Anticheat Update Tracking

Summary

A few years ago when I was into reverse engineering and binary analysis (and game modding), I did a lot of research into anticheats work. I was curious about tracking their updates, since that would allow me to:Know when a new version is releasedUnderstand what changes were madeUse older versions for research purposesSo I ended up researching different ways on how to track updates of various anticheats. Some of them are already very well documented, while others haven't been explored much. This post will summarize my findings and outline how they work.EasyAntiCheatEasyAntiCheat is widely recognized as one of the most advanced anticheats, and is used in many popular games like Rust, Fortnite, Apex Legends, and more.Prior to the acquisition by Epic Games, EAC was using their own CDN to distribute updates: https://download.eac-cdn.com/api/v1/games/{game_id}/client/{system}/download/?uuid=1239688.game_id: unique identifier for each game (e.g. 154 for Apex Legends)system: target platform/system (e.g. wow64_win64, mac64, linux32_64).After the acquisition, they switched to the EpicGames CDN, which has a slightly different URL structure: https://modules-cdn.eac-prod.on.epicgames.com/modules/{product_id}/{deployment_id}/{system}. The parameters to this URL are completely different:product_id: unique identifier for each game (e.g. 429c2212ad284866aee071454c2125b5 for Rust)deployment_id: unique identifier for each deployment (e.g. 76796531e86443548754600511f42e9e for Rust). This doesn't change when an update is released and is used to identify different game versions.system: same as in the old CDNAfter downloading the module for a game, we'll have a file which contains data with a very high entropy which is the first indication that it is encrypted or compressed:$ bat encrypted.bin | ent Entropy = 7.989390 bits per byte. Looking at the data, we also can't really identify any patterns or strings. However, across versions the header seems to always stay the same (a7 ed): Very in...