
Unbeatable anti-cheat.

Posted: Wed Mar 12, 2025 11:39 pm
by gir489
I have been attempting to break this game's anti-cheat for about 4 months now. I have found a big fat 0 number of exploits... I can't believe the only game I've never been able to hack the multiplayer for, is some $30 nothing game... I've hacked every game I've ever played online since Doom 2. Everything from Counter-Strike, to Battlefield 2, TFC, all of the Far Cry games that had MP, almost every single COD (including Warzone 1 and 2), PUBG, Apex Legends, Dota 2, League of Legends, Rise of Nations, Starcraft 1 and 2, Valorant, Fortnite, GTA IV and V (with BattlEye), untold numbers of mobile games. And the one game, THE ONE GAME I haven't been able to break is Factorio. I don't know what mad genius coding engineer you have working for you, but they deserve a raise.

I mapped out every single class, function, memory handler, Lua interface I could find with IDA, and not one of them is vulnerable. At first, I tried basic cheat-engine style attacks. But I was being detected by the game flat-out, so much so that the game would log in the file "Cheat engine detected, ignore log!." I thought: "How stupid are these guys leaving strings in the binary for attackers to find?" I found out, it wasn't stupidity, it was brazenness... It would force-crash on functions that did basic sanity checks where it would store a backup of the value, and if the backup didn't match, it would just fail fast. Those were easy to patch out with ASM replacement, but what I couldn't defeat was the sync code. The MOMENT your client falls out of sync with another, you just desync. I tried Lua injection, I tried memory attacks, I tried packet crafting. NOTHING works. The moment the other client doesn't agree with what you said, they just drop. Absolutely outstanding work. You have finally given me a challenge. A challenge I could not best.

Re: Unbeatable anti-cheat.

Posted: Thu Mar 13, 2025 3:56 am
by NineNine
Yeah. Neat.

What's the point of "cheating" in a sandbox game?

Re: Unbeatable anti-cheat.

Posted: Thu Mar 13, 2025 4:58 am
by eugenekay
There are many ways to play the game. :-) I am glad you are able to find Fun in looking for holes, even if it does make the Leaderboards less appealing for the rest of us…. Factorio sidesteps a lot of these competitive issues by not having one!

The flags which decide if a Save game is eligible for Achievements are the closest thing to an actual “Cheat” - and those can be cheesed with a Hex editor, using data on the game’s wiki. All that will earn you is “100% completion on Steam”, which is of dubious value. I am still working on obtaining them all organically myself….

Once you have started running the game’s Sandbox you have already connected to a Multiplayer server, downloaded the map, exchanged tokens, etc. As you’ve discovered, the deterministic nature of the Simulation makes it impossible to make changes outside of the Game’s rules, without causing a Desync… I have done some fuzz testing before running the Factorio daemon on my networks, and it seems pretty solid - though I would not trust it with root privileges or Private VLAN access, like any non-open-source program. All of the network paths seem resilient to un-authenticated packets - achieving a crash or Denial of Service requires you to Login, or resort to old-school packet floods to “slowdown” a server and cause players to drop. Abuse of the User Auth Tokens mechanism to impersonate other users is discouraged, so I have not touched that myself. You could maybe find some way to send “bad updates” to the server which come from your User Token (ie, manually crafting UDP packets as a fake client), but any reasonable multiplayer server would just ban you.

When you “Win the Game” in Space Age you are able to upload a package to the Galaxy of Fame…. It is already possible to cheese this using the Scenario Editor. While you could submit a carefully-crafted upload to the API manually, this would also not be a great idea.

So yeah, what’s the point? Just install some Overpowered Modules and use the Infinity Chest in Editor mode. It’s a Sandbox.

Re: Unbeatable anti-cheat.

Posted: Thu Mar 13, 2025 7:29 am
by FasterJump
Forgive me if I'm wrong, but is this post about "hack", rather than "cheat"?

Anyone can use the in-game console to "cheat" in the game. Or, if it's about the achievements, by downloading blueprints/saves.

Of course, there is no point cheating in Factorio. Cheating in solo games is usually useful only if you are bored and want to fast track to the end to be done with the game.

Anyway, back to the topic, it's interesting to know that Factorio's executable is so robust to tampering. I haven't read any FFF about that!

Re: Unbeatable anti-cheat.

Posted: Thu Mar 13, 2025 10:29 am
by Atraps003
Factorio's robust multiplayer is underrated. A gem in the sea of kernel level "anti-cheat" spyware.

Re: Unbeatable anti-cheat.

Posted: Thu Mar 13, 2025 11:02 am
by Tertius
It's not explicitly an anti-cheat. As far as I see how the engine implements multiplayer, it's just a byproduct of ensuring a consistent game state of all connected players. Its intended use is to find multiplayer-breaking bugs in Factorio itself and in any mods.

Since the engine doesn't work with a client/server model, every player runs the whole game map. The server is just managing the master game map, so every player gets the same map on connect. But the game runs individually on every player's computer. If someone injects an item or an action for cheating into his own map, this item and any usage of it would not appear for any other player, because there is no means to distribute that item to other game instances. The engine simply has no functionality to send and receive items. Any cheating would not have any impact on the other players.

Even if you were able to somehow disable the consistency check for everyone, you will not be able to transmit any cheated items or actions, since the engine has no means to send and receive such things.

The cheater would simply start to run a different map than the other players, so it is desynced, so it is disconnected by the consistency checks.
The only thing exchanged between the game instances are mouse and keyboard interactions. Any cheat is limited to user interactions - for example, if it is any advantage to click inhumanly fast, you can do that. But you cannot create 10 stacks of blue chips to cheat, because there is no way to make this known to the other player instances. And if you kill one player with a cheated weapon, this player isn't killed for any other player, since the other player instances don't have that cheated weapon. The only thing you can inject artificially is a "fire weapon" action, since this is what the user inputs with mouse or keyboard, but not "do 1000000 damage", since the result of the action is computed by every player instance individually.

@gir489 It's a mystery to me why you even started trying to cheat by injecting the game. Anyone with a little bit of Factorio game engine (and modding) knowledge would know this cannot work. You wasted your time, and you could have known that.
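The consistency check described above, as an added toy model that is not Factorio's code: two peers run the same deterministic simulation over the same ordered input log and exchange only a hash of their resulting state. The `World` class, its actions, the LCG random source and the sample input log are all constructed here for illustration; a local-only modification of one peer's memory (the kind of edit nothing in the protocol can transmit) shows up as a checksum mismatch on the very tick it happens.

```python
import hashlib
import json
from dataclasses import dataclass, field


@dataclass
class World:
    """Hypothetical peer-local game state (constructed for this example)."""
    tick: int = 0
    inventories: dict = field(default_factory=dict)  # player -> {item: count}
    rng_state: int = 12345  # shared deterministic seed; every peer starts identical

    def rand(self) -> int:
        # Small LCG so "random" outcomes are reproduced identically on every peer.
        self.rng_state = (self.rng_state * 1103515245 + 12345) & 0x7FFFFFFF
        return self.rng_state

    def apply(self, inputs: list) -> None:
        # Inputs are plain user actions; their results are computed locally.
        for player, action in inputs:
            inv = self.inventories.setdefault(player, {})
            if action == "mine":
                inv["iron-ore"] = inv.get("iron-ore", 0) + 1
            elif action == "craft" and inv.get("iron-ore", 0) >= 1:
                inv["iron-ore"] -= 1
                inv["iron-plate"] = inv.get("iron-plate", 0) + 1
            elif action == "shoot":
                # Damage is rolled from the shared RNG, never sent over the wire.
                inv["damage-dealt"] = inv.get("damage-dealt", 0) + 5 + self.rand() % 3
        self.tick += 1

    def checksum(self) -> str:
        # Canonical serialisation so equal states always hash equal.
        blob = json.dumps(
            {"tick": self.tick, "inv": self.inventories, "rng": self.rng_state},
            sort_keys=True,
        )
        return hashlib.sha256(blob.encode()).hexdigest()[:16]


# Constructed input log: one list of (player, action) pairs per tick.
SAMPLE_INPUT_LOG = [
    [("A", "mine"), ("B", "mine")],
    [("A", "craft"), ("B", "shoot")],
    [("B", "craft")],
    [("A", "shoot")],
]


def run_session(input_log, tampered_peer=None, tamper_tick=None):
    """Run peers A and B over the same input log and compare checksums each tick.

    Returns a dict with the first tick on which the peers disagreed
    ("desync_tick", None if they stayed consistent) and each peer's final state.
    """
    peers = {"A": World(), "B": World()}
    desync_tick = None
    for tick, inputs in enumerate(input_log):
        for name, world in peers.items():
            world.apply(inputs)
            if name == tampered_peer and tick == tamper_tick:
                # Local-only edit: this peer's memory now holds items that no
                # input produced. Nothing in the protocol carries this to A.
                world.inventories.setdefault(name, {})["processing-unit"] = 10
        sums = {n: w.checksum() for n, w in peers.items()}
        if desync_tick is None and len(set(sums.values())) != 1:
            desync_tick = tick
            break
    return {
        "desync_tick": desync_tick,
        "A": peers["A"].inventories,
        "B": peers["B"].inventories,
    }


if __name__ == "__main__":
    print(run_session(SAMPLE_INPUT_LOG))
    print(run_session(SAMPLE_INPUT_LOG, tampered_peer="B", tamper_tick=1))
```

The honest run keeps both checksums equal on every tick; the tampered run diverges on tick 1, and the injected items exist only in B's own copy of the world. That is the whole of the "anti-cheat": a peer that changes anything other than its inputs simply stops agreeing with everyone else.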

Re: Unbeatable anti-cheat.

Posted: Thu Mar 13, 2025 11:26 am
by Nidan
I like to split cheats into two groups:
  • Resource based: Anything that gives you a resource benefit, regardless whether actual resources, unit health, etc.
    These will be detected (in multiplayer) by Factorio's deterministic nature, as several posters above already mentioned. Note that the server is prevented from using resource based cheats as well.
  • Knowledge based: Anything giving you a knowledge advantage without changing the game state, e.g. removing fog of war.
    These are possible: Save the map locally, open it in a second instance of Factorio, have fun exploring. A suitably edited client binary could offer the same options live. The debug options (F4) can leak quite a bit of information as well.
I haven't yet come across a game or set of techniques that prevents both kinds at the same time.

Edit: I should add a third kind to the list:
  • Scripting: Executing legal actions, but with inhuman speed and/or reaction time.
    Possible using a suitably edited client binary.

Re: Unbeatable anti-cheat.

Posted: Thu Mar 13, 2025 2:10 pm
by robot256
When you look at the Factorio multiplayer system as a whole, it is a very short distance away from avionics-grade reliability and redundancy. The only thing missing is proactive error correction in some places. This happens to be the direction the developers chose to put a lot of their time and energy, and in my opinion it paid off.

Illegal actions are prevented by design or proactive measures, and everything else is explicitly allowed by the modding API or wiki. There is no gray zone.

Re: Unbeatable anti-cheat.

Posted: Fri Mar 14, 2025 12:51 am
by J-H
Factorio has raised my standards for software quality across the board.
Nobody at work understands when I'm grumpy about how inefficient and wasteful some programs (including OneDrive!) are.

Re: Unbeatable anti-cheat.

Posted: Fri Mar 14, 2025 2:22 am
by MEOWMI
This is so interesting to hear. I'd thought about it several times, and it makes sense that it should hold up quite well, but I had no proof that it would work this well.

Re: Unbeatable anti-cheat.

Posted: Sat Mar 22, 2025 1:31 am
by HadesSupreme
If there was some way to cheat in Factorio without breaking consistency it would most likely be player input related. Something along the lines of "my mouse is simultaneously mining a building while also aiming and shooting at a biter". Or of course some kind of aimbot. Now obviously an aimbot is kind of superfluous on its own, but something like an aimbot that automatically cycles between different weapons for higher DPS or targets specific enemies with certain weapons seems possible.

Re: Unbeatable anti-cheat.

Posted: Sat Mar 22, 2025 6:33 am
by robot256
HadesSupreme wrote: Sat Mar 22, 2025 1:31 am an aimbot is kind of superfluous on its own, but something like an aimbot that automatically cycles between different weapons for higher DPS or targets specific enemies with certain weapons seems possible.
Totally possible to do within the modding framework. But you're talking about doing it outside the game for multiplayer/achievements in vanilla.

Re: Unbeatable anti-cheat.

Posted: Tue Apr 15, 2025 3:02 pm
by gir489
Atraps003 wrote: Thu Mar 13, 2025 10:29 am Factorio's robust multiplayer is underrated. A gem in the sea of kernel level "anti-cheat" spyware.
I agree. I was hired recently to pentest an upcoming anti-cheat for a to-be-released Bungie game. While I found many vulnerabilities in the kernel anti-cheat to hide from it, their cope always is “well no anti-cheat can completely stop cheaters.” To which I like to now cite Factorio as proof that yes, you can fully stop cheaters, and no, you really don’t need access to ring0. The method I used to bypass their anti-cheat involves infecting the machine with a bootkit that runs from the UEFI, an attack vector I use for Fortnite and PUBG. There are undocumented rings colloquially known as Ring -1 and Ring -2, and there are also physical DMA attacks you can do to bypass kernel anti-cheats.

The problem with any system is once you know how it works, you can (try) to figure out ways to defeat it. Obfuscation and delayering are only going to slow an experienced attacker down. If your system is trustless, then you’ve already won against the attacker.

Re: Unbeatable anti-cheat.

Posted: Tue Apr 15, 2025 3:54 pm
by computeraddict
gir489 wrote: Tue Apr 15, 2025 3:02 pm To which I like to now cite Factorio as proof that yes, you can fully stop cheaters, and no, you really don’t need access to ring0.
The problem with Factorio as a networking model shows up for games that rely on input skills or imperfect information. Factorio's network model can't stop aim bots for games where your gun perfectly tracks your mouse position and slew rate is unlimited. Factorio's network model alone also can't help with things like map hack in Starcraft or other games of imperfect information.

But for games of perfect information where having a machine produce inputs for you doesn't give an advantage, Factorio's network model is a perfect anti cheat. Unfortunately for the security world, that only describes a tiny subset of games. It doesn't even describe chess!

Re: Unbeatable anti-cheat.

Posted: Tue Apr 15, 2025 5:00 pm
by gir489
computeraddict wrote: Tue Apr 15, 2025 3:54 pm
gir489 wrote: Tue Apr 15, 2025 3:02 pm To which I like to now cite Factorio as proof that yes, you can fully stop cheaters, and no, you really don’t need access to ring0.
The problem with Factorio as a networking model shows up for games that rely on input skills or imperfect information. Factorio's network model can't stop aim bots for games where your gun perfectly tracks your mouse position and slew rate is unlimited. Factorio's network model alone also can't help with things like map hack in Starcraft or other games of imperfect information.
That’s an argument from false assumption. You’re presuming that the “all seeing eye” model of Factorio wouldn’t stop things like map hacks. When in fact it most certainly can. For example, take something like blockchain where everyone (51%) has to agree on the next block. They can verify who is sending messages and for how much, but the message itself is encrypted. So you can verify the basics while still maintaining integrity. A similar system could be applied to StarCraft, where you’re enforcing “how much” you are spending on resources and for what. But not necessarily where the buildings are. This lapse in SC2 is a fundamental problem with Blizzard just sucking ass at programming and putting a lot of faith in report-based bans rather than preventing the problem at the source (math is hard!).

As for aimbots, again, you couldn’t prevent things like naturalized aimbot, but you can stop egregious attacks like norecoil and nospread. There has been a long standing exploit in the Source engine I’ve been abusing since TF2 where you can force your own command number because reasons, the engine allows this. You could also prevent sending information about units behind the wall to players when they don’t need to see them. Putting all this work on the server (most don’t have a graphics card to even do the calculations) would be taxing, but assuming at least 10% or less of your clients are compromised, you could have them report to the server their Z culling results so it can more accurately prevent sending information to the client until the absolute last moment. Aimbots work on a delta, meaning the change in velocity and direction factors greatly into its calculation. Delaying this until the last possible moment makes aimbots almost useless.

Re: Unbeatable anti-cheat.

Posted: Tue Apr 15, 2025 7:06 pm
by computeraddict
gir489 wrote: Tue Apr 15, 2025 5:00 pm That’s an argument from false assumption. You’re presuming that the “all seeing eye” model of Factorio wouldn’t stop things like map hacks. When in fact it most certainly can. For example, take something like blockchain where everyone (51%) has to agree on the next block. They can verify who is sending messages and for how much, but the message itself is encrypted. So you can verify the basics while still maintaining integrity. A similar system could be applied to StarCraft, where you’re enforcing “how much” you are spending on resources and for what. But not necessarily where the buildings are. This lapse in SC2 is a fundamental problem with Blizzard just sucking ass at programming and putting a lot of faith in report-based bans rather than preventing the problem at the source (math is hard!).
You are describing transfer of game state information. Factorio doesn't do this.
gir489 wrote: Tue Apr 15, 2025 5:00 pm As for aimbots, again, you couldn’t prevent things like naturalized aimbot, but you can stop egregious attacks like norecoil and nospread. There has been a long standing exploit in the Source engine I’ve been abusing since TF2 where you can force your own command number because reasons, the engine allows this. You could also prevent sending information about units behind the wall to players when they don’t need to see them. Putting all this work on the server (most don’t have a graphics card to even do the calculations) would be taxing, but assuming at least 10% or less of your clients are compromised, you could have them report to the server their Z culling results so it can more accurately prevent sending information to the client until the absolute last moment. Aimbots work on a delta, meaning the change in velocity and direction factors greatly into its calculation. Delaying this until the last possible moment makes aimbots almost useless.
As long as recoil and spread are deterministic, they can be defeated by perfect input. And again, hiding gamestate is a fundamental departure from the deterministic lockstep that Factorio uses.

Re: Unbeatable anti-cheat.

Posted: Tue Apr 15, 2025 11:38 pm
by robot256
computeraddict wrote: Tue Apr 15, 2025 7:06 pm As long as recoil and spread are deterministic, they can be defeated by perfect input. And again, hiding gamestate is a fundamental departure from the deterministic lockstep that Factorio uses.
That brings up another interesting point. Factorio is deterministic *for a given time sequence of user inputs*. If the order of seemingly unrelated actions changes, the result of each pseudorandom number can be different and lead to a wildly different outcome. (See: the recent bugfix where player behavior determines whether a particular space platform would live or die since asteroid generation was using the global rand instead of the map-seed-specific rand.)

Unless I'm mistaken, the way latency hiding works in Factorio means that when the aimbot is supposed to decide where to point, it *cannot* know the exact sequence of inputs that will ultimately be processed that tick because they have not been transmitted from the other clients yet. You could assume the other players will do nothing, but that will almost never be correct on a busy server. Maybe it could fake high latency, and wait until it receives all the other players' actions before sending its own action to them. But then it obviously fails if more than one player tries to use the bot.

So yeah, even knowing the entire game state at a particular tick, it's hard to defeat Factorio with perfect input.

Re: Unbeatable anti-cheat.

Posted: Wed Apr 16, 2025 12:53 am
by computeraddict
robot256 wrote: Tue Apr 15, 2025 11:38 pm That brings up another interesting point. Factorio is deterministic *for a given time sequence of user inputs*. If the order of seemingly unrelated actions changes, the result of each pseudorandom number can be different and lead to a wildly different outcome. (See: the recent bugfix where player behavior determines whether a particular space platform would live or die since asteroid generation was using the global rand instead of the map-seed-specific rand.)

Unless I'm mistaken, the way latency hiding works in Factorio means that when the aimbot is supposed to decide where to point, it *cannot* know the exact sequence of inputs that will ultimately be processed that tick because they have not been transmitted from the other clients yet. You could assume the other players will do nothing, but that will almost never be correct on a busy server. Maybe it could fake high latency, and wait until it receives all the other players' actions before sending its own action to them. But then it obviously fails if more than one player tries to use the bot.

So yeah, even knowing the entire game state at a particular tick, it's hard to defeat Factorio with perfect input.
Because it's deterministic, though, you should be able to predict what inputs will be processed in what order. Or even barring that, a machine could guarantee that its input went first or last in the processing order if there's sub-tick timing involved by just spoofing its input timestamp. And that's assuming the game isn't doing something lazy like CS:S did and spread was a predefined, repeatable pattern.

Re: Unbeatable anti-cheat.

Posted: Wed Apr 16, 2025 2:17 am
by robot256
computeraddict wrote: Wed Apr 16, 2025 12:53 am Because it's deterministic, though, you should be able to predict what inputs will be processed in what order. Or even barring that, a machine could guarantee that its input went first or last in the processing order if there's sub-tick timing involved by just spoofing its input timestamp.
I did some more reading (https://factorio.com/blog/post/fff-302) and it's even tighter than you assume. The server acts as an aggregator and relay for client inputs. It waits until every client has submitted its inputs, then forwards the entire input "blob" for that tick to every client. Latency hiding means that your screen (the "latency state") assumes no other players made any inputs between the last tick you received a blob for. Once you receive the blob for that tick, there is no going backwards, the master game state is updated. If you don't submit your inputs on time to be included in the blob, you get dropped from the game. So it is in fact impossible to base your inputs on the inputs that other clients submit and have them affect the game state for the same tick. It's like poker, where you all have to put your cards face down before the dealer turns them all over.

A memory-snooping attack will probably work fine for PvE when other players are not providing input while you are shooting. But if you are trying to cheat in PvP, then you're basically guaranteed to be working with incomplete information no matter what.
computeraddict wrote: Wed Apr 16, 2025 12:53 am And that's assuming the game isn't doing something lazy like CS:S did and spread was a predefined, repeatable pattern.
I think it's safe to assume Factorio wouldn't fall into that trap. If each gun/player had its own state machine to remember which frame of the spread table it was supposed to use for the next shot, that would actually take up more game state data than calling the centralized random number generator each time you fire.
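The input-aggregating relay that the post above describes, as an added toy model (assumed design for illustration, not Factorio's implementation): the server holds every client's inputs for a tick until all live clients have committed, only then hands the combined blob to everyone, and drops whoever misses the deadline instead of waiting. The `TickRelay` class, the client names and the fixed client-name processing order are all constructed here; the `scenario()` function walks through the "cards face down" property and the late-client drop.

```python
class TickRelay:
    """Server-side aggregator for one lockstep session (constructed example)."""

    def __init__(self, clients):
        self.live = set(clients)
        self.pending = {}    # tick -> {client: inputs}
        self.released = {}   # tick -> [(client, inputs), ...] in processing order
        self.dropped = set()

    def submit(self, client, tick, inputs):
        """A client commits its inputs for `tick`.

        Returns the released blob if this submission completes the tick,
        otherwise None. Commits for an already-released tick are refused:
        the master state has moved on and is never rewound.
        """
        if client not in self.live:
            raise PermissionError(f"{client} is not connected")
        if tick in self.released:
            raise ValueError(f"tick {tick} already committed")
        self.pending.setdefault(tick, {})[client] = inputs
        return self._try_release(tick)

    def blob_for(self, tick):
        """Everything a client can learn about other clients' inputs for
        `tick`: nothing until every live client has committed."""
        return self.released.get(tick)

    def deadline_passed(self, tick):
        """The server's deadline for `tick` expired: drop the clients that have
        not submitted and release the blob built from the inputs that did arrive."""
        missing = self.live - set(self.pending.get(tick, {}))
        self.live -= missing
        self.dropped |= missing
        return self._try_release(tick)

    def _try_release(self, tick):
        have = self.pending.get(tick, {})
        if self.live and self.live <= set(have):
            # Assumed ordering: fixed client-name order, independent of arrival
            # time, so submitting first or last changes nothing.
            blob = [(c, have[c]) for c in sorted(self.live)]
            self.released[tick] = blob
            return blob
        return None


def scenario():
    """Three constructed clients; carol tries to wait for the others each tick."""
    relay = TickRelay(["alice", "bob", "carol"])

    # Tick 0: alice and bob commit; carol stalls, hoping to read their inputs.
    relay.submit("alice", 0, ["move-north"])
    relay.submit("bob", 0, ["shoot"])
    seen_before_commit = relay.blob_for(0)      # None: nothing is visible yet
    blob0 = relay.submit("carol", 0, ["mine"])  # her own commit completes the tick

    # Tick 1: carol stalls past the deadline and is dropped; the tick proceeds.
    relay.submit("alice", 1, [])
    relay.submit("bob", 1, ["shoot"])
    blob1 = relay.deadline_passed(1)
    try:
        relay.submit("carol", 1, ["shoot"])
        late_rejected = False
    except (PermissionError, ValueError):
        late_rejected = True

    return {
        "seen_before_commit": seen_before_commit,
        "blob0": blob0,
        "blob1": blob1,
        "dropped": sorted(relay.dropped),
        "late_rejected": late_rejected,
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Stalling buys nothing: before carol commits, `blob_for(0)` returns nothing, and once she commits the blob is sealed for everyone at the same moment. Stalling too long costs the connection, and a commit that arrives after the tick has been released is refused rather than retroactively merged.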

Re: Unbeatable anti-cheat.

Posted: Wed Apr 16, 2025 6:15 am
by computeraddict
robot256 wrote: Wed Apr 16, 2025 2:17 am So it is in fact impossible to base your inputs on the inputs that other clients submit and have them affect the game state for the same tick. It's like poker, where you all have to put your cards face down before the dealer turns them all over.
It's less changing your inputs based on others' inputs than determining what order your inputs get processed in so you can pick a number out of the upcoming cards about to be dealt. Because everyone knows the order of the deck. The order in which inputs get processed is also known to you unless the order is based on what is in the input. But if you know the rules for how input processing is ordered, there are potential ways to make sure yours is processed first or last. And if your opponents are humans who aren't using machine inputs, their inputs typically don't change very fast, so you can often make a safe guess that their inputs for the next frame are going to be the same or similar to their inputs this frame.

Suffice it to say, there are heaps of ways to cheese deterministic lockstep. And even if you aren't doing spread/recoil RNG cheesing for a shooter, you can still use it for snap-to-head aiming and memory peek to x-ray.