Cheat Engine with EAC - anti cheat
Anyone know a method to use 100% of cheat engine in games which use EAC anti cheat?
Re: Cheat Engine with EAC - anti cheat
For Hero Siege all you have to do is run the executable from the main directory.
Re: Cheat Engine with EAC - anti cheat
The main problem is my char and items are saved on Steam Cloud; when I run the executable directly I can't load my chars.
For some reason I can use Cheat Engine only for scan, edit memory, access what write/read, but I can't inject a code.
It's annoying since a guy, ansxx, updated your table in the Hero Siege post and I can't use it on single player with EAC.
I compared the instructions and bytes and all are the same. Nothing has changed in the region where he injects the code, but the EAC is blocking it in some way.
Re: Cheat Engine with EAC - anti cheat
From what I'm reading, the game can be run without EAC directly from the executable, but you probably miss an argument or something that initializes Steam. That's all. And since you've tried a or b, you're not very convinced you've tried "everything"... Please try harder.
EDIT: You owe me 6$, as I had to buy the game to demonstrate the below
The method below is NOT A BYPASS FOR ONLINE PLAY! It's aimed at just disabling EAC for SINGLE PLAYER PURPOSES!
1) Download [Link]. Click the big green button. At the time of the post, the snapshot I'm looking at is snapshot_2022-09-25_14-55.zip.
2) Extract the content of the release folder in the ZIP to a folder of your choice on disk (e.g.: D:\x64dbg).
3) Run x96dbg.exe and click Yes, No, Yes:
4) Go to game folder (e.g.: G:\SteamLibrary\steamapps\common\HeroSiege\bin). Right-click start_protected_game.exe and 'Debug with x64dbg'. You will see this:
5) Click 'Symbols', then check the list on the left-side. Right-click 'start_protected_game.exe' and 'Follow in Disassembler' (or press Enter key after you've clicked on the line with 'start_protected_game.exe'):
5) Ctrl+G > :$1A9F8. Then press F2. It should now look like this:
6) Press Shift+F9 keys twice. You should now be at the breakpoint:
7) You now want to double-click on EAX register in the right tree and change it from value 3 to value 2:
You will now see the JMP branch has changed and flow will execute the function immediately beneath the JMP.
8) Press Shift+F9 3 times and you'll see EAC erroring. Wait 3-5s more and you'll see the EAC window dying, the 'start_protected_game.exe' process terminating in x64dbg and the game window showing up.
What the above accomplishes is to force EAC to run the "I can't connect to download server" branch. Which is == if no connection, then run the game
BR,
Sun
Re: Cheat Engine with EAC - anti cheat
I did a bit of research, looking for some examples of proxy DLLs -- namely the ones 'start_protected_game.exe' imports -- and found this:
[Link]
[Link]
So I said "let's give it a go".
Download the latest release:
Then from the ZIP extract to game folder (e.g.: G:\SteamLibrary\steamapps\common\HeroSiege\bin) the following:
- Koaloader-v2.4.0.zip\msimg32-32\msimg32.dll
- Koaloader-v2.4.0.zip\Koaloader.json
Now open Koaloader.json and paste this in:
Code:
{
  "logging": false,
  "targets": [
    "start_protected_game.exe"
  ],
  "modules": [
    {
      "path": "Lyptus32.dll"
    }
  ]
}
Now, we want to bring in the x86 library that will DO THE PATCHING, called Lyptus. Which can be found in same user's repository, here:
[Link]
Download the latest release:
Extract 'Lyptus32.dll' and 'Lyptus.json' to game folder. Open the .json file and paste this in (overwrite everything):
Code:
{
  "logging": true,
  "patches": [
    {
      "name": "Patch #1 (force leap to CreateProcess)",
      "pattern": "0FB680????????FF2485????????FFB6????????8B86",
      "offset": 0,
      "replacement": "31C09090909090",
      "enabled": true,
      "required": false
    },
    {
      "name": "Patch #2 (force leap to ExitProcess(0))",
      "pattern": "80BE????????000F85????????8B86????????8BB6????????6A3089",
      "offset": 0,
      "replacement": "6A00E8322E0400",
      "enabled": true,
      "required": false
    }
  ]
}
What the above does is to patch that EAX to 0 (I did some more testing and found 0 to be a more appealing value), then, once the CreateProcess is run, to immediately jump to ExitProcess with arg 0. This will kill 'start_protected_game.exe'.
So now, when you start the game from Steam, you'll see the EAC launcher for 0.5-1s, then, like earlier, in 2-3s time the game window will show up
There you have it, a loader+patcher and I didn't have to code anything this time around
Note that if the game updates, so will 'start_protected_game.exe' file. Meaning the patches above have to be recalculated based on the new file. They can easily be fixed, unless the EAC devs change the exe code radically. You've been warned.
P.S.: The loader/patcher author has some other NICE stuff in his repositories. Be sure to check it out
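A defender-side check for the proxy-DLL loading described in the post above, as an added example that is not part of the original thread or of any project it mentions: it flags DLLs in an application folder that share a name with a system DLL (as msimg32.dll does here) and JSON files laid out like the loader config shown. The function names and the result layout are assumptions made for this example.

```python
import hashlib
import json
import os
from pathlib import Path


def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def default_system_dirs():
    root = os.environ.get("SystemRoot", r"C:\Windows")
    return [Path(root) / "System32", Path(root) / "SysWOW64"]


def audit_app_dir(app_dir, system_dirs=None):
    """Report DLLs in app_dir that shadow a system DLL name, and JSON files
    laid out like the loader config in the post ('targets' + 'modules')."""
    system = {}  # lower-cased DLL name -> paths of the system copies
    for d in map(Path, system_dirs or default_system_dirs()):
        if d.is_dir():
            for f in d.iterdir():
                if f.suffix.lower() == ".dll":
                    system.setdefault(f.name.lower(), []).append(f)

    findings = []
    for f in sorted(Path(app_dir).iterdir()):
        name, ext = f.name.lower(), f.suffix.lower()
        if not f.is_file():
            continue
        if ext == ".dll" and name in system:
            # Byte-identical means a redistributed system file; a different
            # file under a system DLL's name deserves a closer look.
            same = sha256(f) in {sha256(p) for p in system[name]}
            findings.append({"type": "shadowed_dll", "file": f.name,
                             "identical_to_system_copy": same})
        elif ext == ".json":
            try:
                cfg = json.loads(f.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable or not JSON: nothing to report
            if (isinstance(cfg, dict) and "targets" in cfg
                    and isinstance(cfg.get("modules"), list)):
                mods = [m.get("path") for m in cfg["modules"]
                        if isinstance(m, dict)]
                findings.append({"type": "loader_config", "file": f.name,
                                 "targets": cfg["targets"], "modules": mods})
    return findings
```

Run it against an install folder and review every `shadowed_dll` entry where `identical_to_system_copy` is false, together with the modules any `loader_config` entry names.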
Re: Cheat Engine with EAC - anti cheat
ohh fk very nice job =D
Please let me know which method you prefer so I can pay you the 6$ for the cost of the game
Re: Cheat Engine with EAC - anti cheat
I was joking, man. I did end up playing a bit of it, so we're good. Looks like a Diablo 2 replica, if you ask me (it's true I've not done any reading about it, so that's that).
Yeah, found it funny that there are a shitload of tools out there no one knows about and I just happened to stumble across one. A mighty good one, actually. The same user has done a LOT of work for store clients (Steam, EGS, Ubisoft) and unlocking DLCs, paid content, etc. Emulators. Each tool in his GitHub repos has a link to a release topic @ cs.rin.ru. Go to those topics, if you're curious or have the time to and witness his greatness.
Re: Cheat Engine with EAC - anti cheat
SunBeam wrote: Thu Sep 29, 2022 11:27 pm
I was joking, man. I did end up playing a bit of it, so we're good. Looks like a Diablo 2 replica, if you ask me (it's true I've not done any reading about it, so that's that).
Btw, have you ever tried to hack Hero Siege with EAC enabled?
Actually, not fully hack, just make a pointer for the baseEquip address?
Do you think it would be possible?
Re: Cheat Engine with EAC - anti cheat
Hi. No. And please stop asking for ways to bypass EAC in MP. Thanks.
Re: Cheat Engine with EAC - anti cheat
Totally understood.
I haven't read that post until now =D
Re: Cheat Engine with EAC - anti cheat
It doesn't work anymore. Both methods. Or I'm really dumb. Dunno