The cheat exposes an API that is reachable via HTTP(S). It mostly relies on POST requests. Both the loader and the cheat payload make requests to LMAOBOX’s API. For lobby sharing, the cheat payload will use WinInet library functions like:

  • InternetConnectA
  • InternetSetOptionA
  • HttpOpenRequestA
  • InternetReadFile

Below you will find all endpoints that have been discovered by me.

  • POST | lmaobox.net/v/authv2/ Sent by their loader to authenticate a cheat customer, using a combination of ( %CUSTOMER_EMAIL% + %PASSWORD% + %VOLUME_SERIAL% ). Requests encode the identity provider (the data used to prove identity to their backend server) using a basic bitwise NOT transformation. To protect the response, LMAOBOX decided to use a basic XOR transformation. The response also contains the final loader stage in a slightly modified PE format, and the actual cheat payload that is later injected into TF2.
  • POST | lmaobox.net/sl/v/ Sent by the cheat payload for Share My Lobby: Fetching the match registration table.
  • POST | lmaobox.net/sl/ Sent by the cheat payload for Share My Lobby: Registration of the local client with LMAOBOX Premium: Share my Lobby service.
  • GET | lmaobox.net/lua/store/ Sent by the cheat payload to request a .csv file which acts as a directory of scripts using LMAOBOX’s Lua scripting system. Its structure is defined publicly (check csv). If an LMAOBOX user looks into their Lua tab inside the cheat menu, it will flow like this: cheat payload -> WinInet API -> lmaobox.net/lua/store/ -> raw.githubusercontent.com/…/repo.csv

Some methods might require a valid cheat subscription if you want to interact with them.

/v/authv2/ | Authenticate & Receive Stage2 & Payload

As previously explained, this network request is made in order to authenticate with LMAOBOX’s backend server. In the event of a successful request, you will receive the second loader stage and the cheat payload in an encoded form. It's encoded using the password you used when registering on LMAOBOX’s website. The request submits your customer e-mail, password, and a product identifier, which in the case of TF2 is “hl2”. It also submits your volume ID, queried by GetVolumeInformationA.

/sl/ | Register with “Share my Lobby” Service

LMAOBOX itself advertises this feature as “Share my lobby – Share my lobby with other lmaobox users”. It basically is an LFG (Looking-for-Group) platform which allows users of LMAOBOX to find each other. During registration, it transmits various metadata to its backend server:

  • Your Steam32-ID encoded in hexadecimals
  • Your region estimate (likely based on public IP)
  • Number of players present in your lobby (1/6)
  • Your current in-game name (in TF2, cheats can make it different from your real profile name).

/sl/v/ | Fetch “Share My Lobby” Registration Table

The cheat payload makes an HTTP POST request to https://lmaobox.net/sl/v/ through the WinINet API. Without obfuscation, it looks like:

Raw formatted buffer: i=47A2BE&u=lboxuser@gmail.com
u = customer email address
i = some hardcoded string within the cheat payload (could be user identity related and embedded by their custom pipeline, no idea)

char __fastcall LB::GetShareMyLobyyList(__int64 a1)
{
  // ...
  lpParams = 0;
  memset();
  v2 = LB::DecodeString(&v18, byte_4000001366F6);
  ((void (__fastcall *)(char *, char *, __int64, __int64))sprintf)(&lpParams, *v2, 0x47A2BE, v3);

  v4 = *(_DWORD *)(*(__int64 (__fastcall **)(__int64, char *))(*(_QWORD *)AVCSteamUserV019 + 16i64))(
                    AVCSteamUserV019,
                    &v19);

  if ( LB::ShareMyLobbyResponse )
  {
    *(_DWORD *)(a1 + 64) = 0;
    free(LB::ShareMyLobbyResponse);
  }
  v5 = (__int64 *)LB::DecodeString(&v18, byte_40000013670E);
  //
  // fourth argument determines the final operation.
  // 0 - register your own lobby
  // 1 - fetch the table of already opted in lobbies 
  //
  LB::ShareMyLobbyEndpoint(*v5, &LB::ShareMyLobbyResponse, (__int64)&lpParams, 1);

  LOBYTE(v6) = LB::DecodeString2(&v18);
  v7 = (char *)LB::ShareMyLobbyResponse;
  if ( LB::ShareMyLobbyResponse )
  {
    if ( *(_BYTE *)LB::ShareMyLobbyResponse )
    {
      do
      {
        v8 = *v7++;
        *(v7 - 1) = ~v8;
      }
      while ( *v7 ); // decode the response
      v7 = (char *)LB::ShareMyLobbyResponse;
    }
    // ...
  }
  // ...
}

You will need to apply a simple bitwise NOT over this information and attach it to your request’s body:

Postman might not be able to display it properly because the response was encoded using the same bitwise NOT operation used for encoding the identity provider. Just export it by clicking Save Response. Below you will see what an example response might look like (displayed in a hex editor):

Let’s build a simple program to decode it (Python would probably have been better here, but it is what it is):

#include <stdio.h>

int main(void) {
    /* Example response bytes as received (bitwise NOT encoded). */
    unsigned char data[] = {
        0xCD, 0x9B, 0xC6, 0xCB, 0xC7, 0x9C, 0x9A, 0xC8, 0xC4, 0xCE, 0xC4,
        0xCE, 0xC4, 0x91, 0x9E, 0xC4, 0x9D, 0x90, 0x98, 0x98, 0x93, 0x9A,
        0x8C, 0x97, 0x90, 0x8D, 0x9D, 0x96, 0x9A, 0xC4, 0xF5, 0xCD, 0x9B,
        0xCF, 0xC9, 0xC8, 0xCC, 0x9A, 0xCC, 0xC4, 0xCE, 0xC4, 0xCD, 0xC4,
        0x9A, 0x8A, 0xC4, 0x88, 0x97, 0x9A, 0x8D, 0x9A, 0x96, 0x8C, 0x92,
        0x86, 0x9C, 0x90, 0x99, 0x99, 0x9A, 0x9A, 0xC4, 0xF5
    };
    /* Invert every byte; the cast keeps the value in 0..255 after integer promotion. */
    for (size_t i = 0; i < sizeof(data); i++)
        putchar((unsigned char)~data[i]);
    return 0;
}

This will be your result, exactly matching (*4)
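Going one step past decoding, the following added example (not part of the original post or the author's tracker) parses the decoded table into records. The post lists the transmitted fields but not their column order, so the two numeric columns are left unnamed (`col2`, `col3` are assumptions), and the row layout is inferred only from the sample bytes above.

```python
import re

# The 64-byte example response from the post's C decoder, as hex.
SAMPLE = bytes.fromhex(
    "cd9bc6cbc79c9ac8c4cec4cec4919ec49d909898939a8c97908d9d969ac4f5"
    "cd9bcfc9c8cc9accc4cec4cdc49a8ac488979a8d9a968c92869c9099999a9ac4f5"
)

# Row layout as observed in that sample: hex id; number; number; region; name;
# The name is matched greedily so that a ';' inside it does not shift columns.
ROW = re.compile(r"([0-9a-fA-F]{1,8});([0-9]+);([0-9]+);([^;]*);(.*);")


def not_transform(data: bytes) -> bytes:
    """Bitwise NOT of every byte. Applying it twice restores the input."""
    return bytes(b ^ 0xFF for b in data)


def parse_lobby_table(encoded: bytes) -> list[dict]:
    """Decode a /sl/v/ response and return one dict per well-formed row."""
    text = not_transform(encoded).decode("utf-8", errors="replace")
    rows = []
    for line in text.split("\n"):
        m = ROW.fullmatch(line)
        if m is None:          # blank trailer or malformed row: skip it
            continue
        ident, col2, col3, region, name = m.groups()
        rows.append({
            "account_id": int(ident, 16),   # Steam32 ID, sent as hex
            "col2": int(col2),              # assumption: meaning not confirmed
            "col3": int(col3),              # assumption: meaning not confirmed
            "region": region,
            # Names are user-controlled: neutralise control characters
            # before they reach a terminal, log file or dashboard.
            "name": "".join(c if c.isprintable() else "?" for c in name),
        })
    return rows


if __name__ == "__main__":
    for row in parse_lobby_table(SAMPLE):
        print(row)
```

Because the in-game name can be set freely by the cheat, anything that stores or renders these rows should treat that column as untrusted input.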

Tracking and Deanonymization

If you’re wondering whether this could be used to track LMAOBOX Premium users: Yeah, absolutely! But only those who are opted into their lobby sharing system.

I built a tracker that does exactly that. It's a standalone ASP.NET Core API with two jobs. One is to regularly poll LMAOBOX’s backend server at this endpoint /sl/v/. Then it stores that data in a SQL database for both currently active, but also previously seen clients.

Because you cannot interact with this API without having a valid LMAOBOX Premium cheat license, it’s rather unlikely to end up being tracked as a legitimate player. For the most part it requires an active instance of LMAOBOX that has infected a TF2 game client. Or something that emulates it, which again is very possible, especially once it becomes more widely known.

Because I know that going public with this will likely burn the method, I decided to track the ecosystem for a couple of weeks, and then shut my tracker down right before going public. All information I was able to gather can be downloaded in SQLite3 format by clicking here. I also built a Grafana dashboard to visualize all of this data.

While it might not be too useful, it still gives us valuable insight into the psychology of cheaters. I know this sounds ridiculous, but let me try to explain all variables. So with this system, we’ve got:

  • a stable identity via Steam.
  • the current in-game username (can be overridden by cheats).
  • an estimated region of the user.
  • number of players grouped together in that lobby.
  • lobby type, a self-selected variable consisting of Rage Hacking, Mann vs Machine (PvE), Competitive, and Casual.

If you make use of longitudinal tracking here, you will also end up with a list of all names ever used by that Steam persona.

Remarks

Although we cannot measure LMAOBOX’s entire userbase, our approach still gives us valuable insights for players who are actively looking to cooperate with other cheaters. Judging from this data, LMAOBOX still plays a role inside TF2’s cheating ecosystem, even in 2026. Here are some interesting behavioural patterns:

  • there is a group of LMAOBOX users who focus on looking like legitimate players. some of them are hiding shockingly well, with absolutely no trace of cheating on their profile.
  • some will have a friends list full of players who are also using LMAOBOX or another cheat brand.
    • they might attempt to moderate the comment section of each other, in order to:
      • deflect accusations by applying psychological tactics like discrediting the commenter.
      • leave positive comments on each other’s profiles, in order to artificially raise perceived reputation. I believe this is also done for impression management. They might want to control how people visiting these profiles end up perceiving it.
  • others are less sophisticated and heavily utilize psychological framing tactics in order to:
    • either acknowledge they were cheating in the past, but claim to have stopped now, or
    • claim that the ban was unjust (false ban)
    • claim that the ban was caused by their account being stolen, and a third-party cheating with it.
    • this can be mostly seen in their steam profile description. sometimes also within their names.
  • another group openly admits it through various signals:
    • they’ll put something like “im cheating” as their name.
    • they’ll openly admit to be using LMAOBOX in their profile description.
    • they’ll have tons of vac bans.
    • their comment section is filled with other cheaters, sometimes people who are deeply embedded within the tf2 cheating scene.
    • while these signals might not be much of worth individually, they absolutely do pile up for many cheating individuals, and honestly speaking: many of them don’t even attempt to hide it.
  • problematic in-game and profile names:
    • it seems like there is a trend for edgy/shock value type names in their in-game name or steam profile name/art/other content. here is a list of offenses found in their names alone:
      • Antisemitism:
      • Racism / Nazi / White Supremacy
      • Anti-LGBTQ / Identity-Based Hate
      • Sexual Violence / Rape Threats
      • Violent Threats / Encouraging Harm
      • Pedophilia Accusation / Defamation Bait (severe harassment)

Note that none of this necessarily reflects real wrongdoing that can be traced back to specific individuals. We should not lump every video game cheat user together, because in psychology, cheating itself and cheating within the scope of video games is a very complex topic. My data is heavily biased and only suffices as a general hint towards trends within a specific monitored group.

You can find a wrapper and reverse engineered code from the cheat payload here. Do note that the cheat operator became aware of this abuse pattern and allegedly changed some parts which were talked about here. I cannot verify this independently because my LMAOBOX account was deleted on April 19. I never really intended to turn this into something longer lasting, which should be obvious from my move alone to make a blog post about it.

2 thoughts on “LMAOBOX Premium: HTTPS API Analysis”

    1. Hey there,

      The post you mentioned really used to exist. However, I made the decision to stop distributing it publicly.
      For those who are still in possession of the loader, it might keep working for a while until I get a chance to deprovision everything related to it.

      If you’re looking for free options i think you might find better options elsewhere.
