Packman is a ring 3 (user-mode) anti-tamper security software for League of Legends, developed by Riot Games. Implemented in V8.12 (V8.8 on PBE), it was created to detect cheat scripters and prevent them from ruining the integrity of matches. Upon its release, it virtually eliminated cheating in League of Legends.[1] Packman's primary objective was to make the game engine binary significantly more difficult to decrypt, a practice known as obfuscation.
Packman was built on the expectation of an ordinary amount of reverse engineering, in which certain vulnerabilities would be exploited and then patched by Riot Games. However, a significant data breach at Riot in 2023[2] leaked the codebase for Packman (among other League of Legends code), which meant that any protections it provided could be deciphered quickly and made it immediately obsolete. Maintaining a deciphered solution is unsustainable, so Riot promptly retired Packman and replaced it with Riot Vanguard, its existing proprietary solution that, most crucially, has not been deciphered.[3][4]
Usage
Packman uses its own Portable Executable file encryption to protect the game's executable. The protected game loads a library named stub.dll at startup, which handles decryption and initializes the detections.
Packman employs a multifaceted approach to combat cheating, focusing on encrypting game code, managing dependency loading, thwarting debuggers, and protecting game data. Here's how Packman achieves these objectives:[5]
- Encrypting Game Code: Encrypting the game code makes it challenging for cheaters to analyze and modify the code with traditional methods like debuggers or disassemblers. Packman achieves this by encrypting the relevant sections of the game executable file, specifically focusing on the executable's ".text" section where the actual executable code resides. It also decrypts certain parts only when necessary and during gameplay.
- Managing Dependency Loading: Packman manipulates the way the operating system loads external libraries (dependencies) for the game. Instead of embedding unpacking code within the game itself, it generates an external library for unpacking and modifies the game's import descriptors to list only this library. This ensures that the unpacking library is the only one loaded, allowing Packman to validate dependencies before they are loaded, enhancing security.
- Obstructing Debuggers: Packman includes various anti-debugging techniques to thwart attempts by cheaters to attach debuggers or binary instrumentation tools to the game client while it is running. Random debugger checks are placed throughout the code during the bootstrapping process, and their behavior and appearance are varied between builds. This makes it impractical for cheating software to automate an analysis of the code.
- Obfuscating Game Data: Packman protects game data, such as global variables and class members, from being easily manipulated by cheaters. It blocks common cheating techniques, such as memory searching tools, by ensuring that when a value changes (e.g. health points), the memory location of the value also changes, making it difficult for cheaters to track specific values. Packman also encrypts the data and introduces variations in encryption to add further complexity and obfuscation.
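The data-protection idea in the last item can be sketched in C++ as follows. This is an added example, not Riot's code: the class name `RelocatingValue`, the per-write XOR mask (a stand-in for whatever encryption Packman applied) and the sample health values are assumptions.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <memory>
#include <random>
#include <type_traits>
#include <utility>

// Added illustration, not Riot's code: RelocatingValue is a hypothetical name,
// and the XOR mask is a stand-in for whatever encryption Packman applied.
template <typename T>
class RelocatingValue {
    static_assert(std::is_trivially_copyable<T>::value && sizeof(T) <= 8,
                  "demo handles small plain values only");
public:
    explicit RelocatingValue(T v) { set(v); }

    T get() const {
        std::uint64_t raw = *cell_ ^ key_;   // unmask only for the read
        T out;
        std::memcpy(&out, &raw, sizeof(T));
        return out;
    }

    void set(T v) {
        static std::mt19937_64 rng{std::random_device{}()};  // demo PRNG, not a CSPRNG
        std::uint64_t raw = 0;
        std::memcpy(&raw, &v, sizeof(T));
        // Fresh mask per write; 0x01 in every byte means no stored byte equals its plaintext.
        std::uint64_t k = rng() | 0x0101010101010101ULL;
        // New cell is allocated while the old one is live, so the address always changes.
        auto fresh = std::make_unique<std::uint64_t>(raw ^ k);
        cell_ = std::move(fresh);            // old cell is freed here
        key_ = k;
    }

    std::uintptr_t address() const { return reinterpret_cast<std::uintptr_t>(cell_.get()); }
    std::uint64_t stored() const { return *cell_; }   // what a memory scan would see
private:
    std::unique_ptr<std::uint64_t> cell_;
    std::uint64_t key_ = 0;
};

int main() {   // constructed sample values: health drops from 100 to 85
    RelocatingValue<int> hp(100);
    std::printf("hp=%d at %#llx\n", hp.get(), (unsigned long long)hp.address());
    hp.set(85);
    std::printf("hp=%d at %#llx\n", hp.get(), (unsigned long long)hp.address());
}
```

Each write lands at a new heap address under a new mask, so a scan for the old value or the old location finds nothing stable to follow between updates.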
References
- Dev: Removing Cheaters from LoL
- X (Riot Games) — Riot data breach
- YouTube — Vanguard announcement
- LeagueOfLegends.com — Dev: Vanguard x LoL
- Riot's Approach to Anti-Cheat in 2018