I really like your theory on a vulnerability in the game API. It seems very realistic that the hacker found a way to manipulate api requests and control the server; just by joining the game and modifying their client's requests.
Nice video but I'm a little bit confused; you mention this could be directX hooking/hijacking and then say that's not code execution? To me, the fact that you're creating your own directX object from within the game process means you're running your own code. There's nothing preventing you from popping calc.exe instead of an in game window at this point. Am I missing something?
Yes, you missed the very obvious fact that this guy records himself saying for 15 minutes "I don't know. We can't be sure. This article says there is nothing known." and he even doesn't know if it was a vulnerability or an exploit which means he has absolutely no real knowledge in this field if he can't tell the difference between those two. My guess is he thinks games are built like chromium where every thread is isolated in a sandbox with secured channels communicating outside lol
@@user-mj8bg3fw8w "He doesn't even know if it was a vulnerability or an exploit which means he has no knowledge in this field if he can't tell the difference between those two" Lmao what are you talking about? First of all he never said that. Second of all, those two words are essentially interchangeable. They're two ways to say the same thing. A vulnerability is something that can be exploited. An exploit requires a vulnerability. The distinction you're alluding to doesn't exist.
@@hnielsen123 That's 100% the correct explanation. Now listen at 0:38 "There is a growing concern that there is an exploit or vulnerability" so we both know without a vulnerability there can't be an exploit and there can't be an exploit without a vulnerability. So why does he separate them?
@@user-mj8bg3fw8w dude come on. It's a figure of speech. The same way someone might say "I'm trying to find a fix or a solution to this problem". Sometimes people say something in two different ways for emphasis. You're reading way too much into it. Serious question, do you know anything about john hammond? Or did this video just show up on your feed and this is the first time you've ever heard of him?
Half-expecting this to become a more common occurrence. Once something like this happens once, in this day and age, you can expect it to happen over and over again, especially on older games.
btw, Thor figured out that the IP is just from a scanner, but he is a bit concerned that it could actually reach their computer, since it shouldn't be able to do that by default, so maybe some messed up port forwarding, or maybe some remnants the hacker didn't clean up.
As a crossover between gaming, coding and cyber security, I'd like to put a game called "BitBurner" on your radar. I'd be super interested in hearing your opinion on it as a way to learn the basics of coding and security.
You know the thing is getting real when Mr. Hammond speaks about it ❤ You, Thor, David Bombal and NetworkChuck should do a podcast about this one 😉 When this whole thing began to go viral most of the people started to abuse the word " RCE ", which kinda makes no sense since we have no official or correct info regarding to what kind of attack was it. Since the game engine is being an old one and being heavily patched; there might be an exploit with the client ( not offensively to EA..yk ). And when I saw the threat actor who claims to be " Destroyer2009 ", proceeds to create a whole bot lobby using somewhat method ( I'm not a developer so I don't know about server or client side process that was behind this ) which began to follow a squad of 3 players ( ImperialHal and two more ) and in the end getting them eliminated, I thought " man, this guy got some real sh*t " 😅 So this seems this dude somehow has the ability to perform " Server-sided-actions " Assuming the server doesn't accept every command that the client sends, there's been a server side error behind above action. And of course as Thor found out in Hal's PC, if there was access to the pc, this pc is most likely to be compromised using a server sided data stream ( like a reverse shell thing ) since this dude has no direct access to Hal's pc. There are a lot of problems going around so as Thor and You said, we have to know more before concluding any statements. " The more you know, the better you become 😊 "
I remember that name destroyer... I got hacked by one with that name in Diablo 2 back when I was riding the top of the ladder in 2008-2010. I wonder if they are the same destroyer
Something to note, the cheat gui looking like it’s part of the game actually makes it more likely there's either an rce or someone put a backdoor on their system, often for internal cheats (cheats that involve force loading a DLL into the process which either contains the cheat code or communicates with a corresponding driver to run the cheats) often will use whatever drawing apis are already used by the target, making it very common for the gui to be ingrained in the game (and makes it easier for the gui to have similar visuals to the game)
It's a menu drawn with a Nuklear, and yes is given through RCE, but the cheat that has it is ONLY a developer/private build, and this isn't made public at this point.
@@linear_pubit has to be a bug in the anticheat client unless they found some way to inject code into the process remotely either directly targeting your client with traffic or sending data to the server that somehow executes code on the client id say anticheat. because it would likely already have network capacity for downloading uploading files and has the privs to do anything on the system. its basically a free rootkit.
This is a kernel level anticheat. That would be a payday for the hacker who finds that vulnerability. Not likely. The hacker who is claiming responsibility said that it was a bug in the game, but that doesn't mean RCE. If it was just some trickery with the scripting engine turning on QA features and displaying a "fake cheat menu.png", that is not an RCE. They are limited to what the scripting engine can do, so, at that point it becomes a question on if you can escalate to arbitrary code execution from there.
@@nordgaren2358 not impossible at all. ACs are sloppy sometimes due to corporate issues. not to mention this isnt an image. its fully functional and also highlighted other players with ESP
As someone who has been in IT and gaming for a lot of years i wont out of hand dismiss the possibility of an RCE, some of the anti cheat software that comes with these games hooks into the system deep enough to be a real concern.. but that said there are only a few big ones out there, and a 0-day RCE in one big enough to be used in a large game like apex would be worth a metric sh*t tonne. to burn it on trolling some streamer on a game even if it was at the professional level, i cant see that happening. The supporting redistributable that was mentioned by your co-worker is also part of a massive number of games, so i would consider that being the 0-day or attack vector unlikely for the same reasons as above. The streamers themselves being infected with a RAT is far more likely, when you take into account that a lot of the more modern RAT's are capable of silently installing and running anything you want, my money would be on this vector not anything to do with the game, it's engine, supporting redistributables or anti-cheat
I think the streamers being infected with a RAT is the likely scenario. If it was an RCE, that would mean that the attacker would have to also patch the anticheat and the game while it is running, and not trigger the anticheat at all. This is quite the tall order. I'm more inclined to think these players installed cheats long ago, and the cheat client installed a RAT. Patching the game while it's already running (but more importantly while the anticheat is running.) is not impossible, but it makes it much harder if your patch wasn't loaded in while the game was being loaded. I patch games while they are running, but if I needed to bypass the anticheat, I would want, and maybe even NEED, to have my patch loaded before anything else. Hell, I might even want to replace the anticheats PE entirely, so that my own code gets ran, and not the actual anticheat.
I am a player of Apex Legends and I personally think it isnt a RCE exactly as RCE vulnerability exploit will affect the server side! Not selected players. But on the same time I also think it can be a successful phishing attack on the employees of respawn or It can be a vendetta against respawn as they recently laid off bunch of employees who have been working on the game since Day 1. I am open for a security perspective discussion on this! If anyone has any other things to add or modify please reply!
What an RCE affects is entirely dependent on the bug, itself. The bug might not be in the server code. It might be a client only bug. It's hard to say what it was, really. It still might not be an RCE if the attack was unable to affect anything outside of the game process.
Not sure that would be possible, seeing as there are time limits on AnyRun so you wouldn't be able to even get a copy of the game before the times up. On top of that, if you did manage to, you'd have to run around lobbies waiting for this to happen to you, and that's unlikely seeing as this is a feature used by 1 provider in a private build, not on a public provider.
@@zxph the other guy said he was on a fresh install of windows (just hours old) when it happened. always reinstalls for tournaments to negate any kind of negative performance impacts or crashing.
@@teabola Ah good to know. Sounds like a good idea, if a bit tedious. Too bad it didn't help very much. The fresh install, hacking in public servers, EAC finding nothing on their end, the fact that the hackers reportedly said they were "jokers and not clowns" and didn't want to perform a mass attack at the risk of facing severe consequences (which would explain why they would be comfortable burning the exploit on a small-scale attack like this), the fact that the second guy didn't appear to have the TSM halal tool loaded suggesting there is not malware installed on his system.... looks to me like it all points to an exploit affecting Apex servers directly.
If you are referring to that RPC inbound connection.. that is kind of strange, because, as Hammond said, receiving an inbound connection on port 135 from a public internet address is very very unlikely, and that port must be exposed on purpose to the public internet, otherwise 99% of the times NAT would prevent it from working. Also svchost is really vague, since that process is, as the name suggests, a host for other executables that are meant to be run as a service on the system. At least knowing WHICH exact service was involved is a basic requirement for digging deeper in the root cause analysis of that Malwarebytes alert.
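One way to answer the "which service" question raised in the comment above, as an added example that is not part of the original comment thread: a PowerShell triage snippet that lists every TCP socket on local port 135, flags public remote addresses, and names the services hosted by the owning svchost.exe. The helper name `Test-PublicIPv4` and the output column names are made up for this example, and the private-range check is a simplification that covers IPv4 only.

```powershell
# Added example: map TCP/135 sockets to the services inside the owning process.
# Run in an elevated PowerShell session on the affected Windows host.

$port = 135

# Hypothetical helper: returns $true when the address is IPv4 and outside the
# loopback, unspecified, RFC 1918 and link-local ranges (simplified check).
function Test-PublicIPv4 {
    param([string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $b = $ip.GetAddressBytes()
    if ($b[0] -eq 0 -or $b[0] -eq 10 -or $b[0] -eq 127) { return $false }
    if ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) { return $false }
    if ($b[0] -eq 192 -and $b[1] -eq 168) { return $false }
    if ($b[0] -eq 169 -and $b[1] -eq 254) { return $false }
    return $true
}

Get-NetTCPConnection -LocalPort $port -ErrorAction SilentlyContinue | ForEach-Object {
    $conn = $_
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue

    # svchost.exe is only a container: Win32_Service records which services
    # actually run inside a given process id.
    $services = Get-CimInstance Win32_Service -Filter "ProcessId = $($conn.OwningProcess)" |
        Select-Object -ExpandProperty Name

    [pscustomobject]@{
        State        = $conn.State
        Local        = "$($conn.LocalAddress):$($conn.LocalPort)"
        Remote       = "$($conn.RemoteAddress):$($conn.RemotePort)"
        PublicRemote = Test-PublicIPv4 $conn.RemoteAddress
        OwningPid    = $conn.OwningProcess
        Process      = $proc.ProcessName
        Services     = ($services -join ', ')
    }
} | Sort-Object State | Format-Table -AutoSize
```

A `Listen` row is expected on any Windows host; the rows worth following up are `Established` ones where `PublicRemote` is true, since those mean the port was reachable from outside the local network.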
@@zxph yep. A lot of people also fail to understand that apex runs on source which has been susceptible to rce and different exploits in the past. They also don't know that apex uses squirrel scripts, which if you have some access to the server, can be used to run said scripts.
Damn, as a security practitioner and forensic analyst i wish i had a chance to investigate the compromised clients :( My speculation is that they might have been compromised ahead of time via a different vector, and then the attacker used said compromise to showcase their tools capabilities. Yet i'm fairly sceptical that the game client could be abused to achieve RCE. unless that capability is coded in the client itself, but I mean.. come on? really? There's no way someone would code a game client in such a way that a backend service infrastructure could issue the execution of arbitrary code. And exploiting an RCE bug (memory corruption) in the game client by maintaining stability and preventing it from crashing? meh.. I know there are infinitely skilled hackers out there, but this would look REEEEALLY HARD.
i dont think they did it directly via the game client. not without exploiting the server in some manner or directly connecting to game clients as a fake server. no i think this is an issue with the anticheat. they typically have self updating capacity and if they could exploit the anticheat client running on the system or exploit the C&C system to push an update into the game (or access the target kernel)
@@nordgaren2358 I quickly read through that (thanks for the suggestion). It looks like a memory corruption bug, and as far as i can understand, since the execution flow gets redirected to arbitrary code through a rop chain, the game integrity gets compromised and crashes in order to execute the payload. This didn't at all happen in the apex incident, reason why i'm a bit sceptical about that being the attack vector
@@francescormp3163 Well, it is an example of back end infrastructure enabling the execution of arbitrary code, is it not? The client had this behavior, but the back end also had the ability to reject these packets. In fact, that was the suggestion to FromSoft, except there were more bugs that needed patching on the client side, so they patched both. The point being that a bug is a bug. RCE in the game client is a possibility. It's just not likely here. But who knows.
@@francescormp3163 also the game crashing is a side effect. Doesn't mean that all RCEs will cause a crash. I don't even think the game is guaranteed to crash. There are some RCE vulnerabilities where it's not guaranteed. Like EternalBlue.
Reminds me of the PS Network vulnerability that was discovered not long ago. No wonder those get the highest bounties (surprised they were actually paid) considering you figure that out, their entire network is toast. Remember when the PS servers went down for a week or so? Fun times.
What are your thoughts regarding League of Legends and Riot Vanguard being another Kernel-level anti cheat software? From the little research I've done so far, it seems like there's quite a bit of room for security problems. Some other games like Fortnite and Halo: MCC have kernel-level anti cheats, what makes Vanguard different? I'll continue looking into this but what's your take, and what are some resources I could help inform myself and friends. Thanks!
"This whole scene is just to big." You're an expert bro. The meaning is just less than people give it credit for. If you have expert experience in the industry, you're an expert in some way shape and form. My 2 cents: this wouldn't be the dumbest thing a 16 year old ever blew an RCE on. I do have to agree with your assessment in most other respects though. Also... why malwarebytes and no real IR? a pretty halfbaked velociraptor dump would be better. edit: Also games are just programs that are like a fungus with root systems touching tons of things on the internet with capability to send phishing or other malware loaded cheats or a ton of other tricks to get people to do things they shouldn't for threat actors of all kinds. Between tricking people into running stupid mods, to actual in game exploits, it's a massive attack surface and while those attacks aren't likely they can and will happen. Just my 2 cents after a bit more thinking.
The fact that he can spawn bots in the servers at will is very concerning.....If he figured out how to do that to all the servers...he could make the game unplayable by constantly filling all the servers with bots so no human players can get in.
There have been bugs in Titanfall 2 (the game the apex engine is based on) that allow anyone to inject scripts in the games scripting language (Squirrel) into other clients connected to the same server. This is a form of RCE but it might not allow Arbitrary Code Execution. Seems likely this is a similar situation given the Titanfall bug happened multiple times.
@@nordgaren2358 the scripting in the game is good enough to let you implement esp and aim bots. It obviously took some work to pull this hack off and putting together a small cheat using it is not that hard. People did similar things in TF2 using these scripts. Please stop confidently stating things you have no clue about.
@@nordgaren2358 I have evidence, go and Google: northstar unrestricted script Also, compare the fonts used in the menus of the fake cheat to those of Titanfall 2. They are the same. Also pay close attention to which UI elements the cheat renders over or under. Compare this with footage of other Apex cheats that are easily found online. They are very different. Obviously none of this fully confirms anything but it does line up with it being a game scripting based attack.
Ironically I think this is one occasion people are right to blow it out of proportion, sure it's likely something less intimidating that is being portrayed but good on the people who actually avoided Apex for safety reasons - or any negative reason, legitimately some players are potentially addicted.
I think a lot of it is Squirrel script execution. It's been around since Apex came out, and was present in past Respawn games. There was a huge vulnerability in TF2 where you could literally bind server commands to a key and execute them, and the server wouldn't do any checks and just do whatever you told it. Respawn tries to keep up and patch the methods, but people are usually able to find ways around it. But everything destroyer has annoyed streamers with has been around forever. It's documented and actually insane how badly the servers can be manipulated. But the only thing I've never seen is how destroyer was able to give them cheats if he claims to have never gone outside the Apex process. It's probably an internal cheat since the menu seemed to have been drawn in-game. But I would've thought you needed to have a RAT that could drop a DLL and inject it. So I'm very curious to see how that was done. Aimbot doesn't seem impossible, but silent aim is something else, and also the ESP that Gen had. Whatever the case, I wonder how it'll be handled and fixed. I've seen some people on forums suggest it's not a difficult fix, while others say Respawn should just rewrite all the server code. We'll see.
@@sonofyupe people like to believe in rumours without even verifying it because it's easier to believe. Making them sound smart for knowing things even though it is just an unproven claim.
@@Armrongeddon it's the biggest match of the season so far, 1st prize is still $20k. But it's determining who goes onto the LAN playoffs where 1st prize is $300k
Wouldn’t Hal need port forwarding enabled on his router to allow connections inbound on port 135? I don’t for one second think RPC was exploited. I would understand an outbound connection (reverse shell) but not some inbound connection in a well known port (hoping port forwarding was enabled). Inbound RPC hack sounds so unlikely. Why would an attacker burn a million dollar exploit on RPC to hack a pro gamer? Not likely.
I commented about this on Thor’s video. It makes no sense. He would indeed have to port forward or have his pc exposed to the internet. Which I just find very suspicious
Coming from the counterstrike 1.5/6 days where you could push scripts and compromise users who connect to a game server. Nothing is really impossible these days. Some European servers created their own banning system that wiped the users system 32. 😂
I got infected by another online multiplayer fps game that I used to play, it was open source, the dev basically gave the hackers a free for all, they did a lot of damage and were involved in cp/voyeurism/identity fraud/stalking/harassment and more.... people are disgusting...
I think it's simpler to believe these competitors had cheating software on their systems and this software gives the creators of these tools access to their game/their software.
They got caught, and tried to blame someone else for their stupidity. Hahahahaha 😂😂😂 As someone who develops those hacks, that's exactly what it was period they got caught using hacks and had to play it off as not them. The dude accidentally turned on his imgui menu and had his buddy tried to cover for him.
Everyone here doesn’t know about the apex competitive community. One of them(HAL) is the most popular streamer & has won the most tournaments, his reputation is too big to cheat. The first guy, genburten, who was given the mod menu is questionable tho.
Naah i think he has access to the servers somehow... could be via an employee's computer inside, maybe a friend that works at respawn installed some software a friend told him to?... Could be that he had access long before the tournament seeing as he was spawning bots in... and it wont be the first time someone has access to their servers... looking back at titanfall, remember the great jeanu ? yeah i think the vulnerability definitely is employees... feel like this isn't the first time respawn gets hacked
I can see rce happening. Could be client side or server side depending on what's compromised. I could also see a closet cheater and or a cheater using cheats on an alt account and the cheat leaving a backdoor that will expose the cheat shall the cheater not comply to demands. Seeing the evidence presented so far, I believe this is a server sided rce. Being able to target specific users on the server and issuing an rce has been done before in the past, granted those were p2p type "server". Knowing how deep today's games have access to, kernel/ring0, it was bound to happen sooner or later.
It's a bit unbelievable, tbh. The theory that the aimbot and esp were internal game tools would make more sense, as the anticheat would have detected a cheat injection mid match.
Well, I would say it's very likely it would detect that. That's not an easy thing to pull off mid match. You also need to pause the entire game process while patching in your cheats, or you will likely cause a crash.
@@nordgaren2358 Why would a developer leave an obvious cheat tool inside a retail state game. There would have been a high chance someone found that long ago. Well, if that's a REX, it must have been something very long in the making to understand the RAM structure to hook itself in - and have it interactable as part of the GUI. Apex wasn't made in Unreal Engine, right?
@@Sypaka because they used the wrong build command, or something similar. It happens more often than you think. Looking for debug code is something cheat devs do often. Dark Souls 3 is an example of this. The 1.15.0 build of the game contains most of the debug menu. The 1.15.1 build that was released to deal with the RCE exploit also removed most of the debug menu code. So we have a restored menu for 1.15.0, and someone needs to basically re-implement those debug functions again. Using internal debug tools would also explain why EAC didn't get triggered at all.
I wish the bot hackers for Team Fortress 2 got this much coverage... Then maybe something would be done about them after the 3+ years they been plaguing casual servers.
More likely to drum up biz, and second if they bet a large amount of money on the game and they wanted to disqualify these people. It's almost always about money.
Tbh in this case even if the pros will get unbanned they would have been unbanned very soon. Nothing really bad happened. So chapeau to the hackers, something like that isn't easy and depending on what it was could have been used much more malicious.
The fact that a colleague of yours is working on a bug like this tells me, there exists a likely RCE in the `Source` engine. It might not have been used here.
from what I’ve seen, you can play Apex on private and custom servers with a custom client ,so if they can have access to those files, they know the ins and outs of the game
Some further details from an article released after this video was uploaded (I also joined PirateSoftware's stream to discuss this, VOD available soon): techcrunch.com/2024/03/20/apex-legends-hacker-said-he-hacked-tournament-games-for-fun/
- Destroyer2009 claiming responsibility for the incident
- Not sharing further details on "how" until everything is patched
- Claimed they did it just for the lolz, but has nothing to do with the server and did not go outside the Apex process
- Didn't do vulnerability disclosure process because there is no bug bounty/vulnerability disclosure program 🤪
"no bug bounty so I brought down the whole tournament" definitely a logical progression.🤦
I still think there's a good possibility the first incident with the actual menu popping up on the guys stream was just an accident in which he pressed a button to toggle "Streamer mode," a feature in most cheats which changes how ESP and the cheat hud is drawn over the game so that it is invisible to OBS. Nobody I've watched has made note that in the top left, you can clearly see it says Streamer Mode disabled.
For this reason I suspect the first guy to be cheating and he was able to use the scare of an RCE as a scapegoat to look innocent. While Destroyer2009 has commented in this article, there's no saying he isn't lying when he previously has made big claims on what he can modify in the Apex servers (ability to ban/unban any player at will, for instance) without showing any proof and without using these exploits. I still consider the possibility that the person who spoke in this article may not even be the real Destroyer2009, or he may be taking responsibility for something that wasn't necessarily his doing (I do believe he did create the TSM Halal Hook but I don't know if he was able to simply inject such a complicated menu into the game's process through game code, or if he had compromised the machines at an earlier time. )
Thanks
He must be in another country without extradition.
tsm_halal_hook was TSM's custom cheats. he just exposed TSM for cheating.
Damn you know it’s real when John Hammond gets involved in this
ikr
I agree with John H. opinion and Thor's. I can't wait to see the security report for this incident.
bro where can you read security reports of this or other incidents?
@@abhishekajit1611 it’s up to the apex legends company to disclose it or not (if they even find out how it works). Otherwise, we rely on security researchers finding and showing the exploit or the hacker disclosing it
They both were wrong
@@FarewellOrwell why?
Seeing you and Thor aka Pirate Software talk about this as an apex fan that was watching this tournament live is great to see
Really enjoy these kind of videos where gaming and cybersecurity collide. Would love to see more of these videos breaking down things like game hacks 🔥
Thank you for all your insight into the field. Your professional experience and field impressions are always greatly appreciated, Sir. I clicked immediately! Great and much needed to know info! I like the format and pacing 👍🏽 keep fighting the good fight
Something similar happened in Battlefield and Call of Duty (when it wasn't owned by Blizzard). Hackers were messing with OFFICIAL servers where players were joining from legal client. They could do literally everything for example "turn off gravity in entire lobby", "level up all players and weapons to max level", "unlock literally everything possible in the game for everyone in the lobby", "make ammo unlimited" etc and everyone who even accidentally joined this lobby (you can't pick lobby yourself in CoD, the game does it for you) was getting banned at later time (I was one of them, I still have VAC ban on steam because of this).
Not making accusations or anything but its weird cuz cod and bf’s anticheat is not Valve ac and only accounts flagged by valve ac get the vac ban flagging their steam profile
Prior to Ricochet , call of duty was using Valve from what i gather.
Was that during MW2 days? Because that happened to me on PS3 in 2011
@@product_of_august Yes, it was exactly on MW2, like 10+ years ago
Ricochet ac became a thing in around 2019 ..
Well, Source based games that Respawn have developed in the past haven't been really well known for their security in the back end. Like it drove a few players to develop their own fully disconnected from Respawn multiplayer instance for Titanfall 2, where each individual could host their own servers because there was supposedly some vulnerability in the back end that dealt with the hosting of official servers.
Sure they came along and fixed it but that took them over a year and probably the help of some graduate that asked to do it as a passion project on the side of other work. Hopefully the issue is discovered and the information can be dispersed out into the wider gaming community in the coming days or weeks.
Idk if this was because of the source engine. This situation sounds like it is unrelated to the Titanfall problems.
@@nordgaren2358 Apex is pretty much titanfall2 br, same engine/devs
@@nordgaren2358 other commenters remember destroy2009 being popular in titanf2 hacking
other commenters remember the 2009 guy being involved in tf2 hacking
@@nordgaren2358 it's a heavily modified version of the source engine, so I wouldn't chalk it up to just a "source engine" problem either
Made some excellent points, Waiting to see how this all plays out. Kinda excited to hear more…from all vendors and analysts
A while back Secret Club claimed that one of their members discovered an RCE affecting ALL Source Engine games triggered by invites which they disclosed to Valve a few years back, but have been prevented from releasing a write-up on it as it is still yet to be patched. There also exists a video demo of the exploit in action, but no detailed information besides.
Pirate Software actually went through some steps in a live stream yesterday showing exactly what you're taking about here, Mr. Hammond.
Is there a video for that?
@szahw If you go to pirate software's channel and check towards the end of yesterday's live stream you'll find it fairly easily
@@szahw also thor and John hammond are live together on his channel right now
@@Rogueferula really? Gotta go watch that VOD
I'll be damned, nice collab with Pirate Software IMMEDIATELY after this upload! 😂
1:50 how can you NOT link to this moment in descriptions... I never ever seen you this perplexed!!!
I really like your theory on a vulnerability in the game API. It seems very realistic that the hacker found a way to manipulate API requests and control the server, just by joining the game and modifying their client's requests.
I would love to see a John Hammond and Thor colab video!
Primeagen + Thor + John i sense a great crossover incoming
The League Of Intelligent Hackermen
I need this in my life 😂 fr
11:06 I am dying to see that collab
Nice video but I'm a little bit confused; you mention this could be directX hooking/hijacking and then say that's not code execution? To me, the fact that you're creating your own directX object from within the game process means you're running your own code. There's nothing preventing you from popping calc.exe instead of an in game window at this point. Am I missing something?
Yes, you missed the very obvious fact that this guy records himself saying for 15 minutes "I don't know. We can't be sure. This article says there is nothing known." and he even doesn't know if it was a vulnerability or an exploit which means he has absolutely no real knowledge in this field if he can't tell the difference between those two.
My guess is he thinks games are built like chromium where every thread is isolated in a sandbox with secured channels communicating outside lol
@@user-mj8bg3fw8w "He doesn't even know if it was a vulnerability or an exploit which means he has no knowledge in this field if he can't tell the difference between those two"
Lmao what are you talking about? First of all he never said that. Second of all, those two words are essentially interchangeable. They're two ways to say the same thing. A vulnerability is something that can be exploited. An exploit requires a vulnerability. The distinction you're alluding to doesn't exist.
@@hnielsen123 That's 100% the correct explanation. Now listen at 0:38
"There is a growing concern that there is an exploit or vulnerability" so we both know without a vulnerability there can't be an exploit and there can't be an exploit without a vulnerability. So why does he separate them?
@@user-mj8bg3fw8w dude come on. It's a figure of speech. The same way someone might say "I'm trying to find a fix or a solution to this problem". Sometimes people say something in two different ways for emphasis. You're reading way too much into it.
Serious question, do you know anything about john hammond? Or did this video just show up on your feed and this is the first time you've ever heard of him?
Half-expecting this to become a more common occurrence. Once something like this happens once, in this day and age, you can expect it to happen over and over again, especially on older games.
What keyboard are you using looks amazing
I hope to see a discussion between Piratesoftware and John on this subject among others that'd be amazing!!
btw, Thor figured out that the IP is just from a scanner, but he is a bit concerned that it could actually reach their computer, since it shouldn't be able to do that by default, so maybe some messed up port forwarding, or maybe some remnants the hacker didn't clean up.
I just want to know what shirt that is and where to get one
As a crossover between gaming, coding and cyber security, I'd like to put a game called "BitBurner" on your radar. I'd be super interested in hearing your opinion on it as a way to learn the basics of coding and security.
Looks like I've been living under a rock
Or only playing single player games
@@balsalmalberto8086 Or no game at all lols
You know the thing is getting real when Mr. Hammond speaks about it ❤ You, Thor, David Bombal and NetworkChuck should do a podcast about this one 😉 When this whole thing began to go viral most of the people started to abuse the word "RCE", which kinda makes no sense since we have no official or correct info regarding what kind of attack it was. Since the game engine is an old one and heavily patched, there might be an exploit with the client (not offensively to EA..yk). And when I saw the threat actor who claims to be "Destroyer2009" proceed to create a whole bot lobby using some method (I'm not a developer so I don't know about the server or client side process that was behind this) which began to follow a squad of 3 players (ImperialHal and two more) and in the end getting them eliminated, I thought "man, this guy got some real sh*t" 😅 So it seems this dude somehow has the ability to perform "server-sided actions". Assuming the server doesn't accept every command that the client sends, there's been a server side error behind the above action. And of course as Thor found out in Hal's PC, if there was access to the PC, this PC is most likely to be compromised using a server sided data stream (like a reverse shell thing) since this dude has no direct access to Hal's PC. There are a lot of problems going around so as Thor and you said, we have to know more before concluding any statements. "The more you know, the better you become 😊"
It's rather surprising that there hasn't been a Thor/Hammond collab yet. Would definitely like to see that 😃
WE DID IT!
Email security add . . . That's a new one 😂
I remember that name destroyer... I got hacked by one with that name in Diablo 2 back when I was riding the top of the ladder in 2008-2010.
I wonder if they are the same destroyer
Something to note, the cheat GUI looking like it’s part of the game actually makes it more likely there's either an RCE or someone put a backdoor on their system. Often, internal cheats (cheats that involve force loading a DLL into the process which either contains the cheat code or communicates with a corresponding driver to run the cheats) will use whatever drawing APIs are already used by the target, making it very common for the GUI to be ingrained in the game (and makes it easier for the GUI to have similar visuals to the game)
It's a menu drawn with a Nuklear, and yes is given through RCE, but the cheat that has it is ONLY a developer/private build, and this isn't made public at this point.
@@linear_pub it has to be a bug in the anticheat client unless they found some way to inject code into the process remotely either directly targeting your client with traffic or sending data to the server that somehow executes code on the client
I'd say anticheat, because it would likely already have network capacity for downloading and uploading files and has the privs to do anything on the system. It's basically a free rootkit.
Idk how any of that points to it being an RCE. The cheat menu has nothing to do with the attack vector.
This is a kernel level anticheat.
That would be a payday for the hacker who finds that vulnerability. Not likely.
The hacker who is claiming responsibility said that it was a bug in the game, but that doesn't mean RCE. If it was just some trickery with the scripting engine turning on QA features and displaying a "fake cheat menu.png", that is not an RCE. They are limited to what the scripting engine can do, so, at that point it becomes a question on if you can escalate to arbitrary code execution from there.
@@nordgaren2358 not impossible at all. ACs are sloppy sometimes due to corporate issues. Not to mention this isn't an image. It's fully functional and also highlighted other players with ESP
Wasn't that destroyer guy a well known Titanfall 2 hacker? I swear he was doing this same shit there as well...
maybe a tor collab that tor customises the browser with common stuff that you use
Those are the built in cheats shipped with the game. The interface is enabled if you sign contact with EA.
As someone who has been in IT and gaming for a lot of years i wont out of hand dismiss the possibility of an RCE, some of the anti cheat software that comes with these games hooks into the system deep enough to be a real concern.. but that said there are only a few big ones out there, and a 0-day RCE in one big enough to be used in a large game like apex would be worth a metric sh*t tonne. to burn it on trolling some streamer on a game even if it was at the professional level, i cant see that happening.
The supporting redistributable that was mentioned by your co-worker is also part of a massive number of games, so i would consider that being the 0-day or attack vector unlikely for the same reasons as above.
The streamers themselves being infected with a RAT is far more likely, when you take into account that a lot of the more modern RATs are capable of silently installing and running anything you want. My money would be on this vector, not anything to do with the game, its engine, supporting redistributables or anti-cheat
I think the streamers being infected with a RAT is the likely scenario.
If it was an RCE, that would mean that the attacker would have to also patch the anticheat and the game while it is running, and not trigger the anticheat at all.
This is quite the tall order.
I'm more inclined to think these players installed cheats long ago, and the cheat client installed a RAT. Patching the game while it's already running (but more importantly while the anticheat is running.) is not impossible, but it makes it much harder if your patch wasn't loaded in while the game was being loaded.
I patch games while they are running, but if I needed to bypass the anticheat, I would want, and maybe even NEED, to have my patch loaded before anything else. Hell, I might even want to replace the anticheat's PE entirely, so that my own code gets run, and not the actual anticheat.
I remember that once i was playing cod bo2 on ps3 and a hacker just gave everyone at the lobby a cheat menu
I am a player of Apex Legends and I personally think it isn't an RCE exactly, as an RCE vulnerability exploit will affect the server side! Not selected players. But at the same time I also think it can be a successful phishing attack on the employees of Respawn, or it can be a vendetta against Respawn as they recently laid off a bunch of employees who have been working on the game since Day 1.
I am open for a security perspective discussion on this! If anyone has any other things to add or modify please reply!
What an RCE affects is entirely dependent on the bug itself.
The bug might not be in the server code. It might be a client only bug.
It's hard to say what it was, really. It still might not be an RCE if the attack was unable to affect anything outside of the game process.
@@nordgaren2358 yeah thats true! Thanks for the info! Bro
The more interesting question is how does EAC behave if the game itself is compromised
I think some kids (from 2009 in name) put malware on the computers before the tournament started
thinking:
1) it's an audition for employment?
2) they had at least some manual process to it and only had the manpower to do the two?
keep us updated brother !
Thanks John for the information. Is it possible to test the Apex video-game client in services like "Triage" and "App Any Run"? Thanks!
Not sure that would be possible, seeing as there are time limits on AnyRun so you wouldn't be able to even get a copy of the game before the time's up. On top of that, if you did manage to, you'd have to run around lobbies waiting for this to happen to you, and that's unlikely seeing as this is a feature used by 1 provider in a private build, not on a public provider.
I think it just came out last night that Thor found a rented server that was connected to ImperialHal's PC. The thread begins to unravel.
Now I'm curious whether it's the same case for the other guy that got hacked.
@@zxph the other guy said he was on a fresh install of windows (just hours old) when it happened. always reinstalls for tournaments to negate any kind of negative performance impacts or crashing.
@@teabola Ah good to know. Sounds like a good idea, if a bit tedious. Too bad it didn't help very much. The fresh install, hacking in public servers, EAC finding nothing on their end, the fact that the hackers reportedly said they were "jokers and not clowns" and didn't want to perform a mass attack at the risk of facing severe consequences (which would explain why they would be comfortable burning the exploit on a small-scale attack like this), the fact that the second guy didn't appear to have the TSM halal tool loaded suggesting there is no malware installed on his system.... looks to me like it all points to an exploit affecting Apex servers directly.
If you are referring to that RPC inbound connection.. that is kind of strange, because, as Hammond said, receiving an inbound connection on port 135 from a public internet address is very very unlikely, and that port must be exposed on purpose to the public internet, otherwise 99% of the times NAT would prevent it from working.
Also svchost is really vague, since that process is, as the name suggests, a host for other executables that are meant to be run as a service on the system. At least knowing WHICH exact service was involved is a basic requirement for digging deeper in the root cause analysis of that Malwarebytes alert.
@@zxph yep. A lot of people also fail to understand that apex runs on source which has been susceptible to rce and different exploits in the past. They also don't know that apex uses squirrel scripts, which if you have some access to the server, can be used to run said scripts.
Same take as me, glad I'm not crazy!
Damn, as a security practitioner and forensic analyst i wish i had a chance to investigate the compromised clients :(
My speculation is that they might have been compromised ahead of time via a different vector, and then the attacker used said compromise to showcase their tools capabilities.
Yet i'm fairly sceptical that the game client could be abused to achieve RCE. unless that capability is coded in the client itself, but I mean.. come on? really? There's no way someone would code a game client in such a way that a backend service infrastructure could issue the execution of arbitrary code.
And exploiting an RCE bug (memory corruption) in the game client by maintaining stability and preventing it from crashing? meh.. I know there are infinitely skilled hackers out there, but this would look REEEEALLY HARD.
i dont think they did it directly via the game client. not without exploiting the server in some manner or directly connecting to game clients as a fake server.
no i think this is an issue with the anticheat. they typically have self updating capacity and if they could exploit the anticheat client running on the system or exploit the C&C system to push an update into the game (or access the target kernel)
You should look up ds3-nssr-rce. It's a repo on GitHub that is a writeup of the dark souls 3 RCE.
@@nordgaren2358 I quickly read through that (thanks for the suggestion).
It looks like a memory corruption bug, and as far as i can understand, since the execution flow gets redirected to arbitrary code through a rop chain, the game integrity gets compromised and crashes in order to execute the payload.
This didn't at all happen in the apex incident, reason why i'm a bit sceptical about that being the attack vector
@@francescormp3163 Well, it is an example of back end infrastructure enabling the execution of arbitrary code, is it not?
The client had this behavior, but the back end also had the ability to reject these packets. In fact, that was the suggestion to FromSoft, except there were more bugs that needed patching on the client side, so they patched both.
The point being that a bug is a bug. RCE in the game client is a possibility. It's just not likely here. But who knows.
@@francescormp3163 also the game crashing is a side effect. Doesn't mean that all RCEs will cause a crash. I don't even think the game is guaranteed to crash. There are some RCE vulnerabilities where it's not guaranteed. Like EternalBlue.
Reminds me of the PS Network vulnerability that was discovered not long ago. No wonder those get the highest bounties (surprised they were actually paid) considering you figure that out, their entire network is toast. Remember when the PS servers went down for a week or so? Fun times.
I wonder if their systems had something in particular. How come it didn't happen more?
want a colab with Pirate Software!
me too 😝
@@_JohnHammond That would be awesome. I only know him from his clips on yt but I enjoy them very much.
"in this industry there are no experts, just specialists"
What are your thoughts regarding League of Legends and Riot Vanguard being another Kernel-level anti cheat software? From the little research I've done so far, it seems like there's quite a bit of room for security problems. Some other games like Fortnite and Halo: MCC have kernel-level anti cheats, what makes Vanguard different? I'll continue looking into this but what's your take, and what are some resources I could help inform myself and friends. Thanks!
"This whole scene is just too big."
You're an expert bro. The meaning is just less than people give it credit for. If you have expert experience in the industry, you're an expert in some way shape and form.
My 2 cents: this wouldn't be the dumbest thing a 16 year old ever blew an RCE on.
I do have to agree with your assessment in most other respects though.
Also... why malwarebytes and no real IR? a pretty halfbaked velociraptor dump would be better.
edit: Also games are just programs that are like a fungus with root systems touching tons of things on the internet with capability to send phishing or other malware loaded cheats or a ton of other tricks to get people to do things they shouldn't for threat actors of all kinds. Between tricking people into running stupid mods, to actual in game exploits, it's a massive attack surface and while those attacks aren't likely they can and will happen. Just my 2 cents after a bit more thinking.
Could it be a scheduled task, as the time of the tournament was known?!
The fact that he can spawn bots in the servers at will is very concerning.....If he figured out how to do that to all the servers...he could make the game unplayable by constantly filling all the servers with bots so no human players can get in.
I believe Imperial Hal has chat disabled.
Destroyer2009 purportedly said they "just did it for fun" and wanted EA/Respawn to fix the exploit.
Wow you have gotten 300,000 views in a few months, awesome :)
It would be hella cool to see you collab with Pirate Software!
There have been bugs in Titanfall 2 (the game the Apex engine is based on) that allow anyone to inject scripts in the game's scripting language (Squirrel) into other clients connected to the same server. This is a form of RCE but it might not allow Arbitrary Code Execution.
Seems likely this is a similar situation given the Titanfall bug happened multiple times.
No. This was an entire cheat client being injected. I don't think this has anything to do with it.
@@nordgaren2358 the scripting in the game is good enough to let you implement esp and aim bots. It obviously took some work to pull this hack off and putting together a small cheat using it is not that hard. People did similar things in TF2 using these scripts. Please stop confidently stating things you have no clue about.
@@Alex-qq1gm how do you know that the scripting is what implemented the esp and aim bots, though?
@@Alex-qq1gm wdym I have no clue about. This is literally my specialization.
You have no evidence of what you are claiming.
@@nordgaren2358 I have evidence, go and Google: northstar unrestricted script
Also, compare the fonts used in the menus of the fake cheat to those of Titanfall 2. They are the same. Also pay close attention to which UI elements the cheat renders over or under. Compare this with footage of other Apex cheats that are easily found online. They are very different.
Obviously none of this fully confirms anything but it does line up with it being a game scripting based attack.
John Hammond bro you're the best forever, thanks for all the videos & information security
Perhaps the two users already had software on their system that would allow said access?
Are you saying thats just a theory... a "GAME THEORY" :O
Ironically I think this is one occasion people are right to blow it out of proportion, sure it's likely something less intimidating that is being portrayed but good on the people who actually avoided Apex for safety reasons - or any negative reason, legitimately some players are potentially addicted.
This was inevitable.
I think a lot of it is Squirrel script execution. It's been around since Apex came out, and was present in past Respawn games. There was a huge vulnerability in TF2 where you could literally bind server commands to a key and execute them, and the server wouldn't do any checks and just do whatever you told it. Respawn tries to keep up and patch the methods, but people are usually able to find ways around it.
But everything destroyer has annoyed streamers with has been around forever. It's documented and actually insane how badly the servers can be manipulated. But the only thing I've never seen is how destroyer was able to give them cheats if he claims to have never gone outside the Apex process. It's probably an internal cheat since the menu seemed to have been drawn in-game. But I would've thought you needed to have a RAT that could drop a DLL and inject it. So I'm very curious to see how that was done. Aimbot doesn't seem impossible, but silent aim is something else, and also the ESP that Gen had.
Whatever the case, I wonder how it'll be handled and fixed. I've seen some people on forums suggest it's not a difficult fix, while others say Respawn should just rewrite all the server code. We'll see.
It's better to wait, but those are just ideas, but it's good to be creative.
Talk about Ivanti VPN hack. 😊
Is there any published documentation on the alleged Source Engine vulnerability?
you should stream live ctfs like before. Used to enjoy them a lot.
It’s funny the cheat menu said “vote Putin”. It could be that other players were affected but stayed quiet
well the dev is from Belarus so there's that
Destroyer2009 is a Russian troll clearly
I think the majority of the players if not all are streaming during the tourney.
@@datmanjay420 is that for sure? Thought they’re still looking for this “destroyer” person
@@sonofyupe people like to believe in rumours without even verifying them because it's easier to believe. Making them sound smart for knowing things even though it is just an unproven claim.
I think it's insane to hold an event of that size with such a large cash prize online.
The really large cash prize isn't until the LAN matches at the end of the season. Regular season online matches have smaller prizes
@@Th3K1ngK00p4 ah okay thanks, another video I saw made it sound like this was a major tournament.
@@Armrongeddon it's the biggest match of the season so far, 1st prize is still $20k. But it's determining who goes onto the LAN playoffs where 1st prize is $300k
They probably had it installed already!!! Someone just used a backdoor to get it activated in my opinion!!
Wouldn’t Hal need port forwarding enabled on his router to allow connections inbound on port 135? I don’t for one second think RPC was exploited. I would understand an outbound connection (reverse shell) but not some inbound connection on a well known port (hoping port forwarding was enabled). Inbound RPC hack sounds so unlikely. Why would an attacker burn a million dollar exploit on RPC to hack a pro gamer? Not likely.
I commented about this on Thor’s video. It makes no sense. He would indeed have to port forward or have his PC exposed to the internet. Which I just find very suspicious
Unless this was a test run for a larger attack.
CS:GO to COD, Apex Legends, these FPS games have been so overrated for the past couple of years.
I really miss cod as a single player shooter game.
Congrats John your live with Thor rn!!!
You’re* don’t want to edit lol
Thor sends goblins
How embarrassing for Respawn.
Coming from the counterstrike 1.5/6 days where you could push scripts and compromise users who connect to a game server. Nothing is really impossible these days. Some European servers created their own banning system that wiped the users system 32. 😂
This guy says he's not a gamer as if he isn't a retired Meta Knight legend
But always bested by your Marth! 😎
I got infected by another online multiplayer fps game that I used to play, it was open source, the dev basically gave the hackers a free for all, they did a lot of damage and were involved in cp/voyurism/identity fraud/stalking/harassment and more.... people are disgusting...
Thor and Hammond next video? 😬
I think it's simpler to believe these competitors had cheating software on their systems and this software gives the creators of these tools access to their game/their software.
this is the correct answer.
100%
They got caught, and tried to blame someone else for their stupidity. Hahahahaha 😂😂😂 As someone who develops those hacks, that's exactly what it was period they got caught using hacks and had to play it off as not them.
The dude accidentally turned on his imgui menu and had his buddy try to cover for him.
Everyone here doesn’t know about the apex competitive community. One of them(HAL) is the most popular streamer & has won the most tournaments, his reputation is too big to cheat. The first guy, genburten, who was given the mod menu is questionable tho.
@@BlackShinobi.Is he bigger than Dream?
It's Gen like in generation or gin like the drink.
Naah I think he has access to the servers somehow... could be via an employee's computer inside, maybe a friend that works at Respawn installed some software a friend told him to?... Could be that he had access long before the tournament seeing as he was spawning bots in... and it won't be the first time someone has access to their servers... looking back at Titanfall, remember the great jeanu? Yeah I think the vulnerability definitely is employees... feel like this isn't the first time Respawn gets hacked
i am stumped on this
He should have a job at Hammond robotics
I can see RCE happening. Could be client side or server side depending on what's compromised. I could also see a closet cheater and/or a cheater using cheats on an alt account and the cheat leaving a backdoor that will expose the cheat should the cheater not comply with demands. Seeing the evidence presented so far, I believe this is a server sided RCE. Being able to target specific users on the server and issuing an RCE has been done before in the past, granted those were p2p type "servers". Knowing how deep today's games have access to, kernel/ring0, it was bound to happen sooner or later.
lmao, using a remote execution to inject an aimbot. That has to be the biggest troll someone did.
It's a bit unbelievable, tbh. The theory that the aimbot and esp were internal game tools would make more sense, as the anticheat would have detected a cheat injection mid match.
Well, I would say it's very likely it would detect that. That's not an easy thing to pull off mid match. You also need to pause the entire game process while patching in your cheats, or you will likely cause a crash.
@@nordgaren2358 Why would a developer leave an obvious cheat tool inside a retail state game. There would have been a high chance someone found that long ago.
Well, if that's a REX, it must have been something very long in the making to understand the RAM structure to hook itself in - and have it interactable as part of the GUI. Apex wasn't made in Unreal Engine, right?
@@Sypaka because they used the wrong build command, or something similar. It happens more often than you think.
Looking for debug code is something cheat devs do often.
Dark Souls 3 is an example of this.
the 1.15.0 build of the game contains most of the debug menu. the 1.15.1 build that was released to deal with the RCE exploit also removed most of the debug menu code. So we have a restored menu for 1.15.0, and someone needs to basically re-implement those debug functions again.
Using internal debug tools would also explain why EAC didn't get triggered at all.
What if these guys had cheats installed and got into some sort of disagreement with the cheat providers?
Wouldn't that be the most obvious option?
I wish the bot hackers for Team Fortress 2 got this much coverage... Then maybe something would be done about them after the 3+ years they've been plaguing casual servers.
Are consoles safe from this? Looks like it can affect pc users. This is why I’m asking
it was me , ze hackerman
He spared no expense
More likely to drum up biz, and second if they bet a large amount of money on the game and they wanted to disqualify these people. It's almost always about money.
"i don't call myself a cyber security expert..." jesus look at your channel and skill list, YOU ARE A FUCKING EXPERT MAN. Thanks for your efforts.
An apex hacker just responded
Tbh in this case even if the pros will get unbanned they would have been unbanned very soon. Nothing really bad happened. So chapeau to the hackers, something like that isn't easy and depending on what it was could have been used much more malicious.
They could have bet money on the matches and hacked to ensure that they won their bets
I stopped playing Apex because of bullet hit registration, so knowing that they were hacked confirms there is no point in playing this game anymore.
The fact that a colleague of yours is working on a bug like this tells me, there exists a likely RCE in the `Source` engine. It might not have been used here.
That was just their best guess. There's definitely been RCEs in source engine in the past, which is probably why they guessed it.
I know how it's done, but not gonna give it away for free to EA. That's the smartest response a hacker can give. They don't even do bounty rewards
from what I’ve seen, you can play Apex on private and custom servers with a custom client, so if they can have access to those files, they know the ins and outs of the game
Wait isn't that how ALGs are actually set up?