Anticheat Update Tracking (not-matthias.github.io)
Submitted by not-matthias 12 hours ago
  • nulld3v 6 hours ago

    Very nice walk-through on the reverse engineering process.

    Also, they linked this post that made my jaw drop: https://www.unknowncheats.me/forum/anti-cheat-bypass/667333-...

    Apparently BattleEye anti-cheat had an exploit where hackers could permanently ban any player they wanted. BattleEye allowed anybody to log in as a "game server", so hackers simply booted up a fake server, told BattleEye that "player X has logged in and is doing a bunch of suspicious stuff", and then player X's account was no more...

    I'm sorry, why do we trust these guys again?

    • AHTERIX5000 18 minutes ago

      That's scary. I have an old Steam account with tons of games and already got banned once due to a bug in anti-cheat software, and for a while my whole account was marked with a cheater tag.

      The bug was so widespread that developers eventually removed the bans, but I'm sure something similar could happen where the problem goes undetected and it would be really hard to try to convince developers to lift a ban.

      • ethan_smith 4 hours ago

        This BattleEye exploit demonstrates a classic failure of trust boundary definition - they effectively created a system where client attestation was accepted without proper authentication or verification.
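
Added example, written for this page rather than taken from the linked post, from BattleEye, or from any commenter: a toy "player report" endpoint in Python showing the trust-boundary failure described above (any client can claim to be a game server and get a player banned) beside a hardened handler that authenticates the reporting server with a provisioned key, rejects stale or replayed reports, and only acts on a report about a player who is actually connected to that server. The server registry, session table, key values, HMAC-over-canonical-JSON scheme and clock-skew window are all assumptions made for illustration, not details of any real anti-cheat protocol.

```python
"""Ban reports from "game servers": accept-anything vs authenticated and session-bound."""
import hashlib
import hmac
import json

# Constructed data for the example (hypothetical): keys provisioned to real game servers
# out of band, and the server each player is currently connected to.
SERVER_KEYS = {
    "srv-eu-01": b"constructed-secret-for-eu-01",
    "srv-us-07": b"constructed-secret-for-us-07",
}
SESSIONS = {"playerX": "srv-eu-01", "playerY": "srv-us-07"}
MAX_SKEW_SECONDS = 60   # assumed freshness window for a report's timestamp


def _canonical(report):
    # Deterministic encoding so signer and verifier compute the MAC over identical bytes.
    return json.dumps(report, sort_keys=True, separators=(",", ":")).encode()


def sign_report(server_id, key, player, reason, now):
    """What a genuine game server sends: the report plus an HMAC-SHA256 over it."""
    report = {"server_id": server_id, "player": player, "reason": reason, "ts": int(now)}
    mac = hmac.new(key, _canonical(report), hashlib.sha256).hexdigest()
    return {"report": report, "mac": mac}


def ban_unauthenticated(msg, bans):
    """The failure mode described in the thread: whoever says "I am a game server"
    is believed, so any client that can reach the endpoint can ban any player."""
    bans.add(msg["report"]["player"])
    return True


def ban_authenticated(msg, bans, now):
    """Hardened handler: authenticate the reporting server, check freshness,
    and require that the player is actually on that server before acting."""
    report, mac = msg.get("report", {}), msg.get("mac", "")
    server_id = report.get("server_id")
    key = SERVER_KEYS.get(server_id)
    if key is None:
        return False, "unknown server"
    expected = hmac.new(key, _canonical(report), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):   # constant-time comparison
        return False, "bad signature"
    if abs(now - report.get("ts", 0)) > MAX_SKEW_SECONDS:
        return False, "stale report"
    player = report.get("player")
    if SESSIONS.get(player) != server_id:
        # A server may only report players it is actually hosting.
        return False, "player not on reporting server"
    bans.add(player)
    return True, "accepted"


if __name__ == "__main__":
    now = 1_700_000_000.0
    forged = {"report": {"server_id": "srv-evil", "player": "playerX",
                         "reason": "aimbot", "ts": int(now)}, "mac": "00"}
    print("unauthenticated accepts forgery:", ban_unauthenticated(forged, set()))
    print("authenticated rejects forgery:", ban_authenticated(forged, set(), now))
    genuine = sign_report("srv-eu-01", SERVER_KEYS["srv-eu-01"], "playerX", "speedhack", now)
    print("authenticated accepts genuine:", ban_authenticated(genuine, set(), now))
```

Even the hardened handler only proves that a provisioned server sent the report; a compromised or malicious server operator can still lie, so a real system would treat a single accepted report as evidence to corroborate rather than an automatic permanent ban.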

        • ronsor 6 hours ago

          Because game companies force you to in order to play.

        • varun_ch 41 minutes ago

          Forgive my ignorance, but why don’t game developers put more effort into limiting the amount of data accessible to the client (restricting it only to what’s reasonably necessary)? For example, couldn’t more movement physics be validated or handled server side? Cheats might still be able to read some data from the game process, but ideally, they’d be limited to issuing inputs like any other player, based only on the same visible output everyone sees. Is it cost? Does this model just not align with how the client/server split looks in games?

          • lvturner 22 minutes ago

            It's been a while and it never was my exact area, so forgive the high level and any inaccuracies! (hopefully someone smarter can chip in further!)

            It begins to fall down when you think in terms of interpolation and movement: if the server had to confirm your every movement, it'd end up very jittery and feel awful as you ping back and forth between where your client state thinks you are and where the server state thinks you are.

            Even the client is kind of guessing (visually) where it is a lot of the time, at least until the next physics or update tick comes in, and all this means that the server is going to be doing a hell of a lot of guesswork about the state of the clients.

            This article helps with reasoning around what a game is doing per-frame: https://gameprogrammingpatterns.com/game-loop.html

            Certainly though, I think in this day and age, for slower games you could probably do a better job of this on the server -- and I'm sure people are working on it.

            • Boltgolt 27 minutes ago

              That's exactly what's being done, but you do not want everything server side over a network delay that is almost always more than the time between frames. Only server-side physics would mean a lot of visual jank. It's now usually a model where the client and server both make the calculation and the server "rolls back" the client if they do not match.

              Data is being limited though, like not sending opponent location data unless the client can see them.
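
Added example, written for this page and not taken from any game, engine or anti-cheat vendor: a minimal Python model of the prediction-and-rollback loop described in the two comments above. The client applies its own inputs immediately, the server validates each input against a movement budget before applying it (so a speedhack that sends oversized displacements is clamped), and when a server snapshot arrives the client resets to the server's state and re-applies its unacknowledged inputs. An honest client never sees a correction; a cheating client gets snapped back. Tick rate, speed limit, the symmetric message latency, the `Input`/`Server`/`Client` names and the clamping rule are all assumptions for illustration.

```python
"""Client-side prediction with a server that validates inputs and rolls the client back."""
import math
from dataclasses import dataclass

TICK = 1 / 64        # assumed server tick length in seconds
MAX_SPEED = 6.0      # assumed movement speed limit the server enforces (units/second)


@dataclass
class Input:
    seq: int     # client-side sequence number, acknowledged back by the server
    dx: float    # displacement the client wants to apply this tick
    dy: float


def clamp_move(dx, dy):
    """Server-side rule: a single tick may move at most MAX_SPEED * TICK units."""
    budget = MAX_SPEED * TICK
    dist = math.hypot(dx, dy)
    if dist <= budget:
        return dx, dy
    return dx / dist * budget, dy / dist * budget


class Server:
    """Authoritative state: applies each input only after validating it."""
    def __init__(self):
        self.pos = (0.0, 0.0)
        self.last_seq = 0

    def apply(self, inp):
        dx, dy = clamp_move(inp.dx, inp.dy)
        self.pos = (self.pos[0] + dx, self.pos[1] + dy)
        self.last_seq = inp.seq
        return self.pos, self.last_seq   # snapshot sent back to the client


class Client:
    """Predicts locally so movement feels immediate, then reconciles with snapshots."""
    def __init__(self):
        self.pos = (0.0, 0.0)
        self.seq = 0
        self.pending = []   # inputs sent but not yet acknowledged by the server

    def move(self, dx, dy):
        self.seq += 1
        inp = Input(self.seq, dx, dy)
        self.pending.append(inp)
        self.pos = (self.pos[0] + dx, self.pos[1] + dy)   # optimistic prediction
        return inp

    def reconcile(self, server_pos, acked_seq):
        """Reset to the server's state and re-apply unacknowledged inputs.
        Returns True if the predicted position had to be corrected (a visible snap)."""
        self.pending = [i for i in self.pending if i.seq > acked_seq]
        pos = server_pos
        for i in self.pending:
            pos = (pos[0] + i.dx, pos[1] + i.dy)
        corrected = pos != self.pos
        self.pos = pos
        return corrected


def _ready(queue, tick):
    """Pop every queued message whose arrival tick has been reached."""
    ready = [m for m in queue if m[0] <= tick]
    for m in ready:
        queue.remove(m)
    return ready


def simulate(moves, latency_ticks=2):
    """Run one client against the server with every message delayed by latency_ticks.
    Returns (final client position, final server position, number of corrections)."""
    client, server = Client(), Server()
    to_server, to_client = [], []   # (arrival_tick, payload)
    corrections = 0
    tick = 0
    while tick < len(moves) or to_server or to_client:
        if tick < len(moves):
            to_server.append((tick + latency_ticks, client.move(*moves[tick])))
        for _, inp in _ready(to_server, tick):
            to_client.append((tick + latency_ticks, server.apply(inp)))
        for _, (pos, seq) in _ready(to_client, tick):
            if client.reconcile(pos, seq):
                corrections += 1
        tick += 1
    return client.pos, server.pos, corrections


if __name__ == "__main__":
    budget = MAX_SPEED * TICK
    print("honest client:", simulate([(budget, 0.0)] * 5))
    print("speedhack client:", simulate([(5 * budget, 0.0)] * 5))
```

The security point is in `clamp_move` and `Server.apply`: the client's input is a request, not a fact, so a modified client can only ask for movement and the server decides how much of it actually happened. The cost the comments describe is visible in `reconcile`: every time the server disagrees, the client's displayed position jumps.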

            • PeterStuer 41 minutes ago

              Meanwhile Vanguard can't even stop crashing every game when you have a slightly non-bog-standard gaming system, e.g. with more than one adaptive sync monitor, Hyper-V or WSL installed ...

              • rak 5 hours ago

                ESEA shipped their client and anti-cheat with a free bitcoin miner back in the day: https://en.wikipedia.org/wiki/ESEA_League#Bitcoin_mining_inc...

                • bpbp-mango 5 hours ago

                  my friends got me into Valorant for a time, but I found the idea of a kernel-level anticheat far too invasive

                  • 7bit 3 hours ago

                    Most online games require kernel-level anti-cheat.

                    • maeln 2 hours ago

                      No, very few of them actually use kernel-level anti-cheat. Really the only games that use them are Riot's games and the Counter-Strike private league FACEIT (as far as I remember).

                      • caem 20 minutes ago

                        Both EAC and BattleEye are also kernel level anticheats nowadays. Only if you're running them under Linux do they run in userspace only. Other than that it's pretty much only VAC, Overwatch's anticheat and maybe some other obscure ones that run in userspace.

                  • preciousoo 7 hours ago

                    Funny how the most advanced anti-cheat just gives version info and executables in one nicely human-friendly package. No need for gimmicks when the work speaks for itself.

                    fwiw I couldn't find the endpoint in question for Vanguard, but I did find it for all the Riot games

                    • chaoz_ 2 hours ago

                      Ehh, pretty sad there's almost no information on FACEIT anti-cheat. One of the most impactful out there. Wonder if it's just the invasiveness that separates it.

                      Valve can't replicate even part of it, while CS2 game modes are flooded with cheaters. Most people who chase competitiveness (which CS used to be all about – now it's also skins) just install FACEIT directly and ignore 90% of built-in game content.

                      Maybe Valve just doesn't want to make the game more difficult to install and sacrifice several % of their user base.

                      • fleebee an hour ago

                        There are a number of good reasons not to make everyone run a kernel-level anti-cheat. Linux (and therefore SteamOS) compatibility is a big one.

                        I think the status quo where anyone on any platform can access the vanilla game -- where cheaters may not even be a huge problem depending on one's skill rating -- and the most competitively-minded players have the choice to play on FACEIT, works pretty fine.

                        I do wonder what the 90% of built-in game content you're referring to actually is.

                        • Double_a_92 30 minutes ago

                          To be fair in the specific case of CS2, the normal modes without FACEIT are really barely playable. Most games are just a massive loss or win, depending on who has the suspiciously good player with 100 hours in their team.

                      • b8 6 hours ago

                        Or just download and check the hash against older versions.