Executive summary
- Compiled binary name is Slate.exe, hardcoded in the leaked .vcxproj FullPath attribute: C:\Users\AntiGang\Downloads\Wizard New ImGui\x64\Release\Slate.exe.
- HWID formula is fully leaked: fnv1a_hex(MachineGuid + "|" + volume_serial(C:)) truncated to 20 hex characters. Server-side rebinding is enforced (HwidMismatch is a distinct auth result).
- Auth backend is fivem.ovh with two live brand paths: current /goonen/ and legacy /tita/ — the operator rotates paths to churn detections but never changes the host.
- All memory I/O uses ZwReadVirtualMemory and NtCreateThreadEx resolved via lazyimporter — bypasses user-mode hooks on ReadProcessMemory/CreateRemoteThread.
- NVIDIA App masquerade goes further than mutex naming: writes GUID {497B8458-4244-4EE6-BFEA-F3D2BA294F21} value 0x24 under HKLM\SOFTWARE\NVIDIA Corporation\Global\NvApp\ShadowPlay\FTS — a distinctive registry footprint.
- Overlay window uses undocumented CreateWindowInBand with ZBID_UIACCESS (band 2) to render above secure-desktop windows.
- SilentAim hooks IsPlayerFreeAimingAtEntity with a 3-byte shellcode (B0 01 C3 — mov al, 1; ret) that unconditionally reports the local player as aiming at the target — 19 leaked ped-bone constants (SKEL_Head 0x796e, SKEL_Neck_1 0x9995, etc.) drive bone selection.
- String obfuscation is aggressive: 624 distinct xorstr() call sites across the tree — every URL, error message, registry path, and window class name is XOR-encrypted at compile time.
Overview
Wizard External is an out-of-process cheat that reads and writes to the FiveM GTA V game process from a separate host process. The current build under analysis ships as the "Wizard New ImGui" revision, whose compiled artifact is Slate.exe — the innocuous name is deliberate misdirection; the product is marketed as Wizard.
Interesting code lives entirely under src/. The tree is organised into six top-level namespaces: Core::SDK (game structs + external memory access), Core::Features (Aimbot, SilentAim, Triggerbot, MagicBullets, ESP, cam, dynamicfov, Friends, NVIDIA, WizardVisuals, and the RP-exploits sub-namespace), Core::Threads (EntityList, LocalPlayerState, ScreenResolution, UpdateNames, UpdatePointers, VehicleList, Exploits2, GetConfig), Gui (Overlay + Pages/Combat, Exploits, Local, Login, plus the Dear ImGui tree), auth (WinHTTP KeyAuth-style login), and declar (math primitives).
The developer's Windows user handle, AntiGang, is baked into the .vcxproj FullPath of the release binary reference and into numerous .suo / .vs IntelliSense caches. This is our anchor for the WIZ002 build-tree IOC.
Sample metadata
Archive Wizard External (new).zip
Size 1,362,806,272 bytes (1.4 GB)
SHA-256 881afff07f38cbe5e43d0fa9abb89c6c90f2bffb29f16a724aacff2cf374ef74
Solution External.sln (Visual Studio 2022)
Source 62 .cpp | 405 .h/.hpp | Dear ImGui vendored
Vendored xorstr, lazyimporter, DirectX SDK D3DX 9.29
Developer AntiGang (leaked in .vcxproj FullPath + .suo)
Compiled Slate.exe (x64 Release)
Build tree C:\Users\AntiGang\Downloads\Wizard New ImGui\x64\Release\
Auth host fivem.ovh
Brand paths /goonen/ (current) /tita/ (legacy — same host)
Target FiveM (GTA V)
proc: FiveM_GTAProcess.exe / FiveM_GameProcess.exe
build-numbered: FiveM_b\d{4}_GTAProcess.exeThe compiled release binary name Slate.exe is baked into External.vcxproj, DocumentLayout.json, and the Visual Studio solution file. Any downstream build produced from this tree will ship with the same name unless the operator explicitly renames the output — which they generally do not, as Slate.exe is already innocuous enough to blend in with legitimate products (Microsoft Yammer and Adobe Slate both ship a Slate.exe). This is why the name alone is not an IOC — it needs corroboration.
Auth infrastructure
Authentication is handled in a single file: src/Core/Features/auth.hpp — 1,120 lines of WinHTTP client code with every URL, key, and error string XOR-obfuscated. There are two brand paths on the same host and eight distinct endpoints. The current build points at /goonen/; the older /tita/ paths are commented but still resolve.
// current brand path — /goonen/ API_URL = https://fivem.ovh/goonen/login-check-new-private.php CONFIG_API_URL = https://fivem.ovh/goonen/cloud_config.php CHECK_INJECT_BYPASS_URL = https://fivem.ovh/goonen/bypass.php UPDATE_INGAME_NAME_URL = https://fivem.ovh/goonen/update-ingame-name.php WIZARD_NAMES_URL = https://fivem.ovh/goonen/wizard-names.php DISCORD_STATS_URL = https://fivem.ovh/api/discord_stats.json // legacy brand path — /tita/ — same host, commented out but reachable API_URL (tita) = https://fivem.ovh/tita/login-check-new-private.php CONFIG_API_URL (tita) = https://fivem.ovh/tita/cloud_config.php CHECK_INJECT_BYPASS_URL = https://fivem.ovh/tita/bypass.php
All requests are HTTPS POST with a JSON body sent over WinHTTP (winhttp.lib) — no TLS pinning, no custom CA validation, so an MITM proxy with a trusted root CA installed (mitmproxy, Fiddler with root cert) transparently intercepts every call. The client parses responses with a hand-rolled JSON scanner (no nlohmann/json).
Two client-side back-off timers exist in the same namespace: g_rate_limit_until + g_rate_limit_penalty_ms (per-account throttle), and g_service_pair_block_until + g_service_pair_verified_until (host/pair block). Both are unsigned 64-bit tick counters and reset in memory only — a process restart clears the throttle, meaning the server carries the authoritative state.
The response schema populates an AccountProfilestruct:
struct AccountProfile {
std::string user_name;
std::string ingame_name;
std::string expiredate; // human string
std::string expires_at; // ISO 8601
std::string discord_id; // Discord snowflake
std::string discord_display_name;
std::string discord_avatar_url;
bool admin = false;
bool staff = false;
};
enum class Result {
Ok, // license valid, HWID auto-bound this session
OkBound, // license valid, HWID was already bound
Invalid, // wrong key / user
HwidMismatch, // server has a different HWID on file
Network, // WinHTTP send / receive failure
BadResponse, // JSON parse failure or unknown error code
Expired, // subscription past expires_at
};HWID formula (leaked)
The HWID is computed client-side and sent as the hwid field of every POST body. The exact formula is trivially reproducible:
static std::string get_hwid() {
std::string a = trim(get_machine_guid()); // HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid
std::string b = trim(get_volume_serial()); // GetVolumeInformationW(L"C:\") → 8 hex upper
std::string mix = a + "|" + b;
if (mix.empty()) mix = "fallback";
std::string h = fnv1a_hex(mix); // 64-bit FNV-1a, hex-encoded
if (h.size() > 20) h.resize(20); // truncate to 20 chars
return h;
}Practical detection implication. Because the HWID is a fixed function of a machine's MachineGuid + C:\ volume serial, and never depends on any per-session salt, a server can fingerprint a user across every product on the same infra with a single hash lookup. This is how /tita/ and /goonen/ can share a ban list without any brand correlation on the client side.
For defenders. If you obtain a known-Wizard-user account HWID (via a leaked database, a subject's screenshot, or their own admission), you can recompute fnv1a_hex(machine_guid | vol_serial)[:20] on any suspect PC and match with zero false positives — the collision space is 280.
JSON API surface
Every endpoint takes the same base shape: a POST with {"hwid": "<20 hex chars>", ...} body. The server returns JSON with a top-level result code and optional payload.
login-check-new-private.php Primary auth. Returns AccountProfile + result:
Ok / OkBound / Invalid / HwidMismatch / Expired
Server binds first-seen HWID → subsequent Result::OkBound.
bypass.php Injection-status oracle. Client posts
{"hwid":..., "action":"load"} and reads a token
gating whether Slate.exe will start hooking. Called
by probe_bypass_endpoint() before every scan.
cloud_config.php User-scoped feature-flag / settings JSON. Client
posts {"hwid":..., "action":"load"}. Response
is the per-account cheat config (enabled features,
bones enabled, aim smoothing, ESP colors).
update-ingame-name.php Reports the RP character name in the running FiveM
server back to the operator (server-side scoreboard
of Wizard users by in-game identity).
wizard-names.php Pull the list of other Wizard users' in-game names,
used by WizardVisuals to draw a per-user badge/logo
above teammates in-game (LoadWizardIngameNames symbol,
our WIZ002 IOC).
/api/discord_stats.json Public health/stat JSON. No hwid required.
Used by the login screen to show a "live users" count.SilentAim engine
SilentAim is implemented in src/Core/Features/SilentAim.cpp. The core trick is a 3-byte shellcode written into a code cave in the FiveM process:
std::vector<uint8_t> shellcode = {
0xB0, 0x01, // mov al, 1
0xC3 // ret
};
uintptr_t shellcodeAddr = Mem.CreateCodeCave(shellcode.size());
Mem.WriteBytes(shellcodeAddr, shellcode);
// Function-pointer patch redirects the game's aim-validation call
// to the code cave — SilentAim now reports "yes, aiming at target"
// unconditionally, and the game's shooting logic obliges.Bone selection is driven by a full leaked map of GTA V ped skeleton IDs:
SKEL_Pelvis 0x2e28 SKEL_Spine1 0x60f0 SKEL_L_Thigh 0xe39f SKEL_Spine2 0x60f1 SKEL_L_Calf 0xf9bb SKEL_Spine3 0x60f2 SKEL_L_Foot 0x3779 SKEL_L_UpperArm 0xb1c5 SKEL_R_Thigh 0xca72 SKEL_L_Forearm 0xeeeb SKEL_R_Calf 0x9000 SKEL_L_Hand 0x49d9 SKEL_R_Foot 0xcc4d SKEL_R_UpperArm 0x9d4d SKEL_R_Forearm 0x6e5c SKEL_R_Hand 0xdead SKEL_Neck_1 0x9995 SKEL_Head 0x796e
Note the joke — SKEL_R_Hand = 0xdead — is the developer's own literal, not a bug on our side.
MagicBullets AOB patch
MagicBullets is a bullet-redirect feature (bullets travel to a picked target regardless of where the player aims). It relies on an AOB scan for a specific instruction sequence in gta5.exe:
m_MagicBulletsPatch = 0F 29 4F ?? 83 8F ?? ?? ?? ?? ?? 48 8B 4F // Toggle is gated on foreground-window check to avoid triggering // while alt-tabbed — see MagicBullets.cpp:IsSilentAimActive2(). if (ActiveWindow != g_Variables.g_hGameWindow) return false;
The Offsets.hpp file contains ~30 similar AOB signatures for classes and functions the cheat needs (m_World, m_ReplayInterFace, m_ViewPort, m_BlipList, m_CamGameplayDirector, m_LocalPlayer, m_SilentAim, m_InfiniteAmmo0/1, m_ArmsKinematics, m_LegsKinematics, m_InfiniteCombatRoll, m_GiveWeapon, and 15 more). These are patchday-current — each build revs them when a FiveM/GTA update ships.
External memory I/O (syscall-level)
src/Core/SDK/Memory.cppdeliberately avoids the ordinary Windows API calls that a user-mode anti-cheat would hook. Instead it resolves NT syscall wrappers through the vendored lazyimporter library and calls them directly:
// Reads use ZwReadVirtualMemory (aka NtReadVirtualMemory) — the raw
// syscall wrapper, resolved by lazyimporter at first use. Anti-cheats
// that hook ReadProcessMemory in kernel32 see nothing.
if (!ZwReadVirtualMemory(Mem.ProcHandle, addr, &buf, size, &read))
break;
// Remote thread creation uses NtCreateThreadEx directly — sidesteps
// CreateRemoteThread hooks and, on Windows, sidesteps CreateRemoteThreadEx
// too.
typedef NTSTATUS(WINAPI* pNtCreateThreadEx)(...);Pattern-scan / offset-resolve is done externally: the cheat scans the FiveM process address space for each AOB signature from Offsets.hpp, resolves RIP-relative operands (ResolveRelativeAddress), and stores the resolved pointers into the g_Offsets singleton. A background thread (Threads/UpdatePointers.hpp) re-scans on demand when the pointer set goes stale.
CreateWindowInBand overlay (ZBID_UIACCESS)
The in-game menu is drawn by an ImGui overlay in a separate top-level window that layers over the FiveM game window. Two rendering paths exist; the interesting one is gated on a compile-time FULLSCREEN_EX flag:
#ifdef FULLSCREEN_EX
CoInitializeEx(NULL, COINIT_APARTMENTTHREADED | COINIT_DISABLE_OLE1DDE);
CreateWindowInBand pCreateWindowInBand =
reinterpret_cast<CreateWindowInBand>(GetProcAddress(
LoadLibraryA("user32.dll"), "CreateWindowInBand"));
PrepareForUIAccess();
g_hCheatWindow = pCreateWindowInBand(
WS_EX_TOPMOST | WS_EX_TRANSPARENT | WS_EX_NOACTIVATE,
RegClass, L" ", WS_POPUP, x, y, w, h,
NULL, NULL, wc.hInstance, NULL,
2 /* ZBID_UIACCESS */);
#else
g_hCheatWindow = CreateWindowExW(
WS_EX_TOPMOST | WS_EX_LAYERED | WS_EX_TOOLWINDOW | WS_EX_TRANSPARENT,
wc.lpszClassName, L" ", WS_POPUP, x, y, w, h, NULL, NULL,
wc.hInstance, NULL);
#endifCreateWindowInBand is an undocumented user32 export. ZBID_UIACCESS (band 2) is normally reserved for windows whose owning process has a UIAccess manifest and holds a UIAccess token — the same band as the on-screen keyboard and Narrator. Getting into it requires PrepareForUIAccess and the correct manifest, but once granted, the overlay renders above the secure desktop and above any normal user process — including screen-capture overlays. A commented-out line (SetWindowDisplayAffinity(hCheat, WDA_EXCLUDEFROMCAPTURE)) shows the developer previously tried an anti-screenshot mode too.
A low-level keyboard hook (WH_KEYBOARD_LL) intercepts all key events and PostMessages them to g_hCheatWindow — this lets the menu open on key press without needing input focus.
NVIDIA App masquerade (registry hijack)
The renderer disguises itself as an NVIDIA App component. The masquerade is layered:
- Mutex name: Global\NvApp — the same mutex the real NVIDIA App uses. A Wizard instance and a genuine NVIDIA App cannot both run at once, but a casual observer scanning mutex names sees nothing suspicious.
- Window class name: MirrorWindowClass, registered in Threads/ScreenResolution.hpp:122. This is a legitimate NVIDIA internal window class used by their overlay compositor.
- Registry key hijack (the real detection signal). From Core/Features/NVIDIA/NVIDIA.hpp:22:
REG_PATH = HKLM\SOFTWARE\NVIDIA Corporation\Global\NvApp\ShadowPlay\FTS
VALUE_NAME = {497B8458-4244-4EE6-BFEA-F3D2BA294F21} // GUID (wide string)
VALUE_DATA = 0x00000024 // DWORD
NV_PROCESS = nvcontainer.exe // watched for lifecycle
// A background thread (m_watchThread) monitors nvcontainer.exe.
// When it exits, EmergencyCleanup() removes the value.Why this GUID is a perfect IOC. The value name is a hardcoded GUID inside the cheat. It has no meaning in NVIDIA's own software — searching the NVIDIA App binaries and ShadowPlay for this GUID returns zero hits. Any presence of HKLM\SOFTWARE\NVIDIA Corporation\Global\NvApp\ShadowPlay\FTS\{497B8458-4244-4EE6-BFEA-F3D2BA294F21} = 0x24 is Wizard. We will add this as a follow-up WIZ004 registry IOC once the v2 scanner's registry collector lands.
Anti-analysis blocklist
Wizard maintains a static process-name blocklist and refuses to run when any is present. Interestingly this list is itself a defensive fingerprint — any binary that enumerates this same set is highly suspect:
Fiddler.exe Fiddler_x64.exe / _x86.exe
Fiddler Everywhere.exe Fiddler Classic
HTTPDebuggerSvc.exe HTTPDebuggerSvc_x64.exe
HTTPDebuggerUI.exe HTTPDebuggerUI_x64.exe
HTTP Debugger Windows Service (32 bit).exe
HxD.exe / HxD32.exe / HxD32_x86.exe HxD64.exe / HxD64_x64.exe
HxD_x64.exe / HxD_x86.exe
Cheat Engine.exe Cheat Engine_x64.exe / _x86.exe
KsDumper.exe
FolderChangesView.exe FolderChangesView_x64.exe / _x86.exe
AnyDesk.exe AnyDesk_x64.exe / _x86.exe
Also referenced (regex-matched):
FiveM_b\d{4}_GTAProcess\.exe FiveM_b\d{4}_GameProcess\.exeWhy it matters for SS checks. The cheat refuses to run while any of these tools are open. Users tend to close them right before starting a session — the resulting close-then-launch sequence in the USN Journal (or Amcache / Prefetch) is itself a screenshare signal, even after the cheat has cleaned up.
String obfuscation (xorstr)
Every URL, error message, registry path, window class name, and Windows API name in the source is wrapped in xorstr() or xorstr_() — a header-only compile-time XOR obfuscator vendored under security/xorstr.hpp. In the leaked tree the wrapper appears at 624 call sites. What this means for defenders:
- Static string search against Slate.exe for "fivem.ovh", "MirrorWindowClass", "NvApp", etc. will NOT match — every constant is XOR-encrypted with a per-string key resolved on first use, then re-encrypted (see crypt_get() in xorstr_).
- Strings surface briefly in the heap while a call executes. A runtime memory scan of the live Slate.exe process will find them — this is the intended IOC surface for WIZ001 in the v2 engine (which loops STRING_IOCS over collected memory windows).
- The lazyimporter library additionally hides Windows API resolution — imports don't appear in the PE Import Directory. Import-based IOCs will not fire.
The presence of xorstr plus lazyimporter without a legitimate reason (game modding, DRM tooling, or a CTF binary — all rare on a FiveM-user PC) is itself a behavioural indicator on top of the string / registry / mutex hits.
Screenshare check guide
A systematic screenshare (SS) investigation for Wizard External / Slate.exe. Every step below is sourced from concrete artifacts in the leaked tree — no memory-dump speculation.
Journal Trace on drive C: for build artifacts
- Run a Journal Trace on drive C: with the term Wizard New ImGui. The exact directory name is baked into the developer's build output — anyone who unzipped the leaked source has this path in their USN Journal.
- Search for Slate.exe, but do not treat a bare hit as conclusive (Microsoft Yammer, Adobe Slate both ship Slate.exe). Corroborate with any of steps 2–8.
DNS cache & browser history
- Run ipconfig /displaydns | findstr /I fivem.ovh. The domain has no legitimate reason to appear on a clean FiveM install — the FiveM launcher points to runtime.fivem.net / servers.fivem.net, never fivem.ovh.
- If the DNS cache has been flushed, grep browser history for any URL containing /goonen/ or /tita/. Discord OAuth callbacks resolving to fivem.ovh are also a hit.
Registry — the killer indicator
- Open regedit and navigate to HKLM\SOFTWARE\NVIDIA Corporation\Global\NvApp\ShadowPlay\FTS.
- Look for a REG_DWORD named {497B8458-4244-4EE6-BFEA-F3D2BA294F21} with value 0x24. This value name is a Wizard-authored GUID; it does not exist in any legitimate NVIDIA install. Presence is proof the cheat has run on the machine.
Mutex enumeration (System Informer)
- System Informer → Handles → filter type Mutant. Look for Global\NvApp owned by a process whose signer is not NVIDIA Corporation.
- Cross-reference the owning process with the registry check in step 3 — the same process should hold the mutex and have written the GUID value.
Window class enumeration
- Enumerate top-level windows (Spy++ or System Informer "Windows" tab) and filter for class MirrorWindowClass whose owning process is not signed by NVIDIA.
- A single unsigned process owning the mutex from step 4 and a MirrorWindowClass window is a WIZ001 + masquerade compound hit.
Anti-analysis close-then-launch pattern
- Journal-trace Prefetch or Amcache for close events of the blocklisted tools (Fiddler / HxD / Cheat Engine / KsDumper / HTTPDebugger / FolderChangesView / AnyDesk) immediately preceding a FiveM launch.
- The pattern is telling because the cheat refuses to run while those tools are open — subjects close them right before starting a session, then relaunch after.
Discord OAuth linkage
- In Discord → User Settings → Authorized Apps, look for any application whose callback resolves to fivem.ovh. The cheat stores discord_id + discord_display_name + discord_avatar_url on the account and requires OAuth for the initial bind.
HWID cross-reference (when applicable)
- If you have a known-Wizard HWID (from a leaked user DB, a screenshot the subject posted, or an admin confession), read the subject's MachineGuid from HKLM\SOFTWARE\Microsoft\Cryptography and their C:\ volume serial (vol C:). Compute fnv1a_hex(MachineGuid | vol_serial)[:20]. Match to the known HWID → conclusive.
- This lookup is deterministic; the collision space is 280. No coincidence is possible.
Detection summary (WIZ001–003)
The Clubhouse AC scanner ships three IOC definitions for Wizard. Each includes a false-positive guardrail — see lib/server/cheat-iocs.ts for the exact contextOk callbacks. A registry-based WIZ004 (targeting the GUID + value from §NVIDIA masquerade) is queued for the next release once the v2 registry-collector lands.
ID Severity Needle FP guardrail
──────────────────────────────────────────────────────────────────────────
WIZ001 Critical fivem.ovh/goonen/ — (unique path)
WIZ001 Critical fivem.ovh/tita/ — (unique path)
WIZ001 Critical login-check-new-private.php requires fivem.ovh /
goonen / tita / wizard
marker in same window
WIZ002 Critical Wizard New ImGui\ — (unique dev folder)
WIZ002 Critical LoadWizardIngameNames — (unique internal sym)
WIZ002 Critical wizard-names.php — (unique endpoint)
WIZ003 High update-ingame-name.php requires same-window
cheat-brand marker
WIZ003 High cloud_config.php requires same-window
cheat-brand marker
WIZ004 Critical Registry: HKLM\SOFTWARE\NVIDIA…\ (queued for v2 registry
(queued) ShadowPlay\FTS\{497B8458-…-F21} collector — GUID-value
= 0x24 is 100% specific)Slate.exe is deliberately NOT a WIZ IOC on its own. Multiple unrelated products ship a Slate.exe (Microsoft Yammer, Adobe Slate). Detection requires corroboration — a WIZ001 network hit, a WIZ002 build-tree hit, the WIZ004 registry hit (when live), or a signed hash lookup once a compiled build is submitted to the corpus.
Defensive material
All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only; no compiled cheat binary is redistributed, and no functional shellcode or exploit is provided in a weaponisable form. The source-archive SHA-256 and build-tree paths are cited to enable cross-comparison with independently obtained copies. For vulnerability disclosures or corpus contributions, contact security@clubhouseac.shop.