Further analysis of VAC revealed several parts of the service which could be modified to increase its effectiveness.
Alternative Steam accounts
Cheaters are aware of the risk of getting their Steam account banned. For that reason they create secondary Steam accounts dedicated to playing with cheats. If their cheat gets detected, only the secondary Steam account gets banned. Following this pattern, a typical cheater has a main Steam account holding most of his purchased games, which isn’t used for cheating, and he keeps cheating on secondary Steam accounts, which he recreates every time his cheat gets detected. Changing the banning policy to also ban the main Steam accounts of those who were banned multiple times on different Steam accounts will decrease the financial benefits of cheating. Steam already does a similar thing in its Family Sharing program. Family Sharing allows two Steam accounts to share one purchased game copy. If one of the Steam accounts is banned for cheating, the second Steam account gets banned as well [12].
Usage of collected data for later analysis
Once a cheat is added to the database of known cheats, any player caught using it from that time on will be punished. The problem is that a player must be caught cheating after the cheat was added to the database of known cheats. To remove this limitation, VAC could store previously collected data about suspicious programs and loaded modules detected on a player’s computer and compare their hashes with each newly added cheat detection. This way VAC could punish all users of the cheat, not just those who kept using it after the detection was added.
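The retroactive matching proposed above can be sketched as follows. This is an added example, not code from the thesis or from VAC; the class, the account names, the SHA-256 hash and the 90-day retention window are assumptions made for illustration.

```python
import hashlib
from collections import defaultdict


def module_hash(image: bytes) -> str:
    """Hash of a reported program or module image (SHA-256 is an assumption)."""
    return hashlib.sha256(image).hexdigest()


class RetroactiveDetector:
    """Hypothetical server-side store of per-account scan history."""

    def __init__(self, retention_days: int = 90):
        self.retention_days = retention_days  # assumed retention policy
        self.known = {}                       # hash -> cheat label
        self.history = defaultdict(dict)      # hash -> {account: last day seen}

    def record_scan(self, account: str, image: bytes, day: int):
        """Store the observation; return a label if the hash is already known."""
        h = module_hash(image)
        seen = self.history[h]
        seen[account] = max(day, seen.get(account, day))
        return self.known.get(h)

    def add_signature(self, image: bytes, label: str, today: int):
        """Register a new detection and return accounts seen with it earlier."""
        h = module_hash(image)
        self.known[h] = label
        cutoff = today - self.retention_days
        past = self.history.get(h, {})
        return sorted(a for a, day in past.items() if day >= cutoff)


def demo():
    # Constructed sample data: byte strings stand in for module images.
    cheat, overlay = b"constructed cheat module", b"constructed overlay module"
    det = RetroactiveDetector(retention_days=90)
    det.record_scan("acct_A", cheat, day=100)    # stopped before the detection existed
    det.record_scan("acct_B", overlay, day=105)  # unrelated module, never flagged
    det.record_scan("acct_C", cheat, day=110)
    det.record_scan("acct_E", cheat, day=5)      # older than the retention window
    flagged = det.add_signature(cheat, "sample-cheat", today=120)
    live = det.record_scan("acct_D", cheat, day=121)  # ordinary detection afterwards
    return flagged, live


if __name__ == "__main__":
    print(demo())
```

Accounts acct_A and acct_C are returned even though neither was scanned after the signature existed, while acct_E falls outside the assumed retention window.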
Detection of common function hooks
The hooking method described in section 3.2.2 is currently undetected by VAC, as it does not modify read-only memory. Sample code attached to this thesis demonstrates one possible way of detecting this hooking method by comparing the allocation base of the object and the VMT.
Kernel mode
As part of a long-term solution, VAC could include a kernel module to extend the current user-mode detection mechanism into the kernel address space.
Conclusion
The most common cheat software techniques were described in this thesis. Several methods of code injection and function hooking were described and used to develop simple cheat software for the Source Engine. Special attention was devoted to current anti-cheat software, and one of them was analyzed by reverse engineering to find out how effective current cheat detection mechanisms are. Some suggestions were made to improve its detection methods.
Cheat and anti-cheat developers are both starting to take advantage of implementing their software for kernel mode. Kernel mode offers access to the whole computer memory and gives anti-cheat a huge advantage over most common cheats. Anti-cheat measures shouldn’t depend only on kernel mode access; the anti-cheat strategy should be included in the development cycle of a game. Game developers should be aware of the possibilities of client modifications which allow players to cheat. A balance should be found between client-side and server-side processing of the game environment to minimize the possibilities of cheating while not dramatically increasing the cost of running a game server.
This work may be followed by describing kernel mode cheats and methods of detecting them.
[1] MAKUCH, Eddie. US government recognizes League of Legends players as pro athletes [online]. 2013-7-12. Url: <http://www.gamespot.com/articles/us-government-recognizes-league-of-legends-players-as-pro-athletes/1100-6411377/> [2014-10-30].
[2] GRAYSON, Nathan. Top Counter-Strike Players Caught In Big Cheating Scandal [online]. 2014-11-24. Url: <http://kotaku.com/top-counter-strike-players-caught-in-big-cheating-scand-1662810816> [2014-11-11].
[3] MICROSOFT. Virtual Address Space [online]. Url: <http://msdn.microsoft.com/en-us/library/windows/desktop/aa366912> [2014-11-05].
[4] MICROSOFT. User mode and kernel mode [online]. Url: <http://msdn.microsoft.com/en-us/library/windows/hardware/ff554836> [2014-11-05].
[5] SELNA, James. Blizzard Entertainment Inc v. Ceiling Fan Software LLC et al [online]. 2013-09-23. Url: <http://legal.ceilingfansoftware.com/docs/147%20Order%20Granting%20Blizzard%27s%20Motion%20for%20Summary%20judgment%20and%20Denying%20Defendants%27%20Motion%20for%20Summary%20Judgment%20%282013-09-24%29.pdf> [2014-12-21].
[6] CAMPBELL, David. MDY Industries, LLC v. Blizzard Entertainment, Inc. et al [online]. 2008-07-14. Url: <http://docs.justia.com/cases/federal/district-courts/arizona/azdce/2:2006cv02555/322017/82/> [2014-12-21].
<http://msdn.microsoft.com/en-us/library/windows/desktop/aa366553> [2014-11-07].
[8] MICROSOFT. Driver Signing Requirements for Windows [online]. Url: <http://msdn.microsoft.com/en-US/library/windows/hardware/dn653563> [2014-11-07].
[9] HOWARD, Michael. Address Space Layout Randomization in Windows Vista [online]. 2006-05-26. Url: <http://blogs.msdn.com/b/michael_howard/archive/2006/05/26/address-space-layout-randomization-in-windows-vista.aspx> [2014-12-01].
[10] VALVE. SDK Docs [online]. 2013-12-10. Url: <https://developer.valvesoftware.com/wiki/SDK_Docs> [2014-12-01].
[11] VALVE. Valve Anti-Cheat System (VAC) [online]. 2014-12-01. Url: <https://support.steampowered.com/kb_article.php?ref=7849-Radz-6869> [2014-12-01].
[12] VALVE. Steam Family Sharing [online]. Url: <http://store.steampowered.com/promotion/familysharing> [2014-12-20].
[13] MEER, Alec. Valve offers free game after 12,000 false Steam bans [online]. 2010-07-27. Url: <http://www.gamesindustry.biz/articles/valve-offers-free-game-after-12-000-false-bans> [2014-12-06].
[14] VALVE. An issue with your computer is blocking the VAC system. You cannot play on secure servers. [online]. Url: <https://support.steampowered.com/kb_article.php?ref=2117-ILZV-2837> [2014-12-20].
[15] NEWELL, Gabe. Valve, VAC, and trust [online]. 2014-02-18. Url: <http://www.reddit.com/r/gaming/comments/1y70ej/valve_vac_and_trust> [2014-12-20].