MASARYK UNIVERSITY
FACULTY OF INFORMATICS

Analysis and detection of online game cheating software

BACHELOR THESIS

Tomáš Čurda

Brno, 2014

Declaration

Hereby I declare that this paper is my original authorial work, which I have worked out on my own. All sources, references and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source.

Advisor: RNDr. Petr Švenda, Ph.D.

Acknowledgement

I would like to thank my thesis advisor RNDr. Petr Švenda, Ph.D. for his support and help.

Abstract

The main goal of this thesis is to describe the behavior of typical cheating software used in competitive online computer games. The first part describes implementations of cheat software in the Windows operating system environment and introduces the tools used for developing cheats. The second part describes the most common techniques used by cheat software. It explains how cheat software gains access to the game's process and memory, and describes the methods that cheats use to modify the game's behavior. The last part introduces the most common anti-cheat services. One of them is analyzed using reverse engineering in order to find out how effective current anti-cheat technologies are and what can be done to improve them.

Keywords

online games, cheat, anti-cheat, code injection, function hooking

Contents

1 Introduction
2 Cheat software
  2.1 Cheat software in Windows operating system
    2.1.1 External vs Internal cheats
    2.1.2 User mode vs Kernel mode
  2.2 Cheats and Exploits
  2.3 Tools
    2.3.1 Cheat Engine
    2.3.2 IDA
    2.3.3 ReClass
  2.4 Availability of cheats
  2.5 Legal aspect
3 Most common techniques used by cheats
  3.1 Code injection into a remote process
    3.1.1 DLL injection via CreateRemoteThread
    3.1.2 Injection of arbitrary code
    3.1.3 Injection via thread hijacking
  3.2 Function hooking
    3.2.1 Inline hooking
    3.2.2 Virtual method hooking
  3.3 Game engine exploiting
    3.3.1 Source Engine
4 Anti-Cheating software
  Comparison of anti-cheats
  Analysis of Valve Anti-Cheat
    Client-Side implementation
      Process monitoring
      Code blacklisting
      Integrity checking
      Environmental checking
      Kernel mode cheats detection
  Suggested improvements
5 Conclusion

Chapter 1
Introduction

The video game industry has grown significantly over the last decade. More and more games now provide an online mode for playing against other players. This creates great opportunities for competitive games, which have gained huge popularity in the last few years; competitive gaming is now recognized as a professional sport in the U.S. [1]. With the growing number of players playing competitively, the money involved in tournaments and prize pools increasing every year, these games are now an attractive target for players who try to exploit them with cheats.

The motivation behind the creation and usage of cheats is profit. Cheat developers either develop cheats for their own needs or provide cheating services to any player who can pay for access, without that player needing any knowledge of how to develop them. Several specialized websites are dedicated to providing their own cheat software. The price of such software varies depending on the features provided and on its protection against anti-cheat detection. Some cheats are designed to be used in tournaments and leagues, and there are known cases of professional players using cheats [2].

Cheating is often not taken seriously by game developers although it has a huge negative impact on a game. Most games rely blindly on third-party anti-cheat solutions, which is often not enough to stop cheats that are getting more sophisticated. Much like anti-virus products, anti-cheat detections are constantly bypassed, and new detection methods must be developed in order to detect the latest cheats.

This thesis describes the basics of the online game cheating problem and explains the current situation in the arms race between cheat and anti-cheat creators. Simple game cheat source code is included as example usage of the techniques described in this thesis. The most common gaming environment is described, i.e. an Intel x86 game application running on Windows.

Chapter 2
Cheat software

A cheat is anything that can be used by a player to gain an unfair gameplay advantage. Cheats are sometimes included by game developers in single-player games but are strictly forbidden in multiplayer games. The cheat software described in this thesis is software which modifies the game environment in a way not intended by the game developers, to give a player an unfair gameplay advantage over other players. This unfair advantage can be provided by:

- displaying critical gameplay information which would normally be hidden from the player
- modifying game behavior to allow the player to perform actions which would not normally be available
- automating client actions, simulating mouse movements and keyboard presses

Cheat software uses methods similar to those used by typical malware to achieve those actions. These include, but are not limited to:

- code injection into a remote process
- manipulation of remote process code and data
- installation of services and drivers into the operating system
- changes to the operating system configuration to hide the cheat's existence

The main difference is that cheats are executed with the full knowledge of the user, with the purpose of cheating in a computer game.

2.1 Cheat software in Windows operating system

Just like malware, cheat software has to work around the security protections of an operating system. In the Windows operating system various techniques are used to ensure system stability. One of them is the concept of process isolation. Every process is assigned a private range of virtual memory which can only be accessed by the owning process; it is called the virtual address space [3]. Memory regions inside the process address space are additionally protected by memory protection constants, limiting what operations can be performed on a memory region. For example, writing into a memory region marked as read-only or executing a memory region not marked as executable will fail. If a process, for instance a debugger, needs to access the address space of another process, it has to do so explicitly via the Windows API functions provided for that purpose. These functions are also used by cheats to access the game process address space.

2.1.1 External vs Internal cheats

The typical and most straightforward way to inject cheat code into another process is to create a Dynamic-link library (DLL) and force the game process to load this DLL. In this case the cheat code operates in the game's process and has access to its whole address space, just like the original game code. The cheat code can directly read all data structures, modify them and directly call game functions. Such a cheat is called an Internal cheat. Another process, an injector, is used to inject the cheat code into the game process; the injector usually terminates itself after the code injection is completed. There are several methods of code injection, and the most common ones are described in chapter 3 of this thesis.

The other case are External cheats. Here the cheat is compiled as an executable and runs as a separate process with its own address space. Once the process terminates, the cheat stops operating. All memory operations between the cheat process and the game are executed remotely, using Windows API functions.

In both cases a new process is created to execute cheat code. In the case of an Internal cheat the process can exit immediately after the code injection, while an External cheat has its process running the whole time. The difference between the External and Internal approach is whether the cheat is running inside the game's address space or not.

2.1.2 User mode vs Kernel mode

In the Windows operating system there is a major difference between code running in user mode and code running in kernel mode [4]. Cheat developers take advantage of kernel mode since it brings advantages over user mode solutions:

- cheat code and data are not accessible to programs running in user mode
- the cheat has full access to the whole computer memory
- the cheat can change the behavior of Windows API functions, defeating attempts to detect the cheat from user mode

2.2 Cheats and Exploits

A game exploit is a glitch or a bug in game code which can be used by players to gain an unfair competitive advantage. While typical exploits can be triggered through normal game actions, there are many exploits which can only be triggered via direct memory modification or by calling a game function with unexpected parameters.

2.3 Tools

Since the majority of games do not have their source code available, in order to understand game internals and where gameplay-critical data is stored, a cheat developer needs to use reverse engineering tools to identify the location and structure of such data. The most commonly used tools are Cheat Engine, IDA Pro and ReClass.

2.3.1 Cheat Engine

Cheat Engine 1 is an open-source tool designed for modifying the behavior of computer games. It can be used to modify specific game variables and structures inside game memory, such as player health, speed, amount of gold etc., in order to make a game easier or harder. Although originally designed for single-player games, as the author claims on his website, it also works in online games, where it is often used to change the behavior of the client's part of the game. For example, in the game Team Fortress 2 a one-byte memory patch allows the player to enable a developer mode in which the player can then see other players through walls (Figure 2.1).

Figure 2.1: Example usage of memory patching.

The main functional parts of this program are the memory scanner, the memory viewer and the debugger. The memory scanning function has various filters which allow a user to find the addresses of specific game variables and structures (Figure 2.2). The memory viewer (Figure 2.3) allows a user to display and modify the whole game memory, even read-only memory, so the user is able to patch functions to behave differently. The debugger part can set breakpoints on functions, detect changes of specific game variables and list all functions which access them.

1. Available from:

Figure 2.2: Cheat Engine main window.

Cheat Engine also works as a DLL injector. The user can select any DLL file on his computer and Cheat Engine will force the game to load this DLL. Cheat Engine comes with several pre-made DLLs which can then be used to provide more features, for example a DLL which enables cheats such as a speedhack (letting the player move faster in-game), or a DLL which prevents Cheat Engine from being detected by the game.

2. Available from:

2.3.2 IDA

IDA 2 is a popular disassembler and debugger. It is used for both static and dynamic analysis of binaries whose source code is not available. IDA

is commercial; it offers a demo version, and an older version is available for free. The disassembler portion of IDA is able to create a graphical representation of a function in assembly language from the instructions stored inside the binary file. The user is able to rename generated variable and function names to make the assembly more readable. From the disassembled code it is even able to generate decompiled C-like source code, which might look similar to the original source code. As a debugger, IDA can be attached to a running process and the user is then able to set breakpoints directly in the previously analyzed assembly code. IDA makes reverse engineering much easier and is a standard for malware analysis. For the same reasons cheat developers use IDA to reverse engineer games and anti-cheat services.

Figure 2.3: Memory viewer in Cheat Engine.

2.3.3 ReClass

ReClass 3 is an open-source tool for reverse engineering unknown data structures and classes inside game memory. Once the user attaches the program to a game process and enters the address of a data structure, he can start describing the structure members (Figure 2.4).

Figure 2.4: Data representing a game structure.

The program allows the user to extend the size of an unknown data structure, add new members and change the types of structure members until the structure represents reasonable data. The described data structure can also be exported as a C-like structure.

2.4 Availability of cheats

Cheats can come from different sources. Depending on the way users obtain a cheat, three categories exist:

1. Public cheats

Available on public websites and forums as either compiled binaries, ready-to-compile projects or code examples.

3. Available from:

- (2000): a forum and community focused on cheating in multiplayer games; the whole content of the website is created by its users, who post their cheats (a database of more than 9800 cheats and tools), tutorials and source code, and share their research on newly released games and anti-cheats; the site is funded by donations.
- (2001): provides free and paid cheats based on game memory patching; despite the claim that they only provide cheats for single-player games, some of their cheats do work in multiplayer mode.
- (2002): a forum focused on cheating in multiplayer games; the forum has over 2.9 million registered members who share their cheats and tutorials; the site is funded by advertisements.

2. Private cheats (Commercial)

Companies providing ready-to-use cheat packages; cheat users are required to purchase them or pay a monthly subscription to gain access to the cheat. Commercial cheats typically come with some kind of piracy protection (i.e. DRM) and are constantly updated by their authors to keep them undetected.

- (2005): a hacking forum with over 2 million registered members and 43 million threads created. Besides computer hacking the forum is also about programming, gaming and graphic design. The forum also works as a black market where people can buy various hacking programs, including cheat software for popular online games.

3. Private cheats (Personal)

Developed and used by a single individual.

2.5 Legal aspect

It is common practice to legally protect a game from cheat providers (and by extension from players exploiting it with cheats) by explicitly forbidding such actions in the end-user license agreement (EULA). This gives the game

publisher legal grounds to punish a player by denying his access to the multiplayer part of the game (a.k.a. a ban). Legal battles between game owners and cheat providers are not very common. The most common way to fight cheats from a legal standpoint is the Digital Millennium Copyright Act (DMCA) takedown. This indirect approach is used in the USA to take down sites and services which distribute game cheats and exploits, on the legal grounds of copyright law. Blizzard Entertainment, Inc. (Blizzard) is known to be active in using the law to force cheat sites and services to shut down. In 2008 they won a two-year-long legal battle against MDY Industries, LLC (MDY), which used to sell cheats for Blizzard's popular game World of Warcraft (WoW). The court concluded that by providing the cheat, MDY was guilty of tortious interference, as MDY knowingly aided WoW players in violating Blizzard's EULA. MDY assisted players in gaining an unfair advantage over other WoW players and also helped players avoid detection by Blizzard [6]. Another case, from 2013, against Ceiling Fan Software LLC (CF) was also successful for Blizzard. Just like in the previous case, CF was found guilty of tortious interference [5].

The main problem with fighting cheats through lawsuits is the fact that cheat providers host their services in various countries with different laws. Another problem is that once a cheat provider is forced to close its service, it is often promptly replaced by a new one, which makes legal battles ineffective as a long-term strategy.

Chapter 3
Most common techniques used by cheats

There are several Windows API functions which can be used to manipulate other processes. Before they can be used on a certain process, a process handle must be obtained with the OpenProcess function. OpenProcess requires the PID of the process and the desired access flags. The flags should reflect what we plan to do inside the remote process; a cheat typically needs to read process memory, write into it and create remote threads. There are several cases in which Windows will refuse to create the handle: for example, when User Account Control (UAC) is enabled and the process runs under an unprivileged user, the user will not be able to open such a handle to a process run by SYSTEM or Administrator.

Reading and writing remote process memory is done via ReadProcessMemory and WriteProcessMemory. Both functions require a process handle, an address in the remote process address space and a local buffer which will hold the input or output data. Just by using those three Windows API functions it is possible to write a program which reads and writes data in a remote process based on a local algorithm. To modify static data and code, the memory protection must be changed first. This is done by calling VirtualProtect for the local process address space and VirtualProtectEx for a remote process address space.

3.1 Code injection into a remote process

The first step before injecting code into a remote process is generating the code which will be injected. The easiest way is to write a DLL and then force the remote process to load it. Another approach is writing the code in assembly language, compiling it into raw binary code and writing this raw code into the remote process address space. Assembly code can be compiled for example with Flat assembler 1, an open-source x86 assembler.

3.1.1 DLL injection via CreateRemoteThread

When a process needs to load a certain DLL file it uses the LoadLibrary function. LoadLibrary maps the DLL into the address space of the calling process and returns a handle to the loaded DLL, which can then be used, for example, to call its exported functions. To execute LoadLibrary remotely inside a different process, the CreateRemoteThread Windows API function can be used. This DLL injection technique is the most straightforward way for a process to force another process to load a foreign DLL. The function has 7 parameters but only 3 of them matter for this method:

1. a process handle created by the OpenProcess function
2. the address, in the remote process address space, of the function which will be executed as the thread's start routine
3. a pointer to the argument which will be passed to that function, or NULL if no argument should be passed

The thread start routine receives at most one parameter. This in turn means that it is only possible to remotely execute functions with either one or zero parameters. LoadLibrary has exactly one parameter, a filesystem path to a DLL file. To perform this method the injection code must:

1. Open a handle to the remote process.
2. Write the path of the DLL file which should be injected into the address space of the remote process.
3. Create a new thread by calling CreateRemoteThread, where the parameters are the handle to the remote process, the address of LoadLibrary and the address of the DLL path string.

1. Available from:

    HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, processId);

The path to the DLL file can be written anywhere inside the remote process address space as long as the memory region is marked as writable. Alternatively it is possible to allocate a writable memory region inside the remote process with VirtualAllocEx.

    LPVOID remotePath = VirtualAllocEx(process, NULL, strlen(filePath) + 1, MEM_COMMIT, PAGE_READWRITE);

    if (!remotePath)
        return 0;

    if (!WriteProcessMemory(process, remotePath, (LPVOID)filePath, strlen(filePath) + 1, NULL))
        return 0;

The next step is getting the location of LoadLibrary in the remote address space. LoadLibrary is an exported function of the Kernel32.dll library. Since Windows Vista, Address Space Layout Randomization (ASLR) is used, which causes libraries compiled to support it to be placed at a random position in the process address space. For system libraries the randomization only happens at boot time; this means that every time a process loads a specific system DLL, it is placed at the same randomized address [9]. If we get the address of LoadLibrary inside our local process, the same address will work across all running processes of the same bitness (a 32-bit injector can only use this trick against a 32-bit target, and a 64-bit injector against a 64-bit target).

    FARPROC loadLibraryAddress = GetProcAddress(GetModuleHandle("KERNEL32.DLL"), "LoadLibraryA");

A remote thread can now be created which executes LoadLibrary with the custom DLL path as its parameter.

    HANDLE hThread = CreateRemoteThread(process, NULL, 0, (LPTHREAD_START_ROUTINE)loadLibraryAddress, remotePath, 0, NULL);
    if (!hThread)
        return 0;

The DLL will now be loaded by the remote process. The code can then, for example, wait for the thread to finish, get the return value of LoadLibrary, free the allocated memory region and close the handles. Note that a thread exit code is a 32-bit DWORD, so in a 64-bit process it only carries the low 32 bits of the HMODULE returned by LoadLibrary.

    WaitForSingleObject(hThread, INFINITE);

    DWORD exitCode = 0;
    if (!GetExitCodeThread(hThread, &exitCode))
        return 0;

    CloseHandle(hThread);

    if (!VirtualFreeEx(process, remotePath, 0, MEM_RELEASE))
        return 0;

    return exitCode;

3.1.2 Injection of arbitrary code

This method is based on writing a raw byte array into the remote process and executing it. The byte array can represent just one function written in assembly language. One use case of this method is bypassing the one-parameter limitation of the CreateRemoteThread injection method. To call a function with multiple parameters it is possible to write a wrapper around it which itself takes one or zero parameters. The wrapper contains the call of the original function and stores the required parameters as local constants. To achieve this the injection code must:

1. Allocate a writable and executable memory region in the remote process
2. Patch the constant data in the wrapper function so it points to the correct data in the remote process
3. Execute the wrapper function in the remote process by creating a new thread

Example wrapper of the MessageBox function (32-bit x86; MessageBoxA uses stdcall, so its arguments are pushed right to left):

    push 0x30           ; uType = MB_ICONWARNING
    push 0              ; lpCaption = NULL
    push 0xcccccccc     ; lpText, placeholder for the address of the text
    push 0              ; hWnd = NULL
    mov eax, 0xffffffff ; placeholder for the address of MessageBoxA
    call eax            ; call the function
    ret                 ; return

Flat assembler produces the following byte code:

    BYTE wrapper[19] = {
        0x6A, 0x30,
        0x6A, 0,
        0x68, 0xCC, 0xCC, 0xCC, 0xCC,
        0x6A, 0,
        0xB8, 0xFF, 0xFF, 0xFF, 0xFF,
        0xFF, 0xD0,
        0xC3 };

Additionally, the memory region of the remote process allocated for the wrapper code must be marked as executable. This is due to the Data Execution Prevention (DEP) security feature included in Windows systems [7].

    LPVOID remoteWrapper = VirtualAllocEx(process, NULL, sizeof(wrapper), MEM_COMMIT, PAGE_EXECUTE_READWRITE);

MessageBox has to display some text, which must also be allocated and written into the remote process. The address of this text is passed to MessageBox as the second parameter (the 0xcccccccc placeholder in the assembly code).

    const char* text = "Injected Hello World!";

    LPVOID remoteText = VirtualAllocEx(process, NULL, strlen(text) + 1, MEM_COMMIT, PAGE_READWRITE);

    WriteProcessMemory(process, remoteText, (LPVOID)text, strlen(text) + 1, NULL);

The 0xcccccccc placeholder is replaced with the address of the allocated text in the remote process. The same is done for the address of MessageBoxA, which is the same in the remote process as in the local process (as explained in 3.1.1), provided that both processes have the same bitness and user32.dll is loaded in the target. If the wrapper array lives in read-only memory (for example when it is declared const), the memory protection of its page must be adjusted with VirtualProtect before it can be patched; the writable array above can be patched directly, and the call below is then a no-op.

    DWORD oldProtection = 0;
    VirtualProtect(wrapper, sizeof(wrapper), PAGE_READWRITE, &oldProtection);

    *(DWORD*)(wrapper + 5) = (DWORD)remoteText;
    *(DWORD*)(wrapper + 12) = (DWORD)GetProcAddress(LoadLibrary("USER32.DLL"), "MessageBoxA");

The wrapper is now ready to be written into the allocated memory region and remotely executed.

    WriteProcessMemory(process, remoteWrapper, (LPVOID)wrapper, sizeof(wrapper), NULL);

    CreateRemoteThread(process, NULL, 0, (LPTHREAD_START_ROUTINE)remoteWrapper, NULL, 0, NULL);

3.1.3 Injection via thread hijacking

In some cases a cheat or an injector may not be able to create new threads in a remote process, for example because of anti-virus or anti-cheat protection. In such a case, instead of creating a new thread, one of the already existing threads inside the remote process can be manipulated to execute the remote code. Every thread has a defined state represented by its thread context, which contains the values of all thread registers. Windows provides the GetThreadContext and SetThreadContext functions which are used to retrieve and modify a thread context. To achieve this method the injection code must:

1. Suspend a thread of the remote process (for example its main thread)
2. Get the thread's current context
3. Modify the EIP (instruction pointer) register to point to the custom code
4. Resume the thread

Example source code:

    SuspendThread(threadHandle);

    CONTEXT context;
    memset(&context, 0, sizeof(context));
    context.ContextFlags = CONTEXT_ALL;
    GetThreadContext(threadHandle, &context);

    context.Eip = (DWORD)remoteFunction;

    SetThreadContext(threadHandle, &context);
    ResumeThread(threadHandle);

The code shown only redirects execution; the hijacked thread never returns to what it was doing. For the target to keep running, the injected code must preserve the registers and the stack and finally jump back to the original Eip saved from the context. On 64-bit targets the register is Rip, and a 32-bit injector cannot set the context of a 64-bit thread. The thread IDs of all threads inside a remote process can be enumerated with the Thread32First and Thread32Next WinAPI functions (over a Toolhelp snapshot), and OpenThread turns a thread ID into a handle.

3.2 Function hooking

Function hooking is used to modify the behavior of existing software for which we do not have the source code. A hook is a function which is added to existing code in order to replace the functionality of an existing function. There are various methods of modifying software so that a hook function is called instead of the original one, and new hooking methods are developed in order to bypass anti-cheat detections. Cheats often use function hooking to modify:

1. the scene rendering function, to display hidden information about other players
2. the model and texture rendering function, to draw transparent walls

3. the user input collecting function, to fake mouse movements and key presses
4. the behavior of Windows API functions, in order to bypass anti-cheat detections

Legitimate applications such as debuggers and profilers also use function hooking. For example the application Fraps 2 hooks the scene drawing function in order to display information about game rendering performance (frames per second). The same techniques are used by malware, which does not limit itself to runtime modification of running processes but also infects files stored on physical media. In the case of cheats it is infeasible to modify game files in order to hook functions, or to use any other method of on-disk code modification, due to the ease of detecting such an integrity violation.

3.2.1 Inline hooking

Inline hooking (also known as detours) takes control of the code flow right when the original function is called. The first five bytes of the original function are replaced with an unconditional jump to the hook function. This ensures that every time the original function is called, the hook function starts executing instead. The hook function cannot simply call the original function, as this would produce infinite recursion. To solve this problem a trampoline function is created. This function contains the first five bytes of the original function which were overwritten by the unconditional jump, followed by a jump to the next instruction in the original function after those modified five bytes. Because x86 instructions have variable length, the overwritten bytes must be copied as whole instructions: if the first instructions do not add up to exactly five bytes, the trampoline has to hold more than five bytes, and any relative jumps or calls among them must be re-encoded, which in practice requires a length disassembler. Figure 3.1 displays a diagram representing how inline hooking works.

Another limitation to consider is that memory containing executable code is typically marked as read-only (PAGE_EXECUTE_READ). To bypass this, the protection flags can be adjusted to allow modifications of the memory page.

    DWORD oldProtection = 0;
    VirtualProtect(originalFunction, 5, PAGE_EXECUTE_READWRITE, &oldProtection);

2. Available from:
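The following is an added example, not code from the thesis, covering the byte-level work that both the wrapper patching of section 3.1.2 and the inline hook of section 3.2.1 leave implicit: filling the two immediates of the 19-byte MessageBoxA wrapper, encoding the 5-byte `jmp rel32` that overwrites the start of the hooked function, and building the trampoline for the `push imm32` case of Figure 3.1. It is portable C++ that only produces bytes; it does not write into another process, so the Win32 calls from the thesis would be used around it. The function names (Put32, BuildMessageBoxWrapper, EncodeJmpRel32, RelocatableFiveByteInstruction, BuildTrampoline) and all addresses are assumptions made for this example; the opcodes are the ones the thesis uses.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>

// Little-endian 32-bit store. An imm32 operand and a rel32 displacement are
// stored the same way, which is why both halves of the example share this.
static void Put32(uint8_t* p, uint32_t v)
{
    p[0] = (uint8_t)(v);
    p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16);
    p[3] = (uint8_t)(v >> 24);
}

// --- Wrapper patching (section 3.1.2) ---------------------------------------
// Builds the 19-byte MessageBoxA wrapper with its two placeholders filled in:
// the text address goes into the imm32 of `push` (offset 5) and the function
// address into the imm32 of `mov eax` (offset 12). The offsets are fixed by
// the template, so the template bytes are kept verbatim.
std::vector<uint8_t> BuildMessageBoxWrapper(uint32_t remoteText, uint32_t messageBoxA)
{
    std::vector<uint8_t> w = {
        0x6A, 0x30,                   // push 0x30          (uType = MB_ICONWARNING)
        0x6A, 0x00,                   // push 0             (lpCaption)
        0x68, 0x00, 0x00, 0x00, 0x00, // push imm32         (lpText)      <- offset 5
        0x6A, 0x00,                   // push 0             (hWnd)
        0xB8, 0x00, 0x00, 0x00, 0x00, // mov eax, imm32     (MessageBoxA) <- offset 12
        0xFF, 0xD0,                   // call eax
        0xC3                          // ret
    };
    Put32(&w[5], remoteText);
    Put32(&w[12], messageBoxA);
    return w;
}

// --- Inline hook patch (section 3.2.1) --------------------------------------
// Encodes `jmp rel32` (opcode E9) from address `from` to address `to`. The
// displacement is relative to the end of the 5-byte instruction, hence
// `from + 5`; unsigned wrap-around gives the right two's complement for
// backward jumps.
void EncodeJmpRel32(uint8_t out[5], uint32_t from, uint32_t to)
{
    out[0] = 0xE9;
    Put32(out + 1, to - (from + 5));
}

// Toy instruction-boundary check: returns 5 for 5-byte instructions that can
// be copied verbatim (push imm32, mov r32 imm32) and 0 otherwise. call/jmp
// rel32 are also 5 bytes but are position-dependent and would have to be
// re-encoded; a real hook library uses a full length disassembler here.
static int RelocatableFiveByteInstruction(uint8_t opcode)
{
    if (opcode == 0x68) return 5;                    // push imm32
    if (opcode >= 0xB8 && opcode <= 0xBF) return 5;  // mov r32, imm32
    return 0;
}

// Builds the trampoline for an original function whose first instruction is
// exactly five relocatable bytes (as `push 0x1000a433` in Figure 3.1): the
// displaced bytes followed by a jmp back to original + 5. `trampolineAddr` is
// where the trampoline will be placed, so its jmp starts at trampolineAddr + 5.
// Returns an empty vector when the first instruction is not a clean 5-byte
// boundary, because copying a partial instruction would crash the target.
std::vector<uint8_t> BuildTrampoline(const uint8_t* original, uint32_t originalAddr, uint32_t trampolineAddr)
{
    if (RelocatableFiveByteInstruction(original[0]) != 5)
        return {};
    std::vector<uint8_t> t(original, original + 5);
    uint8_t back[5];
    EncodeJmpRel32(back, trampolineAddr + 5, originalAddr + 5);
    t.insert(t.end(), back, back + 5);
    return t;
}
```

With the thesis' Win32 flow, the vector from BuildMessageBoxWrapper is what WriteProcessMemory copies into the PAGE_EXECUTE_READWRITE region, and the five bytes from EncodeJmpRel32 are what replaces the start of the original function after VirtualProtect.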

Figure 3.1: Inline hooking.

    before hooking:

    originalFunction:
        push 0x1000a433
        mov eax, 0x1000
        call eax
        ret

    after hooking:

    originalFunction:
        jmp hook
        mov eax, 0x1000
        call eax
        ret

    hook:
        custom code...
        jmp trampoline

    trampoline:
        push 0x1000a433
        jmp originalFunction + 5

Libraries with inline hooking functionality

Microsoft Detours 3 is a library which provides inline hook functionality for 32-bit and 64-bit applications. It is commercial software which also provides a version for non-commercial usage. The function responsible for hooking is called DetourAttach.

    LONG DetourAttach(PVOID *ppPointer, PVOID pDetour);

The first parameter is a pointer to the pointer to the original function; after the hook is applied it points to the trampoline, so the hook calls the original through it. The second parameter is a pointer to the hook function. DetourAttach only takes effect inside a transaction bracketed by DetourTransactionBegin and DetourTransactionCommit (with DetourUpdateThread for threads that may be executing the patched code). Alternatively Deviare In-Process 4 can be used, which provides similar functionality and is available under the GPLv3 license.

3.2.2 Virtual method hooking

The Virtual Method Table (VMT) implementation itself depends on the compiler used. Although most implementations are very similar, some compilers for example handle multiple inheritance differently. The following text describes the Microsoft Visual C++ (MSVC) implementation. Virtual methods are implemented as indirect calls through the VMT. The VMT is an array of function pointers with static indexes determined at compile time, and it is stored in a read-only memory region. Pointers inside the VMT are ordered in the same order in which the methods are declared in the class definition. Code calling a virtual function only needs a pointer to an instance and a function index. The pointer to the VMT is stored as a hidden first member of the class instance. All instances of one class use the same VMT, so if the VMT is modified, all instances are affected. Figure 3.2 displays a diagram representing the implementation of the virtual method table.

Figure 3.2: Virtual method table (before hooking).

    object                    virtual method table
    +----------------+        +-----------------------+
    | pointer to vmt |------->| pointer to function01 |-----> function01: ...
    +----------------+        | pointer to function02 |-----> function02: ...
                              | pointer to function03 |
                              +-----------------------+

Hooking method based on replacing a function pointer inside the virtual method table. Assume the code needs to hook the RenderFinish method of the following class:

    class Rendering
    {
    public:
        virtual void RenderStart() { };
        virtual void RenderFinish() { printf("original function called\n"); };
    };

3. Available from: detours/
4. Available from:

If the address of the virtual method table is known, for example from reverse engineering the code, it can be used directly; otherwise it can be read from an object instance:

    // the hidden first member of the object is the address of the virtual method table
    void** vmtTable = *(void***)instance;
    void* function02 = vmtTable[1]; // backing up the pointer to the second function

Just like reading the pointer value, it can also be modified. Note that this part of memory is read-only and therefore the memory protection must be adjusted before the pointer can be modified. The hook in this case is a function whose pointer is placed into the VMT instead of the pointer to the original function RenderFinish.

    DWORD origProtection = 0;
    VirtualProtect(&vmtTable[1], sizeof(void*), PAGE_EXECUTE_READWRITE, &origProtection);

    vmtTable[1] = (void*)&Hook;

    DWORD tmp = 0;
    VirtualProtect(&vmtTable[1], sizeof(void*), origProtection, &tmp);

The hook must have exactly the same number of parameters and use the same calling convention [?]. Virtual functions usually use the thiscall calling convention, in which the caller passes the this pointer in the ECX register. This calling convention is not guaranteed, as it depends on compiler optimizations, so the calling convention should be verified by reverse engineering before replacing a function in the VMT. MSVC does not allow a free function to be explicitly declared as thiscall. For a method without parameters there are two calling conventions compatible with thiscall which can be used instead. The first is stdcall, which does not directly provide the this pointer, but it can be obtained by reading the ECX register via inline assembly. The second is fastcall, which passes the first two parameters in the ECX and EDX registers.

    typedef void (__thiscall* Virtual_t)(void* thisPtr);
    Virtual_t original = (Virtual_t)function02;

    // stdcall variant: the this pointer is read from ECX by hand
    void __stdcall Hook()
    {
        void* instance;
        __asm mov instance, ECX

        original(instance);   // call the original function
        printf("Hook function called\n");
    }

    // fastcall variant: ECX arrives as the first parameter, EDX (unused) as the second
    // (only one of the two variants is compiled)
    void __fastcall Hook(void* thisPtr, int edx)
    {
        original(thisPtr);    // call the original function
        printf("Hook function called\n");
    }

Once the hook is installed, calling RenderFinish produces the following output:

    Original function called
    Hook function called

Figure 3.3 represents hooking via VMT function pointer replacement.

[Figure 3.3: Replacing a function pointer inside the VMT. After hooking: object -> pointer to VMT; VMT -> pointer to function01, pointer to hook, pointer to function03; hook -> function02, which is no longer referenced from the table.]

Hooking method based on replacing the pointer to the virtual method table inside the object. Another approach is to create a copy of the original VMT and leave the original VMT untouched. Every instance of the class whose calls should be intercepted must be modified so that its VMT pointer points to the copy. This approach requires the hooking code to have access to all such instances, but it has the big advantage that no read-only memory is modified, so an integrity check of the original table does not notice anything. Note that the copy must cover the whole table, not only the slots that are hooked, and that MSVC stores a pointer to the RTTI data immediately before the first table entry, so a copy that starts at index 0 leaves dynamic_cast and typeid on that instance reading garbage.

    void** vmtTable = *(void***)instance;
    int vmtSize = 2;   // number of virtual methods in the class

    void** hookTable = new void*[vmtSize];
    memcpy(hookTable, vmtTable, sizeof(void*) * vmtSize);

    // replace the object's VMT pointer so it points to the new table
    *(void***)instance = hookTable;

    // replace the pointer to the second function (RenderFinish) in the new table
    hookTable[1] = &Hook;

Figure 3.4 represents hooking via replacing the VMT pointer.

[Figure 3.4: Replacing the VMT pointer inside the object. After hooking: object -> pointer to hook table; the original VMT (pointer to function01, function02, function03) is unchanged; the hook table holds pointer to function01, pointer to hook, pointer to function03, and hook calls function02.]

3.3 Game engine exploiting

In this context a game engine is software that provides the functionality game developers typically need in a working game: scene rendering, physics, sound, scripting, networking, etc. While reusing a game engine helps significantly with the development of a game, it also makes it easier to develop a cheat for it. If technical details of a specific game engine are known, creating a cheat for any game built on that engine becomes a trivial task. A good example is the Call of Duty series. Every Call of Duty game uses the same game engine, even though the engine is improved every year and gains new features. Because of this it is very easy to create cheats, thanks to the public information about prior versions of the engine collected over years of reverse engineering. This allowed a private cheat provider (who provides cheats for the Call of Duty series) to develop a cheat for the new title Call of Duty: Modern Warfare 2 in less than 24 hours after the release date. Games based on the same engine also tend to share the same engine bugs: if a game engine has a bug, it can be exploited across all games based on that engine.

3.3.1 Source Engine

Source Engine is a game engine created and developed by Valve Corporation (Valve). It comes with the Source SDK, which can be used to build mods or even whole new games based on Source Engine [10]. Source Engine is highly modularized. Every part of the engine (rendering, networking, physics, sound, etc.) has an independent interface; the interfaces communicate with each other and are used by the game code. The Source SDK provides access to those interfaces via C++ header files and pointers to their

instances. The easiest way to gain control over a game is to get access to the game engine interfaces and modify them. Every engine DLL which provides interfaces exports a function named CreateInterface. Its prototype is:

    void* CreateInterface(const char* name, int* returnCode);

The first parameter is a string constant telling the function which interface, and which version of the interface, is requested. The function returns a pointer to an instance of the requested interface. All instances this function returns pointers to are singletons, which means the whole game code uses the same instance. The example cheat code attached to this thesis works by modifying the virtual method tables of those interfaces.
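As an added example (not code from the thesis or its attached cheat), the table-copy method from section 3.2 carried through on a class shaped like Rendering, which is also what modifying the VMT of a CreateInterface singleton amounts to. It assumes a 64-bit ABI (Itanium or MSVC x64), where a virtual method is called like a free function whose first argument is this, single inheritance, and the VMT pointer at offset 0; because the original table is never written, no VirtualProtect call is needed and the code runs unchanged on Linux or Windows. Names such as HookViaTableCopy and RunDemo are this example's own.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Target class with the same layout as the thesis's Rendering class:
// vptr at offset 0, RenderStart in slot 0, RenderFinish in slot 1.
class Rendering {
public:
    virtual void RenderStart() { ++starts; }
    virtual void RenderFinish() { ++finishes; }
    int starts = 0;
    int finishes = 0;
};

// On the 64-bit ABIs a virtual method is called like a free function whose first
// argument is `this`, so the hook can be declared this way (assumption of this example).
// On 32-bit MSVC the thiscall/ECX caveat from the text applies instead.
using VirtualFn = void (*)(Rendering*);

static VirtualFn g_original_finish = nullptr;
static int g_hook_calls = 0;

// Replacement that lands in slot 1 of the private table copy.
static void HookRenderFinish(Rendering* self) {
    g_original_finish(self);  // forward to the original so the game keeps working
    ++g_hook_calls;
}

// Read the hidden vptr that the compiler stores in the object's first word.
static uintptr_t* ReadVmt(const Rendering* obj) {
    uintptr_t* vmt;
    std::memcpy(&vmt, obj, sizeof vmt);
    return vmt;
}

static void WriteVmt(Rendering* obj, uintptr_t* vmt) {
    std::memcpy(obj, &vmt, sizeof vmt);
}

// Hook by table copy: duplicate the whole VMT, patch one slot in the copy, and point
// this one instance at the copy. The original read-only table is never written and
// other instances keep using it. Returns the copy; free it after unhooking.
static uintptr_t* HookViaTableCopy(Rendering* obj, size_t vmt_size, size_t slot,
                                   VirtualFn hook, VirtualFn* original_out) {
    uintptr_t* vmt = ReadVmt(obj);
    uintptr_t* copy = new uintptr_t[vmt_size];
    std::memcpy(copy, vmt, vmt_size * sizeof(uintptr_t));
    *original_out = reinterpret_cast<VirtualFn>(copy[slot]);
    copy[slot] = reinterpret_cast<uintptr_t>(hook);
    WriteVmt(obj, copy);
    return copy;
}

// Force a real indirect call through the vptr. Reading the pointer through a
// volatile local stops the compiler from devirtualizing the call at compile time.
static void CallRenderFinishVirtually(Rendering* obj) {
    Rendering* volatile laundered = obj;
    Rendering* p = laundered;
    p->RenderFinish();
}

struct DemoResult {
    int hooked_finishes;      // times the real RenderFinish ran on the hooked instance
    int hook_calls;           // times the hook ran for the hooked instance
    int untouched_finishes;   // second instance, still on the original VMT
    int untouched_hook_calls; // must stay 0: the original table was never touched
};

// Hook one instance, call both instances, unhook, and report the counters.
DemoResult RunDemo() {
    Rendering hooked, untouched;
    g_hook_calls = 0;

    uintptr_t* original_vmt = ReadVmt(&hooked);
    uintptr_t* copy = HookViaTableCopy(&hooked, 2, 1, &HookRenderFinish, &g_original_finish);

    CallRenderFinishVirtually(&hooked);
    CallRenderFinishVirtually(&hooked);
    int hook_calls_after_hooked = g_hook_calls;

    CallRenderFinishVirtually(&untouched);   // goes straight through the original table
    int hook_calls_after_untouched = g_hook_calls;

    WriteVmt(&hooked, original_vmt);         // unhook: restore the vptr before freeing the copy
    delete[] copy;

    return DemoResult{hooked.finishes, hook_calls_after_hooked,
                      untouched.finishes, hook_calls_after_untouched - hook_calls_after_hooked};
}

int main() {
    DemoResult r = RunDemo();
    std::printf("hooked instance:    RenderFinish ran %d times, hook ran %d times\n",
                r.hooked_finishes, r.hook_calls);
    std::printf("untouched instance: RenderFinish ran %d times, hook ran %d times\n",
                r.untouched_finishes, r.untouched_hook_calls);
    return 0;
}
```

The copy is sized to the whole table (here two slots) rather than just the hooked slot, and the vptr is restored before the copy is freed; freeing first would leave the instance dispatching through released memory.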

Chapter 4 Anti-Cheating software

Anti-cheat software is designed as a countermeasure against cheating in competitive online games. Technical implementations of anti-cheats are very similar to anti-virus software: a typical anti-cheat checks the player's computer for known cheat software. The action taken after a cheat is detected varies between anti-cheats and is part of each anti-cheat's strategy. Unlike an anti-virus, an anti-cheat works in a hostile environment. Cheats are designed to run with higher system permissions than the anti-cheat and are therefore able to manipulate it and make its detection methods ineffective.

4.1 Comparison of anti-cheats

Anti-cheat software is typically required to be active when a player wants to play online with other players. The anti-cheat can be either provided by the game owner, and thus built into the game, or it can be separate software that must be installed before the player can join a specific game server or participate in a tournament. Anti-cheat services differ in several ways, and several categories of anti-cheat services therefore exist. Table 4.1 lists the most common anti-cheat services.

Client side integration

Depending on how integrated the client part of the anti-cheat is on the player's machine, three categories can be distinguished.

1. Zero client integration. An anti-cheat without any code running on the client. Typically based on analyzing the client's behavior by verifying incoming client

network data. In this case the client has no access to the anti-cheat code, so a cheat developer does not know which client behavior triggers a detection or when the anti-cheat is updated.

2. User mode client integration. An anti-cheat implemented as a running process or a system service. It has limited access to computer memory.

3. Kernel mode client integration. An anti-cheat implemented as a driver, running in kernel address space and therefore having access to the whole computer memory. This is the most effective solution, but possibly a source of system instability.

An anti-cheat can also be split into multiple modules, each with a different level of integration. For example, a game can be protected by a user mode service with an additional kernel mode layer and server-side analysis of incoming client network data.

Game server integration

To be effective, an anti-cheat must also be integrated into game servers, where it is used to deny access to players who are banned from playing online (Figure 4.1). It is also used to verify that the client-side part of the anti-cheat is active and functional when a client connects to a secured game server. This minimal functionality can be extended with features that give game server administrators the ability to perform additional anti-cheat checks on a specific player, for example to request a capture of the player's game screen.

Banning strategy

Once an anti-cheat detects a cheat, an action can be taken immediately or deferred. There can be various reasons to delay the action against a player who was detected cheating. It can be a technical reason, to leave room for manual analysis of the detection and confirm it was correct, or it can be part of a long-term anti-cheat strategy. Bans are typically permanent or at least one year long.

[Figure 4.1: Typical anti-cheat implementation in a client-server online game. Client: game and anti-cheat (client scan); game traffic goes to the game server; the scan report goes to the anti-cheat master server; the game server queries the master server for the player's status.]

Ban details sharing

Once a player is banned or kicked from a game, the anti-cheat may or may not provide the player with details about the violation, such as the name of the detected program or the detection method used. The fact that a player was banned can be announced to other players, for example in-game or on the game's official website.

License and pricing

A game developer usually relies on a third-party anti-cheat service instead of developing its own. There are various anti-cheat providers with different licensing and pricing. Leagues typically provide their own anti-cheat solutions.

One game usually has one anti-cheat, but depending on requirements a game server owner can use the anti-cheat provided by the game developer and additionally license another anti-cheat with a higher level of client-side integration, for example to provide better security at a tournament. If another anti-cheat service is found to be active on the player's computer, anti-cheats typically adjust their behavior to prevent false detections. When using a third-party anti-cheat service, the game developer typically has no access to the administrative part of the anti-cheat. If the developer wants the anti-cheat to detect a specific cheat, the cheat must be sent to the company providing the anti-cheat service for analysis.

Table 4.1: List of the most common anti-cheat services.

    Anti-cheat        Company                   No. games   Client integration   Availability
    Valve Anti-Cheat  Valve Corporation         320+        User mode            Steam games
    PunkBuster        Even Balance              17          User mode            Commercial
    Warden            Blizzard Entertainment    6           User mode            Blizzard games
    GameGuard         Inca Internet             320+        Kernel mode          Commercial
    HackShield        AhnLab                    200+        Kernel mode          Commercial
    ESL Wire          Turtle Entertainment      35+         Kernel mode          ESL League
    ESEA Client       E-Sports Entertainment    3           Kernel mode          ESEA League
    EasyAntiCheat     EasyAntiCheat             13+         Kernel mode          Commercial
    BattlEye          BattlEye Innovations      3           Kernel mode          Commercial
    FairFight         GameBlocks                5+          Server only          Commercial

Chapter 5 Analysis of Valve Anti-Cheat

Valve Anti-Cheat (VAC) is an anti-cheat system developed and operated by Valve Corporation. It is designed to punish players who use cheats in online matches against other players by permanently banning them from playing the game online. It is integrated into the Steam client and currently supports over 320 games on Steam. It works by scanning the player's computer for known cheats; by design it only bans for cheats that are in its database of known cheats [11]. Every player is required to have a registered Steam account linked to a purchased copy of the game. Once a known cheat is detected to be active on the player's computer, the Steam account is marked for a future ban. The player is then allowed to keep playing with the marked account for a few more days, giving him the false impression that the cheat remains undetected. Once the Steam account is banned, no ban details are provided, and the player must create a new Steam account and repurchase the game. Cheat providers typically publish the detection status of their cheats (detected, undetected or unknown) based on ban reports from their users. This information can be highly inaccurate because of the delay between detection and the actual ban.

5.1 Client-side implementation

VAC is implemented as a library which operates in user mode and uses various scan methods to detect cheat programs running on the player's computer. Since a game is not guaranteed to run with elevated privileges, VAC does not operate inside the game's address space; instead it runs inside Steam.exe, so all memory operations on the game are executed remotely. If Steam happens to run with limited

permissions, SteamService.exe, which is registered as a Windows service, comes into play. VAC is currently used in two versions, VAC2 and VAC3. The VAC2 client has not been updated for a while and is probably only kept for legacy reasons: the compile timestamp in the PE header of the latest VAC2 library shows it was built on 03/11/2010. The main difference between the second and third version is how Steam loads them. VAC2 is implemented as a single DLL called sourceinit.dat located in the Steam directory. Once a game is started, a function inside Steamclient.dll copies this DLL into the system temp directory under a random name and loads it via LoadLibrary. This approach has several disadvantages:

1. Since the library file is part of the Steam client, a Steam client update is required to update the anti-cheat.
2. The whole anti-cheat code is stored on the user's machine, so it is much easier to analyze and circumvent.
3. It is trivial to detect anti-cheat updates (by comparing file checksums).

VAC3 uses a completely different loading method. The loading function is located inside Steamservice.dll, and the VAC library is not stored locally: it is downloaded from Steam servers and loaded on the fly at any time while a VAC-protected game is running, using the injection of arbitrary code method described in chapter 3. This solves all of the disadvantages of the VAC2 loading method:

1. The VAC library is not part of the Steam client, so it can be updated at any time, and multiple libraries can be loaded at the same time.
2. Instead of a single VAC library the anti-cheat can be split into multiple libraries, so a cheat developer never has access to the whole anti-cheat code at once.
3. Specific VAC libraries can be deployed to only a small subset of all players of a game, so a cheat developer cannot be sure if and when a new library has been released.

The structure of a VAC library is very similar between VAC2 and VAC3, the main difference being that instead of holding the whole anti-cheat like VAC2, a VAC3 library usually contains only one or two scan functions at a time. Once a VAC library is loaded, an exported function runfunc is called to execute a cheat scan. The prototype of this function is:

    int runfunc(int scanid, void* VACPacket, int packetsize, void* responsebuffer, int responsesize);

    int scanid           - id of the scan the server wants VAC to execute
    void* VACPacket      - structure holding the parameters of the scan function, for example the PID of the external process the anti-cheat wants to analyze
    int packetsize       - size of the VACPacket structure
    void* responsebuffer - structure holding the result of the scan function
    int responsesize     - size of responsebuffer

The return value is one of:

    1 - scan function executed and responsebuffer holds valid data
    2 - unknown error
    3 - unknown scanid
    4 - packetsize or responsesize is too small

Loaded libraries remain ready to execute different scans with different parameters at any time on the server's request.

5.2 Process monitoring

Process monitoring is important for detecting external cheats, cheat injectors and other suspicious programs which could be used to access the game's address space. It ensures that when a player runs a suspicious program, it gets reported to the VAC servers together with the additional data required to identify the program. VAC is only active after a player joins a VAC-secured game server. Because of this, the process monitor is implemented inside the Steam client, which allows it to detect suspicious programs even before a game starts. Once a suspicious process is detected, it is put on a

list which VAC consults once the player connects to a VAC-secured game server. VAC then collects information about those programs and sends a report about them to the VAC servers. If those programs are identified as cheats, the player gets banned for cheating. The first part of the process monitor is a listener for process creation and termination events. If a process is created during a critical time interval, for example right before a player starts a game or later while the game is running, the process gets marked as a candidate for a later VAC scan. The second part is implemented in the Steam API library which is loaded by the game. Because the Steam API library runs inside the game's address space, it is able to detect creation of new local threads and handles to the game opened by other programs. A process gets marked for a later VAC scan if it creates a new thread inside the game or opens a handle to it via OpenProcess.

5.3 Code blacklisting

Code injection, especially DLL injection, is often used by legitimate programs, for example anti-virus software. Because of this, detection of injected code is based on blacklisting known libraries and binary code. VAC scans the whole game address space to detect all loaded DLL files and all executable memory regions. GetMappedFileName is called for every memory region. If the memory region represents a mapped file, typically a loaded DLL, GetMappedFileName returns the full path to the file. Both the mapped memory region and the file are hashed and reported to the VAC servers for identification. If a memory region does not belong to a mapped file but contains a section marked as executable, it is suspicious, and VAC performs further analysis of that region.

5.4 Integrity checking

Integrity checking is the process of validating the integrity of the game code and its static data. All game DLL files are scanned and their read-only sections, typically .text and .rdata, are hashed and compared with their local copy on disk. This works effectively against hooking methods based on modifying read-only data. In practice the comparison must first apply the image's base relocations to the on-disk copy (or mask the relocated words), otherwise a DLL loaded at a non-preferred base differs from its file everywhere an absolute address is stored. A detected modification is then analyzed further to distinguish between a modification created by a cheat and a possible memory corruption. While this method is effective in detecting new cheats, it is widely known to cheat developers and is also prone to false-positive detections [13]. Figure 5.1 shows the error caused by modification of critical game DLL files in Counter-Strike.

[Figure 5.1: Integrity check of local files.]

5.5 Environmental checking

Cheat developers often configure the operating systems on which their cheats are deployed to make VAC scans non-functional or less effective. The most common requirement of private cheat providers is that users disable DEP, which allows the cheat to hide its code in memory regions that are not marked as executable. This effectively circumvents the code blacklisting technique described above. Cheats operating in kernel mode are typically not signed with a certificate and therefore require the user to disable Driver Signature Enforcement so that unsigned drivers can be loaded in Windows [8]. Environmental checking is done partially on the client side, where specific VAC modules check the current system settings, and partially on the server side, where the VAC servers check the reports sent by the VAC modules. If VAC

happens to find an incorrect system configuration, or the VAC servers receive incorrect or corrupted results, the player will not be able to play on VAC-secured servers until the issue preventing VAC from working is fixed [14]. Figure 5.2 shows the error caused by disabling DEP.

[Figure 5.2: VAC environmental checking.]

5.6 Kernel mode cheat detection

VAC runs in user mode and hence has no access to the kernel mode address space. This makes any kernel mode code blacklisting impossible, so detecting a specific kernel mode cheat requires creating a specific detection method for it. Even when a cheat runs in kernel mode, it affects the user mode environment, for example by creating new files, registry entries, etc., which can be detected by user mode applications. Every user mode change made by a kernel cheat can be used to create a detection method. Cheat developers, however, typically react fast to new detection methods and work on minimizing the detection surface of their cheats. There are known cases of specialized VAC modules used to detect kernel mode cheats. The most recent one was a module which scanned the local DNS cache, looking for DNS records of known cheat DRM servers. Gabe Newell (co-founder of Valve) said of kernel mode cheats: "Kernel-level cheats are expensive to create, and they are expensive to detect. Our goal is to make them more expensive for cheaters and cheat
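As an added example (not VAC's code and not from the thesis), the two scans from sections 5.3 and 5.4 run over a constructed address space. The Region records stand in for what VirtualQueryEx and GetMappedFileName would report for each region, together with the region's current bytes and the bytes of its backing file; the file bytes are assumed to already have base relocations applied. The hash is FNV-1a, chosen only for brevity; the sample regions (a patched VMT slot in .rdata, an injected private executable region, and two benign regions) and all names are this example's own.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// One memory region as VirtualQueryEx + GetMappedFileName would report it.
// `memory` is the region's current content, `disk` the corresponding bytes of the
// backing file (empty when the region is not file-backed). All data here is constructed.
struct Region {
    std::string name;              // label for the report only
    std::uintptr_t base;
    bool executable;               // PAGE_EXECUTE* protection
    bool read_only;                // protection allows no writes (e.g. .text, .rdata)
    std::string mapped_file;       // "" when GetMappedFileName would fail (private memory)
    std::vector<std::uint8_t> memory;
    std::vector<std::uint8_t> disk;
};

struct Finding {
    std::string region;
    std::string reason;            // "executable-private" or "modified-readonly"
    std::uintptr_t address;        // region base, or first modified byte for integrity findings
    std::size_t length;            // region size, or length of the modified run
};

// 64-bit FNV-1a: a fingerprint that detects any change, not a security hash.
std::uint64_t Fnv1a64(const std::vector<std::uint8_t>& data) {
    std::uint64_t h = 1469598103934665603ULL;
    for (std::uint8_t b : data) { h ^= b; h *= 1099511628211ULL; }
    return h;
}

// Section 5.3: executable memory that is not backed by a mapped file.
static bool IsExecutablePrivate(const Region& r) {
    return r.executable && r.mapped_file.empty();
}

// Section 5.4: a file-backed read-only region whose hash differs from the on-disk bytes.
// On a mismatch the modified range is narrowed down for the later analysis step.
// `disk` must already carry the same base relocations as the loaded image.
static bool FindModifiedRange(const Region& r, std::size_t* first, std::size_t* len) {
    if (r.mapped_file.empty() || !r.read_only) return false;
    if (r.memory.size() != r.disk.size()) { *first = 0; *len = r.memory.size(); return true; }
    if (Fnv1a64(r.memory) == Fnv1a64(r.disk)) return false;
    std::size_t lo = 0, hi = r.memory.size();
    while (lo < hi && r.memory[lo] == r.disk[lo]) ++lo;
    while (hi > lo && r.memory[hi - 1] == r.disk[hi - 1]) --hi;
    *first = lo; *len = hi - lo;
    return true;
}

// Walk the address space once and apply both checks to every region.
std::vector<Finding> ScanRegions(const std::vector<Region>& regions) {
    std::vector<Finding> out;
    for (const Region& r : regions) {
        if (IsExecutablePrivate(r))
            out.push_back({r.name, "executable-private", r.base, r.memory.size()});
        std::size_t first = 0, len = 0;
        if (FindModifiedRange(r, &first, &len))
            out.push_back({r.name, "modified-readonly", r.base + first, len});
    }
    return out;
}

// Constructed sample address space: one overwritten 8-byte VMT slot in .rdata,
// one injected private executable region, and two benign regions.
std::vector<Region> SampleRegions() {
    std::vector<std::uint8_t> rdata(64, 0x11);           // fake .rdata holding function pointers
    std::vector<std::uint8_t> patched = rdata;
    for (int i = 0; i < 8; ++i) patched[24 + i] = 0xEE;  // slot at offset 24 now points at a hook
    return {
        {".text client.dll",  0x10001000, true,  true,  "C:\\game\\client.dll",
         std::vector<std::uint8_t>(128, 0x90), std::vector<std::uint8_t>(128, 0x90)},
        {".rdata client.dll", 0x10020000, false, true,  "C:\\game\\client.dll", patched, rdata},
        {"heap",              0x00400000, false, false, "", std::vector<std::uint8_t>(32, 0x00), {}},
        {"injected",          0x7FF00000, true,  false, "", std::vector<std::uint8_t>(16, 0xCC), {}},
    };
}

int main() {
    for (const Finding& f : ScanRegions(SampleRegions()))
        std::printf("%-18s %-20s at 0x%llx (%zu bytes)\n", f.region.c_str(), f.reason.c_str(),
                    (unsigned long long)f.address, f.length);
    return 0;
}
```

The .text region is executable but file-backed and unmodified, so it produces nothing; the heap is private but not executable. Note what the scan cannot see: with DEP disabled, as section 5.5 describes, injected code can sit in a region without PAGE_EXECUTE and still run, so IsExecutablePrivate never fires for it.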


More information

The Value of Physical Memory for Incident Response

The Value of Physical Memory for Incident Response The Value of Physical Memory for Incident Response MCSI 3604 Fair Oaks Blvd Suite 250 Sacramento, CA 95864 www.mcsi.mantech.com 2003-2015 ManTech Cyber Solutions International, All Rights Reserved. Physical

More information

Thin@ System Architecture V3.2. Last Update: August 2015

Thin@ System Architecture V3.2. Last Update: August 2015 Thin@ System Architecture V3.2 Last Update: August 2015 Introduction http://www.thinetsolution.com Welcome to Thin@ System Architecture manual! Modern business applications are available to end users as

More information

Danware introduces NetOp Remote Control in version 7.01 replacing version 7.0 as the shipping version.

Danware introduces NetOp Remote Control in version 7.01 replacing version 7.0 as the shipping version. Release notes version 7.01 Danware introduces NetOp Remote Control in version 7.01 replacing version 7.0 as the shipping version. It s available as a free downloadable upgrade to existing version 7.0 customers

More information

How To Hack The Steam Voip On Pc Orchesterian Moonstone 2.5 (Windows) On Pc/Robert Kruber (Windows 2) On Linux 2.2.2 (Windows 3.5) On A Pc

How To Hack The Steam Voip On Pc Orchesterian Moonstone 2.5 (Windows) On Pc/Robert Kruber (Windows 2) On Linux 2.2.2 (Windows 3.5) On A Pc ReVuln Ltd. http://revuln.com @revuln info@revuln.com Revision 3 STEAM VOIP SECURITY BY LUIGI AURIEMMA Overview and details about the security issues found in the Steam voice framework. TABLE OF CONTENTS

More information

esrever gnireenigne tfosorcim seiranib

esrever gnireenigne tfosorcim seiranib esrever gnireenigne tfosorcim seiranib Alexander Sotirov asotirov@determina.com CanSecWest / core06 Reverse Engineering Microsoft Binaries Alexander Sotirov asotirov@determina.com CanSecWest / core06 Overview

More information

Hacking Techniques & Intrusion Detection. Ali Al-Shemery arabnix [at] gmail

Hacking Techniques & Intrusion Detection. Ali Al-Shemery arabnix [at] gmail Hacking Techniques & Intrusion Detection Ali Al-Shemery arabnix [at] gmail All materials is licensed under a Creative Commons Share Alike license http://creativecommonsorg/licenses/by-sa/30/ # whoami Ali

More information

LASTLINE WHITEPAPER. In-Depth Analysis of Malware

LASTLINE WHITEPAPER. In-Depth Analysis of Malware LASTLINE WHITEPAPER In-Depth Analysis of Malware Abstract Malware analysis is the process of determining the purpose and functionality of a given malware sample (such as a virus, worm, or Trojan horse).

More information

FTP Client Engine Library for Visual dbase. Programmer's Manual

FTP Client Engine Library for Visual dbase. Programmer's Manual FTP Client Engine Library for Visual dbase Programmer's Manual (FCE4DB) Version 3.3 May 6, 2014 This software is provided as-is. There are no warranties, expressed or implied. MarshallSoft Computing, Inc.

More information

Format string exploitation on windows Using Immunity Debugger / Python. By Abysssec Inc WwW.Abysssec.Com

Format string exploitation on windows Using Immunity Debugger / Python. By Abysssec Inc WwW.Abysssec.Com Format string exploitation on windows Using Immunity Debugger / Python By Abysssec Inc WwW.Abysssec.Com For real beneficiary this post you should have few assembly knowledge and you should know about classic

More information

Violating Database - Enforced Security Mechanisms

Violating Database - Enforced Security Mechanisms Violating Database - Enforced Security Mechanisms Runtime Patching Exploits in SQL Server 2000: a case study Chris Anley [chris@ngssoftware.com] 18/06/2002 An NGSSoftware Insight Security Research (NISR)

More information

SkyRecon Cryptographic Module (SCM)

SkyRecon Cryptographic Module (SCM) SkyRecon Cryptographic Module (SCM) FIPS 140-2 Documentation: Security Policy Abstract This document specifies the security policy for the SkyRecon Cryptographic Module (SCM) as described in FIPS PUB 140-2.

More information

Automating Mimicry Attacks Using Static Binary Analysis

Automating Mimicry Attacks Using Static Binary Analysis Automating Mimicry Attacks Using Static Binary Analysis Christopher Kruegel and Engin Kirda Technical University Vienna chris@auto.tuwien.ac.at, engin@infosys.tuwien.ac.at Darren Mutz, William Robertson,

More information

SMTP-32 Library. Simple Mail Transfer Protocol Dynamic Link Library for Microsoft Windows. Version 5.2

SMTP-32 Library. Simple Mail Transfer Protocol Dynamic Link Library for Microsoft Windows. Version 5.2 SMTP-32 Library Simple Mail Transfer Protocol Dynamic Link Library for Microsoft Windows Version 5.2 Copyright 1994-2003 by Distinct Corporation All rights reserved Table of Contents 1 Overview... 5 1.1

More information

OLD WIN32 CODE FOR A MODERN, SUPER-STEALTH TROJAN

OLD WIN32 CODE FOR A MODERN, SUPER-STEALTH TROJAN OLD WIN32 CODE FOR A MODERN, SUPER-STEALTH TROJAN BLACKHAT EUROPE 2004 Eric DETOISIEN Team Rstack Eyal DOTAN Tegam International Agenda Introduction Communication model Code injection API Hooking Final

More information

Manage Traps in a VDI Environment. Traps Administrator s Guide. Version 3.3. Copyright 2007-2015 Palo Alto Networks

Manage Traps in a VDI Environment. Traps Administrator s Guide. Version 3.3. Copyright 2007-2015 Palo Alto Networks Manage Traps in a VDI Environment Traps Administrator s Guide Version 3.3 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact-us

More information

Kaspersky Whitelisting Database Test

Kaspersky Whitelisting Database Test Kaspersky Whitelisting Database Test A test commissioned by Kaspersky Lab and performed by AV-Test GmbH Date of the report: February 14 th, 2013, last update: April 4 th, 2013 Summary During November 2012

More information

APPLICATION SECURITY: FROM WEB TO MOBILE. DIFFERENT VECTORS AND NEW ATTACK

APPLICATION SECURITY: FROM WEB TO MOBILE. DIFFERENT VECTORS AND NEW ATTACK APPLICATION SECURITY: FROM WEB TO MOBILE. DIFFERENT VECTORS AND NEW ATTACK John T Lounsbury Vice President Professional Services, Asia Pacific INTEGRALIS Session ID: MBS-W01 Session Classification: Advanced

More information

Application Note. Introduction AN2471/D 3/2003. PC Master Software Communication Protocol Specification

Application Note. Introduction AN2471/D 3/2003. PC Master Software Communication Protocol Specification Application Note 3/2003 PC Master Software Communication Protocol Specification By Pavel Kania and Michal Hanak S 3 L Applications Engineerings MCSL Roznov pod Radhostem Introduction The purpose of this

More information

Inside Windows Rootkits

Inside Windows Rootkits Chris Ries Security Research Engineer VigilantMinds Inc. 4736 Penn Avenue Pittsburgh, PA 15224 info@vigilantminds.com Introduction Although they have been around for quite some time, rootkits have become

More information

Unix Security Technologies. Pete Markowsky <peterm[at] ccs.neu.edu>

Unix Security Technologies. Pete Markowsky <peterm[at] ccs.neu.edu> Unix Security Technologies Pete Markowsky What is this about? The goal of this CPU/SWS are: Introduce you to classic vulnerabilities Get you to understand security advisories Make

More information

ODBC Client Driver Help. 2015 Kepware, Inc.

ODBC Client Driver Help. 2015 Kepware, Inc. 2015 Kepware, Inc. 2 Table of Contents Table of Contents 2 4 Overview 4 External Dependencies 4 Driver Setup 5 Data Source Settings 5 Data Source Setup 6 Data Source Access Methods 13 Fixed Table 14 Table

More information

This report is a detailed analysis of the dropper and the payload of the HIMAN malware.

This report is a detailed analysis of the dropper and the payload of the HIMAN malware. PAGE 5 Check Point Malware Research Group HIMAN Malware Analysis December 12, 2013 Researcher: Overview This report is a detailed analysis of the dropper and the payload of the HIMAN malware. This malware

More information

Confinement Problem. The confinement problem Isolating entities. Example Problem. Server balances bank accounts for clients Server security issues:

Confinement Problem. The confinement problem Isolating entities. Example Problem. Server balances bank accounts for clients Server security issues: Confinement Problem The confinement problem Isolating entities Virtual machines Sandboxes Covert channels Mitigation 1 Example Problem Server balances bank accounts for clients Server security issues:

More information

DiskPulse DISK CHANGE MONITOR

DiskPulse DISK CHANGE MONITOR DiskPulse DISK CHANGE MONITOR User Manual Version 7.9 Oct 2015 www.diskpulse.com info@flexense.com 1 1 DiskPulse Overview...3 2 DiskPulse Product Versions...5 3 Using Desktop Product Version...6 3.1 Product

More information

Illustration 1: Diagram of program function and data flow

Illustration 1: Diagram of program function and data flow The contract called for creation of a random access database of plumbing shops within the near perimeter of FIU Engineering school. The database features a rating number from 1-10 to offer a guideline

More information

Xcode Project Management Guide. (Legacy)

Xcode Project Management Guide. (Legacy) Xcode Project Management Guide (Legacy) Contents Introduction 10 Organization of This Document 10 See Also 11 Part I: Project Organization 12 Overview of an Xcode Project 13 Components of an Xcode Project

More information

Pattern Insight Clone Detection

Pattern Insight Clone Detection Pattern Insight Clone Detection TM The fastest, most effective way to discover all similar code segments What is Clone Detection? Pattern Insight Clone Detection is a powerful pattern discovery technology

More information

Title Release Notes PC SDK 5.14.03. Date 2012-03-30. Dealt with by, telephone. Table of Content GENERAL... 3. Corrected Issues 5.14.03 PDD...

Title Release Notes PC SDK 5.14.03. Date 2012-03-30. Dealt with by, telephone. Table of Content GENERAL... 3. Corrected Issues 5.14.03 PDD... 1/15 Table of Content GENERAL... 3 Release Information... 3 Introduction... 3 Installation... 4 Hardware and Software requirements... 5 Deployment... 6 Compatibility... 7 Updates in PC SDK 5.14.03 vs.

More information

Example of Standard API

Example of Standard API 16 Example of Standard API System Call Implementation Typically, a number associated with each system call System call interface maintains a table indexed according to these numbers The system call interface

More information

Hypercosm. Studio. www.hypercosm.com

Hypercosm. Studio. www.hypercosm.com Hypercosm Studio www.hypercosm.com Hypercosm Studio Guide 3 Revision: November 2005 Copyright 2005 Hypercosm LLC All rights reserved. Hypercosm, OMAR, Hypercosm 3D Player, and Hypercosm Studio are trademarks

More information

So today we shall continue our discussion on the search engines and web crawlers. (Refer Slide Time: 01:02)

So today we shall continue our discussion on the search engines and web crawlers. (Refer Slide Time: 01:02) Internet Technology Prof. Indranil Sengupta Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Lecture No #39 Search Engines and Web Crawler :: Part 2 So today we

More information

CatDV Pro Workgroup Serve r

CatDV Pro Workgroup Serve r Architectural Overview CatDV Pro Workgroup Server Square Box Systems Ltd May 2003 The CatDV Pro client application is a standalone desktop application, providing video logging and media cataloging capability

More information

All Your Code Belongs To Us Dismantling Android Secrets With CodeInspect. Steven Arzt. 04.10.2015 Secure Software Engineering Group Steven Arzt 1

All Your Code Belongs To Us Dismantling Android Secrets With CodeInspect. Steven Arzt. 04.10.2015 Secure Software Engineering Group Steven Arzt 1 All Your Code Belongs To Us Dismantling Android Secrets With CodeInspect Steven Arzt 04.10.2015 Secure Software Engineering Group Steven Arzt 1 04.10.2015 Secure Software Engineering Group Steven Arzt

More information

Workshop on Network Traffic Capturing and Analysis IITG, DIT, CERT-In, C-DAC. Host based Analysis. {Himanshu Pareek, himanshup@cdac.

Workshop on Network Traffic Capturing and Analysis IITG, DIT, CERT-In, C-DAC. Host based Analysis. {Himanshu Pareek, himanshup@cdac. Workshop on Network Traffic Capturing and Analysis IITG, DIT, CERT-In, C-DAC Host based Analysis {Himanshu Pareek, himanshup@cdac.in} {C-DAC Hyderabad, www.cdachyd.in} 1 Reference to previous lecture Bots

More information

Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus

Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus Mobile Application Hacking for Android and iphone 4-Day Hands-On Course Syllabus Android and iphone Mobile Application Hacking 4-Day Hands-On Course Course description This course will focus on the techniques

More information

Knocker main application User manual

Knocker main application User manual Knocker main application User manual Author: Jaroslav Tykal Application: Knocker.exe Document Main application Page 1/18 U Content: 1 START APPLICATION... 3 1.1 CONNECTION TO DATABASE... 3 1.2 MODULE DEFINITION...

More information

Monitoring, Tracing, Debugging (Under Construction)

Monitoring, Tracing, Debugging (Under Construction) Monitoring, Tracing, Debugging (Under Construction) I was already tempted to drop this topic from my lecture on operating systems when I found Stephan Siemen's article "Top Speed" in Linux World 10/2003.

More information

Features Overview Guide About new features in WhatsUp Gold v14

Features Overview Guide About new features in WhatsUp Gold v14 Features Overview Guide About new features in WhatsUp Gold v14 Contents New Features in Ipswitch WhatsUp Gold v14 Welcome to WhatsUp Gold v14!... 1 About the Welcome Center About the Quick Setup Assistant...

More information

Using Process Monitor

Using Process Monitor Using Process Monitor Process Monitor Tutorial This information was adapted from the help file for the program. Process Monitor is an advanced monitoring tool for Windows that shows real time file system,

More information

CS 377: Operating Systems. Outline. A review of what you ve learned, and how it applies to a real operating system. Lecture 25 - Linux Case Study

CS 377: Operating Systems. Outline. A review of what you ve learned, and how it applies to a real operating system. Lecture 25 - Linux Case Study CS 377: Operating Systems Lecture 25 - Linux Case Study Guest Lecturer: Tim Wood Outline Linux History Design Principles System Overview Process Scheduling Memory Management File Systems A review of what

More information

ADVANCED THREATS IN THE ENTERPRISE. Finding an Evil in the Haystack with RSA ECAT. White Paper

ADVANCED THREATS IN THE ENTERPRISE. Finding an Evil in the Haystack with RSA ECAT. White Paper ADVANCED THREATS IN THE ENTERPRISE Finding an Evil in the Haystack with RSA ECAT White Paper With thousands of workstations and servers under management, most enterprises have no way to effectively make

More information

Parasitics: The Next Generation. Vitaly Zaytsev Abhishek Karnik Joshua Phillips

Parasitics: The Next Generation. Vitaly Zaytsev Abhishek Karnik Joshua Phillips Parasitics: The Next Generation. Vitaly Zaytsev Abhishek Karnik Joshua Phillips Agenda Overview W32/Xpaj analysis Overview of a virtual machine Software protection trends W32/Winemmem analysis W32/Induc

More information

Host-based Intrusion Prevention System (HIPS)

Host-based Intrusion Prevention System (HIPS) Host-based Intrusion Prevention System (HIPS) White Paper Document Version ( esnhips 14.0.0.1) Creation Date: 6 th Feb, 2013 Host-based Intrusion Prevention System (HIPS) Few years back, it was relatively

More information

Reverse Engineering and Computer Security

Reverse Engineering and Computer Security Reverse Engineering and Computer Security Alexander Sotirov alex@sotirov.net Introduction Security researcher at Determina, working on our LiveShield product Responsible for vulnerability analysis and

More information

HTC Windows Phone 7 Arbitrary Read/Write of Kernel Memory 10/11/2011

HTC Windows Phone 7 Arbitrary Read/Write of Kernel Memory 10/11/2011 MWR InfoSecurity Advisory HTC Windows Phone 7 Arbitrary Read/Write of Kernel Memory 10/11/2011 Package Name Date 10/11/2011 Affected Versions HTC Windows Phone 7 Phones HTC HD7 confirmed to be vulnerable.

More information

http://www.nologin.org Bypassing Windows Hardware-enforced Data Execution Prevention

http://www.nologin.org Bypassing Windows Hardware-enforced Data Execution Prevention http://www.nologin.org Bypassing Windows Hardware-enforced Data Execution Prevention Oct 2, 2005 skape mmiller@hick.org Skywing Skywing@valhallalegends.com One of the big changes that Microsoft introduced

More information

Sandy. The Malicious Exploit Analysis. http://exploit-analysis.com/ Static Analysis and Dynamic exploit analysis. Garage4Hackers

Sandy. The Malicious Exploit Analysis. http://exploit-analysis.com/ Static Analysis and Dynamic exploit analysis. Garage4Hackers Sandy The Malicious Exploit Analysis. http://exploit-analysis.com/ Static Analysis and Dynamic exploit analysis About Me! I work as a Researcher for a Global Threat Research firm.! Spoke at the few security

More information

Custom Penetration Testing

Custom Penetration Testing Custom Penetration Testing Compromising a Vulnerability through Discovery and Custom Exploitation Stephen Sims Advanced Penetration Testing - 2009 SANS 1 Objectives Penetration Testing Precompiled Tools

More information

ESET Endpoint Security 6 ESET Endpoint Antivirus 6 for Windows

ESET Endpoint Security 6 ESET Endpoint Antivirus 6 for Windows ESET Endpoint Security 6 ESET Endpoint Antivirus 6 for Windows Products Details ESET Endpoint Security 6 protects company devices against most current threats. It proactively looks for suspicious activity

More information

Sandbox Roulette: Are you ready for the gamble?

Sandbox Roulette: Are you ready for the gamble? Sandbox Roulette: Are you ready for the gamble? Rafal Wojtczuk rafal@bromium.com Rahul Kashyap rahul@bromium.com What is a sandbox? In computer security terminology, a sandbox is an environment designed

More information

Bitrix Site Manager 4.1. User Guide

Bitrix Site Manager 4.1. User Guide Bitrix Site Manager 4.1 User Guide 2 Contents REGISTRATION AND AUTHORISATION...3 SITE SECTIONS...5 Creating a section...6 Changing the section properties...8 SITE PAGES...9 Creating a page...10 Editing

More information

SIMATIC. WinCC V7.0. Getting started. Getting started. Welcome 2. Icons 3. Creating a project 4. Configure communication 5

SIMATIC. WinCC V7.0. Getting started. Getting started. Welcome 2. Icons 3. Creating a project 4. Configure communication 5 SIMATIC WinCC V7.0 SIMATIC WinCC V7.0 Printout of the Online Help 1 Welcome 2 Icons 3 Creating a project 4 Configure communication 5 Configuring the Process Screens 6 Archiving and displaying values 7

More information

RSA Enterprise Compromise Assessment Tool (ECAT) Date: January 2014 Authors: Jon Oltsik, Senior Principal Analyst and Tony Palmer, Senior Lab Analyst

RSA Enterprise Compromise Assessment Tool (ECAT) Date: January 2014 Authors: Jon Oltsik, Senior Principal Analyst and Tony Palmer, Senior Lab Analyst ESG Lab Review RSA Enterprise Compromise Assessment Tool (ECAT) Date: January 2014 Authors: Jon Oltsik, Senior Principal Analyst and Tony Palmer, Senior Lab Analyst Abstract: This ESG Lab review documents

More information

Adobe Flash Player and Adobe AIR security

Adobe Flash Player and Adobe AIR security Adobe Flash Player and Adobe AIR security Both Adobe Flash Platform runtimes Flash Player and AIR include built-in security and privacy features to provide strong protection for your data and privacy,

More information

Bug hunting. Vulnerability finding methods in Windows 32 environments compared. FX of Phenoelit

Bug hunting. Vulnerability finding methods in Windows 32 environments compared. FX of Phenoelit Bug hunting Vulnerability finding methods in Windows 32 environments compared FX of Phenoelit The goal: 0day What we are looking for: Handles network side input Runs on a remote system Is complex enough

More information

Securing Your Business s Bank Account

Securing Your Business s Bank Account Commercial Banking Customers Securing Your Business s Bank Account Trusteer Rapport Resource Guide For Business Banking January 2014 Table of Contents 1. Introduction 3 Who is Trusteer? 3 2. What is Trusteer

More information

Jorix kernel: real-time scheduling

Jorix kernel: real-time scheduling Jorix kernel: real-time scheduling Joris Huizer Kwie Min Wong May 16, 2007 1 Introduction As a specialized part of the kernel, we implemented two real-time scheduling algorithms: RM (rate monotonic) and

More information

Compute Cluster Server Lab 3: Debugging the parallel MPI programs in Microsoft Visual Studio 2005

Compute Cluster Server Lab 3: Debugging the parallel MPI programs in Microsoft Visual Studio 2005 Compute Cluster Server Lab 3: Debugging the parallel MPI programs in Microsoft Visual Studio 2005 Compute Cluster Server Lab 3: Debugging the parallel MPI programs in Microsoft Visual Studio 2005... 1

More information

Procon Frostbite 1.1 and subsequent releases End User License Agreement Revised: April 7, 2015

Procon Frostbite 1.1 and subsequent releases End User License Agreement Revised: April 7, 2015 Procon Frostbite 1.1 and subsequent releases End User License Agreement Revised: April 7, 2015 THIS IS A LEGAL AGREEMENT between "you", the individual, company, or organisation utilising Procon Frostbite

More information

Software security. Buffer overflow attacks SQL injections. Lecture 11 EIT060 Computer Security

Software security. Buffer overflow attacks SQL injections. Lecture 11 EIT060 Computer Security Software security Buffer overflow attacks SQL injections Lecture 11 EIT060 Computer Security Buffer overflow attacks Buffer overrun is another common term Definition A condition at an interface under which

More information

How To Protect Your Data From Being Hacked On Security Cloud

How To Protect Your Data From Being Hacked On Security Cloud F-SECURE SECURITY CLOUD Purpose, function and benefits October 2015 CONTENTS F-Secure Security Cloud in brief 2 Security Cloud benefits 3 How does Security Cloud work? 4 Security Cloud metrics 4 Security

More information