The Cracks in Riot Vanguard’s Shield: Anti-Cheat and The Secret Battle With Hackers

Izento 2024-02-05 03:05:20
Cheating is the greatest cardinal sin in online gaming. Whether you're a Valorant player who just got into a game against an aimbotter, or a League of Legends player who got full combo’d by a perfectly accurate Xerath, we all understand each other’s frustration in dealing with hackers. The hopeless experience transcends genres. This is the situation that Riot Games is trying to fight with its anti-cheat, Vanguard. The software detects the cheater and immediately stops the game, kicks the cheater, and refunds your rank status, while also saving your sanity by not making you play the game out with the unscrupulous player.

Gaming companies have an extensive history of fighting hackers, sometimes with legal repercussions. Back in 2016, Riot sued a company called LeagueSharp for $10M, citing damages from the company producing scripting hacks used to cheat and compromising the integrity of its ladder system. In 2023, Bungie sued a player for using hacks in Destiny 2; the player was ordered to pay $500K in damages, with a lifetime IRL ban from playing all Bungie games. But legal action can only do so much, and the first defense must be anti-cheat.

Riot has promised that Valorant is no place for cheaters and that Vanguard is the answer. Finally, a company that has defeated cheaters and restored order to the land! In reality, though, Vanguard is not a panacea for cheating. The recent announcement of Vanguard coming to League of Legends was prompted after the League of Legends source code was stolen, along with the anti-cheat software named Packman. The theft was first reported by Vice, and Esports Heaven later reported that the hacker was selling the source code for $700,000 on the black market. Esports Heaven decided to find out whether hacking really is a problem in LoL, what techniques hackers are using, how Vanguard functions from a programming perspective, which cheats are currently available, and the privacy concerns surrounding Vanguard and kernel-level anti-cheats.
But first, we had to take a step back and look at cheating in Valorant. Esports Heaven went onto the black market of cheats and spoke with several cheat developers, including those behind one such cheat, known as Unnamed. A shorter and more opinionated video version of this article is available at the bottom.

Hacking in Valorant

This cheating service offers aimbot, wallhacks (ESP), radar, and even the ability to enable a streamer mode so that your hacks are not discovered by your viewers. We spoke with an individual representing Unnamed, known as smd, who agreed to share on record that, as of December 12, 2023, Unnamed had been detected by Riot and a ban wave was issued. Unnamed has since circumvented this ban by creating a unique build of the software that must be downloaded each time the cheat is used, thereby bypassing any effort by Riot to obtain the software and ban it directly. At its peak, Unnamed had 5,000 users in two months, and although they wouldn’t give us the exact revenue they were making off the cheat, weekly access costs $30, which would equate to more than $150,000 a month, normally accepted through cryptocurrency. When asked where their largest market was, they responded with “Asia”.

Types of Valorant Cheats

Currently there are several cheats available for Valorant, and the simplest ones are referred to as color bots or triggerbots. These function by detecting humanoid figures and colors that enter your crosshair, automatically clicking your mouse button when a pixel of a certain color enters your crosshair. Many Valorant fans should be familiar with the recent fiasco involving an esports player from the Valorant Indonesia circuit, where the player posted an Instagram story and mistakenly showed a folder containing their cheat, with files such as Netflix.exe and a file with a DLL extension. The cheat he revealed was a trigger/color bot. The readme contained instructions specifically telling the user, “before you play, make sure the outline color is purple, you also can’t have a purple crosshair”. The reason is that there is an enemy outline setting in Valorant that changes the character model outline to red, yellow or purple. Whenever an enemy enters your crosshair, the purple color triggers the bot to fire. This is also why he was instructed not to play with a purple crosshair.

Once you go further into the hacking world, cheats become more sophisticated. We spoke with another cheat developer, who chose to remain anonymous, touting the use of AI as the basis for their code. We learned that this refers to aimbot developers using an open-source real-time object detection model called You Only Look Once (YOLO) as the base of their aimbot. To add even more complexity, developers are putting advanced mathematical equations into their code, known as Bézier curves, which humanize the aim and add randomization to the algorithm, thereby throwing off anti-cheat that only looks for snapping movements.

But to understand how anti-cheats work, we must discuss the basics of how Vanguard works and the main advantage of Riot’s system, and this starts with preventing hackers from loading cheats at the very beginning.

How Kernel Anti-Cheats Work

The general way most cheats work is by injecting files into the game’s memory. This is done through DLL injection. Most cheats are referred to as external or internal, with internal cheats being ones that read or write to game memory and external cheats being things like color/trigger bots and image recognition. The easiest way to DLL inject is through the system drivers to avoid detection, and that’s where Vanguard comes in.

Vanguard operates at what computer experts describe as “Ring 0”, known as the kernel level. This level has the highest privilege on the computer system and can make administrative decisions, which include loading things before software applications. Most applications a computer runs do not run at this level. Microsoft describes the kernel as, “a single virtual address space. As a result, a kernel-mode driver isn't isolated from other drivers or the operating system. If a kernel-mode driver mistakenly writes to the wrong virtual (RAM) address, it could compromise data belonging to the operating system or another driver. If a kernel-mode driver crashes, it causes the entire operating system to crash (BSOD)”. Several system drivers operate at this level, including but not limited to graphics card drivers, antivirus drivers, and audio interface drivers.

A kernel-level anti-cheat is meant to prevent reads and writes of the game’s memory and therefore stop DLL injection. Vanguard’s initial kernel technology is nothing new as far as anti-cheats are concerned (we’ll get into specific new tech from Vanguard later in this article), as there are other kernel anti-cheats such as Faceit, which is used with the popular game CS2, and EasyAntiCheat, software used in Apex Legends, Fortnite and several other titles. A large reason for the move to kernel-level anti-cheat is that the software maintains the integrity of system drivers before other programs have a chance to load.

Kernel-level anti-cheats have diverse tools to stop cheats, including hardware cheats, which are some of the most powerful cheats on the market.

DMA Hardware Cheats

If Valorant is meant to prevent cheats from loading on a computer, why not load the cheat on another computer? A Direct Memory Access (DMA) device comes in two different types. The first type allows the cheater to connect two computers together through a central device. One popular device is called a Kmbox, which can be purchased for $50 on ecommerce websites. This allows the cheater to safely run the cheating program on one computer and plug peripherals from the main PC into the Kmbox. The cheat essentially doesn’t touch the primary computer, preventing any flags from the anti-cheat software. This is done by having the hardware mask itself as a keyboard or mouse. This method is deemed one of the safest (but most expensive, due to needing a second PC) methods of cheating.

The next method of DMA is by far the most popular. Popular DMA devices such as an Arduino can be purchased for $20 on ecommerce websites. Similarly, a Raspberry Pi Pico WH can be purchased for $7 and converted to a DMA device. This DMA hardware is connected through a COM or USB port, or straight into a PCI slot, and masks itself as a mouse, keyboard or other peripheral. The device then runs the cheat separately from your computer and directs it back into the computer system. There are several tutorials online that show cheaters how to develop their own aimbot with the Arduino hardware. We spoke with cheat developers about cheating with DMA, and specifically the Arduino, and many of them confirmed that Riot has been targeting these devices, particularly because they do not involve another PC. One Riot insider even confirmed to Esports Heaven that Arduinos have been detected since around 2021 or 2022, presumably through detecting the firmware, although there are still ways to circumvent Vanguard detection with these devices.
The fight against DMA devices is analogous to million-dollar Russian tanks fighting $300 Ukrainian drones; the price of upkeep for a multi-million dollar anti-cheat like Vanguard against a $7 Raspberry Pi was not lost on us. Even so, DMA hardware is rare, even in the cheating world, and most cheats work through scripting and DLL injection.

Like with all anti-cheats, the primary purpose is to prevent the use of manual banning and watching game replays (demo reviewing). For a developer, falsely banning players is something that can quickly lead to distrust from the community, and bans made without hard data, such as those based on demo reviewing, do not cut it for evidence. Even recently, companies such as Waldo Vision or Anybrain are claiming to use emerging AI technology to recognize cheaters just from watching demos, but many are skeptical of the accuracy of such technology since it does not have direct access to the game’s code. Riot themselves are not exempt from manually banning players, as they currently still have a manual process for more complex cases.

Manual Bans

The Valorant Police Department is a public Discord that was first started by Gamerdoc, a cheat watchdog who started detecting cheats for Blizzard’s Overwatch title in 2018, and later for Valorant. He was then hired by Riot in 2020 as an anti-cheat analyst for Valorant. The Valorant Police Department Discord is used to report cheaters directly to Riot and allows them to further investigate specific cheaters. Currently the Discord has almost 5000 users, but despite this, some cheaters are still able to avoid bans. Several hackers claim their cheats have been undetected for months or even years on end, even for things Riot claimed were impossible to do in their game, such as wallhacking, but we’ve seen several hacks do just that.

We wondered if LoL’s current anti-cheat was up to the task of stopping hackers, especially considering a MOBA is a bit more complex and less intuitive than an FPS. As it turns out, the problem exists in LoL as well.

Hacking in LoL

Currently LoL hacking consists of a skillshot bot, which gives the user a near 100% chance of landing abilities on their opponents; an evade bot, which prevents the user from being hit by skillshots with a near 100% success rate; summoner spell tracking; enemy cooldown tracking; and more. We spoke with one LoL cheat developer for a cheat called Vision (they also develop a cheat for Valorant) that was selling a private cheat for about $550 for a lifetime membership and would only take signups every two months since the news of Vanguard coming to LoL. This is to avoid drawing attention from Riot; many in the cheating community describe such cheats as private cheats. When asked about Vision’s most popular market, they responded with, “Korean and Japanese users far outnumber those on other servers”.

There were several LoL hacking communities Esports Heaven talked to that announced they were going private with the announcement of Vanguard, often pausing memberships until they could provide a bypass for Vanguard to continue their cheat service. Often these communities would make announcements via private Discord channels, some of which we were given access to, and which were in excess of 500 users. When asked how strong the current anti-cheat is in LoL, the Vision developer commented, “it’s nowhere near as tough as Vanguard, not even a fifth as strong”.

Additionally, we saw several botting services available for purchase. Botting refers to either software or individuals who level accounts and either bring them to level 30 (which is the level that unlocks most of the features in LoL) or promise a specific rank, such as the coveted Diamond or Master tier. Often these services use scripting software to cheat and efficiently climb the account to high elo. The issue with combatting scripting in LoL is that these cheats are used repeatedly, even if they’re detected.
Hackers have developed a method called a bypass, which allows the use of the original cheating software: the bypass script is layered with the cheat to allow it to execute undetected. These bypass scripts often support multiple cheating programs, and have therefore created a business off of other programs. One bypass Discord community we visited contained over 700 users.

With so many different scripts, bypasses and even services that give software along with DMA hardware and setup instructions, the fight against hackers seems impossible. When we asked the Vision script developer if they had the source code of Riot’s current anti-cheat, Packman, they responded, “no, but we have a method called full game dumping and decrypting all parts, and preparing them for decompilation. It’s not like having the source code of the game, but with tricks and knowledge of assembly language, it’s very easy to understand where the anti-cheat check is, what functions it monitors, and how to bypass it”. With such skilled hackers operating in a low-level programming language such as assembly, which is often referred to as one of the closest languages to binary, it becomes that much more difficult for Riot to hide how their anti-cheat works. Valorant remained no exception to this disassembly.

Reverse Engineering Vanguard

As Valorant released to the public, reverse engineers immediately began disassembling Vanguard to decipher exactly how the anti-cheat works. Some Vanguard reverse engineering community threads have reached over 2 million page views, with several hackers using disassemblers such as Cheat Engine and reading Riot’s internal code. We spoke with reverse engineers about how Vanguard works, and a user by the name of Xyrem, who now volunteers with Riot’s Vanguard anti-cheat team, said “Vanguard allocates 2 mb of RAM, and the virtual address of the memory range is sent to Packman on initialization”.

If that sounds a little complicated, we’ll explain it through an article by Xyrem detailing how he reverse engineered part of Vanguard. The Vanguard kernel software essentially goes deep into an area of RAM called the page table. These are virtual addresses that act as a directory to physical places on the RAM. Vanguard creates a clone of the page table, sometimes called shadow memory or a shadow region, and then whitelists that clone. According to the article, “this approach allows the game to access the shadow region from a whitelisted thread without any noticeable impact on performance. This is an ingenious solution that demonstrates the level of innovation and dedication that goes into developing an effective anti-cheat system like Vanguard”.

When asked to rank anti-cheats from 1-10, 10 being highest, Xyrem responded:

Vanguard 10
EasyAntiCheat 9 (Fortnite, Rust, Apex Legends, etc)
Unity 7
Battleye 4 (Tarkov, PUBG, Rainbow 6)
Ricochet 1 (CoD Warzone)

Another reverse engineer rated:

EasyAntiCheat 8/9
Battleye 6

We also asked the developer smd of the Unnamed Valorant cheat to rank the anti-cheats they’ve encountered from best to worst. They responded with:

1. Mrac (CoD Warface)
2. EAC (Fortnite, Rust, Apex Legends, etc)
3. Faceit (CS2)
4. Vanguard

When we asked why they ranked EasyAntiCheat so high, and Vanguard so low, they responded, “I think EasyAntiCheat has more potential than Vanguard”. We asked another reverse engineer, who chose to remain anonymous, about how EasyAntiCheat uses a similar method to Valorant for cloning a page table (virtual RAM addresses) and they said, “EasyAntiCheat was recently inspired by Vanguard. In fact, they do shadow regions better. They have the same end result but they can detect more often when cheaters try to get access to the game via CR3 by effectively locking off the entire game away from the cheater unless they use certain Windows functions. These functions then ultimately allow them to determine that a cheater was trying to access the game which is a big trap”. A more in-depth and technical explanation by another reverse engineer can be found here, and as it turns out, the Riot Vanguard team is well aware of EasyAntiCheat’s progress.

As one can see, Vanguard and EasyAntiCheat are very similar, but for some reason Vanguard gets more publicity, and that may be due to privacy concerns in relation to the parent company of Riot Games, Tencent.

Privacy Concerns and Exploits Through Vanguard

With heavy skepticism against China, LoL players are perturbed that their data will now be used against them to take more control, as Riot Games is owned by Tencent, a Chinese company, and one that is heavily controlled by the Chinese Communist Party. Tencent was recently coerced to pay $7.7B for China’s Common Prosperity goal, a move that many believe was brought on by veiled threats to levy larger taxes against giant conglomerates. Alibaba, a giant ecommerce company which is often compared to Amazon, also pledged $15.5B for the Common Prosperity goal. Western onlookers are confused, considering the sum is quite large and businesses are often reluctant to pay anything to a government body.

This concern has also been echoed in the US, with previous announcements of Chinese company ByteDance, the company responsible for the popular social media app TikTok, being potentially banned from the US market due to privacy and national security concerns. The US National Counterintelligence & Security Center (NCSC) raised awareness of China’s disregard for data privacy, with director William Evanina saying, “Article 7 of China’s National Intelligence Law states, ‘any organization or citizen shall support, assist, and cooperate with state intelligence work in accordance with the law, and maintain the secrecy of all knowledge of state intelligence work.’ Article 28 of China’s Cybersecurity Law states, ‘network operators shall provide technical support and assistance to public security organs and national security organs that are safeguarding national security and investigating criminal activities in accordance with the law’”.

Some view giving Riot such great access to player computers as giving more control to a company that has had sinister motives with retaining power, such as shadow banning content creators on Reddit, secretly mandating pay caps on esports casters, and conducting psychological experiments on its user base.
We asked several hackers and reverse engineers about the privacy concerns the public has surrounding Vanguard, and none of them believe it to be an issue. Some of them responded that Riot could already read all of your data in user mode and there’s no need to go into the kernel. Riot has also stated that “this isn’t giving us any surveillance capability we already didn’t have”.

Other trepidations about Vanguard include how irresponsible Riot will be with such privileged access to player computers, as they suffered a security breach as recently as 2023 on their own servers, along with one of the largest data breaches in gaming history in 2013. This worry is not alleviated by the fact that another company in the anti-cheat space, ESEA, the creators of the popular third-party kernel anti-cheat software for esports tournaments in CS:GO (and now CS2), was caught hiding a bitcoin miner in its software in 2013. A spokesman from ESEA claimed that it was a rogue employee who injected this bitcoin miner into the main software.

Security expert Saleem Rashid spoke with Ars Technica about Vanguard, saying “whenever you have a driver like that, you're at risk of introducing security and reliability issues to the computer”. With any driver, there is a risk of hackers using it to gain kernel-level access to your computer through an exploit, and this could affect a multitude of computers with Vanguard installed. In discussing this with a reverse engineer, they said, “it doesn’t happen often, but it does pose a risk. I covered an exploit a few years back in EasyAntiCheat where I could inject virtually anything into the game and hide it from the system by virtue of the anti-cheat’s protection”. If Vanguard were compromised, Riot would need to remove Vanguard from user computers through a forced update, although that doesn’t mean this would necessarily undo damage already inflicted on users.
When we spoke with an anonymous Riot insider about the fear of potential malware exploits in Vanguard, they responded, “there’s zero room for error but again, the trust really has to be earned and if the players do not trust it, there really isn’t much that can be done”. A large reason why Riot is pushing for more computer access is to take the fight to the lowest level and prevent cheaters from having access to the game in the future, which is why their anti-cheat implements one of the most innovative pieces of technology, and Vanguard’s secret weapon: the Trusted Platform Module.

Vanguard’s Secret Weapon: TPM

The Trusted Platform Module (TPM) is a piece of hardware on almost all computers produced after 2016. TPM was created in coalition with 83 companies under the Trusted Computing Group (TCG). Some of those companies include Microsoft, AMD, Intel, Nvidia, Qualcomm, IBM, Huawei, HP, Dell, and many more. The TPM hardware can either exist on your motherboard or be embedded inside your processor, with the processor type being called firmware TPM (fTPM). Apple has its own proprietary fTPM, as does Intel with PTT. The TPM stores a cryptographic key which is impossible to crack through software and signs drivers, along with SSL website certificates (Chrome and Firefox use this), to make sure they are authentic. A good layman explainer of how TPM works can be found here by the YouTuber Computerphile.

The reason TPM is a critical component for Vanguard is that it ensures that all drivers are signed and not tampered with. This allows Vanguard to use the TPM module to keep track of each driver, and this is made easier since Windows 11 requires TPM to be enabled (technically you can run Windows 11 without TPM, but you will not receive any updates or support). When we asked an anonymous reverse engineer about TPM usage in other anti-cheats such as EasyAntiCheat, they remarked, “although [EasyAntiCheat] does work with the TPM, they aren’t fully using it to attest the security of the system. It’s quite rudimentary at the moment for EasyAntiCheat”.

For Valorant’s use case, TPM verifies all drivers, which is where hackers like to hide their cheats, and if those drivers are tampered with, Valorant will know, and then they’ll ban via the user’s hardware IDs (HWID). The motherboard, hard drive, router, and other equipment have unique serial IDs, some of which Riot is able to ban, meaning that a cheater would need to change out multiple components in order to evade a ban, along with the usual change of IP and MAC addresses.
For reference, one source confirmed that the similar anti-cheat, EasyAntiCheat, tracks around 30 HWIDs. Players that cheat receive a 120 day HWID ban according to the Valorant Police Department Discord server, and the account that was caught cheating is permanently banned, so the user will need to create an entirely new account after their 120 days are up to continue playing Valorant.

Several Valorant cheat developers aren’t concerned with their users getting banned even if they get caught. When asked about Vanguard’s hardware bans affecting Unnamed’s user base, smd responded, “we provide a free spoofer with our cheat to all users”. A spoofer is a program which creates or masks your HWID, therefore avoiding even the most aggressive detection methods and bans. We saw several cheat developers offering this service, completely circumventing Vanguard bans and allowing users to continue cheating.

But the one thing that cheaters cannot spoof is the TPM, with even Gamerdoc recently memeing that hackers cannot circumvent this method. There is no way to duplicate a TPM key other than through a virtual machine, which Riot forces users to disable. This is also why products like GeForce NOW, a popular cloud gaming service, do not work with Valorant, along with the likes of Linux, which often uses virtual machines to run a copy of Windows (or Linux Wine, which runs in user mode, not kernel, which would defeat the purpose of Vanguard). This would also mean that Riot will effectively get rid of bot farms in LoL, as there is no way to run virtual machines with Vanguard, meaning that multiple instances of the game cannot be recreated.

Cheaters avoid the use of a TPM entirely by staying on Windows 10, but Valorant has already started forcing some Windows 10 players to enable TPM. For now, hackers can largely stay on Windows 10, although this version of Windows comes with some drawbacks for the average user.
Vanguard still allows users to play on Windows 10, but requires that Virtualization-Based Security (VBS) is disabled. Additionally, Valorant requires Windows 10 users to turn off Core Isolation and Memory Integrity, which could create security vulnerabilities for users. Memory integrity “protects and hardens Windows by running kernel mode code integrity within the isolated virtual environment of VBS. Kernel mode code integrity is the Windows process that checks all kernel mode drivers and binaries before they're started, and prevents unsigned or untrusted drivers or system files from being loaded into system memory”. More cynically, several security experts are referring to TPM modules as a disguised Digital Rights Management (DRM) device.
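How a TPM-backed check can notice a tampered driver, as an added example (not from the article, and not Riot's or Vanguard's code): it models the general TPM measured-boot pattern, in which each driver's hash is extended into a Platform Configuration Register (PCR) and a verifier replays the event log against the value the TPM reports. The driver names and contents are constructed, and the check of the TPM's signature over the reported PCR is assumed to have been done already.

```python
import hashlib
import hmac

PCR_SIZE = 32  # bytes in a SHA-256 PCR bank


def measure(image: bytes) -> bytes:
    """Digest of a driver image as it is loaded (the 'measurement')."""
    return hashlib.sha256(image).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: new = SHA-256(old || digest). A PCR can only be
    extended, never set, so earlier measurements cannot be undone."""
    return hashlib.sha256(pcr + digest).digest()


def replay(event_log) -> bytes:
    """Recompute the PCR that a log of (name, digest) events should produce."""
    pcr = bytes(PCR_SIZE)  # PCRs start at all zeroes on reset
    for _name, digest in event_log:
        pcr = extend(pcr, digest)
    return pcr


def measured_boot(drivers):
    """Simulated platform side: measure each driver in load order.
    Returns (event_log, pcr_value_held_by_tpm)."""
    log = [(name, measure(image)) for name, image in drivers]
    return log, replay(log)


def verify(event_log, quoted_pcr: bytes, known_good: dict) -> list:
    """Verifier side. Returns a list of findings; empty means clean.
    Assumption: the signature on quoted_pcr was already checked against
    the TPM's attestation key (omitted in this sketch)."""
    findings = []
    if not hmac.compare_digest(replay(event_log), quoted_pcr):
        findings.append("log does not reproduce quoted PCR")
    for name, digest in event_log:
        if name not in known_good:
            findings.append(f"{name}: unknown driver")
        elif known_good[name] != digest:
            findings.append(f"{name}: digest differs from known-good")
    return findings


# Constructed sample data: three made-up drivers and their contents.
GOOD = [("disk.sys", b"disk driver v1"),
        ("gpu.sys", b"gpu driver v7"),
        ("audio.sys", b"audio driver v3")]
KNOWN_GOOD = {name: measure(image) for name, image in GOOD}
ALTERED = [GOOD[0], ("gpu.sys", b"gpu driver v7 + patch"), GOOD[2]]


def scenario_clean():
    log, pcr = measured_boot(GOOD)
    return verify(log, pcr, KNOWN_GOOD)


def scenario_modified_driver():
    # gpu.sys was altered on disk; the platform reports an honest log.
    log, pcr = measured_boot(ALTERED)
    return verify(log, pcr, KNOWN_GOOD)


def scenario_rewritten_log():
    # Same altered driver, but the log given to the verifier lists the
    # known-good digests. The TPM-held PCR still reflects what actually
    # loaded, so replaying the claimed log no longer matches it.
    _real_log, pcr = measured_boot(ALTERED)
    claimed_log = [(name, KNOWN_GOOD[name]) for name, _ in ALTERED]
    return verify(claimed_log, pcr, KNOWN_GOOD)


if __name__ == "__main__":
    for fn in (scenario_clean, scenario_modified_driver, scenario_rewritten_log):
        print(fn.__name__, "->", fn() or "clean")
```

The third scenario is why the register lives in hardware: software on the machine can edit the log it sends, but it cannot rewind the PCR.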

The Insidious Usage of TPM

DRM technology came out in the mid 2000s as an attempt to combat online piracy. Its use in video games often meant that the user would need to have a steady internet connection to play the game. Those too young to understand how much of a problem this was should refer to Assassin's Creed 2 back in 2010, which famously had DRM technology that prevented users from playing the game offline, forcing a constant internet connection at a time when only 60% of American households had a broadband internet connection.

How this relates to TPM is that companies can now either ban users from using their software, or a competitor's software, and more problematically, prevent unauthorized hardware from being used on the platform. The cause for concern should be immediate: companies like Apple, notorious for their aggressive stance against the right-to-repair, have developed their own TPM version, which bricked iPhones when users installed third-party hardware. HP is another company which has fought against third-party hardware and is currently being sued for rendering printers that have third-party ink inoperable. Tesla is an auto manufacturer that is heavily against right-to-repair and has paywalled features such as heated seating, using TPM to prevent access to these features, even though they already exist on the physical car and just haven’t been unlocked. Along with that, Tesla could ban cars from accessing their Supercharger network via TPM hardware checks. The use of TPM hardware is a much larger problem than just Riot, as it could be used for more nefarious things by bigger companies.

For now, Riot has officially won the war against hackers, as they can now start banning them permanently, although the hackers will continue to fight, looking for any vulnerabilities.
When we asked a hacker what they thought about the fight against Vanguard, Gamerdoc, and Everdox–the senior software engineer responsible for large parts of Vanguard’s code–they responded, “it’s us who made it possible for them to have a job. If they have specific opinions about us, I’m all ears”.
If you're a zoomer and your attention span is shot, come watch the YouTube video version of this here.

Izento has been a writer for the LoL scene since Season 7, and has been playing the game since Season 1. Follow him on Twitter at @ggIzento for more League content.
