index.xml

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>AVX&#39;s Blog</title>
    <link>/</link>
    <description>Recent content on AVX&#39;s Blog</description>
    <generator>Hugo -- gohugo.io</generator>
    <language>en-us</language>
    <lastBuildDate>Mon, 17 Jul 2023 00:00:00 +0000</lastBuildDate><atom:link href="/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Dethroning the Jungle King: EasyAntiCheat&#39;s Import Protection</title>
      <link>/posts/easyanticheat-import-protection/</link>
      <pubDate>Mon, 17 Jul 2023 00:00:00 +0000</pubDate>
      
      <guid>/posts/easyanticheat-import-protection/</guid>
      <description>Disclaimer The information provided in this document is intended solely for educational and informational purposes. It is not meant to belittle EasyAntiCheat or any individuals involved in its development or implementation. Rather, it aims to shed light on the internal workings of EasyAntiCheat so that consumers can better understand what happens behind the scenes when playing their favorite games. Any opinions expressed herein do not necessarily reflect those of EasyAntiCheat or any other parties mentioned.</description>
      <content>&lt;h1 id=&#34;disclaimer&#34;&gt;Disclaimer&lt;/h1&gt;
&lt;p&gt;The information provided in this document is intended &lt;strong&gt;solely for educational and informational purposes&lt;/strong&gt;. It is &lt;strong&gt;not meant to belittle EasyAntiCheat&lt;/strong&gt; or any individuals involved in its development or implementation. Rather, it aims to shed light on the internal workings of EasyAntiCheat so that consumers can better understand what happens behind the scenes when playing their favorite games. Any opinions expressed herein &lt;strong&gt;do not necessarily reflect those of EasyAntiCheat&lt;/strong&gt; or any other parties mentioned. This document is provided &amp;ldquo;&lt;strong&gt;as is&lt;/strong&gt;&amp;rdquo; without warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability and fitness for a particular purpose. I shall not be liable for any damages whatsoever arising out of or in connection with the use of this document.&lt;/p&gt;
&lt;h1 id=&#34;introduction&#34;&gt;Introduction&lt;/h1&gt;
&lt;p&gt;In the ever-evolving virtual battlegrounds, where the quest for fair play clashes with cunning cheaters, an enigmatic sentinel, EasyAntiCheat, reigns supreme, concealing its guarded export resolving strategies. This gripping journey takes us deep into the heart of its jungle-like defenses, as we endeavor to dethrone the Jungle King, exposing the hidden mechanisms, unlocking the secrets of their superior technology.&lt;/p&gt;
&lt;p&gt;Armed with inquisitiveness and technical prowess, we embark on an enthralling expedition to shed light on the protected imports, unraveling the captivating tale of EasyAntiCheat&amp;rsquo;s silent prowess in safeguarding the integrity of online gaming.&lt;/p&gt;
&lt;h1 id=&#34;before-we-dive-in-getting-the-basics-right&#34;&gt;Before We Dive In: Getting the Basics Right&lt;/h1&gt;
&lt;p&gt;To proceed with the remaining part of the article, I recommend first addressing these topics:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&#34;https://www.youtube.com/watch?v=DRH0oRFwFiM&#34;&gt;Virtualization-Based Obfuscators&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;http://sandsprite.com/CodeStuff/Understanding_imports.html&#34;&gt;Understanding the Import Address Table&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;https://dev.to/wireless90/exploring-the-export-table-windows-pe-internals-4l47&#34;&gt;Exploring the Export Table&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h1 id=&#34;the-problem&#34;&gt;The Problem&lt;/h1&gt;
&lt;p&gt;Dynamic analysis plays a crucial role in understanding the behavior of code, especially when dealing with reverse engineering. Anticheats, such as EasyAntiCheat, have recognized the importance of this approach and actively develop methods to mitigate against such attacks.&lt;/p&gt;
&lt;p&gt;One of the primary methods for understanding behavior is by observing calls to imported functions. Typically, these functions can be found in the application&amp;rsquo;s IAT, which is resolved during the application&amp;rsquo;s construction phase.&lt;/p&gt;
&lt;p&gt;However, relying on the IAT for security products is considered quite an insecure design. To address this issue, one can reproduce the behavior by manually parsing the EAT and resolving imports themselves, which eliminates the need for using the IAT.&lt;/p&gt;
&lt;p&gt;In the case of EasyAntiCheat, they have implemented this solution by employing a safeguarded virtualized routine, which attempts to securely resolve their needed exports, and also inlining decryption for the callers of the &lt;code&gt;DecryptImport&lt;/code&gt; function.&lt;/p&gt;
&lt;p&gt;Furthermore, on top of the inlined decryption, they are also employing encryption that utilizes a public and private key, with the private key being discarded at runtime.&lt;/p&gt;
&lt;p&gt;With the use of this method, it becomes nearly impossible to recover the aforementioned private key or to overwrite the import with another value.&lt;/p&gt;
&lt;h1 id=&#34;spying-on-the-king-real-world-examples&#34;&gt;Spying on the King: Real World Examples&lt;/h1&gt;
&lt;p&gt;To kick things off, and before approaching the Jungle, let&amp;rsquo;s examine some examples which are used in other applications.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-cpp&#34; data-lang=&#34;cpp&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;void&lt;/span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;*&lt;/span&gt; VgkExports&lt;span style=&#34;color:#f92672&#34;&gt;::&lt;/span&gt;ExEnumHandleTable(&lt;span style=&#34;color:#66d9ef&#34;&gt;void&lt;/span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;*&lt;/span&gt; a1)
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;  v17.m128i_i64[&lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt;] &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;0x3DC8C9558A64BA8A&lt;/span&gt;i64;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;  v18.m128i_i64[&lt;span style=&#34;color:#ae81ff&#34;&gt;0&lt;/span&gt;] &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;0xD6EBDD7A0CEE792Bu&lt;/span&gt;i64;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;  v19.m128i_i64[&lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt;] &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;0x3DC8C9558A64BA8A&lt;/span&gt;i64;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;  v18.m128i_i64[&lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt;] &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;0xD6C6BCCF590828A8u&lt;/span&gt;i64;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;  v1 &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; _mm_load_si128(&lt;span style=&#34;color:#f92672&#34;&gt;&amp;amp;&lt;/span&gt;v18);
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;  v19.m128i_i64[&lt;span style=&#34;color:#ae81ff&#34;&gt;0&lt;/span&gt;] &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;0xC7884760EDC680EDu&lt;/span&gt;i64;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;  v16.m128i_i64[&lt;span style=&#34;color:#ae81ff&#34;&gt;0&lt;/span&gt;] &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;0xB7A3B00F62AB016Eu&lt;/span&gt;i64;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;  v16.m128i_i64[&lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt;] &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;0xBAA4DD9B3C644CC6u&lt;/span&gt;i64;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;  v17.m128i_i64[&lt;span style=&#34;color:#ae81ff&#34;&gt;0&lt;/span&gt;] &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;0xC7884760EDC68088u&lt;/span&gt;i64;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;  v2 &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;*&lt;/span&gt;(&lt;span style=&#34;color:#66d9ef&#34;&gt;__int64&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;**&lt;/span&gt;)a1;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;  v17 &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; _mm_xor_si128(v17, v19);
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;  v16 &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; _mm_xor_si128(v1, v16);
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;  Export &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; FindExport(&lt;span style=&#34;color:#f92672&#34;&gt;*&lt;/span&gt;v2, v16.m128i_i8, &lt;span style=&#34;color:#ae81ff&#34;&gt;0&lt;/span&gt;i64, &lt;span style=&#34;color:#ae81ff&#34;&gt;0&lt;/span&gt;i64);
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;  &lt;span style=&#34;color:#75715e&#34;&gt;/* redacted code */&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;  &lt;span style=&#34;color:#66d9ef&#34;&gt;return&lt;/span&gt; Export;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;If you&amp;rsquo;ve ever worked with VGK before, then you&amp;rsquo;ll immediately notice these stubs spread throughout their binary.&lt;/p&gt;
&lt;p&gt;The process is relatively straightforward:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;They start by constructing the string on the stack, applying XOR to obfuscate it, and calling &lt;code&gt;FindExport&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;&lt;code&gt;FindExport&lt;/code&gt; then takes the provided base address as the first argument and locates the EAT from that address.&lt;/li&gt;
&lt;li&gt;Lastly, &lt;code&gt;FindExport&lt;/code&gt; iterates through the EAT and compares the provided name with the names of exports to find a match.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;If you need further clarification on this technique, then I recommend exploring Justas Masiulis&amp;rsquo; &lt;a href=&#34;https://github.com/JustasMasiulis/lazy_importer&#34;&gt;Lazy Importer&lt;/a&gt;, which expands on the concept by employing a hash instead of a decryptable string, which improves the level of obfuscation and security.&lt;/p&gt;
&lt;h1 id=&#34;approaching-the-jungle-the-inlined-decryption&#34;&gt;Approaching the Jungle: The Inlined Decryption&lt;/h1&gt;
&lt;p&gt;As we know, EasyAntiCheat takes great pride in protecting against reverse engineering attempts, as can be seen from their new obfuscator.&lt;/p&gt;
&lt;p&gt;So, instead of applying just one layer of encryption to the import addresses, they have opted to add another layer, known as their inlined decryption.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-cpp&#34; data-lang=&#34;cpp&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;v16 &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; DecryptImport(qword_125B00);
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;((&lt;span style=&#34;color:#66d9ef&#34;&gt;void&lt;/span&gt; (&lt;span style=&#34;color:#66d9ef&#34;&gt;__fastcall&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;*&lt;/span&gt;)(&lt;span style=&#34;color:#66d9ef&#34;&gt;__int64&lt;/span&gt;))(__ROL8__(v16, &lt;span style=&#34;color:#ae81ff&#34;&gt;29&lt;/span&gt;) &lt;span style=&#34;color:#f92672&#34;&gt;^&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;0x3A505A07B9BA3B9E&lt;/span&gt;i64))(v15);
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;Just as the name suggests, each caller to the &lt;code&gt;DecryptImport&lt;/code&gt; function decrypts the second layer.&lt;/p&gt;
&lt;p&gt;This is quite a play on their part as it makes it rather difficult to hook imports without knowing the decryption algorithm.&lt;/p&gt;
&lt;p&gt;Of course, one can simply just employ an assembly disassembler and automatically resolve the constants used for decryption.&lt;/p&gt;
&lt;p&gt;While this method certainly performs well in most scenarios, it proves to be a great challenge in functions that leverage obfuscation.&lt;/p&gt;
&lt;p&gt;Another feasible approach would be to capture the context after returning to the obfuscated code from &lt;code&gt;DecryptImport&lt;/code&gt; and emulate until the decryption has completed.&lt;/p&gt;
&lt;p&gt;However, where&amp;rsquo;s the fun in doing that?&lt;/p&gt;
&lt;h1 id=&#34;approaching-the-jungle-the-main-decryption&#34;&gt;Approaching the Jungle: The Main Decryption&lt;/h1&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-cpp&#34; data-lang=&#34;cpp&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;uint64_t&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;DecryptImport&lt;/span&gt;( &lt;span style=&#34;color:#66d9ef&#34;&gt;uint64_t&lt;/span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;*&lt;/span&gt; PublicKeys )
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    &lt;span style=&#34;color:#66d9ef&#34;&gt;uint64_t&lt;/span&gt; First  &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; DecryptFirst( PublicKeys[ &lt;span style=&#34;color:#ae81ff&#34;&gt;0&lt;/span&gt; ] );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    &lt;span style=&#34;color:#66d9ef&#34;&gt;uint64_t&lt;/span&gt; Second &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; DecryptSecond( PublicKeys[ &lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt; ] ) &lt;span style=&#34;color:#f92672&#34;&gt;&amp;lt;&amp;lt;&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;32&lt;/span&gt;;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    &lt;span style=&#34;color:#66d9ef&#34;&gt;return&lt;/span&gt; First &lt;span style=&#34;color:#f92672&#34;&gt;|&lt;/span&gt; Second;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;Based on both of these reversed snippets, I can infer what the encryption process may look like:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Iterate and find the export in a driver&amp;rsquo;s EAT.&lt;/li&gt;
&lt;li&gt;Apply the inlined encryption to the result.&lt;/li&gt;
&lt;li&gt;Apply the main encryption to the result.&lt;/li&gt;
&lt;li&gt;Write both public keys to the designated region.&lt;/li&gt;
&lt;/ul&gt;
&lt;h1 id=&#34;entering-the-jungle-setting-the-traps&#34;&gt;Entering the Jungle: Setting the Traps&lt;/h1&gt;
&lt;p&gt;With that out of the way, I started my analysis by setting a write trap on the public keys of a random encrypted import in the &lt;code&gt;.data&lt;/code&gt; section.&lt;/p&gt;
&lt;p&gt;This enabled me to see what I was dealing with and continue reversing from there.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-cpp&#34; data-lang=&#34;cpp&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;AddEptHook_Range( EacBase &lt;span style=&#34;color:#f92672&#34;&gt;+&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;0x125B00&lt;/span&gt;, EacBase &lt;span style=&#34;color:#f92672&#34;&gt;+&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;0x125B08&lt;/span&gt;, HvDebugger&lt;span style=&#34;color:#f92672&#34;&gt;::&lt;/span&gt;HvAccess&lt;span style=&#34;color:#f92672&#34;&gt;::&lt;/span&gt;Write, 
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    &lt;span style=&#34;color:#f92672&#34;&gt;+&lt;/span&gt;[ ]( HvDebugger&lt;span style=&#34;color:#f92672&#34;&gt;::&lt;/span&gt;HvContext&lt;span style=&#34;color:#f92672&#34;&gt;*&lt;/span&gt; Context, &lt;span style=&#34;color:#66d9ef&#34;&gt;uint64_t&lt;/span&gt; Address, &lt;span style=&#34;color:#66d9ef&#34;&gt;uint64_t&lt;/span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;&amp;amp;&lt;/span&gt; Pfn ) 
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    WriteLog( &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;WriteTrap&amp;#34;&lt;/span&gt;, TraceLoggingHexUInt64( EAC_BASE( Context&lt;span style=&#34;color:#f92672&#34;&gt;-&amp;gt;&lt;/span&gt;Rip ), &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;RipRva&amp;#34;&lt;/span&gt; ), TraceLoggingHexUInt64( EAC_BASE( Address ), &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;AddrRva&amp;#34;&lt;/span&gt; ) );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    &lt;span style=&#34;color:#66d9ef&#34;&gt;return&lt;/span&gt; false;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;} );
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-json&#34; data-lang=&#34;json&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;RipRva&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x91FB7E&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;AddrRva&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x125B00&amp;#34;&lt;/span&gt; }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;RipRva&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0xD1C721&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;AddrRva&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x125B08&amp;#34;&lt;/span&gt; }
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;There were two other writes, but these are used (and read) before the export is found, so I didn&amp;rsquo;t mention them here.&lt;/p&gt;
&lt;p&gt;After looking at these addresses, it&amp;rsquo;s pretty obvious that it&amp;rsquo;s coming from a virtualized function, which was my initial anticipation.&lt;/p&gt;
&lt;h1 id=&#34;entering-the-jungle-following-the-river&#34;&gt;Entering the Jungle: Following the River&lt;/h1&gt;
&lt;p&gt;Since I was now analyzing a virtualized routine, specifically a &lt;code&gt;VMWRITE&lt;/code&gt; handler, I figured that I&amp;rsquo;d take a look at the stack as interesting stuff that could be useful to our investigation may be present on it.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-cpp&#34; data-lang=&#34;cpp&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;uint64_t&lt;/span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;*&lt;/span&gt; Stack &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; ( &lt;span style=&#34;color:#66d9ef&#34;&gt;uint64_t&lt;/span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;*&lt;/span&gt; )Context&lt;span style=&#34;color:#f92672&#34;&gt;-&amp;gt;&lt;/span&gt;Rsp;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;for&lt;/span&gt; ( size_t Idx &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;0&lt;/span&gt;; Idx &lt;span style=&#34;color:#f92672&#34;&gt;&amp;lt;&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;200&lt;/span&gt;; Idx&lt;span style=&#34;color:#f92672&#34;&gt;++&lt;/span&gt; )
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    &lt;span style=&#34;color:#66d9ef&#34;&gt;uint64_t&lt;/span&gt; Value &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; Stack[ Idx ];
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    &lt;span style=&#34;color:#66d9ef&#34;&gt;if&lt;/span&gt; ( Value &lt;span style=&#34;color:#f92672&#34;&gt;&amp;amp;&amp;amp;&lt;/span&gt; IN_EAC( Value ) )
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        WriteLog( &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;StackDump&amp;#34;&lt;/span&gt;, TraceLoggingHexUInt64( Idx ), TraceLoggingHexUInt64( EAC_BASE( Value ), &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;Rva&amp;#34;&lt;/span&gt; ) );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-json&#34; data-lang=&#34;json&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Idx&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x0&amp;#34;&lt;/span&gt;,  &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rva&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x125B00&amp;#34;&lt;/span&gt; } &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;&amp;lt;--&lt;/span&gt; &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;Trap&lt;/span&gt; &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;Location&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Idx&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x23&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rva&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x6F4E4&amp;#34;&lt;/span&gt;  }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Idx&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x24&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rva&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x6F4E4&amp;#34;&lt;/span&gt;  }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Idx&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x25&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rva&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x6F598&amp;#34;&lt;/span&gt;  }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Idx&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x4B&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rva&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x66698C&amp;#34;&lt;/span&gt; }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Idx&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x4D&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rva&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x125B00&amp;#34;&lt;/span&gt; } &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;&amp;lt;--&lt;/span&gt; &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;Trap&lt;/span&gt; &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;Location&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Idx&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x52&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rva&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x18F9E4&amp;#34;&lt;/span&gt; } &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;&amp;lt;--&lt;/span&gt; &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;DriverEntry&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Idx&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x63&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rva&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x18FAC0&amp;#34;&lt;/span&gt; }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Idx&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x65&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rva&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x18FA80&amp;#34;&lt;/span&gt; }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Idx&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x6D&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rva&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x74F8E2&amp;#34;&lt;/span&gt; }
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;After quickly looking at the results, I noticed that &lt;code&gt;0x18F9E4&lt;/code&gt; was the &lt;code&gt;DriverEntry&lt;/code&gt; function, and so everything after that could be easily disregarded.&lt;/p&gt;
&lt;p&gt;Another thing that can be disregarded is &lt;code&gt;0x125B00&lt;/code&gt;, which is the address that I set the trap to in the first place.&lt;/p&gt;
&lt;p&gt;After removing duplicates, I was left with the following results:&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-json&#34; data-lang=&#34;json&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Idx&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x23&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rva&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x6F4E4&amp;#34;&lt;/span&gt;  }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Idx&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x25&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rva&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x6F598&amp;#34;&lt;/span&gt;  }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Idx&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x4B&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rva&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x66698C&amp;#34;&lt;/span&gt; }
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-cpp&#34; data-lang=&#34;cpp&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;__int64&lt;/span&gt; &lt;span style=&#34;color:#66d9ef&#34;&gt;__fastcall&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;sub_6F4E4&lt;/span&gt;(&lt;span style=&#34;color:#66d9ef&#34;&gt;unsigned&lt;/span&gt; &lt;span style=&#34;color:#66d9ef&#34;&gt;__int64&lt;/span&gt; a1, &lt;span style=&#34;color:#66d9ef&#34;&gt;unsigned&lt;/span&gt; &lt;span style=&#34;color:#66d9ef&#34;&gt;__int64&lt;/span&gt; a2, &lt;span style=&#34;color:#66d9ef&#34;&gt;unsigned&lt;/span&gt; &lt;span style=&#34;color:#66d9ef&#34;&gt;int&lt;/span&gt; a3)
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;  &lt;span style=&#34;color:#66d9ef&#34;&gt;unsigned&lt;/span&gt; &lt;span style=&#34;color:#66d9ef&#34;&gt;__int64&lt;/span&gt; v3; &lt;span style=&#34;color:#75715e&#34;&gt;// r9
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;  &lt;span style=&#34;color:#66d9ef&#34;&gt;__int64&lt;/span&gt; i; &lt;span style=&#34;color:#75715e&#34;&gt;// r8
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;  v3 &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; a3;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;  &lt;span style=&#34;color:#66d9ef&#34;&gt;for&lt;/span&gt; ( i &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt;i64; a1; v3 &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; v3 &lt;span style=&#34;color:#f92672&#34;&gt;*&lt;/span&gt; (&lt;span style=&#34;color:#66d9ef&#34;&gt;unsigned&lt;/span&gt; __int128)v3 &lt;span style=&#34;color:#f92672&#34;&gt;%&lt;/span&gt; a2 )
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;  {
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    &lt;span style=&#34;color:#66d9ef&#34;&gt;if&lt;/span&gt; ( (a1 &lt;span style=&#34;color:#f92672&#34;&gt;&amp;amp;&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt;) &lt;span style=&#34;color:#f92672&#34;&gt;!=&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;0&lt;/span&gt; )
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;      i &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; (&lt;span style=&#34;color:#66d9ef&#34;&gt;unsigned&lt;/span&gt; &lt;span style=&#34;color:#66d9ef&#34;&gt;__int64&lt;/span&gt;)i &lt;span style=&#34;color:#f92672&#34;&gt;*&lt;/span&gt; (&lt;span style=&#34;color:#66d9ef&#34;&gt;unsigned&lt;/span&gt; __int128)v3 &lt;span style=&#34;color:#f92672&#34;&gt;%&lt;/span&gt; a2;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    a1 &lt;span style=&#34;color:#f92672&#34;&gt;&amp;gt;&amp;gt;=&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt;;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;  }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;  &lt;span style=&#34;color:#66d9ef&#34;&gt;return&lt;/span&gt; i;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;Just from looking at the general structure of this function, it reminded me of the initial &lt;code&gt;DecryptImport&lt;/code&gt; routine which we went over earlier.&lt;/p&gt;
&lt;p&gt;However, it was quite odd that they&amp;rsquo;d be decrypting the imports before they were even written.&lt;/p&gt;
&lt;p&gt;So, judging by the arguments, and after setting a breakpoint and dumping the registers, it became obvious that this routine is actually used to apply the main encryption to each respective import.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-json&#34; data-lang=&#34;json&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rcx&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x35375306D545459&amp;#34;&lt;/span&gt;,  &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rdx&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x12D8ED6858CD15B7&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;R8&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0xA588E17A&amp;#34;&lt;/span&gt; }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rcx&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x1D34200DE5B033A1&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rdx&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x237626ED2C9C28F3&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;R8&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x20FAECB8&amp;#34;&lt;/span&gt; }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rcx&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x35375306D545459&amp;#34;&lt;/span&gt;,  &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rdx&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x12D8ED6858CD15B7&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;R8&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x63558ACF&amp;#34;&lt;/span&gt; }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rcx&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x1D34200DE5B033A1&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rdx&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x237626ED2C9C28F3&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;R8&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0xAD8C5A8&amp;#34;&lt;/span&gt;  }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rcx&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x35375306D545459&amp;#34;&lt;/span&gt;,  &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rdx&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x12D8ED6858CD15B7&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;R8&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x30696C03&amp;#34;&lt;/span&gt; }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rcx&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x1D34200DE5B033A1&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rdx&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x237626ED2C9C28F3&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;R8&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x46D4F31E&amp;#34;&lt;/span&gt; }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rcx&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x35375306D545459&amp;#34;&lt;/span&gt;,  &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rdx&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x12D8ED6858CD15B7&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;R8&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0xCFBFE39F&amp;#34;&lt;/span&gt; }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rcx&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x1D34200DE5B033A1&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rdx&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x237626ED2C9C28F3&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;R8&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0xBB301A01&amp;#34;&lt;/span&gt; }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rcx&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x35375306D545459&amp;#34;&lt;/span&gt;,  &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rdx&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x12D8ED6858CD15B7&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;R8&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0xD4D49738&amp;#34;&lt;/span&gt; }
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;Yet again, this reminded me of the initial &lt;code&gt;DecryptImport&lt;/code&gt; function, as &lt;code&gt;RDX&lt;/code&gt;, which represents the public key, was exactly the same.&lt;/p&gt;
&lt;p&gt;This function is being called twice, with each public and private key, on the inline encrypted values, which is represented using &lt;code&gt;R8&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;The next function on the list, namely &lt;code&gt;0x6F598&lt;/code&gt;, had also piqued my interest during the investigation.&lt;/p&gt;
&lt;p&gt;Much like the previous function, I also dumped the registers and noticed something rather interesting about the registers at hand.&lt;/p&gt;
&lt;p&gt;When I looked at the registers, &lt;code&gt;RCX&lt;/code&gt; was the only interesting one, as it pointed to &lt;code&gt;0x1861D0&lt;/code&gt;, which was an empty region in the &lt;code&gt;.data&lt;/code&gt; section.&lt;/p&gt;
&lt;p&gt;I decided to continue searching for anything else that was interesting and kept this address in mind.&lt;/p&gt;
&lt;p&gt;Lastly, I was left with a &lt;code&gt;VMCALL&lt;/code&gt; handler, which after some quick analysis, didn&amp;rsquo;t turn out useful.&lt;/p&gt;
&lt;h1 id=&#34;entering-the-jungle-the-kings-den&#34;&gt;Entering the Jungle: The King&amp;rsquo;s Den&lt;/h1&gt;
&lt;p&gt;To gather some more information and determine how they were comparing the names, I decided to set a read trap on &lt;code&gt;NtGlobalFlag&lt;/code&gt;&amp;rsquo;s name in &lt;code&gt;ntoskrnl.exe&lt;/code&gt;&amp;rsquo;s EAT, as I already knew that they&amp;rsquo;re using this import.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-cpp&#34; data-lang=&#34;cpp&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;AddEptHook( Utils&lt;span style=&#34;color:#f92672&#34;&gt;::&lt;/span&gt;GetExportName( &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;NtGlobalFlag&amp;#34;&lt;/span&gt; ), HvDebugger&lt;span style=&#34;color:#f92672&#34;&gt;::&lt;/span&gt;HvAccess&lt;span style=&#34;color:#f92672&#34;&gt;::&lt;/span&gt;Read, 
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    &lt;span style=&#34;color:#f92672&#34;&gt;+&lt;/span&gt;[ ]( HvDebugger&lt;span style=&#34;color:#f92672&#34;&gt;::&lt;/span&gt;HvContext&lt;span style=&#34;color:#f92672&#34;&gt;*&lt;/span&gt; Context, &lt;span style=&#34;color:#66d9ef&#34;&gt;uint64_t&lt;/span&gt; Address, &lt;span style=&#34;color:#66d9ef&#34;&gt;uint64_t&lt;/span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;&amp;amp;&lt;/span&gt; Pfn ) 
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    WriteLog( &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;ReadTrap&amp;#34;&lt;/span&gt;, TraceLoggingHexUInt64( EAC_BASE( Context&lt;span style=&#34;color:#f92672&#34;&gt;-&amp;gt;&lt;/span&gt;Rip ), &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;Rva&amp;#34;&lt;/span&gt; ) );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    &lt;span style=&#34;color:#66d9ef&#34;&gt;uint64_t&lt;/span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;*&lt;/span&gt; Stack &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; ( &lt;span style=&#34;color:#66d9ef&#34;&gt;uint64_t&lt;/span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;*&lt;/span&gt; )Context&lt;span style=&#34;color:#f92672&#34;&gt;-&amp;gt;&lt;/span&gt;Rsp;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    &lt;span style=&#34;color:#66d9ef&#34;&gt;for&lt;/span&gt; ( size_t Idx &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;0&lt;/span&gt;; Idx &lt;span style=&#34;color:#f92672&#34;&gt;&amp;lt;&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;200&lt;/span&gt;; Idx&lt;span style=&#34;color:#f92672&#34;&gt;++&lt;/span&gt; )
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    {
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        &lt;span style=&#34;color:#66d9ef&#34;&gt;uint64_t&lt;/span&gt; Value &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; Stack[ Idx ];
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        &lt;span style=&#34;color:#66d9ef&#34;&gt;if&lt;/span&gt; ( Value &lt;span style=&#34;color:#f92672&#34;&gt;&amp;amp;&amp;amp;&lt;/span&gt; IN_EAC( Value ) )
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;            WriteLog( &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;StackDump&amp;#34;&lt;/span&gt;, TraceLoggingHexUInt64( Idx ), TraceLoggingHexUInt64( EAC_BASE( Value ), &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;Rva&amp;#34;&lt;/span&gt; ) );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    &lt;span style=&#34;color:#66d9ef&#34;&gt;return&lt;/span&gt; false;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;} );
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-json&#34; data-lang=&#34;json&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rva&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x2FE234&amp;#34;&lt;/span&gt;               } &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;&amp;lt;--&lt;/span&gt; &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;Read&lt;/span&gt; &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;Handler&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rva&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x4637B&amp;#34;&lt;/span&gt;                } &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;&amp;lt;--&lt;/span&gt; &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;SHA&lt;/span&gt;&lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt; &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;Read&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Idx&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0xF&amp;#34;&lt;/span&gt;,  &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rva&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x6B09A5&amp;#34;&lt;/span&gt; } &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;&amp;lt;--&lt;/span&gt; &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;SHA&lt;/span&gt;&lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt; &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;Caller&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Idx&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x13&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rva&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x463AC&amp;#34;&lt;/span&gt;  } &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;&amp;lt;--&lt;/span&gt; &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;SHA&lt;/span&gt;&lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt; &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;Function&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Idx&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x1E&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rva&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x125600&amp;#34;&lt;/span&gt; } &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;&amp;lt;--&lt;/span&gt; &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;Export&lt;/span&gt; &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;Keys&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Idx&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x1F&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rva&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x6F584&amp;#34;&lt;/span&gt;  } &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;&amp;lt;--&lt;/span&gt; &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;Placeholder&lt;/span&gt; &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;Function&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Idx&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x3A&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rva&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x1861D0&amp;#34;&lt;/span&gt; } &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;&amp;lt;--&lt;/span&gt; &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;Chunk&lt;/span&gt; &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;in&lt;/span&gt; &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;.data&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Idx&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x3D&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rva&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x924C56&amp;#34;&lt;/span&gt; }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Idx&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x67&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rva&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x66698C&amp;#34;&lt;/span&gt; } &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;&amp;lt;--&lt;/span&gt; &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;Useless&lt;/span&gt; &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;Function&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Idx&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x69&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rva&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x1260F8&amp;#34;&lt;/span&gt; } &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;&amp;lt;--&lt;/span&gt; &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;Random&lt;/span&gt; &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;Export&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Idx&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x6E&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rva&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x18F9E4&amp;#34;&lt;/span&gt; } &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;&amp;lt;--&lt;/span&gt; &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;DriverEntry&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Idx&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x7F&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rva&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x18FAC0&amp;#34;&lt;/span&gt; }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Idx&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x81&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rva&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x18FA80&amp;#34;&lt;/span&gt; }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Idx&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x89&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rva&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x74F8E2&amp;#34;&lt;/span&gt; }
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;That&amp;rsquo;s exciting to see! They were still relying on their SHA1 algorithm to read and compare the names of exports, which I noticed from the distinct constants that are used in the SHA1 context.&lt;/p&gt;
&lt;p&gt;Since the SHA1 routine was provided with the length, and the initial reading handlers were reading all of the bytes in the name, I came to the conclusion that it was an inlined &lt;code&gt;strlen&lt;/code&gt;, which was virtualized.&lt;/p&gt;
&lt;p&gt;Just like before, I removed the useless entries that are labeled, which left me with a single entry: &lt;code&gt;0x924C56&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;It&amp;rsquo;s also important to note that, yet again, &lt;code&gt;0x1861D0&lt;/code&gt; appears, so I deemed it quite important.&lt;/p&gt;
&lt;p&gt;Now, given that the entry was a &lt;code&gt;VMCALL&lt;/code&gt; instruction, I dumped the destination and registers alike.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-cpp&#34; data-lang=&#34;cpp&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;AddEptHook( EacBase &lt;span style=&#34;color:#f92672&#34;&gt;+&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;0x924C52&lt;/span&gt;, HvDebugger&lt;span style=&#34;color:#f92672&#34;&gt;::&lt;/span&gt;HvAccess&lt;span style=&#34;color:#f92672&#34;&gt;::&lt;/span&gt;Execute, 
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    &lt;span style=&#34;color:#f92672&#34;&gt;+&lt;/span&gt;[ ]( HvDebugger&lt;span style=&#34;color:#f92672&#34;&gt;::&lt;/span&gt;HvContext&lt;span style=&#34;color:#f92672&#34;&gt;*&lt;/span&gt; Context, &lt;span style=&#34;color:#66d9ef&#34;&gt;uint64_t&lt;/span&gt; Address, &lt;span style=&#34;color:#66d9ef&#34;&gt;uint64_t&lt;/span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;&amp;amp;&lt;/span&gt; Pfn ) 
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    &lt;span style=&#34;color:#75715e&#34;&gt;/*
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;      seg007:0000000000924C4B add rsp, 110h
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;      seg007:0000000000924C52 call qword ptr [rsp+8]
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;      seg007:0000000000924C56 sub rsp, 110h
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;    */&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    &lt;span style=&#34;color:#66d9ef&#34;&gt;uint64_t&lt;/span&gt; Function &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;*&lt;/span&gt;( &lt;span style=&#34;color:#66d9ef&#34;&gt;uint64_t&lt;/span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;*&lt;/span&gt; )( Context&lt;span style=&#34;color:#f92672&#34;&gt;-&amp;gt;&lt;/span&gt;Rsp &lt;span style=&#34;color:#f92672&#34;&gt;+&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;8&lt;/span&gt; );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    WriteLog( &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;Vmcall&amp;#34;&lt;/span&gt;, TraceLoggingHexUInt64( EAC_BASE( Function ), &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;Function&amp;#34;&lt;/span&gt; ) );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    HvDebugger&lt;span style=&#34;color:#f92672&#34;&gt;::&lt;/span&gt;DumpRegisters( Context );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    &lt;span style=&#34;color:#66d9ef&#34;&gt;return&lt;/span&gt; false;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;} );
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-json&#34; data-lang=&#34;json&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Function&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x72E98&amp;#34;&lt;/span&gt;                       }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Name&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;RCX&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Value&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0xFFFF8E8BAE7255E0&amp;#34;&lt;/span&gt; }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Name&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;RDX&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Value&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0xFFFFF80706E00000&amp;#34;&lt;/span&gt; } &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;&amp;lt;--&lt;/span&gt; &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;Ntoskrnl&lt;/span&gt; &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;Base&lt;/span&gt; &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;Address&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Name&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;R8&amp;#34;&lt;/span&gt;,  &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Value&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0xFFFF8E8BAE7256C0&amp;#34;&lt;/span&gt; }
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;Awesome, this was exactly the function that I was looking for, which I deemed as &lt;code&gt;InitializeImports&lt;/code&gt;!&lt;/p&gt;
&lt;p&gt;This function, in fact, was called for every module that EasyAntiCheat wanted to initialize protected imports for, and was provided with the base address.&lt;/p&gt;
&lt;p&gt;After further analysis, the function&amp;rsquo;s parameters are as follows:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;RCX&lt;/code&gt;: A pointer to both public keys.&lt;/li&gt;
&lt;li&gt;&lt;code&gt;RDX&lt;/code&gt;: The module&amp;rsquo;s base address.&lt;/li&gt;
&lt;li&gt;&lt;code&gt;R8&lt;/code&gt;: A pointer to an integer that was written the number of resolved imports, which was determinated by logging writes, and observing the integer increasing when an import was resolved.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;While this is definitely all useful information, I still had the question: how did they know which imports to find?&lt;/p&gt;
&lt;p&gt;As I mentioned previously, none of the registers contained anything that held this information.&lt;/p&gt;
&lt;p&gt;But then I thought of something: what if they were writing it to &lt;code&gt;0x1861D0&lt;/code&gt;?&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-cpp&#34; data-lang=&#34;cpp&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;AddEptHook( EacBase &lt;span style=&#34;color:#f92672&#34;&gt;+&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;0x1861D0&lt;/span&gt;, HvDebugger&lt;span style=&#34;color:#f92672&#34;&gt;::&lt;/span&gt;HvAccess&lt;span style=&#34;color:#f92672&#34;&gt;::&lt;/span&gt;Read,
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    &lt;span style=&#34;color:#f92672&#34;&gt;+&lt;/span&gt;[ ]( HvDebugger&lt;span style=&#34;color:#f92672&#34;&gt;::&lt;/span&gt;HvContext&lt;span style=&#34;color:#f92672&#34;&gt;*&lt;/span&gt; Context, &lt;span style=&#34;color:#66d9ef&#34;&gt;uint64_t&lt;/span&gt; Address, &lt;span style=&#34;color:#66d9ef&#34;&gt;uint64_t&lt;/span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;&amp;amp;&lt;/span&gt; Pfn )
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;		WriteLog( &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;ReadTrap&amp;#34;&lt;/span&gt;, TraceLoggingString( Symbolize( Context&lt;span style=&#34;color:#f92672&#34;&gt;-&amp;gt;&lt;/span&gt;Rip ), &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;Name&amp;#34;&lt;/span&gt; ) );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;		&lt;span style=&#34;color:#66d9ef&#34;&gt;return&lt;/span&gt; false;	
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;} );
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-json&#34; data-lang=&#34;json&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Name&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;EasyAntiCheat_EOS.sys+0x73228&amp;#34;&lt;/span&gt;  } &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;&amp;lt;--&lt;/span&gt; &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;Sorting&lt;/span&gt; &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;Function&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Name&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;ntoskrnl.exe+0x3D0A9A&amp;#34;&lt;/span&gt;          } &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;&amp;lt;--&lt;/span&gt; &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;qsort&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Name&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;ntoskrnl.exe+0x3D0AD3&amp;#34;&lt;/span&gt;          } &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;&amp;lt;--&lt;/span&gt; &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;qsort&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Name&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;EasyAntiCheat_EOS.sys+0x7322B&amp;#34;&lt;/span&gt;  } &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;&amp;lt;--&lt;/span&gt; &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;Sorting&lt;/span&gt; &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;Function&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Name&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;ntoskrnl.exe+0x3D0A23&amp;#34;&lt;/span&gt;          } &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;&amp;lt;--&lt;/span&gt; &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;qsort&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Name&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;EasyAntiCheat_EOS.sys+0x21F118&amp;#34;&lt;/span&gt; } &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;&amp;lt;--&lt;/span&gt; &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;Reading&lt;/span&gt; &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;Handler&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Name&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;EasyAntiCheat_EOS.sys+0x855527&amp;#34;&lt;/span&gt; } &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;&amp;lt;--&lt;/span&gt; &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;Reading&lt;/span&gt; &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;Handler&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Name&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;EasyAntiCheat_EOS.sys+0x425042&amp;#34;&lt;/span&gt; } &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;&amp;lt;--&lt;/span&gt; &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;Reading&lt;/span&gt; &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;Handler&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Name&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;EasyAntiCheat_EOS.sys+0x86D2BC&amp;#34;&lt;/span&gt; } &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;&amp;lt;--&lt;/span&gt; &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;Reading&lt;/span&gt; &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;Handler&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Name&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;EasyAntiCheat_EOS.sys+0x425042&amp;#34;&lt;/span&gt; } &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;&amp;lt;--&lt;/span&gt; &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;Reading&lt;/span&gt; &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;Handler&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;This was quite interesting, as sorting them is definitely smart on their end, as it allows for faster iteration later on.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-cpp&#34; data-lang=&#34;cpp&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;AddEptHook( Utils&lt;span style=&#34;color:#f92672&#34;&gt;::&lt;/span&gt;GetExport( &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;qsort&amp;#34;&lt;/span&gt; ), HvDebugger&lt;span style=&#34;color:#f92672&#34;&gt;::&lt;/span&gt;HvAccess&lt;span style=&#34;color:#f92672&#34;&gt;::&lt;/span&gt;Execute,
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    &lt;span style=&#34;color:#f92672&#34;&gt;+&lt;/span&gt;[ ]( HvDebugger&lt;span style=&#34;color:#f92672&#34;&gt;::&lt;/span&gt;HvContext&lt;span style=&#34;color:#f92672&#34;&gt;*&lt;/span&gt; Context, uintptr_t Address, &lt;span style=&#34;color:#66d9ef&#34;&gt;uint64_t&lt;/span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;&amp;amp;&lt;/span&gt; Pfn )
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    &lt;span style=&#34;color:#66d9ef&#34;&gt;uint64_t&lt;/span&gt; ReturnAddress &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;*&lt;/span&gt;( &lt;span style=&#34;color:#66d9ef&#34;&gt;uint64_t&lt;/span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;*&lt;/span&gt; )Context&lt;span style=&#34;color:#f92672&#34;&gt;-&amp;gt;&lt;/span&gt;Rsp;  
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    &lt;span style=&#34;color:#66d9ef&#34;&gt;if&lt;/span&gt; ( &lt;span style=&#34;color:#f92672&#34;&gt;!&lt;/span&gt;IN_EAC( ReturnAddress ) )
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;      &lt;span style=&#34;color:#66d9ef&#34;&gt;return&lt;/span&gt; false;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    Utils&lt;span style=&#34;color:#f92672&#34;&gt;::&lt;/span&gt;DumpArray( &lt;span style=&#34;color:#f92672&#34;&gt;&amp;amp;&lt;/span&gt;FormatElements, Context&lt;span style=&#34;color:#f92672&#34;&gt;-&amp;gt;&lt;/span&gt;Gpr&lt;span style=&#34;color:#f92672&#34;&gt;-&amp;gt;&lt;/span&gt;rcx &lt;span style=&#34;color:#75715e&#34;&gt;/* Base of Elements */&lt;/span&gt;, Context&lt;span style=&#34;color:#f92672&#34;&gt;-&amp;gt;&lt;/span&gt;Gpr&lt;span style=&#34;color:#f92672&#34;&gt;-&amp;gt;&lt;/span&gt;rdx &lt;span style=&#34;color:#75715e&#34;&gt;/* Number of Elements */&lt;/span&gt;, Context&lt;span style=&#34;color:#f92672&#34;&gt;-&amp;gt;&lt;/span&gt;Gpr&lt;span style=&#34;color:#f92672&#34;&gt;-&amp;gt;&lt;/span&gt;r8 &lt;span style=&#34;color:#75715e&#34;&gt;/* Size of Elements */&lt;/span&gt; );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    &lt;span style=&#34;color:#66d9ef&#34;&gt;return&lt;/span&gt; false;	
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;} );
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-json&#34; data-lang=&#34;json&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Sort&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x6556BC1D6053223C&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;InlinedKey&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x65091738C0592277&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Export&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x1263E8&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Default&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x6F584&amp;#34;&lt;/span&gt; }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Sort&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x386399B9B0FD723E&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;InlinedKey&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0xF26FB57ABCF6FADF&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Export&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x126408&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Default&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x6F584&amp;#34;&lt;/span&gt; }
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-cpp&#34; data-lang=&#34;cpp&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;struct&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;ProtectedImportData&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    &lt;span style=&#34;color:#66d9ef&#34;&gt;uint64_t&lt;/span&gt; Sort;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    &lt;span style=&#34;color:#66d9ef&#34;&gt;uint64_t&lt;/span&gt; InlinedKey;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    &lt;span style=&#34;color:#66d9ef&#34;&gt;uint64_t&lt;/span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;*&lt;/span&gt; PublicKeys;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    &lt;span style=&#34;color:#66d9ef&#34;&gt;uint64_t&lt;/span&gt; Default;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;blockquote&gt;
&lt;p&gt;This dump was much larger, but I condensed it for readability.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;My suspicions were correct, as EasyAntiCheat is indeed temporarily storing the import data here, and wiping it after they&amp;rsquo;ve encrypted their imports.&lt;/p&gt;
&lt;p&gt;Another interesting thing is that, if the import couldn&amp;rsquo;t be resolved, they resort to using default values instead, which I noticed after looking at the default values in IDA.&lt;/p&gt;
&lt;p&gt;On a final note, EasyAntiCheat also uses &lt;code&gt;RtlPcToFileHeader&lt;/code&gt;, on itself, to locate the base address for &lt;code&gt;ntoskrnl.exe&lt;/code&gt;. The base address is then encrypted, and stored, within the &lt;code&gt;.data&lt;/code&gt; section, with a boolean to say that it was found.&lt;/p&gt;
&lt;h1 id=&#34;leaving-the-jungle-winning-the-battle&#34;&gt;Leaving the Jungle: Winning the Battle&lt;/h1&gt;
&lt;p&gt;In conclusion, EasyAntiCheat has opted for quite an effective method in dealing with hardening against reverse engineering attempts.&lt;/p&gt;
&lt;p&gt;However, like with anything in this field, it is subject to being analyzed.&lt;/p&gt;
&lt;p&gt;As per usual, I have left an exercise for the reader, which you will quickly notice when attempting to generate decryption stubs for the imports.&lt;/p&gt;
&lt;p&gt;Until next time!&lt;/p&gt;
</content>
    </item>
    
    <item>
      <title>The Unseen Guardian: EasyAntiCheat’s EProcess Emulation</title>
      <link>/posts/easyanticheat-eprocess-emulation/</link>
      <pubDate>Thu, 06 Jul 2023 00:00:00 +0000</pubDate>
      
      <guid>/posts/easyanticheat-eprocess-emulation/</guid>
      <description>Disclaimer The information provided in this document is intended solely for educational and informational purposes. It is not meant to belittle EasyAntiCheat or any individuals involved in its development or implementation. Rather, it aims to shed light on the internal workings of EasyAntiCheat so that consumers can better understand what happens behind the scenes when playing their favorite games. Any opinions expressed herein do not necessarily reflect those of EasyAntiCheat or any other parties mentioned.</description>
      <content>&lt;h1 id=&#34;disclaimer&#34;&gt;Disclaimer&lt;/h1&gt;
&lt;p&gt;The information provided in this document is intended &lt;strong&gt;solely for educational and informational purposes&lt;/strong&gt;. It is &lt;strong&gt;not meant to belittle EasyAntiCheat&lt;/strong&gt; or any individuals involved in its development or implementation. Rather, it aims to shed light on the internal workings of EasyAntiCheat so that consumers can better understand what happens behind the scenes when playing their favorite games. Any opinions expressed herein &lt;strong&gt;do not necessarily reflect those of EasyAntiCheat&lt;/strong&gt; or any other parties mentioned. This document is provided &amp;ldquo;&lt;strong&gt;as is&lt;/strong&gt;&amp;rdquo; without warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability and fitness for a particular purpose. I shall not be liable for any damages whatsoever arising out of or in connection with the use of this document.&lt;/p&gt;
&lt;h1 id=&#34;introduction&#34;&gt;Introduction&lt;/h1&gt;
&lt;p&gt;In a world where virtual battlegrounds have become the arena for fierce competition, cheaters threaten to undermine the very foundations of fair play. But what if the key to safeguarding the integrity of online gaming lies in an elusive strategy, cleverly concealed from prying eyes? Enter EasyAntiCheat, the silent sentinel dedicated to preserving the sanctity of gaming realms.&lt;/p&gt;
&lt;p&gt;As we dive into the depths of this captivating tale, we uncover a hidden gem that unfolds like a thrilling detective novel. Beneath the surface of EasyAntiCheat&amp;rsquo;s armor, a remarkable methodology emerges—one that involves the cunning emulation of &lt;code&gt;NtCreateUserProcess&lt;/code&gt;, subtly controlling the very essence of construction within the gaming universe.&lt;/p&gt;
&lt;h1 id=&#34;before-we-dive-in-getting-the-basics-right&#34;&gt;Before We Dive In: Getting the Basics Right&lt;/h1&gt;
&lt;p&gt;To proceed with the remaining part of the article, I recommend first addressing these topics:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&#34;https://advancedvectorextensions.github.io/posts/easyanticheat-cr3-protection/&#34;&gt;EasyAntiCheat&amp;rsquo;s CR3 Protection&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;https://www.youtube.com/watch?v=DRH0oRFwFiM&#34;&gt;Virtualization-Based Obfuscators&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/eprocess&#34;&gt;Windows Kernel Opaque Structures&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h1 id=&#34;the-problem&#34;&gt;The Problem&lt;/h1&gt;
&lt;p&gt;In the past, it was possible to register a process creation callback and obtain the game&amp;rsquo;s real &lt;code&gt;CR3&lt;/code&gt; before EasyAntiCheat modified it. However, little did we know that a significant change was about to take place.&lt;/p&gt;
&lt;p&gt;As I was going about my daily routine, a message from my friend popped up on Discord, stating that his cheat was no longer functional. The reason behind this sudden disruption? Registering a process creation callback now yielded an incorrect &lt;code&gt;CR3&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;Naturally, I couldn&amp;rsquo;t let this revelation pass without verifying it firsthand. Intrigued and determined, I embarked on a mission to uncover the truth.&lt;/p&gt;
&lt;p&gt;&lt;img src=&#34;https://i.imgur.com/db1KvTC.png&#34; alt=&#34;&#34;&gt;&lt;/p&gt;
&lt;p&gt;Before diving deep, and to get a rough idea of what they were doing, I installed a hook on &lt;code&gt;PspInsertProcess&lt;/code&gt; to see if the &lt;code&gt;CR3&lt;/code&gt; had been altered. To my surprise, it had been!&lt;/p&gt;
&lt;p&gt;This was quite odd because there were no easy hook points in &lt;code&gt;PspAllocateProcess&lt;/code&gt; without installing a hook that was local to the game&amp;rsquo;s launcher process, which required doing trickery with the &lt;code&gt;PFN&lt;/code&gt;, and is rather a versatile approach.&lt;/p&gt;
&lt;p&gt;But, more importantly, what does this change mean? Well, it simply means that either scanning for the &lt;code&gt;CR3&lt;/code&gt; or decrypting it is now required.&lt;/p&gt;
&lt;h1 id=&#34;the-interrogation-who-dares-touch-the-eprocess&#34;&gt;The Interrogation: Who Dares Touch the EProcess?&lt;/h1&gt;
&lt;p&gt;To initiate my reversing process, I needed to obtain access to the &lt;code&gt;EProcess&lt;/code&gt; allocation before EasyAntiCheat made any modifications to it.&lt;/p&gt;
&lt;p&gt;During my investigation of the &lt;code&gt;PspAllocateProcess&lt;/code&gt; function in search of a convenient hook point, I stumbled upon the &lt;code&gt;PspInitializeProcessLock&lt;/code&gt; function, which proved to be relatively simple to re-implement.&lt;/p&gt;
&lt;p&gt;&lt;img src=&#34;https://i.imgur.com/hYcJUxw.png&#34; alt=&#34;&#34;&gt;&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;While I could&amp;rsquo;ve hooked another function, this function didn&amp;rsquo;t require using a trampoline.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;If we delve deeper into the allocation function, we encounter a function named &lt;code&gt;MmCreateProcessAddressSpace&lt;/code&gt;, which is responsible for writing to the process&amp;rsquo; &lt;code&gt;CR3&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;&lt;img src=&#34;https://i.imgur.com/RMy5hRd.png&#34; alt=&#34;&#34;&gt;&lt;/p&gt;
&lt;p&gt;So, by understanding where the &lt;code&gt;CR3&lt;/code&gt; is written, we can determine if it is intercepted by EasyAntiCheat, and not written by the original location.&lt;/p&gt;
&lt;p&gt;To accomplish this, I decided to utilize my hypervisor and set an &lt;code&gt;EPT&lt;/code&gt; breakpoint on the page that contained the &lt;code&gt;EProcess&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;Considering that the function was likely to be called from within the launcher&amp;rsquo;s context, I simply compared the name to the launcher&amp;rsquo;s name for verification.&lt;/p&gt;
&lt;p&gt;&lt;img src=&#34;https://i.imgur.com/63FIn9n.png&#34; alt=&#34;&#34;&gt;&lt;/p&gt;
&lt;p&gt;Since the &lt;code&gt;EProcess&lt;/code&gt; might not be allocated on a page boundary, I saved the address and checked if the violation occurred within the specified range.&lt;/p&gt;
&lt;p&gt;&lt;img src=&#34;https://i.imgur.com/KXGFD5c.png&#34; alt=&#34;&#34;&gt;&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-json&#34; data-lang=&#34;json&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rva&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x58233A&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rbp&amp;#34;&lt;/span&gt;: &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x4000000853FFF000&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;...Other&lt;/span&gt; &lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;Registers...&lt;/span&gt; }
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;Now, as you can clearly observe, this is precisely where EasyAntiCheat is writing their manipulated &lt;code&gt;CR3&lt;/code&gt; value to the &lt;code&gt;EProcess&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;&lt;img src=&#34;https://i.imgur.com/Mjh781a.png&#34; alt=&#34;&#34;&gt;&lt;/p&gt;
&lt;p&gt;Unfortunately, but not surprisingly, the routine responsible for writing the &lt;code&gt;CR3&lt;/code&gt; is virtualized.&lt;/p&gt;
&lt;p&gt;Instead of investing time and effort into tracing and lifting the VM, an alternative approach would be to search for other sections of code that are not virtualized.&lt;/p&gt;
&lt;p&gt;However, it&amp;rsquo;s crucial to remember and keep track of the mentioned piece of code, as it holds significance for future stages.&lt;/p&gt;
&lt;h1 id=&#34;the-interrogation-the-search-party&#34;&gt;The Interrogation: The Search Party&lt;/h1&gt;
&lt;p&gt;As we are aware from the previous section, EasyAntiCheat is somehow intercepting the &lt;code&gt;PspAllocateProcess&lt;/code&gt; function and modifying the &lt;code&gt;CR3&lt;/code&gt; very early on in the process.&lt;/p&gt;
&lt;p&gt;Considering this information, it is not far-fetched to speculate that they may also be writing to the other components? To confirm this, I removed the offset check, and logged every write to the &lt;code&gt;EProcess&lt;/code&gt;.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-json&#34; data-lang=&#34;json&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rva&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x42106&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Offset&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x5E8&amp;#34;&lt;/span&gt; }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rva&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x42106&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Offset&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x5E0&amp;#34;&lt;/span&gt; }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rva&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x42106&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Offset&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x8A8&amp;#34;&lt;/span&gt; }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rva&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x42106&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Offset&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x8A0&amp;#34;&lt;/span&gt; }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rva&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x42106&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Offset&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x998&amp;#34;&lt;/span&gt; }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Rva&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x42106&amp;#34;&lt;/span&gt;, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Offset&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x990&amp;#34;&lt;/span&gt; }
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;blockquote&gt;
&lt;p&gt;This log was quite a big bigger, but I stripped it down for clarity&amp;rsquo;s sake.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;After following the Rva, I was introduced with a wonderful looking switch case.&lt;/p&gt;
&lt;p&gt;&lt;img src=&#34;https://i.imgur.com/GmyyqmN.png&#34; alt=&#34;&#34;&gt;&lt;/p&gt;
&lt;p&gt;Now, when examining this, what does it appear to be? Well, to me, it resembles some kind of function for writing to registers.&lt;/p&gt;
&lt;p&gt;To further validate my suspicions, I logged the return address and proceeded to track its path.&lt;/p&gt;
&lt;p&gt;&lt;img src=&#34;https://i.imgur.com/PSzWLFJ.png&#34; alt=&#34;&#34;&gt;&lt;/p&gt;
&lt;p&gt;&lt;img src=&#34;https://i.imgur.com/o8kkNha.png&#34; alt=&#34;&#34;&gt;&lt;/p&gt;
&lt;p&gt;Well, this turned out to be a highly successful endeavor, as upon further exploration of the function, it became apparent that it was in fact a CPU emulator!&lt;/p&gt;
&lt;p&gt;&lt;img src=&#34;https://i.imgur.com/TZ6Hi7Z.png&#34; alt=&#34;&#34;&gt;&lt;/p&gt;
&lt;p&gt;&lt;img src=&#34;https://i.imgur.com/GjZfcxD.png&#34; alt=&#34;&#34;&gt;&lt;/p&gt;
&lt;p&gt;Indeed, now everything falls into place. It appears that they were emulating the &lt;code&gt;EProcess&lt;/code&gt; construction process and manipulating the &lt;code&gt;CR3&lt;/code&gt; write through their emulation engine. This explains how EasyAntiCheat was able to intercept and modify the &lt;code&gt;CR3&lt;/code&gt; value at such an early stage.&lt;/p&gt;
&lt;h1 id=&#34;the-interrogation-the-operator&#34;&gt;The Interrogation: The Operator&lt;/h1&gt;
&lt;p&gt;Driven by my curiosity, I persisted in tracing the return stack as I was eager to uncover the exact workings of this emulation engine, and who dared to operate it.&lt;/p&gt;
&lt;p&gt;&lt;img src=&#34;https://i.imgur.com/f77zXwi.png&#34; alt=&#34;&#34;&gt;&lt;/p&gt;
&lt;p&gt;&lt;img src=&#34;https://i.imgur.com/STyhKlO.png&#34; alt=&#34;&#34;&gt;&lt;/p&gt;
&lt;p&gt;I understand that the code may appear obfuscated, but rest assured, it holds valuable significance for our investigation.&lt;/p&gt;
&lt;p&gt;As you may have already deduced, this is, in fact, a handler within their VM, which I have identified as &lt;code&gt;BRANCHCALL&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;Let&amp;rsquo;s begin by tracing the branch that is executed when the emulation succeeds, which has the offset &lt;code&gt;0xFFFFFFFFF844BC37&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;&lt;img src=&#34;https://i.imgur.com/Uku8hDb.png&#34; alt=&#34;&#34;&gt;&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;This is known as the dispatcher, which the handler uses to dispatch control flow.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;It seems relatively straightforward. By adding both constants together, we obtain another branch, which leads to an &lt;code&gt;EXIT&lt;/code&gt; handler.&lt;/p&gt;
&lt;p&gt;&lt;img src=&#34;https://i.imgur.com/O6tVajD.png&#34; alt=&#34;&#34;&gt;&lt;/p&gt;
&lt;p&gt;In the other branch, which is executed when the emulation is not completed, the code continues the loop and proceeds with further emulation.&lt;/p&gt;
&lt;h1 id=&#34;the-interrogation-stealing-the-flow&#34;&gt;The Interrogation: Stealing the Flow&lt;/h1&gt;
&lt;p&gt;To determine the starting and ending points of the emulation process, I referred to my reliable hypervisor and hooked the &lt;code&gt;BRANCHCALL&lt;/code&gt; handler.&lt;/p&gt;
&lt;p&gt;&lt;img src=&#34;https://i.imgur.com/Rs2MYmc.png&#34; alt=&#34;&#34;&gt;&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;These offsets were gathered by inspecting the assembly in the handler, and are relative to the VM.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-json&#34; data-lang=&#34;json&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;vRip&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0xFFFFF80681274376&amp;#34;&lt;/span&gt; }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;vRip&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0xFFFFF80681274379&amp;#34;&lt;/span&gt; }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;vRip&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0xFFFFF8068127437E&amp;#34;&lt;/span&gt; }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;vRip&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0xFFFFF80681274385&amp;#34;&lt;/span&gt; }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;vRip&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0xFFFFF80681274387&amp;#34;&lt;/span&gt; }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;vRip&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0xFFFFF80681274389&amp;#34;&lt;/span&gt; }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;vRip&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0xFFFFF8068127438B&amp;#34;&lt;/span&gt; } 
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;vRip&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0xFFFFF8068127438D&amp;#34;&lt;/span&gt; }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;vRip&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0xFFFFF8068127438E&amp;#34;&lt;/span&gt; }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;vRip&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0xFFFFF8068127438F&amp;#34;&lt;/span&gt; }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;vRip&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0xFFFFF80681274390&amp;#34;&lt;/span&gt; }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;vRip&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0xFFFFF80681274391&amp;#34;&lt;/span&gt; }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{ &lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;vRip&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;0x0000000000000000&amp;#34;&lt;/span&gt; }
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;blockquote&gt;
&lt;p&gt;This log was quite a big bigger, but I stripped it down for clarity&amp;rsquo;s sake.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;They were actually emulating even further back than I initially suspected. From analyzing my log, it became apparent that they were emulating &lt;code&gt;NtCreateUserProcess&lt;/code&gt;!&lt;/p&gt;
&lt;p&gt;To halt the emulation engine at the end of the function, they set the return address to &lt;code&gt;NULL&lt;/code&gt;, effectively stopping the emulation process.&lt;/p&gt;
&lt;h1 id=&#34;the-interrogation-the-backbone&#34;&gt;The Interrogation: The Backbone&lt;/h1&gt;
&lt;p&gt;Remember those random function pointers in the emulator&amp;rsquo;s context? Well, they&amp;rsquo;re not so random afterall, and are actually the backbone of this entire process.&lt;/p&gt;
&lt;p&gt;Let&amp;rsquo;s start with analyzing this one, which lives at the top of the emulator&amp;rsquo;s function.&lt;/p&gt;
&lt;p&gt;&lt;img src=&#34;https://i.imgur.com/sLuAswx.png&#34; alt=&#34;&#34;&gt;&lt;/p&gt;
&lt;p&gt;&lt;img src=&#34;https://i.imgur.com/kveRWUS.png&#34; alt=&#34;&#34;&gt;&lt;/p&gt;
&lt;p&gt;Well, isn&amp;rsquo;t that something! Now the puzzle is starting to come together, as that particular &lt;code&gt;QWORD&lt;/code&gt; is actually the address of the instruction responsible for writing the &lt;code&gt;CR3&lt;/code&gt; value, which we found in &lt;code&gt;MmCreateProcessAddressSpace&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;To add the final touch, that function is even the virtualized function that performed the write operation on the &lt;code&gt;CR3&lt;/code&gt;, which we traced in the previous sections.&lt;/p&gt;
&lt;p&gt;Even after all of this, the question still remains: are they truly emulating every single call within &lt;code&gt;NtCreateUserProcess&lt;/code&gt;?&lt;/p&gt;
&lt;p&gt;After looking at the rest of the emulator&amp;rsquo;s code, I discovered the section that handles the execution or emulation of subroutines.&lt;/p&gt;
&lt;p&gt;&lt;img src=&#34;https://i.imgur.com/0DabId3.png&#34; alt=&#34;&#34;&gt;&lt;/p&gt;
&lt;p&gt;&lt;img src=&#34;https://i.imgur.com/3isRzQ3.png&#34; alt=&#34;&#34;&gt;&lt;/p&gt;
&lt;p&gt;The callback itself is quite straightforward and simply emulates the code if the function leads to &lt;code&gt;MmCreateProcessAddressSpace&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;&lt;img src=&#34;https://i.imgur.com/C8tfwM9.png&#34; alt=&#34;&#34;&gt;&lt;/p&gt;
&lt;h1 id=&#34;conclusion&#34;&gt;Conclusion&lt;/h1&gt;
&lt;p&gt;In conclusion, EasyAntiCheat has opened up a Pandora&amp;rsquo;s box that they cannot close. They have revealed their capabilities, and there is so much more they can unleash.&lt;/p&gt;
&lt;p&gt;I eagerly am waiting to document any future developments that EasyAntiCheat introduces.&lt;/p&gt;
&lt;p&gt;Until the next revelation!&lt;/p&gt;
</content>
    </item>
    
    <item>
      <title>Unleashing the Secrets: EasyAntiCheat’s CR3 Protection</title>
      <link>/posts/easyanticheat-cr3-protection/</link>
      <pubDate>Thu, 13 Apr 2023 00:00:00 +0000</pubDate>
      
      <guid>/posts/easyanticheat-cr3-protection/</guid>
      <description>Disclaimer The information provided in this document is intended solely for educational and informational purposes. It is not meant to belittle EasyAntiCheat or any individuals involved in its development or implementation. Rather, it aims to shed light on the internal workings of EasyAntiCheat so that consumers can better understand what happens behind the scenes when playing their favorite games. Any opinions expressed herein do not necessarily reflect those of EasyAntiCheat or any other parties mentioned.</description>
      <content>&lt;h1 id=&#34;disclaimer&#34;&gt;Disclaimer&lt;/h1&gt;
&lt;p&gt;The information provided in this document is intended &lt;strong&gt;solely for educational and informational purposes&lt;/strong&gt;. It is &lt;strong&gt;not meant to belittle EasyAntiCheat&lt;/strong&gt; or any individuals involved in its development or implementation. Rather, it aims to shed light on the internal workings of EasyAntiCheat so that consumers can better understand what happens behind the scenes when playing their favorite games. Any opinions expressed herein &lt;strong&gt;do not necessarily reflect those of EasyAntiCheat&lt;/strong&gt; or any other parties mentioned. This document is provided &amp;ldquo;&lt;strong&gt;as is&lt;/strong&gt;&amp;rdquo; without warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability and fitness for a particular purpose. I shall not be liable for any damages whatsoever arising out of or in connection with the use of this document.&lt;/p&gt;
&lt;h1 id=&#34;introduction&#34;&gt;Introduction&lt;/h1&gt;
&lt;p&gt;The world of online gaming has long been plagued by the scourge of cheaters, whose insidious machinations threaten to undermine the very foundations upon which fair play and competition are built. But fear not, for there is a shining beacon of hope in this dark and murky landscape - EasyAntiCheat. Employed by some of the most popular titles on the market today, this cutting-edge software represents a formidable bulwark against those who would seek to gain an unfair advantage through illicit means. But just how does it work? What makes it so effective? And can it truly stand up to the ever-evolving tactics of the cheating underworld? Join us as we delve deep into the heart of this technological marvel and uncover the secrets that make it a force to be reckoned with.&lt;/p&gt;
&lt;h1 id=&#34;before-we-dive-in-getting-the-basics-right&#34;&gt;Before We Dive In: Getting the Basics Right&lt;/h1&gt;
&lt;p&gt;To proceed with the remaining part of the article, I recommend first addressing these topics:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&#34;https://www.triplefault.io/2017/07/introduction-to-ia-32e-hardware-paging.html&#34;&gt;IA-32e Hardware Paging&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;https://www.triplefault.io/2017/08/exploring-windows-virtual-memory.html&#34;&gt;Windows Virtual Memory Management&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;https://en.wikipedia.org/wiki/Process_isolation&#34;&gt;Process Isolation&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h1 id=&#34;identifying-the-problem&#34;&gt;Identifying the Problem&lt;/h1&gt;
&lt;p&gt;As any individual who has engaged in cheating will attest, accessing memory is a pivotal aspect of the process. However, with anti-cheat measures operating at the kernel level, cheaters have had to resort to executing at this elevated level as well; the highest level under &lt;code&gt;SMM&lt;/code&gt; and &lt;code&gt;VT-X/AMD-V&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;As anti-cheats have evolved, they have adopted increasingly sophisticated strategies that delve deep into the intricacies of the Windows kernel. Take, for instance, Vanguard, the anti-cheat system used in Valorant. It safeguards critical game regions by utilizing a technique to hook context swaps and creating a whitelist of specific threads that are authorized to access their cloned &lt;code&gt;CR3&lt;/code&gt;; which allows for seamless, yet secure, access to the protected memory.&lt;/p&gt;
&lt;p&gt;Such measures have proven especially effective in thwarting DMA cheats, which leverage an external device to translate virtual memory to its corresponding physical memory mappings and extract data.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-cpp&#34; data-lang=&#34;cpp&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;VOID VgkHooks&lt;span style=&#34;color:#f92672&#34;&gt;::&lt;/span&gt;PostSwapContext( PVOID Thread )
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;	UINT64 ThreadIndex &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;0&lt;/span&gt;;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;	BOOLEAN AllowCr3Write &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; FALSE;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;	&lt;span style=&#34;color:#75715e&#34;&gt;//
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;	&lt;span style=&#34;color:#75715e&#34;&gt;// I have simplified it here, this routine actually decrypts the obfuscated import.
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;	&lt;span style=&#34;color:#75715e&#34;&gt;//
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;	&lt;span style=&#34;color:#66d9ef&#34;&gt;const&lt;/span&gt; &lt;span style=&#34;color:#66d9ef&#34;&gt;auto&lt;/span&gt; PsGetThreadProcess &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; Vgk&lt;span style=&#34;color:#f92672&#34;&gt;::&lt;/span&gt;Imports&lt;span style=&#34;color:#f92672&#34;&gt;::&lt;/span&gt;PsGetThreadProcess;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;	&lt;span style=&#34;color:#75715e&#34;&gt;//
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;	&lt;span style=&#34;color:#75715e&#34;&gt;// Ensure that we are swapping a thread associated with Valorant.
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;	&lt;span style=&#34;color:#75715e&#34;&gt;//
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;	&lt;span style=&#34;color:#66d9ef&#34;&gt;if&lt;/span&gt; ( __readcr3( ) &lt;span style=&#34;color:#f92672&#34;&gt;==&lt;/span&gt; GuardedRegion.GameCr3 )
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;	{
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;		&lt;span style=&#34;color:#66d9ef&#34;&gt;if&lt;/span&gt; ( PsGetThreadProcess( Thread ) &lt;span style=&#34;color:#f92672&#34;&gt;==&lt;/span&gt; VgkData&lt;span style=&#34;color:#f92672&#34;&gt;::&lt;/span&gt;ValorantProcess )
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;		{
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;			_disable( );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;			&lt;span style=&#34;color:#75715e&#34;&gt;//
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;			&lt;span style=&#34;color:#75715e&#34;&gt;// Update the pml4s, Windows may have changed it.
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;			&lt;span style=&#34;color:#75715e&#34;&gt;//
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;			Vgk&lt;span style=&#34;color:#f92672&#34;&gt;::&lt;/span&gt;Setup( GuardedRegion.OriginalPml4s );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;			memcpy( GuardedRegion.ClonedPml4s, GuardedRegion.OriginalPml4s, PAGE_SIZE );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;			&lt;span style=&#34;color:#75715e&#34;&gt;//
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;			&lt;span style=&#34;color:#75715e&#34;&gt;// As the pml4 table has been overwritten, it is necessary for us to reset our pml4e.
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;			&lt;span style=&#34;color:#75715e&#34;&gt;//
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;			GuardedRegion.ClonedPml4s[ GuardedRegion.AvailablePml4Index ] &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; GuardedRegion.NewPml4e;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;			&lt;span style=&#34;color:#75715e&#34;&gt;//
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;			&lt;span style=&#34;color:#75715e&#34;&gt;// Has the game surpassed the maximum allowable whitelisted thread count as permitted by VGK?
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;			&lt;span style=&#34;color:#75715e&#34;&gt;//
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;			&lt;span style=&#34;color:#66d9ef&#34;&gt;if&lt;/span&gt; ( ThreadData.Count &lt;span style=&#34;color:#f92672&#34;&gt;!=&lt;/span&gt; VGK_MAX_THREADS )
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;			{
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;				&lt;span style=&#34;color:#66d9ef&#34;&gt;if&lt;/span&gt; ( &lt;span style=&#34;color:#f92672&#34;&gt;!&lt;/span&gt;ThreadData.Count )
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;				{
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;				WriteCr3:
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;					&lt;span style=&#34;color:#66d9ef&#34;&gt;if&lt;/span&gt; ( AllowCr3Write )
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;						__writecr3( GuardedRegion.NewCr3 );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;					&lt;span style=&#34;color:#66d9ef&#34;&gt;if&lt;/span&gt; ( ShouldFlushTlb )
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;						FlushTlb( );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;					_enable( );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;					&lt;span style=&#34;color:#66d9ef&#34;&gt;return&lt;/span&gt;;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;				}
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;				&lt;span style=&#34;color:#75715e&#34;&gt;//
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;				&lt;span style=&#34;color:#75715e&#34;&gt;// If not, enumerate through each whitelisted thread.
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;				&lt;span style=&#34;color:#75715e&#34;&gt;//
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;				&lt;span style=&#34;color:#66d9ef&#34;&gt;while&lt;/span&gt; ( Thread &lt;span style=&#34;color:#f92672&#34;&gt;!=&lt;/span&gt; ThreadData.List[ ThreadIndex ] )
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;				{
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;					&lt;span style=&#34;color:#66d9ef&#34;&gt;if&lt;/span&gt; ( ThreadIndex&lt;span style=&#34;color:#f92672&#34;&gt;++&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;&amp;gt;=&lt;/span&gt; ThreadData.Count )
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;						&lt;span style=&#34;color:#66d9ef&#34;&gt;goto&lt;/span&gt; WriteCr3;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;				}
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;			}
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;			AllowWriteCr3 &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; TRUE;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;			&lt;span style=&#34;color:#66d9ef&#34;&gt;goto&lt;/span&gt; WriteCr3;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;		}
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt; 	}
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;blockquote&gt;
&lt;p&gt;The code that is not relevant to this article has been redacted, and the remaining code has been formatted for improved readability.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;While this is certainly fascinating, the question remains: how does all of this relate to EasyAntiCheat? As it turns out, EasyAntiCheat is also quite adept at detecting and thwarting cheat attempts. In fact, it employs a technique that is similar to the aforementioned Vanguard anti-cheat, albeit one that is more complex in nature.&lt;/p&gt;
&lt;p&gt;However, unlike Vanguard, which utilizes two legitimate address spaces, EasyAntiCheat opts for a different approach - one that involves concealing its original &lt;code&gt;CR3&lt;/code&gt; from any prying eyes. This is an involved and intricate technique, but one that has proven to be quite effective in deterring cheaters.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;It&amp;rsquo;s worth noting that &lt;code&gt;Rust&lt;/code&gt;, the game detailed in this article, incorporates &lt;code&gt;EasyAntiCheat_EOS&lt;/code&gt;. As far as my observation goes, no other EOS-protected game has implemented this particular approach.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;h1 id=&#34;explaining-the-problem&#34;&gt;Explaining the Problem&lt;/h1&gt;
&lt;p&gt;In order to provide additional support for the claims we have made, we&amp;rsquo;ll translate Rust&amp;rsquo;s base address to its corresponding physical mapping using the &lt;code&gt;CR3&lt;/code&gt; located in the &lt;code&gt;EProcess::DirectoryTableBase&lt;/code&gt; field. This will provide us with concrete evidence to support our claim, which is a critical step because if the &lt;code&gt;CR3&lt;/code&gt; value is truly invalid, the translation process would fail as it would not be pointing to any legitimate &lt;code&gt;PML4&lt;/code&gt; table.&lt;/p&gt;
&lt;p&gt;To further validate our findings, we&amp;rsquo;ll compare the results obtained through this process with the actual game&amp;rsquo;s fixed &lt;code&gt;CR3&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;To simplify this task, and make the process more efficient, we&amp;rsquo;ll utilize the well-known and widely-used &lt;a href=&#34;https://www.cheatengine.org/&#34;&gt;Cheat Engine&lt;/a&gt; Lua scripting interface.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;I decided to use Cheat Engine because it offers scripting capabilities that can be quickly accessed and modified, rather than having to create a driver for every minor alteration.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-lua&#34; data-lang=&#34;lua&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;local&lt;/span&gt; RustProcess &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; dbk_getPEProcess( RustPid );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;local&lt;/span&gt; RustSectionBaseAddress &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; readQword( RustProcess &lt;span style=&#34;color:#f92672&#34;&gt;+&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;0x520&lt;/span&gt; );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;local&lt;/span&gt; RustDirectoryTableBase &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; readQword( RustProcess &lt;span style=&#34;color:#f92672&#34;&gt;+&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;0x28&lt;/span&gt; );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;print( string.format( &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;RustSectionBaseAddress -&amp;gt; %X&amp;#34;&lt;/span&gt;, RustSectionBaseAddress ) );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;print( string.format( &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;RustDirectoryTableBase -&amp;gt; %X&amp;#34;&lt;/span&gt;, RustDirectoryTableBase ) );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;local&lt;/span&gt; RustPhysicalBaseAddress &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; getPhysicalAddressCR3( RustDirectoryTableBase, RustSectionBaseAddress );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;if&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;not&lt;/span&gt; RustPhysicalBaseAddress &lt;span style=&#34;color:#66d9ef&#34;&gt;then&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;  	print( &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;Error -&amp;gt; 0&amp;#34;&lt;/span&gt; );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;else&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;   	print( string.format( &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;Success -&amp;gt; %X&amp;#34;&lt;/span&gt;, RustPhysicalBaseAddress ) );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;end&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;--[[
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;	RustSectionBaseAddress -&amp;gt; 7FF7B4600000 
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;	RustDirectoryTableBase -&amp;gt; 4000000853DFF000 
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;	Error -&amp;gt; 0 
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;--]]&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;Now, for the corresponding counterpart:&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-lua&#34; data-lang=&#34;lua&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;local&lt;/span&gt; RustProcess &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; dbk_getPEProcess( RustPid );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;local&lt;/span&gt; RustSectionBaseAddress &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; readQword( RustProcess &lt;span style=&#34;color:#f92672&#34;&gt;+&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;0x520&lt;/span&gt; );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;local&lt;/span&gt; RustDirectoryTableBase &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; dbk_getCR3( );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;print( string.format( &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;RustSectionBaseAddress -&amp;gt; %X&amp;#34;&lt;/span&gt;, RustSectionBaseAddress ) );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;print( string.format( &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;RustDirectoryTableBase -&amp;gt; %X&amp;#34;&lt;/span&gt;, RustDirectoryTableBase ) );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;local&lt;/span&gt; RustPhysicalBaseAddress &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; getPhysicalAddressCR3( RustDirectoryTableBase, RustSectionBaseAddress );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;if&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;not&lt;/span&gt; RustPhysicalBaseAddress &lt;span style=&#34;color:#66d9ef&#34;&gt;then&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;  	print( &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;Error -&amp;gt; 0&amp;#34;&lt;/span&gt; );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;else&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;   	print( string.format( &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;Success -&amp;gt; %X&amp;#34;&lt;/span&gt;, RustPhysicalBaseAddress ) );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;end&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;--[[
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;	RustSectionBaseAddress -&amp;gt; 7FF7B4600000 
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;	RustDirectoryTableBase -&amp;gt; 197198000 
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;	Success -&amp;gt; 199CFE000 
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;--]]&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;As you can see, the &lt;code&gt;CR3&lt;/code&gt; value &lt;code&gt;4000000853DFF000&lt;/code&gt; appears quite peculiar at first glance. It&amp;rsquo;s pretty obvious that something is amiss even before consulting the manual. To get a better understanding, let&amp;rsquo;s use the programmer&amp;rsquo;s calculator on Windows to examine the toggled bits in the 64-bit integer.&lt;/p&gt;
&lt;p&gt;&lt;img src=&#34;https://i.imgur.com/nzYfRgr.png&#34; alt=&#34;&#34;&gt;&lt;/p&gt;
&lt;p&gt;As observed from the calculator&amp;rsquo;s output, the 63rd bit is set. Armed with this knowledge, we can now refer to the manual to determine if this is a reserved bit that would trigger any sort of exception.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;If an attempt is made to change &lt;code&gt;CR4.PCIDE&lt;/code&gt; from 0 to 1 while &lt;code&gt;CR3[11:0]&lt;/code&gt; ≠ &lt;code&gt;000H&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;If an attempt is made to clear &lt;code&gt;CR0.PG[bit 31]&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;If an attempt is made to write a 1 to any reserved bit in &lt;code&gt;CR4&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;If an attempt is made to write a 1 to any reserved bit in &lt;code&gt;CR8&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;If an attempt is made to write a 1 to any reserved bit in &lt;code&gt;CR3[63:MAXPHYADDR]&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;If an attempt is made to leave IA-32e mode by clearing &lt;code&gt;CR4.PAE[bit 5]&lt;/code&gt;.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Since our focus is on a particular control register, namely the third one, we can narrow down the scope of the search to indicate that triggering a &lt;code&gt;#GP(0)&lt;/code&gt; exception would occur only if one tries to write a value of 1 to any reserved bit within &lt;code&gt;CR3[63:MAXPHYADDR]&lt;/code&gt;, which is exactly what we&amp;rsquo;re looking for!&lt;/p&gt;
&lt;p&gt;At this point, you might be wondering why it&amp;rsquo;s not possible to unset those bits to make the &lt;code&gt;CR3&lt;/code&gt; valid. However, the &lt;code&gt;CR3&lt;/code&gt; that&amp;rsquo;s saved within Rust&amp;rsquo;s process is solely intended to trigger an exception and doesn&amp;rsquo;t refer to any &lt;code&gt;PML4s&lt;/code&gt; (without proper decryption). This approach from EasyAntiCheat is quite clever as it compels reverse engineers, such as ourselves, to reverse their driver.&lt;/p&gt;
&lt;h1 id=&#34;connecting-the-dots-the-thread-scheduler&#34;&gt;Connecting the Dots: The Thread Scheduler&lt;/h1&gt;
&lt;p&gt;Now that we have obtained the prerequisite knowledge on the issue at hand, we can start connecting the dots to understand how EasyAntiCheat is exploiting the vulnerability.&lt;/p&gt;
&lt;p&gt;As we already know, EasyAntiCheat forces an exception when the &lt;code&gt;EProcess::DirectoryTableBase&lt;/code&gt; is being written to the &lt;code&gt;CR3&lt;/code&gt; of any active processor. However, this raises the question: how exactly are they are abusing this?&lt;/p&gt;
&lt;p&gt;To answer this question, let&amp;rsquo;s take a closer look at the &lt;code&gt;ntoskrnl!SwapContext&lt;/code&gt; routine, which is responsible for swapping the current core&amp;rsquo;s context to a new thread.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-cpp&#34; data-lang=&#34;cpp&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;//
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;// The impact of their hook extends beyond this specific routine and encompasses any kernel routine that involves CR3 swapping, such as KiAttachProcess.
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;//
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;UINT64 ProcessCr3 &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; Process&lt;span style=&#34;color:#f92672&#34;&gt;-&amp;gt;&lt;/span&gt;DirectoryTableBase;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;if&lt;/span&gt; ( ( HvlEnlightenments &lt;span style=&#34;color:#f92672&#34;&gt;&amp;amp;&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt; ) &lt;span style=&#34;color:#f92672&#34;&gt;!=&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;0&lt;/span&gt; )
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;	&lt;span style=&#34;color:#75715e&#34;&gt;//
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;	&lt;span style=&#34;color:#75715e&#34;&gt;// If HyperV is present, it&amp;#39;ll handle swapping the current core&amp;#39;s CR3.
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;	&lt;span style=&#34;color:#75715e&#34;&gt;//
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;	HvlSwitchVirtualAddressSpace( ProcessCr3 );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;else&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;	__writecr3( ProcessCr3 );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;	&lt;span style=&#34;color:#66d9ef&#34;&gt;if&lt;/span&gt; ( ShouldFlushTlb )
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;	{
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;		&lt;span style=&#34;color:#75715e&#34;&gt;//
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;		&lt;span style=&#34;color:#75715e&#34;&gt;// If possible, flushes the TLB for the current core. 
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;		&lt;span style=&#34;color:#75715e&#34;&gt;//
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;		&lt;span style=&#34;color:#66d9ef&#34;&gt;auto&lt;/span&gt; Cr4 &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; __readcr4( );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;  		Cr4 &lt;span style=&#34;color:#f92672&#34;&gt;^=&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;0x80&lt;/span&gt;;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;		__writecr4( Cr4 );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;		__writecr4( Cr4 &lt;span style=&#34;color:#f92672&#34;&gt;^&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;0x80&lt;/span&gt; );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;	}
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;blockquote&gt;
&lt;p&gt;The code that is not relevant to this article has been redacted, and the remaining code has been formatted for improved readability.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;By analyzing the code within this routine, we can see that the function proceeds to update the &lt;code&gt;CR3&lt;/code&gt; register to the &lt;code&gt;EProcess::DirectoryTableBase&lt;/code&gt; field using the &lt;code&gt;__writecr3&lt;/code&gt; intrinsic.
It is at this point where EasyAntiCheat is able to exploit the vulnerability. By forcing an exception, and catching it, EasyAntiCheat is able to instrument when a thread is being swapped, and thereby obtain complete and utter control over their game&amp;rsquo;s context-switches (and other whitelisted regions).&lt;/p&gt;
&lt;h1 id=&#34;connecting-the-dots-wresling-the-exception&#34;&gt;Connecting the Dots: Wresling the Exception&lt;/h1&gt;
&lt;p&gt;Following the reverse engineering process, the next step is to locate the location where EasyAntiCheat writes the updated &lt;code&gt;CR3&lt;/code&gt;. Based on our previous findings, this will be found within their exception hook.&lt;/p&gt;
&lt;p&gt;Although there are multiple methods to achieve this, the steps I will take include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Utilizing my &lt;code&gt;VT-X&lt;/code&gt; hypervisor to virtualize all logical processors.&lt;/li&gt;
&lt;li&gt;Installing an image load callback.&lt;/li&gt;
&lt;li&gt;Upon the loading of the &lt;code&gt;EasyAntiCheat_EOS.sys&lt;/code&gt; driver, preserving the driver&amp;rsquo;s details.&lt;/li&gt;
&lt;li&gt;Deferring a task to the subsequent &lt;code&gt;CR3&lt;/code&gt; write, if an attempt is made to write a 1 to any reserved bit in &lt;code&gt;CR3[63:MAXPHYADDR]&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;Recording the &lt;code&gt;RVA&lt;/code&gt; using EasyAntiCheat&amp;rsquo;s stored driver information.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Upon completion of the aforementioned steps, and removing duplicates for clarity, the outcomes obtained are:&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-json&#34; data-lang=&#34;json&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{&lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Type&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;Invalid&amp;#34;&lt;/span&gt;,&lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;RVA&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;ntoskrnl.exe+0x40028F&amp;#34;&lt;/span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{&lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Type&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;Valid&amp;#34;&lt;/span&gt;,&lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;RVA&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;EasyAntiCheat_EOS.sys+0x19A20&amp;#34;&lt;/span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{&lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Type&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;Invalid&amp;#34;&lt;/span&gt;,&lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;RVA&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;ntoskrnl.exe+0x20C130&amp;#34;&lt;/span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{&lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;Type&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;Valid&amp;#34;&lt;/span&gt;,&lt;span style=&#34;color:#f92672&#34;&gt;&amp;#34;RVA&amp;#34;&lt;/span&gt;:&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;EasyAntiCheat_EOS.sys+0x19A20&amp;#34;&lt;/span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;Although it may appear daunting initially, it is not something we have not previously discussed. Let&amp;rsquo;s review it together.&lt;/p&gt;
&lt;p&gt;First, let us direct our attention towards the &lt;code&gt;Invalid&lt;/code&gt; outcomes, which occur when the kernel writes EasyAntiCheat&amp;rsquo;s exception-forced &lt;code&gt;CR3&lt;/code&gt;.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-asm&#34; data-lang=&#34;asm&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;.text:&lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;000000000040028&lt;/span&gt;&lt;span style=&#34;color:#a6e22e&#34;&gt;F&lt;/span&gt;      &lt;span style=&#34;color:#ae81ff&#34;&gt;0&lt;/span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;F&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;22&lt;/span&gt; &lt;span style=&#34;color:#66d9ef&#34;&gt;D9&lt;/span&gt;      &lt;span style=&#34;color:#66d9ef&#34;&gt;mov&lt;/span&gt; &lt;span style=&#34;color:#66d9ef&#34;&gt;cr3&lt;/span&gt;, &lt;span style=&#34;color:#66d9ef&#34;&gt;rcx&lt;/span&gt; &lt;span style=&#34;color:#75715e&#34;&gt;; SwapContext
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-asm&#34; data-lang=&#34;asm&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;.text:&lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;000000000020&lt;/span&gt;&lt;span style=&#34;color:#a6e22e&#34;&gt;C130&lt;/span&gt;      &lt;span style=&#34;color:#ae81ff&#34;&gt;0&lt;/span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;F&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;22&lt;/span&gt; &lt;span style=&#34;color:#66d9ef&#34;&gt;DF&lt;/span&gt;      &lt;span style=&#34;color:#66d9ef&#34;&gt;mov&lt;/span&gt; &lt;span style=&#34;color:#66d9ef&#34;&gt;cr3&lt;/span&gt;, &lt;span style=&#34;color:#66d9ef&#34;&gt;rdi&lt;/span&gt; &lt;span style=&#34;color:#75715e&#34;&gt;; KiAttachProcess
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;As you can observe, we have previously covered this, it&amp;rsquo;s where the kernel writes Rust&amp;rsquo;s &lt;code&gt;CR3&lt;/code&gt;. Let&amp;rsquo;s now shift our focus towards the juicy &lt;code&gt;Valid&lt;/code&gt; outcomes, where EasyAntiCheat writes the genuine &lt;code&gt;CR3&lt;/code&gt;.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-cpp&#34; data-lang=&#34;cpp&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;BOOLEAN EacHooks&lt;span style=&#34;color:#f92672&#34;&gt;::&lt;/span&gt;HandleException( ExceptonData&lt;span style=&#34;color:#f92672&#34;&gt;*&lt;/span&gt; Exception, PCONTEXT Context )
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;{
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;#define GetFixedCr3( Key ) ((__ROR8__(_byteswap_uint64(Key), 31) &amp;amp; 0xFFFFFFFFF) &amp;lt;&amp;lt; 12)
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;	&lt;span style=&#34;color:#66d9ef&#34;&gt;if&lt;/span&gt; ( Exception&lt;span style=&#34;color:#f92672&#34;&gt;-&amp;gt;&lt;/span&gt;Code &lt;span style=&#34;color:#f92672&#34;&gt;==&lt;/span&gt; STATUS_PRIVILEGED_INSTRUCTION  )
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;	{
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;		&lt;span style=&#34;color:#75715e&#34;&gt;//
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;		&lt;span style=&#34;color:#75715e&#34;&gt;// --&amp;gt; &amp;#34;mov cr3&amp;#34;, ??
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;		&lt;span style=&#34;color:#75715e&#34;&gt;//
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;		&lt;span style=&#34;color:#66d9ef&#34;&gt;if&lt;/span&gt; ( &lt;span style=&#34;color:#f92672&#34;&gt;*&lt;/span&gt;( WORD&lt;span style=&#34;color:#f92672&#34;&gt;*&lt;/span&gt; )Context&lt;span style=&#34;color:#f92672&#34;&gt;-&amp;gt;&lt;/span&gt;Rip &lt;span style=&#34;color:#f92672&#34;&gt;==&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;0x220F&lt;/span&gt; )
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;		{
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;			&lt;span style=&#34;color:#75715e&#34;&gt;//
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;			&lt;span style=&#34;color:#75715e&#34;&gt;// mov cr3, &amp;#34;??&amp;#34; &amp;lt;--
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;			&lt;span style=&#34;color:#75715e&#34;&gt;//
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;			BYTE Operand &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;*&lt;/span&gt;( BYTE&lt;span style=&#34;color:#f92672&#34;&gt;*&lt;/span&gt; )( Context&lt;span style=&#34;color:#f92672&#34;&gt;-&amp;gt;&lt;/span&gt;Rip &lt;span style=&#34;color:#f92672&#34;&gt;+&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;2&lt;/span&gt; );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;			&lt;span style=&#34;color:#75715e&#34;&gt;//
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;			&lt;span style=&#34;color:#75715e&#34;&gt;// Converts the operand to an offset in the context structure, beginning from RAX.
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;			&lt;span style=&#34;color:#75715e&#34;&gt;//
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;			Operand &lt;span style=&#34;color:#f92672&#34;&gt;&amp;amp;=&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;7&lt;/span&gt;;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;			&lt;span style=&#34;color:#75715e&#34;&gt;//
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;			&lt;span style=&#34;color:#75715e&#34;&gt;// Retrieve the CR3 that was being written from its register.
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;			&lt;span style=&#34;color:#75715e&#34;&gt;//
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;			UINT64&lt;span style=&#34;color:#f92672&#34;&gt;*&lt;/span&gt; Registers &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;&amp;amp;&lt;/span&gt;Context&lt;span style=&#34;color:#f92672&#34;&gt;-&amp;gt;&lt;/span&gt;Rax;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;			UINT64 AttemptedCr3 &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; Registers[ Operand ];
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;			&lt;span style=&#34;color:#75715e&#34;&gt;//
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;			&lt;span style=&#34;color:#75715e&#34;&gt;// This is always computes to the same value, which is the base of their structure&amp;#39;s allocation.
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;			&lt;span style=&#34;color:#75715e&#34;&gt;//
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;			UINT64 DataOffset &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; InterlockedExchangeAdd64( EAC&lt;span style=&#34;color:#f92672&#34;&gt;::&lt;/span&gt;InitialDataOffset, &lt;span style=&#34;color:#ae81ff&#34;&gt;0x1000000000&lt;/span&gt; );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;			DataOffset &lt;span style=&#34;color:#f92672&#34;&gt;+=&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;0x1000000000&lt;/span&gt;;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;			DataOffset &lt;span style=&#34;color:#f92672&#34;&gt;&amp;amp;=&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;0xFFFFFFFFF&lt;/span&gt;;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;			DataOffset &lt;span style=&#34;color:#f92672&#34;&gt;&amp;lt;&amp;lt;=&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;12&lt;/span&gt;;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;			&lt;span style=&#34;color:#75715e&#34;&gt;//
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;			&lt;span style=&#34;color:#75715e&#34;&gt;// In their actual code, this uses an address in the stack to perform their calculation against.
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;			&lt;span style=&#34;color:#75715e&#34;&gt;//
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;			EAC&lt;span style=&#34;color:#f92672&#34;&gt;::&lt;/span&gt;EacData&lt;span style=&#34;color:#f92672&#34;&gt;*&lt;/span&gt; Data &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; ( EAC&lt;span style=&#34;color:#f92672&#34;&gt;::&lt;/span&gt;EacData&lt;span style=&#34;color:#f92672&#34;&gt;*&lt;/span&gt; )( ( &lt;span style=&#34;color:#ae81ff&#34;&gt;0xFFFFull&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;&amp;lt;&amp;lt;&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;48&lt;/span&gt; ) &lt;span style=&#34;color:#f92672&#34;&gt;+&lt;/span&gt; DataOffset );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;			&lt;span style=&#34;color:#75715e&#34;&gt;//
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;			&lt;span style=&#34;color:#75715e&#34;&gt;// Nothing complicated here, just gets the current process.
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;			&lt;span style=&#34;color:#75715e&#34;&gt;//
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;			PEPROCESS CurrentProcess &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;*&lt;/span&gt;( PEPROCESS&lt;span style=&#34;color:#f92672&#34;&gt;*&lt;/span&gt; )( UINT64( KeGetCurrentThread( ) ) &lt;span style=&#34;color:#f92672&#34;&gt;+&lt;/span&gt; EAC&lt;span style=&#34;color:#f92672&#34;&gt;::&lt;/span&gt;ProcessOffset );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;			&lt;span style=&#34;color:#75715e&#34;&gt;//
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;			&lt;span style=&#34;color:#75715e&#34;&gt;// This isn&amp;#39;t exactly what&amp;#39;s done here, I&amp;#39;ve simplified it.
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;			&lt;span style=&#34;color:#75715e&#34;&gt;//
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;			&lt;span style=&#34;color:#66d9ef&#34;&gt;if&lt;/span&gt; ( CurrentProcess &lt;span style=&#34;color:#f92672&#34;&gt;!=&lt;/span&gt; Data&lt;span style=&#34;color:#f92672&#34;&gt;-&amp;gt;&lt;/span&gt;Process )
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;			{
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;				&lt;span style=&#34;color:#66d9ef&#34;&gt;if&lt;/span&gt; ( AttemptedCr3 &lt;span style=&#34;color:#f92672&#34;&gt;!=&lt;/span&gt; Data&lt;span style=&#34;color:#f92672&#34;&gt;-&amp;gt;&lt;/span&gt;Cr3 )
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;				{
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;					InterlockedIncrement( Data&lt;span style=&#34;color:#f92672&#34;&gt;-&amp;gt;&lt;/span&gt;Counter );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;					&lt;span style=&#34;color:#66d9ef&#34;&gt;return&lt;/span&gt; FALSE;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;				}
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;				
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;				__writecr3( __readcr3( ) );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;				Context&lt;span style=&#34;color:#f92672&#34;&gt;-&amp;gt;&lt;/span&gt;Rip &lt;span style=&#34;color:#f92672&#34;&gt;+=&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;3&lt;/span&gt;;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;				InterlockedIncrement( Data&lt;span style=&#34;color:#f92672&#34;&gt;-&amp;gt;&lt;/span&gt;Counter );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;				&lt;span style=&#34;color:#66d9ef&#34;&gt;return&lt;/span&gt; TRUE;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;			}
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;			&lt;span style=&#34;color:#66d9ef&#34;&gt;if&lt;/span&gt; ( Context&lt;span style=&#34;color:#f92672&#34;&gt;-&amp;gt;&lt;/span&gt;Rip &lt;span style=&#34;color:#f92672&#34;&gt;&amp;gt;=&lt;/span&gt; EAC&lt;span style=&#34;color:#f92672&#34;&gt;::&lt;/span&gt;WhitelistStart &lt;span style=&#34;color:#f92672&#34;&gt;&amp;amp;&amp;amp;&lt;/span&gt; Context&lt;span style=&#34;color:#f92672&#34;&gt;-&amp;gt;&lt;/span&gt;Rip &lt;span style=&#34;color:#f92672&#34;&gt;&amp;lt;&lt;/span&gt; EAC&lt;span style=&#34;color:#f92672&#34;&gt;::&lt;/span&gt;WhitelistEnd )
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;			{
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;				&lt;span style=&#34;color:#75715e&#34;&gt;//
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;				&lt;span style=&#34;color:#75715e&#34;&gt;// This removes the reserved bits, and fixes the CR3.
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;				&lt;span style=&#34;color:#75715e&#34;&gt;// The decryption changes per update, so don&amp;#39;t expect this to remain.
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;				&lt;span style=&#34;color:#75715e&#34;&gt;//
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;				UINT64 FixedCr3 &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; AttemptedCr3 &lt;span style=&#34;color:#f92672&#34;&gt;&amp;amp;&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;0xBFFF000000000FFF&lt;/span&gt;;	
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;				FixedCr3 &lt;span style=&#34;color:#f92672&#34;&gt;|=&lt;/span&gt; GetFixedCr3( Data&lt;span style=&#34;color:#f92672&#34;&gt;-&amp;gt;&lt;/span&gt;Key );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;				__writecr3( FixedCr3 );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;				Context&lt;span style=&#34;color:#f92672&#34;&gt;-&amp;gt;&lt;/span&gt;Rip &lt;span style=&#34;color:#f92672&#34;&gt;+=&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;3&lt;/span&gt;;				
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;				InterlockedIncrement( Data&lt;span style=&#34;color:#f92672&#34;&gt;-&amp;gt;&lt;/span&gt;Counter );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;				&lt;span style=&#34;color:#66d9ef&#34;&gt;return&lt;/span&gt; TRUE;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;			}
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;		}
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;	}
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;	&lt;span style=&#34;color:#66d9ef&#34;&gt;return&lt;/span&gt; FALSE;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;blockquote&gt;
&lt;p&gt;The code that is not relevant to this article has been redacted, and the remaining code has been formatted for improved readability.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Although I have improved the code&amp;rsquo;s readability by symbolizing and cleaning it, I will still provide a summary of its behavior:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Verify that the exception resulted from a &lt;code&gt;mov cr3, ??&lt;/code&gt; instruction.&lt;/li&gt;
&lt;li&gt;Extract the instruction&amp;rsquo;s operand and convert it to an index beginning from &lt;code&gt;ZERO/RAX&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;Retrieve the value of the &lt;code&gt;CR3&lt;/code&gt; register from the the context structure.&lt;/li&gt;
&lt;li&gt;Compute the address by calculating the offset to the hook&amp;rsquo;s data structure.&lt;/li&gt;
&lt;li&gt;Verify that the exception occurred in Rust&amp;rsquo;s process and check the validity of the &lt;code&gt;CR3&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;Verify that the exception occurred within a designated region inside &lt;code&gt;ntoskrnl.exe&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;If all of the above conditions are met, update &lt;code&gt;CR3&lt;/code&gt; and &lt;code&gt;RIP&lt;/code&gt; accordingly.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Awesome! You know the drill by now, let&amp;rsquo;s confirm our reversal by comparing Rust&amp;rsquo;s process with the structure.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-lua&#34; data-lang=&#34;lua&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;local&lt;/span&gt; InitialDataOffset &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; readQword( EacBase &lt;span style=&#34;color:#f92672&#34;&gt;+&lt;/span&gt; EacInitialDataOffset );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;local&lt;/span&gt; DataOffset &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; bAnd( InitialDataOffset, &lt;span style=&#34;color:#ae81ff&#34;&gt;0xFFFFFFFFF&lt;/span&gt; );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;DataOffset &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; bShl( DataOffset, &lt;span style=&#34;color:#ae81ff&#34;&gt;12&lt;/span&gt; );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;local&lt;/span&gt; Data &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; bOr( bShl( &lt;span style=&#34;color:#ae81ff&#34;&gt;0xFFFF&lt;/span&gt;, &lt;span style=&#34;color:#ae81ff&#34;&gt;48&lt;/span&gt; ), DataOffset );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;if&lt;/span&gt; ( readQword( Data &lt;span style=&#34;color:#f92672&#34;&gt;+&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;0xC&lt;/span&gt; ) &lt;span style=&#34;color:#f92672&#34;&gt;==&lt;/span&gt; dbk_getPEProcess( RustPid ) ) &lt;span style=&#34;color:#66d9ef&#34;&gt;then&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;	print( &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;Valid Structure&amp;#34;&lt;/span&gt; );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;else&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;	print( &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;Invalid Structure&amp;#34;&lt;/span&gt; );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;end&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;--[[
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;	Valid Structure
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;--]]&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h1 id=&#34;connecting-the-dots-hal-to-the-rescue&#34;&gt;Connecting the Dots: Hal to the Rescue!&lt;/h1&gt;
&lt;p&gt;Up until now, we have discovered that EasyAntiCheat is somehow able to intercept any exception generated, but we don&amp;rsquo;t know how. So, let&amp;rsquo;s find out!&lt;/p&gt;
&lt;p&gt;While there are multiple approaches to this problem, such as recursing and reversing through every function from the interrupt&amp;rsquo;s routine. I opted for a more suitable method, which involved tracking the return stack directly to the function.&lt;/p&gt;
&lt;p&gt;To achieve this, I set a software breakpoint, &lt;code&gt;INT3&lt;/code&gt;, on their exception dispatcher routine and read the guest&amp;rsquo;s &lt;code&gt;RSP&lt;/code&gt; from the &lt;code&gt;VMCS&lt;/code&gt;. Then, I walked the stack and checked if the code was within a kernel code section.&lt;/p&gt;
&lt;p&gt;After tracing where it led me, I came to the conclusion that EasyAntiCheat was hooking &lt;code&gt;Hal&lt;/code&gt; pointers, as the return address led to the return of a call to a &lt;code&gt;Hal&lt;/code&gt; callback.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-cpp&#34; data-lang=&#34;cpp&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;InternalData &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; HalpTimerGetInternalData( Timer );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;Rax &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; ( &lt;span style=&#34;color:#f92672&#34;&gt;*&lt;/span&gt;( &lt;span style=&#34;color:#66d9ef&#34;&gt;__int64&lt;/span&gt; ( &lt;span style=&#34;color:#66d9ef&#34;&gt;__fastcall&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;**&lt;/span&gt; )( &lt;span style=&#34;color:#66d9ef&#34;&gt;__int64&lt;/span&gt; ) )( Timer &lt;span style=&#34;color:#f92672&#34;&gt;+&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;0x70&lt;/span&gt; ) )( InternalData );
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;This can be easily verified this by running this script and observing that all pointers point to EasyAntiCheat&amp;rsquo;s &lt;code&gt;Hal&lt;/code&gt; dispatcher:&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-lua&#34; data-lang=&#34;lua&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;local&lt;/span&gt; Timer &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; readPointer( HalpRegisteredTimers );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;while&lt;/span&gt; Timer &lt;span style=&#34;color:#f92672&#34;&gt;~=&lt;/span&gt; HalpRegisteredTimers &lt;span style=&#34;color:#66d9ef&#34;&gt;do&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;      print( string.format( &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;Timer %X points to Function %X&amp;#34;&lt;/span&gt;, Timer, readPointer( Timer &lt;span style=&#34;color:#f92672&#34;&gt;+&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;0x70&lt;/span&gt; ) ) );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;      Timer &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; readPointer( Timer );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;end&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;Congratulations on making it this far, that&amp;rsquo;s really impressive!&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Now, I have a little brain-teaser for you. Based on the information I&amp;rsquo;ve given you previously, try to figure out how EasyAntiCheat manages its &lt;code&gt;Hal&lt;/code&gt; hooks by reversing their dispatcher.&lt;/p&gt;
&lt;h1 id=&#34;building-the-puzzle-breaking-the-wall&#34;&gt;Building the Puzzle: Breaking the Wall&lt;/h1&gt;
&lt;p&gt;I hope this article has been helpful in showing how anticheats can exploit the kernel to their advantage. However, this is just the beginning, as it&amp;rsquo;s likely that EasyAntiCheat will eventually start hooking syscalls from their driver - Vanguard has been doing it for a while already.&lt;/p&gt;
&lt;p&gt;Furthermore, with EasyAntiCheat&amp;rsquo;s full control of context swaps, they can even implement per-thread hooks that are invisible to external threads. Alternatively, they can create hidden code regions that change on a per-thread basis.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-cpp&#34; data-lang=&#34;cpp&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;//
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;// This changes per update, it&amp;#39;s very simple to copy.
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;//
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;#define DecryptCr3( Cr3 )
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;//
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;// We don&amp;#39;t need to increment it, it&amp;#39;s useless.
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;//
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;UINT64 DataOffset &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; ( InitialDataOffset &lt;span style=&#34;color:#f92672&#34;&gt;&amp;amp;&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;0xFFFFFFFFF&lt;/span&gt; ) &lt;span style=&#34;color:#f92672&#34;&gt;&amp;lt;&amp;lt;&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;12&lt;/span&gt;;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;UINT64 Data &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;*&lt;/span&gt;( UINT64&lt;span style=&#34;color:#f92672&#34;&gt;*&lt;/span&gt; )( ( &lt;span style=&#34;color:#ae81ff&#34;&gt;0xFFFFull&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;&amp;lt;&amp;lt;&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;48&lt;/span&gt; ) &lt;span style=&#34;color:#f92672&#34;&gt;+&lt;/span&gt; DataOffset );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;DbgPrint( &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;[Eac] Data -&amp;gt; %llx&lt;/span&gt;&lt;span style=&#34;color:#ae81ff&#34;&gt;\n&lt;/span&gt;&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;&lt;/span&gt;, Data );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;PEPROCESS RustProcess;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;PsLookupProcessByProcessId( RustPid, &lt;span style=&#34;color:#f92672&#34;&gt;&amp;amp;&lt;/span&gt;RustProcess );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;UINT64 FakeCr3 &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;*&lt;/span&gt;( UINT64&lt;span style=&#34;color:#f92672&#34;&gt;*&lt;/span&gt; )( UINT64( RustProcess ) &lt;span style=&#34;color:#f92672&#34;&gt;+&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;0x28&lt;/span&gt; );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;UINT64 FixedCr3 &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; DecryptCr3( FakeCr3 &lt;span style=&#34;color:#f92672&#34;&gt;&amp;amp;&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;0xBFFF000000000FFF&lt;/span&gt; );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;DbgPrint( &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;[Eac] FixedCr3 -&amp;gt; %llx&lt;/span&gt;&lt;span style=&#34;color:#ae81ff&#34;&gt;\n&lt;/span&gt;&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;&lt;/span&gt;, FixedCr3 );
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;//
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;// We don&amp;#39;t want to leak any memory.
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;//
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#75715e&#34;&gt;&lt;/span&gt;ObDereferenceObject( RustProcess );
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;</content>
    </item>
    
    <item>
      <title></title>
      <link>/about/</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      
      <guid>/about/</guid>
      <description>About Me I engage in my research as a hobby, and do not pursue it for monetary gain.
Don&amp;rsquo;t contact me for cheating related inquires, as I will not respond.</description>
      <content>&lt;h1 id=&#34;about-me&#34;&gt;About Me&lt;/h1&gt;
&lt;p&gt;I engage in my research as a hobby, and do not pursue it for monetary gain.&lt;/p&gt;
&lt;p&gt;Don&amp;rsquo;t contact me for cheating related inquires, as I will not respond.&lt;/p&gt;
</content>
    </item>
    
  </channel>
</rss>