1. #1

    Warning: (STEAM)Dungeon Defenders

    Edit:
    My post on Trendy net.
    http://forums.trendyent.com/showthre...l=1#post250732 * was removed due to illegal content*
    (jezus I just noticed they have a typo in NET *correction* it's supposedly Trendy Entertainment :P)

    Hey all, I'm posting this due to the "shock" I got last weekend concerning the Steam game Dungeon Defenders.

    The last few weeks, I started seeing "shops" (games with a shop) with items that seemed to stretch a bit further than what could be accomplished, in terms of stats and/or damage. I also encountered more and more "OP" characters ingame.

    The game advertises with the lines that it has now installed "Steam cheat protection", or something along those lines, and that it's actively banning "hackers".

    Sadly, there are no hackers. Nothing gets hooked into the game during playtime at all. No processes get violated, Steam anti cheat can't prevent "hacking", because the game itself is built to read items into memory and save the game only occasionally. This last part is where it starts going wrong. Instead of directly writing items from and into the database, it uses the client's (PC's) local memory to keep track of items and it only occasionally saves them to the database.

    The reason for this is probably to prevent too much stress on the servers, but it makes it extremely easy to "hack" any existing statistic in the game. To see what was possible, I employed a pre-built memory editor to alter statistics on weapons and gear. I'm currently at work, but I can testify that I am equipped with a Crystal Tracker-type of weapon that does about 250.000.000 damage per shot, has a fire rate of, to prevent lag, 6 shots per second and 12 projectiles. We could virtually hack this item to have 128 stats on all available modifications, including resistances (on a weapon).

    For the record, I'm against cheating. I play my games completely clean, unless it's a single player game and I'm just fucking around in the console after clearing it. I'm not holier than the pope, but I prefer fair play. I have not used these hacked weapons in an open game, but can testify that it's saved to the database and active in any game I join.

    I'm posting this, because (a.) I want to put the developers to shame and (b.) I want to warn people before they buy the game. The game is fun. Play it with friends, play it solo, but realize that the community is polluted by item hacks and even the official forum has items being offered that cannot be real.

    I'm aware that I could be banned from Dungeon Defenders, hopefully not from steam, based on this post and the "hacking", but the fact that they only write items to the database from MEMORY occasionally without any form of protection or check, means that the game is written extremely badly and open to many forms of cheating.

    Edit: Examples:



    ========= Response from a moderator on the Trendy Ent Forums, that does not work for Trendy Ent *shrug*=================

    Quote Originally Posted by Finally
    Quote Originally Posted by Popcorn
    Quote Originally Posted by Finally
    Two things:
    upon request from the moderator in question, I have deleted the content in this quote. The moderator has been quite friendly, decent guy, and I'm not here to cause a riot.
    Edited in for completion and to make sure nothing is left out.

    - I agree with the argument concerning hosting. The client is being run client side (PC) and a player hosts the game on his machine. This is correct, by all means and does indeed make it harder to enforce an anti-hack policy, but by no means impossible.
    - I do not understand what's meant by "VAC does a delayed ban and will be removing the easy/common hacks you talk about in the first wave. so these programs will no longer work." Common sense would dictate that if VAC was already functioning, it would remove the items as soon as the first wave, but it won't stop these programs from working at all. It takes 6 seconds to make a godly weapon out of nothing. It takes more time to remove it.
    - Yes, my account will likely get banned.
    Last edited by Vespian; 2011-12-12 at 08:29 PM.

  2. #2
    inux94
    Your point of the thread?

    VAC is giving delayed bans, it isn't the only anti-cheating measure they use, they got admins (like Jdanford) browsing through the playerbase looking for any people who have cheated.

    If VAC has detected you, then it isn't an instant ban. They give delayed wave bans to players.

  3. #3
    Quote Originally Posted by inux94 View Post
    Your point of the thread?

    VAC is giving delayed bans, it isn't the only anti-cheating measure they use, they got admins (like Jdanford) browsing through the playerbase looking for any people who have cheated.

    If VAC has detected you, then it isn't an instant ban. They give delayed wave bans to players.
    My point is, that they have no actual checks to secure gameplay without cheating. I'm convinced I can make items, sell them and never hear from it again. My point is, that it's so fantastically easy to manipulate the game, that you'll never be sure that you bought a fake weapon, or a real one. My point is, that the game might be able to ban a few extreme cases of hacking, much like we did with the numbers in the millions, but can't detect the difference between a slightly overpowered hacked version of a weapon and the legit version of a weapon. There are several "perfect scores", but they have no current automatic built-in checks to secure these maximum values, allowing people to accumulate mana and any number of altered stats quite quickly.

    Will I be banned, yes, would it be possible for me to pollute the game within a timeframe of 2 days, without anyone ever knowing that they bought hacked item, also yes. That's the point of this thread. People walking around with 30 billion mana, you really think they got that by fair-trading?

    I'm not inclined to make a profit, but the game is polluted and I'm making the effort to warn people about it. Call it a point, or don't, but I think that's the point I'm making and what I've noticed, imho, is enough of a problem to make a point about.

  4. #4
    inux94
    Quote Originally Posted by Vespian View Post
    My point is, that they have no actual checks to secure gameplay without cheating. I'm convinced I can make items, sell them and never hear from it again. My point is, that it's so fantastically easy to manipulate the game, that you'll never be sure that you bought a fake weapon, or a real one. My point is, that the game might be able to ban a few extreme cases of hacking, much like we did with the numbers in the millions, but can't detect the difference between a slightly overpowered hacked version of a weapon and the legit version of a weapon. There are several "perfect scores", but they have no current automatic built-in checks to secure these maximum values, allowing people to accumulate mana and any number of altered stats quite quickly.

    Will I be banned, yes, would it be possible for me to pollute the game within a timeframe of 2 days, without anyone ever knowing that they bought hacked item, also yes. That's the point of this thread. People walking around with 30 billion mana, you really think they got that by fair-trading?

    I'm not inclined to make a profit, but the game is polluted and I'm making the effort to warn people about it. Call it a point, or don't, but I think that's the point I'm making and what I've noticed, imho, is enough of a problem to make a point about.
    You're convinced, you don't have evidence.
    As I said before VAC bans are delayed and it isn't instant, people have been banned for altering with files.

    If people want to cheat, they can do so but they're trying their luck, just like buying gold in WoW. There will always be cheaters, they will always risk their dear accounts when they do so.


    There's no warning for this game, it's a great game when you play with your friends. (I usually play with my girlfriend and 2 people from Iceland)

  5. #5
    Good post, OP, thank you. I bought it, but haven't actually played it yet.

  6. #6
    Play with random pugs and you're going to get cheaters and hackers.

    Not unusual in any game. Especially one that is a coop game and not an MMO.

  7. #7
    Thanks for the heads up, OP. VAC may not catch it.

    Ignore the second poster, he's just looking to argue with someone.

  8. #8
    Deleted
    Was considering buying it, looks fun, but probably won't play it it's swamped with hackers.

  9. #9
    Who cares? Game is awesome, that's all that matters.

  10. #10
    Quote Originally Posted by inux94 View Post
    You're convinced, you don't have evidence.
    As I said before VAC bans are delayed and it isn't instant, people have been banned for altering with files.

    If people want to cheat, they can do so but they're trying their luck, just like buying gold in WoW. There will always be cheaters, they will always risk their dear accounts when they do so.

    There's no warning for this game, it's a great game when you play with your friends. (I usually play with my girlfriend and 2 people from Iceland)
    The point you are making is valid, but has no effect on the point I'm making. I'm saying that I personally can't hack into WoW if my life depended on it, because Memory hacks simply aren't that effective in WoW. In the case of DD, you can download a simple tool that every monkey with an IQ below 60 can use and you can generate your own items.

    If that's not a fuck-up on the part of the developers, I don't know what is.
    Last edited by Vespian; 2011-12-12 at 03:05 PM.

  11. #11
    Deleted
    The OP actually has a valid point about the programmers being "lazy" here: The way he describes it is similar to the way editing your Diablo I characters worked, and that was in 1997 (14 years ago!). It is a basic flaw in the architectural design of the software if you have the client application handle validity of data, without the server checking it; a brute but easy way to fix it is have the server keep a checksum for each item you own and be notified of each change in items immediately, so it can update the checksum. If you tamper with your items in the client application the checksum mismatches and the server can force the client to revert to the checksum-approved, valid version.

    OP, have you filed a bug report with the developers? One might want to give them a chance to fix that; if they ignore it they are guilty of accepting cheating in their online game. Then one can contact Valve about it, I am sure they will not like the fact an online game that accepts cheating is on STEAM, would be very bad PR.
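
The server-side check described in post #11, combined with the missing maximum-value checks raised in post #3, as an added example that is not code from the game or from any poster. It assumes a trusted server that issues every item; `ItemLedger`, `STAT_CAP` and the item layout are hypothetical names chosen for illustration.

```python
import copy
import hashlib
import json

STAT_CAP = 100  # assumed limit; the thread does not give the game's real caps


def checksum(item):
    """Digest of the item's canonical JSON form (sorted keys, no whitespace)."""
    canonical = json.dumps(item, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class ItemLedger:
    """Server-side record of the last version of each item the server approved."""

    def __init__(self):
        self._approved = {}  # item_id -> (approved copy, checksum)

    def approve(self, item_id, item):
        """Record an item state the server itself produced (drop, upgrade, trade)."""
        for stat, value in item["stats"].items():
            if not 0 <= value <= STAT_CAP:
                raise ValueError(f"{stat}={value} is outside 0..{STAT_CAP}")
        snapshot = copy.deepcopy(item)
        self._approved[item_id] = (snapshot, checksum(snapshot))

    def reconcile(self, item_id, client_item):
        """Check a client-submitted copy; return (item to keep, tampered?)."""
        if item_id not in self._approved:
            return None, True  # never issued by the server: discard
        approved, digest = self._approved[item_id]
        if checksum(client_item) == digest:
            return client_item, False
        return copy.deepcopy(approved), True  # revert to the approved version


# Constructed sample data, not taken from the game.
SAMPLE_ITEM = {"name": "crossbow", "stats": {"damage": 90, "fire_rate": 6}}

if __name__ == "__main__":
    ledger = ItemLedger()
    ledger.approve("item-1", SAMPLE_ITEM)
    edited = copy.deepcopy(SAMPLE_ITEM)
    edited["stats"]["damage"] = 99  # within the cap, but never approved
    print(ledger.reconcile("item-1", edited))
```

Because the digest and the approved copy live only on the server, an edit made in client memory is caught even when the new value stays under the cap, which is the "slightly overpowered" case a range check alone would miss.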

  12. #12
    You can always decide to not play with those people, it's a co-op game...

    So just find a game with all legit players.

  13. #13
    Quote Originally Posted by Hyos View Post
    The OP actually has a valid point about the programmers being "lazy" here: The way he describes it is similar to the way editing your Diablo I characters worked, and that was in 1997 (14 years ago!). It is a basic flaw in the architectural design of the software if you have the client application handle validity of data, without the server checking it; a brute but easy way to fix it is have the server keep a checksum for each item you own and be notified of each change in items immediately, so it can update the checksum. If you tamper with your items in the client application the checksum mismatches and the server can force the client to revert to the checksum-approved, valid version.

    OP, have you filed a bug report with the developers? One might want to give them a chance to fix that; if they ignore it they are guilty of accepting cheating in their online game. Then one can contact Valve about it, I am sure they will not like the fact an online game that accepts cheating is on STEAM, would be very bad PR.
    I am, how to put this, contemplating to do so, but there's a minor issue with all of this. Just like Blizzard, or any good games company, their response will probably be to shut down my account, since I would provide them with the evidence that I "hacked" one of their games. Regardless of motive. I'm completely, utterly, behind such an action, but fear it nonetheless. I'd hate to lose my Steam account with a rough estimate of at least 25 AAA titles.

    I don't mind risking my account in DD, but directly approaching Steam is a risk I'm not sure of taking.

    And indeed, the way this game can be compromised is of "classic" origin, when data simply couldn't be handled by the internet and/or remote databases. That's a long time ago. In an age where the so called "CLOUD computing" is slowly gaining in popularity (even though it's a fake term and means nothing other than hosting your data(base) somewhere externally), you'd expect people to be able to come up with a better and more secure solution to an issue that shouldn't be an issue.

    Edit: Added a few images.
    Last edited by Vespian; 2011-12-12 at 06:27 PM.

  14. #14
    Quote Originally Posted by Purlina View Post
    So just find a game with all legit players.
    The problem here though, is that there 'are no legit players'.

    Let's say there's two players selling an item. One is a hacker, the other isn't. The item is exactly the same.

    Ten players want the item, the hacker just keeps generating more of them. Suddenly EVERYONE has the item, and only a small percentage is 'legitimate'.

    If you play with random strangers, how do you know whose gear is legit and whose isn't, especially if THEY can't even know if their gear was legit?

    The moment this sort of stuff is handled clientside, the entire multiplayer experience becomes corrupted.

    Granted, this is a FUN game, and I still intend to play it... but if what the OP states is true, it's going to require a lot of work to FIX the game, and not just apply a bandage to the problem and 'ban the hackers'.

    If players could dupe items in WoW, do you really think banning the worst offenders would solve anything?

  15. #15
    Added a response from a TE moderator that does not work for TE. Just stating it the way he did.

  16. #16
    Steam doesn't even have phone support, they suck ass for taking 4 days to reply to an email.

  17. #17
    upon request from the moderator in question, I have deleted the content in the quotes. The moderator has been quite friendly, decent guy, and I'm not here to cause a riot.
