
arxiv: 2603.04261 · v2 · pith:JIMNYMDBnew · submitted 2026-03-04 · 💻 cs.CR

Statistical Effort Modelling of Game Resource Localisation Attacks

Pith reviewed 2026-05-21 12:34 UTC · model grok-4.3

classification 💻 cs.CR
keywords MATE attacks, software protection, effort modeling, game resource localisation, reverse engineering, statistical models, game cheats, obfuscation

The pith

An automatable method yields statistical models of the effort needed for game resource localisation attacks on protected software.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

This paper fully instantiates a method to build statistical models of attacker effort for game resource localisation, a key step in creating cheats for protected games. Previous research relied on small-scale human studies that don't scale well, so this approach aims to provide quantitative data more efficiently. The authors detail the instantiation for two game examples and find that the models support decisions on which protections to apply. If the models hold, software protection users gain a practical tool to predict attack costs without extensive human testing. This shifts evaluation from subjective experiments to data-driven statistical analysis.

Core claim

The central claim is that the proposed method for obtaining statistical effort models can be instantiated in detail for human-interactive game resource localisation attacks, with results from two use cases confirming its feasibility and utility for decision support in software protection.

What carries the argument

The full instantiation of the automatable statistical effort modelling method, which breaks down attacks into measurable steps and fits models to effort data.

Load-bearing premise

That the derived statistical models accurately capture and predict the real-world effort required for humans to perform these interactive attacks.

What would settle it

An experiment where human attackers perform the resource localisation on the two games and the observed efforts are compared to the model's predictions for accuracy.

Figures

Figures reproduced from arXiv: 2603.04261 by Alessandro Sanna, Bjorn De Sutter, Davide Maiorca, Leonardo Regano, Waldo Verstraete.

Figure 1: The simulation method of the game resource localisation attack. The defender needs to invest
Figure 2: Hasse diagram for the partially ordered set of pruning logics used in the experimental evaluation
Figure 3: Outcomes of six targeted pruning logics in greedy attack strategies on unobfuscated versions
Figure 4: Outcomes of six targeted pruning logics applied greedily on RNC-protected games. (a)–(f)
Figure 5: Outcomes of two related pruning logics applied greedily on two versions of the games. (a)–(d)
Figure 6: Outcomes of six pruning logics, each applied greedily to the game version protected with
Figure 7: Outcomes of the change/no change attack logic applied to AssaultCube protected with six
Figure 8: Outcomes of different relevant attack strategies applied to SuperTux protected with two
Figure 9: The distribution of the time taken by each attack simulation for the different attack strategies
Original abstract

Evidence on the effectiveness of Man-At-The-End (MATE) software protections, such as code obfuscation, has mainly come from limited empirical research. Recently, however, an automatable method was proposed to obtain statistical models of the required effort to attack (protected) software. The proposed method was sketched for a number of attack strategies but not instantiated, evaluated, or validated for those that require human interaction with the attacked software. In this paper, we present a full instantiation of the method to obtain statistical effort models for game resource localisation attacks, which represent a major step towards creating game cheats, a prime example of MATE attacks. We discuss in detail all relevant aspects of our instantiation and the results obtained for two game use cases. Our results confirm the feasibility of the proposed method and its utility for decision support for users of software protection tools. These results open up a new avenue for obtaining models of the impact of software protections on reverse engineering attacks, which will scale much better than empirical research involving human participants.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

0 major / 2 minor

Summary. The manuscript instantiates a previously sketched automatable method for deriving statistical effort models of game resource localisation attacks (a key step in creating game cheats as MATE attacks on protected software). It applies the method in full detail to two concrete game use cases, covering attack strategy decomposition, parameterisation, and model fitting, and reports results that confirm feasibility and utility for decision support in software protection tool selection.

Significance. If the instantiation and derived models hold, the work supplies a scalable, automatable route to quantitative effort estimates for human-interactive reverse-engineering attacks, addressing the scalability limits of prior empirical studies with human participants. The paper ships a complete technical instantiation with usable outputs for two cases and thereby strengthens the foundation for statistical modeling of MATE protection impact.

minor comments (2)
  1. The abstract states that results 'confirm the feasibility ... and its utility' yet does not preview any quantitative metrics (e.g., model fit statistics, effort estimates, or validation error); a brief summary sentence in the abstract would improve accessibility.
  2. Section 5 (or equivalent results section) should explicitly state whether the fitted statistical models were validated on held-out attack traces or only on the same data used for parameterisation; a short paragraph on this point would remove any residual ambiguity about independence.

Simulated Author's Rebuttal

0 responses · 0 unresolved

We thank the referee for the positive summary, significance assessment, and recommendation of minor revision. Our manuscript provides a full instantiation of the previously sketched automatable method for statistical effort models of game resource localisation attacks, with detailed application to two concrete use cases including strategy decomposition, parameterisation, model fitting, and results confirming feasibility and utility for MATE attack analysis and software protection decisions. As no specific major comments are listed in the report, we have no individual points to address.

Circularity Check

0 steps flagged

No significant circularity in derivation chain

full rationale

The paper presents a full instantiation of a previously proposed automatable method for deriving statistical effort models, applied specifically to game resource localisation attacks on two concrete use cases. It supplies technical details on attack strategy decomposition, parameterisation, and model fitting, then reports feasibility and decision-support utility. No load-bearing step reduces by the paper's own equations or self-citation to its inputs by construction; the central claim rests on the completeness of the instantiation and the resulting outputs rather than on re-deriving or fitting the underlying method itself. The work is therefore self-contained against external benchmarks for its stated purpose.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Abstract-only review yields no explicit free parameters, axioms, or invented entities; full manuscript would be required to enumerate statistical fitting choices or modeling assumptions.

pith-pipeline@v0.9.0 · 5712 in / 907 out tokens · 38117 ms · 2026-05-21T12:34:22.365439+00:00 · methodology

