Explanation of the principle of game anti-cheat technology

always on the road

There is no anti-cheat system that cannot be cracked. Anti-cheat is an ongoing contest and has to be upgraded continuously. Our anti-cheat team improves its defenses by attacking them ourselves, and also studies competing products for inspiration. Anti-cheat is also genuinely interesting work: you learn a great deal of low-level knowledge from it.

A good fighter has no great merit

It is hard to make a name for yourself in anti-cheat. If you keep the game watertight, you look mediocre and dispensable; if a cheat appears that you cannot block in time, you look incompetent. That is part of why I chose to leave this industry, although the main reason is that there are not many options in the city where I live.

The structure of this article is as follows:

1 Anti-debugging

Anti-debugging is a very important part of anti-cheat and raises the bar for cheat authors. Each individual anti-cheat check is called a "hidden stake". No single hidden stake is uncrackable, but if there are enough of them, debugging the game becomes very laborious for a cheat author.

Let's begin with some anti-cheat methods. A good reference is the following site, which catalogues anti-debugging techniques in 8 categories; take a look if you are interested.

https://anti-debug.checkpoint.com/

1.1 Debugger detection

1.1.1 Execution time

When the game is being debugged it inevitably runs slower, so measuring the execution time of the game's main loop tells us whether it is being debugged. In practice this is the hardest hidden stake for a cheat author to pull out.
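As an added example (not code from the original article), here is one way to implement the main-loop timing check described above in portable C++. It records per-iteration durations, tolerates an isolated slow frame such as an asset load, and only fires after several consecutive over-limit iterations, which is the pattern a paused or single-stepped process produces. The 1000 ms limit and the run length of three are assumptions; a real game would calibrate them against its own frame budget. A debugger that is merely attached and not stepping will not slow the loop, so this check complements the API-based checks rather than replacing them.

```cpp
#include <chrono>
#include <cstddef>
#include <thread>
#include <vector>

// Added example (not from the original article): a main-loop stall detector.
// The game feeds in how long each iteration of its main loop took. A single
// slow frame (asset load, OS scheduling hiccup) is expected, so the detector
// only fires after `needed` consecutive iterations exceed `limit_ms`.
struct StallDetector {
    double limit_ms;        // longest iteration the game can plausibly take (assumption)
    int    needed;          // consecutive over-limit iterations before firing (assumption)
    int    streak = 0;      // current run of over-limit iterations
    bool   tripped = false; // latched once the condition has been met

    // Feed one measured iteration duration; returns true once tripped.
    bool observe(double elapsed_ms) {
        if (elapsed_ms > limit_ms) {
            if (++streak >= needed) tripped = true;
        } else {
            streak = 0;
        }
        return tripped;
    }
};

// Offline evaluation of a recorded sequence of frame times (milliseconds).
bool detect_stalls(const std::vector<double>& frame_ms, double limit_ms, int needed) {
    StallDetector d{limit_ms, needed};
    for (double t : frame_ms) d.observe(t);
    return d.tripped;
}

// Live measurement: time one iteration of a loop body with a monotonic clock
// (steady_clock, because the wall clock can be adjusted while the process runs).
template <typename Body>
double time_iteration_ms(Body&& body) {
    auto start = std::chrono::steady_clock::now();
    body();
    auto end = std::chrono::steady_clock::now();
    return std::chrono::duration<double, std::milli>(end - start).count();
}

int main() {
    // Constructed frame-time traces. One 200 ms frame is tolerated; five
    // multi-second frames in a row look like someone stepping through the loop.
    std::vector<double> normal  = {16.7, 16.6, 200.0, 16.8, 16.7, 16.9};
    std::vector<double> stepped = {16.7, 5000.0, 5200.0, 4800.0, 5100.0, 5000.0};
    bool a = detect_stalls(normal, 1000.0, 3);   // false
    bool b = detect_stalls(stepped, 1000.0, 3);  // true
    double one = time_iteration_ms([] {
        std::this_thread::sleep_for(std::chrono::milliseconds(5));
    });
    return (!a && b && one >= 5.0) ? 0 : 1;
}
```

In a real game, `time_iteration_ms` would wrap the body of the main loop and `observe` would be called with the result every frame; the latched `tripped` flag is what the delayed-exit logic in section 3.2.1 would later act on.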

1.1.2 Debug bit detection

Windows provides APIs for this, such as IsDebuggerPresent and CheckRemoteDebuggerPresent.

#include <windows.h>

// IsDebuggerPresent: checks the BeingDebugged flag of the current process.
static bool xx_is_debug_1() {
    return IsDebuggerPresent() != FALSE;
}

// CheckRemoteDebuggerPresent: asks the kernel whether a debugger is attached
// to the given process (here, our own).
static bool xx_is_debug_2() {
    BOOL debugged = FALSE;
    BOOL ret = CheckRemoteDebuggerPresent(GetCurrentProcess(), &debugged);
    return ret && debugged == TRUE;
}

1.2 Hardware breakpoint detection

Hardware breakpoints are not only a debugging aid but also a hooking method, so anti-cheat must detect them. There are two detection methods:

  1. GetThreadContext: read the thread's register state; if any of Dr0~Dr3 is non-zero, a hardware breakpoint has been set.

  2. Hardware breakpoint occupation: there are only 4 hardware breakpoint slots, so the anti-cheat system occupies them itself; then it only has to check that its own breakpoints are still present.

I used the occupation method, because a detection that calls GetThreadContext is easy to defeat by hooking that API.
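As an added example (not code from the original article), the following C++ decodes the x86 debug registers the way the GetThreadContext check needs to. On Windows the values come from the CONTEXT structure (fields Dr0..Dr3 and Dr7, requested with CONTEXT_DEBUG_REGISTERS); the decoding itself is platform-independent and is what is shown here. The point it adds to the text: testing only whether Dr0~Dr3 are non-zero is not quite right, because a slot can hold a stale address with its enable bit clear, and the breakpoint's kind and length live in Dr7, so both have to be read together. The function and type names are assumptions.

```cpp
#include <array>
#include <cstdint>

// Added example (not from the original article): decoding Dr0..Dr3 and Dr7.
// Dr7 layout (Intel SDM vol. 3, "Debug Registers"), for breakpoint i in 0..3:
//   bit 2i       : Li   local enable
//   bit 2i+1     : Gi   global enable
//   bits 16+4i.. : R/Wi 00 execute, 01 write, 10 I/O, 11 read/write
//   bits 18+4i.. : LENi 00 1 byte, 01 2 bytes, 11 4 bytes, 10 8 bytes (64-bit)
enum class BpKind { Execute = 0, Write = 1, IoReadWrite = 2, ReadWrite = 3 };

struct HwBreakpoint {
    bool     armed = false;   // enable bit set in Dr7
    uint64_t address = 0;     // linear address from DrN
    BpKind   kind = BpKind::Execute;
    unsigned length = 0;      // bytes covered
};

using DebugRegs = std::array<HwBreakpoint, 4>;

DebugRegs decode_debug_registers(const std::array<uint64_t, 4>& dr0_3, uint64_t dr7) {
    DebugRegs out{};
    static const unsigned len_table[4] = {1, 2, 8, 4};
    for (unsigned i = 0; i < 4; ++i) {
        bool local   = (dr7 >> (2 * i)) & 1;
        bool global  = (dr7 >> (2 * i + 1)) & 1;
        unsigned rw  = (dr7 >> (16 + 4 * i)) & 3;
        unsigned len = (dr7 >> (18 + 4 * i)) & 3;
        out[i].armed   = local || global;
        out[i].address = dr0_3[i];
        out[i].kind    = static_cast<BpKind>(rw);
        // Execute breakpoints are always 1 byte regardless of LEN.
        out[i].length  = (rw == 0) ? 1 : len_table[len];
    }
    return out;
}

// The question the GetThreadContext method asks: is any hardware breakpoint armed?
bool any_hw_breakpoint_armed(const std::array<uint64_t, 4>& dr0_3, uint64_t dr7) {
    for (const auto& bp : decode_debug_registers(dr0_3, dr7))
        if (bp.armed) return true;
    return false;
}

// The question the occupation method asks: are all four of *our* slots still
// armed? The anti-cheat sets them itself and treats a lower count as a sign
// that someone cleared them to make room for their own breakpoints.
unsigned armed_breakpoint_count(const std::array<uint64_t, 4>& dr0_3, uint64_t dr7) {
    unsigned n = 0;
    for (const auto& bp : decode_debug_registers(dr0_3, dr7)) n += bp.armed ? 1 : 0;
    return n;
}
```

The values in the test traces below are constructed; for example, Dr7 = 0x0D000010 arms breakpoint 2 (bit 4), with R/W2 = 01 (write) and LEN2 = 11 (4 bytes).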

Later, during our offensive/defensive testing, we found that changing memory page attributes can be used to bypass hardware breakpoints; we will cover that in a later article.

2 Cheat Detection - Signatures

The anti-cheat system also "goes on the offensive" and detects well-known general-purpose cheating tools such as Cheat Engine, the OD (OllyDbg) debugger, Speed Gear and so on. Detection can be based on the process name, window name, module (DLL) name and similar information. The anti-cheat system also pulls signature libraries from the server dynamically, so it can be upgraded without shipping a new client.

Of course, signature detection mainly raises the cost of producing cheats and does not achieve much on its own; it is better than nothing.

3 Self-protection

No matter how good the anti-cheat system is and how well it protects the game, it is useless if the anti-cheat system itself can be killed, so self-protection is the top priority.

3.1 Anti-cheat thread protection

The anti-cheat system runs its detection in a dedicated anti-cheat thread rather than in the main thread, so as not to slow down the game. The first thing to protect is that thread, so that it cannot be killed.

The game's main thread and the anti-cheat thread protect each other: the main thread checks that the anti-cheat thread is still alive. The anti-cheat thread updates variables, signals and so on to tell the main thread it is running. If the main thread finds that the anti-cheat thread is not working properly, it exits the game.
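As an added example (not code from the original article), here is the mutual-protection pattern just described, written in portable C++. The anti-cheat worker thread bumps a counter on every scan pass; the main thread checks at its own pace that the counter has moved since its last check, and after a few silent checks in a row treats the worker as dead. The class name, the miss budget and the timings are assumptions.

```cpp
#include <atomic>
#include <chrono>
#include <cstdint>
#include <thread>

// Added example (not from the original article): a heartbeat the anti-cheat
// thread updates and the main thread verifies. A suspended, stalled or killed
// worker stops advancing the counter; `max_missed` consecutive checks without
// progress is the main thread's signal to shut the game down.
class Heartbeat {
public:
    explicit Heartbeat(int max_missed) : max_missed_(max_missed) {}

    // Called by the anti-cheat thread each time it completes a scan pass.
    void beat() { counter_.fetch_add(1, std::memory_order_relaxed); }

    // Called by the main thread once per frame (or per check interval).
    // Returns false once the worker has been silent for max_missed checks.
    bool check() {
        uint64_t now = counter_.load(std::memory_order_relaxed);
        if (now != last_seen_) {
            last_seen_ = now;
            missed_ = 0;
        } else if (++missed_ >= max_missed_) {
            return false;
        }
        return true;
    }

    int missed() const { return missed_; }

private:
    std::atomic<uint64_t> counter_{0};
    uint64_t last_seen_ = 0;   // only touched by the main thread
    int missed_ = 0;           // only touched by the main thread
    int max_missed_;
};

int main() {
    Heartbeat hb(3);
    std::atomic<bool> running{true};

    // Stand-in for the anti-cheat thread: "scan", then signal liveness.
    std::thread worker([&] {
        while (running.load()) {
            hb.beat();
            std::this_thread::sleep_for(std::chrono::milliseconds(5));
        }
    });

    // Main-thread side: a few checks while the worker is alive...
    bool alive = true;
    for (int i = 0; i < 5 && alive; ++i) {
        std::this_thread::sleep_for(std::chrono::milliseconds(20));
        alive = hb.check();
    }

    // ...then stop the worker (standing in for it being killed) and watch the checks fail.
    running = false;
    worker.join();
    bool still_alive = true;
    for (int i = 0; i < 5 && still_alive; ++i) still_alive = hb.check();

    // Expected: alive while the worker ran, dead after it stopped.
    return (alive && !still_alive) ? 0 : 1;
}
```

The main thread is the only reader of `last_seen_` and `missed_`, so the only shared state is the atomic counter; the check interval should be comfortably longer than one worker pass, otherwise a healthy but slow worker burns through the miss budget.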

3.2 Safe Exit

When a cheat is found or debugging is detected, the game pops up a message box to the player and then exits. Without protection, a cheat author can analyse how the anti-cheat works starting from that message box, follow the clues back, and work out how to crack it.

The main defenses here are delayed exit and stack cleanup.

3.2.1 Delayed Exit

When an anomaly is found, the anti-cheat system does not exit immediately; it marks the event and exits some time later, so that when the exit is analysed the detecting thread is no longer the one in front and the detection logic cannot be located.

3.2.2 Stack cleanup

Before showing the message box we clean and scramble the stack, so that the cheat author cannot recover the call chain from it.

// 32-bit x86, MSVC inline assembly. m_MainEBP holds the EBP captured at the
// start of the main thread; walk from the current frame's EBP up to it and
// zero every stack slot so saved frame pointers and return addresses can no
// longer be followed.
DWORD dwEBP = 0, dwEBPMain = m_MainEBP.GetT();
__asm {
    mov dwEBP, ebp
}
while (dwEBP < dwEBPMain)
{
    *((DWORD*)dwEBP) = 0;
    dwEBP += 4;
}

4 Game Protection

Game protection is the foundation of anti-cheat, the "internal strength" of the anti-cheat system: the one constant that answers every variation.

4.1 Code Protection

When protecting code, execution efficiency has to be taken into account, so different protection methods are applied to different code.

  • Anti-cheat code: packing protection. A packer obfuscates the code and makes debugging harder. I chose the strongest shell in the universe, VMProtect.

  • Game code: the game code must stay efficient and cannot be packed. Here we use the code integrity check introduced earlier: relocate the PE file, repair the import table, and then compare.
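As an added example (not code from the original article), the following C++ shows why the relocation and import-table step matters for the code integrity check. A PE image is not byte-identical on disk and in memory: the loader rewrites base-relocation and import-address-table slots, so a naive hash of the mapped section differs from the on-disk baseline even when no cheat is present. The article's approach is to apply those fix-ups to the disk image before comparing; the equivalent shown here is to hash the section while masking the fix-up slots, which gives the same "code bytes only" comparison. The section bytes and slot offsets are constructed for the example, and the names are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <utility>
#include <vector>

// Added example (not from the original article): integrity hash of a code
// section that ignores the slots the loader is allowed to rewrite.
struct Span { size_t offset; size_t length; };   // a relocation / IAT slot

// FNV-1a over the section, treating every byte inside a fix-up span as zero.
uint64_t hash_section(const std::vector<uint8_t>& section,
                      const std::vector<Span>& fixup_slots) {
    const uint64_t prime = 1099511628211ULL;
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < section.size(); ++i) {
        uint8_t b = section[i];
        for (const Span& s : fixup_slots)
            if (i >= s.offset && i < s.offset + s.length) { b = 0; break; }
        h ^= b;
        h *= prime;
    }
    return h;
}

// True when the live (in-memory) section still matches the recorded baseline.
bool section_intact(const std::vector<uint8_t>& live,
                    const std::vector<Span>& fixup_slots, uint64_t baseline) {
    return hash_section(live, fixup_slots) == baseline;
}

// Constructed stand-in for a .text section: 64 bytes of pseudo-code with two
// 8-byte fix-up slots (offsets 8 and 40) that the loader may rewrite.
std::pair<std::vector<uint8_t>, std::vector<Span>> constructed_section() {
    std::vector<uint8_t> bytes(64);
    for (size_t i = 0; i < bytes.size(); ++i) bytes[i] = static_cast<uint8_t>(0x90 + i);
    return {bytes, {{8, 8}, {40, 8}}};
}

int main() {
    auto built = constructed_section();
    const std::vector<uint8_t>& disk = built.first;
    const std::vector<Span>& slots = built.second;
    uint64_t baseline = hash_section(disk, slots);   // recorded at build time

    std::vector<uint8_t> loaded = disk;              // what the loader produced
    loaded[8] = 0xAA; loaded[9] = 0xBB; loaded[44] = 0x01;  // fix-ups applied
    bool ok_after_load = section_intact(loaded, slots, baseline);   // true

    std::vector<uint8_t> patched = loaded;
    patched[20] = 0xE9;                              // a code byte changed (e.g. a jmp hook)
    bool ok_after_patch = section_intact(patched, slots, baseline); // false

    return (ok_after_load && !ok_after_patch) ? 0 : 1;
}
```

In a real implementation the slot list is derived from the PE's .reloc section and import directory, and the baseline is computed from the relocated-and-repaired disk image rather than from memory, so that a hook installed before the first check cannot poison the baseline.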

4.2 Data protection

Some data in game memory also needs protection: certain sensitive strings and important game attributes.

  • String protection: a string such as "cheat found", if stored in plain text, is easily found with OD's string search, which then leads straight to the code that uses it. We use simple encryption; it only needs to defeat the search.

  • Game memory protection: I use dynamic multi-level pointers, with the chain of pointers randomised on each start. I am not sure how effective this is, since I have never discussed it with a cheat author. Many protection measures were reinforced during the offensive and defensive experiments of our anti-cheat team.
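As an added example (not code from the original article), here is the "simple encryption" string protection from the first bullet, implemented in C++17 so that the literal is XOR-encoded at compile time and only the encoded bytes are emitted into the binary. The plaintext is rebuilt into a stack buffer when needed and wiped afterwards, which is exactly enough to defeat a string search; it is not cryptography and is not meant to be. The class name, key and helper functions are assumptions.

```cpp
#include <cstddef>
#include <cstring>
#include <string>

// Added example (not from the original article): compile-time XOR
// obfuscation of a string literal. Each byte is XORed with (key + index) so
// repeated characters do not encode to repeated bytes.
template <size_t N>
class ObfString {
public:
    // Evaluated at compile time when the object is constexpr.
    constexpr ObfString(const char (&plain)[N], unsigned char key) : key_(key), data_{} {
        for (size_t i = 0; i < N; ++i)
            data_[i] = static_cast<unsigned char>(plain[i]) ^ static_cast<unsigned char>(key + i);
    }

    // Decodes into the caller's buffer; the caller wipes it after use.
    void reveal(char (&out)[N]) const {
        for (size_t i = 0; i < N; ++i)
            out[i] = static_cast<char>(data_[i] ^ static_cast<unsigned char>(key_ + i));
    }

    const unsigned char* stored() const { return data_; }   // what lives in the binary
    static constexpr size_t size() { return N; }

private:
    unsigned char key_;
    unsigned char data_[N];
};

// Convenience for checks: decode to a std::string. Production code would keep
// the stack-buffer-and-wipe pattern so the plaintext does not linger on the heap.
template <size_t N>
std::string reveal_string(const ObfString<N>& s) {
    char buf[N];
    s.reveal(buf);
    std::string out(buf);              // stops at the decoded NUL terminator
    std::memset(buf, 0, sizeof buf);   // wipe the plaintext copy
    return out;
}

// Would a plain substring search over the stored bytes find the literal?
template <size_t N>
bool plaintext_visible(const ObfString<N>& s, const char* plain) {
    size_t len = std::strlen(plain);
    const unsigned char* d = s.stored();
    for (size_t i = 0; i + len <= N; ++i)
        if (std::memcmp(d + i, plain, len) == 0) return true;
    return false;
}

// The literal the article uses as its example; only the XORed bytes are emitted.
constexpr ObfString<12> kCheatFound("cheat found", 0x5A);
static_assert(kCheatFound.size() == 12, "11 characters plus the terminator");
```

At the point of use, `char buf[kCheatFound.size()]; kCheatFound.reveal(buf);` produces the readable text for the message box, and `std::memset(buf, 0, sizeof buf)` after the call removes it from the stack again.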

5 Information Collection

Information collection is an important part of the anti-cheat system: it helps us gather evidence of players using cheats, collect the cheats themselves, and so on.

  • Player monitoring: we focus on monitoring "key players". Key players come from player reports; we add them to the watch list and observe them for a week.

  • Game program modification: the anti-cheat system checks the code sections of game.exe and d3d9.dll in full, and if any modification is found it reports the version and address of the modification; we analyse suspicious patterns regularly.

  • File upload: this feature is a bit heavy-handed. From our console we can instruct the client to upload files from the player's machine, which is an important way for us to collect cheats.


Origin blog.csdn.net/q2243088760/article/details/129379745