by Scarjit 921 days ago
If you don't encrypt your network traffic, you can quite easily decrypt it on another PC (as you can just set promiscuous mode on your 2nd PC NIC), giving you undetectable read-only hacks like "radar", where you basically have a map of the game with the enemy positions, health, gun, ...

If you encrypt it, this is no longer possible. If a cheater wants to decrypt it, he has to get access to the decryption key, which usually is sent over a TLS encrypted connection (with certificate pinning in place) [or in some cases self-made encryption :/].

Therefore he has to either reverse the game to get the certificate or has to attempt to read it while the game is running. In the first case the game developers (and the Anti-Cheat providers) will try their best by obfuscating the specific regions. And the 2nd case is basically what AC is all about, and therefore difficult for modern Anti-Cheats.


I think reading the encryption key from memory is usually easy and cannot really be detected in any way if done from the kernel or hypervisor by parsing page tables and accessing physical memory (except by looking for known code if the anti-cheat has as much privileges as the extractor, which the hypervisor approach avoids).
You didn't mean it this way, but your post reads like comedy. The juxtaposition of "very easy" with everything else you wrote is a striking image.
In first approximation, there are only two kinds of difficulty levels: the impossible things you don't know how to do, and the trivial things that you do.
It’s simple!
I always wished that CPU/GPU manufacturers would make an "online gaming edition" with hardware level encryption/anti-cheat. I know many people would love to play exclusive lobbies where it is virtually guaranteed there are no cheaters.
That's what game consoles usually attempt to be.
But the bar is much higher than just network sniffing and reversing a dumb protocol?
You can just hook the networking system calls and you have the unencrypted buffer. TLS encryption doesn't do anything since you can just look at it unencrypted on the network function when they pass in the buffer.

If they encrypt before the network functions, you can just look at the callstack and trace the variable containing the buffer backwards until it's non encrypted.