If you don't encrypt your network traffic, you can quite easily decrypt it on another PC (as you can just set promiscuous mode on your 2nd PC NIC), giving you undetectable read-only hacks like "radar", where you basically have a map of the game with the enemy positions, health, gun, ...
If you encrypt it, this is no longer possible.
If a cheater wants to decrypt it, he has to get access to the decryption key, which usually is send over an TLS encrypted connection (with certificate pinning in place) [Or in some cases self made encryption :/].
Therefore he has to either reverse the game to get the certificate or has to attempt to read it while the game is running.
In the first case the game developers (and the Anti-Cheat providers) will try there best by obfuscating the specific regions.
And the 2nd case is basically what AC is all about, and therefore difficult for modern Anti-Cheats.
I think reading the encryption key from memory is usually easy and cannot really be detected in any way if done from the kernel or hypervisor by parsing page tables and accessing physical memory (except by looking for known code if the anti-cheat has as much privileges as the extractor, which the hypervisor approach avoids).
In first approximation, there are only two kind of difficulty levels: the impossible things you don't know how to do, and the trivial things that you do.
I always wished that CPU/GPU manufacturers would make a "online gaming edition" with hardware level encryption/anti-cheat. I know many people would love to play exclusive lobbies where it is virtually guaranteed there are no cheaters.
You can just hook the networking system calls and you have the unencrypted buffer. TLS encryption doesn't do anything since you can just look at it unencrypted on the network function when they pass in the buffer.
If they encrypt before the network functions, you can just look at the callstack and trace the variable containing the buffer backwards until it's non encrypted.
Yes. Sometimes software will encrypt HTTP calls while relying on the operating system certificate authorities, so it's easy to intercept again using tools such as mitmproxy.
Sometimes you will be forced to hack the software, to allow interception or to replace a key. Unless they use a symmetric key that is easily found, but I have never seen that.
It doesn't, we are just in 90's security mindset. We even have the typical idiot here chiming in, "it doesn't have to be perfect". Meanwhile in adult software engineer world, we know we can just not send the state of the entire world to every player and that would also save costs.
Decompiling (in a meaningful way) an optimized binary generated from C without debug symbols is much harder than what the author has shown in C#. It is not impossible, but probably very time consuming.
Versus just reading clean packages from a network.
If you encrypt it, this is no longer possible. If a cheater wants to decrypt it, he has to get access to the decryption key, which usually is send over an TLS encrypted connection (with certificate pinning in place) [Or in some cases self made encryption :/].
Therefore he has to either reverse the game to get the certificate or has to attempt to read it while the game is running. In the first case the game developers (and the Anti-Cheat providers) will try there best by obfuscating the specific regions. And the 2nd case is basically what AC is all about, and therefore difficult for modern Anti-Cheats.