Rockstar’s Secret Technological Protection Measures: Real Time Memory Analysis and Telemetrics

“GTA V Core includes two cheat detection and anti-cheat computer programs named “Real Time Memory Analysis” (RTMA) and “Telemetry”, which operate with Rockstar’s computer servers.”

‘Statement of Claim’, Submission in Take-Two Interactive Software Inc v Anderson, NSD1751/2018, 26 September 2018, [14].

Circumvention of Technological Protection Measures
(an extract from the affidavit of Christopher Anderson).
  1. The (AC) TPMs used by the applicant in the GTA V software are not novel, and in the absence of an authoritative description by the applicants and given paragraph 42 – 43 of their claim regarding what I “ought reasonably to have known”, it does not seem unreasonable for me to outline my understanding of their general operation and the interaction (if any) that Infamous had with each.
  2. The taxonomy of technological protection measures is somewhat malleable, and it is not my intent to assert the technological protection measures described in paragraphs 72.1 and 72.2 below are necessarily AC TPMs and TPMs (respectively) if the applicant’s opine otherwise.
  3. My descriptions of the various elements of what the applicants claim as TPM and AC TPM does not constitute an admittance that any elements so described were employed for the purpose of copyright protection and are therefore TPM or AC TPM in the legal sense.

    72.1. GTA V – Piracy prevention—AC TPM
    (a) Before playing GTA V in any fashion, the user must supply (either from a document within the physically purchased game, or its electronic equivalent if purchased online) a license key embodying proof of legitimate purchase. This token of purchase is then attached to a “Rockstar Socialclub” (“Socialclub”) account, in a fashion similar in concept to that employed by many online services when linking a mobile phone number to a user’s account.

The user is then required to identify and authenticate themselves through this Socialclub account each time they wish to play the game. Identification and authentication are achieved by confirming the email address and password which are associated with said Socialclub account, in a process that is so familiar to anyone of this age that I need not belabour this explanation.
(b) The process described in the above paragraph is so ubiquitous amongst producers of computer software as to embody the concept of AC TPM to enforce licensing in that industry.
(c) The efficacy of such an AC TPM as described is almost as low as it is ubiquitous, as GTA V in its single-player mode of operation does not strictly require any ongoing communication or actual information exchange with Rockstar’s electronic services (though such communication does occur), modified versions of the game (“cracked” copies, in the vernacular of underground software piracy) that do not require the user to authenticate themselves to play the game, therefore negating the requirement for purchase.
(d) The situation described in the paragraph above wherein access control has been circumvented is also of such prevalence in the computer software industry as to be both a textbook description of “software piracy” and “circumvention of an access control technological protection measure.
(e) Infamous did not circumvent this process. Infamous did not negate the requirement of a user to possess an authentic and valid license key or otherwise enable or encourage software piracy.

72.2. GTA V – Strengthening piracy prevention—TPM
(a) For the AC TPM described in 72.1(a) above to have any value, it must itself be protected by one or more TPMs. Rockstar relies on “ProtectIT” and “TransformIT” by American company “Arxan Technologies” (known as “Digital Ai” since 2020) who specialise in DRM and TPM technology. These products are extremely effective at protecting software from unauthorised modifications and preventing reverse engineering of key areas of software. From a technical perspective, they use several techniques including:
i. automatically injecting the software with self-protective mechanisms (“guards”) that make it difficult to tamper with the software and to maliciously modify it; and
ii. keep portions of the software encrypted when not being actively used; and
iii. obfuscate portions of the software to make them difficult to understand (analogous to what contract lawyers do to the English language).
(b) These products are also used by other big-budget gaming software including “Call of Duty 4” by Activision, and by other software for purposes other than acting as a TPM. However, the above paragraph is a reasonable description of how TPM is commonly implemented by the software industry, though the specific products and techniques may vary.
(c) Infamous did not interfere or circumvent any measures such as those described in paragraph 72.2(a) above. Infamous did not negate the requirement of a user to possess an authentic and valid license key or otherwise enable or encourage software piracy.

72.3. GTA V’s Online Mode
(a) In addition to all the technical protections described in paragraph 70 above, playing the Online Mode of GTA V involves – at least conceptually – additional TPMs and AC TPMs (here-in called “The Online AC TMP”), as well as various measures to detect cheating (commonly referred to as “anti-cheat”). The methodology and technology involved with anti-cheat are similar and, in some cases, ostensibly identical to the technologies associated with TPM as described in paragraph 72.2(a) above.

72.4. GTA V’s Online Mode – AC TPM
(a) The role of The Online AC TMP is to ensure enforcement of decisions made by Rockstar (embodied by programs running on computers controlled by the applicants, and by individual human operators in their employee) as to whether users are permitted access to the service provided by GTA V’s Online Mode.
(b) In terms of technical implementation, the AC TPM described herein could be considered:
i. a part of; or
ii. to share many parts with; or
iii. to be another facet of; or
iv. to be another mode of operation of
the AC TPM described in paragraph 72.1(a) above.
(c) In contrast to the mode of operation attributed to the AC TPM described in paragraph 72.1(a) above, The Online AC TMP is closer to what we might consider a standard AC TPM such as would control access to services such as Netflix or other online services with dynamic content.
(d) The key distinction between this mode of operation, and the AC TPM described in paragraph 72.1(a) above being that GTA V’s Online Mode is an online service being continually provided via the Internet (you cannot play GTA V’s Online Mode without continuous internet access), whereas GTA V’s Story Mode can be played without internet access other than that required to establish and periodically re-authenticate your credentials.
(e) Infamous did not interfere or circumvent any of the measures described in paragraphs 72.4(b) – (d) above.
(f) Infamous did not encourage or allow users to access GTA V’s Online Mode if such access had been rescinded by Rockstar.
(g) Infamous did not circumvent any access control mechanism comprising an AC TPM, or any other access control mechanism.

72.5. GTA V’s Online Mode – Anti Cheat
(a) A user who is caught cheating faces the possibility of temporary or permanent loss of access to GTA V’s Online Mode.
(b) Various “anti-cheat” mechanisms are utilised by GTA V’s Online Mode to collect information that aid in assessing the probability that a user is cheating. The applicants have cited Telemetry and RTMA as the relevant mechanisms.

72.6. GTA V’s Online Mode – Anti Cheat (Telemetry)
(a) The usage of the term “telemetry” is comparable to other common forms of telemetry such as may be found in a Formula 1 racing vehicle or modern passenger airline, in that it consists of a constant stream detailing every piece of measurable information.

(b) There are presently more than 400 different types of telemetric information collected by GTA V’s Online Mode.
(c) It is my considered technical opinion that it is unlikely that more than around 20 (or 5 percent) of these are actively employed as “anti-cheat” mechanisms, and almost inconceivable that more than 40 (or 10 percent) were so employed.
(d) Infamous interfered with less than 10 (or 2.5%) of the 400 types of telemetry used by GTA V’s Online Mode. That – in conjunction with the applicants claim they were unable to detect Infamous – is the basis for paragraph 72.6(c) above.

72.7. GTA V’s Online Mode – Anti Cheat (Real Time Memory Analysis)
(a) Real Time Memory Analysis (“RTMA”) is a method by which the presence or absence of certain distinctive sequences of characters (“phrases”) are present at specific locations. A reasonable non-technological analogy would be the act of determining if a bible were of a particular translation by comparing words 17 to 26 in the 3rd book to see if they matched a certain phrase.

(b) This technique is used both to check a handful (usually around 4 at any given time) of locations within the GTA V executable currently running from memory, generally to confirm that no tampering has occurred.

(c) The same technique is also used to check all memory accessible to GTA V – including the contents of programs other than those licensed by the applicants – for phrases known to be associated with specific mod menus such as Infamous. These phrases are obtained by the applicants by reverse engineering and/or copying small sequences (or phrases) sufficient to uniquely identify the mod menu.

(d) Positive identification of a known mod-menu does not necessarily result in the user running such software having their GTA V Online Service suspended. In the period surrounding and following the legal action taken against other persons associated with Infamous, it was observed that at least 1 other mod menu that did not block the RTMA phrases used to identify it, did not have its users banned despite being easily identifiable by the applicant for several months.

(e) From 3:40am 22 March 2018 AEDT to 1:29am 31 March 2018 AEDT – 9 days – an error in the applicant’s usage of RTMA caused every legitimate user who played GTA V’s Online Mode during that time to be mistakenly identified as running software which had tampered with a section of memory associated with GTA V commonly modified by cheating users. While this did cause a not unsubstantial number of people to have their access to GTA V’s Online Mode suspended, the number of people affected was small enough that it took 9 days for the applicants to recognise that this was a legitimate error on their part. If RTMA was indeed used to automatically suspend access to GTA V’s Online Mode, then there would simply have been no online players left, a situation which would not have gone unnoticed for 9 days.

(f) From approximately 1 January 2018, Infamous did interfere with the RTMA process as to do otherwise would have jeopardised the ability of Infamous to function. We did so only to prevent GTA V’s Online Mode from reading the contents of memory created by and containing the intellectual property of, Infamous.

Take-Two Interactive Software Inc v Christopher Anderson