The anti-cheat in Garry’s Mod resides entirely in client.dll. It all begins in CGarrysMod::LevelInit(). If a random 1 in 100 roll succeeds and the user is not in singleplayer, the anti-cheat will engage after 30 to 360 seconds. However, if g_bHighPriBigEye is true, there is a 1 in 3 chance the anti-cheat will engage after 20 to 60 seconds. g_bHighPriBigEye is set to true in the Lua function Surface.CreateFont() if the argument new_font_name matches the pattern /shm.n.+/. This targets a private cheat for Garry’s Mod known as SethHack, since it creates a font called “shmenufont”.

The second part of the anti-cheat resides in CGarrysMod::PaintVGUIOverlay(), which calls a function every frame that in turn calls the main anti-cheat routine under the following conditions:

  1. The time set in LevelInit() has passed.
  2. The user is not in the menu.
  3. The user is not in singleplayer.
  4. The user is not in the Sandbox gamemode.
  5. The main routine hasn’t been executed before.

The main routine of the anti-cheat assembles a payload and sends it over plain, unencrypted HTTP as application/x-www-form-urlencoded to http://api.garrysmod.com/stats/001/ (the URL is obfuscated using ROT13 in the executable). The payload consists of:

  1. The API version.
  2. A chunk of data consisting of the user’s process list (with each process’s loaded modules) encoded in JSON and the game’s console log, obfuscated using a cipher mostly equivalent to XORing every byte with 0x40.
  3. The user’s 64-bit Steam ID.
  4. A screenshot of the game, compressed with JPEG, encoded in Base64.

Certain processes will be excluded from the process list if their executable names match one of the following:

tsvncache.exe
spotify.exe
tortoiseproc.exe
skype.exe
rundll32.exe
system
mspdbsrv.exe
devenv.exe
googlecrashhandler64.exe
googlecrashhandler.exe
fraps64.dat
presentationfontcache.exe
ccc.exe
wmpnetwk.exe
mom.exe
adobearm.exe
jusched.exe
dropbox.exe
spotifywebhelper.exe
msseces.exe
puush.exe
fraps.exe
explorer.exe
taskeng.exe
dwm.exe
searchindexer.exe
wlidsvcmM.exe
mdnsresponder.exe
spoolsv.exe
conhost.exe
nvvsvc.exe
nvxdsync.exe
atieclxx.exe
winlogon.exe
atiesrxx.exe
lsm.exe
lsass.exe
services.exe
csrss.exe
wininit.exe
smss.exe
[system process]
svchost.exe
chrome.exe

From this analysis, we can conclude that this is literally the most retarded shit ever. The fact that it has caught SethHack users is fucking hilarious. Why?

  1. You can block the HTTP request (so easy even Garry could do it, maybe) and absolutely nothing will happen.
  2. You can hide processes from the process list scan by simply renaming them to something from the whitelist (a.k.a. Garry’s process list).
  3. It primarily targets SethHack. It’s just a matter of time before someone less retarded than Seth, Avaster, or Flapadar starts selling a private cheat.
  4. Because of the use of URL and Base64 encoding, the payload ends up being unnecessarily huge: about 1.6 times larger than it should be. Garry doesn’t know how to send binary data over HTTP, it seems.
  5. The payload is not authenticated, unless it’s done out-of-band from the HTTP request. Massive abuse potential, and no way of validating the data.
  6. BONUS! Garry doesn’t know what the XOR operator is either, so he ends up implementing his cipher using conditionals and arithmetic.
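As an added example (not code from this post or from Garry’s Mod), the following models the 0x40 cipher from the payload description and point 6 in both its XOR form and an assumed branch-and-arithmetic form, checks that the two agree on every byte value, and then runs a constructed process list and console log through the obfuscation and form-urlencoding steps from point 4 to show why the chunk expands and how trivially anyone reading the HTTP body recovers it. The exact original routine is not on the page, so the arithmetic formulation, SAMPLE_PROCESSES and SAMPLE_LOG are all assumptions.

```python
import json
from urllib.parse import quote, unquote_to_bytes

KEY = 0x40  # the single bit the cipher flips, per the analysis above


def obfuscate_xor(data: bytes) -> bytes:
    """Reference form of the transform: XOR every byte with 0x40."""
    return bytes(b ^ KEY for b in data)


def obfuscate_arith(data: bytes) -> bytes:
    """Same transform with a branch and add/subtract instead of XOR (an assumed
    formulation; the page does not reproduce the real routine). XOR with a
    single bit either sets or clears it: bit 6 set -> subtract, clear -> add."""
    out = bytearray()
    for b in data:
        out.append(b - KEY if (b // KEY) % 2 == 1 else b + KEY)
    return bytes(out)


def raw_chunk(processes: list, console_log: str) -> bytes:
    """Model of the pre-obfuscation chunk: JSON process list plus console log."""
    return json.dumps(processes).encode() + b"\n" + console_log.encode()


def build_chunk(processes: list, console_log: str) -> str:
    """Obfuscate the chunk, then percent-encode it the way a form-urlencoded
    body requires. Letters XOR 0x40 land in the punctuation range, so most of
    them become 3-character %XX escapes, which is where the bloat comes from."""
    return quote(obfuscate_xor(raw_chunk(processes, console_log)), safe="")


def decode_chunk(chunk: str) -> bytes:
    """Reverse the pipeline from the wire: undo percent-encoding, then apply
    the same XOR again (XOR with a constant is its own inverse)."""
    return obfuscate_xor(unquote_to_bytes(chunk))


def expansion_ratio(processes: list, console_log: str) -> float:
    """Encoded length divided by raw length for this chunk."""
    return len(build_chunk(processes, console_log)) / len(raw_chunk(processes, console_log))


# Constructed sample input, not data captured from the game.
SAMPLE_PROCESSES = [{"name": "notepad.exe", "modules": ["ntdll.dll", "client.dll"]}]
SAMPLE_LOG = "Map: gm_construct\nClient connected\n"

if __name__ == "__main__":
    every_byte = bytes(range(256))
    print("arith == xor for all bytes:", obfuscate_arith(every_byte) == obfuscate_xor(every_byte))
    chunk = build_chunk(SAMPLE_PROCESSES, SAMPLE_LOG)
    print("recovered:", decode_chunk(chunk) == raw_chunk(SAMPLE_PROCESSES, SAMPLE_LOG))
    print("expansion ratio: %.2f" % expansion_ratio(SAMPLE_PROCESSES, SAMPLE_LOG))
```

The ratio printed for the constructed sample is only illustrative; the figure for a real payload depends on how much of it is letters versus digits and punctuation.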