
Anti-Cheat and other things in Unity Games

Discussion in 'General Discussion' started by Mumpfi3k, Sep 6, 2018.

  1. Mumpfi3k

    Mumpfi3k

    Joined:
    Sep 6, 2018
    Posts:
    9
    Hi,

    First of all: I'm new to Unity, I'm not a game developer, nor do I have any experience with Unity. Two years ago I bought a book for Unity 4 that I started but never finished. Shortly afterwards Unity 5 was released, and people say that some parts of the book for v4 are now deprecated, especially with 2018. From what I read, the API in Unity seems to get deprecated with each new version. They add new things and within an update they are removed/changed.

    I want to make a game, a competitive shooter; at least that's my long-term goal for the future. I have been working on a concept for quite a while. But for now, I want to get into the stuff in the first place. One of my concerns is the question a lot of people may have asked themselves: which engine.

    I have been occupied with Unity for a few days and I've noticed that it does not seem possible to protect the game from cheaters. For a single-player game it's not such a big deal when a player spoils his own fun, but online it is a bigger issue.

    The Anti-Cheat Toolkit seems to be entirely removable; I've seen a YouTube video. The .NET Framework is the other thing I'm concerned about, not just because of Unity but because of the framework itself, because an assembly is more or less open source, especially with tools like Reflector, ILSpy etc. As for DevX, it seems that their obfuscator can't be purchased anymore.

    Client-side checks can be patched, so using ACT seems to be useless.

    Then I've seen that there is a generic aimbot/wallhack...

    Another problem is piracy. Some of you know that Two Hospital used Denuvo and was patched by replacing a DLL. Nice copy protection; it seems to work only when it's compiled into the EXE. Obfuscators are not a real solution, they just make it harder. Classes, variables etc. may be renamed, but the code/logic can still be seen and an experienced programmer can read/understand the code anyway.

    So I'm wondering if it's possible at all to prevent cheating. Which options are available to prevent those things as well as possible? I know that it can't be 100% avoided, but at least to make it as difficult as possible, but with generic hacks that work for all Unity-based games :-/
     
  2. FMark92

    FMark92

    Joined:
    May 18, 2017
    Posts:
    1,243
    Give people a system to report hackers and hire someone to scroll through these reports.
     
  3. AndersMalmgren

    AndersMalmgren

    Joined:
    Aug 31, 2014
    Posts:
    5,358
    Worry about becoming big enough for cheaters first, worry about cheaters later
     
  4. AndersMalmgren

    AndersMalmgren

    Joined:
    Aug 31, 2014
    Posts:
    5,358
    That said, you should of course do the low-hanging fruit when developing your game. For example, validate shots on the server etc.
     
    Deleted User and Ryiah like this.
  5. Mumpfi3k

    Mumpfi3k

    Joined:
    Sep 6, 2018
    Posts:
    9
    Makes sense to some degree, but better be prepared, and with a Unity game and C# it won't be an easy task.
     
  6. AndersMalmgren

    AndersMalmgren

    Joined:
    Aug 31, 2014
    Posts:
    5,358
    C# or native code doesn't matter. Both are executed on the client and can be tampered with. If your game gets popular enough, cheats will emerge even if it's native.
     
  7. Frienbert

    Frienbert

    Joined:
    Nov 14, 2012
    Posts:
    112
    The fun part is when your monetization depends on in game purchases or microtransactions. Hackers are able to get all of them for free.
     
  8. ShilohGames

    ShilohGames

    Joined:
    Mar 24, 2014
    Posts:
    3,023
    Cheating vs anti-cheats is not really a question of which engine or which language. Regardless of those choices, cheat prevention has to be designed into the game. This is true of every game engine and every language. If that is not obvious, then I suspect you might not be ready yet to build a big competitive shooter. I would recommend starting small. Build a few simple games as learning projects. If you are unsure of which game engine to use, then I recommend building a few simple games in each game engine you are considering.

    Every popular competitive online multiplayer game will suffer from some cheaters. For example, PUBG (UE4) and Counter-Strike (Source) are both popular and suffer from some cheaters, and neither one was built in Unity.
     
  9. Ryiah

    Ryiah

    Joined:
    Oct 11, 2012
    Posts:
    21,175
    You answered your own question.

    Piracy isn't a problem because people who actively pirate games aren't potential customers. They won't just buy your game if they're unable to pirate it. That's a fallacy that the big studios like to throw around but it simply isn't true. Likewise there really aren't people who "pirate to try the game out".

    If anything you might be chasing away potential customers with complex anti-piracy measures. GOG's main claim to fame is that it doesn't have anti-piracy measures and then there are the problems that often come with advanced solutions like being unable to play the game if it's a little off on its detection methods.
     
    Last edited: Sep 6, 2018
  10. Joe-Censored

    Joe-Censored

    Joined:
    Mar 26, 2013
    Posts:
    11,847
    Don't jump into game development with a competitive multiplayer game. That would be like trying to make your own car from scratch, and deciding you're going to make something with the performance of a McLaren. You're going to fail. You need to start with something comparable to building your own go-cart instead of a high performance super car. A very simple single player game is still going to take 6 months or more of your spare time for you to get to a polished enough state that you should consider publishing it for example. You'll learn a lot along the way building something simple that will save you a lot of trouble when you go onto your dream project that is exponentially more complex and time consuming.

    That said, generally the best way to prevent cheating in a multiplayer game is to never trust input from the client and do as much as possible regarding managing the game state on the server. This unfortunately is next to impossible on a twitchy competitive shooter like a Call of Duty game, because even today's fairly low ping times are still too slow for many functions the game needs. So the client has to be trusted in some cases, which opens up the game to cheats fairly easily wherever the client is trusted. You're then stuck with looking for patterns on the server in client inputs that are suspicious or should be impossible.

    As far as using ILSpy or removing anti-cheat packages, that becomes more difficult when compiling using IL2CPP instead of Mono. ILSpy can't even be used when compiling using IL2CPP for example.

    But cheating is only a problem when your game has become popular and successful. Yeah I would think about it, and maybe take some effort to design your game to minimize cheating from the start, but I wouldn't put a huge focus on it without ever even completing a game in the first place. Worrying about cheating at this point in your indie dev career is like worrying about how you're going to invest all the millions of dollars your game is going to rake in, where are the best interest rates, how do I avoid capital gains taxes, etc. You're putting the cart before the horse.
     
    Last edited: Sep 6, 2018
  11. AndersMalmgren

    AndersMalmgren

    Joined:
    Aug 31, 2014
    Posts:
    5,358
    Our multiplayer shooter only has two anti-cheats: shots are validated on the server, and we check the clients' positions to see if they are valid. If they are not valid we move them to the last valid position. We also keep ammo count on the server etc. so you can't tamper with that state.

    I think those are some low-hanging fruits you can start with.
     
  12. Mumpfi3k

    Mumpfi3k

    Joined:
    Sep 6, 2018
    Posts:
    9
    Errm, there is a difference between using an engine that compiles into native code and an engine that has its scripts based on the .NET Framework. There is a difference between loading an EXE/DLL into a debugger to see the assembler code and using a decompiler like Reflector to load an assembly and see (almost) recompilable source code.

    With .NET you could use an obfuscator and mangle method names, strings etc. But the logic behind it is still visible through the decompiler. The obfuscator will make it more difficult to read but not impossible. I know that cheaters will always find ways to create hacks and that there is no way to prevent it 100%.

    With native code you can use DRM or protections like Denuvo (hated or not). With a .NET-based game, this is not possible. As I wrote before: the Two Hospital game was protected by Denuvo and it got cracked by replacing a DLL. If you compare that to AAA titles that use Denuvo, the game might be cracked one time, but when you make updates you can change it again.

    Of course Denuvo and anti-cheat are different things, but I meant this with regard to 'protecting' the game's entrails.

    .NET is "easier" to decompile and hack compared to native code. For native code you still need knowledge of assembler and reverse code engineering and a proper toolset (OllyDbg, proper plugins, scripts, or a debugger like IDA).

    You could hook your own DLL into the game's process and make some sort of API hook to hook the renderer stuff where they could inject code to draw rectangles around models (for aimbot etc.). But even this could be removed or patched/bypassed.

    Did you actually spend time reading my first post? I wrote that the shooter is the long-term goal; there is no line where I wrote that I want to begin with it. It is stupid to start such a project inexperienced, even I know that. Some people may have done that and had success, because it's a never-ending challenge, but it can increase the frustration level very quickly. Then you either keep trying or you give up. So, better start with small things. Thank you anyway for your advice, even though I'm already past this train of thought.

    With the source code of the engine, there should be ways to make it harder, but who can afford Unity source? People might end up using a different engine where the source is available without paying a fortune. Unreal is available for free.

    With a normal Unity license it does not seem to be possible (at least in a way that makes sense), and nobody here proved me wrong or hinted at ways to protect a game as well as possible. Again, there is no 100% protection.

    It doesn't matter if a game has to get popular in the first place or not. This is a general issue of a Unity-based game.

    Edit
    Fixed some typos.
     
    Last edited: Sep 9, 2018
  13. ShilohGames

    ShilohGames

    Joined:
    Mar 24, 2014
    Posts:
    3,023
    A determined hacker can and will hack any game regardless of which engine the game was created with. PUBG was built using UE4 and it has been successfully hacked over and over. Everything from aimbots, wall hacks, speed hacks, spawn hacks, and even flying cars in game.
     
    Ryiah likes this.
  14. Antypodish

    Antypodish

    Joined:
    Apr 29, 2014
    Posts:
    10,775
    I would flip this the other way round. Encourage cheating from the start and collect feedback. Then you will know where the problems are, and you will be able to fix them over time, step by step.

    When possible, send to the client only data which can be seen / interacted with by the player. What is behind a wall, for example, should not be sent by a server/host to the player.

    I would be interested in P2P solutions, where all data is shared between players. Then you can check across players for any discrepancies. This may be a complex solution, but it is doable. This method has potential issues with only 2 players, or if alt accounts are in the game too.
     
    frozengineer and Joe-Censored like this.
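
The visibility filtering suggested in the post above, sketched as an added example that is not code from the thread or from Unity. The tile map, the `Player` record and `BuildSnapshot` are hypothetical names on constructed data, and the server is assumed to be a plain C# 9+ process.

```csharp
using System;
using System.Collections.Generic;

// Added example: the server decides per viewer which players go into the
// state update. Map and player data are constructed for the demonstration.
public static class VisibilityFilter
{
    // '#' is a wall that blocks line of sight, '.' is open floor.
    static readonly string[] Map =
    {
        "........",
        "...#....",
        "...#....",
        "...#....",
        "........",
    };

    public record Player(int Id, int X, int Y);

    static bool IsWall(int x, int y) => Map[y][x] == '#';

    // Bresenham walk from one tile to another; a wall tile on the way blocks sight.
    public static bool HasLineOfSight(int x0, int y0, int x1, int y1)
    {
        int dx = Math.Abs(x1 - x0), dy = Math.Abs(y1 - y0);
        int sx = x0 < x1 ? 1 : -1, sy = y0 < y1 ? 1 : -1;
        int err = dx - dy;
        while (x0 != x1 || y0 != y1)
        {
            int e2 = 2 * err;
            if (e2 > -dy) { err -= dy; x0 += sx; }
            if (e2 < dx) { err += dx; y0 += sy; }
            if (IsWall(x0, y0)) return false;
        }
        return true;
    }

    // Only players the viewer can currently see are put into that viewer's
    // snapshot, so a modified client holds no hidden positions to render.
    public static List<Player> BuildSnapshot(Player viewer, IEnumerable<Player> all)
    {
        var visible = new List<Player>();
        foreach (var p in all)
            if (p.Id != viewer.Id && HasLineOfSight(viewer.X, viewer.Y, p.X, p.Y))
                visible.Add(p);
        return visible;
    }

    public static void Main()
    {
        var viewer = new Player(1, 1, 2);
        var players = new[]
        {
            viewer,
            new Player(2, 6, 2),   // behind the wall column at x = 3
            new Player(3, 1, 4),   // same side of the wall as the viewer
        };
        foreach (var p in BuildSnapshot(viewer, players))
            Console.WriteLine($"send player {p.Id} at ({p.X},{p.Y})");
    }
}
```

A real server would widen the visible set by a margin for latency so that players do not appear late around corners; that margin is not modelled here.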
  15. ShilohGames

    ShilohGames

    Joined:
    Mar 24, 2014
    Posts:
    3,023
    I don't think hackers actually need encouragement. Hackers will start looking for ways to cheat in a game as soon as it becomes popular.
     
  16. Antypodish

    Antypodish

    Joined:
    Apr 29, 2014
    Posts:
    10,775
    It is not that they need encouragement. You want to encourage genuine players, as you get a chance to get genuine feedback.

    Hackers using hacks for their own benefit won't be sharing loopholes, and you as the dev will be pulling your hair out over how these things are happening.
     
    frozengineer and Mumpfi3k like this.
  17. Joe-Censored

    Joe-Censored

    Joined:
    Mar 26, 2013
    Posts:
    11,847
    A lot of the hacks today are coming from a relatively new phenomenon of hacking games for profit. It used to be that people would create hacks and distribute them for nothing more than a bit of bragging rights, or just to watch the game burn a bit. Now hacks have largely become their own commercialized industry (primarily centered in one highly populated country for whatever reason).

    These hack for profit developers are the ones you would really want testing your game's susceptibility to hacks, but they won't jump onto your game until after it has become popular. So during an early launch or beta period you're only likely to get amateurs trying to hack your game who respond to your challenge, and then later once your game gets popular the folks who develop hacks for a living jump in who know exactly what they are doing and discover a whole lot more than you may have expected.
     
    Mumpfi3k and Antypodish like this.
  18. Antypodish

    Antypodish

    Joined:
    Apr 29, 2014
    Posts:
    10,775
    Of course the ideal would be to hire a hacker to hack your game and get feedback. But even, as you called them, "amateur" hackers could save you from hours to days of work. Or basically any fun boy/girl who is looking for challenges, as you stated. You should not underestimate them either.

    Other than that, yes I agree.
     
    Joe-Censored likes this.
  19. Ryiah

    Ryiah

    Joined:
    Oct 11, 2012
    Posts:
    21,175
    There are differences but they're negligible for an experienced hacker and it only takes one experienced hacker to create a tool to bypass everything and make it available to the public. Everyone else who is less accomplished will just use their tool if and when they reach the limits of their own abilities.

    At best you can only slow down the hacker and only for a short while. You can't prevent them from achieving their goal.
     
    Last edited: Sep 7, 2018
    Mumpfi3k and ShilohGames like this.
  20. Antypodish

    Antypodish

    Joined:
    Apr 29, 2014
    Posts:
    10,775
    Technically you can. Just don't give them a goal, by not getting popular ;)
    I had the Fallout Shelter game for a short period of time. It is a kind of idle game, but more pay-to-win, so you need to pay some real cash if you want to get beyond a certain point. Anyway, the game is buggy as hell. But I am of course not going to waste time on a paid idle game. It happens that a simple cheat, shifting the system clock back and forth, allowed me to bypass the idle concept. And I made it quite a bit like an action game :)
    This is just an example of a simple cheat, without spending any $ on a game.

    Another idle game was online. It wasn't bad, until a certain point, where everything pretty much came to a halt, dragging as hell.
    Found the way to manipulate registers, so I could add practically infinite resources, removing the whole idle aspect ;)

    So there are plenty of ways to bypass, no matter what you do. From simple hacks and register manipulation to cracks.

    Minecraft had by default obfuscated Java code, different with each iteration of the game.
    Yet it didn't stop people from making a huge variety of mods.
     
  21. Ryiah

    Ryiah

    Joined:
    Oct 11, 2012
    Posts:
    21,175
    Correct. It doesn't stop people from making a huge variety of mods, but it does slow down the whole process by days to weeks while ForgeCraft reverse engineers and makes their API compatible with the game. After that the individual mod authors have to go through some effort of their own to verify everything is working.

    This is one of the most effective approaches without having to use a server. You just need to replace the binaries for your game at regular intervals. I have known MMOs that did just that every single week when their servers went down for maintenance.
     
    Joe-Censored and Antypodish like this.
  22. Antypodish

    Antypodish

    Joined:
    Apr 29, 2014
    Posts:
    10,775
    Indeed.
    This is my favorite goal. Making updates frequently. So even cloning will not really hurt the dev.
     
  23. ShilohGames

    ShilohGames

    Joined:
    Mar 24, 2014
    Posts:
    3,023
    Genuine players can often be helpful when reporting hackers, but most players aren't going to be able to dig deep into possible vulnerabilities.
     
    Joe-Censored likes this.
  24. ShilohGames

    ShilohGames

    Joined:
    Mar 24, 2014
    Posts:
    3,023
    The hack for profit in games really surprised me in recent years. I watched some of SidAlpha's videos on the topic, and I was shocked the hackers had come up with those paths to making real world money and I was shocked anybody figured out that they were doing it. It was eye opening.
     
    Joe-Censored likes this.
  25. Antypodish

    Antypodish

    Joined:
    Apr 29, 2014
    Posts:
    10,775
    This is not something new. While these days many things happen in a more "legal" way, by selling solutions to hack for example, for years it was common to release cracks which held different types of malicious application while allowing you to play/run the software. So these apps could steal many sorts of data from a personal computer.

    Others made money by injecting ads into the cracked software. Often persistent and aggressive.

    Then of course there are parts of applications with fake or misleading offers to make money, or claims that your PC is infected. How many people fall into that trap every year is hard to describe.

    And worse, when cracked software introduces a virus which destroys or encodes your files, yet demands that you pay ASAP.

    Cryptocurrency helps quite a bit too. On the one hand, to stay anonymous when accepting the often-demanded payments. On the other hand, by using users' infected PCs to mine it.

    And many more ...

    So yes, it is not something new. Methods maybe shifted in a slightly different way.
    Methods known for decades. And this is only the cracking/hacking part. And where is the rest? :)
     
  26. ShilohGames

    ShilohGames

    Joined:
    Mar 24, 2014
    Posts:
    3,023
    Yeah, there has always been the possible profit from hacking in general. I expect hackers to try to install malware and then use the malware to pop-up ads and steal login details. What surprised me more recently are the hackers using hacking tools to get a bunch of points in a game so they can quickly earn in-game loot to sell on the Steam market. Or hackers that are running a bunch of instances of fake games so they can earn Steam trading cards that they will eventually turn into real money.

    For example, hackers are using aimbots, wall hacks, speed hacks, spawn hacks, and flying car hacks to rapidly kill other players in PUBG. Those kills earn in-game points, and those points unlock virtual clothing and weapon skins. Then the hackers sell those items on the Steam market. I was surprised hackers would take the time to build a workflow around that path to money.
     
    Antypodish and Joe-Censored like this.
  27. Antypodish

    Antypodish

    Joined:
    Apr 29, 2014
    Posts:
    10,775
    Yep, and the problem is, Steam maybe "officially" doesn't support it, but if you watch closely, it supports all sorts of monetized bad behaviours. From selling fake games for less than $, to bots, to card trading, to what you said and more. In this sense Steam is a very ugly cash cow. It also supports games with gambling, which technically is illegal in most countries.

    But hey, we got consumer support for the gaming industry. Well, I don't see them doing much to support what should be supported. Seems like the cash cow soaks their dairy cow there.
     
  28. ADNCG

    ADNCG

    Joined:
    Jun 9, 2014
    Posts:
    994
    Stopping cheaters is a battle that never stops and constantly demands resources. Is it really that important?

    I remember @zombiegorilla saying that some of their players would complain about the state of a given game but the analytics would reveal that they still played heavily. As for me, I've seen countless Dota reviews where players with 1k+ played hours are letting the world know how much Dota sucks. Hell, I wrote a negative review at 2k played hours.

    Maybe we as humans enjoy complaining. What's the real impact though?

    I think cheating can bring something positive. I remember back in Halo 2, there were 2 types of cheating. Crazy mods and "standbying" (basically the host would turn off their modem for a brief period of time, killing people and then turning it back on. All the players would be synced back to the host and realize they're very dead).

    The cool thing was, two communities emerged out of this. A cheater community and a community against cheating. Cheaters would exchange their tricks, show mod accomplishments, etc. Non cheaters would meet up to host custom games, give tips on how to get host to prevent other players from cheating, etc.

    A second example would be Warcraft III. There have been map hacks from the very beginning and all the way to the end. The community was well aware of it. It created rivalry, it got people involved. It even created forums where people would upload replays where other players got caught hacking. It brings the human aspect back into the game.

    Honestly, I wouldn't gamble hundreds of thousands of dollars on my theory. I wish I had access to relevant data to check against. Still, I feel that when developers create a very strict frame, it takes away some of the player's freedom of interaction, if that makes any sense.

    Maybe you could even have your own "Hall of Shame" website. User names with hacking proofs. I think it could create engagement.
     
    Antypodish likes this.
  29. Mumpfi3k

    Mumpfi3k

    Joined:
    Sep 6, 2018
    Posts:
    9
    Thanks for your attention, but it would be a nice idea to return to the subject. Too much off-topic already.
     
  30. zombiegorilla

    zombiegorilla

    Moderator

    Joined:
    May 8, 2012
    Posts:
    9,052
    Preventing cheating completely is impossible, as said. There is a lot you can do from the outset to minimize it, but after that it is about vigilance. Follow up when users claim there is cheating and also pay close attention to analytics and results/logs. With multiplayer games cheat prevention is an ongoing concern, something you address on an ongoing basis. People create new tools and find inventive ways of hacking games all the time. Cheating can ruin a multiplayer game; you will have to update regularly to keep on top of it. Also make sure to penalize cheaters when discovered. Make sure it is not worth the risk for regular players to risk trying it.
     
  31. Mumpfi3k

    Mumpfi3k

    Joined:
    Sep 6, 2018
    Posts:
    9
    But how do you want to avoid hooks with a .NET game, when there are not many options to protect the code?
     
  32. Antypodish

    Antypodish

    Joined:
    Apr 29, 2014
    Posts:
    10,775
    That is why you use an authoritative host/server.

    Also, if you want to make it harder, don't use generic assets from the asset store, which are commonly used by many.
     
    zombiegorilla likes this.
  33. Ryiah

    Ryiah

    Joined:
    Oct 11, 2012
    Posts:
    21,175
    By using a server to verify everything important.

    Just imagine an MMO for a moment. When you attack an enemy the client is literally just telling the server "I want to make an attack on this enemy". The server will then check to see if you're able to attack the enemy and if you are it will follow up with the necessary calculations and record that you've succeeded and what the outcome is. It will then tell the client some message like "You've hit the enemy for X points of damage" and the client will show that to the player.

    In the above example the check to verify that the player can hit the enemy was done by the server, the check to see how much damage the player inflicted was done by the server, and so on. If the server is the one making the decision then it's meaningless for the player to hack their client.
     
    Last edited: Sep 9, 2018
    Joe-Censored and zombiegorilla like this.
  34. Mumpfi3k

    Mumpfi3k

    Joined:
    Sep 6, 2018
    Posts:
    9
    Hmm, there is one thing you definitely forgot: when there is a player that hooked your game for the network part, he will be able to send packets by himself to the server. In this case the server/client stuff won't work at all as a security measure. You may be able to filter packet flooding etc., but all the rest the cheat could do... reading packets, being able to predict player movement, reading the player packets before they are rendered/shown in the client etc. etc.

    Apart from that, server-side hit registration is bad. Quake Champions is a very good example of this at the moment. If the client shoots at an enemy and should hit, the server says he did not. I never wrote netcode, but I know that it is not an easy task.

    Referring to your MMO example, I know a game where they put a proxy in between the client and the server; that way they could access the packets. I know this because I did that too. I need to say here that there were 2 people that reversed the packet encryption algorithm and made it public. Then hooking the client (let it connect to the local proxy and the proxy connects to the server) and voilà, it worked. Then their anti-cheat Gameguard was able to detect hooks, and a lot later they added what hackers called GGAuth. These were client-side calculated packets where the server checked if Gameguard was running on the client. The server sent a packet, the client did something with the packet and sent it back, and the server verified the answer. Wrong answer or missing packet: client kick. Correct answer, no kick. Because it was possible for a while to prevent the game from loading/starting Gameguard. When GGAuth was introduced, it took them quite a while to decompile it; then they prevented the client again from loading Gameguard, and the client-side packet calculation was reversed and built into the cheat. So the game server sent its GGAuth packets, the client responded properly and nothing happened, but Gameguard was not running. I'm not an RCE guy, so my own proxy stopped working due to Gameguard, but it was not a big deal, because I lost interest in the game anyway.

    When you have access to the game's packets, then you could track monsters and auto-attack (speedhack) them. Or auto-kill other players etc. Teleporting around the map etc. Of course you would have to decompile the packet encryption before (if there is one) and find out what the packets are for, find out the packet format etc. The game mentioned above had C1/C2/C3/C4 packets. C3 were encrypted C1, C4 encrypted C2.

    Situations like "this" problem make me think differently from you guys. And still nobody came up with a suggestion or an idea to protect the code of the game's EXE or DLLs. You guys just keep repeating the same thing over and over again. Server-side checks are NOT enough, especially when the netcode relies on them (hit registration).

    To me it seems that all the people here are not really experienced in writing some sort of anti-cheat or have ideas how to prevent people from fiddling with game EXE/DLLs. As I wrote already, I know that nothing can be 100% prevented. Pro RCE guys won't have many issues, but the random guy with some experience might be stopped.

    Professional companies that sell cheats, like those that are sued by Epic etc., are a big issue.
     
    Last edited: Sep 13, 2018
  35. Ryiah

    Ryiah

    Joined:
    Oct 11, 2012
    Posts:
    21,175
    Yes, that's completely possible... if you're an incompetent developer. Let's just start with an example. A speed hack works by sending constant position updates to the server. If the server is performing a verification on the movement requests to determine if they're allowed and blocking them if they're not, this sort of hack won't succeed.

    Says the person who has openly admitted to never writing netcode.
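
The movement check described in this post, combined with the "move them to last valid position" rule from AndersMalmgren's earlier post, as an added example that is not code from the thread. `MovementValidator`, the speed limit and the tolerance are assumptions chosen for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Numerics;

// Added example: server-side movement validation with snap-back.
// Class name and constants are assumptions, not taken from any game or SDK.
public sealed class MovementValidator
{
    const float MaxSpeed = 7.0f;    // assumed top speed, world units per second
    const float Tolerance = 0.25f;  // assumed slack for network jitter

    sealed class State
    {
        public Vector3 Position;  // last position the server accepted
        public double Time;       // server clock at that accepted update
        public int Violations;    // rejected updates, kept for later review
    }

    readonly Dictionary<int, State> _players = new();

    public void Spawn(int id, Vector3 position, double serverTime) =>
        _players[id] = new State { Position = position, Time = serverTime };

    public int Violations(int id) => _players[id].Violations;

    // Returns the position the server accepts. On a rejected update this is the
    // last valid position, which the server would send back as a correction.
    public Vector3 OnPositionUpdate(int id, Vector3 claimed, double serverTime)
    {
        State s = _players[id];

        // Elapsed time comes from the server clock only; a timestamp supplied
        // by the client could be forged to enlarge the movement budget.
        double dt = Math.Max(serverTime - s.Time, 0.0);
        float allowed = MaxSpeed * (float)dt + Tolerance;

        // NaN compares false against everything, so a non-finite position
        // would slip past the distance test unless it is rejected explicitly.
        bool finite = float.IsFinite(claimed.X) && float.IsFinite(claimed.Y)
                      && float.IsFinite(claimed.Z);

        if (!finite || Vector3.Distance(s.Position, claimed) > allowed)
        {
            s.Violations++;
            return s.Position;
        }

        s.Position = claimed;
        s.Time = serverTime;
        return claimed;
    }

    public static void Main()
    {
        var validator = new MovementValidator();
        validator.Spawn(1, Vector3.Zero, 0.0);

        // Constructed updates: a plausible step, a teleport, a NaN position.
        Console.WriteLine(validator.OnPositionUpdate(1, new Vector3(0.6f, 0, 0), 0.1));
        Console.WriteLine(validator.OnPositionUpdate(1, new Vector3(30f, 0, 0), 0.2));
        Console.WriteLine(validator.OnPositionUpdate(1, new Vector3(float.NaN, 0, 0), 0.3));
        Console.WriteLine($"violations: {validator.Violations(1)}");
    }
}
```

The violation counter is the hook for the pattern review other posters mention: a single rejection can be lag, a steady stream of them is worth a look.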
     
  36. N1warhead

    N1warhead

    Joined:
    Mar 12, 2014
    Posts:
    3,884
    Easiest way is with client/server architecture.
    It's quite simple.

    1. Player 1 sends a packet to server saying idk "Hit".
    2. Server reads what Hit means.
    3. Server verifies if you have an item that can "Hit".
    4. Server then calculates how much damage you will do by seeing what item it is, and passing information.
    5. Server then says yes or no.
    6. Server then sends a pretty much 'Display' value for what just happened, E.G. - Damage amount, XP, etc.
    7. Player was hit, or not.

    And yes, serverside checks are enough.
    It could be as simple as storing player positions, checking if a sword is close enough to hit, or the amount of time a bullet takes to travel to a location, to see if it makes sense to then do a "Hit".

    There is no perfect scenario whatsoever, it's about using logic as a means to an end. What can you justify doing to prevent cheating. There's only so much you can really do. And the only absolute way is with a server, there's literally nothing else period at all ever that we can do at least in today's age to prevent it outside of a server. But that comes at a cost of a lot of extra development time that can also be done later after the game is released.

    If your game isn't popular, then cheating isn't really an issue to worry about, yeah you might have some, but the game didn't sell well enough to take the extra time that can be spent elsewhere, such as more content. I mean sure, yes - if you know an absolute way to prevent the cheating that can be done in a reasonable amount of time, then definitely go for it.

    But you are absolutely wrong on the clientside part, the server can literally do everything. It just really comes down to - is it really important enough to deal with it now?
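
The seven steps listed in this post, together with Ryiah's MMO attack example and the server-held ammo count from AndersMalmgren's post, as an added example that is not code from the thread. `HitResolver`, the weapon values and the message shape (the client names only shooter and target) are assumptions.

```csharp
using System;
using System.Numerics;

// Added example: the server resolves a "Hit" request from its own state.
// The client's message names only shooter and target; it carries no damage,
// ammo or position fields that a modified client could inflate.
public static class HitResolver
{
    public record Weapon(string Name, int Damage, float Range, double Cooldown);

    public sealed class Player
    {
        public Vector3 Position;      // server-tracked position
        public int Health = 100;
        public int Ammo;              // kept on the server only
        public Weapon? Equipped;
        public double LastShot = double.NegativeInfinity;
    }

    public record HitResult(bool Accepted, string Reason, int Damage, int TargetHealth);

    static HitResult Deny(string reason, Player target) =>
        new(false, reason, 0, target.Health);

    public static HitResult ResolveHit(Player shooter, Player target, double serverTime)
    {
        // Step 3: does the shooter hold something that can hit at all?
        Weapon? w = shooter.Equipped;
        if (w is null) return Deny("no weapon", target);
        if (shooter.Ammo <= 0) return Deny("out of ammo", target);

        // Fire-rate check against the server clock stops rapid-fire requests.
        if (serverTime - shooter.LastShot < w.Cooldown)
            return Deny("fire rate exceeded", target);

        // The round is spent whether or not it connects.
        shooter.Ammo--;
        shooter.LastShot = serverTime;

        // Steps 4 and 5: range and damage come from server data only.
        if (Vector3.Distance(shooter.Position, target.Position) > w.Range)
            return Deny("out of range", target);

        target.Health = Math.Max(0, target.Health - w.Damage);

        // Step 6: the reply is display data; the client just shows it.
        return new HitResult(true, "hit", w.Damage, target.Health);
    }

    public static void Main()
    {
        var rifle = new Weapon("rifle", 25, 50f, 0.1);   // constructed values
        var shooter = new Player { Ammo = 2, Equipped = rifle };
        var target = new Player { Position = new Vector3(10, 0, 0) };

        // Constructed request times: normal shot, too-fast shot, normal shot,
        // then a shot after the server-side ammo count has reached zero.
        foreach (double t in new[] { 1.0, 1.05, 2.0, 3.0 })
            Console.WriteLine($"{t}: {ResolveHit(shooter, target, t)}");
    }
}
```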