NanoHack

From BigPackets Game Hacking Wiki
NanoHack 2 Menu on GMod

NanoHack is a series of hacks for Source engine games, designed and written by NanoCat with some cooperation from third parties, most notably Leystryku. Several hacks in the series pioneered ideas not seen in earlier hacks.

History

Work on the first hack, then called simply nanohack.lua, started in late 2012, motivated by the limited features of existing Garry's Mod hacks. The hack went through several iterations, starting as a single Lua file run with lua_openscript_cl; sv_allowcslua and/or sv_cheats, which lua_openscript_cl requires, were set manually by external means. An autoloader for the hack, which avoided the use of Source's console, was eventually developed; it also provided the spread-computing functions used for spread compensation. The next iteration was an effort to port the hack completely to C++: the autoloader from the previous hack was taken as the base and the main logic was written in C++. Despite this, the hack still altered the Lua state, forwarding functions from C++ in order to establish hooks in Lua. No known copies of the source code remain.

NanoHack 1

First Barebones Version
NanoHack 1 ESP on GMod

In mid-2013, the interaction with Lua was removed entirely. The hack also gained a few new gimmicks, such as a fancy mouse menu, screenshot avoidance, a built-in music player using the BASS library, certain gamemode-specific features and a spectator list. The quality of the hack's source code was poor, with the whole hack crammed into just two files, although this cannot be confirmed, as all known copies of the source code were destroyed.

The hack was also ported to Counter-Strike: Source, Team Fortress 2 and Half-Life 2: Deathmatch, but no demos, screenshots or videos confirming these ports remain.

On 21 January 2014, a week after NanoHack was ported to Team Fortress 2, NanoCat received a VAC ban, which later turned out to have been caused by the injector used.

NanoHack 2

NanoHack 2 ESP on Team Fortress 2

Wrongly blamed for the ban, NanoHack was rewritten from scratch with major improvements in source code quality; it later acquired the name "NanoHack 2". NanoCat decided that it was important for the hack to work in the presence of anti-cheats such as SourceMod Anti-Cheat (SMAC) and to be easily portable between Source engine games. The hack acquired SMAC-evading versions of its aimbot, auto-bhop and seed-set spread and, eventually, the SMAC name stealer. It also worked in any Source engine game without recompilation, since it was a single multi-game DLL. Later, in a joint effort between Leystryku and NanoCat, the hack acquired spread compensation for Garry's Mod, and, through Willox's work, a smooth speedhack. The version number was bumped to 2.1.

Notable Features

  • Shake spread compensation that does not need to skip a bullet to work
  • SMAC namechanger bypass
  • SMAC aimbot detection bypass, done by smoothing the aimbot's angles. NanoCat used this method because his laptop commonly had FPS drops below 60, which broke the common method of resetting your angles to 0, 0, 0. On a decent PC, SMAC's aimbot detector can be bypassed simply by setting your angles to 0 while you are not shooting.
  • SMAC autopistol detection bypass
  • SMAC seed detection bypass
  • SMAC bunnyhop detection bypass
  • Engine prediction
  • Chat jammer: spams large numbers of newlines into chat so that other players cannot communicate through it, while filtering the spam out of your own chat so you can still read it.


Videos:

http://youtu.be/3g1IrPwvosI - first, barebones version

http://youtu.be/izXoK-E2xAo

http://youtu.be/liLeIZF4MiU - css autowall demo

http://youtu.be/xMWdwfPQxsQ - gmod shake nospread demo

http://youtu.be/F03KhcrAilA

http://youtu.be/CFlC4_HcEOY

http://youtu.be/JjUChDjp4pA - HVH in GMod

http://youtu.be/vv4O7BLw1uM

http://youtu.be/uWcdg2o4tbI

http://youtu.be/hD59_c_7Wag

http://youtu.be/FfWhC7xZS48

http://youtu.be/OWgZo-qmXWs

http://youtu.be/pgYyUgMiRHU

http://youtu.be/gJFNvyrPrwY

http://youtu.be/bCvgOG1y4-E

NanoHack 3

NanoHack 3 ESP on L4D2

As the impact of the hack's complexity became evident in increased maintenance difficulty and performance issues, it was time for a rewrite once again. Although never as user-friendly as NanoHack 2, NanoHack 3 addressed some of the performance and maintenance issues and, with the exception of its build system, was generally simplified, containing half as many lines of code as NanoHack 2. It had no user interface, although one was planned.

Notable Changes

  • Fixed prediction errors on the speedhack; this was not fully worked out, as recoil is apparently still broken.
  • A new, unique way to draw on screen: the hack hooks EngineVGui::Paint and draws during the call. This was found by styles.
  • The hack is compiled with GCC using special parameters, which brought its size down to 27 kilobytes without any further special measures.
  • The compile script builds a separate DLL for each game, unlike the single DLL for all games in the older hack, v2.1.
  • A custom compiler script with a custom preprocessor, which made it easier to implement the small JIT generator, kept NanoCat's SDK slim, made IDA signatures easy to use and compress, and did a lot of other things.
  • A small JIT generator for interfaces, which improves the performance of calls to engine interfaces: a virtual call such as IEngine::GetScreenSize() is turned into a simpler CALL [] instruction. The JIT information is pregenerated at compile time by the compile script.
  • A special format for signatures: the hack uses the format known as "IDA style", where bytes are written as hex and separated by spaces. In addition, a . (dot) placed before a byte makes the sig finder return the address of that byte instead of the start of the match.
  • Compilation/compression of signatures is performed by the preprocessor, which decreases the size of a sig, simplifies the sig finder and improves its runtime performance. A compiled sig consists of: one byte of offset (the position of the dotted byte, or 0 if the sig had no dot); 4 bytes of mask, written in little endian; then the known bytes of the sig. Instead of a string mask (e.g. "x????xxx"), NanoCat's sigs use a bit mask, which, besides minimising size, also determines the length of the sig. This does, however, limit a sig to 32 bytes.
  • Engine prediction no longer breaks when stepping into water in Left 4 Dead 2. Thanks to styles for this.
  • A well-optimised aimbot lookup algorithm
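
The signature format described in the two items above, as an added example in C that is not NanoCat's code: a compiler from the IDA-style text form into the offset/mask/known-bytes layout, and a finder that scans a buffer using the compiled form directly. The "?" wildcard syntax, the bit polarity of the mask (set bit = known byte), the 5-byte header size and the sample bytes are this example's assumptions, since the article does not spell them out.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <ctype.h>

#define SIG_MAX_LEN 32   /* a 32-bit mask caps a sig at 32 bytes */
#define SIG_HEADER  5    /* 1 byte offset + 4 bytes mask */

/* Compiled layout, as this example reads the description above:
 *   sig[0]     offset added to the match address (position of the "." byte, 0 if none)
 *   sig[1..4]  32-bit mask, little endian; bit i set = byte i of the sig is known
 *              (bit polarity is an assumption; the article only says the mask
 *              replaces the "x?" string and fixes the length)
 *   sig[5..]   the known bytes in order, popcount(mask) of them
 * Sig length is highest set bit + 1, so trailing wildcards are dropped. */

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Compile an IDA-style pattern such as "55 8B EC 83 EC ? 56 .8B 75 08".
 * "?" or "??" is a wildcard (assumed syntax); a "." before a byte marks the
 * byte whose address the finder returns. Returns the compiled size, or 0
 * for a malformed, empty or over-long pattern. */
size_t sig_compile(const char *pattern, uint8_t *sig, size_t cap) {
    uint32_t mask = 0;
    uint8_t known[SIG_MAX_LEN];
    size_t nknown = 0, pos = 0;
    int offset = -1;
    const char *p = pattern;

    while (*p) {
        while (*p == ' ') p++;
        if (!*p) break;
        if (pos >= SIG_MAX_LEN) return 0;           /* mask cannot describe byte 32 */
        if (*p == '.') {
            if (offset >= 0) return 0;              /* only one dot allowed */
            offset = (int)pos;
            p++;
        }
        if (*p == '?') {
            while (*p == '?') p++;                  /* wildcard: mask bit stays clear */
        } else {
            int hi = hexval((unsigned char)p[0]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)p[1]);
            if (lo < 0) return 0;
            known[nknown++] = (uint8_t)((hi << 4) | lo);
            mask |= 1u << pos;
            p += 2;
        }
        if (*p && *p != ' ') return 0;              /* token must end at a space */
        pos++;
    }
    if (mask == 0 || cap < SIG_HEADER + nknown) return 0;
    sig[0] = (uint8_t)(offset < 0 ? 0 : offset);
    sig[1] = (uint8_t)mask;
    sig[2] = (uint8_t)(mask >> 8);
    sig[3] = (uint8_t)(mask >> 16);
    sig[4] = (uint8_t)(mask >> 24);
    memcpy(sig + SIG_HEADER, known, nknown);
    return SIG_HEADER + nknown;
}

/* Scan [buf, buf + len) for a compiled sig. Walks the mask bit by bit, so
 * nothing is parsed at scan time. Returns match + offset, or NULL. */
const uint8_t *sig_find(const uint8_t *sig, const uint8_t *buf, size_t len) {
    uint32_t mask = (uint32_t)sig[1] | ((uint32_t)sig[2] << 8) |
                    ((uint32_t)sig[3] << 16) | ((uint32_t)sig[4] << 24);
    const uint8_t *known = sig + SIG_HEADER;
    size_t siglen = 0;
    for (uint32_t m = mask; m; m >>= 1) siglen++;  /* highest set bit + 1 */
    if (siglen == 0 || len < siglen) return NULL;
    for (size_t i = 0; i + siglen <= len; i++) {
        size_t j, k = 0;
        for (j = 0; j < siglen; j++)
            if ((mask & (1u << j)) && buf[i + j] != known[k++]) break;
        if (j == siglen) return buf + i + sig[0];
    }
    return NULL;
}

/* Compile and scan in one step; returns the index into buf, or -1. */
long sig_find_index(const char *pattern, const uint8_t *buf, size_t len) {
    uint8_t sig[SIG_HEADER + SIG_MAX_LEN];
    const uint8_t *hit;
    if (sig_compile(pattern, sig, sizeof sig) == 0) return -1;
    hit = sig_find(sig, buf, len);
    return hit ? (long)(hit - buf) : -1;
}

/* Constructed sample: two NOPs, a typical x86 prologue, ret, padding.
 * sig_find_index("55 8B EC 83 EC ? 56 .8B 75 08", SAMPLE, sizeof SAMPLE) == 9,
 * i.e. the address of the dotted 8B, not of the leading 55 at index 2. */
static const uint8_t SAMPLE[] = { 0x90, 0x90, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10,
                                  0x56, 0x8B, 0x75, 0x08, 0xC3, 0xCC, 0xCC };
```

For the pattern above the compiled form is 14 bytes (offset 7, mask 0x3DF as DF 03 00 00, then nine known bytes) against 20 for the byte array plus "xxxxx?xxxx" string mask, and the finder needs no per-byte string comparison. Note that a pattern ending in wildcards silently loses them, and that a sig longer than 32 bytes is rejected rather than truncated.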


Videos:

http://youtu.be/gPmfBLijMrM

http://youtu.be/xi_4UAxdOo8

http://youtu.be/IYHW1cTmZhw

http://youtu.be/XB9x3lNkwB4

http://youtu.be/zs5TCdsl_AY

Pioneered Features

SMAC name stealer

SMAC prevents clients whose names it considers invalid from playing.

Invalid names include, but are not limited to:

  • Zero-length names
  • Names that begin with '&'
  • Names that begin with a space
  • Names that end with a space
  • Names that contain characters from its blacklisted set

Name collisions in Source engine games are resolved by appending "(n)", where n is a positive integer, to the new name. To stop the game from resolving the collision while still staying clear of SMAC's name checks, letters from the English alphabet were swapped with similar-looking ones from the Cyrillic alphabet and vice versa. For example, the name "NanoCat" (\x4e\x61\x6e\x6f\x43\x61\x74) would become "NаnоСаt" (\x4e\xd0\xb0\x6e\xd0\xbe\xd0\xa1\xd0\xb0\x74) after being stolen: it renders identically but is a different byte string, so the engine sees no collision.
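
The substitution above, together with the two checks a server could run against it, as an added example in C that is not NanoHack's code. The confusable table beyond a, o and C, the mixed-script test and the skeleton comparison are this example's own assumptions about how the technique generalises and how it can be caught; SMAC's actual rules are not reproduced.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Latin letter -> look-alike Cyrillic letter as UTF-8. The table is this
 * example's own (assumption); the article only shows a, o and C swapped. */
typedef struct { char latin; const char cyr[3]; } glyph_t;

static const glyph_t TABLE[] = {
    {'a', "\xd0\xb0"}, {'c', "\xd1\x81"}, {'e', "\xd0\xb5"}, {'o', "\xd0\xbe"},
    {'p', "\xd1\x80"}, {'x', "\xd1\x85"}, {'y', "\xd1\x83"},
    {'A', "\xd0\x90"}, {'B', "\xd0\x92"}, {'C', "\xd0\xa1"}, {'E', "\xd0\x95"},
    {'H', "\xd0\x9d"}, {'K', "\xd0\x9a"}, {'M', "\xd0\x9c"}, {'O', "\xd0\x9e"},
    {'P', "\xd0\xa0"}, {'T', "\xd0\xa2"}, {'X', "\xd0\xa5"},
};
#define NTABLE (sizeof TABLE / sizeof TABLE[0])

/* Attacker side: rewrite a name so it renders like the victim's but compares
 * unequal byte for byte, so the engine never appends "(n)". Returns bytes
 * written (without the NUL), or 0 if out is too small. */
size_t homoglyph_name(const char *in, char *out, size_t cap) {
    size_t o = 0;
    for (const char *p = in; *p; p++) {
        const char *rep = NULL;
        for (size_t i = 0; i < NTABLE; i++)
            if (TABLE[i].latin == *p) { rep = TABLE[i].cyr; break; }
        size_t n = rep ? 2 : 1;
        if (o + n >= cap) return 0;
        if (rep) memcpy(out + o, rep, 2); else out[o] = *p;
        o += n;
    }
    out[o] = '\0';
    return o;
}

/* Defender check 1: a name that mixes ASCII letters with Cyrillic code
 * points (U+0400..U+04FF, UTF-8 lead bytes D0..D3) is almost never genuine. */
int name_mixes_scripts(const char *s) {
    int latin = 0, cyrillic = 0;
    for (const unsigned char *p = (const unsigned char *)s; *p; p++) {
        if ((*p >= 'A' && *p <= 'Z') || (*p >= 'a' && *p <= 'z')) latin = 1;
        else if (*p >= 0xD0 && *p <= 0xD3 && (p[1] & 0xC0) == 0x80) { cyrillic = 1; p++; }
    }
    return latin && cyrillic;
}

/* Defender check 2: fold confusables back to Latin. Resolving collisions on
 * this skeleton instead of the raw bytes makes "NаnоСаt" a duplicate of
 * "NanoCat" again. Returns the skeleton length, or -1 if out is too small. */
long name_skeleton(const char *in, char *out, size_t cap) {
    size_t o = 0;
    const unsigned char *p = (const unsigned char *)in;
    while (*p) {
        char folded = 0;
        for (size_t i = 0; i < NTABLE; i++)
            if (memcmp(p, TABLE[i].cyr, 2) == 0) { folded = TABLE[i].latin; break; }
        if (o + 1 >= cap) return -1;
        if (folded) { out[o++] = folded; p += 2; }
        else out[o++] = (char)*p++;
    }
    out[o] = '\0';
    return (long)o;
}

int names_collide(const char *a, const char *b) {
    char sa[128], sb[128];
    if (name_skeleton(a, sa, sizeof sa) < 0 || name_skeleton(b, sb, sizeof sb) < 0) return 0;
    return strcmp(sa, sb) == 0;
}

int main(void) {
    char stolen[64], skel[64];
    homoglyph_name("NanoCat", stolen, sizeof stolen);
    printf("stolen: %s (", stolen);
    for (const unsigned char *p = (const unsigned char *)stolen; *p; p++) printf("\\x%02x", *p);
    printf(")\nmixed scripts: %d\n", name_mixes_scripts(stolen));
    name_skeleton(stolen, skel, sizeof skel);
    printf("skeleton: %s, collides with NanoCat: %d\n", skel, names_collide(stolen, "NanoCat"));
    return 0;
}
```

The mixed-script test is cheap but has false positives for genuine bilingual names; the skeleton comparison is the more precise check, and the same folding can be applied before any blacklist lookup so that a Cyrillic look-alike cannot slip a blacklisted Latin character past the filter.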

Garry's Mod Spread Compensation

In a joint effort with Leystryku, NanoHack 2 acquired spread compensation for Garry's Mod, which is well known to be non-trivial. Note that the compensation does not lag one tick behind; instead it simulates the player and weapon one tick further than is otherwise needed, obtaining the bullet direction the weapon is about to apply. This led to a number of side effects, such as the weapon seemingly firing twice, the player's footstep sounds playing twice and other client-predicted events happening twice.

Legacy

On 29 December 2015, NanoHack 2 and 3 were released into the public domain.

Both hacks have been used as study material and/or base code by later game hackers and researchers.