How We Built Live Patching for Games
When a new cheat drops in the wild, every minute counts. Traditional anti-cheat updates require a full game patch — a process that can take days or weeks between discovery and deployment. We built Sentinel's live patching system to compress that timeline to minutes.
This post explains the architecture behind our live patching system, the trade-offs we made, and the engineering challenges we solved along the way.
The Problem with Traditional Anti-Cheat Updates
Most anti-cheat solutions follow a predictable cycle:
- A new cheat is discovered in the wild
- Security team analyzes the cheat binary
- Engineers write detection signatures
- QA tests the update for false positives
- The patch goes through the game's normal release pipeline
- Players download an update
This process can take anywhere from a few days to several weeks. During that time, the cheat is active and damaging the player experience.
Our Approach: In-Memory Hot-Patching
Instead of shipping new binaries, we apply patches directly to the running process. Here's how it works:
1. Analysis with Cortex
When our team (or a customer's security team) obtains a cheat binary, they load it into Cortex. The analyzer uses Capstone to disassemble the binary and identify:
- Hook targets (functions the cheat modifies)
- Injection methods
- Unique byte patterns for detection
2. Patch Generation
Cortex generates a JSON patch that describes the fix. A patch might include:
- Byte patterns to detect modified code
- Original bytes to restore
- Detection signatures for the cheat DLL
3. Cryptographic Signing
Every patch is signed with our private key. The SDK verifies signatures before applying any patch, preventing malicious actors from pushing fake updates.
4. Cloud Distribution
Patches are uploaded to our CDN and propagated globally within seconds. The SDK polls for updates and downloads new patches as they become available.
5. In-Process Application
The SDK applies patches using standard Windows APIs. We use careful synchronization to ensure patches are applied safely without crashing the game.
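Steps 2 through 5 can be seen end to end in the following sketch, which is an added example and not Sentinel's SDK code. It assumes Ed25519 signatures, a hypothetical two-field patch schema (`offset`, `original`), and a byte slice standing in for the protected code region; the point is that the signature is checked over the raw patch bytes before the JSON is parsed or any byte is restored.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Patch is a hypothetical schema; the post does not publish the real format.
type Patch struct {
	Offset   int    `json:"offset"`   // start of the protected region in the buffer
	Original string `json:"original"` // hex of the known-good bytes to restore
}

// VerifyAndApply verifies the signature over the raw patch bytes, then restores
// the original bytes if the region differs. It returns true when a repair was made.
func VerifyAndApply(pub ed25519.PublicKey, raw, sig, mem []byte) (bool, error) {
	if !ed25519.Verify(pub, raw, sig) {
		return false, errors.New("patch signature invalid")
	}
	var p Patch
	if err := json.Unmarshal(raw, &p); err != nil {
		return false, err
	}
	orig, err := hex.DecodeString(p.Original)
	if err != nil {
		return false, err
	}
	if p.Offset < 0 || len(orig) == 0 || p.Offset > len(mem)-len(orig) {
		return false, errors.New("patch region out of bounds")
	}
	region := mem[p.Offset : p.Offset+len(orig)]
	if bytes.Equal(region, orig) {
		return false, nil // region intact, nothing to restore
	}
	copy(region, orig)
	return true, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)                // throwaway demo key pair
	raw := []byte(`{"offset":2,"original":"4883ec28"}`)     // constructed sample patch
	mem := []byte{0x90, 0x90, 0xe9, 0x11, 0x22, 0x33, 0xc3} // constructed buffer, bytes 2-5 modified
	fixed, err := VerifyAndApply(pub, raw, ed25519.Sign(priv, raw), mem)
	fmt.Println(fixed, err, hex.EncodeToString(mem))
}
```

A patch whose bytes were altered after signing fails at the first check and never reaches the parser, and the bounds check keeps even a validly signed patch from writing outside the buffer.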
Performance Considerations
A key constraint was performance. Games run at 60+ FPS, and every millisecond matters. Our target was <0.01ms per integrity check.
We achieved this through:
- Lazy checking: Not every function is checked every frame
- Background threads: Checks run on a separate thread pool
- Batched verification: Multiple regions are checked in a single pass
- Caching: Known-good states are cached to avoid redundant work
What's Next
We're continuing to improve the system with faster patch propagation, better heuristics for unknown cheats, and improved integration with popular game engines.
If you're interested in protecting your game with live patching, get in touch — we'd love to show you a demo.