What is Ricochet

Ricochet Anti-Cheat is a proprietary anti-cheat system developed by Activision for its popular video games, including the "Call of Duty" series. It aims to detect and prevent cheating in online multiplayer games, ensuring a fair gaming environment. The system employs a combination of server-side tools and a kernel-level driver for Windows, which provides deeper access to monitor and manage the integrity of the game's processes. By analyzing game data and behaviors, Ricochet can identify and mitigate cheating tactics more effectively. The implementation of this anti-cheat technology reflects Activision's commitment to combating cheating and enhancing the overall player experience.

bdEventLog::RecordEventsMixed

"bdEventLog::RecordEventsMixed" is essentially a telemetry function used by Demonware, a subsidiary of Activision, for logging and sending various in-game events and data. This function collects detailed information about player activities and behaviors, including potential detection vectors that might indicate cheating. When certain suspicious activities or patterns, referred to as "infractions," are detected, these events are recorded and sent to the server. This data helps the anti-cheat system analyze and identify possible cheats or exploits, ultimately contributing to the decision-making process for triggering bans and maintaining game integrity. The use of "bdEventLog::RecordEventsMixed" is crucial for enhancing the effectiveness of the anti-cheat measures and ensuring a fair gaming environment.

The Bypass

As of 30/05/2024 this bypass works but will most likely be fixed in the coming days or weeks.

MW2019/MW2 Implementation

  std::int64_t BdEventLog_RecordEventsMixed(std::int64_t context, std::int64_t* output, eventInfo* events, unsigned int totalEvents, std::int64_t event_log_ids)
  {
    return 0;
  }

  BdEventLog_RecordEventsMixed = findPatternRef("4C 8D 44 24 40 48 89 4C 24 20 48 8D 54 24 30 48 8B C8 41 B9 01 00 00 00 E8", 24);

MW3 Implementation

  void* originalBdEventLog_RecordEventsMixed = nullptr;

  constexpr std::array whitelistedEventIDs = {9000, 9001, 9002, 9003, 9007, 9008};

  std::int64_t BdEventLog_RecordEventsMixed(std::int64_t context, std::int64_t* output, eventInfo* events, unsigned int totalEvents, std::int64_t event_log_ids)
  {
    int eventType = events->eventTypeCode;

    if (std::find(whitelistedEventIDs.begin(), whitelistedEventIDs.end(), eventType) == whitelistedEventIDs.end())
    {
      std::memset(events, 0, sizeof(eventInfo));
      return 0;
    }

    return reinterpret_cast(originalBdEventLog_RecordEventsMixed)(context, output, events, totalEvents, event_log_ids);
  }

    originalBdEventLog_RecordEventsMixed = findPatternRef("4C 8D 44 24 40 48 89 4C 24 20 48 8D 54 24 30 48 8B C8 41 B9 01 00 00 00 E8", 24);

Using this signature makes the bypass work across all Ricochet titles (MW2019/MW2/MW3).

  Signature: 4C 8D 44 24 40 48 89 4C 24 20 48 8D 54 24 30 48 8B C8 41 B9 01 00 00 00 E8 + 24
                        
Some popular cheating software, such as 'Cobalt', uses this bypass to get around Ricochet's kernel anti-cheat.
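Because the hook drops events on the client, the gap it leaves is visible on the server: a long session that delivers only the pass-through IDs, or nothing at all. The sketch below is an added example, not code from this post or from Activision/Demonware. The session record shape, the event ID 1001, the Poisson model and the premise that unmodified clients emit other event types at a steady rate are all assumptions.

```python
import math
from statistics import median

# IDs the MW3 hook on this page forwards; every other event is dropped client-side.
PASS_THROUGH_IDS = {9000, 9001, 9002, 9003, 9007, 9008}

def count_other(session):
    """Number of received events whose type is outside PASS_THROUGH_IDS."""
    return sum(1 for e in session["events"] if e not in PASS_THROUGH_IDS)

def flag_silent_sessions(sessions, alpha=1e-3):
    """Return ids of sessions whose total lack of non-pass-through events is
    implausible given the fleet's median per-minute rate (Poisson model)."""
    if not sessions:
        return []
    baseline = median(count_other(s) / s["minutes"] for s in sessions)
    flagged = []
    for s in sessions:
        if count_other(s):
            continue  # the client delivered at least one other event type
        expected = baseline * s["minutes"]
        # P(zero events | Poisson(expected)) = exp(-expected)
        if math.exp(-expected) < alpha:
            flagged.append(s["id"])
    return flagged

def _mk(sid, minutes, n_pass, n_other):
    # Constructed sample record; 1001 stands in for any non-pass-through type.
    return {"id": sid, "minutes": minutes,
            "events": [9000] * n_pass + [1001] * n_other}

SAMPLE = [
    _mk("s1", 30, 10, 15), _mk("s2", 20, 8, 8), _mk("s3", 40, 12, 24),
    _mk("s4", 25, 9, 10), _mk("s5", 35, 11, 21),
    _mk("s6", 30, 10, 0),  # long session, only pass-through ids received
    _mk("s7", 2, 1, 0),    # too short to judge
    _mk("s8", 25, 0, 0),   # long session, nothing received at all
]

if __name__ == "__main__":
    print(flag_silent_sessions(SAMPLE))
```

A flag here is a lead for review rather than proof of tampering, since network loss also produces silent sessions, and a fleet where most clients are silent would pull the median baseline to zero.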

Summary

Ricochet Anti-Cheat is Activision's proprietary system designed to prevent cheating in games like the "Call of Duty" series by using a combination of server-side tools and a kernel-level driver. The "bdEventLog::RecordEventsMixed" function, developed by Demonware, logs player activities and detects potential cheating infractions, aiding in the enforcement of game integrity. As of May 30, 2024, a known bypass exploits this function by hooking it and making it return '0', thus preventing the reporting of infractions and bypassing the anti-cheat system. This bypass is used by some cheating software and affects all Ricochet-protected titles.

I reached out to an Activision employee, who wishes to remain anonymous, to get their perspective on the recent bypass of the Ricochet Anti-Cheat system. They emphasized that breaches in the anti-cheat system are taken very seriously. The employee assured that the Ricochet team is actively working on a fix to address the vulnerability and reinforce the integrity of their anti-cheat measures.