How I Defeated An MMO Game Hack Author
In the late 2000's, I worked at a niche MMO game company. We had a small team, not a lot of money, but a loyal audience. It was a game of skill without any of the usual powerups and unreality, and the players enjoyed the challenge.
Then, one day, we heard a rumor that a hack was available for the game, and suddenly the players were angry. Since we only had four programmers, someone had to investigate, and I volunteered. People were sure that everyone who killed them in the game only did so because they used the hack. We tried to assure people we were looking into it, but we had no idea how widespread it was.
Note that everything I recount here is likely long obsolete today. We supported both Windows and Mac, but Windows was the apparent target; in any case, only 10% of our player base used a Mac.
I found the hack for sale by some company in China, but it quickly became evident that this was not the originator; they appeared to have stolen the hack and were reselling it. After more digging, I found the company selling the hack and many other hacks for far more popular games. Given our small player base, I wondered why they even cared.
So I went home and bought a copy. I did not want our IP address associated with the purchase. I had a Windows PC, so I could install it and see what it offered. I had not spent much time with Windows internals then, as I had mostly worked on the Mac version and the cross-platform game core (it was an OpenGL game).
The hack had the usual features: wall hacks, unlimited ammo, map additions, and an aimbot. As a customer, I also had access to their forum, so I could see what their customers were saying about us (we were too stupid ever to catch them, etc.). I could tell there weren't many people posting (maybe a dozen), so I hoped it meant the usage was low. The author also posted in the forum, though he was mostly factual and did not speculate much. It appeared to be a two-person company; one wrote all the hacks, and the other did the business side. The hack cost around $30 monthly, more than we charged for the game.
I decided to focus on several things. First, I would learn how to hack a game on Windows, then plan how to make hacking the game more difficult or at least slow the author down, and finally, see if I could determine who was actually using the hack.
Honestly, this is probably the most fun "project" I ever did, two months of battling a clever adversary!
I then spent several days reading about hacking Windows games and all the techniques people used, ignoring anything targeted at more complex games from prominent companies. Reading the forum, I could tell the author was a customer and played the game; I had no idea who yet. So the mystery of why there was a hack was not simply money, but he wanted to use it himself! Any money was just gravy. Call Of Duty or whatever big games they supported were far more profitable.
After studying hacking for a while, I started looking at how to make our game more frustrating to update the hack. At the core of the game loop was an array of all currently viewable people/vehicles (nominally up to 128). This fixed structure contained most of the dynamic game, so clearly, this was easy to attack if you were writing a hack. However, when you were live in the game, if the server did not receive the heartbeat network packets in a timely fashion, it would drop the client after a short while, so debugging while live was not really possible. We had an offline mode, where you could practice everything (the game had many vehicles and infantry types). It was the same game loop in a unique game "location," with no network required. The author was building his hacking code offline.
Our game had been written in a mishmash of C, C++, Lua, and Javascript nearly a decade before I started there. The code was ugly, frustrating, and a pain to work on. However, having C macros available would make things easier. So, I tackled the vehicle/infantry array first, using macros and accessor functions. I first made the offline and online arrays different but transparent to the programmers. Then, I started building macros for common datatypes like locations, which scrambled the contents in various ways and biased the values. Each build would have different offsets. I also built shadow values, which duplicated (with different biases) important data. Often, a hack is built by watching memory changes while playing the game.
These would not entirely stop a hack, but the investment of time in updating the hack would increase substantially after every release, and the current hack would be less useful until it was fixed. Knowing only one author meant he would waste time updating something that made them little money. I also changed the OpenGL pipeline sufficiently to make the wall hacks painful to update.
One thing we had in the game was a particular "vehicle" used by game managers and the company to watch people play. It was usually invisible but could be turned on and used to scare people who were breaking the rules. I read in the forum that they could always see the "vehicle," so they knew to act normal when it was around. The server programmer and I worked together to make it no longer be in the vehicle list unless it was made visible. Then the forum complained they didn't know when anyone was watching anymore. Somehow, they still thought we (in this case, me!) were stupid. Ha!
Now that I had begun to frustrate the programmer, I focused on identifying who was using the hack. I knew the hacking team had been angered by someone stealing their hack binary, so they changed it to download the hack at runtime. Our app had a launcher containing various settings that launched the game, so the hack had to be running when the game launched.
So, I figured there had to be an open port to download the hack. I found an API in Windows that let me see what ports were open. It was simple enough to discover what IP addresses they were using. Anyone with open ports to those IP addresses had to be running the hack application. If I saw that, I would set an innocuous bit in our launch data that our game would read (in multiple places), and the game binary would then set another innocuous bit in several packets sent to the server as the game ran that the server code would see and mark this user as being a hack user.
After shipping a release with this code, we could tell who the customers who used the hack were, including the programmer (who likely was the first since he had to test it). It turned out to be around a couple of dozen people, thankfully. We then had a fun meeting to decide what to do with this information. It ranged from slowly reducing the accuracy of any weapons during a session to changing them to Bozo The Clown to having a giant arrow floating in the sky pointing to the location of the hacked user, but not in their view. Ultimately, we decided the best idea was to do nothing for a few weeks and then ban them with a generic TOS violation.
After that, the hacking company gave up and removed the product; after all, it was not worth the effort.
None of this is relevant today. But it was a fun couple of months, and I was satisfied with "winning" a small battle. I don't understand why some people feel the need to cheat in a game; I also think that cheating gets boring fast, and likely most people just move on. The whole point of a game, especially one based more on skill than luck, is the challenge; if you remove that, the fun rapidly vanishes. Cheating like this also ruins the game for those who enjoy playing since skill is insufficient.
Games like World of Tanks (which I play today) are server-adjudicated, so all decisions based on user input are made in the safety of the server. This makes hacking the game to gain an advantage difficult or even impossible. There are still ways to cheat; a popular thing in WOT is to pay companies to join in games in low population times that they have stuffed with non-playing tanks, which you can then kill for enormous damage or experience, for bragging rights. It seems stupid to me, and WOT should be able to identify the players who do this and the accounts used to spawn non-playing tanks, but they don't seem to do much. Given that they do analytics on every player, every tank, and every map, this shouldn't be difficult. Like many multiplayer game companies, it's a matter of investment and caring.
Anti-cheat technology today is a big business. It sometimes ruins the game experience for those who don't cheat, but it's also necessary because it makes a lot of money for those who develop the cheats, and that makes the game no fun. Like in war, offense, and defense are constantly fighting each other.
At least, in my case, it was a fun battle! Soon after, I left the company and spent the rest of my career building iOS apps until I retired.