63 comments

[ 2.5 ms ] story [ 110 ms ] thread
So, what data is it accessing and where does that data come from? I assume it can show you players that you otherwise would have no info about in the game UI?

For example, this data had to come from network packets, so if the server is oversharing data, why wouldn't you just intercept the packets? What exactly is the cheat?

The file doesn't explain much.

(comment deleted)
Based on the README, it looks like it's a partial fork/mod of this upstream repo [0], which is essentially set of tooling that "uses PCIe hardware devices to read and write target system memory".

So if I'm reading this right, the partial fork has changes specifically to read CS:Go data directly out of device memory to another device, which in turn processes that data and renders a web-based map of all player locations.

[0] https://github.com/ufrisk/pcileech

It's accessing player location data after it's been decoded into structs in the game memory. The packets are encrypted, so you'd need to MiTM the key exchange to decrypt them, which takes you the same place this device goes (you either need something running in the OS, or something outside of the OS with access to host memory) - and it's a lot easier to just let the game handle that for you and slurp the data once it's available.
Why is the game sending all this data which is essentially just hidden by the UI? What is the point of sending enemy location and health data when they aren't near/visible to the player? For a non game dev like me it sounds like wasted bandwidth and a way to enable wallhack.
Because knowing which data is hidden by UI from server is hard problem.

To achieve real-time feeling game apply (most) your inputs immediately without having to wait relatively long time confirmation from server. So if you decide to push button and peek around corner you expect to see enemy immediately but server will know about your peek "much" later.

You can for sure limit some information by locations but you always must leak more than it's actually seen by client. Also it isn't easy to solve: can any part of volume be seen from another volume inside arbitrary 3D environment. Enemy size and movement through network frame => players all possible eye positions.

I think current best solutions rely on very rough (manual?) map piecing. So is it worth to invest for such thing that makes some cheats bit less powerful but cannot really prevent them.

Keep in mind that CS:GO is ALREADY built on very very old BSP maps, so knowing that some players aren't visible to others is super trivial, if not 100% accurate (ie it's a little conservative)
In warthunder this results in very noticeable pop in of enemy vehicles when you are using aircraft in realistic tank battles. The rendering distance for both tanks and aircraft is the same but since aircraft are 2km above the ground their effective view distance is much shorter than that of a tank.
VALORANT (Riot’s new CSGO competitor) uses a fog of war technique which only sends data for players in a certain radius or cone I believe. It can be done, it’s just silly to expect Valve to make important and valuable changes like this to their game.
Readme seems out of date, seems to be detected by ESEA and FaceIt, unless the hardware ID mitigation fixes that.

Shouldn't the hardware ID be randomised to start off with? Not that I plan on using this either way, though.

The detection is based on hardware ID interrogation, yes. Here's an ESEA blog post about it although of course they don't go too far into their methods, besides claiming they go "beyond just hardware ID" : https://blog.esea.net/esea-hardware-cheats/ . My suspicion is that they interrogate "suspicious" devices in various ways (for example, seeing if the IO mechanism provided by the driver for each device installed in the system can be used in the expected way), but this is of course easily defeatable.
Have you tried to honeypot the ESEA client? See what digging around they do, log absolutely everything you can, and see what you can learn from it.

Ugh, now I want to write my own game cheats for the sake of curiosity!

> but this is of course easily defeatable.

How so? Is it really common for non-cheaters to have exotic PCIe devices connected?

You could certainly build the cheating functionality into a common PCIe device, but I’m not sure I’d call that easy. There may not be enough money to be made from cheating on ESEA to justify such efforts.

this is years old
This was probably posted as related to recent discussion of Riot Games’ anti-cheat running at ring-0.
The main benefit of cloud gaming might end up being a significant reduction in cheating.

The problem historically has been that game clients have access to a lot of game state that enables cheats. With a "thin client" like Google Stadia, there should be a lot less opportunity for hacks. The incoming game data is an audio/video stream, which makes many hacks hard/impossible.

It would be great to play FPS games without any cheaters, they can easily spoil an otherwise amazing game. Maybe future online tournaments will be cloud gaming only.

That’s a great idea. Hope it happens.
Another solution might gaming “country clubs”. Where you pay/deposit to join the club and access servers/etc., and validated reports of cheating are bans and you lose your deposit.

Not sure if something like that exists (I don’t game really)

This is pretty much what subscription gaming services like the mentioned ESEA and FaceIt are and do. The problem is that validating a report of cheating is actually an extremely hard problem. Did the user have this mini-map software running, or just good game sense?
I wonder if there’s a price point at which only people who actually want to play fair would join. If you’re cheating anyways, it doesn’t make as much sense to pay large sums of money to be on a server where people aren’t cheating.

Alternatively, servers where certain categories of cheats are allowed, so if you just prefer playing with a minimap you can be with like-minded people.

This is assuming the mind of a cheater is “I prefer playing in this mode”, rather than “I want to win a lot of fake internet pints”. Idk which is more accurate.

Yeah, Valve already tries to account for some of this by building a Trust Factor of your account based on how much money you've spent, how long you log in, how frequently you log in and out, etc. (which is especially important since CS:GO went free-to-play).

Of course, that doesn't address all of it: one could still have the very best cheats that never get detected on a highly trusted account. It's silly, but then if they did get detected one day, they'd lose all their precious skins (which have non-zero to significant monetary value), as they become untradeable forever.

But yeah, I think ESEA has some of what you're talking about built in already. Why spend a bunch of money on accounts that keep getting banned?

This already exists with services like FaceIt Premium and ECL.

Valve also do this on their matchmaking servers semi-secretly using Trust Factor. Unfortunately this can make the experience for new players much much worse.

Competitive gamers care way too much about latency to use cloud gaming services for tournaments. Some Counter-strike players still use CRT monitors due to the latency advantage over LCD. I think that you won't see much adoption in competitive gaming, where every millisecond counts.
Haha, how is 240hz not quick enough for these guys?
I think there's delay regardless of the refresh rate.
You will have latency due to network effects. Streaming video/images is always going to be slower than streaming just coordinates and player metadata.
The parent was talking about LCD vs CRT displays. The parent is confusing throughput (240 frames/second) with latency.
It's not throughput if the 240 refreshes per second are evenly-spaced apart in time. It's a polling rate and it absolutely effects responsiveness.
240hz is butter smooth. But if there's a 200ms delay, then you will still lose before you even see the enemy. The problem here is buffering. Stadia can produce 60hz video, but that doesn't mean you will see it immediately. It first needs to be encoded, buffered, transmitted, buffered, decoded, buffered, sent to the screen, buffered, refreshed, and then you'll see it. And unless people find a way to increase the speed of light, the transmission will always take time proportional to the distance between Stadia's servers and you.
Speed of light is not a big deal as long as you don't run the datacenter on the other side of the planet. Video encoding is a much bigger source of latency. The lower the latency the higher the bitrate for the same quality. Since there is an upperbound for the bitrate the cost of encoding the video will dominate.
The largest straight line distance across the US is 2802 miles (Florida to Washington), according to the internet. That's 15 light milliseconds in a vacuum. That's roughly a frame of delay at 60fps. You need to multiply by another 1.5 to account for the speed of light in fiber, and fiber doesn't go in straight lines, but at the same time datacenters and users are unlikely to be literally as far apart as possible, so let's pretend those cancel out.

You don't need to be across the world for it to matter, just across the continent.

Yes, and no one should try to play competitive games across a continent. Competitions must be regional. Internet latency is great within a few hundred miles.
This isn't a question of where the players are relative to eachother, this is a question of where the players are relative to the datacenter with tons of expensive GPUs. Also for many games where that datacenter is relative to the game servers.
Not anymore, LCDs these days have less than 1ms input lag.
That's not true. To get 1ms of response time, you generally need a TN panel (and even then, you'll see ghosting running in the 1ms fast mode).
Correction: less than 4ms input lag
Citation please? That sounds physically impossible.
I follow pro csgo closely. No one uses a fucking CRT.
Why cloud gaming instead of console gaming, which as of the Xbox One is similarly secure without the latency penalty? Of course with cloud gaming you can make map-hack style cheating a theoretical impossibility (as the client never has the data) while with a console you're always relying on client-side hardware countermeasures, but the practical differences until console hardware are broken are non-existent.
I don't think cloud-gaming prevents you from writing an aimbot. Enemies are often visually distinctive (for example, Overwatch outlines them in red), so you can look at the video stream and move the mouse to their head, and synthesize a click when the crosshair is in the right place.

I almost want to write one of these that looks at Twitch streams to figure out how common the "no-reg" that streamers complain about actually happens. (Or, if I were the game company, I would write one of these to figure out if there's a bug in the netcode, or people just aren't really as good as they think they are. I have a theory, but data is better than a theory.)

To eliminate cheating, I think games have to move away from the mechanical aim aspect and focus more on ability management, which is harder to write a cheat for. I don't think it's a coincidence that most of the new heroes in Overwatch have projectile-based weapons instead of hitscan weapons -- even if you're cheating with a projectile, you're not guaranteed to hit the shot. The enemy can just move out of the way. (Of course, a "move out of the way" bot could be written, which would be a lot more insidious and harder to detect. Overwatch streamers accuse everyone that hits a hitscan shot of cheating, but nobody has ever accused someone of moving out of the way of cheating. There is enough spam in the game that eventually you'll kill the enemy; writing a cheat that kills enemies more quickly will get you better results than a cheat that lets you live longer.)

There is also a lot of low-hanging fruit where the client is trusted when it doesn't need to be. Hearthstone had a combo where people could generate infinite copies of a card ("SN1P-SN4P Warlock"), but the animations on the client limited the number that could actually be played in a turn. This is how the combo was balanced; not by a hard limit on resources, but by timers on the client. So people hacked their client to skip animations. This would be fixed with a thin client, but it's also possible to fix with 100% certainty on the traditional fat client. Just calculate how long the animations take on the server side, and reject client updates after the server thinks the turn is over. Add a few seconds of slop for people playing on 2G networks.

> I don't think cloud-gaming prevents you from writing an aimbot.

This isn't true for a number of reasons:

1. Good players are exceptionally good. In pro gaming you'll hear the term "pixel shot" because someone fired at essentially one pixel. The shooter is holding an angle where they know that a change of one pixel is someone running by. That sort of thing; and

2. If you watch any streams you'll see aimbots from cheaters (eg when the streamer gets killed and spectates who killed them) and it's pretty funny to see just how blatant aimbots are, like shooting through bushes that don't block bullets but have no visible indication of an enemy.

But I agree with other comments: I think cloud gaming is 100% never going to be relevant for competitive esports (of this kind) because of latency. That's not a technology problem. It's a physics problem.

> I think games have to move away from the mechanical aim aspect and focus more on ability management,

It's interesting that you bring that up. That's actually a criticism a lot of people have of games like Overwatch (that you mention) in that it's not about gun play but ability management. That's actually seen as a negative by many. Riot Games apparently has made a deliberate design decision to focus more on gun play than ability management in Valorant, as just one example.

> This is how the combo was balanced; not by a hard limit on resources, but by timers on the client.

This is surprisingly common actually. Timers on many games are really just approximated with frame rates. Good players will do better at a game if they can get 200fps over those that get 100fps.

An example of this is the much-beleaguered Fallout 76. Bethesda games use this pervasively and, at least for awhile, Fallout 76 had a cap put in place of 63fps to avoid some of the benefits high frame rates gave players (eg faster movement), such that I took to calling it Fallout 63.

Fallout 76's initial anti cheat efforts were quite funny. Literally based on checking if applications called "IDA" or "Cheat Engine" were open.
At least this keeps the really dumb script kiddies away.
As a lazy person who never closes applications unless necessary, and also one who occasionally does light reverse engineering, I feel discriminated here.
People have already made aimbots for Valorant that wouldn't be stopped by cloud gaming. It just uses autohotkey to detect the color of pixels on screen, and moves the crosshairs until they're over the detected pixels.
Please god no. Gaming is one of the last bastions of owning your bits. It kills off tinkering, modding, poking around asset data, and yes, some cheating. But you're throwing out the baby with the bathwater.

There is already too much rent-seeking in gaming.

(comment deleted)
You can't run a server for yourself for most games. You have to sign into a proprietary service to download/run games. We already lost this battle. I'd like to at least get some advantages like less cheating!
The best gaming experience, even in games with known/available cheats, remains LAN plan. The publishers demanding that every goddamn game have a 5v5 ranked queue/matchmaking system with lootboxes and whatever else means LAN play is a thing of yesteryear. Frankly, so are dedicated servers.

I like competitive games, or at least I did when I was younger, but nowadays I yearn for some good-ol' tribes server community where you have 32 players playing CTF and there are actual administrators who are engaged with the community. If someone becomes a problem you just ban them from your server. Similarly if someone brings a friend to your LAN party and that friend is a cheater, you uninvite your friend and/or punch the cheater.

"Cloud gaming" sounds like a hellscape.

I was thinking of Tribes this week when I watching the Cursed Halo mod video https://youtu.be/dMxIjGjMJz0?t=240. There's a flying Warthog, a sedan and a limo.

It reminded me of the Heavy Personnel Carrier. Loading the HPC with 5 heavies armed with Grenade Launchers and Heavy Mortars was fun.

> The main benefit of cloud gaming might end up being a significant reduction in cheating.

it'll just turn the cheats from memory manipulation to computer vision -- less powerfully 'psychic', but still fast enough to cheat.

There's little financial incentive for most games to fully prevent cheating.

But a streaming-exclusive game would be impossible to pirate. That's why publishers are so enthusiastic about it.

Cocaine is that you? Lol pretty sure i know these guys
If you notice an issue please report. :D
still wondering if you could not get some kind of radar cheat for cs, by 3d analysing the audio outputs and rendering them on top of the game. Not as good as a full radar, but seems pretty undetectable
That would be possible, but in case of silent areas (lone corner,..) your overlay would show false information because you have no rotation clues
This cheat use PCIe DMA to read the memory of the target computer which is running CS:GO. No kernel/user space software on the target system is necessary and practically undetectable from the target computer.

My stance on this is it's inevitable and game design shall be changed to make this cheat irrelevant, by revealing everybody the all players location, thereby the player who use this cheat has no advantage over the other. I think it doesn't change the game that much for most of the game.

In case of the game which requires secret, it can be achieved by trusted authority server or by using mental poker algorithm.

My guess is, you can't use this system to modify the target memory without detection. Since it's impossible to change the multiple memory location atomically, it would be pretty easy to detect from the target computer.

Also the guess, but to detect this memory peak attack, you take control of all the memory bandwidth, no code but you can use all of the memory access, then consume all memory bandwidth with cache disabled so you can detect the slight bandwidth change that is either this attack, or it's DMA from the motherboard(Possibly malicious access from evil binary blob firmware such as Intel ME or AMD PSP)

Aside from that this is a few years old, and got detected pretty quickly from only the target computer without using the network...