Undecember

Friedtofu Oct 15, 2022 @ 10:47pm
Is Nprotect gameguard a system security vulnerability? Is it a rootkit? yes. details inside.
I created this because Common Vulnerabilities and Exposures should revolve around facts, and not witch-hunts. Thank you for coming to attend my TED talk.

So to make things clear before I continue, nProtect GameGuard does indeed function as kernel-level (aka Ring 0) anti-cheat software. Meaning it has the authority to execute and install services at a level higher than an administrator on your own PC. The reality is nProtect is just as safe as any other currently available game that includes anti-cheat software.

Wikipedia calls nProtect a rootkit, though I think it's safe to say the term rootkit itself is outdated and rootkits as an attack are hardly used anymore; how they're used, and what is in a typical payload, has drastically changed since the early 2000s. nProtect has been around since that time, and if you played MapleStory or Rappelz back in the day or even PUBG before 2021 you were under the "protection" of game guard.[0]

The thing is, nearly every big multiplayer, ESPECIALLY F2P or competitive multiplayer based games use anti-cheat that has the same, previously mentioned kernel-level access while your game is running.[1] [levvvel.com] Why? Because cheaters would consistently find ways of getting past their protection, for popular games within hours of updating.

So, ultimately what everyone is asking is more or less "Am I more at risk of my computer being infected with nProtect vs EAC or XIGNCODE3?". That's something I can't answer, and even veterans in cyber-security can't answer unless there's some in-depth research done into how each anti-cheat operates. As users, anti-cheat software is installed as a completely baked application. You can't reverse engineer it, and somehow "de-encrypt" the contents to see *exactly* what it's doing behind the scenes.

At the end of the day, whenever you click "yes, I accept the TOS" before you start a game you're also saying "yes, you can see any and all files on my device, track my keystrokes and monitor my activity." Again, unless you're a Software Engineer or the like willing to spill the beans, it's unlikely we'll ever see what sort of exchange goes on between anti-cheat, the game and our devices.

Sorry, I don't want to chastise another person for trying to protect others from a potential software threat, but when you're telling people to start messing with their registry files; that's a definite no no. Unless you're MCSE or CISSP certified of course; if you are then everything I say here is moot.

Breaking down OP's post


OK, with that said. Let's break down what the OP in the other thread highlighted/emboldened in the Wikipedia article that I want to address. It seems like you were pointing to this Wikipedia page as your proof for nGuard being a malicious rootkit.





Originally posted by OP:
blocks certain calls to Direct X functions and Windows APIs, keylogs keyboard input[citation needed], and auto-updates itself to change as new possible threats surface.

This is true, but again also true for every game with anti-cheat as hyperlinked to before. The Wikipedia article may as well say total system control as they have kernel level access.

Originally posted by OP:
works like a rootkit,[2][6] players may experience unintended and potentially unwanted side effects

Uh...yes. But you should have emboldened the next few sentences:

Originally posted by OP:
If set, GameGuard blocks any installation or activation of hardware and peripherals (e.g., a mouse) while the program is running.

Yeah, that sounds more reasonable. Anticheat is only running while the game is running. MMO bots, FPS aimbotters, typically use cheats that involve the automation of mouse/keyboard functions with a virtual device to carry it out.

Check out this C#-oriented fishing bot in action, specifically the log at the bottom right.[picallow.com] The project is open-source, finding the repository and setting it up is pretty easy.

And it may be overkill but here's a Kotlin-based aimbot for a popular FPS game. Check out this section of a script (https://picallow.com/aimbot-2/) which is emulating the left click button after snapping to a target.


Lastly:

Originally posted by OP:
Additionally, some versions of GameGuard had an unpatched privilege escalation bug, allowing any program to issue commands as if they were running under an Administrator account.[8]

There's actually only been one reported CVE including privilege escalation[cve.mitre.org] which happened in 2005 and I can't find much else on it, which games it affected, etc.

2005...that was a few years before Windows Vista, game anticheat systems were still in their infancy and there weren't nearly as many people interested in programming or even gaming for that matter back then. If you're comparing that to some of the more recent anti-cheat exploits, it's not that bad. The only thing I have left is to post some examples of the CVEs I talked about before with more recent games; only to show how vulnerable any and all games realistically are as long as the bad guy/girl(s) are motivated to hack it.

Dark Souls 3 RCE (Remote Code Execution) vulnerability that led to them installing EAC for Elden Ring [www.malwarebytes.com]

Genshin Impact driver turned rootkit. What would likely be the worst-case scenario for game guard if it were to happen.[www.trendmicro.com]

Our lord GabeN discussing Valve Anti-Cheat and a little bit of insight into what sort of data it exchanges.[www.pcgamesn.com]
Ashyne Oct 15, 2022 @ 11:29pm 
I remember playing with nProtect Gameguard as long ago as 2003 in GunBound.
Tyrone Biggums Oct 15, 2022 @ 11:37pm 
the tin foil hat is strong with this one
Friedtofu Oct 16, 2022 @ 12:24am 
Originally posted by MilkyTofu:
I remember playing with nProtect Gameguard as long ago as 2003 in GunBound.
Hell yes. Kinda wish they would try bringing it back.

Originally posted by Tyrone Biggums:
the tin foil hat is strong with this one

Uhhh...I guess you didn't read past the first paragraph but my post was explaining that while information is collected for sure, only the company that makes the AC software knows the specifics. The whole point of the post is just saying that it's another AC, most people have used it before, there is no current threat as far as malware/spyware/malicious code being deployed along with nguard. People heard the word rootkit and went crazy.

https://www.google.com/search?tbm=nws&sxsrf=ALiCzsbUq-AJzolX_eJqLntzbSWbafF80w:1665904997042&q=anti+cheat+kernel+controversy&spell=1&sa=X&ved=2ahUKEwjk1M_cm-T6AhWLmWoFHRbhDnAQBSgAegQIBhAB&biw=1920&bih=933&dpr=1

Here's my [wellbia.com] sources [www.riotgames.com]
Last edited by Friedtofu; Oct 16, 2022 @ 12:30am
SirGuySW Oct 16, 2022 @ 4:42am 
Originally posted by Friedtofu:
At the end of the day, whenever you click "yes, I accept the TOS" before you start a game you're also saying "yes, you can see any and all files on my device, track my keystrokes and monitor my activity."
That's a bizarre overgeneralization. Not every ToS has clauses permitting unannounced remote perusal of users' files, keylogging, or other system/activity monitoring.

In any case, I do not believe the main concern is regarding the developer's *intention* with the rootkit, but is instead regarding the fact that the rootkit exists...

Said another way: Whether or not the developers *choose* to push malware to users' computers via their rootkit is not the issue (or whether they *choose* to do anything else to users' computers since they have full access). The issue is that that choice exists.

The owner of a computer ('user' here) should always have the final say about what happens to their computer. A rootkit bypasses that. By installing a rootkit (knowingly or not) that 'final say' is transferred away from the user to the owner of the rootkit. Essentially, the owner of the rootkit becomes the owner of the computer (albeit remotely; thus 'owner' and 'own' in the computer networking sense, not the 'bought it at the store, legal owner' sense).

I don't doubt this particular rootkit is "just as safe" as the others in the industry. That thought gives me no comfort at all because it's not relevant to the point: A rootkit is a rootkit regardless of the intentions behind it.
Lightning Oct 16, 2022 @ 4:44am 
Originally posted by Tyrone Biggums:
the tin foil hat is strong with this one

Many IT's know exactly what nProtect is
Grimbor Oct 16, 2022 @ 7:37am 
nProtect is administered through South Korea which until relatively recently was a police state and still has many laws on the books considered highly unconstitutional in most Western and some Asian countries like Japan. US intelligence loves this as they work hand in hand with SK to mass gather info. Any personal web search on North Korea or anything they choose to flag could potentially get you on a watch list. Or this is just paranoia. Regardless, no one gets admin rights to my computer and especially the ability to access higher levels of security than me in my own computer.
Lightning Oct 16, 2022 @ 7:39am 
You're using an OS that is already spying on you?
absinthe Oct 16, 2022 @ 7:55am 
here's the thing.

if you're truly paranoid, install a linux partition so you can watch your xxx content and infowars.

otherwise... microsoft windows is spyware itself, so is your entire browser. most online games track everything. gamers are not KGB/MI6/CIA, we have nothing to hide, most of all the data only improves the games.

what gamers WANT to hide is their xxx vids and "edgy" content.

no one cares bro, just install a linux partition.
Grimbor Oct 16, 2022 @ 8:04am 
Most of us have nothing to hide, it's the principle of a slippery slope. Most of us would also tell a cop to go to hell if he wanted to search your car or home because they are canvassing the whole neighborhood.
P e l l i Oct 16, 2022 @ 8:38am 
Anyone crying about gameguard should start to worry more about their phone, their pc web browsers and less about something that might or might not be collecting innocuous game data to improve a game and send it to a kr based company. Because I highly doubt nGuard can even be used as an attack vector.
Last edited by P e l l i; Oct 16, 2022 @ 8:39am
PhamTrinli Oct 16, 2022 @ 9:05am 
All ring 0 AC are system security vuln's, yes
Kerkain Oct 16, 2022 @ 9:32am 
If nProtect were a "malicious rootkit" it would be labeled like that? Wouldn't MS Defender, AVG, Kaspersky, McAfee, Symantec, Crowdstrike, MalwareBytes or other popular anti-virus programs be aware and flagging and quarantining it? It's not like it's been under the radar since 2005 or something.

The cybersecurity world finds these things and does a very good job of reverse engineering and patching the vulnerability or getting it off a computer. Like I can't imagine those types of people go "ha look at this rootkit being deployed by this software... let's ignore that one".

There is so much software that leaves junk behind after it's been uninstalled. Folders and files in your AppData, temp files, registry. It's crap packaging/programming.

We live in a world where we are the product and everything is tracked whether we are willing or unwilling to let it happen. Your phone data, texts and browsing is all saved with a phone carrier. Your internet data is with an ISP. Facebook for sure tracks your crap whether you like it or not. Google and Amazon practically own the internet and know everything about you. Microsoft especially tracks you. Steam. Epic games. Ubisoft. EA. nVidia. Anything with a "launcher" tracks your data.

Gonna put a second tin foil hat on but I am convinced that turning off tracking data on anything is purely cosmetic and it's not really turned off. Unless you're in the EU then I could trust it more but not by much. Fines end up being cost of business.

I'm jaded. Google has a way to download and view all the data they collect on you, I think Facebook does too. It's a lot, down to recordings of the voice commands you give your phone. Give it a go:
https://takeout.google.com/
https://www.facebook.com/help/212802592074644
https://www.amazon.com/gp/privacycentral/dsar/preview.html
https://privacy.microsoft.com/en-US/

So yea, I don't care about nProtect.
Friedtofu Oct 17, 2022 @ 1:14am 
Originally posted by SirGuySW:
Originally posted by Friedtofu:
At the end of the day, whenever you click "yes, I accept the TOS" before you start a game you're also saying "yes, you can see any and all files on my device, track my keystrokes and monitor my activity."
That's a bizarre overgeneralization. Not every ToS has clauses permitting unannounced remote perusal of users' files, keylogging, or other system/activity monitoring.

In any case, I do not believe the main concern is regarding the developer's *intention* with the rootkit, but is instead regarding the fact that the rootkit exists...

Said another way: Whether or not the developers *choose* to push malware to users' computers via their rootkit is not the issue (or whether they *choose* to do anything else to users' computers since they have full access). The issue is that that choice exists.

The owner of a computer ('user' here) should always have the final say about what happens to their computer. A rootkit bypasses that. By installing a rootkit (knowingly or not) that 'final say' is transferred away from the user to the owner of the rootkit. Essentially, the owner of the rootkit becomes the owner of the computer (albeit remotely; thus 'owner' and 'own' in the computer networking sense, not the 'bought it at the store, legal owner' sense).

I don't doubt this particular rootkit is "just as safe" as the others in the industry. That thought gives me no comfort at all because it's not relevant to the point: A rootkit is a rootkit regardless of the intentions behind it.

You're totally right about it being the owner/end-user's decision and I'm not trying to change the perception of what it is, I'm only trying to point out that nProtect isn't a virus, it's not spyware that blackhat hackers are using, it's an anti-cheat system that runs with privileged escalations on your machine just like every other anticheat system.

Here's the definition of a rootkit I think both you and I would agree on:

Originally posted by Oxford Dictionary:
a set of software tools that enable an unauthorized user to gain control of a computer system without being detected.

But for the large majority, if they hear the word rootkit - the first thing that pops into their head is: Malware/Spyware/Virus. Right? As far back as I can remember the term rootkit was always associated with a malicious payload. This is the definition of a rootkit from Kaspersky that is much more specific than Oxford's definition:

Originally posted by Kaspersky:
A rootkit is a type of malware designed to give hackers access to and control over a target device. Although most rootkits affect the software and the operating system, some can also infect your computer’s hardware and firmware. Rootkits are adept at concealing their presence, but while they remain hidden, they are active.

That's why I said in my post that if they label game guard as a rootkit on the software's Wikipedia page, there's no reason BattlEye, EasyAntiCheat, PunkBuster and XIGNCODE3 shouldn't be labelled the same. The word rootkit has become ambiguous; if there was any malware associated with game guard this post wouldn't exist.

I probably should have worded it differently but you're right and I apologize because a TOS is really just covering all of that company's bases in terms of any information that may be collected for any given reason as well as to protect themselves if customers try to prosecute a company after a data breach. I mean just recently Netflix was the target of a large-scale phishing campaign [www.inky.com] and had 2 data breaches just this year. [www.spiceworks.com]

Last thing, for anyone tech-inclined interested that hasn't already the monitoring process themselves, here's my upload. I'd like to also include some other popular services for reference:

nProtect GameGuard [www.hybrid-analysis.com]

EasyAntiCheat [www.hybrid-analysis.com]

PunkBuster [www.hybrid-analysis.com]

BattlEye [www.hybrid-analysis.com]

Last edited by Friedtofu; Oct 17, 2022 @ 1:31am
( ͡ᵔ ͜ʖ ͡ᵔ ) Feb 11, 2023 @ 3:47am 
Originally posted by Friedtofu:

So to make things clear before I continue, nProtect GameGuard does indeed function as kernel-level (aka Ring 0) anti-cheat software. Meaning it has the authority to execute and install services at a level higher than an administrator on your own PC. The reality is nProtect is just as safe as any other currently available game that includes anti-cheat software.

Any anti-cheat that works like a rootkit is NOT SAFE. Period. It's like giving your house keys to random strangers in hope nobody robs you.

Other anti-cheat software that does not require administrator or kernel access is not comparable.

Keep slurping on your koolaid.
wespe___o=/;;;:* Feb 11, 2023 @ 3:39pm 
Originally posted by ( ͡ᵔ ͜ʖ ͡ᵔ ):
Any anti-cheat that works like a rootkit is NOT SAFE. Period. It's like giving your house keys to random strangers in hope nobody robs you.
Exactly :steamthumbsup:

Date Posted: Oct 15, 2022 @ 10:47pm
Posts: 62