Cheating in Counter-Strike

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by 70.185.250.195 (talk) at 15:32, 25 September 2005 (Methods of creating cheats). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Cheating in Counter-Strike has long been a topic of controversy and discussion in the online Counter-Strike community.

Counter-Strike has become the prime example of online cheating since the publicity of its retail release and its rise to fame. It is often used as a warning of what cheats can do to an online computer game, and the attempts at combating cheating by game-server administrators and Valve Software are also cited as examples of what does and does not work. These attempts to keep the situation under control, and the reactions of cheat developers to them, also present a unique example for those in the fields of applied computer science and software engineering.

Background information

What is Counter-Strike?

Counter-Strike (CS) is a popular team-based mod of Valve Software’s first-person shooter Half-Life. The game pits a team of players playing as counter-terrorists against another team of players playing the role of terrorists in rounds of competition won by completing an objective or eliminating the opposing team.

The game was originally available as a free download, but due to its success the game was bought by Valve, who released it as a retail product and continued the development of the title. This has also led to a remake of the game on Valve's new Source engine, which was developed for Half-Life 2; this incarnation of the game is known as Counter-Strike: Source. Counter-Strike is currently the most popular online first-person shooter in the world and Counter-Strike: Source is also extremely popular.

What constitutes cheating in Counter-Strike?

In online gaming there are many offenses which may fall under the term cheating. Some offenses are only considered cheating in competitive leagues, whereas more serious offenses such as using hacked executables or data files are almost always considered unacceptable by legitimate players. Even in organized leagues a punishment such as forfeiting a match may be seen as appropriate for breaking most league rules, but being caught using a hack will often result in a ban from the league and can ruin a player’s reputation in the community for good. So, in online gaming there is a spectrum of what is considered cheating and a spectrum of acceptability even when cheating is recognized as such. Using hacked executables or data files, or using any other external influence to alter the game, are the practices most generally accepted as cheating. There are, however, also a number of grey areas in what is accepted as cheating. Usually these grey areas involve taking advantage of bugs in the game; sometimes these exploits are widely considered to be cheating, and other times they are considered acceptable usage of the game’s capacity for configuration. These exploits usually take the form of bugs in the map or bugs in the game engine which can be used to a player’s advantage through altering commands in the console or configuration file.

Also, some game server administrators may treat practices such as team-killing as cheating; this kind of anti-social activity is usually easily controlled by enforcing server bans on the culprit.

History of Cheating in Counter-Strike

Up to late 2000, it is safe to say that cheats were a more isolated, if annoying, phenomenon, and only started to become such a raging problem for the community as late as 2001. By late 2004, the battle against cheating seemed utterly lost, with the numbers of cheaters continuously increasing and anti-cheat utilities slowly giving up their uphill battle.

The history of cheating in Counter-Strike is as long as the history of Counter-Strike itself, as cheating has been with Counter-Strike from the very beginning in 1999, although only in 2001 did the problem become so apparent and painful that Counter-Strike became synonymous with cheating, as it is today.

1999 - 2000

The beginning: protohacks

When Counter-Strike hit the scene, it was an almost immediate success. However, cheating appeared to be a problem from the start. Half-Life deathmatch, Team Fortress Classic and Action Half-Life were all popular mods at the time, and primitive protohacks were ported from these mods.

Altered versions of a particular file, client.dll, allowed so-called headshot scripts and gave players norecoil (a basic type of aiming help intended to reduce or negate the recoil that made aiming with most guns in Counter-Strike so tricky). Because similar hacks had been appearing for Team Fortress Classic and Action Half-Life, Valve updated the server software so that Half-Life servers verified the client.dll file of the players, hindering such hacks. As part of other updates, the functionality of many variables that allowed an unfair advantage, like lambert (which could be used to reduce the effect of a flashbang), was removed or toned down.

At this time, cheats weren't deemed too big of a problem, as they either lacked the necessary power to make them useful (compare a headshot script attempt to contemporary multihacks with zero recoil and fully automatic headshots), or were easily detected. Stealth was not considered at this time: a wallhacker would just stand behind a closed door and gun down everything he or she could see. Cheating at this point was not a way to damage competitive gameplay, but more of a new way disruptive players could harm the gaming experience of others. However, subtle cheating in online competitions occurred very soon, and occasionally even at LAN parties, as simple cheats like 'spiked models' or 'lambert' weren't as stigmatized and detested by the mainstream community as they were after OGC ravaged the public servers.

XQZ

XQZ was a true milestone in Counter-Strike hacking. Not only did it include a highly lethal aimbot, and a relatively simple to use interface, but it featured wallhacks, and if desired, almost complete stealth. Initially XQZ was a private hack, but eventually it was released to the public. It relied on replacing (and in later versions, hooking) the OpenGL DLL file for Microsoft Windows systems (opengl.dll) instead of replacing the client.dll.

This combination of an aimbot and stealth made XQZ truly lethal for its time. It could be configured to not give any indication of the presence of a hack on the screen, and the aimbot could be turned on and off through subtle keyboard commands. Thus it could be used, as it was designed to be, at a LAN party, without anyone suspecting the cheating player to be any more than 'a good shot'.

Up to today, the legacy of XQZ, its various rewrites, extensions and rip-offs dominate subtle and competitive cheating in Counter-Strike.

2001 - 2002

OGC

In 2001, a new public cheat appeared in the scene: OGC for Counter-Strike. OGC, short for "Online Game Cheats", became synonymous with easily-installed, powerful, multifunctional hacks that supplied the cheater with everything, from a strong aimbot to a built-in MP3 player.

Before the arrival of OGC, most cheaters were easily identified due to clumsy wallhack tactics, or more rarely, by claiming to be professional players when, due to their mundane tactics and simplistic play, it was obvious that they were amateurs. Thus Counter-Strike remained relatively cheat-free until early 2001. When OGC arrived, everyone had the opportunity to completely annihilate an entire team of experienced players swiftly and violently, or they could subtly just use an aimbot with a low-key configuration or a wallhack without any blatant exploiting to enhance their score.

The first anti-cheat tools

When gameplay became more and more unbearable on public servers, the outcry was loud enough to create a long succession of anti-cheat tools.

As early as 2000, Punkbuster tried to rid the scene of cheats, using variable checking and process validation while authorizing with the server. It was soon followed by the short-lived, server-based 'TSC', which was the first anti-cheat tool able to detect OGC. It was, however, quickly rendered useless as an anti-cheat mechanism by OGC’s very fast development cycle. CSGuard by OLO, another server-based plugin, could utilize a script to check on variables and filenames. CSGuard was the first anti-cheat mechanism which could stop early versions of OGC consistently, along with hundreds of cheats and violations, as it was script-based and its scripts could be updated as soon as a new cheat was discovered. With its successor HLGuard, it is the only anti-cheat mechanism still in use in Counter-Strike, while Punkbuster stopped supporting CS and moved on to other FPS games like America's Army or Quake 3 Arena.

Cheating-Death

Cheating-Death is still used today and is thought by many to be one of the best anti-cheat mechanisms available. Its strategy is not to detect a cheat but to prevent it from working in the first place. Anti-cheats like CSGuard merely checked for the presence of an already-known cheat, which required constant updating. This made such tools completely ineffective against private hacks. Cheating-Death (C-D), on the other hand, made it harder to develop working cheats, although in time C-D produced its own code race similar to that of HLGuard and Punkbuster, with cheat coders constantly finding new ways to disable and circumvent C-D.

Valve Anti-Cheat

In 2002, Valve Software released Counter-Strike update 1.4, which included VAC. VAC was Valve’s answer to many players’ prayers, as VAC (a client-side implementation integrated into the Half-Life engine) could be enforced by the server and didn't require any special work from the players. Forcing the players to install a separate program and keep it up to date was what kept many server admins from implementing other, less integrated client-based anti-cheat tools like the failing PunkBuster or the more successful Cheating-Death.

VAC however, had another advantage. Valve were able to ban an offender from accessing any VAC server ever again with the WON ID which they were caught with. While some cheaters may have been able to acquire new WON IDs, a large percentage of the regular, disruptive cheaters were eventually removed from VAC-secured servers and had to resort to servers which did not utilize VAC. Thus cheating in the game became much less of a nuisance to regular players on VAC servers.

2003 - 2004

Counter-Strike 1.6

Valve Software released Counter-Strike 1.6 in 2003. While it was delivered on Steam exclusively, there were not many changes to the engine and many hacks for Counter-Strike 1.5 continued to work, though sometimes only partially. Valve turned off WON in mid 2004, forcing people to upgrade to Steam. Until today, 1.6 is the most popular variant of Counter-Strike.

The introduction of Steam also seems to have led to problems with the development of Cheating-Death, as many of the smaller and more regular Steam updates are causing C-D to have issues.

Counter-Strike: Source

In late 2004, Counter-Strike: Source was released. The Source engine (the engine Counter-Strike: Source uses) is a lot different from the original Half-Life engine, so it has yet to be tested against the ploys of cheaters, hackers, and mischievous players to the extent that the original engine was.

VAC 1's failure

At one time, cheating required acquiring a private hack, since both VAC and Cheating-Death used to detect public cheats within a few hours. Non-publicly released cheats remained the bane of the competitions due to anti-cheat developers being unable to analyze them. The effect of such nonpublic cheats, however, was at least limited to a smaller user base than that of publicly available cheats. Underground trading of hacks became a side-business for many cheating clans and coders.

The state of affairs degenerated to a complete disaster for Valve Software, as VAC stopped receiving updates after March/April 2004. This had the effect of making cheating rife on public servers. In the following months, after a period of relative tranquility, it became more common for a blatant wallhack/speedbot/aimbot/spinhack to enter a server, only to have two thirds of the players who appeared to have been playing legitimately turn their own hacks on, in order to remain competitive and fight back.

Nosteam

The problem is further exacerbated by the No(n)-Steam/SiX-Steam exploit, which enables people to create Steam accounts at will with full access to all of Valve’s titles through Valve Software’s Steam software distribution platform. Because of Valve’s policy regarding VAC, where cheaters are not instantly banned, even when VAC2 does eventually catch up with cheaters and ban their Steam accounts, it appears that cheaters will still be able to generate a new Steam account and resume cheating.

In January of 2005, however, Valve Software upgraded their "ticket system". Now people using a Steam exploit such as No(n)-Steam or SiX-Steam must have a legal, purchased copy of Half-Life or any of its mods on their Steam account in order to play any game. For example, a normal user could only play Counter-Strike: Source if they had it purchased and on their account. Before January 2005, anyone using a Steam exploit could play it. Now, you must have Half-Life or Half-Life 2 registered on your account in order to play it, using a Steam exploit. This has reduced the number of exploiters, as most of them do not wish to risk getting their pricey account permanently revoked.

Today

VAC2

As of August 2005, cheats in Counter-Strike: Source have almost disappeared from VAC2-enabled Source servers, whereas the situation seems almost unchanged in VAC2-enabled Counter-Strike 1.6 servers. Whether the introduction of VAC2 will result in a mass ban in Counter-Strike v1.6 remains to be seen, but there does seem to be a major discrepancy between the numbers of cheats in Source and in 1.6. One explanation for this may be that it is easier to protect CS:S because it is Direct3D only, whereas CS 1.6 uses both Direct3D and OpenGL.

The biggest change of VAC2 over previous anti-cheats and VAC1, however, is the delayed banning system, which gives any detected user a high, but not 100%, probability of having his Steam privileges removed by the end of a several-weeks cycle, depriving the mainstream cheaters of accurate information on which cheats are currently detected and how.

The main drawback for this approach is that a large number of cheaters are rampaging public servers, unaware that they will be banned at a later date, or even while aware, exploiting the time given to them for destructive behavior. This means that often while public servers appear cheat-free at the beginning of the week, they seem 1.6ish at the end.

The large amount of experience with the cheat/anti-cheat race and the very large number of cheaters in Counter-Strike additionally seem to have spoiled many cheaters. In a lucrative turn of events for Valve, incidents are known where cheaters get 2 or 3 legitimate Steam accounts banned, only to cheat happily with their newest one.

Only time can tell if Valve manages to keep up the pressure on the cheating community.

Counter-Strike cheats

This section describes the different types of cheats available for Counter-Strike, how they operate and how to tell when they are being used. While many single hacks may differ, they are always relatively simple. These simple hacks are, however, often combined into so-called "multihacks", which usually include an aimbot, a wallhack and other features packaged in one handy executable.

Some of these cheats are freely downloadable from a website, sometimes even advertised by the cheat in-game with or without the cheater noticing it. Other cheats are private, although often enhanced versions of public cheats, maintained to stay undetected by anti-cheats. Due to their nature, private cheats are not normally available to anti-cheat coders which makes it very hard for them to know how to detect them. Some public hacks are released but receive so little attention that they slip by the radar of anti-cheat authors and these public hacks become just as useful to cheaters as private cheats.

While many cheats are released by their authors simply to get attention or out of a desire to share what they've created, a common reason why public hacks are released is to have the hack gather passwords and potentially other sensitive data for the author; see also: e-mail phishing.

Examples of executable cheats

Wallhacks and ESP

  • Wallhacks — Makes walls and sometimes entities semitransparent to allow the user to see through walls.
  • ESP — Extrasensory Perception, or Expanded Perception, draws players’ hit-boxes and information such as status, class, names, health and current weapon on the screen, or makes players more audible, allowing the cheater to see through walls.
  • Spiked models — Long 'spikes', visible through walls, announce the presence of another player on the computer of a cheater.

These are the simplest to implement, since a few changes, or sometimes even bugs in the graphics card drivers, can give a player the ability to see other players through walls. XQZ offered an alternative to this: a ball floating above all players that was visible through walls, even if the players themselves were hidden. But this so-called "ballhack" gave the players less information, especially about the armament or the heading of enemies, and thus was not very popular. Wallhacks can even be so simple that the addition of two lines of code in an OpenGL wrapper is enough to facilitate a wallhack.

Usually, wallhack users can eventually give themselves away by acting illogically when viewed naturally, but very straightforward when observed with a wallhack. Additionally, certain effects of being able to see through walls, such as pre-aim that seems almost indistinguishable from an aimbot, can be detected server-side. Wallhacks and other similar cheats which use visual cues are impossible to hide when playing over a LAN when other players can see the cheater’s monitor.

Aimbots

Aimbots use the computer’s accurate knowledge of the enemy’s figure to align the crosshair and shoot automatically. Aimbots usually aim at the head, but some hacks have adjustable vectors to aim at different parts of the enemy body. Some have randomizing algorithms intended to make the identification of an aimbot user harder for spectators observing the player. In their most basic form, aimbots facilitate hitting the enemy player more accurately. However, that is where the similarities stop.

  • XQZ’s early, relatively primitive aimbot would be bound to a button on the keyboard or a mouse, and as long as the button was pressed, the aimbot would take care of properly aligning the crosshair on the head (or if necessary, a different body part). This button could be the same button as the fire button and thus could enable the aimbot to only aim while firing. But this gave away its presence to an alert observer by its tendency to "slave" (the all-too-proper, inhuman following of the motion of an enemy player).
  • Early OGC’s aimbot portion was already much more advanced, and could be configured in a variety of ways. Auto-aiming allowed automated proper aiming and slaving. Auto-shot was another feature, where the bot would automatically cause the player avatar to fire their weapon if the aimbot locked up. It could be configured freely with an aimbot FOV (field of view). XQZ style aiming could also be employed.
  • Later versions of OGC’s aimbot portion allowed for punctual aiming, where one hit of a button (commonly the fire button) would merely result in one single adjustment of aim, without any form of "slaving".
  • Modern, so called "LAN-Proof" cheats implement what is called charged aiming which is yet another improvement over punctual aiming. Punctual aiming mode is only active (charged) when a specific button is pressed shortly before the aiming is needed, and firing in turn empties this charge. While this may be inconvenient, it allows anyone at a tournament to briefly check the suspected cheater’s game for any inconsistencies, only to find nothing.
  • Some highly advanced and private aimbots do not even bother to move the crosshair as they are proxies and work on the network level. While essentially charged aimbots with a small FOV, the hits appear to be the result of an overabundance of luck rather than anything magically moving the crosshair. The advantage of this is to make nospread (see below) cheats less obvious and thus increase the effectiveness of them while only minimally affecting stealth.

LAN-Proof aimbots

The first well-known aimbot, XQZ, was specifically designed to work at LAN parties where other players could look over the shoulders of the cheater. A modern cheat is a highly sophisticated tool with the potential to be employed relatively undetected at a LAN party, making what most casual cheaters and anti-cheaters know as cheats (especially the infamous OGC) look like children’s toys.

Many modern stealthy aimbots employ 'charging', where only a subtle key combination (e.g. shift + the key to buy ammo, or strafe left and right at the same time) would load the aimbot for a brief time and only for a few bullets. Even if a tournament administrator were to replace the cheater in order to look for anything suspicious, they would find nothing, for they would not know the subtle key combination to charge the aimbot. A series of occurrences of people apparently using their "timeleft" key to charge their bot has eventually made observers dub this type of aimbot Timeleft cheat.

Furthermore, a stealthy aimbot is configured to use only a small FOV (field of view), forcing the cheater to actually move their mouse to aim the crosshair sufficiently close to the position of the enemy. By relying on the cheater’s normal reactions for the initial part of aiming, the cheat becomes more natural-looking and harder to detect, but still allows the cheater dead-on accuracy once activated. Alternatively, an aimbot can be configured to be charged for auto-aim and auto-fire only when a player is in dire situations. Furthermore, well-made stealthy aimbots don't slave: they are aimed and fired the instant the mouse button is pressed, and do not move again until the mouse button is pressed a second time. Even an experienced observer trying to verify if mouse and screen movements correlate would have a tough time seeing anything out of the ordinary, with the cheating being almost indistinguishable from a skilled player with good aim and reflexes.

There are rumors about a few exclusive and private aimbots which appear to work with a proxy-type lucking technique rather than actual aiming, to make the screen’s movement even less visible. The mouse would be dragged near the enemy, and upon pressing the fire button, the bullet magically hits the head of the target despite the crosshair not being directly on top of it. While this would be very obvious with large FOVs, it would be almost impossible to notice with sufficiently small FOVs due to Counter-Strike’s often inaccurate weapons and inexplicable hits/misses, which do not make such hits seem impossible, except for their extreme frequency.

There is a rumor amongst some Counter-Strike players that it would be possible to insert a small hack into the memory of a mouse, which would be executed upon being plugged into the USB connector of the computer. This would allow cheaters to cheat even in tournament situations where they may use nothing but their own keyboard and mouse on a secure machine. The lack of such programmable mouse memory and the lack of evidence of an operating system exploit which would allow this almost certainly confirm this story as nothing but an urban legend, but it serves as a good illustration of the paranoia widespread cheating has inflicted on the gaming community.

No-Recoil and no-spread

Essentially the same thing, no-recoil and no-spread attempt to reduce the inaccuracy of weapons when firing. No recoil describes the automated compensation of recoil on the vertical axis, while no spread tries to compensate the horizontal spread of the weapon. As the recoil and spread of gunfire in Counter-Strike is pseudo-random, it can be reverse-engineered and predicted, allowing a cheat to compensate for inaccuracy.

The different names for no-recoil and no-spread are mostly historical. No-recoil is much older and could be performed by protohacks: all that was necessary was to move the aiming reticle downwards in a distinctive way to compensate for the vertical recoil of the weapons. No-spread is, by comparison, a relatively recent invention that can accurately predict the deviation and compensate for any inaccuracy, making all bullets hit exactly the same spot.

While both variants can be used independently, some older, slaving aimbots make the use of at least a no-recoil cheat a necessity, thus effectively making them part of the aimbot itself. Even with modern, punctual/charged aimbots it is very common to utilize no-spread if stealth isn't as important as performance. More stealthy, chargeable aimbots usually link the spread-suppressing factor to the charge and state of the aimbot. This prevents any stray, unaimed shots at a wall from giving away the presence of a no-spread cheat. They may also only remove the spread from the first 3-5 shots, or even only the first two bullets fired from a gun. However, they can eventually be detected by observers from subtle, rapid movements of the crosshair and are thus often disabled completely when stealth is paramount, like at LAN parties.

Speedhacks

Speedhacks change the computer’s perception of time and let the cheater act extraordinarily fast. Most of the time they are found in combination with other cheats. Speedhacks can offer high time rates to clean out maps within seconds, or very slightly increased time rates to subtly improve the performance of an aimbot. Any client with a speedhack installed will find that their in-game movement and weapon rate-of-fire are far faster than those of other players. Like no-recoil, a timehack (or speedhack) is most often used in combination with an aimbot. Depending on the rate of time acceleration, a timehack can be used to rush to the enemy team’s spawn point and kill all enemy players within the first seconds of a round, or it can be used with a very low time acceleration (e.g. a rate of 1.1 or 1.2) to improve total damage over time of weapons. A timehack with a low time acceleration can also be used to reduce the time required to reload weapons.

While timehacks are often disabled when stealth is paramount, in laggy Internet play, very small accelerations are near impossible to detect without dedicated timing or software.
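
The dedicated timing mentioned above can be sketched as a server-side check that compares the game time a client claims against the server's own clock over a long window, so that network jitter averages out. This is an added example, not code from Valve or any anti-cheat project; it assumes each client command carries a claimed duration in milliseconds, and the class name, window sizes, the 1.05 threshold and the simulated traffic are all illustrative.

```python
import random
from collections import deque


class TimeRateMonitor:
    """Per-client estimate of claimed game time versus server wall-clock time."""

    def __init__(self, window_ms=30_000, min_span_ms=10_000, max_rate=1.05):
        self.window_ms = window_ms      # how much history to keep
        self.min_span_ms = min_span_ms  # no verdict before this much history
        self.max_rate = max_rate        # headroom for clock drift (assumed value)
        self._cmds = deque()            # (server_rx_ms, claimed_ms)
        self._claimed_sum = 0

    def observe(self, server_rx_ms, claimed_ms):
        """Record one command; return the rate estimate, or None if too early."""
        self._cmds.append((server_rx_ms, claimed_ms))
        self._claimed_sum += claimed_ms
        # Drop commands that fell out of the window.
        while server_rx_ms - self._cmds[0][0] > self.window_ms:
            _, old_claim = self._cmds.popleft()
            self._claimed_sum -= old_claim
        span = server_rx_ms - self._cmds[0][0]
        if span < self.min_span_ms:
            return None
        # The oldest command covers time before the window began, so exclude it.
        return (self._claimed_sum - self._cmds[0][1]) / span

    def is_suspicious(self, rate):
        return rate is not None and rate > self.max_rate


def simulate_client(rate, seconds=60, frame_ms=10, latency_ms=60,
                    jitter_ms=40, seed=1):
    """Constructed traffic: one command per real frame, arriving with jitter.

    A client running at `rate` claims frame_ms * rate of game time per frame.
    """
    rng = random.Random(seed)
    frames = seconds * 1000 // frame_ms
    arrivals = sorted(i * frame_ms + latency_ms + rng.uniform(0, jitter_ms)
                      for i in range(frames))
    claimed = round(frame_ms * rate)
    return [(rx, claimed) for rx in arrivals]


def peak_rate(cmds, monitor=None):
    """Feed commands through a monitor and return the highest estimate seen."""
    if monitor is None:
        monitor = TimeRateMonitor()
    peak = None
    for rx, claimed in cmds:
        rate = monitor.observe(rx, claimed)
        if rate is not None and (peak is None or rate > peak):
            peak = rate
    return peak


if __name__ == "__main__":
    monitor = TimeRateMonitor()
    for label, rate in (("honest", 1.0), ("rate 1.1", 1.1), ("rate 1.2", 1.2)):
        peak = peak_rate(simulate_client(rate))
        print(f"{label:9s} peak estimate {peak:.3f} "
              f"suspicious={monitor.is_suspicious(peak)}")
```

With at least ten seconds of history, 40 ms of arrival jitter shifts the estimate by well under one percent, which is why the long window separates a rate of 1.1 from an honest client.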

Examples of exploiting the configuration files

  • ex_interp — Changing the "ex_interp" variable changes the interpolation time. Half-Life’s network code interpolates the movement of the last N milliseconds (N being the value of the ex_interp variable, defaulted to 100ms), thus the actual movement of an enemy player is seen N milliseconds later than when it actually arrives at the server. The result was that immobile players often got the impression of being shot before they even saw the shooter running around the corner. Since version 1.6 this command has become an acceptable configuration change due to changes in how the game’s network code handles this variable.
  • gl_monolights — This was a quick way to make all the walls uniformly bright, taking away all shadows. This resulted in a visibility advantage for the player using this exploit. In recent versions of Counter-Strike this command has been completely disabled.

Examples of map exploitation

  • One well known map exploit is on the map de_dust at the Counter-Terrorist spawn point. By having two players on top of certain boxes, then crouch-jumping on top of each other, it is possible to break the "ceiling" of the map and walk on "air" (since the top boundary of that map represents the sky).

Examples of data file cheats

  • Replacing player skins with brighter colored ones which are easier to spot at a distance or in darker areas of the maps.
  • Replacing sounds of silenced weapons by their normal counterparts, making them more audible.
  • Currently, the Half-Life engine and the Source engine both prevent those sensitive data files from being altered in such ways. This means it is only possible to use maliciously altered data files online when combined with an executable cheat that suppresses the engine’s own integrity check.

Methods of creating cheats

Replacing client.dll and datafiles
  • One of the first types of cheats that appeared for Counter-Strike was the so-called headshot script. These utilized an altered client.dll that offered additional functions to scripts, so that a script written in extended CS script replaced the more common mouse/keyboard bindings for attacks.
  • Similarly, data file cheats exchanged data like sound files, but mostly models, for variations that imposed some sort of drawback on the enemies of the cheater, like louder silenced weapons or player models that were visible through walls and doors due to spikes, or in the dark due to luminous / brightly colored textures.
  • Neither of the two types of cheats is considered effective at this time. Regular aimbots prove to be far more powerful than headshot scripts, and changes to client.dll, like changes to player models and sound files, are restricted, as servers are provided checksums by clients and can choose to disconnect them if these differ from the checksum values on the server. Theoretically, though, a new generation of hacks could fake checksums or filesystem calls.
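
The checksum comparison described in the last bullet can be sketched from the server's side, next to a variant that mixes a per-session nonce into each digest so that a recorded answer is not accepted a second time. This is an added example, not the engine's own code: SHA-256 and HMAC stand in for whatever checksum the engine uses, the function and class names are hypothetical, and the file names other than client.dll and all file contents are constructed.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for the files the server wants unmodified.
# Only client.dll is named on the page; the other names are placeholders.
REFERENCE = {
    "client.dll": b"reference client library bytes",
    "player_model.mdl": b"reference player model bytes",
    "silenced_shot.wav": b"reference silenced-shot sample",
}


def static_report(files):
    """Client side, plain scheme: one fixed digest per file."""
    return {name: hashlib.sha256(data).hexdigest()
            for name, data in files.items()}


def challenge_report(files, nonce):
    """Client side, nonce scheme: digest keyed with the server's nonce."""
    return {name: hmac.new(nonce, data, hashlib.sha256).hexdigest()
            for name, data in files.items()}


def mismatches(expected, reported):
    """Names whose reported digest is missing or differs from the expected one."""
    bad = []
    for name, want in expected.items():
        got = reported.get(name, "")
        if not hmac.compare_digest(want, got):
            bad.append(name)
    return sorted(bad)


class ConsistencyServer:
    """Holds the reference copies and decides which files fail the check."""

    def __init__(self, reference):
        self.reference = dict(reference)

    def check_static(self, reported):
        return mismatches(static_report(self.reference), reported)

    def new_nonce(self):
        return os.urandom(16)  # fresh for every session

    def check_challenge(self, nonce, reported):
        return mismatches(challenge_report(self.reference, nonce), reported)


def demo():
    server = ConsistencyServer(REFERENCE)
    modified = dict(REFERENCE)
    modified["client.dll"] = b"altered client library bytes"

    # Reports recorded in an earlier session from an unmodified install.
    old_nonce = server.new_nonce()
    recorded_static = static_report(REFERENCE)
    recorded_answer = challenge_report(REFERENCE, old_nonce)

    nonce = server.new_nonce()
    return {
        "clean_static": server.check_static(static_report(REFERENCE)),
        "modified_static": server.check_static(static_report(modified)),
        # A static report is identical every session, so a recording still passes.
        "replayed_static": server.check_static(recorded_static),
        "clean_challenge": server.check_challenge(
            nonce, challenge_report(REFERENCE, nonce)),
        "modified_challenge": server.check_challenge(
            nonce, challenge_report(modified, nonce)),
        # The recording was keyed with the old nonce, so every file mismatches.
        "replayed_challenge": server.check_challenge(nonce, recorded_answer),
    }


if __name__ == "__main__":
    for case, failed in demo().items():
        print(f"{case:20s} failed files: {failed}")
```

The nonce only closes the replay of a recorded report; as the bullet above notes, a client that intercepts filesystem calls is outside what any client-reported checksum can establish.
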
Hooks
  • Client hooks make use of the fact that any system that employs Dynamic Link Libraries allows the relatively easy replacement and/or redirection of function calls within dynamically loaded libraries. These systems include Linux, FreeBSD, Mac OS X, Windows, and just about every other modern operating system.
  • The reason why Counter-Strike is considered to be vulnerable to this attack is that the mod is itself a separate entity from the Half-Life engine, and the two parties communicate with each other through easily intercepted DLL calls. Most people consider this a special weakness of the Counter-Strike architecture that is not directly applicable to all games. However, few contemporary games are one monolithic executable, and almost all of them utilize DLL calls for various purposes, if only driver calls.
  • The source of the loaddll library, written by the author of the original OGC, was eventually released as open source, and led to a multitude of OGC-like cheats that utilized the same facility to wedge themselves between the game’s engine and the mod’s game logic.
  • The same thing may also have led to the relative hook-proofness of current anti-cheats. VAC appears to be able, and C-D even claims to be able, to detect client hooks reliably, although there has been a history of hooks which managed to work without being detected by either one or both.
  • Amongst the first aimbots were color-based aimbots, known to exist only for relatively early versions of Counter-Strike. They colored either team in its distinctive color (e.g. bright green or bright red) and would automatically fire on any pixel with this color. Since they could sometimes be foiled by using multi-colored logos, they did not have much success. A key was pressed to switch from auto-aiming at one team to the other.
Driver manipulation
  • Beginning with XQZ, Counter-Strike has had a long tradition of being susceptible to altered drivers. Like any modern computer game, Counter-Strike makes heavy use of Win32 infrastructure: the Windows API, DirectX for input, networking and sound, and the ability to use either Direct3D or OpenGL for the graphics. Theoretically, each one of these components could be manipulated to gain an unfair advantage. Although almost all drivers could be used, in practice it is almost exclusively OpenGL and DirectX infrastructure, and more rarely mouse drivers, that are manipulated.
  • Cheating-Death, unless disabled properly by specialized support hacks, generally detects replaced OpenGL drivers. VAC at one time banned users with a certain ASUS graphics card because the drivers replaced the normal DLL supplied with Windows during installation. Coincidentally, certain ASUS drivers at some point also allowed for wallhacks without requiring any additional drivers. Such false positives have seriously harmed the efforts of the ban-them-all proponents. VAC currently does not detect these cheats, which are the easiest to create.
  • Driver manipulations are especially nasty to detect, as basically every file on the computer could be part of a legitimate driver or a cheat. Therefore it is essentially impossible for either a LAN party admin or an anti-cheat tool to detect such a cheat, even when free to search the suspected cheater’s computer.
Proxies
  • There are no known public cheats that utilize proxies, and thus none are ever detected. But some people suspect that proxy-like cheats exist, which could allow a cheater to remain safe from both visual detection at a LAN party and known client- and server-side anti-cheat mechanisms.
  • Proxies are exclusively aimbots and give themselves away because the crosshair does not correlate with the position of the actual impact. With small FOVs, however, these cheats can be both extremely stealthy and effective even in LAN play, as hits can easily be attributed to Counter-Strike’s relatively inaccurate weapons, so-called lucking.

Counter-Strike anti-cheats

Anti-cheats are programs designed to detect cheats and deal with cheaters. Anti-cheats come in two main forms, anti-cheat clients and server-side only anti-cheats. Anti-cheat clients usually have a server-side component which they authenticate with to enforce purity of the client. One downside to anti-cheat clients is that they have to be kept up to date by the player, which is tedious and can lead to players avoiding the servers which use the anti-cheat rather than dealing with the inconvenience of downloading it. A server-side only anti-cheat does not require any additional programs or actions from the players to play on the server, as only the server admin has to take care of the anti-cheat mechanism. However, server-side only anti-cheats are usually less effective (producing more false negatives than client side anti-cheats).

Punkbuster: The original client-side anti-cheat

  • Punkbuster was the first attempt at a client-side cheat prevention. It appeared in mid-2000 and was able to detect some protohacks of the time, but found little use as most players did not want to put up with running yet another program in the background while playing online, and was rendered nearly useless by OGC’s fast development cycle. Representatives from Punkbuster then asked for financial and development support from Valve to improve and/or integrate Punkbuster, as it is in Quake 3 and other games, but were turned down. Thus the involvement of Punkbuster with Counter-Strike was over.
  • It authenticated to the server’s Punkbuster plugin.
  • OGC was particularly impressive in its circumvention of Punkbuster’s screenshot function: when the server admin requested a screenshot from the Punkbuster client, an alarm sound would ring, and for the instant the screenshot was taken, all traces of the cheat’s presence were removed. This function of Punkbuster did, however, have some limited success against cheaters who used bugs (or features, depending on the point of view) in their drivers as an effective wallhack.

CSGuard: Server-side file and variable checking

  • CSGuard was later renamed to HLGuard, as it was redesigned to protect other Half-Life mods, not just Counter-Strike.
  • It was favored by many server admins because it did not require any special programs running on the client’s computer, a requirement that usually reduced the number of players on a server.
  • It was an interpreter for its own script language that utilized a facility of the Half-Life protocol: the ability of the server to execute console commands on the client. It would simply check for the existence of certain variable names and files that were exactly defined in the plugin’s config file. Because the script was extendable, cheats with known filenames and variables could quickly be added without requiring the server to restart.
  • This approach is completely ineffective against modern multihacks, which usually neither store information in (predictable) cvars nor keep their files within the Half-Life directory structure. CSGuard always has been, and always will be, completely ineffective against private hacks.
  • Still, it is in widespread use on many servers today, as it has few drawbacks and can detect many older cheats quite reliably.

VAC: Valve’s Anti Cheat

  • Essentially a client side anti-cheat mechanism that is integrated in the Half-Life engine and automatically kept up to date, it combines the ease of use of server-side anti-cheats with the detection rate of a client-side anti-cheat.
  • A few months after the introduction of VAC, Valve began banning detected cheaters from all servers that are secured with VAC. To this day, this is arguably the most effective way to keep public servers safe: while a cheat may not be detected immediately, a cheater is likely to use a different cheat now and then, at the latest with a new version of Counter-Strike, and a positive hit by VAC will remove the cheater’s ability to play on secure servers for a long time.
  • The number of valid CD keys, which are required to play on both WON and Steam, is limited and not computable. Because of the availability of huge lists of valid CD keys, there have been rumors about hacking incidents where CD keys were extracted from WON, but it is much more likely that the majority of such freely available CD keys originate from cheat software which transmits the CD key to the author. Valve also invalidates CD keys which it finds through the various channels on the internet, so the new lists stopped being made available. It can be safely assumed that at least some cheat authors have a near unlimited supply of valid CD keys.
  • Valve has also been accused, especially by the cheater community, of banning CD keys only to force players to buy a new copy of Counter-Strike or Half-Life.
  • While still mostly based around detection of known cheats, and thus mostly ineffective against private hacks, VAC has managed to allow a mostly cheat-free game on most secured public servers. This is unlike C-D servers, where the detection/prevention rate of cheats may be much higher, but which all cheaters are forced to play on after they are banned from VAC-secured servers, and where they can simply try again if one cheat is detected or prevented.
  • Unfortunately VAC has not been updated since April 2004. VAC2 is supposed to have been released in April 2005, and is supposedly in beta testing at the time of writing (April 2005). From what has been reported thus far, VAC2 does not appear to be a revolutionary change from the way VAC has done things in the past, and cheat creators are still very confident of being able to bypass VAC2 once it has been implemented.

HackCam

There is a lot of hope being placed in a program called HackCam, which does not use standard methods of cheat detection but uses advanced heuristics to detect the actions of cheating players and score them accordingly. Thus far the methodology appears sound, but the program is yet to be widely released, and there is a fair bit of concern about CPU/server overhead when running the HackCam software as a server-side add-on. Additionally, the algorithm can produce not only false negatives but also false positives.

Unfortunately lawyers have got involved with HackCam’s development, and the one and only main developer has been shipped overseas as well. This turn of events seems to have caused the release of HackCam to be completely stalled, with no ETA as to when, if ever, it will be released.

Cheating-Death: Prevention instead of detection

  • Cheating-Death is praised for its ability to prevent whole classes of cheats, rather than detect single instances of such a class. It tries not to punish a cheater but instead either prevents his connection to a C-D secured server for as long as a detected cheat is active, or tries to render cheats useless.
  • It attempts to render cheats useless by wedging itself between the mod and the engine, and giving the mod (where presumably a cheat hooks) false information about positions to confuse aimbots. In case of wallhacks, it draws players behind walls in the wrong position (usually several hundred meters above their actual position).
  • Not banning anyone permanently, and not allowing the server admins to know why a certain player disconnected, hampers the effectiveness of C-D as a means to keep a server 'pure'. A cheater may simply test through various cheats until he finds one that works or, once 'caught', wait for an update from the cheat’s author.
  • Although C-D tries to disable whole classes of cheats rather than detect single instances, there have repeatedly been cheats that were C-D proof despite using exactly a mechanism C-D was supposed to prevent. Cheat authors seem to be able to create single instances which circumvent C-D with relative ease, thus the true effectiveness of C-D is highly disputed. There are presumably hundreds of different, private cheats which are all able to circumvent C-D. And if someone is caught, there is no punishment: one can simply go and find a new, C-D proof cheat.
  • Still, it remains the premier anti-cheat option for server admins who prefer not to use VAC to secure their server for one reason or another, for example NOWON servers. But because of the listed problems, and because cheaters detected by VAC are forced to play on C-D or insecure servers, the cheater rate of many public C-D servers is estimated to be as high as 40% (2004).

ScreenShotClient: Players catching cheaters

  • ScreenShotClient (SSC) uses a different approach to most other anti-cheat programs.
  • By taking periodic screenshots of a client's game screen, other players may be able to detect cheats by observing suspicious material.
  • When you connect to a server, the server tries to SSC authenticate you (by taking a screenshot). If you pass, the client begins taking screenshots and uploading them to a webserver at specific intervals (usually 5 minutes).
  • The client submits the screenshots to a server, where they are publicly available to anyone interested (depending on connection and the size of the image) within 5 seconds to 1 minute.
  • SSC proof hacks exist, but are mainly private. As the interval of screenshots can be varied, a SSC-proof hack would either need to warn a cheating player when a screenshot is about to be taken, or be server-specific.
  • SSC does have bugs. For example, the server might kick you for not being SSC authenticated, even though you have SSC enabled.
  • SSC is effective at detecting wallhacks and ESPs, but is relatively ineffective at detecting hacks that cannot be seen in screenshots, like aimbots and speedhacks.
  • SSC is usually not compatible with other anti-cheat programs such as Valve Anti-Cheat.
  • SSC is mostly used on Finnish servers using Admins.fi, the Finnish part of UnitedAdmins, as they have an IRC channel where you can report proof of cheating (recorded CS demos and SSC shots); reported cheaters are added to a universal banlist and banned on all servers attached to Admins.fi. Because anyone, not only admins, can submit a shot, every shot showing a cheater will be reported in time, so all cheaters using hacks on Admins.fi SSC-using servers will be banned.
  • SSC is also used a lot in clan matches and other banlist-based things that need proof.

Cheating detection

  • Cheating detection describes detection of the actual cheating, rather than the detection of the hacks. Theoretically, hacking in Counter-Strike approaches being undetectable, but any experienced player can manually detect the cheating in effect with a high probability. Cheating detection thus means the automated search for and identification of the effects of cheating.
  • The first working effect detection was present in CSGuard, which allowed the server to continuously track the movements of the player’s crosshair and tried to detect suspicious, repeated sudden lock-on headshots.
  • CSGuard’s aimbot detection was miserable, as the alarm rate was almost the same with a well trained player and a player using an aimbot set up for stealth. It was hardly ever used, and the function has supposedly been removed from HLGuard, CSGuard’s successor.
  • HackCam, which is rumored to become a supplemental anti-cheat mechanism to VAC2, Valve’s anti-cheat for the Source engine, uses a wide range of elaborate detection methods to discover both ESP and aimbots, and awards points for suspicious actions.
  • One disadvantage of such elaborate cheating detection is the greatly increased resource consumption on the server, as the software continuously analyzes all behaviors that a player exhibits for suspicious actions.
  • The other problem is the realistic possibility of false positives and false negatives, and the relative arbitrariness of what may be considered cheat-indicating behavior or just luck. The creators of HackCam claim that all CAL-I players remained below a 70 points mark, whereas more than 65 points would mean 'suspicious' and more than 85 points would indicate a very high probability of cheating. However, it is questionable whether that means the method is not producing false positives, or whether it produces false negatives on the CAL-I players.
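
The trade-off described in this list, as an added example that is not code from CSGuard or HackCam: a server-side scorer that counts headshot kills preceded by a one-tick view-angle jump. The 65 and 85 thresholds are the ones reported above; the scoring formula, parameter values and view-angle traces are constructed assumptions.

```python
import math

# Thresholds the page reports for HackCam; the scoring formula itself is an assumption.
SUSPICIOUS, VERY_LIKELY = 65, 85

def angle_delta(a, b):
    """Angular distance in degrees between two (yaw, pitch) samples, yaw wrapped."""
    dyaw = (b[0] - a[0] + 180.0) % 360.0 - 180.0
    return math.hypot(dyaw, b[1] - a[1])

def is_lock_on(angles, snap_deg=25.0, settle_deg=0.5):
    """True if the view jumps >= snap_deg in one tick and then barely moves until the shot."""
    deltas = [angle_delta(p, q) for p, q in zip(angles, angles[1:])]
    if not deltas:
        return False
    peak = max(range(len(deltas)), key=deltas.__getitem__)
    return deltas[peak] >= snap_deg and all(d <= settle_deg for d in deltas[peak + 1:])

def score_player(kills, min_kills=8):
    """kills: list of (angles_before_shot, headshot). Returns 0-100, or None if too few kills."""
    if len(kills) < min_kills:
        return None  # sample too small to judge
    hits = sum(1 for angles, headshot in kills if headshot and is_lock_on(angles))
    return round(100.0 * hits / len(kills))

def verdict(score):
    if score is None:
        return "insufficient data"
    if score > VERY_LIKELY:
        return "very high probability"
    if score > SUSPICIOUS:
        return "suspicious"
    return "clean"

# Constructed traces: (yaw, pitch) per server tick, last sample is the shot.
INSTANT = [(10.0, 0.0), (12.0, 0.0), (95.0, -4.0), (95.0, -4.0)]    # one-tick jump, then still
CLEAN_FLICK = [(0.0, 0.0), (30.0, 0.0), (30.3, 0.1)]                # trained flick, no overshoot
CORRECTED = [(0.0, 0.0), (10.0, 0.0), (38.0, 1.0), (40.0, 0.5), (40.2, 0.4)]  # overshoot, then fix
GRADUAL = [(0.0, 0.0), (8.0, 0.0), (16.0, 0.0), (24.0, 0.0), (30.0, 0.0)]     # turn spread over ticks

PLAYERS = {
    "blatant": [(INSTANT, True)] * 9 + [(CORRECTED, False)],
    "trained_human": [(CLEAN_FLICK, True)] * 7 + [(CORRECTED, True)] * 3,
    "gradual_turns": [(GRADUAL, True)] * 10,
    "new_player": [(INSTANT, True)] * 3,
}

def evaluate(players=PLAYERS):
    """Verdict per player name."""
    return {name: verdict(score_player(kills)) for name, kills in players.items()}

if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:14s} {result}")
```

On these traces the trained player lands in the 'suspicious' band while the player whose turns are spread over several ticks scores zero, which is the false-positive and false-negative problem the list describes.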

This section discusses why Counter-Strike may be more susceptible to cheating than other, similar online first-person shooters.

Game engine design
  • Counter-Strike was designed as a mod for Half-Life: essentially the game consists of a single DLL and a series of media files (models, sounds). Half-Life, attempting to be easily moddable, is itself designed to have many elements changed and replaced on the client’s computer.
  • This also leads to the comfortable facility of the client-hook vulnerability that is used by so many cheats.
  • Half-Life itself was already a heavily hacked game before Counter-Strike came into existence. Many cheat authors could have gathered experience with Half-Life deathmatch or Team Fortress Classic. A cheat for Counter-Strike could easily be adapted to work for the various other Half-Life mods.
  • Half-Life and Counter-Strike have both been around for a very long time now, and only recently have there been serious changes to the engine. The longer a game is played, and by more people, the higher the probability that someone writes a hack for it. So the mere popularity of both Half-Life and Counter-Strike may partially have increased their cheat volume.
  • Counter-Strike is often humorously described as being a "hack itself" (on the Half-Life engine) and thus as "asking" to be hacked.
Game physics
  • Counter-Strike equipment is dominated by very accurate, high-powered hitscan-type weapons, an ideal setup for aimbots. If, for example, bullets travelled at a realistic, limited speed, the effects and lethality of aimbots might be much less dramatic.
  • Similarly, turning speed is unlimited. A cheat is thus basically limited only by the frame rate and the weapon's performance in terms of killing speed.
  • The tactical gameplay, which favors stealthiness and using everything as cover, makes wallhacks very powerful. Additionally, they allow a great reduction in the reaction time needed to shoot a player coming around a corner dead in his tracks.
  • Playing Counter-Strike, and especially dying, can make players very anxious or furious. Death comes very swiftly and often by surprise, and is penalized by not being able to do anything for the rest of the round. The players are kept from immediately venting the anger of the moment "of death" and have to watch, rendered completely impotent. This trait, while arguably existing in all first-person shooters, or even all computer games, is very extreme in Counter-Strike, and is especially noticeable at LAN parties: the only ones who shout loud enough to be heard across the entire LAN party are the Counter-Strike players. As death is so much more unfavorable than in other games, the desire to "survive" in the virtual world may become real enough to be a strong argument for cheating.
Theoretical limits to purity

Two essential hacks stand in the way of making a server pure: aimbots and wallhacks. The client software cannot be trusted, and the only way to be absolutely sure no excess information reaches the client (and thus a potential hack) is to render both picture and sound on the server and send them to the client, which merely displays the pre-rendered picture and plays the pre-mixed sound. This is of course not possible with contemporary server hardware, but it means that it is theoretically possible to defeat a wallhack, or any type of ESP for that matter. This approach is already partially used by Half-Life, as CSGuard, Cheating-Death, VAC and even recent servers themselves no longer give the player the accurate position of an enemy player: the positions are shifted vertically. This is because not giving the client any information about players around the corner would result in missing sounds. Counter-Strike lacks a sound-info part in its protocol in which approximate 3D information about a sound is transmitted without any reference to its source. Future games will hopefully be aware of such fundamental design flaws that jeopardize purity.
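
The information-minimizing server sketched in this paragraph, as an added example (not Half-Life's protocol or any anti-cheat's code): exact positions are sent only for enemies in line of sight, and a hidden but audible enemy is replaced by a coarse sound event with no reference to its source. The 2D grid map, message fields, hearing radius and sound grid size are constructed assumptions.

```python
import math

# Constructed map: '#' is a wall, '.' is open floor; positions are (x, y) cells.
MAP = [
    "..........",
    "....#.....",
    "....#.....",
    "....#.....",
    "..........",
]
HEARING_RADIUS = 8   # cells (assumed)
SOUND_GRID = 3       # sounds are reported at the centre of a 3x3 block (assumed)

def line_of_sight(a, b):
    """Bresenham walk from a to b; False if a wall cell lies between them."""
    (x, y), (x1, y1) = a, b
    dx, dy = abs(x1 - x), -abs(y1 - y)
    sx = 1 if x < x1 else -1
    sy = 1 if y < y1 else -1
    err = dx + dy
    while (x, y) != (x1, y1):
        e2 = 2 * err
        if e2 >= dy:
            err += dy
            x += sx
        if e2 <= dx:
            err += dx
            y += sy
        if (x, y) != (x1, y1) and MAP[y][x] == "#":
            return False
    return True

def build_update(observer_pos, enemies):
    """Return only the messages this observer's client is allowed to receive."""
    update = []
    for e in enemies:
        if line_of_sight(observer_pos, e["pos"]):
            # Visible anyway: the exact position reveals nothing extra.
            update.append({"type": "entity", "id": e["id"], "pos": e["pos"]})
        elif e["noisy"] and math.dist(observer_pos, e["pos"]) <= HEARING_RADIUS:
            # Audible but hidden: approximate location only, no entity id.
            x, y = e["pos"]
            coarse = (x // SOUND_GRID * SOUND_GRID + 1, y // SOUND_GRID * SOUND_GRID + 1)
            update.append({"type": "sound", "pos": coarse})
        # Hidden and silent: nothing is sent, so a modified client has nothing to draw.
    return update

ENEMIES = [  # constructed
    {"id": 7, "pos": (3, 0), "noisy": False},  # in the open
    {"id": 8, "pos": (8, 2), "noisy": True},   # running behind the wall
    {"id": 9, "pos": (6, 3), "noisy": False},  # standing still behind the wall
]

if __name__ == "__main__":
    for message in build_update((1, 2), ENEMIES):
        print(message)
```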

An aimbot, on the other hand, can be considered a piece of AI, and it is theoretically always possible to create an AI that can play the game in place of the player (or even just partially in place, in the case of the aimbot). However, aimbots in Counter-Strike do not require optical recognition as the human player does, nor do they need to shove a possibly inaccurate mouse around. The cheats in Counter-Strike receive the exact XYZ coordinates of the enemy player, and can calculate a trajectory and fire the weapon before the end of a frame. Theoretically it could be possible to create a model-free game engine where the client’s computer would have no conception of what is what, unless it actually started using virtual optical recognition. This goes in the same direction as the ESP-preventing approach: the client’s computer is given too much information by being told to draw an enemy there rather than just something. In Counter-Strike, the enemy players are always drawn from a set of predictable models, and when a model is drawn, the client and the cheat both know not just where it is but also what it is, and can therefore shoot at it.

Finally, for LAN-party administrators there is an easy way to secure a tournament: forcing players to play on secured machines that are provided by the LAN party. As long as the provided computers are both secure and playable, there is nothing that can enable potential cheaters to gain an unfair advantage over one another.

Immature Players

Counter-Strike is often perceived to have a large number of immature players. For example, players of MMORPG games often use the term Counter-Strike player disparagingly to refer to player killers and other players who choose a more violent form of play. Also, many players of faster-paced, less realistic first-person shooters such as the Quake series and the Unreal Tournament series are known to joke about the immaturity of Counter-Strike players. It is often assumed by those players that the semi-realism and the paramilitary image of Counter-Strike are likely to attract a different, more immature brand of players, whereas players of less realistic games are more likely to be attracted purely by how the game plays.

Whether or not the stereotype of the immature Counter-Strike player is true, it is widely believed, even by some Counter-Strike players. There are many theories as to why Counter-Strike may have attracted a more immature following. Another common explanation is that the large amount of coverage the game received in the gaming press when it went retail in 2000 attracted many newer, younger players who had little experience with online FPS games.

Why Counter-Strike players cheat

There is a lot of speculation over what would incline a player, or a clan, to start cheating in a computer game that is presumably fun to play. One of the most often heard assumptions is that cheaters do it as a type of compensation for low self-esteem. Cheaters often fall into one of the following groups or will cheat for a mixture of these reasons:

Those who cheat in order to keep up

These cheaters tend to be of low to middling skill, usually use publicly available hacks, and usually restrict themselves to public servers. They are not always experienced cheaters and will often give themselves away by moving in a way that shows their inexperience and lack of knowledge about the game despite appearing to be very skilled. Other inexperienced cheaters may give themselves away by using the cheat in a blatant fashion. It is believed by some that when the game went retail and new players started playing, they clashed with veteran gamers who had more experience of Counter-Strike and other FPS games, and that rather than dealing with being outclassed by the more experienced players by practicing, some of these new players resorted to cheating.

Those that cheat for the ego boost, stats or to be seen to be the top of the scoreboard

These cheaters tend to be of above-average skill, unless facing people who play and win at Counter-Strike competitively, and feel the need to be at the top of the scoreboard at any cost. Also, having just a wallhack enables the above-average player to make clever tactical decisions to either engage in or avoid specific situations they would not have been aware of without a wallhack, as well as giving them the ability to shoot people the instant they come around the corner, as opposed to the >100ms reaction time that is the theoretical limit of human reflexes. These players are the most insidious, as they will actively hide their cheat usage by playing like a very good player for the most part, in the way they move around the map and when and where they look. Some people who do not cheat on LAN or when playing competitively simply cheat on public servers to keep up appearances and to avoid having to maintain the sort of concentration level required to get a high kill/death ratio, as well as to avoid being random'ed. For example, doing everything right and coming around a corner on an 18-player server and running into all 9 players of the opposing team, who by rights should never have been there in the first place, is the kind of randomness that competitive players like to avoid on public servers.

Those who cheat to disrupt

Disruptive cheaters are normally blatant in their approach: they will usually use their cheats in an obvious manner or readily admit that they are cheating, with the sole aim of making other players' gaming experience miserable. These unruly cheaters sometimes band together in order to make their disruption more effective; one example of such a group is myg0t.

Those who cheat in competitions

Counter-Strike is often played in competitive leagues and tournaments, and over the last few years has been one of the most popular electronic sports. However, as in all sports there is an element of cheating, and when cheating is hard to verify it becomes more common than usual. Those who cheat in competition sometimes do it to disrupt, but others do it in order to win. Those who cheat to win naturally try to avoid being caught, leading to a less conspicuous style of cheating. Private cheats are therefore incredibly attractive to these cheaters, for whom getting caught would be the end (or at least an extreme inconvenience). Although many online leagues are widely accepted to contain cheaters, most competitive gamers still claim it would be impossible or highly unlikely to cheat in a professional LAN environment.

Those whose competition is cheating

Not to be confused with cheating in mainstream competition, there is known to be a small community of cheaters, who compete against other cheaters, the quality of the cheat being what decides the outcome of the match. Participants in this are usually cheat creators themselves who use the games to test out their own private hacks.

See also

Anti-Cheat resources
  • Counter Hack – A website dedicated to spreading awareness about cheating in online gaming, particularly Counter-Strike.
  • United Admins – A large anti-cheat community which maintains Cheating-Death and HLGuard, amongst other projects.
  • VAC Forums – The official forum for Valve Anti-Cheat.
  • PunkBuster – A popular anti-cheat software which was once used for Counter-Strike.
  • Hack Cam Forum – Forum for an anti-cheat (registration required).
  • X-Spectate – Official page for an anti-cheat tool.
