About 4 days ago, I wrote about EA’s new Anti-Cheat system that is able to access your non-volatile memory to spot malicious software. The story got covered by multiple publications and many of you shared it on Reddit, Facebook, Twitter and discussed what’s going on. Interestingly, the article also reached a professional “Reverse Engineer” with experience in analyzing Anti-cheat measures as a hobby/enthusiast, and he shared some rather insightful but concerning details about EA’s “unknown” and “secret” Anti-Cheat system.
First off, the Electronic Arts Anti-Cheat system has been in the works for a while; in fact, it is already implemented in Battlefield 1 and Battlefield V.
The first known sighting of this anti-cheat system was back in December 2017 on a hacking forum. However, according to our source, at the time the “modules were in very early stages of development, and not very sophisticated.”
EA created the system to counter hacks and perform better compared to other anti-cheat measures in place.
Electronic Arts engineers did their best to make sure this system remains “silent, unknown, undetectable, and nearly impossible to analyze.” The system utilizes multiple modules, each originally with its own single purpose, but it has since grown into more sophisticated software.
How Does It Work
In the beginning, a module would be very single-purpose-driven, for example, taking a screenshot. Now, a single module can perform a wide variety of functions. They are loaded through a process commonly known as manual mapping, where all of the sections, imports, and exports are allocated and resolved manually. This is to keep the module from ever landing on the user’s hard drive; it is loaded directly into memory. Once its operations have completed and a response has been sent back to the server, the module is immediately freed from memory, leaving no trace. This makes catching them relatively difficult, as one must monitor memory allocation and protection statuses.

The modules have the ability to enumerate all processes and windows running on the machine, and read the memory of any such application. This is common in signature scanning. They have the ability to verify the integrity of the game’s internal code, so as to detect if any byte-patching or hooking has been performed. Screenshots can be taken using either a manually mapped BitBlt from GDI32, or DirectX DesktopDuplication to entirely clone your desktop display. As with the static in-game anticheat, care is taken to ensure only the game window is targeted. Overlay detection code exists, as does logic to even detect if “Test Mode” has been enabled in Windows (so as to load unsigned drivers).

The obfuscation techniques in the modules are extremely advanced. Not only are the modules themselves manually mapped, but imported WINAPI functions are too. Imports are dynamically resolved, with string encryption used for resolving the address of exports from Windows libraries (which have been manually re-loaded into the game’s address space, to counteract any corrupted data caused by cheat hooks). While the system is largely bullet-proof, hackers have developed ways to mitigate it.
Since the libraries are unloaded after execution, if a hacker can detect their loading, they can unload all cheats and restore the original bytecode wherever patched, wait for the module to unload, then re-inject their cheats. The biggest flaw of the anticheat system is the frequency of loading. In my own personal testing, I have gone anywhere from an hour between module loads to five hours before finally receiving a payload. I believe this infrequent loading scheme is to prevent analysis, and help maintain secrecy.
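The source says catching these modules requires monitoring memory allocation and protection status. The following is an added example, not code from the article, from the source, or from EA, showing the defender-side triage heuristic that statement points at: walk a process’s memory regions and flag committed, executable memory that is not backed by a loader-registered image (MEM_IMAGE), then compare two snapshots to surface code that appeared and was freed again. It models the fields VirtualQueryEx returns in MEMORY_BASIC_INFORMATION (Protect, Type, State) using the real winnt.h constant values, but all region data here is constructed so the script runs offline on any platform; a live scanner would fill `Region` from VirtualQueryEx and ReadProcessMemory instead. The `Region`, `classify`, `triage` and `transient_code` names are this example’s own.

```python
"""Heuristic triage of a process memory map for manually mapped code.

Added example. Region data below is constructed, not a real process dump.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Page protection constants (winnt.h).
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

# Region state and type constants (winnt.h).
MEM_COMMIT = 0x1000
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000


@dataclass(frozen=True)
class Region:
    """One entry as VirtualQueryEx would describe it, plus the first bytes."""
    base: int
    size: int
    state: int
    protect: int
    type: int
    head: bytes = b""  # leading bytes of the region, read separately


def classify(r: Region) -> str:
    """Label a single region.

    image           executable memory owned by a module the loader knows about
    private-exec-pe private executable memory starting with a PE header:
                    the classic footprint of a manually mapped module
    private-rwx     writable and executable at once; rarely legitimate
    private-exec    executable private memory with no PE header (headers
                    wiped, shellcode, or a JIT)
    benign          everything else
    """
    if r.state != MEM_COMMIT or not (r.protect & EXEC_MASK):
        return "benign"
    if r.type == MEM_IMAGE:
        return "image"
    if r.head.startswith(b"MZ"):
        return "private-exec-pe"
    if r.protect & PAGE_EXECUTE_READWRITE:
        return "private-rwx"
    return "private-exec"


def triage(regions: List[Region]) -> Dict[int, str]:
    """Base address -> label for every region that deserves a closer look."""
    out = {}
    for r in regions:
        label = classify(r)
        if label not in ("benign", "image"):
            out[r.base] = label
    return out


def transient_code(before: Dict[int, str], after: Dict[int, str]) -> List[int]:
    """Suspicious regions present in one snapshot and gone in the next.

    Code that runs, reports, and frees itself (as the article describes)
    only shows up if snapshots are taken often enough to catch it resident.
    """
    return sorted(base for base in before if base not in after)


def sample_snapshots() -> Tuple[List[Region], List[Region]]:
    """Two constructed snapshots of the same process, a few minutes apart."""
    game_text = Region(0x140001000, 0x200000, MEM_COMMIT, PAGE_EXECUTE_READ, MEM_IMAGE, b"\x48\x89\x5c\x24\x08")
    heap = Region(0x1D3B0000, 0x100000, MEM_COMMIT, PAGE_READWRITE, MEM_PRIVATE)
    file_view = Region(0x7FF600000000, 0x10000, MEM_COMMIT, PAGE_READONLY, MEM_MAPPED)
    mapped_module = Region(0x1E4A0000, 0x40000, MEM_COMMIT, PAGE_EXECUTE_READ, MEM_PRIVATE, b"MZ\x90\x00\x03")
    rwx_stub = Region(0x1E500000, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, b"\x55\x48\x8b\xec")
    before = [game_text, heap, file_view, mapped_module, rwx_stub]
    after = [game_text, heap, file_view]  # the private code has been freed
    return before, after


if __name__ == "__main__":
    before, after = sample_snapshots()
    t_before, t_after = triage(before), triage(after)
    for base, label in t_before.items():
        print(f"{base:#018x} {label}")
    print("transient:", [hex(b) for b in transient_code(t_before, t_after)])
```

Treat the labels as triage, not verdicts: JIT runtimes, DRM wrappers and anti-cheat components (including Windows libraries that the described system re-maps into the game’s address space) all produce private executable memory, so a hit is a prompt to dump and inspect the region, not proof of malice. The snapshot diff is the part that matters for self-deleting code: with loads hours apart, as the source reports, a scanner that only polls on a slow timer will usually see nothing, which is exactly the difficulty the article describes.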
There Is Potential For Misuse
The nature and the design of the modules is what potentially makes them dangerous. For the record, they do not currently pose a threat or contain malicious code to my knowledge. They remain subject to change at any moment, the game server controls when they’re loaded, and if a theoretical server RCE were found, a hacker could possibly load custom code onto users’ machines. However, I want to make it abundantly clear: I am in no way claiming that the anti-cheat system is malicious, or violates users’ privacy. I am simply stating the facts about the nature of such a system, and how it could potentially be misused/abused.

Due to the nature of this manual mapping, it’s nearly impossible for antivirus software to detect or analyze. Additionally, because the modules may be rewritten whenever desired, constantly analyzing and monitoring the behavior of these modules is a full-time job. Most of the functionality in this system is about on par with other anticheat systems in regards to user privacy; however, constant auditing and verification of such is not feasible. Previous static anticheat systems could be reverse engineered, audited, and their behavior analyzed; however, this system of hidden dynamic code injection makes that impossible.

As far as providing proof, 0x147E5B3F0 is the current address in BFV where modules are downloaded. Argument 3 is a pointer to the raw binary data, argument 4 is an unsigned integer of the size of the data. PersistenceInventory and PersistenceInventoryReplication are also passed to this function and can be ignored; argument 2 is a pointer to a character pointer specifying the name of the payload so they can be filtered out. A weak signature of this function is 48 89 5c 24 08 48 89 6c 24 10 48 89 74 24 18 57 48 83 ec 30 4c 89 c5 48 8d 59 08. A simple hook can be placed at this function, and you can dump all payloads delivered to the client. However, I advise suspending the game when this function is executed, otherwise the detour will likely be detected and result in a ban.
Due to my limited understanding of how these systems work, I chose to share the information as is to make sure I don’t misquote our source. But even with my limited knowledge of these matters, I can read this and understand exactly what problem Electronic Arts is facing. Some hackers, who are aware that this anti-cheat system exists and how it works, are able to detect the loading of anti-cheat modules into your RAM, quickly unload the cheat/hack and restore the bytecode to its original state. Once the anti-cheat module unloads, they re-inject the cheat/hack and keep on playing without getting a ban. This is probably the reason why EA, despite its unlimited resources, hasn’t been able to counter hacking in Battlefield games.
The company, while it thinks it is one step ahead of hackers, is actually two steps behind those who know how EA’s “secret” anti-cheat system works. As a result, the select few hackers who know how to crack Electronic Arts’ anti-cheat are selling some of the most sophisticated hacks for Battlefield games.
Since only a handful of hackers know of this system, and there are no public postings about it, I believe EA thinks it is largely unthreatened at the moment. In reality, several of these hackers sell some of the most sophisticated and damaging cheats on the market, and their popularity has exploded because their competitors have not been able to crack the new anti-cheat system.
Last month BBC ran a story where a hacker explained how some of the best, top-ranked Rainbow Six Siege players also use hacks. In some cases, hacks are sophisticated enough to even be used at pro gaming tournaments. So this problem isn’t limited to EA.