EAC in Rust - Rydersel/StudyOnAnticheats GitHub Wiki

Hi world,

Intro:

Currently, there is a lot of confusion and false information about how the Easy Anti Cheat system works in relation to Rust. I hope through this guide to compile relevant information along with my own findings to create a definitive guide. I will be starting by mainly focussing on EAC's implementation in Rust specifically since I have the most personal experience with it but if this piece gets enough traction I will branch out into other games.

What is EAC:

EAC or Easy Anti Cheat is a kernel-based anti-cheat owned by Epic Games. It is employed in a variety of well-known games including Fortnite, Smite, Apex Legends, and of course Rust. Unlike anti-cheats like Valve's VAC while EAC is running users are unable to inject into games processes or attach any sort of debugger. Because the anti-cheat is running on a kernel-level it is able to detect a massive amount of potential modifications and exploitation being applied to said game.

EAC's implementation in Rust:

Each game that uses EAC uses a slightly different version of the anti-cheat which is modified to the developer's specific needs. This also means that if an exploit or 0day is found in one game EAC builds it won't affect the dozens of other games using this system. Though for obvious reasons Facepunch discloses as little information as possible on how they are implementing EAC into rust, through dumps and other various leaks throughout the years we are able to get a rough idea of how said system works. The following information below is based on community dumps and leaks and cannot be proved 100% accurate.

On startup, EAC does several basic checks which are pretty much standard on any anti-cheat. These include checking if the application is running in a Virtual Machine, Checking internal application integrity, and checking for blacklisted modules, hooks. After this EAC moves to a semi-passive state where it will begin to actively monitor not only the game's process but your computer as a whole.

Listed below are modules that are known to be blacklisted by EAC:

Dumper.dll, Glob.dll, mswsock.dll, perl512.dll, vmclientcore.dll, vmwarewui.dll, virtualbox.dll, qtcorevbox4.dll, vboxvmm.dll, netredirect.dll, atmfd.dll, cdd.dll, dpdd.dll, vga.dll, workerdd.dll, msvbvm60.dll

(Credit for Above list: Rake)

Delayed Bans:

EAC implements a similar system to other Anti-Cheats through scheduling bans for future dates. This is done so that cheat creators/users are unable to find what specifically is detected with their program. The time between when your account is marked to be banned and the time when your account is actually banned can be anywhere from 3 days to 3 weeks(the average times is around a week)

Source: Facepunch's Site

HWID blacklisting/banning in Rust:

One of EAC's most well-known and most controversial features is its ability to not just ban a user's account but the actual hardware on their machine. This was created specifically for free games like Fortnite to prevent cheaters from infinitely creating new accounts. With this system said cheater in theory would have to buy a completely new computer in order to cheat again. Notice I said in theory though, as, with any type of Anti-Cheat, people will find a bypass. Cheaters began using programs to spoof their hardware's information (commonly referred to as the hardware's ID, HWID for short). Facepunch responded fast though upgrading their EAC to be able to detect most of the methods the HWID spoofers of the time were using and banning these users. Thus began the cat and mouse race of a new method of spoofing being discovered and EAC eventually patching it. This brings us to today where finding a truly undetected spoofer is quite rare and even the spoofers that are truly undetected end up getting detected every couple of weeks.

When does a user get HWID banned:

EAC does not always HWID ban a user, A user is HWID banned after 2-5 regular bans on the same HWID. This number can be higher or lower but the average is around 2-5.

What Hardware is EAC Logging:

People are always debating what piece of hardware EAC is logging, the truth is it's not which piece, it's which pieces. Though not certain it is widely agreed that EAC logs and saves your storage device's serials (HDD or SSD). Less known though but prooved through code dumps is that EAC also logs and saves users mac addresses, WMI, Registry, System Manufacturer, BIOS Version, BIOS Vendor, ComputerHardwareId, DriverDesc, and more. Though many of these can be changed with very little effort the idea is redundancy. All EAC needs is a couple of these values to match a blacklisted value for your account to be flagged.

Myths:

[EAC logs your GPU and CPU seriels]

Considering the massive amount of known values EAC checks it is inevitable that there is false information circulating around. One of these is that EAC logs your graphic card and CPU's serial numbers. Though there is no evidence saying this is untrue there is also no evidence anywhere proving or even supporting this claim.

[You can request to have your info removed from EAC's database due to GDPR laws]

This is just incorrect, I have seen a lot of people claiming this method to work or claiming to have done this method themselves. This method consists of contacting EAC's support to request they remove your personal information from their databases on the grounds of the policies set in place by the General Data Protection Regulation. There are a couple of reasons this will not work.

1. No policies set in place by GDPR address most of the info EAC collects.
2. When launching up Rust for the first time you agree to have this data collected from you.
3. The people who work at EAC and Facepunch are not stupid.

[EAC IP Bans]

EAC does not IP ban at the moment due to the fact that many people's IP changes weekly or monthly (dynamic IP). Specific Rust servers on the other hand do IP ban users but this is not very effective due to the mass amount of VPNs that exist.

Using Geforce Now:

One known bypass to EAC's HWID ban system is using Nvidia's cloud gaming service. Since you are streaming the game from a different computer EAC is unable to match you with a blacklisted HWID. Since EAC and Facepunch specifically would lose a lot of users by banning the use of Geforce Now completely it is still safe to use. This method does have cons though with the main one being that unless you have great internet you will have a pretty crappy time.

EAC Integrity Checks:

One of EAC's tools to prevent the modification of its process is through periodic integrity checks. Though nearly every modern application uses some type of integrity checking system EAC does it a bit differently.

EAC's Integrity Check Function:

Eac's Integrity Function has been exposed numerous times through code dumps but is heavily obfuscated.

Obfusicated Function:

mov [rsp+arg_8], rbx ror r9w, 2 lea r9, ds:588F66C5h[rdx*4] sar r9d, cl bts r9, 1Fh mov [rsp+arg_10], rbp lea r9, ds:0FFFFFFFFC17008A9h[rsi*2] sbb r9d, 2003FCE1h shrd r9w, cx, cl shl r9w, cl mov [rsp+arg_18], rsi cmc mov r9, cs:EasyAntiCheatBase

Deobfusicated EAC Integrity Check (C++) Credit: Deobfusicated by iPower with help from Capstone

`

bool check_driver_integrity()
{

    if ( !peac_base || !eac_size || !peac_driver_copy_base || !peac_copy_nt_headers )
        return false;

    bool not_modified = true;

    const auto  num_sections     = peac_copy_nt_headers->FileHeader.NumberOfSections;
    const auto* psection_headers = IMAGE_FIRST_SECTION( peac_copy_nt_headers );

    // Loop through all sections from EasyAntiCheat.sys
    for ( WORD i = 0; i < num_sections; ++i )
    {
        const auto characteristics = psection_headers[ i ].Characteristics;

        // Ignore paged sections
        if ( psection_headers[ i ].SizeOfRawData != 0 && READABLE_NOT_PAGED_SECTION( characteristics ) )
        {
            // Skip .rdata and writable sections
            if ( !WRITABLE_SECTION( characteristics ) && ( *reinterpret_cast< ULONG* >( psection_headers[ i ].Name ) != 'adr.' ) )
            {
                auto psection      = reinterpret_cast< const void* >( peac_base + psection_headers[ i ].VirtualAddress );
                auto psection_copy = reinterpret_cast< const void* >( peac_driver_copy_base + psection_headers[ i ].VirtualAddress );

                const auto virtual_size = psection_headers[ i ].VirtualSize & 0xFFFFFFF0;

                // Compare the original section with its copy
                if ( memcmp( psection, psection_copy, virtual_size ) != 0 )
                {
                    // Uh oh
                    not_modified = false;
                    break;
                }
            }
        }
    }

    return not_modified;
}

` The takeaway from the above code is that EAC allocates to a pool before making a copy of itself. It then compares the bytes of EAC.sys with the bytes from the version on your machine.

HWID Registry Key Locations:

HKEY_LOCAL_MACHINE\Hardware\Description\System\CentralProcessor\0

HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0

Computer\HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SystemInformation

Computer\HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS

Computer\HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion

Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate

Registry\Machine\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001

Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows Activation Technologies\AdminObject\Store