The problem of cheats in online games



    Most large multiplayer games sooner or later face the fact that not all users play fair. In our shooter Warface, at some point this became especially noticeable. To combat cheaters, we use a whole range of solutions. One component of this set is our in-house development called MRAC (Mail.Ru AntiCheat). After deploying it, we achieved good results: the average number of cheating accounts banned every day fell from 17,000 at the beginning of the year to 1,500 now, and at the same time the number of user complaints about cheaters has decreased significantly. It now takes about 5 minutes to identify suspicious activity and block an account, instead of the previous 20. The system currently recognizes and responds to more than 200 signatures of cheating software and is constantly being improved.

    Each game has its own specifics, and to deal with cheaters effectively you need to understand the internals of the particular game and the techniques used in cheats. We could describe in detail all the solutions we use in Warface, but by making such information public we would be inviting the cheat authors to take countermeasures. While the specifics remain secret, it is harder for cheaters to hide from the system. Nevertheless, the topic itself is very interesting, so I want to cover it in more detail.

    Brief Background


    I think many people know what IDDQD is. Throughout the history of computer games, developers have built such codes, called cheats, into their creations. Cheats let you become immortal, get endless ammo, resources, and more. The primary purpose of such codes is game testing. In addition to the cheats built into the game, there have always been enthusiasts who modify the game themselves for the same purpose: to become “immortal”. All this is fine in single-player games, where a person plays against the computer and does not bother anyone. In multiplayer online games, cheating is a problem that can ruin the whole game. If one player does not play by the rules, his rivals simply lose interest in playing. Moreover, if in a shooter this is just a spoiled match,

    Of course, online games have no cheats built in by the developers. But for almost any online game, cheats exist as separate applications. As a rule, a cheat modifies the running game client when it starts. Sometimes changes are made directly to client files on disk.

    One variety of cheats is bots, which control the character themselves, automating routine actions. It might seem that such bots are nothing to worry about, but they are. If a person is asleep while his character automatically kills lambs in a field and gains game experience for it, other players will be upset by this state of affairs. Some of these bots let you write entire scripts to control the character. Here the possibilities are limited only by the imagination of the bot operator.

    Why people use cheats / bots:
    1. To "kick everyone's ass" for self-affirmation, albeit dishonestly.
    2. To earn money. This requires leveling up faster and collecting resources, gear, etc., in order to sell them later for real money.

    The main motive of the authors of cheats / bots is to earn money. The highest-quality cheats / bots are sold by subscription for real money. There are free cheats, but they are usually stuffed with adware and all sorts of semi-viruses, which, again, are meant to bring in money.

    Let's take a closer look at what cheats do and how, using the multiplayer online shooter Warface as an example.

    Types of cheats


    Any cheat interacts with the game client in one way or another. To do this, the cheat author needs an understanding of the client's internal structure. The most professional cheaters obtain it through, among other things, reverse engineering: they find the necessary variables and reconstruct the class interfaces. After that, class methods can be called for their own purposes. The internal structure of the client's classes changes extremely slowly over the life of the game. After some time, this information reaches a much larger circle of less skilled cheaters, and then the variety of cheats with identical functionality increases by an order of magnitude.

    ESP (extrasensory perception) - a variety of cheats that show additional information about opponents in the game. Unfortunately, the game client knows the location of all opponents within a certain radius of you, even if they are behind a wall and not visible. In a shooter, events unfold quickly, and if the client received information about an opponent from the server only when that opponent came into view, network delays would certainly cause lag. The cheat obtains information about opponents through the internal interfaces of the client's classes and draws it directly on top of the game image. At a minimum, this is the enemy's position in space and the distance to them. To draw on top of the game image, the cheat intercepts one of the Direct3D methods that are called every frame, for example EndScene. All this implies that a cheat code has been embedded in the client’s memory,

    Aimbot - a kind of cheat for automatic aiming. You just have to run and pull the trigger, and the sight lands on the closest enemy by itself. You can even choose the part of the body to aim at. The enemy’s position in space is again obtained through the client’s internal classes. From there, automatic aiming can be done in two ways: either the cheat directly calls the client methods that rotate your character (the sight is always in the center of your view), or it sends mouse messages to the client for the same purpose.

    Autoshot - an automatic shot at the moment the enemy is in the sight. Such a cheat works similarly to an aimbot: it obtains the enemy's location through the client's internal classes and sends a mouse message to fire. Autoshot and aimbot are often combined. Then you just have to run, and aiming and shooting happen automatically.

    Recoil - disables recoil when firing. Such cheats, as a rule, simply patch in memory the game client code that is responsible for recoil. As a result, shooting becomes much easier. Besides disabling recoil, there are many more cheats that disable various elements and simplify the game, for example disabling bullet spread or the effect of a stun grenade. Some of these cheats achieve their goal by modifying variables in the client’s memory rather than code.

    Of course, this is not a complete list of existing cheats, but it is already enough to list the mechanisms they rely on:
    1. Modification of the game client code in memory.
    2. Modification of game client variables in memory.
    3. Calling methods of the client's internal classes directly.
    4. Sending messages on behalf of the mouse.

    Countermeasures


    How to deal with this? Of course, a well-designed client-server architecture is very important for a game. But, unfortunately, it does not solve all the problems. Some gameplay elements are executed only on the client side, and the server cannot detect that they have been disabled. And for acceptable game performance, the server is forced to inform the client about all opponents within a certain radius of you.

    The first and most effective way is to validate the player’s actions on the server. For example, if a player covers more distance in a unit of time than the game mechanics allow, then this is probably a speedhack, and the player needs to be kicked immediately. Such validation of player movements is possible because the server ultimately controls the location of players on the map.
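
    A sketch of such server-side movement validation, added here as an illustration and not taken from Warface or MRAC. The speed limit, jitter slack and strike count are assumed values, and all names are hypothetical.

```cpp
#include <cmath>
#include <cstdio>
#include <vector>

struct Sample { double t, x, y; };  // client-reported position at server time t (seconds)
enum class Verdict { Accept, Reject, Kick };

class MoveValidator {
public:
    // max_speed and slack are assumed values; real limits come from game design.
    MoveValidator(double max_speed, double slack, int max_strikes)
        : limit_(max_speed * slack), max_strikes_(max_strikes) {}

    Verdict check(const Sample& s) {
        if (!has_pos_) { pos_ = s; has_pos_ = true; return Verdict::Accept; }
        double dt = s.t - pos_.t;
        double dist = std::hypot(s.x - pos_.x, s.y - pos_.y);
        // A non-increasing timestamp can never justify movement.
        if (dt > 0.0 && dist <= limit_ * dt) {
            pos_ = s; strikes_ = 0;
            return Verdict::Accept;
        }
        // Rejected: keep the last accepted position, the server stays authoritative.
        return ++strikes_ >= max_strikes_ ? Verdict::Kick : Verdict::Reject;
    }
private:
    double limit_; int max_strikes_; int strikes_ = 0;
    bool has_pos_ = false; Sample pos_{};
};

// Index of the sample that triggers a kick, or -1 if the trace is clean.
int first_kick(const std::vector<Sample>& trace, MoveValidator v) {
    for (std::size_t i = 0; i < trace.size(); ++i)
        if (v.check(trace[i]) == Verdict::Kick) return static_cast<int>(i);
    return -1;
}

// Constructed trace: 10 samples, 0.1 s apart, moving `step` units each.
std::vector<Sample> make_trace(double step) {
    std::vector<Sample> t;
    for (int i = 0; i < 10; ++i) t.push_back({i * 0.1, i * step, 0.0});
    return t;
}

int main() {
    MoveValidator v(6.0, 1.2, 3);  // assumed: 6 units/s, 20 % jitter slack, 3 strikes
    std::printf("legit kick index: %d, speedhack kick index: %d\n",
                first_kick(make_trace(0.5), v), first_kick(make_trace(1.5), v));
}
```

    Because a rejected sample does not move the accepted position, a client that keeps reporting impossible positions accumulates strikes, while a single delayed packet is absorbed by the longer time interval.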

    The second way is statistical analysis on the server. For example, if all of a player’s bullets constantly hit enemies in the head, this is very suspicious. Or not in the head, but simply without ever missing. Or, say, the player’s match results deviate strongly from the average. Of course, none of this is a reason to block the player's account. Maybe he really is that good. However, it can be used as a trigger for the game's technical support team to monitor the player’s actions closely. It should be understood that a smart cheater will most likely not give himself away and will not come under review.
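
    One way to turn this heuristic into a review trigger, as an added example rather than the method used in Warface. It flags players whose headshot share is an outlier within a match, using the median and the median absolute deviation; the thresholds and the match data are constructed.

```cpp
#include <algorithm>
#include <cmath>
#include <cstdio>
#include <string>
#include <vector>

struct PlayerStats { std::string name; int hits; int headshots; };

static double median(std::vector<double> v) {
    std::sort(v.begin(), v.end());
    std::size_t n = v.size();
    return n % 2 ? v[n / 2] : 0.5 * (v[n / 2 - 1] + v[n / 2]);
}

// Players whose headshot share is a robust outlier within the match.
// The result is a review queue for support staff, not a ban list.
std::vector<std::string> review_queue(const std::vector<PlayerStats>& match,
                                      int min_hits, double threshold) {
    std::vector<std::string> names, out;
    std::vector<double> ratio, dev;
    for (const auto& p : match) {
        if (p.hits == 0 || p.hits < min_hits) continue;  // too few hits to judge
        names.push_back(p.name);
        ratio.push_back(static_cast<double>(p.headshots) / p.hits);
    }
    if (ratio.size() < 3) return out;                    // no meaningful baseline
    double med = median(ratio);
    for (double r : ratio) dev.push_back(std::fabs(r - med));
    // Median absolute deviation: unlike stddev, one extreme player cannot inflate it.
    double mad = std::max(median(dev), 0.01);
    for (std::size_t i = 0; i < ratio.size(); ++i)
        if ((ratio[i] - med) / (1.4826 * mad) > threshold) out.push_back(names[i]);
    return out;
}

// Constructed match data (names and numbers are made up).
std::vector<PlayerStats> sample_match() {
    return {{"p1", 100, 20}, {"p2", 80, 20}, {"p3", 120, 18}, {"p4", 90, 27},
            {"p5", 50, 11}, {"p6", 100, 95}, {"p7", 3, 3}};
}

int main() {
    for (const auto& n : review_queue(sample_match(), 20, 3.5))
        std::printf("review: %s\n", n.c_str());
}
```

    In the constructed data, p7 has a 100% headshot share but only three hits, so the minimum-sample rule keeps that player out of the queue.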

    Another way to fight is an in-game option to report a cheater. Of course, each complaint has to be checked before deciding whether or not to block the account. But as practice shows, this method has rather limited use. Cheating reports immediately become a tool of manipulation in the game: people report everyone who plays better than they do. The result is a huge stream of complaints, especially against experienced players.

    This is where the "elegant" ways to defend against cheats end, but the problem is not completely solved. You have to turn to add-on protection of the game client.

    Add-on protection


    Modification of the client code is very painful for the game, for example to disable gameplay elements that are processed only on the client side. You can counter this by periodically computing and verifying a checksum of all your code in memory. But this check can be disabled in the same way: by changing the code responsible for it. At this point you need to protect the code against analysis (obfuscation) and against debugging. Developing reasonably strong code protection in-house is a separate, difficult task, but there are ready-made solutions on the market.

    There is no way to protect all of the code. Obfuscated code runs many times slower because it grows many times larger. Only small pieces of code that are not performance-critical are protected. For example, you can protect just the checksum calculation over the entire code. Of course, no code protection is a panacea. It can only complicate the task for the attacker. The goal in this case is to make the cost of breaking the protection higher than the expected benefit.

    Code can compute its own checksum, but with variables it is more difficult. We need to devise ways to store the variables that matter from this point of view in encrypted or redundant form, without affecting performance. Again, this will not solve the problem, only complicate the task for the attacker.

    Suppose we have at least defended ourselves against modification of code and important client variables. But there are cheats that do not need to modify any code or variables to work, for example ESP. In essence, the cheat reads information from the client’s memory and displays it. But for that, the cheat's code must be present in the client’s memory. This gives us something to hold on to, and there are two ways to go:
    1. Do not let the cheat get into the client’s memory.
    2. Try to find the cheat in the client’s memory.
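
    A small illustration of storing a value in masked and redundant form, added here and not taken from the game's code. The class name, the masking scheme and the key constant are assumptions; as the text says, this raises the attacker's cost rather than preventing tampering.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>

// Integer kept as two differently masked copies; the plaintext is never stored.
class GuardedInt {
public:
    GuardedInt(std::int32_t v, std::uint32_t key) : key_(key) { set(v); }

    void set(std::int32_t v) {
        std::uint32_t u = static_cast<std::uint32_t>(v);
        a_ = u ^ key_;              // masked copy
        b_ = ~u ^ rotl(key_, 13);   // redundant copy under a different mask
    }
    // Returns false when the copies disagree, i.e. the memory was edited.
    bool get(std::int32_t& out) const {
        std::uint32_t u = a_ ^ key_;
        if ((~u ^ rotl(key_, 13)) != b_) return false;
        out = static_cast<std::int32_t>(u);
        return true;
    }
    void poke_raw(std::uint32_t v) { a_ = v; }  // demo only: simulates a memory editor
private:
    static std::uint32_t rotl(std::uint32_t x, int r) { return (x << r) | (x >> (32 - r)); }
    std::uint32_t key_, a_, b_;
};

// True if the plaintext value appears at any byte offset inside the object,
// which is what a value-search memory tool looks for.
bool plaintext_visible(const GuardedInt& g, std::int32_t v) {
    unsigned char bytes[sizeof(GuardedInt)];
    std::memcpy(bytes, &g, sizeof bytes);
    for (std::size_t i = 0; i + sizeof v <= sizeof bytes; ++i)
        if (std::memcmp(bytes + i, &v, sizeof v) == 0) return true;
    return false;
}

int main() {
    GuardedInt ammo(30, 0xA5C3F00Du);  // constructed key; assume a per-session random one
    std::int32_t v = 0;
    bool ok = ammo.get(v);
    std::printf("visible=%d ok=%d value=%d\n", plaintext_visible(ammo, 30), ok, v);
    ammo.poke_raw(999);                // external write to one copy
    std::printf("after edit ok=%d\n", ammo.get(v));
}
```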

    The first way implies prohibiting writes to the process memory (WriteProcessMemory) and the creation of remote threads (CreateRemoteThread). The usual way to inject a module into a process requires exactly that: writing to its memory and creating a thread in it. Given that the cheat can run with administrator privileges (the cheater will always grant them), in Windows there is no way to prohibit writing to memory and creating threads in other processes. You might think about writing your own driver to block access to the game client process. But the Windows kernel has no documented way to filter writes to another process's memory (NtWriteVirtualMemory), and the use of undocumented methods is greatly complicated by Kernel Patch Protection. Even if you manage to block writes to your memory, there will always be other holes: for example, code can be embedded in the system libraries on disk.

    It is assumed that the game modules themselves are protected and packed with a code protector, so changing them on disk is rather difficult.

    The second way implies something similar to an antivirus: look for previously known fragments of cheats in the client’s memory. There are no technical obstacles here. However, you will need to solve the problem of updating the cheat database online. You can go further and look for fragments of cheats not only in the client’s memory, but in the whole system. This covers cheats that run in their own process and patch the client's code and variables from outside or send mouse messages.

    There is a third way: look for traces of Direct3D function hooking and treat it as a threat. The cheat hooks D3D functions to gain control and draw the information it needs every frame. But this option has significant problems. There is a lot of “good” software that does the same thing: it intercepts the same D3D functions to draw its own information on top of the game image, for example RaidCall. And the task of “distinguishing good software from bad” is, in general, unsolvable.

    Of course, all this searching for cheats and blocking of their injection can be disabled by modifying the code responsible for it. The only way out is to use code protection. But no matter how you protect the code, sooner or later it will be broken anyway. Clearly, as long as the application runs on the user's computer, nothing can stop the user from changing it. It is only a matter of time and of whether the cost is justified.
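
    A sketch of the antivirus-style search described above, added as an example and not MRAC's implementation. It goes slightly beyond the text by allowing wildcard bytes ("??") for positions that differ between builds; the signature names, byte patterns and memory snapshot are all constructed.

```cpp
#include <cstdint>
#include <cstdio>
#include <sstream>
#include <string>
#include <vector>

struct Signature {
    std::string name;
    std::vector<std::uint8_t> bytes;
    std::vector<bool> wild;  // true = "??", matches any byte
};

// Parses a database entry such as "DE AD ?? ?? BE EF" (throws on a non-hex token).
Signature parse_signature(const std::string& name, const std::string& pattern) {
    Signature s{name, {}, {}};
    std::istringstream in(pattern);
    for (std::string tok; in >> tok;) {
        bool w = (tok == "??");
        s.wild.push_back(w);
        s.bytes.push_back(w ? 0 : static_cast<std::uint8_t>(std::stoul(tok, nullptr, 16)));
    }
    return s;
}

// Offset of the first match in the snapshot, or -1.
long find_signature(const std::vector<std::uint8_t>& mem, const Signature& s) {
    if (s.bytes.empty() || s.bytes.size() > mem.size()) return -1;
    for (std::size_t i = 0; i + s.bytes.size() <= mem.size(); ++i) {
        std::size_t j = 0;
        while (j < s.bytes.size() && (s.wild[j] || mem[i + j] == s.bytes[j])) ++j;
        if (j == s.bytes.size()) return static_cast<long>(i);
    }
    return -1;
}

// Constructed snapshot: zero-filled, with a made-up 6-byte fragment at offset 100.
std::vector<std::uint8_t> sample_memory() {
    std::vector<std::uint8_t> mem(256, 0);
    const std::uint8_t frag[] = {0xDE, 0xAD, 0x11, 0x22, 0xBE, 0xEF};
    for (std::size_t k = 0; k < sizeof frag; ++k) mem[100 + k] = frag[k];
    return mem;
}

int main() {
    const Signature db[] = {parse_signature("constructed-A", "DE AD ?? ?? BE EF"),
                            parse_signature("constructed-B", "CA FE BA BE")};
    for (const auto& s : db)
        std::printf("%s: offset %ld\n", s.name.c_str(), find_signature(sample_memory(), s));
}
```

    Keeping signatures as text patterns means the database can be updated online without shipping a new client build, which is the update problem the paragraph mentions.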

    Conclusion


    The problem of cheating in online games cannot be solved only by improving client-server interaction. It is a complex problem, and it has to be addressed with comprehensive measures. As a result, most games have additional specialized software for protection against cheats (anti-cheats), and it brings real benefit. Thanks to such systems, cheaters spoil the gaming experience of other players on a much smaller scale than they otherwise could.
