How do wallhacks & no-recoil cheat programs work?

If you are a first-person shooter player, you know these kinds of programs exist. And the most interesting thing to me is that these programs can function despite anti-cheat software such as VAC, sXe and PunkBuster.

How can these programs influence the game even though there is anti-cheat software running simultaneously?

Can anyone interested in programming and coding produce such cheating programs?

Does it require a great amount of programming knowledge to code these wallhack programs?

What kind of people are these hack & cheat program coders?

I don’t think it requires a lot of knowledge so much as a competent degree of specialized knowledge – and a lot of dedication. I’ve run Cheat Engine on a Games for Windows Live game before*; GFWL has its own protection that causes the game to freeze if it detects memory editing.

One important thing to note is that at the execution level everything is just numbers (well, binary switches that are on and off, but splitting hairs), so any program that can change numbers at any address of a program can change the way it runs. So when a program is running, you can inspect the part of the code that runs the memory monitor, and alter a few instructions to render it harmless. This is what you do with GFWL, I think you overwrite five instructions in the memory monitor and make it harmlessly escape, instead of actually checking if anything is wrong.

Of course, this is all a bit of an arms race – you can run the monitor in another process or thread; you can make the inspection program require bizarre idiosyncratic passcodes/checksums/whatever be found or it will freak out, etc etc. It can never be perfect, but it can become more and more of a pain to circumvent it.

I’m afraid I don’t know the specifics of wallhacks, but I think they usually exploit cooperation between the server and the client. Since it would be too slow for the server to process an action request for every player, calculate the actions and compute physics for everything, and then tell each player where it is every frame – it has each client do some of its own calculations, and then propagates the changes after the client tells it what’s changed. So (at a very basic level), after you circumvent the protection, you essentially just break the physics engine on your machine and tell the server “no, really, I’m at this location – you’re imagining things, there’s no wall here” and the server goes “well… I can’t really spare the power to check, so I believe you!” This is also how things like teleport hacks work. I’m not clear on how Aimbots work, but I think it fundamentally relies on reading the game’s hitbox data and causing the player’s targeting reticle to automatically be set to point at the correct location.

Note that this is a very high level overview, there are entire computer security papers about guarding against these, and detailing ways of attacking them, and so on and so forth. I’ve never written any hacks myself, though I have known a couple of professors in computer security that have done research of ways to prevent them.

I would say that any interested competent programmer could probably make one of these if they did enough research first (to prevent getting banned over and over while they bug test it), but you have to be prepared for a lot of boring poking around in executables and figuring out what random collection of hexadecimal characters correspond to the physics engine code and what’s safe to change to give the desired effect without breaking the program and so on.

The real annoyance is that even if the same techniques work from game to game, even different games in the same engine and protection likely require a good deal of work just to find the correct parts to attack. Meaning that even if you know what you’re doing it can be tedious to do it for another game.

  • Dark Souls: Prepare to Die edition for PC – I never PVP’d on that character, I’d already beaten it on PS3 and just wanted to dick around and see what I could find out about the game.
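The instruction-patching step described in the post above (find the check inside the memory monitor, overwrite its first instructions so it "harmlessly escapes"), as an added example that is not code from the thread or from GFWL. Everything here is constructed: the game state is a single `g_health` variable, the "monitor" is a toy function `monitor_check` that reports tampering when the value differs from its reference, and the patch overwrites the monitor's entry with the two machine instructions for `return 0`. It assumes Linux on x86-64 or AArch64 and a kernel that lets `mprotect` make a text page writable and executable at once.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* Constructed game state: the number the cheater wants to change. */
static volatile int g_health = 100;
static const int g_health_reference = 100;

void set_health(int v) { g_health = v; }
int get_health(void) { return g_health; }

/* Toy memory monitor: returns 1 when tampering is detected (a real one
 * would freeze the game). volatile + noinline stop the compiler from
 * folding the call away, so each call really executes the bytes we patch. */
__attribute__((noinline)) int monitor_check(void) {
    return g_health != g_health_reference;
}

/* Overwrite the first instructions of monitor_check with "return 0" so
 * every later call reports "all clear". Returns 0 on success, -1 if the
 * page could not be made writable, -2 on an architecture not covered. */
int patch_monitor(void) {
#if defined(__x86_64__)
    /* mov eax, 0 ; ret */
    static const unsigned char stub[] = {0xb8, 0x00, 0x00, 0x00, 0x00, 0xc3};
#elif defined(__aarch64__)
    /* mov w0, #0 ; ret  (little-endian A64 encodings) */
    static const unsigned char stub[] = {0x00, 0x00, 0x80, 0x52, 0xc0, 0x03, 0x5f, 0xd6};
#else
    static const unsigned char stub[] = {0};
    return -2;
#endif
    uintptr_t fn = (uintptr_t)monitor_check;
    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = fn & ~(page - 1);
    size_t len = (fn + sizeof stub) - start;   /* the stub may straddle a page */

    if (mprotect((void *)start, len, PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
        return -1;
    memcpy((void *)fn, stub, sizeof stub);
    /* no-op on x86, required on AArch64 so the core fetches the new code */
    __builtin___clear_cache((char *)fn, (char *)(fn + sizeof stub));
    if (mprotect((void *)start, len, PROT_READ | PROT_EXEC) != 0)
        return -1;
    return 0;
}

int main(void) {
    printf("clean: monitor says %d\n", monitor_check());
    set_health(9999);
    printf("tampered: monitor says %d\n", monitor_check());
    if (patch_monitor() != 0) { puts("patch failed"); return 1; }
    printf("tampered + patched: monitor says %d (health=%d)\n",
           monitor_check(), get_health());
    return 0;
}
```

Two things a practitioner will notice. First, the patch is a handful of bytes, but finding *which* bytes took the reverse-engineering the post describes, and the offset changes with every build of the game. Second, the countermeasure is the one the next paragraph of the post names: have another thread or process checksum the monitor's own code, so the stub itself trips the check. Hardened kernels and macOS refuse the `PROT_WRITE | PROT_EXEC` mapping outright, which is why real cheats do this from outside the process (`WriteProcessMemory`, a driver) rather than from inside it.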

The anti-cheat software works by examining other running processes in conjunction with the game. If you can manipulate the process list presented to the anti-cheat, then you can avoid detection. As new techniques are developed to hide the cheat programs, so the anti-cheat tools get updated to include these new techniques. It is worth noting that many of these techniques are the same as those used to hide rootkits and malware from anti-virus/anti-malware tools.

Developing such a hack requires the use of a debugger, a sniffer, knowledge of assembly language and high-level languages, data protocols, a deep understanding of the OS/API used by the game, and an appreciation of coding techniques. It is very difficult to do, and the people who do so are highly skilled individuals, and could probably earn excellent money in the real-job market.
However, they could also make easier money on the illegal markets helping malware authors hide malicious code. I suspect that they sit somewhere in the middle - not willing to do actual evil (working for malware authors), but not motivated enough to make a serious regular living from their skills. And also lazy enough to develop a cheat to win at a game that they are not willing to develop skills at to win by talent/practice. Generally they are motivated by the kudos of developing a hack for the game and hiding it from the anti-cheat tools.

To add - once the protocol/client-side data structures for a particular game have been hacked, mostly it is about hiding the modifying tools from the anti-cheat systems. The first bit is real hard, the hiding bit is hard in a different way.

[QUOTE=Jragon]
I’m afraid I don’t know the specifics of wallhacks, but I think they usually exploit cooperation between the server and the client. Since it would be too slow for the server to process an action request for every player, calculate the actions and compute physics for everything, and then tell each player where it is every frame – it has each client do some of its own calculations, and then propagates the changes after the client tells it what’s changed. So (at a very basic level), after you circumvent the protection, you essentially just break the physics engine on your machine and tell the server “no, really, I’m at this location – you’re imagining things, there’s no wall here” and the server goes “well… I can’t really spare the power to check, so I believe you!” This is also how things like teleport hacks work. I’m not clear on how Aimbots work, but I think it fundamentally relies on reading the game’s hitbox data and causing the player’s targeting reticle to automatically be set to point at the correct location.
[/QUOTE]

This is one reason that companies are looking at game-streaming, where all the work is done remotely, and the server does not have to rely on a trusted client apart from feeding control data and display data back and forth.

I actually worked on one of these, it used OCaml to pass around (compiled) C code instead of data, and if the server suspected foul play the components could be switched around so that it required a different function to be passed in to work properly. So hacking wasn’t a matter of changing some numbers, but rather being able to deal with numerous compiled APIs that worked in a shifting system. It worked… okay, but it had some serious issues: it put a serious burden on the developer to write, more or less, more than one logically equivalent modular working engine, and it was a bit slow.

For some cheats (such as aimbots, but not things like wallhacks), you can get away with dealing with the game at an interface level. Basically, the game has no way of knowing that there’s an actual human sitting in the chair in front of the keyboard: It could just as easily be an android with perfect reflexes etc. And only slightly removed from that, you could write a program that intercepts the video data going to the screen, interprets it, and sends back data as if it came from the mouse or keyboard.

You could still in principle detect this, by having the game check what other processes are running on the computer at the same time, but since the cheat program isn’t directly touching the game itself, it’s much harder.

Have you seen this done? Because I’ve thought about this before and I’m not convinced this method is feasible, it’s a non-trivial computer vision problem; one that I’m not certain can be solved at the speed necessary to make it useful.

I’ve never seen it, no (or at least, not that I know of), but the computer vision problem wouldn’t be nearly as bad as you’d think, given that all of the imagery is computer-generated to begin with (making a template bank easy), character avatars often have distinctive colors in their design, and they move relative to the environment.
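The screen-reading aimbot discussed in the last three posts, as an added example that belongs to none of the posters. It uses the shortcut the reply above points at: when enemy avatars carry a distinctive colour, the "computer vision problem" collapses to a colour match plus a blob search. The frame here is a constructed 64x48 RGB buffer (grey walls, one enemy-coloured blob, one stray enemy-coloured HUD pixel), the colours and crosshair position are assumptions, and the output is the mouse delta a real cheat would feed back through the OS input layer instead of printing.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

#define FRAME_W 64
#define FRAME_H 48

typedef struct { uint8_t r, g, b; } px;
typedef struct { int found, target_x, target_y, dx, dy; } aim_result;

/* Per-channel tolerance match against the enemy's signature colour. */
static int matches(px p, px ref, int tol) {
    return abs(p.r - ref.r) <= tol && abs(p.g - ref.g) <= tol && abs(p.b - ref.b) <= tol;
}

/* Flood-fill every 4-connected blob of matching pixels, keep the largest,
 * and turn its centroid into the mouse delta from the crosshair (cx, cy).
 * Blobs smaller than min_pixels are rejected so a stray HUD pixel or a
 * muzzle flash of similar colour does not become a target. */
aim_result find_target(const px *frame, int w, int h, px enemy, int tol,
                       int min_pixels, int cx, int cy) {
    aim_result none = {0, 0, 0, 0, 0}, best = none;
    uint8_t *seen = calloc((size_t)w * h, 1);
    int *stack = malloc((size_t)w * h * sizeof *stack);
    int best_n = 0;
    if (!seen || !stack) { free(seen); free(stack); return none; }

    for (int s = 0; s < w * h; s++) {
        if (seen[s] || !matches(frame[s], enemy, tol)) continue;
        long sx = 0, sy = 0; int n = 0, sp = 0;
        stack[sp++] = s; seen[s] = 1;
        while (sp > 0) {                       /* iterative flood fill */
            int i = stack[--sp], x = i % w, y = i / w;
            sx += x; sy += y; n++;
            int nb[4] = { x > 0 ? i - 1 : -1, x < w - 1 ? i + 1 : -1,
                          y > 0 ? i - w : -1, y < h - 1 ? i + w : -1 };
            for (int k = 0; k < 4; k++)
                if (nb[k] >= 0 && !seen[nb[k]] && matches(frame[nb[k]], enemy, tol)) {
                    seen[nb[k]] = 1; stack[sp++] = nb[k];
                }
        }
        if (n > best_n) {
            best_n = n;
            best.target_x = (int)(sx / n);
            best.target_y = (int)(sy / n);
        }
    }
    free(seen); free(stack);
    if (best_n < min_pixels) return none;
    best.found = 1;
    best.dx = best.target_x - cx;
    best.dy = best.target_y - cy;
    return best;
}

/* Constructed frame: grey walls, one lone enemy-coloured HUD pixel and,
 * when with_enemy is set, a 5x9 enemy blob whose centre is (42, 14). */
void build_frame(px *frame, int with_enemy) {
    px wall = {90, 90, 90}, enemy = {200, 30, 30};
    for (int i = 0; i < FRAME_W * FRAME_H; i++) frame[i] = wall;
    frame[5 * FRAME_W + 5] = enemy;
    if (with_enemy)
        for (int y = 10; y <= 18; y++)
            for (int x = 40; x <= 44; x++) frame[y * FRAME_W + x] = enemy;
}

/* Run the aimbot over the constructed frame, crosshair at screen centre. */
aim_result demo_aim(int with_enemy) {
    static px frame[FRAME_W * FRAME_H];
    px enemy = {200, 30, 30};
    build_frame(frame, with_enemy);
    return find_target(frame, FRAME_W, FRAME_H, enemy, 40, 8, FRAME_W / 2, FRAME_H / 2);
}

int main(void) {
    aim_result r = demo_aim(1);
    printf("found=%d target=(%d,%d) mouse delta=(%d,%d)\n",
           r.found, r.target_x, r.target_y, r.dx, r.dy);
    r = demo_aim(0);
    printf("found=%d (only the stray pixel, rejected)\n", r.found);
    return 0;
}
```

This is the reason colour-based aimbots worked against games with team-coloured models, and why the usual countermeasures sit outside the game process: randomised or non-distinctive avatar palettes, and statistical detection of inhumanly regular aim on the server, since nothing in the game's memory is ever touched.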

I don’t have first-hand experience with these things, although I have played Counterstrike and similar games since modem days.

In simple terms, the only way a wallhack (seeing through walls) could work is if the client’s (player’s) copy of the game is being sent the positions of other players/objects during the course of the game. Normally the game would not reveal those locations to the player unless the player character should be able to see the players/objects in their current field of view. The wallhack would force all objects to be rendered, I assume with the help of transparent/translucent walls.

I’m not positive what a no-recoil cheat is, but I’m assuming it means that all the player’s shots in an online game would hit the same spot with no “spread” even with fully automatic fire. My guess is this sort of hack depends on the fact that the client copy of the program does the actual “spread” calculations and rendering, so the hack eliminates that spread, setting it to zero and putting all the player’s shots in the same spot.

The way I see it there is a certain type of person that just has a mindset that lets them hack these things. Just like people that can crack encryption or compose symphonies in their heads.

As far as how the cheat programs circumvent the anti-cheat programs, I do not know but can speculate they somehow maintain a pristine copy of the game code to satisfy the anti-cheat software, while the client actually plays with a hacked version of the game code.
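The wallhack mechanism the post above describes (the client is sent positions it is not supposed to show, and the cheat forces them to be drawn), as an added example that is not from the thread or from any game. It goes one step past the post to show the server-side fix: run the visibility test on the server and omit occluded players from the snapshot, so a patched client has nothing to reveal. The scene is a constructed 2-D world (players are points, the one wall is a vertical segment, line of sight is a segment-intersection test); the player ids and positions are assumptions.

```c
#include <stdio.h>

typedef struct { double x, y; } vec2;
typedef struct { vec2 a, b; } wall;           /* a wall is a line segment */
typedef struct { int id; vec2 pos; } player;

/* Sign of the 2-D cross product: which side of the line o->a is b on? */
static double cross(vec2 o, vec2 a, vec2 b) {
    return (a.x - o.x) * (b.y - o.y) - (a.y - o.y) * (b.x - o.x);
}

/* Proper intersection of segment p-q with wall w (touching counts as clear). */
static int segments_cross(vec2 p, vec2 q, wall w) {
    double d1 = cross(p, q, w.a), d2 = cross(p, q, w.b);
    double d3 = cross(w.a, w.b, p), d4 = cross(w.a, w.b, q);
    return ((d1 > 0) != (d2 > 0)) && ((d3 > 0) != (d4 > 0));
}

int has_line_of_sight(vec2 from, vec2 to, const wall *walls, int nwalls) {
    for (int i = 0; i < nwalls; i++)
        if (segments_cross(from, to, walls[i])) return 0;
    return 1;
}

/* Naive server: every other player goes into every client's snapshot.
 * This is the data a wallhack feeds on; the client merely stops hiding it. */
int server_snapshot_naive(const player *all, int n, int viewer_id, player *out) {
    int k = 0;
    for (int i = 0; i < n; i++)
        if (all[i].id != viewer_id) out[k++] = all[i];
    return k;
}

/* Hardened server: does the visibility test itself and never sends a
 * player the viewer could not see, so there is nothing to reveal. */
int server_snapshot_culled(const player *all, int n, int viewer_id,
                           const wall *walls, int nwalls, player *out) {
    vec2 viewer = {0, 0};
    for (int i = 0; i < n; i++) if (all[i].id == viewer_id) viewer = all[i].pos;
    int k = 0;
    for (int i = 0; i < n; i++)
        if (all[i].id != viewer_id && has_line_of_sight(viewer, all[i].pos, walls, nwalls))
            out[k++] = all[i];
    return k;
}

/* Client: normally applies its own LOS test before drawing; a wallhack
 * patches that test out (wallhack != 0) and draws every snapshot entry. */
int client_render(const player *snap, int n, vec2 viewer,
                  const wall *walls, int nwalls, int wallhack, int *drawn_ids) {
    int k = 0;
    for (int i = 0; i < n; i++)
        if (wallhack || has_line_of_sight(viewer, snap[i].pos, walls, nwalls))
            drawn_ids[k++] = snap[i].id;
    return k;
}

/* Constructed scene: viewer 1 at the origin, player 2 behind the wall at
 * x=5, player 3 in the open. Returns how many players the client draws. */
int demo(int wallhack, int culled) {
    player all[3] = { {1, {0, 0}}, {2, {10, 0}}, {3, {2, 3}} };
    wall walls[1] = { { {5, -10}, {5, 10} } };
    player snap[3]; int drawn[3];
    int n = culled ? server_snapshot_culled(all, 3, 1, walls, 1, snap)
                   : server_snapshot_naive(all, 3, 1, snap);
    int k = client_render(snap, n, all[0].pos, walls, 1, wallhack, drawn);
    printf("wallhack=%d server_culling=%d -> client draws %d player(s):", wallhack, culled, k);
    for (int i = 0; i < k; i++) printf(" %d", drawn[i]);
    printf("\n");
    return k;
}

int main(void) {
    demo(0, 0); demo(1, 0); demo(0, 1); demo(1, 1);
    return 0;
}
```

The same principle covers the no-recoil guess in the post: if the server computes the spread for each shot from its own state rather than trusting the client's reported bullet direction, zeroing the client's spread table changes what the cheater sees, not what hits. The caveat with server-side visibility culling is latency: a player who steps around a corner between two server ticks would pop into view late, which is why production engines cull with padded potentially-visible sets and extrapolated positions rather than the exact line-of-sight test used here.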