Chris Blume
@ProgramMax

14.5K posts

industry accolades: "software engineer" - BleepingComputer "developer" - Engadget "Twitter user" - XDA

Joined April 2009
948 Following · 1.4K Followers

Chris Blume @ProgramMax
@perthguppy @Dehiemi @oops4041555 I think Vanguard would need to stay kernel-level to enforce it. Otherwise, a kernel-level cheat could just lie and tell Vanguard "Yup, we definitely disable DMA within your memory space", right? Or heck, more simple than that. A kernel-level cheat won't need DMA to read memory.

Damian Guppy @perthguppy
@ProgramMax @Dehiemi @oops4041555 This specific feature however does not require kernel access; it is a standard Windows syscall to request memory protection. So if implemented more widely, Riot wouldn't need kernel access anymore.

Chris Blume @ProgramMax
@cr88192 @lauriewired I suspect (haven't read up yet) mainstream CPUs are the other way around. There are specialized instructions that are faster. But you can block them and follow some workaround code.

Brendan G Bohannon @cr88192
@ProgramMax @lauriewired Can't answer for mainstream CPUs, but for a soft-processor on FPGA, it can make sense to only implement core parts of the ISA in hardware; and effectively implement the rest as firmware. Using such an instruction effectively invokes an invisible trap handler, that fakes the op.

Chris Blume @ProgramMax
I feel like this might be a question for @lauriewired Suppose I am running my own local server. I might not want microcode updates that slow down my CPU. The mitigation is a non-issue here. And suppose one CPU is just perfect for my specific case. Market for non-updated CPUs??

Lettuce Defender @lettuce_isgood
@ProgramMax @Dehiemi @oops4041555 User mode drivers wouldn't work for an anticheat. Most drivers are still kernel mode on Windows and all (with exceptions like FUSE) are kernel mode on Linux.

Chris Blume @ProgramMax
@Dehiemi @lettuce_isgood @oops4041555 Agreed that other drivers or Windows itself could do the same. But you still want to limit the attack surface as much as possible. There are user-mode drivers, for example. And "no one has abused me yet" isn't a good take. If games weren't buggy, I wouldn't be *as* worried.

Edhie @Dehiemi
@lettuce_isgood @ProgramMax @oops4041555 It could do it, but has it done it? People are really stupid and ignorant; they think the anti-cheat, specially made to recognize cheats, is out of nowhere going to modify the system.

Chris Blume @ProgramMax
@m3M0RyHuN73R @lauriewired That's why I carefully spelled out the scenario and how the mitigations don't matter, despite the small tweet limitation. Spectre/Meltdown don't apply here.

memoryhunter. @m3M0RyHuN73R
@ProgramMax @lauriewired That could introduce microarchitectural attacks such as Spectre/Meltdown, etc., depending on CPU manufacturer and microarchitecture version.

Chris Blume @ProgramMax
@xdNeon1 @Dehiemi @oops4041555 Open Chrome, sign into Netflix, play a movie, screenshot it (win+shift+s). You'll see it is all black instead of the video. Because Chrome enables DRM there.

Chris Blume @ProgramMax
@xdNeon1 @Dehiemi @oops4041555 Ehhhh yes and no. You are right that any program run as User A can read memory from other programs run by User A. But it can't read User B memory. And it has to get permission from the kernel to read memory from those other programs. You can deny that. This is how DRM works.

Chris Blume @ProgramMax
@Dehiemi @oops4041555 Riot's Vanguard is kernel-level. It has full access to everything (except hypervisor). Reading, writing, you name it. When you type in your password to your bank account, Riot is watching that. Kernel-level is an arms race thing. It's scorched earth.

Edhie @Dehiemi
@ProgramMax @oops4041555 And yet people fail to understand that; still, Riot only has access to memory readings, not writings. They think their PC will break, when it only breaks if your cheats are trying to modify the system to make it work. People are really stupid.

Chris Blume @ProgramMax
@lauriewired I don't know why, but I had in my mind that it was an elaborate fuse network. On-boot patching makes a lot more sense. Well now I'm curious about the internals of how a CPU handles patchable instructions. I had the wrong mental model. *off to the reading chair*

LaurieWired @lauriewired
Microcode gets hot-loaded every boot actually (for x86 at least); it's not persistent to the CPU itself. It's the BIOS that loads the patch, and then often the OS on top of that. So: raw CPU -> BIOS (patch) -> OS (patch again). Really, if you want "old" microcode, that means an old BIOS + mitigations=off in the kernel, not an "old" CPU per se. (I think there might be some anti-rollback protections/fuses in some circumstances, but those are still rare-ish.)

Chris Blume @ProgramMax
Thinking more about the Riot Vanguard situation... You ever play Agar.io? The game is intentionally designed for bots. When there aren't enough players, the server spins up bots to play against you. Server-side cheat detect. Shadow ban sus accounts to bot games.

Chris Blume @ProgramMax
@pavitarsaini Oldie but goodie trick :) A lot of signup pages will have hidden fields with reasonable IDs. If a user signed up and filled in that field...no they didn't. It was a bot. Easy filter. (Note: This was before autofill.)

pav @pavitarsaini
Since when did Indeed start injecting invisible fake job cards as a scraper honeypot? They dupe a random entry to make it look real but hide it on the UI. I guess it's an easy enough scraping signal.

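The hidden-field trick from the two posts above (a decoy field humans never see, so a filled-in value means an automated client), as an added example written for this page rather than code from either post. The decoy field name `fax_number`, the `form_get`/`is_bot_submission` helpers and the sample bodies are all constructed here; the input format is an `application/x-www-form-urlencoded` request body.

```c
/* Added example (not code from either post): server-side honeypot check for a
 * signup form. The form carries a field that is hidden from humans, so a
 * non-empty value marks the submission as automated. The decoy field name and
 * the sample bodies are constructed for this example. Bodies are
 * application/x-www-form-urlencoded. */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define HONEYPOT_FIELD "fax_number"   /* constructed decoy name; pick one autofill will not recognise */

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Percent-decode n bytes of s into out. Returns the decoded length, or -1 when
 * the encoding is malformed or the value does not fit (NUL included). */
static int form_decode(const char *s, size_t n, char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        int c = (unsigned char)s[i];
        if (c == '+') {
            c = ' ';
        } else if (c == '%') {
            if (i + 2 >= n) return -1;                 /* truncated %XX */
            int hi = hexval((unsigned char)s[i + 1]);
            int lo = hexval((unsigned char)s[i + 2]);
            if (hi < 0 || lo < 0) return -1;           /* non-hex digits */
            c = hi * 16 + lo;
            i += 2;
        }
        if (o + 1 >= outsz) return -1;                 /* would overflow out */
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (int)o;
}

/* Find key in body and decode its value into out.
 * Returns 1 if found and decoded, 0 if the key is absent,
 * -1 if the key is present but its value is malformed or too long. */
int form_get(const char *body, const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key);
    const char *p = body;
    while (*p) {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        const char *eq = memchr(p, '=', plen);
        size_t keylen = eq ? (size_t)(eq - p) : plen;
        if (keylen == klen && memcmp(p, key, klen) == 0) {
            if (!eq) { out[0] = '\0'; return 1; }      /* bare "key" counts as empty */
            return form_decode(eq + 1, plen - keylen - 1, out, outsz) < 0 ? -1 : 1;
        }
        if (!end) break;
        p = end + 1;
    }
    return 0;
}

/* 1 = treat as bot, 0 = treat as human. A browser submits the hidden field
 * empty; only a client that fills in every field it finds populates it. A value
 * that cannot even be decoded still counts as "filled in", so oversized or
 * malformed input cannot slip past the check. */
int is_bot_submission(const char *body)
{
    char val[64];
    int r = form_get(body, HONEYPOT_FIELD, val, sizeof val);
    if (r == 0) return 0;
    if (r < 0) return 1;
    return val[0] != '\0';
}
```

The caveat the first post mentions still applies: browser autofill will happily populate a hidden `<input>` whose name looks like a real field, so the decoy should use a name autofill does not recognise and carry `autocomplete="off"`, and an absent field is treated as human here because a stripped-down form post is a different signal than a filled-in decoy.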
Chris Blume @ProgramMax
@gamaral23 @dystopiabreaker To clarify, write() is called and completed before the return. So hdr (and its address) will remain valid for the duration here. That's fine. Unless there is some hidden async going on here, which would be very unusual for C.

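An added illustration of the point made above, written for this page (the snippet from the original post is an image that is not captured here, so this is not that code): passing `&hdr` to a synchronous `write()` is safe because the call copies the bytes into the kernel before the caller's frame goes away, whereas the real lifetime bug is an API that holds on to the pointer for later. The `struct hdr` layout, the `send_header`/`roundtrip_header` helpers and the deferred-write queue are all constructed for the example.

```c
/* Added example (not the code from the original post): why passing the address
 * of a stack variable to write() is fine, and what the actual lifetime bug
 * would look like. write() copies the bytes out before it returns, so the
 * caller's stack frame is still live for the whole call. The header layout is
 * a constructed stand-in for the "hdr" in the discussion. */
#include <stdint.h>
#include <unistd.h>

struct hdr {                 /* hypothetical wire header, constructed here */
    uint32_t magic;
    uint32_t length;
};

/* Fine: hdr lives in this frame, write() completes synchronously, and we only
 * leave the frame after write() has consumed the bytes. */
ssize_t send_header(int fd, uint32_t length)
{
    struct hdr hdr = { .magic = 0x48445201u, .length = length };
    return write(fd, &hdr, sizeof hdr);
}

/* Round-trip through a pipe so the bytes can be checked after send_header's
 * frame is gone. Returns 0 on success, -1 on any failure. */
int roundtrip_header(uint32_t length, struct hdr *out)
{
    int fds[2];
    if (pipe(fds) != 0) return -1;
    ssize_t n = send_header(fds[1], length);
    close(fds[1]);
    ssize_t r = (n == (ssize_t)sizeof *out) ? read(fds[0], out, sizeof *out) : -1;
    close(fds[0]);
    return r == (ssize_t)sizeof *out ? 0 : -1;
}

/* Where the bug WOULD be: an API that defers the write (queues it for a later
 * flush). It must copy the header by value. Storing the caller's &hdr would
 * dangle as soon as the caller returned, and the later write() would read a
 * dead stack slot. */
struct pending { struct hdr copy; int fd; };
static struct pending queue[4];
static int queued;

int enqueue_header(int fd, const struct hdr *h)
{
    if (queued >= 4) return -1;
    queue[queued].copy = *h;            /* copy; never keep the pointer h itself */
    queue[queued].fd = fd;
    queued++;
    return 0;
}

/* Writes every queued header; returns how many were written in full. */
int flush_queue(void)
{
    int written = 0;
    for (int i = 0; i < queued; i++)
        if (write(queue[i].fd, &queue[i].copy, sizeof queue[i].copy) == (ssize_t)sizeof queue[i].copy)
            written++;
    queued = 0;
    return written;
}
```

The same reasoning applies to any synchronous syscall or library call: the address of a local is valid until the enclosing function returns, so the question to ask of a suspicious-looking `&local` argument is whether the callee can retain it past that point (a queue, a callback registration, an `aio_write`), not whether it is a stack address at all.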
Gui A. @gamaral23
@dystopiabreaker How has nobody mentioned that we are passing the address of a STACK variable to a function…

⚡️🌙 @dystopiabreaker
can you spot the critical vulnerability in this?
[attached image not captured]

Chris Blume @ProgramMax
Following up with some clarifying bits: It does force system-wide IOMMU, which at best slows down DMA (TLB misses) and at worst disables DMA on devices and drivers that are not IOMMU-aware. However, this is only set on systems identified as cheating.

Chris Blume @ProgramMax
@k1rallik BTW you can still MitM cheat (a different machine with the cheats intercepts traffic--Vanguard not installed there). Which means they still need server-side anti-cheat anyway. And server-side doesn't make my computer vulnerable.

Chris Blume @ProgramMax
@k1rallik "> internet calls it a Chinese rootkit" It still is that, though. Tencent owns ~93% of Riot. And it's a rootkit. "...and the only people mad are the guys who [cheated]" No. People who don't want rootkits just to play games are mad. That's worse than cheaters in a video game.

BuBBliK @k1rallik
> be Riot
> 2014 anti-cheat team is 3 guys
> legacy system Packman barely works
> 2020 ship Vanguard, kernel-level, on boot
> internet calls it a Chinese rootkit
> ship it anyway
> ban 3.6M Valorant cheaters in 4 years
> one ban every 37 seconds
> 2024 force it onto League, 175K bans in months
> scripting drops below 1% for the first time in 4 years
> Elysium, Oasys, Zeitgeist all shut down
> May 22 2026 flip IOMMU on DMA rigs, they blue-screen mid-match
> tweet "congrats on your $6k paperweight"
a Tencent rootkit just bricked a $6,000 wallhack rig and the only people mad are the guys who bought one

Quoting Riot Games @riotgames:

Well, that escalated quickly. There's been a wave of claims by cheaters about Vanguard "bricking" their PCs, so let's clear that up: Vanguard does not damage hardware or disable your devices. The photo we posted is a picture of cheat hardware devices that are sold explicitly for cheating in VALORANT (not normal PCs or PC components). Through our latest updates, Vanguard now makes those devices worthless for VAL, but does not in any way brick PCs or PC components or PC software. Our latest update enforces standard platform security features, like the Input-Output Memory Management Unit (IOMMU), on accounts identified as using Direct Memory Access (DMA) cheating devices. These protections are already part of modern systems and when enabled, they block DMA cheat devices (such as those shown in the photo) from accessing memory in downstream applications, like our games. If a cheat setup continues attempting to cheat after those protections are enabled, the system may generate hardware faults or instability. This is expected behavior under IOMMU when attempts are made to read protected memory. Disabling IOMMU allows the cheat device to function again, but IOMMU will still be required to play our games. This means the cheat device won't work with our games, but your PC isn't "bricked." We would not, and cannot, impact your PC's functionality in any other fashion. This functionality only applies to systems attempting to use DMA cheat devices, and players who are not using DMA-based cheat setups are not affected. We'll keep investing in anti-cheat to protect competitive integrity, and we'll keep being as transparent as possible about how those systems work.

Chris Blume @ProgramMax
@Darpinian I had a weird experience where an online store that sold digital security products would not work when accessed via VPN. I can see a botting concern. But the irony made me laugh.

James @Darpinian
the internet is slowly splitting into two kinds of websites. ones that only work when my VPN is off, and ones that only work when my VPN is on