Cheat DetectionCriticalPublishedFull source obtained

Wizard bypass & external cheat — full source-tree reversal

Wizard External is a commercially sold FiveM (GTA V RP) external cheat whose compiled binary ships as Slate.exe. In July 2026 the entire source tree leaked as Wizard External (new).zip — 1.4 GB, SHA-256 881afff0…4ef74, 62 .cpp and 405 .h/.hpp files under a single Visual Studio 2022 solution (External.sln). This report is a line-cited reversal of that source. Every claim below points at the specific file, function, or literal constant in the leak.

CR
Clubhouse AC Research
July 9, 2026 18 min read

Executive summary

  • Compiled binary name is Slate.exe, hardcoded in the leaked .vcxproj FullPath attribute: C:\Users\AntiGang\Downloads\Wizard New ImGui\x64\Release\Slate.exe.
  • HWID formula is fully leaked: fnv1a_hex(MachineGuid + "|" + volume_serial(C:)) truncated to 20 hex characters. Server-side rebinding is enforced (HwidMismatch is a distinct auth result).
  • Auth backend is fivem.ovh with two live brand paths: current /goonen/ and legacy /tita/ — the operator rotates paths to churn detections but never changes the host.
  • All memory I/O uses ZwReadVirtualMemory and NtCreateThreadEx resolved via lazyimporter — bypasses user-mode hooks on ReadProcessMemory/CreateRemoteThread.
  • NVIDIA App masquerade goes further than mutex naming: writes GUID {497B8458-4244-4EE6-BFEA-F3D2BA294F21} value 0x24 under HKLM\SOFTWARE\NVIDIA Corporation\Global\NvApp\ShadowPlay\FTS — a distinctive registry footprint.
  • Overlay window uses undocumented CreateWindowInBand with ZBID_UIACCESS (band 2) to render above secure-desktop windows.
  • SilentAim hooks IsPlayerFreeAimingAtEntity with a 3-byte shellcode (B0 01 C3mov al, 1; ret) that unconditionally reports the local player as aiming at the target — 19 leaked ped-bone constants (SKEL_Head 0x796e, SKEL_Neck_1 0x9995, etc.) drive bone selection.
  • String obfuscation is aggressive: 624 distinct xorstr() call sites across the tree — every URL, error message, registry path, and window class name is XOR-encrypted at compile time.

Overview

Wizard External is an out-of-process cheat that reads and writes to the FiveM GTA V game process from a separate host process. The current build under analysis ships as the "Wizard New ImGui" revision, whose compiled artifact is Slate.exe — the innocuous name is deliberate misdirection; the product is marketed as Wizard.

Interesting code lives entirely under src/. The tree is organised into six top-level namespaces: Core::SDK (game structs + external memory access), Core::Features (Aimbot, SilentAim, Triggerbot, MagicBullets, ESP, cam, dynamicfov, Friends, NVIDIA, WizardVisuals, and the RP-exploits sub-namespace), Core::Threads (EntityList, LocalPlayerState, ScreenResolution, UpdateNames, UpdatePointers, VehicleList, Exploits2, GetConfig), Gui (Overlay + Pages/Combat, Exploits, Local, Login, plus the Dear ImGui tree), auth (WinHTTP KeyAuth-style login), and declar (math primitives).

The developer's Windows user handle, AntiGang, is baked into the .vcxproj FullPath of the release binary reference and into numerous .suo / .vs IntelliSense caches. This is our anchor for the WIZ002 build-tree IOC.

Sample metadata

Wizard External (new).zip — archive indicatorsIOC
Archive     Wizard External (new).zip
Size        1,362,806,272 bytes (1.4 GB)
SHA-256     881afff07f38cbe5e43d0fa9abb89c6c90f2bffb29f16a724aacff2cf374ef74

Solution    External.sln  (Visual Studio 2022)
Source      62  .cpp  |  405 .h/.hpp  |  Dear ImGui vendored
Vendored    xorstr, lazyimporter, DirectX SDK D3DX 9.29
Developer   AntiGang  (leaked in .vcxproj FullPath + .suo)
Compiled    Slate.exe  (x64 Release)
Build tree  C:\Users\AntiGang\Downloads\Wizard New ImGui\x64\Release\

Auth host   fivem.ovh
Brand paths /goonen/  (current)   /tita/  (legacy — same host)
Target      FiveM (GTA V)
            proc: FiveM_GTAProcess.exe / FiveM_GameProcess.exe
            build-numbered: FiveM_b\d{4}_GTAProcess.exe

The compiled release binary name Slate.exe is baked into External.vcxproj, DocumentLayout.json, and the Visual Studio solution file. Any downstream build produced from this tree will ship with the same name unless the operator explicitly renames the output — which they generally do not, as Slate.exe is already innocuous enough to blend in with legitimate products (Microsoft Yammer and Adobe Slate both ship a Slate.exe). This is why the name alone is not an IOC — it needs corroboration.

Auth infrastructure

Authentication is handled in a single file: src/Core/Features/auth.hpp — 1,120 lines of WinHTTP client code with every URL, key, and error string XOR-obfuscated. There are two brand paths on the same host and eight distinct endpoints. The current build points at /goonen/; the older /tita/ paths are commented but still resolve.

auth.hpp — endpoint table (verbatim from source)Source
// current brand path — /goonen/
API_URL                    = https://fivem.ovh/goonen/login-check-new-private.php
CONFIG_API_URL             = https://fivem.ovh/goonen/cloud_config.php
CHECK_INJECT_BYPASS_URL    = https://fivem.ovh/goonen/bypass.php
UPDATE_INGAME_NAME_URL     = https://fivem.ovh/goonen/update-ingame-name.php
WIZARD_NAMES_URL           = https://fivem.ovh/goonen/wizard-names.php
DISCORD_STATS_URL          = https://fivem.ovh/api/discord_stats.json

// legacy brand path — /tita/ — same host, commented out but reachable
API_URL (tita)             = https://fivem.ovh/tita/login-check-new-private.php
CONFIG_API_URL (tita)      = https://fivem.ovh/tita/cloud_config.php
CHECK_INJECT_BYPASS_URL    = https://fivem.ovh/tita/bypass.php

All requests are HTTPS POST with a JSON body sent over WinHTTP (winhttp.lib) — no TLS pinning, no custom CA validation, so an MITM proxy with a trusted root CA installed (mitmproxy, Fiddler with root cert) transparently intercepts every call. The client parses responses with a hand-rolled JSON scanner (no nlohmann/json).

Two client-side back-off timers exist in the same namespace: g_rate_limit_until + g_rate_limit_penalty_ms (per-account throttle), and g_service_pair_block_until + g_service_pair_verified_until (host/pair block). Both are unsigned 64-bit tick counters and reset in memory only — a process restart clears the throttle, meaning the server carries the authoritative state.

The response schema populates an AccountProfilestruct:

struct AccountProfile {
  std::string user_name;
  std::string ingame_name;
  std::string expiredate;         // human string
  std::string expires_at;         // ISO 8601
  std::string discord_id;         // Discord snowflake
  std::string discord_display_name;
  std::string discord_avatar_url;
  bool        admin = false;
  bool        staff = false;
};

enum class Result {
  Ok,           // license valid, HWID auto-bound this session
  OkBound,      // license valid, HWID was already bound
  Invalid,      // wrong key / user
  HwidMismatch, // server has a different HWID on file
  Network,      // WinHTTP send / receive failure
  BadResponse,  // JSON parse failure or unknown error code
  Expired,      // subscription past expires_at
};

HWID formula (leaked)

The HWID is computed client-side and sent as the hwid field of every POST body. The exact formula is trivially reproducible:

auth.hpp:188 — get_hwid()Source
static std::string get_hwid() {
  std::string a = trim(get_machine_guid());   // HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid
  std::string b = trim(get_volume_serial()); // GetVolumeInformationW(L"C:\") → 8 hex upper
  std::string mix = a + "|" + b;
  if (mix.empty()) mix = "fallback";
  std::string h = fnv1a_hex(mix);            // 64-bit FNV-1a, hex-encoded
  if (h.size() > 20) h.resize(20);           // truncate to 20 chars
  return h;
}

Practical detection implication. Because the HWID is a fixed function of a machine's MachineGuid + C:\ volume serial, and never depends on any per-session salt, a server can fingerprint a user across every product on the same infra with a single hash lookup. This is how /tita/ and /goonen/ can share a ban list without any brand correlation on the client side.

For defenders. If you obtain a known-Wizard-user account HWID (via a leaked database, a subject's screenshot, or their own admission), you can recompute fnv1a_hex(machine_guid | vol_serial)[:20] on any suspect PC and match with zero false positives — the collision space is 280.

JSON API surface

Every endpoint takes the same base shape: a POST with {"hwid": "<20 hex chars>", ...} body. The server returns JSON with a top-level result code and optional payload.

Endpoint → purpose (from auth.hpp call sites)API
login-check-new-private.php   Primary auth. Returns AccountProfile + result:
                              Ok / OkBound / Invalid / HwidMismatch / Expired
                              Server binds first-seen HWID → subsequent Result::OkBound.

bypass.php                    Injection-status oracle. Client posts
                              {"hwid":..., "action":"load"} and reads a token
                              gating whether Slate.exe will start hooking. Called
                              by probe_bypass_endpoint() before every scan.

cloud_config.php              User-scoped feature-flag / settings JSON. Client
                              posts {"hwid":..., "action":"load"}. Response
                              is the per-account cheat config (enabled features,
                              bones enabled, aim smoothing, ESP colors).

update-ingame-name.php        Reports the RP character name in the running FiveM
                              server back to the operator (server-side scoreboard
                              of Wizard users by in-game identity).

wizard-names.php              Pull the list of other Wizard users' in-game names,
                              used by WizardVisuals to draw a per-user badge/logo
                              above teammates in-game (LoadWizardIngameNames symbol,
                              our WIZ002 IOC).

/api/discord_stats.json       Public health/stat JSON. No hwid required.
                              Used by the login screen to show a "live users" count.

SilentAim engine

SilentAim is implemented in src/Core/Features/SilentAim.cpp. The core trick is a 3-byte shellcode written into a code cave in the FiveM process:

SilentAim.cpp:37–60 — IsPlayerFreeAimingAtEntity hookSource
std::vector<uint8_t> shellcode = {
    0xB0, 0x01,    // mov al, 1
    0xC3           // ret
};

uintptr_t shellcodeAddr = Mem.CreateCodeCave(shellcode.size());
Mem.WriteBytes(shellcodeAddr, shellcode);
// Function-pointer patch redirects the game's aim-validation call
// to the code cave — SilentAim now reports "yes, aiming at target"
// unconditionally, and the game's shooting logic obliges.

Bone selection is driven by a full leaked map of GTA V ped skeleton IDs:

SilentAim.cpp:17–34 — skeleton bone constantsSource
SKEL_Pelvis      0x2e28   SKEL_Spine1     0x60f0
SKEL_L_Thigh     0xe39f   SKEL_Spine2     0x60f1
SKEL_L_Calf      0xf9bb   SKEL_Spine3     0x60f2
SKEL_L_Foot      0x3779   SKEL_L_UpperArm 0xb1c5
SKEL_R_Thigh     0xca72   SKEL_L_Forearm  0xeeeb
SKEL_R_Calf      0x9000   SKEL_L_Hand     0x49d9
SKEL_R_Foot      0xcc4d   SKEL_R_UpperArm 0x9d4d
SKEL_R_Forearm   0x6e5c   SKEL_R_Hand     0xdead
SKEL_Neck_1      0x9995   SKEL_Head       0x796e

Note the joke — SKEL_R_Hand = 0xdead — is the developer's own literal, not a bug on our side.

MagicBullets AOB patch

MagicBullets is a bullet-redirect feature (bullets travel to a picked target regardless of where the player aims). It relies on an AOB scan for a specific instruction sequence in gta5.exe:

Offsets.hpp — m_MagicBulletsPatch signatureSource
m_MagicBulletsPatch =
  0F 29 4F ?? 83 8F ?? ?? ?? ?? ?? 48 8B 4F

// Toggle is gated on foreground-window check to avoid triggering
// while alt-tabbed — see MagicBullets.cpp:IsSilentAimActive2().
if (ActiveWindow != g_Variables.g_hGameWindow) return false;

The Offsets.hpp file contains ~30 similar AOB signatures for classes and functions the cheat needs (m_World, m_ReplayInterFace, m_ViewPort, m_BlipList, m_CamGameplayDirector, m_LocalPlayer, m_SilentAim, m_InfiniteAmmo0/1, m_ArmsKinematics, m_LegsKinematics, m_InfiniteCombatRoll, m_GiveWeapon, and 15 more). These are patchday-current — each build revs them when a FiveM/GTA update ships.

External memory I/O (syscall-level)

src/Core/SDK/Memory.cppdeliberately avoids the ordinary Windows API calls that a user-mode anti-cheat would hook. Instead it resolves NT syscall wrappers through the vendored lazyimporter library and calls them directly:

Memory.cpp — NT syscall usageSource
// Reads use ZwReadVirtualMemory (aka NtReadVirtualMemory) — the raw
// syscall wrapper, resolved by lazyimporter at first use. Anti-cheats
// that hook ReadProcessMemory in kernel32 see nothing.
if (!ZwReadVirtualMemory(Mem.ProcHandle, addr, &buf, size, &read))
    break;

// Remote thread creation uses NtCreateThreadEx directly — sidesteps
// CreateRemoteThread hooks and, on Windows, sidesteps CreateRemoteThreadEx
// too.
typedef NTSTATUS(WINAPI* pNtCreateThreadEx)(...);

Pattern-scan / offset-resolve is done externally: the cheat scans the FiveM process address space for each AOB signature from Offsets.hpp, resolves RIP-relative operands (ResolveRelativeAddress), and stores the resolved pointers into the g_Offsets singleton. A background thread (Threads/UpdatePointers.hpp) re-scans on demand when the pointer set goes stale.

CreateWindowInBand overlay (ZBID_UIACCESS)

The in-game menu is drawn by an ImGui overlay in a separate top-level window that layers over the FiveM game window. Two rendering paths exist; the interesting one is gated on a compile-time FULLSCREEN_EX flag:

Overlay.cpp — undocumented CreateWindowInBand pathSource
#ifdef FULLSCREEN_EX
    CoInitializeEx(NULL, COINIT_APARTMENTTHREADED | COINIT_DISABLE_OLE1DDE);
    CreateWindowInBand pCreateWindowInBand =
        reinterpret_cast<CreateWindowInBand>(GetProcAddress(
            LoadLibraryA("user32.dll"), "CreateWindowInBand"));
    PrepareForUIAccess();

    g_hCheatWindow = pCreateWindowInBand(
        WS_EX_TOPMOST | WS_EX_TRANSPARENT | WS_EX_NOACTIVATE,
        RegClass, L" ", WS_POPUP, x, y, w, h,
        NULL, NULL, wc.hInstance, NULL,
        2 /* ZBID_UIACCESS */);
#else
    g_hCheatWindow = CreateWindowExW(
        WS_EX_TOPMOST | WS_EX_LAYERED | WS_EX_TOOLWINDOW | WS_EX_TRANSPARENT,
        wc.lpszClassName, L" ", WS_POPUP, x, y, w, h, NULL, NULL,
        wc.hInstance, NULL);
#endif

CreateWindowInBand is an undocumented user32 export. ZBID_UIACCESS (band 2) is normally reserved for windows whose owning process has a UIAccess manifest and holds a UIAccess token — the same band as the on-screen keyboard and Narrator. Getting into it requires PrepareForUIAccess and the correct manifest, but once granted, the overlay renders above the secure desktop and above any normal user process — including screen-capture overlays. A commented-out line (SetWindowDisplayAffinity(hCheat, WDA_EXCLUDEFROMCAPTURE)) shows the developer previously tried an anti-screenshot mode too.

A low-level keyboard hook (WH_KEYBOARD_LL) intercepts all key events and PostMessages them to g_hCheatWindow — this lets the menu open on key press without needing input focus.

NVIDIA App masquerade (registry hijack)

The renderer disguises itself as an NVIDIA App component. The masquerade is layered:

  • Mutex name: Global\NvApp — the same mutex the real NVIDIA App uses. A Wizard instance and a genuine NVIDIA App cannot both run at once, but a casual observer scanning mutex names sees nothing suspicious.
  • Window class name: MirrorWindowClass, registered in Threads/ScreenResolution.hpp:122. This is a legitimate NVIDIA internal window class used by their overlay compositor.
  • Registry key hijack (the real detection signal). From Core/Features/NVIDIA/NVIDIA.hpp:22:
NVIDIA.hpp — registry hijack constantsSource
REG_PATH     = HKLM\SOFTWARE\NVIDIA Corporation\Global\NvApp\ShadowPlay\FTS
VALUE_NAME   = {497B8458-4244-4EE6-BFEA-F3D2BA294F21}   // GUID (wide string)
VALUE_DATA   = 0x00000024   // DWORD
NV_PROCESS   = nvcontainer.exe   // watched for lifecycle

// A background thread (m_watchThread) monitors nvcontainer.exe.
// When it exits, EmergencyCleanup() removes the value.

Why this GUID is a perfect IOC. The value name is a hardcoded GUID inside the cheat. It has no meaning in NVIDIA's own software — searching the NVIDIA App binaries and ShadowPlay for this GUID returns zero hits. Any presence of HKLM\SOFTWARE\NVIDIA Corporation\Global\NvApp\ShadowPlay\FTS\{497B8458-4244-4EE6-BFEA-F3D2BA294F21} = 0x24 is Wizard. We will add this as a follow-up WIZ004 registry IOC once the v2 scanner's registry collector lands.

Anti-analysis blocklist

Wizard maintains a static process-name blocklist and refuses to run when any is present. Interestingly this list is itself a defensive fingerprint — any binary that enumerates this same set is highly suspect:

Wizard anti-analysis blocklist (source-verbatim, deduped)Source
Fiddler.exe                                Fiddler_x64.exe / _x86.exe
Fiddler Everywhere.exe                     Fiddler Classic
HTTPDebuggerSvc.exe                        HTTPDebuggerSvc_x64.exe
HTTPDebuggerUI.exe                         HTTPDebuggerUI_x64.exe
HTTP Debugger Windows Service (32 bit).exe
HxD.exe / HxD32.exe / HxD32_x86.exe        HxD64.exe / HxD64_x64.exe
HxD_x64.exe / HxD_x86.exe
Cheat Engine.exe                           Cheat Engine_x64.exe / _x86.exe
KsDumper.exe
FolderChangesView.exe                      FolderChangesView_x64.exe / _x86.exe
AnyDesk.exe                                AnyDesk_x64.exe / _x86.exe
Also referenced (regex-matched):
    FiveM_b\d{4}_GTAProcess\.exe          FiveM_b\d{4}_GameProcess\.exe

Why it matters for SS checks. The cheat refuses to run while any of these tools are open. Users tend to close them right before starting a session — the resulting close-then-launch sequence in the USN Journal (or Amcache / Prefetch) is itself a screenshare signal, even after the cheat has cleaned up.

String obfuscation (xorstr)

Every URL, error message, registry path, window class name, and Windows API name in the source is wrapped in xorstr() or xorstr_() — a header-only compile-time XOR obfuscator vendored under security/xorstr.hpp. In the leaked tree the wrapper appears at 624 call sites. What this means for defenders:

  • Static string search against Slate.exe for "fivem.ovh", "MirrorWindowClass", "NvApp", etc. will NOT match — every constant is XOR-encrypted with a per-string key resolved on first use, then re-encrypted (see crypt_get() in xorstr_).
  • Strings surface briefly in the heap while a call executes. A runtime memory scan of the live Slate.exe process will find them — this is the intended IOC surface for WIZ001 in the v2 engine (which loops STRING_IOCS over collected memory windows).
  • The lazyimporter library additionally hides Windows API resolution — imports don't appear in the PE Import Directory. Import-based IOCs will not fire.

The presence of xorstr plus lazyimporter without a legitimate reason (game modding, DRM tooling, or a CTF binary — all rare on a FiveM-user PC) is itself a behavioural indicator on top of the string / registry / mutex hits.

Screenshare check guide

A systematic screenshare (SS) investigation for Wizard External / Slate.exe. Every step below is sourced from concrete artifacts in the leaked tree — no memory-dump speculation.

1

Journal Trace on drive C: for build artifacts

  • Run a Journal Trace on drive C: with the term Wizard New ImGui. The exact directory name is baked into the developer's build output — anyone who unzipped the leaked source has this path in their USN Journal.
  • Search for Slate.exe, but do not treat a bare hit as conclusive (Microsoft Yammer, Adobe Slate both ship Slate.exe). Corroborate with any of steps 2–8.
2

DNS cache & browser history

  • Run ipconfig /displaydns | findstr /I fivem.ovh. The domain has no legitimate reason to appear on a clean FiveM install — the FiveM launcher points to runtime.fivem.net / servers.fivem.net, never fivem.ovh.
  • If the DNS cache has been flushed, grep browser history for any URL containing /goonen/ or /tita/. Discord OAuth callbacks resolving to fivem.ovh are also a hit.
3

Registry — the killer indicator

  • Open regedit and navigate to HKLM\SOFTWARE\NVIDIA Corporation\Global\NvApp\ShadowPlay\FTS.
  • Look for a REG_DWORD named {497B8458-4244-4EE6-BFEA-F3D2BA294F21} with value 0x24. This value name is a Wizard-authored GUID; it does not exist in any legitimate NVIDIA install. Presence is proof the cheat has run on the machine.
4

Mutex enumeration (System Informer)

  • System Informer → Handles → filter type Mutant. Look for Global\NvApp owned by a process whose signer is not NVIDIA Corporation.
  • Cross-reference the owning process with the registry check in step 3 — the same process should hold the mutex and have written the GUID value.
5

Window class enumeration

  • Enumerate top-level windows (Spy++ or System Informer "Windows" tab) and filter for class MirrorWindowClass whose owning process is not signed by NVIDIA.
  • A single unsigned process owning the mutex from step 4 and a MirrorWindowClass window is a WIZ001 + masquerade compound hit.
6

Anti-analysis close-then-launch pattern

  • Journal-trace Prefetch or Amcache for close events of the blocklisted tools (Fiddler / HxD / Cheat Engine / KsDumper / HTTPDebugger / FolderChangesView / AnyDesk) immediately preceding a FiveM launch.
  • The pattern is telling because the cheat refuses to run while those tools are open — subjects close them right before starting a session, then relaunch after.
7

Discord OAuth linkage

  • In Discord → User Settings → Authorized Apps, look for any application whose callback resolves to fivem.ovh. The cheat stores discord_id + discord_display_name + discord_avatar_url on the account and requires OAuth for the initial bind.
8

HWID cross-reference (when applicable)

  • If you have a known-Wizard HWID (from a leaked user DB, a screenshot the subject posted, or an admin confession), read the subject's MachineGuid from HKLM\SOFTWARE\Microsoft\Cryptography and their C:\ volume serial (vol C:). Compute fnv1a_hex(MachineGuid | vol_serial)[:20]. Match to the known HWID → conclusive.
  • This lookup is deterministic; the collision space is 280. No coincidence is possible.

Detection summary (WIZ001–003)

The Clubhouse AC scanner ships three IOC definitions for Wizard. Each includes a false-positive guardrail — see lib/server/cheat-iocs.ts for the exact contextOk callbacks. A registry-based WIZ004 (targeting the GUID + value from §NVIDIA masquerade) is queued for the next release once the v2 registry-collector lands.

WIZ IOC matrixSummary
ID       Severity   Needle                             FP guardrail
──────────────────────────────────────────────────────────────────────────
WIZ001   Critical   fivem.ovh/goonen/                  —  (unique path)
WIZ001   Critical   fivem.ovh/tita/                    —  (unique path)
WIZ001   Critical   login-check-new-private.php        requires fivem.ovh /
                                                       goonen / tita / wizard
                                                       marker in same window

WIZ002   Critical   Wizard New ImGui\                  —  (unique dev folder)
WIZ002   Critical   LoadWizardIngameNames              —  (unique internal sym)
WIZ002   Critical   wizard-names.php                   —  (unique endpoint)

WIZ003   High       update-ingame-name.php             requires same-window
                                                       cheat-brand marker
WIZ003   High       cloud_config.php                   requires same-window
                                                       cheat-brand marker

WIZ004   Critical   Registry: HKLM\SOFTWARE\NVIDIA…\   (queued for v2 registry
         (queued)   ShadowPlay\FTS\{497B8458-…-F21}     collector — GUID-value
                    = 0x24                             is 100% specific)

Slate.exe is deliberately NOT a WIZ IOC on its own. Multiple unrelated products ship a Slate.exe (Microsoft Yammer, Adobe Slate). Detection requires corroboration — a WIZ001 network hit, a WIZ002 build-tree hit, the WIZ004 registry hit (when live), or a signed hash lookup once a compiled build is submitted to the corpus.

Defensive material

All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only; no compiled cheat binary is redistributed, and no functional shellcode or exploit is provided in a weaponisable form. The source-archive SHA-256 and build-tree paths are cited to enable cross-comparison with independently obtained copies. For vulnerability disclosures or corpus contributions, contact security@clubhouseac.shop.