From: raylopez99 on
On Jun 9, 4:28 pm, Jackie <Jac...(a)an.on> wrote:
> raylopez99 wrote:
> > [snip]
>
> I doubt this belongs in the C# group or AV group. Probably not chess
> either. More like software security or something, I think.

Feel free to cross-post it there then.

>
> I have some ideas on how they do this and how they do it in any other
> online game. I won't go into the details on exactly how you can do the
> same or how you can defeat it.

Hell why not? I guess you might be giving away company secrets?

>
> > Speculation: how do they do that?  How do they detect software
> > remotely--isn't this a security breach?
>
> You have two choices, at least: Take a risk or not play it.
> There's no way to detect such things remotely without the local
> machine sending some data first that allows the remote machine to detect
> it. Internal data of the game could be changed by the analyzer one way
> or another (you don't see this anywhere on the outside), and the game
> can either detect it locally or send a hash of or chunk of the data for
> verification.

Well of course I assume the local machine sends data.

>
> > Some theories:
>
> > 1) They have some software that can check out what programs are
> > running in your memory, and:
>
> Either that or what I mentioned earlier. These are the simplest methods
> I can think of at the moment at least.

I have a feeling this is not so simple...

> If so, it can of course check its internal data and let the server know
> either if something is suspicious, or simply let the server decide if it
> looks suspicious. I doubt it would be allowed to check what other
> applications are running and read from their memory if it's a Java
> applet, since that sounds very dangerous. But it's an IE or Firefox
> plugin.. Yes, I think that would be possible. Just like the Flash
> plugin. You may know it has been vulnerable for exploitation.
>

A plugin to check memory, to see if chess playing software resides in
said memory? Dangerous sounding.


> > 2) They are faking it:  they simply analyze some games played by
> > suspected cheaters--maybe people reported by opponents who are
> > suspicious --and if enough of the game show that nearly all moves were
> > the 'recommended' moves played by typical chess playing software like
> > Rybka or Fritz, then the accounts are deleted.  

Well this turns out to be one way--but not the only way--cheating is
detected according to the poster FromTheRafters.


>
> Cheat detection methods do it one way or another with some variations,
> but I believe it's basically the same thing (of course, some are better
> than others).
> I have not tried to give you very informational technical details on
> this. Just enough, I hope. :)

Not enough I pray. But don't give away the kimono and compromise the
internet just to satisfy my curiosity.

Thanks,

Ray
From: Arne Vajhøj on
On 09-06-2010 05:47, raylopez99 wrote:
> As anybody who plays chess online knows, on occasion a chess playing
> site like the one PlayChess by Chessbase will say "Player XYZ detected
> using chess playing software--their account has been deleted".
>
> Also when recently the Topalov-Anand match was played, the Bulgarian
> servers stated (when I was checking out the live match): "Warning:
> Chessbase detected!". Apparently they were upset that Chessbase
> software was being used to analyze the match, which they wanted
> exclusive live rights to (they have since sued Chessbase).
>
> Speculation: how do they do that? How do they detect software
> remotely--isn't this a security breach?
>
> Some theories:
>
> 1) They have some software that can check out what programs are
> running in your memory, and:
> (a) this software is bundled with the chess interface used by online
> chess playing programs, or
> (b) this is a Java applet that runs under any browser
>
> If 1)(b), isn't this something an anti-virus program would catch?
> Maybe not.
>
> 2) They are faking it: they simply analyze some games played by
> suspected cheaters--maybe people reported by opponents who are
> suspicious --and if enough of the game show that nearly all moves were
> the 'recommended' moves played by typical chess playing software like
> Rybka or Fritz, then the accounts are deleted. In the case of the
> Bulgarian servers--since the organizers of this match were upset with
> Chessbase before the match because Chessbase stated they were going to
> rebroadcast the moves--which BTW I don't think Chessbase has legal
> rights to--the Bulgarian organizers simply added a message "Warning:
> Chessbase detected!" just to show anybody they were upset with
> Chessbase, to scare them, since most serious chess players use
> Chessbase. In other words, it was a fake message that everybody saw,
> even those not using Chessbase software.

I think it must be 1a.

An unsigned Java applet can not go outside the sandbox and
a signed Java applet will prompt for additional access.

Arne
From: Jackie on
http://java.sun.com/j2se/1.4.2/docs/guide/security/permissions.html

I had a look here just now to figure out exactly what a Java applet is
allowed to do.

AWTPermission > readDisplayPixels
Screenshots to detect the analyzer.

FilePermission
Search for known "bad applications" in the file system to see if they
are installed.

RuntimePermission > setContextClassLoader
I am not sure exactly which system they are talking about here. But if
it is kind of the same as the SetThreadContext API on Windows, and in
addition the code is somehow injected into the remote process (which I
doubt), this is one way to take complete control over that process (read
from its memory and send something back to the chess applet?).

RuntimePermission > writeFileDescriptor
"may allow malicious code to plant viruses" (and other things)

RuntimePermission > loadLibrary.{library name}
"Java security architecture is not designed to and does not prevent
malicious behavior at the level of native code"

Well, this would be very dangerous and would allow anything to be done
in the OS as far as permissions allow it. Even outside the sandbox.

--
Regards,
Jackie
From: Jackie on
raylopez99 wrote:
>> I doubt this belongs in the C# group or AV group. Probably not chess
>> either. More like software security or something, I think.
>
> Feel free to cross-post it there then.

I would just assume you would take on that responsibility.

>> I have some ideas on how they do this and how they do it in any other
>> online game. I won't go into the details on exactly how you can do the
>> same or how you can defeat it.
>
> Hell why not? I guess you might be giving away company secrets?

Not worried about giving away "secrets", I just don't know what people
would do with that information once they know the details. I don't
support cheating in online games. If you take a look at MSDN, you can
look through APIs, read what they do and then form your own ideas on
what you can use them for. If you want to dig into their chess software
to figure out their protection, I suggest first learning some basics of
x86/x64 assembly and then using a debugger to begin. I like OllyDbg.

>>> Speculation: how do they do that? How do they detect software
>>> remotely--isn't this a security breach?
>>
>> You have two choices, at least: Take a risk or not play it.
>> There's no way to detect such things remotely without the local
>> machine sending some data first that allows the remote machine to detect
>> it. Internal data of the game could be changed by the analyzer one way
>> or another (you don't see this anywhere on the outside), and the game
>> can either detect it locally or send a hash of or chunk of the data for
>> verification.
>
> Well of course I assume the local machine sends data.

If I didn't explain it well enough without giving you *C# code* that
either detects these analyzers for *chess games*, or a way to bypass *AV
software* so that you can use them, I am not sure exactly how to answer.

>>> 1) They have some software that can check out what programs are
>>> running in your memory, and:
>>
>> Either that or what I mentioned earlier. These are the simplest methods
>> I can think of at the moment at least.
>
> I have a feeling this is not so simple...

Okay. :)

>> If so, it can of course check its internal data and let the server know
>> either if something is suspicious, or simply let the server decide if it
>> looks suspicious. I doubt it would be allowed to check what other
>> applications are running and read from their memory if it's a Java
>> applet, since that sounds very dangerous. But it's an IE or Firefox
>> plugin.. Yes, I think that would be possible. Just like the Flash
>> plugin. You may know it has been vulnerable for exploitation.
>>
>
> A plugin to check memory, to see if chess playing software resides in
> said memory? Dangerous sounding.

I think they would have access to the system. Checking for example
window titles or checking each process' memory to see if it matches
known "bad applications". Maybe checking the file system with Flash or
Java if they have enough permissions, or taking screen shots. You can
see my other post about Java permissions at least.

>> Cheat detection methods do it one way or another with some variations,
>> but I believe it's basically the same thing (of course, some are better
>> than others).
>> I have not tried to give you very informational technical details on
>> this. Just enough, I hope. :)
>
> Not enough I pray. But don't give away the kimono and compromise the
> internet just to satisfy my curiosity.
>
> Thanks,
>
> Ray


--
Regards,
Jackie
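
Added example, not part of any post in this thread and not code from any chess server: a minimal sketch of the "send a hash of the data for verification" idea quoted above, with the server issuing a one-time nonce so that a recorded answer cannot be reused. The `Verifier` class, `client_response` function and the sample state bytes are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the game's internal data (not from any real client).
REFERENCE_STATE = b"board=rnbqkbnr/pppppppp;clock=300;engine_hook=none"


class Verifier:
    """Server side: issues one-time nonces and checks keyed digests."""

    def __init__(self, reference: bytes):
        self._reference = reference
        self._pending = set()  # nonces issued but not yet answered

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce: bytes, digest: bytes) -> bool:
        # Each nonce is accepted once, so a recorded answer cannot be replayed.
        if nonce not in self._pending:
            return False
        self._pending.discard(nonce)
        expected = hmac.new(nonce, self._reference, hashlib.sha256).digest()
        return hmac.compare_digest(expected, digest)


def client_response(nonce: bytes, local_state: bytes) -> bytes:
    """Client side: keyed digest of whatever is actually in local memory."""
    return hmac.new(nonce, local_state, hashlib.sha256).digest()


def demo() -> dict:
    server = Verifier(REFERENCE_STATE)
    n1 = server.challenge()
    good = client_response(n1, REFERENCE_STATE)
    clean_ok = server.verify(n1, good)
    replay_ok = server.verify(n1, good)  # same nonce presented a second time
    n2 = server.challenge()
    modified = REFERENCE_STATE.replace(b"none", b"attached")
    tampered_ok = server.verify(n2, client_response(n2, modified))
    stale_ok = server.verify(server.challenge(), good)  # old digest, new nonce
    return {"clean": clean_ok, "replay": replay_ok,
            "tampered": tampered_ok, "stale": stale_ok}


if __name__ == "__main__":
    print(demo())
```

The check covers only the bytes the client hashes; it says nothing about other processes on the machine, which is where the permission questions discussed in the thread come in.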