🤖 AI Summary
This study addresses the lack of quantifiable and scalable modeling approaches for estimating cracking effort in Man-At-The-End (MATE) attacks that require human interaction, such as game asset localization attacks. It introduces, for the first time, a statistical effort modeling methodology tailored to such scenarios, proposing an automated framework that integrates automated data collection, attack strategy feature extraction, and empirical analysis. The approach is validated through two real-world game case studies, where effort models with high predictive validity are successfully constructed, demonstrating both feasibility and practical utility. This work establishes a novel, scalable, and quantitative paradigm for evaluating software protection mechanisms, offering significant advantages over traditional assessment methods that rely on manual expertise and subjective judgment.
📝 Abstract
Evidence on the effectiveness of Man-At-The-End (MATE) software protections, such as code obfuscation, has mainly come from limited empirical research. Recently, however, an automatable method was proposed to obtain statistical models of the required effort to attack (protected) software. The proposed method was sketched for a number of attack strategies but not instantiated, evaluated, or validated for those that require human interaction with the attacked software.
In this paper, we present a full instantiation of the method to obtain statistical effort models for game resource localisation attacks, which represent a major step towards creating game cheats, a prime example of MATE attacks. We discuss in detail all relevant aspects of our instantiation and the results obtained for two game use cases. Our results confirm the feasibility of the proposed method and its utility for decision support for users of software protection tools. These results open up a new avenue for obtaining models of the impact of software protections on reverse engineering attacks, which will scale much better than empirical research involving human participants.