
Riot Games Approach to Anti-Cheat - cammm
https://engineering.riotgames.com/news/riots-approach-anti-cheat
======
exgamedev
Back when I worked in games we would detect cheaters and then shadow ban.
Quarantine them by only matching them into games with other cheaters.

You may still have to ban them from certain elements of your game, like player
economies (auction house, etc). But the more legitimate their experience looks
the better.

The idea is that instead of fully banning them and triggering the next
iteration of the arms race, you trap and release them into a competitive arena
for cheaters. It's actually fun for them to compete with each other at who can
cheat the hardest and no one else gets hurt. We hooked them up with a
community rep. They found bugs and generally improved our security. Everyone
won.

There's no way to win with an adversarial approach to cheating IMO, not when
you let the client run on their machine

~~~
reificator
Sure. Until you're playing Dark Souls for the first time, you get summoned to
help someone with a boss, and then get invaded by someone with a 360 degree
one-shot kill spell that breaks all your weapons and armor, gives you an
egghead that you can't remove unless you know where to go, and gives you an
item that marks you as a cheater so you now get constantly invaded by
exclusively cheaters.

The item that marks you as a cheater might have been a drop in another
invasion, I don't remember. The point remains, once the cheaters realize you
have a separate cheaters' matchmaking system, they will weaponize that too.

~~~
dkersten
> The item that marks you as a cheater might have been a drop in another
> invasion, I don't remember.

I believe they can do it completely passively, so you’re kinda screwed if it
happens to you :( This is sadly the nature of trusting what clients send you:
a hacked client can send whatever it wants and the “anti cheat” in Dark Souls
sadly seems to simply just check if an item should be possible, meaning a
cheater can trick the game into punishing non-cheaters. Luckily this hasn’t
been a problem for me on console, but it certainly does suck on PC :(

~~~
reificator
And of course, if it didn't punish non-cheaters, then cheaters could simply
cheat the items in on one account, invade/summon another of their own
accounts, (or passworded summon in the remaster) and then give the new account
the items.

There's no winning against cheaters as long as you trust the client. (And it's
possible to do it on consoles too, just more rare as the tools are readily
available on PC.)

~~~
dkersten
> There's no winning against cheaters as long as you trust the client.

Indeed.

> And it’s possible to do it on consoles too

Sure, but the barrier to entry is higher, so it's not done as often. I’ve never
_noticed_ someone who was obviously cheating (which doesn’t mean I’ve never
encountered any, but if I have, they’ve never been so severe as to do the
things mentioned here or for me to notice it)

------
Teknoman117
I have mixed feelings about anti-cheat, especially in the last few years. A
lot of them are getting rather intrusive. Take Player Unknown's Battlegrounds
for instance, which uses BattlEye. It actually injects a kernel mode driver
into Windows that spies on whatever else your system is doing and exfiltrates
unknown data in the name of "guaranteeing a fair game experience." I didn't
even realize that this is what it was doing until my system crashed one day
and the cause was some .sys file in PUBG.

It'll also randomly kick you from games for having various programs installed
or running. Programs such as VMware. You have to disable all VMware services
or PUBG will kick you randomly for using "unauthorized applications." God
forbid you have any VMs running, that might amount to a ban (seriously).

Worse still is that when you take your complaints to their social media, or in
anyway speak ill of it, you get hordes of fanboys saying that you shouldn't
install anything other than games on your PC or you're a dirty cheater. "Oh
you want to do things _other_ than gaming on your PC? You should buy another
PC then."

Don't even get me started about trying to run games in a virtual machine w/
GPU passthrough. The communities will tear you a new one telling you to do
things "normally" and by attempting to use anything other than the "normal"
setup makes you a cheater. Just google anything like "steam vac kvm" or
"battleye kvm" and you'll get hordes of people claiming they heard some guy
say virtualization is the future of game cheating therefore VMs are cheating
tools and should be banned.

Seriously, if I could get a refund for every game that uses BattlEye, I would
try.

/rant

~~~
xd
I've been out of gaming for some years but this reminds me of similar issues
with PunkBuster. I'd spend hours pulling my hair out trying to figure out why
I was being booted from games. The worst bit was, it didn't actually stop
cheaters.

~~~
AngryData
Oh god... I forgot punkbuster even existed, what an absolute pile of garbage.
So many hours wasted on dealing with that shit and reading redundant and
useless forum posts where everyone just copy pasted the same shit over and
over.

------
withinrafael
So I'm not seeing anything particularly novel here. In fact, I think most AAA
titles do most if not all of these things today. It really just boils down to
understanding your title's threat model and mitigating the threats.

I think the article missed an opportunity to talk about false positive rates,
the workflow for users to get unbanned due to false positives (usually a very
nasty process), performance, platform support (Windows, for example, has
encrypted app packaging [1], anti-cheat monitoring [2], and protected
processes [3] built in), and the privacy implications of uploading non-game-
related Windows driver and process data.

[1] [https://docs.microsoft.com/en-us/windows/uwp/packaging/creat...](https://docs.microsoft.com/en-us/windows/uwp/packaging/create-app-package-with-makeappx-tool)

[2,3] [https://docs.microsoft.com/en-us/windows/uwp/packaging/app-c...](https://docs.microsoft.com/en-us/windows/uwp/packaging/app-capability-declarations)

~~~
m-p-3
> usually a very nasty process

especially with how opaque the whole flagging is.

I understand why they do it and a game environment is not a democracy or a
court of law, but it's hard to defend yourself when you do not have access to
the evidences.

~~~
half-kh-hacker
Videogame cheat developer here (although, not for the game mentioned in the
article) -- The mentality of game companies is if the 'evidence' of the anti-
cheat flag is made accessible to users, cheat devs will use the same evidence
to overcome the existing detections in place.

The oft-used 'arms race' analogy for this would be like sending blueprints of
your newly-fabricated weapons to the adversary.

~~~
SteveNuts
I've always been curious about this, do you get paid, and if so how?

~~~
behringer
People love cheating so much they pay for the tools to do so.

The fact is 99 out of 100 banned users were actually banned for good reason
and are lying about not cheating. Half of those will also admit to cheating but
beg for forgiveness as if they aren't quite literally destroying the game and
everyone's enjoyment of it. That less than 1 percent that is truly innocent is
nearly impossible to service because of all the noise.

~~~
hermitdev
Cheating definitely sours a gaming community, as does falsely accusing people
of cheating. I left the original (circa early 2000s) Counter Strike community
after being routinely accused of cheating. I have never once cheated in a
online multiplayer game. But, some people just couldn't grasp that I was
really that (comparatively) good & quick of a shot. Also, I don't think they
realized that certain materials could be shot through with a powerful enough
weapon. I probably had a bit of a leg up on most people, too, as I had state
of the art hardware for the time (I had dual P4 Xeons, 3GB RDRAM & the best at
the time GeForce AGP card in 2002) and a single to low double digit ping for
most servers being on a university OC-3 line.

~~~
macintux
Your comment reminded me of a frustrating evening on bzflag.

Long ago I was using a custom Linux box with a slow GPU, and on one map no
matter how hard I tried (and no matter how many fellow players watched trying
to help me get the timing right) I simply couldn’t jump to the first level of
a building.

I’d never experienced a hardware limitation quite like that.

~~~
behringer
Haha neat. That was probably caused by the physics engine running slower than
needed. If you do a rough friction calculation based on the frame rate you
will end up with more friction at 20 fps vs 40 or 60.

------
crsv
This is a great technical breakdown of some modern high level approaches to
common cheats. I think this the most transparent approach (even though the
author admits leaving some detail out) to modern anti-cheat for massive
multiplayer games. Good on riot for having an open dialogue about this. I
don't think you'd ever see someone like Valve going a transparent route with
something like this. (Not making a judgement on that decision, just an
observation).

~~~
johnmg
Fair context: I make cheats/utilities for this exact game being talked about in
this article, so perhaps my opinion on the subject is biased or even invalid.

I partially disagree about the transparency of this article, while they do
explain most of their approach to anti-cheat (and that is pretty cool for them
to do), they seem to leave out any mention of anything that could be
controversial.

I suppose that it does make sense to not mention the implementation details
of their anti-cheat, but I wish that they would be a little more transparent
about how/when/what they snoop around and send to their servers. The current
Mac game client for League Of Legends contains full debug symbols and it
doesn't have Packman (the packer described in this article), which makes it
quite easy to look through the symbols. Inside you can find all of the anti-
cheat-related network packets, in specific:

PKT_C2S_EnumDrivers PKT_C2S_EnumProcesses PKT_C2S_EnumDrives
PKT_C2S_EnumHandles PKT_C2S_EnumRecentFiles PKT_C2S_EnumModules
PKT_C2S_ProcessorData PKT_C2S_SystemState PKT_C2S_ModuleLoadNotification
PKT_S2C_SendModule PKT_C2S_ModuleResponse

Now, I personally expect anti-cheat to snoop around my system when I'm doing
something shady like scanning its memory. However, if I was a normal user of
the game, I would be a bit concerned to know that it might be sending my
recently used file names, drive names, system driver names, currently running
processes, processor information, system state, and even entire binary files
that it automatically deems as "suspicious", to their servers.

~~~
ipython
Wouldn't that run afoul of GDPR?

~~~
munchbunny
Not necessarily. GDPR isn't a blanket ban on collecting/using this info
without consent, it's a policy that consent is required for non-essential
collection/usage. You could argue that anti-cheat is essential for an online
multiplayer game like this.

I think it's sketchy to collect this much info, but I don't think it's
explicitly illegal.

~~~
mikekchar
It's a bit more complicated than that. You have to do a few things. First you
have to tell the customer that you are collecting their data. Then you have to
tell them under what lawful basis you are collecting their data. The user then
has various rights (depending on the lawful basis you choose) to object, etc.
If you must collect and use the data in order to fulfil the contract (i.e.,
there is no other way to do it -- for example you need to get their address in
order to ship them a package), then you can just do it (as long as you tell
them that you are doing it). For most other lawful bases, you have to allow
them to object, in which case you have to stop using the data.

I think the real question is whether or not the information in question is
personally identifiable information. If it's not, then GDPR doesn't apply. I
think you could make a pretty strong argument that it doesn't apply, as long
as you take pains to ensure that you can't identify the person from the
information.

~~~
civilitty
> I think you could make a pretty strong argument that it doesn't apply, as
> long as you take pains to ensure that you can't identify the person from the
> information.

That would entirely defeat the purpose of an anti-cheat system. You have to
have some sort of personally identifiable information attached to the data
being sent in to the server, otherwise how are you going to ban the cheaters?
Even IP addresses are personal identifiers as far as the GDPR is concerned and
even if they're not storing it long term, just sending the user data over the
wire is enough to trigger the data collection portions of the GDPR.

~~~
mynameisss
Instead of using an IP address to identify cheaters the game could assign a
unique random generated ID to players. Then they could ban that id without
using IP. I think this scheme complies with the GDPR if you take care of not
binding that ID with other user personal information.

~~~
lwansbrough
If you can identify a physical person with a unique identifier, it is PII
according to GDPR, I believe.

~~~
mynameisss
You can apply a one-way function to an IP to obtain an ID and then maintain a
database of bad IDs. For example you could compute this ID as SHA256(IP +
secret salt). Since one-way functions don't allow you to recover the IP, the ID
is not PII. If a connecting IP has a bad ID, ban that IP from the game. I think
this respects the GDPR: you don't maintain a list of IPs or any other PII.
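
The keyed one-way mapping proposed above, as an added illustration that is not part of the original thread: IDs are derived with HMAC-SHA256 under a secret key (a stricter form of the SHA256(IP + salt) idea), the ban list stores only those IDs, and a small helper shows why the secret is essential, since the IPv4 space is small enough that an unkeyed hash is just a lookup table. The address block, key handling and all names are assumptions for the example.

```python
import hashlib
import hmac
import ipaddress
import secrets


def pseudonymous_id(ip: str, key: bytes) -> str:
    """Keyed one-way function over the address. HMAC-SHA256 is used instead of a
    bare SHA256(ip + salt) so the secret is mixed in as a real key rather than a
    suffix; nobody without the key can compute or check an ID."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()


class BanList:
    """Stores only pseudonymous IDs, never raw addresses."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.banned = set()

    def ban(self, ip: str) -> None:
        self.banned.add(pseudonymous_id(ip, self.key))

    def is_banned(self, ip: str) -> bool:
        return pseudonymous_id(ip, self.key) in self.banned


def unkeyed_lookup_table(network: str) -> dict:
    """Why the key matters: IPv4 has only 2^32 values, so a plain SHA256(ip)
    can be inverted with a precomputed table. Built here for one small block."""
    return {hashlib.sha256(str(ip).encode()).hexdigest(): str(ip)
            for ip in ipaddress.ip_network(network)}


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # constructed: generate once, keep in a secrets store
    bans = BanList(key)
    bans.ban("203.0.113.7")         # RFC 5737 documentation address, constructed
    print(bans.is_banned("203.0.113.7"), bans.is_banned("203.0.113.8"))
    table = unkeyed_lookup_table("203.0.113.0/28")
    print(table[hashlib.sha256(b"203.0.113.7").hexdigest()])
```

Two operational consequences follow from the design: rotating the key invalidates every stored ban (so rotation has to be planned), and the ID is still the join key for whatever other data the client uploads, which is exactly the concern raised in the reply that follows.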

~~~
civilitty
The second you use this ID to tag data you're sending over to the servers,
that ID could easily lose any claim to anonymity for the purpose of the GDPR
because the anti-cheat system vacuums up a vast trove of information. All it
takes is one email "Re: Claim for Your Local Psychiatrist Bob" or a document
named "John Doe Jr - First Grade Book Report.docx" showing up in the titles of
your open windows (that many anticheat systems send to a remote server) and
boom, that ID and all of the data attached to it are now a radioactive
liability.

------
stcredzero
Here's my project's approach to Anti-Cheat.

1, 2, 3) Everything on the server. Server's version always wins. Server is the
authoritative source. Granted, I have a mathematical advantage in the game's
particular movement mechanics which makes this easy to get away with. The
other game mechanics are also designed with facilitating this in mind.
Corollary: The client is almost nothing and trusted with nothing. It's pretty
much a dumb terminal for displaying moving things, syncing their motion with
the server.

4) Scripting -- if you can't beat 'em, join 'em! We're going to publish an API
to allow for user scripting. We plan on releasing the client as Open Source,
allowing people to modify and extend the client.

5) Cryptographically hard RNG and procedural generation. If you want to know
what's in Star System 7, Galaxy Grid 123987236-87324958, you're going to have
to go there yourself. We don't even know ourselves!

Regarding #4 -- This is going to be a design philosophy. Anything we can't
enforce, we will allow and co-opt into the game!
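
A minimal sketch of the "server's version always wins" design from points 1-3, added here as an example and not the poster's project code: clients send inputs (a direction), the server integrates movement under its own rules, and, for contrast, a position-reporting path shows how a server that only sanity-checks client claims snaps an impossible move back. The step size, tolerance and class names are assumptions.

```python
import math
from dataclasses import dataclass

MAX_STEP = 0.25   # constructed rule: furthest a player may move per server tick
TOLERANCE = 1.05  # slack for float jitter when a client reports a position


@dataclass
class PlayerState:
    x: float = 0.0
    y: float = 0.0
    last_tick: int = -1
    rejected: int = 0   # how often the server overruled this client


class AuthoritativeServer:
    """Everything on the server: the client never hands over a position it
    computed itself, only an input, and the server integrates it."""

    def __init__(self) -> None:
        self.players = {}

    def join(self, pid: str) -> None:
        self.players[pid] = PlayerState()

    def apply_input(self, pid: str, dx: float, dy: float, tick: int):
        st = self.players[pid]
        # One input per tick; flooding inputs or sending NaN gains nothing.
        if tick <= st.last_tick or not all(math.isfinite(v) for v in (dx, dy)):
            st.rejected += 1
            return (st.x, st.y)
        st.last_tick = tick
        mag = math.hypot(dx, dy)
        if mag > 1.0:                      # clamp: no "more than full throttle"
            dx, dy = dx / mag, dy / mag
        st.x += dx * MAX_STEP
        st.y += dy * MAX_STEP
        return (st.x, st.y)

    def report_position(self, pid: str, x: float, y: float):
        """Weaker design for contrast: the client claims a position and the
        server only checks the jump is physically possible. Anything else is
        discarded and the server's state wins, so a teleport just snaps back."""
        st = self.players[pid]
        if (not all(math.isfinite(v) for v in (x, y))
                or math.hypot(x - st.x, y - st.y) > MAX_STEP * TOLERANCE):
            st.rejected += 1
            return (st.x, st.y)
        st.x, st.y = x, y
        return (st.x, st.y)


if __name__ == "__main__":
    srv = AuthoritativeServer()
    srv.join("alice")
    print(srv.apply_input("alice", 1.0, 0.0, tick=1))
    print(srv.apply_input("alice", 50.0, 0.0, tick=2))   # clamped to one step
    srv.join("mallory")
    print(srv.report_position("mallory", 100.0, 100.0))  # rejected, stays at origin
```

The input-only path is the one that makes the client a "dumb terminal": there is no client-computed value for the server to trust, and the only remaining lever is the tick rate, which the server owns.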

~~~
SXX
Unfortunately, what you explain here only works for a very specific type of
gameplay. For instance, almost nothing works when you need to secure a first-
person shooter, simply because it's skill-based gameplay where it's also very
easy for a bot to cheat.

~~~
vladimirralev
Nvidia has GeForce Now [http://www.nvidia.com/object/cloud-gaming.html](http://www.nvidia.com/object/cloud-gaming.html) and people with
good internet connection have been able to play FPS games. Granted, the
latency and the FPS are worse than a local game, but surprisingly it is
unnoticeable to many people.

~~~
SXX
Streaming won't help against cheating in FPS: an aimbot is just going to use
machine learning to determine enemy location, and controls are not a problem.

------
infogulch
The game is 100% online. Could you have a piece of the networking protocol
where the server sends little snippets of executable code over the network
_during the game_ that read some specific locations in memory, do some
processing, and send the results back to the server in the next packet? You
could do things like check the starting address and length of loaded dlls, or
take the hash of some random span of machine code, or even random locations in
the heap, all of which may or may not actually be verified on the other end.

You can use any number of obfuscation tricks to hide their purpose (if they
even have one) and you could even randomly generate them. And since the server
expects the response in the next client packet it would be literally
impossible for a cheater to manually deconstruct them, and even be difficult
for automatic analysis tools to have enough time to do anything meaningful
with it.

You can reduce the security nightmare from the user's perspective by only
allowing machine code that's on a tight whitelist. Allow it to read from
anywhere, and only let it write to a dedicated little sandbox area with e.g.
fixed addresses.
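
The server-issued integrity challenge sketched above, reduced to its core and added here as an example rather than anything from the article or the poster: the server keeps a pristine copy of the client image, asks for a hash over a random span mixed with a fresh nonce (so answers cannot be replayed), and compares. The reference image is a constructed stand-in and all names are assumptions; it also makes visible that a random span only catches a patch when it happens to cover it.

```python
import hashlib
import hmac
import os
import random

# Constructed stand-in for the client's code section as shipped (4 KiB).
REFERENCE_IMAGE = bytes(range(256)) * 16


def span_digest(image: bytes, offset: int, length: int, nonce: bytes) -> str:
    """What the client is asked to compute over its own loaded image."""
    return hashlib.sha256(nonce + image[offset:offset + length]).hexdigest()


class ChallengeServer:
    """Holds the pristine image and checks one nonce-bound answer per challenge."""

    def __init__(self, reference: bytes, rng=None) -> None:
        self.reference = reference
        self.rng = rng or random.SystemRandom()
        self.pending = {}

    def issue(self, session: str, offset=None, length=None):
        # Random span and fresh nonce; explicit offset/length only for tests.
        length = length if length is not None else self.rng.randint(64, 512)
        if offset is None:
            offset = self.rng.randrange(0, len(self.reference) - length + 1)
        nonce = os.urandom(16)
        self.pending[session] = (offset, length, nonce)
        return offset, length, nonce

    def verify(self, session: str, response: str) -> bool:
        offset, length, nonce = self.pending.pop(session)   # single use
        expected = span_digest(self.reference, offset, length, nonce)
        return hmac.compare_digest(expected, response)


def run_check(server, session, client_image, offset=None, length=None) -> bool:
    """One full exchange: challenge out, client hashes its image, server verifies."""
    offset, length, nonce = server.issue(session, offset, length)
    return server.verify(session, span_digest(client_image, offset, length, nonce))


if __name__ == "__main__":
    srv = ChallengeServer(REFERENCE_IMAGE)
    patched = bytearray(REFERENCE_IMAGE)
    patched[100] ^= 0xFF                                   # one byte altered in memory
    print(run_check(srv, "s1", REFERENCE_IMAGE))           # intact client passes
    print(run_check(srv, "s2", bytes(patched), 64, 128))   # span covers the patch
    print(run_check(srv, "s3", bytes(patched), 1024, 64))  # patch not sampled
```

The limitation the reply below spells out applies unchanged: the answer is computed on a machine the server does not control, so a client that hashes a clean copy instead of its live image passes every challenge. The check raises effort; it does not establish trust.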

~~~
bitexploder
If you restrict the machine code it makes it that much easier for me to write
an emulator to execute your machine code and return the result. It might even
be trivial. It is a never ending Ouroboros. You build a more clever mouse
trap, I will design a more clever mouse. If I have all your code and am
running it on my computer it will be a matter of time before I can back out
whatever obfuscation or technique you are doing and undo it. You may have some
hope in network delivery of graphics only. If I am not running the game client
code, and just streaming the game from one of your servers, you have a chance
at keeping your client safe.

~~~
jonjojr
"If I have all your code and am running it on my computer it will be a matter
of time before I can back out whatever obfuscation or technique you are doing
and undo it."

Sure, try to undo a block-chain and see what happens.

The code will be encrypted with a unique key that will need to be registered
on the server with your account. Change that code and it invalidates your
entire build along with your account. Case closed.

~~~
bitexploder
I think you are missing my point. This concept in client computing security
basically chains back to the halting problem. You can't /know/ what I am doing
with my computer. You can build a very elaborate trap / obfuscation and it
might be hard, really hard, to defeat it or circumvent it, but it is a
certainty that I can. The block-chain has absolutely nothing to do with client
code security because it has a network enforced mechanism. What the
grandparent was suggesting was running some nugget of code in a little VM (or
actually on my machine), computing a result, and then returning the result to
the server to make a security decision. The problem is I control that machine
performing that computation and your security decision as the server is based
solely on the computation performed on my computer. A skilled reverse engineer
will just hook your code in the right place, intercept that security check and
have it return the right bytes back to your server, while still doing whatever
client side cheats they wanted to do.

[https://en.wikipedia.org/wiki/Rice%27s_theorem](https://en.wikipedia.org/wiki/Rice%27s_theorem)
<--- this is all about program behavior and did the user actually run the
code you sent them. Block chain is about "did I possess certain data" (such as
a private key to sign a transaction) and not about "did I run certain code".

~~~
mikekchar
You are absolutely correct, but it occurs to me that CPU designers could
actually implement a kind of RSA style memory fetch instruction. The CPU would
generate a public/private key pair, where the private key is not accessible by
any means. The client would send the public key to the server, which would in
turn encrypt the memory location(s) that it wishes to inspect. There would
then be an instruction on client's CPU which would accept that encrypted
memory location and return the contents, without divulging location. The CPU
could regenerate the public/private key values for each request. I can't
imagine defeating that kind of scheme without hardware hacks. The more that I
think about it, the more I wonder why no-one has done it before, because it
seems useful. Probably there is something I'm missing...

~~~
unknownid
How do you prevent the cheat doing a MITM attack and changing keys?

~~~
mikekchar
Yes, you are right. That's what I was missing :-)

~~~
bitexploder
The answer, and it has dark implications, to me, is Trusted Computing. Never
let the user have full control. Do this key exchange on a base OS or some
other VM the user can never touch (e.g. Knox / TrustZone). Still, we can
exploit our way to this trusted OS and MiTM there, but it takes much more
skill. With Trusted Computing the base OS can more simply install a "spy" to
keep track of a game's memory / code to ensure it is only ever loaded and
executed from memory that is essentially made read only after the program is
loaded but before it executes. The trusted OS verifies the program code, the
OS, etc, and if it all checks out, lets the code run. Of course it goes back
to the halting problem, but if the program's memory is unexecutable and modern
exploit mitigation is applied the game is now in a considerably sturdier mouse
trap :)

------
swanson
I wonder if Riot would consider building the scripting UI they show into some
kind of training mode. It's a bit like the argument that no one would pirate
if the content was easy to get for a reasonable price.

If players could train with the spell range circles, skill shot path
projection, last hit helpers, etc in a sanctioned way, I wonder how much this
would remove the desire to seek out the cheating programs.

Edit: I see they have a "training mode" already:
[https://na.leagueoflegends.com/en/news/game-updates/features...](https://na.leagueoflegends.com/en/news/game-updates/features/practice-purpose)

~~~
tylerhou
> I wonder if Riot would consider building the scripting UI they show into
> some kind of training mode.

The game would probably be more vulnerable then, because now you have "cheat"
scripts designed to work with the game.

> If players could train with the spell range circles, skill shot path
> projection, last hit helpers, etc in a sanctioned way, I wonder how much
> this would remove the desire to seek out the cheating programs.

People who cheat aren't trying to practice; they're trying to win games. There
already exists a "practice mode" which lowers cooldowns and shows tower
ranges. And it doesn't make sense to practice with cheats because it won't
help you play the game without cheats very much.

~~~
Arnavion
> The game would probably be more vulnerable then, because now you have "cheat"
> scripts designed to work with the game.

That's possible. For example, World of Warships is a game where you fire big
ship-mounted guns and must learn to take shell travel time and target relative
velocity into account to hit moving targets. There used to be a cheat which
did those calculations for you and showed you a reticle you could aim at
instead. IIRC this cheat relied on code that existed within the game already
and was just not used.

~~~
NeedMoreTea
So basically the same reasons real warships developed rangekeepers resulted in
a game targeting computer? :)

------
larrik
Unfortunately, their latest anti-cheat measures broke the ability to play on
Wine.

Guess no LoL for me anymore.

~~~
rcoveson
They broke GPU passthrough setups as well at first. There was some community
backlash and they rolled that back, and I believe they also mentioned they
intended to work with the wine people on a solution for that as well.

~~~
EvangelicalPig
How did it break GPU passthrough?

Then again I heard recent versions of VAC detect running under a KVM
hypervisor and kick you out of CS:GO servers.

~~~
Teknoman117
It's unfortunate to hear that VAC looks for KVM. I was planning on moving my
gaming partition to just a VM and using GPU passthrough. It's how I have my
work PC setup, figured I'd replicate it at home.

~~~
EvangelicalPig
Sorry to be the bearer of bad news.

I plan to reverse engineer VAC sometime to figure out how the detection works.

------
jayjohnson
Good timing, I am using my own AI (keras + tensorflow) stack to predict in-
game hackers on ARK Survival Evolved with an AWS EC2 instance. Here's some
background on the fully open-sourced stack:
[https://github.com/jay-johnson/train-ai-with-django-swagger-...](https://github.com/jay-johnson/train-ai-with-django-swagger-jwt)
with docs [http://antinex.readthedocs.io/](http://antinex.readthedocs.io/). I would love
some players, but I'm still load testing how many players the game server can
use + make real time predictions without impacting the game. Reach out if you
want to try it out!

------
alkonaut
Message to EA: don’t try to be clever. Make simple query based bans, after the
fact. Sift through the event tables and make trivial questions like if A
killed B with a weapon that is not possible to use on the map - then he
cheated. Check for ridiculous (not just suspicious) activity.

The cheaters that ruin games aren’t the ones that make players better such as
discrete wallhacks. It’s the trolls that are immortal and flying. They
blatantly cheat just for the response to their trolling, and they empty a
server in a matter of minutes. But just _because_ they are so very blatantly
cheating, they should be quite simple to detect in logs too. If someone has
200 kills with an ammo box in a 5 minute round that’s enough to say it’s
definitely a cheat. Yet these people do it over and over with NO obvious
response to reports. Focus on THIS type of cheating (which is _trolling_ , not
gaining an advantage). Only after that look at more subtle cheating.
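
The "simple query based bans" idea in concrete form, added here as an example that is not from the article or the poster: an in-memory SQLite event table with a constructed kill log, one query for kills with a weapon that cannot exist on that map, and one for a kill count in a round that no human could reach. Table layout, map names, weapons and thresholds are all assumptions.

```python
import sqlite3

SCHEMA = """
CREATE TABLE kill_events (round_id TEXT, ts INTEGER, killer TEXT, victim TEXT,
                          weapon TEXT, map TEXT);
CREATE TABLE map_weapons (map TEXT, weapon TEXT);
"""

# Constructed: which weapons can legitimately be obtained on each map ...
MAP_WEAPONS = [("harbor", "rifle"), ("harbor", "pistol"), ("harbor", "ammo_box")]

# ... and one round's kill log: a normal player, a blatant troll, and a weapon
# that does not exist on the map (ts is seconds into the round).
EVENTS = (
    [("r1", 10 * i, "bob", f"v{i % 8}", "rifle", "harbor") for i in range(12)]
    + [("r1", i, "troll", f"v{i % 8}", "ammo_box", "harbor") for i in range(200)]
    + [("r1", 50 + i, "ghost", f"v{i}", "railgun", "harbor") for i in range(3)]
)


def load(events=EVENTS, map_weapons=MAP_WEAPONS) -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO kill_events VALUES (?,?,?,?,?,?)", events)
    conn.executemany("INSERT INTO map_weapons VALUES (?,?)", map_weapons)
    return conn


def impossible_weapon_kills(conn):
    """Kills with a weapon that cannot be on that map: not suspicious, impossible."""
    return conn.execute("""
        SELECT k.killer, k.weapon, k.map, COUNT(*)
        FROM kill_events k
        WHERE NOT EXISTS (SELECT 1 FROM map_weapons m
                          WHERE m.map = k.map AND m.weapon = k.weapon)
        GROUP BY k.killer, k.weapon, k.map
        ORDER BY k.killer""").fetchall()


def absurd_kill_rates(conn, min_kills=200, window_seconds=300):
    """Players with at least min_kills inside a span of at most window_seconds
    in one round. The default threshold is deliberately ridiculous, not just
    suspicious, so the query produces bans rather than leads."""
    return conn.execute("""
        SELECT round_id, killer, COUNT(*) AS kills, MAX(ts) - MIN(ts) AS span
        FROM kill_events
        GROUP BY round_id, killer
        HAVING kills >= ? AND span <= ?
        ORDER BY kills DESC""", (min_kills, window_seconds)).fetchall()


if __name__ == "__main__":
    conn = load()
    print(impossible_weapon_kills(conn))   # ghost with a railgun on harbor
    print(absurd_kill_rates(conn))          # troll: 200 kills in 199 seconds
```

Both queries run after the fact over server-side logs, so they need nothing from the client and cost nothing in the hot path; lowering `min_kills` turns the second one into a review queue rather than a ban list, which is where the subtler cases belong.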

------
pythonaut_16
I'd love to see a game where cheating and scripting is the primary means of
gameplay. By default the game would present a very simple UI but players would
be encouraged to write and share scripts enabling varying levels and types of
functionality.

As a game developer your job then would be to write interesting enough systems
for players to exploit to come up with interesting gameplay. I can imagine a
scenario where different Overwatch-style "classes" emerge all built from the
same basic game elements.

~~~
Assossa
Check out [http://www.pwnadventure.com/](http://www.pwnadventure.com/)

"Pwn Adventure 3: Pwnie Island is a limited-release, first-person, true open-
world MMORPG set on a beautiful island where anything could happen. That's
because this game is intentionally vulnerable to all kinds of silly hacks!
Flying, endless cash, and more are all one client change or network proxy
away. Are you ready for the mayhem?!"

"Pwn Adventure 3 was originally during Shmoocon 2015, from January 16-18,
2015. While the CTF is now over, we are still running the servers in a limited
capacity so others can try it."

~~~
rubicon33
Recently (last week or so), there has been a hacker in PUBG who is using a
flying car. I had never seen this cheat before, EXCEPT in "LiveOverflow" 's
YouTube videos of pwnadventure!

[https://www.youtube.com/watch?v=pzM4o6qxssk](https://www.youtube.com/watch?v=pzM4o6qxssk)

In this series he managed to get his player to be able to fly.

I can't help but wonder if whoever that hacker is that developed the recent
PUBG cheat, got his inspiration from pwnadventure and this series :)

~~~
mrguyorama
I had a cheat back in Halo 2 for Vista that could make the Warthog fly. A
flying car in a game is really not new

------
jrockway
I am surprised people don't virtualize the game and do their analysis at a
level that the OS and game can't detect. Ultimately, these games trust that
the hardware they're running on behaves according to specification. That is
clearly an unwise assumption. Cheaters may not be taking this path today, but
it gets easier and easier as time goes on, and it sounds like they're not
prepared at all. (Some other comments mention that current games look for
virtualization software installed on the same OS install that the game is
running on and fails the integrity check if found. I can't imagine that stops
anyone actually determined to cheat. I imagine it annoys people that test
their Docker images on the same machine they play the game on, though.)

Even if virtualization is detectable, you can also take the computer entirely
out of the loop. The state of the art for aimbots seems to be reading game
memory and applying synthetic mouse movements at the OS level. That is quite a
blunt instrument to apply and I'm sure that no game has a major problem with
this kind of aimbot. A more elegant aimbot would look at the video of the
game, look for targets, and provide the necessary mouse movements over USB. At
best, the only countermeasure is to make enemies harder to see or to learn
some heuristic in mouse movement that differentiates the bot from a human...
but injecting randomness is straightforward and nobody needs a 100% accurate
aimbot anyway. The pros destroy you with 30% accuracy.

Finally, it's unclear if there is even any advantage to be gained by cheating.
If you want a higher rank in a competitive game, you can just pay someone to
play on your account. From what I've read on Reddit... many of the people
offering these services are apparently professional players. No anti-debugger
hook is going to detect that.

It should be interesting to see how this advances. While games that rely
solely on mechanics or information hiding are clearly doomed in the long run,
it's probably good news for the rest of the software industry. What is your
cloud provider really doing? Is your own software compromised? The tools used
to cheat in games will be quite valuable in answering these questions and
protecting your users from people that actually have something tangible to
gain from these actions.

------
maerF0x0
IMO games should encourage ergonomic aids. Why allow the UI to be a limiting
factor to how you want to play?

For example people used to talk about APM in SC2 as a sort of measure of how
good someone is. Why should that be? It's a strategy game. Imagine if you
could express your ideas effectively into actual game actions?

~~~
echohack5
(As a former high level StarCraft / SC2 player / caster).

It's not chess. That's why.

There is a real physical aspect to the game. Training your fingers to hit
certain combinations quickly to execute build orders, and mix in micro is key.
Pro players use hot packs to warm up their hands, or glasses to aid their
eyes.

The game developer takes a lot of care to ensure the UI / hotkeys / peripheral
setups are optimized for pro players.

Using external tools to defeat this setup simply isn't fair and diminishes
skill built into the hands and muscle memory of players. Even at a mid-level
of skill, people learn simple combos. For example, a Protoss player hitting
"4+e" because that's where they have hotkeyed all their Nexuses and e is the
hotkey to build probes.

~~~
maerF0x0
Many responses are saying the same thing, so I'm going to respond to you ...

> It's not chess.

I agree it's not chess, and chess often has a time component to it. The
realtime nature of a game doesn't mean you should have to be able to "move" in
realtime, IMO it would be superior if it tracked more closely to your ability
to react, intellectually, in realtime. That is, real time thought more than
realtime motion. Ergonomic aids would help people to convert their thoughts
into real game plays without limiting them to their body's capabilities. But I
also admit this is my opinion and it's clearly an arbitrarily decided dividing
line between how much should a game be about myelinating certain move patterns
(spread out troops, cast a spell, select production groups) and how much a
game should be about quality of thought in realtime (I see he made units X,
How am I going to respond? I have many minerals, should I spend them on tech
or units?) ...

~~~
vkou
With enough mechanical aides, the game balance breaks.

For example, SC2 has a very cheap unit called the roach. When burrowed, it
can't attack, but regenerates health incredibly quickly.

It's trivial to write a cheat that will, whenever one of your roaches starts
taking damage, causes it to burrow, and whenever it stops taking damage,
unburrow.

The unit is balanced around human control - no human can, with perfect
accuracy, choreograph burrows and unburrows of individual roaches in a pack of
~60.

With such a cheat, roaches punch way above their weight, completely breaking
the rock-paper-scissors balance of the game.

~~~
maerF0x0
I do not deny that the game mechanics would vastly change. The strategy would
shift away from "How can I micro these roaches" vs "How can I effectively
attack burrowing/unburrowing roaches" to "How can I ensure I get roaches" vs
"How can I frustrate/prevent my opponent from getting them in the first
place"... As an aside, ANY change to a game is going to disrupt the
equilibrium in some manner and I assume would require human intervention to
re-establish a "fun" gameplay.

~~~
vkou
> How can I ensure I get roaches

Which is trivial for any skilled player, because they are an incredibly cheap,
low-tech unit, and passive base defenses are currently very good at fending
off very early aggression.

> As an aside, ANY change to a game is going to disrupt the equilibrium in
> some manner

Yes, and sometimes, the equilibrium settles on an incredibly shallow,
uninteresting game-space.

StarCraft is a game of a number of rock-paper-scissors cycles, all operating
at the same time. Greedy expansion - versus rushing versus safe plays. Economy
versus army versus tech. Roaches versus marauders versus zerglings.

Sometimes, due to patch changes, poor balancing, or because player skill
improved, the game ends up stuck in a quagmire, where the risk/reward ratio
for many of these options is completely out of whack. The game stagnates, and
becomes incredibly unfun to play, and to watch.

Throwing a wrench into balance, by allowing auto-scripts, which have an
incredibly uneven effect on the different units, mechanics, and races in the
game is far more likely to push it into an unfun equilibrium than a fun one.

~~~
maerF0x0
Yes, but keep in mind this idea and thread is not about SC2 specifically. It
used SC2 as an example of the class of games that I personally believe I would
find improved by removing the mechanical aspect of the game allowing me to
focus on the fun part -- Making decisions and giving instructions patterns
more than "micro"

------
aclelland
Great write-up. In my job we spend a lot of time dealing with hackers and
cheats for our mobile and PC games.

We tend to see similar exploits across all our games (memory hacking, fake
IAPs, etc) which lets us build an armoury of anti-cheat tools.

What I find most interesting is where hackers don't focus their attention. It
took almost 4 years for them to realise the encryption key for our assets was
easily accessible using the 'strings' tool in Linux - once they found it we
had a busy few days stopping modders from impacting legitimate players.

~~~
orliesaurus
You're probably dealing with newbie reverse engineers, do you work for a
triple A game publishing studio or an indie game shop? People who want to
"mess" with games are usually doing it so that they can make a lot of money
from it and therefore hunt big triple A games...the people I've seen do proper
reverse engineering on triple A games to bypass, e.g., Blizzard's anticheat in
World of Warcraft now all work for big "anti-virus" companies.

------
euske
Cheat, anti-cheat, antivirus, malware, and to a lesser extent debugger and
profiler. All these tools are going after each other in the same territory:
monitoring a certain system activity to report or intervene. To me, it looks
that all these functions are traditionally in the realm of the operating system.
Are we going to have a new middle layer or a new OS architecture for catering
things like this? I'm curious.

~~~
stcredzero
I'm working on this.

------
outworlder
I wonder, given that nowadays access to vast amounts of computing power on
demand is easy, if it would be effective to generate unique builds for each
and every player. Just like they already do, but tailored for each downloader.
Which would get tied to an account, and to a given fingerprint.

~~~
colordrops
What problem would that solve?

~~~
sthomas1618
I think he's implying a cheater's injected DLL would be tailored for a
specific build, so if they shared it with others, it would be ineffective. And
not only that, but based on how the Cheater.DLL is targeting the build, they
could identify the account that made the cheat.

------
shmerl
Does it hinder Linux gamers who are using Wine? A lot of such anti-cheats
can't figure out when Wine is used and ban Linux users. Some also ban custom
D3D implementations like DXVK even if they are really correctly implementing
the API.

~~~
phoe-krk
Yes - it hit the news that LoL will no longer work on Wine or virtual machines
because of these anti-cheat measures.

~~~
rcoveson
Can't speak for Wine users, but VMs are working now. The workaround was found
within days of the patch (they were just checking for the CPU feature
"hypervisor"), and they actually ended up rolling back that check due to the
community response.
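
The "hypervisor" CPU feature rcoveson mentions is the hypervisor-present bit that CPUID reports in leaf 1 (ECX bit 31); when it is set, leaf 0x40000000 carries a 12-byte vendor string. The following is an added example, not code from the thread or from Riot, showing what that check actually reads and why it is a poor ban signal: every ordinary VM, cloud desktop and Windows host with Hyper-V based features enabled sets the same bit, so the check cannot tell a cheater's VM from a legitimate one. The vendor-string value in the usage test is a constructed sample.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* CPUID leaf 1 returns feature flags in ECX; bit 31 is reserved for
   "hypervisor present" and is set by KVM, VMware, Hyper-V and others. */
int hypervisor_bit_from_ecx(uint32_t ecx) {
    return (int)((ecx >> 31) & 1u);
}

/* Reassemble the 12-byte vendor string that leaf 0x40000000 returns in
   EBX, ECX, EDX (low byte of each register first). buf must hold 13 bytes. */
void decode_vendor(uint32_t ebx, uint32_t ecx, uint32_t edx, char *buf) {
    const uint32_t regs[3] = { ebx, ecx, edx };
    for (int r = 0; r < 3; r++)
        for (int b = 0; b < 4; b++)
            buf[r * 4 + b] = (char)((regs[r] >> (8 * b)) & 0xffu);
    buf[12] = '\0';
}

/* 1 if a hypervisor is reported, 0 if not, -1 if CPUID is unavailable
   (non-x86 build or leaf 1 unsupported). */
int hypervisor_present(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx)) return -1;
    return hypervisor_bit_from_ecx(ecx);
#else
    return -1;
#endif
}

/* Vendor string of the reported hypervisor, or "" when none is reported. */
void hypervisor_vendor(char *buf) {
    buf[0] = '\0';
#if defined(__x86_64__) || defined(__i386__)
    if (hypervisor_present() != 1) return;
    unsigned int eax, ebx, ecx, edx;
    __cpuid(0x40000000u, eax, ebx, ecx, edx);
    decode_vendor(ebx, ecx, edx, buf);
#endif
}

int main(void) {
    char vendor[13];
    int present = hypervisor_present();
    hypervisor_vendor(vendor);
    printf("hypervisor bit: %d  vendor: \"%s\"\n", present, vendor);
    /* Policy note: this describes the environment, not the player. Record it
       as telemetry for later correlation; never ban on it alone. */
    return 0;
}
```

Run it inside a VM and on bare metal to see the difference; the point for a defender is that the bit is a property of the whole machine, so any policy built on it has to accept that honest players on VMs, cloud gaming hosts and hardened Windows installs look identical to the case it was meant to catch.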

------
yadaeno
Some of this is pure evil.

> We block this very common technique by making sure that when the value is
> changed by taking damage, the value is actually moved as well.

> To introduce more entropy, we also made sure that each value uses slightly
> different encryption.

> At compile time, a randomly selected type of anti-debug check is inserted
> into each of the locations where a check was requested in the code.

I've always wondered where you store the key that decrypts code at run time. On
phones and DVD players the key is stored on hardware but it does not seem like
an exe has this luxury.

~~~
bsamuels
it doesn't matter where you store the key as long as it's not easy to figure
out for the disassembly program

~~~
yadaeno
If it's out in the open it sort of defeats the purpose doesn't it? If you know
the key + encryption scheme you could decrypt all the .text in a single pass.

------
walrus01
One of the things I'm not seeing is what kind of statistical data they're
collecting and storing for prevalence of discovered cheats/scripts/bots, on a
per-ISP basis. Since they know and log the IP that every user connects to the
game from, they can certainly profile it down to at least as granular as the
individual /24. For example if there's a college dorm full of students where
somebody has shared a recent script/bot, the behavior could be correlated
between time, place and IP.

Thereby allowing them to develop IP space reputation lists that contain the
relative likelihood of bots/scripts being run (sort of like SMTP spam RBLs,
but not an all-or-nothing, more of a weighted distributed reputation scale).

There is also a league of legends mobile android/iOS app. If you set it up to
require location permission, they could begin to correlate the physical
location of cheaters with their specific IP block. For example if somebody is
at home on their wifi, their phone is connected to their home router, and
their desktop PC with a cheat script are all going outbound to the internet
through the same NAT, and coming from the same /32 (in IPv4) address.

I'm willing to bet that if plotted on a map you could develop hotspots. Of
course they would also match the density of players in general. But perhaps
certain trends could be identified.

------
username3
The best way to prevent cheating is by streaming games. Game streaming
services are the future of multiplayer games. Edit: I mean cloud gaming like
OnLive, not Twitch.

~~~
SteveNuts
Aren't there massive video latency issues with this? People spend tons of
money to get the absolute best frame rates and monitor response times, I can't
imagine hardcore gamers wanting to have tens of ms additional latency in their
gaming.

~~~
stcredzero
You can have real-time games whose mechanics are designed around latency. My
game is one example. In fact, I would assert that for now, you have to design
around latency in real-time multiplayer games. Until round-trip latency for
your entire userbase is below 40ms, it will be an issue.

~~~
earenndil
I'd say 30ms, not 40. Because a single frame is 16.6ms, so 30ms round-trip
would bring one-way down to below one frame of latency (potentially with a
small amount of jitter).

~~~
stcredzero
It sounds surprisingly high, but a lot of the population won't notice 40ms
round trip. Some of it will know. It also depends on the game's mechanics. Not
all games are FPS. Not all games have action significant down to one frame.
Some of my favorite real time games involve making decisions about once every
5 seconds which will result in a turning point in another 15 to 30 seconds
which will get you killed or leave you victorious.

------
hathawsh
What I wonder is how the encryption keys are stored. There are obvious ways to
obfuscate keys, but at decryption time, the keys need to be exposed plainly in
memory, don't they? So how do game makers like Riot prevent debuggers from
discovering the keys and revealing them to everyone? Does every player have
different keys?

~~~
unnouinceput
A good solution will not only generate keys for each player, will even
generate different keys for same player each time that player starts a new
gaming session. Start game->generate keys for session->play game->throw keys
away.

------
Avery3R
Even if they move a memory value when it's changed they still need to have a
pointer somewhere to its new location. If you can find that pointer you can
still read/write at will. This is actually one of the things covered by Cheat
Engine's tutorial.
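
The three Riot statements quoted by yadaeno (values move when they change, each value uses slightly different encryption), hathawsh's question about where the keys live, unnouinceput's per-session keys and Avery3R's caveat all describe one mechanism. The following is an added example, not Riot's code or anything posted in the thread, of a guarded integer built that way: the plaintext is never stored, the mask and salt are derived from a key that exists only for the session, and every write allocates a fresh cell and poisons the old one. The fixed seed and the xorshift generator are assumptions standing in for the OS random source a real client would use.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Session key: generated when the session starts and kept only in memory.
   Assumption for this example: a fixed seed replaces the OS RNG. */
static uint32_t session_key;
static uint32_t rng_state;

static uint32_t rng_next(void) {            /* xorshift32, deterministic here */
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

void guarded_session_start(uint32_t key) {
    session_key = key;
    rng_state = key ? key : 0x9E3779B9u;     /* xorshift must not start at 0 */
}

/* A guarded 32-bit value. The heap cell holds (value ^ mask) + salt; mask and
   salt differ per instance and are refreshed on every write, so two copies of
   "health" never share an encoding. */
typedef struct {
    uint32_t *cell;   /* current encrypted cell; a stale address stops tracking the value */
    uint32_t  mask;   /* session key mixed with per-instance randomness */
    uint32_t  salt;
} guarded_u32;

static void place(guarded_u32 *g, uint32_t v) {
    g->mask = session_key ^ rng_next();
    g->salt = rng_next();
    g->cell = malloc(sizeof *g->cell);
    if (!g->cell) abort();
    *g->cell = (v ^ g->mask) + g->salt;
}

void guarded_init(guarded_u32 *g, uint32_t v) { place(g, v); }

uint32_t guarded_get(const guarded_u32 *g) {
    return (*g->cell - g->salt) ^ g->mask;
}

/* Every write moves the value: the new cell is allocated before the old one is
   released, so the addresses differ, and the old cell is poisoned with noise.
   With a general-purpose allocator addresses are recycled after a few writes;
   a production build would draw cells from a dedicated arena. */
void guarded_set(guarded_u32 *g, uint32_t v) {
    uint32_t *old = g->cell;
    place(g, v);
    *old = rng_next();
    free(old);
}

void guarded_free(guarded_u32 *g) { free(g->cell); g->cell = NULL; }

/* Demonstration: damage goes through guarded_set, so a scanner that locked
   onto the first cell's address now watches poisoned noise. */
int main(void) {
    guarded_session_start(0xC0FFEE42u);
    guarded_u32 hp;
    guarded_init(&hp, 100);
    uint32_t *first = hp.cell;
    printf("hp=%" PRIu32 " at %p (raw 0x%08" PRIx32 ")\n",
           guarded_get(&hp), (void *)first, *first);
    guarded_set(&hp, 75);
    printf("hp=%" PRIu32 " now at %p, moved=%d\n",
           guarded_get(&hp), (void *)hp.cell, hp.cell != first);
    guarded_free(&hp);
    return 0;
}
```

This is exactly the arrangement bsamuels and Avery3R describe: the key is not hidden anywhere special, it is simply a process-lifetime value that never touches disk, and the `guarded_u32` struct itself still holds the pointer and mask that make the value recoverable to anyone who locates the struct. The technique raises the cost of the naive scan-for-a-changing-number approach and invalidates shared cheats that depend on fixed addresses; it is an obfuscation layer, not a secret.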

------
wumbovii
I wonder if there is any defense against adversaries that use computer vision
and just digest the actual raw images and overlaying information, so there
aren't any hooks into the software itself.

~~~
frenchie14
Overwatch changes the colors of its health bars slightly every match so that
aimbots can't lock on to them

https://www.reddit.com/r/Overwatch/comments/6imjce/todays_patch_includes_defensive_measure_against/

------
rmrfrmrf
These are all just various degrees of obfuscation that will be defeated if
it's worth the money.

In particular these approaches seem weak to hardware, firmware, and driver
side-channels.

~~~
meowface
All anti-cheating techniques are fallible. It's impossible to build a perfect
cheat detection/prevention, just like it's impossible to build something that
will always detect all malware, etc. The client code is always going to be on
the player's computer and has to execute on the player's computer. There's no
way around that.

You can't guarantee effectiveness, but you can make it very hard to reverse
engineer and circumvent, and you can constantly change techniques so that
adversaries need to put in more work. It's an ever-evolving cat-and-mouse
game.

------
lifeisstillgood
One of the things coming out of this is that _legitimate_ coding within a game
(for example teaching children how to code - a very important point for me at
this point in life) is almost out the window

I love Minecraft for their RPi version but beyond that, I don't know of any
games that have that kids pull and can still be taught

It's something like "we used to turn on a PC and see a command line. Now we
have to jailbreak something"

~~~
phit_
You can still do so with most DRM-free single-player titles.

~~~
lifeisstillgood
Can you suggest any, please? :-)

------
Kagerjay
Is this approach similar to ones used in VAC (valve) or easyanticheat, or
battleye?

Some of the above are notorious for consuming client resources. Easy Anti-Cheat
is known for banning players in games unrelated to the one they cheated on
(e.g. cheat on PUBG, get banned in a different game that you didn't cheat in,
if both games use Easy Anti-Cheat).

This is a great writeup but I'd love to see how 3rd party anticheat programs
work

------
reassembled
This talks about common techniques for protecting Windows binaries but what
about their Mac client? Are similar techniques also applicable to Mac?

~~~
lucb1e
I don't know much about OS X except that they use the Mach-O executable format
(unlike PE in the article), but I know that the ELF format as used on Linux
and many other unixes is similar in that it also has a section where the code
resides, so they can encrypt only that part. And inserting checks into the
code is also portable of course.

It would have been interesting if they had talked about different platforms,
but alas, it's quite a superficial article...

------
AlexAffe
What great insight! As a developer I wonder how you implement such methods and
still be sure the code runs at desired speeds. Benchmarks? I'd really love to
see the workflow of implementing new behaviours. I mean... incremental
decryption of distinct pieces of code during execution seems so tough to
thoroughly test! Not to speak of debugging... I am genuinely stunned.

------
limonkufu
I'd like to see how they dealt, performance-wise, with the overhead of all the
encryption, checks, etc. I know LOL is quite an old game so they mastered
these points. I am especially curious because lately I play PUBG and when PUBG
does something about cheat it effectively kills performance.

------
dawhizkid
Free startup idea: Sift Science for anti-cheat for the gaming industry

------
shiburizu
slightly related: The LoL end user client that they wrote with CEF(!) is one
of the worst game clients I've used.

Edit: It's CEF not Electron

~~~
sandov
It's crap, but at least it's better than the old one written in Adobe Air.

------
Illniyar
Ha, obfuscation. The best way to get management off your ass to prevent hacking
without actually preventing hacking.

------
paulie_a
I got into developing by modding Doom with a hex editor. Giving my SimCity
virtually unlimited money. Cheating in a video game is fun and standard
practice in my opinion.

~~~
maxton
Cheating in single-player games is absolutely fun and a good way to introduce
oneself to reverse-engineering. The key difference, though, is that cheating
in multiplayer games can directly (usually negatively) impact the experience
of other people playing the game.

------
rimsy
The next step is to rewrite it all in Brainfuck.

------
mikec3010
I wonder if there's an optimization to be made about tolerating a minimum
amount of cheating while being vociferous about the countermeasures? Along the
same lines as "no such thing as bad publicity", having just enough cheating to
piss off a few people and getting them to talk about it and the
countermeasures seems like a great way to get free advertising and game
engagement of players just curious to see who is cheating or the drama between
cat and mouse.

~~~
fredophile
You won't find any companies with competitive online games that turn a blind
eye to cheating. If you consider a game with a cheater as being ruined for the
other players, a very small number of cheaters can ruin games for a large
portion of the players.

For a rough example of how the math works, let's say we have a game that is
5v5. If we have 100 players, 1 player cheating, and everyone plays once you
end up with 9 players having their game ruined. That's 9% of players impacted
by having 1% of the players cheating.
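
Generalizing the 5v5 arithmetic above, as an added note that is not part of fredophile's comment: if a fraction $p$ of the player base cheats and players are matched independently into games of $N$, an honest player's game contains at least one cheater with probability

$$
P(\text{ruined}) \;=\; 1 - (1-p)^{\,N-1}
$$

For $N = 10$ and $p = 0.01$ this gives $1 - 0.99^{9} \approx 0.086$, in line with the 9% above (the exact figure for 100 players and one cheater is $9/99 \approx 9.1\%$ of the honest players). The same formula at $p = 0.05$ gives $1 - 0.95^{9} \approx 0.37$: a 5% cheater rate spoils more than a third of all games, which is why even a "small" tolerated amount compounds so badly in team formats.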

~~~
mikec3010
I'm not suggesting they tolerate it completely. Just that they make the game
slightly "cheatable" then counteract it enough for there to be a known
controversy.

~~~
fredophile
No one is intentionally making it possible to cheat in their games. Cheaters
and cheat detection/prevention are in a constant arms race. You can't just
allow a little cheating. The people that develop cheats will share them and
those cheats become more widespread.

Your whole argument is also based on the idea that there is no such thing as
bad publicity. This is incorrect. If your game gets a reputation for being
full of cheaters then people will leave your game and probably not come back.
If the first time you hear about a game, all you hear is that it is full of
cheaters are you going to head out to the store to buy a copy?

------
megaman22
I sorta miss the way cheat codes and exploits were seen back in the long ago
days when I started gaming. They were fun little easter eggs and things to
mess around with if you got stuck and couldn't progress past a certain point.
Or just weird things to have fun with. Of course, pretty much everything was
single-player, so it didn't impact anybody else if you wanted to turn on no-
clip mode to get around some pain-in-the-ass jumping puzzle in Half-Life, or
spawn a nuke-launching spaceman in Age of Empires. And the hours and hours
spent button-mashing trying to get new and unusual finishing moves in Mortal
Kombat...

------
rjvbk
> We don’t share the state of other players if it doesn’t need to be shared, so
> we can avoid common cheats like “map hacks” (revealing all players on the
> map).

> We let the server’s game simulation make the authoritative game decisions and
> generally don’t trust the information received from the client, which helps
> prevent common cheats like “god mode” and “disconnect hacks,” barring any
> overlooked exploits.

> Our network protocol has been obfuscated, and we change this obfuscation
> regularly so that making a network-level bot is much more difficult.

I hope they are proud of doing the obvious. That's like having a webpage and
bragging about escaping strings that you insert into a SQL table...

~~~
mopierotti
The first point is actually something that game developers have failed to do
in many cases. For example if they want client syncing to require transferring
very little data, they may only send player inputs across the wire, meaning
that each client needs to know everything, even if the final decision about
game state is made by a server.
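
The distinction mopierotti draws, between syncing by broadcasting inputs (every client must hold the whole world) and the server deciding per client what to send, is what the quoted "don't share state that doesn't need to be shared" amounts to in code. The following is an added example, not Riot's or anyone's code from the thread, of the server side of that decision: a per-team snapshot that omits enemies outside any friendly unit's sight radius and strips private fields from the enemies it does include. The entity layout, sight radius and sample world are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>

typedef struct {
    int   id;
    int   team;
    float x, y;
    int   hp;
    int   gold;   /* private to the owning team: never sent to opponents */
} Entity;

#define SIGHT_RADIUS 10.0f

static int within_sight(const Entity *viewer, const Entity *target) {
    float dx = viewer->x - target->x, dy = viewer->y - target->y;
    return dx * dx + dy * dy <= SIGHT_RADIUS * SIGHT_RADIUS;
}

/* Server-side snapshot for one team. Entities the team cannot see are simply
   absent from the packet, and private fields of visible enemies are zeroed,
   so a modified client has nothing to reveal. Returns the number of entities
   written to out (at most cap). */
int build_snapshot(const Entity *world, int n, int viewer_team,
                   Entity *out, int cap) {
    int count = 0;
    for (int i = 0; i < n && count < cap; i++) {
        const Entity *e = &world[i];
        int own = (e->team == viewer_team);
        int visible = own;
        for (int j = 0; j < n && !visible; j++)
            if (world[j].team == viewer_team && within_sight(&world[j], e))
                visible = 1;
        if (!visible) continue;
        out[count] = *e;
        if (!own) out[count].gold = 0;   /* redact what the opponent need not know */
        count++;
    }
    return count;
}

/* Index of entity id in a snapshot, or -1 if it was not sent. */
int snapshot_find(const Entity *snap, int count, int id) {
    for (int i = 0; i < count; i++)
        if (snap[i].id == id) return i;
    return -1;
}

/* Constructed sample world (not real game data): two teams, one enemy in
   range of team 0 and one hidden far away. */
const Entity SAMPLE_WORLD[] = {
    { 1, 0,  0.0f,  0.0f, 100, 500 },
    { 2, 0,  3.0f,  4.0f,  80, 500 },
    { 3, 1,  5.0f,  0.0f, 100, 700 },   /* 5 units from id 1: visible to team 0 */
    { 4, 1, 50.0f, 50.0f, 100, 700 },   /* out of sight of everyone on team 0 */
};
const int SAMPLE_N = 4;

int main(void) {
    Entity snap[8];
    for (int team = 0; team < 2; team++) {
        int c = build_snapshot(SAMPLE_WORLD, SAMPLE_N, team, snap, 8);
        printf("team %d receives %d entities:", team, c);
        for (int i = 0; i < c; i++)
            printf(" id=%d(gold=%d)", snap[i].id, snap[i].gold);
        printf("\n");
    }
    return 0;
}
```

Note the asymmetry in the sample: team 1 sees all four entities because its unit 3 stands next to team 0, while team 0 never receives entity 4 at all. A "map hack" against this server can only draw what the packet contains, which is the whole point; the cost is that the server now runs the visibility test for every client every tick, which is the bandwidth-versus-CPU trade mopierotti describes.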

~~~
rjvbk
Yeah, in the same way many developers haven't escaped strings they inserted into SQL
tables, leading to SQL injections. Does this mean if I don't do that I have a
right to brag about it? If I wrote a post saying "look at me, I escape
strings" the response here would be "cool story bro". This isn't any
different.

------
atesti
Great writeup, and nice that they mention telemetry only once and work more
with obfuscation than the usual process scanning, document scanning,
blacklisting and reporting all back to shady servers, etc.

It's scary that one can easily get nasty anticheat software installed, even
when playing only single player(!) games.

~~~
squeaky-clean
League of Legends is an online-only multiplayer game.

~~~
atesti
I know, that's why I wrote about single player games. Many games have both and
the telemetry for anti cheating is not needed for single player.

------
sthomas1618
I feel like the industry would be better off being transparent about anti-
cheat strategies and maybe even embracing open-source. Protecting "secret
sauce" is basically admitting their anti-cheats largely work through obfuscation
and can be defeated by knowing any details.

~~~
monocasa
You obviously shouldn't rely entirely on security through obscurity, but
obfuscation can absolutely be an important component of defense in depth.

Especially when your attackers own the hardware.

~~~
def_true_false
Or you could design the game mechanics so that client-side cheating offers
little advantage... but that would probably require doing more than ripping
off a popular mod of another game.

~~~
B-Con
That's literally impossible. The entire _point_ of the game is to have client-
side input and for that input to be generated by a human and not a computer.
There's no way to move that to a server.

~~~
wild_preference
I’m pretty sure their comment only really existed to dismiss LoL as a “copy of
a popular mod”.

~~~
def_true_false
I'm merely saying that they could have avoided some of the issues if they
designed a new game from scratch.

~~~
B-Con
These problems are inherent to the nature of being in the real-time PvP genre.

And AFAIK LoL was designed from scratch, it's Dota that is actually based on
the code of the WoW mod. Not that it matters today, that code is long gone.

~~~
def_true_false
I wasn't talking about the code.

Btw, you are thinking of Aeon of Strife (Starcraft mod). World of Warcraft
hadn't even been released back then.

~~~
monocasa
He's thinking of DotA, the Warcraft mod.

------
jonjojr
Use blockchain.

It is a very simplified comment, but behind that you can expand the topic to
include many advantages a blockchain can provide during multiplayer games.

EDIT: yes it is a very unpopular topic, but deep down many of you who are
developers, know that blockchain can solve many of these issues with
cheater.dll

~~~
lucb1e
Reason for downvote: you seem to have no clue about blockchain or cheater.dll
whatsoever.

~~~
jonjojr
Blockchain is all I work on and you seem to not understand my suggestion.

cheater.dll needs to be loaded in memory along with the game. Correct, right?
If the original build of the game has already generated an encryption key that
is stored on a server or a distributed ledger using your account, then
tampering with the original build in memory will result in generating an
invalid key, thus changing the ledger or the stored key on the server, and not
matching the ledger. If this happens then it invalidates your build and the
distributed ledger would need to be updated, but since that is not allowed in
this instance all ledgers would reject your change and flag the block and the
account, making it easier to find who attempted a change. Sure this can be
done on a server, but because of the tamper-proofing inherent in a distributed
ledger it would make it harder for this code to be shared. The cheater can
still change the code but would not be able to share it.

~~~
BenjiWiebe
How would it invalidate the build? How would the server find out the build was
tampered with? Why would my hacked game add anything to a blockchain? I've
followed blockchain tech closely since '13 and your comment makes no sense.

~~~
jonjojr
Apparently not close enough.

