Special
GameBreaker

Cheats in Games: What They Are and How They Work

What a Cheat Actually Is, in Simple Terms

A cheat is a program or device that gives a player an unfair advantage in an online game. Seeing enemies through walls, automatically shooting at the head, flying through textures, moving twice as fast - all of this is the work of cheats.

Under the hood of any cheat lies one of two approaches: reading game memory (finding player coordinates, health, camera angles) or directly interfering with its operation - moving the cursor for the player, changing variable values, sending fake packets to the server.

Competitive shooters and MMOs suffer the most from cheaters: CS2, Valorant, Rust, Apex, PUBG, Escape from Tarkov, DayZ. Cheats also exist in single-player games, but there they're more like mods - and they don't bother anyone.

Next, in order: what cheats can actually do, how they're built internally, who fights them, and what risks users face.

Cheat Functionality - Feature Breakdown

Cheats have many names and abbreviations. Here are the most common ones found in forum descriptions or shops.

WH (Wallhack, ESP). Overlay boxes, health bars, and player names. Allows you to see enemies and loot through walls.

Aimbot. Automatically aims at the enemy's head or body. Quality cheats have smoothness adjustments and FOV settings - to look legitimate.

Triggerbot. Doesn't move the mouse, but automatically fires when the crosshair is already on the enemy.

Silent aim. You shoot wide, but the bullets hit the opponent. Visually nothing suspicious.

Radar. Mini-map with enemy positions. Mainly used by DMA users.

Chams. Highlights enemy models in bright plastic through walls. Better than ESP because the model itself is replaced - but more obvious (visible in videos, streams, screenshots, etc.).

Bunnyhop. Jumps in rhythm with the player to maintain maximum speed. Classic for Source games.

No recoil, no spread. Removes weapon recoil and bullet spread.

Speedhack. Increases game speed or player speed.

Fly and Noclip. Flight and walking through walls. Most useful in open worlds - Rust, DayZ.

Backtrack. Uses server lag compensation. You shoot where the enemy was 200 milliseconds ago, and it counts as a hit.

A single cheat usually combines several of these features at once. Next, we'll discuss the internal architecture: how a cheat physically connects to the game to do all this.

First Type: External - The External Cheat

An external cheat is a separate program, usually an EXE file, that runs alongside the game rather than inside it. It reads the game's memory from the outside using standard Windows capabilities.

How it works. The cheat calls OpenProcess to access the game process. Then it uses ReadProcessMemory to read player coordinates, health, and camera angles. On top, it draws its own transparent overlay window - displaying boxes and HP values. If an aimbot is needed, the mouse is moved via SetCursorPos or a virtual HID.

⚠️ This is the simplest explanation. In this pure form, the method leads to a ban in 99% of cases - you need workarounds and driver work.

Pros. Doesn't penetrate the game, so anti-cheat has a harder time detecting it with standard methods. Simpler to develop - and if something breaks, the game doesn't crash.

Cons. Slow: each memory read is a separate kernel call. Modern anti-cheat like EAC or Vanguard will simply cut off read permissions via kernel callback: your OpenProcess returns a handle, but without read capability. And that's it, the cheat is dead.

Also requires optimization - otherwise the ESP starts stuttering and lagging. Classic external cheat problems.

Second Type: Internal - The Internal Cheat

An internal cheat hides inside the game itself. A special injector program takes a DLL with cheat code and injects it into the game process. After that, the cheat code lives in shared memory with the game and works directly with it, without unnecessary Windows calls.

How DLLs are injected. The simplest way is CreateRemoteThread paired with LoadLibrary. A new thread is created in the game that loads the DLL itself. It works, but the DLL appears in the module list and is detected easily. More serious methods use manual mapping: the injector itself parses the DLL PE file, places its sections in memory, and resolves imports. From Windows' perspective, such a module is not officially loaded - it's not in the list.

What cheats can do internally. Hook functions in the game itself. For example, intercept DirectX's Present call and inject its own rendering - the ESP is rendered directly through the game engine, no external window needed. Or patch the game code bytes: disable recoil checks, spread, or even the ability to die.

Pros. Speed - no kernel switches when reading memory. Perfect synchronization with the game: aim-smoothing looks human-like because it moves in time with frames. Plus access to the engine's internal API - you can call functions like GetPlayerByIndex or TraceLine.

Cons. Injection is the most obvious action. Kernel anti-cheat sees any new module instantly. Even manual mapping is visible through internal memory accounting checks: an executable chunk of memory without a corresponding disk file is a clear sign of injection. Plus any error inside the cheat crashes the entire game.
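One way an anti-cheat can act on the "executable memory without a disk file" sign described above, as an added example that is not code from the article or from any anti-cheat product: a scan over memory-region records. The region records and module list are constructed stand-ins for what VirtualQueryEx and GetMappedFileName would report on Windows; the MEM_* and PAGE_* constants are the real Win32 values.

```python
"""Heuristic for spotting manually mapped code, as an anti-cheat would run it.

Added example, not code from the article. Region records stand in for what
VirtualQueryEx and GetMappedFileName would report on Windows (constructed
data); the MEM_* and PAGE_* values are the real Win32 constants.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000
# PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY
EXEC_PROTECTS = {0x10, 0x20, 0x40, 0x80}

@dataclass
class Region:
    base: int
    size: int
    protect: int
    region_type: int
    mapped_file: Optional[str]  # backing file, or None for anonymous memory

def find_orphan_code(regions: List[Region], modules: List[Tuple[str, int, int]]):
    """Executable, private, file-less regions outside every loaded module.

    modules: (name, base, size) as the loader's module list reports them.
    JIT engines and overlays also create such regions, so a hit is a lead
    for further checks (what code is there, who created it), not a verdict.
    """
    ranges = [(base, base + size) for _, base, size in modules]
    suspects = []
    for r in regions:
        if r.protect not in EXEC_PROTECTS:
            continue                      # not executable: heaps, stacks, data
        if r.region_type == MEM_IMAGE or r.mapped_file:
            continue                      # backed by a file on disk: loaded normally
        if any(lo <= r.base < hi for lo, hi in ranges):
            continue                      # inside a known module
        suspects.append(r)
    return suspects

# Constructed snapshot of a game process: two real modules, a heap, and one
# RWX private region with no backing file, the footprint of a manual map.
SAMPLE_MODULES = [("game.exe", 0x140000000, 0x2000000),
                  ("d3d11.dll", 0x7FF800000000, 0x400000)]
SAMPLE_REGIONS = [
    Region(0x140001000, 0x1000000, 0x20, MEM_IMAGE, "game.exe"),
    Region(0x7FF800001000, 0x300000, 0x20, MEM_IMAGE, "d3d11.dll"),
    Region(0x1A000000, 0x10000, 0x04, MEM_PRIVATE, None),        # heap, RW only
    Region(0x7FF6C0000000, 0x80000, 0x40, MEM_PRIVATE, None),    # RWX, no file
]
```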

Third Type: Kernel - Cheats That Work Through the Windows Core

Kernel is the operating system's core level. Everything that runs there has higher privileges than ordinary applications and is usually inaccessible for reading from user mode.

The idea of kernel cheats. Write not a program, but a Windows driver. The driver runs at the most privileged level and can access any process's memory, bypass user-mode anti-cheat checks, and hide itself.

The problem. To load a driver in Windows, you need a digital signature from Microsoft. You can buy it, but it's expensive, and any cheat with a known signature gets banned instantly.

Solution - BYOVD (Bring Your Own Vulnerable Driver). They take a legitimate signed driver (usually from Dell, ASUS, MSI, or some Intel utility) that has a known bug. Through this bug, the cheat gets the ability to read and write kernel memory without loading its own code.

How they get caught. Microsoft maintains a list of vulnerable drivers and distributes it through Windows Update. Vanguard goes further and maintains its own whitelist - any driver outside this list means the game simply won't launch. There's also PatchGuard: a Windows mechanism that periodically checks kernel integrity - if a cheat patches something there, the system gets a blue screen. On modern systems, there's HVCI, which requires all kernel code to be signed at the hypervisor level.

That's why kernel cheats are now the domain of private paid projects. A free kernel cheat is guaranteed to either be already dead or actually malware bundled in.

DMA and AI Vision

DMA. When a cheat is hardware

The pinnacle of cheating. Not a program, but a physical card. It sits in a PCIe slot, and a USB3 cable connects it to a second computer.

How it reads gaming PC memory. The card uses Direct Memory Access - a legitimate PCIe capability where a device can read and write a computer's working memory bypassing the processor and OS. On the card itself is an FPGA chip programmed with special firmware based on the open-source PCILeech project.

The gaming PC looks completely clean during this time: the game is untouched, no processes are open, no injections or hooks. All calculations (ESP, aim) are done by the second PC.

How to display and control:

Radar. Second monitor with a map scheme and enemy positions. You aim yourself, but know where everyone is.

Overlay. The image goes from the gaming PC via Fuser to the second PC, where enemy boxes are drawn on top of it.

Aimbot. The second PC calculates where to move the aim and sends commands via Kmbox / makcu / Arduino / ferrum, etc. These devices emulate a regular USB mouse for the gaming PC.

Why it's top tier. The gaming PC only sees a regular USB mouse, as if the player were moving it themselves. There's no cheat code on it. DMA is invisible to standard anti-cheat - and vice versa.

How they still get caught in 2026. Anti-cheats scan all PCIe devices and match their identifiers (Vendor ID, Device ID, config space) against a database of known hardware. DMA cards try to masquerade as something like "Realtek NIC", but can't fake all characteristics. On modern systems, there's IOMMU (Intel VT-d, AMD-Vi), which can block DMA from unknown devices.
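An added example (not the article's code or any vendor's database) of the device matching described above: comparing an enumerated PCIe device's config-space facts with a profile of the hardware it claims to be. The profile values and device records are constructed, apart from the well-known vendor/device IDs noted in the comments.

```python
"""PCIe device consistency check against known-hardware profiles.

Added example, not the article's or any anti-cheat's code. Records and profiles
are constructed: 0x10EC:0x8168 is the common Realtek RTL8168 ID and 0x10EE the
Xilinx vendor ID; BAR sizes and subsystem-vendor sets are illustrative only.
"""
from dataclasses import dataclass
from typing import FrozenSet, Tuple

@dataclass
class PciDevice:
    vendor_id: int
    device_id: int
    class_code: int               # base class / subclass / prog-if, 24 bits
    subsystem_vendor: int
    capabilities: FrozenSet[int]  # capability IDs walked from config space
    bar_sizes: Tuple[int, ...]    # sizes of the BARs the device exposes

# Profile of a genuine card with these IDs. Capability IDs: 0x01 power
# management, 0x05 MSI, 0x10 PCI Express. Class 0x020000 = Ethernet controller.
KNOWN_PROFILES = {
    (0x10EC, 0x8168): {
        "class_code": 0x020000,
        "subsystem_vendors": {0x10EC, 0x1043, 0x1462},
        "required_caps": {0x01, 0x05, 0x10},
        "bar_sizes": (0x100, 0x1000, 0x4000),
    },
}

def inconsistencies(dev: PciDevice):
    """Reasons this device does not look like what its vendor/device IDs claim."""
    profile = KNOWN_PROFILES.get((dev.vendor_id, dev.device_id))
    if profile is None:
        return ["vendor/device pair not in the database"]
    reasons = []
    if dev.class_code != profile["class_code"]:
        reasons.append("class code mismatch")
    if dev.subsystem_vendor not in profile["subsystem_vendors"]:
        reasons.append("unexpected subsystem vendor")
    missing = profile["required_caps"] - set(dev.capabilities)
    if missing:
        reasons.append("missing capabilities " + str(sorted(missing)))
    if dev.bar_sizes != profile["bar_sizes"]:
        reasons.append("BAR layout differs from the genuine card")
    return reasons

# Constructed samples: a genuine-looking NIC, and a card that only copied its IDs.
GENUINE_NIC = PciDevice(0x10EC, 0x8168, 0x020000, 0x1043,
                        frozenset({0x01, 0x05, 0x10, 0x11}), (0x100, 0x1000, 0x4000))
MASQUERADE = PciDevice(0x10EC, 0x8168, 0x020000, 0x10EE, frozenset({0x10}), (0x1000,))
```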

Price. Simple Chinese CaptainDMA - from $100, top options - from $300. Plus a second PC, Fuser, Makcu, firmware. A full setup usually costs $500-$2000.

AI Vision. When a cheat doesn't touch the game at all

A new and very problematic approach for anti-cheats: the cheat doesn't touch the game at all. It watches the screen the same way you do.

How it works. A screenshot tool captures a screen frame (or a separate capture card for PS5/Xbox consoles). The frame is passed through a YOLO neural network (or its analogues), trained to recognize player models in a specific game. The neural network outputs enemy coordinates in pixels, and the aimbot translates these pixels into mouse movement angles via Arduino/Makcu.

Why it's a headache for anti-cheats. The game is untouched, kernel anti-cheat sees nothing suspicious. It even works on consoles, where cheats were previously almost impossible. Detection is only through behavior: too fast reactions, perfect snaps, flawless shooting.
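As an added example of the behaviour-only detection described above, and of the server-side statistics layer the anti-cheat section mentions (not code from the article), here is a scorer over constructed kill events. The thresholds are assumed placeholders, not measured human limits.

```python
"""Server-side behaviour scoring for aim assistance that never touches the game.

Added example, not from the article. Events and thresholds are constructed
placeholders; a real system tunes them against population data.
"""
from statistics import median

# Per kill: ms from enemy visible to first shot, crosshair travel to the target
# in degrees, ms that travel took, and whether it was a headshot. Constructed.
EVENTS = {
    "human_player": [(310, 14.0, 220, False), (260, 9.5, 180, True),
                     (420, 22.0, 300, False), (350, 5.0, 90, True),
                     (290, 17.0, 240, False)],
    "suspect": [(95, 31.0, 18, True), (88, 12.0, 9, True), (102, 44.0, 22, True),
                (91, 8.0, 7, True), (99, 27.0, 15, True)],
}

# Assumed thresholds (placeholders, not measured values).
MIN_HUMAN_REACTION_MS = 150
MAX_HUMAN_SNAP_DEG_PER_S = 500
MAX_PLAUSIBLE_HEADSHOT_RATE = 0.8
MIN_SAMPLE = 5                      # don't judge on a handful of kills

def score_player(events):
    """Return (flags, metrics) for one player's kill events."""
    reactions = [e[0] for e in events]
    snap_speeds = [e[1] / (e[2] / 1000.0) for e in events if e[2] > 0]
    headshot_rate = sum(1 for e in events if e[3]) / len(events)
    metrics = {
        "median_reaction_ms": median(reactions),
        "median_snap_deg_s": median(snap_speeds),
        "headshot_rate": headshot_rate,
    }
    flags = []
    if len(events) < MIN_SAMPLE:
        return flags, metrics
    if metrics["median_reaction_ms"] < MIN_HUMAN_REACTION_MS:
        flags.append("superhuman reaction")
    if metrics["median_snap_deg_s"] > MAX_HUMAN_SNAP_DEG_PER_S:
        flags.append("instant snap onto target")
    if headshot_rate > MAX_PLAUSIBLE_HEADSHOT_RATE:
        flags.append("flawless headshots")
    return flags, metrics

def review_queue(all_events, min_flags=2):
    """Players tripping at least min_flags indicators: a lead for human review,
    not an automatic ban, since any single metric has too many honest outliers."""
    return sorted(p for p, ev in all_events.items()
                  if len(score_player(ev)[0]) >= min_flags)
```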

HWID Bans and Spoofers

When a player gets caught, they can be banned in different ways, from mild to severe:


Account ban. The easiest one. Make a new account - and play again.

IP ban. Also weak: a VPN for a couple bucks a month solves it.

HWID ban (Hardware ID). A unique fingerprint of your hardware: motherboard serial number, network card MAC address, drive serial numbers, GPU ID, BIOS UUID. The ban is tied to the computer itself, not the account. A new account won't help - the anti-cheat recognizes the same machine.


How HWID bans are bypassed. A program called a spoofer. Usually a kernel driver that intercepts system requests (WMI, SetupAPI) and returns fake serial numbers to the anti-cheat. Some spoofers modify the actual values in the registry and NVRAM.
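An added example (not from the article) of how a ban record built from several hardware identifiers can be matched so that faking only some of them is not enough; all identifiers and the salt are constructed placeholders.

```python
"""HWID ban matching that tolerates a partly spoofed fingerprint.

Added example, not from the article. Identifiers are constructed. The ban
record stores one salted hash per component, and a machine is treated as the
banned one when enough components still agree, so rewriting one or two
serials does not produce a "new" PC.
"""
import hashlib

COMPONENTS = ("board_serial", "mac", "disk_serial", "gpu_id", "bios_uuid")
SALT = "constructed-server-secret"   # placeholder; a real server keeps this private

def component_hashes(hwinfo):
    """Hash each identifier on its own so the record holds no raw serials."""
    return {c: hashlib.sha256(f"{SALT}:{c}:{hwinfo[c]}".encode()).hexdigest()
            for c in COMPONENTS}

def matches_ban(record, hwinfo, min_matches=3):
    """(matched?, list of components that agree with the ban record)."""
    current = component_hashes(hwinfo)
    hits = [c for c in COMPONENTS if record[c] == current[c]]
    return len(hits) >= min_matches, hits

BANNED_MACHINE = {
    "board_serial": "MB-CONSTRUCTED-0001", "mac": "00:11:22:33:44:55",
    "disk_serial": "WD-CONSTRUCTED-7", "gpu_id": "GPU-CONSTRUCTED-42",
    "bios_uuid": "BIOS-CONSTRUCTED-UUID",
}
BAN_RECORD = component_hashes(BANNED_MACHINE)

# Same machine after a spoofer rewrote the MAC and the disk serial.
SPOOFED = dict(BANNED_MACHINE, mac="AA:BB:CC:DD:EE:FF", disk_serial="SPOOF-1")
# A genuinely different PC that happens to report the same GPU identifier.
OTHER_PC = dict(BANNED_MACHINE, board_serial="MB-CONSTRUCTED-9999",
                mac="66:77:88:99:AA:BB", disk_serial="SAM-CONSTRUCTED-3",
                bios_uuid="BIOS-OTHER-UUID")
```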

Risks and Conclusion

Cheats aren't a free pleasure, even when the cheat itself is free. Here's what can happen:


Malware. Downloaded a free cheat from a no-name site - got a stealer bundled in. Theft of your Steam account, Discord tokens, browser cookies. You should always scan someone else's code for malware before running it.

HWID ban. It's not just the account that gets burned. Some games (EAC, BattlEye) ban by hardware - a new account won't help, only a spoofer will save you.

Rootkit risk. Kernel cheats and HWID spoofers require ring 0. A bad driver can crash the system.

Ban wave. Anti-cheats often accumulate detections and ban all at once - every 1-3 months. A single ban wave burns thousands of users of the same cheat. Naturally, nobody refunds the subscription cost.

Anti-Cheats. Who's on the Other Side

Cheats and anti-cheats are a constant arms race. An anti-cheat is a program that lives on your computer and monitors the game. It has three levels of protection:


Server-side. Looks at player statistics: too-perfect headshots, impossible movements, shooting through walls. Runs on servers. Examples: Steam's VAC, FairFight.

User-mode. A DLL that's injected into the game itself. Scans process memory, looks for suspicious modules, hooks the Windows API.

Kernel-mode. A driver (.sys file) in the Windows system folder. Catches process and thread creation and DLL loading, walks internal memory structures, enumerates PCIe devices looking for DMA cards. This is the top level.


Well-known kernel-level anti-cheats:


Vanguard by Riot (Valorant, League of Legends). Loads at Windows startup, before everything else. Requires TPM 2.0 and Secure Boot. The most aggressive one.

BattlEye. Rust, PUBG, ArmA. Loads together with the game.

Easy Anti-Cheat (EAC) by Epic Games. Fortnite, Apex Legends, Elden Ring. Also kernel-level.

Ricochet in Call of Duty, Hyperion in Roblox.


What anti-cheats do against each type of cheat:


External: cut off game memory read permissions via a kernel callback.

Internal: instantly spot any new DLL, catch manual mapping through memory analysis.

Kernel: a driver whitelist against BYOVD, PatchGuard, HVCI.

DMA: enumerating PCIe devices and checking them against a database of known hardware, IOMMU.

AI Vision: only through server-side statistics.


Vanguard is considered the strongest. Because of its TPM 2.0 and Secure Boot requirements, it also refuses to run the game on unprepared systems.