Ведущие: Роман Казанцев, Максим Вафин и Андрей Сомсиков Разработка чит-кодов к различным сетевым играм со временем превратилась в прибыльный бизнес. С помощью внедренных чит-кодов можно анализировать данные памяти и собирать статистику об игроках. На примерах из игры Unreal Tournament 4 докладчики расскажут о методах борьбы с подобным читерством, основанных на запутывании кода.

1. Roman Kazantsev, Maxim Vafin, Andrey Somsikov
April 17, 2016

2. 2
Why do People Love Cheating in Online Games?
 Have a fun;
 Become a gamestar;
 Earn money;
 Love freebie.

3. 3
 Game publishers can loose their fans and
subscribers (~subscription fee);
 eSport organizations (tournaments) …
 Newcomers never return to busy-cheat
game;
 Gamers want a fair play.
Motivations to fight with cheating?

4. 4
 3D-Skins to Display of Tank Modules;
 Removal of trees, leaves and bushes or
change transparency (see on the
pictures);
 Script for automated use of manually
activated equipment.
Cheating in World of Tanks

5. Cheating in Dota 2
5
 Script that automatically explodes the
exact number of mines to kill.

6. Cheating in Call of Duty
6
 Aimbot that automatically points a
weapon to a target;
 2D/3D radars that are useful to monitor
locations of insight and hidden
opponents to be ready to shooting;

7. “If you are from the
following list you may
not access this website”
Terms of service
Who are the Light Side?
7

8. Scan for cheat activity
 Detect Dll injection
 Anti debug measures
 etc.
Replay game on server
Workaround anti-cheat
 Hide DLL injection
 Ring 0 tricks
 …
“Visual” cheats
Cheat less but efficient
Catch Me if You Can
8

9. Detecting the Cheat
9

10. Server-side Anti-cheat. Are they worth?
Looks smart:
 Track player statistics
 Replicate playback on server
… But no access to game client:
 Cheat smart, do not cross the line
 Render the game you need
False-positive bans => dissatisfaction

11. Local Anti-cheat
Looks powerful:
 Scans kernel
 Pretend to be an anti-virus
 Take screen pictures and send them away
That scares not only Me
User privacy is the main issue

12. Hacks local game copy, do not work on
multiplayer games.
What it does:
 Search for values in the memory
 Change or/and freeze found values
Examples:
 Artmoney
 Cheat Engine
 Game Guardian (Android)
Simple Cheating Technique
12

13. What it does:
 Shows to player things he
must not see (for example
other players, pickups
locations)
 Helps player to aim, to
trigger, to move
Advanced Cheating Technique
PickUps Enemy insight Hidden enemy2D radar
HealthBounds
Distance
Head
Name
13

14. Process Monitor and IDA Pro
 Cheat uses anti-debug and it shut downs after it notices Process Monitor
 Cheat is obfuscated and IDA Pro was not helpful
14

15. Could not find WinAPI
functions cheat uses to inject
itself.
Only the fact that cheat gets
direct access to kernel32.dll
API Monitor
15

16. Found some cheat
traces in game
memory
Mandiant Redline®
16

17. Appeared differences are in
relocation sections only. It is
normal for any application
and do not reveal the fact
that memory is hacked.
HEX Analysis of Memory Dumps
17

18. How It Works?
Uses DLL injection to run its code
within the address space of game
process.
One part of the cheat running in a
process separate from the game injects
code into the game process and
creates a new thread to execute the
injected code.
Step 1
AttachCheat process Game code and data
Allocate MemoryCheat process Game code and data
Copy codeCheat process Game code and data
Injected cheat code
ExecuteCheat process Game code and data
Injected cheat code
Game code and data
Cheat Thread
Step 2
Step 3
Step 4
18

19. Protection Idea A
Sign non-writable memory of the game and check its integrity during runtime.
Have not worked, cheat have not modified the memory that we signed.
19

20. Protection Idea B
Encryption of the memory cheat reads. This solution worked.
20

21. Encrypted Information
Minimum data to encrypt:
 Camera coordinates (x, y, z) of the player
Additional data that was encrypted:
 Camera coordinates and rotation of all players
 Health of all players
 Names of all players
 Bounds of all players
21

22. We Got Banned
Cheat has Terms Of Use, where it is stated that you can not try to use your
account to hack cheat, which we were doing. Here is extract of that Terms Of
Use:
22

23. 23
Protects games against a simple cheat.
How anti-cheat works:
1. Function working with critical data
requests trusted authentication module
to update or verify signed data;
2. Trusted authentication module verifies
by what function is it called to update or
verify signed data;
3. The authentication module updates data
along with signature or verifies data
integrity using a key.
Data Integrity Verification Based Anti-cheat
Key
Game
Signed
data
Data
Trusted Integrity
Verification Module
obfuscated
Key

24. 24
Protects games against simple and
advanced cheats.
How anti-cheat works:
1. Function working with critical data
requests trusted encryption module to
encrypt or decrypt data;
2. Trusted encryption module verifies by
what function is it called;
3. The encryption module encrypts or
decrypts data using a key.
Data Encryption Based Anti-cheat
Key
Game
Encrypted
data
Data
Trusted Encryption
Module
obfuscated
Key

25. 25
Pros and Cons of our Anti-cheat
Pros:
 Triggers no false positives;
 Has no conflicts with anti-virus software;
 Does not affect user privacy;
Cons:
 Requires code refactoring.

26. Back to Future
SW measures are only piece in a puzzle
HW-based protections become available
 Superior robustness
 … but gamers care of HW for graphics, not for anti-cheat
Cheat resistant game engines
26

27. Backup
27