Bypassing EQU8 from user-mode


EQU8 is a relatively new kernel anticheat used by several games, developed by a company named Int3 Software that has been around since 2016.


I have already done a bypass for a game called Diabotical that uses this anticheat (you can find it on my GitHub), but this time I wanted to do a user-mode bypass on their most popular protected game, Totally Accurate Battlegrounds.


At first I wanted to hijack a legitimate DLL that the game loads and replace it with my cheat. My target was InControlNative.dll. The first attempt did not go well: the DLL loaded successfully, but the player could not move.


Why? Because this DLL handles keyboard input. So I had another idea to get around this: load the original DLL, grab its export addresses, and create fake export functions in my cheat with the same names as the original DLL's, "redirecting" each call to the original DLL.


This method worked perfectly well: I could move the player normally and inject my cheat, but there is a catch. EQU8 has a protection for game resources.


EQU8 has a file called equ8.db; this file is a digitally signed catalog of the protected files, so if you change a protected file you will get an anticheat error when you try to join an online game.


Yeah, I could have found where the verification was done and patched it, but I didn't, because this shit is time consuming and debugging Unity games is a pain in the ass.
Abusing lsass.exe


Why patch and do all the reversing shit when you can just abuse lsass privileges?


After my little failure with the first method, I checked all the handles opened to TotallyAccurateBattlegrounds.exe with Process Hacker, and I saw that csrss.exe and lsass.exe had handles open to TotallyAccurateBattlegrounds.exe with PROCESS_VM_OPERATION access.


So I had a little idea: why not inject a DLL into lsass.exe, hijack that handle, and inject the cheat into TotallyAccurateBattlegrounds.exe?


So I wrote a little piece of code for "bruteforcing" all handles and checking them with GetProcessId(), and it worked: I could get the handle, but I was not sure whether this handle had enough privileges to inject a DLL, so I tested something.


I tried simply opening a handle with OpenProcess() and PROCESS_ALL_ACCESS, and checked in Process Hacker whether the handle had been opened with all access. It had :)


So now that I have full access to TotallyAccurateBattlegrounds.exe, I can inject my cheat very easily; writing a simple LoadLibrary injector as a PoC was not really hard.
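The whole trick above depends on getting an unsigned DLL loaded into lsass.exe. As an added defender-side check (not part of the original post or the BlueBox code), the script below verifies whether LSA Protection (the RunAsPPL setting, which stops lsass from loading code that is not Microsoft-signed) is enabled, and lists any module currently loaded in lsass.exe that fails Authenticode verification. It assumes an elevated PowerShell session on the machine being checked.

```powershell
# Added example: audit a host for the lsass.exe injection path described above.
# Run from an elevated PowerShell prompt.

function Test-LsaProtection {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $val = (Get-ItemProperty -Path $key -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
    # 1 and 2 both mean LSA runs as a Protected Process Light (they differ only in
    # UEFI lock behaviour); any other value means lsass.exe is open to DLL injection
    # from any process holding SeDebugPrivilege.
    [pscustomobject]@{
        RunAsPPL  = $val
        Protected = ($val -eq 1 -or $val -eq 2)
    }
}

function Get-UnsignedLsassModules {
    $lsass = Get-Process -Name lsass -ErrorAction Stop
    try {
        foreach ($m in $lsass.Modules) {
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName
            # Anything other than 'Valid' (NotSigned, HashMismatch, ...) deserves a look.
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Module = $m.ModuleName
                    Path   = $m.FileName
                    Status = $sig.Status
                    Signer = $sig.SignerCertificate.Subject
                }
            }
        }
    } catch [System.ComponentModel.Win32Exception] {
        # With LSA Protection on, even an administrator cannot read lsass memory,
        # so module enumeration itself is denied. That is the expected, healthy result.
        Write-Warning "Cannot enumerate lsass.exe modules (access denied): $($_.Exception.Message)"
    }
}

Test-LsaProtection
Get-UnsignedLsassModules | Format-Table -AutoSize
```

An empty module list with RunAsPPL set to 1 or 2 is the baseline a blue team wants to see; a non-Microsoft or unsigned module inside lsass.exe is a high-priority finding on its own.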


You can find the code of the injector on the BlueBox github.


Now you have all the keys to make your own l33t cheat for TABG in usermode.