IMPORTANT
BE CAREFUL ANALYZING THE MODULES! Their pdb info portion links to a bitly tracker URL! YOU WILL BE TRACKED, ITS SUPER ILLEGAL BUT THEY DON'T CARE!!! By default the symbol server will try to retrieve a valid pdb from the URL.
Introduction
So, you'd like to build a snowman eh? Well, awhile ago I wasted far more time on EAC than I should have. I also told some people I'd eventually release information on it. So, here I am, man of my word.
EasyAntiCheat, or EAC, is a clever ball of hack. It itself, is literally an intrusive hack that attacks other hacks by disabling their entry and monitoring and reporting their activity.
Explanation
Some morons think they've bypassed it with clever little wrapper dll's but that's simply not the case-unknown dll's are piped to the EAC network. There's a whole slew of idiots who start their game without EAC and claim to have bypassed it... But that too, is not the case. EAC behaves like a hack, it requires no effort on the game developer to deploy itself. The details are just too boring for me to cover when I'm in a bad mood like right now, so-expect more information and especially more detail in this post at a later date.
Packers Suck!
Both the team, and in this case. I normally don't do any unpacking and just debug in runtime. I'm far too lazy to figure out this shit... So it took me a while to get to this point - I never debug kernel mode (as I stick in ring3 on principal). I still stick to ring3, and in this case it was for the best... EAC actually will actively keep you away from debugging kernel mode. But as usual this packer isn't even that special-it just took time on my part. I'd actually call this more of a fuzzer. It packs and obfuscates, but not overly so and not too much. It behaves like UPX, which they used once upon a time on the client side of things-but resembles MPRESS at first analysis.
First the pusha, pushf, unpacking- then the pops - which are not revealed until they themselves are unpacked. It's the same behavior of both UPX and MPRESS. But there's often 2 to 5 different paths a static analyzer can take-it looks like they do different things but that's where system knowledge comes into play... The end result is the same regardless of the path taken. In the one I posted here-the net result is always as follows:
Basically, x64 has no pusha, so the registers must be pushed manually, some registers don't actually matter to us: rsp (as by pushing and popping correctly, rsp is restored without popping it back.) To make your own unpacker, it is incredibly easy to use the ua_ functions of ida's python module to make an emulated stepper which acts on the database..
Nitty Gritty
The setup file (which isn't a real setup file) is the executable that contains the EAC Client, it resides at 'C:WindowsSystem32EasyAntiCheat.exe'. This is not to be confused with the initial installer piped with your game itself. It provides a very basic socket based http client to a service supposedly known as 'EAC.' Specifically it makes gets/posts and other discussions a web server.
First, I'll help you stand up your own basis for your own research. So how to start? Well first you need to know where to get files from since the EAC client deletes all the important stuff! To grab any anti-cheat driver and client from EAC utilize your own code with the following format string-
Updated: 21MAY2015
Respective to each system, if you run x64 windows, it uses wow64 and if you run x86 windows it uses win32. The uuid is based on GetSystemTickCount. It's basically random each time the game launches and is used as a session key for both transactions and encyphering via a very simple Mersenne Twister(pseudo-random-number[1 of many seeded based random number generators]) implementations. The seed is based off GetTickCount().
So for game ID's just use my code to find the game you want
There's a few necessary headers too:
'Cache-Control: max-age=0'
'Accept: application/octet-stream'
'Accept-Encoding: identity'
'User-Agent: EasyAntiCheat Client'
Download
EAC_2015MAY06
To do your own research, I've uploaded a packed, copy of the driver. I've included an unpacked version of the current module with an IDC script to fix the import table. The date of this module is 2015MAY06. The game id used was 7dtd, syswow64. (It's the 64 bit build.)
Original Post

__________________

If you don't want to move too much code into r0, you can grant your user-mode handle any access rights you want using something similar to this: https://github.com/DarthTon/Blackbon...nes.c#l146-182

since it sounds like you are limited to user-mode, attach a debugger to services.exe and set a breakpoint on NtLoadDriver (assuming the application does not call NtLoadDriver itself), and scoop it up that way.
Any driver image that is loaded, even one with pageable sections, can be removed from disk afterwards.

you can patch the handle table from usermode or unhook ObRegisterCallbacks hook inside EAC driver.

sounds legit.

it's an alt of 'relentless1', so yeah what did you expect

__________________

You cant bypass it.

EAC is designed mostly for stopping you from using cheats, not detecting them in the way we're used to seeing. If they are indeed using ObRegisterCallbacks (MSDN), and I assume they are if you see no SSDT hooks, here are some ways to defeat it, however, you may still need to enter ring0 to really accomplish this.
1.) You can use ObUnRegisterCallbacks (MSDN) and remove their blocks which will allow you to access the game process, then you need still to concern yourself with how to secure the cheat against its general scan methods.
2.) You can mix together a ring0 and ring3 component of your cheat and have ring0 do all the reading and writing and all other intrusive acts, while the ring3 component simply sends commands, runs algorithms and does any visual drawing.
3.) You can apply the same theory for the ring0 and ring3 suggestion but use your own ObRegisterCallbacks to block all their ring3 scans.
If you intend to this purely from ring3, your only option is blocking their driver from loading and crossing your fingers EAC will play nice. I use the same tactics EAC uses to block handle access in my own cheats, no anti-cheats have detected me because of it and I don't expect them to without trying a little harder. In the end, if you want to cheat in leagues, you need to go into ring0 or you're playing with fire, at least that is how I see it.
You are adorable! Oh my god, my sides, they hurt!

That won't work because they use callbacks to deny RW operations on memory, so the privilege of the handle is irrelevant. You will need to unregister their callbacks or perform RW operations from the kernel.

__________________

this does work as the callback is called at handle creation(opening) time. if you change the access rights of your handle later it will work...
but there is still a chance that EAC enums all handles to the game process and checks them like vac does

__________________

Even if they enumerate handles I don't think its enough of a reason for a ban, you never know what kind of software may of restored handle access.

__________________

Detecting some open handle in random process is one thing. But if handle has higher access rights than your ObCallbacks allow, something is definitely not right.
However process handle table can be safely unlinked from list that is used by kernel for handle enumeration

True story, not unlike Ebola! Jk. But you were instrumental in my education: <3. Your timely reply and awesome information is another reason I am exclusive to these forums. Keep up the good work.

__________________

I feel like I'm intruding on the big boys discussion here, but how would this be accomplished, practically speaking?
I know there are methods to unlink the process from the kernel process list, but it sounds too good to be true that it would be THAT easy to defeat most software level anti cheats.
Your method sounds more robust, but I assume this has to be done from a custom driver?

http://msdn.microsoft.com/en-us/libr...=vs.85%29.aspx

That was a lot easier than it sounded, hmm.
Out of curiosity, how do AC's react to encountering a protected process which is known to have an open handle to the game?
The most logical would be to crash the game, yes?
I'm sorry for asking all these questions but I'm kinda new to all this, and I hope you realize your knowledge is gold worth to me and i appreciate it a lot! <3

__________________

I suppose they would react in a manner they see fit ;p
in Windows 8.1 and Windows 10, only ELAM (early launch anti malware) certified code can be run as a protected process, in Vista and 7 any image signed with a private key from a root CA (certificate authority) can be run as a protected process.
ideally an anti-malware service would have periodic handles to every process as it aids to protect the system.
however in Vista and 7, anti-virus vendors didn't make use of the protected process mechanism, and at that time it seemed to be more geared towards DRM, even then it wasn't widely used.
probably the first course of action would be to see if test-signing is enabled, because for 8.1 and 10, it's highly unlikely that someone playing around is ELAM certified, and then go from there.
if the AC has a kernel mode component, then the root of trust for the protected process is already broken, because the driver can access it in any way it wants.

Makes sense.
I was thinking of implementing the same scan of process handles that VAC does and simply crash my cheat if it detects any elevated handle that shouldn't be there.
Anyways, I'll get my driver ready and continue experimenting from there.
As always, thanks mate! <3

__________________

By this logic we'd still be in the dark ages.
It's been bypassed by several coders already.

__________________