 4)] 13 | public float YPos; 14 | [FieldOffset(0x86C + 8)] 15 | public float ZPos; 16 | [FieldOffset(0x3B8)] 17 | public byte m_fFlags; 18 | [FieldOffset(0x31C)] 19 | public int m_iHealth; 20 | [FieldOffset(0x3AF)] 21 | public int m_iTeamNum; 22 | [FieldOffset(0x300)] 23 | public long m_pGameSceneNode; // CGameSceneNode* (CSkeletonInstance*) 24 | } 25 | 26 | [StructLayout(LayoutKind.Explicit)] 27 | public struct CSkeletonInstance 28 | { 29 | [FieldOffset(0x160)] 30 | public CModelState m_modelState; // 0x160 - 0x390 31 | } 32 | 33 | [StructLayout(LayoutKind.Explicit)] 34 | public struct CModelState 35 | { 36 | [FieldOffset(0x80)] 37 | public long m_boneArray; // CBoneData* 38 | } 39 | 40 | public struct CBoneData 41 | { 42 | public Vector3 Location; 43 | public float Scale; 44 | public Quaternion Rotation; 45 | } -------------------------------------------------------------------------------- /CS2CheatPOC.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 17 4 | VisualStudioVersion = 17.5.33516.290 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "CS2CheatPOC", "CS2CheatPOC\CS2CheatPOC.csproj", "{9ED7E1B1-CB05-48F8-A529-8BAC56338DD1}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Any CPU = Debug|Any CPU 11 | Debug|x64 = Debug|x64 12 | Release|Any CPU = Release|Any CPU 13 | Release|x64 = Release|x64 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {9ED7E1B1-CB05-48F8-A529-8BAC56338DD1}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 17 | {9ED7E1B1-CB05-48F8-A529-8BAC56338DD1}.Debug|Any CPU.Build.0 = Debug|Any CPU 18 | {9ED7E1B1-CB05-48F8-A529-8BAC56338DD1}.Debug|x64.ActiveCfg = Debug|x64 19 | {9ED7E1B1-CB05-48F8-A529-8BAC56338DD1}.Debug|x64.Build.0 = Debug|x64 20 | {9ED7E1B1-CB05-48F8-A529-8BAC56338DD1}.Release|Any CPU.ActiveCfg = Release|Any CPU 21 | {9ED7E1B1-CB05-48F8-A529-8BAC56338DD1}.Release|Any CPU.Build.0 = Release|Any CPU 22 | {9ED7E1B1-CB05-48F8-A529-8BAC56338DD1}.Release|x64.ActiveCfg = Release|x64 23 | {9ED7E1B1-CB05-48F8-A529-8BAC56338DD1}.Release|x64.Build.0 = Release|x64 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {E34A59FC-E313-4AAD-8EC5-33E76BB5B92B} 30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | ############################################################################### 2 | # Set default behavior to automatically normalize line endings. 3 | ############################################################################### 4 | * text=auto 5 | 6 | ############################################################################### 7 | # Set default behavior for command prompt diff. 8 | # 9 | # This is need for earlier builds of msysgit that does not have it on by 10 | # default for csharp files. 11 | # Note: This is only used by command line 12 | ############################################################################### 13 | #*.cs diff=csharp 14 | 15 | ############################################################################### 16 | # Set the merge driver for project and solution files 17 | # 18 | # Merging from the command prompt will add diff markers to the files if there 19 | # are conflicts (Merging from VS is not affected by the settings below, in VS 20 | # the diff markers are never inserted). Diff markers may cause the following 21 | # file extensions to fail to load in VS. An alternative would be to treat 22 | # these files as binary and thus will always conflict and require user 23 | # intervention with every merge. To do so, just uncomment the entries below 24 | ############################################################################### 25 | #*.sln merge=binary 26 | #*.csproj merge=binary 27 | #*.vbproj merge=binary 28 | #*.vcxproj merge=binary 29 | #*.vcproj merge=binary 30 | #*.dbproj merge=binary 31 | #*.fsproj merge=binary 32 | #*.lsproj merge=binary 33 | #*.wixproj merge=binary 34 | #*.modelproj merge=binary 35 | #*.sqlproj merge=binary 36 | #*.wwaproj merge=binary 37 | 38 | ############################################################################### 39 | # behavior for image files 40 | # 41 | # image files are treated as binary by default. 42 | ############################################################################### 43 | #*.jpg binary 44 | #*.png binary 45 | #*.gif binary 46 | 47 | ############################################################################### 48 | # diff behavior for common document formats 49 | # 50 | # Convert binary document formats to text before diffing them. This feature 51 | # is only available from the command line. Turn it on by uncommenting the 52 | # entries below. 53 | ############################################################################### 54 | #*.doc diff=astextplain 55 | #*.DOC diff=astextplain 56 | #*.docx diff=astextplain 57 | #*.DOCX diff=astextplain 58 | #*.dot diff=astextplain 59 | #*.DOT diff=astextplain 60 | #*.pdf diff=astextplain 61 | #*.PDF diff=astextplain 62 | #*.rtf diff=astextplain 63 | #*.RTF diff=astextplain 64 | -------------------------------------------------------------------------------- /CS2CheatPOC/Memory.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Data.SqlTypes; 4 | using System.Diagnostics; 5 | using System.Drawing; 6 | using System.Linq; 7 | using System.Net; 8 | using System.Reflection; 9 | using System.Reflection.Metadata; 10 | using System.Runtime.InteropServices; 11 | using System.Text; 12 | using System.Threading.Tasks; 13 | 14 | namespace CS2CheatPOC 15 | { 16 | public class Memory 17 | { 18 | [DllImport("kernel32.dll")] 19 | public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId); 20 | 21 | [DllImport("kernel32.dll")] 22 | public static extern bool CloseHandle(int hObject); 23 | 24 | [DllImport("kernel32.dll")] 25 | public static extern bool ReadProcessMemory(int hProcess, long lpBaseAddress, byte[] lpBuffer, int dwSize, ref int lpNumberOfBytesRead); 26 | 27 | [DllImport("kernel32.dll")] 28 | public static extern bool WriteProcessMemory(int hProcess, long lpBaseAddress, byte[] lpBuffer, int nSize, ref int lpNumberOfBytesWritten); 29 | 30 | [DllImport("psapi.dll")] 31 | public static extern bool EnumProcessModulesEx(int hProcess, long[] lphModule, long cb, ref int lpcbNeeded, int dwFilterFlag); 32 | 33 | [DllImport("psapi.dll")] 34 | public static extern bool GetModuleFileNameExA(int hProcess, long hModule, char[] lpFilename, int nSize); 35 | 36 | [DllImport("kernel32.dll")] 37 | public static extern int GetLastError(); 38 | 39 | [DllImport("user32.dll", CharSet = CharSet.Auto)] 40 | public static extern IntPtr FindWindow(string strClassName, string strWindowName); 41 | 42 | [DllImport("user32.dll")] 43 | public static extern bool GetWindowRect(IntPtr hwnd, ref Rect rectangle); 44 | 45 | public struct Rect 46 | { 47 | public int Left { get; set; } 48 | public int Top { get; set; } 49 | public int Right { get; set; } 50 | public int Bottom { get; set; } 51 | } 52 | 53 | public static long GetModuleBaseAddress(Process process, string moduleName) 54 | { 55 | 56 | // Get an instance of the specified module in the process 57 | // We use linq here to avoid unnecesary for loops 58 | 59 | var module = process.Modules.Cast().SingleOrDefault(m => string.Equals(m.ModuleName, moduleName, StringComparison.OrdinalIgnoreCase)); 60 | 61 | // Attempt to get the base address of the module - Return IntPtr.Zero if the module doesn't exist in the process 62 | return (long) module?.BaseAddress; 63 | } 64 | 65 | public static int WriteFloat(int processHandle, long address, float value) 66 | { 67 | int bytesWritten = 0; 68 | byte[] bytes = BitConverter.GetBytes(value); 69 | WriteProcessMemory(processHandle, address, bytes, sizeof(float), ref bytesWritten); 70 | return bytesWritten; 71 | } 72 | 73 | public static int ReadInt(int processHandle, long address) 74 | { 75 | byte[] buff = new byte[4]; 76 | int bytesRead = 0; 77 | bool readMemory = ReadProcessMemory(processHandle, address, buff, buff.Length, ref bytesRead); 78 | if (!readMemory) 79 | throw new Exception("Error reading int"); 80 | return BitConverter.ToInt32(buff); 81 | } 82 | 83 | public static long ReadPointer(int processHandle, long address) 84 | { 85 | byte[] buff = new byte[8]; 86 | int bytesRead = 0; 87 | bool readMemory = ReadProcessMemory(processHandle, address, buff, buff.Length, ref bytesRead); 88 | if (!readMemory) 89 | throw new Exception("Error reading int"); 90 | return BitConverter.ToInt64(buff); 91 | } 92 | public static long GetAddressFromOffsets(int processHandle, long baseAddress, int[] offsets) 93 | { 94 | long lastAddress = baseAddress; 95 | foreach (var offset in offsets.Take(offsets.Length - 1)) 96 | { 97 | lastAddress = ReadPointer(processHandle, lastAddress + offset); 98 | } 99 | return lastAddress + offsets.Last(); 100 | } 101 | 102 | public static unsafe T[] ReadStructArray(int processHandle, long address, int length) where T : struct 103 | { 104 | T[] array = new T[length]; 105 | for (int i = 0; i < length; i++) 106 | { 107 | unsafe 108 | { 109 | array[i] = ReadStruct(processHandle, address + sizeof(T) * i); 110 | } 111 | } 112 | return array; 113 | } 114 | 115 | public static unsafe T ReadStruct(int processHandle, long address) where T : struct 116 | { 117 | unsafe 118 | { 119 | T result = new T(); 120 | byte[] buff = new byte[sizeof(T)]; 121 | int bytesRead = 0; 122 | bool readMemory = ReadProcessMemory(processHandle, address, buff, buff.Length, ref bytesRead); 123 | if (!readMemory) 124 | throw new Exception("Error reading struct"); 125 | fixed (byte* bufferPtr = buff) 126 | { 127 | Buffer.MemoryCopy(bufferPtr, &result, sizeof(T), sizeof(T)); 128 | } 129 | return result; 130 | } 131 | } 132 | } 133 | } 134 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | ## 4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore 5 | 6 | # User-specific files 7 | *.rsuser 8 | *.suo 9 | *.user 10 | *.userosscache 11 | *.sln.docstates 12 | 13 | # User-specific files (MonoDevelop/Xamarin Studio) 14 | *.userprefs 15 | 16 | # Mono auto generated files 17 | mono_crash.* 18 | 19 | # Build results 20 | [Dd]ebug/ 21 | [Dd]ebugPublic/ 22 | [Rr]elease/ 23 | [Rr]eleases/ 24 | x64/ 25 | x86/ 26 | [Ww][Ii][Nn]32/ 27 | [Aa][Rr][Mm]/ 28 | [Aa][Rr][Mm]64/ 29 | bld/ 30 | [Bb]in/ 31 | [Oo]bj/ 32 | [Oo]ut/ 33 | [Ll]og/ 34 | [Ll]ogs/ 35 | 36 | # Visual Studio 2015/2017 cache/options directory 37 | .vs/ 38 | # Uncomment if you have tasks that create the project's static files in wwwroot 39 | #wwwroot/ 40 | 41 | # Visual Studio 2017 auto generated files 42 | Generated\ Files/ 43 | 44 | # MSTest test Results 45 | [Tt]est[Rr]esult*/ 46 | [Bb]uild[Ll]og.* 47 | 48 | # NUnit 49 | *.VisualState.xml 50 | TestResult.xml 51 | nunit-*.xml 52 | 53 | # Build Results of an ATL Project 54 | [Dd]ebugPS/ 55 | [Rr]eleasePS/ 56 | dlldata.c 57 | 58 | # Benchmark Results 59 | BenchmarkDotNet.Artifacts/ 60 | 61 | # .NET Core 62 | project.lock.json 63 | project.fragment.lock.json 64 | artifacts/ 65 | 66 | # ASP.NET Scaffolding 67 | ScaffoldingReadMe.txt 68 | 69 | # StyleCop 70 | StyleCopReport.xml 71 | 72 | # Files built by Visual Studio 73 | *_i.c 74 | *_p.c 75 | *_h.h 76 | *.ilk 77 | *.meta 78 | *.obj 79 | *.iobj 80 | *.pch 81 | *.pdb 82 | *.ipdb 83 | *.pgc 84 | *.pgd 85 | *.rsp 86 | *.sbr 87 | *.tlb 88 | *.tli 89 | *.tlh 90 | *.tmp 91 | *.tmp_proj 92 | *_wpftmp.csproj 93 | *.log 94 | *.vspscc 95 | *.vssscc 96 | .builds 97 | *.pidb 98 | *.svclog 99 | *.scc 100 | 101 | # Chutzpah Test files 102 | _Chutzpah* 103 | 104 | # Visual C++ cache files 105 | ipch/ 106 | *.aps 107 | *.ncb 108 | *.opendb 109 | *.opensdf 110 | *.sdf 111 | *.cachefile 112 | *.VC.db 113 | *.VC.VC.opendb 114 | 115 | # Visual Studio profiler 116 | *.psess 117 | *.vsp 118 | *.vspx 119 | *.sap 120 | 121 | # Visual Studio Trace Files 122 | *.e2e 123 | 124 | # TFS 2012 Local Workspace 125 | $tf/ 126 | 127 | # Guidance Automation Toolkit 128 | *.gpState 129 | 130 | # ReSharper is a .NET coding add-in 131 | _ReSharper*/ 132 | *.[Rr]e[Ss]harper 133 | *.DotSettings.user 134 | 135 | # TeamCity is a build add-in 136 | _TeamCity* 137 | 138 | # DotCover is a Code Coverage Tool 139 | *.dotCover 140 | 141 | # AxoCover is a Code Coverage Tool 142 | .axoCover/* 143 | !.axoCover/settings.json 144 | 145 | # Coverlet is a free, cross platform Code Coverage Tool 146 | coverage*.json 147 | coverage*.xml 148 | coverage*.info 149 | 150 | # Visual Studio code coverage results 151 | *.coverage 152 | *.coveragexml 153 | 154 | # NCrunch 155 | _NCrunch_* 156 | .*crunch*.local.xml 157 | nCrunchTemp_* 158 | 159 | # MightyMoose 160 | *.mm.* 161 | AutoTest.Net/ 162 | 163 | # Web workbench (sass) 164 | .sass-cache/ 165 | 166 | # Installshield output folder 167 | [Ee]xpress/ 168 | 169 | # DocProject is a documentation generator add-in 170 | DocProject/buildhelp/ 171 | DocProject/Help/*.HxT 172 | DocProject/Help/*.HxC 173 | DocProject/Help/*.hhc 174 | DocProject/Help/*.hhk 175 | DocProject/Help/*.hhp 176 | DocProject/Help/Html2 177 | DocProject/Help/html 178 | 179 | # Click-Once directory 180 | publish/ 181 | 182 | # Publish Web Output 183 | *.[Pp]ublish.xml 184 | *.azurePubxml 185 | # Note: Comment the next line if you want to checkin your web deploy settings, 186 | # but database connection strings (with potential passwords) will be unencrypted 187 | *.pubxml 188 | *.publishproj 189 | 190 | # Microsoft Azure Web App publish settings. Comment the next line if you want to 191 | # checkin your Azure Web App publish settings, but sensitive information contained 192 | # in these scripts will be unencrypted 193 | PublishScripts/ 194 | 195 | # NuGet Packages 196 | *.nupkg 197 | # NuGet Symbol Packages 198 | *.snupkg 199 | # The packages folder can be ignored because of Package Restore 200 | **/[Pp]ackages/* 201 | # except build/, which is used as an MSBuild target. 202 | !**/[Pp]ackages/build/ 203 | # Uncomment if necessary however generally it will be regenerated when needed 204 | #!**/[Pp]ackages/repositories.config 205 | # NuGet v3's project.json files produces more ignorable files 206 | *.nuget.props 207 | *.nuget.targets 208 | 209 | # Microsoft Azure Build Output 210 | csx/ 211 | *.build.csdef 212 | 213 | # Microsoft Azure Emulator 214 | ecf/ 215 | rcf/ 216 | 217 | # Windows Store app package directories and files 218 | AppPackages/ 219 | BundleArtifacts/ 220 | Package.StoreAssociation.xml 221 | _pkginfo.txt 222 | *.appx 223 | *.appxbundle 224 | *.appxupload 225 | 226 | # Visual Studio cache files 227 | # files ending in .cache can be ignored 228 | *.[Cc]ache 229 | # but keep track of directories ending in .cache 230 | !?*.[Cc]ache/ 231 | 232 | # Others 233 | ClientBin/ 234 | ~$* 235 | *~ 236 | *.dbmdl 237 | *.dbproj.schemaview 238 | *.jfm 239 | *.pfx 240 | *.publishsettings 241 | orleans.codegen.cs 242 | 243 | # Including strong name files can present a security risk 244 | # (https://github.com/github/gitignore/pull/2483#issue-259490424) 245 | #*.snk 246 | 247 | # Since there are multiple workflows, uncomment next line to ignore bower_components 248 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 249 | #bower_components/ 250 | 251 | # RIA/Silverlight projects 252 | Generated_Code/ 253 | 254 | # Backup & report files from converting an old project file 255 | # to a newer Visual Studio version. Backup files are not needed, 256 | # because we have git ;-) 257 | _UpgradeReport_Files/ 258 | Backup*/ 259 | UpgradeLog*.XML 260 | UpgradeLog*.htm 261 | ServiceFabricBackup/ 262 | *.rptproj.bak 263 | 264 | # SQL Server files 265 | *.mdf 266 | *.ldf 267 | *.ndf 268 | 269 | # Business Intelligence projects 270 | *.rdl.data 271 | *.bim.layout 272 | *.bim_*.settings 273 | *.rptproj.rsuser 274 | *- [Bb]ackup.rdl 275 | *- [Bb]ackup ([0-9]).rdl 276 | *- [Bb]ackup ([0-9][0-9]).rdl 277 | 278 | # Microsoft Fakes 279 | FakesAssemblies/ 280 | 281 | # GhostDoc plugin setting file 282 | *.GhostDoc.xml 283 | 284 | # Node.js Tools for Visual Studio 285 | .ntvs_analysis.dat 286 | node_modules/ 287 | 288 | # Visual Studio 6 build log 289 | *.plg 290 | 291 | # Visual Studio 6 workspace options file 292 | *.opt 293 | 294 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 295 | *.vbw 296 | 297 | # Visual Studio LightSwitch build output 298 | **/*.HTMLClient/GeneratedArtifacts 299 | **/*.DesktopClient/GeneratedArtifacts 300 | **/*.DesktopClient/ModelManifest.xml 301 | **/*.Server/GeneratedArtifacts 302 | **/*.Server/ModelManifest.xml 303 | _Pvt_Extensions 304 | 305 | # Paket dependency manager 306 | .paket/paket.exe 307 | paket-files/ 308 | 309 | # FAKE - F# Make 310 | .fake/ 311 | 312 | # CodeRush personal settings 313 | .cr/personal 314 | 315 | # Python Tools for Visual Studio (PTVS) 316 | __pycache__/ 317 | *.pyc 318 | 319 | # Cake - Uncomment if you are using it 320 | # tools/** 321 | # !tools/packages.config 322 | 323 | # Tabs Studio 324 | *.tss 325 | 326 | # Telerik's JustMock configuration file 327 | *.jmconfig 328 | 329 | # BizTalk build output 330 | *.btp.cs 331 | *.btm.cs 332 | *.odx.cs 333 | *.xsd.cs 334 | 335 | # OpenCover UI analysis results 336 | OpenCover/ 337 | 338 | # Azure Stream Analytics local run output 339 | ASALocalRun/ 340 | 341 | # MSBuild Binary and Structured Log 342 | *.binlog 343 | 344 | # NVidia Nsight GPU debugger configuration file 345 | *.nvuser 346 | 347 | # MFractors (Xamarin productivity tool) working folder 348 | .mfractor/ 349 | 350 | # Local History for Visual Studio 351 | .localhistory/ 352 | 353 | # BeatPulse healthcheck temp database 354 | healthchecksdb 355 | 356 | # Backup folder for Package Reference Convert tool in Visual Studio 2017 357 | MigrationBackup/ 358 | 359 | # Ionide (cross platform F# VS Code tools) working folder 360 | .ionide/ 361 | 362 | # Fody - auto-generated XML schema 363 | FodyWeavers.xsd -------------------------------------------------------------------------------- /CS2CheatPOC/Program.cs: -------------------------------------------------------------------------------- 1 | using CS2CheatPOC; 2 | using CS2CheatPOC.Classes; 3 | using System.Diagnostics; 4 | using System.Numerics; 5 | using WebSocketSharp.Server; 6 | using static CS2CheatPOC.Memory; 7 | 8 | namespace CS2CheatPOC; 9 | 10 | public class CheatClass 11 | { 12 | static Vector2 WorldToAngle(Vector3 playerPos, Vector3 vector) 13 | { 14 | Vector3 relativePos = new Vector3(vector.X - playerPos.X, vector.Y - playerPos.Y, vector.Z - playerPos.Z); 15 | float yaw = (float)Math.Atan(relativePos.Y / relativePos.X); 16 | float pitch = (float)-Math.Atan(relativePos.Z / Math.Sqrt(relativePos.X * relativePos.X + relativePos.Y * relativePos.Y)); 17 | float degrees = 180 / (float)Math.PI; 18 | yaw *= degrees; 19 | pitch *= degrees; 20 | if (relativePos.X < 0) 21 | yaw = yaw - 180; 22 | return new Vector2(pitch, yaw); 23 | } 24 | 25 | static Vector2 PlayersToAngle(int processHandle, Player player, Player target) 26 | { 27 | int headBoneindex = 6; 28 | int boneCount = 116; 29 | 30 | CSkeletonInstance playerSkeletonInstance = ReadStruct(processHandle, player.m_pGameSceneNode); 31 | CBoneData[] playerBoneArray = ReadStructArray(processHandle, playerSkeletonInstance.m_modelState.m_boneArray, boneCount); 32 | 33 | CSkeletonInstance targetSkeletonInstance = ReadStruct(processHandle, target.m_pGameSceneNode); 34 | CBoneData[] targetBoneArray = ReadStructArray(processHandle, targetSkeletonInstance.m_modelState.m_boneArray, boneCount); 35 | 36 | return WorldToAngle(playerBoneArray[headBoneindex].Location, targetBoneArray[headBoneindex].Location); 37 | } 38 | 39 | static float DistanceTo(Player player, Player target) 40 | { 41 | return new Vector3(player.XPos - target.XPos, player.YPos - target.YPos, player.ZPos - target.ZPos).Length(); 42 | } 43 | 44 | static Player? ClosestEnemy(Player[] players) 45 | { 46 | Player player = players[0]; 47 | Player? closestPlayer = null; 48 | float minDistance = float.MaxValue; 49 | for (int i = 1; i < players.Length; i++) 50 | { 51 | if (players[i].XPos == 0 && players[i].YPos == 0 && players[i].ZPos == 0) 52 | continue; 53 | 54 | if (players[i].m_iTeamNum != player.m_iTeamNum && players[i].m_iHealth != 0) 55 | { 56 | var distance = DistanceTo(player, players[i]); 57 | if (distance < minDistance) 58 | { 59 | closestPlayer = players[i]; 60 | minDistance = distance; 61 | } 62 | } 63 | } 64 | return closestPlayer; 65 | } 66 | 67 | public static Vector2? WorldToScreen(byte[] matrix, Vector3 origin, Rectangle gameWindow) 68 | { 69 | float m11 = BitConverter.ToSingle(matrix, 0), m12 = BitConverter.ToSingle(matrix, 16), m13 = BitConverter.ToSingle(matrix, 32), m14 = BitConverter.ToSingle(matrix, 48); 70 | float m21 = BitConverter.ToSingle(matrix, 4), m22 = BitConverter.ToSingle(matrix, 20), m23 = BitConverter.ToSingle(matrix, 36), m24 = BitConverter.ToSingle(matrix, 52); 71 | float m31 = BitConverter.ToSingle(matrix, 8), m32 = BitConverter.ToSingle(matrix, 24), m33 = BitConverter.ToSingle(matrix, 40), m34 = BitConverter.ToSingle(matrix, 56); 72 | float m41 = BitConverter.ToSingle(matrix, 12), m42 = BitConverter.ToSingle(matrix, 28), m43 = BitConverter.ToSingle(matrix, 44), m44 = BitConverter.ToSingle(matrix, 60); 73 | 74 | Vector4 clipCoords; 75 | clipCoords.X = origin.X * m11 + origin.Y * m21 + origin.Z * m31 + m41; 76 | clipCoords.Y = origin.X * m12 + origin.Y * m22 + origin.Z * m32 + m42; 77 | clipCoords.Z = origin.X * m13 + origin.Y * m23 + origin.Z * m33 + m43; 78 | clipCoords.W = origin.X * m14 + origin.Y * m24 + origin.Z * m34 + m44; 79 | 80 | var screen = new Vector2(0, 0); 81 | if (clipCoords.W < 0.1f) 82 | return null; 83 | 84 | Vector3 NDC; 85 | NDC.X = clipCoords.X / clipCoords.W; 86 | NDC.Y = clipCoords.Y / clipCoords.W; 87 | NDC.Z = clipCoords.Z / clipCoords.W; 88 | 89 | screen.X = (gameWindow.Width / 2 * NDC.X) + (NDC.X + gameWindow.Width / 2); 90 | screen.Y = -(gameWindow.Height / 2 * NDC.Y) + (NDC.Y + gameWindow.Height / 2); 91 | return screen; 92 | } 93 | 94 | public static List GetLines() 95 | { 96 | return lines; 97 | } 98 | 99 | static void UpdateLines(int processHandle, long viewMatrixAddress, Rect window, List players) 100 | { 101 | List playerList = players.Skip(1).Where(P => P.m_iTeamNum != players.First().m_iTeamNum).ToList(); 102 | var newLines = new List(); 103 | byte[] viewMatrix = new byte[64]; 104 | int bytesRead = 0; 105 | ReadProcessMemory(processHandle, viewMatrixAddress, viewMatrix, 64, ref bytesRead); 106 | foreach (var player in playerList) 107 | { 108 | Rectangle rect = new Rectangle() 109 | { 110 | X = window.Left, 111 | Y = window.Top, 112 | Height = window.Bottom - window.Top, 113 | Width = window.Right - window.Left 114 | }; 115 | 116 | List playerCorners = new List() 117 | { 118 | new Vector3(player.XPos - 16, player.YPos - 16, player.ZPos + 72), //upper corners 119 | new Vector3(player.XPos - 16, player.YPos + 16, player.ZPos + 72), 120 | new Vector3(player.XPos + 16, player.YPos + 16, player.ZPos + 72), 121 | new Vector3(player.XPos + 16, player.YPos - 16, player.ZPos + 72), 122 | new Vector3(player.XPos - 16, player.YPos - 16, player.ZPos), //bottom corners 123 | new Vector3(player.XPos - 16, player.YPos + 16, player.ZPos), 124 | new Vector3(player.XPos + 16, player.YPos + 16, player.ZPos), 125 | new Vector3(player.XPos + 16, player.YPos - 16, player.ZPos) 126 | }; 127 | 128 | List positions = new List(); 129 | positions = playerCorners.Select(C => WorldToScreen(viewMatrix, C, rect)).ToList(); 130 | 131 | if (!positions.Any(P => P == null)) 132 | { 133 | //top four 134 | for (int i = 0; i < 3; i++) 135 | { 136 | newLines.Add(new Line() 137 | { 138 | X1 = (int)positions[i].Value.X, 139 | Y1 = (int)positions[i].Value.Y, 140 | X2 = (int)positions[i+1].Value.X, 141 | Y2 = (int)positions[i+1].Value.Y 142 | }); 143 | } 144 | newLines.Add(new Line() 145 | { 146 | X1 = (int)positions[3].Value.X, 147 | Y1 = (int)positions[3].Value.Y, 148 | X2 = (int)positions[0].Value.X, 149 | Y2 = (int)positions[0].Value.Y 150 | }); 151 | 152 | 153 | //bottom four 154 | for (int i = 4; i < 7; i++) 155 | { 156 | newLines.Add(new Line() 157 | { 158 | X1 = (int)positions[i].Value.X, 159 | Y1 = (int)positions[i].Value.Y, 160 | X2 = (int)positions[i + 1].Value.X, 161 | Y2 = (int)positions[i + 1].Value.Y 162 | }); 163 | } 164 | newLines.Add(new Line() 165 | { 166 | X1 = (int)positions[7].Value.X, 167 | Y1 = (int)positions[7].Value.Y, 168 | X2 = (int)positions[4].Value.X, 169 | Y2 = (int)positions[4].Value.Y 170 | }); 171 | 172 | //connections 173 | for (int i = 0; i < 4; i++) 174 | { 175 | newLines.Add(new Line() 176 | { 177 | X1 = (int)positions[i].Value.X, 178 | Y1 = (int)positions[i].Value.Y, 179 | X2 = (int)positions[i + 4].Value.X, 180 | Y2 = (int)positions[i + 4].Value.Y 181 | }); 182 | } 183 | } 184 | } 185 | lines = newLines; 186 | } 187 | 188 | public static Player[] ReadPlayers(int processHandle, long EntitiesList, int playerCount) 189 | { 190 | Player[] players = new Player[playerCount]; 191 | for (int i = 0; i < playerCount + 1; i++) 192 | { 193 | long EntAdr = ReadPointer(processHandle, EntitiesList + 0x8 * i); 194 | if (EntAdr == 0) 195 | break; 196 | players[i] = ReadStruct(processHandle, EntAdr); 197 | } 198 | return players; 199 | } 200 | 201 | private static readonly int PROCESS_VM_READ = 0x0010; 202 | private static readonly int PROCESS_VM_WRITE = 0x0020; 203 | private static readonly int PROCESS_VM_OPERATION = 0x0008; 204 | private static readonly int playerArrayOffset = 0x14A2A48; 205 | private static readonly int pitchOffset = 0x1635694; 206 | private static readonly int yawOffset = pitchOffset + 0x4; 207 | private static readonly int viewMatrixOffset = 0x1627DD0; 208 | private static List lines = new List(); 209 | static void Main(string[] args) 210 | { 211 | bool espOn = true; 212 | bool aimbotOn = true; 213 | bool fullscreen = false; 214 | 215 | var wssv = new WebSocketServer(8081); 216 | 217 | wssv.AddWebSocketService("/esp"); 218 | wssv.Start(); 219 | 220 | string procName = "cs2"; 221 | Console.WriteLine("Starting"); 222 | var process = Process.GetProcessesByName(procName)[0]; 223 | var processHandle = (int)OpenProcess(PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION, false, process.Id); 224 | //var windowHandle = process.MainWindowHandle; 225 | 226 | Rect window = new Rect(); 227 | if (!fullscreen) 228 | //GetWindowRect(windowHandle, ref window); 229 | window = new Rect() { Top = 0, Left = 0, Bottom = 720, Right = 1280 }; 230 | else 231 | window = new Rect() { Top = 0, Left = 0, Bottom = 1080, Right = 1920 }; 232 | 233 | long clientDLL = GetModuleBaseAddress(process, "client.dll"); 234 | Console.WriteLine("client.dll: {0:X}", clientDLL); 235 | 236 | int playerCount = 30; 237 | float maxDistance = 2000f; 238 | while (!(Console.KeyAvailable && Console.ReadKey(true).Key == ConsoleKey.Escape)) 239 | { 240 | Player[] players = ReadPlayers(processHandle, clientDLL + playerArrayOffset, playerCount); 241 | if (espOn) 242 | UpdateLines(processHandle, clientDLL + viewMatrixOffset, window, 243 | players.Where(P => P.XPos != 0 || P.YPos != 0 || P.ZPos != 0).ToList()); 244 | if (aimbotOn) 245 | { 246 | Player localPlayer = players[0]; 247 | Player? closestEnemy = ClosestEnemy(players); 248 | if (closestEnemy != null) 249 | if (DistanceTo(localPlayer, (Player)closestEnemy) <= maxDistance) 250 | { 251 | Vector2 aimAngle = PlayersToAngle(processHandle, localPlayer, (Player)closestEnemy); 252 | WriteFloat(processHandle, clientDLL + pitchOffset, aimAngle.X); 253 | WriteFloat(processHandle, clientDLL + yawOffset, aimAngle.Y); 254 | } 255 | } 256 | Thread.Sleep(1); 257 | } 258 | CloseHandle(processHandle); 259 | wssv.Stop(); 260 | } 261 | } --------------------------------------------------------------------------------