This is how people cheat in computer games professionally
As long as computer games have been around, players have been trying to break records. Who can get the most points at Pacman or reach the highest level in Donkey Kong? There are numerous traditional records, some of them unbroken for decades and serving as motivation for newcomers to the scene.
Two of the long-standing titans in this field were Americans Todd Rogers and Billy Mitchell, who held a slew of records which were verified, maintained and publicized by the US-based organization Twin Galaxies. When confronted with skeptical inquiries about these records, which had even made it into the Guinness World Records, the two men would hit back with brazen arrogance. So the applause was all the louder when their decades of cheating were uncovered in 2018, and they were stripped of their records and titles. Both were banned for life.
Twin Galaxies provides referees and analysts for the purpose of validating records. Over the years, it has become a customary requirement for players to submit video recordings of their own game sessions. Through their contacts, Rogers and Mitchell managed to avoid this validation and chalked up records that in all likelihood were never real.
Todd Rogers held a record of 5.51 seconds for the Atari 2600 game Dragster. But when user Apollo Legend reverse engineered the game, it became apparent that the purported time was not even possible. The developer of the game confirmed this years later. Twin Galaxies annulled the record and banned Rogers.
Billy Mitchell’s downfall came when it emerged that he had recorded his record-breaking game for the arcade title Donkey Kong using a MAME emulation rather than a printed circuit board (PCB). The user xelnia discovered this 35 years later by analyzing the sequential structure of sprites in the transition between levels. There are a few key differences between hardware and emulation, meaning that there are also different options for manipulation. All of his records were removed by Twin Galaxies and he too was barred.
The speedrunner scene is all about pace – the aim is to reach the end of the game as quickly as possible. The player uses any possible shortcuts that the game can offer, ideally without losing a life. These speedruns require an advanced understanding of the game, refined skills and the utmost concentration. If you’re a non-speedrunner and think you’ve got a particular knack for a game, you may well think again when you see what a professional speedrunner can do.
The race for the best time can be nerve-wracking and frustrating. This is why players occasionally resort to splicing, in which certain sequences are played through until the optimal recording can be achieved. These segments are then put together with an editing program to create the illusion of a perfect speedrun. Segment runs are allowed in some games, but they cannot be passed off as real-time attacks.
But these edited recordings turned out poorly, especially in the early years. Cheats tended to neglect the audio track in particular, which meant manipulation often became evident on closer inspection. Either splices were too rough or cut at the wrong point, or there was unexpected noise on the audio track.
Edits are best carried out during a simple or even static scene, like a loading sequence. But because many games don’t have sound for the loading screen, the speedrunning community has focused on the analysis of the image material in recent years. One particularly exciting case is a real-time attack run of the game Super Meat Boy from 2012. The user ExoSDA was caught red-handed because the bandage girl autosave animation has a particular rhythm that has to remain consistent across different loading sequences. By analyzing it frame by frame, it became apparent that the segments from different runs had been spliced together:
At 60 FPS, her arms move in a regular 40-frame cycle, so her arms will be up for 20 frames and then down for 20 frames. At 30 FPS, these values are halved, so we would expect a 20-frame cycle with 10 frames of arms up and 10 frames of arms down. Rinse and repeat.
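A frame-level check of the rhythm described above, as an added example that is not part of the original analysis or of this article. It assumes the arm state has already been labelled per video frame ('U' for up, 'D' for down); the function names, the one-frame tolerance and the sample sequences are constructed for illustration.

```python
from itertools import groupby


def half_cycle(fps):
    """Frames the arms stay up (or down): 20 at 60 FPS, 10 at 30 FPS."""
    return round(20 * fps / 60)


def find_rhythm_breaks(states, fps=60, tolerance=1):
    """Return (start_frame, state, run_length) for every run of identical
    arm states that does not fit the expected rhythm.

    states    -- string of 'U'/'D', one character per frame of a loading screen
    tolerance -- frames of slack for capture jitter (assumed value)
    """
    expected = half_cycle(fps)

    # Collapse the per-frame labels into runs: (start, state, length).
    runs, pos = [], 0
    for state, group in groupby(states):
        length = len(list(group))
        runs.append((pos, state, length))
        pos += length

    breaks = []
    for i, (start, state, length) in enumerate(runs):
        is_edge = i == 0 or i == len(runs) - 1
        if is_edge:
            # The loading screen can start or end mid-cycle, so an edge run
            # may be shorter than expected, but never longer.
            if length > expected + tolerance:
                breaks.append((start, state, length))
        elif abs(length - expected) > tolerance:
            # An interior run must last exactly one half-cycle.
            breaks.append((start, state, length))
    return breaks


# Constructed sample data (not taken from any real run), 60 FPS capture.
CLEAN_60 = "U" * 7 + "D" * 20 + "U" * 20 + "D" * 20 + "U" * 12
# Same screen with a cut inside the second arms-up phase: 13 frames, not 20.
SPLICED_60 = "U" * 7 + "D" * 20 + "U" * 13 + "D" * 20 + "U" * 20 + "D" * 5
# Constructed 30 FPS capture with an intact 10/10 rhythm.
CLEAN_30 = "D" * 4 + "U" * 10 + "D" * 10 + "U" * 3

if __name__ == "__main__":
    for name, seq, fps in [("clean 60", CLEAN_60, 60),
                           ("spliced 60", SPLICED_60, 60),
                           ("clean 30", CLEAN_30, 30)]:
        print(name, find_rhythm_breaks(seq, fps=fps))
```

A reported break only localizes the frame range a reviewer should inspect by hand; dropped frames in the capture can produce the same symptom.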
Those discovered manipulating the results in this way are stripped of their records and lose their standing among their gaming peers. For anyone deeply involved in the scene, this is no doubt a major blow. But for the independent observer such cases seem more like trivial bickering.
The first officially documented computer game competition took place in 1972 at Stanford University, where enthusiasts played the classic game Spacewar for the prize of an annual subscription to Rolling Stone magazine.
Almost 50 years later, the eSports competitive computer game scene has become thoroughly professionalized. Now individual players or teams compete against each other. Typically this will involve games in the genres of real-time strategy (RTS), first-person shooter (FPS), fighting games and multiplayer online battle arena (MOBA).
This professionalization has been driven by economic factors, with players now competing for prestigious, highly lucrative prizes. And well-known players have further opportunities for monetization with sponsoring and advertising deals. But for this to happen, competitions have to be held on the Internet and broadcast live on TV stations. In 2015, there were 226 million viewers, with the eSports sector generating USD 325 million. The following year, revenues hit USD 493 million, and there is still a strong upward trend.
Cheating may have become a major issue once the sector started pulling in the big bucks, but it has been around for quite some time. It’s just that now that the stakes are higher, cheats are getting far more sophisticated in their methods. They are spending more and investing more heavily in manipulating the outcome of games.
Much like traditional sports, the eSports sector allows betting. Well-known betting outfits have specific areas on their sites for eSports. Typically they offer the options of winner/loser and score ratios, but major betting companies also allow game-specific and exotic or highly dynamic bets, such as first kills or even/odd kills.
Here, too, odds are calculated and offered, and bettors can use them to decide where to place their wagers. Betting fraud makes it possible to force wins. This could involve collusion with one or more participants in a competition. Match fixing involves deciding who will lose (and consequently who will win). This kind of cheating to lose is very easy to implement and can even work without the cooperation of other players or referees (meaning only one party is involved).
On the one hand, manipulated betting may be discovered during the game itself, for example, when observers notice atypical gaming behavior, such as players performing below their normal, expected level. Computer-aided analysis, particularly when it is combined with artificial intelligence, can be used to detect unexpected behavior.
On the other hand, analysis of betting behavior can turn up signs that point to manipulation. Here, too, the aim is to detect anomalies. These might include a large number of bets placed at the same time, unusually large wagers or betting against the statistical odds. Among the well-documented examples are bets for games like StarCraft, Counter-Strike and League of Legends. Data correlations can uncover fraud networks and determine who is running the racket or who is involved.
Doping is traditionally associated with strength and endurance sports, such as weightlifting and cycling. But there are other sports that are prone to drug use, particularly those with a disproportionate emphasis on mental performance. And eSports are no exception.
In recent years, various active and now inactive players have confessed to taking performance-enhancing drugs, either on their own initiative or at the behest of their coach. The Electronic Sports League (ESL) has collaborated with the World Anti-Doping Agency to draw up a List of Prohibited Substances. The following are particular favorites among players, including those on the poker circuit:
These promise to enhance:
Anyone who consumes marijuana for medical reasons, for instance, must disclose this in advance and provide a doctor’s certificate.
Originally, there were plans for skin tests for prohibited substances, but testers decided on saliva samples for practical reasons. These are collected during the competition without warning. In contrast to sports such as football and tennis, there are (currently) no plans for tests outside of competitions.
One means of cheating that is very simple in theory is “whispering” or passing on information. In competitive games, a player gains an advantage if they become privy to unknown information at an early stage. That could include information about an opponent’s position or allocation of resources.
This kind of knowledge can be passed on by members of a team communicating information to each other. This could come from seeing this information on a screen (screen peek), which happened with the Azubu Frost team during the 2012 World Championship of League of Legends. Or a player might gain additional information about what is currently happening in the game after being eliminated (e.g. spectator mode).
On the other hand, information can be passed on by non-players, including spectators. Indirectly, this category of course also includes the overall behavior of the audience, which might greet moves or decisions with a murmur or a roar. But actors in the audience may also want to deliberately pass on information to players. This could include concrete examples of calling out information or instructions, or coded messages such as coughing as seen in the British version of Who Wants to Be a Millionaire?.
Information can also be passed on with technology, such as team members giving extra instructions through headsets. Manipulated headsets can be used to transmit instructions via radio, thus avoiding monitored communications through computers and networks.
Various measures are used to counter this form of external influence. Players often have to wear heavy-duty ear protection, and their headsets may additionally be fitted with white noise or noise-canceling functions to prevent undesirable communications.
So far, our look at cheating has concentrated largely on non-technical methods. But technical cheating is a huge factor in eSports, so let’s take a closer look at the various options for cheating at the technical level.
In contrast to manipulated betting, technical cheating is all about cheating to win. By breaking in-game rules, players attempt to exploit the idiosyncrasies of the game’s mechanics. These include:
These idiosyncrasies are often exploited during speedruns to set practically impossible records. For example, in Bioshock there is a skip glitch which can shave several minutes off a player’s time. But here, too, there is ongoing discussion about the validity of speedruns with glitches. Some argue that they are part of the program and therefore fair game for exploitation. Developers of Pokémon Gen 1, for instance, incorrectly implemented the Poké Doll object, which can provide a decisive advantage in the fight against the Marowak Ghost. The titles in the classic Metroid series are deliberately based on non-linear possibilities in the gaming environment. Others call for a clear distinction between speedruns with glitches and those without (“glitchless” or “no skips”).
But over time a hybrid status has emerged for certain games. In some difficult passages, such as those that depend on the time elements of luck and chance, skips and exploits are permitted (in Zelda and Fallout, for instance).
The classic example of an exploit in competitive eSports is the design flaw in the Overpass map in CS:GO. When one player climbed on top of another, they could view the map. This inevitably provided a tactical advantage. Using this boost led to the disqualification of the well-known Fnatic team in 2017.
Another example in competitive eSports was a wall glitch in PlayerUnknown’s Battlegrounds (PUBG), which was consistently and successfully exploited at the 2018 IEM event in Poland. There was no less than USD 50,000 in prize money at stake, so there was considerable outcry from gamers. These errors are one reason why the FIFA game series is yet to find a lasting place in commercial eSports.
It is up to the developers of the games to recognize these exploits and correct them with patches. This is the only way to guarantee a stable platform that prevents players gaining an underhand advantage. But it’s not as easy as it sounds. Many developers are simply not interested in creating the perfect eSports game. Some studios, for instance, discontinue support for their games after a certain time, so it’s up to the competitive scene to define what is and isn’t permitted. Sometimes the matter is even resolved with a custom patch.
Software hacks are particularly popular in competitive online gaming at the amateur level. Here an existing game is manipulated or expanded to provide advantage for the player.
One very simple method that some online gamers have had to contend with is the disconnect (abort game), which is when a player who is about to lose a game simply disconnects their system. In the case of many titles, the game isn’t counted and the lost points and lost game aren’t factored into the statistics. Developers can counter this by continuing to allow reconnects (for a certain time), by counting canceled games, or by slapping a temporary ban on anyone with a suspicious number of disconnects to their name.
A similar approach is to use a local lag switch or (temporary) denial of service attack (DoS) to restrict an opponent’s network access through flooding. But this can also allow a player to deliberately direct the flow of the game by forcing a slow-motion effect or using arrhythmic movements (lagging).
Rapid fire has been used in video game consoles since the early days. In certain games where players have to shoot laboriously and repeatedly, a turbo button can automate this mechanical process. This prevents fatigue and under certain circumstances can reach a constant frequency that cannot be achieved through natural means.
Triggerbots are often used to enable shooters to force automatic firing as soon as an opponent is fixed in the cross-hairs. This can save valuable time between recognizing the opponent, aiming and firing, because the player merely has to aim to force the required hit within a fraction of a second. This non-human response time can be statistically proven, which is why advanced bots try to evade detection through artificial delay.
Aimbots, also known as auto-aim, go one step further by taking care of the aiming as well. This usually happens at the code level, so it has no impact on the controls and therefore the direct gaming experience of the player. Aimbots can be detected through statistical information. In particular, the timing between identification of a target, aiming, and firing is consistently short and thus highly conspicuous (even more so than triggerbots).
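The statistical detection mentioned for triggerbots and aimbots, sketched as an added example that is not from the article or from any anti-cheat product. It assumes the server logs, per engagement, the milliseconds between a target becoming visible and the shot; the thresholds, function name and all sample values are constructed assumptions.

```python
import statistics

# Assumed thresholds, to be calibrated against a game's own telemetry.
HUMAN_FLOOR_MS = 150   # medians below this are treated as non-human
MIN_SPREAD_MS = 25     # humans vary; a tighter spread is conspicuous
MIN_SAMPLES = 20       # do not judge a player on a handful of shots


def assess_reaction_times(times_ms):
    """Summarize target-visible-to-shot delays and list reasons for review.

    Returns a dict with the median, the median absolute deviation (MAD)
    and a list of reasons; an empty list means nothing stood out.
    """
    if len(times_ms) < MIN_SAMPLES:
        return {"median": None, "mad": None, "reasons": ["insufficient-data"]}

    median = statistics.median(times_ms)
    # MAD is robust against a few outliers such as a missed or lucky shot.
    mad = statistics.median([abs(t - median) for t in times_ms])

    reasons = []
    if median < HUMAN_FLOOR_MS:
        reasons.append("median-below-human-floor")
    if mad < MIN_SPREAD_MS:
        # A fixed artificial delay shifts the median but not the spread.
        reasons.append("unnaturally-consistent")
    return {"median": median, "mad": mad, "reasons": reasons}


# Constructed sample data, 20 engagements each (not real telemetry).
HUMAN = [230, 310, 275, 198, 402, 260, 345, 221, 290, 510,
         240, 333, 281, 267, 219, 377, 305, 252, 296, 430]
AUTOMATED = [42, 45, 40, 44, 43, 41, 46, 42, 44, 43,
             45, 41, 42, 44, 43, 40, 45, 43, 42, 44]
# The same automated timings with a constant 200 ms delay added.
DELAYED = [t + 200 for t in AUTOMATED]

if __name__ == "__main__":
    for name, sample in [("human", HUMAN), ("automated", AUTOMATED),
                         ("delayed", DELAYED)]:
        print(name, assess_reaction_times(sample))
```

The reasons are grounds for manual review or further data collection, not proof on their own.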
With a wallhack, which can be excellently combined with aimbots, players can see or even shoot through walls (even if the physics of the game don’t allow it). Most implementations work by displaying the outline of the opponent behind the wall (x-ray view). This enables early detection of the number, position and movements of opponents, offering an anticipatory advantage.
One indirect option is extra-sensory perception (ESP), which involves modifying a game with additional mechanisms to pass on information to the player. This might include a joypad that vibrates on approach of opponents, even before they become visible. This approach is harder to detect as an anomaly in a game, as all ESP usually does is provide additional data; the player still has to respond to it, however. At first glance, the behavior may seem highly organic.
With round-based games, look-ahead can offer an advantage. This approach is particularly favored for strategy and card games where the player has to wait for other players to act before they can select and communicate their own move. A lockstep protocol can hinder this approach.
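How a lockstep turn blocks look-ahead, as an added example that is not from the article or from any particular game: every player first submits a hash commitment to their move, and moves are revealed only once all commitments are in. The class and function names and the SHA-256 commitment with a random nonce are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets


def commit(move):
    """Player side: return (digest, nonce) for a move kept secret for now."""
    nonce = secrets.token_bytes(16)  # fixed length, hides low-entropy moves
    digest = hashlib.sha256(nonce + move.encode()).hexdigest()
    return digest, nonce


class LockstepTurn:
    """Referee side: one turn with a commit phase and a reveal phase."""

    def __init__(self, players):
        self.players = set(players)
        self.commitments = {}
        self.moves = {}

    def submit_commitment(self, player, digest):
        if player not in self.players:
            raise ValueError("unknown player")
        if player in self.commitments:
            raise ValueError("commitment already submitted")
        self.commitments[player] = digest

    def reveal(self, player, move, nonce):
        """Accept a move only if it matches the earlier commitment."""
        if player not in self.players:
            raise ValueError("unknown player")
        # No move is disclosed before everyone is bound to a choice.
        if set(self.commitments) != self.players:
            raise RuntimeError("reveal phase not open yet")
        expected = hashlib.sha256(nonce + move.encode()).hexdigest()
        if not hmac.compare_digest(expected, self.commitments[player]):
            return False  # move was changed after committing
        self.moves[player] = move
        return True


if __name__ == "__main__":
    turn = LockstepTurn(["alice", "bob"])
    a_digest, a_nonce = commit("play card 7")
    b_digest, b_nonce = commit("pass")
    turn.submit_commitment("alice", a_digest)
    turn.submit_commitment("bob", b_digest)
    print(turn.reveal("alice", "play card 7", a_nonce))  # honest reveal
    print(turn.reveal("bob", "play card 9", b_nonce))    # altered move
```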
In his talk, John McDonald explains how Valve uses machine learning to identify and neutralize cheats based on their behavioral patterns. The Valve Anti-Cheat system (VAC) offers a promising approach and one that is urgently required if competitive (online) games are to remain appealing to legitimate players in the future.
In addition to the usual software hacks, there are also hardware hacks. These involve manipulating hardware to enhance and optimize functionality. Existing hardware may be modified or additional components added. The simplicity and accessibility of Arduino makes it a popular option.
Mechanical, computer-aided control of hardware is also an option in some cases. Joypads and phones, for instance, can be linked up in certain configurations so that they trigger mechanical input, although at present this is largely a trick carried out by hobbyists who still see it as being in the proof-of-concept phase.
In some tournaments, particularly in the lower leagues, players sometimes smuggle in built-in USB devices. These are illicit USB devices that are installed into legitimate components. A player may bring a hardware mouse, for instance, which additionally conceals a USB memory device. This might be a USB hub and a ‘BadUSB’ (e.g. Rubber Ducky or Teensy).
This can be automatically opened by the operating system to offer expanded functionality as a cheat injector. Other methods hide the cheat code in the drivers of the hardware components, making them very difficult to detect.
These include hardware-based triggerbots. The demo videos of these triggerbots are contentious, as the functionality shown cannot be achieved solely through the hardware used. But the combination of different sensors and automatisms is certainly conceivable.
Cheating at games is probably as old as humanity itself. Competitive games, particularly where financial reward is involved, are of course particularly attractive targets.
And eSports are no exception. In addition to the classic methods of collusion, bet fixing and performance-enhancing substances, there may be various technical methods in play. By exploiting the idiosyncrasies of a game, players can gain an advantage just as they can by manipulating software and/or hardware.
Game developers, leagues and referees are all concerned with preventing, hampering or at least detecting this kind of fraud. The more money that is invested in eSports, the more effort goes into thwarting undesirable cheats – an interdisciplinary task that comes with plenty of challenges.