EAC bypassing and Survivor game

Hello.
Does anyone have any method to bypass EAC so you'll be able to play as survivor/killer (as killer without dropping survivors from the lobby).
Do we need to make some precise blocking (no full incoming/outcoming block)?

Thank you

Why do you need to bypass EAC?

Answer is simple: to speedhack a little bit

So noone have some hints about this? May be blocking some ports instead of full blocking the incoming/outcoming traffic?

Code:

/* EasyAntiCheat exploit for Paladins By Omdihar */ #include <Windows.h> #include <string> #include <process.h> bool DataCompare(const unsigned char* OpCodes, const unsigned char* Mask, const char* StrMask); unsigned long FindPattern(unsigned long StartAddress, unsigned long CodeLen, unsigned char* Mask, char* StrMask, unsigned short ignore); using loadgamewitheac_type = int(__thiscall*)(DWORD*, LPCWSTR, int, char, DWORD*, LPHANDLE); loadgamewitheac_type loadgamewitheac_orig = nullptr; using closehandle_type = BOOL(WINAPI*)(HANDLE); closehandle_type closehandle_orig = nullptr; HANDLE PaladinsThreadHandle = nullptr; HANDLE PaladinsHandle = nullptr; //Hook Functions BOOL WINAPI closehandle_hook(HANDLE handle) { static int count = 0; if (count == 1) PaladinsHandle = handle; ++count; return true; } int __fastcall loadgamewitheac_hook(DWORD *_this, void *edx, LPCWSTR application_name, int a3, char a4, DWORD *process_id_out, LPHANDLE target_handle) { //Hook CloseHandle first and remove it after EAC loading closehandle_orig = (closehandle_type)DetourFunction((PBYTE)CloseHandle, (PBYTE)closehandle_hook); auto ret = loadgamewitheac_orig(_this, application_name, a3, a4, process_id_out, target_handle); DetourRemove((PBYTE)closehandle_orig, (PBYTE)closehandle_hook); //PaladinsHandle access rights == PROCESS_ALL_ACCESS. INJECT CODE HERE /*DetourContinueProcessWithDllW(PaladinsHandle, L"your_dll_to_inject.dll");*/ return ret; } //Threads Function void __cdecl main_thread(void*) { HMODULE eac_module = nullptr; while (eac_module == nullptr) { eac_module = GetModuleHandleW(L"EasyAntiCheat_x86.dll"); Sleep(10); } //B8 ?? ?? ?? ?? E8 ?? ?? ?? ?? 81 EC 9C 02 00 00 auto loadeac_addr = FindPattern((DWORD)eac_module, 0xFFFFF, (BYTE*)"\xB8\x00\x00\x00\x00\xE8\x00\x00\x00\x00\x81\xEC\x9C\x02\x00", "x????x????xxxxxx", 0); if (loadeac_addr == 0) { MessageBoxW(nullptr, L"EasyAntiCheat signature broken", L"Bypass Error", MB_TOPMOST); ExitProcess(-1); } loadgamewitheac_orig = (loadgamewitheac_type)DetourFunction((PBYTE)loadeac_addr, (PBYTE)loadgamewitheac_hook); if (loadgamewitheac_orig == nullptr) { MessageBoxW(nullptr, L"EasyAntiCheat signature broken (2)", L"Exploit Error", MB_TOPMOST); ExitProcess(-1); } } BOOL WINAPI DllMain(_In_ void* _DllHandle, _In_ unsigned long _Reason, _In_opt_ void* _Reserved) { if (_Reason == DLL_PROCESS_ATTACH) { DisableThreadLibraryCalls((HMODULE)_DllHandle); _beginthread(main_thread, 0, nullptr); } return true; } bool DataCompare(const BYTE* OpCodes, const BYTE* Mask, const char* StrMask) { while (*StrMask) { if (*StrMask == 'x' && *OpCodes != *Mask) return false; ++StrMask; ++OpCodes; ++Mask; } return true; } DWORD FindPattern(DWORD StartAddress, DWORD CodeLen, BYTE* Mask, char* StrMask, unsigned short ignore) { unsigned short Ign = 0; DWORD i = 0; while (Ign <= ignore) { if (DataCompare((BYTE*)(StartAddress + i++), Mask, StrMask)) ++Ign; else if (i >= CodeLen) return 0; } return StartAddress + i - 1; }

Credits to Omdihar.
Made for Paladins but works for other EAC games aswell
Edit: Just gonna elaborate on the bypass.
Obviously this is for x86 of easyanticheat, but if you analyze first the x86 version and then the x64 version, it should be pretty clear what function to sig

Chams with this bypass

Originally Posted by Azuki

I suppose this are not public chams, otherwise it could be detected? Have you ever tried something like createremotethread + loadlibrary injection because i will try it when i have time to use it when i want to write something internal cause know i have everything externally without putting module into process.

Originally Posted by morritz

I suppose this are not public chams, otherwise it could be detected? Have you ever tried something like createremotethread + loadlibrary injection because i will try it when i have time to use it when i want to write something internal cause know i have everything externally without putting module into process.

yes private chams - undetected.
and I'm pretty sure createremotethread with loadlibrary doesnt work anymore.

Originally Posted by Azuki

yes private chams - undetected.
and I'm pretty sure createremotethread with loadlibrary doesnt work anymore.

Does chams require some pointers or pattern scan? Because now i have wallhack by using game glow function for killer entity and survivor but i cant find it for objects like hooks , chests , genz.

Originally Posted by morritz

Does chams require some pointers or pattern scan? Because now i have wallhack by using game glow function for killer entity and survivor but i cant find it for objects like hooks , chests , genz.

nope, hook drawmodel and then iterate through the model indexes

I've found a few cool functions in the binary of DBD, namely these:
\x40\x57\x48\x83\xEC\x50\x48\x8B\xF9\x48\x8B\x0D\x 00\x00\x00\x00 xxxxxxxxxxxx????
\x40\x56\x48\x83\xEC\x50\x48\x8B\xF1 xxxxxxxxx

The first one seems to load the actual easyanticheat_x64.dll and the second one the eac_server.dll

I haven't done much practical research on it because I don't wanna get my main banned, but I'm pretty sure if you recreate the api calls to eac from those function and then just return -1, you could launch the game without eac

EAC bypassing and Survivor game

Post a Reply

Similar Threads

Tags for this Thread