
Mass outrage as VRChat introduces Epic Games' Easy Anti-Cheat to block all mods, including ones required for people with accessibility needs.

Go to solution Solved by Requi,

I'm one of the mod developers for the VRCMG (VRChat Modding Group) and I want to shed some light into this situation.

Modding has always been against the Terms of Service of VRChat but they kind of let it slide if you weren't being a dick about it. Over the past 2 years the game has grown a lot thanks to the lockdowns and affordable headsets. With that the modding community also grew a ton. Mods from the VRCMG were always about fixing problems in the game, introducing Quality of Life improvements, adding new features that just aren't/weren't in the game yet and most importantly fixing security vulnerabilities like specific avatar crashers or network based crashers/laggers.

The VRCMG has always been about open-source accessible and safe-to-use mods. Every mod there is inspected by trusted members of the team to make sure that no malicious or harmful code makes it out into the public. And this has been working for the past 2 years.

 

There is a minority of people that use modding just to be toxic nuisances that want to ruin other people's experience in VRChat for reasons unknown. They will buy closed-source obfuscated mods that contain malicious/toxic features.
Usually those mods also contain code from the VRCMG without disclosing that they are, but that's another story.

 

VRChat obviously wants to combat that minority, but this isn't the way to do it. They've been ignoring year old issues that have been fixed by mods for a while.
And with EAC in place those mods won't be usable anymore. We have no intent of playing the cat-and-mouse game because it just doesn't make sense.

Malicious mods will continue to exist, because they are closed source and they have the funds to buy bypasses for EAC because they make a profit off of the mods they made.
 

So everyone will lose their QoL features and their protection against crashers while malicious users (even without mods by just using crasher avatars) continue to roam public instances.
 

Whoever has made that decision at VRChat seems to be so out of touch with the community, that they don't understand how big the modding community is and that they need them.

 

Some members of the VRCMG team have also prepared a document which further explains what EAC will do and doesn't do:
https://docs.google.com/document/d/1tpF-zAvLCCPnmpMcmEUvHe_47M1F8ZLYSI3W4II0Z2s/

Truly, this is a sad day in history.

VRChat was one of the best things that has ever happened to me, it had given me friends when I had none, and let me kill sussy among us players.

I guess now, I just have Beat Saber.

F


So normally i just lurk here but Vrchat is quite a close topic of mine as in part its allowed me to meet new people over the years and also led to me learning how to 3d model and even earn money.

 

overall this is a tough pill to swallow for a lot of the vrchat community because of well the lack of progress in many QoL and even bug fixes that have been reported over the years that in the end has led to many just modding to fix the issues and add some QoL.

now smaller part of community is also going to be hit hard in the fact over the 5 years of being involved they have added 0 accessibility options to the game itself so everything became reliant on mods. recently OSC was introduced but its very much in a basic form that has extreme limitations and its own set of issues but it may in the end allow some of the accessibility mods that have been lost to be built to use it but many wont be able to.

 

now about the malicious aspects - during my time creating content you happen to meet and talk with others who create content for the game this also means eventually you do actually meet those who create malicious content so I've seen 1st hand how they operate. most will not care 1 bit about EAC as it does not affect how most of the malicious actions are done. for example in the case of "avatar ripping" they do not even need to load the game to do this, vrchat like many other unity and well most game engines they will store all the 3d model data on your pc that means once they meet somebody in game they can log out of vrchat and proceed to unpack the render data that they have had to download in order to see that person's 3d model in the game and that is why EAC will do nothing to stop that.

 

crashing people's clients is another malicious act that again generally is done through what is called a photon shader, a shader is the material information that handles how a model will look (will it be shiny/colour etc) everybody again downloads this because again if you didn't you wouldn't be able to see the other person and so when this shader is downloaded it will proceed to run a script that causes some kind of memory leak or other issue that makes the game crash. but again this is not something EAC cares about because it is not a mod it is using tools vrchat developers gave the playerbase.

 

now im sure most here already understand the issues of most anti cheat software and the whole host of false flags and well just not working issues they tend to bring and i feel EAC is one of the worst ones for having issues constantly and i expect even more so in a game that is very "open" with the players creating the content.

 

sorry for the long post but i just wanted to add a bit more information to why players are not happy over this and also add what the 2 general malicious aspects people do and why this does nothing to combat it

 

 


8 hours ago, Requi said:

So everyone will lose their QoL features and their protection against crashers while malicious users (even without mods by just using crasher avatars) continue to roam public instances.

True, client mods are not the only way.

 

You can inject code into RAM addresses associated with the game or the anti-cheat itself.

There are entire communities dedicated for doing just that for every game out there,

Also there is big money in selling cheats and a lot of demand.

 

As for the issues that the game devs\publisher want to solve -  I would recommend looking into server side mitigations.

Just obtain the malicious stuff that you want to disappear from the game, see what it does and block/restrict what's necessary for it to work on the server side.

A PC Enthusiast since 2011
AMD Ryzen 7 5700X@4.65GHz | GIGABYTE GTX 1660 GAMING OC @ Core 2085MHz Memory 5000MHz
Cinebench R23: 15669cb | Unigine Superposition 1080p Extreme: 3566

13 hours ago, Caroline said:

btw Epic/EAC = Chinese (computer) Virus

Yeah, I believe it runs at L2 on Windows startup even if you don't open the game. It made me stop playing War Thunder.


11 hours ago, ouroesa said:

A review bomb is an Internet phenomenon where a large number of people—or in other cases, a few people with multiple accounts—leave negative user reviews online. The target can be a published work, a business, a product, or a service, and review bombs are made in an attempt to harm its sales or popularity."

By this definition large number of negative reviews is 'review bombing'.

 

So people being disappointed with Cp2077 or Bf2044 were also 'review bombing' according to this definition. Whereas in my opinion it was simply users reviewing game as-is. And same can be said about this time, removal of mods removes many QoL improvements as far as I understand.

 

Review bombing is when Russians started giving negative reviews to Timberborn for adding Ukrainian language lmao.


14 hours ago, Jamie Stewart said:

Seems like they understand the accessibility concerns yet are continuing to release the update anyway. Even if they put all the efforts towards "fast tracking" It seems like a waste of efforts considering its already been made by someone else. Its also hard to believe that they will be able to replicate all the mods and will probably only tackle the main ones leaving some people in the dark still.

Hilarious that they seem to be "halting" all other feature development to work towards implementing certain UNNAMED features that the community wants but yet still go ahead and push the update anyways. It's just begging for this to be read as a "oh yeah sure uhhuh we hear you guys! /s" Why dont you talk about the features you are looking into?? Why not talk about the development cycle here. Your community has done more for the game than you, the developers, ever have and yet they decide to say fuck it and release the update anyways immediately after recognizing the backlash.


11 hours ago, Haaselh0ff said:

Hilarious that they seem to be "halting" all other feature development to work towards implementing certain UNNAMED features that the community wants but yet still go ahead and push the update anyways. It's just begging for this to be read as a "oh yeah sure uhhuh we hear you guys! /s" Why dont you talk about the features you are looking into?? Why not talk about the development cycle here. Your community has done more for the game than you, the developers, ever have and yet they decide to say fuck it and release the update anyways immediately after recognizing the backlash.

in the VR Chat discord. one of the VR Chat Devs was talking to the community and answering questions, taking abuse etc. keep in mind this person has taken hours out of their sleep schedule to answer questions that someone else in the team should be doing. it was not his job to talk to the VR Chat community but he did it anyway. they never got mad or started insulting anybody and when confronted with "When will this be put into the game then" it's the common answer of they don't have a definitive answer. they didn't seem to even have a roadmap from the beginning though. once i asked them about how this affects the people on Linux and if they can fix it we got a "it's not off the table to make it work natively" so at least the Linux community got recognized after the lie that was that the game would still work after EAC was enabled. they also told me that the people in their department do have a few Distributions around them. so there is hope that Linux will have Native support for VR Chat in future but i would 100% take this with a Grain of Salt as Nobody else cared enough to talk about it. most features were said to be looked into but nothing more was said so we just have to wait for it to happen. we don't know what's going to happen with EAC, if it doesn't ever get removed, i will not be playing ever again. EAC is a backdoor to your Kernel and having your drive held ransom.


58 minutes ago, BionicSeaSerpent said:

in the VR Chat discord. one of the VR Chat Devs was talking to the community and answering questions, taking abuse etc. keep in mind this person has taken hours out of their sleep schedule to answer questions that someone else in the team should be doing. it was not his job to talk to the VR Chat community but he did it anyway. they never got mad or started insulting anybody and when confronted with "When will this be put into the game then" it's the common answer of they don't have a definitive answer. they didn't seem to even have a roadmap from the beginning though. once i asked them about how this affects the people on Linux and if they can fix it we got a "it's not off the table to make it work natively" so at least the Linux community got recognized after the lie that was that the game would still work after EAC was enabled. they also told me that the people in their department do have a few Distributions around them. so there is hope that Linux will have Native support for VR Chat in future but i would 100% take this with a Grain of Salt as Nobody else cared enough to talk about it. most features were said to be looked into but nothing more was said so we just have to wait for it to happen. we don't know what's going to happen with EAC, if it doesn't ever get removed, i will not be playing ever again. EAC is a backdoor to your Kernel and having your drive held ransom.

My take was definitely extremely cynical and it's good that at least some one is communicating things like this but my main point was and is still that I dont remotely believe they will implement the key changes that will stop bad actors from causing havoc upon unsuspecting users. Also that going ahead and pushing the update knowing that there were no current ways to counter the bad actors after pushing the update just does not scream good faith to me REGARDLESS of how other members of the VR Chat dev staff are trying to make it seem.

 

Again, I get it. They're just now starting to try and figure out a way to fix this... but if thats the case HOLD OFF ON PUSHING THE UPDATE. What good does the conversation do if you went ahead and did it anyways! It's really just mind blowing to me that they wouldn't delay the update in this case.


28 minutes ago, Haaselh0ff said:

My take was definitely extremely cynical and it's good that at least some one is communicating things like this but my main point was and is still that I dont remotely believe they will implement the key changes that will stop bad actors from causing havoc upon unsuspecting users. Also that going ahead and pushing the update knowing that there were no current ways to counter the bad actors after pushing the update just does not scream good faith to me REGARDLESS of how other members of the VR Chat dev staff are trying to make it seem.

 

Again, I get it. They're just now starting to try and figure out a way to fix this... but if thats the case HOLD OFF ON PUSHING THE UPDATE. What good does the conversation do if you went ahead and did it anyways! It's really just mind blowing to me that they wouldn't delay the update in this case.

well part of it is apparently that the person who does the interacting as their job is kinda bad at it. i haven't been in the discord up until a few hours after the update but i hear that people really don't like them and that they are hard to get communications correct with even with the developers themselves. the decision of Anticheat was dumb in the first place but picking EAC was the worst part. as of Typing this they have now released a blog. i will read up on that to see what is being done

EDIT: they will be adding a few features but they said absolutely nothing about Removing EAC. the root of the problem 


So either the developers are run by people whose brains are at room temperature or there's something else going on. Which, as one should normally do first in these situations, where's their money coming from?

 

80 Million in Series D funding in 2021.

 

https://www.crunchbase.com/organization/vrchat/company_financials

 

Looks like "Makers Fund" might be the largest current investor. 

 

https://www.makersfund.com/

 

Lead investor on the recent Series D was Anthos Capital. 

 

I would agree with the sentiment that the implementation of EAC is prelude to much more integrated monetization. They need to make real cash flow in the next 24 months. For over 40k concurrent, their server load has to be rather high. So, they're losing money. Quite a lot of money. For reference, a game with in the same range of users, Warframe, is doing >400 Million in Revenue and Tencent acquired it for 1.5 billion in 2020.

 

The problem isn't monetization, obviously. People are more than happy to spend money to get things they want, and "online fashion" is definitely one of them. (I mentioned Warframe specifically because the "end game" there is called Fashion Frame for a reason.)

 

To save many paragraphs of thoughts on a topic I've only just looked into, they simply need a new CEO and CTO.  They're this far in and no one is coming calling with a 9 figure offer to buy them. They clearly lack the leadership necessary to make it a viable company.


Side point: I didn't know the forums had a Moderator-Approved mode. Good use on potentially explosive topics. While having no "dog" in this one, I like that use of the function.

 

On topic, a trip to the r/VRChat reddit has been fun. 

 

This exchange sums this entire thing up pretty well:

 

Quote

Should have implemented a whitelist mod section like Bethesda, or just paid the modders to implement the mods into the actual game like ark has. Alot of the mods are harmless tweaks that improve the users qol.

link

 

Best reply:

 

Quote

When someone is saying you should copy something Bethesda is doing you should know that you have fucked up.

link

 

Though I don't think this is about money with respect to the mods. The discussion focusing around features going to the subscription service are probably misplaced. It's easy to focus on but likely incorrect. EAC would be part of a system interaction overhaul, which would be about in-game monetization in general. It's not 2002. Subscriptions would not be enough to support a game/platform like VRChat. 

Reddit thread probably closest to the reality.

 

Mods don't really remove the monetization process. EAC is going to be far more about in-game currency and other system checks, but I stand by my point about CEO & CTO. They only can see there's an issue and simply don't understand how to get from point A to point B then point C, all of which are technical from the start. VRChat either needs to create a system that brings in "whales" or they're going to sell extensive user data. My suspicion would be the latter is the real reason for EAC being the first stage method.


1 hour ago, Taf the Ghost said:

The problem isn't monetization, obviously. People are more than happy to spend money to get things they want, and "online fashion" is definitely one of them. (I mentioned Warframe specifically because the "end game" there is called Fashion Frame for a reason.)

I would say the problem is the monetization. VRChat does sell some kind of VRChat premium subscription and some swag but that's pretty much it. Their income is probably pretty low compared to costs and especially if compared to other similar "products". From money making standpoint VRChat is abysmally bad when compared to its close-by peers, it's definitely and by far the most known and biggest but, let's just compare it to the Rec Room (more later on this one), that $80M sourced last year by VRChat is peanuts compared to Rec Room sourcing for the same reason (forming ingame economy) $100M and $145M on two rounds in 2021 and standing at valuation of $3.5B, and for statistics the first $100M round was in March and after it Rec Room Inc. was valued $1.25B and in December after the second round it was valued that $3.5B.

 

Rec Room doing funding round for "ingame economy" actually could give something that VRChat also might be thinking. Rec Room has started developing system where players create cosmetic items and can sell them in game using "premium" currency, which is pretty much selling cosmetic mods within a game but bigger point being managing to create income source that requires very little work from the team. What is different between Rec Room and VRChat in this topic would be that Rec Room hasn't been so heavily modded so they do have room for mt-cosmetics, where VRChat has always been a modfest and probably 90% of the game content is made by modders and players. Try to monetize cosmetics in heavily modded game and welcome to be example of failing with Bethesda and their "Horse armor store".


1 hour ago, Thaldor said:

I would say the problem is the monetization. VRChat does sell some kind of VRChat premium subscription and some swag but that's pretty much it. Their income is probably pretty low compared to costs and especially if compared to other similar "products". From money making standpoint VRChat is abysmally bad when compared to its close-by peers, it's definitely and by far the most known and biggest but, let's just compare it to the Rec Room (more later on this one), that $80M sourced last year by VRChat is peanuts compared to Rec Room sourcing for the same reason (forming ingame economy) $100M and $145M on two rounds in 2021 and standing at valuation of $3.5B, and for statistics the first $100M round was in March and after it Rec Room Inc. was valued $1.25B and in December after the second round it was valued that $3.5B.

 

Rec Room doing funding round for "ingame economy" actually could give something that VRChat also might be thinking. Rec Room has started developing system where players create cosmetic items and can sell them in game using "premium" currency, which is pretty much selling cosmetic mods within a game but bigger point being managing to create income source that requires very little work from the team. What is different between Rec Room and VRChat in this topic would be that Rec Room hasn't been so heavily modded so they do have room for mt-cosmetics, where VRChat has always been a modfest and probably 90% of the game content is made by modders and players. Try to monetize cosmetics in heavily modded game and welcome to be example of failing with Bethesda and their "Horse armor store".

My use of monetization in that line was vague, mostly because I was talking about it in general before I was going to go off onto a multi-paragraph discussion on the topic. Why I said they needed a new CEO & CTO. Because, having some knowledge of the game/platform's existence & seen a few videos, it took less than 10 minutes to realize they never have had any clue how to make money from the game. Funding rounds are nice, but they should have been clearing 100mil a year in revenue 4 years ago. An in-game store, a sales marketplace and in-game currency. On the transaction fees alone they'd probably not needed a funding round.

 

This is basic RMT stuff in any online game since 2008. They're not going to make Roblox's billions, but they could have been the VR-eBay and completely setup to be bought by Meta for 4 billion. Instead, they're 5 years behind where they could be when it comes to being a viable business.


5 hours ago, TheOmegaSystem said:

if they care about their users they won't go through with it

Read up. they already have and will not reverse it 


mmmm just as I was thinking of buying a VR headset.

Specs: Motherboard: Asus X470-PLUS TUF gaming (Yes I know it's poor but I wasn't informed) RAM: Corsair VENGEANCE® LPX DDR4 3200Mhz CL16-18-18-36 2x8GB

            CPU: Ryzen 9 5900X          Case: Antec P8     PSU: Corsair RM850x                        Cooler: Antec K240 with two Noctura Industrial PPC 3000 PWM

            Drives: Samsung 970 EVO plus 250GB, Micron 1100 2TB, Seagate ST4000DM000/1F2168 GPU: EVGA RTX 2080 ti Black edition


i have a deaf friend in vrchat who uses a speech to text mod and this is going to make it much harder for her. there are anticrashing mods that are useful when it comes to public servers and btw this doesn't solve the crashing avatars issue because those people are not using mods but people who use mods to combat it will be unable to now. also this will make using full body tracking much more annoying because vrc for some reason doesn't save the calibration data between avatars and sometimes even between worlds. there are a ton of other QoL things that the vrc devs for some reason refuse to implement and they are angry at us for trying to fix their game.


So here's VRChats response to the feedback:

https://hello.vrchat.com/blog/addressing-your-feedback

https://ask.vrchat.com/t/developer-update-29-july-2022/10900

 

TL;DR: They are going to add a ton of features that were earlier available only as mods in just a few weeks.

 

However, just as ThrillSeeker, this does peck me a question: Why now? As in why now they are almost ready to ship ton of features that players have asked for years? What stopped them from implementing these earlier and not be the incompetent fools they have been? And I count this whole thing as a BIG part of being incompetent fools because a lot of this was completely unnecessary and avoidable by just releasing the features before the EAC and making the mods unnecessary beforehand.

 

Oh yeah, and talking about incompetence. Wanna guess the next part of this wonderful saga?

 

🥳It's our favorite topic! Cease and Desist!🎉

 

Yeah, for real VRChat sunk that low. I would think it's not the most newest idea and project to make private unofficial VRChat servers but as the EAC-stick went to the wheel of the VRChat by their own hand, so did their lawyer and send cease and desist order for the VRC Private Server Project:
Couldn't find better source so here's imgur from Discord https://imgur.com/a/p6jBvO9#P7iiJza

 

For me that is all the same and there is legal grounds for it since most likely they did ripoff VRCs code for the project and so on. BUT as with any online game and unofficial servers, my opinion is that if you make your game and server that much exploitative that someone manages to clone the server and trick the clients to contact their server instead, you have been digging blood from your nose for a long time. Even less if the VRC private server project was done in a week... Like either there's some really skilled people behind the project or VRC devs are completely, utterly and absolutely incompetent when it comes to security. If the project was done in a week and they got it working, I would go as far as to say that's almost the same as you pressed "forgot password?" for VRC and you were sent the password you set in plain text back, which is a point where you should TYDAR; Take Your Data And Run, because the admins of the site clearly have no clue about security (this applies to any and every site and service, if you ever get plain text password back from "forgot your password", they are far off from what should be the minimum security in 2022).


On 7/28/2022 at 1:25 AM, BionicSeaSerpent said:

a "it's not off the table to make it work natively" so at least the Linux community got recognize

Not really, it's just a more polite way to say "we aren't against it but atm no plans to do it". Don't expect native linux client anytime soon (more likely don't expect it at all).



 

Quote

 

7 hours ago, Thaldor said:


For me that is all the same and there is legal grounds for it since most likely they did ripoff VRCs code for the project and so on.

...


Even less if the VRC private server project was done in a week... Like either there's some really skilled people behind the project or VRC devs are completely, utterly and absolutely incompetent when it comes to security.

 


No, it's utterly easy to decompile Unity code. None of the mods would have been possible if it was Unreal, or some home-brew thing.

 

You have to realize that decompiling CLR, even code run through IL2CPP is trivial. No mods, for any Unity game, would exist if it was difficult. This is because the underlying language is still .NET standard 2.0. IL2CPP might be slightly unwieldy but it's not a magic bullet against hacking, it's more obscurity than anything resembling security.

 

I'd place my bets on three things:

1. The Private server was reverse engineered from the pre-EAC build of VRChat and more than one likely exist, primarily as a way to dodge bans and do private, bannable things, but also to build mods on the vanilla client.

2. The Private server likely was already known, long before the EAC being added to VRChat

3. The official client likely needed to be modded to connect to the unofficial server to override the encryption and IP address on the network connection, since this is how all other private servers for other games work. And no, it's never AES, it's usually a simple XOR cipher, because anything more complicated adds latency. What, you really thought sub-50ms latency was possible in a game with an encrypted connection? Hence, usually once the "key" is discovered, figuring out the packet messages is trivial.

 

More complicated games (eg MMORPG's) all have private servers, simply because the developers never encrypt the right parts of the game at the right time. They overly rely on anti-cheat programs that hook into the game and the OS, and getting rid of it is usually slightly more trivial than patching the runtime (read: they drop a DLL file into the game directory so that the game is guaranteed to call before it calls the anti-cheat program, to install a trampoline between it and the anti-cheat program.)

 

If you want your game to be unhackable, the first thing you have to do is statically compile the game engine leaving no shared libraries touched on the OS. Which on Windows is impossible since you need to access the GPU, Audio and input at some point. DirectX is not a static library. The fact that anti-cheat programs themselves are separate from the game is also their fatal weakness.
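
The XOR-obfuscation point in the post above, as an added example that is not part of the thread and not VRChat's code: a self-check a developer can run against their own packet format, showing that one known packet gives back a repeating XOR key, that a changed packet is still accepted, and that a per-packet HMAC with a sequence number rejects both changes and replays at microsecond cost. The key, packets and function names are constructed for illustration; HMAC-SHA256 is used because it is in Python's standard library, and it provides integrity only, so confidentiality would additionally need an AEAD such as AES-GCM.

```python
import hashlib
import hmac
import time
from itertools import cycle

# Constructed sample data: keys and packets are made up for this example.
XOR_KEY = b"k3y!"
MAC_KEY = bytes(range(32))
JOIN = b'{"op":"join","room":"lobby-01"}'
MOVE = b'{"op":"move","x":12,"y":7}'


def xor_obfuscate(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(wire: bytes, known_plaintext: bytes) -> bytes:
    """Wire XOR known plaintext is the keystream; return its shortest period."""
    stream = bytes(w ^ p for w, p in zip(wire, known_plaintext))
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


def flip(wire: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Model in-transit modification: XOR the difference old^new into the wire bytes."""
    out = bytearray(wire)
    for i, (o, n) in enumerate(zip(old, new)):
        out[offset + i] ^= o ^ n
    return bytes(out)


def seal(payload: bytes, mac_key: bytes, seq: int) -> bytes:
    """Packet = 8-byte sequence number + payload + HMAC-SHA256 over both."""
    header = seq.to_bytes(8, "big")
    tag = hmac.new(mac_key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def open_sealed(packet: bytes, mac_key: bytes, expected_seq: int):
    """Return the payload only if the tag and the sequence number both check out."""
    if len(packet) < 8 + 32:
        return None
    header, payload, tag = packet[:8], packet[8:-32], packet[-32:]
    expected = hmac.new(mac_key, header + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    if int.from_bytes(header, "big") != expected_seq:
        return None
    return payload


def audit() -> dict:
    join_wire = xor_obfuscate(JOIN, XOR_KEY)
    move_wire = xor_obfuscate(MOVE, XOR_KEY)
    offset = MOVE.index(b"12")

    # XOR only: one known packet yields the key, and an edit goes unnoticed.
    key = recover_key(join_wire, JOIN)
    tampered = flip(move_wire, offset, b"12", b"99")

    # Authenticated packets: the same edit and a replay are both rejected.
    sealed = seal(MOVE, MAC_KEY, 7)
    sealed_tampered = flip(sealed, 8 + offset, b"12", b"99")

    # Rough per-packet cost of sealing plus verifying.
    rounds = 10_000
    start = time.perf_counter()
    for seq in range(rounds):
        open_sealed(seal(MOVE, MAC_KEY, seq), MAC_KEY, seq)
    per_packet = (time.perf_counter() - start) / rounds

    return {
        "recovered_key": key,
        "second_packet": xor_obfuscate(move_wire, key),
        "xor_after_tamper": xor_obfuscate(tampered, XOR_KEY),
        "hmac_ok": open_sealed(sealed, MAC_KEY, 7),
        "hmac_after_tamper": open_sealed(sealed_tampered, MAC_KEY, 7),
        "hmac_replayed": open_sealed(sealed, MAC_KEY, 8),
        "seconds_per_packet": per_packet,
    }


if __name__ == "__main__":
    for name, value in audit().items():
        print(f"{name}: {value}")
```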

 


7 hours ago, jagdtigger said:

Not really, it's just a more polite way to say "we aren't against it but atm no plans to do it". Don't expect native linux client anytime soon (more likely don't expect it at all).

pretty much period. even though it would be extremely lazy for them not to, Considering it is based off of unity Alone. outdated at that
