Game Security
This blog post provides an overview of cheating and anti-cheat methods in electronic games. NCC Group has previously looked at cheating, and found ways to bypass anti-cheat, but this is more of an overview. It doesn’t contain details on particular games or companies. Cheats are specific to individual games and individual game companies handle cheat detection differently. In particular, the specific details of their cheat detection methods are very secret. Cheaters versus anti-cheat is an arms race where security through obscurity is one of the fundamental tools in the anti-cheat arsenal.
So who cheats? And why do they do it? Some cheat because they want to degrade other player’s experience; others aim to make the game easier. Some cheat to win or are cheating to get back at cheaters or to level the playing field. One common theme is that once a player has cheated in one game the chance they will cheat again, be it in the same game or another is much higher.
A speedrun through cheat history
Cheating has been a part of gaming since the beginning. Early games contained ‘cheat codes’ which allowed developer features such as level skips or more lives. They weren’t originally intended to be used by players, but were quickly found through reverse engineering of the games and spread through word of mouth. The most famous cheat code is the ‘Konami code’, which appeared first in the 1986 game Gradius. Entering it powered up your ship and the same code was implemented in many Konami and other games since.
Cheat codes remained popular throughout the 90s, but lost popularity with the advent of online gaming and the achievement system.
Another early form of cheating was ‘trainer’ programs. One of the first of these was for the 1981 game Castle Wolfenstein. These programs modified the game, adding lives or items or starting the player in any room. Trainer programs were available for many games and continue to be used today.
With the console age and restricted hardware, the cheat cartridge emerged. The Game Genie and Action Replay cartridges sat in between the cartridge and the console and provided the ability to modify values read from memory, thus increasing lives, providing invisibility or allowing other actions where they were not usually possible.
Vulnerabilities in the games themselves have also been used for cheating. Before it was possible to offer patches for games, these vulnerabilities had a much longer life. They are particularly popular in speedrunning, where gamers attempt to complete a game as fast as possible. Use of vulnerabilities can allow speedrunners to gain speed advantages, traverse outside the map or skip levels entirely.
With the introduction of online multiplayer games, cheating started a new era. Games were now clients which communicated with a server and cheaters could now gain an advantage in competition against their opponents.
Types of cheating
There are many types of cheating in modern online games. The first is the use of exploits, where existing vulnerabilities; either bugs in the game, or design features, can be used to gain an advantage for a player. Bugs in the game are only likely to be used for a short time as developers will patch the issue, but design features which can be used for cheating are different. One example is in a first person shooter when a player is able to stand on a teammate’s head in order to see over a wall and shoot at enemies from an unexpected position. Some would argue that this is a legitimate tactic, others call it cheating. Another example is in last person standing type games where players team up to eliminate others instead of playing individually, or a poker game where a team is used to sway the odds in their favour.
These examples do not require any extra software or modification to the game, they are simply the use of the game in unintended ways. Whether this is allowed or not is largely a decision of the game developer although will likely be influenced by the community.
Cheating with the use of extra software is a larger area of focus, and this is generally what most people think of when they refer to cheaters in online games. This form of cheating can be further broken down into several categories, but before we describe those, we need to understand the various ways software can interact with the system.
There are three basic ways software can help to cheat in a game; network manipulation, function hooking and memory manipulation. Network manipulation is performed outside of the client, by changing, removing or delaying packets sent to or received from the server or even the creation of entirely new packets outside of the client. Function hooking is achieved by injecting new code into the game; replacing an existing function so that its results can be modified, or calling game functions in response actions occurring in the game. Memory manipulation is performed by accessing the game’s memory as it is running and changing variables or reading information that isn’t normally available to the player.
Now that we have an idea of how cheats can be used, we can look at different categories of cheating. The first category is automation. Automation is primarily used in games where repetitive tasks need to be performed to gain experience, but also in games where the player needs to perform a precise series of inputs, or react in a precise way. Sometimes this kind of cheating is referred to as macros. There are a variety of ways to achieve this, depending on the game architecture. For web-based games, or those with simple network protocols, it may be possible to ‘play’ the game without the official game client at all, just generating the appropriate packets and sending them to the server. By hooking functions, it is possible to cause a game to react at a specific instance automatically, for example causing a character to dodge when fired upon or to block when about to be hit. It is also possible to map special moves into a single key press, so that the precise timing is not required by the player.
The second category is Extra Sensory Perception (ESP). This is where overlays are used to provide a player with more information than would ordinarily be displayed. This can result in enemy units being visible on the map, enemies being outlined behind walls, the location of items revealed, the health or equipment of players being displayed; basically any extra information that might give a player an advantage. How this is achieved is dependent on the game and its architecture, hooking functions, reading memory or examining network packets are all possible.
The final category is state manipulation. This is where the game is changed so that a player can move faster, fly, or pass through walls. This category also includes the aimbot. An aimbot is a cheat which manipulates the players aim, so that when they press the fire button, the crosshair moves to the enemy in order to cause more damage. This category of cheat is generally achieved using function hooking.
Anti-cheat
Preventing cheating relies first on the detection of cheating, and so anti-cheat strategies need different methods to detect different types of cheating.
There are several non-technical methods to discourage cheating which should be employed in the game design phase. One of the most effective is to have an authoritative server. This means that the server, and not the player’s client, performs the functions where players might cheat. As a simple example, a client might send a message to the server saying that they have shot another player and dealt 200 damage. With an authoritative server, the client sends a message saying that they fired a shot in a particular direction, and the server keeps track of which weapon the player was using, where they were, and if another player might be hit by the shot. Essentially, the goal is to trust the client as little as possible. The trade-off is generally one of responsiveness. The more you can do on the client, the smoother the experience for the gamer. Using the same principle, the client should operate on a need to know basis. For example, if the player cannot see the other players, then the server should not include that information when sending data to the client.
Another aspect of game design which can reduce cheating is to increase the cost for the cheater. This can be done in several ways. The first is to increase the cost of the game. As cheaters get accounts banned, they need to buy new accounts in order to play again. The higher this cost, the less likely they are to be repeat offenders.
Similarly, cheaters can be discouraged by increasing the time commitment required when starting a new account. This can be done through tutorials, or trials which the player must complete before they can go online and play against other players.
A third method is to increase the value of an account. This method uses reputation or collections so that a player might perceive their account to have added value, thus discouraging them from cheating and potentially losing that account.
Protecting the client as best as possible is another deterrent to cheating. There are many ways to do this involving obfuscation, encryption, monitoring and even kernel implants. These techniques generally slow down cheat developers, but not by much. It will always be a losing battle as the client controls the machine and will always have the upper hand.
When it comes to actually detecting when cheating occurs, there are again several methods. The first is non-technical, and that is to use the players themselves. By including a reporting system in the game, players can report those they suspect of cheating. The suspected player can then be reviewed by support staff, or volunteer helpers in order to convict guilty parties. The downside here is the possible volume of reports, and the potential for abuse by players intent on ruining other players’ experience. An advantage is that a human can judge whether or not a player is cheating without needing to know how they are cheating. Experienced players can tell when something doesn’t look right.
Statistics can also be used to detect cheaters. Monitoring player activities and flagging the outliers for investigation is a method of detecting players who are cheating. If their aim is too good to be true, then it is likely they are cheating.
On the client, detecting cheating is a difficult task. It is usually done using signatures similar to how an antivirus works. This results in an arms race between cheat developers and game developers where as soon as a cheat developer knows their cheat is detected, they modify it and the game developer has to create a new signature. Creating signatures is a difficult process. Developers need a copy of the cheat before they can write a signature for it, and finding a copy of the cheat relies on it being available to buy or being able to obtain the cheat after a player is found to be cheating through the reporting system. Heuristics can be used to detect strange behaviour on the client in order to develop a signature. One example is monitoring execution flow and flagging processes which jump around a lot. Monitoring processes can flag extraneous DLLs or memory access. In these cases protection of the client is important here to slow down the cheat developers. Recently, Riot Games released an open beta of Valorant, which contains an ‘always on’ cheat detection system called Vanguard. This is a kernel level monitor starts when the operating system starts. Previous kernel level implants only start when the game is run. It is the next step in the anti-cheat arms race.
A novel approach to cheating is the use of trust scores. This technique uses statistics to evaluate the trustworthiness of a players account, predicting whether they will cheat or not. Typically this is done by noting that the same person is associated with other accounts which have been banned for cheating. Once a trust score has been established, matchmaking on the server can be used to match cheaters with cheaters. Thus, players who are not cheating are less likely to encounter cheaters in their games, giving them a better playing experience.
The final cheat detection method emerging in recent years is to use machine learning. This technique involves extracting data from matches of known cheaters and using it to train a neural network to detect cheating. An example of this is taking the movements of a player before and after they have taken each shot in a first person shooter as well as other metadata and using it to train the network to detect aimbots. This technique does not require signatures and can’t be hidden by the cheat developer because a human is deciding what is cheating and what is not. The network can be retrained as required as cheats evolve. Collecting the right type and amount of data in this case is where the effectiveness of the technique is found.
The future
So what is the future of cheating? There is not doubt that cheating will continue. It may even get to the point where the cheater isn’t playing at all. Neural networks have been developed to play through some games, such as Mario Bros. Cheats will get better, anti-cheat will detect those cheats and the cheats will evolve. As detection methods improve, particularly as machine learning enables developers to detect at the same rate as humans, we will likely see cheats becoming more human. Aimbots, for example, will more and more closely emulate the top players, or be tuneable to avoid detection. Cheats and the best players will slowly converge until it is near impossible to tell the difference between the two. The real question is can we distinguish a good player from a cheater?
Current machine learning techniques look at a very limited window of a player’s game in order to detect the cheating. If we can imagine a scenario where a cheat is developed which functions/operates in a human-like fashion, but is still within the realms of feasibility for a human function/operation, how can we tell if the player is cheating?
How can we even tell if the player is human?
The future of game cheating and prevention will be interesting. With current trends, it seems like artificial intelligence and machine learning will prove more prevalent.
*Image Credit used under Creative Commons (no changes made).