# Is it possible to prevent players from altering the client side graphics in a game?

## Recommended Posts

glhf    585
First of all I'm not sure which is the best forum to post this question in so it's ok to move it if you think there's a better place for it.

So yeah it's a pretty simple question..
I don't want players to alter graphics like trees or remove darkness from caves/night etc.
It completely ruins so many wonderful game features in many games.. They remove trees so it's only a stub or the root whtever you want to call it remaining. 100% daylight everywhere always. Remove pretty much anything that might cover their view or make the game harder.

Arma2 is a good example where they've removed everything pretty much client side and the whole aspect of crawling in the grass to stay hidden is ruined.. Very hard to stealth though forests when there's barely anything to cover you.. etc.

##### Share on other sites
Telastyn    3777
There's no current technological solution to this. The most effective mechanism is to punish people caught doing it and foster a playerbase that frowns upon such cheating.

turch    590

##### Share on other sites
spek    1240
Not sure how they do it, but one simple way to cheat is tweaking shader code or adjusting images being used in the game. For example, making all the leaves/grass transparent.

Maybe a wild idea, but maybe this helps detecting cheaters (as far that as is possible):
- For each map, before starting, render a special part of the scene in the background. This scene is a compilation of typical content of that map. Grass, a soldier, coverage, and whatsoever.
- Render the scene and take a snapshot
- Compare the snapshot with a prebuild (hardcoded) bitmap that contains the same image how it *should* look
- If not (almost) equal, it means the player tweaked something
- Shout Al Qaeda and blow up his computer

Basically it's sort of an iris-scan.

Of course, there are some practical issues as images never look 100% the same, especially not if there are many options. So there must be some tolerance in the comparison, otherwise noone will be able to play. But other than that, the comperator should detect invisible grass, blue colored handgrenades, or whatever that has been visually changed by adjusting the textures/shaders...

I bet there are still workarounds, as said, it's just a wild idea that popped up suddenly.

##### Share on other sites
SimonForsman    7642
[quote name='spek' timestamp='1333739572' post='4928873']
Not sure how they do it, but one simple way to cheat is tweaking shader code or adjusting images being used in the game. For example, making all the leaves/grass transparent.

Maybe a wild idea, but maybe this helps detecting cheaters (as far that as is possible):
- For each map, before starting, render a special part of the scene in the background. This scene is a compilation of typical content of that map. Grass, a soldier, coverage, and whatsoever.
- Render the scene and take a snapshot
- Compare the snapshot with a prebuild (hardcoded) bitmap that contains the same image how it *should* look
- If not (almost) equal, it means the player tweaked something
- Shout Al Qaeda and blow up his computer

Basically it's sort of an iris-scan.

Of course, there are some practical issues as images never look 100% the same, especially not if there are many options. So there must be some tolerance in the comparison, otherwise noone will be able to play. But other than that, the comperator should detect invisible grass, blue colored handgrenades, or whatever that has been visually changed by adjusting the textures/shaders...

I bet there are still workarounds, as said, it's just a wild idea that popped up suddenly.
[/quote]

While this would prevent a user from simply changing the assets it would be far easier then to just grab a checksum for the assets and shaders and send to the server.

The real problem is that any user could also modify the client and have it render the background scene(or generate checksums) using the original assets while using the modified ones for the part the player sees, (This isn't that difficult to do and if you get a decent number of players you can be almost certain that someone will do it and upload a patch or loader on the internet for less tech-savvy cheaters to use), Any kind of clientside anticheat prevention will basically go down the same path as copyprotection schemes, at best it will delay the cheaters/pirates by a few days or weeks.

The only solution then is to update so frequently that client modifications become too much of a hassle, something which you most likely cannot afford to keep doing for a very long time.

##### Share on other sites
glhf    585
I know in big games like WoW, rift etc I've never heard about any clients where they've altered client side graphics like removing trees etc.
But I guess it's less meaningful to do that in those games.

But in Darkfall Online, Which I haven't played much but I don't think there was those type of clients available there either.
And in this game it would be a big time advantage removing all trees etc to easier spot players.

So is it just fluke no one have done it for these games or have they some kind of prevention?
Or were there altered client side graphics clients available that I didn't know about?

##### Share on other sites
glhf    585
The problem is that they can change anything on their client side..
So solution is to make game art to NOT be on the client side... or at least on on the players computer.

Is it possible to stop them if the game is browser based or if they have to play from some kind of VPS or something?
Then we could limit them from doing anything else but playing the game?

##### Share on other sites
Chris_F    3030
[quote name='glhf' timestamp='1333754478' post='4928929']
I know in big games like WoW, rift etc I've never heard about any clients where they've altered client side graphics like removing trees etc.
But I guess it's less meaningful to do that in those games.
[/quote]

On the contrary. I remember map editing being a problem in WoW. It would allow for various "wall hack" and related exploits.

In the end there was really no technical prevention that Blizzard could possibly concoct to stop it. Instead they relied on good old game master monitoring and harsh punishments.

##### Share on other sites
ddn3    1610
You can but it would require you to run the full rendering on the server side like Onlive does. Tweak the shaders to your hearts delight on the client side, nothing is rendered there.. However that doesn't mean u can't hack, just means those hacks are not possible.. Maybe u can do round robin, where your rendering is rendered by your neighbor etc.. so the client would have no incentive to hack their side? That's kinda crazy though..

-ddn

##### Share on other sites
markr    1692
In general it's impossible.

If it annoys you that much, then either:

* Develop for a platform which has DRM and is protected against being rooted (e.g. XBox, iPad). They can still be rooted, but the hardware provider typically discourages it and makes it difficult, you can have your game refuse to run on jailbroken / rooted hardware, and indeed, deactivate the player's account if he tries to play on using a (known) rooted client. The providers typically already have such mechanisms in place.
OR
* Don't write games which are susceptible to this kind of cheat

In general, the types of games which are most hard to cheat on are

* Games where all information is known to all players anyway. Imagine a resource-management game where all info is available to all players - there is no benefit from a player modifying the client-side graphics (i mean, they COULD if they wanted, but it would not confer a specific advantage).
* Hey why not open up your network protocol AND open-source your client, then people can write their own client (including bots) legitimately if they want

##### Share on other sites
glhf    585
[quote name='ddn3' timestamp='1333759516' post='4928938']
You can but it would require you to run the full rendering on the server side like Onlive does. Tweak the shaders to your hearts delight on the client side, nothing is rendered there.. However that doesn't mean u can't hack, just means those hacks are not possible.. Maybe u can do round robin, where your rendering is rendered by your neighbor etc.. so the client would have no incentive to hack their side? That's kinda crazy though..

-ddn
[/quote]

But hacking is a serious crime all over the world though?
So I think that's not going to be a big issue since most people would be scared from getting arrested for hacking just to accomplish altering the graphics.

I am not sure what OnLive is.

##### Share on other sites
Antheus    2409
[quote name='glhf' timestamp='1333794807' post='4929011']
But hacking is a serious crime all over the world though?[/quote]
It's not. Either a crime, felony, misdemeanor or anything similar.

At most it will be a violation of EULA, causing your account to be banned.

And once more - there is no way to prevent it.

Each GPU model renders graphics differently - if you compare pixels, they are not identical, even geometry will be different. So each client is already free to render any way it wants.

[quote]WoW, rift etc[/quote]
All important logic runs on server. You may hack the client any way you want, nothing will change, since all actions work with server's state.

WoW and later MMOs take compromised client into account. They assume that client will be completely "hacked". So each client is given only minimal information and no authority.

[quote]I remember map editing being a problem in WoW.[/quote]

WoW doesn't enforce topology checks, it merely periodically verifies them. So instead of validating every single move, it merely tests for valid coordinates every few seconds or so.

Wallhacks were exploited for teleporting between zones. While there exist robust algorithms for preventing them, the naive client-side collision detection works just as well and a handful of offenders can be trivially detected later, so using much more complex code and asset design isn't necessary.

##### Share on other sites
glhf    585
[quote name='Antheus' timestamp='1333801048' post='4929018']
[quote]WoW, rift etc[/quote]
All important logic runs on server. You may hack the client any way you want, nothing will change, since all actions work with server's state.

WoW and later MMOs take compromised client into account. They assume that client will be completely "hacked". So each client is given only minimal information and no authority.
[/quote]

Can you please go a bit more indepth on this?
Sorry if I'm slow to understand this but I'm not a programmer but I think it's important to understand the theory at least so we know what kind of games we can make.

Specifically what do you mean by "All important logic runs on server".. You say that nothing will change no matter how much they hack the client..
It sounds like it's a working prevention?
The most important thing for me to prevent is to not let them alter the assets like trees, walls, bushes, tall grass etc on the client side.
Because if they can remove all that while other players can't then it's very unfair.
And secondly to not allow them to create light hacks.

It's just so sad if there's no way to stop it..
It's so hard to make an immersive game with all the cheaters that will ruin it.
So they can remove any object on their client side in a game?
Sounds like only way to make it fair for all players is to make a completely flat map with only transparent objects.

##### Share on other sites
Hodgman    51336
[quote name='Antheus' timestamp='1333801048' post='4929018']
All important logic runs on server. You may hack the client any way you want, nothing will change, since all actions work with server's state.
....
WoW doesn't enforce topology checks, it merely periodically verifies them. So instead of validating every single move, it merely tests for valid coordinates every few seconds or so.[/quote]These two paragraphs contradict each other -- the first one implies no cheats are possible, while the 2nd implies that restricted teleport-hacks are possible (which they are, along with reveal-hidden-knowledge hacks, etc...).

WoW's ([i]and most game's[/i]) best anti-cheat weapon is money -- you pay for an account, and when a GM ([i]or a service like PunkBuster[/i]) bans you for cheating, you lose that money.

##### Share on other sites
Bacterius    13165
[quote]WoW's (and most game's) best anti-cheat weapon is money -- you pay for an account, and when a GM (or a service like PunkBuster) bans you for cheating, you lose that money.[/quote]
Well, at the same time, bots and the like also have an account, which is ultimately income to Blizzard (or any MMO company), so I guess for maximum profit they would balance the amount of bots "playing" against the number of players quitting because of the presence of said bots. Because let's face it... they [i]are[/i] doing just that.

##### Share on other sites
Antheus    2409
[quote]Well, at the same time, bots and the like also have an account, which is ultimately income to Blizzard (or any MMO company), so I guess for maximum profit they would balance the amount of bots "playing" against the number of players quitting because of the presence of said bots. Because let's face it... they [i]are[/i] doing just that.[/quote]

Not really.

Sure, it's money in the bank, but as far as economics go, allowing bots is definition of short-sighted pump-and-dump approach do business. It's a losing proposition that doesn't even cover the cost of upkeep.

Bots are disposable and nor them (being code) nor their owners have any vested interest. Each bot needs to produce more than it's worth or it's dumped. They don't create any network effects, don't socialize, have no wide impact on ecosystem as such. Bots exist painfully inside the game only, whereas the most valuable part lies in humans (recommend game, fill out polls, generate buzz).

Impact of bots can is somewhat similar to increasing number of NPCs. They may change perceived content

it depends on game though. There is a certain cost to acquisition of a new customer weighted vs. their return. Bots have a flat curve. The profit however, increasingly so in social/free games lies in golden geese. While 50% of users won't pay anything ever (pure loss) and while 40% may come close to breaking their acquisition cost, the remaining 10% will be generating all the revenue. So first 90% are leveraged against the paying 10% as content. Bots in this case don't provide much if any value.

While the $15 subscription fee (which is a rarity these days) may seem like pure profit, the number is actually weighted against general demographics. That price does not scale from 1 to 1 million users. If you have 1 user and 10,000 bots, it may be enough to cover the operating costs, but there will be no growth - and you will have no budget left for marketing to attract new real users. Once the 1 real user leaves, the bots will figure out there's no profit to be made anymore and leave - bam, you're broke. And once you have 15 million users, the minority of$15 bots is a drop in the bucket.

Obviously, all of the above are just possible scenarios, running such things as a business requires understanding of actual server-side numbers, not the PR releases and those always paint a completely different picture. It's also possible to find good value in bots.

##### Share on other sites
slicer4ever    6769
[quote name='glhf' timestamp='1333803735' post='4929024']
[quote name='Antheus' timestamp='1333801048' post='4929018']
[quote]WoW, rift etc[/quote]
All important logic runs on server. You may hack the client any way you want, nothing will change, since all actions work with server's state.

WoW and later MMOs take compromised client into account. They assume that client will be completely "hacked". So each client is given only minimal information and no authority.
[/quote]

Can you please go a bit more indepth on this?
Sorry if I'm slow to understand this but I'm not a programmer but I think it's important to understand the theory at least so we know what kind of games we can make.

Specifically what do you mean by "All important logic runs on server".. You say that nothing will change no matter how much they hack the client..
It sounds like it's a working prevention?
The most important thing for me to prevent is to not let them alter the assets like trees, walls, bushes, tall grass etc on the client side.
Because if they can remove all that while other players can't then it's very unfair.
And secondly to not allow them to create light hacks.

It's just so sad if there's no way to stop it..
It's so hard to make an immersive game with all the cheaters that will ruin it.
So they can remove any object on their client side in a game?
Sounds like only way to make it fair for all players is to make a completely flat map with only transparent objects.
[/quote]

You could do something like, shoot a ray from the player, to all enemy's players, and see if it's possible to see them on the server, if so, the server sends a draw command for the enemy player. so the client can never actually "see" a player, until the server says so.

but that would be alot of backend work for the server, per match. it's pretty unrealistic imo. As well, for people with slower connections, they are pretty much screwed.

In the end, your just going to have to live with it, the only true way to prevent such things is with something like onLive(essentially, onLive receives input from the player, renders a scene, and sends the final image back to the player. it's essentially streaming video/input, and the client does no work on their end.)

another suggestion was to use a checksum method on your graphics, but that well most likly be overcome. hackers are notoriously well able in defeating almost any security on client side games. the most fundamental problem is you are developing for open hardware, where anyone could just straight up modify the ram at run-time if they wanted.

So, either you have to just accept it, or have some serious funding to pull off all server side rendering.

##### Share on other sites
Antheus    2409
[quote]Can you please go a bit more indepth on this?
Sorry if I'm slow to understand this but I'm not a programmer but I think it's important to understand the theory at least so we know what kind of games we can make.[/quote]

[quote]The most important thing for me to prevent is to not let them alter the assets like trees, walls, bushes, tall grass etc on the client side.[/quote]

WoW assumes that client was hacked. That user has a maphack, showing all the nearby foes and that same hack can auto target them. It assumes client changed textures so instead of camo everyone wears a big blinking red HIT ME sign. That they are running a macro spamming buttons at 1000Hz.

So they design gameplay with that in mind. Each client is only sent data about nearby units. Targeting is sticky. Aiming and hitzones are not used. Visibility is not a major factor. All actions are on a cooldown and most exploits involved those without cooldown (I seem to remember the druid shapeshift macro which got around "intended" behavior). And so on...

Same principles were explored for detailed simulations. For example, if player is hiding behind a bush, visibility is computed on server and instead of sending entire character data, only the shoulder that is visible is sent to player. But none of this solves anything, I can still replace every part of player geometry with bright red while I change world textures to gray. Most of work was done to minimize bandwidth.

Alternative solution is to develop for consoles, where malicious behavior is controlled to a degree.

##### Share on other sites
glhf    585
[quote name='slicer4ever' timestamp='1333817103' post='4929082']
You could do something like, shoot a ray from the player, to all enemy's players, and see if it's possible to see them on the server, if so, the server sends a draw command for the enemy player. so the client can never actually "see" a player, until the server says so.

but that would be alot of backend work for the server, per match. it's pretty unrealistic imo. As well, for people with slower connections, they are pretty much screwed.
[/quote]

I like the rays idea.. But would still be slightly unfair.
For example.. Some leaves are covering top half of body on a character a bit in the distance while he's running between trees.
But the cheater who has no trees or leaves or any obstacles blocking view.. he will have it really easy to see the half body running in the distance when there's nothing for it to blend into or distract the view. Plus it sounds difficult to only render parts of the body depending on what the rays hit. And then as you say it's probably too much server work.

I'll ask now what are some easy + efficient ways to detect if a player has altered the game?

[quote name='slicer4ever' timestamp='1333817103' post='4929082']
another suggestion was to use a checksum method on your graphics, but that well most likly be overcome. hackers are notoriously well able in defeating almost any security on client side games. the most fundamental problem is you are developing for open hardware, where anyone could just straight up modify the ram at run-time if they wanted.
[/quote]

This is great, Even though it can be beat.. If you use the technique of waiting a week or two before banning the account (which was bought).
It adds to the scare factor because they don't know if they have been detected or not.

Are there any more ways to detect if someone has altered the client side graphics?

##### Share on other sites
glhf    585
[quote name='Antheus' timestamp='1333817843' post='4929085']
[/quote]

I def wouldn't design a game for trusted clients.. That's why I started this thread to find out what kind of game I can make.

But I just can't think of any fun and meaningful games if you have to design the game so everyone has the power of a cheater.
A cheater can as you said, remove all colors in the game except for the players, and remove trees, walls, ANYTHING... everythign transparent.. They could make the game just a flat map with nothing blocking the view except the players.

Does that sound like a fun game?

##### Share on other sites
Antheus    2409
[quote]But I just can't think of any fun and meaningful games if you have to design the game so everyone has the power of a cheater.[/quote]

WoW and all later high-profile MMO projects (indie and similar tend to be a mixed bag).
Zynga, Playfish, Facebook and other social gaming (trivial gameplay which automation devastates).
Also, Starcraft 2 (competitive), Diablo 3 (includes real money, so kinda a big deal), etc...

Whether the games above are fun is subjective, but all of them assume, in their design, the client is untrusted.

FPS in mean time require minimal amount of trust. Since as article above points out that isn't possible, they usually separate servers on those that add third-party checks or other methods to control the behavior.

[quote]They could make the game just a flat map with nothing blocking the view except the players.[/quote]

Yes, that can be done without even touching the game, just intercept the DX/OGL calls. That's a fact.

Yet online FPS genre continues to exist despite that. So apparently it's not that big a deal. You may however require administered servers and additional tools to determine who actually does that. It's also possible to analyze movement patterns to notice who "knows" too much.

All of these methods are more expensive.

Adventure games were a genre that required such secrecy. When internet happened, the genre died out - all puzzles were just a search away. It is quite possible that your idea is obsolete as well. It happens.

##### Share on other sites
slicer4ever    6769
[quote name='glhf' timestamp='1333819058' post='4929093']
[quote name='Antheus' timestamp='1333817843' post='4929085']
[/quote]

I def wouldn't design a game for trusted clients.. That's why I started this thread to find out what kind of game I can make.

But I just can't think of any fun and meaningful games if you have to design the game so everyone has the power of a cheater.
A cheater can as you said, remove all colors in the game except for the players, and remove trees, walls, ANYTHING... everythign transparent.. They could make the game just a flat map with nothing blocking the view except the players.

Does that sound like a fun game?
[/quote]

The problem is that your trying to force cheaters to not cheat. If a person wants to cheat, their's not alot you can do to stop them. instead, i'd recommend not worrying about them, just give methods to other players to both check(such as COD's killcam), and kick people whom are clearly cheating(for example a game of 8 people, if 5 or 6 people vote for a player to be kicked, then he's kicked from the match.) let players regulate the match themselves. which in turn, well weed out other annoying problems in multiplayer games.

it's not a full proof method, but it's probably one of the best anti-cheating mechanism's.

for single player games, well, people are only cheating themselves in the end, and their's nothing you can do to stop that.

##### Share on other sites
glhf    585
[quote name='slicer4ever' timestamp='1333819938' post='4929099']
[quote name='glhf' timestamp='1333819058' post='4929093']
[quote name='Antheus' timestamp='1333817843' post='4929085']
[/quote]

I def wouldn't design a game for trusted clients.. That's why I started this thread to find out what kind of game I can make.

But I just can't think of any fun and meaningful games if you have to design the game so everyone has the power of a cheater.
A cheater can as you said, remove all colors in the game except for the players, and remove trees, walls, ANYTHING... everythign transparent.. They could make the game just a flat map with nothing blocking the view except the players.

Does that sound like a fun game?
[/quote]

The problem is that your trying to force cheaters to not cheat. If a person wants to cheat, their's not alot you can do to stop them. instead, i'd recommend not worrying about them, just give methods to other players to both check(such as COD's killcam), and kick people whom are clearly cheating(for example a game of 8 people, if 5 or 6 people vote for a player to be kicked, then he's kicked from the match.) let players regulate the match themselves. which in turn, well weed out other annoying problems in multiplayer games.

it's not a full proof method, but it's probably one of the best anti-cheating mechanism's.

for single player games, well, people are only cheating themselves in the end, and their's nothing you can do to stop that.
[/quote]

I think the vote thing is one of the worst designs ever.
Bad players and average almost always thinks the enemy player is cheating.
Players often start votes even though they don't think he's cheating, just because they are angry at him because he's a better player.
Or if server is capped on players and 5 out of the 8 players are friends they might vote one of the other 3 players to make room for a friend.

This is one of the most abused anti cheat systems ever and is a great feature for griefers to ruin the fun of others.

It's just so boring to make a game that's designed so everyone has the power of a cheater.
Auto target system etc... bleh.
Oh well.. Thanks all, It's been very insightful thread but I'm also really really disappointed that it's impossible to make interesting games. [img]http://public.gamedev.net//public/style_emoticons/default/sad.png[/img]

Maybe should just make singleplayer games where cheating players only cheat themselves as you said.

##### Share on other sites
Antheus    2409
[quote]Thanks all, It's been very insightful thread but I'm also really really disappointed that it's impossible to make interesting games.[/quote]

Maybe the examples I gave weren't obvious.

The entire market today, the \$100 million titles that sell 50 million copies are all designed with cheating in mind. It's hard to consider that "impossible" or "not interesting". These titles find millions upon millions of players that love these games. Are BF3, Halo and similar "not interesting"? What about Farmville? Or Starcraft2?

What are you making? A tactical FPS? Where's the fun there? Killboards, killcams, achievements, teabagging.
Are you making a hide-and-seek simulator? Where is the fun in there? There aren't many examples of that.

Sure, map and wall-hacks may give someone the edge. Solution: inaccurate weapons, open maps, reduced emphasis on line-of-sight.

So map design comes into play - how to design a map that doesn't determine the outcome through ability to hide.

[quote]Bad players and average almost always thinks the enemy player is cheating.
Players often start votes even though they don't think he's cheating, just because they are angry at him because he's a better player.
Or if server is capped on players and 5 out of the 8 players are friends they might vote one of the other 3 players to make room for a friend.[/quote]

Not quite.

Things like that happen, but until you have actual metrics, it's impossible to tell what kind of impact this has. If 1% of matches experience such votes, how many and what kind of people are affected by it? How does their perception of fairness change? Do they even notice it?

There are plenty of fairly successful examples where cheaters are matched against cheaters after an automated server-side guess without appeal.

And experience shows that public response to such events isn't proportional to actual frequency. Vocal individuals can generate more publicity than thousands of players. For recent example, see ME3 response. It got EA voted as worse company than Bank of America. One collapsed global economy, the other saved a few millions in an animation deal.

##### Share on other sites
Ashaman73    13715
There're several options to make it harder to hack your client. First off, you should reduce the effects of man in the middle/external tools, that is, network sniffer or hooked graphics APIs which will not directly manipulate your game.

There are some options to detect a man in the middle (network: client <===[i]comminicated[/i]===> man in the middle(=hack/bot) <===[i]comminicated[/i]===> server), although you could try to encrypt your network communication with a public key encryption method (legal issues in some countries ?).

For API hacks you could use a software renderer in your engine to determine occlusion, this makes it harder to implement some wall-hacks (as far as I remember some engines, like the frostbite engine(DICE), already utilise software renderer for atleast light culling).

Thought, the effort to implement such counter measures will be only worthwhile if your game is popular enough to be hacked.