The 4 year late postmortem of an Advanced Aimbot Detection system
Posted on August 06, 2016 in anticheat
Around four years ago in a large Skype group chat, I stumbled upon an administrator of a reasonably large Minecraft server network. This was before the time of every second server being a network with 12 different servers, so this one stood out from the rest.
The network in question was about to launch a new rank-based PvP server, and they were very concerned about the possibility of cheaters ruining the experience. At the time NoCheat was the largest AntiCheat system available, with most larger servers using it. However, NoCheat didn’t have in-depth detection of aimbot cheats. They were looking to hire someone to write an AntiCheat plugin that mainly focused on preventing aimbots.
The network also did not want it to revert the actions done by cheaters, just to log them. They had active staff that responded instantly to reports, but needed a plugin that could find and report the harder to detect aimbots.
At this time in the community, hack clients were becoming more popular and elitist groups were forming with private clients that they only gave to those they trusted. This differs from today where money is the only entry point to accessing the clients. These clients used much more advanced forms of aimbots compared to the others at the time, and bypassed NoCheat entirely. The aimbots were still very basic compared to today’s standards, however.
The first step to creating this aimbot detection system, was to actually have access to what I was trying to prevent. To do this, I worked to gain trust of the ‘elitist’ members by posting questions and tutorials on the forums that they operated in. I posted some tutorials on how to make some very basic non-harmful cheats, such as a ‘FullBright’.
I was eventually added on Skype by developers of a few of the bigger cheat clients. After chatting, I was able to get a good selection of clients to test with.
(If anyone wants to try and find the posts I made, they still exist… However I must warn you that I was 13 at the time, and overall didn't make much sense.)
Now that I had the clients, I was able to determine how they bypassed aimbot detections of the AntiCheat solutions of the time. As they were coded in Java, mostly using the obfuscation provided by MCP (Mod Coders Pack), it was trivial to decompile and deobfuscate them. With the code, I discovered that a majority of these clients just used a gradual movement that tapered towards the end, rather than immediately snapping to face the opponent.
My solution to patch these aimbots was rather simple. It calculated the trajectory of the movement, checked if it was the same over the course of 5 network ticks, and then checked for intersection between the snapping point of any potential targets and the line of the trajectory. This is what I presume most current AntiCheat solutions for the game do.
It was here that I decided to write my own aimbot for the game. Not to use, but to try and bypass my own anti-aimbot solution. My first change that I made was to include jitter on the movement of the camera. The jitter bypassed my solution, as it no longer had constant trajectory.
Here I rethought my original solution, and instead of generating the trajectory for the first 5 network ticks, I tracked general movements and determined the positions that were probably the beginning and end of each camera movement. These positions were estimated based on a mixture speed of movement, and sharpness of angle change. I determined if it was an aimbot or not by smoothing the line, and determining if it directly targeted a player. This still only worked in a motion that went straight to the target, but detected small amounts of jitter.
To bypass my new protections I made a simple modification. Replacing the jitter with a reasonably flat sine curve. I came up with this solution after mapping my mouse movements when moving to targets that I had setup to randomly appear ingame. This gave me insight into what a legitimate mouse movement looked like. When smoothed, most of my movements could be best described as a sine curve.
At this point I was starting to notice a performance impact on the server. I knew I couldn't make the detection much more complex in this regard. I made it check the smoothness of any line, basically triggering if the angles were changing in a predictable manner. I then optimized all I had done as much as possible, and then went to add another type of detection. My new detection occurred as soon as the movement started. It checked for player movement, and logged the exact tick that a player became able to attack another player. It then crosschecked this with the start of movements, and if they correlated it logged it down. Using this information, it tightened the checks done by the other detection system when it correlated with the new detection. The higher the stored violations, the stricter it was. This did end up with false positives in the end, however a legitimate player should never have reached that level of violation.
With the patches that were in place, no one would be able to reliably determine what was setting it off without insider knowledge. However, just to be safe, I made one last minor change. I made the detections for the snap target much more lenient on locations. It would still trigger if the aimbot stopped 3 pixels to the right of the target, or overlooked by 4 pixels before panning back to the target point.
This experience basically had me understand what I believe to be a core tenet of security.
“It’s not about making it impossible, it’s about making it so hard they won’t bother.”
It’s not possible to completely block aimbotters without punishing legitimate players severely. In my testing, this didn’t pick up legitimate players enough to actually impact them, and it did pick up every aimbot I could find. In my mind, this was a successful project.
Before writing this post I attempted to find the network that I made this for, to see if they were still using it. However it appears they have sadly shut down sometime since then.
I know this is a very late post, however I was being asked about this project recently which brought it back to mind.