makemake's blog

Anti-cheat doesn't work

8 min read

Well, this blogpost is a departure from my regular blogposts here. Im going to be yapping about how client side anticheat is completely useless, and how cheating is a problem that can only be solved server side. If you like these sorts of topics, enjoy!

Note: Theres lots of handwaving and skimming over details. This is not a guide on how to bypass anticheat. I wrote this while bored in an hour. If you are mad about this feel free to call me a skid and move on.

Origin story

I originally started developing cheats when I was 13-14 yo. Everyone at school was playing quakeworld whenever we had classes in the computer lab. This was fun, but what if it was more fun. For me. What if I was hypothetically destroying everyone…

And so I began to write cheats and begin my hobby of reverse engineering. I started out a skid. Copy pasting and breaking things constantly. Slowly I learned more about how computers work. I learned about memory. Eventually I made a very basic aimbot. I learned more about trigonometry and maths doing this than all my middle school classes combined. I still ended up having a C in maths. No Im not salty or anything its fine.

I moved onto other games. Specifically CSGO and TF2. I remember studying the source SDK. I learned how to use Hex-Rays. I still remember the lengths I went to to get my hands on a pirated copy of IDA 6. Theres some irony to be had there. I essentially ported my quake aimbot and added basic esp. This eventually led to the following incident happening: Pasted image 20240527200137.png

Not ideal. Especially considering CSGO was not F2P at this time so I did this on my main account because I was a kid with no money and could not afford an alt.

But I had passion! But after this incident, that passion kinda moved on from cheating and I went on to do other things. Some of which include doing low-level hardware stuff.

The point Im trying to illustrate is that even though i’ve been out of the loop for a while when it comes to developing cheats, I have some low level understanding of how cheats/anticheats work.

With the #SaveTF2 movement becoming a thing, as well as linux gaming gaining more market share, i’ve seen some truly [REDACTED] takes by all sides. I wanted to write something to get my thoughts out about this issue and hopefully clear up some of the more, interesting takes.

How does anti cheat anti cheat?

tldr; it doesn’t lol

Jokes aside, client side anti-cheat does literally nothing.

Anticheats, in essance, havent changed much in the past decade. They all boil down to doing something along the following:

  • Scan processes, bad process, flag account;
  • See whats attached, something bad, flag account;
  • Do heuristics, something bad, flag account.

This is pretty much how all anti cheats work. Theres some nuance to this and different anticheats will have different methods and different things theyre looking out for, but in essance this is what they do.

If you know how a certain anti-cheat flags accounts, you can trivially circumvent this. This is where a lot of A/B testing and reverse engineering comes into play when developing cheats. Its also important to note that these anticheats ran in userspace. Cheats generally we’re either more privileged or less depending on the cheat/anticheat.

The goal of any cheat is to replace code thats being ran by the game with its own. This allows the cheat to actually work. Depending on the game and platform the method to achieve this varies widely. Privileges matter here, because essentially the more privileged you are as a process the more you’re able to inspect and change about the system. A basic example would be that you’re able to edit all files as admin/sudo but not as a regular user. In most cases running the cheat as root, while the game is not is enough to beat anti-cheat.

Pasted image 20240527202007.png

The cat and mouse game of devs making changes, and cheat developers finding a workaround is essentially the anticheat. This was all fine and dandy, cheaters cheated and developers banned them, until a challenger approached. Promising to curb cheaters for good, Vanguard entered the frey.

Kernel level anti cheat

Note: ESEA and faceit also have kernel level anticheats. The ESEA one even being used to mine bitcoin. Its true look it up, these are the people who are writing your anticheat.

tldr; still doesnt work and sucks ass for multiple reasons

Microsoft Windows is a proprietary operating system. More importantly, its a proprietary operating system that actively dislikes you, the user!

Kernel modules on windows can only be installed and ran if you got the greenlight from microshit. For the reasons stated above, M$ greenlit Vanguard. Which is spyware.

And do not get it twisted whatsoever, Vanguard is spyware by design. Remember what we said about how anticheats monitor your system? With regular anticheats this was manageable privacy and security wise as they did not have complete control over your computer. Vanguard however does. It has complete control over every aspect of your computer. Everything you do is monitored, and it’s completely unauditable. Riot says that it doesn’t spy on you, but then it would be a bad anticheat.

And credit where credits due. Vanguard is a very good anticheat. It’s just that anti cheat is not a problem that can be solved in the scope vanguard is targeting…

PCI-E DMA

Cheaters are a crafty bunch, and in the face of adversity they do whatever it takes to get stroke their egos.

PCI-E is what connects your graphics card to your motherboard. Its fast. Some really smart people added DMA to it so it goes even faster. DMA(or direct memory access) is a feature that allows PCI-E devices, direct memory access. In our context this means that any PCI-E device can read memory completely bypassing the CPU and any anticheat.

Pasted image 20240527204445.png

This was a very niche thing to do when only ESEA and faceit had their kernel level anti cheats. But absolutely exploded in popularity when vanguard dropped.

And how did Vanguard, the revolutionary anticheat to end all cheats solve this?

It didnt. Its physically unable to. Because it bypasses the CPU and reads the heap directly, Vanguard is unaware that anything is happening. All you need is a specific PCI-E card, and a raspberry pi. PCI-E DMA went from being a very obscure way for the most paranoid to skid level.

More primitive hardware cheats

Theres even more primitive hardware cheats than PCI-E DMA. People have been hooking up arduinos as mouse inputs that trigger when you hover over someones head, detected with OCR, for a while. This is also completely undetectable. Pasted image 20240527204651.png

Cheating is a server side problem

Cheating is a server side problem. The only way it can be solved is by:

  • Designing server code to only give necessary info and nothing more;
  • HEURISTICS HEURISTICS HEURISTICS;
  • some human intervention.

The first one should be obvious. Unfortunately this is hard to do properly and gamedevs are lazy.

The second one less so. Heuristics in this context means analysing how someone plays, and looking at any statistics that makes that player an outlier. Accounts that behave strangely can be flagged, banned, or manually reviewed. VACnet seems to be finally doing something so heres hoping it actually works??

And the third one is the best but most labour intensive way of solving it. Granted, it can be outsourced like CSGO overwatch and humans are error prone, but still. When all else fails humans are the only fallback.

i mean whats the fucking point yknow?

Client side anti cheats only work to prevent the most bottom of the barrel spinbotting skids. Anyone remotely serious about cheating will be able to easily bypass any sort of BS anticheat that gets thrown at them. Kernel level anticheats are just theatre and slightly inconvenience cheaters.

So why do companies still do kernel level anticheat? They do it because it’s good marketing. Noone likes cheaters. But it’s all performative. How many online matches in games with anticheat have you played where the other person is clearly cheating?

The only way to actually beat cheats is on the server. Preventing people from running code on machines they have local access to is a complete pipe dream.

STAY TUNED FOR THE NEXT INSTALLMENT OF THIS ARICLE SERIES WHERE I WRITE A LINUX KERNEL MODULE CHEAT FOR TEAM FORTRESS 2! YAY UNDETECTABLE CHEATS ^.^

Vukašin Gostović

Im makemake and I like it when people put blocks in a chain and turn that into a database. Love building useful programs and anything infra. I like reading about psychology, sociology, and philosophy. I have been making computers do stuff since i was ~11 years old. Rust is pretty cool. I'll mostly be writing about Ethereum and blockchains as that's what my time is mostly preocupied by. Feel free to reach out via my links below if you have any inquiries!