Jump to content

Recommended Posts

Posted
21 hours ago, Trance said:

You're missing a couple of essential information, such as driver, etc.


I agree. You mention a lot about system calls. At which level? If your driver component runs in user mode, someone can pretty easily send whatever data he likes to the backend. Also, even if you load sys kernel driver using windows service manager, the driver still needs to be  signed  and comply with  secure boot policy, vbs / hvci / memory integrity restrictions if those protections are enabled.

Posted
10 hours ago, Seamless said:


I agree. You mention a lot about system calls. At which level? If your driver component runs in user mode, someone can pretty easily send whatever data he likes to the backend. Also, even if you load sys kernel driver using windows service manager, the driver still needs to be  signed  and comply with  secure boot policy, vbs / hvci / memory integrity restrictions if those protections are enabled.

 

Pretty much everything. I can write my own bootkit and inject whatever the hell I want to get around their protection or any usermode checks simply by hooking certain things. Most Kernel anticheats are also pretty much bypassable if you know what you're doing and how to sign a driver correctly. You can do many crazy things with it. On top of that it's easy to deobfuscate the red texts on IDA and make it readable, and in the end it's always going to have weak points no matter which one it is. 😄

Bootkits, USB injections, and other methods can be used to manipulate many anticheat systems. Honestly, Lineage 2 anticheats are some of the worst out there no one has been able to create anything truly reliable or decent yet. xD

Posted

you don't need to block the adrenaline users from the start!

you need to know only who use and then to ban at random time by your panel!

Posted
13 hours ago, mjst said:

you don't need to block the adrenaline users from the start!

you need to know only who use and then to ban at random time by your panel!

 

That only helps if you have some algos which you don't want them to find out.

Posted (edited)

Very nice attempt and good luck with your sales.

 

Don't let the voices in this topic discourage you. Most of those people are just flexing. So if Celestine decides to write a bootkit or hook system calls or whatever and false-feed your anti-cheat fake info just because it sits in user mode just to go play in a private server with 100 people, I'll tell you one thing:

 

Who the fuck cares ... 😛

 

The average player won't / can't make these things, the big players like adrenaline won't bother (yet) (they don't have signed drivers do they ? They also run in user mode I believe). And even if they somehow manage to do so, there's a minority of players who would trust putting this thing on their pc. I wouldn't let anyone tamper with my kernel mode even if he had a signed certificate from Microsoft. 

 

Also, in a scene where collusion has been brought out between bot makers and cheat guards, having many options is a blessing regardless of their strength. It makes colusion, conflict of interest and cartel more difficult, it drains from cheating software creators more resources to focus on more cheat guards, and it gives server owners plurality. 

 

This arms race is a numbers game, you stop 90% of the cheaters you add value to all of us. 

 

A couple of senior devs flexing their powers in a forum are not a concern.

 

If i'd ever make a server, I would definitelly buy from you, not because you have the best anti-cheat, but because you are not well known yet to be the focus of counter measures. 

 

 

Edited by aguy
Posted
On 7/7/2026 at 3:27 AM, Celestine said:

Bootkits, USB injections, and other methods can be used to manipulate many anticheat systems. Honestly, Lineage 2 anticheats are some of the worst out there no one has been able to create anything truly reliable or decent yet. xD

It requires a lot of research and money to create something that is actually worth having on someones server. But again, even if something worth trying appears,  I dont even trust vanguard at this point, and its even worse if theres some kernel driver signed by a single person without a real company behind it to take the hit if something goes wrong. Thats a huge security risk. Most people are naive and untrained for thinking its okay to elevate permissions for an executable created by someone in their moms basement. The same goes for people who run compiled shared / paid sources and assume its fine, with nothing malicious running inside them.

 

11 hours ago, aguy said:

A couple of senior devs flexing their powers in a forum are not a concern.

 

If i'd ever make a server, I would definitelly buy from you, not because you have the best anti-cheat, but because you are not well known yet to be the focus of counter measures. 

A user with 13 posts suddenly appears. This is a tech forum, and developers are not here to flex. We are simply discussing the potential risks and reliabilty of the product, since that is the whole purpose of a discussion forum. Otherwise, it becomes no different from marketplaces. In addition, it is  reasonable to question someones capabilities based on their available public data. How do you go from selling web apps to working with such low level concepts that require a lot of specialized knowledge? Think again then before you buy from him with a blind eye. 

12 hours ago, aguy said:

I wouldn't let anyone tamper with my kernel mode even if he had a signed certificate from Microsoft. 

 

12 hours ago, aguy said:

If i'd ever make a server, I would definitelly buy from you, not because you have the best anti-cheat, but because you are not well known yet to be the focus of counter measures. 

 

The first statement contradicts the other one. You say you wont allow anyone access, but youre willing to explicitly run an anti cheat on your computer created by this guy. What exactly is your point?

Posted
3 hours ago, aguy said:

I said I'd buy it for my player, I didn't say I would run it on my pc. 

 

I assume you're some kind of Rito Games player too, right? If so, I've got some bad news for you. We've been reversing their stuff for years, and the VGK driver collects far more information from your PC than you could imagine.

 

I won't leak or discuss any specifics here for obvious reasons, but if you've played on certain "serious" projects, they may also have something running on your system. Whether it's mining your GPU or doing other shady things, the point is that you can't really say you're completely safe in today's gaming world. 😄

EAC, BE, Vanguard, FACEIT, and pretty much any kernel level anticheat have extremely deep access to your system.

 

In the wrong hands, that level of access can become a serious privacy risk.

If you have the knowledge, dump the game and take a look for yourself. You might be surprised by what's actually going on behind the scenes.

 

No wonder the VGK team decided to remove the driver from startup and switch to an on demand approach. I guess the exposure became too much of a risk for them to ignore, so they had to make changes to protect their reputation and keep their image clean.

 

So let's get to the point. Any anticheat for Lineage 2, whether it's considered good or bad, comes with the same issue: if someone wants to compromise your privacy, they can potentially do it because you don't truly know what you're launching or what kind of drivers it installs or loads.

TL;DR: Without proper knowledge and analysis, you can't really know what's happening behind the scenes. Cheers.

 

Let me remind some people who may have forgotten about this. Many years ago, there was a project called BeyondWorld H5. I saw people complaining that their systems became extremely laggy and their GPUs were overheating after running the game for a long time.

After further analysis, we found that the client was heavily using the GPU in a way that appeared to be mining related. The point is that nothing is impossible  if someone has enough access and knowledge, many things can happen.

 

As for AAC It installs a kernel mode driver. The binary references active64.sys and active64_internal.sys, along with user facing error messages like "Driver installation error, please close all games." This means part of the anti cheat runs in ring 0 kernel mode ROFL, not only as a normal user mode process. Basically, it has a much higher privilege level than the game itself. XD 

 

For those who want to unpack .aaz0, reverse, or analyze everything, you can start from there and see what you can find.  Good luck. 🤓

Posted (edited)

Are we really talking about who I trust more with kernel access on my PC? A random l2 private server owner or riot games ? I think the answer is pretty obvious. No one. But if I was to tolerate someone I can tell you it won't be the private server owner. Riot is an audited company and it's driver is inspected by Microsoft. 

Edited by aguy

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now


×
×
  • Create New...

Important Information

This community uses essential cookies to function properly. Non-essential cookies and third-party services are used only with your consent. Read our Privacy Policy and We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue..