
ZEBLOG #1 - My opinion on different methods for cheating in 2023


zebleer


Internal cheats: Many people argue about if internal cheats are as safe or less safe than external cheats. The reason this is up for debate is that it seems like internal cheats get detected more quickly by anti-cheat teams. The truth is that internal cheats are harder to keep undetected than external cheats & internal cheats tend to be more targeted by anti-cheat teams. We saw this with COD where internal cheats got hit for a while (even from user-mode) before external cheats started to get hit. It was just about what types of cheats they focused on mixed with the fact that the level of skill required to keep an internal UD is much greater. Right now they seem to still target internal cheats more but certainly have begun to pay attention to external cheats as well. I still think that right now external cheats are easier to keep safer because the work Ricochet does against internals seems to be their focus (more frequent, more work) over targeting externals. Also since externals are easier to keep safer, if you buy an external from a developer with a lot of experience making externals it's more likely to go well. Internal cheats in 2023 have to do some serious "1337" stuff to stay UD, especially on stronger anti-cheats. As for CS2, internals and externals that "do it right" are certainly bullying VAC. VAC is going to go after internals from their user-mode module but proper internals and externals are remaining mostly invisible to them. The only exception would be feature-rich internals that are hooking a ton of game functions. The problem is that most internal developers don't "do it right" which is why we see some of them getting hit on CS2. The future of internals to me is basically that only the most experienced, talented, & quite frankly stubborn developers will have lasting internals while the rest switch methods such as going external.

External cheats: Right now this is the best type of cheat in my opinion (it's why I make this type of cheat). It is the perfect balance between limiting detection vectors/avoiding anti-cheat focus while also having a lot of cheating power. Externals are easier to keep UD. External cheat developers who do it correctly can really only be detected easily by a kernel-mode component (driver). Even better, for example some like PO do not even write to the game's memory. External cheats in the future will be targeted more and more by anti-cheat teams in which case we will either have to get more crafty or switch methodology but I think that external is the place to be in 2023.

Boot loaders: The only person I really know of who used a boot loader in the popular p2c space was Laz who is gone now. Boot loader doesn't refer to an internal/external cheat but just how everything is loaded. Basically everything is mapped from boot via EFI. No compromised or legitimate driver is used. EFI variable hooks (command from user-mode) are easily detected so it's likely that successful p2c with this method embed their driver or whatever they want to map completely into the EFI. The main issue I have with this method is that it requires secure boot to be disabled and as time passes in the near future there is no way this will remain a successful method for cheating with all of the changes Windows is making. It's also currently not that much safer than other popular methods of cheating if not done correctly but it certainly is interesting and can currently be stronger against anti-cheats when paired with good methods. I know of one provider in particular that did some insane work with a boot loader loading a hypervisor and they are really killing it for now against certain anti-cheats.

Hypervisors: Many cheats you see today use a hypervisor. There is even a cheat provider named after what is considered ring negative one (one below ring zero which is what the Windows kernel is considered). Ring negative one is where a hypervisor is considered to be. Modern anti-cheats can still detect hypervisors but they are still considered a little more crafty in some use cases than using a driver for the cheat. It just depends. Stronger anti-cheats such as RIOT Vanguard and FACEIT/ESEA have done a lot against hypervisors and EAC/BE have gotten pretty good at detecting them, especially the proof of concept ones on GitHub that people paste from. However currently for Ricochet/VAC & in cases of custom work, hypervisors are still extremely effective. Hypervisors are a core part of any running machine using Windows. Hypervisors are used in virtualization-based protection by third-party anti-cheats and Windows Security itself. Developers who make their hypervisor look legitimate can hold a lot of power against anti-cheats. Again it just depends who the dev is. Method doesn't matter if the developer has weak/pasted methods. PO doesn't use a hypervisor and has beaten out some providers that use one. It really just depends but right now it can offer a huge upper hand against many anti-cheats.

DMA cheats: I don't have much positive to say about DMA because the investment to set up DMA cheats is not worth it considering they are still certainly detectable. However I will be fair in saying that DMA firmware providers will adapt just as any other internal/external provider adapts. I just don't like to see people drop rent money for DMA cheating thinking it's undetectable. There are many ways for anti-cheats to check for DMA devices and also detect popular firmware. This is already being done by the better anti-cheats of the world and now that DMA popularity is exploding, most anti-cheats in the near future will have plenty of checks and detections related to DMA. COD will probably just start shadow banning anyone using a DMA device and then follow up with some firmware detections. Them being owned by Microsoft now will also make things interesting. As for CS2, I think that VAC won't do a damn thing about DMA for a long time but it eventually will happen as DMA popularity explodes. For now only expect third-party anti-cheats and clients to stop DMA for CS (which the stronger ones already do).

Computer vision cheats: This is an interesting field of cheating because people are training CV bots to recognize enemies in games. What they can then do is capture the screen as you play, recognize enemies, and then move your mouse to aim at the head of the enemy. They can also do things like triggerbot and flickbot. These cheats currently perform very poorly compared to cheats that read the game's memory for the origin (XYZ) of enemies & their bones, but they could get better in the future. My major issue with the conversation surrounding these cheats is that they are "less detectable". This is true and untrue. They still have plenty of detection vectors: the AI bot running on the PC, reading the screen, mouse movement. However anti-cheats are mostly focused on cheats that read or write the game's memory right now. In the near future they will probably start to focus on these types of cheats too and the developers of these cheats will have to adapt for that. For now though it's pretty funny watching some of the more "1337" CV cheat developers shit on anti-cheats like EAC due to not being paid attention to.

Biological cheats: These cheats are when you are just born better. You have faster reaction time and cracked mechanical skill. Make no mistake, you are still cheating. You paid God with Fortnite v-bucks in purgatory and he gave you cat-like reflexes and mechanical skill then sent you back so you could impress e-girls on Valorant and say "I'm actually cheating uwu" every time you get a cracked kill. This type of cheating is basically undetectable on most games; however, you will still get shadow banned after 2 kills on Call of Duty.

Khabib2170

Read everything, thanks for sharing this information with us! Super interesting post, this improved my knowledge about types of cheats and how they work! Brought me onto some ideas but also raised some questions at the same time! 😄 How do you see the future of the current method yourself? Also, your post does answer a lot of questions I had regarding Faceit. I paid 5k one time to a dev with 100 monthly but never got anything that was UD over a month. On Fortnite it did work with the same method, it was some internal thing I guess on an application such as Discord or TeamSpeak or anything that you have on your PC.
