XYREX Guard Anticheat - User Guide

Basic Concepts and Operating Principle

The anti-cheat is essentially a sniffer that intercepts and analyzes the game's network packets. Each intercepted packet is parsed into individual commands.

These commands are then analyzed for suspicious activity. If a command is deemed suspicious, the packet containing this command is blocked. Additionally, these commands are used to build a player table — their nicknames, machine IDs, and country tags.

Command Structure

Each command is a tree consisting of key-value pairs. Keys are tokens (magic numbers), while values can be nested trees, other tokens, or simple data types.

Required Command Objects

In general, each command must always have two nested objects:

default_state — contains:

  • Sequential command number (the later the command is sent, the higher it is)
  • sender — client ID. The first player to join will have ID 2, the second — 3, etc. ID 1 is reserved for the host
  • Time relative to session start

object — contains:

  • The main information about the command

How Does a Game Work with Anti-Cheat?

Launch and Player Connection

  1. Before creating a game lobby, the host launches the anti-cheat on their computer
  2. After the lobby is created, players join it
  3. When joining the lobby, the game sends packets to the host containing CCheckSyncResponseCommand and CAddPlayerCommand commands

CCheckSyncResponseCommand doesn't contain any notable information, but CAddPlayerCommand contains nicknames, machine ID, and some other information.

CAddPlayerCommand Example

{
CAddPlayerCommand (joins lobby)={
default_state={
tickstamp=5059 // time
istargetasynchronous=False
identity=8 // 8th command sent in order
sender=12 // 12th player in lobby
original_id=8 // 8th command sent in order
}
object={
user=NickAdmnRoot
name=nickadminroot
profile_badge={
profile_pictures=22
profile_backgrounds=2
}
machineid=12 // machine ID. If it matches another player's machine ID -
// this will kick the other player, which is used by many
// cheats to kick hosts or other players
hotjoin=False
chat_user_joined={
id=12
pops_id={
53
102
49
55
52
100
98
100
45
97
49
101
53
45
52
52
55
52
45
97
56
56
54
45
49
54
97
51
48
51
52
48
55
97
50
49
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
}
}
}
}
}
Important to Understand

Cheats can modify absolutely any command field, as well as completely prevent commands from being sent. For example:

  • You can send 100 CAddPlayerCommand commands with different machine IDs and nicknames and add 100 players to the lobby
  • You can corrupt the command structure, or not send the command at all, when joining the lobby, so that the player joins as a ghost (a cheater who doesn't appear in the lobby)
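
The command tree described above, and the point that a corrupted command structure has to be rejected rather than guessed at, shown as an added example (not XYREX Guard's own code). It parses only the textual dump form used on this page, not the game's binary packets; `parse_block`, `parse_command` and the sample values are constructed for illustration.

```python
import re

CONSTRUCTED_SAMPLE = """{
CAddPlayerCommand={
default_state={
sender=12 // constructed value, not taken from a capture
}
object={
machineid=12
pops_id={
53
}
}
}
}"""

def parse_block(toks, pos):
    """Parse the body after a '{'; return (dict or list, index past '}')."""
    pairs, items = {}, []
    while toks[pos] != "}":
        key, nxt = toks[pos], toks[pos + 1]
        val = toks[pos + 2] if nxt == "=" else None
        if key in ("{", "=") or key in pairs or val in ("}", "="):
            raise ValueError(f"malformed or duplicate entry at {key!r}")
        if nxt != "=":                      # bare value: element of a list
            items.append(key)
            pos += 1
        elif val == "{":                    # nested tree
            pairs[key], pos = parse_block(toks, pos + 3)
        else:                               # simple value
            pairs[key], pos = val, pos + 3
    if pairs and items:
        raise ValueError("block mixes key=value pairs and bare values")
    return (items or pairs), pos + 1

def parse_command(text):
    """Return (name, body); malformed input raises ValueError (fail closed)."""
    raw = re.findall(r"[{}=]|[^\s{}=]+", re.sub(r"//[^\n]*", "", text))
    toks = [int(t) if re.fullmatch(r"-?\d+", t) else t for t in raw]
    try:
        tree, end = parse_block(toks, 1) if toks[0] == "{" else (None, 0)
    except IndexError:
        raise ValueError("unbalanced braces") from None
    if end != len(toks) or not isinstance(tree, dict) or len(tree) != 1:
        raise ValueError("expected exactly one command")
    name, body = next(iter(tree.items()))
    if not (isinstance(body, dict) and isinstance(body.get("default_state"), dict)
            and isinstance(body.get("object"), dict)):
        raise ValueError("missing default_state or object")
    return name, body
```

A caller that blocks the packet on any `ValueError` never has to reason about a half-parsed command.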

Gameplay

After this, other commands are sent. Each action in the game corresponds to its own command. The anti-cheat performs additional checks based on the contents of various commands to determine their danger level.

Most Common Attacks

Cheat functionality can be very diverse. Here are the most common cheat functions and descriptions of how XYREX Guard detects them.

Crash (Lobby Crash)

Crashes can be triggered in several ways, but the most common is enabling and disabling DLC (CSetDLCsCommand).

Usually, this is preceded by attempts to:

  • Start the game (CStartGameCommand)
  • Break the autosave (CAutosave)

Protection

All these commands are never sent by regular clients, and therefore they are blocked by default by the anti-cheat and don't require additional analysis.

Historical Note

In the past, there was another way to crash the lobby using a hook of some strange jmp or call to an unclear location (it couldn't be decompiled), but it's unknown whether this method actually works and can cause a crash for the entire lobby.

Country Buffing

CSetCustomDifficultyMultiplier is used to buff countries. It is also blocked by default.

Controlling Other Countries

A whole range of commands contains the target country tag, which makes it easy to understand which country the action is directed at. If this country is not the one the player selected in the lobby — the action will be blocked.

Adding Fake Players, Kicking Host, Kicking Real Players

CAddPlayerCommand can be used for these actions. The anti-cheat therefore checks the machineid and sender of this command against those of the other players and the host.
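
A sketch of the checks described in this section, as an added example rather than XYREX Guard's own code: default-blocked commands, the target-country comparison, and the machineid and sender checks on CAddPlayerCommand. It assumes commands arrive already parsed into dictionaries, that the host's machine ID and each player's selected country are known, and that the target tag sits in the `actor` field as in the CSelectEventOptionCommand dump on this page; the `Lobby` class and the reason strings are hypothetical.

```python
# Commands the page says regular clients never send: dropped without analysis.
BLOCKED = {"CSetDLCsCommand", "CStartGameCommand", "CAutosave",
           "CSetCustomDifficultyMultiplier"}
HOST_ID = 1  # the page reserves sender ID 1 for the host

class Lobby:
    """Player table built from accepted CAddPlayerCommand commands."""
    def __init__(self, host_machineid):
        self.host_machineid = host_machineid
        self.machine = {}   # sender -> machineid
        self.country = {}   # sender -> tag selected in the lobby (assumed known)

    def check(self, name, body):
        """Return (allow, reason) for one parsed command from a client."""
        state, obj = body.get("default_state"), body.get("object")
        if not (isinstance(state, dict) and isinstance(obj, dict)
                and isinstance(state.get("sender"), int)):
            return False, "malformed"
        if name in BLOCKED:
            return False, "blocked-by-default"
        sender = state["sender"]
        if name == "CAddPlayerCommand":
            mid = obj.get("machineid")
            if sender == HOST_ID or sender in self.machine:
                return False, "sender-in-use"
            if mid == self.host_machineid or mid in self.machine.values():
                return False, "machineid-in-use"
            self.machine[sender] = mid
            return True, "player-added"
        tag = obj.get("actor")  # assumption: the target tag is in 'actor'
        if tag is not None and tag != self.country.get(sender):
            return False, "foreign-country"
        return True, "ok"

def demo():
    """Run constructed commands through the checks; return the reasons."""
    def cmd(sender, **obj):
        return {"default_state": {"sender": sender}, "object": obj}
    lobby = Lobby(host_machineid=100)
    lobby.country[2] = "SOV"
    stream = [
        ("CAddPlayerCommand", cmd(2, machineid=200)),
        ("CAddPlayerCommand", cmd(3, machineid=200)),  # player 2's machine ID
        ("CAddPlayerCommand", cmd(3, machineid=100)),  # the host's machine ID
        ("CAddPlayerCommand", cmd(1, machineid=300)),  # the host's sender ID
        ("CSetDLCsCommand", cmd(2)),
        ("CSelectEventOptionCommand", cmd(2, actor="GER")),
        ("CSelectEventOptionCommand", cmd(2, actor="SOV")),
    ]
    return [lobby.check(name, body)[1] for name, body in stream]
```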

Enabling and Disabling AI on Countries

CSetCountryControllerTypeCommand is used to set bots on a country. This is a complex topic because this command is quite often sent by regular players too if your game has broken countries.

Detection

Regular players usually only send one Type in the structure, so the anti-cheat can recognize AI activation and block the corresponding command.

Selecting Options in Events

Some cheats use CSelectEventOptionCommand to repeatedly select options in events that can have serious consequences. For example, JT allows you to obtain production, political power, or research using this command by triggering options from the corresponding events. A sample command:

{
  CSelectEventOptionCommand={
    default_state={
      tickstamp=32767
      istargetasynchronous=False
      identity=30048
      sender=14
      original_id=30048
    }
    object={
      id=3777
      event={
        id=21700045 // event id, can be checked in singleplayer in console using the command: event 21700045
        type=50
      }
      option=0
      actor=SOV
      scope={
        country=SOV
        random={
          521730878
          815718697
        }
        prev={
          country=SOV
          random={
            521730878
            815718697
          }
        }
      }
    }
  }
}

Other Attacks

The game uses many commands that can theoretically be hooked and used in cheats. To reliably protect against possible problems, there are additional protection methods described below.

Advanced Protection Against Cheaters

For additional security, you can take the following steps:

Before Game Start

  1. Compare connection counts — compare the number of live connections in the program and the number of players in the lobby
    • Keep in mind that one of the players is the host, who doesn't appear in the anti-cheat
    • If there's a mismatch, compare players in voice, in-game, and in the program
    • If someone joined as a ghost, block them by port or IP

After Game Start

  1. Enable the "Block New Connections" button
    • This will prevent cheaters from joining if they didn't join the lobby before this

Warn Players

Immediately warn players not to switch their network:

  • Don't enable VPN
  • Don't change providers
  • Don't enable mobile internet

If any player changes their port or IP address, they will lose connection.

During Hotjoin and Rehost

  1. When opening the lobby for hotjoin, disable "Block New Connections"
  2. During rehost — also press the CLEAR button

Result

In this case, a cheater won't be able to join as a ghost — they'll have to actually sit on a country like a regular player and use their Discord account.

If strange events start happening in the game, you can use the log to determine who was doing what at that time, find the cheater, and then ban them in the program and on Discord.