Anti-Cheat: Anti-Speedhack

[Sewer56]

About Speedhacks

We should detect for Speedhacks as accurately as possible, as changes in speed can be made subtle (e.g. 105%).

Offending Functions

Speed hack implementations typically hook the following functions:

• QueryPerformanceCounter
• GetTickCount
• TimeGetTime

In our case of Sonic Riders, frame pacing is probably performed using the function at 0x00527CE0 and the API function used is GetTickCount.

Detecting Speedup

To detect speedup of a client, perform 2 checks:

• Server-side Time Check
  • Use APIs not touched by common speed hacks e.g. GetSystemTime
• Server-side Message Arrival Check
  • Compare arrival times between messages.

The frame pacing function should be hooked. Every 5 seconds (300 frames), the client should send a ping to the server. This will occur faster if speedhack is used.

The ping should contain a timestamp with the current date/time (from GetSystemTime (unaffected by speed hacks)) and the amount of frames since the last ping (affected by speed hacks).

struct TimeStamp
{
    DateTime dateTime;
    short framesElapsed;
}

The server can then perform the following checks:

• ToRealTime(framesElapsed) < SystemTime = Player is Cheating. (1% Error Margin)
• Current Message Arrival - Last Message Arrival < 5 seconds (5% Error Margin + PingOfClient)

Assume cheating if no messages received at all from client.

Detecting Common Implementations

Cheat Engine

Check if module speedhack-i386.dll is loaded into the process.
Raise flag if present.