Reverse engineering Call of Duty anti-cheat
ssno.cc497 points by deverton a day ago
497 points by deverton a day ago
I experienced the trust factor (banning, w/o banning officially) issues on my Linux CS:GO account in 2021, dropping to yellow and then red. This made it difficult to find teammates, as I was constantly matched with cheaters.
I discovered I wasn't alone, as many other Linux users with Radeon GPUs and 16GB+ VRAM were experiencing similar problems. We created a GitHub issue to track the problem and try to find a solution: https://github.com/ValveSoftware/csgo-osx-linux/issues/2630
After some investigation, we found that Valve was punishing Linux users with certain hardware configurations (radeon cards with >=16GB of VRAM, which were quite new at this time).
Eventually, after a user reached out to gaben directly, the issue was fixed: https://github.com/ValveSoftware/csgo-osx-linux/issues/2630#...
I suspect this was because Valve was preparing to launch the Steam Deck, and gaben wanted to ensure that Linux users had better experience with the device (just a guess).
Could it be that Gabe Newell is a nice guy?
It's possible, but it's also important to be aware of the business side of things.
Valve makes a significant amount of money from in-game transactions, and some of their practices around this are shady. Issues like kids using their parents' CCs, gambling industry built around in-game items, and the potentially addictive nature of colorful virtual items marketed towards kids are valid concerns.
So, while gaben might be nice, it's unlikely that this gets in the way of Valve's drive to maximize profits in every way they can legally get away with.
That email address goes to a team of people, but if you send something substantial and well-meaning, they'll look into it.
He does respond to minor inquiries frequently, but do remember that his company supports a gigantic predatory underage gambling market.
> supports a gigantic predatory underage gambling market
Last year Valve updated their code of conduct and effectively banned gambling. They've also been known to send cease-and-desist orders to various CS:GO gambling sites.
So I wouldn't say that they support it, though for much time they weren't actively combating it either.
I’ve tried searching and found the below, is that the sort of thing you mean?
https://www.seattletimes.com/business/bellevue-game-maker-va...
Yes and not much has changed since then. pyth0's sibling comment links the relevant Coffeezilla video.
You could say “support a virtual market with insufficient controls” and be more truthful and engender a more productive discussion. They’ve come down pretty heavily on the gambling side, no?
> They’ve come down pretty heavily on the gambling side, no?
Not really. Back when this was a big story (around 2016-2017) they sent out some cease and desists to a number of the big CS:GO gambling websites but many did not comply and there was no follow-up. To this day many of those original sites are still around and have since grown. Essentially Valve (and the skin market as a whole) benefit so greatly from this grey-market that there is no incentive for them to stop it. This is covered in part 2 of Coffeezilla's latest series investigating CS:GO gambling [1]
>I suspect this was because Valve was preparing to launch the Steam Deck, and gaben wanted to ensure that Linux users had better experience with the device (just a guess).
Wait, how is punishing Linux users ensure Linux users have better experience?
Interesting though.
Probably meant that fixing it quickly was for the steam deck users. It might not have received attention otherwise.
> dropping to yellow and then red
How do you know what your trustfactor is? Or were you just speculating because the quality of games was lower? As far as I understand TF is hidden specifically so it can't be gamed.
Someone mentioned how they were testing it in the linked Github issue: https://github.com/ValveSoftware/csgo-osx-linux/issues/2630#...
EDIT: formatting x 2
In CS, the difference between high and low Trust is very noticeable; it's a big change when your games with silent / mostly-nice teammates and enemies start to become slur-fests. The value itself is not visible to the end-user, but its effects are certainly felt.
Cheating is ultimately a human problem. You can have some safeguards and heuristics like the ones the article describe, to weed out 90% the most blatant cheaters, so I think anticheats like these are fundamentally a good thing. But the anti-cheat can and should err on the safe side because ultimately it should be the players and admins themselves that sort this out.
Online multiplayer games must (yes must) take place on servers with human admins. Admins should be present for a majority of the time any players are playing.
Ideally with admins the players recognize. Bonus points if players themselves can perform some moderation when no admin is present (votekick, voteban etc). There is no difference between kicking cheaters and kicking people who are abusing chat etc. Obviously this means that "private" or "community" servers are the only viable types of server for online multiplayer games.
This process of policing cheaters and other abuse can not be something that is done via a reporting system and handled asynchronously. Kicking/banning must be done by the admins of the game, and it must be handled quickly.
If you are considering buying/playing an online multiplayer game and it doesn't have this functionality (e.g. the only way to play online is via matchmaking on servers set up by the publisher, and the only way cheaters and chat abusers are policed is via some web form) then please, avoid that game. Vote with your wallet.
> Online multiplayer games must (yes must) take place on servers with human admins.
The sheer scale of this arbitrary requirement is hilarious.
This was the norm. It just changed in the last few years (say, 10). And it could be the norm again. I still play games with zero cheaters because I return to the same server every night, playing against 63 other players where I usually have seen most of them before. And there is usually an admin there, or someone who can ping one if needed.
I have no idea why this changed in more recent games. While every other online thing moved to have users create content abd self-moderate, games for some reason moved the other direction.
> I have no idea why this changed in more recent games.
I thought the reasons were basically:
(a) accessibility - running a game server requires some technical knowledge, and if you're doing it from home, possibly changes to your network (and home connections likely won't have as good of routing)
(b) cheat detection - since the server is run by the game developers, it's easier to find misbehaving clients and ban them across all servers.
(c) DRM - it's harder to crack a game that has to sign-in to cloud servers.
So I just checked the player count of Counter-Strike 2. It's at 936,330 players. At 10 players per match, that's a requirement of 93,633 game moderators...
Trying to also account for total players in every other competitive game seems like an impossible ask.
> It's at 936,330 players. At 10 players per match, that's a requirement of 93,633 game moderators...
I'm not sure why this seems impossible to you? As the number of players increases, one would expect the number of players willing to act as an admin/moderator to increase linearly.
Typically admins are players also - that's why they choose to host a server.
I am still playing Quake Live, and it's all user-run servers. Hacks and cheats can be a problem, but users get banned via their Steam account, and there's a real cost (to buy the game) if you want to come back.
When you go back this was the norm. You go to irc, search in #5on5: high server on (counter-strike 1.6)
You either have a server and they come to you or you don't and message people. If they/you feel like are hacking go next. There were tons of servers where you had admins all the time.
Human admins still can only see the obvious spin/aimbots.
Companies took this from us as hosting your own servers is rarely an option these days and you rely on the company never shutting them down.
> If they/you feel like are hacking go next.
This here is why I find matchmaking is such a frustrating experience at high ELO compared to the old times. With an IRC scrim you aren't held hostage by blatant cheaters, you just leave - but on matchmaking, you cannot choose to forfeit and have to waste 30 minutes or be penalised.
I only play with a 5 stack so us choosing to leave doesn't ruin anyone's experience. I kept two CS accounts (same rank) purely so that we could skip the cooldown and requeue if the opponent had blatant cheaters/spinbots.
> Online multiplayer games must (yes must) take place on servers with human admins. Admins should be present for a majority of the time any players are playing.
> Ideally with admins the players recognize.
Let's just make each game have a visible referee that is visible to everyone, and then after each infraction, the play can be reviewed under a video assistant. They can even have a group that does nothing but moderates the referees.
Or, we could just have games
Why do you think human admins are the only viable solution? Plenty of games thrive without them—e.g., Apex Legends uses robust reporting and anti-cheat systems, and Rocket League's moderation is largely automated yet effective.
Depends on how the game works a suppose. Mostly it depends on whether a cheater would ruin one short game, or many hours of games. I usually find async reporting useless because it already ruined my evening (this is under the assumption I’m playing a server and have no interest playing anywhere else, but a single cheater can ruin the game for everyone for a whole day). Whether that cheater gets disciplined later doesn’t help anyone in that scenario unless they were kicked from the game right away.
Apex had plenty of cheaters when I played it, if there's a cheater and they're not detecting it there's not much I can do, just 20-30 minutes wasted.
If its a server with admins I can contact them on discord and get them banned pretty quickly. As a system it worked pretty well, had some badmins but there was plenty of servers so could just join another. Though its not really compatible with the matchmaking style games we have today.
I don't think you appreciate:
1. How many active Apex/whatever games there are at any one time 2. How many users will just report anyone they die to as a cheater
I agree for the most part, there are other ways, like a phone number, manual verification with a photo, require players to play 10hr before they can play competitive, have a recommendation from other players, etc, or even a pay-once 5 dollars game pass on top of all those things.
Although I recommend you to watch the valve presentation of AI anti cheat if you did not already. Their work is quite interesting, and they claim they catch 99% of cheaters.
Although obviously there are also very subtle ways to cheat, too.
> they claim they catch 99% of cheaters
But that's easy. The tricky part is catching the cheaters _without_ also catching non-cheaters.
A 2-year legal battle with Activision to overturn a false permanent ban. Activision showed up with zero evidence of cheating and lost: https://antiblizzard.win/2025/01/18/my-two-year-fight-agains...
The exact same thing happened to me with League of Legends. I was inexplicably banned for cheating, despite never having done any such thing (and despite regularly playing on three accounts (this is fully permitted), the other two of which were not banned!) Their support people repeatedly said "we reviewed your case and the ban is correct", etc. all the while giving zero information about what I did so I could correct it. I have a couple of the rarest skins in the game, and have played thousands of hours since 2009. I only play ARAM, so the suggestion I was risking my account of great sentimental value by cheating at the most casual mode in the game is beyond ridiculous. Anyway, nothing in gaming has ever stressed me out more. I got unbanned solely because of a contact in the industry who had it looked into, and the ban was inexplicably lifted. I still play, but I think about the false ban almost every time, and League will probably be the last competitive multiplayer game I ever put any time towards. Part of me doesn't want to play it anymore because I dread that happening again. :(
I feel that. I'm not against playing video games, but I'm uneasy about getting too attached to virtual property, considering it's controlled by a gaming company who has no obligation to you and no inclination to keep games alive beyond their shelf life.
To be fair though, real life property is only slightly less ephemeral.
Yeah for real, my Steam account could just be erased and I instantly lose like $1000 of games I "bought" (by some vague definition of the word). As soon as online-only services started becoming more prevalent, it became quickly apparent how ephemeral they are, and how unilaterally they can be taken away from me with zero recourse. "Don't get too attached", as they say >_>
I'm working on something that allows you to mirror your online (my game world) virtual "possessions" locally, open-source, free, forever.
Maybe take it as a signal from universe that intense gaming is waste of life and a net loss for you? I know its harsh and double that in gaming thread, but I don't see any other way. We don't talk 3-5h a week, and it seems neither are you.
You will almost certainly badly regret when on that proverbial death bed and most probably well before that, life goes darn fast and the feeling of losing out in the most important aspect of our existence - how well we live our lives is soul crushing. Its not that gaming hard is bad per se (apart from addictions and abysmal effect on health), but you are losing on much better aspects of life which are just out there for the grab.
Or don't take my word, just check what old people regret in their lives. Sure gaming is not there yet, but it will find its place firmly among too much work and not spending enough time on family and relationships, which are consistently on top.
> gaming is waste of life and a net loss for you?
Is it? Can you share peer reviewed sources? In my experience, it's been quite the opposite.
I play games very little, a few hours a week. I am very social and not lacking in that area -- don't worry about me lol :) I don't engage in "intense gaming", notice how I said I've played since 2009, that's 16 years ago :P
I got a false permanent ban as well. Despite the fact that cheating is damn near impossible on consoles, and the fact that I worked way too long to get to an absolutely mediocre rank (gold 1) on ranked play, and the fact that I had never even had a warning or complaint for any behavior whatsoever, they permanently banned me with no explanation.
Unlike the blogpost, I just decided I would just never spend any money on an Activision product ever again. It's what everybody should do.
>>Despite the fact that cheating is damn near impossible on consoles
Unfortunately, aim assist devices for consoles are very widespread now and a big problem for competitive gaming. .
>>I had never even had a warning or complaint for any behavior whatsoever
That's the gold standard in the industry though, you don't warn(suspected) cheaters to not give them opportunity to adjust their tactics. Sorry you got caught by this unfairly.
> That's the gold standard in the industry though, you don't warn(suspected) cheaters to not give them opportunity to adjust their tactics.
Is this supposed to do any good? The actual cheater is still getting a signal that they've been detected, because they get banned. Then they figure out how, make a new account and go back to cheating.
Meanwhile the normal user is both confused and significantly more inconvenienced, because their rank etc. on the account you falsely banned was earned legitimately through hard work instead of low-effort cheating.
>>The actual cheater is still getting a signal that they've been detected, because they get banned.
So....yes. But there are mitigating tactics around this, I really recommend looking into it because it's a fascinating topic. As the simplest thing - you don't ban cheaters the moment they are detected to not give off how you detected them. That's why Activision bans people in waves and all at once, even though they know some people are cheating and still active. Unfortunately a lot of people are paying for cheats nowadays, and the cheat makers usually have some kind of refund policy where if you get detected you get your money back - games companies want to inconvenience those buyers as much as possible, so you can't claim your refund straight away because hey, the game worked for a good while even while you were cheating, must have been something else :P
>>Meanwhile the normal user is both confused and significantly more inconvenienced
Yes, which is why the aim is to have 0 legitimate players getting caught by this, obviously.
> Yes, which is why the aim is to have 0 legitimate players getting caught by this, obviously.
You can't just say that though, you have to actually do that, which is apparently not what's happening.
The problem is obviously the same as in many other industries - how do you distinguish honest legitimate players who swear they haven't cheated from people who will say anything to get you to unban them. I don't work in that department personally, but I've seen reports shared internally where the player literally went to local news station to say how unfairly they are treated and how we banned him without any info or any reason and how it's affecting his mental health and his family and he basically made a huge stink around it, and then we pull up the ban report for his account and we clearly see a screenshot from his machine where he's running cheat engine with cheats for our game enabled. Some people will just lie through their teeth to get their way. So you have to rely on what you know with absolute certainty - you detected something that is absolutely indicative of cheating? You ban them. Anything else is a no no. At least where I used to work no one used any kind of algorithm for automatic bans, those were only used for manually reviewed cases where someone would actually watch a replay of your game before issuing a ban.
Does that mean the system is foolproof? No, of course not. But banning honest paying users is a huge risk to any business - so obviously no one wants to do that, every system like this errs on the side of caution by default for that reason alone.
And obvious disclaimer - I can only comment on my own experiences, I have no idea what every company out there is doing.
> how do you distinguish honest legitimate players who swear they haven't cheated from people who will say anything to get you to unban them.
It's mostly not about the appeals process. You want to avoid the false positive accusations to begin with.
> and then we pull up the ban report for his account and we clearly see a screenshot from his machine where he's running cheat engine with cheats for our game enabled.
Hypothetically things like this can happen where someone is reusing passwords that end up in a data breach and then some script kiddie gets their hands on it and wants to dip their toes into some cheating without risking their own account. Then you have the original account holder screaming at you because they know they didn't cheat.
Or they could just be cheaters who doth protest too much.
But there are ways you can at least try to distinguish these things, e.g. did the cheating happen on the same PC or IP address the account normally uses?
> Does that mean the system is foolproof? No, of course not. But banning honest paying users is a huge risk to any business - so obviously no one wants to do that, every system like this errs on the side of caution by default for that reason alone.
It's apparently failing enough that this thread has multiple people saying they've experienced false positives, and it doesn't seem like they're interested in getting their accounts back.
I would not be surprised to learn some gaming company is selling cheats for their own games.
there is no money back from the cheat makers, its paypal, visa et al which does that.
Well I don't know if it's universally true for every single cheat, but cheat makers do in fact offer refunds/compensation if your account gets banned. As ths simplest example:
https://battlelog.co/forums/topic/12037-sorry-frost-you-can-...
(Frost is one of the owners of the site that sells cheats - he offers refunds and compensation whenever anyone has issues with their cheats)
>> Yes, which is why the aim is to have 0 legitimate players getting caught by this, obviously.
One thing this is missing is that forcing addicted players to buy again helps bring in the cash flow, so what a few legit people got wrapped up, enough buy back the equation for the shadier game companies (usually the big ones) will go ahead and never rescind a ban.
Literally no one does this in the industry, even if it sounds like a great idea on paper. Every big publisher knows that cheaters always bring negative cashflow to your company because they put off other players from playing. A single cheater in a 20 player game can put half of them off playing again, tarnishing your reputation at the same time. There is no universe in which "we'll just make cheaters buy our game again" makes any financial or any other sense - the goal is to get them to stop playing, permanently, and be enough of a pain in the ass that they never buy your game again.
>> so what a few legit people got wrapped up, enough buy back the equation
I've never seen any data that would support this. It just doesn't happen - if you accidentally ban a legit player they just get really pissed off and there's about 0% chance they will give you money again. Which is why you try extremely hard to not do that.
I used to work at a game company fresh out of college, and this is simply untrue. The company made roughly 40% of sales from cheater whales (one can imagine how much the chest makers made), and there were guidelines on repeated bans where we recognized similarities to make sure we wouldn't ban them again too early.
I left the industry because of thah and the other things like loot boxes and matchmaking for profit and to push micro transactions. It's a terrible place.
I guess you worked somewhere where that was considered a good business strategy then. I worked at a large publisher for over 10 years on couple big competitive titles and the idea always was to get cheaters off our service asap and permanently, no matter their spend(in fact we couldn't see that and it never made any impact on our engineering decisions around the problem).
>>It's a terrible place.
Some companies sure.
And yes sorry I realize I said "no one does this" - let me correct myself to say that in my experience at a couple big publishers this isn't a strategy anyone pursues because it's not worth the losses to your legit playerbase and reputation. But there might be companies that do this, I concede.
The intent is usually to gather data then ban in waves. If a new tool comes out and you ban a couple of players the tool authors might figure out why and update it. Let it sit a while and you can get hundreds/thousands of players who get a message to rethink their choice to cheat.
An additional benefit is that this can include multiple cheat programs and versions in one ban wave, so it may be harder to narrow down exactly what the flaw was. That's the why for no warnings (or explanations) - false positives and recourse if mistakenly flagged is another matter entirely.
> An additional benefit is that this can include multiple cheat programs and versions in one ban wave, so it may be harder to narrow down exactly what the flaw was.
That seems like it could go the other way. There are five cheat programs that each have a dozen versions and now you know that everybody using program A and D got banned, the people using program C and E didn't, and the people using program B got banned but only if they were using version 1.2 or lower and not exclusively version 1.3 where they added a new anti-detection method that A and D don't use and C and E do. Now they know what to do.
Whereas if you ban them as soon as you can detect them, the people using program B get banned before version 1.3 is even out, they have to issue all of those refunds immediately and stop getting sales because their cheat stops working now instead of months from now, and then version 1.3 may not ever get released. Now all they know is that C and E are doing something the others weren't, but that could have been any of a dozen things so A and D don't know what to change.
Doing it that way also has another major problem: Suppose you do the ban wave. Do the people using the existing known detectable cheats now get to make new accounts and keep cheating? If you ban them again right away then the cheat makers get to keep making variants until that stops happening, but if you don't then the game is back to being full of cheaters the next day and the cheat makers are still making money selling the old detectable cheats to fund the development of undetectable ones.
I mean "then they figure out how" and "make a new account" are each doing quite a bit of the heavy lifting here.
Using Activision as the example, when they do a mass ban after you've been cheating for 4 months straight how exactly are you going to figure out how it happened?
Isn't the whole point of the ban that it's not as simple as just "make a new account?" Isn't it tied to the PS+ / XBox Gold membership, or even the physical hardware?
> This ban also ruined other games for me. If I ever did well in a game, someone would look at my profile to see how many hours I have and instantly see the red marker that shows “I am a cheater”.
I wonder if that label can be considered to be libel. Probably harder in the US, but from what I understand in UK (or just England?) the defendant must prove that it's true.
On the UK though, computer data is proof. If the computer says you cheated, it’s proven.
This is about to change though, since the national postal services got a whole bunch of people convicted of fraud based on a system they knew buggy.
For context, (I assume) this is referencing the Horizon IT Scandal in which faulty accounting software used by post offices in the UK indicated there were financial discrepencies suggesting embezzlement, and over 900 innocent people were convicted of crimes that never happened.
Holy ….. what a fight you had to do. So glad i hardly play any mulitiplayer shooter games. I’d hate to have my insane Steam library stripped away from me.
His steam library was not restricted, just the game in which he was accused/banned.
And his account was publicly flagged as being a known cheater, which affected other games: https://antiblizzard.win/2025/01/18/my-two-year-fight-agains...
Interesting article
Maybe he was banned because as a developer, he had development tools installed on his machine, which increased the odds of him being labeled as a potential cheater.
Sometimes I even wonder if other hackers could not hack the machine or other players, to install a software that triggers anti-cheat system: it becomes then difficult to lift the ban.
>Sometimes I even wonder if other hackers could not hack the machine or other players, to install a software that triggers anti-cheat system: it becomes then difficult to lift the ban.
This appears to be the case in Apex Legends: https://old.reddit.com/r/CompetitiveApex/comments/1bhicc6/cl...
Also I wish more "good" hackers were in games, like the guy in GTA Online I ran into once who was shooting me with a money machine gun because Rockstar are greedy assholes.
> Also I wish more "good" hackers were in games, like the guy in GTA Online I ran into once who was shooting me with a money machine gun because Rockstar are greedy assholes.
Eh? Rockstar doesn't force you to buy Shark Cards, and everyone has gotten 11 years worth of DLCs for free. Making in-game money IS an essential part of the game. You also don't have to purchase every single vehicle or other item the game offers.
During my years of playing, I've met only a few cheaters who weren't complete douchebags (though some of them did act that way towards other players). I consider the "good" cheater to be a myth.
Honestly I'd prefer it if games could permaban based on just heuristics and the EULA simply stated "tough luck, buy the game again". I'd happily pay for that, knowing my money is at least not going to some 2 year legal fight.
I get that I might be the one accused of cheating next time. But if that risk is tiny and the cost when it happens is $50 or $100 it sounds a lot more attractive than the alternative.
Also (obviously) I don't care about the account itself. I wouldn't play a game where I aggregate long term stats/items/status/whatever.
In a perfect world you just have private servers where you can have 90% effective anticheat and have humans sort out the rest.
I think stat based bans are the ultimate solution for all the client side bullshit.
If you use statistics, you will sometimes get it wrong, but in the other cases the cheaters are completely out of luck. You could offer the source code to your game willingly and it wouldn't help them very much.
If the cost of a false positive is $50 for the gamer and the chance of it happening is rare, I think many would quickly understand the value proposition from a game experience perspective.
Assuming your false negative rate is low (I.e., you have high classification margins), you can make it extremely undesirable for players to engage in unfair play. Even soft cheating like aiding teammates with streaming and discord side channels could get picked up by these techniques.
I feel like pretty much all cheaters can be detected by just looking at mouse movements vs enemy positions. If you can easily spot cheaters through a killcam or spectator view, they can be detected through a serverside watchdog, no?
Unfortunately the cheats are way ahead of this. Most modern aimbots in shooters like Counter-Strike are (intentionally) not-obvious. They give minor advantages and do tiny corrections for an already-immensely-skilled player to gain a small edge. In a game where the difference between a great player and an elite player is small, they can be the invisible difference maker.
Nah, that won't do it. Even if you had a rare false positive rate, it would be significantly higher for players with a profile similar to ones that trigger bans.
It would be even worse than the bans some developers hand out now because their inherit randomness would be essentially just that. Not acceptable for any form of service.
> I think stat based bans are the ultimate solution for all the client side bullshit.
When I play basketball I keep getting stuck playing against 7'6" guys with an 83% free throw percentage which is statistically very unlikely.
Alas my arguments they should be banned on statistical grounds have fallen on deaf ears :)
>I think many would quickly understand the value proposition
I think thousands of innocent teenagers without credit cards will be furious. Not to mention anyone that takes a game semi-seriously and cares about their reputation after getting banned. Also, with real-dollar values tied to skins, you’re not just nuking someone’s $50 account — accounts and their associated items can be worth a lot of money.
Anti-cheats should need to be certain. They should also, however, ban the hardware ID, which lots of games companies choose not to do (because they’d lose money).
I wonder how these anti-cheat tools are impacted by flatpak and its partial sandboxing. Otherwise they sound quite invasive.
I'm very curious about the jump obfuscation. Maybe somebody who's done more reverse-engineering can answer this for me:
a) Are unconditional jumps common enough that they couldn't be filtered out with some set of pre-conditions?
b) It seems like finding the end of a function would be easy, because there's a return. Is there some way to analyze the stack so that you know where a function is returning to, then look for a call immediately preceding the return address?
There's some other cool tricks you can do, where you symbolically execute using angr or another emulator such as https://github.com/cea-sec/miasm to be able to use control flow graph unflattening. You can also use Intel's PIN framework to do some interesting analysis. Some helpful articles here:
- https://calwa.re/reversing/obfuscation/binary-deobfuscation-...
- https://www.nccgroup.com/us/research-blog/a-look-at-some-rea...
Unconditional jumps are very common and everything in x86 assembly is very very messy after optimizations. Many functions do not end in ret.
How do functions that not end in ret work?
A function with an unlikely slowpath can easily end up arranged as
top part
jxx slow
fast middle part
end:
bottom part
ret
slow:
slow middle part
jmp end
In addition to what others said, I'd simply point out that all 'ret' does on x86 is pop an address off the top of the stack and jump to it. It's more of a "helper" than a special instruction and it's use is never required as long as you ensure the stack will be kept correct (such as with a tail-call situation).
`ret` also updates the branch predictor’s shadow stack. Failing to balance `call` and `ret` can seriously impact performance.
Right, I didn't want to get into it but definitely using 'ret' "properly" has big performance benefits. My point was just that it won't prevent your code from running, it's not like x86 will trigger an exception if they don't match up.
RET does more these days. If Intel CET is enabled then it also updates the hardware shadow stack, and the program will crash if RET is bypassed unless the SSP is adjusted. IIRC Windows x64 also has pertinent requirements on how the function epilog restores registers and returns since it will trace portions of the instruction stream during stack unwinding.
There are things like compiling a tail call as JMP func_addr.
Would you not have to use a jump instead of call for it to be a tail call at all- ie otherwise a new frame is created on each call
the call is still in tail position whether or not it reuses the stack frame. there are also more involved ways to do tail call optimization than a direct single-jump compilation when you leave ret behind entirely, such as in forth-style threaded interpreters
I guess were talking about optimising tail recursion. Would there be any reason to refer to a tail call other than that optimisation?
I’ll do some reading on the latter part of your post, thank you!
i only meant that "optimized/eliminated tail call" is more useful terminology than an uneliminated tail call not counting as "a tail call". i find this distinction useful when discussing clojure, for instance, where you have to explicitly trampoline recursive tail calls and there is a difference between an eliminated tail call and a call in tail position which is eligible for TCO
i'm not sure how commonly tail calls are eliminated in other forthlikes at the ~runtime level since you can just do it at call time when you really need it by dropping from the return stack, but i find it nice to be able to not just pop the stack doing things naively. basically since exit is itself a threaded word you can simply¹ check if the current instruction precedes a call to exit and drop a return address
in case it's helpful this is the relevant bit from mine (which started off as a toy 64-bit port of jonesforth):
.macro STEP
lodsq
jmp *(%rax)
.endm
INTERPRET:
mov (%rsi), %rcx
mov $EXIT, %rdx
lea 8(%rbp), %rbx
cmp %rcx, %rdx # tail call?
cmovz (%rbp), %rsi # if so, we
cmovz %rbx, %rbp # can reuse
RPUSH %rsi # ret stack
add $8, %rax
mov %rax, %rsi
STEP
You don’t need recursion to make use of tail call elimination. In Scheme and SML all tail calls are eliminated. GCC also does it, but less often. Still, it’s not recursion that triggers it.
Few common issues.
1. Some jumps will be fake. 2. Some jumps will be inside an instruction. Decompilers can't handle two instructions are same location. (Like jmp 0x1234), you skip the jmp op, and assume 0x1234 is a valid instruction. 3. Stack will be fucked up in a branch, but is intentional to cause an exception. So you can either nop an instruction like lea RAX, [rsp + 0x99999999999] to fix decompilation, but then you may miss an intentional exception.
IDA doesn't handle stuff like this well, so I have a Binary Ninja license, and you can easily make a script that inlines functions for their decompiler. IDA can't really handle it since a thunnk (chunk of code between jmps), can only belong to one function. And the jmps will reuse chunks of code between eachother. I think most people don't use it since there was a bug with Binary Ninja in blizzard games, but they fixed it in a bug report a year or so ago.
Yeah, should be easy enough to filter these particular jumps out. It's an obfuscation designed to annoy people using common off-the-shelf tools (especially IDA pro)
Most obfuscations are only trying to annoy people just enough that they move on to other projects.
What are off the shelf tools/methods people use now? Ida was pretty standard goto when I was into RE
Not much has changed, except there are more entrants. Binary Ninja, Ghidra, radare (last two being open source). For debugging, there's x64dbg. Some use windbg and gdb (for non windows os), but it still is mostly IDA as king though the others are catching up.
I evaluated entering the space by building something with AI native however, the business case just didn't make sense
I tried Ghidra recently and the decompilation seemed decent enough. The UI seemed a bit less complete than IDA's though (I couldn't see a couple of things that IDA does/has though they might just be hidden away in menus).
You don't even need to cheat at COD. They are so buggy they'll do it for you. They'll load a gun in place of your knife in ranked. They clearly have a faulty case/if-else statement in the ranked gun loadout checker to allow that and also to default to XM4 if the gun shown in the load out picker isn't allowed.
It's probably the only game I know of where the ranked version is more broken than the casual version...
Needs to be a law against the taking away of product functionality after the sale, even if it's contractual/EULA. A ban should never take the game away from the owner, and in cases where it does then they need to be refunded (treble damages on top of license, lawyer, and court fees if it takes a judgment to induce the refund). Getting banned on Steam, say, in the sense that all of one's purchases are invalidated should be impossible legally. In cases where an account is prevented from login, items and inventory must still be accessible for trade as those represent real time effort put in by a paying customer. Want to enforce your code of ethics in a multiplayer game? Can't charge for the game or users legally have rights against bans, and bans must follow a proportionality continuum and you must have a human-attended cost capped (at license cost, and only on loss) appeals tribunal system with record.
Cheating will not get you banned on steam though, at worst your account is publicly shamed if its a VAC game.
People play multiplayer games to have fun and interact with others. If you behave badly, be it cheating or otherwise, you should be banned from using the multiplayer service because your behavior impacts other people.
> If you behave badly, be it cheating or otherwise, you should be banned from using the multiplayer service because your behavior impacts other people.
What if you behaved great but some guy fresh out of code boot camp's algorithm bans you?
Bugs and mistakes happen, when that happens it's typically some misidentification of a process or driver so a group of players get banned. And in every one of those cases I've seen they've been unbanned. The call of duty case is probably the worst one I've read about, also an outlier.
> And in every one of those cases I've seen they've been unbanned
"I'm locked out of my account because of a buggy algorithm and there is no recourse" is a recurring thing here.
Why is that different from speeding while driving ?
Be a nuisance to society -> get fucked. That's a pretty universal principle
Because there is no court, just algorithm flagging people with some false positives
For "get fucked" measures you need pretty low rate of false convictions
imo the problem would be solved if there was the ability and a culture of running your own game servers. Because I agree, being softlocked from a game you paid for sucks.
But also, cheaters suck, and whoever's running the server should be allowed to kick you out.
While I get where you're coming from, that's a really bad comparison to make. Speeding while driving can and will kill people.
I don't mind cheaters getting their asses kicked. Let them lose real money. If you accidentally get banned, that's a different story though.
And it's just a game that's not playable anymore, not the whole Steam account, isn't it?
The entire Steam account is tainted: that's the issue.
Some random commercial third party can make an accusation and damage the value of thousands of games on a lark.
Meanwhile, any determined cheater just bought another copy of the game on an account dedicated solely to that task. This person suffers no extended consequence.
Maybe then just label them as cheaters and allow them to only game against other cheaters.
The money loss is kinda the point. Cheaters can fake a new identity but if they get caught fast enough cheating becomes unaffordable.
Not sure it applies with CoD in particular but my impression is a lot of these games with super invasive anti-cheat went F2P which reduces the punishment of getting caught to wasting time. Combined with the no dedicated servers resulting in little manual admin being possible with new games you've basically created the perfect environment to cheat entirely for business reasons. So then they started adding things like requiring phone verification (not even just requiring mobile numbers but requiring POST PAID mobile numbers) and kernel level modules, making a super invasive PITA solution to a problem.
Personally, I opted out of these games, F2P already perverts most game design away from fun IMO. And despite all this crap it seems like people are complaining about cheaters more than ever, but maybe I'm just old now!
I don't think it's you being older, this F2P stuff was almost non-existent outside of the MMORPG genre. If you wanted to play video games, you essentially had four choices:
- Play a limited demo of a full game.
- Buy a full offline game for your console or PC.
- Play a F2P MMORPG (no anti-cheat software to speak of).
- Pay for an MMORPG subscription (also no anti-cheat software to speak of).
Cheats were less developed and so were anti-cheats. The F2P model was not as wide-spread either. The mobile app market didn't exist.
This is not the reality we live in anymore.
I've decided to not waste as much time as I used to on this stuff, because as I got older I learned more about how valuable time actually is.
> not even just requiring mobile numbers but requiring POST PAID mobile numbers
Wow, I live in a first world country and that would still ban like half the adults I know (Mostly because our bill pay phone plans are terrible value), along with basically every teenager (which for COD, you would think is the core target market).
If there's a thing that's worse than over-priced stuff is free stuff. No free lunch
If you cheat or ruin game for other players, you deserve to lose the access.
Other players paid too.
Where did you learn how to do this? I would love to learn more about understanding half of what this article said but I don’t know how to start.
I learned a lot of this stuff ~15 years ago from reading a book called Reversing: Secrets of Reverse Engineering by Eldad Eilam. The book is old but amazing. It takes you through a whole bunch of techniques and practical exercises. State of the art tooling has changed a bit since then, but the x86 ISA & assembly more generally hasn't changed much at all.
One of my biggest takeaways was learning about "crackmes" - which are small challenge binaries designed to be reverse engineered in order to learn the craft. They're kinda like practice locks in the lockpicking community. The book comes with a bunch on a CD-ROM from memory - but there's plenty more online if you go looking. Actually doing exercises like this is the way to learn.
You don't start trying to reverse engineer COD. You build up to it.
UnknownCheats. I'm active there and it has one of the best resources on this kind of stuff. I'm more interested in how Linux userspace Anti-cheats works notably VAC.
You need to be just comfortable in assembly.
Its a hard first step, but I highly suggest you take the time to analyze a small binary, starting with understanding the registers for the architecture, understanding the different function calls, and then looking at the elf file and analyzing every section and how static linked libraries work, and how dynamic linking works with PLT/GOT. GPT models are REALLY good at helping you understand this, and you can also use Ghidra for decompilation. Do everything on Linux btw, as the tools are very easy to use and much less Cumbersome than windows.
Once you understand all of that, tracing assembly is pretty easy - its either register move operations, math operations, compare operations, jumps, and function call and returns (which basically are just shortcuts for handling the stack frames), with a few special instructions here and there which are usually just some optimizations that you can look it up ad hoc. Once you get handy at ghidra, you can look at decompiled C code and start replacing variable names to make the code readable, and then you generally get a good idea of project flow.
Dang, I'm old. I was going to say hang out in Gamedeception, but apparently it's been gone for years!
greetz to readers of Unknowncheats, cs.rin.ru, etc.
Gosh, haven't been to cs.rin.ru for years.
UnknownCheats was (still is?) good for getting information on undocumented APIs when game modding (for a good while the Half-Life SDK was incomplete).
I used to frequent cs.rin.ru for all things non-steam back when I operated non-steam CSS servers.
UnknownCheats is also absolutely amazing for cheat development. Back when I was writing undetected kernel cheats for my own experimentation purposes, I learned so much there.
I made my lifelong best friends hosting non-Steam servers, and writing the first cracks in Lua to generate fake Steam IDs from IP addresses.
I got started with Lena151's tutorials back in the day. https://github.com/kosmokato/Lena151
I have been doing a bit of reverse engineering on a popular Horde/Alliance based MMO game and it follows almost the exact same steps (including the FNV32 export hashes). It almost seems very similar as I have seen it employ very similar tricks. I wonder if it's packed using the same protection?
The source 2 engine also uses fnv to hash the schema (basically entity properties)
Wouldn't it be possible or relevant to periodically, electronically sign the game state, to prevent cheating? Or with some proof of work?
I am starting to think that cheat are just too hard to fight against, I am making a small, cheap online FPS, and I would let users trust each other instead, and hunt cheaters themselves, or maybe use AI like valve is doing. I would not bother have a anti cheat software.
Also players would have to manage and administrate their servers themselves.
Players would require to have a cellphone number attached, have a reputation score given by other players, maybe give an id or some other strong auth method, manual verification with like a photograph, like it's done for some dating apps. Players would have to play like 10 hours before they could play competitive.
I am confident hardcore players would be motivated to do all those things to make sure there are fewer cheaters.
> and I would let users trust each other instead, and hunt cheaters themselves
If you've ever played a decent amount of basically any online game you'd know that players make cheating accusations CONSTANTLY based on very little evidence. And then there's also the social aspect of just reporting players you don't like to get them banned
In such a system you'd get way more false positives than any kind of anti-cheat
At a high level, you can just simulate the game without cheats, sign that, and then do the cheats separately.
I don’t play this game, but my partner does. I sometimes see him “spectating” a player that is below the ground - regardless of if the client is hacked/cheating, aren’t there some server-side checks that the player state is valid?
Phenomenal piece of research. Clearly this is not the author's first rodeo :)
Not really relevant, but this triggered a memory of being around 14 years old and getting scammed on Runescape which drove an evil character arch from me to somehow find out how to DDOS players in the duel arena and make absolute bank. I still feel a little guilty about my actions to this day. At the same time, I'm surprised that at 14 I was able to find and pay for a denial of service provider and figure out players IP addresses to intentionally disconnect them
Signature scanning is indeed the hot shit.
It's like the most addicting part of reverse engineering to me. Building signature lists, and then writing bindings to scripting languages to call those function pointers.
It's also the foundation of how many third-party mod platforms work, because you need to build a meaningful API to modders that isn't exposed by the first-party.
No idea what signature scanning is, but found this resource for those curious:
https://www.unknowncheats.me/forum/general-programming-and-r...
Signature scanning is just scanning for unique bytes from a compiled function that will remain consistent across builds. You search memory for those bytes and when you find them, you find the function you're interested in.
Here's an example from some shellcode loader I wrote: https://github.com/exploits-forsale/solstice/blob/c3fc9a55c6...
Thanks for explaining. How do you identify such byte patterns that are likely stable across builds? Is it experimental - i.e., look at a few versions of the binary and check if it has changed?
You can actually usually get a pretty good starting point from just a single build, and only refine it once you find a build it breaks on. It's essentially just finding a unique substring. In my experience this almost always involves some wildcard sections, so the signature in the parent got lucky not to need them. I like to think about it as more of matching the shape of the original instructions than matching them verbatim.
To manually construct a signature, you basically just take what the existing instructions encode to, and wildcard out the bits which are likely to change between builds. Then you'll see if it's still a unique match, and if not add a few more instructions on. This will be things like absolute addresses, larger pointer offsets, the length of relative jumps, and sometimes even what registers the instructions operate on. Here's an example of mine that needed all of those:
"48 8B ?? ????????", // mov rcx, [rdi+000001D0]
"48 85 C9", // test rcx, rcx
"74 ??", // je Talos2-Win64-Shipping.exe+25EE729
"E8 ????????", // call Talos2-Win64-Shipping.exe+25E45F0
"48 63 ?? ????????", // movsxd rax, dword ptr [rbx+000005D0]
"8D 70 FF" // lea esi, [rax-01]
https://github.com/nosoop/ghidra_scripts/blob/master/makesig...
From my limited experience, it refers to the act of reverse engendering the function (signatures) contained the code of a binary.
A binary, like the underlying code, has commonly used code split into functions that may get called in multiple places. These calls can be analyzed either through static analyzers or by a human, who may analyze context of the callsite to guess what each Arg is supposed to do/be.
For modding, e. G. in a single player game, one might want to find out where the engine adjusts the health points of a player or updates progress.
> It's also the foundation of how many third-party mod platforms work
Sure is - I believe a few Source engine plugins do this when required (though mostly I think they use offsets into vtable pointers).
As much as I loved that article, I'm not sure it's really moral thing to do.
I mostly quit gaming when I realized (load times+match maching+updated) < time playing.
and that was before drm and anti chat rootkits.
imagine having to upgrade my pc just to run memory obfuscation sha256. whole industry is like the 80s processed food era just advertise, don't even matter what you're selling.
Cheating in multiplayer games has become such a huge problem, it has destroyed trust across every major FPS.
I am a long time CS player, but I did briefly play one of the new CoD games, before they went crazy with Nicki Minaj skins and bong-guns.
A person was so convinced I was cheating, they started doing OSINT on me while still in a match, and they found my old UnKnOwNcHeAtS account as some kind of proof that I am cheating (that account was 12 years old by that point).
I abhor cheating, and I have a lot of interest in computer science, so of course I wanted to see how all of it works and did my research during my youth, taking care to never compromise the competitive integrity of the games I played, but if you look around, there is not a single game that I can recommend to people anymore.
Games like Escape From Tarkov are so busted, cheaters are stealing the barrels off people's guns and crashing their game/PC on command.
My beloved counter-strike's premier competitive game mode has a global leaderboard that acts as a cheat advertisement section within the game.
Games like Valorant are a cut above the rest on account of their massively invasive anti-cheat, but are nowhere near as clean as most fans claim, I mean, you could write a cheat for the game using nothing but AHK and reading the color of a pixel.
There is a whole industry of private matchmaking for counter-strike, built solely on the back of their anti-cheat and promises of pro-level play to the top players.
EDIT: I found the screenshot, it was MPGH not UnknownCheats, but yeah, they also had a game ban on their account.
We’re seeing a clear divide where both competitive gamers and hackers are retreating into their own ecosystems, away from public matchmaking. Public matchmaking has simply become too optimized/lucrative to sustain trust or meaningful competition. Private matchmaking and closed communities are thriving, raising the average skill ceiling in competitive. Similarly, hacking communities are evolving with easier forms of payment and distribution. The monetary aspects are huge. But most importantly, both cultures push each away. Your persona of someone who plays with integrity and crosses the competitive and hacker mentality is pretty much gone.
Escape From Tarkov was so busted, because first they've supported cheaters (one cheater, with bought cheat for a few $, made around $2k++ monthly boosting players etc.) when Tarkov dev banned them, they will easily rebuy new account. Easy money for both parties, win-win scenario.
Second, their code for networking was complete BS, they didn't even sanity-check player movement/location server-side and many more things. Ridiculous.
fwiw, cheating in CS(GO) taught me x86 RE and low-level programming way younger than is usual. sophomore year of high school.
I still recommend writing an HvH cheat to anyone that wants to get into proggin' -- you get a taste of both static and dynamic RE, memory-level programming, UI development, bare dxsdk (usually), a skid-saturated environment, sysadmin (if you try to set yourself up an uber1337 cheat page), and a bunch of other little things, all in an environment where you're quite directly competing with others in the same situation.
still, it ruined game for other players.
though personally I can't be that mad if you wrote cheats yourself, I will be a bit angry but impressed too ;)
Most hackers in the space start out at the freshman year or middle school age, my dude. Was the case 20 years ago.
it wasn't a brag or anything, i just don't know by what means i would've been introduced to that stuff other than game cheats. 15-year-old-me definitely did not care about crackmes or malware reversing.
i did start writing code in middle school, though. php, mostly :)
you sound like me, I was a little younger though ... aimbots, wallhacks, esp, textures, radar, it was all intriguing and I hated encountering cheaters in CS 1.4 and 1.5. I also began dabbling in writing bots around this time, as POD Bot was awesome!
php had also been a thing of mine, I spent many months in DALnet and EFnet #php. Primarily around the time of v3 prior to v4's big launch...
The game I probably have the most hours in is Overwatch. In that time I've encountered not enough cheaters (at least those that are noticable enough) to say that they are even remotely a problem. I don't know what they are doing, but they don't use a kernel-mode anti-cheat (to my knowledge).
You simply don't notice since overwatch cheats tend to be very advanced. They also have a really strict system around reports and players actually use it.
EFT also uses kernel level anti-cheat “Easy Anti-Cheat” (as invasive as what valorant uses (vanguard)). Don’t know why ETF implementation sucks.
I’ve been on CS since 1.3, and i think their system is pretty good. Sure you get cheaters sometimes, but it’s not that bad, maybe I’ve been pretty lucky.
EFT uses battleye. Most commercial anti cheats have had a kernel component for many years because cheaters moved there, anti cheats just followed them out of necessity. Valve VAC being one of the few exceptions, but its practically useless as an anti cheat. Vanguard is better because they designed the game with anti cheating in mind, not just slapping it on at the end as an afterthought. And it protects against certain cheats loaded at boot which other kernel based anti cheat don't protect against.
Unless you use multiple users on Windows a user space anticheat (or anything you run) can already read all your files and even memory of other processes (Windows provides an API for this), putting it in kernel adds the ability to do so for the other users. Invasiveness isn't really that good of an argument as normal software can already do so much.
One difference between EAC and Vanguard is that the latter needs to be loaded on boot, so you need to reboot every time you want to play if you don't want to have it running all the time (which is a common use-case since it has a history of interfering with legitimate programs).
> Cheating in multiplayer games has become such a huge problem, it has destroyed trust across every major FPS.
Is it because normal people are out of public competitive multiplayer so you're left with the cheaters and toxic hypercompetitives?
Personally I've quit when Starcraft 2 was new. Got tired of being called a stupid noob ... when I won.
Cheating is such a bummer in CS, even in casual matches. Luckily it’s usually pretty obvious and you can either kick the cheater or find a better lobby. Having friends on there has made finding good lobbies in general much easier
around the year 2000, a friend of mine from school got banned from many large Half-Life servers because they claimed he was cheating. He was not, he was just that good. I swear even if you watched him playing you could have sworn he used an aim bot. The crosshair was almost permanently stuck to the other players' heads. But that's just how good he was. Shame that E-Sports wasn't a thing back then, he could have earned a fortune
I disagree that cheating "has become" a huge problem, it was always a huge problem.
I can't remember a single multiplayer game that didn't have cheaters of some form or another. None. Zilch. Zero. It's kind of why I never grew beyond playing MMORPGs, and even that passion ultimately died out.
Back in the old days, before even xbox, online play was almost exclusively on computers on privately hosted servers, so you had mods actively banning anyone who gave any hint of cheating.
That doesn't refute my point, though; probably supports it, even. Private server owners went scorched earth in ye olde days because cheating was (and still is) a huge problem.
As a player it was just less annoying back in the dedicated server days, since cheaters were dealt with immediately. Nowadays you have to report them in most of the competitive games and then it can take anywhere from several hours to weeks before anything happens. It just feels like the protections have become more and more invasive, yet are still far behind the original community managed servers from back in the day.
As long as you can read and write to memory, you'll never stop cheating in multiplayer games.
Sure, and that's why there's more and more "trusted" hardware to try and get computers to a place where their users cannot read and write to or from their own memory.
Those kinds of things tend to be their own undoing.
You added a security processor to your hardware at ring -2, but hardware vendors are notoriously bad at software so it has an exploit that the device owner can use to get code running at ring -2. Congrats, your ring 0 anti-cheat kernel module has just been defeated by the attacker's code running on your "trusted" hardware.
But in the meantime you've now exposed the normal user who isn't trying to cheat to the possibility of ring -2 malware, which is why all of that nonsense needs to be destroyed with fire.
Good luck ensuring every PCIe device with DMA access is "trusted."
IOMMU defeats DMA attacks.
There is no reason for a GPU or network driver, or anything to have arbitrary physical memory access.
If a GPU needs space for a draw-calls, allocate it in the kernel and explicitly give permission to the GPU to access it.
IOMMU gives the PCIe device access to whatever range of memory it's assigned. That doesn't prevent it from being assigned memory within the address space of the process, which can even be the common case because it's what allows for zero-copy I/O. Both network cards and GPUs do that.
An even better example might be virtual memory. Some memory page gets swapped out or back in, so the storage controller is going to do DMA to that page. This could be basically any memory page on the machine. And that's just the super common one.
We already have enterprise GPUs with CPU cores attached to them. This is currently using custom interconnects, but as that comes down to consumer systems it's plausibly going to be something like a PCIe GPU with a medium core count CPU on it with unified access to the GPU's VRAM. Meanwhile the system still has the normal CPU with its normal memory, so you now have a NUMA system where one of the nodes goes over the PCIe bus and they both need full access to the other's memory because any given process could be scheduled on either processor.
We haven't even gotten into exotic hardware that wants to do some kind of shared memory clustering between machines, or cache cards (something like Optane) which are PCIe cards that can be used as system memory via DMA, or dedicated security processors intended to scan memory for malware etc.
There are lots of reasons for PCIe devices to have arbitrary physical memory access.
I feel like in pretty much every case here they still do not need arbitrary access. The point of DMA cheating is to make zero modification of the target computer. The moment a driver needs to be used to say allow an IOMMU range for a given device, the target computer has been tainted and you lose much of the benefit of DMA in the first place.
Does a GPU need access to memory of a Usermode application for some reason, okay, the GPU driver should orchestrate that.
> We haven't even gotten into exotic hardware that wants to do some kind of shared memory clustering between machines, or cache cards (something like Optane) which are PCIe cards that can be used as system memory via DMA, or dedicated security processors intended to scan memory for malware etc.
Again, opt-in. The driver should specify explicit ranges when initializing the device.
> I feel like in pretty much every case here they still do not need arbitrary access.
Several of those cases do indeed need arbitrary access.
> The moment a driver needs to be used to say allow an IOMMU range for a given device, the target computer has been tainted and you lose much of the benefit of DMA in the first place.
The premise there being that the device is doing something suspicious rather than the same thing that device would ordinarily do if it was present in the machine for innocuous reasons.
> Does a GPU need access to memory of a Usermode application for some reason, okay, the GPU driver should orchestrate that.
Okay, so the GPU has some CPU cores on it and if the usermode application is scheduled on any of those cores -- or could be scheduled on any of them -- then it will need access to that application's entire address space. Which is what happens by default, since they're ordinary CPU cores that just happen to be on the other side of a PCIe bus.
> Again, opt-in. The driver should specify explicit ranges when initializing the device.
What ranges? The security processor is intended to scan every last memory page. The cache card is storing arbitrary memory pages on itself and would need access to arbitrary others because any given page could be transferred to or from the cache at any time. The cluster card is presenting the entire cluster's combined memory as a single address space to every node and managing which pages are stored on which node.
And just to reiterate, it doesn't have to be anything exotic. The storage controller in a common machine is going to do DMA to arbitrary memory pages for swap.
Re everything above the below, you are naming esoteric reasons for allowing unfettered access to physical memory. That's fine, but what percent of players of X game are going to have such a setup in their computer? Not enough that detecting that and preventing you from accessing a server would be a problem.
> And just to reiterate, it doesn't have to be anything exotic. The storage controller in a common machine is going to do DMA to arbitrary memory pages for swap.
I'd like a source for that if you have one. I'd be very surprised if modern IOMMU implementations with paging need arbitrary access. The CPU / OS could presumably modify the IOMMU entries prior to the DMA swap. The OS is still the one initiating a DMA transaction.
> That's fine, but what percent of players of X game are going to have such a setup in their computer?
If the "put some CPU cores on the GPU" thing becomes popular, probably a lot.
> I'd like a source for that if you have one. I'd be very surprised if modern IOMMU implementations with paging need arbitrary access. The CPU / OS could presumably modify the IOMMU entries prior to the DMA swap. The OS is still the one initiating a DMA transaction.
Traditional paging implementations didn't use IOMMU at all -- a lot of machines don't even physically have one, and even the ones that have one, that doesn't mean the OS is using it for that. It might end up going through it if you have something like the storage controller is mapped as a device to a VM guest and then the host uses the IOMMU to map the storage controller's DMA to the memory pages corresponding to what the guest perceives as its physical memory, or things along those lines.
But remapping the pages for each access, even if theoretically possible, would be pretty expensive. Page table operations aren't cheap and have significant synchronization overhead, and to swap a page that way would require you to both map the page and then almost immediately do another operation to unmap it again. For each 4kB page, since they're unlikely to be contiguous. You can do the math on how many page table operations that would add if you were swapping in, say, 500MiB, which a modern SSD could otherwise do in tens of milliseconds. Notice in particular that this would make operating systems that do this get lower scores in benchmarks. And that this applies not just to swap as a result of being out of memory, but ordinary file accesses which are really a swap to the page cache.
You could also run into trouble if you tried to do that because the IOMMU may only support a finite number of mappings, or have performance issues if you create too many. Then you get a slow device with too many pending I/O operations and the whole system locks up.
And even if you paid the cost, what have you bought? The OS could still give a device access to any given memory page for legitimate reasons and you have no way to know if the reason was the legitimate one or the user arranged for those circumstances to exist so they could access the page.
[dead]
As long as you can read and write to memory, you will never stop online cheating in FPS games.
This is true, but what is "reading and writing to memory" here? The article outlines dozens of ways of doing that with various hooks etc. And how they try to avoid that.
If I put a hardware connection to the memory (basically WIRES to my memory bus) then yes, it's very hard to detect. But that's also very hard and expensive to do...
It's cheaper and more accessible than ever to use DMA/hardware cheats from cheat vendors.
DMA cheats are only usable as many games aren't willing to pull-up their minimum requirements to play. IOMMU defeats DMA attacks. Secureboot (largely) solves pre-boot EFI related concerns.