Tricking Easy Anti-Cheat into Protecting Any Application
Introduction
In this write-up, I’ll walk you through how I stumbled upon a critical vulnerability in Easy Anti-Cheat that makes it possible for any application to enjoy the cozy warmth of EAC protection—no questions asked. Spoiler alert: it’s ridiculously simple.
Discovery
Like most stories of unintentional chaos, this started with sheer curiosity. I was exploring the EAC launcher, trying to understand how it ticks. My question was innocent enough: How hard could it be to protect my own app with EAC?
I dug into the launcher, reverse-engineering my way through its logic. After a solid day of fiddling, I noticed something strange—or rather, something absent: there were no proper certificate checks in place. This was a bit like walking into a vault and realizing the lock was made of cardboard.
Naturally, I decided to poke the bear. What would happen if I just… removed the certificate from the EAC certificate folder? Would it throw a tantrum? Would it scream at me? Nope. It didn’t care.
Exploit
Armed with this newfound lack of security, I decided to go all in. First, I removed the original game executable and replaced it with my own application. Specifically, I was messing with Fortnite at the time, so I renamed my app to FortniteClient-Win64-Shipping.exe.
Now, here’s the wild part: since the EAC launcher module doesn’t validate certificates, I completely removed the certificates from the folder. But wait, there’s more. I matched the settings.json file with the original configuration for the game.
After matching it to look like this:
{
  "title": "Fortnite",
  "executable": "FortniteClient-Win64-Shipping.exe",
  "productid": "prod-fn",
  "sandboxid": "fn",
  "deploymentid": "62a9473a2dca46b29ccf17577fcf42d7",
  "requested_splash": "EasyAntiCheat/SplashScreen.png",
  "wait_for_game_process_exit": "false",
  "hide_bootstrapper": "false",
  "hide_gui": "false"
}
I launched the EAC launcher. Lo and behold, my application was running under the full protection of Easy Anti-Cheat like it was Fortnite itself. Bravo, me.
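The gap described above is a launcher that trusts whatever settings.json names without checking that the file it is about to protect is the one it was shipped for. The following is an added example, not EAC's code and not the author's: a hypothetical launcher-side gate that refuses to start the executable named in settings.json unless its SHA-256 is on a pinned allowlist and the certificate folder is still in place. It pins a hash rather than verifying an Authenticode signature so it runs on any platform; on Windows the same gate would check the signer with WinVerifyTrust. The EasyAntiCheat/Certificates layout, the allowlist contents and the sample executable bytes are constructed assumptions.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed stand-in for the genuine game binary. A real launcher pins the hash
# (or, better, the Authenticode signer) of the executable it shipped with.
GENUINE_EXE_BYTES = b"constructed stand-in for the genuine game executable"

# Hypothetical pinned allowlist: executable name -> SHA-256 of bytes allowed to run
# under protection. This must live in signed, launcher-controlled storage, never
# beside settings.json where a user can edit it.
EXPECTED_EXECUTABLE_HASHES = {
    "FortniteClient-Win64-Shipping.exe": hashlib.sha256(GENUINE_EXE_BYTES).hexdigest(),
}

# Keys the page's settings.json carries that a launcher should insist on.
REQUIRED_KEYS = ("title", "executable", "productid", "sandboxid", "deploymentid")


def sha256_of_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def validate_launch(game_dir: Path, expected_hashes: dict) -> list:
    """Return the reasons to refuse the launch; an empty list means the launch may proceed."""
    problems = []
    try:
        settings = json.loads((game_dir / "settings.json").read_text(encoding="utf-8"))
    except (OSError, ValueError) as exc:
        return [f"settings.json unreadable: {exc}"]

    for key in REQUIRED_KEYS:
        if key not in settings:
            problems.append(f"settings.json missing required key {key!r}")

    # The executable must be a bare file name: no separators, no traversal.
    exe_name = str(settings.get("executable", ""))
    if not exe_name or "/" in exe_name or "\\" in exe_name or exe_name in (".", ".."):
        problems.append("executable must be a bare file name inside the game directory")
        return problems

    exe_path = game_dir / exe_name
    if not exe_path.is_file():
        problems.append(f"executable {exe_name} not found")
    else:
        expected = expected_hashes.get(exe_name)
        if expected is None:
            problems.append(f"executable {exe_name} is not on the allowlist")
        elif sha256_of_file(exe_path) != expected:
            problems.append(f"executable {exe_name} hash mismatch: file was replaced")

    # Assumed layout: certificates live under EasyAntiCheat/Certificates.
    cert_dir = game_dir / "EasyAntiCheat" / "Certificates"
    if not cert_dir.is_dir() or not any(cert_dir.iterdir()):
        problems.append("certificate folder missing or empty: cannot verify the game identity")
    return problems


def _write_game_dir(game_dir: Path, exe_bytes: bytes, with_cert: bool) -> None:
    """Build a constructed game folder: executable, settings.json and optionally a certificate."""
    (game_dir / "FortniteClient-Win64-Shipping.exe").write_bytes(exe_bytes)
    settings = {
        "title": "Fortnite",
        "executable": "FortniteClient-Win64-Shipping.exe",
        "productid": "prod-fn",
        "sandboxid": "fn",
        "deploymentid": "62a9473a2dca46b29ccf17577fcf42d7",
        "requested_splash": "EasyAntiCheat/SplashScreen.png",
        "wait_for_game_process_exit": "false",
        "hide_bootstrapper": "false",
        "hide_gui": "false",
    }
    (game_dir / "settings.json").write_text(json.dumps(settings), encoding="utf-8")
    if with_cert:
        cert_dir = game_dir / "EasyAntiCheat" / "Certificates"
        cert_dir.mkdir(parents=True)
        (cert_dir / "game.cer").write_bytes(b"constructed placeholder certificate")


def demo() -> tuple:
    """Check a genuine layout and one where the executable was swapped and certificates removed."""
    with tempfile.TemporaryDirectory() as tmp:
        genuine = Path(tmp) / "genuine"
        swapped = Path(tmp) / "swapped"
        genuine.mkdir()
        swapped.mkdir()
        _write_game_dir(genuine, GENUINE_EXE_BYTES, with_cert=True)
        _write_game_dir(swapped, b"constructed bytes of an unrelated program", with_cert=False)
        return (validate_launch(genuine, EXPECTED_EXECUTABLE_HASHES),
                validate_launch(swapped, EXPECTED_EXECUTABLE_HASHES))


if __name__ == "__main__":
    ok, refused = demo()
    print("genuine:", ok or "launch allowed")
    print("swapped:", refused)
```

The swapped folder is refused for two independent reasons (hash mismatch and missing certificates), which is the point of the design: each check alone would catch the rename trick, and the allowlist lookup also stops an executable that was never shipped for that product id from being launched under protection at all.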
Proof of Concept (PoC)
Impact
Now, let’s talk about why this is actually serious and not just some coding shenanigan:
Unauthorized Access: Attackers could use this method to make EAC protect unauthorized applications, potentially accessing restricted resources in the process.
Malware Disguises: This vulnerability could let malicious software masquerade as legitimate game clients, risking system compromise.
Conclusion
After stumbling upon this vulnerability, I did the responsible thing and reported it to Epic Games. Their response? “Duplicate report.” Apparently, someone had raised a similar issue back in 2023. Fun fact: it still hasn’t been fixed.
So, here we are. A vulnerability that lets you trick EAC into protecting anything with the same effort it takes to rename a file.
Thanks for reading this (hopefully entertaining) write-up! And remember, this is for educational purposes only—don’t go causing chaos.