PROTECTING AGAINST POLYMORPHIC CHEAT CODES IN A VIDEO GAME

US 20100162405A1
Filed: 12/23/2008
Published: 06/24/2010
Est. Priority Date: 12/23/2008
Status: Active Grant

First Claim

Patent Images

1. A network device useable in managing detecting cheat code in a executable code, comprising:

a network interface component for receiving and sending information a network;

a processor, in communication with the network interface component that includes machine instructions that cause the processor to perform operations, including;

receiving a hook/parasite signature from a client device, wherein the hook/parasite signature provides information about modification to a game client and a suspect code residing on the client device, wherein the modification to the game client includes a hook from the game client to the suspect code;

analyzing the hook/parasite signature information to detect one or more cheat code elements;

generating a probability value based on a weighted combination of the one or more cheat code elements;

if the probability value indicates that the suspect code is game cheat code, implementing a cheat prevention policy; and

storing information from the hook/parasite signature for use in detecting changes to the suspect code directed toward hiding the cheat code elements.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed towards protecting against polymorphic cheat codes in a video game environment. A detour analyzer analyzes game code in client memory for possible hooks to parasite code. For each detected hook to parasite code, hook and/or parasite information is determined to generate a hook/parasite signatures, which are sent to a remote network device. Based on the hook/parasite signatures a weighted combination of scores are generated that is useable to determine a probability value that the parasite code is cheat code. If the determined probability value indicates cheat code, the user of the client device may be banned from future game play. Additionally, the hook/parasite signature information may be used to update the data store to detect polymorphic changes in the cheat code.

Citations

20 Claims

1. A network device useable in managing detecting cheat code in a executable code, comprising:
- a network interface component for receiving and sending information a network;
  
  a processor, in communication with the network interface component that includes machine instructions that cause the processor to perform operations, including;
  
  receiving a hook/parasite signature from a client device, wherein the hook/parasite signature provides information about modification to a game client and a suspect code residing on the client device, wherein the modification to the game client includes a hook from the game client to the suspect code;
  
  analyzing the hook/parasite signature information to detect one or more cheat code elements;
  
  generating a probability value based on a weighted combination of the one or more cheat code elements;
  
  if the probability value indicates that the suspect code is game cheat code, implementing a cheat prevention policy; and
  
  storing information from the hook/parasite signature for use in detecting changes to the suspect code directed toward hiding the cheat code elements.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The network device of claim 1, wherein the game client modifications are detected using a client detour analyzer that is configured to perform a comparison of the game client in memory to a master copy of the game client.
  - 3. The network device of claim 1, wherein the hook/parasite signature includes at least one of an address in the game client where the hook is located, a landing offset inside of the suspect code where the hook detours execution flow from the game client to the suspect code, or at least a portion of the suspect code in proximity to a landing address into the suspect code.
  - 4. The network device of claim 1, wherein analyzing the hook/parasite signature further comprises at least one of:
    - examining a data store to identify known cheat code elements within the hook/parasite signature;
      
      executing at least a portion of the suspect code to determine if the suspect code operates as a cheat code element;
      
      orexamining text strings within the hook/parasite signatures to determine if one or more of the text strings are on a blacklist of text strings indicating a cheat code element.
  - 5. The network device of claim 1, wherein generating a probability value further comprises:
    - summing weighted values for each of the one or more cheat code elements;
      
      determining a weighted value for each unidentifiable code element and cheat code elements; and
      
      dividing the weighted values for each of the one or more cheat code elements by the weighted value for each unidentifiable code element and cheat code elements to generate the probability value.
  - 6. The network device of claim 1, wherein storing information from the hook/parasite signature further comprises:
    - if the suspect code is detected as game cheat code, further identifying any code elements from the hook/signature information that is not identified as cheat code elements, also as cheat code elements.
  - 7. The network device of claim 1, wherein the hook/parasite signature includes a plurality of hook signatures each hook signature being associated with information about a detected hook in the game client, and wherein each hook signature provides information about at least one code element.
  - 8. The network device of claim 1, wherein implementing a cheat prevention policy further comprises identifying a user associated with the client device, and implementing a ban of the user from a future interactive multiplayer game activity.

9. A computer based method of detecting cheat code in a computer game environment, comprising:
- analyzing, on a client device, a game client to detect a modification to the game client that includes a hook to suspect code;
  
  examining, on the client device, the game client modification and the suspect code to generate one or more hook signatures and a parasite signature;
  
  providing the hook and parasite signatures over a network to a server device;
  
  analyzing, on the server device, the hook and parasite signatures to detect one or more cheat code elements;
  
  generating, on the server device, a probability value based on the one or more cheat code elements;
  
  if the probability value indicates that the suspect code is game cheat code, implementing a cheat prevention policy that includes at least inhibiting participation by a user associated with the client device in a subsequent use of the game client; and
  
  storing information from the hook and parasite signatures for use in detecting changes to the suspect code directed toward hiding the cheat code elements.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The computer based method of claim 9, wherein the parasite signature includes information indicating whether a format header is absent or otherwise obfuscated from the suspect code, the format header being at least one of a Portable Executable (PE) format header or a Common Object File Format (COFF) header.
  - 11. The method of claim 9, wherein the computer based method further comprises:
    - if a number of cheat code elements detected is below a threshold value, then;
      
      allowing the user to play the game code; and
      
      storing code elements not identified as cheat code elements to a suspect list for use in a subsequent analysis.
  - 12. The computer based method of claim 9, wherein examining the game client modification further comprises collecting information that includes an address within the game client that a hook is located, and at least one a length of code changed in the game client for the hook, a landing address into the suspect code from the hook, or an defined number of bytes of the suspect code from the landing address.
  - 13. The computer based method of claim 9, wherein analyzing the game client to detect a modification further comparing the game client in memory on the client device to a protected copy of the game client.
  - 14. The computer based method of claim 9, wherein detecting one or more cheat code elements further comprises analyzing a code portion from within the suspect code to determine if the code portion is associated with a prior identified cheat code.

15. A system for detecting cheat code within a game environment over a network, comprising:
- a client device, comprising;
  
  memory having an executable game code and suspect code within; and
  
  a detour analyzer that is configured to perform actions, including;
  
  analyzing the game client to detect a modification to the game client that includes a plurality of hooks to suspect code;
  
  examining the game client modification and the suspect code to generate a plurality of hook signatures and a parasite signature; and
  
  providing the plurality of hook signatures and parasite signature over the network; and
  
  a network device that is configured to perform actions, including;
  
  analyzing, on the server device, the plurality of hook and parasite signatures to detect one or more cheat code elements;
  
  generating, on the server device, a probability value based on the one or more cheat code elements;
  
  if the probability value indicates that the suspect code is game cheat code, implementing a cheat prevention policy; and
  
  storing information from the hook and parasite signatures for use in detecting changes to the suspect code directed toward hiding the cheat code elements.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein each hook signature is associated with information about a detected hook in the game client, and wherein each hook signature provides information about at least one cheat code element.
  - 17. The system of claim 15, wherein detecting one or more cheat code elements further comprises identifying at least one cheat code if a plurality of addresses associated with the plurality of hooks are determined to be associated with used by a prior identified cheat code.
  - 18. The system of claim 15, wherein detecting one or more cheat code elements further comprises analyzing a code portion from within the suspect code to determine if the code portion is associated with a prior identified cheat code.
  - 19. The system of claim 15, wherein detecting one or more cheat code elements further comprises analyzing a code portion from within the suspect code for a text string that is on a blacklist for the game client.
  - 20. The system of claim 15, wherein storing information from the hook and parasite signatures further comprises:
    - If the probability valued indicates the suspect code is game cheat code based on a first number, but not a second number of code elements for the suspect code, then identifying the second number of code elements as also being cheat code elements; and
      
      storing the second number of code elements for use in detecting a subsequent change to the suspect code in another client device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Valve Corporation
Original Assignee
Valve Corporation
Inventors
Cook, John, Otten, Martin

Granted Patent

US 9,317,684 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/26
CPC Class Codes

A63F 13/335   using Internet

A63F 13/75   Enforcing rules, e.g. detec...

A63F 2300/535   for monitoring, e.g. of use...

G06F 21/552   involving long-term monitor...

G07F 17/3241   Security aspects of a gamin...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

PROTECTING AGAINST POLYMORPHIC CHEAT CODES IN A VIDEO GAME

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

PROTECTING AGAINST POLYMORPHIC CHEAT CODES IN A VIDEO GAME

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links