45 comments

[ 3.6 ms ] story [ 94.0 ms ] thread
> So hopefully this cheat will be VAC / PB undetected for ever

yeah... until they patch it

As for VAC, it can’t even detect spinbotters. Given its track record I‘m certain there won’t be any patch whatsoever.
Are you sure VAC doesn’t detect spin botters? Valve has implemented neural net based cheat detection trained from overwatch cases (players watching demos of reported players and judging if they were cheating). It’s a rather nice solution and doesn’t involve kernel mode drivers from a third party I don’t trust to make secure kernel mode drivers (a la battle eye or punk buster).

https://youtu.be/ObhK8lUfIlc

(comment deleted)
Yikes, I really don't want an effective random number generator deciding whether or not if I get to keep using the product I payed for. Refuting a cheat-accusation/action is pretty much impossible as is.
AFAIK, the ML piece only selects candidates to review for cheating. The overwatch volunteer(s) still need to watch your demo and judge if you're cheating.
I still get to see them play full games when I do overwatch myself. This should be a round 1 kick, instead they waste everyone’s time and ruin their experience. Same goes for obvious wall- and aimhacks. I see non obvious cheaters every 2nd game or so (players following but not tracing you through walls or soft aimlocks for example). VAC doesn’t do any process analysis as far as I know and as such, it will only ever be able to ban players after the fact (if it does even that, because „legit“ hacks will almost always pass due to overwatches high consensus requirements)
I think overwatch is just there for confirmation in most cases. That makes sense imho.

FWIW I tend to only see cheaters on casual. The TrustFactor thing seems to work fairly well, because (judging by Overwatch) the cheaters seem to be among their likes. It must suck for new (non-prime) accounts, though.

It does. My brother started playing recently and the matches I’s play with him were abysmal. Toxic players, bad communication, no organization, and cheaters relatively often. I bought him the game and it is indeed night and day. I personally just saw my first hacker in a prime lobby in the 300 hours I’ve played since prime became a thing.
I haven't seen a spinbotter for ~4 years, I have 500+ hours on CSGO, average 2 games a week. I think VAC is catching them. But it's also possible people don't rage-hack anymore, and prefer the self delusion of stealthy hacks.
It's very expensive to rage hack, mostly due to account age and phone number requirements. Sure, you can buy an account or play for 20 hours to get in good standings, in matchmaking - but VAC will evaporate you in a single match.
They troll F2P and lower ranks very effectively.
So this looks like a ROP "template" compiler using a set of gadgets found in the binaries: https://github.com/Speedi13/ROP-COMPILER/blob/master/RopComp...?

> So hopefully this cheat will be VAC / PB undetected for ever

Well, until they remove most of the ROP gadgets or employ CFI?

(comment deleted)
> Well, until they remove most of the ROP gadgets...

This is unfeasible. ROP gadgets essentially show up in "random" locations. Not to mention that they might also show up in code that Valve has no access to.

Presumably if they built the game with address space layout randomisation then the ROP would be defeated?
Not really; you'd just need to be able to leak an address.
Surely they can just change the binary slightly with every patch and move the gadgets around in memory or just remove them outright.
(comment deleted)
Finding gadgets is not hard. Removing them entirely is difficult, but work is being done in this field to make this possible to some extent.
> So hopefully this cheat will be VAC / PB undetected for ever ;)

That attitude really grinds my gears. I'd much prefer to see something like "here's how we think Valve could fix this permanently".

I've got no problem with people writing hacks for games; with the shit that gets released these days I expect it would often be far more rewarding than playing the game itself.

That said, authors should follow responsible disclosure, give the game company some time to respond before releasing.

> That said, authors should follow responsible disclosure, give the game company some time to respond before releasing.

Stack-smashing attacks have been around since at least 1988[1]. This cheat has less to do with the game itself and more to do with the computing architecture (i.e. stack-based). ROP is an active area of research and "code hardening" is a way to mitigate such an attack[2], but (from what I understand) usually comes with performance penalties.

[1] https://lwn.net/Articles/732201/

[2] https://cs.brown.edu/~vpk/papers/ccr.sp18.pdf

I don't see your point. Do you think the authors shouldn't give responsible disclosure because the underlying mechanism has been around for a while? The company would obviously fix the area where false data is allowed to be injected, not systematically harden their entire codebase against any possible ROP-based attack.
There are going to be hundreds or thousands more, possibly outside of their code. They are easy to introduce in your code, fairly easy to find and hard to fix. It's more of an idea or PoC on how to write cheats than a specific exploit.

On another note it's not an exploit in the classic sense - if you own your game you're legally allowed to do what you want with it in most countries AFAIK. I'm not convinced responsible disclosure even applies here.

I don't think R.D. should apply when the exploit can benefit the device owner in gaining control over their device.

Rooting/jailbreaking/safetynet exploits (and exploits that can be used for rooting and jailbreaking) shouldn't go to google and apple first, they should go to the users first.

The same applies for bypassing anti-cheats or other modification prevention systems or other attestation systems.

Even when that benefit is at the direct expense of other users? Your device rooting example is different compared to online cheating in this respect and to me that's key.
> I've got no problem with people writing hacks for games; with the shit that gets released these days I expect it would often be far more rewarding than playing the game itself.

Hacks in singleplayer games are fun. Hacks in multiplayer games are not. If someone thinks the game is shit and unrewarding, they should just not play it and not ruin it for everyone else.

There are loads of people who enjoy cheating in multiplayer games so much that they’re willing to spend hundreds of dollars a month on the hacks.
Sorry to disappoint, but stuff like the glowESP for csgo are around since the source engine released in 2004. Even normal cheats on github like charlatano are undetected, and that one is pretty popular.

They dont really do shit

Its multiplayer though. Doing this creates "fun" by cheating others.
This sounds really petty to me, it grinds your gears that the attack developer is proud of their work?

Seems like the next logical step will be for one of the many people specializing in defenses to develop a "permanent" fix :)

It's not petty. Hacks in multiplayer games ruin the game for everyone else, and the hack developer hopes that the hack will stay undetected forever. That's not proud. It's more like "I hope you can use this to be assholes and ruin the game for all other players as long as the game exists."

Also, this is just a game, but if it was ransomware and the dev said "hopefully this ransomware will be antivirus undetected for ever", you'd probably have a different opinion, no?

Perhaps I'm just going with a more charitable interpretation. The hack developer came up with what he thinks is a new approach that fundamentally undermines the approach taken by anticheat developers, of course he hopes that his work wasn't in vain.

Yeah, I think it is petty to call him out for having a "bad attitude" because of this.

I’m completely out of the loop with respect to gaming and cheating nowadays, and I’m not the target audience of the readme, so pardon my ignorance: how is this used? Via exploits in the game? Injected locally by a more privileged process?
In csgo specifically you can either inject a DLL (simplest way would be LoadLibraryA, but there are more methods) or just getting a handle and read / write memory.

How this cheat does it I dont know. And I am too lazy to check :)

If you're interested in learning more about ROP, I highly recommend this fantastic writeup CTURT produced about hacking the PS4 (which, of course, used ROP). https://cturt.github.io/ps4.html I
Is the idea that this would only be possible in object-oriented programming? And it wouldn't be possible in something like Haskell/Rust?
No, I’m not sure what implied that for you, but gadgets in this context are program code fragments.
Oh I was reading return-oriented as "object-oriented" the entire time. My mistake.
Hopefully VACnet, which is an ML anticheat used in CS:GO will catch it anyway