Warzone’s RICOCHET Anti-Cheat Kernel Level Driver Is In the Hands of Cheat Developers

Updated On:

October 14, 2021

Doug Dagnabbit

Doug Dagnabbit


Share on twitter
Share on facebook
Share on reddit

Table of Contents

October 14, 2021

by MavriqGG

Updated for clarity & Activision’s response on 10/15/2021 at 4:48PM EST

The Official Call of Duty Twitter Account Responds

The official Call of Duty twitter account has responded with an update on RICOCHET. They mention how the AC is currently being tested and this includes testing of the kernel-level driver, which includes distribution of the driver to 3rd parties to ensure compatibility. The mention of the driver being a pre-release version, would back-up why cheat developers were labeling it as “barebones”. 

This doesn’t confirm nor deny the “Decoy Theory”, mentioned below in this article. Of course this is speculation, but it’s possible that while the file is legitimately from Activision, that the leak occurred via one of these 3rd parties. It’s important to mention that the server-sided upgrades mentioned in the tweet will play a very large role towards combating cheaters at release and in the future.

The COD Twitter account ends their thread with a statement of confidence.

Call of Duty’s RICOCHET Anti-Cheat Kernel Level Driver Is In Cheat Providers Hands

Earlier today, rumors of RICOCHET’s kernel-level driver being leaked made their way to Twitter and cheat forums everywhere. Although, at the time there was no evidence of whether or not these users were lying. Suspicions of the leak as shown below.

MWZ has received proof, via anonymous sources, that the files made available in relation to RICOCHET, are real. How this leak managed to occur is still unknown at this time.

UPDATE: The files which were previously restricted to private groups and access have made their way to a public cheat forum.

We’ve reached out to Activision for comment on this story and we’ll be sure to update when possible.

Are these files real?

After seeing proof of the source code being scrubbed through in action, we believe it is. Numerous sources with deep level background in the cheating scene have also been sent the same evidence and can confirm it IS REAL. The driver’s digital signature points to this being, at the very least, from Activision.

Trojan Horse Theory

There’s also the possibility this was a controlled “leak” done with a decoy file to throw cheat providers off and get them working to exploit vulnerabilities that don’t exist. Although this situation is different, developers in the past for example, have included decoy files to misdirect data miners. According to sources, this driver seems quite “barebones” to them and out-of-date. The current reverse engineering of the driver, which can be found on Github (not linking for copyright reasons), seems to be rudimentary. Making use of basic PE info, Windbg kd output and Windbg basic `u` output on dispatch entries. The headline “Cheaters reverse engineering RICOCHET Ant-cheat” is quite hyperbolic.  

According to file properties it was signed Sept. 30, but the certificate seems to be revoked. This has stoked concerns among cheat providers that this driver is out-of-date and may’ve been put out on purpose. With the new RICOCHET team being made up of individuals from different sectors all with cyber security experience, this isn’t outside the realm of possibility. 

What does this mean for RICOCHET? Is This a Real Problem?

While this is a problem, this isn’t the end. RICOCHET is supposed to be a product that changes and evolves with time. Kernel-level anti-cheats are the bare minimum to fight cheaters, especially when compared to the rest of the AC industry. Easy Anti-Cheat, PunkBuster, BattlEye, nProtect GameGuard, Xigncode3, and EQU8 all have drivers that run at kernel level. Having the driver out in the wild, with proper reverse engineering, is like having the notes while taking the test.

The file seems to be a couple weeks old and we don’t know what updates have been made or will be made in time for launch. As RICOCHET has not been officially released, cheat providers can only exploit the current version of the leaked driver.

Despite this file leak, the back-end improvements mentioned, such as data analysis backed by machine learning, can go a long way towards finding those who use cheats. While we don’t know what data points the RICOCHET team may monitor. Everything from simple HS% to reaction time, is on the table.

Keep it locked to ModernWarzone.com for all your Call of Duty news.

Drop some knowledge 💣

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to our YouTube channel to get the most exclusive COD leaks.