Path of Exile Anti-Cheat Postmortem
#1 pushedx (Contributor)

    Path of Exile Anti-Cheat Postmortem

    I spent some time today putting together a paper of my past experiences with the Path of Exile ACs.

    In the paper, I cover specifics of the past v1 and v2 systems, offer some commentary about the topic, and go over how I missed the latest v3 system.

    This is intended for anyone who is interested in reversing and knows ASM, but is also setup in a way where you're meant to draw your own conclusions from what is presented. In other words, it's not a specific guide on how you should go about reversing or battling an AC, but rather just me sharing my experiences and brief thoughts on the topic as it pertains to this game.

    I don't cover any specifics of the current v3 system, as I don't have it reversed yet. I don't have any plans to publish my findings while it is live though, assuming I even decide to reverse it, but if you are interested in tackling it, then knowing how v1 and v2 worked will certainly be useful if you weren't around pre-3.0.

    Lastly, from the brief parts of the supposed v3 system I've come across, it really does look like a v3 system, and not some new system they got from Tencent. While the timing is suspect in regards to how 3.0, 3.1, 3.2 went, I do really feel it was purely coincidental these changes happened when they did. If there was no Tencent deal, I think the outcome would have been the exact same. If you consider that 3.0 was the massive game expansion, 3.1 was the massive endgame expansion, and then 3.2 was a massive "new game mechanic expansion" that they never finished fixing, then it stands to reason when they approached 3.3, which was more in line with previous expansions of the past, they would be able to tackle this issue finally, as before they needed everyone working on literally everything else post Legacy league.

    Link: Path_of_Exile_Anti-Cheat_Postmortem_1.0.pdf - Google Drive

    I'll be happy to hear any feedback or questions, as it's currently version 1.0, but is part of some new content I finally have some time to work on.

#2 uumas (Active Member)
    Thank you for sharing your thoughts and experiences. Good luck on your next buddy project or w/e it may be.

#3 henkiedemol (Active Member)
Now I remember who you reminded me of. Weren't you behind a Silkroad Online cheat a bunch of years ago?

#4 jxqdy123 (Member)
    Thank you for sharing

#5 Deathax (Member)
    Interesting stuff, thanks for sharing.

#6 xCROv (Member)
    Was a great read. Nice!

#7 GameHelper (Elder)
Nice read! It would be nice if you elaborated a bit more on the following paragraph in your paper:

To work around v2, we had to make some changes again to avoid potentially getting caught by the functionality. For this, it was very targeted to what the AC was doing when it came to external process scanning if you had a handle open to it. There are some clever workarounds nowadays to this, but at the time the only way I knew of was to be more intrusive with the AC itself.

Maybe provide the reference for the workarounds and what you did, etc.

#8 darkbluefirefly (Member)
    When are you making your own game? I want to bot it.

#9 MATRASUS (Member)
    Thank you for sharing! Really interesting to read

#10 madeyemoodi (Member)
    Dear PUSHEDX - you were on the right track regarding 'Looking back, I was searching for something new and creative, such as streaming it over packets'. If you want to discuss this further in private -- shoot me a PM!

#11 pushedx (Contributor)
Originally Posted by henkiedemol:
Now I remember who you reminded me of. Weren't you behind a Silkroad Online cheat a bunch of years ago?
    Yeap! Almost a lifetime ago, but SRO was my origin.

Originally Posted by zaafar:
Nice read! It would be nice if you elaborated a bit more on the following paragraph in your paper.

Maybe provide the reference for the workarounds and what you did, etc.
    I was thinking about the best way to cover that without just saying for X do Y. I'll most likely expand upon that for a future revision.

    I'll give you the thought process of how I approached it, since the specifics were for us and our setup (which doesn't help any tools here, because they would need to increase their detection surface to do similar).

First, you really do need to know what the AC is capable of to be able to get an idea of how you should work around it. However, directly working around the AC's functionality leads you down that boring path of cat and mouse that I feel is not very productive. For example, if you know the AC uses CreateFileW to open a file to check its contents, you could use an API hook to counter it. But if you stop there, then while you have worked around the current detection, you're just waiting for the next change that will get you after the fact (and you can't count on getting warnings from cheating forever).

    Ideally, your "response" to the AC change needs to be more than just a hard counter.

Rather than only targeting CreateFileW, you need to look at the general principle of "how to open a file" and look at all the different methods possible and whether or not you can detect those being used. This is where things start to get tricky, because there are a lot of Win32 API functions that can be creatively used for different things, so if you're up against an out-of-the-box thinker, then you could easily fall into some nasty traps (for example, in v1 the people who modified the AC and GGG sending legit client bytes).

There are limits to doing certain things though, but that stops mattering when one side is willing to take things to the next level. I mentioned OpenProcess was one giveaway in v2, which is an easy-to-hook API. It's not feasible to ban/detect API hooks because of how Windows works (you could if you like headaches), so you either have to explore the hook itself, or go down to using NtOpenProcess directly. So round 1 is us hooking OpenProcess, then the game uses NtOpenProcess. Round 2 is us hooking NtOpenProcess, and then the game emulates the system call in its own memory which won't be hooked, and they enjoy their chicken dinner. Round 3 is us using a driver and they can't do anything about it for a while, so we enjoy the chicken dinner.

That process is fun to some, which is why it still happens nowadays for cheats and hacks, but I'm not a fan of it. The problem with conventional thinking is that you'll get conventional results. Yes, client-sided security is almost always an eventual losing battle, but if you're able to get away with things for a certain period of time and profit, then when you are forced out, you're leaving the game ahead. I don't think I've said much to help with your question the way you'd like, but the point I want to emphasize is: if you're going to be fighting an AC, it had better be for a profit, because it's almost always a losing battle.

Originally Posted by madeyemoodi:
Dear PUSHEDX - you were on the right track regarding 'Looking back, I was searching for something new and creative, such as streaming it over packets'. If you want to discuss this further in private -- shoot me a PM!
    Thanks, I won't ask for spoilers since I might spend some free time looking into it eventually for fun, but it does sound like the challenge of getting away with things is indeed getting harder and harder.

Originally Posted by Minampula:
Hi PushedX, we develop bots/cheats for different games (privately). We have had success bypassing the newest anti-cheat systems. Now that the bot is closed, we are interested in your experience in PoE botting; maybe we can find some interesting ways to cooperate, or just purchase some of your knowledge, or parts of your work.
PM me if interested.
Exilebuddy code is Bossland GmbH property for all intents and purposes, so we won't be doing anything with that, just because there are things we'll still be using and whatnot for the future. I'm still with Buddy, just taking a little break at the moment to catch up on a lot of things I couldn't do the past years.

I do plan on writing and sharing my experiences with bot development in general, but it will take a lot of time, and be a very large paper. I look at it in terms of: if I want to get better at things, I have to continually move forward, then look back and reflect, make adjustments, and then put that knowledge to use on something new. While PoE has its own set of interesting challenges still, I feel like I've spent long enough in this environment that if I kept going, I would need to make a number of big changes to things to continually get better, and that was not practical for the EB project. If PoE was my final destination, then it would have been a different story, but it's not, so I feel like it's the right time to move on, but I'll cover more on this topic later most likely.

    Main point is, my focus in life is to continually get better, gain new experiences, and enjoy the journey. I'm not one to just settle into something and just get paid if there's no potential for my growth.


    Thanks everyone for your comments and feedback!

#12 dlr5668 (Contributor)
Originally Posted by madeyemoodi:
Dear PUSHEDX - you were on the right track regarding 'Looking back, I was searching for something new and creative, such as streaming it over packets'. If you want to discuss this further in private -- shoot me a PM!
    chris_wilson please relog

#13 SpaceGuy119 (Member)
I'm new to EB, but it didn't take me long to realize your skills and dedication. No matter what the future holds, thank you for everything you've done. Some people enjoy playing, some enjoy botting, some enjoy the HUD, etc. For me, and likely many people that have used your product, I enjoy the hype of waking up/getting home from work and seeing what the bot found. Without this hype, I probably would stop playing PoE. I hope you overcome this v3 challenge and better your skills as a result. God bless.

#14 maper (Elite User)
Interesting walk through history. The v2 layout change you referred to is because they switched to using __forceinline to stop the compiler from generating individual functions for everything. Did you do much investigation into the v2 process peeking code? I remember some of it was specifically targeting Exile Buddy at one point.

    Something I would add to this is that there was actually a "v0" anti-cheat for a little while. It accepted no input from the server but just ran in a loop in the client looking for changes to certain functions. I don't believe they ever used that for a ban, but it existed in the client for some time before v1 came out.

#15 pushedx (Contributor)
Do you remember which client version v0 was around and if it had anything that made it stand out? It's been so long, I don't even remember if I saw something like that or not, because our guidelines were never to touch the client's code section for the project, so it's possible I saw something and just disregarded it because it didn't affect us and forgot about it. I do have all the clients though, but if it wasn't using any API functions, it would be hard to track down again if it just read a fixed address.

Yes, I did a lot of v2 work to the same degree as v1, just because I figured they were out to get us and I had to know exactly what it was doing. At one point, they added detection for users running on Wine so as not to trigger the AC, but I think that was because they finally tracked down 3 months' worth of people complaining about random client crashes. I found a forum thread that correlated to changes I noticed in the AC, when they started to run it, and when the crash reports started rolling in. People did post a Wine bypass here on OC, but I thought that was a pretty bad idea (TM), just because all it did was not run the AC, but then your account is flagged because you're not sending AC response packets anymore. I don't think any bans resulted from that though, so people got another free pass.

Yeap, the inlining was brutal. I did a few updates by hand when they made minor adjustments, then just wrote some code to do the sig for me because of how large it was. Actually, I should add that in a future revision because it made my life so much easier. We were using Udis86 (the Udis86 disassembler library for x86 / x86-64), so what I did was use a simple sig to find the inlined AC thread, then walk through the instructions fixing calls and dynamic addresses. It wasn't much code at all, and once I verified it was working as expected (since I had to go byte by byte to check against my manual sig) I could rely on that moving forward. I think 2.4.0.18 (~Sept 23, 2016) was the last change I detected in that code before it got removed (unless I missed an SVN commit log where I didn't note a change I made), and the sig itself matched 25.7kB (with wildcards for the memory addresses that would change patch to patch). However, it was still the same variant of the AC, so even though it changed structure from the inlining, I still count that as the v2 system. It had some easy-to-exploit design flaws, so I had confidence in my workaround being enough, even though I knew there was no practical way to determine if they were actually going after us.

However, I never logged anything specific to them finding us, but then again that doesn't mean much since I wasn't logging 24/7, so I could have easily missed the scans. It's one of the hard things to fight in these setups. Obviously, you can't bot 24/7 on such a data collector character due to the risk, but you also just can't sit in town and hope you catch something, because they could easily trigger scans over a certain level, in a certain area of the game, etc. That's another aspect of our bot project that would have had to change moving forward, and it's not an easy thing to manage in this game vs. say a big MMO like WoW. That's why even in light of realizing I missed the v3 system, and the degree of the bans we saw, I still think significant server-sided detections were made for 3.3 that got us, because even during the times when the AC was being worked around, we still had a good amount of bans, because that's just what type of game it was.

    Thanks for the comments!
    Last edited by pushedx; 07-19-2018 at 02:24 PM.

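The wildcard byte-signature approach pushedx describes in this post (a pattern with wildcards for the addresses that change between patches, then walking the matched instructions to fix up calls and RIP-relative references) is the same primitive that detection engines use for hex-string matching, and it is what makes a large signature survive a rebuild. The C program below is an added example written for this thread; it is not pushedx's, Exilebuddy's or Udis86's code. It parses an IDA-style pattern such as "48 8B 05 ?? ?? ?? ??", scans a byte buffer for every match, and resolves the rel32 operand of a matched call or RIP-relative load to an absolute address. The sample buffer, the pattern strings and the image base 0x140001000 are all constructed for the example and stand in for any real client bytes.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SIG_MAX 64

/* A parsed signature: a byte is compared only where mask[i] == 1. */
typedef struct {
    uint8_t bytes[SIG_MAX];
    uint8_t mask[SIG_MAX];
    size_t len;
} signature_t;

/* Parse an IDA-style pattern ("E8 ? ? ? ?" or "E8 ?? ?? ?? ??").
   Returns the number of tokens parsed, or -1 on a malformed token. */
int sig_parse(const char *text, signature_t *sig) {
    const char *p = text;
    sig->len = 0;
    while (*p) {
        while (*p == ' ') p++;                  /* skip separators */
        if (!*p) break;
        if (sig->len >= SIG_MAX) return -1;
        if (*p == '?') {                        /* wildcard token */
            sig->mask[sig->len] = 0;
            sig->bytes[sig->len] = 0;
            while (*p == '?') p++;
        } else {                                /* exact hex byte */
            char hex[3] = {0, 0, 0};
            if (!isxdigit((unsigned char)p[0]) || !isxdigit((unsigned char)p[1]))
                return -1;
            hex[0] = p[0]; hex[1] = p[1];
            sig->bytes[sig->len] = (uint8_t)strtoul(hex, NULL, 16);
            sig->mask[sig->len] = 1;
            p += 2;
        }
        if (*p && *p != ' ') return -1;         /* e.g. "E8?" or "4GG" */
        sig->len++;
    }
    return (int)sig->len;
}

/* First match at or after `start`; returns its offset or -1. */
long sig_find(const uint8_t *buf, size_t buf_len, const signature_t *sig, size_t start) {
    if (sig->len == 0 || buf_len < sig->len) return -1;
    for (size_t i = start; i + sig->len <= buf_len; i++) {
        size_t j;
        for (j = 0; j < sig->len; j++)
            if (sig->mask[j] && buf[i + j] != sig->bytes[j]) break;
        if (j == sig->len) return (long)i;
    }
    return -1;
}

/* Number of (possibly overlapping) matches in the buffer. */
size_t sig_count(const uint8_t *buf, size_t buf_len, const signature_t *sig) {
    size_t n = 0;
    long off = sig_find(buf, buf_len, sig, 0);
    while (off >= 0) {
        n++;
        off = sig_find(buf, buf_len, sig, (size_t)off + 1);
    }
    return n;
}

/* Resolve the rel32 operand stored in the last four bytes of an x64
   instruction at `off` (call rel32 is 5 bytes, mov rax,[rip+disp32] is 7):
   target = base + off + insn_len + sign-extended rel32. Little-endian host assumed. */
uint64_t rel32_target(const uint8_t *buf, size_t off, size_t insn_len, uint64_t base) {
    int32_t rel;
    memcpy(&rel, buf + off + insn_len - 4, sizeof rel);
    return base + off + insn_len + (uint64_t)(int64_t)rel;
}

/* Constructed sample "code": two RIP-relative loads whose displacements differ,
   a call, and a ret. The displacements are the bytes a sig must wildcard. */
const uint8_t SAMPLE[] = {
    0x48, 0x8B, 0x05, 0x10, 0x00, 0x00, 0x00,   /* off 0:  mov rax, [rip+0x10] */
    0xE8, 0x14, 0x00, 0x00, 0x00,               /* off 7:  call +0x14          */
    0x90, 0x90,                                  /* off 12: nop; nop            */
    0x48, 0x8B, 0x05, 0x20, 0x00, 0x00, 0x00,   /* off 14: mov rax, [rip+0x20] */
    0xC3                                         /* off 21: ret                 */
};

int main(void) {
    signature_t load, call;
    sig_parse("48 8B 05 ?? ?? ?? ??", &load);   /* wildcarded displacement */
    sig_parse("E8 ? ? ? ? 90 90", &call);
    printf("mov rax,[rip+disp32] matches: %zu\n", sig_count(SAMPLE, sizeof SAMPLE, &load));
    long c = sig_find(SAMPLE, sizeof SAMPLE, &call, 0);
    printf("call at %ld -> target 0x%llx\n", c,
           (unsigned long long)rel32_target(SAMPLE, (size_t)c, 5, 0x140001000ULL));
    return 0;
}
```

The wildcarded load pattern matches both mov instructions even though their displacements differ, which is exactly why a 25.7kB signature with wildcards over addresses can keep matching across patches; the exact-byte variant of the same pattern would match only one. Resolving the rel32 afterwards is the "fix calls and dynamic addresses" step done per matched instruction.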