Anti-Cheat: Stopping Memory Acquisition via Crash Dumps
It’s no secret that cheaters and security researchers want to get their hands on anti-cheat software. Many anti-cheat developers virtualize and pack their binaries, making static analysis harder. This forces adversaries to analyze the anti-cheat software dynamically, which could entail stepping through the unpacking process manually and then dumping the anti-cheat driver from memory. Attaching a kernel debugger can also be a problem due to anti-debugging checks, so how are people dumping anti-cheat drivers? And how could anti-cheat developers prevent this in the future? That leads us to our topic today.
Anti-Cheat: Valve Anti-Cheat (VAC)
In 2002 Valve created an anti-cheat solution called “Valve Anti-Cheat”, aka VAC. The first game they implemented VAC in was Counter-Strike. When VAC was introduced it only operated in user mode (it still does), meaning it runs entirely in user space and has no kernel component.
Game Hacking: BakkesMod
So I’ve been playing Rocket League for as long as I can remember, and I have this mod called BakkesMod. I have BakkesMod to use skins I don’t have unlocked; you can basically call it a “skin changer” with one caveat: you can only see the skins client-side. On the other hand, it has loads of functionality.
Land Of The PEB: Running from the debugger
Welcome to the second installment of “Land Of The PEB”. Last post we talked about what the PEB was and some ways it could be used to one’s advantage. You can’t run from it, trust me. You can find it in your nearest neighborhood, even on the machine you’re using to read this post (if you’re on Windows), but one thing we may be able to run from is the debugger. Using the PEB for anti-debugging purposes is a fairly well-known technique, but don’t let that fool you: it’s still a good thing to know.