7
\$\begingroup\$

I'm looking for a better way to actually detect "cheats" by checking if the source code of my game has been modified and if any code has been injected to the original code in C#.

The issue is that I'm not sure if it's possible in VR development since file management for Meta Quest (the platform I'm targeting) is rather limited.

Is it possible to directly check for source code modification under these conditions?

Pikalek
13.3k5 gold badges49 silver badges54 bronze badges
asked Apr 22 at 11:00
\$\endgroup\$
2
  • 3
    \$\begingroup\$ What type of cheating are you trying to detect? \$\endgroup\$ Commented Apr 23 at 20:25
  • \$\begingroup\$ Not to be mean but if your IT security know-how is on this level then I'd suggest an off-the-shelf solution. \$\endgroup\$ Commented Apr 25 at 11:39

3 Answers 3

41
\$\begingroup\$

This will not work.

Most fundamentally, because the source code of your game does not exist in the player's device. It only exists on the developer's devices. When you create a build of your game, you compile the source code into either IL bytecode (on platforms that run managed .NET and use just-in-time compilation) or to machine language (on platforms that use ILCPP for ahead-of-time compilation).

So, can you just check if the IL / machine language code is unmodified?

No, because "the client is in the hands of the enemy".

Any routine you write that checks your game's executable for modifications is itself also something an attacker can modify.

They can just change the signature the cheat-checker looks for to match the result of their modifications. Or patch out the routine entirely so it becomes a no-op, or always reports a pass, "no cheats here!" without ever doing the check.

At most, you slow attackers down a little. But if your game attracts dedicated folks motivated to hack it, it's only a matter of time before they overcome any client-side protection you can come up with.

If your game uses online multiplayer or leaderboards, the best place to stop cheating is on the server. There, your code is out of the attacker's hands and you can validate messages from players to check that they're following the right rules.

If your game is offline / single-player, then it might be advisable to not worry that much about cheating. A cheater only "ruins" their own experience, or their friends in local multiplayer quickly learn not to play with them. They don't impact your game for the wider community. And sometimes, players cheat in solo games to make them more accessible, or because they just like playing that way. So, fighting to block this might not make the game better — our energy may be better spent elsewhere.

answered Apr 22 at 11:16
\$\endgroup\$
2
  • 2
    \$\begingroup\$ If someone would like to post a new answer about using trusted computing tech as an anti-cheat, I'd love to read that. Comments are not for extended discussion, so I'd recommend taking it to Game Development Chat if you want to talk about this further without posting a new answer. \$\endgroup\$ Commented Apr 23 at 10:56
  • \$\begingroup\$ Comments have been moved to chat; please do not continue the discussion here. Before posting a comment below this one, please review the purposes of comments. Comments that do not request clarification or suggest improvements usually belong as an answer, on Game Development Meta, or in Game Development Chat. Comments continuing discussion may be removed. \$\endgroup\$ Commented Apr 24 at 20:44
3
\$\begingroup\$

Yes and it's super easy

Go to your git repository (or whatever you use for source code versioning) and have a glance at who created those commits.

Because that is where source code is: on your machines.

What you actually mean is binary modification and let's just say that AAA studios spend millions on that and frequently still fail.

The pretty much only not-off-the-shelf anti cheat measure you can achieve meaningful results with is to have the logic (re-) run server-side. This is a near absolute anti cheat measure against anything logic-wise (random chance events, trades, crafting etc).

It does however not in any way address or impact anything that happens clientside: anything in local coop or singleplayer, information-extracting cheats (like X-ray in Minecraft*), manipulation of inputs (aimbots, scripting etc.) and probably several others I forgot.

For the latter class of cheats there are several solutions, the latest fad being kernel-mode drivers but that is - inferring from your question - far outside of your technical expertise.

What you could do is make it harder to cheat. A first and easy step would be to "sign" (hash and verify) the binary code before launch. This would be moderately easy to bypass and most modern cheat engines work at runtime anyway, so nothing here gets injected prior to ram loading, where it's far harder to integrity-check consistently. Secondly, run a code obfuscation script in your build process. It won't help much but Unity and other projects are easy to disassemble and this will help a tiny bit with little cost on your part (and no cost to honest players).

But more importantly: Give up. accept that people will cheat. If it's a singleplayer game: let them have fun. If its with peer-to-peer coop or custom servers: let the hosts deal with it. If it's online: do statistical analyses to catch and ban client-side cheaters in the aftermath. Not that useful for F2P games but if a cheater has to buy the game over and over again it's a hurdle. Beware false positives here though.

*there are defenses against X-ray cheaters on most bigger minecraft servers. They work by withholding the relevant data from the client until they can legitimately access it (aka the row of blocks behind those they can see is replaced by dirt and updated when revealed). Alternatively they let players -ray and analyse for suspicious behaviour patterns that can then be investigated by a human (mod) and banned. This last approach is widespread across all kinds of online games.

answered Apr 25 at 11:54
\$\endgroup\$
-1
\$\begingroup\$

So i heard about hash anticheats its pretty much for checking if the player is on a patched game, and i would say that for vr projects it can be really helpfull since most of the cheaters on there uses modded apks which are just a patched version of the original game.

answered Apr 25 at 10:20
\$\endgroup\$
2
  • 3
    \$\begingroup\$ This answer would be more helpful if it explained how to check for a patched version in a way that the creator of the patch can't patch-out or deceive. \$\endgroup\$ Commented Apr 25 at 10:53
  • \$\begingroup\$ @DMGregory yeah but those would either be trivially bypassed with existing tools or would be industry secrets worth billions that Moussaa definitely can't afford to leak if they have them. \$\endgroup\$ Commented Apr 25 at 11:55

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.