• Mikina@programming.dev · 35 upvotes / 2 downvotes · edited · 2 days ago

    It’s just a skill issue on the part of the developers.

    Making anti-cheat properly is hard. Writing spyware that watches everything that happens on your PC and blocks any attempt to touch the game is way easier, but bypassing that is easy with solutions that have higher privileges, thus being invisible even to the anti-cheat. You can just fake calls or hide memory from the anti-cheat, or just edit the anti-cheat itself.

    The solution for that is to run anti-cheat in the highest possible permission - the kernel.

    Now, you could just make another kernel-level program that would have the same permissions to defeat that, or just edit your OS (i.e. Linux, or a VM) where your cheat lives outside and has even higher privileges than the anti-cheat.

    This is where Windows comes in - the only way to run kernel code is to have it signed by Microsoft, and that certification process is extremely difficult and annoying, which puts a pretty big hurdle in front of cheat developers. It’s the easy way out.

    You could also somehow reverse-engineer Windows and run a custom version to bypass this. And that’s where TPM comes in, which (if I understood it right) validates that your Windows is the official signed one, and thus the kernel anti-cheat is safe. You can’t have this kind of affirmation on Linux, and the lazy developers who don’t want to invest into actual moderation and proper anti-cheat solutions just resort to kernel anti-cheat rootkit and require TPM to be enabled.

    There’s not much Steam can do about this, aside from locking up their OS with signing keys and certification for privileged software, along with setting up the whole TPM so you can’t run modified versions, which isn’t really possible since they are based on Linux.

    • e8d79@discuss.tchncs.de · 52 upvotes · edited · 2 days ago

      The solution for that is to run anti-cheat in the highest possible permission - the kernel.

      Cheaters just sidestep the kernel entirely and use DMA hardware instead.

      At the moment it’s rather expensive at ~$400, but prices will probably drop over time.

      • Mikina@programming.dev · 32 upvotes · 2 days ago

        Oh, cool, so if I understand it right, you have hardware that directly reads the physical memory, so you can access it unrestricted and undetectable from another PC, where the cheat runs, and then you use an HDMI fuser to merge the output of the game and the cheat that runs on the second PC on a single monitor.

        That’s actually really clever, I love solutions like this. Not that I approve of cheating, I have 0 respect for people who (unconsensually, as in not all involved parties agree to it being allowed) cheat. But from the hardware/security point of view, it’s amazing.

      • Mikina@programming.dev · 6 upvotes · 2 days ago

        Oh, cool. Tbh I haven’t really looked into cheats much, but I did briefly work in cybersecurity where I was doing malware development, where AV evasion is basically the same problem as game cheats are dealing with, so I just extrapolated, assuming it works the same.

        This is a cool piece of tech, I’ll look into it more. I like seeing new exploits, thanks!

      • altkey (he\him)@lemmy.dbzer0.com · 4 upvotes · 2 days ago

        That’s too complicated to teabag people in Battlefield, but what would I know about the scene I’m not a part of.

        Well, now I’m interested how far it can go in professional cheating. Any vids about that?

          • RedGreenBlue@lemmy.zip · 3 upvotes · 2 days ago

            I used to make qol autohotkey scripts for games I played. Take available info on the screen, make notifications or block input at the right time. Stuff like that.

            For example, I made an on-screen mini-map and arrow to guide me instead of having to repeatedly read coordinates from a chat.

            Playing a ping when something happened on screen was the most basic thing I did.

            I had more fun making my scripts than actually playing the games. It’s fun looking for small cues on the screen and then figuring out practical ways of using that. I didn’t need AI for this.

          • altkey (he\him)@lemmy.dbzer0.com · 5 upvotes · 2 days ago

            Thanks for sharing them. I’d consider the second one completely unfair, while the first one is, well, that’s how I’d like to imagine the experience of occasional cheaters from now on.

    • Evotech@lemmy.world · 4 upvotes · 1 day ago

      Valorant’s kernel anti-cheat stops other kernel drivers and even hypervisor-level attacks.

    • Don_alForno@feddit.org · 8 upvotes · edited · 2 days ago

      They could also ban such games from their platform, which would be a huge hit to studios implementing rootkits.

    • fruitycoder@sh.itjust.works · 5 upvotes · 2 days ago

      You absolutely can have that and more, what we in industry call attestation, on Linux. Though the most obvious adaptation of that would be the confidential computing space for key bits of the game data instead of the whole fucking OS. Though hardware-level memory encryption is a server CPU feature that I don’t think any desktop ones support yet.

      • Evotech@lemmy.world · 2 upvotes · edited · 1 day ago

        Yeah, confidential compute would be the way to go. But it’s expensive and not mainstream yet.

      • Noxy@pawb.social · 2 upvotes · 2 days ago

        Ryzen so-called “AI” Max Pro has hardware-level memory encryption, at least it does on my HP ZBook. But it might actually be the first laptop to do that as far as I know.

        • fruitycoder@sh.itjust.works · 3 upvotes · edited · 1 day ago

          Ahh, it’s got a system called Memory Guard, but that is just a brand name for Transparent SME. Which still, freaking finally, that’s awesome. Though in the context of confidential computing, where container/VM memory spaces are assured through encryption, it doesn’t help, since there is no granular page control, just the entire memory system encrypted transparently to the system above.

          Though I’m not sure if that is a hardware, firmware, or driver limitation (I think below driver, because of the reports I saw of Fedora failing to boot with the kernel flag set to use it).

          https://en.wikichip.org/wiki/x86/sme

          • Noxy@pawb.social · 3 upvotes · 1 day ago

            On my laptop it seems totally transparent to the OS, but I haven’t tried setting any kernel params for it, didn’t even occur to me there was such a thing but it’d make sense if there is
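A way to check what the last two comments are guessing at (whether the CPU advertises SME/SEV, whether the `mem_encrypt=` kernel parameter was passed, and whether the kernel reports SME as active), as an added example that is not part of any comment in the thread. It parses `/proc/cpuinfo`, `/proc/cmdline` and `dmesg` output; the sample inputs are constructed, and the exact wording of the kernel's "Memory Encryption Features active" line is an assumption that varies between kernel versions.

```python
import re
import subprocess

# Constructed sample inputs (not captured from a real machine).
SAMPLE_CPUINFO = (
    "processor\t: 0\n"
    "vendor_id\t: AuthenticAMD\n"
    "flags\t\t: fpu vme de pse sme sev sev_es\n"
)
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/sda2 mem_encrypt=on quiet"
SAMPLE_DMESG = (
    "[    0.000000] Linux version 6.8.0 (constructed sample)\n"
    "[    0.123456] Memory Encryption Features active: AMD SME\n"
)

def parse_cpuinfo_flags(cpuinfo_text):
    """Return the CPU feature flags from the first 'flags' line of /proc/cpuinfo."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return set(line.split(":", 1)[1].split())
    return set()

def parse_mem_encrypt_param(cmdline):
    """Return 'on', 'off' or None depending on the mem_encrypt= kernel parameter."""
    m = re.search(r"\bmem_encrypt=(on|off)\b", cmdline)
    return m.group(1) if m else None

def sme_active_in_dmesg(dmesg_text):
    """Assumed kernel log line: '... Memory Encryption Features active: AMD SME'."""
    pattern = re.compile(r"Memory Encryption Features active:.*\bSME\b")
    return any(pattern.search(line) for line in dmesg_text.splitlines())

def memory_encryption_report(cpuinfo_text, cmdline, dmesg_text):
    """Combine CPU support, boot parameter and kernel log into one report."""
    flags = parse_cpuinfo_flags(cpuinfo_text)
    return {
        "cpu_supports_sme": "sme" in flags,       # plain SME / TSME capable part
        "cpu_supports_sev": "sev" in flags,       # per-VM encryption (confidential VMs)
        "cpu_supports_sev_snp": "sev_snp" in flags,
        "mem_encrypt_param": parse_mem_encrypt_param(cmdline),
        "sme_active": sme_active_in_dmesg(dmesg_text),
    }

if __name__ == "__main__":
    # Live check; reading dmesg may require root on hardened systems.
    with open("/proc/cpuinfo") as f, open("/proc/cmdline") as g:
        dmesg = subprocess.run(["dmesg"], capture_output=True, text=True).stdout
        print(memory_encryption_report(f.read(), g.read(), dmesg))
```

On a Memory Guard (TSME) machine the CPU flag may be present while no `mem_encrypt=` parameter was ever passed, which is what "transparent to the OS" looks like from userspace.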