Chess playing software detection--speculation: how do they detectprograms on your local machine?

[raylopez99]

As anybody who plays chess online knows, on occasion a chess playing
site like the one PlayChess by Chessbase will say "Player XYZ detected
using chess playing software--their account has been deleted".

Also when recently the Topolov-Anand match was played, the Bulgarian
servers stated (when I was checking out the live match): "Warning:
Chessbase detected!". Apparently they were upset that Chessbase
software was being used to analyze the match, which they wanted
exclusive live rights to (they have sense sued Chessbase).

Speculation: how do they do that? How to they detect software
remotely--isn't this a security breach?

Some theories:

1) They have some software that can check out what programs are
running in your memory, and:
(a) this software is bundled with the chess interface used by online
chess playing programs, or
(b) this is a Java applet that runs under any browser

If 1)(b), isn't this something an anti-virus program would catch?
Maybe not.

2) They are faking it: they simply analyze some games played by
suspected cheaters--maybe people reported by opponents who are
suspicious --and if enough of the game show that nearly all moves were
the 'recommended' moves played by typical chess playing software like
Rybka or Fritz, then the accounts are deleted. In the case of the
Bulgarian servers--since the organizers of this match were upset with
Chessbase before the match because Chessbase stated they were going to
rebroadcast the moves--which BTW I don't think Chessbase has legal
rights to--the Bulgarian organizers simply added a message "Warning:
Chessbase detected!" just to show anybody they were upset with
Chessbase, to scare them, since most serious chess players use
Chessbase. In other words, it was a fake message that everybody saw,
even those not using Chessbase software.


RL

 

[David H. Lipman]

From: "raylopez99" <[email protected]>

| As anybody who plays chess online knows, on occasion a chess playing
| site like the one PlayChess by Chessbase will say "Player XYZ detected
| using chess playing software--their account has been deleted".

| Also when recently the Topolov-Anand match was played, the Bulgarian
| servers stated (when I was checking out the live match): "Warning:
| Chessbase detected!". Apparently they were upset that Chessbase
| software was being used to analyze the match, which they wanted
| exclusive live rights to (they have sense sued Chessbase).

| Speculation: how do they do that? How to they detect software
| remotely--isn't this a security breach?

| Some theories:

| 1) They have some software that can check out what programs are
| running in your memory, and:
| (a) this software is bundled with the chess interface used by online
| chess playing programs, or
| (b) this is a Java applet that runs under any browser

| If 1)(b), isn't this something an anti-virus program would catch?
| Maybe not.

| 2) They are faking it: they simply analyze some games played by
| suspected cheaters--maybe people reported by opponents who are
| suspicious --and if enough of the game show that nearly all moves were
| the 'recommended' moves played by typical chess playing software like
| Rybka or Fritz, then the accounts are deleted. In the case of the
| Bulgarian servers--since the organizers of this match were upset with
| Chessbase before the match because Chessbase stated they were going to
| rebroadcast the moves--which BTW I don't think Chessbase has legal
| rights to--the Bulgarian organizers simply added a message "Warning:
| Chessbase detected!" just to show anybody they were upset with
| Chessbase, to scare them, since most serious chess players use
| Chessbase. In other words, it was a fake message that everybody saw,
| even those not using Chessbase software.

Huh ?

 

[FromTheRafters]

As anybody who plays chess online knows, on occasion a chess playing
site like the one PlayChess by Chessbase will say "Player XYZ detected
using chess playing software--their account has been deleted".

Also when recently the Topolov-Anand match was played, the Bulgarian
servers stated (when I was checking out the live match): "Warning:
Chessbase detected!". Apparently they were upset that Chessbase
software was being used to analyze the match, which they wanted
exclusive live rights to (they have sense sued Chessbase).

Speculation: how do they do that? How to they detect software
remotely--isn't this a security breach?

Some theories:

1) They have some software that can check out what programs are
running in your memory, and:
(a) this software is bundled with the chess interface used by online
chess playing programs, or
(b) this is a Java applet that runs under any browser

If 1)(b), isn't this something an anti-virus program would catch?
Maybe not.

2) They are faking it: they simply analyze some games played by
suspected cheaters--maybe people reported by opponents who are
suspicious --and if enough of the game show that nearly all moves were
the 'recommended' moves played by typical chess playing software like
Rybka or Fritz, then the accounts are deleted. In the case of the
Bulgarian servers--since the organizers of this match were upset with
Chessbase before the match because Chessbase stated they were going to
rebroadcast the moves--which BTW I don't think Chessbase has legal
rights to--the Bulgarian organizers simply added a message "Warning:
Chessbase detected!" just to show anybody they were upset with
Chessbase, to scare them, since most serious chess players use
Chessbase. In other words, it was a fake message that everybody saw,
even those not using Chessbase software.

http://support.chess.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=711

"How does Chess.com detect cheating?
One part of our analysis involves comparing human moves to computer moves
and looking at statistical significance. The other parts are not public
knowledge. We will never disclose our exact methods for catching cheaters
(to prevent cheaters from adapting their methods), but it involves both
cutting-edge technology and human judgment."

See also:

http://www.chessclub.com/help/Speedtrap

"The methods we use are confidential, because describing them in detail
would allow cheaters to cheat more intelligently. However, we can clear up
some common misconceptions by listing some things that do NOT cause us to
put someone on the computer list:"

I suspect they all will have similar 'explanations' on their respective
sites.

....shouldn't that be Ruy Lopez? ) I used that name when installing Vista
because of the chess piece icon displayed during the process, and I never
use my real name on any of my computers.

 

[Jackie]

[snip]

I doubt this belongs in the C# group or AV group. Probably not chess
either. More like software security or something, I think.

I have some ideas on how they do this and how they do it in any other
online game. I won't go into the details on exactly how you can do the
same or how you can defeat it.

Speculation: how do they do that? How to they detect software
remotely--isn't this a security breach?

You have two choices, at least: Take a risk or not play it.
There's no way to to detect such things remotely without the local
machine sending some data first that allows the remote machine to detect
it. Internal data of the game could be changed by the analyzer one way
or another (you don't see this anywhere on the outside), and the game
can either detect it locally or send a hash of or chunk of the data for
verification.

Some theories:

1) They have some software that can check out what programs are
running in your memory, and:

Either that or what I mentioned earlier. These are the simplest methods
I can think of at the moment at least.

(a) this software is bundled with the chess interface used by online
chess playing programs, or

Sure, it could be either bundled with it, integrated into the main
application (game) or it is downloaded from somewhere after
installation. Maybe I misunderstood?

(b) this is a Java applet that runs under any browser

If so, it can of course check its internal data and let the server know
either if something is suspicious, or simply let the server decide if it
looks suspicious. I doubt it would be allowed to check what other
applications are running and read from their memory if it's a Java
applet, since that sounds very dangerous. But it's an IE or Firefox
plugin.. Yes, I think that would be possible. Just like the Flash
plugin. You may know it has been vulnerable for exploitation.

If 1)(b), isn't this something an anti-virus program would catch?
Maybe not.

They can't magically know what kind of application it is and decide that
it is something that should be "caught". If it should block Java applets
by default, they should of course let you decide whether to run it or
not. Or if it has the same kind of feature I have in Outpost Firewall
Pro ("Host protection"), it will catch attempts to access other
processes (for example reading memory from them).

2) They are faking it: they simply analyze some games played by
suspected cheaters--maybe people reported by opponents who are
suspicious --and if enough of the game show that nearly all moves were
the 'recommended' moves played by typical chess playing software like
Rybka or Fritz, then the accounts are deleted. In the case of the
Bulgarian servers--since the organizers of this match were upset with
Chessbase before the match because Chessbase stated they were going to
rebroadcast the moves--which BTW I don't think Chessbase has legal
rights to--the Bulgarian organizers simply added a message "Warning:
Chessbase detected!" just to show anybody they were upset with
Chessbase, to scare them, since most serious chess players use
Chessbase. In other words, it was a fake message that everybody saw,
even those not using Chessbase software.

I think that would be a complex to do anyways, so I doubt it. But of
course they can if if they want to.

RL

Cheat detection methods do it one way or another with some variations,
but I believe it's basically the same thing (of course, some are better
than others).
I have not tried to give you very informational technical details on
this. Just enough, I hope.

 

[David H. Lipman]

From: "Jackie" <[email protected]>

[snip]

| I doubt this belongs in the C# group or AV group. Probably not chess
| either. More like software security or something, I think.

+1

 

[raylopez99]

...shouldn't that be Ruy Lopez? ) I used that name when installing Vista
because of the chess piece icon displayed during the process, and I never
use my real name on any of my computers.

Very clever. And thanks for the links with explanations...those chess
programmers are always on the cutting edge!

Ray "Ruy" Lopez

 

[raylopez99]

[snip]

I doubt this belongs in the C# group or AV group. Probably not chess
either. More like software security or something, I think.

Feel free to cross-post it there then.

I have some ideas on how they do this and how they do it in any other
online game. I won't go into the details on exactly how you can do the
same or how you can defeat it.

Hell why not? I guess you might be giving away company secrets?

You have two choices, at least: Take a risk or not play it.
There's no way to to detect such things remotely without the local
machine sending some data first that allows the remote machine to detect
it. Internal data of the game could be changed by the analyzer one way
or another (you don't see this anywhere on the outside), and the game
can either detect it locally or send a hash of or chunk of the data for
verification.

Well of course I assume the local machine sends data.

Either that or what I mentioned earlier. These are the simplest methods
I can think of at the moment at least.

I have a feeling this is not so simple...

If so, it can of course check its internal data and let the server know
either if something is suspicious, or simply let the server decide if it
looks suspicious. I doubt it would be allowed to check what other
applications are running and read from their memory if it's a Java
applet, since that sounds very dangerous. But it's an IE or Firefox
plugin.. Yes, I think that would be possible. Just like the Flash
plugin. You may know it has been vulnerable for exploitation.

A plugin to check memory, to see if chess playing software resides in
said memory? Dangerous sounding.


Well this turns out to be one way--but not the only way--cheating is
detected according to the poster FromTheRafters.

Cheat detection methods do it one way or another with some variations,
but I believe it's basically the same thing (of course, some are better
than others).
I have not tried to give you very informational technical details on
this. Just enough, I hope.

Not enough I pray. But don't give away the kimono and compromise the
internet just to satisfy my curiosity.

Thanks,

Ray

 

[Arne Vajhøj]

As anybody who plays chess online knows, on occasion a chess playing
site like the one PlayChess by Chessbase will say "Player XYZ detected
using chess playing software--their account has been deleted".

Also when recently the Topolov-Anand match was played, the Bulgarian
servers stated (when I was checking out the live match): "Warning:
Chessbase detected!". Apparently they were upset that Chessbase
software was being used to analyze the match, which they wanted
exclusive live rights to (they have sense sued Chessbase).

Speculation: how do they do that? How to they detect software
remotely--isn't this a security breach?

Some theories:

1) They have some software that can check out what programs are
running in your memory, and:
(a) this software is bundled with the chess interface used by online
chess playing programs, or
(b) this is a Java applet that runs under any browser

If 1)(b), isn't this something an anti-virus program would catch?
Maybe not.

2) They are faking it: they simply analyze some games played by
suspected cheaters--maybe people reported by opponents who are
suspicious --and if enough of the game show that nearly all moves were
the 'recommended' moves played by typical chess playing software like
Rybka or Fritz, then the accounts are deleted. In the case of the
Bulgarian servers--since the organizers of this match were upset with
Chessbase before the match because Chessbase stated they were going to
rebroadcast the moves--which BTW I don't think Chessbase has legal
rights to--the Bulgarian organizers simply added a message "Warning:
Chessbase detected!" just to show anybody they were upset with
Chessbase, to scare them, since most serious chess players use
Chessbase. In other words, it was a fake message that everybody saw,
even those not using Chessbase software.

I think it must be 1a.

An unsigned Java applet can not go outside the sandbox and
a signed Java applet will prompt for additional access.

Arne

 

[Jackie]

http://java.sun.com/j2se/1.4.2/docs/guide/security/permissions.html

I had a look here just now to figure out exactly what a Java applet is
allowed to do.

AWTPermission > readDisplayPixels
Screenshots to detect the analyzer.

FilePermission
Search for known "bad applications" in the file system to see if they
are installed.

RuntimePermission > setContextClassLoader
I am not sure exactly which system they are talking about here. But if
it is kind of the same as the SetThreadContext API on Windows, and in
addition the code is somehow injected into the remote process (which I
doubt), this is one way to take complete control over that process (read
from its memory and send something back to the chess applet?).

RuntimePermission > writeFileDescriptor
"may allow malicous code to plant viruses" (and other things)

RuntimePermission > loadLibrary.{library name}
"Java security architecture is not designed to and does not prevent
malicious behavior at the level of native code"

Well, this would be very dangerous and would allow anything to be done
in the OS as far as permissions allow it. Even outside the sandbox.

 

[Jackie]

Well, this would be very dangerous and would allow anything to be done
in the OS as far as permissions allow it. Even outside the sandbox.

But of course not without you letting it do that first.

 

[Jackie]

Feel free to cross-post it there then.

I would just assume you would take on that responsibility.

Hell why not? I guess you might be giving away company secrets?

Not worried about giving away "secrets", I just don't know what people
would do with that information once they know the details. I don't
support cheating in online games. If you take a look at MSDN, you can
look through APIs, read what they do and then form your own ideas on
what you can use them for. If you want to dig into their chess software
to figure out their protection, I suggest first learning some basics of
x86/x64 assembly and then using a debugger to begin. I like OllyDbg.

Well of course I assume the local machine sends data.

If I didn't explain it well enough without giving you *C# code* that
either detects these analyzers for *chess games*, or a way to bypass *AV
software* so that you can use them, I am not sure exactly how to answer.

I have a feeling this is not so simple...

Okay.

A plugin to check memory, to see if chess playing software resides in
said memory? Dangerous sounding.

I think they would have access to the system. Checking for example
window titles or checking each process' memory to see if it matches
known "bad applications". Maybe checking the file system with Flash or
Java if they have enough permissions, or taking screen shots. You can
see my other post about Java permissions at least.

 

[Arne Vajhøj]

http://java.sun.com/j2se/1.4.2/docs/guide/security/permissions.html

I had a look here just now to figure out exactly what a Java applet is
allowed to do.

AWTPermission > readDisplayPixels
Screenshots to detect the analyzer.

FilePermission
Search for known "bad applications" in the file system to see if they
are installed.

RuntimePermission > setContextClassLoader
I am not sure exactly which system they are talking about here. But if
it is kind of the same as the SetThreadContext API on Windows, and in
addition the code is somehow injected into the remote process (which I
doubt), this is one way to take complete control over that process (read
from its memory and send something back to the chess applet?).

RuntimePermission > writeFileDescriptor
"may allow malicous code to plant viruses" (and other things)

RuntimePermission > loadLibrary.{library name}
"Java security architecture is not designed to and does not prevent
malicious behavior at the level of native code"

Well, this would be very dangerous and would allow anything to be done
in the OS as far as permissions allow it. Even outside the sandbox.

I am not quite sure that I understand your point.

Java operates with many permissions.

Some of them gives access to critical things.

So if a Java applet asks if you want to give it privs,
then you should only allow it if you are very confident
about the source of the code.

No surprise in that.

Arne

 

[Jackie]

I am not quite sure that I understand your point.

Well, Mr. Ray may want to know details like these to figure out if it is
even possible for a Java applet to read memory from other processes and
how likely it is. See it for himself and think about it on his own, and
not just take whatever we say as truth. One must figure it out one way
or another, and this is one way to know if it is possible or if you can
scratch Java applets completely from the list.