
How anti-cheats catch cheaters using memory heuristics - atomlib
https://vmcall.blog/battleye-stack-walking/
======
ARandomerDude
Serious question for you gamers out there:

Why would a person go to such great lengths to cheat at a video game? Is there
a monetary incentive? Otherwise, it seems like a lot of effort just to
increase one's standing on a leaderboard.

~~~
izzydata
With the rise of esports there is a lot of money to be made with no real
consequences. It isn't illegal to essentially steal prize money by cheating at
a video game.

Also game streaming is big now and being "good" attracts more viewers so there
is also a lot of money to be made by cheating.

I have completely stopped taking video games seriously in any capacity as I am
pretty confident the entire culture of competitive gaming is completely
infested with cheating.

~~~
Buttons840
Any competitive game with big money on the line has the top players gather in
the same room (on a stage most likely), and play using computers controlled by
the event organizers. The players winning these big tournaments do not cheat.

~~~
izzydata
You aren't thinking outside the box enough. If you could commission cheating
software for $10,000+ then there is plenty you could do to circumvent the PCs
being provided. It should also be noted that they allow self provided
peripherals in most cases.

~~~
Buttons840
An interesting idea. Now I'm curious. First, has there ever been an example of
someone caught cheating this way?

Second, what kinds of cheats would you expect using peripherals? Any visual
cheats would likely be detected, since players' screens are often viewed by
referees and/or televised. I suppose an audio based cheat is conceivable. The
screen and the audio are the only output from most computer games.

~~~
izzydata
https://hackaday.com/2017/07/29/injecting-code-into-mouse-firmware-should-be-your-next-hack/

Aimbots these days look almost indistinguishable from good playing. The point
isn't to be perfect. It's to give some kind of competitive edge. If you can
take even 15% of the effort away then you can focus on other things.

------
wayneftw
How long until you can point another computer at your game pc or console, to
play for you?

That’s game over for anti-cheat IMO.

~~~
Topgamer7
Or you just write your own game client like China has been doing for WoW for
ages.

~~~
yutuytuyt
It doesn't sound so good.

Client v1 sends packet A for command Attack.

So does China Client v1.

Developer updates client to v2 and now packet A is non-existent, so no legit
user is going to send it.

So after the patch, everyone who sends packet A can be banned.
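The retired-opcode tripwire described in the comment above, as an added example (this is not code from the linked article or from any real game's protocol). The frame layout, the build numbers, the opcode tables and the sample traffic are all made up for illustration: in "build 2" the Attack command has moved from opcode 0x20 to 0x31, so 0x20 is something no legitimate build-2 client will ever send.

```python
import struct
from collections import defaultdict

# Constructed protocol for this example (not any real game's): each client
# build has its own opcode table. In build 2 the Attack command moved from
# 0x20 to 0x31 and 0x20 was retired, so no legitimate build-2 client sends it.
OPCODES = {
    1: {0x10: "Move", 0x20: "Attack", 0x30: "Chat"},
    2: {0x10: "Move", 0x31: "Attack", 0x30: "Chat"},
}
CURRENT_BUILD = 2
RETIRED = {0x20}   # opcodes that existed in an older build and were removed

# Assumed frame layout: build u16 | opcode u8 | payload length u16 | payload
FRAME = struct.Struct("<HBH")

def build_frame(build, opcode, payload=b""):
    return FRAME.pack(build, opcode, len(payload)) + payload

def parse_frame(data):
    if len(data) < FRAME.size:
        raise ValueError("short frame")
    build, opcode, length = FRAME.unpack_from(data)
    if len(data) != FRAME.size + length:
        raise ValueError("length mismatch")
    return build, opcode, data[FRAME.size:]

def classify(build, opcode):
    """None for a clean packet, otherwise the reason it should be flagged."""
    if build != CURRENT_BUILD:
        return f"stale build {build}"
    if opcode in OPCODES[build]:
        return None
    if opcode in RETIRED:
        return f"retired opcode 0x{opcode:02x}"
    return f"unknown opcode 0x{opcode:02x}"

def scan(stream):
    """stream: iterable of (client_id, raw_frame). Returns {client_id: [reasons]}."""
    flags = defaultdict(list)
    for client, raw in stream:
        try:
            build, opcode, _payload = parse_frame(raw)
        except ValueError as e:
            flags[client].append(f"malformed frame: {e}")
            continue
        reason = classify(build, opcode)
        if reason is not None:
            flags[client].append(reason)
    return dict(flags)

# Constructed traffic: alice runs the shipped build-2 client; bob's rewritten
# client bumped its build field but still emits the old Attack opcode; carol
# never updated; dave's client sends a frame whose length field lies.
SAMPLE = [
    ("alice", build_frame(2, 0x10)),
    ("alice", build_frame(2, 0x31)),
    ("bob",   build_frame(2, 0x20)),
    ("carol", build_frame(1, 0x20)),
    ("dave",  build_frame(2, 0x10, b"abc")[:-1]),
]

if __name__ == "__main__":
    for client, reasons in scan(SAMPLE).items():
        print(client, "->", "; ".join(reasons))
```

The rule only bites clients that did not track the update. A rewritten client (or cheat) that checks the build before emitting anything, as the reply below this comment notes real cheats already do, passes this check unchanged; the tripwire buys the developer the window between a patch landing and the third-party client catching up.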

~~~
penagwin
This is currently already the case for cheats. When the game updates then the
cheat needs to be updated as well. And you can definitely catch cheaters with
the method you mentioned, so many cheats check the game version before doing
anything.

This means immediately after an update many cheats stop working until they're
updated (or their creator flags the new game version as compatible).

~~~
neodymiumphish
I wonder how much success there's been in hiding the version information from
visibility by any software... Obviously the cheat developer could just hash
the game files directly and halt if there's a discrepancy between the known-
vulnerable versions, but it'd be interesting to see whether that was tried
with any highly-cheated-in games.

------
saagarjha
What I don't understand is why the cheats can't just prevent the shellcode
from running, or preempt the exception handler from being called by
installing their own. Is spoofing the return of NtQueryVirtualMemory not
possible, either?

~~~
phire
If the shellcode doesn't run, then it can't respond to the server's challenge-
response query.

And the server knows the user is cheating.

~~~
nneonneo
It doesn’t really even have to be a real challenge-response since the server
controls the shellcode. Just have the shellcode unconditionally submit
something (maybe a value that requires a minimum amount of computation or
WinAPI sanity checks). If you don’t run that bit of code, down comes the ban
hammer.

------
pastrami_panda
Speaking in terms of fps games I believe it to be very easy for any human to
detect aimbots when reviewing gameplay footage. Wallhacks are a bit trickier
to detect, and probably require longer reviews, but I'd estimate that above
average players could quite accurately detect this hack as well. This leads me
to believe this should be quite a good fit for machine learning, no? It just
seems like a problem that lives in that space of "It's hard to define but I
sure can tell when I see it" - which ML seems to excel in?

~~~
mantap
By that logic you could also use AI to create an undetectable aimbot that
mimics a very good human player.

~~~
rhodo
You definitely could

------
kgwxd
By installing spyware.

~~~
saagarjha
I wouldn't call this spyware; it doesn't seem to reach outside of its own
process (though I guess it does report back what you could call analytics).

~~~
nneonneo
BattlEye apparently comes with a kernel component called BEDaisy which
preemptively tries to block attempts to patch Windows API functions. That has
some people calling it a rootkit or spyware.

~~~
Red_Leaves_Flyy
Many long-running undetected game hacks use kernel hooks. If the hack runs
before the anti-cheat or with higher privileges then the anti-cheat is just a
resource hog.

------
Shivetya
Well, this sent me down a rabbit hole that is utterly fascinating.

With regards to cheating, I understand the need to present a fair playing
experience to all customers, but as with anything else, people are the one
variable we have the least control over, and with the numbers games (as with any
service) have to deal with, you are guaranteed to get bad actors.

The simple avoidance for those who see this as spyware/etc. is not to play. I
do not see this choice as a bad one. For some it is abhorrent, but for others
playing where cheaters have free rein is just as abhorrent. So unless you can
fix people, you choose what you are willing to accept.

~~~
TeMPOraL
> _The simple avoidance for those who see this as spyware/etc. is not to play.
> I do not see this choice as a bad one. For some it is abhorrent, but for
> others playing where cheaters have free rein is just as abhorrent._

Problem is, it's all-or-nothing. It'd be better if games could be sandboxed, so
that their cheat-prevention spyware doesn't leak to the rest of the system. But
I suppose the practical answer to that would be, "buy a console".

------
mnowicki
How hard would it be to just copy and modify the packets being sent to the
anti-cheat servers? Are they sent directly to the anti-cheat server or do they
go back to the game server first and then get forwarded from there?

~~~
sevenf0ur
That's the first thing hackers try. The packets are almost certainly encrypted
and checksummed in a way where tampering is immediately obvious. You end up at
the same place - having to modify/hook into the game internals to bypass the
anti-cheat.
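Two points made earlier in the thread are easier to see end to end in one small simulation: phire's and nneonneo's point that a cheat which stops the server-sent code from running simply never answers the challenge, and sevenf0ur's point above that the report packets are encrypted and checksummed so that editing or replaying them is immediately visible. This is an added example, not BattlEye's protocol and not code from the linked article. Everything in it is an assumption made for illustration: the session key would really come from the login handshake, the "check" (hashing a region of the client's own code against what the server shipped) stands in for executing real server-supplied shellcode, the HMAC-derived keystream stands in for a proper AEAD such as ChaCha20-Poly1305, and the two-second deadline is arbitrary.

```python
import hashlib
import hmac
import os
import struct

# Constructed for this example: the session key would come from the login
# handshake, the "check" stands in for server-supplied code, and
# PRISTINE_CODE is the code region the server knows it shipped.
SESSION_KEY = b"\x01" * 32
K_S2C = hmac.new(SESSION_KEY, b"server-to-client", hashlib.sha256).digest()
K_C2S = hmac.new(SESSION_KEY, b"client-to-server", hashlib.sha256).digest()
PRISTINE_CODE = bytes(range(256)) * 4
DEADLINE = 2.0   # seconds the client gets to answer (assumed)

def _keystream_xor(key, nonce, data):
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, b"enc" + nonce + struct.pack("<Q", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def seal(key, seq, plaintext):
    """Encrypt-then-MAC with the sequence number as nonce (stand-in for a real AEAD).
    The nonce is authenticated, so edits, renumbering and replays all fail the tag."""
    nonce = struct.pack("<Q", seq)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, expected_seq, packet):
    """Plaintext, or ValueError on any tampering or replay."""
    if len(packet) < 40:
        raise ValueError("short packet")
    nonce, ct, tag = packet[:8], packet[8:-32], packet[-32:]
    if struct.unpack("<Q", nonce)[0] != expected_seq:
        raise ValueError("bad sequence number")
    if not hmac.compare_digest(hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("bad tag")
    return _keystream_xor(key, nonce, ct)

def check_result(challenge, code):
    """What the server-issued check yields when it really runs over `code`."""
    return hashlib.sha256(challenge + code).digest()

class Server:
    def __init__(self):
        self.seq = 0
        self.pending = {}   # seq -> (challenge, time issued)

    def issue(self, now):
        self.seq += 1
        challenge = os.urandom(16)
        self.pending[self.seq] = (challenge, now)
        return self.seq, seal(K_S2C, self.seq, challenge)

    def verify(self, seq, packet, now):
        """'ok', or the reason the client gets banned. packet=None: nothing arrived."""
        challenge, issued = self.pending.pop(seq, (None, None))
        if challenge is None:
            return "unknown or already-answered challenge"
        if packet is None or now - issued > DEADLINE:
            return "no answer in time"
        try:
            result = unseal(K_C2S, seq, packet)
        except ValueError as e:
            return f"packet rejected: {e}"
        if not hmac.compare_digest(result, check_result(challenge, PRISTINE_CODE)):
            return "check result does not match shipped code"
        return "ok"

def honest_client(seq, packet, code=PRISTINE_CODE):
    """Runs the check over its own code and answers; `code` models a hooked client."""
    challenge = unseal(K_S2C, seq, packet)
    return seal(K_C2S, seq, check_result(challenge, code))

def scenarios():
    out = {}
    s = Server(); seq, chal = s.issue(now=0.0)
    out["honest"] = s.verify(seq, honest_client(seq, chal), now=0.5)

    s = Server(); seq, chal = s.issue(now=0.0)          # cheat blocks the code from running
    out["blocked"] = s.verify(seq, None, now=3.0)

    s = Server(); seq, chal = s.issue(now=0.0)          # cheat inline-hooked the checked region
    patched = bytearray(PRISTINE_CODE); patched[:5] = b"\xe9\x00\x00\x00\x00"
    out["hooked"] = s.verify(seq, honest_client(seq, chal, bytes(patched)), now=0.5)

    s = Server(); seq, chal = s.issue(now=0.0)          # cheat edits the reply in flight
    reply = bytearray(honest_client(seq, chal)); reply[12] ^= 0x01
    out["tampered"] = s.verify(seq, bytes(reply), now=0.5)

    s = Server(); seq1, chal1 = s.issue(now=0.0)        # cheat replays an old good reply
    old = honest_client(seq1, chal1); s.verify(seq1, old, now=0.5)
    seq2, _ = s.issue(now=1.0)
    out["replayed"] = s.verify(seq2, old, now=1.5)
    return out

if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:9s} {verdict}")
```

The check itself carries no secret, which is nneonneo's point: the server only needs evidence that its code actually ran, bound to a fresh challenge so the answer cannot be precomputed, and the deadline and sequence number close off the "run it later" and "reuse last time's answer" routes. Reading the client's response is never a guessing game for the server because it controls both the code and the expected output; a client that has hooked the checked region (the `hooked` case) still runs the code honestly and still fails.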

------
thenewnewguy
> and we refer to it as shellcode8kb

Who is "we" in this context? Is there a community of anti-cheat reverse
engineers out there?

------
mike_hock
So those games put infrastructure in place for the server to execute arbitrary
code on my machine?

No, thanks.

~~~
cortesoft
You bought a game from them... you are already letting them run arbitrary code
on your machine.

~~~
mike_hock
The original game code, as well as automatically installed updates can be
vetted and compared to other installations. Any malware injected into either
of them risks being exposed over time.

This allows the server to execute arbitrary, ephemeral code fragments on any
client at any time, with no trace. If the server is _ever_ compromised, so are
_all_ clients, _instantly._

This is absolutely insane from a security POV. Just because I gave you a
program once that you're using doesn't mean that you want to give me an SSH
login to your machine.

~~~
smileybarry
Some games -- recently Overwatch -- send hotfixes as live hotpatches. Those
couldn't be scrutinized by anyone except the developer until they're included
in the next formal patch.

~~~
jcranmer
You say that like people aren't capable of converting the current memory space
back into an executable.

~~~
cortesoft
Which also applies to the code the anti-cheat stuff is having you run. The
point is they have a mechanism to download and run code without you explicitly
validating the code.

That is happening with or without this anti-cheat stuff, so what is the
difference?

------
M-11
I write bots for older MMOs so I can do group content to make a game playable
when you can't get a group big enough to do the content you need. Sometimes
taking a break from a game you want to do old content that needs a party and
no one is interested or you can't play at consistent times to be able to get
static groups.

------
m4rtink
Heavy-duty sandboxing of game software can't come quickly enough. Game
software reading arbitrary memory outside of its own on a machine is half a
step from outright malware and must stop.

~~~
crazygringo
Sandboxing prevents code from getting _out_ of a sandbox.

It doesn't prevent outside code (i.e. your cheat software) getting in.

As long as you control the computer running the sandbox, you can have it do
whatever you want.

~~~
neodymiumphish
Yeah, but I think his issue is with the anti-cheat software. If the anti-cheat
is sandboxed, it can't see any other memory or processes that are running.
It's a fair privacy concern.

~~~
m4rtink
This is what I mean - putting the game and all its "anticheat" malware into a
sandbox, so it has no chance to interact with the rest of the system, for
privacy and security reasons.

