Modern kernel anti-cheat systems are, without exaggeration, among the most sophisticated pieces of software running on consumer Windows machines. They operate at the highest privilege level available to software, they intercept kernel callbacks that were designed for legitimate security products, they scan memory structures that most programmers never touch in their entire careers, and they do all of this transparently while a game is running. If you have ever wondered how BattlEye actually catches a cheat, or why Vanguard insists on loading before Windows boots, or what it means for a PCIe DMA device to bypass every single one of these protections, this post is for you.
Adrián Díaza
I hate that we need proprietary rootkits just to play competitive multiplayer games – we can chalk this up to a few sad people ruining the experience for everyone else, as so often happens. I have a dedicated parts bin Windows box just to play League of Legends (my one vice alright, nobody’s perfect) so I don’t really care if it has a proprietary rootkit running in the background as there’s not a single bit of valuable data on that machine, but for most people, that’s not realistic.
Virtually every League of Legends player hands over control of their entire computer to a proprietary rootkit developed and deployed by a company from China, whereas players of other popular online multiplayer games must install rootkits from companies from the United States. If anyone inside the governments of these countries ever wants to implement a backdoor in dozens (hundreds?) of millions of Windows machines, this is the way to go.
It’s an absolutely bizarre situation.

The conclusion sounds like the only real ways to fight cheating are: 1. remote attestation, 2. cloud gaming.
Both are very dystopian options.
I’m not a gamer unless you count local minecraft creative peaceful, but people will cheat as long as it’s easy and they don’t get caught. I don’t know how many times I’ve said, “I don’t find much value in movie streaming platforms,” and have another computer person say, “yeah, just torrent it.” Yeah, just steal it. How many people would steal books from a book store? Less than will steal a movie online, although it’s the same thing. Why? Because they’re less likely to get caught. My moral structure doesn’t happen to allow me to lie or steal. Just the way it is. But I see it all the time. If it’s easy to steal, and easy to lie, many many people will do it. Fact. To me it appears we are lamenting simple predictable human nature – in this instance.
laxr5rs,
It’s a technical nitpick, but copyright infringement isn’t stealing. These are very different both in principle and in practice. With stealing, you take the original away from someone, whereas with copying you do not. It’s still right to pay the author for something one uses.
I do believe in copyrights, however sometimes publishers themselves are abusive and cheat us too. DRM is a prime example of legitimate users having their rights routinely taken away. It’s kind of insanity that legitimate users have a second class experience compared to pirates. If someone paid, I have no ethical qualms about them violating copyrights to break the DRM.
I also don’t see the point in cheating at gaming. It’s the classic external validation above all. You, as a cheater, know you suck. Some people just need to find a way to get the applause somehow.
I understand it a bit more when money is involved. Just look even at the Olympics. What is the point? I guess when you barely can make a living out of being a professional athlete, the incentive to cheat is high. Why are there professional athletes to begin with? Or the astronomical football salaries? The fact that you can kick balls accurately or ski downhill fast doesn’t really add anything of value to society.
HOWEVER –
Torrenting and pirating is completely understandable. I have original copies of Age of Empires but the only way I can play now is by running the torrented copy. I’d need to rebuy a steam edition, CD-ROM drives are dying, compatibility with new computers is worse.
Or… imagine that I would pay a streaming package for 19 EUR. They pull up a show I am watching. So the alternative is to pay 2 services? My contract just lost value and I get no discount. My Eastern European salary does not allow for subscribing for multiple services.
And when you consider that I probably pay more tax than the billionaires that use the same roads, airports, water and police that I do, I think I’d be basically getting them to pay a bit of tax to my benefit.
Why do they get to unilaterally change contracts and we can’t?
Pretty sure 90% of the cheat industry is propped up by moms’ credit cards. I would say it’s paywalled rather than easy, and as long as the money is on the table, Linux (and anything open source) is forever going to be banned by anti-cheat.
I am impressed by the author’s work here, the article is so detailed and technical…
There is a clear arms race between the cheats & anti-cheats and this article covers all the mechanisms and their weaknesses very well. Without remote attestation it’s virtually impossible to prevent a skilled adversary from modifying the software, but as the article says the complexity and costs of cheating can be exploited for anti-cheat placing such techniques out of reach for typical gamers.
The conclusion doesn’t quite say it, but even with all these layers in place, anti-cheats are ultimately not up to the task of detecting external equipment able to do things like aim-assist. This form of cheating does not modify the computer/OS/game/etc. Heuristic solutions don’t really work here because cheats can always be toned down in skill to the point where anticheat would be accusing legitimate players with false positives.
Alfman,
That is why consoles lock in more than just the software. The controllers, USB storage filesystems, save games, network / wifi cards are completely controlled and verified by the system.
However, there are always outer attacks. Losing in a team match? Have the router fail one of the adversaries. Not all games will have dedicated servers, but many run peer-to-peer. It is just a matter of finding which peer is the “good guy” you want to ever so slightly slow down.
The ultimate way to fix this is having people match in a controlled environments, like a physical tournament. But even then people would break the system by bringing in cheat devices.
sukru,
Someone with moderate skills in electronics & hardware modding can fake controller input with no indication to the operating system that it’s happening. It would take more work to build and train an AI assistant to auto-aim with a live video stream, but it is feasible with modern GPGPUs. In this scenario, neither consoles nor anti-cheat software will see anything other than a normal setup, and there’s nothing that can be done about it.
Indeed. A classic DoS attack can introduce latency on an adversary’s system, assuming you know their IP. Your opponents may or may not have a way to detect a DoS attack happening on their network. I expect most games do not hand out IPs over the public internet, but some social engineering could work since people often let their guard down.
It’s obviously riskier in public, but like bicycle races, some cheaters are very motivated. I suspect some have gotten away with it.
Mindblowing how complex it was to break the security of the XBox One. Check it out.
Alfman,
True, for controllers there is always the “analog loophole”. One can pick parts from real official ones, hack together a new “analog” input from a fake microcontroller input, and the system would never be able to detect it.
Fortunately this is hard and expensive to do.
===
Shiunbird,
Yes, they were just able to hack it after 10+ years and the console becoming obsolete. And only the base machine. (Now where is my “unlock” for my older One X, which would make an awesome desktop)?
sukru,
Yes, my point was that it would be undetectable. But what makes you think this is hard or expensive? There’s not much to it for someone with intermediate electronics skill.
This person actually created a mod wherein he needed to solder resistors to fake the inputs.
https://www.youtube.com/watch?v=3l3e68b90dw
Granted, he had a completely different goal for the project, but honestly physically opening the controller was probably the hardest part. Hooking up a microcontroller or SBC DAC is easy; realistically less than an hour. The harder part is telling the controller what inputs you actually want. To me, training a NN to detect targets from an HDMI stream stands out as the harder and more time-consuming problem to solve, but still doable, especially if trained on data specific to the game.
Shiunbird,
I don’t recall the source, but it looks like it got hacked using old glitching techniques. There wasn’t much incentive to hack it. People could already pay MS something like $50 to officially unlock dev capabilities on their hardware without the hassle.
I don’t play any online games. So I have no desire to “cheat” against anyone online. What I am tired of is every new modern game being so artificially hard and difficult – think Dark Souls, Elden Ring, Bloodborne, etc. I just want to play an RPG adventure and turn my brain off. Beat the bad guys and save the princess. All these modern game companies are making these games rage-inducingly difficult as part of the “fun”? Who wants that? But it’s fueling the “game cheat software” market.
An interesting study found that something like 70% of gamers don’t even finish those souls-like games. Or if they did, they used a trainer (game cheat) of some sort. I’m in that boat too. (just google “how many people actually finished dark souls” 40%). And completion rate for Bloodborne (29.9%).
I’ll use cheat software every time just to have some fun and turn the difficulty down. Not that I want it, but I think some of these souls-like game development companies are their own worst enemies, creating the very culture they are railing against by making horribly difficult games that no one wants.
And actually I go as far as to say that even though those games are beautiful to look at, they have technically horrible game mechanics. Yeah, I do think cheating in MMO and online co-op games is a pretty lame thing to do. But I think modern game difficulty is ruining gaming in general and fueling the use of cheat engine software.
I totally agree, see my standalone response. I also like breaking the game just because I can. It’s fun to see where the boundaries are when you take away the guard rails.
“Virtually every League of Legends player hands over control of their entire computer to a proprietary rootkit developed and deployed by a company from China…”
Which is a very interesting point considering the US government’s paranoia regarding China (e.g. the Huawei ban).
Why do games that have offline play require this even if we never play online?
I miss the days when we could go crazy with “cheats” and bork parts of the game for the hell of it. I miss the days of things like Game Shark and Game Genie, where we were playing around with memory assets... hidden components and places in id games.
Nutter tools and star reduction so I could watch what happens when a helicopter crashes on top of a tank.
The only games I play online are gta in an archaic ascii based DND
It’s a game! People need to chill, it’s not real. I miss the old days of admins and voting, where the games were moderated by the people playing in the server, not some corpo mining all your data. Having a persistent level/score is dumb; everyone should have the exact same equipment, skins and all. Steam really was the downfall of gaming with their hosted servers and persistent accounts. Now consoles/hw get banned from games. People need to chill.