}w


!"#$%&'()+,-./012345<yA|

M ASARYK U NIVERSITY
FACULTY OF I NFORMATICS

Analysis and detection of online

game cheating software
B ACHELOR THESIS

Tomas Curda

Brno, 2014

Declaration
Hereby I declare, that this paper is my original authorial work, which I
have worked out by my own. All sources, references and literature used
or excerpted during elaboration of this work are properly cited and listed
in complete reference to the due source.

Advisor: RNDr. Petr Svenda,

Ph.D.
ii

Acknowledgement

I would like to thank my thesis advisor RNDr. Petr Svenda,

Ph.D. for his
support and help.

iii

Abstract
The main goal of this thesis is to describe behavior of typical cheating
software used in competitive online computer games. The first part describes a implementations of cheat software in Windows operating system environment and introduces tools used for developing cheats. Second part describes most common techniques used by cheat software. It
explains how cheat software gains access to games process and memory. It also describes methods that cheats use to modify games behavior.
The last part introduces most common anti-cheat services. One of them
is analyzed by using reverse engineering in order to find out how effective are current anti-cheat technologies and what can be done to improve
them.

iv

Keywords
online games, cheat, anti-cheat, code injection, function hooking

Contents
1
2

Introduction . . . . . . . . . . . . . . . . . . . . . . .
Cheat software . . . . . . . . . . . . . . . . . . . . .
2.1 Cheat software in Windows operating system .
2.1.1 External vs Internal cheats . . . . . . . .
2.1.2 User mode vs Kernel mode . . . . . . .
2.2 Cheats and Exploits . . . . . . . . . . . . . . . .
2.3 Tools . . . . . . . . . . . . . . . . . . . . . . . .
2.3.1 Cheat Engine . . . . . . . . . . . . . . .
2.3.2 IDA . . . . . . . . . . . . . . . . . . . . .
2.3.3 ReClass . . . . . . . . . . . . . . . . . . .
2.4 Availability of cheats . . . . . . . . . . . . . . .
2.5 Legal aspect . . . . . . . . . . . . . . . . . . . .
3 Most common techniques used by cheats . . . . . .
3.1 Code injection into a remote process . . . . . .
3.1.1 DLL injection via CreateRemoteThread
3.1.2 Injection of arbitrary code . . . . . . . .
3.1.3 Injection via thread hijacking . . . . . .
3.2 Function hooking . . . . . . . . . . . . . . . . .
3.2.1 Inline hooking . . . . . . . . . . . . . . .
3.2.2 Virtual method hooking . . . . . . . . .
3.3 Game engine exploiting . . . . . . . . . . . . .
3.3.1 Source Engine . . . . . . . . . . . . . . .
4 Anti-Cheating software . . . . . . . . . . . . . . . .
4.1 Comparison of anti-cheats . . . . . . . . . . . .
5 Analysis of Valve Anti-Cheat . . . . . . . . . . . . .
5.1 Client-Side implementation . . . . . . . . . . .
5.2 Process monitoring . . . . . . . . . . . . . . . .
5.3 Code blacklisting . . . . . . . . . . . . . . . . .
5.4 Integrity checking . . . . . . . . . . . . . . . . .
5.5 Environmental checking . . . . . . . . . . . . .
5.6 Kernel mode cheats detection . . . . . . . . . .
5.7 Suggested improvements . . . . . . . . . . . .
6 Conclusion . . . . . . . . . . . . . . . . . . . . . . . .

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

2
3
4
4
5
5
5
6
7
9
9
10
12
12
13
15
17
18
19
20
24
25
27
27
32
32
34
35
35
36
37
38
40

Chapter 1

Introduction
Video game industry has grown significantly over the last decade. More
and more games are now providing online mode for playing against
other players. This provides great opportunities for competitive games
which gained huge popularity in last few years. Competitive gaming is
now recognized as a professional sport in U.S [1]. With increased amount
of players playing competitively, money involved in tournaments and
every year increasing prize pools, its now an attractive target for players who are trying to exploit those games with cheats.
The motivation behind creation and usage of cheats is profit. Cheat
developers are either developing their own cheats for their needs or providing cheating services to any player who can pay for the access without any knowledge of developing them. Several specialized websites are
dedicated to providing their own cheat software. A price of such software varies depending on features provided by those cheats and their
protection against anti-cheat detections. Some of them are designed to
be used in tournaments and leagues and there are known cases of professional players using cheats [2].
Cheating is often not taken seriously by game developers although it
has huge negative impact on a game. Most games are blindly relying on
third party anti-cheat solutions which is often not enough to stop cheats
which are getting more sophisticated. Much like anti-virus companies,
anti-cheat detections are constantly bypassed and new detection methods must be developed in order to detect latest cheats.
This thesis describes basics of online game cheating problem and explains current situation in arms race between cheat and anti-cheat creators. Simple game cheat source code is included as example usage of
techniques described in this thesis. Most common gaming environment
is described, i.e. an Intel-x86 game application running on Windows.
2

Chapter 2

Cheat software
Cheat is anything that can be used by a player to gain an unfair gameplay advantage. Cheats are sometimes included by game developers
in singleplayer games but are strictly forbidden in multiplayer games.
Cheat software described in this thesis is a software which modifies game
environment in a way not indented by game developers to give player
an unfair gameplay advantage against other players. This unfair advantage can be provided by:

displaying critical gameplay information which would be normally

hidden from the player

modifying game behavior to allow player to perform actions which

wouldnt normally be available

automating client actions, simulating mouse movements and keyboard presses

Methods similar to methods used by a typical malware are used by

cheat software to achieve those actions. Those are, but not limited to:

code injection into remote process

manipulation of remote process code and data

installation of services and drivers into operating system

changes to operating system configuration to hide cheat existence

The main difference is that cheats are executed with full knowledge
of the user with a purpose of cheating in a computer game.
3

2. C HEAT SOFTWARE

2.1 Cheat software in Windows operating system

Just like malware, cheat software has to work around security protections of an operating system. In Windows operating system various techniques are used to ensure system stability. One of them is concept of process isolation. Every process is assigned a private range of virtual memory which can be only accessed by the owning process. Its called virtual
address space [3].
Memory regions inside process address space are additionally protected by memory protection constants, limiting what operations can be
performed on a memory region. For example writing into a memory region marked as read-only or executing a memory region not marked as
executable will fail.
If a process, for instance a debugger, needs to access address space
of another process it has to do it explicitly via provided Windows API
functions. These functions are also used by cheats to access game process
address space.

2.1.1 External vs Internal cheats

Typical and most straightforward way to inject a cheat code into another
process is by creating a Dynamic-link library (DLL) and forcing game
process to load this DLL. In this case cheat code operates in games process and has access to its whole address space just like the original game
code. Cheat code can directly read all data structures, modify them and
directly call game functions. In such case it is called Internal cheat. Another process, an injector, is then used to inject cheat code into game
process. Injector usually terminate itself after the code injection is completed. There are several methods of code injection and most common
are described in part three of this thesis.
Another case are External cheats. In this case a cheat is compiled as
an executable and runs as separate process with its own address space.
Once the process terminates, the cheat stops operating. All memory operations between cheat process and the game are executed remotely, using Windows API functions.
In both cases a new process is created to execute cheat code. In case
of Internal cheat the process can exit immediately after code injection,
4

2. C HEAT SOFTWARE
while External cheat has its process running the whole time. The difference between External and Internal approach is whether cheat is running
inside the games address space or not.
2.1.2 User mode vs Kernel mode
In Windows operating system there is a major difference between a code
running in user mode and code running in kernel mode [4]. Cheat developers take advantage of using kernel mode since it brings advantages
over user mode solutions:

cheat code and data arent accessible to programs running in user

mode

cheat has full access to whole computer memory

cheat can change behavior of Windows API functions, preventing

attempts of detecting the cheat from user mode

2.2 Cheats and Exploits

A game exploit is a glitch or a bug in game code which can be used by
players to gain an unfair competitive advantage. While typical exploits
can be abused by a normal game actions, there are many exploits which
can be only exploited via direct memory modification or game function
call with unexpected parameters.

2.3 Tools
Since majority of games do not have source code available, in order to
understand game internals and stored gameplay-critical data a cheat developer needs to use reverse engineering tools to identify location and
structures of such data. The most common tools used are Cheat Engine,
IDA Pro and ReClass.
5

2. C HEAT SOFTWARE
2.3.1 Cheat Engine
Cheat engine1 is an open-source tool designed for modifying computer
games behavior. It can be used to modify specific game variables and
structures inside game memory, such as player health, speed, amount
of gold etc, in order to make game easier or harder. Originally designed
for singleplayer games as author claims on his website, its also working
in online games, where its often used to change behavior of a clients
part of the game. For example in the game Team Fortress 2, just one
byte memory patch allows player to enable a developer mode in which
player can then see other players trough walls (Figure 2.1).

Figure 2.1: Example usage of memory patching.

The main functional parts of this program are memory scanner, memory viewer and debugger. Memory scanning function has various filters
which allow a user to find addresses of specific game variables and structures (Figure 2.2). Memory viewer (Figure 2.3) allows a user to display
and modify whole game memory, even read-only memory, so user is able
to patch functions to behave differently. Debugger part can set breakpoints on functions, detect changes of specific game variables and list all
functions which access them.
1. Available from: http://www.cheatengine.org/

2. C HEAT SOFTWARE

Figure 2.2: Cheat Engine main window.

Cheat engine also works as a DLL injector. User can select any DLL
file on his computer and Cheat Engine will force a game to load this
DLL. Cheat Engine comes with several pre-made DLLs which can then
be used to provide more features. For example a DLL which enables
cheats, such as speedhack which enables player to move faster in-game,
or a DLL which prevents Cheat Engine to be detected by a game.
2.3.2 IDA
IDA2 is a popular disassembler and debugger. It is used for both static
and dynamic analysis of binaries whose source code isnt available. IDA
2. Available from: https://www.hex-rays.com/products/ida/

2. C HEAT SOFTWARE

Figure 2.3: Memory viewer in Cheat Engine.

is commercial, offers a demo version and an older version is available

for free.
Disassembler portion of IDA is able to create a graphical representation of function in assembly language from instructions stored inside binary file. User is able to rename generated variables and function names
to make assembly more readable. From the disassembled assembly code
its even able to generate an decompiled C-like source-code, which might
look similar to the original source code. As a debugger, IDA can be attached to a running process and user is then able to set breakpoints directly into previously analyzed assembly code.
IDA makes reverse engineering much easier and is a standard for
malware analysis. For same reasons cheat developers are using IDA to
reverse engineer games and anti-cheat services.
8

2. C HEAT SOFTWARE
2.3.3 ReClass
ReClass3 is an open-source tool for reverse engineering unknown data
structures and classes inside game memory. Once user attaches program
into a game process and enters address of a data structure he can start
describing structure members (Figure 2.4).

Figure 2.4: Data representing a game structure.

Program allows user to extend size of unknown data structure, add
new members, change type of structure members until structure represents reasonable data. Described data structure can be also exported into
c-like structure.

2.4 Availability of cheats

Cheats can come from different sources. Depending on a way that users
obtain a cheat, three categories exists:
1.

Public cheats
Available on public websites and forums as either compiled binaries, ready to compile projects or code examples.

3. Available
from:
http://www.unknowncheats.me/forum/generalprogramming-and-reversing/104942-reclass-x64.html

2. C HEAT SOFTWARE
http://unknowncheats.me (2000) - forum and community focused on cheating on multiplayer games, whole content of website
is created by its users who post their cheats (database of more than
9800 cheats and tools), tutorials and source codes, users share their
research on newly released games and anti-cheats, site is powered
by donations.
http://cheathappens.com (2001) - provides free and paid cheats
based on game memory patching, despite claim that they only provide cheats for singleplayer games, some of their cheats do work
in multiplayer mode.
http://mpgh.net (2002) - forum focused on cheating in multiplayer games, forum has over 2.9 million of registered members
who share their cheats and tutorials, site is powered by advertisements.
2.

Private cheats (Commercial)

Companies providing ready to use cheat packages, cheat users are
required to purchase it or pay monthly subscriptions to gain access
to the cheat. Commercial cheats typically come with some kind of
piracy protection (i.e. DRM) and are constantly updated by their
authors to keep their cheats undetected.
http://hackforums.net/ (2005) - a hacking forum with over 2
million registered members and 43 million threads created. Except
computer hacking forum is also about programming, gaming and
graphic design. Forum also works as a black market where people
can buy various hacking programs including a cheat software for
popular online games.

3.

Private cheats (Personal)

Developed and used by single individual.

2.5 Legal aspect

Its common practice to legally protect a game from cheat providers (and
by extension players exploiting it with cheats) by explicitly forbidding
such actions via the end-user license agreement (EULA). This gives game
10

2. C HEAT SOFTWARE
publisher legal ground to punish player by denying his access to multiplayer part of the game (a.k.a ban).
Legal battles between game owners and cheat providers arent very
common. The most common legal method to fight cheats from a legal
standpoint is the Digital Millennium Copyright Act (DMCA) Takedown.
This indirect approach is used in the USA to take down sites and services which are distributing game cheats and exploits on legal grounds
of copyright law.
Blizzard Entertainment, Inc. (Blizzard) is known to be active in using law to enforce cheats sites and services to be shut down. In 2008
they won a 2 years long legal battle against MDY Industries, LLC (MDY)
which used to sell cheats for Blizzards popular game World of Warcraft
(WoW). Court concluded that by providing the cheat, MDY is guilty of
tortious interference as MDY knowingly aided WoW players in violating
Blizzards EULA. MDY assisted players in gaining an unfair advantage
over other WoW players and also helped players to avoid detection by
Blizzard [6]. Another case from 2013 against Ceiling Fan Software LLC
(CF) was also successful for Blizzard. Just like in previously stated case,
CF was found guilty of tortious interference [5].
The main problem of fighting cheats with lawsuits is the fact that
cheat providers are hosting their services in various countries with different laws. Another problem is that once a cheat provider is forced to
close its service, it is often promptly replaced by a new one which makes
legal battles ineffective as a long term strategy.

11

Chapter 3

Most common techniques used by cheats

There are several Windows API functions which can be used for manipulation with other processes. Before they can be used on certain process,
a process handle must be created with OpenProcess function.
OpenProcess requires PID of the process and required access flag.
Flags should reflect what we plan to do inside the remote process. Cheat
typically need to read process memory, write into it and create remote
threads.
There are several cases when Windows will refuse to create a handle,
for example when User Account Control (UAC) is enabled and process
runs under a unprivileged user, the user will not be able to create handle
to process ran by SYSTEM or Administrator.
Reading and writing into remote process is done via ReadProcessMemory and WriteProcessMemory. Both functions require a process handle, address in remote process address space and local buffer which will
hold input or output data. Just by using those three Windows API functions its possible to write a program which will read and write remote
data into a remote process based on a local process algorithm.
To modify static data and code, memory protection must be disabled.
This is done by calling VirtualProtect function for local process address
space and VirtualProtectEx for remote process address space.

3.1 Code injection into a remote process

First step before injecting a code into remote process is generating the
code which will be injected. The easiest way is to write a DLL and then
force a remote process to load it. Another approach would be writing a
code in assembly language, compiling it into raw binary code and writ12

3. M OST COMMON TECHNIQUES USED BY CHEATS

ing this raw code into remote process address space. Assembly code can
be compiled for example with Flat assembler1 , which is open-source x86
assembly code compiler.
3.1.1 DLL injection via CreateRemoteThread
When a process needs to load certain DLL file it uses the LoadLibrary
function to do so. LoadLibrary maps a DLL library into the address space
of a calling process and returns handle to the loaded DLL, which can be
then used to for example to call its exported functions.
To remotely execute LoadLibrary function inside different process
a CreateRemoteThread Windows API function can be used. This technique of DLL Injection is the most straightforward way how a process
can force another process to inject a foreign DLL file. Function has 7 parameters but only 3 of them are important for this method. Those are:
1.

a process handle created by OpenProcess function

2.

pointer of function from remote process address space of a function

which will be executed

3.

pointer to argument which will be used as parameter for executed

function, zero if no argument should be passed

CreateRemoteThread only has up to one parameter. This in turn means

that its only possible to remotely execute functions with either one or
zero parameters. LoadLibrary function has exactly one parameter, which
is a filesystem path to a DLL file.
To perform this method the injection code must:
1.

Open a handle to remote processes.

2.

Write a path to the DLL file which should be injected into address
space of remote process.

3.

Create a new thread by calling CreateRemoteThread, where parameters would be the handle to remote process, pointer to LoadLibrary function and pointer to the DLL path string.

1. Available from: http://flatassembler.net/

13

3. M OST COMMON TECHNIQUES USED BY CHEATS

1

HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, false,

processId);

The path to the DLL file can be written anywhere inside remote process address space if is memory region marked as writeable. Alternatively its possible to allocate a writable memory region inside remote
process with VirtualAllocEx.
1

LPVOID remotePath = VirtualAllocEx(process, NULL,

strlen(filepath) + 1, MEM_COMMIT, PAGE_READWRITE);

2
3
4

if(!remotePath)
return NULL;

5
6
7

if(!WriteProcessMemory(process, remotePath,
(LPVOID)filepath, strlen(filepath) + 1, NULL))
return NULL;

Next step is getting LoadLibrary location in the remote address space.

LoadLibrary is exported function of Kernel32.dll library. Since Windows
Vista, Address space layout randomization technique is used, which cause
libraries which are compiled to support this technique, to be placed in
random position in a process address space. Randomization only happens at a boot time, this means every time a process loads specific DLL,
it will be placed at the same randomized address [9]. If we get address
of LoadLibrary inside our local process, same address will work across
all running processes.
1

FARPROC loadLibraryAddress =
GetProcAddress(GetModuleHandle("KERNEL32.DLL"),
"LoadLibraryA");

Remote thread can be now created which will execute LoadLibrary function with custom DLL path as a parameter.
1
2

HANDLE hThread = NULL;

if(!(hThread = CreateRemoteThread(process, NULL, NULL,
(LPTHREAD_START_ROUTINE)loadLibraryAddress,

14

3. M OST COMMON TECHNIQUES USED BY CHEATS

remotePath, NULL, NULL)))
return NULL;

DLL will be now loaded by remote process. Code can then, for example,
wait for thread to finish, get return value of LoadLibrary function, free
allocated memory region and close process handle.
1

WaitForSingleObject(hThread, INFINITE);

2
3
4
5

DWORD exitcode = NULL;

if (!GetExitCodeThread(hThread, &exitcode))
return NULL;

6
7

CloseHandle(hThread);

8
9
10

if(!VirtualFreeEx(process, remotePath, 0, MEM_RELEASE))

return NULL;

11
12

return exitcode;

3.1.2 Injection of arbitrary code

This method is based on writing and executing a raw byte array into
remote process. Byte array can represent just one function written in assembly language. One of the usage cases of this method is bypassing
one parameter limitation of CreateRemoteThread injection method. To
call a method with multiple parameters its possible to write a parameter wrapper over this method with one or zero parameters. The wrapper
will store function call of the original function and the essential parameters as local constants. To achieve this the injection code must:
1.

Allocate a writeable and executable memory region in a remote

process

2.

Modify constant data in the wrapper function to point to correct

data in remote process

3.

Execute wrapper function in remote process by creating a new

thread
15

3. M OST COMMON TECHNIQUES USED BY CHEATS

Example wrapper of MessageBox function:
1
2
3
4
5
6
7

push 0x30 // MB_ICONWARNING

push 0 // window caption
push 0xcccccccc // window text
push 0 // main window handle
mov eax, 0xffffffff // address of MessageBox function
call eax // call the function
ret // return

Flat assember produces following byte code:

1
2
3
4
5
6
7
8

byte wrapper[19] = {
0x6A, 0x30,
0x6A, 0,
0x68, 0xCC, 0xCC, 0xCC, 0xCC,
0x6A, 0,
0xB8, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xD0,
0xC3 };

Aditionally, the memory region of remote process allocated for the wrapper code must be marked as executable. This is due to Data Execution
Prevention (DEP) security feature included in Windows systems [7].
1

LPVOID remoteWrapper = VirtualAllocEx(process, NULL,

sizeof(wrapper), MEM_COMMIT, PAGE_EXECUTE_READWRITE );

MessageBox has to display some text, which must be as well allocated and written into remote process. Address of this text is passed to
MessageBox as second parameter (0xcccccccc) in the assembly code.
1

char* text = "Injected Hello World!";

2
3

LPVOID remoteText = VirtualAllocEx(process, NULL,

sizeof(text)+1, MEM_COMMIT, PAGE_READWRITE );

4
5

WriteProcessMemory(process, remoteText, (LPVOID)text,

strlen(text)+1, NULL);

16

3. M OST COMMON TECHNIQUES USED BY CHEATS

Address of the allocated text in remote process will be replaced with
0xcccccccc constant. Same for address of MessageBox function in the remote process, which will be the same as an address in the local process
(as explained in 3.1.1). Variable wrapper is stored in read-only memory.
Memory protection must be adjusted first to allow editing via VirtualProtect function.
1

VirtualProtect(wrapper, sizeof(wrapper), PAGE_READWRITE,

NULL);

2
3
4

*(DWORD*)(wrapper + 5) = (DWORD)remoteText;
*(DWORD*)(wrapper + 12) =
(DWORD)GetProcAddress(LoadLibrary("USER32.DLL"),
"MessageBoxA");

Wrapper is now ready to be written into the allocated memory region

and remotely executed.
1

WriteProcessMemory(process, remoteWrapper,
(LPVOID)wrapper, sizeof(wrapper), NULL);

2
3

CreateRemoteThread(process, NULL, NULL,

(LPTHREAD_START_ROUTINE)remoteWrapper, NULL, NULL,
NULL);

3.1.3 Injection via thread hijacking

In some cases a cheat or an injector may not be able to create new threads
in a remote process. This might be due to an anti-virus or anti-cheat protection for example. In such case, instead of creating a new thread, one
of already existing threads inside remote process can be manipulated to
execute remote code.
Every thread has a defined state which is represented by its thread
context which contains state of all thread registers. Windows provides
GetThreadContext and SetThreadContext functions which are used to
retrieve and modify thread context. To achieve this method the injection
code must:
17

3. M OST COMMON TECHNIQUES USED BY CHEATS

1.

Suspend remote process main thread

2.

Get threads current context

3.

Modify EIP (instruction pointer) register to point to custom code

4.

Resume thread

Example source code:

SuspendThread(threadHandle);

1
2

CONTEXT context;
memset(&context, NULL, sizeof(context));
context.ContextFlags = CONTEXT_ALL;
GetThreadContext(threadHandle, &context);

3
4
5
6
7

context.Eip = remoteFunction;

8
9

SetThreadContext(threadHandle, &context);
ResumeThread(threadHandle);

10
11

Handles to all threads inside a remote process can be retrieved by

Thread32First and Thread32Next WinAPI functions.

3.2 Function hooking

Function hooking is used to modify behavior of an existing software of
which we dont have source code. Hook is a function which is added
to existing software code in other to replace functionality of an existing
function. There are various methods to modify software in order to call
a hooked function instead of the original one. A new hooking methods
are developed in order to bypass an anti-cheat detections. Cheats often
use function hooking to modify:
1.

scene rendering function to display hidden information about other

players

2.

models and textures rendering function to draw transparent walls

18

3. M OST COMMON TECHNIQUES USED BY CHEATS

3.

user input collecting function to fake mouse movements and keyboard pressses

4.

Windows API functions behavior in order to bypass anti-cheat detections

Legitimate applications also use function hooking such as debuggers

and profilers. For example application Fraps2 uses function hooking on
a scene drawing function in order to display information about game
rendering performance (Frames Per Seconds).
Those techniques are also used by malware, which do not limit themselves to only a runtime modification of running processes but also infecting files stored on a physical media. In case of cheats it is unfeasable
to modify game files in order to hook functions or any other method of
code modification due to ease of detection of such integrity violation.
3.2.1 Inline hooking
Inline hooking (also known as detours) takes control of a code flow right
after an original function is called. First five bytes of original function
are replaced with unconditional jump to a hook function. This ensures
that every time original function is called, the hook function will start
executing instead.
Hook function cannot call original function as it would produce infinite recursion. To solve this problem a trampoline function is created.
This function contains first five bytes of the original function which were
overridden by the unconditional jump followed by a jump to next instruction in the original function after those modified 5 bytes. Figure 3.1
displays a diagram representing how inline hooking works.
Another limitation to consider is that a memory which contains executable code is typically marked as read-only. To bypass this, protection
flags can be adjusted to allow modifications of a memory page.
1

VirtualProtect(originalFunction, sizeof(byte) * 5,
PAGE_EXECUTE_READWRITE, NULL);

2. Available from: http://fraps.com/

19

3. M OST COMMON TECHNIQUES USED BY CHEATS

after hooking

before hooking

originalFunction:

originalFunction:

push 0x1000a433
mov eax, 0x1000
call eax
ret

jmp hook
mov eax, 0x1000
call eax
ret

hook:
custom code ...
jmp trampoline

trampoline:
push 0x1000a433
jmp originalFunction + 5

Figure 3.1: Inline hooking.

Libraries with inline hooking functionality
Microsoft Detours3 is a library which provides inline hook functionality
for 32bit and 64bit applications. It is commercial software which also
provides a version for non-commercial usage.
The function responsible for hooking is called DetourAttach.
1

LONG DetourAttach(PVOID *ppPointer, PVOID pDetour);

First parameter is pointer to a pointer to originalFunction. Second

parameter is pointer to a hook function.
Alternatively Deviare In-Process4 can be used which provides similar
functionality and its available under GPLv3 license.
3.2.2 Virtual method hooking
Virtual Method Table (VMT) implementation itself is dependant on a
compiler used. Although most implementations are very similar, some
compilers for example handle multiple inheritance differently. Following text will be describing Microsoft Visual C++ (MSVC) implementa3. Available
detours/
4. Available
windows/

from:

http://research.microsoft.com/en-us/projects/

from:

http://nektra.com/products/deviare-api-hook-

20

3. M OST COMMON TECHNIQUES USED BY CHEATS

tion.
Virtual methods are implemented as indirect calls through VMT. VMT
is implemented as an array of function pointers with static indexes determined on a compile time and is stored in read-only memory region.
Pointers inside VMT are ordered in same order as they are specified in
class definition. A code calling virtual function only needs a pointer to
an instance and a function index. Pointer to VMT is stored as a hidden
first member in the class instance. All instances of one class use the same
VMT. If VMT is modified, it will affect all instances. Figure 3.2 displays
diagram representing implementation of virtual method table.

before hooking:

object

virtual method table

pointer to vmt

pointer to function01

pointer to function02

function01:
....

function02:
....

pointer to function03

Figure 3.2: Virtual method table.

Hooking method based on replacing function pointer inside virtual

method table.
Assuming a code needs to hook the RenderFinish method of following
object:
1
2
3
4
5
6

class Rendering
{
public:
virtual void RenderStart() { };
virtual void RenderFinish() { printf("Original
function called\n"); };
};

21

3. M OST COMMON TECHNIQUES USED BY CHEATS

If an address of virtual method table is known, for example by reverse engineering the code, it can be used directly or it can be obtained
from object instance:
1
2
3
4

//accesing first member of the object to get address

of virtual method table
void** vmtTable = (void***)instance[0];
void* function02 = vmtTable[1]; //backing up pointer
to the second function
...

Just like reading the pointer value, it can also be modified. Note that
this part of the memory is read-only and therefore memory protection
must be adjusted before the pointer can be modified. Hook in this case
is a function of which pointer will be placed into VMT instead of the
pointer to original function RenderFinish.
1
2

DWORD origProtection = 0;
VirtualProtect(&vmtTable[1], sizeof(void*),
PAGE_EXECUTE_READWRITE, &origProtection);

3
4

vmtTable[1] = &Hook;

5
6

VirtualProtect(&vmtTable[1], sizeof(void*),
origProtection, NULL);

A hook must have exactly the same number of parameters and use
same calling convention [? ]. Virtual functions are usually using thiscall
calling convention which allows callee to pass this pointer via ECX register. This calling convention isnt guaranteed to be used and as it depends on compiler optimizations. Before replacing a function in VMT a
calling convention should be verified by using reverse engineering.
MSVC will not allow a function to be explicitly defined as thiscall.
There are two calling conventions, compatible with thiscall, which can
be used instead. First is stdcall, which does not directly provide this
pointer but can be obtained by accessing ECX register via assembly. Second is fastcall which passes first two parameters via ECX and EDX registers.
22

3. M OST COMMON TECHNIQUES USED BY CHEATS

1
2
3

typedef void ( __thiscall* Virtual_t )( void* thisptr );

Virtual_t original = (Virtual_t)function02;

4
5
6
7
8

//stdcall variantion
void __stdcall Hook() {
DWORD instance;
_asm mov instance, ECX

function02(instance); //calling original function

printf("Hook function called\n");

10
11
12

13
14
15
16
17
18

//fastcall variantion
void __fastcall Hook(void* thisptr, int edx) {
function02(thisptr); //calling original function
printf("Hook function called\n");
}

Once the hooking is done, calling RenderFinish willl produce following

output:
1
2

Original function called

Hook function called

Figure 3.3 represents hooking via VMT function pointer replacement.

after hooking:
object
pointer to vmt

virtual method table

function01:
....

pointer to function01

pointer to hook

hook:
....

pointer to function03
function02:
....

Figure 3.3: Replacing function pointer inside VMT.

23

3. M OST COMMON TECHNIQUES USED BY CHEATS

Hooking method based on replacing pointer to virtual method table
inside object.
Another approach is to create a copy of original VMT and keep the original VMT untouched. All instances of a class must be modified so their
pointer to VMT points to the copy of VMT. This approach require hooking code to have access to all instances, but has a huge advantage of
modifying the read-only memory.
1
2

void** vmtTable = (void***)instance[0];

int vmtSize = 2;

3
4
5

void* hookTable = new void*[vmtSize];

memcpy(hookTable, vmtTable, sizeof(void*) * vmtSize);

6
7
8

//replacing VMT pointer to point to new VMT

(void***)instance[0] = hookTable;

9
10
11

//replacing pointer to a first function in new VMT

hookTable[1] = &Hook;

Figure 3.4 represents hooking via replacing VMT pointer.

3.3 Game engine exploiting

In this case we think of a game engine as a software which provides functionality cheat developers typically need to have in a working game. This
usually includes scene rendering, physics, sounds, scripting, networking, etc.
While reusing an game engine helps significantly with a development of a game, it also makes it easier to develop a cheat for it. If technical details about specific game engine are known, creating a cheat for
any game using that engine is a trivial task.
A good example of this are Call Of Duty game series. Every Call
of Duty game is using the same game engine albeit this engine gets improved every year and introduces new features. Because of this, its very
easy to create cheats due to public information available about prior versions of the engine collected after years of reverse engineering. This al24

3. M OST COMMON TECHNIQUES USED BY CHEATS

after hooking:
object

virtual method table

pointer to hook table

pointer to function01
pointer to function02

function01:
....

function02:
....

pointer to function03

hook table
pointer to function01

pointer to hook

function01:
....

hook:
....

pointer to function03

function02:
....

Figure 3.4: Replacing VMT pointer inside object.

lowed private cheat provider www.artificialaiming.net (who is
providing cheats for Call of Duty series) to develop a cheat for a new
title Call of Duty: Modern Warfare 2 in less than 24 hours after game
release date.
Games based on same engine also tend to share the same game engine bugs. If a game engine happens to have a bug, the bug could get
exploited across all games based on that engine.
3.3.1 Source Engine
Source engine is a game engine created and developed by Valve Corporation (Valve). It comes with Source SDK which can be used to build
mods or even whole new games based on Source Engine [10].
Source engine is highly modularized. Every part of engine (rendering, networking, physics, sounds, etc. ) has a independent interface which
communicates with other and are used by game code. Source SDK provides access to those interfaces via C++ header files and pointers to their
25

3. M OST COMMON TECHNIQUES USED BY CHEATS

instances. The easiest way to gain control over a game is to get access to
game engine interfaces and modify them.
Every engine DLL which provides interfaces has exported function
CreateInterface. Prototype of this function is :
1

void* CreateInterface(const char* name, int*

returnCode);

First parameter is a string constant telling the function which interface

and version of the interface is requested. Function returns pointer to
instance of the requested interface. All instances this function returns
pointer to are singletons, this means whole game code uses the same instance. Example cheat code, which is attached to this thesis, works by
modifying virtual method table of those interfaces.

26

Chapter 4

Anti-Cheating software
Anti-Cheating software is designed to be a countermeasure for cheating
in competitive online games. Technical implementations of anti-cheats
are very similar to anti-viruses. Typical anti-cheat is checking players
computer for known cheat software. Actions followed after a cheat is
detected varies between anti-cheats and is part of different anti-cheat
strategies.
Unlike an anti-virus, an anti-cheat is working in hostile environment.
Cheats are designed have superior system permissions and are therefore
able to manipulate anti-cheat to make its detection methods ineffective.

4.1 Comparison of anti-cheats

Anti-cheat software is typically required to be active when player wants
to play online with other players. Anti-cheat can be either provided by a
game owner and be therefore builtin into the game or it can be required
to be installed as a specialized software before player is able to join specific game server or participate in a tournament. Various anti-cheat softwares can differ in several ways and therefore various categories of anticheats services exist. Table 4.1 lists most common anti-cheat services.
Client side integration
Depending on how integrated is clients part of anti-cheat on players
machine we can distinguish three categories.
1.

Zero client integration

Anti-cheat without any code running on clients part. Typically
based on analyzing clients behavior by verifying incoming client
27

4. A NTI -C HEATING SOFTWARE

network data. In this case client doesnt have access to anti-cheat
code and therefore cheat developer doesnt know which client behavior triggers a detection or a time when anti-cheat is updated.
2.

User mode client integration

Anti-cheat implemented as a running process or a system service.
Has limited access to computer memory.

3.

Kernel mode client integration

Anti-cheat implemented as a driver, running in kernel address space
and therefore having access to whole computer memory. Most effective solution, but possibly a source of system instability.

Anti-cheat can be also split into multiple modules with each module having different level of integration. For example a game can be
protected by user mode service, with additional kernel mode layer and
server-side analyze of incoming client network data.
Game server integration
To be effective, an anti-cheat must also be integrated into game servers
where its used to deny access of players who are banned to play online (Figure 4.1). It is also used to verify that client-side part of anticheat is active and functional while connecting to a secured game server.
This minimal functionality can be also extended with features which
give game server administrators ability to perform additional anti-cheat
checks of a specific player. For example to request a capture of players
game screen.
Banning strategy
Once anti-cheats detects a cheat, an action can be either performed immediately or rather can be performed in the future. There can be various reason why delay the action against player who was detected to use
cheat. It can be either technical reason, to create space for manual analysis of the detection to ensure the detection was correct, or it can be part
of long term anti-cheat strategy. Typically are bans permanent or at least
one year long.
28

4. A NTI -C HEATING SOFTWARE

client
scan

game
anti-cheat

game traffic

game server

player status query

scan report

anti-cheat
master server

Figure 4.1: Typical anti-cheat implementation in server-client online

game.
Ban details sharing
Once a player is banned or kicked from a game, anti-cheat can either
provide player details about his violation, such as name of the detected
program or the detection method used. The fact that player was banned
can be announced to other players, for example in-game or on a games
official website.
License and pricing
A game developer usually relies on third party anti-cheat service instead
of developing its own. There are various anti-cheat providers with different licensing and pricing. For leagues it is typical to provide their own
anti-cheat solutions.
29

4. A NTI -C HEATING SOFTWARE

One game usually have one anti-cheat, but depending on requirements a game server owner can use anti-cheat provided by game developer and additionally purchase license for another anti-cheat with
higher level of client side integration to for example provide better security on a tournament. If a different anti-cheat service is found to be
active in players computer anti-cheats are typically adjusting their behavior to prevent false detections.
While using third party anti-cheat service, game developer typically
doesnt have access to any administrative part of the anti-cheat. If he
wants the anti-cheat to detect specific cheat he must send it to company
who provides the anti-cheat service for analysis.

30

Company
Valve Corporation
Even Balance
Blizzard Entertainment
Inca Internet
AhnLab
Turtle Entertainment
E-Sports Entertainment
EasyAntiCheat
BattlEye Innovations
GameBlocks

No. games
320+
17
6
320+
200+
35+
3
13+
3
5+

Client integration
User mode
User mode
User mode
Kernel mode
Kernel mode
Kernel mode
Kernel mode
Kernel mode
Kernel mode
Server only

Table 4.1: List of most common anti-cheat services.

Availability
Steam games
Commercial
Blizzard games
Commercial
Commercial
ESL League
ESEA League
Commercial
Commercial
Commercial

31

4. A NTI -C HEATING SOFTWARE

Anti-cheat
Valve Anti-cheat
Punkbuster
Warden
GameGuard
HackShield
ESL Wire
ESEA Client
EasyAntiCheat
BattleEye
FairFight

Chapter 5

Analysis of Valve Anti-Cheat

Valve Anti-Cheat (VAC) is an anti-cheat system developed and operated
by Valve Corporation. It was designed to punish players who are using cheats while playing online matches against other players by permanently banning them from playing the game online. It is integrated into
Steam client and currently supports over 320 games on Steam. It works
by scanning players computer to find known cheats. It is designed to
only ban for cheats that are in database of known cheats [11].
Every player is required to have registered Steam account, linked to
his purchased copy of a game. Once a known cheat is detected to be active on players computer, players Steam account is marked for future
ban. Player is then given opportunity to play with the marked Steam account for a few more days giving him a false idea that the cheat remains
undetected. Once the players Steam account gets banned, no ban details are provided to him and he must create a new Steam account and
repurchase the game. Cheat providers typically provide detection status
of their cheats, either detected, undetected or unknown, based on ban reports from the cheat users. This information might be highly inaccurate
because of the delay between detection and the actual ban.

5.1 Client-Side implementation

VAC is implemented as a library which operates in user mode and uses
various scan methods to detect cheat programs running on a players
computer. Since a game is not guaranteed to be running with elevated
privileges, it cannot operate within boundaries of the games memory
space and instead it is running inside Steam.exe hence all memory operations are executed remotely. If Steam happens to be ran with a limited
32

5. A NALYSIS OF VALVE A NTI -C HEAT

permissions SteamService.exe which is registered as a Windows service
comes into play.
VAC is currently used in two versions, VAC2 and VAC3. VAC2 client
hasnt been updated for a while and is probably only used for legacy
reasons. Reading compile date inside PE Header of latest VAC2 library
reveals that it was compiled on 03/11/2010.
The main difference between second and third version is the way
how Steam loads them. VAC2 is implemented as a single DLL called
sourceinit.dat which is located in Steam directory. Once a game is ran, a
function inside Steamclient.dll copies this DLL into system temp directory with a random name and loads it via LoadLibrary function.
This approach has multiple disadvantages:
1.

Since the library file is part of Steam client, a Steam client update
is required to update anti-cheat

2.

Whole anti-cheat code is stored in users machine therefore its

much easier to analyze/circumvent it

3.

Its trivial to detect anti-cheat updates (by using file checksum)

Contrary to VAC2s approach, VAC3 uses totally different method of

loading. This time the loading function is located inside Steamservice.dll
and VAC library isnt stored locally but downloaded from Steam servers
and loaded on-the-fly anytime during playing a VAC protected game
using Injection of arbitrary code method.
This new approach solves all previously mentioned disadvantages of
VAC2 loading method:
1.

VAC library isnt part of Steam client, it can be updated anytime or

even multiple libraries can be loaded at the same time

2.

Instead of having single VAC library it can be split into multiple

VAC libraries so cheat developer never has access to whole anticheat code at once

3.

Specific VAC libraries can be used just on a small subset of total

players playing the game so cheat developer cannot be sure if and
when a new library has been released
33

5. A NALYSIS OF VALVE A NTI -C HEAT

The structure of VAC library is very similar between VAC2 and VAC3,
the main difference being that instead of holding whole anti-cheat like in
VAC2, VAC3 usualy contains only one or two scan functions at the time.
Once a VAC library is loaded, an exported function runfunc is called
to execute a cheat scan.
The implementation prototype of this function is:
1

int runfunc(int scanId, void* VACPacket, int packetSize,

void* responseBuffer, int responseSize);

int scanId - id of the scan the server wants VAC to execute

void* VACPacket - structure holding parameters for the scan function,
for example PID of the external process anti-cheat wants to analyze
int packetSize - size of VACPacket structure
void* responseBuffer - structure holding result of the scan functions
int responseSize - responseBuffer size
Return value can be either:
1 - scan function executed and responseBuffer holds valid data
2 - unknown error
3 - unknown scanId
4 - packetSize or responseSize is too small
Loaded libraries are also ready to execute different scans with different parameters at anytime on servers request.

5.2 Process monitoring

Process monitoring is important for detecting external cheats, cheat injectors and other suspicious programs which could be used for accessing game address space. It ensures that when a player runs a suspicious
program, it gets reported to VAC servers with additional data required
to identify the program.
VAC is only active after a player joins a VAC secured game server.
Because of this, the process monitor is implemented inside Steam client
which allows Process monitor to detect suspicious programs even before a game starts. Once a suspicious process is detected, it is put on a
34

5. A NALYSIS OF VALVE A NTI -C HEAT

list which is accessed by VAC once a player connects to a VAC secured
gameserver. VAC then collects information about those programs and
sends a report about them to VAC servers. If those programs are then
identified as cheats, player gets banned for cheating.
First part of process monitor implementation is listener of a process
creation and termination events. If the process is created during critical
time interval, for example right before a player starts a game or later
when is game running, the process gets marked as a candidate for a later
VAC scan.
Second part is implemented in Steam API library which is loaded
by a game. Steam API library is running inside a game address space
therefore it is able to detect creation of new local threads and handles
created by other programs. A process gets marked for a later VAC scan if
it creates a new thread inside a game or creates a handle via OpenProcess
function.

5.3 Code blacklisting

Code injection, especially DLL injection is often used by legitimate programs, for example anti-virus software. Because of this, detection of injected code is be based on blacklisting of known libraries and binary
code.
VAC is scanning whole games address space to detects all loaded
DLL files and all executable memory regions. Function GetMappedFileName is called for all memory regions. If memory region represents a
mapped file, typically a loaded DLL, GetMappedFileName returns a full
file path to the file. Both the mapped memory region and the file are
hashed and reported to VAC servers for identification. If memory region
does not belong to a mapped file, but contains a section marked as executable, it is suspicious and further analysis is performed on the memory
region by VAC.

5.4 Integrity checking

Integrity checking is a process of validation of integrity of a game code
and static data. All game DLL files are scanned and their read-only sec35

5. A NALYSIS OF VALVE A NTI -C HEAT

tions, typically .text and .rdata, are hashed and compared to their local
copy on the disk. This effectively works against hooking methods which
are based on modifying read-only data. Further analysis of the modified
memory modification is then performed to distinguish between a modification created by a cheat and possible memory corruption. While this
method is effective in detecting new cheats, it is widely known to cheat
developers and is also prone to result in a false-positive detection [13].
Figure 5.1 shows error caused by modification of critical game DLL
files from game Counter-Strike.

Figure 5.1: Integrity check of local files.

5.5 Environmental checking

Cheat developers are often configuring operating systems on which their
cheats are deployed to make VAC scans non-functional or less effective. The most common requirement by private cheats providers is that
users disable DEP in order to allow cheat to hide its code in memory
regions that are not marked as executable. This effectively circumvents
code blacklisting technique mentioned above. Cheats operating in kernel mode arent typically signed by certificate, therefore require user to
disable Signed Driver Enforcement to allow unsigned drivers to be used
in Windows operating system [8].
Environmental checking is partially done on the client-side, where
specific VAC modules check current system settings, and also on serverside, where VAC servers check reports sent by VAC modules. If VAC
36

5. A NALYSIS OF VALVE A NTI -C HEAT

happens to find incorrect system configuration or VAC server receive
incorrect or corrupted results, player will not be able to play on VAC
secured servers until the issue, which prevents VAC from working, is
fixed [14]. Figure 5.2 shows error caused by disabling DEP.

Figure 5.2: VAC environmental checking.

5.6 Kernel mode cheats detection

VAC runs in user mode and hence it does not have access to Kernel mode
address space. This makes any Kernel mode code blacklisting impossible and therefore detecting specific Kernel mode cheat require to create
specific method of detection.
Even when is cheat running in Kernel mode it affects user space environment, for example by creating new files, registry entries, etc. which
can be detected by user mode applications. Every User mode change
done by kernel cheat can be used for creating a detection method. In
spite of this, cheat developers typically react fast on new detection methods and work on minimizing detection vector of their cheats. There are
known cases of specialized VAC modules used to detect kernel mode
cheats. The most recent one was module which scanned local DNS cache.
Module was looking for specific DNS records of known cheat DRM servers.
Gabe Newell (co-founder of Valve) once said about kernel mode cheats:
,,Kernel-level cheats are expensive to create, and they are expensive to
detect. Our goal is to make them more expensive for cheaters and cheat
37

5. A NALYSIS OF VALVE A NTI -C HEAT

creators than the economic benefits they can reasonably expect to gain.
[15].

5.7 Suggested improvements

Further analysis of VAC revealed several parts of the service which could
be modified to increase its effectiveness.

Alternative Steam accounts

Cheaters are aware of the risk of getting their Steam account banned. For
that reason they create secondary Steam account which are dedicated
for playing with cheats. If their cheat gets detected only the secondary
Steam account gets banned. Following this pattern, typical cheater has
main Steam account with most of his purchased games, which isnt used
for cheating. And he keeps cheating on secondary Steam accounts which
he recreate them every time his cheat gets detected. Changing banning
policy to also ban main Steam accounts of those who were banned multiple times on different Steam accounts will decrease financial benefits
from cheating. Steam already does similar thing via their Family Sharing
program. Family Sharing allows two Steam accounts to share one purchased game copy. If one of the Steam accounts happens to be banned
for cheating, second Steam account gets banned as well [12].

Usage of collected data for later analysis

Once a cheat is added into a database of know cheats, from that time
any player that will be caught using the cheat will be punished for using
it. The problem is that a player must be caught cheating after the cheat
was added into the database of known cheats. To remove this limitation
VAC could store previously collected data about suspicious programs
and loaded modules, which were detected on players computer and
compare their hashes with just added cheat detection. This way VAC
could punish all users of the cheat, and not just those who kept using it
after the detection was added.
38

5. A NALYSIS OF VALVE A NTI -C HEAT

Detection of common function hooks
The hooking method described in section 3.2.2 is currently undetected
by VAC as it does not modify read-only memory. A sample code attached
to this thesis demonstrates one possible way of detecting this hooking
method by comparing allocation base of the object and VMT.
Kernel mode
As a part of long term solution VAC could include kernel module to extend current user mode detection mechanism into kernel address space.

39

Chapter 6

Conclusion
Most common cheat software techniques were described in this thesis.
Several methods of code injecting and function hooking were described
and used to develop simple cheat software for Source Engine. Special attention was devoted to current anti-cheat software and one of them was
analyzed by reverse engineering to find out how effective are current
cheat detection mechanisms. Some suggestions were made to improve
its detection methods.
Cheat and anti-cheat developers are both starting to take advantage
of implementing their software for kernel mode. Kernel mode offers access to whole computer memory and gives anti-cheat a huge advantage
over most common cheats. Anti-cheat measures shouldnt only depend
on kernel mode access but the anti-cheat strategy should be included in
development cycle of a game. Game developers should be aware of possibilities of client modifications which allow players to cheat. A balance
should be found between client and server-sided processing of the game
environment to minimize possibilities of cheating while not dramatically
increasing cost of running a game server.
This work may be followed by describing kernel mode cheats and
methods of detecting them.

40

Bibliography
[1] MAKUCH, Eddie. US government recognizes League of
Legends players as pro athletes [online]. 2013-7-12. Url:
<http://www.gamespot.com/articles/us-governmentrecognizes-league-of-legends-players-as-proathletes/1100-6411377/> [2014-10-30].
[2] GRAYSON, Nathan. Top Counter-Strike Players Caught In
Big Cheating Scandal [online]. 2014-11-24. Url: <http:
//kotaku.com/top-counter-strike-players-caughtin-big-cheating-scand-1662810816> [2014-11-11].
[3] MICROSOFT. Virtual Address Space [online]. Url: <http:
//msdn.microsoft.com/en-us/library/windows/
desktop/aa366912> [2014-11-05].
[4] MICROSOFT. User mode and kernel mode [online]. Url:
<http://msdn.microsoft.com/en-us/library/
windows/hardware/ff554836> [2014-11-05].
[5] SELNA, James. Blizzard Entertainment Inc v. Ceiling Fan Software LLC et al [online]. 2013-09-23. Url:
<http://legal.ceilingfansoftware.com/docs/147%
20Order%20Granting%20Blizzard%27s%20Motion%
20for%20Summary%20judgment%20and%20Denying%
20Defendants%27%20Motion%20for%20Summary%
20Judgment%20%282013-09-24%29.pdf> [2014-12-21].
[6] CAMPBELL, David. MDY Industries, LLC v. Blizzard Entertainment, Inc. et al [online]. 2008-07-14. Url: <http:
//docs.justia.com/cases/federal/district-courts/
arizona/azdce/2:2006cv02555/322017/82/> [2014-12-21].
41

[7] MICROSOFT. Data Execution Prevention [online].

<http://msdn.microsoft.com/en-us/library/
windows/desktop/aa366553> [2014-11-07].

Url:

[8] MICROSOFT. Driver Signing Requirements for Windows [online]. Url: <http://msdn.microsoft.com/en-US/library/
windows/hardware/dn653563> [2014-11-07].
[9] HOWARD, Michael . Address Space Layout Randomization in Windows Vista [online]. 2006-05-26. Url: <http:
//blogs.msdn.com/b/michael_howard/archive/2006/
05/26/address-space-layout-randomization-inwindows-vista.aspx> [2014-12-01].
[10] VALVE. SDK Docs [online]. 2013-12-10. Url: <https:
//developer.valvesoftware.com/wiki/SDK_Docs> [201412-01].
[11] VALVE. Valve Anti-Cheat System (VAC) [online]. 2014-12-01.
Url: <https://support.steampowered.com/kb_article.
php?ref=7849-Radz-6869> [2014-12-01].
[12] VALVE. Steam Family Sharing [online]. Url: <http://store.
steampowered.com/promotion/familysharing> [2014-1220].
[13] MEER, Alec. Valve offers free game after 12,000 false Steam bans
[online]. 2010-07-27. Url: <http://www.gamesindustry.biz/
articles/valve-offers-free-game-after-12-000false-bans> [2014-12-06].
[14] VALVE. An issue with your computer is blocking the VAC
system. You cannot play on secure servers. [online]. Url:
<https://support.steampowered.com/kb_article.
php?ref=2117-ILZV-2837> [2014-12-20].
[15] NEWELL, Gabe. Valve, VAC, and trust [online]. 2014-02-18. Url:
<http://www.reddit.com/r/gaming/comments/1y70ej/
valve_vac_and_trust> [2014-12-20].

42