Slashdot Mirror
Multiplayer Game Cheating
Washizu writes: "Ensemble Studios programmer Matt Pritchard, who worked on both Age of Empires, and Age of Empires 2: The Age of Kings, has written an article for Gamasutra, the online game developer magazine, on multiplayer game cheating methods and prevention." A lot to say here about human nature. A lot of it applies to virtually any form of online human interaction: from games to, yes, even Slashdot's message boards. A very worthwhile read.
I for one deplore cheating on online games. For shame. I'd write more, but I've got to go log on with my other account and moderate this post up.
--Shoeboy
I think that some times a little chitting can add to a game, come on how many can say that you haven't got home from work and entered "it is a good day to die" in to the chat Window of Warcraft II and send a Peon out to kill the dark armys of the humans? Helps with the stress and it can add a little to the game.
Does anyone actually have a Java program designed to control air traffic, or for the operation of a nuclear facility?
If I went into a job interview and took the previous persons resume in with me how far would that get me? That's about the same thing as cheating in video games.
These kids better wise up before they get smacked by the real word.
when you use any sort of game cheat for so long it just isn't even fun to play anymore. You have such an unfair advantage that if you actually are enjoying it, you really need to take a look at yourself and consider getting professional help. Computer games that are played online are NOT real. You are NOT cool when you win. I think that gamers that cheat to win sucked at everything they did (inside or outside of the Internet) and they feel this need to fix that (something like the fathers that scream at the kids to kick ass in some such sport or get all fired up on bad calls because they are living their non-existant sports career out in their kids).
:)
.02
Anyway, like I said, after a while it just isn't fun anymore. Until someone starts cheating a lot they will always have this desire to do it (to see what it was like). It is nothing special. Get over it
Just my worthless
One thing that impressed me about the article was the ingenuity of cheaters (the ones who actually create the cheats, not the lamers who just download and use them). The Doom/Quake franchise managed to, in some sense, harness that creativity by allowing people to create their own game modifications.
How could the creativity of cheaters be harnessed in other ways, without ruining the game for non-cheaters? Maybe create games where you design in-game ships or weapons by writing some sort of psuedo-code ?
wants to be the first monkey to touch the monolith
The article identified six types of cheating, but completely failed to identify any reasonable solution for the first one: reflex augmentation.
It is not terribly difficult to write a script to execute commands without the use of the mouse. In Quake 2, the only real effect was that some people had godlike aim - and this was usually pretty easy to spot.
But consider what reflex augmentation could do in Warcraft 2, for example. One could write a script that caused the "mouse" to "click" on your Town Hall and Barracks, automatically creating peons and ogres at a set rate, while you controlled everything else.
Would this even be possible to spot?? From the server side, it would just look like someone had insanely good reflexes. And, of course, it would be easy to tone it down just a little - occasionally have your script "mis-click" just to the left of the town hall, put in tiny delays, etc.
It seems to me that the only way to prevent reflex augmentation would be to force the player to play on someone else's computer with a very restrictive account... any thoughts?
"Beware he who would deny you access to information, for in his heart he deems himself your master."
The problem with the entire RPG genre of on-line games is that it isn't really the fun that hooks people in, it is the basic stimulus-response instinct that keeps people up all night playing Everquest or a MUD. By making you do things to get rewards (levels, new items, etc.), and by dishing them out a little at a time (with a fair ammount of randomization), these games tap into the same psychological conditioning scheme that makes old ladies spend their retirement checks all day at slot machines and BINGO games.
Since the satisfaction one gets in these games is usually the reward of a more powerful character, the mind begins to make the association of "better character == more fun", and cheating, or power-leveling, or "twinking" becomes very attractive.
The draw of these games is that they sort of let you live life in fast-forward. In a few dozen hours of gaming, you go from being a pathetic babe in the woods to being a massive warrior or wizard. Cheating speeds this up even more. It's a logical extention of the persuit of the goals the game establishes, really.
You don't often see the kind of rampant cheating that prevailed in Diablo 1 or Ultima Online when you are playing the FPS games. It seems that the shooters have acquired a sort of sports culture. To cheat at Team Fortress would be a lot like cheating at a pick-up basketball game. Neither side has more fun as a result, because the rewards of player-vs-player gaming comes from the joys of testing your skills against other people. Cheating in such situations is boring for both the cheater and the victim, even among younger kids.
It seems to me that the challenge that lies before those who wish to write on-line RPG's is to get a little farther away from the "kill monster, get a treat" format that is so common to these games. Good storytelling is helpful; nobody cheats at games like Myst. Creating a social environment that facilitates less of a "who's got the biggest *" mindset would also reduce cheating dramatically.
Mind you, I'm not saying that the typical hack-and-slash, smash-and-grab RPG does not have its place. I wore out a mouse on the first Diablo, same as the next geek. All I am trying to say is that game designers ought to start thinking beyond it, now that the current technology allows them to explore a lot of new avenues.
Information wants to be anthropomorphized.
In massively multiplayer online games, most notably MMORPGs, integrity is everything. If people can't trust the integrity of other characters, they won't bother spending the time to build them. I think a lot of attention needs to be paid about how to keep server-side certain pieces of critical data.
First, the tradeoff: anything you keep server side on a trusted server is safe. Anything you load client side you can assume for the sake of argument will be possibly modified by a player. So, let's take a MMORPG: you have characters, monster, and various abilities all interacting. What is responsible for the integrity? The server needs to be. First, the all important player character should be totally stored server-side. No information about stats/abilities/etc is kept locally, and the server never reads any from the client. It just sends a scenario and accepts commands. A pristine client interprets options from the server to provide an interface, but just because you locally manage to send a "super fireball" command when you only have a regular "fireball", doesn't mean the server should parse that. It should obviously return an error. (and probably flag you for some sort of observation, cheater!)
In any event, the dichotomy between client and server matches that between cause and effect -- never let clients dole out effects, only accept input.
On to the more difficult problem, which is when the information you pass to the client is more than they should have, based on the fact that you cannot transmit it as-needed due to bandwidth/cpu/latency limitations. This is where innovation needs to occur. Things like handing over partial maps, or possibly breaking maps/info up into smaller pieces and giving them all out encrypted, then handing decryption keys over real time. (And this would be an art in itself? Would 16-bit XORs work? Or would someone find a way to analyze all 65k combinations for consistency and break through in sufficient time to gain an advantage?)
In a game which was not time-sensitive, obviously, this stuff should be kept server side. For example, I've never played age of kings, but I've played HOMM2/3, which are turn-based strategy games. In those cases, all data could be kept server-side, other than the revealed portion of the map. Because the players play each turn in succession, time is not a real issue. A few seconds for pulling data is not that important.
Anyhow, good article. This is definitely one of the biggest problems facing MMO gaming, and as multiplayer becomes more important to games, and as more games go MP-only, this will be critical. Bandwidth and lower latency will help alleviate the problem, but there's a lot of room, I think, for clever protection from cheaters.
The previous generation servers, that the earliest branches of chessd are based off of, solved this problem by what they call "timeseal". They distributed a closed source binary for a bunch of platforms to their users, and should they choose to use them, it would use the MOVE command in such a way where it would trust the time reported. This was a half assed solution, at best. Besides being easily reverse engineered, anyone who knows how to use their system's "date" command can fool it.
The crux of the matter is, at least in chessd's case, that we can't stop cheating. We can pretend to stop people using timers, but there's no way in heck we can stop people who use a chess engine to analyze their position, etc. Hence, in our rewrite we will be implementing a "trust" system. Either the user trusts the client and risks playing a cheater, or trusts the server and bites the lag bullet. We will, of course, be doing _some_ checking on the trusted moves to make sure they aren't obviously faked. (No negative times!)
We don't think that an E-Bay style recommendation system is needed, because frankly, the server admin can always ban someone who they have good reason to believe is cheating.
In conclusion, you should trust your opponent out of good faith. If you can't, you can either trust the server and bite the performance bullet, or not play at all.
-bugg
The point is, often cheaters (in certain types of games) will end up being punished automatically, because online games just aren't fun unless you have someone to play against, and no one likes playing against a cheater.
(From the Article..very interesting. read on) An FPS aiming proxy works like this: The proxy program is run on a networked computer and the player configures it with the address of the server they are going to play on. They then run the FPS game on another machine and connect to the proxy machine, which in turn connects the game to the server, acting just like an Internet packet router.
:)
The only hitch is that the proxy monitors and attempts to decode all of the packets it is routing. The program keeps track of the movements and locations of all the players the server is reporting to the game, building a simple model. When the proxy sees a Fire Weapon command packet issued by the cheating player, it checks the locations and directions of all the players it is currently tracking and picks a target from them. It then inserts a Move/Rotate command packet into the stream going to the server in front of (or into) the Fire Weapon command packet that points the player straight at the selected target. And there you have it: perfect aim without all the mouse twisting. (End of Article)
I just cant help thinking, these guys are so desperate about cheating. All this effort could have been spent on building something productive or learning how to use the mouse with the keyboard and kicking bots ass. Why cant we just learn to lose sometimes. Why is winning so important ? I have had my ass kicked by bots and humans alike, but I jump right back up and rail his sweet ass to kingdom come. Gaming is not all about winning, but its about perspiration that drips from your eyebrows, but you cant wipe it off, because you know your enemy is out there, seeking you out with a railgun combined with the power of Quad Damage, with an ethereal blue shadow to his skin, and you wish you were somewhere else...
Rapid Nirvana
Or how would Neo dodge bullets or bend spoons in The Matrix???
Yes I've used the map hack on Starcraft- not to cheat, but to give myself a fighting chance because cheating is so widespread on BNET. The whole balance of power concept from that Star Trek episode where Kirk in response to the Klingons arming one side of a warring faction, broke the rules and armed the other side in order to create an equilibrium. It's a never ending cycle because everytime a patch is released, the new hack follows in a matter of days. Maybe trying to cut corners for that edge is just human nature.
As someone without a cable/DSL/anything above 33.6, I have little interest in multiplayer gaming. I typically buy games only for single player only.
It drives me insane when I hear an announcement that X game is delayed to correct a few multiplayer cheat bugs. *I DON'T CARE*. Why do I have to sit and wait because some poor attention-starved loser wants to cheat on a part I will never use?
Add to that the added insanity (disclaimer: I believe single player games should allow me to cheat my damn brains out - i bought the game, let me do what I want with it) that sometimes developers disable cheating entirely in the game as a way to deal with the multiplayer bugs.
How are they going to solve that? Sell two separate versions of the game? I'd also expect it to be cheaper than the single+multiplayer version.
Is there any reason why this can't be done? Or am I, as a single player, destined to be ignored due to the complaints regarding a game I don't even play?
Ask a combat vet what a winning scenario is. He is likely to tell you; no deaths and no kills. "An interesting game..the only way to win is not to play." We are being deluded into believing that a life without fifteen minutes of fame is not worth living. Read the book Stiffed by Susan Faludi.
"..don't you eat that yellow snow."
Another form of cheating that get's overlooked is cheating by the people who are running or created the game.
Anyone remember when BBS's were popular? How you could log into a BBS Door game and play it for maybe a maximum of an hour? Ever play one where the SysOp played too? Not very fun if everyone picks on the SysOp, because the SysOp would turn around and just cheat to restore balance to their favor.
The same goes for MUD's, The people running it might just be as guilty of cheating as the people playing it.
There is no such thing as a cheat-proof game. The closest Online Games come to being cheat proof is when it's Client-Server and nobody has access to the server. The second part is that the "Client" has to only process I/O from the server (Person moved from x,y to X,Y and got hit by a frog.) and not store any data on the user's end. Now the problem with these set-ups is that there has to be checks in place to prevent multiple accounts or multiple users. (Anyone play Utopia or Earth 2025? Worst case of Client Server cheating I've ever seen, reason being that the only multiple account check is the uniqie email address the authorization code was sent to.)
Of course that could be blamed on the fact there are too many free email systems out there for people to abuse.
The worst examples of cheating always occur in peer-to-peer and client-server systems that the client has to do calculations to send back to the server.
A type of cheating I haven't seen too much, but realized people do this (and not just to games!) is to create macros or bots so they don't have to play the game themselves.
The "Adbar make free money" system has been the latest target of cheating with people creating emulators and macros to cheat them.(Look it up, they exist, Alladvantage being the biggest target) And to make more free money out of them here comes the muliple accounts that they use for referer's, so when they do their X hours on whatever ad system, they load up the next account and do the X hours again.
Just about every aspect of cheating in games can be applied to cheating other software, be it cheating the Ad-paid software, to cheating stupid software from wasting your bandwidth (Do you know how many programs waste your bandwidth? *cough*Real*cough*Player*cough*)
In my opinion, if people are going to create cheats for online games, the people who create the games should be looking out for these cheats and what they do to the game. (Lot's of cheats rely on over-writing some part of the game's memory with different values) Save-game cheats
being the easiest way for the novice to cheat(all you need is a hex-editor), to the more complicated using a debugger and changing memory values to cheat.
Again I come back to the point where game developers should not "use" any data calculated on the client side since it could be cheated easily.
Anyways I think this message is long enough.
I didn't get that message from it. I don't think it is evil to hack on a game and find its weakenss. It IS evil to use that knowledge to screw with an unsuspecting person's game. Well, at least it is rude. I've considered writing a Battlezone bot just for the fun of it, but you can be darn sure I would have let other players know it was a bot they were playing against.
In the end, I decided to write my own game instead (or more correctly, a game toolkit). Sorry about sneaking in that shamelessly self serving plug. :)
Cheers,
Thad
The Bolachek Journals
Looks like "Up, Up, Down, Down, Left, Right, Left, Right, B, A, Select, Start" has been the downfall of human kind.
Why not skip the technical solution and go for the social one? Sort of like Advogato's trust model, or maybe more like PGP's key exchange mechanism. I trust Anna, who trusts Bob, so I trust Bob. Stuff like that. If someone cheats, you don't trust them. That way you don't have to trust everyone explicity, but you still have a wide pool to play from. Perhaps this is a bit too complicated for the average FPS-player (I'm not sure it could be implemented to where I thought it was easy). Do any games have solutions like this? Of course, such a model could possibly be abused and would put new players at a disadvantage (aren't they already, though?).
The best strategy I can see so far is to keep the authoritative simulation on a central server. Game character data would have to be stored and authenticated by some central authority as well. My vision for a MMRPG involves a network of virtual worlds running on many servers, and that makes the who cheating issue even more complicated. Anyone have any thoughts to share on that?
BTW, you can check out my SDK at www.gridslammer.org.
Later,
Thad
The Bolachek Journals
Out there on the web, we've got this site...
MUD-Dev is a professional and advanced amatuer discussion and design sharing forum, based around a mailing list and the kanga.nu domain. These topics are a regular subject of discussion there.
Follow this for a philosophical/technical discussion about trusting the client; includes significant amounts of contribution by Raph Koster (OU's Designer Dragon)
This is a currently running discussion about controlling "grief players"...
Take a look... there's some good stuff in here.
-- Still waiting for the Nike endorsement
Look at how many hacks and/or cheats that have been uncovered in Everquest. Nada.. Ziltch.. A few cheats that have been quickly 'repaired', but those that resided in the 'buisness logic' of the game.
;-P
One has to ask how they did it. And I can tell you one thing, it wasn't with client side logic.
They do virtually *EVERYTHING* that this article says is a big nono, or simply not possible. Yet they are successfull. They take some addition precautions as well, such as not allowing the app to run minimized, therby making it a *little* harder to hack while running. They encrypt all local files, and do a CRC check on them. If they fail, they update them. All communications is encrypted, and yet they still maintain decent framerates..
Granted, their framerates aren;t their selling points, but the game is playable with *hundreds* of people in the same zone..
-- I'm the root of all that's evil, but you can call me cookie..
I think someone should make a persistent world game designed for programmers. Instead of having them focus their energy destroying the experience for other players, why not make a game that encourages programming/hacking - in fact it requires it.
That is, all the entities in the game are controlled by computer programs, which are written by the players. The programs can run remotely on their machines and make request over the network (with some human guidance) or they can run 24hrs a day on a Java Servlet on the server.
The idea of programmers writing robots for a game isn't all that new. A long time ago there was C Robots. About 8 years ago Dave Taylor and I got our start in the gaming world by running the National Programming Contest for IEEE. This contest had a fresh new game every year that was played by client programs and run on the IBM AIX platform (they gave us free machines). Our contest were simple because contestants only had one weekend to make a client, but I can imagine a much more complex and interesting world for clients to play in.
What is kind of new here is the idea of a persistent world. As players get more advanced they can have their characters spawn new ones. A computer program can control 10 people almost as easily as 1. And computer programs can play 24 hrs a day, but human players have to sleep. And for someone looking to make money - you could charge for "hosting" the client program.
-- Virtual Windows Project
i, for one, don't give a shit about cheating because whenever someone i'm playing is cheating, i can walk over to their computer and kick them in the good 'n plentys. let me explain:
internet multiplay is crap! stop doing it! everybody cheats, we know this. you don't know the people you're playing against (this, i'm sure, is not true in many cases, but i'm generalizing) so what fun is it to win? basically, all that internet play does is foster agressiveness and competitiveness in people-- two things i personally can live without. internet play is also difficult for modem users who are up against HPBs all the time.. gosh, what fun!
the solution is, get some friends together and start having LAN parties. start playing with people you know. multiplayer games are so much more fun when you get to talk about it afterwards over a beer or a mountain dew or whatever the hell you want to drink: "dude, that one part where you bounced off my rocket over the lava and onto jimmy's head was RAD!" "yeah, rad". i know, sounds lame, but you all know it's fun.
basically, i'm giving a call to gamers to quit being lazy sax of shznit and start organizing LAN parties in your town: they kick ass, and you could probably use the socializing (if you're anything like the hermits i normally party with)!
thanks for your time, sorry if i was overly-crude
grizzo: totally insecure, but very convenient.
Children are *NOT* good at distinguishing fantasy from reality.
Geez, the number of times I see wholly ignorant people spewing that line in defense of letting kids have access to FPS, violent movies, etcetera.
Fantasy rules the child's life. The bogy-man under the bed, the magic of the shopping mall Santa, playing house, don't step on the cracks, Bambi dying.
Even a lot of adults don't have the ability to distinguish fantasy from reality. Look at the number of adults who believe that America grabbed the U571 submarine, or believe that UFOs exist.
It has nothing to do with intelligence and *everything* to do with naivete. Children don't have the life experience necessary to distinguish reality from fantasy.
In adults, it's more tempting to use the word "ignorance," but it's really the same thing: a naive person who hasn't the experience to know historical truth from Hollywood fantasy; or scientific methods versus wishful thinking.
At any rate, the bottom line is that anyone with experience with children or who spends a few minutes looking in a few child psychology books, will certainly understand that fantasy and reality are not easily distinguished by children.
And anyone who thinks otherwise is, at best, naive.
--
--
Don't like it? Respond with words, not karma.
Oh wow. I just got back into Dallas from Siggraph 30 minutes ago and discovered my mailbox filling up with emails from the /. side-effect. Just a couple quick comments on the discussion....
0) This article first appeared in print in the June 2000 Issue of Game Developer Magazine.
1) I didn't come up with the title. I honestly couldn't think of a catchy title, so I let my editor come up with one. As far as nit-picking over the useage of "Hacker" and "Cracker" - don't sweat it. Yes, I know the difference.
2) The most important point in my mind is that multiplayer cheating hurts other human players and is an order of magnitude different from the things we do when playing solo (single player) games. When a person realizes they are on the receiving end of a cheat - that another human being wants to do that to them - it's a hugely distructive feeling.
2a) People walk away from games and badmouth them to their friends when they think they are getting screwed. The better selling your game, the more this matters.
3) Many people have been emailing me and posting about things I didn't cover. I really appreciate it though I do already have some of it. When I wrote the article I had to keep it to about 7000 words, so I only got to cover about 1/2 of what I wanted to. Given the reception it has received, there will likely be a second article on the topic.
3a) Keep the comments and emails coming - I will try and respond to all.
That's all for now. I really appreciate everyone's input and thoughts on the matter.
-Matt Pritchard
Agreed absolutely!!!!
In today's age, understanding how the machine actually works is wayyyy underrated. People don't care about it anymore because they now grow up with smart compilers---or worse, they grow up buying the lie that just knowing how to use applications is "good enough" (umm, what if that app becomes obsolete, God forbid?!), and teachers de-emphasize it because it's not the "industry trend".
*I* say, screw the "industry trend". You need to understand how the thing actually works. I haven't researched this, but I'm willing to bet that people who don't know how the machine works write poorer quality code than those who do. I'm not talking about obsessive "optimized" coders who tweak the last ++ operator in C and abuse #define's to get a "100%" efficient program (only to get totally screwed over by the optimizing compiler that gets totally confused by the weird code and spits out poor executables). I'm talking about people who've had solid experience in assembly language programming. They are the ones who understand what exactly goes on in optimizing compilers, and how to take advantage of them. (John Carmack, anyone?)
People think that assembly language programmers will become extinct. Everybody around me says so. But they don't realize how much understanding you can gain just by learning how to look at a hex dump, and with a good reference on your processor's assembly language, locate where a piece of code might be, and then figuring out how to patch it to do what you want. Figuring out how to locate a piece of code in a large binary executable, possibly with no information on what is code or what is data, this in itself will be such a valuable learning that you won't ever regret spending the time and effort. You may not actually use this in your career, but who knows, the kind of logic that you need to apply to this kind of problem may well earn you a good income. And then of course, after locating the piece of code you're interested in, constructing the patch to it -- which must take into account many constraints like size, which often severely limits what instructions and addressing modes you can use -- and applying the patch... the kind of analytical thinking that you need to accomplish this will be such a help to you that even if you'll never touch assembly language again in your life, you won't regret having learned how to deal with it.
It's not that assembly language programmers are stubborn or trying to hold on to "outdated" methods; rather, it's that young programmers spoilt with modern conveniences and short-cuts are deprived of an experience that may make a huge difference to their abilities, even if their area of expertise will be programming in a high-level language.
---
mikre he sophia he tou Mikrosophou.