Overwatch Aimbot Creation Tutorial – Scripting

Instead of just sharing an aimbot, we decided to show you this Overwatch Aimbot Creation Tutorial. Using Cheat Engine, you are able to find the pointers and create your own aimbot. Of course you should make every effort to protect yourself, including by masking Cheat Engine, or better yet compiling your own (to make an undetectable version). What you learn in this tutorial may help you not only in Overwatch but also in other first-person shooters (CSGO, Player Unknowns, Battlefront 2, etc.).

At the bottom of this tutorial, we will share with you a few tools you can use to help mask your Cheat Engine to make it less detectable. Be sure you get a copy of each of the tools, and understand their usage before attempting this tutorial.

Overwatch Aimbot Creation Tutorial

For this particular example of the Overwatch Aimbot Creation Tutorial, we are going to be using a Korean version of the game. The tutorial itself will be in English and will help you to learn to make your own aimbot.

You will need Cheat Engine to attempt this yourself. Knowing Cheat Engine with more than a beginner's mindset is recommended. There are common phrases and abbreviations used, which will require more than a cursory knowledge of the hacking software.

Overwatch Aimbot Creation Tutorial - Principle

There are two ways I know of to handle floating-point numbers in assembly. In older 32-bit games, floating-point values were usually manipulated with the f-series instructions: fld, fadd, and fmul. This family of f instructions has been used in games for a long time.

Most recent CPUs support SSE. SSE is a set of instructions that operate on the xmm registers. SSE supports all the data types needed for arithmetic operations, such as float, double, and int, and allows a more complex computation to be done with a single instruction. It is also very convenient for three-dimensional vectors because it operates on their components in parallel. Overwatch handles floating-point numbers through SSE, so this Overwatch Aimbot Creation Tutorial shows how to use SSE properly. In other words, I will rework the previous ct (cheat table). It may seem a bit annoying, but it is easier to explain and keeps the script shorter. I'll take advantage of the SSE4.1 instruction set, which includes instructions that Cheat Engine does not recognize, such as DPPS.

Overwatch Aimbot Creation Tutorial - Coordinates 2 - VisibleHook patch method

Assuming you have already looked at MouseHook and SpeedUp, the last remaining hooking point is VisibleHook. In the previous tutorial, when I scanned for the result of the wall check, the opcode that came up was mov [rbx + 78], al. Let's look at the video below. Of course, among all the identical results, we only hook the place where we put the call.

Now let's take a look at this image and the portion that we found to hold the enemy number.

The instruction is mov rbx, [rsi + 60]. In the aimbot, the enemy number is used to pick, among many enemies, the one that requires the least mouse movement. Overwatch.exe + 113EC5B - inc [rsi + 60] is the code that increases the enemy number. Looking further down, you can also see that the code loops over the enemy number. If you are perceptive, you will get a sense of how to get the total number of enemies. It appears at Overwatch.exe + 113EC6B - cmp eax, [rsi + 50]. When the game is patched, review the opcodes to find out how to get the enemy number and modify the script.

This is the section that stores the enemy's coordinates and my own coordinates.

The script comments helpfully label these as enemy and me. At Overwatch.exe + 113EC29 - lea rcx, [rbp + 000000A0], both the enemy's and my coordinates are present. Therefore, the contents of [rbp + A0] (offset 0) are copied into the xmm0 register and the contents of [rbp + B0] (offset 10) into the xmm1 register. Once the game is patched, you can re-examine the opcodes and modify the script accordingly.

The rest of the VisibleHook script computes with the enemy number and coordinates obtained above and points the aiming point at the enemy. All of the cheat table patching methods have now been described. The next chapter will explain the principles of the aimbot.

Overwatch Aimbot Creation Tutorial - Coordinates 1 - SpeedUp patch method

There are two important ingredients in the Overwatch aimbot. First, you must be able to change the aim point to the desired direction. Second, and the subject of this section, you must find the enemy's position and your own in order to direct the aim point. There are a number of ways to debug enemy coordinates in FPS games. One of the easiest to think of is to assume that the enemy's position is somewhere in memory and scan repeatedly. You may need help from others. I called a friend and made a room, and my friend moved his character while I scanned. It is easy to think of, but hard to do in practice.

However, the method the Overwatch aimbot cheat table now uses to find the enemy's position and my position is different. It finds the wall-check function and uses the parameters of that function. The wall-check function takes two coordinates and map data as parameters and judges whether or not there is a wall between the coordinates. The two coordinates are usually your own and the enemy's, so you can hook here. Finding the wall-check function is very simple. Pick any enemy and scan for 1 when you can see the enemy and 0 when you cannot. Scanning like this finishes quickly. You can scan a bot at the training site. Below is the video.

The area to focus on is the instruction that writes the wall-check result into memory, because the wall-check function will be nearby. So let's focus on mov [rbx + 78], al. There are several results, all of which are the same. This is what Overwatch has recently done to stop aimbots, and it is its own attempt at subterfuge. Let's look at that later.

A little above mov [rbx + 78], al, you can see a call to Overwatch.exe + D2F340. This is the wall-check function, because its result comes back in eax when it returns. The wall-check function takes two coordinates as parameters, so just look at both rdx and rcx. When debugging, you can see that rdx is not related to coordinates and that rcx is the one we want. If you look at rcx, you can see three float values each at offset 0 and offset 0x10, which are the enemy's coordinates and your character's coordinates, in that order.

Now I've got all the important ingredients for my aimbot. What remains is to compute the direction vector from the two sets of coordinates obtained by hooking around the wall-check function and to normalize that vector to length 1. This can be done by students who have studied higher mathematics courses. However, manipulating floating-point numbers in assembly requires some background knowledge. This will be discussed at a later time.

Now, I'm going to talk about Blizzard's "subterfuge patch". Before the patch, mov [rbx + 78], al showed up only once when I traced the result of the wall check. Therefore, there was no problem when hooking. Now there are several identical mov [rbx + 78], al patterns, and the one in use changes periodically. I went to the parent function to take a quick look at what was happening.

Notice that call rax calls a function containing the wall-check function. Debugging shows that rax keeps changing periodically and that this is the effect of the subterfuge patch.

The bypass method is very simple. You can hook there and force the call to a single location. This is where I originally hooked to improve responsiveness. It is a security patch, but bypassing it costs nothing. If Blizzard employees are going to patch in subterfuge, they should at least look at how to use inline functions. Finally, let's look at the SpeedUp part of the ct. The code is simple.

At Overwatch.exe + 11368AA, the call rax part, rip is changed to SpeedUp. You can see that the script does not call rax but calls the desired location directly. Think for yourself about how the address was obtained. Looking at the code, it loops and makes the call many times, which increases the precision of the aimbot. In the early days there was no SpeedUp, and the aimbot was not smooth but jerky. If you want to see what effect this has, change the 10 in cmp [Count], 10 to 1. Finally, there is code to set rcx. The original code has add rcx, r14. When debugging, the rcx value is always 0. Therefore, when hooking, use mov rcx, r14. After the call, you must also use the mov statement again because the value of rcx changes. Once the game is patched, you should debug again, look at the opcodes, and change the SpeedUp script to set the call address and rcx appropriately.

Overwatch Aimbot Creation Tutorial - Aiming Point - MouseHook patch method

In Overwatch, you must be able to change your aim point to the direction of your enemy if you want to build an aimbot. Let's see how Overwatch handles the aiming direction and hack it. In Overwatch, the aiming direction is expressed as a direction vector of the kind learned in high school. However, the vector's length is normalized to 1 so that calculation is easy. More simply, it is called the Cartesian coordinate system.

In Overwatch it is easy to implement. This is because, in a game using a spherical coordinate system, a conversion between the Cartesian coordinate system and the spherical coordinate system is required to implement the aimbot. The Cartesian coordinate system is represented by three real numbers and the spherical coordinate system by two real numbers. Whatever the coordinate system is, the value changes in memory when the aim point is turned around. So, to find the address of this value, you can turn the mouse around and scan. Let's see the video.

We find three float values whose squares add up to 1. If you are curious, try it on a calculator yourself. Running a find on the address you found will give you several results.

I chose the most frequently called one as the hooking point. Let's take a closer look through the memory viewer.

At Overwatch.exe + 105BFE4 - movaps xmm0, [rdx + 00000D20], rdx + D20 is the address of the aim point vector. Since rdx is a parameter set by the parent function and nothing in this function changes rdx, the hooking location can be picked anywhere nearby. However, because the current Cheat Engine has a bug where the xmm registers are cleared when debugging, you must place the hooking point before the xmm registers are used. Therefore, the appropriate hooking point is the first part of the function, i.e., where the push rbx is located. Lastly, let's look at where the address of the aim point vector is stored in the current aimbot ct. Let's look at the MouseHook part of the ct.

At Overwatch.exe + 105bf90 - push rbx, rip is changed to MouseHook. The script then puts the address of the aim point vector in the [mouse] variable and returns to the original code. The [mouse] value is used to point to where the enemy actually is. Later on you will see how the value of [mouse] is handled. Finally, I will briefly explain the ct patch method. Once the game is patched, you can re-debug it, locate the opcode with Find, and change the MouseHook code so that the correct value goes into [mouse]. Of course, the hooking and return addresses should be set appropriately. Overwatch requires a bit of discretion because the opcodes change with each patch. As such, I search and patch manually myself.
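Seen from the anti-cheat side, the MouseHook patch above (and the SpeedUp patch at call rax) overwrites executable code bytes, so it can be found by comparing the loaded code with a pristine copy. The following C sketch is an added example, not part of the original tutorial or of any real anti-cheat; `compare_code`, `patch_report` and the sample byte sequences are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    size_t first_diff;  /* offset of first modified byte (len if none) */
    size_t diff_count;  /* number of modified bytes */
    int is_redirect;    /* 1 if the modified bytes begin with a jump/call */
} patch_report;

/* Common x86-64 control-transfer encodings written by inline hooks. */
static int looks_like_redirect(const uint8_t *p, size_t n)
{
    if (n >= 5 && (p[0] == 0xE9 || p[0] == 0xE8)) return 1;  /* jmp/call rel32 */
    if (n >= 6 && p[0] == 0xFF && p[1] == 0x25) return 1;    /* jmp [rip+disp32] */
    if (n >= 12 && p[0] == 0x48 && p[1] == 0xB8 &&
        p[10] == 0xFF && p[11] == 0xE0) return 1;            /* mov rax,imm64; jmp rax */
    return 0;
}

/* Compare loaded code with a pristine copy that has had the same
   relocations applied (otherwise relocated operands show up as diffs). */
patch_report compare_code(const uint8_t *pristine, const uint8_t *loaded, size_t len)
{
    patch_report r = { len, 0, 0 };
    for (size_t i = 0; i < len; i++) {
        if (pristine[i] == loaded[i]) continue;
        if (r.diff_count++ == 0) r.first_diff = i;
    }
    if (r.diff_count)
        r.is_redirect = looks_like_redirect(loaded + r.first_diff, len - r.first_diff);
    return r;
}

/* Constructed sample bytes, not taken from any real binary:
   push rbx; sub rsp,0x20; mov rbx,rcx; call rax; mov [rbx+0x78],al */
static const uint8_t PRISTINE[] = { 0x53, 0x48,0x83,0xEC,0x20, 0x48,0x8B,0xD9,
                                    0xFF,0xD0, 0x88,0x43,0x78 };
/* Same region with the first five bytes overwritten by jmp rel32. */
static const uint8_t HOOKED[]   = { 0xE9,0x11,0x22,0x33,0x44, 0x48,0x8B,0xD9,
                                    0xFF,0xD0, 0x88,0x43,0x78 };

int main(void)
{
    patch_report r = compare_code(PRISTINE, HOOKED, sizeof PRISTINE);
    printf("first_diff=%zu diff_count=%zu redirect=%d\n",
           r.first_diff, r.diff_count, r.is_redirect);
    return r.diff_count ? 1 : 0;
}
```

A redirect at offset 0 of a function is the signature of the prologue hook described in this section; a non-zero `diff_count` without a redirect still indicates tampering and is worth reporting separately.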

That's the end of the Overwatch Aimbot Creation Tutorial, as promised, here are a set of tools you can use to hide Cheat Engine from Blizzard...

For those interested, here is the Cheat Table from this Overwatch Aimbot Creation Tutorial. You will need to update all the offsets, before using it, and again we highly recommend using the above methods to mask Cheat Engine from Blizzard.

Overwatch Aimbot Cheat Table

Warning: As with all game hacks, bots, and cheat tables, it's a good idea not to show off, nor use it around other people who are playing. Don't even tell or show friends, otherwise a ban hammer could hit you.

Overwatch Aimbot Creation Tutorial translated from Korean by user Jub
