Vague Concepts

You know what is totally useless? Vague concepts on how to implement security products. Whenever someone is vague about how his software works and promises everyone pie in the sky, we have no choice but to call bullshit.

While Game:ref does not fall one hundred percent into this category, it had many shortcomings, not least because details of the implementation were omitted, simplified or brushed off as minor disadvantages. But at least there was a proof of concept and a technical outline of how it should work.
Expectedly this still wasn't enough. The Game:ref Kickstarter, which set out to collect no less than $200,000, recently died without a word from the author [1].

Sadly this does not keep people from announcing the holy grail of anticheat in a big wall of text with almost no useful information.
Worse than that: there isn't even a tiny shred of verifiable information in it.
I am talking about this:
http://www.reddit.com/r/GlobalOffensive/comments/36bpgs/we_are_developing_an_anticheat_that_is_better_in/

So the very first thing that comes to mind is to question the motives of the post. Why post a big wall of text, promising "an anti-cheat that is better in every single way than any that exist", while giving no information about the concept?

The first clue is in the questionnaire at the end of the post. The first two questions already start with "Would you pay...".
Ha! Is it seriously that shallow and transparent? I am not even the slightest bit surprised. This is the same banter you get from payhack developers, who promise undetectable, stable, cheap and feature-rich hacks, when in reality the customer gets buggy, unstable hacks with unimpressive features (which every old free open-source OGC hack trumped more than a decade ago), expensive monthly fees and DRM mechanisms.

Now let's work through the important parts of the post bit by bit. Some of these comments are nothing more than poking in the dark, because, as I said, we have no real verifiable information to go on.

My background is in development.
I run a design, consulting and development company. I am self-taught, but also attended school in order to see if I was missing anything. I wasn't; in some cases, I taught my professors things. I know PHP, Java, Python, Ruby (among HTML, CSS and tons of random web/LAMP based languages) and have recently been learning C++.

I connected with a friend who specializes in Javascript and Python, and he was able to connect me to his friend who is an expert in all variations of C, among many other low/high level development languages.

There were some good answers to this on Reddit already. The whole block is nothing but tooting his own horn: establishing credentials to make himself more believable.
He is clearly deceiving himself, overestimating his own importance and skills. The whole "I taught my professors things" is simply meaningless. Have you ever configured a Mixminion remailer on OpenBSD? You haven't? I must be smarter than you, then.

While all these remarks are true, I simply call irrelevance. I don't care. Just show me what you've got. What is your concept? Let me verify it, please. For the love of god, just let me try to hack it.

Let’s continue to read his tale.

We got onto a server together (not competitive), and started firing up various cheats, some before we started CS:GO, some after, in many iterations.

In some cases before they were even toggled on, or in basic terms, while it was gathering information in order to prepare the cheat to be toggled on, our anti-cheat detected successfully 12/16 cheats that we were testing.

One of the other four was detected in less than five minutes, two within fifteen minutes, while one cheat evaded us completely. Come to find out, the final cheat was not even working, thus why we did not detect it.

That's a 15/15 score, with one non-operational cheat (which doesn't matter) not being detected.

What can we gather from this? They tested 16 cheats. One of them was non-functional.
We don’t know which ones. We don’t know how these cheats work, what features they have, how intrusive they are, what mechanisms they exploit, nothing.

Next we get the information that some of the cheats were detected immediately, while others took minutes to detect. Knowing nothing about the anticheat's architecture, the only inference is that it processes data which takes minutes to sift through and analyze on a modern system. I am just taking a guess here: maybe it walks the whole physical memory and looks for x86/x64 instruction patterns that access and process internal structures of the game process. It wouldn't be a bad approach. The heuristics might be a bit difficult, you would have false positives, false negatives and the usual problems, but why not.
Maybe this AC even uses techniques like Pin tracing or dynamic recompilation [2]...

I can take guesses all day, but let's face it: a testable and verifiable concept encompasses much more than the vague mention of a method like this, and the Reddit post didn't even do that. It leaves us with nothing but anecdotes. And everybody knows that anecdotal evidence is poor and unreliable [3][4].
Moving on.

After we decompiled them, we anonymously sent many of them to various dev teams over the last month or so in order for them to better detect them. We even highlighted routines they should pay attention to.

Really? You decompiled all the hacks and sent them to Valve? Or do you mean you merely disassembled them, which is a job for a tool? Or did you really decompile every hack manually back to C or C++, which would take years?

I think the most plausible explanation is: they ran all the hacks through a pirated copy of the Hex-Rays decompiler [5] and maybe commented some structures and functions here and there...

Anyway: here is another clue for my hypothesis that the anticheat pattern-scans for code accessing game structures. They highlighted routines to pay attention to. What routines, you ask? Routines that probably access or process commonly used offsets, addresses and constants of internal game structures.
Another reason why these cheats and routines might have been detected so easily is that the sphere of payhacks is mostly just a big sad pile of publicly copy-pasted resources, which are openly accessible [6].
But this also means: everyone knowledgeable enough would be able to obfuscate these easily distinguished patterns into unrecognizable oblivion, even against a scanner that traces and emulates the code itself, because you can almost always make execution dependent on input the emulator doesn't have, unless the emulator paradoxically emulates the whole system with itself in it (much like the infinite computer that simulates the universe with itself in it) [7].
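To make the two points above concrete (the guess that the anticheat scans memory for x86 code touching game structures, and the claim that such patterns can be obfuscated past any emulator that lacks the runtime input), here is an added example. It is not code from the Reddit post, from any real anticheat or from any real cheat. It assembles three tiny x86 snippets that all read the same field of a hypothetical game structure (the offset 0x100 is constructed and is not a real CS:GO offset) and runs two detectors over them: a plain byte signature, and a linear sweep that constant-folds the value of eax the way a naive emulator would. The signature catches only the literal access; the folding sweep also catches an XOR between two static immediates, but fails as soon as one operand is loaded from memory the scanner does not have.

```python
import struct

# Constructed example value: a hypothetical offset of a field inside a game structure.
# This is NOT a real CS:GO offset; it only stands in for the kind of constant a cheat uses.
GAME_FIELD_OFFSET = 0x100


def asm_direct_read() -> bytes:
    """mov eax, [ecx + GAME_FIELD_OFFSET]  (8B 81 disp32): the offset sits in the code as a literal."""
    return b"\x8b\x81" + struct.pack("<I", GAME_FIELD_OFFSET)


def asm_static_xor_read(key: int) -> bytes:
    """mov eax, key ; xor eax, key ^ offset ; mov eax, [ecx + eax]
    The literal is gone from the bytes, but both XOR operands are still static."""
    return (b"\xb8" + struct.pack("<I", key)                       # mov eax, imm32
            + b"\x35" + struct.pack("<I", key ^ GAME_FIELD_OFFSET)  # xor eax, imm32
            + b"\x8b\x04\x01")                                      # mov eax, [ecx + eax]


def asm_runtime_xor_read(runtime_key: int) -> bytes:
    """mov eax, [edx] ; xor eax, runtime_key ^ offset ; mov eax, [ecx + eax]
    The key is fetched from [edx] at run time (a server reply, a file, the clock...),
    so the second operand alone tells a static or emulating scanner nothing."""
    return (b"\x8b\x02"                                                     # mov eax, [edx]
            + b"\x35" + struct.pack("<I", runtime_key ^ GAME_FIELD_OFFSET)  # xor eax, imm32
            + b"\x8b\x04\x01")                                              # mov eax, [ecx + eax]


SIGNATURE = asm_direct_read()


def signature_scan(code: bytes) -> bool:
    """Detector 1: look for the exact bytes of the naive access."""
    return SIGNATURE in code


def decode(code: bytes):
    """Minimal linear-sweep decoder for just the encodings the snippets above emit.
    Yields (mnemonic, operand); any byte it does not understand is skipped."""
    i, n = 0, len(code)
    while i < n:
        op = code[i]
        if op == 0xB8 and i + 5 <= n:                       # mov eax, imm32
            yield ("mov_eax_imm", struct.unpack_from("<I", code, i + 1)[0]); i += 5
        elif op == 0x35 and i + 5 <= n:                     # xor eax, imm32
            yield ("xor_eax_imm", struct.unpack_from("<I", code, i + 1)[0]); i += 5
        elif op == 0x8B and i + 1 < n:                      # mov r32, r/m32
            modrm = code[i + 1]
            if modrm == 0x81 and i + 6 <= n:                # mov eax, [ecx + disp32]
                yield ("load_ecx_disp32", struct.unpack_from("<I", code, i + 2)[0]); i += 6
            elif modrm == 0x04 and i + 3 <= n and code[i + 2] == 0x01:  # mov eax, [ecx + eax]
                yield ("load_ecx_eax", None); i += 3
            elif modrm == 0x02:                             # mov eax, [edx]
                yield ("load_edx", None); i += 2
            else:
                i += 1
        else:
            i += 1


def folding_scan(code: bytes) -> bool:
    """Detector 2: emulate eax as a constant where possible and flag any load at the
    game offset. eax becomes None (unknown) as soon as it depends on data we do not have."""
    eax = None
    for mnem, arg in decode(code):
        if mnem == "mov_eax_imm":
            eax = arg
        elif mnem == "xor_eax_imm":
            eax = None if eax is None else eax ^ arg
        elif mnem == "load_edx":
            eax = None                       # value lives in memory the scanner never sees
        elif mnem == "load_ecx_disp32":
            if arg == GAME_FIELD_OFFSET:
                return True
            eax = None
        elif mnem == "load_ecx_eax":
            if eax == GAME_FIELD_OFFSET:
                return True
            eax = None
    return False


def evaluate() -> dict:
    """Run both detectors over the three constructed snippets: name -> (signature, folding)."""
    samples = {
        "direct": asm_direct_read(),
        "static_xor": asm_static_xor_read(0xCAFEBABE),
        "runtime_xor": asm_runtime_xor_read(0x1337),
    }
    return {name: (signature_scan(c), folding_scan(c)) for name, c in samples.items()}


if __name__ == "__main__":
    for name, (sig, fold) in evaluate().items():
        print(f"{name:12s} signature={sig!s:5s} folding={fold!s:5s}")
```

The decoder understands only the handful of encodings the snippets use, which is enough to show the principle. A real scanner has to cope with the full instruction set, with legitimate game code that touches the very same offsets (false positives), and with cheats that fetch or patch their own code at run time, which is the "input the emulator doesn't have" problem in its general form.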

We plan over upcoming weeks to acquire many cheats, both public and private, both „detected“ and „not detected“ by VAC/ESEA, and decompile them to learn more about what makes some of these programs more special than others.

The fallacy in this approach is easy to spot, isn't it? What would you say to the engineer of an operating system that hasn't been released, if he boasts: "I have tested all known exploits against my operating system and it still stands"?
That is not how it works. You need to put the anticheat openly to the test. Every future client will have access to the whole part of the anticheat that runs on his system, so it will be open to scrutiny by every hacker. Let them be the judge. Be grateful for every hacker who analyses your anticheat and openly releases what he found. That is penetration testing [8] free of charge.
Your hidden tests against hacks that were never designed to bypass your unknown anticheat with its unknown detection method are of no value whatsoever.

No, I won’t post screenshots of the anti-cheat, and no I won’t post any of the code/share decompiled code from the cheats we have.

Why not? Releasing information about the hacks (or your AC, for that matter) would advance public knowledge of how those hacks work and how to defend against them, in the spirit of Kerckhoffs's principle [9]. If you were really concerned about advances against online gaming cheats, you would release the information you have.

But you are not. You are not interested in the advancement of knowledge. Half of your post reveals nothing but economic interests, and I am not surprised.

"because we need to patent and protect whatever we can"
"Hopefully, through this partnership, our software can notify Valve/ESEA or whatever companies partner"
"Would you pay $X/month for a 99% clean cheat environment?"
"Would you pay a monthly fee to Valve to see it added into matchmaking instead?"

Last but not least, a puzzled remark on my part. This question just boggled my mind:

Does the intrusiveness level of an anti-cheat make you less likely to want to use it?

How on earth would I know how intrusive your anticheat is? You gave absolutely no information on what data the anticheat collects, processes and sends out.
How can anybody possibly answer this question?
With this I end this tale of how bad and useless "vague concepts" are. They are mostly nothing more than a sales pitch.

[1] https://www.kickstarter.com/projects/1094040691/game-ref-the-worlds-first-hardware-anti-cheat-devi
[2] https://medium.com/@oleavr/anatomy-of-a-code-tracer-b081aadb0df8
[3] http://blog.minitab.com/blog/adventures-in-statistics/why-anecdotal-evidence-is-unreliable
[4] http://scienceblogs.com/insolence/2012/04/16/a-homeopath-lectures-scientists-about-an/
[5] https://www.hex-rays.com
[6] http://www.unknowncheats.me/forum/counterstrike-global-offensive/103220-global-offensive-structs-offsets.html
[7] http://rationalwiki.org/wiki/Simulation_argument#Computing_complexity
[8] http://en.wikipedia.org/wiki/Penetration_test
[9] http://en.wikipedia.org/wiki/Kerckhoffs%27s_principle