Anti-Cheat Reloaded - an Anti-Cheat Revolution

---

Neither cheaters nor anti-cheaters can deny it, something has changed within the last year. There are two big anti-cheat solutions left, to preserve what Counter Strike was (probably) supposed to be: A fair online multiplayer shooter for everyone owning one or more Half Life cd keys.

Coming directly from Valve, Valves Security Module (VSM, often referred to as VAC = Valve Anti-Cheat) has the best opportunity to secure Half Life, Counter Strike and Day of Defeat servers, since the developers have direct access to the HL source code.

Matt Bamberger is responsible for the development of Valves anti-cheat, although people often hear the name Eric Smith, who publishes VAC update news in Valves mailing list. VAC is a client side anti-cheat module that is distributed to clients through VAC secured servers, so there is no need to download additional software for players. The servers are updated automatically whenever new VAC modules are released, this way neither admins nor players need to do anything to be up to date. Of all anti-cheat solutions for Half Life and its mods, VAC always tried and tries to keep its methods as simple and compatible as possible. On the other hand it’s difficult to keep cheat detections and improvements updated, since as the official anticheat, Valve has to ensure that the distributed software works for everyone.

VAC uses different methods to prevent cheating by updating cheat detections and adding new methods of cheat prevention. In the beginning, VACs only function was to scan players memory for running cheats (VAC never scanned the players hard-disk for cheat files like e.g. CS Guard did), and after a few months Valve was ready to use its advantage of run a central WON server, everyone needs to connect to in order to play online. Combining cd key validation and anti-cheat, Valve set up a global database that gets queried every time a player joins a VAC secured server. Its purpose: To collect cheat detections from all vac servers worldwide. By keeping VAC servers in constant contact with this database, the unique WON id of a cheater caught by VAC is banned on all VAC enabled servers. The downside of this, there have been several issues with people who, mostly without their knowledge, installed damaged memory in their computer what caused VAC to believe it had found a cheat and to ban innocent people worldwide. Valve constantly improves this system and is currently able to distinguish between a memory error and a cheat detection, to make sure the ban affects cheaters only.<br>It was, is, and will always be possible to run hacks, Valve is well aware of that. About the same time they introduced the global banlist. VAC therefore created a new method of preventing cheats by adding a generic wallhack-block to VAC. The wallhack-block consists of additional checks on each player’s point of view, whether he should be able to actually see an enemy or not. So it basically does this: if (part-of-enemy-model is within player’s point of view) {draw enemy model completely} else {hide enemy model completely}. This could cause some issues and is not yet perfect (using a wallhack, you can still see your teammates, map- and player entities like weapons, thrown grenades or boxes and crates behind walls for example), but effectively blocks enemy models players should not see. Latest wallhacks found a way to circumvent this by disabling parts of VAC without recognition and bring working wallhacks back in business. Valve is aware of this issue, a fix is probably already in development.

A very important factor of the success of Valves anti-cheat is the familiarity with customer support. It’s crucial for a official anti-cheat development to handle compatibility issues as quick as possible and keep the software up to date. But since the VAC developers are also involved in other Valve projects, they can’t keep VAC as up to date as they probably would like to. There are currently cheats like OGC’s OpenGL Hack that have been working on VAC enabled servers for more than half a year now, up until the latest VAC update it was also possible to run way old cheats like OGC and other client hooks on VAC servers by using one of 3 public available VAC proofers. Multi-hacks like LTFX and Joolz are updated as often as VAC to keep them from detection and are even sold on Ebay. Its possible that this situation will improve after the release of the upcoming Counter Strike 1.6 (beta testing via steam started in January 2003, CS 1.6 beta currently also features VAC), but there are still other big projects Valve needs to direct their attention to, like Counter-Strike - Condition Zero and Half Life 2.

The other big player (this used to change a lot ... the rank of "currently best anti-cheat" was taken by Punkbuster, Jedi, CSGuard/HLGuard/ASGuard, Paladin, Cheaterlog and more) at the moment is Cheating Death.<br>C-D did a great job when being developed by Cdeath a while ago but since of the way C-D works, the anti-cheat did not work with VAC enabled mods which was introduced with CS 1.4. Cdeath continued anti-cheat support for non-VAC mods but was not able to regain its success again until UnitedAdmins took over C-Ds development and released a Counter Strike, Natural Selection, Day of Defeat and Team Fortress Classic compatible modification of the old client. Using the resources and experience UA already made with their server-side only anti-cheat HLGuard, C-D is constantly being updated to resolve compatibility issues and to detect and/or prevent latest cheats from working.

Cheating-Death works like VAC as a clientside module that comes in a small package everyone has to download and install in order to play on C-D enabled servers. The anti-cheat itself is located inside the client (the server basically only makes sure everyone on the server is using it) and uses different ways to detect or block cheats: First of all, C-D loads itself by hooking Half Life/Counter Strike like most cheats do, this way other cheats trying to hook the game engine cannot be loaded. The C-D client focuses on making it as hard as possible for cheats to modify the game. Therefore it uses different methods of checking whether a cheat tries something illegal: Are there any programs that use OpenGL just before Half Life uses it? Do non-HL processes other than drivers call windows functions responsible for moving the mouse, e.g. aimbots do? Are OpenGL functions accessed that are not needed during ordinary Half-Life play, but could be used to draw extra information (ESP, ballhack)? Is there another window on top of HL drawing, for example, another crosshair? To run these tests, C-D has to dig as deep in the players system as cheats do ... the prize for C-D doing this are occasional compatibility issues with certain graphic and soundcards and being detected by VAC.

But Half Life and its mods can be hacked (or enhanced, depends on your point of view) not only via the windows-way, so C-D has an eye on Half Life itself as well. C-D not only has a wallhack-block to prevent wallhacks in general from doing their job, it also checks the players config for variables that are used to alter HLs rendering engine to e.g. make walls completely white instead of textured. But even with C-D, there is still the possibility to see what’s going on behind a wall: By displaying sounds (ESP). All current wallhack-blocks cannot do anything against visually displaying sounds like footsteps and weapon reloading, so this again is some work for C-Ds function check.

Furthermore, C-D tries to detect the use of certain custom models that could be used as aimbot models: There are (actually quite old) aimbots that scan the players screen for certain colours (used to be an extreme green and red) and, if the aimbot finds these colours, it moves the mouse/crosshair towards it. Therefore the player needs custom models with this colour to give the aimbot something to lock on, as a countermeasure C-D checks for common aimbot colours inside the player’s model files (and slight variations of it) to make sure that most custom models still work, but widely spread aimbot models do not.

It’s hard to compare these two anti-cheat solutions (well, solution is the wrong term, I guess): Valve has the harder job because they have to make sure VAC does not spoil the fun of honest customers who paid money to play HL/CS online. They can’t just force gamers to download and install extra clientside software in order to play online, and till now they have done a pretty good job in keeping their anti-cheat as simple as possible for players and admins. The downside is, there are several multi- and OpenGL hacks that work on every VAC enabled server, cheaters can use aimbots, working and unblocked wallhacks, or just useful things like controlling Winamp from within Counter Strike. In contrast, there is at the moment no publicly available wallhack that works on C-D secured servers, and getting one of the 3 currently undetected coloured aimbots to work is something most cheaters are not capable of (installing custom coloured models, getting used to heavy fps drops ...). Both modules are client side and can therefore be hacked, so the more time UA / Valve gives cheaters, the more likely they get hacked. You can’t really do anything about this, but you can make sure that whatever a cheat coder gets, it has to be already outdated when they managed to break it. Only constant updating can ensure cheater-free playing, and this makes UA a jump ahead of Valve.

As an interesting fact, the wallhack-block of C-D, VAC and HLGuard, though having similar results, are not the same. VACs wallhack-block does not block teammates behind walls, C-D does. When you view a demo with activated wallhack, you can see everyone behind walls since there is no active wallhack-block (great for catching cheaters that aim through walls ...), unless the server the demo was recorded on uses HLGuards Wallhack-block: As a serverside plugin, HLG completely erases the model whenever the should not be able to see it instead of just hiding it. Even if you view the demo offline with an activated wallhack, you won’t see models behind walls.

Where will all this lead to? Well, disregarding what cheat coders and cheaters may tell anti-cheaters almost every day, the situation has improved and will get better with every new HL/CS/VAC/C-D release. Valve already announced that it will be much harder for cheaters in the future to check whether a hack is detected or not: Since they have full control over their global database they can detect a cheat on one server and let it work on another or only detect it whenever its used by a specific WON id, and vary the players. They could also decide to not add the WON id to the database at all, just freeze the player on that server like C-D does. Valve will create a pretty insecure situation for cheaters, time will tell how cheat coders and users will react on this development.

C-Ds next steps will be the integration of an automatic update like VAC already has, server-admins wont need to do anything in order to always have the latest anti-cheat on their servers. But as always, cheaters will find a way to get cheats running on VAC and C-D servers, that is for sure. Don’t get me wrong, I believe the current anti-cheat situation has not been that good for a long time, but I also believe there will always be coders who have the brains and experience to react to any new anti-cheating measures. The question used to be whether they CAN hack it, the question now is: Can they keep up?

- MUffeehhh
http://www.nocheat.de∞

---

Categories: