Proof of Play

Summary

In the 96 hours before a $10M esports final, a Windows kernel sleuth must unite rival anti‑cheat teams to expose “ghost” cheaters running below the OS—while proving fairness can be enforced without turning PCs into surveillance machines. The clock’s ticking, the clean‑looking champion might be a mirage, and the fix could save the season—or light it on fire.
2027’s premier esports season implodes when “ghost” cheaters slide under every defense: hypervisor cloaks, DMA FPGAs masquerading as USB controllers, SSD firmware that outlives wipes. All the while, pristine TPM proofs lull the match servers into trust. After an aggressive allowlist update bricks fan utilities and ignites the rootkit debate, a top contender reads clean yet moves like a machine. Sponsors waver, an anti-rootkit bill sharpens its teeth, and the highlight reels won’t stop.

Enter Adrian “s4dbrd,” a meticulous Windows internals researcher whose blog posts taught both sides of the arms race. He’s drafted to fix the mess he helped shape, on one condition: whatever ships must protect fair play without turning PCs into surveillance boxes. Adrian forges an uneasy coalition from warring camps: Riot’s boot-start hardliners, Epic’s Secure Boot/TPM pragmatists, FACEIT’s telemetry monks, plus independent reversers and hardware realists. Their moonshot, Project Sentinel, fuses attestation with behavior: per-match TPM attestations of a known-good driver set, raw HID input timestamped at microsecond resolution, server-side transformers trained to recognize human motor signatures, and Ulf Friske’s left-field gambit of fingerprinting PCIe impostors by their power and thermal noise under load.

Meanwhile, cheat syndicates pivot to BYOVD payloads wrapped in RGB tools and mint “clean” proofs through compromised signing chains. In a story told through commit diffs, Slack fragments, redacted MSRC notes, and sideline broadcast chatter, CI pipelines become chase scenes and a design doc becomes a smoking gun. With a $10M championship days away and a hostile Hill hearing queued up, Adrian uncovers a subtle PCR manipulation that props up the laundered attestations.
Now the clock is brutal: quarantine drifted measurements without bricking half the scene, backstop calls with explainable telemetry, and quietly migrate stage PCs to a semi-cloud, read-only image, all without burning an innocent star on air or detonating a new privacy firestorm. Rooted in real primitives and real politics, this techno-thriller asks whether trust can be engineered, and explained, in time: can a fractured coalition catch ghosts beneath the kernel and restore legitimacy without becoming the very rootkit their critics fear?

Inspired by: How kernel anti-cheats work - https://s4dbrd.github.io/posts/how-kernel-anti-cheats-work/
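The attestation-versus-drift check the synopsis turns on, as an added example (Python; not code from the show, from any anti-cheat vendor, or from the linked blog post): a server-side verifier replays a driver measurement log into a simulated SHA-256 PCR and compares it with the quoted value before it consults the driver allowlist, so a log that has been cleaned up after the fact and a driver that genuinely drifted outside the allowlist get different, explainable verdicts. Assumptions: the quoted PCR is taken as already signature-verified against a genuine TPM (that step is not modelled), acpi.sys is a real driver name but sentinel.sys and rgbctl.sys are hypothetical, and the driver “images” are constructed byte strings. The last scenario goes beyond what the synopsis specifies: it shows one real way a clean-looking PCR can be minted, extending measurements into a PCR that software is allowed to reset.

```python
import hashlib

# SHA-256 PCRs read as all zeros after a TPM reset.
PCR_INITIAL = b"\x00" * 32


def extend(pcr: bytes, image: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: new = H(old || H(image))."""
    return hashlib.sha256(pcr + hashlib.sha256(image).digest()).digest()


def replay_log(event_log, start=PCR_INITIAL) -> bytes:
    """Recompute the PCR value an ordered log of (driver name, image bytes) produces."""
    pcr = start
    for _name, image in event_log:
        pcr = extend(pcr, image)
    return pcr


def verify_attestation(quoted_pcr: bytes, event_log, allowlist) -> str:
    """Server-side check; returns 'log_mismatch', 'unknown_driver' or 'ok'.

    quoted_pcr is assumed to come from a quote whose signature was already
    checked against a genuine TPM (out of scope here). Replay comes first:
    a log that does not reproduce the quoted PCR is not evidence of anything,
    so its entries are never consulted for the allowlist.
    """
    if replay_log(event_log) != quoted_pcr:
        return "log_mismatch"
    for name, image in event_log:
        if allowlist.get(name) != hashlib.sha256(image).hexdigest():
            # The explainable part of the verdict: the offending driver is named.
            return "unknown_driver"
    return "ok"


# Constructed sample data: short byte strings stand in for driver images.
# sentinel.sys and rgbctl.sys are hypothetical names chosen for this example.
KNOWN_GOOD = [("acpi.sys", b"acpi-image-v1"), ("sentinel.sys", b"sentinel-image-v3")]
ALLOWLIST = {name: hashlib.sha256(image).hexdigest() for name, image in KNOWN_GOOD}
BYOVD = ("rgbctl.sys", b"signed-rgb-utility-driver-with-arbitrary-write-ioctl")


def scenarios() -> dict:
    """Run the verifier over four constructed match-time attestations."""
    dirty_log = KNOWN_GOOD + [BYOVD]
    clean_pcr = replay_log(KNOWN_GOOD)  # what a clean boot quotes
    dirty_pcr = replay_log(dirty_log)   # what a boot that loaded the BYOVD driver quotes
    # PCR manipulation: if measurements land in a PCR that software may reset
    # (in the TPM 2.0 PC Client profile, PCR 16 and PCR 23 are resettable from
    # locality 0), the cheat can TPM2_PCR_Reset after its driver is loaded and
    # re-extend the known-good set; a genuine TPM then signs a clean-looking value.
    relaundered_pcr = replay_log(KNOWN_GOOD, start=PCR_INITIAL)
    return {
        "honest": verify_attestation(clean_pcr, KNOWN_GOOD, ALLOWLIST),
        "drift": verify_attestation(dirty_pcr, dirty_log, ALLOWLIST),
        "laundered_log": verify_attestation(dirty_pcr, KNOWN_GOOD, ALLOWLIST),
        "reset_relaunder": verify_attestation(relaundered_pcr, KNOWN_GOOD, ALLOWLIST),
        "reset_hides_driver": relaundered_pcr == clean_pcr,
    }


if __name__ == "__main__":
    for scenario, verdict in scenarios().items():
        print(f"{scenario:20s} {verdict}")
```

The “drift” verdict is the one a quarantine policy can act on without bricking anything, because it names a specific driver rather than rejecting the whole machine. The “reset_relaunder” verdict passing is the lesson: a replay check cannot see a reset, so measurements belong in a PCR that is only extendable until the next platform reset (PCRs 0 to 15 in the PC Client profile), where the only way to hide a driver is to load it before the measuring agent runs, which is exactly why boot-start drivers and Secure Boot measurements matter to the camps the synopsis describes.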
  • (00:00) - Fire Drill in Ring 0
  • (07:20) - Noise on the Bus
  • (14:23) - The Drift Window
  • (22:41) - Cold Stage, Warm Hands
  • (29:54) - Credits