The Reality of Modern Anti-Cheats
By: sebwebneb
Disclaimer: Before we dive into the technicals, I have to say that all information described in this post is already public and can be figured out by independent research. Nothing I describe here is bound to a specific contract between me and Epic Games, nor does it involve proprietary detection methods that I have reported. Anything discussed is either already detected or a common industry standard for how anti-cheats work. This is for educational and research purposes only and should in no scenario be used to act against good faith.
My name is sebwebneb. I am currently a Security Analyst with Epic Games (H1), but formerly a cheat developer for various titles. I am writing this because I am genuinely tired of the large amount of misinformation that content creators and self-proclaimed experts are pushing out. Most of these people don’t actually understand the cat-and-mouse game being played in the kernel.
The Evolution of Cheating
First off, let me address something: what the actual evolution of cheating is. It’s not what these influencers try to tell you. They literally talk about DMA like it’s some brand new, unstoppable magic trick. It isn’t. I’ll be addressing DMA later on, but first, we need a little chat about how an anti-cheat actually works.
Most people view an anti-cheat as a single program. If you look at Fortnite, it is actually a split system: you’ve got UAC, which is the in-house user-mode counterpart, and then EAC, which is the kernel module. Think of an anti-cheat as similar to an antivirus, except that it monitors for cheats instead of malware. But don’t get it twisted: if you threw a regular antivirus developer onto an anti-cheat, the project would fail. They don’t know the detection vectors cheat devs use.
The AI Misconception
Lately, I’ve seen a lot of “developers” who seem to be looking to AI to tell them how to use stuff like kdmapper. It’s a complete joke. Most of the time, AI only knows about detection vectors from kdmapper’s first few years of release. In this field, experience is way more reliable than qualifications or what an LLM tells you.
Talking about the kernel component: people who tell you it directly monitors for “tampering” with the game are just repeating what AI tells them. Don’t get me wrong, AI is good for general coding, but you need to be prepared to correct it. AI is also clueless about undocumented things because, well, they are undocumented. The anti-cheat isn’t sitting there checking every register and every reference to the game’s memory every millisecond. What it does have is total visibility of your PC. Unless you are running a hypervisor or in SMM, which is a topic for another day, the anti-cheat sees everything. If you have a cheat for another game loaded in the kernel, they can still ban you for that, since an anti-cheat is a static system: it can’t determine with 100% certainty that a specific cheat was only for CSGO or something else. If you exhibit rootkit behaviour, they won’t be afraid to ban you.
They also can’t just hook memory read functions, because of PatchGuard compliance. PatchGuard pretty much prevents Windows internal functions and drivers from being modified. While the Valorant anti-cheat does hook, they technically make it compliant.
The Data Game: Why You Weren’t Banned Instantly
It is also important to note that Epic Games did not create EAC themselves; they bought the company and worked their magic on it. This was a massive win because Epic is a rich company. Once they started handing out the free version of Easy Anti-Cheat to other developers, some said it sucked. But in reality, the free version of EAC is heavily reduced in terms of detection and capability, all while keeping data collection at a maximum in line with their TOS. Brilliant for Epic, since anti-cheats work based on data.
If you think you have an “undetected method” for loading a driver, you are probably wrong. There’s almost no way to load a driver illegitimately in Windows without leaving an anomaly. This brings us to NMI (Non-Maskable Interrupt) callbacks: the anti-cheat can interrupt the CPU and check what’s running at that exact moment. If you show up in these callbacks, it is already game over. They’ll upload that memory region to their server, build a profile on it, and banwave everyone else who showed up with those flags.
For example: If the system sees forty users who all have memory actively executing inside a discardable section of a specific driver, or the .text section of a driver, and they also see an unsigned EXE running with VMProtect flagged on the UAC side, that is a profile. They don’t need to ban you instantly. They wait, collect data, and then banwave everyone who fits that profile. If you are already automatically detected by EAC, they have no need to build a profile on you. You will always be the statistical outlier in their data collection.
The truth many cheat developers won’t understand is that while you are celebrating something being undetected, EAC is already working on building a profile. They can’t just push out a detection all willy-nilly and get users false-banned.
Reverse Engineering and Flag Thresholds
Cheat developers often work on assumptions. They use something similar to A/B testing, which I also commonly do for Epic Games. They test an implementation, see if it gets banned, and then try another. This happens because these developers are not skilled enough at reverse engineering to actually figure out how an anti-cheat does its checks. Stuff like BattlEye is easy, but EAC uses their own in-house virtualizer. They used to rely on VMProtect, but that got fully deobfuscated back in 2021. Now, I am required to deobfuscate their current checks for my research and for Epic to find vulnerabilities. I am not allowed to share any programs regarding this, but it is quite the learning curve.
Another thing cheat developers don’t understand is that flags lead to detection. Say EAC has a flag threshold of 40. If you are sitting at 39 flags, you think you are undetected. Then you get reported, the count goes to 40 temporarily while they investigate, and you are already banned. “Undetected” is a word thrown around way too often. Almost nothing is truly undetected forever.
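As an added illustration of the two mechanisms described in this and the previous section (a per-user flag score that a player report can push over the threshold, and a profile banwave across many users sharing the same anomaly combination), here is a small Python model. It is not EAC code; the flag names, weights, report bonus and telemetry lines are constructed for the example, and only the two values of 40 come from the post.

```python
from collections import Counter, defaultdict

# Values the post states: ban at 40 flags, banwave once 40 users share a profile.
BAN_THRESHOLD = 40
PROFILE_MIN_USERS = 40
# Hypothetical flag weights; EAC's real scoring is not public and not on the page.
FLAG_WEIGHTS = {
    "exec_in_discardable_section": 20,  # NMI sample landed in a discardable driver section
    "exec_in_driver_text": 20,          # NMI sample landed in a driver's .text section
    "unsigned_vmprotect_exe": 10,       # user-mode side: unsigned EXE packed with VMProtect
    "unknown_driver_load": 9,
}
REPORT_BONUS = 1  # hypothetical: a player report adds 1 while the account is under review

# Constructed telemetry lines: "<user> <flag>" or "<user> reported".
SAMPLE_TELEMETRY = (
    ["u1 exec_in_discardable_section", "u1 exec_in_driver_text"]            # score 40: outlier
    + ["u2 exec_in_driver_text", "u2 unsigned_vmprotect_exe",
       "u2 unknown_driver_load", "u2 reported"]                              # 39, report makes 40
    + [f"u{i} exec_in_discardable_section" for i in range(3, 43)]            # 40 users, same
    + [f"u{i} unsigned_vmprotect_exe" for i in range(3, 43)]                 # profile, score 30
    + ["u99 unknown_driver_load"]                                            # lone low anomaly
)

def parse(lines):
    """Group telemetry into per-user flag sets and the set of reported users."""
    flags, reported = defaultdict(set), set()
    for line in lines:
        user, event = line.split(maxsplit=1)
        if event == "reported":
            reported.add(user)
        elif event in FLAG_WEIGHTS:
            flags[user].add(event)
    return flags, reported

def score(user_flags, is_reported):
    return sum(FLAG_WEIGHTS[f] for f in user_flags) + (REPORT_BONUS if is_reported else 0)

def evaluate(lines):
    """Return (instant_bans, banwave): users at or over the threshold on their own,
    then users under it whose exact anomaly profile is shared by PROFILE_MIN_USERS machines."""
    flags, reported = parse(lines)
    scores = {u: score(f, u in reported) for u, f in flags.items()}
    instant = sorted(u for u, s in scores.items() if s >= BAN_THRESHOLD)
    profiles = Counter(tuple(sorted(f)) for f in flags.values())
    wave = sorted(u for u, f in flags.items()
                  if scores[u] < BAN_THRESHOLD
                  and profiles[tuple(sorted(f))] >= PROFILE_MIN_USERS)
    return instant, wave
```

u1 and u2 fall out as outliers (u2 only because the report tipped 39 to 40), while u3 through u42 never reach the threshold individually and are caught by the shared profile; u99 is flagged but untouched.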
Addressing DMA (Direct Memory Access)
Now, about DMA. People believe anti-cheats can’t detect it. Originally, they could, easily: if you have a specific card plugged in, it is suspicious. But DMA happens at the hardware level, meaning the memory reads don’t go through the local CPU. When EAC looks at what is happening, it looks fine, because the operations are external. Currently, the way to fight this is through banwaves and looking for anomalies in firmware.
Cheat developers use firmware to disguise the DMA card as a legitimate network card or sound card. I’ve dumped enough firmware in my time, namely from network cards, and have ideas regarding how to detect specific firmware, but those I am unable to share here.
Just look at the recent attempts to circumvent IOMMU enforcement on Vanguard as proof that these modern cheat developers actually suck: they are now making drivers just to load and bypass it, completely defeating the point of using DMA. DMA is supposed to stay at the hardware level to keep off the radar, but introducing a local driver to bypass the IOMMU creates local anomalies that flag. It just goes to show how little they really know and what lengths they will go to in order to keep their P2C active.
The Illegal Reality of Cheat Selling
Unfortunately, there’s also a very illegal aspect to cheat selling. Although it is different from cheat development, the two are often related, so I thought I’d point it out. A lot of cheat developers do this illegally, not just in the copyright sense of selling cheats, but because they buy and use verified PayPal and Stripe accounts. This crosses into fraud and identity theft, because the documents aren’t theirs. That’s the sad part of the scene.
When I get these cheats to dump, which happens about 80% of the time without me needing to buy them, it’s pretty simple. Customers send the loader, I crack it while emulating the requests to the server for the bytes to be sent, and then I get their payment processor from their website and let PayPal and Stripe know about the fraud. Obviously, if their authentication is secure, then there’s nothing I can do without a key since I can’t lie to the server.
Final Thoughts
I have a huge amount of respect for analysts such as ItsGamerDoc. It is hilarious to see analysts like GamerDoc drop cheats, since the developers get banwaved and panic. Huge respect for analysts like him; that level of work is where the real impact happens.
I am passionate about this because it is my career. I love the technical challenge of finding what is hidden. While I’m currently enjoying my work as an analyst for Epic, I’m always open to work and looking to push myself further. My goal is to eventually move into a team like Vanguard at Riot, where the approach to security is even more aggressive and in touch with the community. Vanguard pushes Windows internals to their limits. EAC does things like the KDTrap hook, but Vanguard does its SwapContext hook, which, from what I remember, is PatchGuard protected, and they just hook functions to see when PatchGuard fires. Don’t quote me on specifics about Vanguard, though, because I haven’t had a chance to reverse it since I don’t know how to get into their HackerOne program yet.
Times are changing. The ones who depend on AI or old forum posts to keep them updated or undetected will get left in the dust.
Note: I apologize if the post was a bit too technical for basic user understanding. I tried dumbing stuff down as much as I could to explain it to everyone, but this field is complex and there’s only so much you can dumb down before you stop telling the truth about how these systems work. I used AI on this post to dumb it down better and make it more readable.