Helldivers 2 Cheats Architecture

System Architecture

The framework consists of three main components working together:

HD2_Dll - Injected C++ DLL with core cheat features
HD2_Overlay - Rust-based DirectX overlay for UI rendering
HD2_Anticheat_Bypass - Lua scripts for security bypass

Component 1: Injected DLL (C++)

Injection Architecture

The DLL is injected using a manual mapping technique that avoids LoadLibrary hooks. The injector:

Allocates memory in target process with executable permissions
Manually maps PE sections preserving relocations
Resolves imports through custom IAT reconstruction
Calls DllMain with DLL_PROCESS_ATTACH

Core Features

Once injected, the DLL hooks game functions to modify behavior:

// Feature categories
- Player: Infinite ammo, god mode, speed modifiers
- Weapons: No reload, instant fire, damage scaling
- Mission: Instant completion, difficulty modifiers
- Resources: Infinite stratagems, warping, samples
- Utility: No sway, no overheat, stealth options

Hook Implementation

Function hooking uses a combination of techniques:

MinHook for stable IAT hooking on known functions
Inline hooks (5-byte JMP) for performance-critical paths
VMT swapping for class method interception

The anti-cheat (GameMon) uses integrity checks on code sections. Hooks must be placed on non-integrity-protected memory or restored before scans complete.

Component 2: DirectX Overlay (Rust)

Why Rust for the Overlay?

The overlay is built in Rust using the windows crate:

Memory safety for long-running background processes
Zero-cost abstractions for minimal CPU overhead
Direct integration with Windows graphics APIs
Cross-process communication without unsafe code

Rendering Pipeline

The overlay renders on top of the game window:

1. Hook Present() via vtable swap on game's swapchain
2. Capture backbuffer before game renders UI
3. Render ImGui widgets to overlay buffer
4. Composite overlay onto final frame
5. Call original Present() with modified buffer

Inter-Process Communication

The overlay communicates with the injected DLL via shared memory:

Named shared memory segment mapped by both processes
Lock-free ring buffer for input commands
Atomic flags for feature toggles
Mutex-protected configuration block

Component 3: Anti-Cheat Bypass

GameMon Analysis

Helldivers 2 uses GameMon (GameGuard derivative) which:

Creates protected processes (GameMon.des, GameMon64.des)
Hooks system APIs to monitor process activity
Scans memory for known cheat signatures
Reports to server for ban decisions

Lua-Based Bypass

The bypass script runs within Cheat Engine's Lua environment:

Scan for unique AOB patterns in game process
Nop integrity check functions (8 bypass points)
Kill GameMon processes after hooks are installed
Reopen game handle with elevated permissions

-- Bypass pattern example
aobscanmodule(bypassP1,$process,48 83 EC 28 8D 81 17 ? ? ? 83)
bypassP1:
  db B8 01 00 00 00 C3 CC CC CC CC  -- mov eax, 1; ret

-- Kill monitors
os.execute('taskkill /F /IM "GameMon.des"')

Pattern Scanning System

AOB (Array of Bytes) Scanning

Game updates change memory layouts. Features use signature scanning:

Unique byte sequences identify function entry points
Wildcards (? ?) match variable bytes
Multiple patterns per feature for version resilience
Runtime re-scanning if initial pattern fails

Parsers Architecture

The Parsers directory contains assembly scripts for each feature:

Parsers/
├── ct_scripts/           -- Cheat Table scripts
│   ├── Infinite_Ammo.asm
│   ├── No_Reload.asm
│   ├── Speedhack.asm
│   └── ...
└── sigs/                 -- Binary signatures
    ├── player_sigs.txt
    ├── weapon_sigs.txt
    └── mission_sigs.txt

Feature Implementation Details

Infinite Ammo / No Reload

Two approaches depending on anti-cheat state:

Hook ammo decrement function to skip subtraction
Or freeze ammo values via memory write loop
Reload skip patches magazine check conditional

Speed Modification

Game speed is controlled by internal timer:

Hook QueryPerformanceCounter return value
Scale delta time by desired multiplier
Visual-only speed (animations) vs physics speed

Instant Mission Complete

Missions track objectives in a completion array:

Enumerate objective pointers from base structure
Set all completion flags to true
Trigger end-of-mission sequence

Technical Challenges

Update Resilience

Game updates break memory patterns. Mitigation:

Signature-based detection over hardcoded offsets
Version detection via executable hash
Automated pattern generation from disassembly

Detection Avoidance

Anti-cheat has multiple detection vectors:

Code section integrity checks → restore hooks temporarily
Process enumeration → inject after launch, hide from APIs
Memory scanning → obfuscate cheat code patterns
Timing analysis → randomize hook delays

What I Learned

This project taught me about the adversarial nature of anti-cheat systems. The cat-and-mouse game between cheat developers and anti-cheat engineers mirrors broader security concepts. Understanding how GameMon works improved my knowledge of Windows internals, driver development, and low-level debugging techniques.

Project Status

The framework is private and not distributed. It was built for personal education and understanding of game security. The techniques described here are for educational purposes only.