Trigger Bot 😱🎮
#game #gamer #cheat #software #fail #bug #chat #problem #News
♲ anonymiss - 2024-10-18 09:07:32 GMT
tl;dr: write "trigger bot" in the chat to #exploit #gaming #anticheat #software. This will result in permanently ban for the #gamer 😱- - - - - -
OVERVIEW
Signature scanning is a mechanism implemented by all modern anticheats. When used correctly, it is an effective way to catch and ban cheaters in video games.
Also antiviruses use this technique to catch and identify malware so the method is not new or fundamentally flawed.
The way signature scanning works is that it scans your computers memory for footprint of known cheat software.
This requires that the anticheat devs carefully analyze the cheat and create an UNIQUE signature that is only found in your RAM when the cheat is loaded and NEVER found when the cheat is not loaded.
RICOCHET AND SIGNATURE SCANS
As expected, Ricochet also uses signature scanning as one of its many methods of detecting and banning cheaters.
Earlier this year, when I was tracking memory allocations of their kernel module, I stumbled upon a memory region that caught my attention. Unlike most regions, this one contained
a lot of strings, all of them cheating related. Reversing the structure confirmed my suspicions; it was a list of signatures for a signature scan routine.
THE SIGNATURES
As I said before, anticheats must be extra careful when creating signatures for cheats - a bad signature could lead to innocent players being banned.
Well, without further ado, lets take a look at a few signatures Ricochet has been using:
53 63 72 65 65 6e 73 68 6f 74 20 63 6f 75 6e 74 65 72 (Screenshot counter)
54 72 69 67 67 65 72 20 42 6f 74 (Trigger Bot)
42 00 75 00 62 00 62 00 6c 00 65 00 20 00 45 00 53 00 50 00 (B.u.b.b.l.e. .E.S.P.)
As you can see, Ricochet is a big fan of using plaintext ASCII (and multibyte) strings for their signature scans. What could go wrong?
THE EXPLOIT
So now we know that anyone who has the sequence "Trigger Bot" in their games memory will be flagged as a cheater.
This might sound reasonable at first glance since "Trigger Bot" is a common occurrence in cheat menus. Surely you are using one if this phrase is found from your game, right?
Well, unfortunately for Ricochet, that's not the case. Someone sends a message in game chat, that message will be in your games memory. Someone sends you a friend request - their name will be in your games memory.
When you are playing a game, all the player names in your lobby - guess what? In your games memory.
THE IMPLICATIONS
For quite some time it has been possible to get people permanently banned by sending them a friend request or posting a message ("Nice Trigger Bot dude!") in game chat.
I even heard of someone who made an autohotkey script to spam join Warzone lobbies and post messages in chat to get anyone in the lobby banned who is scanned by Ricochet during the game (couldn't be me, honest).
I am in a position where I can say that several thousand random COD players were banned by this exploit before the streamers began to be targeted. Censor, Parasite - etc and the others were targeted before the big reveal. I planned to target more but it seems when several major streamers are perma banned, Ricochet will turn bans off and investigate. No fun. x)
This is the result of major oversight from the Ricochet team by using improper signatures.
Activision has already started to unban accounts that were banned using this exploit, but this comes with a caveat: also real cheaters who were caught by these signatures will get unbanned. Also Ricochet seems to not understand how many people got pwned by this with their small number claims. x)
You can read their statement here with highly downplays the number of false bans issued - https://x.com/CODUpdates/status/1847001212761350574
#bot #cheat #fail #bug #game #security #Problem #chat #string #trigger #news #cod
