A few months ago, I published an aimbot & ESP for shellshock.io on greasyfork.com. It gets around 150-400 installs per day and has 10k+ installs in total as of writing. In this post, I will be explaining how it was done. The post is split into 3 parts. The first part covers what an aimbot requires to work, the second the development of the aimbot, and the third the development of the ESP (or vision through walls). This post could be helpful for peeps wondering how cheats for web games are made. I would suggest looking through the code of the script while reading to better understand this post. You can find it here.
What are the things an aimbot requires to work? The positions of players in the game and a way to set the local player’s aim. How do you find these? You can look for them in the main JS file of the game. How do you find the JS file? View the source of the HTML page, search for `.js`, and use some basic logic.
Going further and looking into the `loadJS` function reveals that the game uses an XHR to fetch the JS file. This is useful for us. We can proxy XHR, inject our code into the fetched JS file and let the game run it.
This part of the script takes care of proxying `XMLHttpRequest` and injecting our needed code.
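Seen from the game developer's side, a proxied `XMLHttpRequest` leaves a trace, because wrapped members no longer print as native code. The check below is an added example, not part of the script this post describes; `isNativeFunction`, `findPatchedMembers` and `makeStandIn` are hypothetical names, and the stand-in prototype is constructed so the code also runs outside a browser.

```javascript
// Added example (not from the cheat script): flag built-ins that were wrapped.
// Keep our own reference to toString so a later reassignment does not affect us.
const nativeToString = Function.prototype.toString;
const NATIVE_BODY = /^\s*function\s*[^(]*\([^)]*\)\s*\{\s*\[native code\]\s*\}\s*$/;

// True when fn prints as engine-native code and is not a bound user function
// (bound functions also print as "[native code]", so they are excluded by name).
function isNativeFunction(fn) {
  if (typeof fn !== 'function') return false;
  try {
    if (String(fn.name).startsWith('bound ')) return false;
    return NATIVE_BODY.test(nativeToString.call(fn));
  } catch (e) {
    return false; // anything that cannot be inspected is treated as not native
  }
}

// Return the members of `owner` whose implementation is missing or not native.
// Accessors such as `response` are checked through their getter and setter.
function findPatchedMembers(owner, names) {
  const patched = [];
  for (const name of names) {
    const desc = Object.getOwnPropertyDescriptor(owner, name);
    if (!desc) { patched.push(name + ' (missing)'); continue; }
    const fns = 'value' in desc ? [desc.value] : [desc.get, desc.set].filter(Boolean);
    if (fns.length === 0 || !fns.every(isNativeFunction)) patched.push(name);
  }
  return patched;
}

// Constructed stand-in for XMLHttpRequest.prototype, built from real native
// functions, so the example also runs outside a browser.
function makeStandIn() {
  const proto = {};
  Object.defineProperty(proto, 'open', { value: Array.prototype.push, configurable: true });
  Object.defineProperty(proto, 'response', Object.getOwnPropertyDescriptor(Map.prototype, 'size'));
  return proto;
}

const inBrowser = typeof XMLHttpRequest === 'function';
const target = inBrowser ? XMLHttpRequest.prototype : makeStandIn();
const members = inBrowser ? ['open', 'send', 'response', 'responseText'] : ['open', 'response'];
console.log('non-native members:', findPatchedMembers(target, members));
```

Because this runs in the client, which the player controls, treat the result as a signal to report to the server and not as enforcement.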
Now that we have a way to modify the main game file, it’s time to find the two things our aimbot needs to work. How do I find the players list? It all comes down to reasoning and logic. How will anyone store players? Either as an object or an array. Shellshock stores it as an array. How do you find this array? You can look for =  in the beautified version of the JS file and use a little bit of guesswork to figure out which one could be the players list. In our case, the highlighted variable in the code below was the players list.
Note: You should never use the exact var name in your script cos var names change whenever the code is rebuilt (aka an update is pushed by the developers). You should use regular expressions to find the var names.
We can similarly find a way to set the aim of our local player by a little bit of reasoning and guesswork. We know that the aim changes when the mouse moves. In browser-based FPS games, the `movementX` and `movementY` properties of the `MouseEvent` object are used to change the aim when the cursor moves. Searching for `movementX`, we find this function that has a health check to determine if our local player is alive. This local player object also has yaw and pitch properties which we can alter to change the aim.
We now have access to everything our aimbot needs. Time to move on to next part!
Making it aim
This is pretty EZ to do. You just find the closest player to you, calculate its yaw and pitch from your local player, and then set the aim of your local player. There are also a few checks to prevent aiming at your teammates. Below is the code for finding the nearest player and aiming at it.
The interesting part here is the `Math.radAdd` function. It solves a major problem. Without it, some hits won’t be registered. It was an issue with my script for a long time. There were many complaints about it. The thing was that the game stores the yaw up to some fixed precision. `Math.radAdd` automatically reduces the precision to what the game expects, thus solving the issue.
Making the ESP
ESP is by far the simplest one. All you have to do is attach a box to the player models and tell the game engine to render it on top of everything. Shellshock.io uses Babylon.js for rendering, and Babylon provides a very easy-to-use interface for telling it which objects to render on top of everything.
The script also shows a line between your local player and the enemies. It is good for keeping an eye on eggies behind you. But I won’t be going over the creation of that. This post has been pretty big already. It’s also not that important in my opinion. If you are just starting out creating scripts for web games, I think this should’ve given you great insight into how things are done already. Thank you for reading! Keep scripting!