Caimen0

Basic Anti-Cheat for DD:A


In this post by Elandrian, there are 2 important pieces of information relevant to this topic:

  1. DD:A will use a similar multiplayer system to DD1
  2. Chromatic plans to adopt some sort of Anti-Cheat system

Preventing the use of cheats in a peer-to-peer and noncentralized networking method is not as simple as DD2 simply doing everything for the player, thus removing most hacking options, but there is a way to catch or prevent most hacking within DD1's system.

This can be accomplished by establishing a system of checks that when tripped will send a notification to HQ that triggers a manual or automated review of the account the packet came from. The most common forms of hacking come from gear, hero stats, and tower hacking. The checks must therefore be directed at finding any abnormalities in stat changes regarding these properties.

The game itself runs checks that ask the following questions:

  • Did this item spawn due to an item spawn event, or did it simply appear? (Catches duping by wholesale item spawning)
  • Did the stats on this item change when expected? (Was an upgrade applied)
  • Did the stats change by the expected amount?
  • Did the player's hero stats change when expected? (Level up bonus applied)
  • Did they change by the appropriate amount?
  • Did this tower's stats change when expected? (Did it get upgraded or buffed?)
  • Did they change by the expected amount?
  • Was the DU/MU properly updated when the tower was placed?
  • Does the total amount of DU/MU match the expected amount for the map?
  • Did a change of mana occur when expected?
  • Did it change by the expected amount?

These checks will catch a vast majority of all people using basic forms of memory hacks that are the most common. More or less of these checks can be added depending on the mechanics introduced to or removed from the game. The advantage of using these checks is that the game does not have to unnecessarily strain the player's computer with an exe permanently searching for memory intrusions like Steam's VAC system. Another option on items to allow for hacker detection are things like stats that a certain item will always spawn with (The absence of this stat can give away a hacked item) and other invisible item properties. Item ID tying in with certain properties, etc.

  • Like 4
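An added example (not part of the original post and not Chromatic's code) of the event-matching checks listed above: every observed stat change must line up with a legitimate event and with that event's expected delta. The event names, delta table, and sample records are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed rule table: stat gain each legitimate event may cause.
EXPECTED_DELTA = {"item_upgrade": 1, "level_up": 5, "tower_upgrade": 10}

@dataclass
class Change:
    tick: int      # game tick at which the stat was seen to change
    target: str    # "item:<id>", "hero:<id>" or "tower:<id>"
    before: int
    after: int

def audit(events, changes, du_used, du_cap):
    """Return (tick, target, reason) flags that should trigger a review."""
    flags = []
    spawned = {e["target"] for e in events if e["kind"] == "item_spawn"}
    expected = {(e["tick"], e["target"]): EXPECTED_DELTA[e["kind"]]
                for e in events if e["kind"] in EXPECTED_DELTA}
    for c in changes:
        key = (c.tick, c.target)
        if c.target.startswith("item:") and c.target not in spawned:
            flags.append((c.tick, c.target, "no spawn event"))      # it simply appeared
        elif key not in expected:
            flags.append((c.tick, c.target, "unexpected change"))   # changed at the wrong time
        elif c.after - c.before != expected[key]:
            flags.append((c.tick, c.target, "wrong amount"))        # changed by the wrong amount
    if du_used > du_cap:
        flags.append((None, "map", "DU over cap"))
    return flags

# Constructed sample session.
SAMPLE_EVENTS = [
    {"tick": 1, "kind": "item_spawn", "target": "item:42"},
    {"tick": 5, "kind": "item_upgrade", "target": "item:42"},
    {"tick": 9, "kind": "level_up", "target": "hero:1"},
]
SAMPLE_CHANGES = [
    Change(5, "item:42", 100, 101),   # matches the upgrade event
    Change(7, "item:42", 101, 900),   # no event at this tick
    Change(9, "hero:1", 50, 70),      # level-up, but +20 instead of +5
    Change(12, "item:99", 10, 11),    # item never spawned
]

if __name__ == "__main__":
    for flag in audit(SAMPLE_EVENTS, SAMPLE_CHANGES, du_used=95, du_cap=90):
        print(flag)
```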


Speaking of anti-cheat... Please, do something with leaderboards. Seeing 1-2b scores on leaderboard is not a good thing. In addition to that, what about making the leaderboard public? So other players can compete with each other and track the top.

54 minutes ago, solomax said:

Speaking of anti-cheat... Please, do something with leaderboards. Seeing 1-2b scores on leaderboard is not a good thing. In addition to that, what about making the leaderboard public? So other players can compete with each other and track the top

It was public, how else did you see those big scores?!

 

Yes, definitely, a fair leaderboard is essential. 


@Caimen0 agreed, the other thing it could benefit is in the case of high tier weapons or armour. Currently with ult++ we have to be careful with hiding stats and potentially who we show the pieces to, because duping is such a realistic threat. If this was not the case and we could use our best characters, or show gear to one another without any fear of it being duped or stolen, it would make a huge quality of life change and also potentially make us less wary of playing with players we don't know and let the community grow.

  • Like 1

4 hours ago, Hover Tower 2000 said:

It was public, how else did you see those big scores?!

What I meant is the ability to look not only at the top-1 player. Like this DD2 leaderboard page or something in-game.


Add error detection like CRC on items, but adding stuff that is not as easy as opening Cheat Engine might be something to look at. Because it's going to be client side, I'm sure somebody will always work it out, but maybe the odd thing to throw people off might be nice, especially on high end items.

  • Like 1

Posted (edited)
11 minutes ago, DarkDasher said:

Add error detection like CRC on items, but adding stuff that is not as easy as opening Cheat Engine might be something to look at. Because it's going to be client side, I'm sure somebody will always work it out, but maybe the odd thing to throw people off might be nice, especially on high end items.

Then you can make some asymmetric encryption things with signatures :DDD But of course it would work only on a centralized server-side structure, so only the main server could "sign" drops/bought items/upgrading stats/renaming. And then public-key verification of the signature can be made. But I'm not so advanced a programmer to think about the implementation of such a thing. In addition to that, afaik DD1 multiplayer was peer-to-peer, so I have no idea. And I don't know how ranked TrendyNet stuff works, like adding custom items for events and so on.

Edited by solomax

33 minutes ago, solomax said:

What I meant is the ability to look not only at the top-1 player. Like this DD2 leaderboard page or something in-game.

I don’t mean to derail this post, but you can view, I believe, every score in DD1. If you check your core in your tavern, it will show you your top score and how it ranks. You can also see every score above it. Although it is rather tedious to view and scroll through, I will admit.

38 minutes ago, solomax said:

What I meant is the ability to look not only at the top-1 player. Like this DD2 leaderboard page or something in-game.

DD1 had complete (complete with hackers as well) leaderboards - you could see everyone's score and your place in the ranking.

Posted (edited)
On 3/9/2019 at 2:26 PM, Caimen0 said:

In this post by Elandrian, there are 2 important pieces of information relevant to this topic:

  1. DD:A will use a similar multiplayer system to DD1
  2. Chromatic plans to adopt some sort of Anti-Cheat system

Preventing the use of cheats in a peer-to-peer and noncentralized networking method is not as simple as DD2 simply doing everything for the player, thus removing most hacking options, but there is a way to catch or prevent most hacking within DD1's system.

This can be accomplished by establishing a system of checks that when tripped will send a notification to HQ that triggers a manual or automated review of the account the packet came from. The most common forms of hacking come from gear, hero stats, and tower hacking. The checks must therefore be directed at finding any abnormalities in stat changes regarding these properties.

The game itself runs checks that ask the following questions:

  • Did this item spawn due to an item spawn event, or did it simply appear? (Catches duping by wholesale item spawning)
  • Did the stats on this item change when expected? (Was an upgrade applied)
  • Did the stats change by the expected amount?
  • Did the player's hero stats change when expected? (Level up bonus applied)
  • Did they change by the appropriate amount?
  • Did this tower's stats change when expected? (Did it get upgraded or buffed?)
  • Did they change by the expected amount?
  • Was the DU/MU properly updated when the tower was placed?
  • Does the total amount of DU/MU match the expected amount for the map?
  • Did a change of mana occur when expected?
  • Did it change by the expected amount?

These checks will catch a vast majority of all people using basic forms of memory hacks that are the most common. More or less of these checks can be added depending on the mechanics introduced to or removed from the game. The advantage of using these checks is that the game does not have to unnecessarily strain the player's computer with an exe permanently searching for memory intrusions like Steam's VAC system. Another option on items to allow for hacker detection are things like stats that a certain item will always spawn with (The absence of this stat can give away a hacked item) and other invisible item properties. Item ID tying in with certain properties, etc.

It sounds nice and easy when you say it like this, but practical solutions are much more complicated. With simple checks you are just making the most trivial attacks harder. But you have to assume that...

- the attacker is fully capable of controlling the source code (reading, modifying, deleting)

- can not only modify run-time values but also do code injections

So hidden values are never hidden. You could use a hash value of the item with its attributes to ensure integrity, but the attacker can also calculate this value. Send a notification - nope, won't happen, because the attacker can just remove this part of the code or filter outgoing network traffic. So you do need a third party process that ensures the integrity of your program and also memory.

At least the loot generation should be made safe, because the hacked gear was one of the biggest issues in DD1 and extremely frustrating for players that grinded a lot and wanted to trade. Of course the easiest and safest solution would be to make all the calculation server-sided. But this costs a lot of performance and won't support local/offline gameplay.

You could use some kind of block-chain approach to create a verifiable chain of legit items. The client gets a seed s and the item and all its attributes are derived from this seed. The next item uses Hash(s) as the next seed. The problem is the performance here (not such a big deal, because it is local - there are certain cryptocurrencies which are extremely intensive to calculate but the proof is relatively easy to check -> zero cash). When you start a game, you would have to tell the server "I am playing map x with difficulty y now" and the server would send you a starting seed then and save the info. Afterwards you would send the server a list of the items you picked up and the server can check if these items are a valid part of the chain, and only if this is true will they be added to the server-side stored account data. This way you would at least guarantee loot with legit stats only. But then again you could have never actually played this particular map. And also you have no control over the amount of generated items (someone could still just instantly kill all enemies with hacks or simply call the "generateItem" function as often as he wants). You would somehow have to prove that you played this game legitimately... which would require a system like this for everything that is calculated in the game. You could add some artificial limitation to fix the amount of drops to a certain number per game (actually doable, because you know the number of enemies on map x with setting y) and check the completion time... But we assumed that the attacker has full control, so he can simply pretend to have just played the hardest map, killed every enemy and got the correct amount of loot in a reasonable time and do this 24/7 - there is no way to tell if he actually played the game or just ran the code.

Well, to sum this up: No, adding simple checks won't solve this issue if you do not use further techniques to ensure the integrity of the program and its runtime data. But on the other side, if you could ensure these, you could make a system that is pretty safe and I really hope that the developers will put some effort into this.

Edited by The Ich
  • Like 2
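An added sketch (not from the post's author and not game code) of the seed-chain scheme described above: the server issues a seed per session, each item is derived from the current seed, the next seed is Hash(s), and the server re-derives the chain to check submitted loot. The item field layout, the `max_drops` cap, and all names are assumptions.

```python
import hashlib
import secrets

def next_seed(seed: bytes) -> bytes:
    # "The next item uses Hash(s) as the next seed."
    return hashlib.sha256(seed).digest()

def derive_item(seed: bytes) -> dict:
    # Every attribute comes from the seed; this field layout is an assumption.
    d = hashlib.sha256(b"item|" + seed).digest()
    return {"id": d[4:12].hex(), "type": d[0] % 4,
            "damage": int.from_bytes(d[1:3], "big") % 500}

def chain(seed: bytes, count: int) -> list:
    """Items 0..count-1 of the chain that starts at `seed`."""
    items = []
    for _ in range(count):
        items.append(derive_item(seed))
        seed = next_seed(seed)
    return items

class LootServer:
    def __init__(self):
        self.sessions = {}   # player -> session record saved at game start

    def start(self, player, game_map, difficulty, max_drops):
        # max_drops stands in for the known enemy count of map x at setting y.
        seed = secrets.token_bytes(32)
        self.sessions[player] = {"seed": seed, "map": game_map,
                                 "difficulty": difficulty, "max": max_drops}
        return seed

    def submit(self, player, claimed):
        """Return (accepted, rejected); a session can be redeemed only once."""
        session = self.sessions.pop(player)
        pool = chain(session["seed"], session["max"])
        accepted, rejected = [], []
        for item in claimed:
            if item in pool:
                pool.remove(item)        # each chain item is credited once
                accepted.append(item)
            else:
                rejected.append(item)    # edited, duplicated, or past the cap
        return accepted, rejected

def demo():
    server = LootServer()
    seed = server.start("p1", "map_x", "y", max_drops=3)
    drops = chain(seed, 4)                   # client runs the chain one step too far
    forged = dict(drops[1], damage=9999)     # constructed tampered item
    return server.submit("p1", [drops[0], forged, drops[0], drops[3]]), drops
```

The check bounds what loot can be credited, but, as the post says, it cannot show that the map was actually played.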

1 minute ago, The Ich said:

It sounds nice and easy when you say it like this, but practical solutions are much more complicated. With simple checks you are just making the most trivial attacks harder. But you have to assume that...

- the attacker is fully capable of controlling the source code (reading, modifying, deleting)

- can not only modify run-time values but also do code injections

So hidden values are never hidden.

 It's almost like I said "basic forms of memory hacks" 🤔

By "hidden values" I'm referring to stats that aren't shown on the item card. (Item ID, size, etc)


This sounds quite solid. Idk how they are gonna implement it, but I'm sure if they want to keep hackers out of the game they will figure it out.

4 minutes ago, Caimen0 said:

 It's almost like I said "basic forms of memory hacks" 🤔

By "hidden values" I'm referring to stats that aren't shown on the item card. (Item ID, size, etc)

Yeah sure, memory manipulations have been the most common types of "hacks", because they are easy to do and already enough to achieve the goal. No need for more complex stuff. But if you want to make a working Anti-Cheat system you have to consider even the most sophisticated attacker.


I don't think these methods would work, really.  I don't want to say why not, and I don't want to say how I think you might design a proper anti-cheat system (for obvious reasons), but it's definitely not a problem you can solve easily.

