Building a Rust (Game) Aimbot: EAC Bypass and Memory Reading

Rust is one of the most punishing survival games out there, and its PvP combat is where cheats shine brightest. Built on the Unity engine with il2cpp compilation, Rust presents unique challenges and opportunities for cheat developers. In this guide, we'll cover everything you need to build a functional aimbot — from reverse engineering il2cpp structures to calculating aim angles with smooth, human-like movement. We'll also dive deep into Easy Anti-Cheat (EAC) evasion since Rust relies on it heavily.

Rust cheats are extremely popular on CheatBay because of the game's hardcore nature — losing hours of farming to a better-geared player drives enormous demand for aimbots, ESP, and recoil scripts. Let's build something worth selling.

Understanding Rust's Unity + il2cpp Architecture

Rust uses Unity engine, but unlike older Unity games that ship with Mono (.NET IL), Rust uses il2cpp — Unity's IL-to-C++ transpiler. This means:

• All C# game code is compiled to native C++ and shipped as GameAssembly.dll
• No easy .NET reflection or decompilation of the game DLL
• However, il2cpp generates metadata that maps native functions back to their C# signatures
• Tools exist to parse this metadata and reconstruct the class hierarchy

Key Files

• GameAssembly.dll — The compiled game code (your primary target)
• global-metadata.dat — Contains class names, method names, field offsets, and string literals
• UnityPlayer.dll — The Unity runtime engine

il2cpp Reverse Engineering Tools

• Il2CppDumper — Parses global-metadata.dat and GameAssembly.dll to produce a complete class dump with method signatures and field offsets.
• Il2CppInspector — More advanced, generates IDA scripts, C++ headers, and even DLL injection frameworks.
• Cpp2IL — Attempts to reconstruct C# source from the il2cpp output.

// Example Il2CppDumper output for Rust's BasePlayer:
// (simplified, real class has hundreds of fields)

// Namespace: (none)
class BasePlayer : BaseCombatEntity {
    // Fields
    PlayerModel playerModel;          // 0x598
    PlayerInput input;                // 0x5A0
    PlayerEyes eyes;                  // 0x5A8
    PlayerInventory inventory;        // 0x5B0
    PlayerBlueprints blueprints;      // 0x5B8
    float health;                     // 0x224 (inherited from BaseCombatEntity)

    // Methods (RVA = relative virtual address in GameAssembly.dll)
    void OnLand(float fVelocity);     // RVA: 0x8A4320
    bool IsAlive();                   // RVA: 0x8A5670
    bool IsSleeping();                // RVA: 0x8A5690
    Item GetActiveItem();             // RVA: 0x8A2140
}

Finding Game Objects in Memory

Unity uses a GameObjectManager (or tagged object system) to track all active objects. In il2cpp builds like Rust, you need to navigate the il2cpp runtime structures:

Method 1: il2cpp Class Iteration

// il2cpp exposes internal API functions that you can call from injected code:

// Get the domain (runtime context)
il2cpp_domain* domain = il2cpp_domain_get();

// Get assemblies
size_t assemblyCount;
const il2cpp_assembly** assemblies = il2cpp_domain_get_assemblies(domain, &assemblyCount);

// Find the assembly containing game classes (Assembly-CSharp)
for (size_t i = 0; i < assemblyCount; i++) {
    il2cpp_image* image = il2cpp_assembly_get_image(assemblies[i]);
    const char* name = il2cpp_image_get_name(image);

    if (strcmp(name, "Assembly-CSharp.dll") == 0) {
        // Find BasePlayer class
        il2cpp_class* basePlayerClass = il2cpp_class_from_name(
            image, "", "BasePlayer"
        );

        // Now find all instances using typed references
        // ...
    }
}

Method 2: BaseNetworkable.clientEntities (Rust-Specific)

Rust's networking system maintains a list of all networked entities through BaseNetworkable.clientEntities. This is the most reliable way to find all players:

// BaseNetworkable has a static field: EntityRealm clientEntities
// EntityRealm contains a ListDictionary which holds all entities

// Memory chain:
// GameAssembly.dll + BaseNetworkable_StaticFields -> clientEntities
// clientEntities -> entityList (ListDictionary)
// entityList -> vals (List<BaseNetworkable>)
// vals -> _items (BaseNetworkable[])
// vals -> _size (int, actual count)

// Pseudocode for entity iteration:
uintptr_t baseNetworkable_statics = GameAssembly + offsets::BaseNetworkable_StaticFields;
uintptr_t clientEntities = Read<uintptr_t>(baseNetworkable_statics + 0xB8);
uintptr_t entityList = Read<uintptr_t>(clientEntities + 0x28);
uintptr_t vals = Read<uintptr_t>(entityList + 0x18);
uintptr_t items = Read<uintptr_t>(vals + 0x10);  // C# array
int count = Read<int>(vals + 0x18);                 // _size

for (int i = 0; i < count; i++) {
    uintptr_t entity = Read<uintptr_t>(items + 0x20 + i * 0x8);
    if (!entity) continue;

    // Check if this is a BasePlayer
    uintptr_t classPtr = Read<uintptr_t>(entity);  // vtable / class info
    // Verify against BasePlayer class pointer
    // or check the entity's class name via il2cpp metadata
}

Camera and Local Player

For an aimbot, you need the local player's camera position and the ability to set aim angles:

// Finding the local player:
// LocalPlayer is typically stored in a static field
// LocalPlayer.Entity gives you the BasePlayer instance

// Camera access in Unity/Rust:
// MainCamera = Camera.main (static property)
// Or: LocalPlayer -> eyes -> HeadPosition() and BodyForward()

// The eyes component (PlayerEyes) contains:
// - position (Vector3) — eye position in world space
// - rotation (Quaternion) — current look direction
// - bodyRotation (Quaternion) — body orientation

// For external approach, read these directly:
uintptr_t localPlayer = GetLocalPlayer();
uintptr_t eyes = Read<uintptr_t>(localPlayer + offsets::BasePlayer_eyes);
Vector3 eyePos = Read<Vector3>(eyes + offsets::PlayerEyes_position);
Quaternion eyeRot = Read<Quaternion>(eyes + offsets::PlayerEyes_rotation);

// To get the view matrix for ESP world-to-screen:
// Unity stores it in Camera component
// Camera.main -> worldToCameraMatrix and projectionMatrix
// Combined = projectionMatrix * worldToCameraMatrix

Aim Angle Calculation

The core math of an aimbot — calculating the angles from your position to a target:

Basic Angle Calculation

struct AimAngles {
    float pitch; // Up/down (X rotation)
    float yaw;   // Left/right (Y rotation)
};

AimAngles CalcAimAngles(Vector3 source, Vector3 target) {
    Vector3 delta = target - source;

    float hypotenuse = sqrt(delta.x * delta.x + delta.z * delta.z);

    AimAngles angles;
    angles.pitch = -atan2(delta.y, hypotenuse) * (180.0f / M_PI);
    angles.yaw = atan2(delta.x, delta.z) * (180.0f / M_PI);

    return angles;
}

// Note: Rust uses Unity's coordinate system:
// X = right, Y = up, Z = forward
// Pitch: positive = looking down, negative = looking up
// Yaw: 0 = north (Z+), 90 = east (X+)

Target Selection: Nearest to Crosshair

BasePlayer* GetBestTarget(Vector3 localPos, AimAngles currentAngles, float maxFov) {
    BasePlayer* bestTarget = nullptr;
    float bestDelta = maxFov;

    for (auto& player : entityList) {
        if (!player->IsAlive()) continue;
        if (player == localPlayer) continue;
        if (player->IsTeammate()) continue;

        // Target the head bone for maximum damage
        Vector3 headPos = GetBonePosition(player, BoneIndex::Head);

        AimAngles targetAngles = CalcAimAngles(localPos, headPos);

        // Calculate angular distance from crosshair
        float deltaYaw = NormalizeAngle(targetAngles.yaw - currentAngles.yaw);
        float deltaPitch = NormalizeAngle(targetAngles.pitch - currentAngles.pitch);
        float totalDelta = sqrt(deltaYaw * deltaYaw + deltaPitch * deltaPitch);

        if (totalDelta < bestDelta) {
            bestDelta = totalDelta;
            bestTarget = player;
        }
    }

    return bestTarget;
}

Smooth Aim — Making It Look Human

Instant snapping to targets is the fastest way to get reported and banned. Smooth aim interpolates your crosshair toward the target over multiple frames:

AimAngles SmoothAim(AimAngles current, AimAngles target, float smoothFactor) {
    // smoothFactor: 1.0 = instant, higher = slower/smoother

    AimAngles result;
    result.yaw = current.yaw + NormalizeAngle(target.yaw - current.yaw) / smoothFactor;
    result.pitch = current.pitch + NormalizeAngle(target.pitch - current.pitch) / smoothFactor;

    return result;
}

// Advanced: Add randomization for more human-like movement
AimAngles HumanizedSmooth(AimAngles current, AimAngles target, float smoothFactor) {
    float distance = AngleDist(current, target);

    // Faster when far from target, slower when close (like human micro-adjustments)
    float dynamicSmooth = smoothFactor * (1.0f + (1.0f / (distance + 0.1f)));

    // Add slight randomness
    float randX = ((float)rand() / RAND_MAX - 0.5f) * 0.3f;
    float randY = ((float)rand() / RAND_MAX - 0.5f) * 0.3f;

    AimAngles result;
    result.yaw = current.yaw + NormalizeAngle(target.yaw - current.yaw) / dynamicSmooth + randX;
    result.pitch = current.pitch + NormalizeAngle(target.pitch - current.pitch) / dynamicSmooth + randY;

    return result;
}

Recoil Compensation (No-Recoil)

Rust has significant weapon recoil that follows learnable patterns. Compensating for recoil dramatically improves aimbot accuracy:

// Rust's recoil system:
// Each weapon has a RecoilProperties component
// It defines: recoilYawMin/Max, recoilPitchMin/Max
// Recoil is applied per-shot with some randomness

// Approach 1: Pattern-based compensation
// Record recoil patterns for each weapon and apply inverse movement

struct RecoilPattern {
    float pitchPerShot;  // Average pitch increase per bullet
    float yawPerShot;    // Average yaw drift per bullet
    int shotCount;       // Bullets fired in current spray
};

void CompensateRecoil(AimAngles& current, RecoilPattern& pattern) {
    current.pitch -= pattern.pitchPerShot;
    current.yaw -= pattern.yawPerShot;
    pattern.shotCount++;

    // Rust's recoil increases with sustained fire
    // Adjust compensation based on shot count
    if (pattern.shotCount > 5) {
        current.pitch -= pattern.pitchPerShot * 0.3f; // Extra compensation
    }
}

// Approach 2: Read the recoil state directly from memory
// BasePlayer -> input -> recoilAngles (applied recoil)
// Simply negate these values each frame
Vector2 recoilAngles = Read<Vector2>(localPlayer + offsets::recoilAngles);
WriteAimAngles(currentAngles.pitch - recoilAngles.x, currentAngles.yaw - recoilAngles.y);

Applying Aim: Internal vs External

Internal (DLL Injection)

// When injected, you can call game functions directly:
// Write to PlayerEyes rotation
// Or call ConVar methods to set input angles

// Example: Write angles directly
PlayerEyes* eyes = localPlayer->eyes;
Quaternion targetRot = EulerToQuaternion(aimAngles.pitch, aimAngles.yaw, 0);
Write<Quaternion>(eyes + offsets::rotation, targetRot);

// Or use the input system:
// LocalPlayer.input.state.current.aimAngles = targetAngles;

External (Memory Writing)

// From an external process, write the aim angles to the correct memory location:
// This requires finding the input state structure and writing to its aim angle field

// Caution: External writing of aim angles is more detectable because:
// 1. The angles change without corresponding mouse input
// 2. Anti-cheat can compare mouse delta vs angle delta
// 3. Writing to game memory from external process can be monitored

// Hybrid approach: Use a kernel driver for memory R/W
// This avoids user-mode API monitoring by EAC

Easy Anti-Cheat (EAC) in Rust

Rust uses EAC, which is one of the most common anti-cheats in gaming. Here's how it works and how developers approach evasion:

EAC Detection Methods

1. Module scanning: EAC walks the PEB module list and scans for unknown DLLs. It also scans memory pages that are executable but not backed by a known module (manually mapped code).
2. Integrity checks: EAC periodically hashes game code sections (GameAssembly.dll, UnityPlayer.dll) and compares against known-good hashes. Inline hooks modify code bytes and are detected.
3. Thread monitoring: New threads with start addresses outside known modules are suspicious. EAC can enumerate threads and check their context.
4. Heartbeat system: EAC sends encrypted challenges to the game client at regular intervals. The client must respond with integrity data. Missing or invalid responses lead to disconnection/ban.
5. Stack walking: When certain game functions are called, EAC checks the call stack to ensure it originates from legitimate game code, not injected code.
6. Memory R/W monitoring: EAC's kernel driver can hook NtReadVirtualMemory / NtWriteVirtualMemory to detect external tools targeting the game process.

Evasion Strategies for Rust

• Kernel-level memory access: Use a custom driver or BYOVD (Bring Your Own Vulnerable Driver) to read/write game memory from kernel mode. EAC's user-mode hooks can't intercept kernel calls.
• Manual mapping: If going internal, manually map your DLL (no LoadLibrary). Zero PE headers. Allocate memory as RW, write code, then change to RX. Don't use a single RWX allocation.
• Syscall stubs: Instead of calling NtReadVirtualMemory through ntdll.dll (where EAC hooks), use direct syscall instructions with the correct syscall number.
• Timing: Load your cheat BEFORE EAC initializes. EAC starts when the game launches, so loading during the splash screen or via a loader that patches the EAC initialization can give you a window.

Complete Aimbot Architecture

// Production aimbot structure for Rust:
//
// [Loader]
//   ├── License verification (contact auth server)
//   ├── Download latest offsets
//   ├── Load kernel driver (if external approach)
//   └── Inject/map cheat module
//
// [Cheat Core]
//   ├── Config System (saved per-weapon settings)
//   ├── Entity Manager (thread)
//   │   ├── Read BaseNetworkable.clientEntities
//   │   ├── Filter and categorize entities
//   │   └── Cache player data (position, health, weapon, team)
//   ├── Aimbot Module
//   │   ├── Target selection (nearest to crosshair)
//   │   ├── Bone selection (head, chest, random)
//   │   ├── Prediction (lead moving targets)
//   │   ├── Smooth aim (humanized)
//   │   ├── Recoil compensation
//   │   └── Triggerbot (auto-fire when on target)
//   ├── ESP Module
//   │   ├── Player boxes, names, health
//   │   ├── Item ESP (resources, airdrops)
//   │   └── Raid ESP (tool cupboards, sleepers)
//   └── Menu System (ImGui)
//       ├── Aimbot settings per weapon
//       ├── ESP toggles
//       └── Panic key (instant disable)

Bullet Drop and Travel Time Prediction

Rust has realistic bullet physics — bullets have travel time and drop. Without prediction, your aimbot will miss moving targets at range:

Vector3 PredictPosition(Vector3 targetPos, Vector3 targetVel,
                        Vector3 sourcePos, float bulletSpeed, float gravity) {
    float distance = (targetPos - sourcePos).Length();
    float travelTime = distance / bulletSpeed;

    // Iterative prediction (2 iterations is usually enough)
    for (int i = 0; i < 2; i++) {
        Vector3 predicted = targetPos + targetVel * travelTime;
        // Apply gravity drop to the predicted position
        predicted.y += 0.5f * gravity * travelTime * travelTime;

        distance = (predicted - sourcePos).Length();
        travelTime = distance / bulletSpeed;
    }

    Vector3 finalPos = targetPos + targetVel * travelTime;
    finalPos.y += 0.5f * gravity * travelTime * travelTime;

    return finalPos;
}

// Bullet speeds for common Rust weapons:
// AK-47: ~375 m/s
// LR-300: ~375 m/s
// Bolt Action: ~656 m/s
// L96: ~1125 m/s
// Eoka: ~100 m/s
// Gravity: -9.81 m/s²

Selling Your Rust Aimbot on CheatBay

Rust's competitive, high-stakes gameplay means aimbot demand never drops. Players who've invested hundreds of hours in a wipe will pay premium prices for a competitive edge. CheatBay is the ideal platform to sell your Rust cheat:

• Rust-specific category: Buyers browse by game — your listing shows up exactly where they're looking.
• Subscription billing: Charge daily, weekly, or monthly. CheatBay handles recurring payments automatically.
• Review system: Positive reviews from satisfied customers build your reputation and drive more sales.
• Crypto-only payments: Bitcoin and Lightning Network mean zero chargeback risk for you.
• No middleman fees at listing: You only pay a small commission on actual sales.

Bundle your aimbot with ESP and recoil control for a premium package. Rust players want the complete toolkit, and bundling increases your average order value significantly.