Forum Discussion

kgjs420
6 years ago

A Technical Solution to Cheat Detection from an Engineer

From a technical perspective, the computational cost of running battle simulations on the servers is a limiting factor in achieving true automated cheat detection in the game. Simulating a battle is magnitudes greater in terms of computing power required than any other server operation, which of course directly relates to non-negligible costs. Politics and economics aside, EA needs a solution that is not prohibitively expensive.

So, here it is: peer-to-peer battle data validation:

  • After a battle is complete, put the payload data (random seeds, moves, result) into a queue.
  • Clients who do not opt out of participation will automatically retrieve the data, run simulations on the user device, and send the results back to the server to either raise an alarm or mark the request finished.


Obviously, the minor technical details need to be hashed out, but from a pure complexity standpoint you achieve reliable (decentralized) validation without significant server side computational overhead. You don't need to go full crypto blockchain on the game to regain the trust of the users, but this would surely go a long way in identifying who is cheating.

25 Replies

  • "Psycosaltine;c-1938366" wrote:

    Could they make it so tampering with the memory forces the client to crash?
    Not to be rude, but I think you're missing the point of my previous statement, and it has everything to do with your lack of domain knowledge. Once you're capable of tampering with the client, you're capable of tampering with any mechanisms in the client, including tamper detection. This has been a part of computer cracking for years. You need to have additional validation - either through a trusted central server or a decentralized network (think bitcoin) - in order to establish trust.

  • "js4;c-1938372" wrote:
    "Psycosaltine;c-1938366" wrote:

    Could they make it so tampering with the memory forces the client to crash?
    Not to be rude, but I think you're missing the point of my previous statement, and it has everything to do with your lack of domain knowledge. Once you're capable of tampering with the client, you're capable of tampering with any mechanisms in the client, including tamper detection. This has been a part of computer cracking for years. You need to have additional validation - either through a trusted central server or a decentralized network (think bitcoin) - in order to establish trust.



    You're right, I have no idea about any of this, but if one of my harebrained ideas makes someone say "that won't work but maybe this will", it's 100% worth looking like an idiot. A different perspective can shine a whole new light on things.
  • "Psycosaltine;c-1938373" wrote:

    You're right, I have no idea about any of this, but if one of my harebrained ideas makes someone say "that won't work but maybe this will", it's 100% worth looking like an ****. A different perspective can shine a whole new light on things.


    Understood, just don't want you to rack your brain too hard going down the path of client-side detection as the solution when the cheating mostly stems from the client itself being untrusted.
  • "js4;c-1938347" wrote:
    The problem you described isn't actually a problem. Gather the first random seed from the server, or base any random seeds off of the battle time and validate against it; sending duplicate battle results from old battles will no longer be an option, if it even is right now. You don't need server-side processing at all, you just need a way to validate a deterministic input in the data.


    Interesting. So what you are proposing actually means:

    • At the start of the battle, server will send RNG seed and battle ID
    • Player will play the battle
    • Player's device will send battle result and information about all involved characters (levels, abilities, gear, mods) and all player's moves to another device
    • Another device will query RNG seed from the server by providing battle ID
    • Device will "replay" the battle and compare the result
    • Device will report to server if result is different


    Are RNG implementations on all platforms the same?

    "js4;c-1938347" wrote:
    The actual cheating that has been unearthed recently and has gone undetected has to do with client-side memory tampering. There's not a great way to detect this because anyone able to do this kind of tampering is usually able to tamper with the checks as well, unless perhaps they came up with some clever trickery.


    Isn't the purpose of obfuscation to make it harder to tamper with code, and the purpose of whitebox cryptography to make tampering with client-side memory harder? I'm not saying they are the solution, I'm just saying that tools to make this more robust even on a rooted phone should be there. They cost quite a lot of money and are very complex to use right, but hey, a game like this is making $100M+, so the money to get the right tools and the right devs is there. The more money you put into obfuscation and whitebox crypto, the more difficult it will be to get around them, and you can even mess with that with every release of the game, so hackers may find it not worth it if it will be changing every few weeks.

    Saying that, there is enough money for them to run their own farm of phones doing just validation. Or simply make a system like you are proposing server side - I find it more maintainable, reliable and easier to make robust and deliver.

    For now it would be enough to start with the battle log people are asking for. Not only to detect cheating but also to see what can beat your teams.

  • "js4;c-1938367" wrote:
    Most of the processing power needed for the game has to do with the graphics - battle simulations are fairly straightforward algebra that can easily be accomplished by any phone capable of running the game in down time.


    Which is exactly why you would do it server side. While cloud computing resources have a cost, "expensive" is a purely arbitrary term. Generally, compute and inbound data are relatively inexpensive compared to storage and outbound data. On-demand pricing for an hour of processing on a 96 vCPU EC2 instance is under $6.

    The hourly cost of the resources needed to build your massively distributed validation platform is on the order of 20 times that, for a single hour - and building massively distributed platforms is non-trivial. It is certainly much more complicated than building a single, scalable event processor that could perform validation like that described above. If compute and bandwidth are such a significant concern, you could always introduce some rule filtering to flag questionable matches and fine tune those rules as you learn more. However, I'm inclined to think that executing the rule set is probably more CPU intensive than just running the battle actions through the simulator/validator.

    I'd even be willing to bet that if CG made the relevant portions of their battle algorithms available and a pipe to consume battle log messages, they'd have a couple of free solutions in place in short order.
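
The replay check this thread converges on (server-issued seed and battle ID, submitted moves replayed by a validator, mismatches flagged), sketched as an added example that is not from any poster or from the game's code. The battle rules, stat table and all names are constructed, and SplitMix64 stands in for whatever RNG the game actually uses; an integer-only generator is chosen so every platform replays the same rolls.

```python
import secrets

MASK64 = (1 << 64) - 1
BASE_DAMAGE = {"strike": 20, "guard": 0}  # constructed server-side stat table

def splitmix64(state):
    """One step of an integer-only PRNG: no floats, so no platform drift."""
    state = (state + 0x9E3779B97F4A7C15) & MASK64
    z = state
    z = ((z ^ (z >> 30)) * 0xBF58476D1CE4E5B9) & MASK64
    z = ((z ^ (z >> 27)) * 0x94D049BB133111EB) & MASK64
    return state, z ^ (z >> 31)

def simulate(seed, moves, enemy_hp=100):
    """Toy deterministic battle: damage = server-side base stat + seeded roll 0-9."""
    state = seed
    for move in moves:
        state, roll = splitmix64(state)
        enemy_hp -= BASE_DAMAGE[move] + roll % 10  # KeyError on an unknown move
        if enemy_hp <= 0:
            return "win"
    return "loss"

class Validator:
    def __init__(self):
        self.pending = {}  # battle_id -> seed; the client chooses neither

    def start_battle(self):
        battle_id, seed = secrets.token_hex(8), secrets.randbits(64)
        self.pending[battle_id] = seed
        return battle_id, seed

    def validate(self, battle_id, moves, claimed):
        seed = self.pending.pop(battle_id, None)  # one-shot: a resent battle fails
        if seed is None:
            return "reject: unknown or reused battle id"
        try:
            # Replay uses the validator's own stats, not values from client memory.
            actual = simulate(seed, moves)
        except (KeyError, TypeError):
            return "reject: illegal move"
        return "ok" if actual == claimed else "flag: result mismatch"

if __name__ == "__main__":
    v = Validator()
    bid, seed = v.start_battle()
    moves = ["strike"] * 4  # four strikes deal 80-116, so the outcome depends on the seed
    honest = simulate(seed, moves)
    print(v.validate(bid, moves, honest))  # honest submission
    print(v.validate(bid, moves, honest))  # the same submission sent again
```
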
