It's getting to be about that time, and I must once again extend to you our quadrennial anti-cheat greetings. I'm "mirageofpenguins," an anti-cheat artisan with lifetime 85 million bans served, and I'm manifesting today to talk to y'all about Vanguard.
You actually may've already suffered through our LoL anti-cheat literature in the past, and here is some of the recommended prerequisite reading. Feel free to skim through it, but this material is now known to the state of California to cause bone lengthening and will not be on this semester's midterm.
League of Legends is a fairly secure video game. The server simulates the entirety of the game state, and the client is really only responsible for making "requests" to it. Often referred to as an authoritative model, it essentially means that our server is the final arbiter of truth, and things like "sending spells on cooldown" should fail once we've added enough server validation. This is why we don't see as many exploits anymore, and instead, most cheaters resort to input automation, or more colloquially, "scripting."
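The authoritative model described above, as an added example (not Riot's code): a toy server that refuses a spell cast while the spell is on cooldown, whatever the client claims. The spell table, class names, request fields and the rejection log are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed spell table: name -> (cooldown in seconds, mana cost).
SPELLS = {"Q": (4.0, 50), "R": (90.0, 100)}

@dataclass
class Champion:
    mana: int = 200
    ready_at: dict = field(default_factory=dict)  # spell -> server time it is usable again

class AuthoritativeServer:
    """Owns the game state. Clients only submit requests."""

    def __init__(self):
        self.now = 0.0        # server clock, advanced only by the server's own tick
        self.champions = {}   # player id -> Champion
        self.rejected = []    # audit trail of refused requests (an added assumption)

    def tick(self, dt):
        self.now += dt

    def handle_cast(self, player_id, request):
        champ = self.champions.get(player_id)
        spell = request.get("spell")
        if champ is None or spell not in SPELLS:
            return self._reject(player_id, spell, "unknown player or spell")
        cooldown, cost = SPELLS[spell]
        # Only "spell" is read from the request. Anything else the client
        # claims (timestamps, "cooldown_ready" flags) is ignored.
        if self.now < champ.ready_at.get(spell, 0.0):
            return self._reject(player_id, spell, "on cooldown")
        if champ.mana < cost:
            return self._reject(player_id, spell, "not enough mana")
        champ.mana -= cost
        champ.ready_at[spell] = self.now + cooldown
        return (True, "cast")

    def _reject(self, player_id, spell, reason):
        self.rejected.append((self.now, player_id, spell, reason))
        return (False, reason)

def demo():
    server = AuthoritativeServer()
    server.champions["p1"] = Champion()
    results = [server.handle_cast("p1", {"spell": "Q"})]
    server.tick(1.0)
    # A modified client insists the cooldown is over; the server checks its own clock.
    forged = {"spell": "Q", "client_time": 999.0, "cooldown_ready": True}
    results.append(server.handle_cast("p1", forged))
    server.tick(3.0)
    results.append(server.handle_cast("p1", {"spell": "Q"}))
    return results, server.rejected
```

Because the cooldown lives only in server state, the forged request changes nothing except the rejection log, which is why cheats for this kind of game move to automating legitimate inputs instead.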
Scripting developers create platforms that are essentially wrappers for the LoL client. They rebroadcast the game as an event stream and allow the end-user to create (or more likely, copy and paste) a selection of "scripts" that automate certain behaviors in response to these events. The end result is usually a frame-perfect Zeri kiting on what appears to be a near-lethal dose of caffeine or a god-touched Cassiopeia that, through the power of prayer, has been rendered untouchable by any skillshot. It's not fun to play against cheaters, and worse, once you know scripts are out there, it's hard not to suspect other players of using them.
Throughout 2023, the lovable rascals on our anti-cheat team have been sneaking detections into the LoL client that offer glimpses into the size of the scripting epidemic. These cheeky security maneuvers, also called "honeypots" or "spicy values," only work once, as any bans issued on them will be met with excess scrutiny, followed by their immediate discovery in cheat communities. We only have so many tricks up our sleeves, so this pattern is about as sustainable as bunker fuel. However, we now have access to mankind's greatest weapon: Statistics.
In recent months, as many as 1 in 15 games globally has had a scripter or botter in it, but in some regions, this number is as high as 1 in 5. Cheating isn't really region-specific, cheaters just go wherever cheating is easiest. In eastern countries, we see higher rates of scripting, because they're getting spillover from cheaters in China and Korea, both of which have region-exclusive anti-cheats and more importantly, identity requirements for gaming from their regional governments.
It's only worth making cheats if there's glory worth stealing, so attempts at cheating are actually the sign of a successful competitive environment. However, this is far too many for a game with Olympic-level ambitions, and if we want the win to mean something, we must protect its integrity.
The second problem is that scripting is rather effective, and to their credit (if you can call it that), scripters have gotten quite good at playing without the use of their hands. When piloted optimally, scripter win rates hover around 80% in Ranked games, continually propelling their unyielding supply of accounts through the ladder.
The polyphonic rainbow you're now bearing witness to is the percentage of Ranked games completed with a cheater, bucketed by what tier the scripter was in at the end of the game. You are reading that correctly, more than 10% of Master+ games had a cheater in them. Even Challenger, which we manually audit on a regular cadence, has suffered from a significant number of cheaters. Statistically, this is what analysts might refer to as a "Bad Line," and we're seriously not jazzed about the trend.
For all the reasons we're about to get into, we didn't want to push the Vanguard button until we absolutely had to, so up until now, League has been surviving (for nearly six years) on an anti-tamper called "Packman." However, due to an unrelenting volley of cheats and bans, the anti-cheat technological space moves at recursive lightspeed. After factoring in for hyperbaric time-dilation, the resulting bistromath makes Packman roughly 250 million "cheat-years" old, pushing the pre-mesozoic boundary.
Packman's primary objective is to make analysis of the game binary more difficult, and this includes "hiding" the anti-cheat detections that it appends to a game client. The problem is that dumping the deobfuscated game binary and bypassing the anti-cheat checks are now something closer to a training exercise, and it's one that's only been made potentially easier by the breach earlier last year. Packman was never meant to last this long, and iterating on it has become prohibitively expensive.
This chart attempts to visualize our emotional turmoil, though its true intensity could never be captured in two-dimensional form. Pictured are weekly LoL scripting bans, bucketed based on those issued for a detection within Packman (blue), versus those that were banned "manually" (reviewed by an anti-cheat agent). As Packman's effectiveness wanes, we are unable to keep up with the scripting "demand," and an infinite number of hands reviewing an infinite number of scripters is not a strategically viable option. If we want a fair video game, we must upgrade.
Like most anti-cheats, Vanguard is made up of preventative and detective layers. We endeavor to outright block as many cheating methods as possible, but in gap areas where "preventing" a cheat locally (and obviously) would too easily allow our vector to be audited, we instead passively "detect" the intrusion and take action on a delay. Putting our darkest detection magic behind the scrutiny of our server gives us the opportunity to hide our methods by occluding signals to the developer through seemingly arbitrary bans. This mouthful is often called "the cat and mouse game," and it's an absurd waltz that every anti-cheat developer worldwide steps to on the daily.
By uncoupling ourselves from the game client and moving more of Vanguard to the server, we can deliver different "checks" to riskier players, making our intrusion detection far more targeted and much faster.
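The "detect, then act on a delay" pattern described above, as an added sketch (not Vanguard's implementation): evidence is kept server-side, one action per account is scheduled at a randomized later time, and the notice the player sees names no check. The class, the delay window, the account and check identifiers and the reason string are constructed for illustration.

```python
import heapq
import random

class DelayedActionQueue:
    """Server-side queue that separates 'detected' from 'banned'."""

    def __init__(self, min_delay, max_delay, rng=None):
        self.min_delay, self.max_delay = min_delay, max_delay
        self.rng = rng or random.Random()
        self.evidence = {}   # account -> [(time, check_id)], never sent to the client
        self.schedule = []   # heap of (action_time, account)

    def record_detection(self, account, check_id, now):
        first = account not in self.evidence
        self.evidence.setdefault(account, []).append((now, check_id))
        if first:
            # One action per account, at a time the client cannot predict,
            # so the ban cannot be lined up with the check that caused it.
            delay = self.rng.uniform(self.min_delay, self.max_delay)
            heapq.heappush(self.schedule, (now + delay, account))

    def due(self, now):
        """Return ban notices whose time has come; a notice names no check."""
        notices = []
        while self.schedule and self.schedule[0][0] <= now:
            _, account = heapq.heappop(self.schedule)
            notices.append({"account": account, "reason": "third-party software"})
        return notices

def demo_delayed():
    # Constructed scenario: two different checks fire two minutes apart.
    q = DelayedActionQueue(min_delay=3600, max_delay=86400, rng=random.Random(7))
    q.record_detection("acct-1", "check-A", now=0)
    q.record_detection("acct-1", "check-B", now=120)
    early = q.due(now=3599)    # before the minimum delay: nothing happens yet
    late = q.due(now=86400)    # by the end of the window: one generic notice
    return early, late, q.evidence["acct-1"]
```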
To demonstrate, here is a graph of "Time to Action" on both games, though it's not a totally fair comparison. Cheating is far, far more sophisticated in first person shooters, so even though LoL games are shorter in duration, League was already heavily favored to win this race. However, because of Vanguard's aerodynamic design (and the speed at which it can be adapted), it has become so large a chore to stay undetected that most cheaters don't even bother. Instead they rage for a few games and get banned, just as nature intended.
LoL x Vanguard comes with a TPM 2.0 requirement, and while Microsoft originally intended to require one for all new Windows 11 installations, their actual implementation of this enforcement was relatively weak and easily bypassable. We took them up on their original offer and instead elected to enforce it ourselves. So, a select few Windows 11 users may find their ability to play League is impacted, especially if you modified registry keys to bypass this requirement.
TPM stands for "Trusted Platform Module," and we require it for two reasons. The first is because it adds security to cert signing validation (something we rely on to know if other software can be trusted), but the second (and more important), is because it acts as an extremely non-fungible form of hardware ID. If it's on and working, we can pretty much assume you don't intend to cheat, because if you did, we could easily banish the chip from this realm forever.
We want to move as much of our anti-cheat into a "preventative" pattern as is feasible (and safe). Windows is easily corruptible, and the current threat landscape necessitates that we validate its defenses ourselves. We need to be able to trust what the operating system is telling us about the VALORANT process, otherwise cheaters could compromise it, middleman our checks, eat hot chip, and "lie" that everything is good to go.
Through the friction of its checks to host security, Vanguard drives up the cost of repeatedly cheating. Sure, a cheater can still put their hard drives through the dishwasher's sanitize cycle or manually map their own code into kernel memory (I dare you to try either), but the point is that these things cost cheaters money and time.
Vanguard is not really "running all the time." The driver loads at boot, but nothing is making calls to it, and there's no network connectivity until you run one of Riot's games. It's literally just sitting there (menacingly), so that it can attest to the fact that nothing's happened between Windows loading and the game starting that would break the operating system.
When you launch League, the Vanguard client contacts the driver to confirm that it thinks everything is 100%, and if so, you receive a valid anti-cheat session and may connect to the game server. Instructions from the client then start enabling features within the driver to watch for things that might tamper with the signed League process and prevent them. You can always disable the driver whenever you'd like; you'll just need a fresh reboot to "recertify" the integrity of the trust chain before you jump into game.
With heightened VM prevention, we'll drive up the cost of botting and inflict significant friction onto re-offenders. Bot supply for boosting accounts will dry up, and bypassing bans will no longer be "buy another level 30." With its device fingerprinting, Vanguard also gives us a renewed opportunity to sink teeth into boosting, smurfing, and account compromise. We'll be able to revoke rewards boosters didn't deserve, get smurfs to their proper rating faster, and maybe even invalidate "unfair" premades.