MASARYK UNIVERSITY
FACULTY OF INFORMATICS
Tomas Curda
Brno, 2014
Declaration
Hereby I declare that this paper is my original authorial work, which I
have worked out on my own. All sources, references and literature used
or excerpted during the elaboration of this work are properly cited and listed
in complete reference to the due source.
Acknowledgement
Abstract
The main goal of this thesis is to describe the behavior of typical cheating
software used in competitive online computer games. The first part describes implementations of cheat software in the Windows operating system environment and introduces the tools used for developing cheats. The second part describes the most common techniques used by cheat software. It
explains how cheat software gains access to a game's process and memory, and describes the methods cheats use to modify a game's behavior.
The last part introduces the most common anti-cheat services. One of them
is analyzed by reverse engineering in order to find out how effective current anti-cheat technologies are and what can be done to improve
them.
Keywords
online games, cheat, anti-cheat, code injection, function hooking
Contents
1 Introduction . . . . . 2
2 Cheat software . . . . . 3
2.1 Cheat software in Windows operating system . . . . . 4
2.1.1 External vs Internal cheats . . . . . 4
2.1.2 User mode vs Kernel mode . . . . . 5
2.2 Cheats and Exploits . . . . . 5
2.3 Tools . . . . . 5
2.3.1 Cheat Engine . . . . . 6
2.3.2 IDA . . . . . 7
2.3.3 ReClass . . . . . 9
2.4 Availability of cheats . . . . . 9
2.5 Legal aspect . . . . . 10
3 Most common techniques used by cheats . . . . . 12
3.1 Code injection into a remote process . . . . . 12
3.1.1 DLL injection via CreateRemoteThread . . . . . 13
3.1.2 Injection of arbitrary code . . . . . 15
3.1.3 Injection via thread hijacking . . . . . 17
3.2 Function hooking . . . . . 18
3.2.1 Inline hooking . . . . . 19
3.2.2 Virtual method hooking . . . . . 20
3.3 Game engine exploiting . . . . . 24
3.3.1 Source Engine . . . . . 25
4 Anti-Cheating software . . . . . 27
4.1 Comparison of anti-cheats . . . . . 27
5 Analysis of Valve Anti-Cheat . . . . . 32
5.1 Client-Side implementation . . . . . 32
5.2 Process monitoring . . . . . 34
5.3 Code blacklisting . . . . . 35
5.4 Integrity checking . . . . . 35
5.5 Environmental checking . . . . . 36
5.6 Kernel mode cheats detection . . . . . 37
5.7 Suggested improvements . . . . . 38
6 Conclusion . . . . . 40
Chapter 1
Introduction
The video game industry has grown significantly over the last decade. More
and more games now provide an online mode for playing against
other players. This creates great opportunities for competitive games,
which have gained huge popularity in the last few years. Competitive gaming is
now recognized as a professional sport in the U.S. [1]. With the increased number
of players playing competitively, the money involved in tournaments and
prize pools growing every year, it is now an attractive target for players who try to exploit those games with cheats.
The motivation behind the creation and usage of cheats is profit. Cheat
developers either develop their own cheats for their own needs or provide cheating services to any player who can pay for access, without that player needing any knowledge of developing them. Several specialized websites are
dedicated to providing their own cheat software. The price of such software varies depending on the features provided and on the cheat's
protection against anti-cheat detection. Some of them are designed to
be used in tournaments and leagues, and there are known cases of professional players using cheats [2].
Cheating is often not taken seriously by game developers although it
has a huge negative impact on a game. Most games rely blindly on
third-party anti-cheat solutions, which is often not enough to stop cheats
that are getting more sophisticated. Much like anti-virus detections,
anti-cheat detections are constantly bypassed, and new detection methods must be developed in order to detect the latest cheats.
This thesis describes the basics of the online game cheating problem and explains the current situation in the arms race between cheat and anti-cheat creators. Simple game cheat source code is included as an example usage of the
techniques described in this thesis. The most common gaming environment
is described, i.e. an Intel x86 game application running on Windows.
Chapter 2
Cheat software
A cheat is anything that can be used by a player to gain an unfair gameplay advantage. Cheats are sometimes included by game developers
in singleplayer games but are strictly forbidden in multiplayer games.
The cheat software described in this thesis is software which modifies the game
environment in a way not intended by the game developers, to give a player
an unfair gameplay advantage over other players. This unfair advantage can be provided by:
The main difference is that cheats are executed with the full knowledge
of the user, with the purpose of cheating in a computer game.
2. CHEAT SOFTWARE
while an External cheat has its own process running the whole time. The difference between the External and Internal approach is whether the cheat is running
inside the game's address space or not.
2.1.2 User mode vs Kernel mode
In the Windows operating system there is a major difference between code
running in user mode and code running in kernel mode [4]. Cheat developers take advantage of kernel mode since it brings advantages
over user mode solutions:
2.3 Tools
Since the majority of games do not have source code available, a cheat developer needs to use reverse engineering tools to identify the location and
structure of gameplay-critical data in order to understand the game internals. The most common tools used are Cheat Engine,
IDA Pro and ReClass.
2.3.1 Cheat Engine
Cheat Engine¹ is an open-source tool designed for modifying the behavior of computer
games. It can be used to modify specific game variables and
structures inside game memory, such as player health, speed, amount
of gold etc., in order to make a game easier or harder. Although originally designed
for singleplayer games, as the author claims on his website, it also works
in online games, where it is often used to change the behavior of the client's
part of the game. For example, in the game Team Fortress 2, a single one-byte
memory patch allows a player to enable a developer mode in which the
player can then see other players through walls (Figure 2.1).
2.3.3 ReClass
ReClass³ is an open-source tool for reverse engineering unknown data
structures and classes inside game memory. Once the user attaches the program
to a game process and enters the address of a data structure, he can start
describing the structure members (Figure 2.4).
Public cheats
Available on public websites and forums as either compiled binaries, ready-to-compile projects or code examples.
3. Available from: http://www.unknowncheats.me/forum/general-programming-and-reversing/104942-reclass-x64.html
http://unknowncheats.me (2000) - a forum and community focused on cheating in multiplayer games. The whole content of the website
is created by its users, who post their cheats (a database of more than
9800 cheats and tools), tutorials and source code, and who share their
research on newly released games and anti-cheats. The site is funded
by donations.
http://cheathappens.com (2001) - provides free and paid cheats
based on game memory patching; despite the claim that they only provide cheats for singleplayer games, some of their cheats do work
in multiplayer mode.
http://mpgh.net (2002) - a forum focused on cheating in multiplayer games. The forum has over 2.9 million registered members
who share their cheats and tutorials. The site is funded by advertisements.
publisher legal grounds to punish a player by denying his access to the multiplayer part of the game (a.k.a. ban).
Legal battles between game owners and cheat providers aren't very
common. The most common method to fight cheats from a legal
standpoint is the Digital Millennium Copyright Act (DMCA) takedown.
This indirect approach is used in the USA to take down sites and services which distribute game cheats and exploits, on the legal grounds
of copyright law.
Blizzard Entertainment, Inc. (Blizzard) is known to be active in using the law to force cheat sites and services to shut down. In 2008
they won a two-year-long legal battle against MDY Industries, LLC (MDY),
which used to sell cheats for Blizzard's popular game World of Warcraft
(WoW). The court concluded that by providing the cheat, MDY was guilty of
tortious interference, as MDY knowingly aided WoW players in violating
Blizzard's EULA. MDY assisted players in gaining an unfair advantage
over other WoW players and also helped players avoid detection by
Blizzard [6]. Another case, from 2013, against Ceiling Fan Software LLC
(CF) was also successful for Blizzard. Just as in the previous case,
CF was found guilty of tortious interference [5].
The main problem with fighting cheats through lawsuits is that
cheat providers host their services in various countries with different laws. Another problem is that once a cheat provider is forced to
close its service, it is often promptly replaced by a new one, which makes
legal battles ineffective as a long-term strategy.
Chapter 3
Most common techniques used by cheats
2. Write the path to the DLL file which should be injected into the address
space of the remote process.
3. Create a new thread by calling CreateRemoteThread, where the parameters are the handle to the remote process, a pointer to the LoadLibrary function and a pointer to the DLL path string.
The path to the DLL file can be written anywhere inside the remote process address space, provided the memory region is marked as writable. Alternatively it is possible to allocate a writable memory region inside the remote
process with VirtualAllocEx.
    // remotePath: writable region inside the remote process (see above)
    if (!remotePath)
        return NULL;
    // copy the DLL path, including its terminating zero, into the remote process
    if (!WriteProcessMemory(process, remotePath,
                            (LPVOID)filepath, strlen(filepath) + 1, NULL))
        return NULL;
    // address of LoadLibraryA, resolved through the local kernel32 module
    FARPROC loadLibraryAddress =
        GetProcAddress(GetModuleHandle("KERNEL32.DLL"),
                       "LoadLibraryA");
A remote thread can now be created which will execute the LoadLibrary function with the custom DLL path as its parameter.
The DLL will now be loaded by the remote process. The code can then, for example,
wait for the thread to finish, get the return value of the LoadLibrary function, free
the allocated memory region and close the process handle.
    WaitForSingleObject(hThread, INFINITE);   // wait until LoadLibrary returns
    // (retrieval of the thread exit code and release of the remote memory region
    //  belong here; those lines did not survive in this copy of the listing)
    CloseHandle(hThread);
    // (the process handle is closed here as well)
    return exitcode;
    byte wrapper[19] = {
        0x6A, 0x30,                     // push 0x30            (uType)
        0x6A, 0,                        // push 0               (lpCaption)
        0x68, 0xCC, 0xCC, 0xCC, 0xCC,   // push 0xCCCCCCCC      (lpText, patched below)
        0x6A, 0,                        // push 0               (hWnd)
        0xB8, 0xFF, 0xFF, 0xFF, 0xFF,   // mov eax, 0xFFFFFFFF  (MessageBoxA, patched below)
        0xFF, 0xD0,                     // call eax
        0xC3 };                         // ret
Additionally, the memory region of the remote process allocated for the wrapper code must be marked as executable. This is due to the Data Execution
Prevention (DEP) security feature included in Windows systems [7].
MessageBox has to display some text, which must also be allocated and written into the remote process. The address of this text is passed to
MessageBox as the second parameter (0xcccccccc) in the assembly code.
    // patch the two placeholders: text address at offset 5, MessageBoxA address at offset 12
    *(DWORD*)(wrapper + 5) = (DWORD)remoteText;
    *(DWORD*)(wrapper + 12) =
        (DWORD)GetProcAddress(LoadLibrary("USER32.DLL"),
                              "MessageBoxA");
    // copy the finished wrapper into the executable region of the remote process
    WriteProcessMemory(process, remoteWrapper,
                       (LPVOID)wrapper, sizeof(wrapper), NULL);
4. Resume the thread.
    CONTEXT context;
    memset(&context, 0, sizeof(context));
    context.ContextFlags = CONTEXT_ALL;
    GetThreadContext(threadHandle, &context);   // read registers of the suspended thread
    context.Eip = remoteFunction;               // redirect execution to the injected code
    SetThreadContext(threadHandle, &context);
    ResumeThread(threadHandle);
2. user input collecting function, to fake mouse movements and keyboard presses
    // the first 5 bytes of the function are overwritten, so the page must be writable;
    // VirtualProtect requires a valid pointer for the previous protection value
    DWORD oldProtection = 0;
    VirtualProtect(originalFunction, sizeof(byte) * 5,
                   PAGE_EXECUTE_READWRITE, &oldProtection);
before hooking:
originalFunction:
    push 0x1000a433
    mov eax, 0x1000
    call eax
    ret

after hooking:
originalFunction:
    jmp hook
    mov eax, 0x1000
    call eax
    ret
hook:
    custom code ...
    jmp trampoline
trampoline:
    push 0x1000a433
    jmp originalFunction + 5
Available from: http://research.microsoft.com/en-us/projects/
Available from: http://nektra.com/products/deviare-api-hook-
[Figure: VMT layout before hooking. The object holds a pointer to the vmt; the vmt holds pointers to function01, function02 and function03, each pointing at the corresponding function body.]
    class Rendering
    {
    public:
        virtual void RenderStart() { };
        virtual void RenderFinish() { printf("Original function called\n"); };
    };
Just like reading the pointer value, it can also be modified. Note that
this part of memory is read-only, and therefore the memory protection
must be adjusted before the pointer can be modified. The hook in this case
is a function whose pointer will be placed into the VMT instead of the
pointer to the original function RenderFinish.
    DWORD origProtection = 0;
    DWORD tmpProtection = 0;
    // make the VMT entry writable and remember its original protection
    VirtualProtect(&vmtTable[1], sizeof(void*),
                   PAGE_EXECUTE_READWRITE, &origProtection);
    vmtTable[1] = &Hook;   // replace the RenderFinish entry with the hook
    // restore the original protection (the out-pointer must not be NULL)
    VirtualProtect(&vmtTable[1], sizeof(void*),
                   origProtection, &tmpProtection);
A hook must have exactly the same number of parameters and use the
same calling convention [?]. Virtual functions usually use the thiscall
calling convention, which passes the this pointer to the callee via the ECX register. This calling convention isn't guaranteed to be used, as it depends on compiler optimizations. Before replacing a function in the VMT, the
calling convention should be verified by reverse engineering.
MSVC will not allow a function to be explicitly defined as thiscall.
There are two calling conventions, compatible with thiscall, which can
be used instead. The first is stdcall, which does not directly provide the this
pointer, but it can be obtained by reading the ECX register via inline assembly. The second is fastcall, which passes the first two parameters via the ECX and EDX registers.
    // stdcall variant
    void __stdcall Hook() {
        DWORD instance;
        _asm mov instance, ECX   // the this pointer arrives in ECX
        // ... (remainder of the hook body)
    }

    // fastcall variant
    void __fastcall Hook(void* thisptr, int edx) {
        function02(thisptr);     // calling original function
        printf("Hook function called\n");
    }
[Figure: VMT layout after hooking. The entry for function02 now holds a pointer to hook; the entries for function01 and function03 are unchanged.]
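As an added example (not code from the thesis), the integrity check below shows how an anti-cheat can detect both forms of VMT hooking described in this section: an entry overwritten in place (vmtTable[1] = &Hook) and the hook-table variant where the whole table is copied and the object's VMT pointer is redirected. The Rendering class is modelled as a C struct whose first member is the VMT pointer; the object, tables and hook stand-in are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not part of the thesis. Compares an object's VMT pointer and
 * the table's entries against a known-good snapshot. In practice the snapshot
 * must come from the module image on disk, because a cheat loaded earlier may
 * already have patched the in-memory table before the anti-cheat started. */

typedef void (*vfn)(void *self);
struct rendering { vfn *vmt; int frames; };   /* vptr first, as a compiler lays it out */

static void render_start(void *self)  { ((struct rendering *)self)->frames++; }
static void render_finish(void *self) { (void)self; }
static void hook_render_finish(void *self) { (void)self; }   /* stand-in for a cheat's hook */

/* Legitimate VMT (0 = RenderStart, 1 = RenderFinish). Writable here only so
 * the demo can simulate tampering; in a real binary it lives in .rdata. */
vfn rendering_vmt[2] = { render_start, render_finish };

struct vmt_snapshot { const vfn *table; vfn entries[2]; };
enum vmt_verdict { VMT_OK = 0, VMT_POINTER_SWAPPED = 1, VMT_ENTRY_REPLACED = 2 };

/* Record the table's address and a copy of its entries. */
void snapshot_vmt(struct vmt_snapshot *snap, const vfn *table)
{
    snap->table = table;
    memcpy(snap->entries, table, sizeof snap->entries);
}

enum vmt_verdict check_object(const struct rendering *obj, const struct vmt_snapshot *snap)
{
    if (obj->vmt != snap->table)                  /* object points at a copied table */
        return VMT_POINTER_SWAPPED;
    for (size_t i = 0; i < 2; i++)
        if (obj->vmt[i] != snap->entries[i])      /* an entry was overwritten in place */
            return VMT_ENTRY_REPLACED;
    return VMT_OK;
}

/* 0: untouched object, 1: VMT pointer redirected to a patched copy,
 * 2: entry 1 of the real VMT overwritten. Returns the check's verdict. */
enum vmt_verdict scenario(int which)
{
    struct vmt_snapshot snap;
    vfn shadow[2];
    struct rendering obj = { rendering_vmt, 0 };
    enum vmt_verdict v;
    snapshot_vmt(&snap, rendering_vmt);           /* taken before any tampering */
    if (which == 1) {
        memcpy(shadow, rendering_vmt, sizeof shadow);
        shadow[1] = hook_render_finish;
        obj.vmt = shadow;
    } else if (which == 2) {
        rendering_vmt[1] = hook_render_finish;
    }
    v = check_object(&obj, &snap);
    rendering_vmt[1] = render_finish;             /* restore for the next scenario */
    return v;
}

int main(void)
{
    for (int i = 0; i < 3; i++)
        printf("scenario %d: verdict %d\n", i, (int)scenario(i));
    return 0;
}
```

Comparing the VMT pointer itself is what catches the hook-table variant, which leaves the original table untouched and would pass an entries-only check.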
[Figure: VMT hooking via a hook table. The original vmt (pointers to function01, function02, function03) is left intact; the object is redirected to a copied hook table in which the function02 entry points to hook instead.]
Chapter 4
Anti-Cheating software
Anti-cheating software is designed as a countermeasure against cheating
in competitive online games. Technical implementations of anti-cheats
are very similar to anti-viruses. A typical anti-cheat checks the player's
computer for known cheat software. The action taken after a cheat is
detected varies between anti-cheats and is part of their different
strategies.
Unlike an anti-virus, an anti-cheat works in a hostile environment.
Cheats are designed to have superior system permissions and are therefore
able to manipulate the anti-cheat to make its detection methods ineffective.
An anti-cheat can also be split into multiple modules, each having a different level of integration. For example, a game can be
protected by a user mode service, with an additional kernel mode layer and
server-side analysis of incoming client network data.
Game server integration
To be effective, an anti-cheat must also be integrated into game servers,
where it is used to deny access to players who are banned from playing online (Figure 4.1). It is also used to verify that the client-side part of the anti-cheat is active and functional while connecting to a secured game server.
This minimal functionality can also be extended with features which
give game server administrators the ability to perform additional anti-cheat
checks on a specific player, for example to request a capture of the player's
game screen.
Banning strategy
Once an anti-cheat detects a cheat, an action can be performed either immediately or at some point in the future. There can be various reasons to delay the action against a player who was detected using a
cheat. It can be a technical reason, to leave room for manual analysis of the detection to ensure the detection was correct, or it can be part
of a long-term anti-cheat strategy. Typically bans are permanent or at least
one year long.
[Figure 4.1: the game client with its anti-cheat module; game traffic flows between the game and the game server, while the anti-cheat sends scan reports to the anti-cheat master server.]
4.1 Comparison of anti-cheats

Anti-cheat        Company                  No. games  Client integration  Availability
Valve Anti-cheat  Valve Corporation        320+       User mode           Steam games
Punkbuster        Even Balance             17         User mode           Commercial
Warden            Blizzard Entertainment   6          User mode           Blizzard games
GameGuard         Inca Internet            320+       Kernel mode         Commercial
HackShield        AhnLab                   200+       Kernel mode         Commercial
ESL Wire          Turtle Entertainment     35+        Kernel mode         ESL League
ESEA Client       E-Sports Entertainment   3          Kernel mode         ESEA League
EasyAntiCheat     EasyAntiCheat            13+        Kernel mode         Commercial
BattleEye         BattlEye Innovations     3          Kernel mode         Commercial
FairFight         GameBlocks               5+         Server only         Commercial
Chapter 5
Analysis of Valve Anti-Cheat
Since the library file is part of the Steam client, a Steam client update
is required to update the anti-cheat.
Chapter 6
Conclusion
The most common cheat software techniques were described in this thesis.
Several methods of code injection and function hooking were described
and used to develop simple cheat software for the Source Engine. Special attention was devoted to current anti-cheat software, and one of them was
analyzed by reverse engineering to find out how effective current
cheat detection mechanisms are. Some suggestions were made to improve
its detection methods.
Cheat and anti-cheat developers are both starting to take advantage
of implementing their software in kernel mode. Kernel mode offers access to the whole computer memory and gives an anti-cheat a huge advantage
over the most common cheats. Anti-cheat measures shouldn't depend only
on kernel mode access; the anti-cheat strategy should be included in
the development cycle of a game. Game developers should be aware of the possibilities of client modifications which allow players to cheat. A balance
should be found between client- and server-side processing of the game
environment to minimize the possibilities of cheating while not dramatically
increasing the cost of running a game server.
This work may be followed by describing kernel mode cheats and
methods of detecting them.
Bibliography
[1] MAKUCH, Eddie. US government recognizes League of Legends players as pro athletes [online]. 2013-7-12. Url: <http://www.gamespot.com/articles/us-government-recognizes-league-of-legends-players-as-pro-athletes/1100-6411377/> [2014-10-30].
[2] GRAYSON, Nathan. Top Counter-Strike Players Caught In Big Cheating Scandal [online]. 2014-11-24. Url: <http://kotaku.com/top-counter-strike-players-caught-in-big-cheating-scand-1662810816> [2014-11-11].
[3] MICROSOFT. Virtual Address Space [online]. Url: <http://msdn.microsoft.com/en-us/library/windows/desktop/aa366912> [2014-11-05].
[4] MICROSOFT. User mode and kernel mode [online]. Url: <http://msdn.microsoft.com/en-us/library/windows/hardware/ff554836> [2014-11-05].
[5] SELNA, James. Blizzard Entertainment Inc v. Ceiling Fan Software LLC et al [online]. 2013-09-23. Url: <http://legal.ceilingfansoftware.com/docs/147%20Order%20Granting%20Blizzard%27s%20Motion%20for%20Summary%20judgment%20and%20Denying%20Defendants%27%20Motion%20for%20Summary%20Judgment%20%282013-09-24%29.pdf> [2014-12-21].
[6] CAMPBELL, David. MDY Industries, LLC v. Blizzard Entertainment, Inc. et al [online]. 2008-07-14. Url: <http://docs.justia.com/cases/federal/district-courts/arizona/azdce/2:2006cv02555/322017/82/> [2014-12-21].
[8] MICROSOFT. Driver Signing Requirements for Windows [online]. Url: <http://msdn.microsoft.com/en-US/library/windows/hardware/dn653563> [2014-11-07].
[9] HOWARD, Michael. Address Space Layout Randomization in Windows Vista [online]. 2006-05-26. Url: <http://blogs.msdn.com/b/michael_howard/archive/2006/05/26/address-space-layout-randomization-in-windows-vista.aspx> [2014-12-01].
[10] VALVE. SDK Docs [online]. 2013-12-10. Url: <https://developer.valvesoftware.com/wiki/SDK_Docs> [2014-12-01].
[11] VALVE. Valve Anti-Cheat System (VAC) [online]. 2014-12-01. Url: <https://support.steampowered.com/kb_article.php?ref=7849-Radz-6869> [2014-12-01].
[12] VALVE. Steam Family Sharing [online]. Url: <http://store.steampowered.com/promotion/familysharing> [2014-12-20].
[13] MEER, Alec. Valve offers free game after 12,000 false Steam bans [online]. 2010-07-27. Url: <http://www.gamesindustry.biz/articles/valve-offers-free-game-after-12-000-false-bans> [2014-12-06].
[14] VALVE. An issue with your computer is blocking the VAC system. You cannot play on secure servers. [online]. Url: <https://support.steampowered.com/kb_article.php?ref=2117-ILZV-2837> [2014-12-20].
[15] NEWELL, Gabe. Valve, VAC, and trust [online]. 2014-02-18. Url: <http://www.reddit.com/r/gaming/comments/1y70ej/valve_vac_and_trust> [2014-12-20].