Analysis of cheating in Counter-Strike

This article aims to analyze the ongoing battle between cheaters and anti-cheaters, specifically in Counter-Strike. See cheating in Counter-Strike for information on the phenomenon, and refer to cheating in online games for a more general description of the subject.

Vocabulary

This brief section tries to explain some of the expressions used in the article.

Server-side vs. client-side anti-cheat

  • A client-side anti-cheat mechanism usually consists of a program that authenticates itself to the server and tries to enforce the purity of the client.
  • Client-side anti-cheats often have to be kept up to date by the player, which is tedious and makes players avoid servers that require such an anti-cheat.
  • A server-side anti-cheat does not require any additional programs or actions from the players, as only the server admin has to take care of the anti-cheat mechanism.
  • Server-side anti-cheats are usually less effective, producing more false negatives than client-side anti-cheats.

Casual vs. professional cheater

  • Professional cheaters almost always play in a clan. Often, cheats are a clan business and the individual players are supplied nonpublic hacks by the clan. Some clans have their own cheat coder.
  • Professional cheaters play for prizes, and cheats are required as much as training to defeat other pros.
  • Casual cheaters tend to be of low to middling skill and usually use publicly available hacks.
  • While some casual cheaters merely cheat in order not to be completely dominated ("pwnd") by more skilled (or, more likely, cheating) players, some do it merely to disrupt gameplay and empty a server.
  • The difference is mostly that professional cheaters play in clan wars and usually do not attend public servers, while casual cheaters restrict their cheating to public servers and do not attend clan wars or tournaments.

Public vs. private hack

  • Public hacks are hacks that are freely downloadable from a website, sometimes even advertised by the cheat in-game with or without the cheater noticing it.
  • Public hacks can be found by anti-cheat authors as easily as by cheaters; a brief analysis of the cheat and an update to the anti-cheat mechanism is often all that is required to stop a newly released cheat that is still undetected ("proof").
  • Private hacks are normally privately enhanced public cheats, maintained to keep them undetected ("proof"), and rarely leaking through to the public (and thus to the authors of anti-cheats).
  • Some hacks are technically released to the public but receive so little attention that they slip under the radar of anti-cheat authors. If public access is limited and brief, such a hack is effectively a private cheat.
  • Professional cheaters use private hacks exclusively, since the risk of eventual detection is too great. Casual cheaters rarely get their hands on private cheats, although with determination and the right friends it is not so hard a feat.
  • While many cheats are released by their authors simply to get attention or out of a desire to share what they have created, a common reason for releasing a public hack is to have the hack gather passwords and potentially other sensitive data for the author; see also e-mail phishing.

Stealthy vs. blatant cheating — hacking vs. cheating

  • Blatant cheating usually is just cheat-enhanced disruptive gameplay, and is often termed hacking rather than cheating.
  • Stealthy cheating is designed to make it look as if the player merely was a very skillful one.
  • Blatant cheating is sometimes done by novice players (or novice cheaters) who do not know how to properly camouflage the fact that they are cheating.
  • All types of cheats can essentially be used in both ways. A wallhack can be used stealthily, to shorten the cheater's reaction time to another player running around a corner, or blatantly, by sitting behind a wall and distributing headshots to everyone.

Methods of cheating

First, an explanation of how cheats in Counter-Strike work in detail and how they are being stopped.

Replacing client.dll and datafiles

  • One of the first types of cheats that appeared for Counter-Strike were the so-called headshot scripts. They utilized an altered client.dll that offered additional functions to scripts, so that a script written in the extended CS script language replaced the more common mouse/keyboard bindings for attacks.
  • Similarly, data-file cheats exchanged data such as sound files, but mostly models, for variations that imposed some sort of drawback on the cheater's enemies: louder silenced weapons, for example, or player models that were visible through walls and doors due to spikes, or in the dark due to luminous or brightly colored textures.
  • Neither of the two types of cheats is considered effective at this time. Regular aimbots prove to be far more powerful than headshot scripts, and changes to client.dll, player models or sound files are restricted, as clients provide checksums of these files to the server, which can choose to disconnect clients whose checksums differ from the values on the server.

Hooks

  • Client hooks make use of a facility in the Win32 API that allows them to easily intercept, redirect, manipulate and alter DLL calls.
  • Counter-Strike is considered vulnerable to this attack because the mod is itself a separate entity from the Half-Life engine, and the two communicate with each other through easily intercepted DLL calls. Most people consider this a special weakness of the Counter-Strike architecture that is not directly applicable to all games. However, few contemporary games are one monolithic executable, and almost all of them utilize DLL calls for various purposes, if only driver calls.
  • The source of the loaddll library, written by the author of the original OGC, was eventually released as open source and led to a multitude of OGC-like cheats that utilized the same facility to wedge themselves between the game's engine and the mod's game logic.
  • The same thing may also have led to the relative hook-proofness of current anti-cheats. VAC appears to be able to detect client hooks reliably, and C-D even claims to, although there has been a history of hooks which managed to work without being detected by either one or both.
  • Amongst the first aimbots were color-based aimbots, known to exist only for relatively early versions of Counter-Strike. They colored either team in a distinctive color (e.g. bright green or bright red) and would automatically fire on any pixel of this color. Since they could sometimes be foiled by using multi-colored logos, they did not have much success. A key was pressed to switch from auto-aiming at one team to the other.

Driver manipulations

  • Beginning with XQZ, Counter-Strike has had a long tradition of being susceptible to altered drivers. Like any modern computer game, Counter-Strike makes heavy use of the Win32 infrastructure: the Windows API, DirectX for input, networking and sound, and the ability to use either DirectX or OpenGL for graphics. Theoretically, each one of these components could be manipulated to gain an unfair advantage. Although almost all drivers could be used, in practice almost exclusively the OpenGL and DirectX infrastructure and, more rarely, mouse drivers are manipulated.
  • Only C-D detects replaced OpenGL drivers. VAC at one time banned users with a certain ASUS graphics card because its drivers replaced the normal DLL supplied with Windows during installation. Coincidentally, certain ASUS drivers at some point also allowed for wallhacks without requiring any additional drivers. Such false positives have seriously harmed the efforts of the ban-them-all proponents. VAC currently does not detect these cheats, which are the easiest to create.
  • Driver manipulations are especially hard to detect, as basically every file on the computer could be part of a legitimate driver or of a cheat. Therefore it is essentially impossible for either a LAN party admin or an anti-cheat tool to detect such a cheat, even when free to search the suspected cheater's computer.

Proxies

  • There are no known public cheats that utilize proxies, and thus none are detected. But some high-end clans like mTw appear to be using proxy-like cheats, in order to increase their stealthiness against both visual detection at a LAN party and known client- and server-side anti-cheat mechanisms.
  • Proxies are exclusively aimbots, and they give themselves away by the crosshair not correlating with the position of the actual impact. With small FOVs, however, these cheats can be both extremely stealthy and effective even in LAN play, as hits can easily be attributed to Counter-Strike's relatively inaccurate weapons, so-called lucking.

Anti-cheat mechanisms

This section tries to elaborate on how the anti-cheat movement has tried to reduce cheating in Counter-Strike and other Half-Life mods.

Punkbuster: Prototype of client-side cheat prevention

  • Punkbuster was the first attempt at client-side cheat prevention. It appeared in mid-2000 and was able to detect some proto-hacks of the time, but found little use, as most players did not want to put up with running yet another program in the background while playing online, and it was finally put out of business by OGC's fast development cycle.
  • It authenticated itself to the server's Punkbuster plugin.
  • OGC particularly impressed with its circumvention of Punkbuster's screenshot function: when the server admin requested a screenshot from the Punkbuster client, an alarm sound would ring, and for the instant the screenshot was taken, all traces of the cheat's presence were removed. This function of Punkbuster did, however, have some limited success against cheaters who used bugs (or features, depending on the point of view) in their drivers as an effective wallhack.

CSGuard: Server-side file and variable checking

  • CSGuard was later renamed HLGuard, as it was redesigned to protect other Half-Life mods, not just Counter-Strike.
  • It was favored by many server admins because it did not require any special programs running on the client's computer, a requirement that usually reduced the number of players on a server.
  • It was an interpreter for its own script language that utilized a facility of the Half-Life protocol: the ability of the server to execute console commands on the client. It would simply check for the existence of certain variable names and files that were exactly defined in the plugin's config file. Because of the extendable script, cheats with known file names and variables could quickly be added without requiring the server to restart.
  • This approach is completely ineffective against modern multihacks, which usually store no information in (predictable) cvars, nor keep their files within the Half-Life directory structure. CSGuard always has been, and always will be, completely ineffective against private hacks.
  • Still, it is in widespread use on many servers today, as it has few drawbacks and can detect many older cheats quite reliably.
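The two server-side checks described so far, the checksum comparison of client.dll and model files from the "Replacing client.dll and datafiles" section and CSGuard's config-driven check for known cvar and file names, can be put side by side in one small verifier. The following Python is an added example written for this page; it is not code from CSGuard, HLGuard or Valve, and the rule-file format, the rule and file names, and the "client report" structure are all constructed for the illustration. It also shows the limitation the text states: a private hack that simply uses different names never matches a name-based rule, and everything in the report is client-supplied and therefore only as trustworthy as the client.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-ins for the server's own copies of the files whose
# checksums it pins (the page names client.dll and player models).
KNOWN_GOOD_FILES: Dict[str, bytes] = {
    "cstrike/cl_dlls/client.dll": b"constructed client.dll contents",
    "cstrike/models/player/terror/terror.mdl": b"constructed terrorist model",
}

# CSGuard-style rule list in a constructed config format:
#   <kind> <name> <action>, where kind is 'cvar' or 'file'.
# The names are made up for this example and refer to no real cheat.
RULES_CONFIG = """
# kind   name                          action
cvar     example_hack_active           kick
cvar     example_hack_wall             kick
file     cstrike/example_hack.dll      kick
"""

Rule = Tuple[str, str, str]


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """SHA-256 of every file the server wants to pin, computed from its own copies."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def parse_rules(text: str) -> List[Rule]:
    """Parse the rule list; blank lines and '#' comments are ignored."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, name, action = line.split()
        if kind not in ("cvar", "file"):
            raise ValueError(f"unknown rule kind: {kind}")
        rules.append((kind, name, action))
    return rules


def make_report(files: Dict[str, bytes], cvars: List[str], listing: List[str]) -> dict:
    """Constructed client report: the checksums the client computed, its cvar names
    and its file listing. All of it comes from the client and is untrusted."""
    return {
        "hashes": {p: hashlib.sha256(d).hexdigest() for p, d in files.items()},
        "cvars": list(cvars),
        "files": list(listing),
    }


def check_client(report: dict, manifest: Dict[str, str], rules: List[Rule]) -> List[str]:
    """Return the findings that would justify a disconnect; empty means nothing matched."""
    findings: List[str] = []
    # 1. Checksum comparison of the pinned files (missing or differing -> finding).
    for path, expected in manifest.items():
        got = report["hashes"].get(path)
        if got is None:
            findings.append(f"no checksum reported for {path}")
        elif got != expected:
            findings.append(f"checksum mismatch for {path}")
    # 2. Name-based rules: only an exact, already known name can match.
    cvars, files = set(report["cvars"]), set(report["files"])
    for kind, name, action in rules:
        present = name in cvars if kind == "cvar" else name in files
        if present:
            findings.append(f"known {kind} {name} present -> {action}")
    return findings


MANIFEST = build_manifest(KNOWN_GOOD_FILES)
RULES = parse_rules(RULES_CONFIG)

if __name__ == "__main__":
    clean = make_report(KNOWN_GOOD_FILES, ["name", "rate"], ["cstrike/readme.txt"])
    print("clean client:", check_client(clean, MANIFEST, RULES))
    tampered = dict(KNOWN_GOOD_FILES)
    tampered["cstrike/models/player/terror/terror.mdl"] = b"bright model with spikes"
    print("tampered model:", check_client(make_report(tampered, [], []), MANIFEST, RULES))
    renamed = make_report(KNOWN_GOOD_FILES, ["zz_private"], ["cstrike/zz_private.dll"])
    print("renamed private hack:", check_client(renamed, MANIFEST, RULES))
```

The tampered model is caught because the server compares against hashes of its own files; the renamed hack is not caught because the rule list only knows names it has already seen, which is exactly why the text calls this approach ineffective against private hacks.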

VAC: Valve's Anti Cheat

  • Essentially a client-side anti-cheat mechanism that is integrated into the Half-Life engine and automatically kept up to date, it combines the ease of use of a server-side anti-cheat with the detection rate of a client-side anti-cheat.
  • A few months after the introduction of VAC, Valve began banning detected cheaters from all servers secured with VAC. To this day, this is arguably the most effective way to keep public servers safe: while a cheat may not be detected immediately, a cheater is likely to use a different cheat now and then, at the latest with a new version of Counter-Strike, and a positive hit by VAC removes the cheater's ability to play on secure servers for a long time.
  • The number of valid CD keys, which are required to play on both WON and Steam, is limited and not computable. Because of the availability of huge lists of valid CD keys, there have been rumors about hacking incidents in which CD keys were extracted from WON, but it is much more likely that the majority of such freely available CD keys originate from cheat software which transmits the CD key to its author. Valve also invalidates CD keys which it finds through the various channels on the internet, so new lists stopped being made available. It can be safely assumed that at least some cheat authors have a near unlimited supply of valid CD keys.
  • Valve has also been accused, especially by the cheater community, of only banning CD keys to force players to buy a new copy of Counter-Strike or Half-Life.
  • While still mostly based around the detection of known cheats, and thus mostly ineffective against private hacks and professional cheaters, VAC has managed to allow a mostly cheat-free game on most secured public servers. This is unlike C-D servers, where the detection/prevention rate of cheats may be much higher, but where all cheaters are forced to play on after they were banned from VAC-secured servers, and where they can simply try again if one cheat is detected or prevented.
  • Unfortunately, VAC has not been updated since April 2004. VAC2 was supposed to be released in April 2005 and is supposedly in beta testing at the time of writing (April 2005). From what has been reported thus far, VAC2 does not appear to be a revolutionary change over the way VAC has done things in the past, and cheat creators are still very confident of being able to bypass VAC2 once it has been implemented.

Cheating-Death: Prevention instead of detection

  • Cheating-Death is praised for its ability to prevent whole classes of cheats, rather than detect single instances of such a class. It tries not to punish a cheater, but instead either prevents his connection to a C-D secured server for as long as a detected cheat is active, or tries to render cheats useless.
  • It attempts to render cheats useless by wedging itself between the mod and the engine and giving the mod (where presumably a cheat hooks) false information about positions to confuse aimbots. In the case of wallhacks, it draws players behind walls in the wrong position (usually several hundred meters above their actual position).
  • Not banning anyone permanently, and not allowing server admins to know why a certain player disconnected, hampers the effectiveness of C-D as a means to keep a server 'pure'. A cheater may simply test various cheats until he finds one that works, or, once 'caught', wait for an update from the cheat's author.
  • While C-D tries to disable whole classes of cheats rather than detecting single instances, there have repeatedly been C-D-proof cheats that used exactly a mechanism C-D was supposed to prevent. Cheat authors seem to be able to create single instances which circumvent C-D with relative ease, so the true effectiveness of C-D is highly disputed. There are presumably hundreds of different private cheats which are all able to circumvent C-D. And if someone is caught, there is no punishment: one can simply go and find a new, C-D-proof cheat.
  • Still, it remains the premier anti-cheat option for server admins who prefer not to use VAC to secure their server for one reason or another, for example NOWON servers. But because of the listed problems, and because cheaters detected by VAC are forced to play on C-D or insecure servers, the cheater rate on many public C-D servers is estimated to be as high as 40% (2004).

Cheating detection

  • Cheating detection describes the detection of the actual cheating, rather than the detection of the hacks. Theoretically, in Counter-Strike, hacking approaches undetectability, but any experienced player can manually detect cheating in effect with a high probability. Cheating detection thus means the automated search for and identification of the effects of cheating.
  • The first working effect detection was present in CSGuard, which allowed the server to continuously track the movements of the player's crosshair and tried to detect suspicious, repeated sudden lock-on headshots.
  • CSGuard's aimbot detection was miserable, as the alarm rate was almost the same for a well-trained player and for a player using an aimbot set up for stealth. It was hardly ever used, and the function has supposedly been removed from HLGuard, CSGuard's successor.
  • HackCam, which is rumored to become a supplemental anti-cheat mechanism to VAC2, Valve's anti-cheat for the Source engine, uses a wide range of elaborate detection methods to discover both ESP and aimbots, and awards points for suspicious actions.
  • One disadvantage of such elaborate cheating detection is the greatly increased resource consumption on the server, as the software continuously analyzes all behaviors that a player exhibits for suspicious actions.
  • The other problem is the realistic possibility of false positives and false negatives, and the relative arbitrariness of what may be considered cheat-indicating behavior rather than just luck. The creators of HackCam claim that all CAL-I players remained below a 70-point mark, whereas more than 65 points would mean 'suspicious' and more than 85 points would indicate a very high probability of cheating. However, it is questionable whether that means the method is not producing false positives, or whether it produces false negatives on the CAL-I players.
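To make the "effect detection" idea concrete, here is an added Python example of the simplest server-side heuristic this section describes: watching the crosshair for a large single-tick snap that is immediately followed by a headshot with no correcting movement, and awarding points per such event. This is illustrative code written for this page, not CSGuard's or HackCam's detection logic. The 65 and 85 point thresholds are the ones quoted above for HackCam; the 30 points per event, the 25-degree snap threshold, the 0.5-degree settle threshold and the two input traces are all constructed. Scoring per event rather than alarming on the first one is the part that matters for the false-positive problem the text raises: a single lucky flick by a good player stays below the threshold, while repetition does not.

```python
import math
from dataclasses import dataclass
from typing import List


@dataclass
class Sample:
    tick: int        # server tick; the constructed traces assume 100 ticks per second
    yaw: float       # horizontal view angle in degrees
    pitch: float     # vertical view angle in degrees
    fired: bool      # the player fired during this tick
    headshot: bool   # ... and the shot registered as a headshot


# Point thresholds as quoted on the page for HackCam; the weight per event is constructed.
SUSPICIOUS_POINTS = 65
VERY_HIGH_POINTS = 85
POINTS_PER_LOCKON = 30


def angular_delta(a: Sample, b: Sample) -> float:
    """Degrees the crosshair moved between two consecutive samples (yaw wrap-safe)."""
    dyaw = (b.yaw - a.yaw + 180.0) % 360.0 - 180.0
    dpitch = b.pitch - a.pitch
    return math.hypot(dyaw, dpitch)


def lockon_events(samples: List[Sample], snap_deg: float = 25.0,
                  settle_deg: float = 0.5) -> List[int]:
    """Ticks of headshots preceded by one large single-tick snap and no correction
    afterwards. snap_deg and settle_deg are constructed tuning values."""
    events: List[int] = []
    for i in range(2, len(samples)):
        s = samples[i]
        if not (s.fired and s.headshot):
            continue
        snap = angular_delta(samples[i - 2], samples[i - 1])  # movement in the tick before the shot
        settle = angular_delta(samples[i - 1], s)             # movement during the shot tick
        if snap >= snap_deg and settle <= settle_deg:
            events.append(s.tick)
    return events


def score(samples: List[Sample]) -> int:
    return POINTS_PER_LOCKON * len(lockon_events(samples))


def verdict(points: int) -> str:
    if points > VERY_HIGH_POINTS:
        return "very high probability of cheating"
    if points > SUSPICIOUS_POINTS:
        return "suspicious"
    return "no finding"


def tracking_trace() -> List[Sample]:
    """Constructed: a player who sweeps onto a head at 3 degrees per tick, then fires."""
    trace = [Sample(t, 3.0 * t, 0.0, False, False) for t in range(15)]
    trace.append(Sample(15, 45.0, 0.0, True, True))
    return trace


def snap_trace(engagements: int = 3) -> List[Sample]:
    """Constructed: idle, a 40-degree snap within one tick, headshot with zero
    correction, repeated `engagements` times."""
    trace: List[Sample] = []
    t, yaw = 0, 0.0
    for _ in range(engagements):
        for _ in range(5):
            trace.append(Sample(t, yaw, 0.0, False, False))
            t += 1
        yaw += 40.0
        trace.append(Sample(t, yaw, 0.0, False, False))  # the snap
        t += 1
        trace.append(Sample(t, yaw, 0.0, True, True))    # fire without moving
        t += 1
    return trace


if __name__ == "__main__":
    for name, trace in [("tracking", tracking_trace()),
                        ("one flick", snap_trace(1)),
                        ("repeated", snap_trace())]:
        pts = score(trace)
        print(f"{name}: {pts} points -> {verdict(pts)}, events at ticks {lockon_events(trace)}")
```

The smooth tracking trace scores nothing, one flick scores 30 points and stays at "no finding", and three identical snap-and-headshot events reach 90 points. Real servers would also have to account for weapon, distance and sensitivity, which is where the resource cost and the arbitrariness mentioned above come from.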

Weaknesses specific to Counter-Strike

This section discusses why Counter-Strike may be more susceptible to cheating than other, similar online first-person shooters.

Mod/Engine design

  • Counter-Strike was designed as a mod for Half-Life: essentially the game consists of a single DLL and a series of media files (models, sounds). Half-Life, in attempting to be easily mod-able, is itself designed to have many elements changed and replaced on the client's computer.
  • This also leads to the convenient facility of the client-hook vulnerability that is used by so many cheats.
  • Half-Life itself was already a heavily hacked game before Counter-Strike came into existence. Many cheat authors could have gathered experience with Half-Life Deathmatch or Team Fortress Classic. A cheat for Counter-Strike could easily be adapted to work for the various other Half-Life mods.
  • Half-Life and Counter-Strike have both been around for a very long time now, with serious changes to the engine only recently. The longer a game is played by more people, the higher the probability that someone writes a hack for it. So the mere popularity of both Half-Life and Counter-Strike may partially have increased their cheat volume.
  • Counter-Strike is often humorously described as being a "hack itself" (on the Half-Life engine) and thus "asking" to be hacked.

Game physics

  • Counter-Strike's equipment is dominated by very accurate, high-powered hitscan weapons, an ideal setup for aimbots. If, for example, bullets travelled at a realistic, limited speed, the effects and lethality of aimbots might be much less dramatic.
  • Similarly, turning speed is unlimited. A cheat is thus basically limited only by the frame rate and the weapon's performance in terms of killing speed.
  • The tactical gameplay, which favors stealthiness and using everything as cover, makes wallhacks very powerful. Additionally, they allow a great reduction in the reaction time needed to shoot a player coming around a corner dead in his tracks.
  • Playing Counter-Strike, and especially dying, can make players very anxious or raging with fury. Death comes very swiftly and often surprisingly, and is penalized by not being able to do anything for the rest of the round. The players are kept from immediately venting the anger of the moment "of death" and have to watch, rendered completely impotent. This trait, while arguably existing in all first-person shooters, or even all computer games, is very extreme in Counter-Strike, and noticeable especially at LAN parties: the only ones who shout loud enough to be heard across the entire LAN party are the Counter-Strike players. As death is so much more unfavorable than in other games, the desire to "survive" in the virtual world may become real enough to be a strong argument for cheating.

Immature players

  • Some (mainly Quake players, and to a lesser degree Unreal Tournament players) argue that the semi-realism (realistic guns, models, objectives) attracts a different, more immature type of player. But most veteran Counter-Strike players disagree.
  • Counter-Strike received a surprising and very powerful hype when it went retail in 2000, compared to its initial underdog state as "just another Half-Life mod." Features and articles in gaming magazines and online sites began to spring up, attracting a new brand of newer, younger players who had little experience with online FPS. They clashed with the veterans, who often had played Counter-Strike for over a year and had been engaged in other online FPS even before CS, like Half-Life Deathmatch or the Quake series of multiplayer FPS. Some believe that coming to terms with not being able to hold a candle to this sort of veteran player for many months or years may facilitate the decision of many such n00bs to turn to cheating and/or hacking.
  • However, Counter-Strike players are often synonymous with badly behaving players in other games, because Counter-Strike has a reputation for attracting 13-year-old ADD sufferers who cheat and flame, show little respect for the game or generally do not show good manners.

Theoretical limits to purity

Two essential hacks stand in the way of making a server pure: aimbots and wallhacks. The client software cannot be trusted, and the only way to be absolutely sure that no excessive information reaches the client (and thus a potential hack) is to render both picture and sound on the server and send them to the client, which merely displays the pre-rendered picture and plays the pre-mixed sound. This is of course not possible with contemporary server hardware, but it means that it is theoretically possible to defeat a wallhack, or any type of ESP for that matter. This approach is already partially used by Half-Life, as CSGuard, Cheating-Death, VAC and even recent servers themselves no longer give the player the accurate position of an enemy player: positions are shifted vertically. This is because not giving the client any information about players around the corner would result in missing sounds. Counter-Strike lacks a sound-info part in its protocol in which approximate 3D information about a sound, without any reference to its source, would be transmitted. Future games will hopefully be aware of such fundamental design flaws that jeopardize purity.
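The mitigation described in this paragraph and in the Cheating-Death section (hidden enemies sent with a vertically shifted position) and the protocol design the paragraph proposes (no position for a hidden enemy at all, only an approximate sound hint) can both be written as a per-client update filter on the server. The Python below is an added example for this page and is not engine, C-D or VAC code; the 2D line-of-sight test with walls of unlimited height, the 10000-unit vertical offset, the eight-sector sound hint and the scene are all constructed simplifications, and for simplicity every hidden enemy is assumed to be audible in the tick shown. With `legacy_shift=True` it reproduces the behaviour the page describes; with the default it goes one step further to the proposed design, where the exact source of a sound never leaves the server.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple

Vec3 = Tuple[float, float, float]  # x, y, z in game units


@dataclass
class Wall:
    """An opaque wall, modelled as a 2D segment of unlimited height (simplification)."""
    x1: float
    y1: float
    x2: float
    y2: float


def _orient(ax, ay, bx, by, cx, cy) -> float:
    # Sign of the 2D cross product: which side of the line a->b the point c lies on.
    return (bx - ax) * (cy - ay) - (by - ay) * (cx - ax)


def _crosses(p: Vec3, q: Vec3, w: Wall) -> bool:
    """True if the sight line p->q properly intersects the wall segment."""
    o1 = _orient(p[0], p[1], q[0], q[1], w.x1, w.y1)
    o2 = _orient(p[0], p[1], q[0], q[1], w.x2, w.y2)
    o3 = _orient(w.x1, w.y1, w.x2, w.y2, p[0], p[1])
    o4 = _orient(w.x1, w.y1, w.x2, w.y2, q[0], q[1])
    return o1 * o2 < 0 and o3 * o4 < 0


def visible(viewer: Vec3, target: Vec3, walls: List[Wall]) -> bool:
    """Server-side line-of-sight check; the client never gets to decide this."""
    return not any(_crosses(viewer, target, w) for w in walls)


def coarse_sound_hint(viewer: Vec3, source: Vec3) -> Dict[str, object]:
    """Direction quantised to 8 compass sectors plus a distance band. The exact
    source position is not part of the result (the page's proposed protocol)."""
    dx, dy = source[0] - viewer[0], source[1] - viewer[1]
    dist = math.hypot(dx, dy)
    sector = int(((math.degrees(math.atan2(dy, dx)) + 360.0 + 22.5) % 360.0) // 45.0)
    band = "near" if dist < 300 else ("mid" if dist < 800 else "far")
    return {"sector": sector, "band": band}


HIDE_OFFSET_Z = 10000.0  # constructed: far above any map geometry


def build_update(viewer: Vec3, enemies: Dict[str, Vec3], walls: List[Wall],
                 legacy_shift: bool = False) -> Dict[str, object]:
    """Per-client update. Visible enemies are sent exactly. Hidden enemies are either
    shifted vertically (legacy_shift=True, the behaviour the page attributes to C-D,
    VAC and recent servers) or omitted and replaced by a coarse sound hint."""
    players: Dict[str, Vec3] = {}
    sounds: Dict[str, Dict[str, object]] = {}
    for name, pos in enemies.items():
        if visible(viewer, pos, walls):
            players[name] = pos
        elif legacy_shift:
            # x and y still pass through unchanged; only z is wrong.
            players[name] = (pos[0], pos[1], pos[2] + HIDE_OFFSET_Z)
        else:
            sounds[name] = coarse_sound_hint(viewer, pos)
    return {"players": players, "sounds": sounds}


# Constructed scene: viewer at the origin, one enemy in the open, one behind a wall.
VIEWER: Vec3 = (0.0, 0.0, 0.0)
WALLS: List[Wall] = [Wall(-100.0, 200.0, 100.0, 200.0)]
ENEMIES: Dict[str, Vec3] = {"open": (200.0, 0.0, 0.0), "behind_wall": (0.0, 400.0, 0.0)}

if __name__ == "__main__":
    print("legacy vertical shift:", build_update(VIEWER, ENEMIES, WALLS, legacy_shift=True))
    print("omit plus sound hint: ", build_update(VIEWER, ENEMIES, WALLS))
```

The comment on the legacy branch is the point of the comparison: a vertical shift keeps the hidden player's horizontal coordinates in the packet, so it only defeats hacks that trust the full position, whereas omitting the entity and sending a quantised hint removes the precise information altogether, at the cost of the protocol change the text says Counter-Strike lacks.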

An aimbot, on the other hand, can be considered a piece of AI, and it is theoretically always possible to create an AI that can play the game in place of the player (or even just partially in place, in the case of the aimbot). However, aimbots in Counter-Strike do not require optical recognition like the human player does, nor do they need to shove a possibly inaccurate mouse around. The cheats in Counter-Strike receive the exact XYZ coordinates of the enemy player, and can calculate a trajectory and fire the weapon before the end of a frame. Theoretically it could be possible to create a model-free game engine where the client's computer would have no conception of what is what, unless it actually started using virtual optical recognition. This goes in the same direction as the ESP-preventing approach: the client's computer is given too much information by being told to draw an enemy there, rather than merely something. In Counter-Strike, the enemy players are always drawn from a set of predictable models, and when a model is drawn, the client and the cheat both know not just where it is, but also what it is, and can therefore shoot at it.

Finally, for LAN party administrators there is an easy way to secure a tournament: forcing the players to play on secured machines that are provided by the LAN party. As long as the provided computers are sufficiently able to be both secure and playable, there is nothing that can enable potential cheaters to gain an unfair advantage over another player. This simple solution is probably the only reason why most professional cheaters still spend a lot of their training time practising 'pure', although usually only clan-internally.

Copyright © 2000-2008 Slider.com. All rights reserved.
Content is distributed under the GNU Free Documentation License.