# 2020/08/10

## Participants

- Adrian
- Buck
- Giang
- Nick
- Karl
- Matthias
- Tim
- John

## Notes

- We'll need a lawyer who looks into the specifics of the contract.
  - So nobody can run away with it.
- We need to research how the shares work.
  - Whoever ends up doing it will also set up the company and the shares.
- America or Norway?
  - Adrian will look into it.
- Contracting or being part of the company?
  - US LLC and give everyone shares.
  - Contracting is always possible (it's just a different type of tax form).
- First game to protect: see @Adrian's presentation.
- Module system
  - Game/engine-specific detections
- RPC-based architecture: code is still on the client -> can be reverse engineered.
- Networking: KM or UM?
  - KM:
    - May be critical.
    - We need a library that is 100% safe (using WinSock Kernel).
    - [Supported by Microsoft](https://docs.microsoft.com/en-us/windows-hardware/drivers/network/introduction-to-winsock-kernel).
    - Makes tampering with it a little harder.
    - [Example](https://github.com/hsluoyz/wskudp/blob/master/wsktcp/wsktcp.c)
    - **Only send requests to the server when the driver is loaded.**
  - UM:
    - Safer?
    - Can be obfuscated.
- Costs / legal stuff:
  - Setting up the entire LLC shouldn't cost more than a few hundred.
  - We don't want to have one person in control.
  - People who invest get a bonus: investors get 100% of their investment back out of the profit, but after that it gets split.
- Kernel streaming:
  - 1 MB of space in .text that gets overwritten?
  - Problem:
    - Public image. A kernel driver is already a huge issue for people.
    - Microsoft probably wouldn't like it.
  - Encrypt certain parts of the code and transfer the key.
    - Only an issue if Microsoft finds out.
    - As long as we pass WHQL it's fine.
  - Streaming alternative: have different drivers.
  - Encrypting:
    - Even if an employee goes rogue there's no way to exploit it.
- Prevention vs detection:
  - Prevention allows you to do much harsher detections.
  - Legit applications cannot interact with the process anymore.
  - **Focus on prevention.**
- Obfuscation: ask for private versions.
  - Virtualization: hurts the performance of the games.
  - Strip symbols: simple renaming and remapping (.NET), 1-2 days of effort.
  - Violate assumptions tools make:
    - A call doesn't always return to the next instruction.
    - Prevent automatic SDK generation.
  - **Obfuscation can be advertised.**
  - Should be built by us. Can be built once and then used for everything after that. Features are optional.
  - Custom LLVM version that has the obfuscation.
- Obfuscation:
  - Some obfuscation that shouldn't hurt performance too much but makes things annoying for RE, for when we have the time to do it:
    - Simple constant mutation
    - Control flow (very annoying to deobfuscate if done right)
    - Violate common assumptions:
      - Go below rsp (safe in UM)
      - Make CALL not always return to the next instruction
      - General stack fuckery
      - Turn ret into a jump
      - Replace with sub + deref and so on, swap rsp with another register
    - Custom ABI:
      - Buffer on the stack with the return address
      - Randomized and obfuscated
      - rsp - 0x20 = return address of function A
      - rsp - 0x10 = return address of function B
- Hypervisor:
  - Maybe in the future.
  - Intel and AMD support.
  - We probably need to hire some experts.
- Monorepo
- Ban system:
  - EAC:
    - They mess with your head.
    - They let you play with detected stuff.
    - Allows them to:
      - detect the cheat and the users -> determine threats
      - gather data
      - dump the cheat
  - Public image:
    - Live statistics on the website (flexing statistics) -> only when big.
    - Ask game developers first.
    - If somebody is complaining on reddit -> refer to the statistics.
    - Based on the reports: accelerate it.
- Next steps:
  - Adrian: set up client/driver template.
    - Kernel driver will probably be in C.
  - Multirepo:
    - Client
    - Server
    - Frontend
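An added example, not from these notes or from the project's code, showing three of the cheap obfuscations listed under "Obfuscation" (simple constant mutation, control-flow flattening, and a CALL that does not return to the next instruction) applied to a small checksum routine, beside the plain routine so the two can be compared. The constant splits, the state numbers and the sample input are assumptions chosen for the example; the inline-asm trick is x86-64 SysV only and falls back to a plain increment elsewhere.

```c
/* Added example (not the project's code): constant mutation, control-flow
 * flattening and a CALL that returns past a junk byte, applied to a tiny
 * checksum so the obfuscated routine can be checked against the plain one.
 * Build: cc -O2 -o obf obf.c */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constant mutation. The real constants (0x9E3779B1, 0x5BD1E995) never appear
 * as immediates: each is stored as an arbitrary split pair (assumed here) and
 * rebuilt with the mixed boolean-arithmetic identity
 * x + y == (x ^ y) + 2*(x & y). The parts are volatile so the compiler cannot
 * fold the sum back into the original constant. */
static volatile uint32_t k_parts[4] = {
    0x12345678u, 0x8C032339u,   /* sums to 0x9E3779B1 */
    0x0BADF00Du, 0x5023F988u,   /* sums to 0x5BD1E995 */
};

static uint32_t mutated_const(uint32_t a, uint32_t b) {
    return (a ^ b) + 2u * (a & b);
}

/* Violated assumption: "CALL returns to the next instruction". The pushed
 * return address is bumped one byte, so execution resumes past a junk 0xE8;
 * a linear-sweep disassembler decodes that byte as a CALL and swallows the
 * real code as its operand. The SysV red zone is skipped before pushing.
 * Caveat: patching return addresses breaks under hardware shadow stacks
 * (CET), where the ret would fault. */
#if defined(__x86_64__) && defined(__GNUC__)
static size_t obf_inc(size_t v) {
    size_t r;
    __asm__ volatile(
        "subq $128, %%rsp\n\t"
        "call 1f\n\t"
        ".byte 0xe8\n\t"          /* junk byte, never executed */
        "leaq 1(%1), %0\n\t"      /* real continuation, one byte past the CALL's fall-through */
        "jmp 3f\n\t"
        "1:\n\t"
        "addq $1, (%%rsp)\n\t"    /* skip the junk byte on return */
        "ret\n\t"
        "3:\n\t"
        "addq $128, %%rsp\n\t"
        : "=&r"(r) : "r"(v) : "memory", "cc");
    return r;
}
#else
static size_t obf_inc(size_t v) { return v + 1; }   /* fallback on other targets */
#endif

/* Plain reference routine. */
static uint32_t checksum_plain(const uint8_t *p, size_t n) {
    uint32_t h = 0x9E3779B1u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x5BD1E995u;
        h ^= h >> 13;
    }
    return h;
}

/* Control-flow flattening: the loop becomes a dispatcher over numbered states,
 * so the recovered CFG is one switch instead of a recognisable loop. State
 * numbers are arbitrary (chosen for this example). */
static uint32_t checksum_obf(const uint8_t *p, size_t n) {
    uint32_t h = 0, mul = 0;
    size_t i = 0;
    unsigned state = 0x3C;
    for (;;) {
        switch (state) {
        case 0x3C: h = mutated_const(k_parts[0], k_parts[1]);
                   mul = mutated_const(k_parts[2], k_parts[3]);
                   i = 0; state = 0x11; break;
        case 0x11: state = (i < n) ? 0x47 : 0x05; break;
        case 0x47: h ^= p[i]; state = 0x22; break;
        case 0x22: h *= mul; state = 0x0A; break;
        case 0x0A: h ^= h >> 13; i = obf_inc(i); state = 0x11; break;
        case 0x05: return h;
        default:   return 0;   /* unreachable */
        }
    }
}

/* Self-test on a constructed input: 1 when obfuscated and plain agree. */
static int obfuscation_selftest(void) {
    static const char sample[] = "constructed sample input for the checksum";
    const uint8_t *p = (const uint8_t *)sample;
    size_t n = strlen(sample);
    return checksum_obf(p, n) == checksum_plain(p, n);
}

int main(void) {
    printf("selftest: %s\n", obfuscation_selftest() ? "ok" : "MISMATCH");
    printf("empty-input checksum: 0x%08X\n", checksum_obf((const uint8_t *)"", 0));
    return obfuscation_selftest() ? 0 : 1;
}
```

Compare `objdump -d` output for `checksum_plain` and `checksum_obf` to see the effect: the loop and both constants are gone from the second, and the bytes after the `call` decode as a bogus `call` instruction. The return-address patch is the part a real deployment has to think about: it is fine in user mode on Windows x64 (no red zone, no enforced shadow stack by default) but conflicts with any environment that enables hardware-enforced stack protection.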