BattlEye (BE) is an anti-cheat software system founded by Bastian Suter in October 2004. It is used to stop players who use third-party tools from gaining an unfair edge in PC games, and to detect and protect against cheating and hacking.
It was first adopted by a professional league at the beginning of 2005. BattlEye was then adapted for Battlefield 1942 at the community's request, and several leagues started using it there as well. A few months later the breakthrough came when BattlEye was developed further for the highly anticipated Battlefield 2. After its launch in June 2005, demand for BattlEye from a large and active community grew, and it was quickly adopted by several leagues (including all the big German ones). In addition, many server administrators chose to use the tool to protect their public servers too.
In 2006 BattlEye was for the first time officially integrated into a game by its developers: Warsow, a well-known freeware first-person shooter. It now runs inside the game, which allows far better cheat/hack detection than the external solution used for the Battlefield series. A further milestone was reached when BattlEye was integrated into the popular online multiplayer games Shadow of Chernobyl and ArmA: Armed Assault in 2007 and 2008, respectively.
In late 2014 BattlEye introduced a kernel module called BEDaisy.sys for the Arma series of games. It started with Arma 2 and was then extended to DayZ SA, Arma 3, and so on. The kernel module's main feature is an ObRegisterCallbacks callback registered for the game process. As a result of this callback, the access rights of handles to the game are stripped down to almost nothing: WriteProcessMemory, ReadProcessMemory, and any other WinAPI function that needs a handle with the usual access rights will fail because the handle lacks the rights to access the process's memory.
There are, however, a variety of ways around this. To observe exactly what the driver does, you can also examine its unloading.
Currently, ArmA and its mods are the only popular games that still use BattlEye (BE); it was dropped from Warsow. It was first released publicly in 2004 as a third-party anti-cheat for Battlefield Vietnam, and many games have used it since, including the following:
These games all use the anti-cheat software to stop hacking and cheating in online play.
A BattlEye exploit is a bypass of the protection placed on the game process, which stops injectors and attempts to read or write the process's memory. The developer can implement this through ObRegisterCallbacks in a driver, an SSDT hook on the relevant function, the callback table, or other means, such as:
There are four primary components that work together to catch and stop cheaters in online games.
After seeing a recent online sale of BattlEye's shellcode, we decided to write up exactly what the current version of BattlEye is actively looking for. The last leaked shellcode is most likely outdated, since there has been no new development on BattlEye for six months. In this most recent dump, some pieces of code could be identified entirely from memory, indicating that BattlEye only adds to the shellcode and no longer removes earlier detection routines.
BattlEye most likely streams its shellcode from its server to the BEService service on Windows. This service communicates with the BEClient BattlEye module loaded inside the game process. The communication takes place over the named pipe \\.\namedpipe\Battleye and was encrypted for the first twelve months before becoming unencrypted. Known-plaintext attacks are relatively easy because all communication uses a XOR cipher with very few keys. Furthermore, when the shellcode is streamed to the client it is allocated and executed outside of any known module, which makes it easy to tell apart.
To dump the shellcode, you can either hook standard Windows API functions such as CreateFile, ReadFile, etc., and dump the caller's memory region whenever it lies outside any recognized module (query the memory information at the return address), or periodically scan the game's virtual memory for executable memory outside any recognized module and write it to disk. Keep track of the regions you have already dumped so you don't end up with thousands of identical dumps.
The following pieces of pseudo-code have been heavily refined. Because the shellcode contains few function calls and several unrolled algorithms, you will not be able to dump the BattlEye shellcode and instantly recognize some of these components. That doesn't really matter, because you'll have a field day once you've finished reading about this horrible anti-cheat:
Memory enumeration and scanning is the most popular detection method anti-cheat software uses to locate cheat images. As long as you know basic assembly and don't blacklist a standard function prologue, as has happened in the past, it is straightforward to implement and reasonably effective when done well. BattlEye enumerates the whole address space of the game process (referred to as the "current process" below) and runs several checks on every page that is executable and lies outside its own shellcode's memory region.
BattlEye flags any anomalies in the memory address space, most often executable memory that does not belong to a loaded image.
As is known, BattlEye also searches the local process's memory for various hardcoded patterns, as shown in the following implementation. If you analyze this pseudo-code you might notice that these checks can be passed by overwriting the code section of any loaded module, because no pattern scans are run on recognized images. Since integrity checks cannot run without emulating the packer, loading any packed, whitelisted module and replacing code marked RWX avoids being hit by the integrity checks.
The module-specific checks will flag you if specific modules are loaded into the game in a particular way.
Additionally, BattlEye has a highly dubious detection routine that, in our opinion, searches for memory regions with the PAGE_GUARD flag set without actually verifying that the flag is set.
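The executable-memory-outside-any-image check and the PAGE_GUARD check described above, written out as an added example that is not BattlEye's own code. It runs over a constructed address-space snapshot: the region and module records, the MEMORY_BASIC_INFORMATION-style fields they mimic and the sample addresses are assumptions for illustration, while the two report-type values come from the list on this page.

```python
# Added example, not BattlEye's own code: the "executable memory outside any
# loaded image" and PAGE_GUARD checks described on this page, run over a
# constructed address-space snapshot. Region tuples mimic the fields of a
# MEMORY_BASIC_INFORMATION entry; a real scanner would fill them via VirtualQueryEx.
PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = 0x10, 0x20, 0x40
PAGE_READWRITE, PAGE_GUARD, MEM_COMMIT, MEM_RESERVE = 0x04, 0x100, 0x1000, 0x2000
EXECUTABLE = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE
MEMORY_GUARD, MEMORY = 0x21, 0x35   # report types from the list on this page

def backing_module(addr, modules):
    """Name of the loaded image containing addr, or None if the memory is unbacked."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return None

def scan(regions, modules, own_base, own_size):
    """Return (report_type, base) for every suspicious committed region."""
    reports = []
    for base, size, state, protect in regions:
        if state != MEM_COMMIT or own_base <= base < own_base + own_size:
            continue  # not committed, or the scanner's own shellcode allocation
        if protect & EXECUTABLE and backing_module(base, modules) is None:
            reports.append((MEMORY, base))        # executable code not backed by an image
        if protect & PAGE_GUARD:                  # the flag is actually tested here
            reports.append((MEMORY_GUARD, base))
    return reports

def demo():
    """Constructed sample: one game image, one system DLL, six regions."""
    modules = [("game.exe", 0x400000, 0x200000), ("ntdll.dll", 0x7FF800000000, 0x1F0000)]
    regions = [
        (0x401000, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READ),            # game .text: backed
        (0x1A0000, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE),       # unbacked RWX: MEMORY
        (0x2B0000, 0x1000, MEM_COMMIT, PAGE_GUARD | PAGE_READWRITE),  # guard page: MEMORY_GUARD
        (0x3C0000, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READ),            # scanner's own: skipped
        (0x4D0000, 0x1000, MEM_RESERVE, PAGE_EXECUTE_READ),           # reserved only: skipped
        (0x7FF800001000, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READ),      # ntdll .text: backed
    ]
    return scan(regions, modules, own_base=0x3C0000, own_size=0x1000)

if __name__ == "__main__":
    for kind, base in demo():
        print(f"report 0x{kind:02X} at 0x{base:X}")
```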
BattlEye's shellcode iterates over windows from top to bottom in z-order to enumerate every window visible while the game is running. Window handles belonging to the game process, as determined with GetWindowThreadProcessId, are excluded from the enumeration, as mentioned earlier. As a result, you can use the appropriate function to appear as the owner of the window and keep BattlEye from enumerating your windows.
BattlEye also closely checks the mechanism behind the in-game overlay that most Steam users are familiar with. gameoverlayui.exe is the full image name of the Steam overlay host, and it has a history of being abused for rendering because it is easy to take control of and use to draw over the game window.
The following applies to the check:
The following checks specific to the Steam overlay are identical to the ones run on the game process itself, so they are not repeated in the pseudo-code.
The following report types are known from the shellcode:
MEMORY GUARD = 0x21
MEMORY SUSPICIOUS = 0x2F
WINDOW TITLE = 0x33
MEMORY = 0x35
PROCESS ANOMALY = 0x38
DRIVER BEEP PRESENCE = 0x3E
DRIVER NULL PRESENCE = 0x3F
MISCELLA
SLEEP ANOMALY = 0x45
MEMORY MODULE SPECIFIC = 0x46
GENERIC ANOMALY = 0x48
MEMORY MODULE SPECIFIC2 = 0x5B
LSASS MEMORY = 0x42
BattlEye is a safe and reliable anti-cheat system that helps keep games fair. It regularly runs a signature-based scanner that looks for anything suspicious in a machine's memory and running processes. This reliable program detects cheat images and imposes bans immediately.