Avarixzen | Security Programming, and Advice (Protect your games!)


Status
:white_check_mark: Open for contracts and discussion

:phone: CONTACT
Ava.gg#7103 - Discord

:information_source: Portfolio Introduction

Throughout developer forums sit hundreds of portfolios for services ranging from Graphic Artists, Programmers, Animators, Sound Design, and many more. However, one area seems to always be lacking and that is what the portfolio here aims to offer.

It is shocking to me how many games today that reach such status as the front page still lack very basic security knowledge and it shows in the types of malicious scripts for their games. Ranging from Apocalypse Rising 2’s unprotected humanoids from lack of understanding to Rogue Lineage’s bewildering attempts to detect things many of the malicious tools patched upwards of a year ago.

In the past I’ve developed a YouTube tutorial series to help developers understand their games better and how to protect them against the growing community of exploiters. I’ve been offered positions in games such as Vesteria, Dungeon Quest, and many others. Including a plethora of lesser known games that haven’t had the success of the aforementioned.

:question: Who are you?
Admittedly, yet not surprisingly; I’ve previously been part of the exploiting community, and have been developing scripts for the thick end of five years. Over the time I’ve been a part of the malicious side of the constant struggle against exploitation I’ve discovered things many developers tend to really misunderstand. I firmly believe a developer who has never experienced this side of the back and forth has massive areas lacking in their understanding of how much power exploiters have, and what you can actually use in your arsenal to combat these people.

I’ve bypassed countless methods of preventing exploitation on almost any front-page game you can list, excluding very few. This experience in bypassing these methods has of course always left me wondering how developers could’ve prevented what I did to bypass. And in some cases, the answer is that it’s just impossible to prevent such exploitation as metamethod abusing and so on. However, this isn’t always the case; I see games daily that could easily patch up a lot of their public exploits that are present for their games; but for one reason or another they don’t. And usually that reason? Lack of knowledge. Games should start hiring someone specifically for developing measures to prevent and slow-down exploits.

:pushpin: What can you offer me as a developer?
I’ve worked with a wide range of developers, varying in knowledge based around exploitation of the client, and I’ve offered services similar to those listed below.

  • A full review of a game’s security with a report
    In the past developers have asked me to provide a full documented report of all the vulnerabilities that are currently public for their game, as well as documentation on vulnerabilities that could potentially arise for their game - with a conclusive page of suggested patches for all of these. This usually follows a quick review I run over their game to see if the services are really required - and has previously been a 1-time endeavour with a single payment for the document.

  • Full-time Employment with developer
    I’ve previously declined this form of contract, however I am open to these from this point onward. A full-time contract would consist of access to some form of test-branch for the game, with me developing full-time towards the anti-cheat and countermeasures to stop exploitation of the game. These contracts (unlike others) do require a large degree of trust.

  • Singular review, and patches
    Finally, if developers ask and I have the time; I may be willing to look over the game for free to determine if there are any immediate flaws within the game. If none are found the developer forks nothing out, and all is good. Otherwise a contract can be negotiated.

I also want to make this clear - as some developers may rightfully be skeptical about my services. Don’t be shy and just message me on Discord, ask me any questions you need - and do any vetting you need to do of my services. I take no offense to developers being skeptical of what I’m offering, or my experience involved.

:shield: How deep are your checks really?
I want to clear up any confusion or criticism that my services are a surface-level basic ‘humanoid’ exploitation check, and so on. Cause they’re not. My checks include;

  • Full metamethods, namecall, exploitation patches. Based around making games more secure on the server-side to prevent such methods being useful or bypassed.
  • Full experimentation with custom ‘exploit only’ functions such as hookfunc, getconnections, nilinstances, decompiling, and so on. To make your game as secure as it can possibly be in regards to these functions.
  • Non-patchable server-side solutions. As well as the possibility (if requested) for solid hard to bypass client-based anti-cheats on top. Which are easily updated and include many measures to make it as difficult and as slow as possible to bypass them.
  • 99% Patch rate of any PUBLIC exploit floating for your games, and a solid hit to most other methods (private included)
  • For less experienced developers, installation of custom-modules that prevent things such as noclipping, speedhacking, flying on the server-side.

:dollar: Prices and contracts
Fully negotiated. If you have questions, you have a custom contract; or absolutely anything. Then just contact me and ask, there is no such thing as a stupid question that you can throw at me - so don’t be shy and throw me a DM. My response times are usually pretty solid within reason. (UK TIMEZONE)

30 Likes

Just to confirm, you’re doing your work for free?

2 Likes

[OUTDATED] - I no longer work for free

I can confirm if contacted - and agreed. I will do work for free, yes.

  • Only smaller projects
  • No cost - and script/system is given entirely to the contractor exclusively
  • At the start of a project I will say if I’m certain or not that I can complete it fully to the standards advertised to me
2 Likes

I just don’t see a point. What are your profits when you work for free?

Experience, and a portfolio of work.

Since I’m limiting this to jobs I find interest in - it’s something to soak my free-time doing since I find programming fun. All of my previous work (or most of it) has been doing back-end scripting and is really hard to throw into a portfolio. Even though I don’t exclusively decline such jobs in this portfolio - I just want to build something nice.

Regardless - this is not an alternative for a paid programmer. I will not be doing huge long-winded and multi-week contracts and such.

2 Likes

Hey I sent a Friend Request! @cxuu


When I just started Scripting I did the same; it was a valuable learning experience.

1 Like

While this isn’t necessarily a requirement, I feel as if your clients should post about their experience working alongside you. This will not only interest more developers, studios in your service yet it’ll also diminish any potential trust issues users could potentially have.

Would this policy apply to projects that are “Similar yet different”? After the commission is complete, would you still be held accountable for maintaining the script so errors or bugs are kept to a minimum?

While experience is great to have, my personal experience with voluntary work/free commissions hasn’t been the best in the past.

I’ve experienced the following while using a similar service:

  • Unprofessional behavior.
  • Unproductive
  • Non transparent on issues preventing them from working.
  • Not willing to make modifications or correct the errors.
  • Taking up to weeks, months for a response.

Despite my negative experience with free services in the past, I believe @cxuu is worth the potential risks listed above. If your commission request has been accepted consider yourself lucky since I doubt this service will remain free permanently.

You make some pretty good points in your post. I would like to directly respond to your past experience with such services.

  • Unprofessional Behavior
    Having worked in a professional environment whilst doing a Bachelors Honors in Games Design & Animation I can assure you that I hold professional standards with my clients. However, I would like to stress that I’m only as professional as the client - if a client is very informal and slack with communications, I usually imitate the same behavior as to keep the communication flowing.

  • Unproductive
    Well, this in essence is the nature of free services. You’re not going to achieve the same form of productiveness you will from an outstanding paid individual. As they have a lot of incentive and obligations to finish their project in a productive manner. And this is the reason I have said that I will only accept projects I am interested in. Because this is how I personally find myself being productive.

  • Non transparency
    I do feel some personal issues developers have - are subject to privacy and with a free developer they are not as obligated to contact you - even though this is true, I personally hold a view-point that if a developer invests time into hiring me for a project, for free - they are putting time and trust into me that the task will be completed. I respect this and don’t want to ruin any of my reputation before it has even begun, so I plan to see all my projects that I accept all the way through.

Once more, this is the reason I heavily curate and ask questions before starting a project, not only to gauge the difficulty but for me to personally get a feel for if this is a project I’m willing to complete in a timely manner for the developer.

  • Not willing to make modifications
    This is something I’m personally mixed on - if someone hires me to make something for them and they stress that they are happy with the outcome - I will assume this project is finished and avert my attention elsewhere, if they are to come to me weeks or months down the line with change requests, I would personally feel I had the right to decline those unless they were major bugs.

In essence what I’m saying is, I’m willing to fix bugs and mistakes I have put on the projects in the future - but as far as major modifications or design changes go, they must be given to me when I’m turning the project in or within a week or so of having it.

  • Taking weeks or months for a response
    This is just a straight up no for me, I will always reply within a minimum of 24 hours to anybody I’m working with.
4 Likes

A new project has been added for those curious.

Tic Tac Toe Ultimate


:round_pushpin: What was it?

This was a recreation of TicTacToe ultimate built securely for two players in Roblox. It made use of multi-dimensional arrays and was suggested by @BixbyAlan. The whole system took a few hours, and a simple AI was built along with it. The below screen-shots are played by the ‘AI’ (Barely an AI, uses random functions) so are very fast. The game functions as Ultimate TicTacToe with all of its rules hard-coded.

:foggy: Images
The computers playing each other on the board
The computers filling in some sections continuing to play
The final state of the board, red wins

This among four other projects have been completed for individuals. I am still open for (free) commissions so feel free to contact me and such.

2 Likes

As promised, this portfolio has been updated.

I will no longer be offering free work and have decided to go with my specialty of security.

Would this be a fixed payment rate or would it vary per assignment(s) given? Would I pay based on time invested or x amount of vulnerabilities identified?

If no vulnerabilities are found would I be charged?

Updated with some information for questions such as yours.

Types of 'Contracts'
  • Full Time Contracts
    Paid per major patch (Recurring)
    If you want to hire me and incorporate me into your work pipeline and team you may want to consider a full time contract. If this is taken I will work with your studio alone with no other otherwise distracting contracts of part-time work outside of your studio. I will give advice inside of each update for the game and will become an integral part of the development process, frequently testing throughout the development process for every patch of the game. Commonly scouring for released bypasses for your game both public & private releases.

  • Part time Contracts
    Paid per full review and advised patch
    This is a contract for developers who want a partner part-time inside of their game with no obligations to long-term security. With this the developer will negotiate payment and this will be paid regardless of any major server-side vulnerabilities found, simply reviewing games can be a time consuming process as every aspect of the game needs to be reviewed; from your Local Scripts and Remotes all the way to trivialities such as how you handle sensitive things within your game

  • One time review
    Paid upon any vulnerabilities fixed, or displayed (No win No Fee)
    This is for developers who simply want their game to have a full comprehensive review, with a document detailing all the possible vulnerabilities and holds a payment scheme similar to a lawyer’s (No Win No Fee), if no major vulnerability outside of the expected client-side, humanoid manipulations are found then you will pay absolutely nothing for the invested time

If a vulnerability is found that is considered major, or many smaller vulnerabilities are found - then payment may be expected.

PLEASE NOTE!
My service WILL NEVER expect payment for finding trivial and expected exploits of the humanoid or client, as these are a given and essentially unavoidable for developers. Even though understanding these can be vital to making your game more secure, I don’t consider these ‘exploits’ as the Roblox engine does not offer much in the way of protection for this type of exploitation.


I hope you find this helpful to your query.

1 Like

This portfolio has been entirely revamped and re-opened.

Client based anti cheat? A security specialist recommending such a controversial idea? What makes yours stand out and “hard to bypass” compared to others?

You don’t need to divulge trade secrets, but I’m having trouble discerning how effective it would actually be against anyone more advanced than script kiddies.

Are you detecting if the local script still exists? Are you placing anti decompile methods into the local script? Are you inserting the anti cheat in an important local script that is preferable not to delete?

1 Like

As mentioned the notion of a client based anti-cheat is never preferable to a well-built server-sided model. However - there are situations where developers insist on having some form of client-based solution to at least actively patch some forms of exploits.

Obviously methods such as the ones you listed are going to be bypassed by people with levels of experience but they are a drop in the bucket compared to the majority of your malicious user-base.

As well as the possibility (if requested) for solid hard to bypass client-based anti-cheats on top.

As you can see I didn’t, and won’t ever attempt to claim client-sided anti-cheats are unbypassable - including mine. But there are various methods that can really hinder the development of publicly released cheats for your game that will in fact only be effective on the client.

I personally believe that client-sided anti-exploit methods (as an additive to a strong server-side) can be very effective in keeping public cheats that the overwhelming majority of your playerbase will be using - from working on your game for long periods, allowing you to roll out bans.

But I should really reiterate this is only under request of the developer - and every developer I’ve worked with has been told in detail the various cons of using client-sided detection. But that does not mean they cannot be effective when implemented well with some really strong methods.

From my experience in that side of the community in which exploits are developed - experienced scripters or people who are not ‘script kiddies / potential contributes’ are very few and far between. I could probably count on two hands the amount of people who actually know anything about bypassing more in-depth methods that I know in those communities.

I understand some developers are against half-measures which is essentially what client-based anti-cheats are. (Such as anti-decompile, cause any anti-decompile will be patched by developers such as 3ds in a heartbeat when reported) But - flexibility is what I’m going for, I’m happy to implement methods for those developers who want them. And those who don’t? That’s wonderful, client-sided anti-cheats are an additive thing I do - not my core service.

3 Likes

Very well replied. This has certainly shown me, and I believe anyone who reads it, that you are up to snuff.

Good Luck on your endeavors!

1 Like