C++: How do aim bots in FPS games work?
Disclaimer: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must do so under the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/1749597/
how do aim bots in fps games work?
Asked by user105033
I was curious if anyone had any experience/knowledge about aim bots in online FPS games such as Counter-Strike. I am curious and would like to learn more about how the cursor knows how to lock on to an opposing player. Obviously if I wanted to cheat I could go download some cheats, so this is more of a learning thing. What all is involved in it? Do they hook the user's mouse/keyboard in order to move the cursor to the correct location? How does the cheat application know where exactly to point the cursor? The cheat app must be able to access data within the game application; how is that accomplished?
EDIT: to sid's answer, how do people obtain those known memory locations to grab the data from? EDIT2: Let's say I find some values that I want at location 0xbbbbbbbb using a debug program or some other means. How do I now access and use the data stored at that location within the application, since I don't own that memory, the game does? Or do I now have access to it since I have injected into the process and can just copy the memory at that address using memcpy or something?
Anyone else have anything to add? Trying to learn as much about this as possible!
Answered by Ron Warholic
Somewhere in the game memory is the X, Y, and Z location of each player. The game needs to know this information so it knows where to render the player's model and so forth (although you can limit how much the game client can know by only sending it player information for players in view).
An aimbot can scan known memory locations for this information and read it out, giving it access to two positions--the player's and the enemy's. Subtracting the two positions (as vectors) gives the vector between the two, and it's simple from there to calculate the angle from the player's current look vector to the desired angle vector.
By sending input directly to the game (this is trivial) and fine-tuning with some constants you can get it to aim automatically pretty quickly. The hardest part of the process is nailing down where the positions are stored in memory and adjusting for any dynamic data structure moving players around on you (such as frustum culling).
Note that these are harder to write when address randomization is used, although not impossible.
Edit: If you're wondering how a program can access another program's memory, the typical way to do it is through DLL injection.
Edit: Since this is still getting some hits, there are more ways that aimbots work that are more popular now; namely overwriting (or patching in-place) the Direct3D or OpenGL DLL and examining the function calls to draw geometry and inserting your own geometry (for things like wall-hacks) or getting the positions of the models for an aimbot.
Answered by user105033
Interesting question - not exactly your answer, but I remember in the early days of Counter-Strike people used to replace their opengl32.dll with a botched one that would render polygons as transparent so they could see through the walls.
The hacks improved and got more annoying, and people got more creative. Now Valve/Steam seems to do a good job of removing them. Just a bit of warning if you're planning on playing with this stuff: Steam does scan for 'hacks' and if any are found, they'll ban you permanently.
Answered by Drew
A lot of "aim bots" aren't aim bots at all but trigger bots. They're background processes that wait until your reticle is actually over a target and fire automatically. This can be accomplished in a number of different ways, but a lot of games make it easy by displaying the name of someone whenever your target goes over them, or some other piece of data in memory that a trigger bot can pinpoint.
This way, you play by waving the mouse at your target, and as soon as you mouse over them it will trigger a shot without your having to actually fire yourself.
They still have to be able to pinpoint that sort of stuff in memory and have the same sort of issues that truer "aim bots" do.
Answered by Alan
Another method that has been used in the past is to reverse engineer the network packet formatting. A man-in-the-middle attack on the packet stream (which can be done on the same system the game runs on) can provide player positions and other useful related information. Forged packets can be sent to the server to move the player, shoot, or do all kinds of things depending on the game.
Answered by BullyWiiPlaza
Check out the tutorial series by Fleep here. His fully commented C# source code can be downloaded here.
In a nutshell:
Find your player's x y z coordinates, cursor x y coordinates as well as all enemies' x y z coordinates. Calculate the distance between you and the nearest enemy. You are now able to calculate the x y cursor coordinates needed in order to get auto aim.
Alternatively you can exclude enemies who are dead (health is 0), so in this case you also need to find the enemy's health address. Player-related data is usually close together in memory.
Again, check out the source code to see in detail how all of this works.
Answered by Callum
Edit: I know this is off-topic, sorry, but I thought this would help out the asker.
The thing the hacking industry hasn't tried out, but which I've been experimenting with, is socket hijacking. It may sound like a lot more than it actually is, but basically it uses the WinPcap drivers to hook into the process' Internet connections via TCP (sockets), without even going near the process' offsets.
Then you will simply have to learn the way the TCP signals are being transferred and store them in a hash table or a Multiplayer (Packet) class. Then, after retrieving the information, overlay the information over the window (not hooked): just transparent labels and 2D boxes over the screen of the windowed game.
I've been testing it on Call of Duty 4 and I have gotten the locations of 4 players via TCP, but also, as Ron Warholic has said: all of the hacking methods won't work if a game developer wrote a game server to only output the players when the current user should see the player.
And after cutting the transmission of that player's location (the X Y Z), the player will no longer be stored or rendered there, which stops the wallhack. And aimbots will in a way still work, but not efficiently. So anyway, if you are looking into making a wallhack, don't hook into the process; try to learn WinPcap and hook into the Internet signals. As for games, don't search for process listings for Internet transmissions. If you need an example that utilizes this, go search Rust Radar, which outputs the player's location on a map and also outputs other players around you; that data is being sent via Internet transmissions (TCP) and is not being hooked into the game.
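Ron Warholic's and Callum's answers both point at the same server-side mitigation: only send a client the positions of players it can actually see, so there is nothing in client memory or on the wire for an aimbot or wallhack to read. The sketch below is an added example of such a visibility filter, written for this page and not code from any of the answerers or from any game; the FOV, range, health check and the single flat wall used as an occluder are constructed assumptions.

```python
import math
from dataclasses import dataclass
@dataclass
class Player:
    pid: int
    pos: tuple    # world position (x, y, z)
    look: tuple   # facing direction (need not be unit length)
    health: int

def _dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def wall_between(a, b, wall_x=55.0):
    """Constructed stand-in for a real occlusion query: one wall on the plane x = wall_x."""
    return min(a[0], b[0]) < wall_x < max(a[0], b[0])

def is_visible(viewer, other, fov_deg=110.0, margin_deg=10.0, max_range=200.0, occluded=None):
    """Server-side decision: may `viewer` be told where `other` is? Dead, distant, behind-the-camera
    and occluded players are withheld, so their coordinates never reach client memory or the wire."""
    if other.health <= 0:
        return False
    d = tuple(o - v for o, v in zip(other.pos, viewer.pos))
    dist = math.sqrt(_dot(d, d))
    if dist == 0.0 or dist > max_range:
        return False
    # Cosine of the angle between the viewer's look vector and the direction to `other`.
    cos_angle = _dot(d, viewer.look) / (dist * math.sqrt(_dot(viewer.look, viewer.look)))
    # Half the FOV plus a margin, so a player just off-screen is sent before the viewer turns.
    if cos_angle < math.cos(math.radians(fov_deg / 2 + margin_deg)):
        return False
    if occluded is not None and occluded(viewer.pos, other.pos):
        return False
    return True

def build_snapshot(viewer, players, **kw):
    """The entries this client actually needs; everything else stays on the server."""
    return [(p.pid, p.pos) for p in players
            if p.pid != viewer.pid and is_visible(viewer, p, **kw)]

def demo_snapshot():
    """Constructed sample world: viewer at the origin looking down +x."""
    viewer = Player(0, (0.0, 0.0, 0.0), (1.0, 0.0, 0.0), 100)
    others = [
        Player(1, (50.0, 5.0, 0.0), (0.0, 1.0, 0.0), 100),   # in view -> sent
        Player(2, (-50.0, 0.0, 0.0), (0.0, 1.0, 0.0), 100),  # behind the viewer
        Player(3, (500.0, 0.0, 0.0), (0.0, 1.0, 0.0), 100),  # beyond max_range
        Player(4, (40.0, 0.0, 0.0), (0.0, 1.0, 0.0), 0),     # dead (health 0)
        Player(5, (60.0, 0.0, 0.0), (0.0, 1.0, 0.0), 100),   # behind the wall at x = 55
    ]
    return build_snapshot(viewer, [viewer] + others, occluded=wall_between)
```

Only player 1 survives the filter in the sample world; a real server would replace `wall_between` with its own occlusion query and tune the margin against its tick rate so players do not pop in when the camera turns.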