In this short tutorial I will show you how to bypass the newest version of EasyAntiCheat.
There were a lot of rumors saying that this software is a beast; many European leagues believed this and replaced their current anticheats with EasyAntiCheat.
I must say I was one of the people who believed that story, so I always kept in mind that bypassing EAC3 is a big task and delayed the project until I found enough time.
I only investigated the parts which were critical for my software; there might be other detections/scramblers which I didn't describe.
Here we go:
EasyAntiCheat is software designed to catch cheaters or prevent them from using their cheats.
I heard from some people that EasyAntiCheat has an admin panel where an anticheat admin has to add a cheat (DLL?) hash to a database;
EasyAntiCheat is then able to detect it (it's some sort of memory scan; I didn't investigate this as it's not my problem). They do this on a daily basis, adding public
and private cheats which they purchase. If your software is out of their reach, you are safe from this type of scan.
EasyAntiCheat is able to take screenshots of your game play; in past versions they combined glReadPixels (for HL1 games) and BitBlt. I won't discuss how to bypass this, because you should already know it.
They also hook glDisable and check the return address; this is a weak way of detecting a wall tool. The fix for this is really simple: just call your driver's glDisable function directly, without using the Opengl32.dll wrapper.
Once you are in the game process and you have engine access, you will try to render your ESP. This might surprise you, but your ESP will be floating around and it won't render in the place where it should. It's because EasyAntiCheat obfuscates the ref_params structure, which is used by your custom WorldToScreen / pEngine->pTriAPI->WorldToScreen (correct me if I'm wrong).
This is nothing new or revolutionary; anticheats like 175PT already used it a while ago ( http://www.gamerztools.net/foros/sho...4993#post14993 ).
In the following disassembly we can see how they obfuscate the ref_params structure:
0C166BB0 893D 74451B0C    MOV DWORD PTR DS:[C1B4574], EDI
0C166BB6 8BC7             MOV EAX, EDI
0C166BB8 83E8 04          SUB EAX, 4
0C166BBB 50               PUSH EAX
0C166BBC F3:A5            REP MOVS DWORD PTR ES:[EDI], DWORD PTR DS:[ESI]
0C166BBE 60               PUSHAD
0C166BBF 9C               PUSHFD
0C166BC0 B9 08000000      MOV ECX, 8
0C166BC5 8B35 74451B0C    MOV ESI, DWORD PTR DS:[C1B4574] ; hw.0512DA64
0C166BCB BF 10471B0C      MOV EDI, 0C1B4710
0C166BD0 F3:A5            REP MOVS DWORD PTR ES:[EDI], DWORD PTR DS:[ESI]
0C166BD2 E8 D0D60100      CALL 0C1842A7
0C166BD7 99               CDQ
0C166BD8 B9 FF000000      MOV ECX, 0FF
0C166BDD F7F9             IDIV ECX
0C166BDF A1 74451B0C      MOV EAX, DWORD PTR DS:[C1B4574]
0C166BE4 0FB6D2           MOVZX EDX, DL
0C166BE7 69D2 01010101    IMUL EDX, EDX, 1010101
0C166BED 8910             MOV DWORD PTR DS:[EAX], EDX
0C166BEF 8950 04          MOV DWORD PTR DS:[EAX+4], EDX
0C166BF2 8950 08          MOV DWORD PTR DS:[EAX+8], EDX
0C166BF5 8950 0C          MOV DWORD PTR DS:[EAX+C], EDX
0C166BF8 8950 10          MOV DWORD PTR DS:[EAX+10], EDX
0C166BFB 8950 14          MOV DWORD PTR DS:[EAX+14], EDX
0C166BFE 8950 18          MOV DWORD PTR DS:[EAX+18], EDX
0C166C01 8950 1C          MOV DWORD PTR DS:[EAX+1C], EDX
0C166C04 9D               POPFD
0C166C05 61               POPAD
And this is what the ref_params structure looks like:
typedef struct ref_params_s {
float vieworg[3];
float viewangles[3];
float forward[3];
float right[3];
float up[3];
float frametime;
float time;
int intermission;
int paused;
int spectator;
int onground;
int waterlevel;
float simvel[3];
float simorg[3];
float viewheight[3];
float idealpitch;
float cl_viewangles[3];
int health;
float crosshairangle[3];
float viewsize;
float punchangle[3];
int maxclients;
int viewentity;
int playernum;
int max_entities;
int demoplayback;
int hardware;
int smoothing;
struct usercmd_s *cmd;
struct movevars_s *movevars;
int viewport[4];
int nextView;
int onlyClientDraw;
} ref_params_t;
Both refdef->vieworg and refdef->viewangles are used by WorldToScreen functions. There are many ways of bypassing this, but the non-invasive one is to use
your custom WorldToScreen and provide it with a different source for your view origin and angles. Another way is to restore your refdef structure based on what you saw above in the disassembly.
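To make the disassembly above easier to read, here is the scrambling routine rewritten as plain C. This is an added illustration written for this page; it is not EasyAntiCheat's code and was not part of the original post. It mirrors the listing instruction by instruction: back up the first 8 DWORDs of ref_params (vieworg, viewangles and forward[0..1]) into a private buffer (the one at 0C1B4710 in the listing), reduce a value modulo 0xFF, keep its low byte, replicate that byte into all four lanes with the 0x01010101 multiply, and overwrite the 8 DWORDs with it. The function called at 0C1842A7 is not shown on the page, so the value it returns is modelled here as the `raw` parameter (assumed to be some entropy source); the `g_private_copy` array and the helper names are likewise this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Leading fields of ref_params_s as listed above (Half-Life SDK layout).
 * Only the first 8 DWORDs are touched by the routine, so the rest of the
 * structure is omitted here. */
typedef struct ref_params_s {
    float vieworg[3];
    float viewangles[3];
    float forward[3];
    float right[3];
    float up[3];
    float frametime;
    float time;
} ref_params_t;

#define SCRAMBLED_DWORDS 8   /* MOV ECX, 8 */

/* Stand-in for the private buffer at 0C1B4710: the anticheat keeps the
 * real values here while the game-visible copy holds the fill pattern. */
static uint32_t g_private_copy[SCRAMBLED_DWORDS];

/* CDQ / IDIV ECX(=0xFF) / MOVZX EDX,DL / IMUL EDX,EDX,0x01010101 */
uint32_t fill_pattern(int32_t raw)
{
    int32_t rem = raw % 0xFF;               /* signed remainder, as IDIV produces */
    uint32_t byte = (uint32_t)rem & 0xFFu;  /* MOVZX EDX, DL keeps only the low byte */
    return byte * 0x01010101u;              /* replicate the byte into all four lanes */
}

/* The hooked copy: save the first 8 DWORDs, then overwrite them with the
 * pattern. 'raw' models the return value of CALL 0C1842A7 (not on the page). */
uint32_t scramble_ref_params(ref_params_t *rp, int32_t raw)
{
    unsigned char *bytes = (unsigned char *)rp;
    memcpy(g_private_copy, bytes, sizeof g_private_copy);   /* REP MOVS with ECX = 8 */
    uint32_t pattern = fill_pattern(raw);
    for (int i = 0; i < SCRAMBLED_DWORDS; i++)
        memcpy(bytes + 4 * i, &pattern, sizeof pattern);    /* MOV [EAX+4*i], EDX */
    return pattern;
}

/* Bit pattern of a float field, for inspecting the scrambled result. */
uint32_t float_bits(float f)
{
    uint32_t u;
    memcpy(&u, &f, sizeof u);
    return u;
}

/* Read access to the backup, so the effect of the copy can be checked. */
const uint32_t *private_copy(void)
{
    return g_private_copy;
}

int main(void)
{
    /* constructed sample values, not captured from a game */
    ref_params_t rp = { {1.0f, 2.0f, 3.0f}, {4.0f, 5.0f, 6.0f}, {7.0f, 8.0f, 9.0f} };
    uint32_t pat = scramble_ref_params(&rp, 0x12345);
    printf("pattern %08X, vieworg[0] bits %08X, forward[2] %.1f, backup[0] bits %08X\n",
           pat, float_bits(rp.vieworg[0]), rp.forward[2], g_private_copy[0]);
    return 0;
}
```

After the call, vieworg, viewangles and forward[0..1] all hold the same four-byte pattern interpreted as floats, while forward[2] onwards is untouched and the original values live only in the private buffer. That is exactly why a WorldToScreen that reads vieworg and viewangles straight from the game-visible ref_params produces a floating ESP.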
- Fix refdef problem
- Bypass Screenshots
- Hide well your dll or don't share it with multiple people
- Profit???
Conclusion:
EasyAntiCheat may sound advanced from what people say, but once you get it in your hands it isn't any harder than other present-day anticheat tools. I don't know
if this is the reason why they called it Easy. I must say that right now it's the best anticheat in Europe, but sXe Injected and ESEA are still doing their job much better. This is probably the reason why xliqz^ (old cheat coder, former EAC developer) is trying to be a friend of Jaguar (main ESEA AC developer).
If anyone else has other useful information about EAC, feel free to share it in this thread.
Credits by Organner