Thanks to the Unreal Source Discord people
Info
This page mostly concerns Windows and assumes we are using it.
Introduction
Kernel
Introduction
The kernel is a computer program running at the core of an operating system.
Simplified plan
Programs
Even when using Run as administrator, you are still in user mode.
Any software that runs in the kernel namespace is referred to as a “driver”.
You need to write a driver to make code run at kernel level. The kernel has no tolerance for code errors: any issue is assumed to be critical and, for safety reasons, it throws a BSOD.
There is nothing for you to accept when a piece of software installs a driver; it is just a file copy to the system folder (C:\Windows\System32\drivers) and a registration.
If a driver .sys file was signed with a Microsoft-approved key, the OS will load it. If not, a warning message will show up, and you can choose to ignore the driver or run it.
See this tutorial on how to make a basic kernel program on Windows.
Protection rings
Protection rings are used to give a program a set of permissions.
For example, here are the rings for x86 available in protected mode.
But most desktop OSs only use two rings, ring 0 (r0) and ring 3 (r3).
Cheats
Examples
Aimbots
Modern soft aimbots can mimic human inconsistency.
Anti recoil
A popular anti recoil hardware and software combination is Cronus.
Cronus is a physical device that you plug your controller into, and at the moment it’s not detectable or bannable by any game as far as we know, even though it’s literally cheating.
It even comes with scripts to run on it for many popular games; for Apex Legends, for example, it comes with anti recoil scripts*, and there are even some that specifically try to boost the effect of aim assist. It’s being sold online like a legit product.
*Apex Legends has public, static (non-random) recoil patterns for every gun in the game.
Anti recoil software knows which gun you are using and uses that to decide how to behave.
A solution would be to add some randomness to the recoil pattern that a human wouldn’t notice, keeping it a skill game (= a good, legit player can still learn the pattern).
Others
Trigger Bot
A trigger bot is something common in cheat menus. A trigger bot shoots for you if you aim at a target.
Tools
Warning!
Please do not use these in multiplayer games; go for a solo game or your own game. I am listing them for research and testing purposes.
Disassemblers
Ghidra
- Shows you the disassembly for a Windows executable.
- Can generate pseudocode.
IDA Pro
Other
- Cheat Engine
Anti cheats
Types
There are different types of Anti Cheats.
- Behavioural: The anti cheat analyses the overall behaviour of the player and makes a decision based on that. It’s also close to data science (ex: “is the player doing insane 360s at a high rate?”)
- Programmatic: The anti cheat just does “maths”: it checks whether you killed a player through 5 walls, or whether you made an impossible angle shot. This is more hardcoded.
Behavioural is probably better than programmatic, since bots are becoming more human-like.
With the increased difficulty of detecting very well implemented cheats, AI anti cheats are now a thing, since manual anti cheats are hard to implement and can be reverse engineered, meaning the dev team has to constantly update them to make them harder for cheat authors. But this costs time and money. The idea is to analyse how legit players play and how cheaters play, to find the difference and ban only the cheaters. This could mean an algorithm constantly running, analysing, updating itself, reverse engineering known cheats to see how they work, and more.
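As an added illustration of the programmatic type (example code written for this page, not from its author or any real anti cheat): a server-side check over constructed view-angle samples that flags a shot fired on the same tick as a turn larger than any human input could produce. The sample format and the degrees-per-tick threshold are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>

/* One server-side sample of a player's view direction (degrees, yaw in [0,360),
 * pitch in [-90,90]) and whether a shot was fired on that tick. Constructed format. */
typedef struct { double yaw, pitch; bool fired; } view_sample;

/* Shortest angular distance between two headings, so 355 -> 2 is 7 degrees, not 353. */
static double angle_delta(double a, double b) {
    double d = a - b;
    if (d < 0) d = -d;
    if (d > 180.0) d = 360.0 - d;
    return d;
}

/* Programmatic check: count shots fired on the same tick as a turn larger than
 * max_deg_per_tick. The threshold is an assumed tuning value; a real game would
 * derive it from its tick rate and the fastest turn a mouse/controller can make. */
size_t count_snap_shots(const view_sample *s, size_t n, double max_deg_per_tick) {
    size_t flagged = 0;
    for (size_t i = 1; i < n; i++) {
        if (!s[i].fired) continue;
        double dy = angle_delta(s[i].yaw, s[i - 1].yaw);
        double dp = angle_delta(s[i].pitch, s[i - 1].pitch);
        /* compare squared lengths so no sqrt (and no libm) is needed */
        if (dy * dy + dp * dp > max_deg_per_tick * max_deg_per_tick) flagged++;
    }
    return flagged;
}
```

A single flagged shot is evidence, not proof; this is exactly the kind of signal that gets combined with behavioural data before any ban decision.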
Video about AI Anti Cheats: https://www.youtube.com/watch?v=LkmIItTrQP4.
Considerations
It’s really hard to tell the difference between an average player with a humanized cheating device and a good player.
This is why anti cheats (ACs) are never 100% sure whether a player is cheating or not. Also, the fact that an AC usually runs in the kernel makes it a potential security issue. For example, in 2024 an RCE (Remote Code Execution) vulnerability was used on streamers while they were playing a tournament on Apex Legends, which seemed to be linked to the Source Engine and not EAC.
Here are one article and one Steam post about the Helldivers 2 anti cheat controversy.
Software
Vanguard, Easy Anti Cheat (EAC) and RICOCHET run at the kernel level.
Vanguard seems more restrictive since it asks for a reboot when it’s first installed or updated. Easy Anti Cheat doesn’t require a system restart; it seems that it runs on demand.
Games using EAC: Fortnite, Apex Legends, Rust and more. Vanguard is used by Riot Games. RICOCHET is used on some specific COD versions.
Vanguard files are located in your EFI system partition, right next to the Windows boot image. It looks like Vanguard is “hijacking” the Windows boot process from outside, probably to be able to load as early as possible.
In depth
Reading RAM
RAM holds everything that’s running on your PC, including game code and data. This means that you can technically read the game state, or even override it, by reading or manipulating RAM.
This is why ACs try to prevent RAM access (read/write).
Each app has a unique memory signature. The signature is a sequence of bytes.
If you simply try to read/write memory you will probably get struck by an anti cheat. Anti viruses do very similar behaviour/pattern scanning.
How does this work?
Blue Man explanation
Any time you want to read a process you need to get a handle to that process; you can basically intercept that handle request from a driver (ObRegisterCallbacks). Any time anything tries to open a handle your driver will get notified from where, and you can block it depending on what process is trying to open it, etc…
Pretty much every single anti cheat will do this… but it’s a game of cat and mouse; you have to make sure a cheat driver doesn’t sneakily unregister your callback, swap it for its own, etc…
That’s why Vanguard, for example, wants to load with the OS, to try and make sure it’s the first thing to load before any cheating software can (they still can, but it’s more difficult), because it gives it a chance to protect itself from anything trying to manipulate it.
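To make the handle-filtering idea above concrete, here is an added example (written for this page; not Blue Man’s code and not any real anti cheat’s) of the policy such a pre-operation callback applies: handles to the protected game keep only harmless rights unless the requester is the game itself or an allow-listed component. The process access-right values are the ones from winnt.h; the policy struct and allow-list are assumptions, and the kernel wiring is only sketched in a comment so the decision function itself compiles on any C compiler.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Process access rights, with the values defined in winnt.h. */
#define PROCESS_TERMINATE     0x0001u
#define PROCESS_CREATE_THREAD 0x0002u
#define PROCESS_VM_OPERATION  0x0008u
#define PROCESS_VM_READ       0x0010u
#define PROCESS_VM_WRITE      0x0020u
#define PROCESS_DUP_HANDLE    0x0040u

/* Rights that let another process read, write or inject code into the game. */
#define TAMPER_RIGHTS (PROCESS_TERMINATE | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | \
                       PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE)

/* Hypothetical policy: the game's PID plus a short allow-list (e.g. the AC's own service). */
typedef struct { uint32_t protected_pid; const uint32_t *allowed_pids; size_t allowed_count; } protect_policy;

static bool pid_allowed(const protect_policy *p, uint32_t pid) {
    for (size_t i = 0; i < p->allowed_count; i++)
        if (p->allowed_pids[i] == pid) return true;
    return false;
}

/* Decide what a handle request may keep. requester = PID opening the handle
 * (PsGetCurrentProcessId() inside the callback), target = PID the handle is for
 * (PsGetProcessId(info->Object)), desired = the DesiredAccess being requested.
 * Returns the mask the callback writes back into DesiredAccess. */
uint32_t filter_process_access(const protect_policy *p, uint32_t requester,
                               uint32_t target, uint32_t desired) {
    if (target != p->protected_pid) return desired;  /* not the game: leave it alone */
    if (requester == target) return desired;         /* a process may open itself */
    if (pid_allowed(p, requester)) return desired;   /* trusted component */
    return desired & ~TAMPER_RIGHTS;                 /* keep harmless query rights only */
}

/* Wiring sketch for a real driver (needs the Windows kernel headers, not compiled here):
 * OB_PREOP_CALLBACK_STATUS PreOp(PVOID ctx, POB_PRE_OPERATION_INFORMATION info) {
 *     if (info->KernelHandle) return OB_PREOP_SUCCESS;      // leave kernel-side handles alone
 *     ACCESS_MASK *da = (info->Operation == OB_OPERATION_HANDLE_CREATE)
 *         ? &info->Parameters->CreateHandleInformation.DesiredAccess
 *         : &info->Parameters->DuplicateHandleInformation.DesiredAccess;
 *     *da = filter_process_access(ctx, (uint32_t)(ULONG_PTR)PsGetCurrentProcessId(),
 *                                 (uint32_t)(ULONG_PTR)PsGetProcessId(info->Object), *da);
 *     return OB_PREOP_SUCCESS;
 * }
 * Registered for PsProcessType through OB_OPERATION_REGISTRATION and ObRegisterCallbacks. */
```

Note the caveat from the explanation above: this only filters handles requested after the callback is registered, and only while the callback stays registered, which is why load order matters so much.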
Known case #1
RICOCHET was known for reading literal strings in the memory. It was simply searching memory for strings like “Trigger Bot”. A bad actor could send you a chat message containing one of the strings and you’d get banned.
Article about it here.
Known case #2
League of Legends had something similar a few years back: it scanned your browser tabs and if any of them matched “cheat engine” the game would close.