Introduction
Creating a robust usermode anti-cheat for the HorizonMW project has been one of the most challenging yet rewarding experiences I've undertaken. Without kernel access, the task became exponentially more complex, as many conventional cheat detection mechanisms rely heavily on low-level privileges to scan and monitor system memory, hooks, and other hidden activities. Operating purely in usermode, I had to develop innovative strategies to ensure the integrity of the game environment, all while maintaining performance and avoiding conflicts with legitimate applications.
One of my primary goals was to ensure the integrity of not only the game’s memory and files but also the communication between the client and backend servers. This was crucial because any vulnerabilities in these areas could allow cheaters to exploit the system undetected. I focused on secure memory validation, file verification, and encrypted communication channels to build a comprehensive defense against external tampering and therefore prevent cheating in the first place. With serversided heuristic and behavioral detections I aimed to retrospectivly detect cheaters, which isn't as satisfying.
Unfortunately, despite all the work and learning I poured into this project, the anti-cheat will never see a public release. HorizonMW didn’t gain enough players, and I eventually had to quit the project as it wasn't worth the time invested. Ultimately, my goal was to gain experience in building advanced usermode security, and while I achieved that, the project's unfortunate end meant my anti-cheat remains an unrealized solution. (Quick note: The team @ HMW is amazing, i wish em all the best)
The Plan To Prevent Cheating
The core idea behind my approach was to prevent cheating as effectively as possible and, when cheating did occur, detect behavior in such a detailed and informative way that manual reviews and report analysis would lead to accurate bans. Prevention formed the foundation of the system, and I built a comprehensive backend to handle everything from user authentication to cheat detection management. A major element of this backend was sophisticated hardware identifier tracking and file-based tracking mechanisms, which made it more difficult for players to bypass detection through hardware changes or file tampering. Additionally, I implemented a report and detection management system that enabled easy handling of player reports and automated detection alerts, streamlining the review process for administrators.
The goal was to prevent cheating at the source by ensuring the integrity of game files, memory, and communication with the backend servers. Prevention was the top priority, even though achieving it in usermode presents significant challenges. In usermode, cheats can easily bypass basic detection methods using kernel-mode drivers, which operate at a much lower level, making it difficult for usermode anti-cheats to intervene. The key, therefore, wasn’t to block every sophisticated kernel cheat, but to make it as frustrating as possible for cheaters to reverse-engineer game structures and avoid the simplest forms of cheating, such as external memory reads or basic internal hacks.
To combat these simpler cheating methods, I hooked functions like LoadLibrary and scanned memory regions for new allocations, detecting any injected or loaded libraries. The integrity of these libraries was then verified using signature checks and hash comparisons against a known whitelist of allowed libraries. Any unauthorized or malicious libraries were either blocked outright or flagged for manual review. In addition to these measures, I collected and analyzed heuristic data to detect ban evaders, identify cheat overlays that used specific window properties (e.g., "topmost" or "layered" flags), and monitored critical memory regions and functions for manipulations, such as user command manipulations, which could be exploited to override player input data like angles and movements.
One key focus of my anti-cheat system was server-side data gathering and analysis, which became essential for detecting cheating behaviors post-exploitation. By analyzing player data, I was able to compute various statistics and angles to identify malicious behavior. For example, after a damage or kill event was triggered, I calculated the attacking player’s angles and verified whether their weapon was actually aimed at the target. This analysis had to account for different weapons and situations, so that false positives, such as kills by grenade or killstreaks, wouldn't trigger the detection systems.
Ensuring the accuracy and relevance of the collected data was paramount. This allowed for smooth manual reviews and reliable automated detections based on the server-side data. The result was a system where rage hacking or obvious cheating became nearly impossible, even when using advanced cheating methods. However, detecting "legit cheats" that utilized kernel-mode access to read memory remained a more difficult challenge. While these cheats were harder to detect due to the lack of kernel access in the anti-cheat, they were also not the priority for this specific game. Catching those would have required kernel-level anti-cheat mechanisms or, alternatively, would rely on manual reviews and player reports which would luckily be very efficient in an average 120 Player environement.
The Challenges I encountered
One of the biggest challenges I faced during the development of the anti-cheat was the nature of the game itself. HorizonMW was a modded client of Call of Duty, and unfortunately, it was very poorly made. The client was plagued with bugs, vulnerabilities within multiple parts of the code, especially in the networking, suffered from terrible performance issues, and, most significantly, the game was loaded into memory as a dynamic library. This meant that I had no source code to work with, making it a complex and delicate task to hook into game functions and interact with them. Every modification or feature required analyzing and hooking the game’s functions without breaking anything in the process, which was challenging given how fragile the client was.
Monitoring and analyzing the process memory was another enormous hurdle. Since the game was poorly optimized and loaded a ton of libraries dynamically, nothing was documented. This dynamic nature made the memory complex and ever-changing. I had to manually map out the memory, analyze patterns, and develop a custom memory analysis algorithm specifically tailored to this game binary. The goal was to detect anomalies, such as injected code or newly allocated memory regions that could signal cheating attempts. Given the lack of documentation, this process was extremely time-consuming, requiring deep analysis and a lot of trial and error.
Another significant challenge was operational security (opsec). There were numerous people involved in the project, and internal drama and trust issues made it clear to me that I had to safeguard my work. I made the decision to only partially upload the anti-cheat source code, keeping critical parts of it off the shared GitLab repository to prevent potential leaks or unauthorized access. For example, many of the detection modules were only stored in my own development environment, and the custom backend communication protocol I developed was never shared with the wider team. As an anti-cheat developer, it’s crucial to ensure that sensitive parts of the system remain secure and don’t fall into the wrong hands, which could ultimately lead to bypasses or exploits being developed.
Maintaining good opsec is vital in anti-cheat development. Exposing too much of the code, especially within a project where multiple people have access, can lead to leaks or reverse-engineering attempts that compromise the entire system. By carefully managing what was shared and what remained private, I was able to mitigate some of these risks and keep the core mechanisms of my anti-cheat protected.
Final Word
While the journey of creating a usermode and server-side anti-cheat for HorizonMW was challenging and at times frustrating, it was also an invaluable learning experience. From navigating the complexities of a poorly made game client with no source code to ensuring the integrity of game memory and backend communications, I faced a wide range of technical hurdles. The process taught me not only how to approach cheat prevention in a usermode environment but also the importance of operational security in a project with multiple stakeholders.
Unfortunately, despite the progress I made, the anti-cheat will never see a public release. The HorizonMW project didn’t grow enough to make it worth the time and effort I had invested. It’s always disappointing when a project with so much potential fades out, but my goal was always to gain experience and improve my skills. And in that sense, this project was a success.
While I may not have been able to stop every cheater, I’m proud of the solutions I developed and the knowledge I gained along the way. This project has reinforced my passion for cybersecurity and anti-cheat development, and it will serve as a stepping stone for future endeavors.
Special thanks to:
- Patoke, for reversing the game and sharingme his cod engine knowledge
- CNR, Mental support
- Edgy, for being the most active lad i have ever seen, hope you dont burn out :3
- Swifty, for picking me up and giving me the opportunity to learn & test my skills
Creating a robust usermode anti-cheat for the HorizonMW project has been one of the most challenging yet rewarding experiences I've undertaken. Without kernel access, the task became exponentially more complex, as many conventional cheat detection mechanisms rely heavily on low-level privileges to scan and monitor system memory, hooks, and other hidden activities. Operating purely in usermode, I had to develop innovative strategies to ensure the integrity of the game environment, all while maintaining performance and avoiding conflicts with legitimate applications.
One of my primary goals was to ensure the integrity of not only the game’s memory and files but also the communication between the client and backend servers. This was crucial because any vulnerabilities in these areas could allow cheaters to exploit the system undetected. I focused on secure memory validation, file verification, and encrypted communication channels to build a comprehensive defense against external tampering and therefore prevent cheating in the first place. With serversided heuristic and behavioral detections I aimed to retrospectivly detect cheaters, which isn't as satisfying.
Unfortunately, despite all the work and learning I poured into this project, the anti-cheat will never see a public release. HorizonMW didn’t gain enough players, and I eventually had to quit the project as it wasn't worth the time invested. Ultimately, my goal was to gain experience in building advanced usermode security, and while I achieved that, the project's unfortunate end meant my anti-cheat remains an unrealized solution. (Quick note: The team @ HMW is amazing, i wish em all the best)
The Plan To Prevent Cheating
The core idea behind my approach was to prevent cheating as effectively as possible and, when cheating did occur, detect behavior in such a detailed and informative way that manual reviews and report analysis would lead to accurate bans. Prevention formed the foundation of the system, and I built a comprehensive backend to handle everything from user authentication to cheat detection management. A major element of this backend was sophisticated hardware identifier tracking and file-based tracking mechanisms, which made it more difficult for players to bypass detection through hardware changes or file tampering. Additionally, I implemented a report and detection management system that enabled easy handling of player reports and automated detection alerts, streamlining the review process for administrators.
The goal was to prevent cheating at the source by ensuring the integrity of game files, memory, and communication with the backend servers. Prevention was the top priority, even though achieving it in usermode presents significant challenges. In usermode, cheats can easily bypass basic detection methods using kernel-mode drivers, which operate at a much lower level, making it difficult for usermode anti-cheats to intervene. The key, therefore, wasn’t to block every sophisticated kernel cheat, but to make it as frustrating as possible for cheaters to reverse-engineer game structures and avoid the simplest forms of cheating, such as external memory reads or basic internal hacks.
To combat these simpler cheating methods, I hooked functions like LoadLibrary and scanned memory regions for new allocations, detecting any injected or loaded libraries. The integrity of these libraries was then verified using signature checks and hash comparisons against a known whitelist of allowed libraries. Any unauthorized or malicious libraries were either blocked outright or flagged for manual review. In addition to these measures, I collected and analyzed heuristic data to detect ban evaders, identify cheat overlays that used specific window properties (e.g., "topmost" or "layered" flags), and monitored critical memory regions and functions for manipulations, such as user command manipulations, which could be exploited to override player input data like angles and movements.
One key focus of my anti-cheat system was server-side data gathering and analysis, which became essential for detecting cheating behaviors post-exploitation. By analyzing player data, I was able to compute various statistics and angles to identify malicious behavior. For example, after a damage or kill event was triggered, I calculated the attacking player’s angles and verified whether their weapon was actually aimed at the target. This analysis had to account for different weapons and situations, so that false positives, such as kills by grenade or killstreaks, wouldn't trigger the detection systems.
Ensuring the accuracy and relevance of the collected data was paramount. This allowed for smooth manual reviews and reliable automated detections based on the server-side data. The result was a system where rage hacking or obvious cheating became nearly impossible, even when using advanced cheating methods. However, detecting "legit cheats" that utilized kernel-mode access to read memory remained a more difficult challenge. While these cheats were harder to detect due to the lack of kernel access in the anti-cheat, they were also not the priority for this specific game. Catching those would have required kernel-level anti-cheat mechanisms or, alternatively, would rely on manual reviews and player reports which would luckily be very efficient in an average 120 Player environement.
The Challenges I encountered
One of the biggest challenges I faced during the development of the anti-cheat was the nature of the game itself. HorizonMW was a modded client of Call of Duty, and unfortunately, it was very poorly made. The client was plagued with bugs, vulnerabilities within multiple parts of the code, especially in the networking, suffered from terrible performance issues, and, most significantly, the game was loaded into memory as a dynamic library. This meant that I had no source code to work with, making it a complex and delicate task to hook into game functions and interact with them. Every modification or feature required analyzing and hooking the game’s functions without breaking anything in the process, which was challenging given how fragile the client was.
Monitoring and analyzing the process memory was another enormous hurdle. Since the game was poorly optimized and loaded a ton of libraries dynamically, nothing was documented. This dynamic nature made the memory complex and ever-changing. I had to manually map out the memory, analyze patterns, and develop a custom memory analysis algorithm specifically tailored to this game binary. The goal was to detect anomalies, such as injected code or newly allocated memory regions that could signal cheating attempts. Given the lack of documentation, this process was extremely time-consuming, requiring deep analysis and a lot of trial and error.
Another significant challenge was operational security (opsec). There were numerous people involved in the project, and internal drama and trust issues made it clear to me that I had to safeguard my work. I made the decision to only partially upload the anti-cheat source code, keeping critical parts of it off the shared GitLab repository to prevent potential leaks or unauthorized access. For example, many of the detection modules were only stored in my own development environment, and the custom backend communication protocol I developed was never shared with the wider team. As an anti-cheat developer, it’s crucial to ensure that sensitive parts of the system remain secure and don’t fall into the wrong hands, which could ultimately lead to bypasses or exploits being developed.
Maintaining good opsec is vital in anti-cheat development. Exposing too much of the code, especially within a project where multiple people have access, can lead to leaks or reverse-engineering attempts that compromise the entire system. By carefully managing what was shared and what remained private, I was able to mitigate some of these risks and keep the core mechanisms of my anti-cheat protected.
Final Word
While the journey of creating a usermode and server-side anti-cheat for HorizonMW was challenging and at times frustrating, it was also an invaluable learning experience. From navigating the complexities of a poorly made game client with no source code to ensuring the integrity of game memory and backend communications, I faced a wide range of technical hurdles. The process taught me not only how to approach cheat prevention in a usermode environment but also the importance of operational security in a project with multiple stakeholders.
Unfortunately, despite the progress I made, the anti-cheat will never see a public release. The HorizonMW project didn’t grow enough to make it worth the time and effort I had invested. It’s always disappointing when a project with so much potential fades out, but my goal was always to gain experience and improve my skills. And in that sense, this project was a success.
While I may not have been able to stop every cheater, I’m proud of the solutions I developed and the knowledge I gained along the way. This project has reinforced my passion for cybersecurity and anti-cheat development, and it will serve as a stepping stone for future endeavors.
Special thanks to:
- Patoke, for reversing the game and sharingme his cod engine knowledge
- CNR, Mental support
- Edgy, for being the most active lad i have ever seen, hope you dont burn out :3
- Swifty, for picking me up and giving me the opportunity to learn & test my skills
