They also query PC information from user mode.
They access many registry keys.
They also perform a memory scan by calling ZwQueryVirtualMemory.
The first scan runs 10 minutes later.
After that, a scan runs every five minutes.
The screenshot below shows the functions of the memory scanner.
https://imgbb.com/HV88kXL
Code:
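// Ghidra-style decompiler output (pseudo-C, not compilable as-is).
// FUN_*/DAT_*/LAB_* names are generated from addresses; s_* names are generated
// from the string they point to and are visibly truncated in places, so the
// full string contents cannot be read from the names alone.
// Several functions declared __thiscall are called below with fewer arguments
// than their definitions list (e.g. FUN_011591ff), so the object argument is
// not always shown at the call site.
// The recurring `x = DAT_011f4004 ^ (uint)&stack0xfffffffc` at entry and
// `FUN_011dc455()` before return look like a compiler stack-cookie setup and
// check -- NOTE(review): confirm.

// Runs only when param_1[4] != 0. Visible steps: optionally copy the int at
// param_1_00 + 0x6b0 into the fields at +0x90/+0x94/+0x98, pass a
// "User-Agent" / "EasyAntiCheat_Client..." string pair to FUN_0116438e, build
// a string from the "https://gossip.easyanticheat.net..." constant, hand two
// (pointer, length) pairs to FUN_01153bdf, then call FUN_011642de with
// 0x1bb (443) and the range [param_2[0], param_2[1]).
// NOTE(review): this looks like an HTTPS upload of the buffer described by
// param_2; the callee semantics are not visible here -- confirm.
void __thiscall FUN_01167e34(int param_1_00,undefined4 *param_1,int *param_2)
{
  undefined4 *puVar1;
  int iVar2;
  undefined4 *puVar3;
  undefined4 ***pppuVar4;
  int iVar5;
  undefined local_3c [24];
  undefined4 ***local_24 [5];
  uint local_10;
  uint local_c;

  local_c = DAT_011f4004 ^ (uint)&stack0xfffffffc;
  if (param_1[4] != 0) {
    // A non-zero value at +0x6b0 overrides three adjacent fields (meaning not
    // visible in this listing).
    iVar2 = *(int *)(param_1_00 + 0x6b0);
    if (iVar2 != 0) {
      *(int *)(param_1_00 + 0x90) = iVar2;
      *(int *)(param_1_00 + 0x94) = iVar2;
      *(int *)(param_1_00 + 0x98) = iVar2;
    }
    FUN_0116438e(s_User-Agent_011e7bc8,s_EasyAntiCheat_Client_011e7bb0);
    FUN_011591ff(s_https://gossip.easyanticheat.net_011e7bd4);
    // Produces a string-like object in local_3c from 0xb3 bytes at
    // DAT_011e7764; how the bytes are transformed is not visible here.
    puVar3 = (undefined4 *)FUN_01167f1d(local_3c,&DAT_011e7764,0xb3);
    puVar1 = puVar3 + 4;
    // Recurring pattern: when element [5] exceeds 0xf the data pointer is read
    // from element [0], otherwise the object itself is used as the buffer;
    // element [4] is passed as the length. Looks like a small-string-optimised
    // string object -- NOTE(review): confirm.
    if (0xf < (uint)puVar3[5]) {
      puVar3 = (undefined4 *)*puVar3;
    }
    FUN_01153bdf(puVar3,*puVar1);
    FUN_011539d2();
    puVar1 = param_1 + 4;
    if (0xf < (uint)param_1[5]) {
      param_1 = (undefined4 *)*param_1;
    }
    FUN_01153bdf(param_1,*puVar1);
    // param_2[0] / param_2[1] are used as the begin / end of a byte range;
    // an empty range is passed as a null start pointer.
    iVar2 = *param_2;
    iVar5 = 0;
    if (iVar2 != param_2[1]) {
      iVar5 = iVar2;
    }
    // local_24 and local_10 are never assigned in this listing; presumably
    // they are the string object filled in by the FUN_011591ff call above,
    // split into two locals by the decompiler -- NOTE(review): confirm.
    pppuVar4 = local_24;
    if (0xf < local_10) {
      pppuVar4 = local_24[0];
    }
    FUN_011642de(pppuVar4,0x1bb,iVar5,param_2[1] - iVar2,0);
    FUN_011539d2();
  }
  FUN_011dc455();
  return;
}

// Maps the status code in param_1 to a pair of strings: a message constant
// and a "game_error.*" constant. Does nothing when param_3 == 0. Code 0 skips
// the string handling; codes outside 0..0xf fall back to the caller-supplied
// text in param_2. Every path that passes the param_3 check ends in
// FUN_01176fe4(param_4).
void FUN_01188075(undefined4 param_1,char *param_2,int param_3,undefined4 param_4)
{
  char cVar1;
  undefined4 uVar2;
  char *pcVar3;
  undefined local_38 [24];
  undefined local_20 [24];
  uint local_8;

  local_8 = DAT_011f4004 ^ (uint)&stack0xfffffffc;
  if (param_3 == 0) goto LAB_0118835f;
  switch(param_1) {
  case 0:
    goto switchD_011880af_caseD_0;
  case 1:
    FUN_011591ff(s_Easy_Anti-Cheat_Hash_Catalogue_n_011e24b4);
    pcVar3 = s_game_error.error_catalogue_not_f_011e8750;
    break;
  case 2:
    FUN_011591ff(s_EAC_index_access_error_011e258c);
    pcVar3 = s_game_error.error_catalogue_file_011e8778;
    break;
  case 3:
    FUN_011591ff(s_EAC_index_certificate_revoked_011e2554);
    pcVar3 = s_game_error.error_certificate_rev_011e8798;
    break;
  case 4:
    FUN_011591ff(s_Unknown_file_version_011e24e0);
    pcVar3 = s_game_error.error_file_version_011e87c0;
    break;
  case 5:
    FUN_011591ff(s_Missing_required_file_011e25a4);
    pcVar3 = s_game_error.error_file_not_found_011e87e0;
    break;
  case 6:
    FUN_011591ff(s_Unknown_game_file_011e25bc);
    pcVar3 = s_game_error.error_file_forbidden_011e8800;
    break;
  case 7:
    FUN_011591ff(s_Untrusted_system_file_011e2574);
    pcVar3 = s_game_error.error_system_version_011e8820;
    break;
  case 8:
    FUN_011591ff(s_Forbidden_module_011e2508);
    pcVar3 = s_game_error.error_module_forbidde_011e8840;
    break;
  case 9:
    FUN_011591ff(s_Corrupted_memory_011e251c);
    pcVar3 = s_game_error.error_corrupted_memor_011e8864;
    break;
  case 10:
    FUN_011591ff(s_Forbidden_tool_011e24f8);
    pcVar3 = s_game_error.error_tool_forbidden_011e8888;
    break;
  case 0xb:
    FUN_011591ff(s_Internal_anti-cheat_error_011e2478);
    pcVar3 = s_game_error.error_violation_011e88a8;
    break;
  case 0xc:
    FUN_011591ff(s_Corrupted_packet_flow_011e2460);
    pcVar3 = s_game_error.error_corrupted_netwo_011e88c4;
    break;
  case 0xd:
    FUN_011591ff(s_Cannot_run_under_Virtual_Machine_011e2530);
    pcVar3 = s_game_error.error_virtual_011e88e8;
    break;
  case 0xe:
    FUN_011591ff(s_Forbidden_system_configuration_011e2494);
    pcVar3 = s_game_error.error_system_configur_011e8904;
    break;
  case 0xf:
    FUN_011591ff(s_Could_not_locate_game_executable_011e2424);
    pcVar3 = s_game_error.executable_not_hashed_011e892c;
    break;
  default:
    if (param_2 != (char *)0x0) {
      // Inlined strlen: walk to the terminator, then pass (text, length).
      pcVar3 = param_2;
      do {
        cVar1 = *pcVar3;
        pcVar3 = pcVar3 + 1;
      } while (cVar1 != '\0');
      FUN_01157c13(param_2,(int)pcVar3 - (int)(param_2 + 1));
    }
    // Clearing param_2 makes the non-empty-text check below fail for this path.
    param_2 = (char *)0x0;
    goto switchD_011880af_caseD_0;
  }
  // Known codes 1..0xf: wrap the "game_error.*" constant as well, then pass
  // the result of FUN_01164c1d to FUN_01165270. The two FUN_011539d2 calls
  // presumably release the two temporaries -- NOTE(review): confirm.
  FUN_011591ff(pcVar3);
  uVar2 = FUN_01164c1d(local_38,local_20);
  FUN_01165270(uVar2);
  FUN_011539d2();
  FUN_011539d2();
switchD_011880af_caseD_0:
  FUN_01176fe4(param_4);
  if ((param_2 != (char *)0x0) && (*param_2 != '\0')) {
    // Three identical calls as decompiled; their other arguments are
    // presumably not shown by the decompiler -- NOTE(review): confirm.
    FUN_01177019(param_4);
    FUN_01177019(param_4);
    FUN_01177019(param_4);
  }
LAB_0118835f:
  FUN_011dc455();
  return;
}

// Maybe, not sure: something related to driver communication.
// NOTE(review): the visible body only initialises an object (first element 0,
// element [4] = 0, element [5] = 0xf), measures the C string in param_1 and
// passes (text, length) to FUN_01157c13. That looks like constructing a
// small-string-optimised string from a C string rather than talking to a
// driver -- confirm.
// Returns param_1_00.
undefined4 * __thiscall FUN_011591ff(undefined4 *param_1_00,char *param_1)
{
  char cVar1;
  char *pcVar2;

  *param_1_00 = 0;
  param_1_00[4] = 0;
  param_1_00[5] = 0xf;
  // Inlined strlen of param_1.
  pcVar2 = param_1;
  do {
    cVar1 = *pcVar2;
    pcVar2 = pcVar2 + 1;
  } while (cVar1 != '\0');
  FUN_01157c13(param_1,(int)pcVar2 - (int)(param_1 + 1));
  return param_1_00;
}

// Translates a result code into a text plus a numeric code and forwards them:
//   param_1 == 5 -> "BadAuthentication" constant, local_28 = 2
//   param_1 == 6 -> "AccountBanned" constant,     local_28 = 3
//   param_1 == 7 -> text taken from param_3,      local_28 = 2
// Any other value skips straight to the exit. For 5..7, param_2 is stored in
// local_2c and &local_2c is passed to FUN_011714b7.
void FUN_011bae20(int param_1,undefined4 param_2,char *param_3)
{
  undefined local_44 [24];
  undefined4 local_2c;
  undefined4 local_28;
  uint local_c;

  local_c = DAT_011f4004 ^ (uint)&stack0xfffffffc;
  if (param_1 == 5) {
    param_3 = s_BadAuthentication_011e9738;
LAB_011bae6e:
    FUN_011591ff(param_3);
    local_28 = 2;
  }
  else {
    if (param_1 != 6) {
      if (param_1 != 7) goto LAB_011baeae;
      // For code 7 param_3 is read as an object, not a plain char *: the uint
      // at +0x14 selects between the inline buffer and a pointer stored at
      // offset 0.
      if (0xf < *(uint *)((int)param_3 + 0x14)) {
        param_3 = *(char **)param_3;
      }
      goto LAB_011bae6e;
    }
    FUN_011591ff(s_AccountBanned_011e974c);
    local_28 = 3;
  }
  local_2c = param_2;
  FUN_01153df5(local_44);
  FUN_011714b7(&local_2c);
  FUN_011539d2();
  FUN_011539d2();
LAB_011baeae:
  FUN_011dc455();
  return;
}

// Acts only when the int at param_1 + 0x50 equals 3. It then fills a record
// reached through local_10[0]: element [0] = 1, element [1] = param_2, and
// element [0x13] = the counter at param_1 + 0x88, which is incremented
// afterwards. The record is then passed on through FUN_0116a71d.
// NOTE(review): local_10[0] is never assigned in this listing; presumably
// FUN_01154024(0x60, ...) allocates the record and stores the pointer there
// -- confirm.
void __thiscall FUN_01170dfd(undefined4 param_1_00,int param_1,undefined4 param_2)
{
  int iVar1;
  undefined4 *local_10 [3];

  if (*(int *)(param_1 + 0x50) == 3) {
    FUN_01154024(0x60,param_1_00);
    local_10[0][1] = param_2;
    *local_10[0] = 1;
    // Post-increment: the record gets the old counter value.
    iVar1 = *(int *)(param_1 + 0x88);
    *(int *)(param_1 + 0x88) = iVar1 + 1;
    local_10[0][0x13] = iVar1;
    FUN_011498d4(local_10[0] + 3,0);
    FUN_011498d4(local_10[0] + 0xb,0);
    FUN_01155a38(local_10[0] + 0x14);
    FUN_0116a71d(local_10,0);
    FUN_0115388b();
  }
  return;
}

// HeartBeat
// Event handler keyed by param_2, with param_1 selecting the event:
//   0 -> "ChallengeResponseTimeout" via FUN_0117142b, unless puVar1[0x14] == 3
//   1 -> FUN_01170dfd(puVar1, 3)
//   2 -> "HeartbeatTimeout" via FUN_0117142b when FUN_0116abde() returns >= 1
//   3 -> FUN_01170dfd(puVar1, 6), once per entry (byte at +0x8d) and only
//        while the byte at param_1_00 + 0x147 and param_1_00[0x148] are zero
// The entry is ignored unless its element [0x13] equals param_3.
// The body is bracketed by calls through DAT_011de098 / DAT_011de0a0 on
// param_1_00 + 0xd; NOTE(review): this looks like a lock acquire / release
// pair -- confirm against the import table.
uint __thiscall FUN_0116f8d7(undefined4 *param_1_00,int param_1,uint param_2,int param_3)
{
  undefined4 *puVar1;
  char cVar2;
  int iVar3;
  uint uVar4;
  byte unaff_SI;
  char *pcVar5;
  undefined4 uStack_1c;
  undefined4 uStack_18;
  int iStack_14;

  (*DAT_011de098)(param_1_00 + 0xd);
  // `&param_2` restored here: the page showed `¶m_2`, the usual result of an
  // HTML renderer decoding `&para` inside `&param_2`.
  FUN_011717ac(&uStack_1c,&param_2);
  // Lookup result check: accept the node only if its flag byte at +0xd is 0
  // and its key at +0x10 is <= param_2; otherwise fall back to the sentinel
  // stored in param_1_00[0xb]. iStack_14 is presumably written by the call
  // above -- NOTE(review): confirm.
  if ((*(char *)(iStack_14 + 0xd) == '\0') && (*(uint *)(iStack_14 + 0x10) <= param_2)) {
    iVar3 = param_1_00[0xb];
  }
  else {
    iVar3 = param_1_00[0xb];
    iStack_14 = iVar3;
  }
  // Not found, or the entry's element [0x13] does not match param_3: leave.
  if ((iStack_14 == iVar3) ||
     (puVar1 = *(undefined4 **)(iStack_14 + 0x14), puVar1[0x13] != param_3)
     ) goto LAB_0116fa02;
  if (param_1 == 0) {
    if (puVar1[0x14] == 3) goto LAB_0116fa02;
    pcVar5 = s_ChallengeResponseTimeout_011e7ed8;
  }
  else {
    if (param_1 == 1) {
      FUN_01170dfd(puVar1,3);
      goto LAB_0116fa02;
    }
    if (param_1 != 2) {
      if ((((param_1 == 3) && (*(char *)(param_1_00 + 0x147) == '\0')) &&
          (param_1_00[0x148] == 0)) && (*(char *)((int)puVar1 + 0x8d) == '\0')) {
        FUN_01170dfd(puVar1,6);
        // Mark the entry and remember its first element so this branch is not
        // taken again while param_1_00[0x148] stays non-zero.
        *(undefined *)((int)puVar1 + 0x8d) = 1;
        param_1_00[0x148] = *puVar1;
      }
      goto LAB_0116fa02;
    }
    FUN_01159232();
    uStack_1c = *param_1_00;
    uStack_18 = 0;
    cVar2 = FUN_0116abde();
    if (cVar2 < '\x01') goto LAB_0116fa02;
    pcVar5 = s_HeartbeatTimeout_011e7ef4;
  }
  FUN_0117142b(puVar1,pcVar5,1);
LAB_0116fa02:
  uVar4 = (*DAT_011de0a0)(param_1_00 + 0xd);
  // unaff_SI is never assigned in this listing, so the low byte of the return
  // value is presumably a decompiler artefact -- NOTE(review): confirm.
  return uVar4 & 0xffffff00 | (uint)unaff_SI;
}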