What actually goes on inside an Overwatch cheat: the technical principles

The topic of Overwatch cheats (what Chinese players call 外挂, literally "plug-ins") has never gone out of fashion: the game environment keeps getting worse, and players are on edge. Whenever someone in a daily match pulls off something outrageous, or aims more precisely than the current rank would suggest, the reflex is to assume a cheat.

Background of this article

When I was a student I made some cheat tools for single-player games myself, and after graduating I worked at a game company for several years. As a hobby I have also built an MMORPG, and I have done some research out of interest on online-game cheats, including those for Overwatch.

Some Bilibili uploaders have also tried to explain this subject, but their professional backgrounds differ; some explanations are ambiguous, lack technical grounding, and even mislead people, although they are all well-intentioned. Because I am not good at video production and do not have the time for it, I want to try to fill the gap in writing, seeking common ground while reserving differences.

I have answered some questions about cheats on Zhihu before, and well-known media platforms have commissioned similar articles from me. My starting point is technical popular science: to discuss why cheats cannot be banned by technical means alone and how cheats are implemented, so that readers can understand them from a perspective they have never had access to.

This article therefore comes with the following statements:

Some technical terms are simplified so that ordinary players without a technical background can follow, while keeping as much rigour as possible;

The cheat I implemented has never been used in a competitive match and has never won any official game. It was only tested in the practice range, the shooting range and matches against AI, and the accounts used for testing are no longer in use;

This article uses Overwatch, which everyone knows, as the example for discussing how cheats are implemented, to help you understand them better; I strongly recommend that you do not win games by cheating;

This article will not name any cheat on the market;

This article makes no moral judgement and does not discuss the ethics of cheating in FPS games;

Articles of this kind are highly controversial, so I will moderate the comment section (malicious comments only);

Reprinting without attribution is not permitted in any form; the source and original author must be credited when reprinting.

What do cheats do?

During this period I did a lot of homework, including studying the more popular cheats on the market and how they are implemented. First of all, the cheats seen in Overwatch boil down to two main functions: aimbot and wallhack (ESP). Beyond that come more specialised features some people will have heard of: automatic melee, an automatic blade for Genji, automatic Cryo-Freeze for Mei at low health, an automatic sight for Junkrat that calculates the parabola's landing point from the target's distance and raises the crosshair for you, and even helpers such as Tracer automatically dodging melee, D.Va automatically eating an enemy ultimate, or automatic Defense Matrix to protect a teammate from lethal damage.

You have probably heard the term "memory cheat". Some players also say "script cheat" or "packet cheat"; these labels sound ambiguous, but it does not matter, we will cover them together.

How are cheats implemented?

The more capable cheats popular in Overwatch today are memory cheats.

Many of us played single-player games as children, and you may have used memory editors such as Kingsoft Ranger (金山游侠) or Cheat Engine (CE). Reading and modifying values in a single-player game is, in fact, close to the approach Overwatch cheats take today.

Why does memory modification affect the game?

Everything in the game is reflected in memory. The most intuitive things are numeric values; slightly more complicated are pointers to functions. Single-player games are the clearest case, because modifying a particular value takes effect directly: change your health from 300 to 3000 and you immediately notice you are tougher.

Why is modifying values in online games almost impossible?

In Overwatch, can you change a hero's health (say Pharah's) from 200 to 10,000?

Currently, no. In a normal match, every numerical state you interact with is exchanged with the server. You can see the value 200 on screen, so it must exist in your memory, but its only job may be to be displayed.

Every change to your health, whether you were shot or healed, is actually computed on the server. The server calculates your health, sends you the result over the network, and your client stores that value in memory and renders it on screen.

The original post shows a sequence diagram of Overwatch's battle communication at this point; most real-time online games follow a similar model. Key parts such as headshot judgement and damage calculation are done on the server. From this we know:

Breaking into the server is almost impossible because of internal network isolation;

The server does not normally hold the game's source code;

Even if the code were there, you would be unlikely to compile it successfully;

Even if it compiled, you could not restart all the services;

So breaking into the server is essentially impossible, a dramatic device that exists only in novels.

What are script cheats and packet cheats?

These two labels come from ordinary players rather than from the implementation side. A "script cheat" can generally be understood as a mouse macro, or a program that keeps executing lightweight, mechanically repetitive instructions, such as the old rapid-fire tools for DNF.

A "packet cheat" is a completely different concept from both script and memory cheats.

It existed in some older online RPGs, usually as an "offline" bot. Such a cheat is not cheap to build: the prerequisite is that you can parse every communication protocol between client and server, and then write your own client program that can talk to the server normally.

In traditional RPGs, many power-levelling and gold-farming studios with the technical resources built such offline bots, running large numbers of accounts on one computer and completing all sorts of tasks in a one-stop fashion. It amounts to a text-mode implementation of the online game: because it only has to send and receive network traffic and never touches the graphics card, an ordinary home computer running hundreds or even thousands of accounts is normal.

There was also the earlier multi-screen radar map for PUBG ("eating chicken"). The principle is to capture and parse PUBG's network protocol, which carries enemy positions, the positions and types of resources, vehicles, the play zone and so on for the whole map. That information is drawn onto a web page, and a browser on another machine in the same LAN opens the page to act as a radar, giving a wallhack (radar map) effect. Once you have a god's-eye view you can obviously make far more predictive plays.

This counts as one way of cheating from the network-communication side, and it is why this kind of cheat can never be detected.

In Overwatch, though, such an offline bot is of little use, so nobody builds one. Moreover, modern game servers are implemented ever more strictly, with a great deal of validation, making this kind of cheat basically useless. An offline bot at most helps with some automation, and the profit is low.

How wallhacks (ESP) work

Next, combining the basics of network communication above, let me explain how the "wallhack" we see is achieved.

FPS is an extremely real-time genre. Every player depends on server synchronisation to play, all the more so in a fast-paced game like Overwatch.

So for a player to be able to shoot the instant they see someone, your client must always know the position of every character, including those behind walls and in rooms you cannot see.

Imagine the server did not tell you about an enemy behind cover whom you cannot see. What would the consequences be?

First, the server would have to compute the view direction of every character and the occlusion relationships of every viewing angle at all times, a considerable amount of computation. Second, you could no longer hear footsteps behind the wall: as far as the client knows, if the server has not told it about someone, there is nobody there.

And when an enemy darts out from a corner, network latency means the information cannot be synchronised to you in time. By the time the server tells you an enemy is there, if the other side's network is faster than yours, you may already have been killed; think about how it feels to die to lag.

So, to satisfy the game's real-time requirements, the server tells every player the coordinates of every character at all times. Your client therefore knows where every player is; the positions are stored in client memory, just not necessarily displayed.

So how does a cheat let you see every enemy's position?

The cheat reads Overwatch's memory to obtain every character's coordinates, which hero they are, current health, and even ultimate charge (in fact you cannot see the enemy's ultimate charge in-game, but for whatever reason Overwatch sends the enemy's ultimate charge to the client too, so it can be read from memory), among other information.

In short, every element reflected on your screen is also present in your memory and can be read from there.

We know the wallhack can mark every player's position with a box. So how does the cheat let us see the box? The box seems to be drawn on your game screen, as if it were a feature of the game itself.

In fact, the cheat simply opens a transparent window on top of your game window. This window belongs to a completely different process from Overwatch. The cheat takes the character coordinates it keeps reading and continuously draws them onto the transparent window.

(PS: some cheats can show model outlines. I am more inclined to think they call a function in memory that keeps outline highlighting switched on, like the always-on outlines in replay mode, rather than drawing them on the overlay.)

This also involves converting world coordinates (the 3D coordinates read out, since Overwatch is a 3D world with x, y and z axes) to 2D screen coordinates, that is, mapping what the camera sees onto the flat screen. Any programmer with game-development experience knows this simple conversion.

This is why a cheat usually requires you to run the game in windowed or borderless-windowed mode. Under Windows an exclusive full-screen window cannot have another top-level window above it, so in full-screen mode a transparent overlay cannot be placed over the game, you cannot see the drawn boxes, and there is no wallhack effect.

How aimbots work

An aimbot is very simple: it moves the mouse onto the enemy's head for you and shoots. That is true, but at the technical level there are a few tricks to it.

We know it can read character coordinates. For assisted aiming, what it has to do is capture your input when you shoot, and when you press the fire key it moves the crosshair to the chest, the head, or somewhere nearby.

In fact, not only the character's overall coordinates can be read from memory but also the positions of the chest and head, because the complete skeleton data is available. This is why a cheat can choose whether or not to headshot.

Correcting the crosshair position for you is the work of the aimbot.

The cheat usually has a FOV parameter. Anyone who has done surveying or played 3D games will know it: it describes the angle of the field of view. The aimbot uses this parameter to decide how far from the target your crosshair may be and still be corrected automatically. The larger the value, the further away: with a large enough FOV, even a crosshair half a screen away from the enemy is corrected automatically.

There are also parameters that make the correction look more like human aiming, such as the smoothing of the correction on the X and Y axes. The "gyro" everyone talks about is what happens when these parameters are set to zero and the FOV is large: the correction is instantaneous, and the cheat locks onto the hostile character and shoots. So this is not actually bullet tracking; I think it is purely that the turn is so fast that the picture has not refreshed yet. That is why, in replays of top-tier cheaters, the cheater usually seems to be shooting at the floor and only flashes onto the target at the instant of firing.

Having covered the aimbot mechanism, let us talk about mouse control.

When we play, we of course control the mouse. The cheat does the same: once it has calculated the point to aim at, it takes over your mouse and makes the aiming correction for you. But an Overwatch cheat does not necessarily simulate mouse events at the driver layer; it can also aim through memory, that is, it calls Overwatch's own existing aiming functions directly. The two methods differ only in technical implementation; the result is the same.

So what people call "micro aim assist" is actually correction-assisted aiming. The closer your crosshair already is to the target, the higher the hit rate, and for people with a good aiming foundation such a small correction is all the harder to notice. In the tens of milliseconds when you fire, it moves your crosshair toward the target as far as the smoothing allows, so depending on the distance to move and the smoothing (speed), the target may or may not be hit.

Precisely because of this mechanism, if you sweep the crosshair quickly from right to left and it stops just past the target on the left, inside the range that triggers the aim assist, the assist kicks in and pulls your crosshair back to the right onto the target's head. This is jokingly called the "triangle pull". Humans generally cannot make this kind of fine adjustment, because the reaction loop from perception to hand control takes far more than 150 milliseconds, so such a subtle curved correction only appears with machine aiming.

Of course, you may say you fired while your hand happened to tremble. Fair enough, but hands tremble only occasionally, not constantly. If your hands shake all the time, I suggest you get checked for Parkinson's.
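The two signatures just described, the "gyro" snap with smoothing at zero and the overshoot-and-reverse "triangle pull" inside the 150 ms reaction window, are exactly what a replay-side review tool can look for. The following is an added example, not code from the original post or from Blizzard: it runs a simple heuristic over constructed crosshair traces, and the thresholds (degrees per millisecond, on-target tolerance) are assumptions chosen for illustration.

```python
# Added example (not from the original post): a replay-side heuristic for the two
# aim signatures the article describes, the "gyro" snap and the "triangle pull".
# Traces below are constructed; thresholds are assumptions, not Blizzard values.
from dataclasses import dataclass
from typing import List, Tuple

HUMAN_REACTION_MS = 150   # article: perception-to-hand correction loop exceeds 150 ms
SNAP_DEG_PER_MS = 2.0     # assumed: faster than any human flick we would expect
ON_TARGET_DEG = 0.5       # assumed: within half a degree of the head counts as "on"


@dataclass
class AimSample:
    t_ms: int          # replay timestamp in milliseconds
    yaw: float         # horizontal crosshair angle, degrees
    target_yaw: float  # server-side horizontal angle to the nearest enemy head
    fired: bool        # primary fire pressed on this tick


def sign(x: float, eps: float = 1e-6) -> int:
    return 1 if x > eps else -1 if x < -eps else 0


def find_snaps(trace: List[AimSample]) -> List[Tuple[str, int, int]]:
    """Flag single-tick rotations faster than SNAP_DEG_PER_MS that land on target and fire."""
    flags = []
    for prev, cur in zip(trace, trace[1:]):
        dt = cur.t_ms - prev.t_ms
        if dt <= 0:
            continue
        rate = abs(cur.yaw - prev.yaw) / dt
        on_target = abs(cur.yaw - cur.target_yaw) <= ON_TARGET_DEG
        if rate > SNAP_DEG_PER_MS and cur.fired and on_target:
            flags.append(("snap", prev.t_ms, cur.t_ms))
    return flags


def find_triangle_pulls(trace: List[AimSample]) -> List[Tuple[str, int, int]]:
    """Flag overshoot-then-reverse: the crosshair sweeps past the target, reverses
    direction, and lands on the target with a shot inside HUMAN_REACTION_MS."""
    flags = []
    for i in range(2, len(trace)):
        d_prev = sign(trace[i - 1].yaw - trace[i - 2].yaw)
        d_cur = sign(trace[i].yaw - trace[i - 1].yaw)
        if d_prev == 0 or d_cur != -d_prev:
            continue                      # not a direction reversal
        peak = trace[i - 1]
        if sign(peak.yaw - peak.target_yaw) != d_prev:
            continue                      # reversed before reaching the target: ordinary stop
        for s in trace[i:]:
            if s.t_ms - peak.t_ms > HUMAN_REACTION_MS:
                break                     # a human-speed correction, not flagged
            if s.fired and abs(s.yaw - s.target_yaw) <= ON_TARGET_DEG:
                flags.append(("triangle_pull", peak.t_ms, s.t_ms))
                break
    return flags


def analyse(trace: List[AimSample]) -> List[Tuple[str, int, int]]:
    return find_snaps(trace) + find_triangle_pulls(trace)


def _sweep(points, target=10.0):
    # constructed 10 ms ticks; enemy head sits at `target` degrees of yaw
    return [AimSample(t, y, target, f) for t, y, f in points]

# cheat: sweeps 2 degrees past the head and is pulled back onto it 10 ms later
BOT_TRIANGLE = _sweep([(0, 0.0, False), (10, 4.0, False), (20, 8.0, False),
                       (30, 12.0, False), (40, 10.0, True)])
# cheat with smoothing at zero: 175 degrees in one tick, straight onto the head
BOT_GYRO = _sweep([(0, 0.0, False), (10, 175.0, True)], target=175.0)
# human who overshoots, then eases back over 200 ms before firing
HUMAN_OVERSHOOT = _sweep([(0, 0.0, False), (10, 5.0, False), (20, 11.0, False)]
                         + [(20 + 10 * k, 11.0 - 0.03 * k, k == 20) for k in range(1, 21)])
# human who decelerates onto the head without ever reversing
HUMAN_CLEAN = _sweep([(0, 0.0, False), (10, 3.0, False), (20, 6.0, False),
                      (30, 8.5, False), (40, 9.5, False), (50, 9.8, False), (60, 10.1, True)])

if __name__ == "__main__":
    for name, trace in [("bot triangle", BOT_TRIANGLE), ("bot gyro", BOT_GYRO),
                        ("human overshoot", HUMAN_OVERSHOOT), ("human clean", HUMAN_CLEAN)]:
        print(name, analyse(trace))
```

Real replay data would need the tolerance and rate thresholds tuned against legitimate high-rank play, since a pro's flick shot is fast too; the point is that the reversal-within-150-ms pattern, not raw speed alone, is what separates the two.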

The old health-bar cheat

As early as 2016, Overwatch cheats were neither as widespread nor as advanced as they are today (perhaps advanced ones existed, but they were not widely spread).

The cheat that existed for Overwatch back then was something called a "health-bar cheat".

When you hit an enemy in Overwatch, a bright red health bar appears above their head. Back then the health-bar cheat did not need to bypass any anti-cheat or read memory. Its principle was very simple: a program continuously takes screenshots of the game, finds that bright red (a fixed colour), uses a fixed offset to locate the head or body below the health bar, and moves the mouse there to achieve auto-aim.

This method is crude, and it works because of a design problem in Overwatch itself (a fixed-colour health bar appears when you hit someone). Its disadvantage, of course, is that you have to hit the enemy first before the auto-aim does anything.

(PS: in 2016, after learning the principle of this cheat, I implemented a simple version myself in just half a day, out of playfulness, using some open-source code friends had provided. I recorded two videos and uploaded them to Bilibili, but the review found the subject too controversial and rejected them, and in the end nothing came of it.)

Later, Overwatch added some simple anti-cheat mechanisms that could detect screenshots and whether mouse input was coming from an external event. The health-bar cheats all died at that point. Only old-timers who used them will know that Overwatch has a "flagged-account mode": when it suspects you are cheating, it enters a peculiar state. First, QQ and other ordinary applications can no longer take screenshots of Overwatch; the screenshot is a black screen. Second, the enemy health bar you see no longer has its original colour value but a slightly deeper one. None of this is distinguishable to ordinary players, but the health-bar cheat stops working. Of course, the health-bar cheats later got their own tricks to counter this mode, which I will not detail here.

This also shows that Blizzard has been working quietly, but unfortunately it cannot solve the problem at its root.

Later the health-bar cheats picked up some tricks. For example, instead of taking screenshots of Overwatch directly, the cheat pretends to be streaming with OBS (the most popular streaming software) and takes the game frames from OBS, then searches those for the health bar. The anti-cheat cannot detect this at all: it can stop you taking screenshots, but it cannot stop people streaming.

With the screenshot problem solved, the core problem returns to mouse control. Because the health-bar cheat does not intrude into the game process, memory-based aiming is not an option. This pushed cheats to upgrade further, and greatly increased the difficulty of making one: instead of simply using the mouse-control functions provided by the system, the mouse is controlled at the driver layer.

Operating with higher privilege puts the cheat far above Overwatch, which after all is just a little brother in the application layer.

So the "USB stick cheat" circulating in the community is actually a USB device pretending to be a mouse. It is real hardware, but with something extra hidden inside. You can even buy a USB chip that emulates keyboard and mouse for only ten or twenty yuan, and with some development background you can easily build this.

I just plugged in an extra "mouse"; what has that got to do with your Overwatch? (tactical step back)

How "lobby bombing" works

It is rarely encountered in practice, but it does exist. The principle of lobby bombing is also crude: flooding the target server with a large volume of traffic (DDoS) to choke the network.

So lobby bombing is a move that hurts the user as much as the target, because there is no way for the bomber to be fine while everyone else suffers.

In the past, Overwatch lobby bombing usually appeared in key matches. For example, a side about to lose would try to choke the network by bombing the lobby, so that players quit in frustration. If players do not return, the server assumes an unknown internal anomaly and triggers a fault-tolerance mechanism that forcibly ends the current match without counting the result.

This fault-tolerance mechanism is not only triggered by congestion. There used to be map out-of-bounds bugs, for example a character reaching some strange place, that would likewise trigger the mechanism and void the match.

But if the server is sometimes very laggy and everyone has high latency, is it because someone is bombing the lobby?

Not necessarily.

An unstable network in the server room, a failed communication link, or a bug at the server-software level can all cause similar problems.

If your ping is high, the latency between your network and Overwatch's access-layer servers is high.

But if your ping is normal yet everyone in the match sees each other teleporting, packets are lost and abilities cannot be used normally, then the network to the access layer is fine; the problem may be the software on Overwatch's internal servers, or the lobby is being bombed.

It is also worth mentioning that if every player in your match is lagging, and assuming it is not a server-software bug but someone bombing, it is not necessarily your match that is being bombed.

In a game server architecture, one physical server may be responsible for several Overwatch matches at the same time. League of Legends works this way, and Overwatch is generally the same.

For example: A is playing on Hanamura and B on King's Row, and it happens that A's and B's matches are allocated to the same server. In A's match some kid stuck in ranked cannot win his game, so he opens the mysterious program from his "study materials" folder on drive D and starts bombing. Lobby bombing is a flood of junk traffic against a particular server, so the players in B's match are innocently affected too.

Some will ask why NetEase cannot even prevent DDoS. Honestly this is hard to say. I believe the data centre has some protection, but a server cannot refuse legitimate-looking data sources: as long as the packets pass through the access layer legitimately and reach the Overwatch servers on the internal network, the server has a prerequisite for processing them, namely that each packet must be validated and dropped if invalid. Precisely this validation may consume a lot of CPU, so legitimate requests are not processed in time and pile up in the queue, making every action in the match sluggish.

Because of the Overwatch server's own fault-tolerance mechanisms, once a large-scale response anomaly occurs on the server, the current match is forcibly terminated without a result being settled.

In practice I have not seen lobby bombing in Overwatch for years. Besides, cheats are now very advanced, and the cost of cheating is low and the results reliable. If you cannot win, it is far easier to pay for a boost, or turn on a cheat and hurry to the next match, than to bomb a lobby at high cost.

About anti-cheat

Sometimes we wonder: if cheats are so rampant, why do bans keep happening?

How anti-cheat technology works

If you have played Tencent's ("Goose Factory"'s) PC games, you will have seen a TenProtect (TP) loading screen pop up every time you launch the game. This is a high-privilege game-protection process. It is an external protection program unrelated to the game itself, but it guards the game process like a bodyguard. Its role is similar to the security software on your computer.

Think of the game process, and all the ordinary applications you open, as little brothers. Each can only do its own thing and has no way to interfere with the others.

TP is the big brother: it can kill a little brother at will, and it can protect a little brother from being killed by another. If another little brother snoops on your little brother's private data, the big brother can refuse on his behalf.

The analogy is not very rigorous, but here we only need to understand that programs run with different privileges.

Thanks to TP, Tencent has secured the basics of its games. First, you cannot directly obtain the game window's handle or process ID, and you cannot read or write its memory, so at this basic level a casual player with only a simple debugger cannot cheat. Furthermore, the game protection also takes over and monitors the basic mouse- and keyboard-related functions; if you use a known scripting tool to simulate keyboard and mouse input at the application layer, that may also trip it.

The legendary TP may of course also scan other processes on your computer, or files on disk, to make sure you are playing in an ideal, clean environment.

So, relatively speaking, Tencent's games are currently the safest, and TP is one of the best anti-cheat programs in the world, having been honed over so many years against such a huge user base in China.

By now you can probably see that Blizzard's games lack a big brother's protection because there is no comparable protection process. Cheat development is therefore relatively smooth, and later anti-cheat work faces great operational difficulty.

Does Overwatch have an anti-cheat mechanism?

Yes, but only at a junior level: some anti-debugging and some detection of keyboard and mouse messages. Against cheats running with higher privileges they are helpless.

This is why Overwatch cannot detect these cheats at the technical level.

Of the memory cheats popular on the market today, some use Intel hardware virtualization and some use a signed driver, but without exception they are the big brothers: Overwatch has no way of knowing they exist, while they can easily read Overwatch's memory and even call functions inside Overwatch.

What Overwatch can do is identify cheats manually from gameplay. But these cheats are well made, and a lot of effort has gone into making them human-like.

High-level players' cheating is often blended with normal play; some only use the wallhack without aim assist, which makes manual identification very hard. It has to be said that in the long run this will be a huge challenge.

The game mechanics themselves are flawed

Now let us talk about game mechanics.

FPS games such as Overwatch (including but not limited to PUBG, APEX and similar titles) inherently cannot eliminate cheats completely.

As mentioned above, FPS is extremely real-time, and information such as coordinates must be sent to every player's client all the time, so wallhacks cannot be avoided. Knowing the characters' coordinates, aimbots cannot be avoided either, and aiming is the core action of an FPS, so the cheat's benefit is very high; yet because of the game's technical mechanism, there is no way to avoid it.

FPS is unlike the other genres we know well.

For example, in online RPGs such as Fantasy Westward Journey and Sword 3 (JX3), almost all values are stored on the server, all interactions are computed on the server, and what your client receives is just a cold number.

And what can cheats for those games get?

With a memory cheat you can bot to perform certain mechanical actions, auto-complete quests, auto-kill monsters and so on, but the benefits of these actions are not core benefits. At most they save the player some effort; they cannot touch the core.


Source: blog.csdn.net/weixin_52308504/article/details/113616089