Anti-Cheat Transparency

Reckonr

This Reddit user claims that Ephinea's anti-cheat DLL is quite intrusive. I'm hoping for some insight into what it exposes to the staff team, what gets logged, and whether or not it is active even when the game is closed. After some Googling, I stumbled across this Wine page, which suggests that it could be a rootkit.

With all that said, I fully trust that the staff have no malicious intent, and that their sole motivation is to improve the quality of the game by keeping it as cheat-free as possible. I'm just curious and would like to know more about how it's impacting my privacy.
 
Well, I doubt if you would be kostaki, that you would agree to it omegalul. I also doubt that u get insight, but I might be wrong. I'm 100% sure the client does nothing more than it should do.
 
Problems with the exe's being flagged are false positives. This happens on other PSOBB servers as well with their DLL. It's just a way to deliver custom content to users; it gets flagged because it loads things into memory and AVs see this as a trojan. Since editing the client without Sega's source code for the client is like poking around for a needle in a haystack to find what you're trying to change, it's simpler to load things into a DLL file that loads after the client.

Probably just some butthurt whiner who got banned posting up a cringefest because they're booty bothered. That all aside, it does say on the patcher screen on logging in that the server collects info for the sole use of identifying users properly, if people are bothered by this they're free to leave.
 
I completely understand why it gets detected as a virus--because it sounds like in a lot of ways, it acts similarly to one. Like I said, I fully believe the devs have honest intentions. Not sure why you guys assume I'm angry, or trying to start drama. I played a few years ago and want to get back into it. Just want to know a bit more about what I'd be agreeing to run. Seems perfectly reasonable to me.
 
With two exceptions, everything it does is confined to the memory of the game.

The two exceptions are:

- Scanning of currently open window titles for specific strings.
- Scanning of currently open processes for specific strings.

That's it.

If you're worried about the game scanning your currently open windows or process names for strings that would trigger the game to crash, then don't play on the server.
 
I'm not concerned about it scanning open windows or process names. Although, I would like to know:

- Are scans only performed when the game is open?
- Do all process names get logged? Or are they only recorded if they meet the criteria?
- If the processes are logged, are the logs erased after a certain amount of time?

Thanks.
 
- Yes, because it's not a rootkit running on your system. The DLL is only executed when psobb.exe is running as it ran at startup of the game and persists as the game is running. (Easy to test since you can just delete it while the game is not running plus installing or uninstalling the game does not require you to reboot, so nothing is constantly running.)
- No, nothing is logged.
- N/A since they're not logged.
 
That's reassuring. Thanks Soda. =)
 
The original PSOBB used to use Gameguard, which was a thousand times more intrusive than anything private servers will ever make. In fact, the original Gameguard had its own kernel driver that installed on your system and persisted even after you completely uninstalled the game. The system driver could cause complete system crashes, causing bluescreens on certain computers. I remember people making step-by-step tutorials on how to remove the anticheat from their system. I have bad news for you if you ever wanna try to play PSO2 and those things bother you. I believe they still use Gameguard. Oh, and Gameguard also logged your process list on their servers.

For your personal information: what triggers antivirus on private servers is the obfuscation/packing methods they use so that people can't easily reverse their anticheat/custom content, rather than what the process itself does. Antivirus programs don't like it because they can't easily tell what it does and would show you high confidence/high entropy as the cause. This tells you the antivirus will have trouble protecting you against the file since it cannot tell what's inside. Sometimes, the same public packer/obfuscation algorithm is used by a virus (viruses almost always do the same in an attempt to make it harder to reverse them/hide themselves from antivirus software, at least initially), which leads to the antivirus erroneously detecting the packer signature as a virus.
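The high-entropy point in the post above, as an added example that is not part of the original thread and is not Ephinea's or any antivirus vendor's code: it measures Shannon entropy per 1 KiB window and marks the windows a packing heuristic would call opaque. The 7.0 bits-per-byte threshold, the function names and the sample bytes are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

# Assumed cut-off in bits per byte; real antivirus engines tune their own.
PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def scan_windows(blob: bytes, window: int = 1024):
    """Return (offset, entropy, looks_packed) for each full window of blob."""
    results = []
    for off in range(0, len(blob) - window + 1, window):
        h = shannon_entropy(blob[off:off + window])
        results.append((off, round(h, 2), h >= PACKED_THRESHOLD))
    return results


def build_sample() -> bytes:
    """Constructed input: 2 KiB of repetitive code-like bytes, then 2 KiB of
    SHA-256 counter output standing in for a compressed or encrypted section."""
    plain = (b"\x55\x8b\xec\x83\xec\x10\x8b\x45\x08\x5d\xc3\x90" * 171)[:2048]
    packed = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(64))
    return plain + packed


if __name__ == "__main__":
    for off, h, flagged in scan_windows(build_sample()):
        label = "high entropy, contents opaque" if flagged else "ordinary"
        print(f"offset {off:5d}  entropy {h:4.2f}  {label}")
```

A flagged window only means the bytes are statistically indistinguishable from compressed or encrypted data; it says nothing about what the code does once unpacked.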
 