Remix.run Logo
glitchc a day ago

Almost all trainers from time immemorial operate in the kernel space because they require direct access to memory addresses. The whole cheats paradigm started with altering values stored at specific addresses. Alter the right value and the player character gets infinite ammo or lives or whatnot, and it went from there. Modern day cheats embed more sophisticated logic that ultimately boils down to altering locations in memory in a specific order, which brings me to my point:

An anti-cheat mechanism can always be defeated if the cheater can access a lower order of abstraction from the mechanism. An arms race is the inevitable outcome. It's either that or competitive gaming is not viable.

jjmarr a day ago | parent | next [-]

> An arms race is the inevitable outcome. It's either that or competitive gaming is not viable.

I'd rather just give my passport and do one of those face turning challenges to play competitive video games. Then if I get caught cheating, my real life identity can't play anymore, rather than make a new account and "get better at cheating".

If I am a habitual cheater in literally any other sport on Earth, governing body figures that out and issues me a lifetime ban. At that point, I'm blacklisted. Even my Tuesday night dodgeball league can issue bans that actually stick because they know my real identity.

charcircuit a day ago | parent | prev | next [-]

Windows has no security between processes reading and writing each other's memory as long as they are from the same user. You doing need kernel level access to do it.

glitchc 16 hours ago | parent | next [-]

That hasn't been true since Windows 98/ME. Windows uses virtual addressing plus ASLR and DEP for process isolation/protection. See here:

https://learn.microsoft.com/en-us/windows-hardware/drivers/g...

ChocolateGod 15 hours ago | parent | next [-]

You can use system APIs to get the memory space of another application in Windows as long as their run by the same user.

However iirc processes can opt out of this so only administrators can.

Hikikomori 9 hours ago | parent [-]

>However iirc processes can opt out of this so only administrators can.

Can override those opts without admin as well.

charcircuit 15 hours ago | parent | prev [-]

ReadProcessMemory and WriteProcessMemory are APIs Windows exposes for using other processes memory. Even if a process changes the default DACL to block it, admin level access can bypass it.

https://learn.microsoft.com/en-us/windows/win32/api/memoryap...

https://learn.microsoft.com/en-us/windows/win32/api/memoryap...

charcircuit 15 hours ago | parent | prev [-]

don't need

ButlerianJihad a day ago | parent | prev | next [-]

> The whole cheats paradigm

You are limited in envisioning a game where the client device is being trusted for ground truth about the game.

In client-server models, it is possible to limit trust such that many cheat modes and methods are impossible. Furthermore is the “remote GPU streaming” model like Stadia, which nearly obsoletes conventional techno-cheating, and likewise obsoletes kernel-mode anti-cheat.

jjmarr a day ago | parent | next [-]

You can buy an autoclicking device or software that recognizes screen pixels of enemy avatars and instantly clicks to kill them. This works in "remote streaming" situations and is ~30% of the cheating dataset detected by Riot's kernel level anticheat:

https://www.riotgames.com/en/news/vanguard-on-demand

> A “pixelbot” is a computer vision cheat that injects player input for the purposes of aiming at heads or casting spells with perfect timing. Coming in “external” (hardware microcontroller) and “internal” (python script) varieties, pixelbots can be extremely impactful in VALORANT due to the low time-to-kill, sometimes just simply pulling the trigger for the cheater when an enemy enters their reticle (also known as a “triggerbot”).

iscoelho a day ago | parent | next [-]

This isn't possible in Valorant. Their kernel module is extremely particular about input devices:

1) only allows a single mouse input device at a time

2) completely ignores virtual mouse input

3) flags "special"/"uncommon" input devices

Their anti-cheat is actually much more involved and effective than most would assume.

Hikikomori a day ago | parent [-]

Websites that sell DMA devices also sell devices that merge mouse usb and hdmi signals that allows you to run the cheat on another machine and let it display en ESP overlay and do aimbot. It's likely that a naive implementation of such an usb device would be detected. But can you create such a device that uses a normal mouse usb driver and looks like a normal mouse?

iscoelho 21 hours ago | parent [-]

At least in Valorant, DMA is becoming impossible due to IOMMU / Memory Integrity enforcement. The only option is becoming pixel bots.

As for faking the input device: I'm sure it's possible, but I'm also sure that perfectly spoofing an input device is much easier said than done.

Even if it is possible, all they have to do is make it hard enough to where the percentage of players cheating is at the point where you will rarely if ever encounter a cheater in your matches. As far as I'm aware, Valorant is one of the only games that has accomplished that.

pona-a a day ago | parent | prev [-]

But really, if HID becomes suspect too, then why do you even need kernel level anti-cheat, if all you can do is behavioral detection?

ChocolateGod a day ago | parent [-]

If you're in the kernel you at least have raw access to the USB controller and input events, thus can try pick out real mouses from fake ones.

pona-a 18 hours ago | parent [-]

If the point of those events is to be registered by the game program, you already have all the data you need, otherwise you're building a keylogger.

The most the kernel can try to tell you is what's plugged in, but the cheater can easily make the fake HID interposed between the real keyboard and USB.

glitchc 17 hours ago | parent | prev | next [-]

User input is always sourced at the client device. There is no other source of truth, therefore any hacks that manipulate input will not be detected server-side. Additionally, using only the server state gives a distinct advantage to the better/faster connection. This was true in Quake 2, but games have become a great deal more sophisticated since then.

Hikikomori a day ago | parent | prev [-]

Aimbot will always be possible, it only uses what you see. ESP/wallhack can be somewhat curbed and has already been done in cs and valorant, but it really only works well with small player count and simple geometry maps. Stadia is dead, but it and geforce now had way too much delay to be enjoyable for competitive games where anti cheats are needed.

iscoelho 21 hours ago | parent [-]

Aimbot is actually very solvable!

1) When DMA is fully blocked, Aimbot resorts to being a pixel bot.

2) Once you're relying on a pixel bot, all the anti-cheat has to do is "bait" the bot. After you click the bait a few times, you're banned. (:

RuneScape is actually the pioneer of this technique.

myrmidon 18 hours ago | parent [-]

Baiting alone is not a reliable long-term solution, because it both interferes with competitive games (a lot) and because it requires you to basically stay on top of a captcha escalation (especially once cheaters limit themselves to "realistic" reaction time constraints), and this is a bad position to be in (because it means continuous effort for the developer).

The most helpful approach in my view is to make fresh accounts expensive for cheaters so they can't iterate easily; if the game developer can extract profit from such ban circumvention attempts then all the better.

iscoelho 8 hours ago | parent [-]

You'd be surprised to know that this strategy works quite well! Pixel bots require a hardware fake display when faced with kernel anti-cheat. They also depend on color/pattern recognition, as AI is not yet capable of operating at the frame rates required for competitive games. That allows the bait to be seen by a bot, but invisible to the eye.

If you are successfully baited and detected, you also get HWID banned, so it only takes once. This makes cheating via pixel bot unviable.

On the contrary, DMA is so desired because it eliminates this risk.

gopher_space a day ago | parent | prev [-]

I mean the assumption here is that administration needs to be automated. Cheating is an intermittent problem at worst on moderated servers.