Hacking GTA V RP Servers Using Web Exploitation Techniques (nullpt.rs)
137 points by hazebooth on Aug 29, 2023 | 35 comments



it's nice seeing someone open with telling everyone that GTA V is some of the most poisoned online gameplay with regards to cheating.

I don't agree with the conclusion that it's because it's peer-to-peer. that's not why -- it's because of lazy developer methods and a lower prioritization of security effort.

the biggest genuine effort that Rockstar puts into anti-cheat is an occasional memory-structure shuffle to kick sand into Cheat Engine users' eyes, and the occasional honey-pot that bans a few hundred people -- and these efforts come after begging Rockstar for years to do something, and the most it accomplishes is selling additional copies of the already dirt-cheap game.

These ban cycles and 'enforced ignorance' to the problem nets them more profit than it would otherwise; disenchanted players play less, reducing infrastructure costs -- and banned players buy another 2 dollar copy of the game -- but it kills user experience outside of single player entirely.

They don't care. I get it, but it sucks -- and it's not some GTA6 thing, they never cared.


Yeah, they absolutely don't care. It cannot be hard to detect griefing and obnoxious cheating by just looking at player behavior. How hard can it be to detect 90000000000 in-game dollars to be added to players, how hard can it be to detect that someone is blowing up everyone in the server, ... They just don't care, and it's a shame because GTA V still holds up as a fantastic game even after all these years.


> How hard can it be to detect 90000000000 in-game dollars to be added to players

Don't give them ideas ;) You either get a small loan of a billion dollars from a friendly cheater, or they try to bleed your wallet dry with Shark Cards. Rockstar are incapable of coming up with a balanced and rewarding progression system because it's in direct conflict with their financial goals.


For what it's worth, I used to play GTA online a lot and was getting bored with it. For a last hurrah, I had my account hacked by a friend to give me billions. I bought all the stuff I wanted even though I was told to be careful with buying too much (as if I was money laundering).

I opened it up recently and my money was back to normal. I imagine I did something that got me detected. In all honesty, it was a blessing, because I realized I was only playing the game for the addictive grind and I didn't enjoy the game itself. The online mode is like a second job, and it's exacerbated by the highest rewards being specifically designed to grief new players. Rocket bikes with car seeking missiles really killed the game for me


> as if I was money laundering

Yeah, it's suspected a very common trigger for R*, for whatever reason, is depositing cash into your in-game bank account. You're far less likely to be banned if you only pay in cash.


Sounds exactly like Twitter up to the exit (gotten worse after they took griefing upon themselves, tbc).


Rockstar doing something about cheaters on their online experience won't affect a thing for what this post is talking about. The exploit in this post is for FiveM servers, a third-party mod. The interactions on here are not usually peer-to-peer.


R* recently bought FiveM, so it's a bit less third party now.

https://www.polygon.com/23828445/gta-5-mods-roleplay-red-dea...

Maybe they'll do the same as mojang did with bukkit, and leave it out to dry...


>These ban cycles and 'enforced ignorance' to the problem nets them more profit than it would otherwise; disenchanted players play less, reducing infrastructure costs -- and banned players buy another 2 dollar copy of the game -- but it kills user experience outside of single player entirely.

Game devs vehemently deny this but there are games out there with perverse incentives for the game devs regarding cheaters. Escape From Tarkov is another game that is losing many players to the cheater issue while the devs drag their feet addressing the problem, or any problem in that game really. Why would they? Once the devs have legitimate players' money, them playing the game is just costing them money by paying for servers. Banning enough cheaters just frequently enough to buy another copy is how they get recurring revenue. As much as I hate the subscription model taking over everything I think if it was used in games like Tarkov it would be a much better game because it would align incentives to keep players engaged. On the other hand that would probably come with a bunch of dark patterns.

I have a personal conspiracy theory that Tarkov kept making the early game harder and more insufferable for new players, while making the game easier once you have grinded long enough (for people like streamers, who basically are the advertising). That was a decision to get people excited to buy the game from watching streamers with their far better experience, then quit shortly after because their own experience is insufferable.


This post is about private servers using a 3rd party mod called FiveM. How do you expect Rockstar to police them?


True, but the main game is similarly plagued by some of the worst cheats I've ever encountered in an online game and I'm almost certain there are some serious security vulnerabilities to be found there.

I stopped playing when some cheater impersonated me in the game chat and then crashed my game, after I insulted them (mostly out of curiosity to see what else their cheats can do). It's just so far beyond what happens with cheats in other online games. I've also heard of people being followed by cheaters across game sessions and being DDoSed.

The only thing that's similarly bad to the cheats in GTA Online is (the original) Modern Warfare 2 which has had RCEs.


> True, but the main game is similarly plagued by some of the worst cheats I've ever encountered in an online game

Why is it even possible for a player to change the entire map for all players on the server to winter? Why is it even possible to "attach" a helicopter to someone's head? Why is it even possible for players to spontaneously burst into flames, even after dying and respawning?

These are dumbfounding "cheats" that only exist to troll players. I have no idea why the client/server even accepts these environment changes. It seems really easy to prevent...


Because it is a single player game with multiplayer hacked into it.


Rockstar owns FiveM now


Is it possible to automate a process that leads to random memory-structure changes, that could be done regularly? How would that look for development and debugging?


Yes, Roblox does it.


I miss these kinda posts, so rare now.

I know XSS is dying due to CORS and DLL injection is mooted by ASLR, that APIs are usually authenticated and authorized, but damn...

I wish there was a more collective place to showcase modern exploits, they just hit nice in the feelies.


CORS doesn't prevent XSS and isn't designed to.


>I know XSS is dying due to CORS

CORS isn't related to XSS. CORS actually isn't a security protection at all. It's a way for web apps to explicitly disable standard protections that browsers apply to enforce same origin policy.

You might be thinking of Content Security Policy (CSP).[0] That's the most effective protection I'm aware of for XSS, but it's not very widely used because so few JavaScript libraries are compatible with it.

[0] https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP


Yeah, I meant CSP.

>so few JavaScript libraries are compatible with it.

is this because of the 'eval' function specifically, or is there other reasons?


Yeah, eval is the main culprit, but there's also Function, setTimeout, setInterval and friends.[0]

The other gotcha is that with a secure CSP policy, you can no longer do things like <button onclick="handleClick"> because that's inline JS, so that's kind of a bummer.

[0] https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Co...
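As an added example for the two comments above (the CORS-vs-CSP one and the eval/inline-handler one), here is a small Node.js evaluator of the CSP rules that govern scripts. It is my code, not anything from the post, from FiveM or from the MDN pages linked above, and it is deliberately simplified: it checks `script-src` (falling back to `default-src`), `'self'`, nonces, `'unsafe-inline'`, `'unsafe-eval'` and host sources, but does no hash verification, no `'strict-dynamic'` and no path matching. The page origin `https://app.example.com`, the CDN host and the nonce value are assumed values chosen for the demo.

```javascript
'use strict';

// Added example (not code from the post or from FiveM): a small evaluator of
// Content-Security-Policy script rules, enough to show why eval()-based
// libraries and inline onclick handlers break under a strict policy.
// Simplifications: no hash-source verification, no 'strict-dynamic', no
// path matching on host sources. The page origin below is an assumed value.

const ASSUMED_PAGE_ORIGIN = 'https://app.example.com';

// Parse "directive src src; directive src" into Map<name, sourceList>.
// A repeated directive is ignored, as in the spec: the first one wins.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Does one host-source expression ("https:", "*.example.com",
// "https://cdn.example.com:8443") match the URL of an external script?
function hostSourceMatches(source, scriptUrl, pageOrigin) {
  const u = new URL(scriptUrl, pageOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return u.protocol === source.toLowerCase();            // scheme-source
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && `${scheme.toLowerCase()}:` !== u.protocol) return false;
  const h = host.toLowerCase();
  if (h.startsWith('*.')) {
    const suffix = h.slice(1);                              // ".example.com"
    if (!u.hostname.endsWith(suffix) || u.hostname.length === suffix.length) return false;
  } else if (h !== u.hostname) {
    return false;
  }
  const urlPort = u.port || (u.protocol === 'https:' ? '443' : '80');
  return !port || port === '*' || port === urlPort;
}

// script.kind: 'eval'     eval(), new Function(), setTimeout("code")
//              'inline'   <script>...</script> with no src (may carry a nonce)
//              'handler'  onclick="..." attribute: nonces cannot be attached to these
//              'external' <script src="...">
function isScriptAllowed(policy, script, pageOrigin = ASSUMED_PAGE_ORIGIN) {
  const directives = parseCsp(policy);
  const sources = directives.get('script-src') ?? directives.get('default-src');
  if (sources === undefined) return true;                  // nothing governs scripts
  const has = (kw) => sources.some((s) => s.toLowerCase() === kw);
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha(256|384|512))-/i.test(s));
  const nonceOk = Boolean(script.nonce) && sources.includes(`'nonce-${script.nonce}'`);

  switch (script.kind) {
    case 'eval':
      return has("'unsafe-eval'");
    case 'inline':
      // 'unsafe-inline' is ignored once the directive carries a nonce or hash.
      return nonceOk || (has("'unsafe-inline'") && !hasNonceOrHash);
    case 'handler':
      return has("'unsafe-inline'") && !hasNonceOrHash;
    case 'external': {
      if (nonceOk) return true;
      const sameOrigin = new URL(script.src, pageOrigin).origin === pageOrigin;
      if (has("'self'") && sameOrigin) return true;
      return sources.some((s) => !s.startsWith("'") && hostSourceMatches(s, script.src, pageOrigin));
    }
    default:
      throw new Error(`unknown script kind: ${script.kind}`);
  }
}

// Compare a loose and a strict policy against the script shapes discussed above.
function comparePolicies() {
  const policies = {
    loose: "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
    strict: "default-src 'self'; script-src 'self' 'nonce-R4nd0m' https://cdn.example.com",
  };
  const scripts = {
    'eval()': { kind: 'eval' },
    'onclick=': { kind: 'handler' },
    'inline, no nonce': { kind: 'inline' },
    'inline, good nonce': { kind: 'inline', nonce: 'R4nd0m' },
    'cdn script': { kind: 'external', src: 'https://cdn.example.com/vue.js' },
    'attacker script': { kind: 'external', src: 'https://evil.example.net/x.js' },
  };
  const table = {};
  for (const [label, script] of Object.entries(scripts)) {
    table[label] = {};
    for (const [name, policy] of Object.entries(policies)) {
      table[label][name] = isScriptAllowed(policy, script);
    }
  }
  return table;
}

console.table(comparePolicies());
```

Run it with `node csp-check.js`: the strict policy rejects `eval()`, the `onclick=` handler and the un-nonced inline script while still loading the CDN script, which is exactly the combination that breaks eval-based libraries and inline handlers. Note that the `'unsafe-inline'` keyword stops having any effect as soon as a nonce or hash appears in the directive, so adding a nonce to a legacy policy is a one-way door for inline handlers.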


I can sorta share this sentiment. Luckily (for us) tech seems to be moving in the direction of embedding Chromium everywhere which always leads to some fun exploits :)


ASLR doesn't stop DLL injection.


I think GP confused DLL injection with return to libc.

I see why; in return to libc, which is prevented by ASLR, you are injecting the control of flow into the middle of a DLL(that DLL is libc). The terminology is a little confusing.


meant hooking functions statically or even dynamically with a minimal amount of code-golfed asm instructions inserted via buffer overflow, and repairing the stack to sneak by stack smashing detection, but yeah, libc is implied in the Linux environment


That was a very nice write-up!


Thank you! Hope to publish more like it soon :)


Looking forward to reading it -- genuine, raw, straight up hacking is almost nostalgic at this point.

wish we could get more bug bounty write up submissions


My friend, you seem genuine in your enthusiasm if a little misinformed, so in the spirit of trying to stoke that rather than smother it, can I gently alert you to the thousands of bug bounty write ups you can read online? A decent place to start is the various H1 Disclosed writeups [0] but there's an avalanche of this sort of content on Medium (most not as well written as OP's, it must be said, but still very technical and detailed.) Good news! The time you're nostalgic for is right now! If people would like to share other blogs below which also post technical writeups for this poster, feel free. I'll throw in another one [1] too.

[0] https://twitter.com/h1disclosed

[1] https://jub0bs.com/posts/


Thank you, this was precisely what I was looking for, as searching for "bug bounty write ups" in the past was more noise than signal; but this is what I wanted, thank you a lot!


A bit off topic but I played a bit of GTA online recently after not playing for years, was really amazed at how little it had developed in terms of core gameplay. Lots of new weapons and vehicles but very little to make a compelling game.


That’s modern gaming now. Once they figured out the concept of the Skinner box it was all downhill

I do wonder if there are statistics on how many of the attempts at creating micro transaction economies fail though. I hope it’s high. I feel like it has to be, but I guess at the same time it’s a question of as long as game sales recoup development costs any micro transaction stuff just needs to cover server and admin costs and then the rest is all profit. But I feel like so many studios go in hoping to recreate Fortnite, Roblox, or gta V and that’s just so unlikely.


They misspelled “amount”

“amountt: $('#transferval').val()”

But great dive into FiveM! Had no idea it came bundled with Vue.


The "good news" is that code injections are still widely popular in the form of supply chain attacks.

And this is also our fault, e.g. due to the explosion of dependency hell in npm libraries.

This is probably the best intro to modern supply chain attacks and detection techniques, just shared with my team this week:

https://youtu.be/3pLfkutz1x8

(edit: removed youtube tracking)


Is this an ad? The video is essentially an ad for the vendor's solution that's unrelated to the original post.



