Tricking Easy Anti-Cheat into Protecting Any Application
Introduction: Hiding Behind the Shield
Easy Anti-Cheat (EAC) is a popular anti-cheat used in many multiplayer games to stop cheaters. It runs with elevated privileges to monitor the game and block cheats. This article describes a serious flaw we found in EAC: it lets an attacker make EAC protect any program they choose, even malware. The trick is very simple and doesn't need any complex code.
Discovery
We started by looking at how an EAC-protected game starts up. Usually, a launcher (`EasyAntiCheat_launcher.exe`) starts the anti-cheat service and then runs the game itself. The launcher is supposed to check that the game executable is the real, signed one before protecting it. But we found that the EAC launcher wasn't properly checking the certificate of the game it was launching.
Exploit
Because it doesn't validate the certificate, EAC can't be sure it's launching the right game. Here's how to exploit it:
First, we navigate to the game directory of an EAC-protected game (e.g., Fortnite). Next, we delete the `Certificates` folder within the `EasyAntiCheat` directory. This step prevents the launcher from using its certificate and forces it down a less secure validation path. Finally, we replace the legitimate game executable (e.g., `FortniteClient-Win64-Shipping.exe`) with any other application, such as `notepad.exe` or, more maliciously, a custom-coded program. The replacement binary must have exactly the same name as the original.
When you run the normal EAC launcher, it starts without any errors. But instead of the game, it launches the swapped program and gives it full EAC protection. The swapped application is now shielded by a strong anti-cheat, which makes it much harder for anyone to analyze or reverse engineer.
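The two conditions the steps above produce (a removed `Certificates` folder and an unsigned binary standing in for the game executable) are easy to check for from the defender's side. The following script is an added example and not part of the original article or of EAC; it assumes the directory layout described above (`EasyAntiCheat/Certificates` under the game directory) and only checks whether the executable's PE security data directory is populated, i.e. whether an Authenticode signature is embedded at all, not whether that signature is valid.

```python
import struct
from pathlib import Path

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode certificate table

def has_embedded_signature(pe: bytes) -> bool:
    """True when the PE's security data directory is populated (presence only, not validity)."""
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)  # SizeOfOptionalHeader
    opt = coff + 20                                        # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", pe, opt)
    dd = {0x10B: opt + 96, 0x20B: opt + 112}.get(magic)    # data directories: PE32 / PE32+
    if dd is None:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    entry = dd + SECURITY_DIR * 8
    if entry + 8 > opt + opt_size:
        return False                                       # header too short to hold the entry
    return all(struct.unpack_from("<II", pe, entry))       # offset and size both non-zero

def audit_game_dir(game_dir, exe_name: str) -> list:
    """Report the two conditions described above: Certificates folder removed, unsigned game binary."""
    game_dir, findings = Path(game_dir), []
    if not (game_dir / "EasyAntiCheat" / "Certificates").is_dir():
        findings.append("EasyAntiCheat/Certificates folder is missing")
    exe = game_dir / exe_name
    if not exe.is_file():
        findings.append(f"{exe_name} is missing")
        return findings
    try:
        if not has_embedded_signature(exe.read_bytes()):
            findings.append(f"{exe_name} carries no embedded Authenticode signature")
    except (ValueError, struct.error) as err:
        findings.append(f"{exe_name} is not a valid PE file: {err}")
    return findings

def build_minimal_pe(signed: bool) -> bytes:
    """Constructed test data: a bare PE32+ header whose security directory is populated or empty."""
    e_lfanew, opt_size = 64, 240
    opt = e_lfanew + 4 + 20
    buf = bytearray(opt + opt_size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", buf, e_lfanew + 4 + 16, opt_size)   # SizeOfOptionalHeader
    struct.pack_into("<H", buf, opt, 0x20B)                    # PE32+ magic
    struct.pack_into("<II", buf, opt + 112 + SECURITY_DIR * 8, len(buf) if signed else 0, 0x100 if signed else 0)
    return bytes(buf)
```

A populated certificate table is only a first filter; on Windows the signer and chain should then be verified with `Get-AuthenticodeSignature` or `WinVerifyTrust`, which is the check the launcher itself should have been performing.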
Proof of Concept (PoC)
Conclusion and Impact
This flaw means an anti-cheat can be turned into an attack tool. A malware author could use this trick to shelter their malware behind EAC's protection, making it much harder for antivirus programs and researchers to analyze. We reported this to Epic Games, and they said it was a "duplicate report" from 2023, but the bug still wasn't fixed when we found it.