How gaming cheats pay off below the operating system


Cheating has been around since the dawn of electronic gaming, dating back to 1981. Players have always wanted to take advantage of shortcuts or tools to complete a game faster or gain an advantage over other players. However much “gaming cheats” have evolved, the motivation has always remained the same: people like to make things easy, and they prefer not to get caught.

Since the humble days of the Commodore 64, gaming has grown into a multi-billion dollar industry with mega brand names and live broadcasting of eSports events. These events are so widespread that it has become common to see online betting and gambling at eSports tournaments and events.

Additionally, online gaming has evolved into an entirely new business model in recent years, based on in-game microtransactions. In this model, players can purchase in-game items or exclusive in-game access rights with real dollars. World of Warcraft is a classic example: players could spend a lot of time gathering and mining resources, or they could simply buy in-game currency with real money, which gave rise to an entire industry of “gold farming.” Microtransactions allowed game developers to establish ongoing revenue streams from games that players are initially allowed to play for free, and the model has since spread to all types of games.

And as gaming has become more competitive and in-game features more valuable, the value of cheating has also increased. This has made anti-cheating its own business and started a back-and-forth “war” between cheat creators and game developers. Over the years, the industry has seen iterative advances in offensive and defensive techniques on both sides of the “trench”.

The connection to computer security

As both sides have progressed, cheat developers have been forced to find new and creative ways to hide their code from anti-cheat engines. In fact, in some games the anti-cheat engines are more complex and powerful than protections such as antivirus that defend more traditional applications. This is because games have stricter requirements: any manipulation of game data, such as changing player stats, health or inventory, can fundamentally change the game.

Oddly enough, the high privileges and deep operating-system access of these anti-cheat engines have made them a target for attackers. Just in the last few weeks, researchers have uncovered ransomware operators abusing a vulnerable anti-cheat driver from the popular game Genshin Impact. In this case, the attackers were able to use the anti-cheat driver to disable antivirus services on a compromised host.

It has also been known for years that the cheat community is often at the forefront of security, discovering workarounds and new exploit techniques long before they are publicized as a cybersecurity threat or concern. In addition, gaming cheats bring a lot of reward with a fraction of the risk: they can be very profitable without bearing the same risk as more offensive security scenarios like using malware. Simply put, there is a lot of money in gaming, and cheating is far more legal than cybercrime.

Another interesting feature of cheats is that the cheater often hacks their own device. In multiplayer games, there are two main classes of devices that can be attacked: the server that runs the game and coordinates between all clients, and the clients themselves. Some types of cheats may require hacking the server, but this is generally more difficult, and the server is probably better protected than the client software. When the goal is victory, there are many benefits for the player in targeting their own computer, on which the client software is running. Because the player is usually the legitimate owner of the client device, they often have the privileges to disable various security controls. Unlike a traditional malware threat, which often needs to escalate privileges without being seen by a user, cheaters typically have full control over their devices. And in online multiplayer games, important data is often delivered to the client, where a cheating player can easily manipulate it. To reduce game lag due to network traffic and server-side processing, games often send data to the client that shouldn’t be visible to the player. This gives an advantage to players who can see or otherwise use this secret information that other players do not have access to.

Cheats take up the fight below the operating system

In the gaming world, cheaters are most commonly known as “hackers,” a nickname for those who “use hacks” rather than those who actually “hack.” In the cybersecurity world, “hackers” are those who create and use hacks, and those who simply use tools are referred to as “script kiddies” or “skids.”

But regardless of the terminology, cheaters are constantly trying to trick the operating system. This makes sense, since the operating system is responsible both for running the game and for all anti-cheat technologies. A common technique is for cheat tools to use a known vulnerable Windows driver to gain read/write access to game memory and modify it. For example, the three-year-old kdmapper tool exploits a vulnerable Intel driver, iqvw64e.sys, which is included with the Intel LAN drivers and provides the ability to copy, read and write user/kernel memory, map physical memory and perform virtual-to-physical address translation. To achieve actual code execution, the method described here can be used to run shellcode.

Example of a vulnerable driver that cheaters can use to read and write memory.

And here it gets even more interesting. Since the goal is to read and modify data while bypassing protections, we’ve seen an increase in gaming cheats that live beneath the operating system and use UEFI firmware as a base of operations. Because the firmware is more privileged than the operating system, some creative developers and researchers have created ways to introduce a bypass before the operating system loads, such as ways to spoof hardware IDs. This allows cheaters to avoid the consequences of a ban if they are caught: spoofing certain hard-to-forge hardware properties tricks the game into allowing them to create a new account on the same banned computer.

These UEFI-based tools/cheats allow a computer owner to change the flow of the boot process by inserting the tools in the middle of it. Normally, Secure Boot is designed to prevent such boot tampering, but since the “attacker” in this case is the computer owner/user, they can simply turn off Secure Boot and run the code.

In recent years, game developers have increasingly tried to ensure that client devices are properly using various protection and security features. For example, developers are increasingly checking that Secure Boot is enabled and that the system has a Trusted Platform Module (TPM) before the game can be played. This, in turn, necessitated a new type of cheat that can make it appear that Secure Boot is properly enabled when it isn’t. And once again, since the goal is to lie to the operating system, UEFI proved to be an ideal place to fake the presence of Secure Boot.
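As an added illustration (not code from the original post or from any anti-cheat vendor), here is the kind of Secure Boot check a client-side program can perform on Linux: it parses the SecureBoot and SetupMode UEFI variables that the firmware exposes through efivars. The sample variable blobs are constructed for the example, and the function and constant names are assumptions. Every byte the check consumes is supplied by the firmware, which is exactly the layer a UEFI-resident cheat controls, so the result is only as trustworthy as the boot chain beneath it.

```python
import struct
from pathlib import Path
from typing import Optional
# EFI global variable GUID; efivars exposes each variable as "<Name>-<GUID>".
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = Path("/sys/firmware/efi/efivars")
# Attribute bits from the UEFI spec; efivars stores them as a 4-byte LE prefix.
EFI_VARIABLE_NON_VOLATILE = 0x1
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x2
EFI_VARIABLE_RUNTIME_ACCESS = 0x4
ATTR_MASK = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS
ATTR_EXPECTED = EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS  # volatile BS+RT

def parse_efivar(raw: bytes) -> tuple:
    """Split an efivars blob into (attributes, data); raises on a truncated blob."""
    if len(raw) < 4:
        raise ValueError("efivar blob shorter than its 4-byte attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]

def secure_boot_state(secure_boot_raw: Optional[bytes], setup_mode_raw: Optional[bytes]) -> str:
    """Classify boot policy: "enabled", "disabled", "setup-mode" or "unknown".

    Every byte inspected here is reported by the firmware itself, so code that
    runs in UEFI before the OS can return whatever answer the check wants to see.
    """
    if secure_boot_raw is None or setup_mode_raw is None:
        return "unknown"  # legacy BIOS boot, or the variables are absent
    sb_attrs, sb = parse_efivar(secure_boot_raw)
    sm_attrs, sm = parse_efivar(setup_mode_raw)
    # Per spec both are volatile BS+RT one-byte variables; anything else is suspect.
    bad_attrs = any((a & ATTR_MASK) != ATTR_EXPECTED for a in (sb_attrs, sm_attrs))
    if bad_attrs or len(sb) != 1 or len(sm) != 1:
        return "unknown"
    if sm[0] == 1:
        return "setup-mode"  # key enrollment is open and signatures are not enforced
    return "enabled" if sb[0] == 1 else "disabled"

def read_live_state() -> str:
    """Read the real variables on a Linux UEFI system ("unknown" anywhere else)."""
    def load(name: str) -> Optional[bytes]:
        path = EFIVARS_DIR / f"{name}-{EFI_GLOBAL_GUID}"
        return path.read_bytes() if path.exists() else None
    return secure_boot_state(load("SecureBoot"), load("SetupMode"))

# Constructed sample blobs: attribute word 0x6 (BS|RT) followed by the 1-byte value.
SAMPLE_ENABLED = (b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00")
SAMPLE_DISABLED = (b"\x06\x00\x00\x00\x00", b"\x06\x00\x00\x00\x00")
SAMPLE_SETUP_MODE = (b"\x06\x00\x00\x00\x00", b"\x06\x00\x00\x00\x01")
```

A check like this is a useful baseline, but on its own it proves only what the firmware says; tying the result to TPM-backed measurements of the boot chain is what makes a firmware-level lie detectable.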

Where do we go from here

This leads to an incredibly interesting intersection between gaming and cybersecurity. Malicious hackers, from the most sophisticated state-backed attackers to the most common malware and ransomware groups, have turned to UEFI and firmware to subvert a system’s operating system and security controls. Firmware and security below the operating system is a really deep topic and an active area of research. If you want to learn more, we recommend checking out some of the latest research on the Eclypsium blog.

Gaming cheats have done many of the same things as attackers, and for many of the same reasons. However, the cheating scenario presents some unique challenges, as the “attacker” is also the legitimate user/owner of the system. Instead of attempting to prevent external attackers from taking control of the boot process and executing pre-OS code, anti-cheat technologies must do so when the “attacker” has complete and legal control over the device itself.

It also creates the potential for cross-pollination between game cheats and cyber threats. Will cheaters lead the way by discovering new security bypass techniques? Or will cheaters dip into the malware arsenal and use its exploits and techniques as a lower-risk application of malicious code? One thing is certain: this will be an intriguing area to keep an eye on in the future.
