@LowLevel-TV I really wish the slop at the center of Windows would stop conflating itself with real modern operating systems by calling itself a kernel.
If you’re gonna cover news, at least cover the news. The entire time I sat there hoping you’d cover more of the article, especially where it was claimed thousands were affected. Instead I got almost pure editorial. Damn waste of time….
Ricochet is deliberately crap. They know AC on PC is a waste of time in 2024, so instead of leaning back towards locked bootloaders (e.g. Xbox, PlayStation) where ESP hacks are impossible, as is DMA, they figure they (M$) will lean into making the sheep pay for their own hardware, because they have their eyes on Steam. That's why COD on Xbox doesn't let you disable cross-play; PlayStation can, but watch that go bye-bye when their SLA expires, and then gaming will be all but ruined forever... well, the old days of (mostly) fair skill-based multiplayer gaming anyways.
Yeah, thanks but no thanks. Windows has had its day; it's time for GNU/Linux Gentoo to take over the wheel. (PS. Never would I allow this garbage to be installed on my system, fuck that)
Unfortunately, they'll move all the games to Android with its locked-down ecosystem. People need to vote blue, but also speak up and send messages to all their representatives. The party that has backed consumer rights so far is our only hope. The Republicans want to stop things like Wikipedia and the Internet Archive. If a rich moron is not making all the money, it's not allowed. Legislation could put a stop to unlockable bootloaders, no source access to block flexible use of hardware you paid for, and this low-level spying on your device over a video game. Devs need to figure things out without resorting to this unacceptable level of intrusion. It is like having a camera in your toilet that someone else controls without you ever being told about it. All to play a video game. It makes zero sense. If we don't vote for freedom now, DRM-laden OSes will control all the content with ever-rising fees for less and less content. Execs will do what they always do and squeeze everyone around them. Rich vs poor is real and it's all the rich people doing it. Musk will have spent over a billion dollars on this election and his goal is to take away your rights while making rich people immune to laws like an oligarch or a high-level CCP member.
That's really funny, because I remember funny times in Lineage 2 when you could ban LITERALLY THE ENTIRE SERVER by chatting "UOPilot" in the world chat. (UOPilot being the scripting engine that can help you automate some of the grind.) The game's anticheat saw "UOPilot" in the memory of the game's process and instantly banned you. Funny part here is that it was happening 10-15 years ago. And here we are, as you said, AAA and AAAA anticheat devs can't avoid stepping on the same old rake.
People don't learn. Doesn't have to do with cheating, but same stupidity: Heroes of the Storm didn't have a functioning report system. Toxicity spiraled out of control; it was brutal. They admitted that they didn't have a functioning report system and then fixed it. A couple of years later: the exact same thing in Overwatch and the same procedure. Both from Blizzard btw.
Step 1) Make all users agree to TOS including forced arbitration. Step 2) Make all users give your program kernel-level access to their PC. Step 3) "Forget" some key safety measures that protect your users' personal information and private data. Step 4) ?????? Step 5) Profit.
What baffles me the most is that CoD has like a two-decade history of people just throwing verbal abuse and cheating accusations left and right, so the memory region with chat messages would be like the first place to think about when designing an anti-cheat, and where to disable its checks, no?
@@Wielkimati Well, no, because then the chat is a possible vector of attack. What we're seeing here is the big inherent flaw of intrusive external anticheats: there are too many false positives and it's still not an ironclad wall. The solution is designing the code for security and having the anticheat be part of the code base itself, something as simple as server-side checks. But no one's going to bother with that now, are they?
How is it possible that an anti-cheat tool can permanently ban accounts, robbing people of something they legitimately paid for, based on such flawed logic (or even a total lack thereof)? That isn't just stupid, that is outright criminal. Companies deeming it acceptable to integrate such tools in their product should be held fully responsible.
@@Patashu And no one reads them, or thinks "I don't do anything criminal, that won't hit me anyway." Like our legal system, where there are people who say "We don't need privacy, I don't do anything wrong, they can see what I do." But our system can have flaws, same as an anti-cheat, and your friend sends you a chat in which president and b0mb occur randomly and some secret service scan puts you on a list.
I just stick to older games now. Modern gaming is a massive joke. "Yeah guys, let's diminish all our privacy and security and hand complete control over to a game's software so that we can play another bottom tier game with 0.0001% less cheaters!"
@@RottenMuLoT fun fact: if you run a modern game where you can blow up a barrel, you can physically feel the heat coming out of your GPU whenever you do so.
"There will be no cheaters if we ban all players" - Activision. P. S. No more likes, 666 is perfect. If you break it, you're a Python developer. P. S. Foukin Python developer, you broke it.
Thank you! I had to look it up, learn what it was :) I didn't know there was a name for this kind of thing. Some of the examples in Wikipedia are hilarious!
Yeah, that is the same reason I am against kernel-level anti-cheats. You can't trust specialized security companies like CrowdStrike with kernel access, and you can definitely not trust random game companies with access to your kernel. Even if it doesn't get used by bad actors, it leaves plenty of room for companies wanting money to abuse the access you agreed to in order to play their game.
So do you run each of your games under its own user and never grant the game's installer elevated privileges without first reverse-engineering it and checking what it does? Kernel-level drivers are primarily a security problem, but from a privacy standpoint, it's not a night-and-day difference unless you go out of your way to manually isolate everything, which no one does. And those who do wouldn't use that PC to play games.
@@hovnocuc4551 No, you check what anticheat the game uses (if any, they're not mandatory), and if it runs outside userspace you play something else and don't install it. Stop bikeshedding.
@@hovnocuc4551 I have made a quick bash script to start all my games in their own Wine instance, while also being isolated. I wish more people did this because it wasn't really that hard to do. I'm still working on polishing it, but it works well enough for me and my games.
@@hovnocuc4551 The issue isn't that kernel-level anti-cheats can destroy your privacy (although with kernel-level access, they definitely could). It's that they could do stuff that either destabilizes your system or, worse, corrupts your OS in such a way as to brick it, potentially rendering all of your data inaccessible indefinitely. This is why, if you *HAVE* to write kernel-level code, you take *EVERY* step to ensure it *NEVER* messes with *ANYTHING* but the data it is *DESIGNED* to handle. And you *DEFINITELY* don't want to allow unauthorized access to this kernel-level code; *that is asking for all the trouble in the universe.*
The moment the text "trigger bot" in game chat was mentioned, I was struck with a flashback of some 15-year-old discussion where someone theorized that PunkBuster could get people needlessly banned if they simply received, in a messaging program, the same text strings PB was identifying cheats with. A more understandable issue when scanning around the whole system: you don't know where some text originated from or if word.exe is legit or cheats. But when scanning YOUR OWN GAME PROCESS?? That's the one thing in memory they actually have control over...
When I had learned that PunkBuster was doing that, it suddenly made sense to me why PB bans weren't worth anything back in the day, since they were constantly being revoked. This is an embarrassment that companies are still doing this.
It's hilarious as long as no one gets hurt. What people need to realize is that we're one loose pointer away from a CrowdStrike-level event happening to the PC gaming community.
This reminds me of tricks that were used back in the dial-up days. Send AT commands in hex strings and it'd cause people's modems to do weird stuff, including but not limited to hanging up, waiting a bit, and dialing a different number as specified by the one sending the command.
@@kevikiru the "reason" they use a kernel level scan is because if an external process is injecting itself into processes, and then passing on legitimate calls, it's somewhat undetectable by the host process. A game side detection method is easier to bypass. On the other hand, it's also limited to the user space for exploits.
So, it's 'startkeylogger' from the golden IRC age all over again (nod to 'Norton AntiVirus'). The 'security software' industry has an extremely flat learning curve, it seems.
Activision banned me from playing Modern Warfare using the Battle.net client 1-2 months ago. Purchased back in 2019. It was a clean installation. No cheat used or anything that could modify the game files. I played a few matches and then quit. 5 hours or so later, I got an email from Activision saying that I was permanently banned. Tried to appeal. Could only type 1000 characters. What a joke. But I was talking to deaf ears and got the final email stating that the decision was final. Their "security team" had reviewed my case. They have reviewed shit and nothing. It's the first time I have got banned for just playing the game, just as anyone else does. The matches I played were also normal, and nothing abnormal with them. I will never buy another Call of Duty title after this. $60 lost and a lost game. Still to this day, I have received no unban and no justice. Trust me, if I did something shady, I will own it and move on. But this is just pathetic from Activision. I'm 100% sure I'm not the only victim, and we most likely will go unnoticed. I hope everyone thinks twice before purchasing another Call of Duty title. You don't think it can happen to you, but it can. All I can do now is to never buy another Activision title, and stay away from their anti-cheat.
You aren't alone. It's the most idiotic "anti-cheat" and handling of appeals for unjustified bans that I've ever seen. Money down the drain and a permanent mark on the account 4 years ago. Neither Activision nor any other company associated with Activision will get my support ever again.
What's even the point of it running at kernel level if it's just reading the game's memory to look for signatures and not checking if another process is doing something??? Genuine question.
It's another one of those development cost issues. Examining a process and determining what it's doing is likely a complex software problem. On the other hand, it's cheap and easy to just scan everything for a signature hit and double down on cheating allegations because the software is law. There were various ways to hide a process on older versions of Windows, and newer versions have isolation modes, so my guess is they're simply using kernel mode to get around those limitations.
Not sure how Ricochet works, but from what I know, a core part of Anti-Cheat software is to check all input sources to make sure a user isn’t using, for example, a joystick while pretending to play with a Keyboard and Mouse, or prevent unsigned drivers from being used in the game. It also needs to monitor system calls to check for weird behavior.
It's funny that Valve gets hated for being one of the few developers that are actively against kernel-level anti-cheats. They are simply thinking ahead of everybody else with their AI model concept as a server-side anti-cheat.
Developers: *Keep putting invasive kernel-level anti-cheat in their games.* Us players: _"How many times do we have to teach you this lesson old men!?"_
That's not how it works. The message isn't stored within COD memory while you're typing it out, it's stored in a separate string buffer which is then directly sent to the recipient.
@@karlp2277 I don't think we got the full story on how it's being done. For example, it says "send a friend request or..." How will sending a friend request get anyone banned?
The scariest part about all this to me is how easy it's been in some games in the past for cheat devs to find ways to inject data into /other players'/ games, not just through chat. Look at the pro players who had literal aim hacks forced onto them remotely by a known hacker during a major tournament for Apex Legends like half a year ago. That kind of vulnerability happening in a game with kernel anti-cheat could cause cheat devs to build features that target-ban other players by causing them to appear to have certain strings like this inside their memory beyond the "expected" places like chat, even if the kernel anti-cheat was /correctly/ scanning and didn't have the bug featured in this video.
A similar thing happened with Vanguard way back when it was first introduced. You could send an image in a Discord chat with a known detected cheat vector appended at the end of the image data, and anybody who viewed the image while Vanguard was installed would get flagged and banned, since it would just indiscriminately scan memory. Great times.
What I find most offensive about this is that they asked for kernel-level access to do CTRL+F. I’d expect higher sophistication from a kernel anti-cheat than this naive approach to perma-banning.
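The "CTRL+F over the game's own memory" behaviour that the comments above describe, modelled as an added example (not Ricochet's code, nor anything from the video): a scanner that matches a marker string anywhere in process memory, beside one confined to executable, image-backed regions so that text received from other players can never be the source of a hit. The region layout, region names, the marker string and the chat messages are all constructed sample data.

```python
# Added example: toy model of whole-process string matching versus a scan
# scoped to loaded code. Everything here is constructed; it does not read
# real process memory.
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Region:
    """One virtual-memory region of the simulated game process."""
    name: str            # label reported in the verdict
    executable: bool     # mapped with execute permission
    image_backed: bool   # backed by a loaded module file, not heap or stack
    data: bytes


# A plain-text marker of the kind the comments describe (constructed value).
# Matching is case-insensitive because chat text is free-form.
SIGNATURE = b"trigger bot"


def naive_scan(regions: List[Region]) -> List[str]:
    """Flag every region whose bytes contain the marker, wherever it lives.
    This cannot tell a cheat module apart from a message another player typed."""
    return [r.name for r in regions if SIGNATURE in r.data.lower()]


def scoped_scan(regions: List[Region]) -> List[str]:
    """Only inspect executable, image-backed regions (code that was actually
    loaded), so data arriving from the network or the keyboard is never a
    match source. Note this is still a brittle string check: a renamed marker
    slips past both scanners, which is why behavioural, server-side evidence
    is the stronger signal."""
    return [r.name for r in regions
            if r.executable and r.image_backed and SIGNATURE in r.data.lower()]


def verdict(flagged: List[str]) -> str:
    """Collapse a list of flagged regions into the ban decision."""
    return "ban" if flagged else "clean"


def sample_process(incoming_chat: bytes, foreign_module: bytes = b"") -> List[Region]:
    """Constructed layout: game code, the game's string table, a heap buffer
    holding another player's chat line, and optionally a foreign code module."""
    regions = [
        Region("game.exe .text", True, True, b"\x55\x48\x89\xe5<game code>"),
        Region("game.exe .rdata", False, True, b"Killcam\x00Lobby\x00Settings\x00"),
        Region("heap: incoming chat", False, False, b"[Team] " + incoming_chat),
    ]
    if foreign_module:
        regions.append(Region("unknown.dll .text", True, True, foreign_module))
    return regions


if __name__ == "__main__":
    # A hostile chat message alone trips the naive scanner but not the scoped one.
    taunt = sample_process(b"nice TRIGGER BOT, reported")
    print("naive :", verdict(naive_scan(taunt)), naive_scan(taunt))
    print("scoped:", verdict(scoped_scan(taunt)), scoped_scan(taunt))
    # A loaded code module that carries the marker is caught by both.
    loaded = sample_process(b"gg", foreign_module=b"\xcctrigger bot v2")
    print("scoped:", verdict(scoped_scan(loaded)), scoped_scan(loaded))
```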
Windows is not Android. An APK app mod, yes, changes the signature. In Windows the game is still original and cheat tools inject without modding the game installer.
@@alexandergabadze2361
xX_momthumper_69420_Xx sent you a message: *"WALLHACK CHEATER KYS!!!"*
alexandergabadze2361 has been permanently banned
xX_momthumber_69420_Xx to rest of game: "Git rekt, scrub! DEATH TO WALLHACK CHEATERS!!!"
xx_momthumper_69420_Xx and 8 others have been permanently banned
xX_momthumber_69420_Xx to himself: "... oops."
Could you do a video explaining how DRM works and why it is so complex to bypass? This could link to online shows, games etc. Might be a good topic for a security video.
Asymmetric keys. Example: there are two keys signed by HP, one is being used in their printers and the second one is being used on their ink cartridges, and they are used to check on each other. If the printer key does not align with the cartridge key, it's an invalid cartridge. And you can't generate those keys since they need to be signed by HP. That's the basics; you can over-engineer this as much as you want to make it invulnerable.
@@kkuriboh Say there should be a code block that should always return a 'true', a number, or anything that makes the program run after the checks. Can't someone just bypass all that? The only way I could think of protecting everything is to actually cipher the program bytes with the key so it's valid when decoded.
@@mystcat3 That's how some software cracks work, but DRM makers like to reduce performance through slow and obfuscated encryption/decryption of game assets, and multiple hidden calls to phone home and other nasty stuff.
Conflicted: I want you to show how bad kernel level anti-cheat is. But I don't want kernel level anti-cheat software to improve. It's such a fundamentally bad idea to have kernel level anti-cheat, period.
@@jpr4232 So, along with the recently banned accounts being reversed, multiple streamers have reported that their _previously_ banned accounts going back several years _(including accounts legitimately banned for cheating)_ have also had access restored out of the blue. Now I'm no programmer, but simple logic tells me that if Activision are unbanning accounts that they _CORRECTLY_ detected cheats on 6, 8, 12 or more months ago, Ricochet is a disaster waiting to happen. And the kicker is that Activision has been proudly pushing back on unfairly banned _paying_ customers for _years_ saying _"there is no such thing as a false perma-ban."_ I suspect that they just don't have the infrastructure built to track & manage ban events with enough granularity to review, isolate & correct errors... ie. Risk Management 101.
Blizzard banned a bunch of Linux users at least once while I worked there, because some Linux dll had the same name as a cheat dll and that's all that was being checked. EDIT: For the Linux apologists that seem to be coming out of the woodwork, yes it was technically a “Wine” DLL, but since that has no use outside of Linux, it’s a DLL that’s used for Linux and the “technicality” doesn’t change the fact that only Linux systems are impacted by that DLL.
Blizzard perma-banned my Overwatch account for cheating except I never cheated. It was an 8-year-old account from day 1 of Overwatch 1's release with thousands of hours on it. I never even had warnings on the account before it was randomly perma-banned. Of course any attempt to reach customer service was met by automated responses. Fuck that company. I had been purchasing Blizzard content for 20 years; now I'll never send them another penny. Worst of all, if I actually WAS a cheater I'd just make a new account because it's f2p; now I simply don't play it anymore.
Accusing someone falsely, and creating a loss, is no small beer. Imagine the same quality of code running at the tax office or your bank. Oh wait, that already is the case...
The fact that a simple string-based exploit caused widespread bans is a huge red flag, and it does raise questions about the robustness of other parts of the system
Was waiting on your take on this. It would have been interesting if whispers or squad messages affected more than the targeted persons and revealed some more shoddy programming.
Same thing happened to PunkBuster back in the day. But back then PB was scanning all of your memory. So people were spamming the signatures into Counter Strike IRC channels and getting people kicked from games…. The more things change, the more they stay the same…
@@bulletflight Yes, I watched a video about it, how the money-grab policy became disgusting to those devs who used to make good games and who sincerely wanted to make good games and not money grabs, so they just went to other companies that are more customer-friendly.
Sounds like another CrowdStrike on the way. @4:30 Hmmmm, maybe they are using a CrowdStrike service with their filter rules to detect the cheats and it's just looking across the whole app's memory space? So they have little control over the scanned range.
PunkBuster used to do kinda something like that, it scanned all memory regions of all running programs, seeking patterns. And then someone found out and posted an offending string to popular IRC channels. Good times.
Back in the day PunkBuster had this same issue. You could send someone a message on any messenger, including IRC, with a memory address. If it was running in the background while they were playing, it would get them busted. This also worked for games that used it with PM systems. The anti-cheat that GunBound and Ragnarok Online had had the same issue, but it was a specific text phrase that got you hit because it was a hard-coded check to make sure the system was working. You could go into the town square in RO and say the phrase. It would lead to everyone, including GMs, getting banned. Finally, EAC had the same thing and it was patched out in around 2017. However, that patch also counted RGB software as cheats. So if you used any RGB software to manage your system, EAC would ban you. This also included Razer and Logitech RGB.
So, what, if anything is stopping anyone from using screen capture and AI to implement software based hardware control and auto-aiming? That never touches the COD memory.
Mainly, how slow AI runs. Except for stuff like YOLO, most image-processing AIs take too long to identify images, so they wouldn't be able to act in time based on the images.
This is already done, but not with "AI". There are mice with firmware-level scripts for spray control, or hardware/firmware-level macros that allow you to do certain things no human could do (superhuman timing, etc.). If done right, those are very hard to detect.
@@user-zz6fk8bc8u that's kind of my point. If ricochet is detecting only cheats that access COD memory, then all anyone needs is a cheat that doesn't do that. I've only ever played CODM, but I quit a few months ago because it's either full of aimbots, or I suddenly sucked in ways that I never sucked before. Either way, it was too frustrating.
Client-side anticheat is rubbish anyway. Never trust the client with anything important. Validate all input server-side, client should be only responsible for rendering images and UI.
@@nordgaren2358 Oh thanks, I didn't think about that. But why would they do such a thing? Getting people banned just speaks to their trustworthiness, and all for nothing.
1) There's an argument for hardware requiring drivers to install something at the kernel level. There is no argument _ever_ for any piece of software to do so. None. 2) Anti-cheat has never worked and will never work. Let users run their own server, force clients into a reliable identifier for online interaction, and let users handle banning bad actors from their own online servers.
The requirements to apply for a job at Activision must be: 1- Ability to dress up in the morning without the help of your parents. 2- Must have a face (that is, to have your picture printed on your badge).
So does it also mean that if someone renames the triggerbot software into cauliflower, then the super advanced, kernel level anti-cheat software cannot recognize it?
So, Ricochet is reading the memory and based on that it can ban you or (I don't know if this is a thing) flag your account. So any injection into the game code, through Ricochet, can only do these two things, let's say? The big trouble is really only if Ricochet's code is compromised. So, the engineers who wrote it may have mapped out their threat factors and, with the comfort of knowing that as long as the Ricochet code can only make two things happen and the development pipeline is secure, a silly harmless bug was introduced. In summary, the engineers took care of everything where a real threat could lie and made a silly omission - or so we can hope.
Now if they're this rudimentary about detecting it, imagine how shoddy the rest of the anticheat must be. Security exploits to gain kernel level access galore!
That's not a bug. It's a breach of privacy everyone saw problematic. Like if any official party did this outside gaming, it would be a huge legal issue. Scanning your computer deeply and permanently banning someone for a word is exactly the dystopia people have wanted to avoid and why the laws about privacy in EU are so tight.
Nothing new here. When I was young and playing Counter-Strike 1.6, which was like a million years ago, there was one anti-cheat program that checked for many hack names in memory. I remember that if I joined a server with a name that matched one of the banned strings, it would instantly ban all the players in the server. It was hilarious, and I would often join servers with a blacklisted hack name just to see everyone get banned immediately :D
Most companies try to do this kind of anticheat. Kernel-level client scanning is literally compromising your privacy and I would uninstall. All game publishers who require usage of such software should disclose it before purchase. On the second note, banning a player wrongly because of software that users have no control over and the game company is fully responsible for should be punished, and if that happened to me I would simply ask for a chargeback, as they banned my account and I lost interest in the game because of that :). Why? Because if it happened once it'll happen again.
The funny thing about an anti-cheat with a high false positive rate is that it might end up being counterproductive. As in, the likelihood that you'll meet a cheater in a lobby goes up because there are fewer legitimate players that haven't been banned.
This reminds me of the Diablo 2 internationalization bug. Back in the day, for some reason Koreans were always trying to grief you: they'd join your game but not respond, or send you a friend request so they could get your location, get a waypoint, then go hostile. You'd give it a few minutes to make sure they were really griefers, then as soon as they were in the dungeon looking for you, you would type all periods into the chat and it would make their client crash. A minute later: "BlizzTroll has disconnected". 😂
Think about this... If you know or have any experience building a Kernel-driver in Windows, you'd know that someone with that skill simply does not make these types of "mistakes".
If the in-game messaging was used to trigger this, then why is the person sending it not likewise banned? The message presumably would also have a footprint in their own PC, likely in the actual game process. Is this some indication there is some logic at play? It strikes me that maybe the reason they do not do anything clever is because they want to generalize the detection across different games; otherwise each game would require a memory map of its running process and the detection software would have to apply logic to those described map regions. If such a map were complex, then the logic becomes complex and adds a performance overhead, which will affect all other processes on the machine. Get them out of the kernel.
Bugs like this are insane as they commit criminal offenses against players. They take their legitimate access away due to extremely bad software design. Those developers should be personally accountable for the financial damage they cause for essentially stealing accounts from innocent players.
Morally speaking it's true, but legally they give you access as they want, because it's written in the TOS that they reserve the right to cut the service at any time... They could even say "I don't like you, without any reason, and I ban you from my game" and it would be legal. Welcome to liberal capitalism.
@@pierrotA Depends on the country you are in. In parts of Europe banning people for something they didn't do is an offense. Unfortunately those offenses have no consequences for the offenders except that they are required to restore access. In the US this might be completely different tho.
Moving certain code, such as anti-cheat systems or EDR software, from kernel mode to user mode can reduce the risk of bugs and vulnerabilities. However, it also exposes that code to greater threats from other user-mode applications. Many EDR tools that operate in user mode, particularly those monitoring API calls, inject a DLL into each process to "hook" specific Windows APIs. This allows the EDR software to inspect the API call's arguments before passing control back to the original Windows API. Although these solutions often include some kernel-level monitoring, the user-mode hooks can frequently be bypassed. Attackers can invoke the original Windows API directly by accessing it through various methods, such as loading the DLL from disk, inspecting the executable's import table, or querying the DLL's export table. This only requires modifying the process's own memory, at most! A similar issue arises with user-mode anti-cheat software. While I don't know much about their mechanisms, if the majority of the protection resides in user mode, it becomes vulnerable to manipulation by external processes, potentially allowing attackers to bypass its safeguards.
@@nordgaren2358 I think anti-cheat code has a bigger argument for why it is in the kernel. In the case of the EDR, the attacker is some user process, but in the case of anti-cheat the attacker is the user controlling the system, who can kill any process or unload any DLL that tries to check for signatures in the game's memory if it was in user mode instead of the kernel.
@@aymensekhri The attacker isn't always just some user process. It wasn't in EternalBlue. Anticheat has less of a reason to be there. EDR has all the reason to be.
I don't know what's stupider: the cheat makers putting TRIGGER BOT in their cheat application to make it obvious to any scanners, or the anti-cheat authors thinking that scanning for that phrase in a game where users can send arbitrary messages to each other would be foolproof.
The question is whether the defense against cheaters is a good enough excuse for having spyware on the computer or not, and also how the anti-cheat corporations collect and share data, and who owns these corporations.
No they’re not. Microsoft is interested in offering sensors that can reduce or remove the need for kernel level access, but they’re not going to block access.
haha anyway if you want to learn to code check out my courses at lowlevel.academy (on sale)
Please do a video on DMA cheats using DMA cards.
Did the banned players from this event get unbanned?
Sounds like the kind of engineers I want running kernel-mode code on my machine. I'll stick with my Doom community projects, thanks.
@@Siim-m8r nice bait
@@Siim-m8r You quite literally have no clue what you’re talking about, kiddo.
Congratulatuons, folks. Enjoy your linux
when you lied on your resume and now you have to make an anticheat program with code you copied from stackoverflow:
My friend Kevin did this one time
That's really funny, because I remembered funny times in Lineage 2 when you could ban LITERALLY THE ENTIRE SERVER by chatting "UOPilot" in the world chat. (UOPilot being the scripting engine that can help you to automate some of the grind). Anticheat of the game saw "UOPilot" in memory of the game's process and instantly banned you.
Funny part here is that it was happening 10-15 years ago.
And here we are, as you said, AAA and AAAA anticheat devs can't evade stepping on the same old rake.
Instantly hearing Kelsey Grammer
People don't learn.
Doesn't have to do with cheating but same stupidity:
Heroes of the Storm didn't have a functioning report system. Toxicity spiraled out of control, it was brutal.
They admitted that they didn't have a functioning report system and then fixed it.
Couple of years later: The exact same thing in Overwatch and the same procedure.
Both from Blizzard btw
Ah good old surveillance -states- games, taking away your freedom to do what you want in exchange for supposed entertainment!
@@iwakureal - Good games make it optional, where if you don't use anti-cheat there's still single player and private servers.
@@iwakureal learned from the best. Ah, the Romans lol😂
Step 1) Make all users agree to TOS including forced arbitration.
Step 2) Make all users give your program kernel level access to their PC.
Step 3) "Forget" some key safety measures that protect your users' personal information and private data.
Step 4) ??????
Step 5) Profit.
Step 4) Spy on users' every activity because KLAC doesn't shut down after user turns off the game.
Step 4) Mine crypto in the background in kernel mode.
Step 6) Lawsuits are now illegal so you never face any consequences for your cybercrime!
What baffles me the most is that CoD has like a 2 decade history of people just throwing verbal abuse and cheating accusations left and right, so the memory region with chat messages would be like the first place to think about when designing an anti-cheat and where to disable its checks, no?
But if there's a region of memory that's safe from scrutiny, wouldn't you design your cheating software to use that region? It's an arms race.
You think that any developers working on CoD have any knowledge of CoD history? They’re all outsourced third party folks
@@Wielkimati Well, no, because to them the chat is a possible vector of attack. What we're seeing here is the big inherent flaw of intrusive external anticheats, there's too many false positives and it's still not an ironclad wall.
The solution is designing the code for security and having the anticheat be part of the code base itself, something as simple as server-side checks. But no one's going to bother with that now, are they?
How is it possible that an anti-cheat tool can permanently ban accounts, robbing people of something they legitimately paid for, based on such a flawed logic (or even total lack thereof)? That isn't just stupid, that is outright criminal. Companies deeming it acceptable to integrate such tools in their product should be held fully responsible.
ToSes are usually like 'we can ban you for any reason and don't have to explain what the reason is'.
@@Patashu And no one reads them or thinks "I don't do anything criminal, that won't hit me anyway."
Like our legal system where there are people who say "We don't need privacy, I don't do anything wrong. they can see what I do." But our system can have flaws same as an anti-cheat and your friend sends you a chat in which president and b0mb occur randomly and some secret service scan puts you on a list.
It's really a consumer rights issue but gamers in general would chop off their own legs if they thought a cheater somewhere was getting banned.
@@Patashu It isn't enforceable in the EU, but the player has to sue.
Have fun risking thousands of eurodollarbucks worth of money and working for dozens of hours out of pure spite.
I just stick to older games now. Modern gaming is a massive joke. "Yeah guys, let's diminish all our privacy and security and hand complete control over to a game's software so that we can play another bottom tier game with 0.0001% less cheaters!"
This. And games 5-10 years ago are running generally butter smooth on today's computer and are dirt cheap. Sounds like a win win win situation to me.
Doubt Activision cares
@@RottenMuLoT fun fact: if you run a modern game where you can blow up a barrel, you can physically feel the heat coming out of your GPU whenever you do so.
The only purpose of many modern games is to just sell microtransactions as well.
An anti-cheat running on kernel mode is a nice way to greatly increase an attack surface.
"There will be no cheaters, if we'll ban all players"
- Activision
P. S. No more likes, 666 is perfect. If you break it, you're a Python developer.
P. S. Foukin python developer, you broke it.
"There will be no acti, if we fuck with the vision"
"the most secure computer is one that's permanently off"
Call of doodie am I right?
"Acti-vate all kill bots, kill all players!" "Game Over!" heh
Someone made it 667 😭😭
They turned the Scunthorpe problem into a method of digital assassination.
Wouldn't have thought to hear about the Scunthorpe problem again ever - feels like so few know it.
10/10. :D
Wow, there is no reason for this kind of language! You could have at least said S****horpe instead!
Thank you! I had to look it up, learn what it was :) I didn't know there was a name for this kind of thing. Some of the examples in Wikipedia are hilarious!
I miss Tom Scott :(
Did you mean digital buttbuttination?
Yeah, that is the same reason I am against kernel level anti cheats. You can't trust specialized security companies like Crowdstrike with kernel access and you can definitely not trust random game companies with access to your kernel, even if it doesn't get used by bad actors it leaves plenty of room for companies wanting money to abuse the access you agreed to to play their game.
So do you run each of your games under its own user and never grant the game's installer elevated privileges without first reverse-engineering it and checking what it does? Kernel level drivers are primarily a security problem, but from a privacy standpoint, it's not a night and day difference unless you go out of your way to manually isolate everything, which no one does. And those who do wouldn't use that PC to play games.
@@hovnocuc4551 no. I just don't play games that act as malware.
@@hovnocuc4551 no, you check what anticheat the game uses (if any, they're not mandatory) and if it runs outside userspace you play something else and don't install it, stop bikeshedding.
@@hovnocuc4551 I have made a quick bash script to start all my games in their own wine instance, while also being isolated. I wish more people did this because it wasn't really that hard to do.
I'm still working on polishing it, but it works well enough for me and my games.
@@hovnocuc4551
The issue isn't that kernel-level anti-cheats can destroy your privacy (although with kernel-level access, they definitely could). It's that they could do stuff that either destabilizes your system or, worse, corrupt your OS in such a way as to brick it, potentially rendering all of your data inaccessible indefinitely.
This is why, if you *HAVE* to write kernel-level code, that you take *EVERY* step to ensure it *NEVER* messes with *ANYTHING* but the data it is *DESIGNED* to handle. And you *DEFINITELY* don't want to allow unauthorized access to this kernel-level code, *that is asking for all the trouble in the universe.*
The moment the text "trigger bot" in game chat was mentioned I was struck with a flashback of some 15 year old discussion where someone theorized that PunkBuster could get people needlessly banned if they simply received the same text strings PB was identifying cheats with in a messaging program.
A more understandable issue when scanning around the whole system, you don't know where some text originated from or if word.exe is legit or cheats.
But when scanning YOUR OWN GAME PROCESS??
That's the one thing in memory they actually have control over...
When I had learned that PunkBuster was doing that, it suddenly made sense to me why PB bans weren't worth anything back in the day, since they were constantly being revoked. This is an embarrassment that companies are still doing this.
it's hilarious as long as no one gets hurt. what people need to realize is that we're one loose pointer away from a crowdstrike level event happening to the pc gaming community
But the PC gaming community isn't as important as infrastructure
@@nordgaren2358 no it's bigger than you think, a lot bigger
He said important
indeed
@@nordgaren2358 Sure but it could still be hundreds of thousands of people getting ID thefted / PCs bricked
This reminds me of tricks that were used back in the dialup days. Send AT commands in hex strings and it'd cause people's modems to do weird stuff, including but not limited to hanging up, waiting a bit, and dialing a different number as specified by the one sending the command.
oh no. i need to know more. *grabs popcorn*
And this is why I don't want kernel level anti cheat on my system.
It would also be a problem if it was game level, it would still ban you because it seems the chat is part of the game. Am I wrong?
@@kevikiru you're not, these people probably didn't watch the video lmao
@@kevikiru it’s not the specific code that is the problem. it is the level of care and attention given to what they put into the kernel.
@@zarakiyt4758 If they made this rookie mistake, what _else_ did they do wrong?
@@kevikiru the "reason" they use a kernel level scan is because if an external process is injecting itself into processes, and then passing on legitimate calls, it's somewhat undetectable by the host process. A game side detection method is easier to bypass. On the other hand, it's also limited to the user space for exploits.
3:26 Bro created an overflow without doing any code
So, it's 'startkeylogger' from the golden IRC age all over again (nod to 'Norton AntiVirus')
The 'security software' industry has an extremely flat learning curve, as it seems.
Essentially they recreated a medieval justice system, where a single accusation from one trusted witness could get you... permabanned.
"Use your player base as a botnet" I'm literally dying 🤣🤣🤣
Users should be able to sue for false bans. This could be a huge loss in wages and reputation which is a big deal these days.
In the EU, they probably can. If they can afford enough lawyering for a lawsuit, and decline any settlement offers.
Activision banned me from playing Modern Warfare using the Battlenet Client 1-2 months ago. Purchased back in 2019
It was a clean installation. No cheat used or something that could modify the game files. I played a few matches and then quit. 5 hours or so later.
I got an email from Activision saying that I was permanently banned. Tried to appeal. Could only type 1000 characters. What a joke.
But was talking to deaf ears and got the final email stating, that the decision was final. Their "security team" had reviewed my case.
They have reviewed shit and nothing.
Is the first time I have got banned for just playing the game, just as anyone else does.
The matches I played were also normal, and nothing abnormal with them.
I will never buy another Call of Duty title after this. 60 dollars lost and a lost game.
Still to this day, I have received no unban and no justice. Trust me, if I did something shady, I will own it and move on. But this is just pathetic from Activision.
I'm 100% sure I'm not the only victim, and we most likely will go unnoticed.
I hope everyone thinks twice before purchasing another Call of Duty title. You don't think it can happen to you, but it can.
All I can do now, is to never buy another activision title, and stay away from their anti cheat.
You aren't alone. It's the most idiotic "anti-cheat" and handling of appeals for unjustified bans that I've ever seen. Money down the drain and a permanent mark on the account 4 years ago. Neither Activision nor any other company associated with Activision will get my support ever again.
Class action lawsuit
tbf cod is such a slop you shouldn't be buying it even w/o this anti-cheat fiasco
Techno feudalism this is. Yes mi-lord. Thank you mi-lord.
In those 100 characters, you should have messaged them "Nice Trigger Bot dude!" to crash their banning network. lol
what's even the point of it running at kernel level if it's just reading the game's memory to look for signatures and not checking if another process is doing something??? genuine question
It's another one of those development cost issues. Examining a process and determining what it's doing is likely a complex software problem. On the other hand, it's cheap and easy to just scan everything for a signature hit and double down on cheating allegations because the software is law. There were various ways to hide a process on older versions of windows and newer versions have isolation modes, so my guess is they're simply using kernel mode to get around those limitations.
Not sure how Ricochet works, but from what I know, a core part of Anti-Cheat software is to check all input sources to make sure a user isn’t using, for example, a joystick while pretending to play with a Keyboard and Mouse, or prevent unsigned drivers from being used in the game.
It also needs to monitor system calls to check for weird behavior.
>allows remote kernel level triggering
"It's perfectly safe guys"
Makes me wonder what Ricochet's K/D ratio is...
@@makebreakrepeat It's 0 now. They unbanned everyone that has ever been banned.
It's funny that Valve gets hated for being one of the few developers that are actively against kernel-level anti-cheats. They are simply thinking ahead of everybody else with their AI model concept as a server-sided anti-cheat
Stop paying for software that the publisher can take away from you. Simple.
Developers: *Keep putting invasive kernel-level anti-cheat in their games.*
Us players: _"How many times do we have to teach you this lesson old men!?"_
without even trying, no less.
If it didn't differentiate memory at all then it should also be possible to get banned just by typing it to send it to another player.
Lol
That's not how it works. The message isn't stored within COD memory while you're typing it out, it's stored in a separate string buffer which is then directly sent to the recipient.
@@themichaelconnor42 So you can't see what you typed yourself after you sent it?
Yea, but the people sending these messages probably have bypassed the anticheat on their end.
@@karlp2277 I don't think we got the full story on how it's being done. For example it says "send a friend request or..." How will sending a friend request get anyone banned?
Love to see everyone adopting the Pirate Software MS paint meta
The scariest part about all this to me is how easy it's been in some games in the past for cheat devs to find ways to inject data into /other players'/ games, not just through chat. Look at the pro players who had literal aim-hacks forced onto them remotely by a known hacker during a major tournament for APEX Legends like half a year ago. That kind of vulnerability happening in a game with kernel anti cheat could cause cheat devs to build features that target ban other players by causing them to appear to have certain strings like this inside their memory beyond the "expected" places like chat, even if the kernel anti cheat was /correctly/ scanning and didn't have the bug featured in this video.
A similar thing happened with Vanguard way back when it was first introduced. You could send an image in a discord chat appended with a known detected cheat vector at the end of the image data, and anybody who viewed the image while Vanguard was installed would get flagged and banned since it would just indiscriminately scan memory. Great times
What I find most offensive about this, is that they asked for kernel level access to do CTRL+F. I’d expect a higher sophistication from a Kernel Anti-Cheat than this naive approach to perma banning.
Not saying they shouldn’t have these checks, but their method shows immaturity. Any cheat could easily avoid the words or obfuscate them.
@@Bry4nMW there is likely more than one check, targeted at different "audiences"
Dang, this is like the tiananmen square copypasta for everyone else. Hilarious.
Very dumb way to check cheats, what a company. Disgusting. That's why anticheat is not working.
Signature based detection is cheap, fast and easy. It will always be part of detection system.
@@MiesvanderLippe What signature?
I have an idea for them, ban if there is string 'WALLHACK' in memory.
Windows is not Android.
For a modded APK app, yes, the signature is changed.
In Windows the game is still original and cheat tools inject without modding the game installer.
@@alexandergabadze2361
xX_momthumper_69420_Xx sent you a message: *"WALLHACK CHEATER KYS!!!"*
alexandergabadze2361 has been permanently banned
xX_momthumber_69420_Xx to rest of game: "Git rekt, scrub! DEATH TO WALLHACK CHEATERS!!!"
xx_momthumper_69420_Xx and 8 others have been permanently banned
xX_momthumber_69420_Xx to himself: "... oops."
Crowdstrike flavoured kernel monitoring
Could you do a video explaining how DRM works and why it is so complex to bypass? This could link to online shows, games etc.
Might be a good topic for a security video.
asymmetric keys.
example, there are two keys signed by HP, one is being used in their printers and the second one is being used on their ink cartridges and they are used to check on each other. if the printer key does not align with the cartridge key, it's an invalid cartridge. and you can't generate those keys since they need to be signed by HP.
that's the basics, you can over-engineer this as much as you want to make it invulnerable.
@@kkuriboh Say, there should be a code block that should always return a 'true', a number, or anything that makes the program run after the checks
Can't someone just, bypass all that?
The only way I could think of protecting everything is to actually cypher the program bytes with the key so it's valid when decoded
@@mystcat3 That's how some software cracks work, but DRM makers like to reduce performance through slow and obfuscated encryption/decryption of game assets, and multiple hidden calls to phone home and other nasty stuff.
3:11 dude get some ad blocker 🤦♂️
incredible cut at 2:09
Conflicted: I want you to show how bad kernel level anti-cheat is. But I don't want kernel level anti-cheat software to improve. It's such a fundamentally bad idea to have kernel level anti-cheat, period.
What happened to the banned players? How do you rectify an anti-cheat doing its job wrong?
Sometimes manually by hand unfortunately.
they have to appeal and have a person review it and HOPE they get unbanned
DELETE from bannedtbl WHERE date > (when bug was introduced);
@@jpr4232 So, along with the recently banned accounts being reversed, multiple streamers have reported that their _previously_ banned accounts going back several years _(including accounts legitimately banned for cheating)_ have also had access restored out of the blue.
Now I'm no programmer, but simple logic tells me that if Activision are unbanning accounts that they _CORRECTLY_ detected cheats on 6, 8, 12 or more months ago, Ricochet is a disaster waiting to happen.
And the kicker is that Activision has been proudly pushing back on unfairly banned _paying_ customers for _years_ saying _"there is no such thing as a false perma-ban."_ I suspect that they just don't have the infrastructure built to track & manage ban events with enough granularity to review, isolate & correct errors... ie. Risk Management 101.
the Genshin Impact anticheat driver was used to distribute malware. It was used to disable the antivirus, but who knows how else this could be used.
So an anti-cheat engine named "Ricochet" backfired? Oh, the irony.
That is a beginner mistake or lazy coding, the devs need to be ashamed about that mistake 😒
As a colorblind person, I feel like I'm back at university when you put green, red, and yellow text all on the same document.
It's better to ban 100 innocent players rather than let 1 cheater go unpunished -activision probably 😂
Blizzard banned a bunch of Linux users at least once while I worked there, because some Linux dll had the same name as a cheat dll and that's all that was being checked.
EDIT: For the Linux apologists that seem to be coming out of the woodwork, yes it was technically a “Wine” DLL, but since that has no use outside of Linux, it’s a DLL that’s used for Linux and the “technicality” doesn’t change the fact that only Linux systems are impacted by that DLL.
@@Ilix42 Linux doesn't use DLLs.
Must've been too cold of a blizzard for the penguins
Blizzard perma banned my overwatch account for cheating except I never cheated. It was an 8 year old account that was from day 1 of overwatch 1 release with thousands of hours on it. I never even had warnings on the account before it was randomly permabanned. Of course any attempt to reach customer service was met by automated responses. Fuck that company. I had been purchasing blizzard content for 20 years, now I'll never send them another penny. Worst of all if I actually WAS a cheater I'd just make a new account because it's f2p, now I simply don't play it anymore.
@@eeroi6118 maybe they meant a wine dll?
@@adamruck Do you still play the game though?
Accusing some one falsely, and creating a loss is no small beer. Imagine the same quality of code running at the tax office or your bank. Oh wait, that already is the case...
The fact that a simple string-based exploit caused widespread bans is a huge red flag, and it does raise questions about the robustness of other parts of the system
was waiting on your take on this. would have been interesting if whispers or squad messages affected more than the targeted persons and reveal some more shoddy programming
Same thing happened to PunkBuster back in the day. But back then PB was scanning all of your memory. So people were spamming the signatures into Counter Strike IRC channels and getting people kicked from games….
The more things change, the more they stay the same…
Activision back in the day: makes banger games
Activision now: fails in basic software architecture design due to sheer, unadulterated laziness
The good developers with 20 years of experience have been headhunted by consulting companies. They've been left with the interns and fresh graduates.
@@bulletflight Yes, I watched a video about how the money-grab policy became disgusting to those devs who used to make good games and who sincerely wanted to make good games and not money grabs, so they just went to other companies that are more customer friendly.
Sounds like another Crowdstrike on the way.
@4:30 Hmmmm maybe they are using a Crowdstrike service with their filter rules to detect the cheats and it's just looking across the whole app's memory space?
So they have little control over the scanned range.
Oh yes!
PunkBuster used to do kinda something like that, it scanned all memory regions of all running programs, seeking patterns. And then someone found out and posted an offending string to popular IRC channels. Good times.
Back in the day PunkBuster had this same issue. You could send someone a message on any messenger, including IRC, with a memory address. If it was running in the background while they were playing it would get them busted. This also worked for games that used it with PM systems.
The anti cheat that Gunbound and Ragnarok Online used had the same issue, but it was a specific text phrase that got you hit because it was a hard coded check to make sure the system was working. You could go into town square in RO and say the phrase. It would lead to everyone, including GMs, getting banned.
Finally EAC had the same thing and was patched out in around 2017. However, that patch also counted RGB software as cheats. So if you used any RGB software to manage your system EAC would ban you. This also included Razer and Logitech RGB.
kernel anti-cheat is largely to prevent people from reskinning locally cause they charge for skins as mtx lol
So, what, if anything is stopping anyone from using screen capture and AI to implement software based hardware control and auto-aiming? That never touches the COD memory.
Mainly, how slow AI runs
Except stuff like YOLO, most image processing AIs take too long to identify images, so they wouldn't be able to act in time based on the images
Already happened
This is already done but not with "AI". There are mice with firmware level scripts for spray control, or hardware/firmware level macros that allow you to do certain things no humans could do (super human timing, etc.) If done right those are very hard to detect.
@@user-zz6fk8bc8u that's kind of my point. If ricochet is detecting only cheats that access COD memory, then all anyone needs is a cheat that doesn't do that.
I've only ever played CODM, but I quit a few months ago because it's either full of aimbots, or I suddenly sucked in ways that I never sucked before. Either way, it was too frustrating.
Client-side anticheat is rubbish anyway. Never trust the client with anything important. Validate all input server-side, client should be only responsible for rendering images and UI.
Not the first time this has happened. PunkBuster fell victim too many years ago (early CoD and other games) , plain text or hex
it's (or was i guess) funny how a malware that runs in Kernel mode got destroyed by an exploit
comparing to colors is quite a clever way to explain this to a layman
The security of your computer is more important than the sanctity of your game.
Great video Mr. Learning.
Wouldn't they both get banned? Just wondering
Not if you're running a bypass for the anticheat on your side.
@@nordgaren2358 oh thanks i didn't think about that. but why would they do such a thing getting people banned just speaks on their trustworthiness, and all for nothing.
1) There's an argument for hardware requiring drivers to install something at the kernel level. There is no argument _ever_ for any piece of software to do so. None.
2) Anti-cheat has never worked and will never work. Let users run their own server, force clients into a reliable identifier for online interaction, and let users handle banning bad actors from their own online servers.
This video is great. Hope you do more gaming content like this.
it's a feature, it's a chatbot that if you mention cheating, everyone gets banned 😂
That's actually so funny, every day I'm more shocked at how these big companies fall into these stupid mistakes
The requirement to apply for a job at Activision must be; 1- Ability to dress up in the morning without the help of your parents 2-Must be having a face (that is to have your picture printed on your badge)
I use sponsor block and it flagged your mention of the Ford f150 as an ad read 😂😂😂
HA
@@portobellomushroom5764 SponsorBlock doesn't flag anything itself, the segments are user-created.
My guy reppin lil rhody. Big ups!
So does it also mean that if someone renames the triggerbot software into cauliflower, then the super advanced, kernel level anti-cheat software cannot recognize it?
So, Ricochet is reading the memory and based on that it can ban you or (I don't know if this is a thing) flag your account. So any injection in the game code, through Ricochet, can only do these two things let's say?
The big trouble is really only if ricochet code is compromised. So, the engineers who wrote it may have mapped out their threat factors and with the comfort of knowing that as long as the Ricochet code can only make two things happen, and the development pipeline is secure, a silly harmless bug was introduced.
In summary, the engineers took care of everything where a real threat could lie and made a silly omission - or so we can hope.
Now if they're this rudimentary about detecting it, imagine how shoddy the rest of the anticheat must be. Security exploits to gain kernel level access galore!
I appreciate the irony of an anti-cheat system named Ricochet getting the wrong target.
Imagine setting your name to triggerbot 😂 and ban every lobby you join ... i guess you would be banned first though 😅
That's not a bug. It's a breach of privacy everyone saw problematic. Like if any official party did this outside gaming, it would be a huge legal issue. Scanning your computer deeply and permanently banning someone for a word is exactly the dystopia people have wanted to avoid and why the laws about privacy in EU are so tight.
Nothing new here. When I was young and playing Counter-Strike 1.6, which was like a million years ago, there was one anti-cheat program that checked for many hack names in the memory. I remember that if I joined a server with a name that matched one of the banned strings, it would instantly ban all the players in the server. It was hilarious, and I would often join servers with a blacklisted hack name just to see everyone get banned immediately :D
1:37 - "You need this level of access" - uh, no, you don't, that's an easy way out and a never-ending battle at the _wrong battlefront_
Can we talk about how smooth that twitch ad for his channel was
Most companies try to do this kind of anticheat, kernel level client scanning is literally compromising your privacy and I would uninstall. All game publishers who require usage of such software should disclose it before purchase. On the second note, banning a player wrongly because of software that users have no control over and the game company is fully responsible for should be punished, and if that happened to me I would simply ask for a chargeback as they banned my account and I lost interest in the game because of that :). Why? Because if it happened once it'll happen again
This is objectively funny
4:35 a teeny-tiny correction: a triggerbot is a type of cheat that only automates the shooting action, but not the aiming
The funny thing about an anti-cheat with a high false positive rate is that it might end up being counterproductive. As in, the likelihood that you'll meet a cheater in a lobby goes up because there are less legitimate players that haven't been banned.
I wish we've had this back when the screaming-14-year-old stereotype was far more common. It'd be so much easier to just clear them out XD
“Ricochet” more like deflecting the ban bullets
This is kind of stuff you get in end-game enshittification
This reminds me of the Diablo 2 internationalization bug. Back in the day for some reason Koreans were always trying to grief you, they'd join your game but not respond, or send you a friend request so they could get your location, get a waypoint, then go hostile.
You'd give it a few minutes to make sure they were really griefers, then as soon as they were in the dungeon looking for you, you would type all periods into the chat and it would make their client crash. A minute later "BlizzTroll has disconnected". 😂
Think about this...
If you know or have any experience building a Kernel-driver in Windows, you'd know that someone with that skill simply does not make these types of "mistakes".
If the in game messaging was used to trigger this, then why is the person sending it not likewise banned? The message presumably would also have a footprint in their own PC, likely in the actual game process. Is this some indication there is some logic at play?
It strikes me that maybe the reason they do not do anything clever is because they want to generalize the detection across different games, otherwise each game would require a memory map of its running process and the detection software would have to apply logic to those described map regions. If such a map were complex then the logic becomes complex and adds a performance overhead, which will affect all other processes on the machine.
Get them out the kernel.
Bugs like this are insane as they commit criminal offenses against players. They take their legitimate access away due to extremely bad software design. Those developers should be personally accountable for the financial damage they cause for essentially stealing accounts from innocent players.
Morally speaking it's true, but legally they give you access as they want, because it's written in the TOS that they reserve the right to cut the service at any time...
They could even say "I don't like you without any reason and I ban you from my game" and it would be legal.
Welcome to liberal capitalism.
@@pierrotA Depends on the country you are in. In parts of Europe banning people for something they didn't do is an offense. Unfortunately those offenses have no consequences for the offenders except that they are required to restore access. In the US this might be completely different though.
would be fun to pwn all kernel mode anti cheats, and troll them til they give up their scummy practices
The best part about this is they could just exclude certain parts of memory when scanning for strings like this.
I don't think it's as easy as that. The memory locations probably change constantly.
@@davidt01 that's completely normal. That's not hard to deal with at all, especially if you have access to PDBs and source code.
Moving certain code, such as anti-cheat systems or EDR software, from kernel mode to user mode can reduce the risk of bugs and vulnerabilities. However, it also exposes that code to greater threats from other user-mode applications. Many EDR tools that operate in user mode, particularly those monitoring API calls, inject a DLL into each process to "hook" specific Windows APIs. This allows the EDR software to inspect the API call's arguments before passing control back to the original Windows API. Although these solutions often include some kernel-level monitoring, the user-mode hooks can frequently be bypassed. Attackers can invoke the original Windows API directly by accessing it through various methods, such as loading the DLL from disk, inspecting the executable's import table, or querying the DLL's export table. This only requires modifying the process's own memory, at most!
A similar issue arises with user-mode anti-cheat software. While I don't know much about their mechanisms, if the majority of the protection resides in user mode, it becomes vulnerable to manipulation by external processes, potentially allowing attackers to bypass its safeguards.
I think EDRs have a valid reason to run in the kernel. Anti-cheats do not.
@@nordgaren2358 I think anti-cheat code has a bigger argument for why it is in the kernel. In the case of the EDR, the attacker is some user process, but in the case of anti-cheat the attacker is the user controlling the system, who can kill any process or unload any DLL that tries to check for signatures in the game's memory if it was in user mode instead of the kernel.
@@aymensekhri the attacker isn't always just some user process. It wasn't in Eternal Blue. Anticheat has less of a reason to be there. EDR has all the reason to be.
Scanning memory is the lazy way of doing anticheat. Validate all user inputs server-side. Do not trust the client, the client is an unreliable liar.
@@bulletflight it's not the lazy way. Memory scanning is a valuable technique.
The anti cheat really be like:
If memory strings contains (cheat | hack) then: ban player
I don't know what's stupider: the cheat makers putting TRIGGER BOT in their cheat application to make it obvious to any scanners, or the anti-cheat authors thinking scanning for that phrase in a game where users can send arbitrary messages to each other would be foolproof.
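The two comments above (excluding parts of memory from the scan, and a plain-text signature showing up in a chat buffer) describe the same failure mode. The following is an added example written for this page, not code from the video, the anti-cheat, or any cheat: a toy model of a signature scanner run over a constructed process layout. The region names, the "TRIGGER BOT" signature list, the chat text and the cheat-module string are all made up for the demonstration; the image-vs-private region split loosely mirrors what VirtualQuery reports, but nothing here touches a live process.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example: toy model of signature scanning over a process's memory.
   Everything below is constructed for illustration; it is not a real game,
   anti-cheat, or cheat. */

typedef enum { REGION_IMAGE, REGION_PRIVATE } region_type;

typedef struct {
    const char *name;            /* label for printing only */
    region_type type;            /* image-backed mapping vs. private (heap/stack) memory */
    int game_owned;              /* 1 if the scanner's map of the game says this mapping is the game's own */
    const unsigned char *data;
    size_t len;
} region;

/* Hypothetical signature list, chosen to mirror the thread. */
static const char *const signatures[] = { "TRIGGER BOT", "aimbot" };
#define NSIG (sizeof signatures / sizeof signatures[0])

/* Constructed contents. The "code" bytes are arbitrary filler. */
static const unsigned char game_text[]   = { 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20, 0xc3 };
static const unsigned char chat_heap[]   = "[Team] Xx_Player_xX: lol nice TRIGGER BOT bro";
static const unsigned char cheat_rdata[] = "TRIGGER BOT v2.1  press F6 to toggle";

static const region sample_layout[] = {
    { "game.exe .text",       REGION_IMAGE,   1, game_text,   sizeof game_text },
    { "game.exe heap (chat)", REGION_PRIVATE, 1, chat_heap,   sizeof chat_heap - 1 },
    { "inject.dll .rdata",    REGION_IMAGE,   0, cheat_rdata, sizeof cheat_rdata - 1 },
};
#define NREGIONS (sizeof sample_layout / sizeof sample_layout[0])

/* Portable substring search over a byte buffer (memmem is not standard C). */
static int contains(const unsigned char *buf, size_t len, const char *needle) {
    size_t n = strlen(needle);
    if (n == 0 || n > len) return 0;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0) return 1;
    return 0;
}

static int region_has_signature(const region *r) {
    for (size_t s = 0; s < NSIG; s++)
        if (contains(r->data, r->len, signatures[s])) return 1;
    return 0;
}

/* Policy 1: scan every byte of every region. Anything a player can type
   into chat ends up in a heap buffer and is scanned like everything else. */
static int policy_naive(const region *r) { (void)r; return 1; }

/* Policy 2: scan only image-backed mappings the game's own module map does
   not account for. Private memory (heaps, stacks), where chat text lands, is
   never scanned, so the result does not depend on where the chat buffer
   happens to be allocated this run. */
static int policy_filtered(const region *r) {
    return r->type == REGION_IMAGE && !r->game_owned;
}

/* Runs a policy over the layout; returns the number of regions flagged and
   writes up to `max` of their names into `flagged`. */
static int scan(int (*policy)(const region *), const char **flagged, size_t max) {
    int hits = 0;
    for (size_t i = 0; i < NREGIONS; i++) {
        const region *r = &sample_layout[i];
        if (!policy(r) || !region_has_signature(r)) continue;
        if ((size_t)hits < max) flagged[hits] = r->name;
        hits++;
    }
    return hits;
}

int naive_hits(void)    { const char *f[NREGIONS]; return scan(policy_naive,    f, NREGIONS); }
int filtered_hits(void) { const char *f[NREGIONS]; return scan(policy_filtered, f, NREGIONS); }

const char *filtered_first_flagged(void) {
    const char *f[NREGIONS];
    return scan(policy_filtered, f, NREGIONS) > 0 ? f[0] : NULL;
}

int main(void) {
    const char *flagged[NREGIONS];
    int n = scan(policy_naive, flagged, NREGIONS);
    printf("naive scan flagged %d region(s):\n", n);
    for (int i = 0; i < n; i++) printf("  %s\n", flagged[i]);
    n = scan(policy_filtered, flagged, NREGIONS);
    printf("filtered scan flagged %d region(s):\n", n);
    for (int i = 0; i < n; i++) printf("  %s\n", flagged[i]);
    return 0;
}
```

The naive policy flags both the chat buffer and the injected module, which is exactly the false positive the thread is about; the filtered policy flags only the foreign image mapping. The filter keys on region type and on whether the mapping is in the scanner's map of the game's own modules, not on addresses, so the objection that memory locations move around does not apply to it.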
You know, now that I think about it, the companies should pay us for doing our own security checks.
These electricity bills ain't paying themselves.
shouldn't that also result in a permaban of the person who sent the message? it would be in their system's memory as well.
How come the person sending the message doesn't get the same issue?
The question is that the defense against cheaters is a good enough excuse having a spyware on the computer or not, and also how the anti-cheat corporations collect and share data, and who owns these corporations.
Well Microsoft is going to be limiting or eliminating kernel-mode code, so anti-cheat software is going to have to come up with new methods.
No they’re not. Microsoft is interested in offering sensors that can reduce or remove the need for kernel level access, but they’re not going to block access.
I am more puzzled by the logic of banning variable strings and names rather than the exploit itself.
I think same exact thing is in GTAO with their new anticheat. People typed in chat something like "Invincible Vehicle" or "Godmode" and game hangs 😂