Statement about cheating prevention is missing

yodased

Ch4mpTW wrote: »

@yodased
Very true. I'm assuming you and @cuyler are both programmers as well? .

I am a LAMP certified developer, but my true passions is fullstack Javascript.

MongoDB, angular, node.js are so sexy

Rohamad_Ali

yodased wrote: »

@roehamad_ali

LoL that isn't something I just came up with, it's basic anti-intrusion. There are a few ways around this problem:

1. Never trust the client, so you always store sensitive data on the server only.
The client is readonly. This is done on games like gta V, the client literally is a presentation layer only, but this server arch can't handle that, so buhbye.

2. Encrypt your variables and then decrypt them server side.
This is more fesible, but it requires a two step process and depending on where you keep the keys, its trivial to unlock.

3. Sanity checks
This is more in line with what most online games do. They send a specific query to the client with a specific expected answer. If that answer is out of bounds, they are cheating. For instance, you could do something like on character load, bring all resources to 0, then start regen timer. Depending on the variables send back by the client, you would have a specific answer from the server as to the time to 100. If that time to 100 is faster, there is an issue, drop the client.

4. Memory scanning;
This is my idea above. Basically you include 'cheat engine' within the launcher and you watch the hooks from windows that the program will attach to. If you see activity along that BUS, kill the client.

There are more in my head, but I would start with one of them for sure.

@yodased I believe you ! You could draw this in crayon , make a power point presentation or even make a popup children's book for me and I'll still be scratching my head . lol

Now if you want to talk about bypassing your smog O2 sensors on your car or modifying the exhaust on your Harley ... I can help with that . But that's boring to gamers . Save Cyrodiil !

r.jan_emailb16_ESO

yodased wrote: »

@roehamad_ali

LoL that isn't something I just came up with, it's basic anti-intrusion. There are a few ways around this problem:

1. Never trust the client, so you always store sensitive data on the server only.
The client is readonly. This is done on games like gta V, the client literally is a presentation layer only, but this server arch can't handle that, so buhbye.

2. Encrypt your variables and then decrypt them server side.
This is more fesible, but it requires a two step process and depending on where you keep the keys, its trivial to unlock.

3. Sanity checks
This is more in line with what most online games do. They send a specific query to the client with a specific expected answer. If that answer is out of bounds, they are cheating. For instance, you could do something like on character load, bring all resources to 0, then start regen timer. Depending on the variables send back by the client, you would have a specific answer from the server as to the time to 100. If that time to 100 is faster, there is an issue, drop the client.

4. Memory scanning;
This is my idea above. Basically you include 'cheat engine' within the launcher and you watch the hooks from windows that the program will attach to. If you see activity along that BUS, kill the client.

There are more in my head, but I would start with one of them for sure.

Depending on their logging capabilities*, they could also scan for anomalies in player behaviour. This could be done on another server cluster, and not necessarily during actual play time.

*) I really don't know to what extend the client submits trustworthy data. It sounds like you can't trust anything though, which makes the logging worthless until you somehow find a way to get trustworthy stuff from the client.

rhapsodious

Roehamad_Ali wrote: »

@yodased I believe you ! You could draw this in crayon , make a power point presentation or even make a popup children's book for me and I'll still be scratching my head . lol

Now if you want to talk about bypassing your smog O2 sensors on your car or modifying the exhaust on your Harley ... I can help with that . But that's boring to gamers . Save Cyrodiil !

Here, I'll try to provide layman's explanations:

1. "You, Client, are a drooling idiot. I, Server, know how to do this. But you need something to do, so I will tell you exactly what you can and can't do and you will either do or not do it."

2. Server goes on vacation for the week and asks Client to watch his house. Client is given the punchcode to disable the alarm.

2b. Cheater is hiding in the bushes watching Client punch in the code. Client leaves. Cheater uses the punchcode and breaks in.

3. Server knows that 2+2 = 4. Client knows that 2+2 = 4.

3b. Cheater is very convincing and leads Client to conclude that 2+2 = 5. Client gets into a heated argument with Server that 2+2 does in fact equal 5. Server isn't having any of that.

4. Cheater keeps breaking into Server's house and wreaking havoc. Server finally starts getting annoyed and pretends to leave the house with the lights off. Server actually hides in his bushes waiting for Cheater to come along. Client comes up to the house with his new friend Cheater who said he just needs to use the bathroom. Client unlocks the door. Cheater starts to walk in behind him. Server shoots Client because he's in the way and the bullet goes through Cheater as well. In this universe homocide isn't a thing so we'll leave it at that.

Ch4mpTW

Xjcon wrote: »

There is so many questionable things going on in the game it's sad. I really hope the people using the CE software feel like it's OK to keep using it, and at some point when ZoS finally figures out how to detect people using it they drop the ban hammer again.

It's not hard. It's really not. I promise you it's not. Lol. It's really, really, easy. Probably someone still in college could whip something up to do so. Seriously. It's that simple.

yodased wrote: »

Ch4mpTW wrote: »

@yodased
Very true. I'm assuming you and @cuyler are both programmers as well? .

I am a LAMP certified developer, but my true passions is fullstack Javascript.

MongoDB, angular, node.js are so sexy

Niiiiiice. My certifications are in computer system integrity penetration testing and things like overall software architecture security. And the things that go with it. I can probably rip a system or piece of software apart in hours to its base like nothing. All in the name of authorized testing of course. My favorite code currently is Swift, because I love everything Apple/Mac. Adore it. Not to mention Swift is incredibly beautiful to look at, and analyze. And I think we both know how important "beautiful code" is, compared to "ugly code". Lmao. But before Swift it was probably Objective-C for obvious reasons.

By the way, I wonder if ZOS would offer guys like us to show them a thing or two. OR perhaps give them some advice on things regarding their software. I mean, if anything it would help. Considering they're having some extra hands on deck evaluating things in terms of more perspectives being given. But, that's only wishful thinking of course. Lol.

RinaldoGandolphi

@yodased


3 and 4 are probably the most feasible, maybe combining 3-4 with some like VAC may be a way moving forward. Its not perfect, but nothing is. However, the games scaling limitations and whatever they put in place to deal with bots that butchered Cyrodiil performance when they changed their netcode really limits their options.

yumyum

@yodased
1. Yes all games should be server side
2. Encrypt and decrypt method can lag servers( works ok on games which have low numbers )
3. Sounds ok but what about players which may have a virus ( has came up before when this method has set of a false positive)
4. Very easy to bypass.

Cuyler

Ch4mpTW wrote: »

yodased wrote: »

@roehamad_ali

LoL that isn't something I just came up with, it's basic anti-intrusion. There are a few ways around this problem:

1. Never trust the client, so you always store sensitive data on the server only.
The client is readonly. This is done on games like gta V, the client literally is a presentation layer only, but this server arch can't handle that, so buhbye.

2. Encrypt your variables and then decrypt them server side.
This is more fesible, but it requires a two step process and depending on where you keep the keys, its trivial to unlock.

3. Sanity checks
This is more in line with what most online games do. They send a specific query to the client with a specific expected answer. If that answer is out of bounds, they are cheating. For instance, you could do something like on character load, bring all resources to 0, then start regen timer. Depending on the variables send back by the client, you would have a specific answer from the server as to the time to 100. If that time to 100 is faster, there is an issue, drop the client.

4. Memory scanning;
This is my idea above. Basically you include 'cheat engine' within the launcher and you watch the hooks from windows that the program will attach to. If you see activity along that BUS, kill the client.

There are more in my head, but I would start with one of them for sure.

@yodased
Very true. I'm assuming you and @cuyler are both programmers as well? Or people who handle cyber forensics? Offensive security? Breech testing? By the way, what you posted applies to not just video games but a lot of software in general. Lol. It's pretty basic trivial stuff really, so why ZOS hasn't implemented something like this but to a higher degree is beyond me.

@Ch4mpTW I'm far from it, I took an intro C++ course during my studies to becoming an environmental engineer. That's as far as it goes for me lel.

Edit: I'm simply the GM of a long standing competitive raid guild on the PC-NA server. We don't take lightly to cheaters. And being in my position, I get no less than a small army of people coming to me daily with their frustrations regarding this issue.

yodased

yumyum wrote: »

@yodased
1. Yes all games should be server side
2. Encrypt and decrypt method can lag servers( works ok on games which have low numbers )
3. Sounds ok but what about players which may have a virus ( has came up before when this method has set of a false positive)
4. Very easy to bypass.

If you have a virus and that is giving you a false positive on a video game, fix the *** virus.

Ch4mpTW

RinaldoGandolphi wrote: »

@yodased


3 and 4 are probably the most feasible, maybe combining 3-4 with some like VAC may be a way moving forward. Its not perfect, but nothing is. However, the games scaling limitations and whatever they put in place to deal with bots that butchered Cyrodiil performance when they changed their netcode really limits their options.

VAC? As in the Valve's toy? If so, that'd be a relatively amazing idea for ZOS to incorporate. Or rather something like it. I mean VAC has a few glaring flaws, but it's far better than what is currently there.

yodased

@Ch4mpTW Yeah valve anti-cheat. Which actually uses a combination of memory scanning and sanity checks, plus server side encryption of server only variables lol

You know what? People still cheat in VAC secured servers lol

Lord_Wrath

Zos has always been known to claim to about to do something and then turn around and do whatever the F they want.

I had asked for over a month about what happened to Jubilee cake submission and giveaways that never happened, but was constantly ignored. It took until a moderator gave me a 'double post' that i had enough and asked that moderator if he could at least be one person to make an effort to answer a question and he came around to it, apparently prizes were already given but i dont think anyone got anything at all.

Rohamad_Ali

rhapsodious wrote: »

Roehamad_Ali wrote: »

@yodased I believe you ! You could draw this in crayon , make a power point presentation or even make a popup children's book for me and I'll still be scratching my head . lol

Now if you want to talk about bypassing your smog O2 sensors on your car or modifying the exhaust on your Harley ... I can help with that . But that's boring to gamers . Save Cyrodiil !

Here, I'll try to provide layman's explanations:

1. "You, Client, are a drooling idiot. I, Server, know how to do this. But you need something to do, so I will tell you exactly what you can and can't do and you will either do or not do it."

2. Server goes on vacation for the week and asks Client to watch his house. Client is given the punchcode to disable the alarm.

2b. Cheater is hiding in the bushes watching Client punch in the code. Client leaves. Cheater uses the punchcode and breaks in.

3. Server knows that 2+2 = 4. Client knows that 2+2 = 4.

3b. Cheater is very convincing and leads Client to conclude that 2+2 = 5. Client gets into a heated argument with Server that 2+2 does in fact equal 5. Server isn't having any of that.

4. Cheater keeps breaking into Server's house and wreaking havoc. Server finally starts getting annoyed and pretends to leave the house with the lights off. Server actually hides in his bushes waiting for Cheater to come along. Client comes up to the house with his new friend Cheater who said he just needs to use the bathroom. Client unlocks the door. Cheater starts to walk in behind him. Server shoots Client because he's in the way and the bullet goes through Cheater as well. In this universe homocide isn't a thing so we'll leave it at that.

I have a Chihuahua and a shotgun for home security . The Chihuahua hears real good , barks real loud and is very small so if I fire off the shotgun in the dark I don't accidentally shoot the dog .

Also I tore out the electronic passcode thing on my garage and installed a sliding deadbolt with a master lock .

Not sure where I was going with this but that's how bad I am with tech . If my Son wasn't around , my PC would be wreck . But somehow , I can figure out how to play this game pretty well . But thank you for trying to enlighten me on this !

yumyum

yodased wrote: »

yumyum wrote: »

@yodased
1. Yes all games should be server side
2. Encrypt and decrypt method can lag servers( works ok on games which have low numbers )
3. Sounds ok but what about players which may have a virus ( has came up before when this method has set of a false positive)
4. Very easy to bypass.

If you have a virus and that is giving you a false positive on a video game, fix the xxxxxxxx virus.

And that shows how little you know about anti cheat and if you took the time you know that it can sometimes take time for AV soft ware to update detections of a virus. I love players like you who think he knows what he is talking about but knows nothing

Ch4mpTW

yodased wrote: »

@Ch4mpTW Yeah valve anti-cheat. Which actually uses a combination of memory scanning and sanity checks, plus server side encryption of server only variables lol

You know what? People still cheat in VAC secured servers lol

LMAO! Shhhhh! It's better than what's available now for ESO. >_<

@yodased
So I've been thinking... Being as some bums using C.E. have been able to cause this much of a disturbance in the community and shine so much light on ZOS' system weaknesses. . . As well as its standard for defenses. . . What would happen if someone really let loose on ZOS' system, and just let the scripts spray? I mean just it rip with some serious tools... What hypothetically would happen, and how would ZOS handle it? Because let's be real with each other. C.E. is super lightweight and primitive. It's a piece of fuzz compared to the stuff out there. Trust me. C.E. is a joke compared to what's out there. I can name some stuff right now that would probably give the developers nightmares for weeks. Lol. But anyway, would ESO just shutdown entirely, and be blacked out for like months? It's scary when you really think about it, and how ZOS handled this. I'm not trying to scare anyone, but provide food for thought. ZOS really needs to invest in some better protection and overall server and system integrity.

yodased

yumyum wrote: »

yodased wrote: »

yumyum wrote: »

@yodased
1. Yes all games should be server side
2. Encrypt and decrypt method can lag servers( works ok on games which have low numbers )
3. Sounds ok but what about players which may have a virus ( has came up before when this method has set of a false positive)
4. Very easy to bypass.

If you have a virus and that is giving you a false positive on a video game, fix the xxxxxxxx virus.

And that shows how little you know about anti cheat and if you took the time you know that it can sometimes take time for AV soft ware to update detections of a virus. I love players like you who think he knows what he is talking about but knows nothing

LOL this is hilarious. So you are saying that an anti-virus giving a false positive to a video game anti-cheat mechanism is enough to not use an anti-cheat mechanism? WTF?

r.jan_emailb16_ESO

Ch4mpTW wrote: »

yodased wrote: »

@Ch4mpTW Yeah valve anti-cheat. Which actually uses a combination of memory scanning and sanity checks, plus server side encryption of server only variables lol

You know what? People still cheat in VAC secured servers lol

LMAO! Shhhhh! It's better than what's available now for ESO. >_<

@yodased
So I've been thinking... Being as some bums using C.E. have been able to cause this much of a disturbance in the community and shine so much light on ZOS' system weaknesses. . . As well as its standard for defenses. . . What would happen if someone really let loose on ZOS' system, and just let the scripts spray? I mean just it rip with some serious tools... What hypothetically would happen, and how would ZOS handle it? Because let's be real with each other. C.E. is super lightweight and primitive. It's a piece of fuzz compared to the stuff out there. Trust me. C.E. is a joke compared to what's out there. I can name some stuff right now that would probably give the developers nightmares for weeks. Lol. But anyway, would ESO just shutdown entirely, and be blacked out for like months? It's scary when you really think about it, and how ZOS handled this. I'm not trying to scare anyone, but provide food for thought. ZOS really needs to invest in some better protection and overall server and system integrity.

I'd say it is not so much about finding a way to prevent hacking (you'll never achieve this) or detecting a hacker, which is imo much easier and doable, if you're willing to commit.

Ch4mpTW

yodased wrote: »

yumyum wrote: »

yodased wrote: »

yumyum wrote: »

@yodased
1. Yes all games should be server side
2. Encrypt and decrypt method can lag servers( works ok on games which have low numbers )
3. Sounds ok but what about players which may have a virus ( has came up before when this method has set of a false positive)
4. Very easy to bypass.

If you have a virus and that is giving you a false positive on a video game, fix the xxxxxxxx virus.

And that shows how little you know about anti cheat and if you took the time you know that it can sometimes take time for AV soft ware to update detections of a virus. I love players like you who think he knows what he is talking about but knows nothing

LOL this is hilarious. So you are saying that an anti-virus giving a false positive to a video game anti-cheat mechanism is enough to not use an anti-cheat mechanism? WTF?

That should never even happen in the first place. Lmao. If anti-virus is giving a false positive to a video game's means of an anti-cheat mechanism, then there are some major underlying issues at play. And whoever is receiving that notification of said false positive, should be scrambling OD to figure out the source ASAP. Lmao. Because I promise you, there are much large issues at stake. Seriously.

yumyum

yodased wrote: »

yumyum wrote: »

yodased wrote: »

yumyum wrote: »

@yodased
1. Yes all games should be server side
2. Encrypt and decrypt method can lag servers( works ok on games which have low numbers )
3. Sounds ok but what about players which may have a virus ( has came up before when this method has set of a false positive)
4. Very easy to bypass.

If you have a virus and that is giving you a false positive on a video game, fix the xxxxxxxx virus.

And that shows how little you know about anti cheat and if you took the time you know that it can sometimes take time for AV soft ware to update detections of a virus. I love players like you who think he knows what he is talking about but knows nothing

LOL this is hilarious. So you are saying that an anti-virus giving a false positive to a video game anti-cheat mechanism is enough to not use an anti-cheat mechanism? WTF?

Yes it can, and the method you listed can and has set them of, you have to be very careful in what you ban for when checking the game exe

I do know what i am taking about
https://www.linkedin.com/in/nick-b92b5a47

yodased

@yumyum I wasn't saying you should check the executable, you check the windows processes that cheat engine would hook to. I also said to kill the client, not ban the user sheesh.

Also, these are just ideas from the top of my head. I am not creating a RFP here, so can we get off my *** a bit?

yumyum

Yes you did and if you look at my 1st reply to you, you see that i said that it is easy to bypass that method.

Xylphan

Cuyler wrote: »

Nifty2g wrote: »

Roehamad_Ali wrote: »

Look , fellas , they're not gonna go into detail anymore . They already said they're being vague on purpose . I seriously doubt you're gonna get an answer on perma bans being lifted or what they can or can't do to catch cheaters anymore after that statement . It's a waste of energy to keep shoving the microphone in their face for more clarity .

We do not want information on the perma bans. We want information on this program being used and what is being done about it's uses. Seems like people can still use it from no comments about it

This is exactly what everyone I talk to and myself would like to know. Can they still use Cheat Engine or not. And when will ZOS eliminate the opportunity to do so. I could care less HOW they do it, as long as it's done. Confidence will remain low until such time.

Unless they implemented additional server side checks, then the answer is most likely yes. You wouldn't even need to use cheat engine. Any program that can read the stream and be scripted to alter/create messages would be able to do the same thing (or worse).

This is basically what bot programs do. The difference here though is that someone figured out that server side checking for other actions besides moving and farming were either lax or missing. Once they figured that out it was just a matter of creating/finding the best tool for the job. In this case, it seems simply altering the right memory addresses was enough instead of directly parsing/modding the stream.

I'm really hoping this was simply an oversight/bug and not representative of a fundamental flaw in design. A bug can usually be fixed in short order. A design flaw can mean a significant amount of work that could take a long time (along with an irate manager or two swinging the axe on those most responsible).

I'm an SSE with a major corporation, and if something like this had cropped up in software that I designed, I'd be kicked out the door so fast there would be scorch marks. :P

dsalter

Lava_Croft wrote: »

Meanwhile, Blizzard names, shames and permanently bans anyone found to be (doing something remotely related to) cheating in Overwatch...

ESO's ToS explicitly states that exploiting in-game bugs a breach of the ToS, just as much as using an external hack like Cheat Engine is.

thats cause blizzard have had plenty of experience in the mmo sector and know that that course of action helps BOLSTER customer numbers not cripple it.

Ch4mpTW

yumyum wrote: »

yodased wrote: »

yumyum wrote: »

yodased wrote: »

yumyum wrote: »

@yodased
1. Yes all games should be server side
2. Encrypt and decrypt method can lag servers( works ok on games which have low numbers )
3. Sounds ok but what about players which may have a virus ( has came up before when this method has set of a false positive)
4. Very easy to bypass.

If you have a virus and that is giving you a false positive on a video game, fix the xxxxxxxx virus.

And that shows how little you know about anti cheat and if you took the time you know that it can sometimes take time for AV soft ware to update detections of a virus. I love players like you who think he knows what he is talking about but knows nothing

LOL this is hilarious. So you are saying that an anti-virus giving a false positive to a video game anti-cheat mechanism is enough to not use an anti-cheat mechanism? WTF?

Yes it can, and the method you listed can and has set them of, you have to be very careful in what you ban for when checking the game exe

I do know what i am taking about
https://www.linkedin.com/in/nick-b92b5a47

But out of curiosity, do you or do you not have larger issues at stake than if a game's anti-cheat system reporting back to you false positives from the anti-virus software? Because if I ever received some crap like that, I'd be scrambling. Because the event alone would raise numerous red flags in my mind. And I mean numerous. Lol.

Also, it goes without saying that you should be careful for what you ban for involving a game application/program. Which is why there should be a myriad of checks setup to prevent any accidental bans. I may not be certified in the field of video game security, but I have certifications involving software security (as previously stated). I also test software for vulnerabilities for a living, along with other programming-based things. And I use both code that I wrote myself, and some of the penetrating tools provided by others.

yodased

Xylphan wrote: »

representative of a fundamental flaw in design.

Been like this since day one with never a 'fix'. You tell me.

Xylphan

yodased wrote: »

@roehamad_ali

LoL that isn't something I just came up with, it's basic anti-intrusion. There are a few ways around this problem:

1. Never trust the client, so you always store sensitive data on the server only.
The client is readonly. This is done on games like gta V, the client literally is a presentation layer only, but this server arch can't handle that, so buhbye.

2. Encrypt your variables and then decrypt them server side.
This is more fesible, but it requires a two step process and depending on where you keep the keys, its trivial to unlock.

3. Sanity checks
This is more in line with what most online games do. They send a specific query to the client with a specific expected answer. If that answer is out of bounds, they are cheating. For instance, you could do something like on character load, bring all resources to 0, then start regen timer. Depending on the variables send back by the client, you would have a specific answer from the server as to the time to 100. If that time to 100 is faster, there is an issue, drop the client.

4. Memory scanning;
This is my idea above. Basically you include 'cheat engine' within the launcher and you watch the hooks from windows that the program will attach to. If you see activity along that BUS, kill the client.

There are more in my head, but I would start with one of them for sure.

1. Server side validation is the correct design.
2. Fails. Period. Symmetric key encryption requires client and server knowing the keys, and any hacker worth their salt will crack it in the span of days.
3. Essentially the same as one.
4. Fails. Period. Trivial to bypass using any number of techniques, including direct message manipulation. It's why programs like "hackshield" and the like fail.

Additional server side validation is the only real fix. Any client side "fixes" would be cracked in a matter days.

OdinForge

Publius_Scipio wrote: »

I think this topic warrants a few minutes of mention on the next ESO Live. I think the players deserve at least that.

They thought about it.


But then they made this dope ass mount color.


sooo

yumyum

not came across any issues with AV software setting of a false positives.

Ch4mpTW wrote: »

yumyum wrote: »

yodased wrote: »

yumyum wrote: »

yodased wrote: »

yumyum wrote: »

@yodased
1. Yes all games should be server side
2. Encrypt and decrypt method can lag servers( works ok on games which have low numbers )
3. Sounds ok but what about players which may have a virus ( has came up before when this method has set of a false positive)
4. Very easy to bypass.

If you have a virus and that is giving you a false positive on a video game, fix the xxxxxxxx virus.

And that shows how little you know about anti cheat and if you took the time you know that it can sometimes take time for AV soft ware to update detections of a virus. I love players like you who think he knows what he is talking about but knows nothing

LOL this is hilarious. So you are saying that an anti-virus giving a false positive to a video game anti-cheat mechanism is enough to not use an anti-cheat mechanism? WTF?

Yes it can, and the method you listed can and has set them of, you have to be very careful in what you ban for when checking the game exe

I do know what i am taking about
https://www.linkedin.com/in/nick-b92b5a47

But out of curiosity, do you or do you not have larger issues at stake than if a game's anti-cheat system reporting back to you false positives from the anti-virus software? Because if I ever received some crap like that, I'd be scrambling. Because the event alone would raise numerous red flags in my mind. And I mean numerous. Lol.

Also, it goes without saying that you should be careful for what you ban for involving a game application/program. Which is why there should be a myriad of checks setup to prevent any accidental bans. I may not be certified in the field of video game security, but I have certifications involving software security (as previously stated). I also test software for vulnerabilities for a living, along with other programming-based things. And I use both code that I wrote myself, and some of the penetrating tools provided by others.

Not came across any issues with AV software setting of a false positives, all anti cheat software have a false positives from time to time and i can't speak for them

Ch4mpTW

Xylphan wrote: »

yodased wrote: »

@roehamad_ali

LoL that isn't something I just came up with, it's basic anti-intrusion. There are a few ways around this problem:

1. Never trust the client, so you always store sensitive data on the server only.
The client is readonly. This is done on games like gta V, the client literally is a presentation layer only, but this server arch can't handle that, so buhbye.

2. Encrypt your variables and then decrypt them server side.
This is more fesible, but it requires a two step process and depending on where you keep the keys, its trivial to unlock.

3. Sanity checks
This is more in line with what most online games do. They send a specific query to the client with a specific expected answer. If that answer is out of bounds, they are cheating. For instance, you could do something like on character load, bring all resources to 0, then start regen timer. Depending on the variables send back by the client, you would have a specific answer from the server as to the time to 100. If that time to 100 is faster, there is an issue, drop the client.

4. Memory scanning;
This is my idea above. Basically you include 'cheat engine' within the launcher and you watch the hooks from windows that the program will attach to. If you see activity along that BUS, kill the client.

There are more in my head, but I would start with one of them for sure.

1. Server side validation is the correct design.
2. Fails. Period. Symmetric key encryption requires client and server knowing the keys, and any hacker worth their salt will crack it in the span of days.
3. Essentially the same as one.
4. Fails. Period. Trivial to bypass using any number of techniques, including direct message manipulation. It's why programs like "hackshield" and the like fail.

Additional server side validation is the only real fix. Any client side "fixes" would be cracked in a matter days.

LOL! Hackshield is terrible! Better yet, it's "terri-bad". I recall testing that software out not too long ago, and it failed horribly. Lmao. OMG. The memories. Archeage used that pos right?

Edit:
MapleStory used it at one point too, yes?

Kahl_dur