UnKnoWnCheaTs - Multiplayer Game Hacks and Cheats > Anti-Cheat Software & Programming > Anti-Cheat Bypass
[Information] Easy Anti Cheat
#1 | sh!ft | 1st October 2014, 11:24 AM
IMPORTANT: BE CAREFUL ANALYZING THE MODULES! Their PDB info portion links to a bit.ly tracker URL! YOU WILL BE TRACKED; IT'S SUPER ILLEGAL BUT THEY DON'T CARE!!! By default the symbol server will try to retrieve a valid PDB from the URL.

Introduction

So, you'd like to build a snowman, eh? Well, a while ago I wasted far more time on EAC than I should have. I also told some people I'd eventually release information on it. So, here I am, man of my word. EasyAntiCheat, or EAC, is a clever ball of hack. It itself is literally an intrusive hack that attacks other hacks by disabling their entry and monitoring and reporting their activity.

Explanation

Some morons think they've bypassed it with clever little wrapper DLLs, but that's simply not the case: unknown DLLs are piped to the EAC network. There's a whole slew of idiots who start their game without EAC and claim to have bypassed it... But that too is not the case. EAC behaves like a hack; it requires no effort on the game developer to deploy itself. The details are just too boring for me to cover when I'm in a bad mood like right now, so expect more information and especially more detail in this post at a later date.

Packers Suck!

Both the team, and in this case. I normally don't do any unpacking and just debug at runtime. I'm far too lazy to figure out this shit... So it took me a while to get to this point. I never debug kernel mode (as I stick to ring3 on principle). I still stick to ring3, and in this case it was for the best... EAC actually will actively keep you away from debugging kernel mode. But as usual this packer isn't even that special; it just took time on my part. I'd actually call this more of a fuzzer. It packs and obfuscates, but not overly so and not too much. It behaves like UPX, which they used once upon a time on the client side of things, but resembles MPRESS at first analysis. First the pusha, pushf, unpacking, then the pops, which are not revealed until they themselves are unpacked.

It's the same behavior as both UPX and MPRESS. But there are often 2 to 5 different paths a static analyzer can take. It looks like they do different things, but that's where system knowledge comes into play... The end result is the same regardless of the path taken. In the one I posted here, the net result is always as follows: basically, x64 has no pusha, so the registers must be pushed manually. Some registers don't actually matter to us: rsp (as by pushing and popping correctly, rsp is restored without popping it back). To make your own unpacker, it is incredibly easy to use the ua_ functions of IDA's Python module to make an emulated stepper which acts on the database.

Nitty Gritty

The setup file (which isn't a real setup file) is the executable that contains the EAC client; it resides at 'C:\Windows\System32\EasyAntiCheat.exe'. This is not to be confused with the initial installer piped with your game itself. It provides a very basic socket-based HTTP client to a service supposedly known as 'EAC.' Specifically it makes GETs/POSTs and other discussions with a web server.

First, I'll help you stand up your own basis for your own research. So how to start? Well, first you need to know where to get files from, since the EAC client deletes all the important stuff! To grab any anti-cheat driver and client from EAC, utilize your own code with the following format string:

Updated: 21MAY2015

Respective to each system, if you run x64 Windows it uses wow64, and if you run x86 Windows it uses win32. The uuid is based on GetSystemTickCount. It's basically random each time the game launches and is used as a session key for both transactions and enciphering via a very simple Mersenne Twister (pseudo-random number; one of many seed-based random number generators) implementation. The seed is based off GetTickCount().

So for game IDs just use my code to find the game you want. There are a few necessary headers too:

'Cache-Control: max-age=0'
'Accept: application/octet-stream'
'Accept-Encoding: identity'
'User-Agent: EasyAntiCheat Client'

Download EAC_2015MAY06

To do your own research, I've uploaded a packed copy of the driver. I've included an unpacked version of the current module with an IDC script to fix the import table. The date of this module is 2015MAY06. The game id used was 7dtd, syswow64. (It's the 64-bit build.)

Original Post

So, I spent like 6 hours today reverse engineering Easy Anti Cheat (EAC) since it magically appeared with RUST/7DTD some time ago and frankly... Screw this anti-cheat. Never agreed to any disclaimer but it just hops away and installs its driver anyway! I'm rage-faced at this stupid little application. After unpacking this crap UPX stuff at C:\Windows\SysWOW64\EasyAntiCheat.exe and the files in the common folder from Steam, it ends up these are just ridiculously nonsensical service loaders for starting their craptastic driver. Hurray for chasing an imaginary rabbit. So little information gleaned from these...

PS. Killing the 'exe' that starts with the game is frivolous. I popped it into a debugger after the game is started and used Intel's PIN tools on all 'allocated' memory that was not belonging to 'known' DLLs (basically, the executable itself). And no matter what I did (save exiting the game) there was no code to be executed, not even when handshaking with EAC servers. Hours of my life I won't get back...

So, what's going on with this stupid driver... Honestly I haven't gotten very far because I've become MAD BRO. The driver claims to be loaded from: C:\Windows\system32\EasyAntiCheat.exe. Mmk, wrong? Windows claims and says it is, registry says it is, but it's not. However that may be, it is ninja-vanished if you look for it. So I said screw it, and wrote a quick little tool that polls the loaded MemoryMappedFiles from Winblows and dumped the ones with an associated PID of EasyAntiCheat/the game/and the service. Finally getting somewhere. This driver is ugly as sin. I CBF to reverse its communication protocol... But long story short it's a filter driver that does some trivial scanning, mostly just blocking HANDLEs and known cheating drivers such as CheatEngine. The handles are just stripped of their access rights... I don't see any SSDT patching or anything obscene. NTDLL is intact, hasn't been hijacked AFAIK.

I can't see a way around the filter driver in userland and I refuse to kernel-up my hacks because of these malware-artists. Mostly because I make a lot of mistakes, since I do crap like CALL NULL in codepage 0x23 to swap the processor to x86 (from x64) and vice versa CALL NULL in cp 0x33 to x64 with some dirty stack aligning... Things like that and some really crappy thrown-together code intended to 'just make it fucking work' don't play well in driver-realms. So, there's my info, anyone got anything to add? Any suggestions? Should I chill bro and just fucking write a driver to subvert EAC? Or has someone already done this and can save me the potential crash-fuckery?
-- sh!ft
The growth of understanding can only truly begin when you embrace the concept that finality is a delusion and still progress effectively without becoming entangled in the illusory concepts that preclude.
Last edited by sh!ft; 21st May 2015 at 03:57 PM. Reason: Update!
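An added example, not code from the post above and not EAC's implementation: the post says EAC's session key is a Mersenne Twister seeded from GetTickCount(). The C below is reference MT19937 plus an assumed construction (hypothetical; the post does not describe how the stream is applied) that XORs the low byte of each output onto the message, and shows why a tick-seeded key is weak: given a known plaintext prefix such as the 'User-Agent: EasyAntiCheat Client' header the post lists, the seed falls to a search over a window of tick values. The header used as known plaintext and the tick value are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reference MT19937 (32-bit Mersenne Twister). */
#define MT_N 624
#define MT_M 397

typedef struct { uint32_t mt[MT_N]; int idx; } mt19937;

void mt_seed(mt19937 *s, uint32_t seed)
{
    s->mt[0] = seed;
    for (int i = 1; i < MT_N; i++)
        s->mt[i] = 1812433253u * (s->mt[i - 1] ^ (s->mt[i - 1] >> 30)) + (uint32_t)i;
    s->idx = MT_N;
}

uint32_t mt_next(mt19937 *s)
{
    if (s->idx >= MT_N) {                       /* regenerate the whole state in place */
        for (int i = 0; i < MT_N; i++) {
            uint32_t y = (s->mt[i] & 0x80000000u) | (s->mt[(i + 1) % MT_N] & 0x7fffffffu);
            s->mt[i] = s->mt[(i + MT_M) % MT_N] ^ (y >> 1) ^ ((y & 1u) ? 0x9908b0dfu : 0u);
        }
        s->idx = 0;
    }
    uint32_t y = s->mt[s->idx++];               /* tempering */
    y ^= y >> 11;
    y ^= (y << 7) & 0x9d2c5680u;
    y ^= (y << 15) & 0xefc60000u;
    y ^= y >> 18;
    return y;
}

/* First output for a seed; handy for checking the generator against known vectors. */
uint32_t mt_first_output(uint32_t seed)
{
    mt19937 s;
    mt_seed(&s, seed);
    return mt_next(&s);
}

/* Assumed cipher (hypothetical): XOR each byte with the low byte of the next MT output. */
void mt_xor_stream(uint32_t seed, uint8_t *buf, size_t len)
{
    mt19937 s;
    mt_seed(&s, seed);
    for (size_t i = 0; i < len; i++)
        buf[i] ^= (uint8_t)mt_next(&s);
}

/* Try every candidate seed in [lo, hi]; accept the first whose keystream turns
   the ciphertext prefix into the known plaintext. Returns 1 on success. */
int mt_recover_seed(const uint8_t *ct, const uint8_t *known, size_t known_len,
                    uint32_t lo, uint32_t hi, uint32_t *found)
{
    for (uint32_t t = lo; ; t++) {
        mt19937 s;
        mt_seed(&s, t);
        size_t i = 0;
        while (i < known_len && (uint8_t)(ct[i] ^ (uint8_t)mt_next(&s)) == known[i])
            i++;
        if (i == known_len) { *found = t; return 1; }
        if (t == hi) return 0;
    }
}

/* Constructed scenario: the "session key" is a tick count, the header line is
   known plaintext, and the attacker searches a ten-second tick window. */
uint32_t demo_recover_tick_seed(void)
{
    static const char header[] = "User-Agent: EasyAntiCheat Client";  /* known prefix */
    const uint32_t true_tick = 1234567u;                               /* hypothetical GetTickCount() */
    uint8_t ct[sizeof header - 1];
    memcpy(ct, header, sizeof ct);
    mt_xor_stream(true_tick, ct, sizeof ct);

    uint32_t found = 0;
    int ok = mt_recover_seed(ct, (const uint8_t *)header, 8,
                             true_tick - 5000u, true_tick + 5000u, &found);
    printf("seed recovered: %s (0x%08x)\n", ok ? "yes" : "no", found);
    return ok ? found : 0;
}

int main(void) { return demo_recover_tick_seed() == 1234567u ? 0 : 1; }
```

Eight bytes of known plaintext make a false match across a 10,001-seed window vanishingly unlikely, and the search costs one MT initialisation per candidate, so a tick-count seed offers no real secrecy; only a seed drawn from a CSPRNG and exchanged out of band would change that.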
#2 | DarthTon | 1st October 2014, 02:19 PM
If you don't want to move too much code into r0, you can grant your user-mode handle any access rights you want using something similar to this: https://github.com/DarthTon/Blackbon...nes.c#l146-182
-- DarthTon
#3 | sitnspinlock | 1st October 2014, 02:20 PM
Since it sounds like you are limited to user-mode, attach a debugger to services.exe and set a breakpoint on NtLoadDriver (assuming the application does not call NtLoadDriver itself), and scoop it up that way. Any driver image that is loaded, even one with pageable sections, can be removed from disk afterwards.
-- sitnspinlock
#4 | 0x1 (banned: Custom / undisclosed) | 4th October 2014, 04:25 PM
You can patch the handle table from usermode or unhook the ObRegisterCallbacks hook inside the EAC driver.
-- 0x1
#5 | sitnspinlock | 4th October 2014, 08:53 PM
Originally Posted by 0x1
Sounds legit.
-- sitnspinlock
#6 | learn_more (Retired Administrator) | 4th October 2014, 08:56 PM
Originally Posted by sitnspinlock
It's an alt of 'relentless1', so yeah, what did you expect?
-- learn_more
#7 | Seank | 6th October 2014, 09:04 PM
You can't bypass it.
-- Seank
#8 | lordtristan | 7th October 2014, 06:30 AM
EAC is designed mostly for stopping you from using cheats, not detecting them in the way we're used to seeing. If they are indeed using ObRegisterCallbacks (MSDN), and I assume they are if you see no SSDT hooks, here are some ways to defeat it; however, you may still need to enter ring0 to really accomplish this.

1.) You can use ObUnRegisterCallbacks (MSDN) and remove their blocks, which will allow you to access the game process; then you still need to concern yourself with how to secure the cheat against its general scan methods.
2.) You can mix together a ring0 and ring3 component of your cheat and have ring0 do all the reading and writing and all other intrusive acts, while the ring3 component simply sends commands, runs algorithms and does any visual drawing.
3.) You can apply the same theory for the ring0 and ring3 suggestion but use your own ObRegisterCallbacks to block all their ring3 scans.

If you intend to do this purely from ring3, your only option is blocking their driver from loading and crossing your fingers that EAC will play nice. I use the same tactics EAC uses to block handle access in my own cheats; no anti-cheats have detected me because of it and I don't expect them to without trying a little harder. In the end, if you want to cheat in leagues, you need to go into ring0 or you're playing with fire, at least that is how I see it.
Originally Posted by Seank
You are adorable! Oh my god, my sides, they hurt!
Last edited by lordtristan; 7th October 2014 at 07:30 AM.
-- lordtristan
#9 | Forza | 7th October 2014, 09:07 PM
Originally Posted by DarthTon
If you don't want to move too much code into r0, you can grant your user-mode handle any access rights you want using something similar to this: https://github.com/DarthTon/Blackbon...nes.c#l146-182
That won't work because they use callbacks to deny RW operations on memory, so the privilege of the handle is irrelevant. You will need to unregister their callbacks or perform RW operations from the kernel.
Last edited by Forza; 7th October 2014 at 09:43 PM.
-- Forza
#10 | InUrFace | 7th October 2014, 09:43 PM
Originally Posted by Forza
That won't work because they use ObRegisterCallbacks to deny RW operations on memory, so the privilege of the handle is irrelevant. You will need to unregister their callbacks or perform RW operations from the kernel.
This does work, as the callback is called at handle creation (opening) time. If you change the access rights of your handle later it will work... but there is still a chance that EAC enumerates all handles to the game process and checks them like VAC does.
-- InUrFace
#11 | lordtristan | 8th October 2014, 01:33 AM
Originally Posted by InUrFace
This does work, as the callback is called at handle creation (opening) time. If you change the access rights of your handle later it will work... but there is still a chance that EAC enumerates all handles to the game process and checks them like VAC does.
Even if they enumerate handles I don't think it's enough of a reason for a ban; you never know what kind of software may have restored handle access.
-- lordtristan
#12 | InUrFace | 8th October 2014, 07:54 AM
-- InUrFace
#13 | DarthTon | 8th October 2014, 09:05 AM
Originally Posted by lordtristan
Even if they enumerate handles I don't think it's enough of a reason for a ban; you never know what kind of software may have restored handle access.
Detecting some open handle in a random process is one thing. But if a handle has higher access rights than your ObCallbacks allow, something is definitely not right. However, the process handle table can be safely unlinked from the list that is used by the kernel for handle enumeration.
-- DarthTon
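An added example (mine, not any poster's code and not EAC's) that models the handle-access discussion of posts #8, #10 and #13 in plain C: a user-mode model of an ObRegisterCallbacks pre-operation callback that strips rights from handles to the protected process, a post-creation regrant of the kind DarthTon suggests in #2 (which, as InUrFace notes, the callback never sees again), and the table walk DarthTon describes that flags any handle holding more access than the callback could have granted. The access-mask values match winnt.h; the stripped-rights set, the PIDs and the handle table are constructed for the demo, and the functions standing in for kernel behaviour are hypothetical models, not the real OB_PREOP_CALLBACK or handle-table structures.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Windows PROCESS_* access bits (same values as winnt.h). */
#define PROCESS_TERMINATE                 0x0001u
#define PROCESS_CREATE_THREAD             0x0002u
#define PROCESS_VM_OPERATION              0x0008u
#define PROCESS_VM_READ                   0x0010u
#define PROCESS_VM_WRITE                  0x0020u
#define PROCESS_DUP_HANDLE                0x0040u
#define PROCESS_QUERY_INFORMATION         0x0400u
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000u

/* Rights the modelled anti-cheat callback strips from any handle to the
   protected process not opened by the anti-cheat itself (hypothetical policy). */
#define AC_STRIPPED_RIGHTS (PROCESS_TERMINATE | PROCESS_CREATE_THREAD | \
                            PROCESS_VM_OPERATION | PROCESS_VM_READ |    \
                            PROCESS_VM_WRITE | PROCESS_DUP_HANDLE)

typedef struct {
    uint32_t protected_pid;   /* the game process */
    uint32_t trusted_pid;     /* the anti-cheat's own service process */
} ac_policy;

typedef struct {
    uint32_t owner_pid;       /* process whose handle table holds the entry */
    uint32_t target_pid;      /* process object the handle refers to */
    uint32_t granted_access;  /* GrantedAccess recorded in the handle table */
} handle_entry;

static const ac_policy DEMO_POLICY = { 1000u, 2000u };   /* constructed PIDs */

/* What an OB_OPERATION_HANDLE_CREATE / _DUPLICATE pre-op callback would leave
   in DesiredAccess. It runs once, when the handle is opened. */
uint32_t ac_preop_filter(const ac_policy *p, uint32_t caller_pid,
                         uint32_t target_pid, uint32_t desired_access)
{
    if (target_pid != p->protected_pid)
        return desired_access;                 /* not the game: untouched */
    if (caller_pid == p->trusted_pid || caller_pid == target_pid)
        return desired_access;                 /* the AC, or the game itself */
    return desired_access & ~AC_STRIPPED_RIGHTS;
}

/* Post-creation regrant: a kernel component rewrites GrantedAccess in the
   handle table after the callback already ran. The callback is not re-invoked. */
void handle_regrant_access(handle_entry *h, uint32_t extra_access)
{
    h->granted_access |= extra_access;
}

/* The detection side: walk the handle table and count entries holding more
   access than the callback would ever have granted. */
size_t ac_count_suspicious(const ac_policy *p, const handle_entry *table, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t allowed = ac_preop_filter(p, table[i].owner_pid,
                                           table[i].target_pid,
                                           table[i].granted_access);
        if ((table[i].granted_access & ~allowed) != 0u)
            hits++;
    }
    return hits;
}

/* Constructed scenario: a cheat (pid 3000) opens the game, gets its handle
   stripped, then regrants itself read/write from the kernel. Returns the
   number of suspicious handles after the regrant. */
size_t demo_regrant_then_scan(void)
{
    handle_entry table[3] = {
        { 3000u, 1000u, 0u },                                /* cheat -> game  */
        { 2000u, 1000u, PROCESS_VM_READ | PROCESS_VM_WRITE },/* AC -> game     */
        { 3000u, 4000u, PROCESS_VM_READ },                   /* cheat -> other */
    };
    /* handle creation: only what the callback lets through is recorded */
    table[0].granted_access = ac_preop_filter(&DEMO_POLICY, 3000u, 1000u,
                                  PROCESS_QUERY_INFORMATION | PROCESS_VM_READ |
                                  PROCESS_VM_WRITE | PROCESS_VM_OPERATION);
    size_t before = ac_count_suspicious(&DEMO_POLICY, table, 3);   /* 0 */
    handle_regrant_access(&table[0], PROCESS_VM_READ | PROCESS_VM_WRITE |
                                     PROCESS_VM_OPERATION);
    size_t after = ac_count_suspicious(&DEMO_POLICY, table, 3);    /* 1 */
    printf("suspicious handles: before regrant %zu, after %zu\n", before, after);
    return after;
}

int main(void)
{
    return demo_regrant_then_scan() == 1 ? 0 : 1;
}
```

The demo reports 0 suspicious entries right after creation and 1 after the regrant, which is exactly the inconsistency DarthTon points to: the cheat's handle carries rights the callback could never have granted. Unlinking the entry from the enumeration list, his proposed counter, is not modelled here.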
#14 | sh!ft | 8th October 2014, 06:44 PM
Originally Posted by DarthTon
Detecting some open handle in random process is one thing. But if handle has higher access rights than your ObCallbacks allow, something is definitely not right. However process handle table can be safely unlinked from list that is used by kernel for handle enumeration
True story, not unlike Ebola! Jk. But you were instrumental in my education: <3. Your timely reply and awesome information is another reason I am exclusive to these forums. Keep up the good work.
-- sh!ft
#15 | snufkin | 10th October 2014, 10:13 AM
Originally Posted by lordtristan
I use the same tactics EAC uses to block handle access in my own cheats
I feel like I'm intruding on the big boys discussion here, but how would this be accomplished, practically speaking? I know there are methods to unlink the process from the kernel process list, but it sounds too good to be true that it would be THAT easy to defeat most software level anti cheats. Your method sounds more robust, but I assume this has to be done from a custom driver?
-- snufkin
#16 | 10th October 2014, 02:10 PM
Originally Posted by snufkin
I feel like I'm intruding on the big boys discussion here, but how would this be accomplished, practically speaking? I know there are methods to unlink the process from the kernel process list, but it sounds too good to be true that it would be THAT easy to defeat most software level anti cheats. Your method sounds more robust, but I assume this has to be done from a custom driver?
That was a lot easier than it sounded, hmm. Out of curiosity, how do ACs react to encountering a protected process which is known to have an open handle to the game? The most logical would be to crash the game, yes? I'm sorry for asking all these questions, but I'm kinda new to all this, and I hope you realize your knowledge is worth gold to me and I appreciate it a lot! <3
-- snufkin
#18 | sitnspinlock | 11th October 2014, 06:01 PM
Originally Posted by snufkin
That was a lot easier than it sounded, hmm. Out of curiosity, how do ACs react to encountering a protected process which is known to have an open handle to the game? The most logical would be to crash the game, yes? I'm sorry for asking all these questions, but I'm kinda new to all this, and I hope you realize your knowledge is worth gold to me and I appreciate it a lot! <3
I suppose they would react in a manner they see fit ;p In Windows 8.1 and Windows 10, only ELAM (early launch anti-malware) certified code can be run as a protected process; in Vista and 7 any image signed with a private key from a root CA (certificate authority) can be run as a protected process. Ideally an anti-malware service would have periodic handles to every process as it aids to protect the system. However, in Vista and 7, anti-virus vendors didn't make use of the protected process mechanism, and at that time it seemed to be more geared towards DRM; even then it wasn't widely used. Probably the first course of action would be to see if test-signing is enabled, because for 8.1 and 10 it's highly unlikely that someone playing around is ELAM certified, and then go from there. If the AC has a kernel mode component, then the root of trust for the protected process is already broken, because the driver can access it in any way it wants.
-- sitnspinlock
#19 | snufkin | 11th October 2014, 09:05 PM
Originally Posted by sitnspinlock
I suppose they would react in a manner they see fit ;p In Windows 8.1 and Windows 10, only ELAM (early launch anti-malware) certified code can be run as a protected process; in Vista and 7 any image signed with a private key from a root CA (certificate authority) can be run as a protected process. Ideally an anti-malware service would have periodic handles to every process as it aids to protect the system. However, in Vista and 7, anti-virus vendors didn't make use of the protected process mechanism, and at that time it seemed to be more geared towards DRM; even then it wasn't widely used. Probably the first course of action would be to see if test-signing is enabled, because for 8.1 and 10 it's highly unlikely that someone playing around is ELAM certified, and then go from there. If the AC has a kernel mode component, then the root of trust for the protected process is already broken, because the driver can access it in any way it wants.
Makes sense. I was thinking of implementing the same scan of process handles that VAC does and simply crash my cheat if it detects any elevated handle that shouldn't be there. Anyways, I'll get my driver ready and continue experimenting from there. As always, thanks mate! <3
-- snufkin
#20 | Haruhi | 20th October 2014, 08:30 AM
Originally Posted by Seank
By this logic we'd still be in the dark ages. It's been bypassed by several coders already.
-- Haruhi
All times are GMT. The time now is 01:54 PM.