Beth Domon - Twitch Partner

Hello Everyone, In a previous life, I used to do offensive and defensive anti-cheat research professionally, and one thing I’d like to say is that this game is doing the absolute bare minimum to secure and protect itself against cheaters. To give the team some credit, combating cheating is extremely difficult because cheat developers are constantly adapting (especially with AI) and testing new methods faster than most of these developers can realistically respond to. I’m going to outline what the anti-cheat team does right and what they do wrong, and then let you come to your own conclusions about the overall state of the game’s anti-cheat efforts. Vocabulary: - DLL: This term will be used heavily, and it refers to a piece of software that is injected into a process (for ex. Marvel Rivals) and is capable of executing arbitrary code within the game process. This allows cheaters to modify or manipulate different parts of the game in order to gain an unfair advantage (f.ex reading from or writing to the game state). - DLL Sideloading // hijacking: Replacing a legitimate DLL that the game uses with a malicious DLL that allows an actor to execute arbitrary code within the game process while masquerading as the legitimate DLL. - XIM: A cheating device primarily used on consoles to for example mask a keyboard and mouse as a controller allowing malicious actors to essentially have aim-assist, and run a ton of other scripts that give malicious actors to gain a competitive edge over players - Function Hooking: This allows a malicious user to redirect how the code normally works, giving them control over how the program behaves and letting them change the result of certain functions. What they do right: - Sending telemetry from the game process to the anti-cheat backend server, even without the kernel anti-cheat running, to determine whether a game session appears legitimate or illegitimate (cheating). What they do wrong: - The Kernel Anti-Cheat component is pretty useless. It’s really only meant to serve a few purposes (it does a bit more, but these are the main components you should actually care about), and the entire system becomes redundant when you can simply disable the kernel component. The first purpose is acting as a preventative measure against DLL injection, which it does a poor job at because you can use DLL Sideloading and the game will blindly accept illegitimate DLLs and inject them into the game process. Another purpose is sending telemetry to the anti-cheat backend, which collects data about the process and scans for cheat signatures, abnormal process conditions, and unauthorized modifications. The Kernel Anti-Cheat probably does more than that, but it becomes pretty useless when you can just disable the kernel anti-cheat component entirely. - There have been claims that if you run a certain command line argument it completely disables the anti-cheat, but this is only partially false. It disables the kernel anti-cheat component, but it does not disable the anti-cheat that lives inside the game process, “QSec.” QSec is another anti-cheat component inside the game process, and it does a bit of the heavy lifting by sending increased telemetry about your aim score, XIM score, and other unusual process events. This can also be disabled by patching the game executable on disk, preventing the system from even being initialized. (I’ve sent this directly to the developers a while ago, and they’ve done nothing with it.) One thing I will give them credit for is that they’ve at least attempted to protect this code, but they’ve done a terrible job executing it. There’s also another component they use called “AC (Anti-Cheat) SDK.” This component exists in an extremely niche location within the game process, but I won’t explain it further because it could lead to additional attack vectors, although the team already knows where it lives. From what I understand, this component also sends additional telemetry and periodically sends screenshots of your game to the anti-cheat backend (at least for high-risk players) in an attempt to detect cheats like ESP, which gives exact player locations through walls. This component can also be disabled. - The anti-cheat team also has an additional QSEC (anti-cheat) component that is completely server-side. This anti-cheat automatically scans replay files and match data to determine whether a player is cheating based on heuristics. This approach is extremely flawed because a cheater can disable the components I explained above and “humanize” their cheats to avoid detection. It can also lead to false bans if the system’s assumptions are incorrect, which appears to happen periodically. - The Anti-Cheat team actually does nothing to validate whether the kernel component is running or not, this is one thing some anti-cheats like "Easy Anti Cheat" does right, the game server will kick you out if it doesn't receive a valid token from the client generated by the anti-cheat. Sure some telemetry may give the team some insight saying "Hey so this user isn't running our anti-cheat, they're probs sus asf", but when those telemetry components are disabled and your only component is the server sided anti-cheat it makes the entire system super redundant. - The Marvel Rivals team claims that a user who gets banned will get device bans, and IP bans. From my understanding they don't IP ban, but they do attempt to device ban (HWID Ban) and they do a terrible job at it, since you can disable the kernel component of the anti-cheat the game process is left with only one way.. do call windows functionality to generate a Hardware Identifier based on the limited functionality that Microsoft gives them. This is completely redundant when you can disable all of the components I've mentioned earlier and the use Function Hooking to essentially "spoof" your hardware identifier, and once you get banned, you can clean all of the traces the game process leaves and create a brand new account as if nothing happened. There's a few more components that I haven't talked about or may not completely know about, but I hope this gives you a slight idea on how the team actually handles cheating. I've actually sent most of what is currently in this post directly to the team months ago, and they haven't done anything with it. You know where to contact me NetEase. Chào👋