Bypassing Anti-Cheats & Hacking Competitive Games

By Rohan Aggarwal on 01 Jun 2023 @ Securityfest
#reverse-engineering #appsec #endpoint-protection #arduino #memory-forensics #dynamic-analysis #malware-prevention
Focus Areas: 🛡️ Security Operations & Defense , 🔧 Hardware Security , 🔐 Application Security , 💻 Endpoint Security , 🚨 Incident Response , 🦠 Malware Analysis , 🌐 Web Application Security

Abstract

With the increasing popularity of games that have a competitive element, cheats have become a common way for hackers to gain an advantage. Developers of games like Fortnite, Valorant, and Apex Legends are under constant pressure to prevent cheating. In this talk, we share the current state of cheats and anti-cheat mechanisms, dive deep into the history of anti-cheats and how they actually work, and cover several techniques hackers use to bypass them. The session includes the release of a basic kernel-mode driver and an external hardware cheat that can be used as a learning resource for understanding how different anti-cheats on the market are bypassed.

Presented at Security Fest 2023.

AI Generated Summary

The presentation detailed technical methods used to create undetectable cheats for competitive multiplayer games, focusing on bypassing modern kernel-level anti-cheat systems. The speaker outlined the historical shift from user-mode cheats to kernel drivers, explaining that kernel-level access is necessary to circumvent protections like Vanguard or Easy Anti-Cheat.

Key techniques covered included reverse engineering to find dynamic memory offsets, hooking Windows system calls to establish communication with an unsigned kernel driver, and developing that driver to perform memory reads/writes. A critical step is loading the unsigned driver by exploiting a vulnerability in a signed third-party driver (e.g., using a tool like KD mapper) rather than test signing, which anti-cheat detects. The driver must implement custom hook logic and shellcode to avoid signature-based detection.

For games with exceptionally robust kernel anti-cheat (specifically Valorant), the speaker described the evolution of “pixel bots.” These cheats bypass memory interaction entirely by analyzing screen pixels to identify enemy outlines, then using external hardware—an Arduino with a USB Host Shield—to simulate mouse movement. This hardware approach avoids detection because the mouse input appears to originate from a legitimate HID device. The pixel bot process involves screen capture, color filtering (often with OpenCV), coordinate calculation, and serial communication with the Arduino, which spoofs vendor/product IDs to mimic a commercial mouse.

Practical implications include the transferable skills for malware analysis and kernel development. The arms race is highlighted: anti-cheat developers must now detect hardware-based input manipulation and potentially remove game visual cues (like enemy outlines) that pixel bots rely on. The work demonstrates that cheat development requires deep systems knowledge and constant

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview — always refer to the original talk for authoritative content.