Fighting the Good War - Against MMO CheatersMarch 17, 2011
Part of my job working for the MMO company is dealing with professional (and some amateur) game hackers. It's something every MMO company deals with. For some reason people are determined to play a different game than you designed and are willing to pay a lot of money for the privilege. Of course there are people out there just as determined to sell these folks ways to get ahead of their fellow players.
Like all arms races for every counter measure you come up someone out there is trying to counter it as well. That's makes it an interesting game to play assuming you like the competition.
All companies have to consider who is hacking their games, how the hacks are invented, how they are distributed, who buys them and of course what happens at runtime. There are a lot of for-pay companies who sell anti cheat systems (PunkBuster et al.) and people who sell (and sometimes just give away) anti anti cheat systems.
Since I have started working on this stuff I've learned there are a ton of places on the internet where people gather to share hacks, speculate on better hacks, talk hacking and generally make a game out of gaming the games. Generally companies never talk about the issue, as if talking might make customers suddenly realize there are hacks out there and immediately rush to obtain them. Of course they won't talk about what they actually do to combat the problem (neither will I of course, except in general). I can say virtually all MMO's are hacked at some point, sometimes they can stop one for a while but eventually new ones emerge, like evolutionary organisms. There is no perfect way to keep hacks away but there are still many tools one can use to at least frustrate the competition.
Another funny thing I learned is that the professional (for pay) hack companies get hacked themselves and suffer the same issues; China is rampant with both game hack companies and those that sell hacked hacks. For pay hack companies also suffer from customer complaints and refund demands and lose revenue to the hack hackers. What a weird world we live in.
Keeping your app hack-proof (or more accurately just stay briefly ahead of hackers) requires a lot of thinking about what in your app is appealing to a game cheater, how your code and data are stored and what it looks like in binary, and what kind of thinking a hacker uses to find things to do.
Windows of course is the primary attack base since most of the big games are on Windows; in addition there are so many known ways to inject code into the OS, drivers, dlls and exes enough to provide a nice assortment of attack vectors (witness all the billions of viri). There are lots of "binary debuggers", tools which aid in attaching to applications and examining their contents, data, code and runtime environment. The hacker has a lot of ways to examine what your game client is doing.
Common cheats that people like are chams/wallhacks, which allow you to see enemies or booty in front of everything, usually in bright colors, so that you can find them even when they are really hidden. ESP is similar and generally gives you information about the enemies or booty to aid in identifying targets. Speed hacks generally change the tick clock to make the game think you are moving faster than you really are, which is then sent to the server at that speed. Value hacks which can get you more gold or bullets or life or whatever is important in the game. Aimbots are tools to help you automatically target enemies. Of course there are tons more, anything that might help a player gain an edge.
Using these cheats has a drawback, if they are too obvious then you may be banned which can cost you real money since you can't play any more and you may have paid for the cheat. Many players who refuse cheats will turn you in if they suspect you are using a cheat (I know most of our players get especially pissed). Personally I don't understand the cheater mentality, it's a game I play for fun and challenge, why would I want to ruin the whole point of playing? I've been playing our game for 9 years and still enjoy it. Cheating would take all the fun out. I have the source code and could cheat without penalty but why? Winning is great in the lottery but in a game without the possibility of loss there is no lasting fun in 100% victory.
Reality of course says some people need to feel superior and refuse to invest any time in actually becoming good at a game. So we as an industry take time to deal with this reality which never stops.
It does take a fair amount of effort to keep a game from being overrun by cheaters. Some of the people you are fighting are extremely talented and likely would succeed at almost any programming effort. Some are the proverbial "script kiddies" who just follow some blind instructions on making a cheat. To be even moderately successful at stopping hacking (or more likely slowing it down) you have to understand your game very well and still be able to look at it with a hacker's eye, what do they see, what can they find, how can they inject themselves into your client. THen you try to find ways to make it difficult. Of course you can also buy from the anti cheat companies, though everywhere I look they get hacked just as much.
The battle is between a binary view of your game client, versus your source based view. Who will win, at least in the short term?