Combating cheats is an ever-evolving arms race. The scope and complexity of cheat development grows every year along with the stakes in online gaming. The pressure is on for game studios to level up when it comes to detecting and preventing bad actors. I’m Michael “Perma” VanKuipers, and I used to be one of those bad actors; I spent over a decade developing cheats for various games and earned the ire of at least one large game studio in the process. These days I work on Riot’s Anti-Cheat team, helping secure League of Legends from scripts, bots, and exploits. In this article, I’m going to show you some of the details and strategies behind our latest anti-cheat initiative, including a technical overview of the steps we took to mitigate certain types of cheating.
I’ve been playing League of Legends for six years, and I may (I wasn’t sure) have seen cheating once or twice. Riot’s work seems to be paying off.
This has been going on for decades; obfuscation is a cat-and-mouse game. It will never end until one of the parties gets bored of playing the game. Just as the devs take steps to detect hacks, motivated hackers can take steps to impede detection.
I wonder if they attempt to detect virtualization? A target running under CPU virtualization can’t really stop debuggers on the host (or in the kernel) from reading/writing its memory.
For an extremely covert attack, a sophisticated hacker could run his code from ring 0, which is one of the ultimate hiding spots as it’s inaccessible even to the OS kernel.
Ring 0 is where the kernel runs.
FlyingJester,
Yeah, I meant SMM. There’s so many ways to get ahead of a game’s “anti-cheat” code. A ring 0 debugger would be fairly safe from detection too, but even assuming the game used a kernel driver, hackers can get above ring 0 using virtualization as well as SMM.
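One concrete form of the virtualization check asked about in this sub-thread, written as an added example (this is not Riot’s code and not from the article): CPUID leaf 1 sets ECX bit 31 when a hypervisor is present, and the conventional leaf 0x40000000 returns the hypervisor’s 12-byte vendor string in EBX, ECX, EDX. The decoding helpers are split out so they can be exercised with constructed register values; the live query is guarded for x86 builds and assumes little-endian register-to-string layout.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* CPUID leaf 1, ECX bit 31: architecturally reserved "hypervisor present"
 * flag, zero on bare metal. */
#define HV_PRESENT_BIT (1u << 31)

/* Conventional hypervisor vendor leaf (e.g. "KVMKVMKVM", "VMwareVMware"). */
#define HV_VENDOR_LEAF 0x40000000u

int hv_bit_set(uint32_t leaf1_ecx) {
    return (leaf1_ecx & HV_PRESENT_BIT) != 0;
}

/* Decode EBX:ECX:EDX of leaf 0x40000000 into a NUL-terminated string.
 * out must hold 13 bytes; byte order follows the little-endian x86 layout. */
void hv_vendor_string(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13]) {
    memcpy(out,     &ebx, 4);
    memcpy(out + 4, &ecx, 4);
    memcpy(out + 8, &edx, 4);
    out[12] = '\0';
}

/* Query the running CPU. Returns 1 if a hypervisor announces itself
 * (vendor filled in), 0 if not, -1 when the check is unavailable
 * because this is not an x86 build. */
int detect_hypervisor(char vendor[13]) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a, b, c, d;
    __cpuid(1, a, b, c, d);
    if (!hv_bit_set(c)) {
        vendor[0] = '\0';
        return 0;
    }
    __cpuid(HV_VENDOR_LEAF, a, b, c, d);
    hv_vendor_string(b, c, d, vendor);
    return 1;
#else
    vendor[0] = '\0';
    return -1;
#endif
}

int main(void) {
    char vendor[13];
    int r = detect_hypervisor(vendor);
    if (r == 1)
        printf("hypervisor present, vendor leaf: %s\n", vendor);
    else if (r == 0)
        printf("no hypervisor announced via CPUID\n");
    else
        printf("CPUID check not available on this architecture\n");
    return 0;
}
```

The caveat is the one the comment already makes: this only catches hypervisors that choose to announce themselves. A cheat running its own thin hypervisor, or an ordinary VM configured to hide, simply clears bit 31 and returns zeros for leaf 0x40000000, so a negative result says nothing about bare metal. The usual follow-up is timing (CPUID unconditionally causes a VM exit, so it runs far slower under a hypervisor than natively), but that signal is noisy and can be massaged by the hypervisor too.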
The article is all about code obfuscation, which only offers relatively weak protection. A more robust solution is something like TPM that uses fully encrypted security domains and is designed from the ground up to be robust against software attack. Even so, a highly sophisticated attacker could compromise the hardware, but it would be unlikely a random game cheater would have the resources. Also, I don’t know that TPM would be fast enough to protect actual game code.
Looking to the future, it’s only a matter of time before cheaters use aim/nav bots that use computer vision to cheat rather than hacking into game memory. I suspect someone so inclined could do this today: use pattern recognition or train an NN to pinpoint targets and align a perfect shot (introducing a bit of error to appear more human).
At that point, the only way to enforce “anti-cheat” would be to quantify whether the player is too good to be human with arbitrary thresholds, but devs will inevitably face a conundrum because they can’t say with certainty that a player is cheating or just very good.
Reminded me of MarI/O
https://www.youtube.com/watch?v=qv6UVOQ0F44
https://www.youtube.com/watch?v=S9Y_I9vY8Qw
zima,
Yeah I can see why, that’s pretty neat.
Another annoying thing in games like LOL are the bots. It seems impossible to get them out of the system. But I don’t understand why Riot doesn’t put some CAPTCHA-like thingies after selecting a match.
But anyway. It is very easy to win in Twisted Treeline Blind Pick with only bots as other summoners. Always an S.
lighans,
CAPTCHAs are mostly broken these days and do more to annoy real humans than to deter bots.
The thing is, building bots shouldn’t be wrong in and of itself. Game designers ought to recognize the talent of bot authors and encourage them to participate in the game in novel ways without having to conceal their identities. Maybe, instead of outright banning the bots, they could actually encourage them to register and play in designated areas. It could make for an interesting game mode, have contests and human versus AI death-matches.
You are right of course, although I think that a CAPTCHA or anything like that is less annoying than these bots.
I’ve been playing for four years myself. I’ve seen very little actual cheating (almost always aimbots when I do see it, which make me laugh, because they’re usually predictable and therefore easier to dodge than players). I’ve seen a lot of bot accounts though, like, comically many, especially in low-level co-op games I’ve run with friends who are just learning to play (I’ve had at least a couple of games where the friend I queued with and I were the only actual humans in the game).
That said, I’ve heard it’s largely an issue only on particular servers. The Turkey server is particularly bad from what I understand.
I suppose I will assume that they already cover this case, but it seems like all their methods could easily be subverted by writing a new program loader (or basing one off of Wine or ReactOS’s) that simply traces where certain data is placed, and then using specially crafted mouse and keyboard drivers.
Now you have total knowledge of the unpacked state of the program at any moment, and you have untraceable control of the inputs. They would have to analyze the actual quality of the input to trace the drivers (although you could fuzz it trivially).
To track the loader you’d need to do memory space validation…but if the hacker controls how your code is loaded, such checks would also be under their control. Randomizing which checks appear where is useless unless you are really adding significant new checks every single release.
FlyingJester,
It has always been an intrinsic problem with all software based DRM: ultimately, it’s not possible to protect software/content using another software layer because it’s also running under the control of an adversary.
This guy, having been a hacker previously, must realize that obfuscation is never foolproof, it’s merely a temporary barrier. Any loader code he writes to scramble program code or scan for debuggers using software can also be reverse engineered. The author talks about moving variables around in ram, which could stop existing ram scanning tools, but obviously once the new mechanism is reverse engineered it’s no longer a reliable means to protect variables in memory. So it’s a constant battle against motivated hackers.
If it were me, I’d try to analyze the motivation of the hackers:
1. Are the hackers merely doing it for a challenge? If so, give them genuine challenges that don’t interfere with normal gameplay for human players: bot competitions, scoreboards, etc.
2. Are the hackers writing bots to compensate for repetitive elements of gameplay that are too tedious and uninteresting for humans? If so, arguably this is actually the failure of the game design for ignoring player frustration. Instead of banning the bots that exist to compensate for unenjoyable parts of the game, it should be taken as feedback to improve the game experience for humans. Game designers might even incorporate “background mining” into the normal game such that there’s no incentive to use outside bots.
3. Are the hackers writing bots for financial motives? What is the underlying reason for a black market to exist? Usually it represents demand for something that is not being met in the normal market. Game designers should see if they can do a better job at meeting demand.
4. Are the hackers doing it to troll players and/or make the game worse? For all the other cases listed thus far, IMHO the best mitigation would be for devs to improve the game itself. But if the hacker’s goal is to disrupt the game, then that’s a problem. Unfortunately this motive is intrinsically harmful, but it’s probably a minority of the hackers doing it deliberately to cause harm. These are the ones that need to be banned.
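The point made above about moving variables around in RAM, as an added example that is not the article’s or Riot’s code: a scanner that searches for the plaintext value fails once the value is XOR-encoded with a fresh key and relocated on every write, and succeeds again as soon as the attacker has reversed the scheme and knows where the key lives. The vault layout, the xorshift key schedule, the slot stride and the seed are all made up for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POOL_SIZE 4096   /* hypothetical region where protected values live */
#define SLOT_STRIDE (97 * 4)  /* made-up relocation step; 97 is coprime to 1024 slots */

/* Hypothetical "moving variable": the value is XOR-encoded with the current
 * key and parked in a slot that changes on every write. */
typedef struct {
    uint8_t  pool[POOL_SIZE];
    size_t   off;    /* slot currently holding the encoded value */
    uint32_t key;    /* current XOR key (doubles as PRNG state) */
} vault_t;

/* xorshift32 step, the made-up key schedule; never yields 0 from a non-zero seed. */
static uint32_t next_key(uint32_t x) {
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return x;
}

void vault_init(vault_t *v, uint32_t seed) {
    memset(v->pool, 0, POOL_SIZE);
    v->off = 0;
    v->key = seed;
}

void vault_set(vault_t *v, uint32_t value) {
    memset(v->pool + v->off, 0, 4);                 /* wipe the old slot */
    v->key = next_key(v->key);                      /* fresh key ... */
    v->off = (v->off + SLOT_STRIDE) % POOL_SIZE;    /* ... and fresh slot */
    uint32_t enc = value ^ v->key;
    memcpy(v->pool + v->off, &enc, 4);
}

uint32_t vault_get(const vault_t *v) {
    uint32_t enc;
    memcpy(&enc, v->pool + v->off, 4);
    return enc ^ v->key;
}

/* Naive memory scanner: counts occurrences of the plaintext value at any
 * byte offset, the way a generic "find my gold" tool works. */
int scan_for_u32(const uint8_t *mem, size_t len, uint32_t needle) {
    int hits = 0;
    for (size_t i = 0; i + 4 <= len; i++) {
        uint32_t w;
        memcpy(&w, mem + i, 4);
        if (w == needle) hits++;
    }
    return hits;
}

/* Scanner written after reversing the scheme: it knows where the key field
 * is, so it searches the pool for needle ^ key. Returns the slot offset or -1. */
long informed_scan(const vault_t *v, uint32_t needle) {
    uint32_t enc = needle ^ v->key;
    for (size_t i = 0; i + 4 <= POOL_SIZE; i += 4) {
        uint32_t w;
        memcpy(&w, v->pool + i, 4);
        if (w == enc) return (long)i;
    }
    return -1;
}

int main(void) {
    vault_t v;
    vault_init(&v, 0x12345678u);   /* constructed seed */
    vault_set(&v, 1337);           /* e.g. the player's gold */
    printf("naive scan hits for 1337: %d\n", scan_for_u32(v.pool, POOL_SIZE, 1337));
    printf("informed scan offset: %ld (actual slot %zu)\n",
           informed_scan(&v, 1337), v.off);
    return 0;
}
```

The naive scanner reports zero hits, which is all the relocation scheme buys; the informed scanner finds the slot on the first try, and in a real process the attacker can read the key and offset fields directly anyway. That is the comment’s point in miniature: the scheme raises the cost of the first reverse-engineering pass and nothing more.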