
Return-oriented programming-based CSGO, BF3, BF4 cheat - danso
https://github.com/Speedi13/ROP-COMPILER
======
berti
> So hopefully this cheat will be VAC / PB undetected for ever ;)

That attitude really grinds my gears. I'd much prefer to see something like
"here's how we think Valve could fix this permanently".

~~~
Stevvo
I've got no problem with people writing hacks for games; with the shit that
gets released these days I expect it would often be far more rewarding than
playing the game itself.

That said, authors should follow responsible disclosure, give the game company
some time to respond before releasing.

~~~
PyroLagus
> I've got no problem with people writing hacks for games; with the shit that
> gets released these days I expect it would often be far more rewarding than
> playing the game itself.

Hacks in singleplayer games are fun. Hacks in multiplayer games are not. If
someone thinks the game is shit and unrewarding, they should just not play it
and not ruin it for everyone else.

~~~
ryanlol
There are loads of people who enjoy cheating in multiplayer games so much that
they’re willing to spend hundreds of dollars a month on the hacks.

------
saagarjha
So this looks like a ROP "template" compiler using a set of gadgets found in
the binaries: [https://github.com/Speedi13/ROP-COMPILER/blob/master/RopComp...](https://github.com/Speedi13/ROP-COMPILER/blob/master/RopCompiler/Gadgets.h)?

> So hopefully this cheat will be VAC / PB undetected for ever

Well, until they remove most of the ROP gadgets or employ CFI?

~~~
dvt
> Well, until they remove most of the ROP gadgets...

This is unfeasible. ROP gadgets essentially show up in "random" locations. Not
to mention that they might also show up in code that Valve has no access to.

~~~
saagarjha
Work has been done to reduce the number of useful gadgets in programs:
[https://www.openbsd.org/papers/asiabsdcon2019-rop-paper.pdf](https://www.openbsd.org/papers/asiabsdcon2019-rop-paper.pdf)
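An added illustration of the gadget-removal problem raised in this subthread (example code, not from the cheat repository or from the OpenBSD paper): on x86 the single byte 0xC3 is `ret`, and the same byte can sit inside the immediate or displacement of an ordinary instruction, so a code stream contains more gadget-terminating bytes than intended return instructions. The instruction bytes and their lengths below are hand-constructed sample input; counting such unintended returns is the kind of metric a hardening pass is judged by.

```python
# Why "just remove the gadgets" is hard on x86: 0xC3 (ret) is a valid
# instruction wherever the CPU happens to start decoding, including in the
# middle of a longer, legitimate instruction.
from typing import List, Set, Tuple

RET_OPCODE = 0xC3

# Constructed sample "code" (hand-encoded, not taken from any game binary):
#   b8 c3 00 00 00        mov eax, 0xc3          ; 0xc3 inside an immediate
#   58                    pop eax
#   c3                    ret                    ; intended ret
#   89 83 c3 00 00 00     mov [ebx+0xc3], eax    ; 0xc3 inside a displacement
#   5f                    pop edi
#   c3                    ret                    ; intended ret
SAMPLE_CODE = bytes.fromhex("b8c3000000" "58" "c3" "8983c3000000" "5f" "c3")
# Lengths of the six instructions above, in order (what a disassembler
# following the intended instruction stream would report).
SAMPLE_LENGTHS = [5, 1, 1, 6, 1, 1]


def ret_offsets(code: bytes) -> List[int]:
    """Every offset holding a 0xC3 byte, ignoring instruction boundaries.

    This is the view an attacker's gadget scan has of the code."""
    return [off for off, byte in enumerate(code) if byte == RET_OPCODE]


def instruction_starts(lengths: List[int]) -> Set[int]:
    """Offsets where the intended instruction stream begins an instruction."""
    starts, pos = set(), 0
    for length in lengths:
        starts.add(pos)
        pos += length
    return starts


def classify_rets(code: bytes, lengths: List[int]) -> Tuple[List[int], List[int]]:
    """Split 0xC3 bytes into intended `ret` instructions and unintended ones
    that only exist because of x86's variable-length encoding."""
    starts = instruction_starts(lengths)
    rets = ret_offsets(code)
    intended = [off for off in rets if off in starts]
    unintended = [off for off in rets if off not in starts]
    return intended, unintended


if __name__ == "__main__":
    intended, unintended = classify_rets(SAMPLE_CODE, SAMPLE_LENGTHS)
    print(f"intended rets at {intended}, unintended rets at {unintended}")
```

Recompiling or shuffling the binary moves these bytes around but does not make them disappear, which is why the thread's alternative, CFI, addresses the problem at the control-transfer level rather than at the byte level.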

------
rollulus
I’m completely out of the loop with respect to gaming and cheating nowadays,
and I’m not the target audience of the readme, so pardon my ignorance: how is
this used? Via exploits in the game? Injected locally by a more privileged
process?

~~~
p410n3
In csgo specifically you can either inject a DLL (the simplest way would be
LoadLibraryA, but there are more methods) or just get a handle and read /
write memory.

How this cheat does it I don't know. And I am too lazy to check :)

------
hatsunearu
> So hopefully this cheat will be VAC / PB undetected for ever

yeah... until they patch it

~~~
emsy
As for VAC, it can't even detect spinbotters. Given its track record I'm
certain there won't be any patch whatsoever.

~~~
willis936
Are you sure VAC doesn't detect spin botters? Valve has implemented neural net
based cheat detection trained from Overwatch cases (players watching demos of
reported players and judging if they were cheating). It's a rather nice
solution and doesn't involve kernel mode drivers from a third party I don't
trust to make secure kernel mode drivers (à la BattlEye or PunkBuster).

[https://youtu.be/ObhK8lUfIlc](https://youtu.be/ObhK8lUfIlc)

~~~
emsy
I still get to see them play full games when I do Overwatch myself. This
should be a round 1 kick; instead they waste everyone's time and ruin their
experience. Same goes for obvious wall- and aimhacks. I see non-obvious
cheaters every 2nd game or so (players following but not tracing you through
walls, or soft aimlocks, for example). VAC doesn't do any process analysis as
far as I know and as such, it will only ever be able to ban players after the
fact (if it does even that, because "legit" hacks will almost always pass due
to Overwatch's high consensus requirements).

~~~
matzab
I think overwatch is just there for confirmation in most cases. That makes
sense imho.

FWIW I tend to only see cheaters on casual. The TrustFactor thing seems to
work fairly well, because (judging by Overwatch) the cheaters seem to be among
their likes. It must suck for new (non-prime) accounts, though.

~~~
willis936
It does. My brother started playing recently and the matches I'd play with him
were abysmal. Toxic players, bad communication, no organization, and cheaters
relatively often. I bought him the game and it is indeed night and day. I
personally just saw my first hacker in a prime lobby in the 300 hours I've
played since prime became a thing.

------
loufe
If you're interested in learning more about ROP, I highly recommend this
fantastic writeup CTURT produced about hacking the PS4 (which, of course, used
ROP). [https://cturt.github.io/ps4.html](https://cturt.github.io/ps4.html) I

------
espionn
Surely they can just change the binary slightly with every patch and move the
gadgets around in memory or just remove them outright.

~~~
saagarjha
Finding gadgets is not hard. Removing them entirely is difficult, but work is
being done in this field to make this possible to some extent.

------
ibaikov
Hopefully VACnet, which is an ML anticheat used in CS:GO, will catch it anyway.

------
olah_1
Is the idea that this would only be possible in object-oriented programming?
And it wouldn't be possible in something like Haskell/Rust?

~~~
uxp100
No, I’m not sure what implied that for you, but gadgets in this context are
program code fragments.

~~~
olah_1
Oh I was reading return-oriented as "object-oriented" the entire time. My
mistake.

