Reverse engineering Call of Duty anti-cheat
222 comments
January 20, 2025
jagrsw
ryao
Could it be that Gabe Newell is a nice guy?
jagrsw
It's possible, but it's also important to be aware of the business side of things.
Valve makes a significant amount of money from in-game transactions, and some of their practices around this are shady. Issues like kids using their parents' CCs, gambling industry built around in-game items, and the potentially addictive nature of colorful virtual items marketed towards kids are valid concerns.
So, while gaben might be nice, it's unlikely that this gets in the way of Valve's drive to maximize profits in every way they can legally get away with.
hnuser123456
That email address goes to a team of people, but if you send something substantial and well-meaning, they'll look into it.
solarkraft
He does respond to minor inquiries frequently, but do remember that his company supports a gigantic predatory underage gambling market.
Levitating
> supports a gigantic predatory underage gambling market
Last year Valve updated their code of conduct and effectively banned gambling. They've also been known to send cease-and-desist orders to various CS:GO gambling sites.
So I wouldn't say that they support it, though for much time they weren't actively combating it either.
lostlogin
I’ve tried searching and found the below, is that the sort of thing you mean?
https://www.seattletimes.com/business/bellevue-game-maker-va...
DiggyJohnson
You could say “support a virtual market with insufficient controls” and be more truthful and engender a more productive discussion. They’ve come down pretty heavily on the gambling side, no?
johnisgood
>I suspect this was because Valve was preparing to launch the Steam Deck, and gaben wanted to ensure that Linux users had better experience with the device (just a guess).
Wait, how does punishing Linux users ensure Linux users have a better experience?
Interesting though.
LanceH
Probably meant that fixing it quickly was for the steam deck users. It might not have received attention otherwise.
skizm
> dropping to yellow and then red
How do you know what your trustfactor is? Or were you just speculating because the quality of games was lower? As far as I understand TF is hidden specifically so it can't be gamed.
llucy3
In CS, the difference between high and low Trust is very noticeable; it's a big change when your games with silent / mostly-nice teammates and enemies start to become slur-fests. The value itself is not visible to the end-user, but its effects are certainly felt.
PinkSheep
Now that you've written it out, it explains why my solo games are better than when we queue with a friend, who never plays outside our games together. And I end up promising "I just had nice team mates the last game!" :)
bingo-bongo
Someone mentioned how they were testing it in the linked Github issue: https://github.com/ValveSoftware/csgo-osx-linux/issues/2630#...
EDIT: formatting x 2
alkonaut
Cheating is ultimately a human problem. You can have some safeguards and heuristics like the ones the article describe, to weed out 90% the most blatant cheaters, so I think anticheats like these are fundamentally a good thing. But the anti-cheat can and should err on the safe side because ultimately it should be the players and admins themselves that sort this out.
Online multiplayer games must (yes must) take place on servers with human admins. Admins should be present for a majority of the time any players are playing.
Ideally with admins the players recognize. Bonus points if players themselves can perform some moderation when no admin is present (votekick, voteban etc). There is no difference between kicking cheaters and kicking people who are abusing chat etc. Obviously this means that "private" or "community" servers are the only viable types of server for online multiplayer games.
This process of policing cheaters and other abuse can not be something that is done via a reporting system and handled asynchronously. Kicking/banning must be done by the admins of the game, and it must be handled quickly.
If you are considering buying/playing an online multiplayer game and it doesn't have this functionality (e.g. the only way to play online is via matchmaking on servers set up by the publisher, and the only way cheaters and chat abusers are policed is via some web form) then please, avoid that game. Vote with your wallet.
dpig_
> Online multiplayer games must (yes must) take place on servers with human admins.
The sheer scale of this arbitrary requirement is hilarious.
alkonaut
This was the norm. It just changed in the last few years (say, 10). And it could be the norm again. I still play games with zero cheaters because I return to the same server every night, playing against 63 other players where I usually have seen most of them before. And there is usually an admin there, or someone who can ping one if needed.
I have no idea why this changed in more recent games. While every other online thing moved to have users create content and self-moderate, games for some reason moved the other direction.
alstonite
So I just checked the player count of Counter-Strike 2. It's at 936,330 players. At 10 players per match, that's a requirement of 93,633 game moderators...
Trying to also account for total players in every other competitive game seems like an impossible ask.
johnmaguire
> I have no idea why this changed in more recent games.
I thought the reasons were basically:
(a) accessibility - running a game server requires some technical knowledge, and if you're doing it from home, possibly changes to your network (and home connections likely won't have as good of routing)
(b) cheat detection - since the server is run by the game developers, it's easier to find misbehaving clients and ban them across all servers.
(c) DRM - it's harder to crack a game that has to sign-in to cloud servers.
dpig_
I also miss the server browser. That said, there is no world in which it could ever become the norm again. It essentially died in the same wave as personal blogs and other casualties of Web 2.
ThatMedicIsASpy
When you go back this was the norm. You go to irc, search in #5on5: high server on (counter-strike 1.6)
You either have a server and they come to you, or you don't and message people. If they/you feel like they're hacking, go next. There were tons of servers where you had admins all the time.
Human admins still can only see the obvious spin/aimbots.
Companies took this from us as hosting your own servers is rarely an option these days and you rely on the company never shutting them down.
eertami
> If they/you feel like are hacking go next.
This here is why I find matchmaking is such a frustrating experience at high ELO compared to the old times. With an IRC scrim you aren't held hostage by blatant cheaters, you just leave - but on matchmaking, you cannot choose to forfeit and have to waste 30 minutes or be penalised.
I only play with a 5 stack so us choosing to leave doesn't ruin anyone's experience. I kept two CS accounts (same rank) purely so that we could skip the cooldown and requeue if the opponent had blatant cheaters/spinbots.
mvdtnz
It's not that long ago this was the norm.
dpig_
Yep, I remember. It was nice to play regularly on a server with names you came to recognise. That will never be the norm again though unfortunately. It still exists in the indie space, however, like for example on VR games such as Pavlov where the playerbase is too small for formal matchmaking.
dylan604
> Online multiplayer games must (yes must) take place on servers with human admins. Admins should be present for a majority of the time any players are playing.
> Ideally with admins the players recognize.
Let's just make each game have a visible referee that is visible to everyone, and then after each infraction, the play can be reviewed under a video assistant. They can even have a group that does nothing but moderates the referees.
Or, we could just have games.
dsjoerg
Why do you think human admins are the only viable solution? Plenty of games thrive without them—e.g., Apex Legends uses robust reporting and anti-cheat systems, and Rocket League's moderation is largely automated yet effective.
alkonaut
Depends on how the game works, I suppose. Mostly it depends on whether a cheater would ruin one short game, or many hours of games. I usually find async reporting useless because it already ruined my evening (this is under the assumption I'm playing a server and have no interest playing anywhere else, but a single cheater can ruin the game for everyone for a whole day). Whether that cheater gets disciplined later doesn't help anyone in that scenario unless they were kicked from the game right away.
Hikikomori
Apex had plenty of cheaters when I played it, if there's a cheater and they're not detecting it there's not much I can do, just 20-30 minutes wasted.
If it's a server with admins I can contact them on discord and get them banned pretty quickly. As a system it worked pretty well, had some badmins but there was plenty of servers so could just join another. Though it's not really compatible with the matchmaking style games we have today.
snet0
I don't think you appreciate:
1. How many active Apex/whatever games there are at any one time
2. How many users will just report anyone they die to as a cheater
jokoon
I agree for the most part, there are other ways, like a phone number, manual verification with a photo, require players to play 10hr before they can play competitive, have a recommendation from other players, etc, or even a pay-once 5 dollars game pass on top of all those things.
Although I recommend you to watch the valve presentation of AI anti cheat if you did not already. Their work is quite interesting, and they claim they catch 99% of cheaters.
Although obviously there are also very subtle ways to cheat, too.
mdswanson
A 2-year legal battle with Activision to overturn a false permanent ban. Activision showed up with zero evidence of cheating and lost: https://antiblizzard.win/2025/01/18/my-two-year-fight-agains...
amatecha
The exact same thing happened to me with League of Legends. I was inexplicably banned for cheating, despite never having done any such thing (and despite regularly playing on three accounts (this is fully permitted), the other two of which were not banned!) Their support people repeatedly said "we reviewed your case and the ban is correct", etc. all the while giving zero information about what I did so I could correct it. I have a couple of the rarest skins in the game, and have played thousands of hours since 2009. I only play ARAM, so the suggestion I was risking my account of great sentimental value by cheating at the most casual mode in the game is beyond ridiculous. Anyway, nothing in gaming has ever stressed me out more. I got unbanned solely because of a contact in the industry who had it looked into, and the ban was inexplicably lifted. I still play, but I think about the false ban almost every time, and League will probably be the last competitive multiplayer game I ever put any time towards. Part of me doesn't want to play it anymore because I dread that happening again. :(
MetaWhirledPeas
I feel that. I'm not against playing video games, but I'm uneasy about getting too attached to virtual property, considering it's controlled by a gaming company who has no obligation to you and no inclination to keep games alive beyond their shelf life.
To be fair though, real life property is only slightly less ephemeral.
arminiusreturns
I'm working on something that allows you to mirror your online (my game world) virtual "possessions" locally, open-source, free, forever.
amatecha
Yeah for real, my Steam account could just be erased and I instantly lose like $1000 of games I "bought" (by some vague definition of the word). As soon as online-only services started becoming more prevalent, it became quickly apparent how ephemeral they are, and how unilaterally they can be taken away from me with zero recourse. "Don't get too attached", as they say >_>
jajko
Maybe take it as a signal from the universe that intense gaming is a waste of life and a net loss for you? I know it's harsh, and double that in a gaming thread, but I don't see any other way. We don't talk 3-5h a week, and it seems neither are you.
You will almost certainly badly regret it when on that proverbial death bed and most probably well before that; life goes darn fast and the feeling of losing out in the most important aspect of our existence - how well we live our lives - is soul crushing. It's not that gaming hard is bad per se (apart from addictions and abysmal effect on health), but you are losing out on much better aspects of life which are just out there for the grab.
Or don't take my word, just check what old people regret in their lives. Sure gaming is not there yet, but it will find its place firmly among too much work and not spending enough time on family and relationships, which are consistently on top.
stronglikedan
> gaming is waste of life and a net loss for you?
Is it? Can you share peer reviewed sources? In my experience, it's been quite the opposite.
amatecha
I play games very little, a few hours a week. I am very social and not lacking in that area -- don't worry about me lol :) I don't engage in "intense gaming", notice how I said I've played since 2009, that's 16 years ago :P
darksaints
I got a false permanent ban as well. Despite the fact that cheating is damn near impossible on consoles, and the fact that I worked way too long to get to an absolutely mediocre rank (gold 1) on ranked play, and the fact that I had never even had a warning or complaint for any behavior whatsoever, they permanently banned me with no explanation.
Unlike the blogpost, I just decided I would just never spend any money on an Activision product ever again. It's what everybody should do.
gambiting
>>Despite the fact that cheating is damn near impossible on consoles
Unfortunately, aim assist devices for consoles are very widespread now and a big problem for competitive gaming.
>>I had never even had a warning or complaint for any behavior whatsoever
That's the gold standard in the industry though, you don't warn(suspected) cheaters to not give them opportunity to adjust their tactics. Sorry you got caught by this unfairly.
AnthonyMouse
> That's the gold standard in the industry though, you don't warn(suspected) cheaters to not give them opportunity to adjust their tactics.
Is this supposed to do any good? The actual cheater is still getting a signal that they've been detected, because they get banned. Then they figure out how, make a new account and go back to cheating.
Meanwhile the normal user is both confused and significantly more inconvenienced, because their rank etc. on the account you falsely banned was earned legitimately through hard work instead of low-effort cheating.
buzer
> This ban also ruined other games for me. If I ever did well in a game, someone would look at my profile to see how many hours I have and instantly see the red marker that shows “I am a cheater”.
I wonder if that label can be considered to be libel. Probably harder in the US, but from what I understand in UK (or just England?) the defendant must prove that it's true.
ArnoVW
In the UK though, computer data is proof. If the computer says you cheated, it's proven.
This is about to change though, since the national postal service got a whole bunch of people convicted of fraud based on a system they knew was buggy.
shit_game
For context, (I assume) this is referencing the Horizon IT Scandal in which faulty accounting software used by post offices in the UK indicated there were financial discrepancies suggesting embezzlement, and over 900 innocent people were convicted of crimes that never happened.
b3lvedere
Holy ….. what a fight you had to do. So glad I hardly play any multiplayer shooter games. I'd hate to have my insane Steam library stripped away from me.
minihat
His steam library was not restricted, just the game in which he was accused/banned.
cwillu
And his account was publicly flagged as being a known cheater, which affected other games: https://antiblizzard.win/2025/01/18/my-two-year-fight-agains...
b3lvedere
Apologies. I stand corrected. Thank you for this insight.
xnorswap
This is worthy of its own submission, a very interesting post.
jokoon
Interesting article
Maybe he was banned because as a developer, he had development tools installed on his machine, which increased the odds of him being labeled as a potential cheater.
Sometimes I even wonder if other hackers could not hack the machine or other players, to install a software that triggers anti-cheat system: it becomes then difficult to lift the ban.
HideousKojima
>Sometimes I even wonder if other hackers could not hack the machine or other players, to install a software that triggers anti-cheat system: it becomes then difficult to lift the ban.
This appears to be the case in Apex Legends: https://old.reddit.com/r/CompetitiveApex/comments/1bhicc6/cl...
Also I wish more "good" hackers were in games, like the guy in GTA Online I ran into once who was shooting me with a money machine gun because Rockstar are greedy assholes.
bunnybender
> Also I wish more "good" hackers were in games, like the guy in GTA Online I ran into once who was shooting me with a money machine gun because Rockstar are greedy assholes.
Eh? Rockstar doesn't force you to buy Shark Cards, and everyone has gotten 11 years worth of DLCs for free. Making in-game money IS an essential part of the game. You also don't have to purchase every single vehicle or other item the game offers.
During my years of playing, I've met only a few cheaters who weren't complete douchebags (though some of them did act that way towards other players). I consider the "good" cheater to be a myth.
fuzzy2
Interesting stuff! Though I don’t get why b00lin would have to prove that they weren’t cheating. This is not a criminal case, but still. Activision was denying access to a service that was paid for.
ArnoVW
Cheating was not allowed according to the terms and conditions.
MisterTea
I wonder how these anti-cheat tools are impacted by flatpak and its partial sandboxing. Otherwise they sound quite invasive.
adiabatichottub
I'm very curious about the jump obfuscation. Maybe somebody who's done more reverse-engineering can answer this for me:
a) Are unconditional jumps common enough that they couldn't be filtered out with some set of pre-conditions?
b) It seems like finding the end of a function would be easy, because there's a return. Is there some way to analyze the stack so that you know where a function is returning to, then look for a call immediately preceding the return address?
Apologies if I'm wrong about how this works, I haven't done much x86 assembly programming.
mahmoudimus
There's some other cool tricks you can do, where you symbolically execute using angr or another emulator such as https://github.com/cea-sec/miasm to be able to use control flow graph unflattening. You can also use Intel's PIN framework to do some interesting analysis. Some helpful articles here:
- https://calwa.re/reversing/obfuscation/binary-deobfuscation-...
- https://www.nccgroup.com/us/research-blog/a-look-at-some-rea...
russdill
Unconditional jumps are very common and everything in x86 assembly is very very messy after optimizations. Many functions do not end in ret.
jychang
How do functions that do not end in ret work?
mananaysiempre
A function with an unlikely slowpath can easily end up arranged as

    top part
    jxx slow
    fast middle part
    end:
    bottom part
    ret
    slow:
    slow middle part
    jmp end

There may be more than one slow part, the slow parts might actually be exiled from inside a loop and not a simple linear code path and can themselves contain loops, etc. Play with __builtin_expect and objdump --visualize-jumps a bit and you'll encounter many variations.
DSMan195276
In addition to what others said, I'd simply point out that all 'ret' does on x86 is pop an address off the top of the stack and jump to it. It's more of a "helper" than a special instruction and its use is never required as long as you ensure the stack will be kept correct (such as with a tail-call situation).
duskwuff
The return is somewhere before the end of the function, e.g.

    loop:
    do stuff
    if some condition: return
    do more stuff
    goto loop

Alternatively, the function might end with a tail-call to another function, written as an unconditional branch.
jcranmer
There are things like compiling a tail call as JMP func_addr.
to11mtm
My gut (been a while since I've been that low level) is various forms of inlining and/or flow continuation (which is kinda inlining, except when we talk about obfuscation/protection schemes where you might inline but then do fun stuff on the inlined version.)
ngneer
If compilation uses jmp2ret mitigation, a trailing ret instruction will be replaced by a jmp to a return thunk. It is up to the return thunk to do as it pleases with program state.
0xC0ncord
This video[1] on reverse-engineering parts of Guitar Hero 3 covers a few similar techniques that were used to heavily obfuscate the game code that you might find interesting.
maldev
A few common issues.
1. Some jumps will be fake.
2. Some jumps will be inside an instruction. Decompilers can't handle two instructions at the same location (like jmp 0x1234: you skip the jmp op and assume 0x1234 is a valid instruction).
3. The stack will be fucked up in a branch, but it is intentional, to cause an exception. So you can either nop an instruction like lea RAX, [rsp + 0x99999999999] to fix decompilation, but then you may miss an intentional exception.
IDA doesn't handle stuff like this well, so I have a Binary Ninja license, and you can easily make a script that inlines functions for their decompiler. IDA can't really handle it since a thunk (chunk of code between jmps) can only belong to one function, and the jmps will reuse chunks of code between each other. I think most people don't use it since there was a bug with Binary Ninja in Blizzard games, but they fixed it in a bug report a year or so ago.
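Added example, not code from this thread or from any anti-cheat: a tiny x86 decoder that demonstrates two of the jump tricks discussed in this subthread (a jmp over a junk byte, and a jmp whose target lies inside the jmp's own bytes so two instructions share a byte) and the "follow the jmps and inline the chunks" pass that a deobfuscation script performs. Only a handful of real x86 encodings are decoded (nop, ret, jmp rel8/rel32, je/jne rel8, mov eax imm32, xor eax,eax, inc eax); anything else is shown as a raw byte. The byte strings are constructed for the example, not taken from any game. Fake jumps (opaque predicates) are out of scope here; that is where the symbolic execution mentioned upthread comes in.

```python
"""Linear sweep vs. control-flow-following disassembly on x86 jump tricks."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Insn:
    addr: int
    size: int
    text: str
    target: int | None = None  # branch target, if this is a jump
    ends_flow: bool = False    # ret or unconditional jmp: no fall-through


def _imm(code: bytes, addr: int, width: int, signed: bool) -> int | None:
    """Little-endian immediate at addr, or None if the buffer is truncated."""
    raw = code[addr:addr + width]
    if len(raw) != width:
        return None
    return int.from_bytes(raw, "little", signed=signed)


def decode_one(code: bytes, addr: int) -> Insn:
    """Decode one instruction from a small subset of real x86 encodings."""
    op = code[addr]
    nxt = code[addr + 1] if addr + 1 < len(code) else None
    if op == 0x90:
        return Insn(addr, 1, "nop")
    if op == 0xC3:
        return Insn(addr, 1, "ret", ends_flow=True)
    if op == 0xEB and (rel := _imm(code, addr + 1, 1, True)) is not None:
        tgt = addr + 2 + rel  # JMP rel8: target relative to next instruction
        return Insn(addr, 2, f"jmp {tgt:#x}", target=tgt, ends_flow=True)
    if op == 0xE9 and (rel := _imm(code, addr + 1, 4, True)) is not None:
        tgt = addr + 5 + rel  # JMP rel32
        return Insn(addr, 5, f"jmp {tgt:#x}", target=tgt, ends_flow=True)
    if op in (0x74, 0x75) and (rel := _imm(code, addr + 1, 1, True)) is not None:
        tgt = addr + 2 + rel  # JE / JNE rel8
        return Insn(addr, 2, f"{'je' if op == 0x74 else 'jne'} {tgt:#x}", target=tgt)
    if op == 0xB8 and (imm := _imm(code, addr + 1, 4, False)) is not None:
        return Insn(addr, 5, f"mov eax, {imm:#x}")  # MOV EAX, imm32
    if op == 0x31 and nxt == 0xC0:
        return Insn(addr, 2, "xor eax, eax")
    if op == 0xFF and nxt == 0xC0:
        return Insn(addr, 2, "inc eax")
    return Insn(addr, 1, f"db {op:#04x}")  # unknown: treat as data


def linear_sweep(code: bytes) -> list[Insn]:
    """What a naive disassembler does: decode byte after byte from offset 0."""
    out, addr = [], 0
    while addr < len(code):
        insn = decode_one(code, addr)
        out.append(insn)
        addr += insn.size
    return out


def recursive_descent(code: bytes, entry: int = 0) -> list[Insn]:
    """Decode only what control flow reaches, following jump targets.
    Instructions may overlap in bytes; they are keyed by start address."""
    seen: dict[int, Insn] = {}
    work = [entry]
    while work:
        addr = work.pop()
        while 0 <= addr < len(code) and addr not in seen:
            insn = decode_one(code, addr)
            seen[addr] = insn
            if insn.target is not None:
                work.append(insn.target)
            if insn.ends_flow:
                break
            addr += insn.size
    return [seen[a] for a in sorted(seen)]


def flatten_jmps(code: bytes, entry: int = 0) -> list[str]:
    """Follow unconditional jmps from entry and drop them, giving the
    straight-line sequence (the 'inline the thunks' step). Conditional
    jumps are kept and only their fall-through is followed; cycles stop."""
    trace, visited, addr = [], set(), entry
    while 0 <= addr < len(code) and addr not in visited:
        visited.add(addr)
        insn = decode_one(code, addr)
        if insn.text.startswith("jmp "):
            addr = insn.target  # skip the jmp, continue at its target
            continue
        trace.append(insn.text)
        if insn.text == "ret":
            break
        addr += insn.size
    return trace


# Constructed samples (not from any real binary).
# 1) jmp over a junk byte: "jmp +1; db 0xB8; xor eax,eax; inc eax; ret".
#    A linear sweep swallows the real code as the imm32 of a fake mov eax.
JUNK_BYTE_SAMPLE = bytes([0xEB, 0x01, 0xB8, 0x31, 0xC0, 0xFF, 0xC0, 0xC3])
# 2) "EB FF" jumps to offset 1, i.e. into its own second byte, where
#    "FF C0" decodes as inc eax. Two instructions share one byte.
OVERLAP_SAMPLE = bytes([0xEB, 0xFF, 0xC0, 0xC3])


def listing(insns: list[Insn]) -> list[str]:
    return [f"{i.addr:#04x}: {i.text}" for i in insns]


if __name__ == "__main__":
    for name, sample in (("junk byte", JUNK_BYTE_SAMPLE), ("overlap", OVERLAP_SAMPLE)):
        print(f"== {name}: linear sweep ==", *listing(linear_sweep(sample)), sep="\n")
        print(f"== {name}: recursive descent ==", *listing(recursive_descent(sample)), sep="\n")
        print(f"== {name}: jmps flattened ==", *flatten_jmps(sample), sep="\n")
```

On the junk-byte sample the linear sweep reports a "mov eax, 0xc0ffc031" that never executes and loses the xor/inc pair; the control-flow walk gets both right and the flattened trace is just the three real instructions. On the overlap sample the decoded instruction at offset 1 starts inside the jmp at offset 0, which is exactly the situation a decompiler that assigns each byte to one instruction cannot represent.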
Fokamul
Why can't you make the same script for IDA? Anyway I don't like them, Hex-Rays are POS. Just curious.
phire
Yeah, should be easy enough to filter these particular jumps out. It's an obfuscation designed to annoy people using common off-the-shelf tools (especially IDA pro)
Most obfuscations are only trying to annoy people just enough that they move on to other projects.
ackbar03
What are off the shelf tools/methods people use now? Ida was pretty standard goto when I was into RE
mahmoudimus
Not much has changed, except there are more entrants. Binary Ninja, Ghidra, radare (last two being open source). For debugging, there's x64dbg. Some use windbg and gdb (for non windows os), but it still is mostly IDA as king though the others are catching up.
I evaluated entering the space by building something with AI native however, the business case just didn't make sense
jamesfinlayson
I tried Ghidra recently and the decompilation seemed decent enough. The UI seemed a bit less complete than IDA's though (I couldn't see a couple of things that IDA does/has though they might just be hidden away in menus).
rustcleaner
Needs to be a law against the taking away of product functionality after the sale, even if it's contractual/EULA. A ban should never take the game away from the owner, and in cases where it does then they need to be refunded (treble damages on top of license, lawyer, and court fees if it takes a judgment to induce the refund). Getting banned on Steam, say, in the sense that all of one's purchases are invalidated should be impossible legally. In cases where an account is prevented from login, items and inventory must still be accessible for trade as those represent real time effort put in by a paying customer. Want to enforce your code of ethics in a multiplayer game? Can't charge for the game or users legally have rights against bans, and bans must follow a proportionality continuum and you must have a human-attended cost capped (at license cost, and only on loss) appeals tribunal system with record.
Hikikomori
Cheating will not get you banned on Steam though, at worst your account is publicly shamed if it's a VAC game.
People play multiplayer games to have fun and interact with others. If you behave badly, be it cheating or otherwise, you should be banned from using the multiplayer service because your behavior impacts other people.
AyyEye
> If you behave badly, be it cheating or otherwise, you should be banned from using the multiplayer service because your behavior impacts other people.
What if you behaved great but some guy fresh out of code boot camp's algorithm bans you?
Hikikomori
Bugs and mistakes happen, when that happens it's typically some misidentification of a process or driver so a group of players get banned. And in every one of those cases I've seen they've been unbanned. The call of duty case is probably the worst one I've read about, also an outlier.
lm28469
Why is that different from speeding while driving ?
Be a nuisance to society -> get fucked. That's a pretty universal principle
nurumaik
Because there is no court, just algorithm flagging people with some false positives
For "get fucked" measures you need pretty low rate of false convictions
spencerflem
imo the problem would be solved if there was the ability and a culture of running your own game servers. Because I agree, being softlocked from a game you paid for sucks.
But also, cheaters suck, and whoever's running the server should be allowed to kick you out.
Sophira
While I get where you're coming from, that's a really bad comparison to make. Speeding while driving can and will kill people.
brettermeier
I don't mind cheaters getting their asses kicked. Let them lose real money. If you accidentally get banned, that's a different story though.
And it's just a game that's not playable anymore, not the whole Steam account, isn't it?
15155
The entire Steam account is tainted: that's the issue.
Some random commercial third party can make an accusation and damage the value of thousands of games on a lark.
Meanwhile, any determined cheater just bought another copy of the game on an account dedicated solely to that task. This person suffers no extended consequence.
dolmen
With Family accounts it's even worse: the tainting is attached to the account owning the licence of the game, not to the account playing the game. So if you share a game with a kid and (s)he's caught cheating, your account will be tainted, not just the kid's.
hhjj
Maybe then just label them as cheaters and allow them to only game against other cheaters.
StefanBatory
If you cheat or ruin game for other players, you deserve to lose the access.
Other players paid too.
int0x29
The money loss is kinda the point. Cheaters can fake a new identity but if they get caught fast enough cheating becomes unaffordable.
reginald78
Not sure it applies with CoD in particular but my impression is a lot of these games with super invasive anti-cheat went F2P which reduces the punishment of getting caught to wasting time. Combined with the no dedicated servers resulting in little manual admin being possible with new games you've basically created the perfect environment to cheat entirely for business reasons. So then they started adding things like requiring phone verification (not even just requiring mobile numbers but requiring POST PAID mobile numbers) and kernel level modules, making a super invasive PITA solution to a problem.
Personally, I opted out of these games, F2P already perverts most game design away from fun IMO. And despite all this crap it seems like people are complaining about cheaters more than ever, but maybe I'm just old now!
yupyupyups
I don't think it's you being older, this F2P stuff was almost non-existent outside of the MMORPG genre. If you wanted to play video games, you essentially had four choices:
- Play a limited demo of a full game.
- Buy a full offline game for your console or PC.
- Play a F2P MMORPG (no anti-cheat software to speak of).
- Pay for an MMORPG subscription (also no anti-cheat software to speak of).
Cheats were less developed and so were anti-cheats. The F2P model was not as wide-spread either. The mobile app market didn't exist.
This is not the reality we live in anymore.
I've decided to not waste as much time as I used to on this stuff, because as I got older I learned more about how valuable time actually is.
Macha
> not even just requiring mobile numbers but requiring POST PAID mobile numbers
Wow, I live in a first world country and that would still ban like half the adults I know (Mostly because our bill pay phone plans are terrible value), along with basically every teenager (which for COD, you would think is the core target market).
yard2010
If there's a thing that's worse than over-priced stuff is free stuff. No free lunch
sdwr
Even banks in the real world don't have that level of customer protection.
some_random
It's a video game, it's really not that big of a deal.
giantg2
You don't even need to cheat at COD. They are so buggy they'll do it for you. They'll load a gun in place of your knife in ranked. They clearly have a faulty case/if-else statement in the ranked gun loadout checker to allow that and also to default to XM4 if the gun shown in the load out picker isn't allowed.
It's probably the only game I know of where the ranked version is more broken than the casual version...
shj2105
Where did you learn how to do this? I would love to learn more about understanding half of what this article said but I don’t know how to start.
josephg
I learned a lot of this stuff ~15 years ago from reading a book called Reversing: Secrets of Reverse Engineering by Eldad Eilam. The book is old but amazing. It takes you through a whole bunch of techniques and practical exercises. State of the art tooling has changed a bit since then, but the x86 ISA & assembly more generally hasn't changed much at all.
One of my biggest takeaways was learning about "crackmes" - which are small challenge binaries designed to be reverse engineered in order to learn the craft. They're kinda like practice locks in the lockpicking community. The book comes with a bunch on a CD-ROM from memory - but there's plenty more online if you go looking. Actually doing exercises like this is the way to learn.
You don't start trying to reverse engineer COD. You build up to it.
therein
I got started with Lena151's tutorials back in the day. https://github.com/kosmokato/Lena151
andrewmcwatters
Dang, I'm old. I was going to say hang out in Gamedeception, but apparently it's been gone for years!
greetz to readers of Unknowncheats, cs.rin.ru, etc.
jorvi
Yoo haha Unknowncheats, now there's a blast from the past.
Milworm (milw0rm?) also got me started back in the day.
therein
I used to frequent cs.rin.ru for all things non-steam back when I operated non-steam CSS servers.
UnknownCheats is also absolutely amazing for cheat development. Back when I was writing undetected kernel cheats for my own experimentation purposes, I learned so much there.
andrewmcwatters
I made my lifelong best friends hosting non-Steam servers, and writing the first cracks in Lua to generate fake Steam IDs from IP addresses.
jamesfinlayson
Gosh, haven't been to cs.rin.ru for years.
UnknownCheats was (still is?) good for getting information on undocumented APIs when game modding (for a good while the Half-Life SDK was incomplete).
kamikazechaser
UnknownCheats. I'm active there and it has one of the best resources on this kind of stuff. I'm more interested in how Linux userspace Anti-cheats works notably VAC.
frosting1337
https://pwn.college is a great educational resource.
ActorNightly
You need to be just comfortable in assembly.
It's a hard first step, but I highly suggest you take the time to analyze a small binary, starting with understanding the registers for the architecture, understanding the different function calls, and then looking at the ELF file and analyzing every section and how static linked libraries work, and how dynamic linking works with PLT/GOT. GPT models are REALLY good at helping you understand this, and you can also use Ghidra for decompilation. Do everything on Linux btw, as the tools are very easy to use and much less cumbersome than Windows.
Once you understand all of that, tracing assembly is pretty easy - it's either register move operations, math operations, compare operations, jumps, and function calls and returns (which basically are just shortcuts for handling the stack frames), with a few special instructions here and there which are usually just some optimizations that you can look up ad hoc. Once you get handy at Ghidra, you can look at decompiled C code and start replacing variable names to make the code readable, and then you generally get a good idea of project flow.
mrsaint
My recipe: "Windows 95 System Programming Secrets" by Matt Pietrek and "Unauthorized Windows 95" by Andrew Schulman, years of fooling around with NuMega SoftICE, lots of IRC, lost youth, yet lots of fun.
sitzkrieg
I miss SoftICE so much (but not fixing my clock)
b8
The secret.club is a good resource.
mahmoudimus
I have been doing a bit of reverse engineering on a popular Horde/Alliance based MMO game and it follows almost the exact same steps (including the FNV32 export hashes). It almost seems very similar as I have seen it employ very similar tricks. I wonder if it's packed using the same protection?
roflmuffin
The source 2 engine also uses fnv to hash the schema (basically entity properties)
2c2c2c
would make sense to reuse warden for Activision IP post merge
andrewmcwatters
Signature scanning is indeed the hot shit.
It's like the most addicting part of reverse engineering to me. Building signature lists, and then writing bindings to scripting languages to call those function pointers.
It's also the foundation of how many third-party mod platforms work, because you need to build a meaningful API to modders that isn't exposed by the first-party.
Cyph0n
No idea what signature scanning is, but found this resource for those curious:
https://www.unknowncheats.me/forum/general-programming-and-r...
landr0id
Signature scanning is just scanning for unique bytes from a compiled function that will remain consistent across builds. You search memory for those bytes and when you find them, you find the function you're interested in.
Here's an example from some shellcode loader I wrote: https://github.com/exploits-forsale/solstice/blob/c3fc9a55c6...
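As an added example (not code from the thread or from the linked repo), here is a minimal signature scanner in C: it parses an IDA-style pattern where `?` marks bytes that change between builds, and finds it in two constructed buffers standing in for the same function in two builds where only the RIP-relative displacement changed.

```c
/* Added example, not from the thread: an IDA-style byte-pattern scanner.
 * '?' marks bytes that change between builds (e.g. RIP-relative displacements). */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_PAT 64

/* Parse "48 8B ? C0" into bytes plus a mask (1 = must match, 0 = wildcard).
 * Returns the pattern length, or -1 on a malformed token or overflow. */
static int parse_pattern(const char *text, unsigned char *bytes, unsigned char *mask) {
    int n = 0;
    for (const char *p = text; *p; ) {
        if (isspace((unsigned char)*p)) { p++; continue; }
        if (n >= MAX_PAT) return -1;
        if (*p == '?') {                       /* accept "?" and "??" */
            bytes[n] = 0; mask[n++] = 0;
            while (*p == '?') p++;
        } else if (isxdigit((unsigned char)p[0]) && isxdigit((unsigned char)p[1])) {
            char hex[3] = { p[0], p[1], 0 };
            bytes[n] = (unsigned char)strtoul(hex, NULL, 16);
            mask[n++] = 1; p += 2;
        } else return -1;
    }
    return n;
}

/* Scan buf for the pattern; returns the offset of the first match, or -1. */
long find_signature(const unsigned char *buf, size_t len, const char *pattern) {
    unsigned char bytes[MAX_PAT], mask[MAX_PAT];
    int n = parse_pattern(pattern, bytes, mask);
    if (n <= 0 || (size_t)n > len) return -1;
    for (size_t i = 0; i + (size_t)n <= len; i++) {
        size_t j = 0;
        while (j < (size_t)n && (!mask[j] || buf[i + j] == bytes[j])) j++;
        if (j == (size_t)n) return (long)i;
    }
    return -1;
}

/* Constructed: one function in two builds; the disp32 after "48 8B 05" differs, opcodes do not. */
const unsigned char build_a[] = {0xCC,0x90,0x48,0x8B,0x05,0x10,0x20,0x00,0x00,0x48,0x85,0xC0,0x74,0x05};
const unsigned char build_b[] = {0x90,0x48,0x8B,0x05,0xAB,0xCD,0x01,0x00,0x48,0x85,0xC0,0x74,0x05,0xC3};
const char *const sig = "48 8B 05 ? ? ? ? 48 85 C0";
int main(void) {
    printf("build A: %ld\nbuild B: %ld\n", find_signature(build_a, sizeof build_a, sig),
           find_signature(build_b, sizeof build_b, sig)); /* 2 and 1 */
    return 0;
}
```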
Cyph0n
Thanks for explaining. How do you identify such byte patterns that are likely stable across builds? Is it experimental - i.e., look at a few versions of the binary and check if it has changed?
c0balt
From my limited experience, it refers to the act of reverse engineering the function (signatures) contained in the code of a binary.
A binary, like the underlying code, has commonly used code split into functions that may get called in multiple places. These calls can be analyzed either through static analyzers or by a human, who may analyze the context of the callsite to guess what each arg is supposed to do/be.
For modding, e.g. in a single player game, one might want to find out where the engine adjusts the health points of a player or updates progress.
jamesfinlayson
> It's also the foundation of how many third-party mod platforms work
Sure is - I believe a few Source engine plugins do this when required (though mostly I think they use offsets into vtable pointers).
jokoon
Wouldn't it be possible or relevant to periodically electronically sign the game state, to prevent cheating? Or with some proof of work?
I am starting to think that cheats are just too hard to fight against. I am making a small, cheap online FPS, and I would let users trust each other instead, and hunt cheaters themselves, or maybe use AI like Valve is doing. I would not bother having anti-cheat software.
Also players would have to manage and administrate their servers themselves.
Players would be required to have a cellphone number attached, have a reputation score given by other players, maybe give an ID or some other strong auth method, manual verification with like a photograph, like it's done for some dating apps. Players would have to play like 10 hours before they could play competitive.
I am confident hardcore players would be motivated to do all those things to make sure there are fewer cheaters.
shawabawa3
> and I would let users trust each other instead, and hunt cheaters themselves
If you've ever played a decent amount of basically any online game you'd know that players make cheating accusations CONSTANTLY based on very little evidence. And then there's also the social aspect of just reporting players you don't like to get them banned.
In such a system you'd get way more false positives than any kind of anti-cheat
jezzamon
At a high level, you can just simulate the game without cheats, sign that, and then do the cheats separately.
marcosscriven
I don’t play this game, but my partner does. I sometimes see him “spectating” a player that is below the ground - regardless of if the client is hacked/cheating, aren’t there some server-side checks that the player state is valid?
StefanBatory
As much as I loved that article, I'm not sure it's really a moral thing to do.
I experienced the trust factor (banning, w/o banning officially) issues on my Linux CS:GO account in 2021, dropping to yellow and then red. This made it difficult to find teammates, as I was constantly matched with cheaters.
I discovered I wasn't alone, as many other Linux users with Radeon GPUs and 16GB+ VRAM were experiencing similar problems. We created a GitHub issue to track the problem and try to find a solution: https://github.com/ValveSoftware/csgo-osx-linux/issues/2630
After some investigation, we found that Valve was punishing Linux users with certain hardware configurations (Radeon cards with >=16GB of VRAM, which were quite new at the time).
Eventually, after a user reached out to gaben directly, the issue was fixed: https://github.com/ValveSoftware/csgo-osx-linux/issues/2630#...
I suspect this was because Valve was preparing to launch the Steam Deck, and gaben wanted to ensure that Linux users had a better experience with the device (just a guess).