There's only one thing that matters when we talk about cheating and it's called "worth". Meaning "is it worth the effort". Sophisticated cheats that inject stuff into processes on the fly, potentially bypassing some digital driver signatures and whatnot - are not an easy thing to pull off, so the question becomes "is it worth cheating to bother so much".
And the answer is always - money. Elaborate cheats are not created by people for themselves. People who can hack stuff on such level are experts, extremely intelligent and experienced professionals who - if they put their wits to a regular job - can pull off strong six digits a year easily. They wouldn't bother wasting weeks on creating cheats only to dump on some kids in a video game. They do it to sell these cheats.
So it boils down to popularity. As well as the demand for cheats (read: competitiveness of the game). If the game is extremely popular - it will be in the crosshairs and cheats will appear. It's not a matter of "if", it's a matter of "when" and "how much". The only consistent way of dealing with cheaters is to remove them from the game via properly managing the community and monitoring reports.
Now, of course - in-game protection and anti-cheat systems are important, because they raise the barrier on complexity to create the cheats, meaning that reduces the surface of attack by the virtue of it becoming "not worth" for many cheat-makers (ideally, as many as possible). But you can never be 100% sure and your last line of protection must always be the human vigilance.
And regarding mods - the simple truth is that allowing mods inherently weakens potential of any protective systems that could be put in place, therefore increasing the "worth" for cheat-makers as the barrier to entry for such games is lower. It's better just not to allow any mods.
Again, it depends on the game actually verifying that the client is correct. The games that most often do this are turn-based games because they have the easier time of it without impacting performance. You can't cheat at Chess. You can hack your client to allow you to move ANYWHERE ON THE BOARD or even morph your unit into a different one, but when you attempt to perform an illegal move with this unit, the server will stop you and say "nuh uh, that's invalid". It's why gacha games survive and make money, because if everyone could just cheat in them, they wouldn't need to pay. Some do have problems because they verify at the END of the mission instead of during every turn, but not all do that.
Chief reason games get hacked is because it's not as cost efficient to perform constant server calls on every action, as it means the server has to process each attack manually instead of allowing the client to do it. Doesn't mean it's not possible, just means most developers don't bother with it. MMORPGs are great examples since even if you edit your strength in World of Warcraft, it has no impact on your ability to hit the boss, the server doesn't trust the client. Most MMO hacks are related to movement speed and teleporting because the server trusts the client's ability to WASD since verifying every step was done in old MMOs and resulted in a lot of rubberbanding and players complaining about "bad optimization" when it was really just the devs thwarting cheaters.
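The server-side checks described in the post above (stats held only on the server, movement accepted only if it was reachable, rejected moves snapped back), as an added example that is not part of the original thread. The class, the speed limit, the tolerance, the time cap and the damage formula are all constructed for illustration.

```python
import math
from dataclasses import dataclass

MAX_SPEED = 7.0   # units/second the server allows (assumed value)
TOLERANCE = 1.25  # slack for latency jitter (assumed value)
MAX_DT = 0.5      # cap on elapsed time so idle players cannot "bank" distance

@dataclass
class Player:
    x: float
    y: float
    strength: int       # authoritative stat, stored only on the server
    last_update: float  # server clock at the last processed move

class AuthoritativeServer:
    """Toy server that never trusts client-reported state."""

    def __init__(self):
        self.players = {}

    def join(self, pid, x, y, strength, now):
        self.players[pid] = Player(x, y, strength, now)

    def handle_move(self, pid, x, y, now):
        """Accept a client-reported position only if it was reachable."""
        p = self.players[pid]
        dt = min(max(now - p.last_update, 0.0), MAX_DT)
        allowed = MAX_SPEED * dt * TOLERANCE
        dist = math.hypot(x - p.x, y - p.y)
        p.last_update = now
        if dist > allowed:
            # Reject and return the last valid position: the "rubberband"
            # players see when the server disagrees with the client.
            return {"ok": False, "x": p.x, "y": p.y}
        p.x, p.y = x, y
        return {"ok": True, "x": x, "y": y}

    def handle_attack(self, pid, claimed_strength=None):
        """Damage comes from the server-side stat; the claim is ignored."""
        p = self.players[pid]
        return p.strength * 2  # constructed damage formula
```

Tightening `TOLERANCE` catches more speed edits but rubberbands more honest players on poor connections, which is the trade-off the post attributes to older MMOs.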
Can you post a video of people doing this?
Have you ever created an MP game or dealt with one? I did. In very practical terms - but also with proper theory on the matter. Now, not to "exert the expert pressure", let me just tell you these points:
-->> There are things that the server cannot know as they happen on the client. Examples are all aimbot cheats. They read data available to the client and then react on this, sending the data back to the server via legitimate means that the client has. There's no "trust-distrust" here, the server cannot know if it's the legitimate input by the player or illegitimate one by the cheat.
To drive the point home on why it is a theoretically unsolvable problem: imagine the client machine not having anything suspicious installed AT ALL. But there's a web-cam that reads the monitor that's connected to that client machine, then it sends the signal to another machine that has the cheating software installed. That software processes the signal, calculates what should be the input and then transmits it to a robotic arm implement which in turn moves the mouse controller on the legitimate client machine.
There = completely pure client is compromised, bypassing each and every possible control. It doesn't matter that the scenario I described is impractical, it only matters to show that it is simply impossible to "check things on the server" or "not trust the client". Some data that server gets is simply created on the client. You cannot "not trust" it. You can only hope for some AI/heuristic to check it, but that cannot be 100% accurate. And it has a next problem:
-->> There are things that are impossible to check regarding the client because it is impractical. If we imagine that client cannot be trusted, that means any checks must run on the server. So if you create any heuristics or AI to try validating client input (like seeing if it's 100% headshot accuracy or some such) = you must run it on the server. That means you immediately get a multiplier by the amount of clients that server has. These heuristics are computation-heavy even for one client, but for something like 100.000 of them - you'd need to get a google-size cluster just to run it.
-->> And that still fails if you remember that there is data that the client can use to its advantage without the need to send anything back to the server. We're talking wallhacks = just highlight enemy players, use the data that client already has. The player is then free to do anything with that information, the cheat simply doesn't even engage with the server in any way, it's completely client-side and provides advantage over those who don't have access to this information.
Yeah, no. I've seen these things, I had to deal with these things. You simply cannot solve it automatically/algorithmically. If you still don't believe me - think of all the brilliant minds in all the gaming companies for 30+ years of gaming. We had cheats back then, we still have them now. And those people often stand to gain millions if not billions from making their games free of cheaters.
Yes, which is where I'm coming from. I've also attempted to break many games as well, finding the line between what gets constituted as valid and what doesn't. Diablo 2 back in the day, for example, you can cheat all your stats to max on the client's side yet the server doesn't care and still applies damage according to your server-sided BNET stats. Which also made a solid internet connection required to play because if you ran on dial-up, your damage wouldn't even appear onscreen for a few seconds until the server returned it. All calculations were being processed server-side and verified to counter attempts at spoofing.
-->> There are things that the server cannot know as they happen on the client. Examples are all aimbot cheats. They read data available to the client and then react on this, sending the data back to the server via legitimate means that the client has. There's no "trust-distrust" here, the server cannot know if it's the legitimate input by the player or illegitimate one by the cheat.
Again, all of that is to spoof a client-sided hack prevention software. It has no bearing on the server. You're talking about DMA cheats or mimicking player movements, none of which matters if the server is verifying the input. What you have crafted with this web-cam nonsense is an elaborate undetectable aimbot which has nothing to do with server verification and is already possible using DMA cheats. What I'm talking about isn't simulated player actions, but what you said before -- memory editing, register spoofing, etc. You can't edit data that is stored server-side, and cheats make use of data available to the client. All a server has to do to counteract your particular cheat is verify whether the input is human or noticeably artificial, which intelligence as advanced as the one you're using can discern. Older anticheats, before they flat out tried to read your files and get into your kernels, did exactly that... they operated server-side and tried to guess if your movements were physically possible or the product of a computer.
See above, that's exactly what I'd do, and 100% accuracy isn't needed, as I never promised 100% accuracy or flawless execution.
Again, that is evidence of what I said before, that it isn't cost-effective. Not that it's impossible. It's actually very possible to create a hackproof game, it's just never going to be practical to do it. The reason developers give us so much client-side control is because they don't want to process it on their end, most notably due to the lag and cost.
Such things were actually attempted in old FPS games, including TF2, but you can actually verify those with the server. The server can check each individual file as older games once did before they became multiple gigabytes to check for any modifications to them. Elden Ring itself even operates in a somewhat similar way with a checksum result based on an algorithm known only to the server, verifying that client data is authentic when connecting. In theory it can still be spoofed if you have supreme omniscience, but I'd not run that by.
Those brilliant minds took the easy way out. I'm very much thinking about the past 30 years since I lived through them and watched games get worse and worse over time, depending more and more on the client for processing and switching to invasive anticheats as a last resort in order to prevent negative reviews from "bad optimization" due to rubberbanding when the server disagreed with the client.
Cheers.
I hate to say it, I really do = because I don't like to "brush off" the arguments that someone brings on a simple observation, but in this case I don't think I can just ignore it. You claim to be an expert and then dismiss the experience of everybody in the entire gaming industry for the entire time that industry ever existed as "not trying hard enough". I've seen many things in my professional life, but I've never seen an expert claiming stuff like that.
The rest of your post alludes to contradiction to itself, since you tend to forget that by your own assumption the client cannot be trusted. And I still fail to see what will you verify on the server if the client manipulates the data it has access to without ever sending anything to the server. Or how the supposed "heuristic" could deal with a cheat that mimics the statistics of pro-level players (i.e. fairly within the realm of human capabilities, with no statistical anomalies to latch on).
How did I forget the client cannot be trusted? You claim to dislike brushing off entire posts then do exactly that because you can't be bothered or aren't able to address them. We're discussing online games, if the client is modifying something on its end, it's to impact something on the server's end, and the server can at least attempt to check whether modifications on the client's end match the server's expected requirements -- not with encryption but with algorithmic verification processes like so many data authenticates already use.