they also query PC Information from user mode.
they access to many registry folder.
they also perform a memory scan by calling ZwQueryVirtualMemory.
First scan 10 minuts later
Then every five minuts.
On the screen shot below
The Functions of memory scanner.
https://imgbb.com/HV88kXL
Code:
void __thiscall FUN_01167e34(int param_1_00,undefined4 *param_1,int *param_2)
{
undefined4 *puVar1;
int iVar2;
undefined4 *puVar3;
undefined4 ***pppuVar4;
int iVar5;
undefined local_3c [24];
undefined4 ***local_24 [5];
uint local_10;
uint local_c;
local_c = DAT_011f4004 ^ (uint)&stack0xfffffffc;
if (param_1[4] != 0) {
iVar2 = *(int *)(param_1_00 + 0x6b0);
if (iVar2 != 0) {
*(int *)(param_1_00 + 0x90) = iVar2;
*(int *)(param_1_00 + 0x94) = iVar2;
*(int *)(param_1_00 + 0x98) = iVar2;
}
FUN_0116438e(s_User-Agent_011e7bc8,s_EasyAntiCheat_Client_011e7bb0);
FUN_011591ff(s_https://gossip.easyanticheat.net_011e7bd4);
puVar3 = (undefined4 *)FUN_01167f1d(local_3c,&DAT_011e7764,0xb3);
puVar1 = puVar3 + 4;
if (0xf < (uint)puVar3[5]) {
puVar3 = (undefined4 *)*puVar3;
}
FUN_01153bdf(puVar3,*puVar1);
FUN_011539d2();
puVar1 = param_1 + 4;
if (0xf < (uint)param_1[5]) {
param_1 = (undefined4 *)*param_1;
}
FUN_01153bdf(param_1,*puVar1);
iVar2 = *param_2;
iVar5 = 0;
if (iVar2 != param_2[1]) {
iVar5 = iVar2;
}
pppuVar4 = local_24;
if (0xf < local_10) {
pppuVar4 = local_24[0];
}
FUN_011642de(pppuVar4,0x1bb,iVar5,param_2[1] - iVar2,0);
FUN_011539d2();
}
FUN_011dc455();
return;
}
void FUN_01188075(undefined4 param_1,char *param_2,int param_3,undefined4 param_4)
{
char cVar1;
undefined4 uVar2;
char *pcVar3;
undefined local_38 [24];
undefined local_20 [24];
uint local_8;
local_8 = DAT_011f4004 ^ (uint)&stack0xfffffffc;
if (param_3 == 0) goto LAB_0118835f;
switch(param_1) {
case 0:
goto switchD_011880af_caseD_0;
case 1:
FUN_011591ff(s_Easy_Anti-Cheat_Hash_Catalogue_n_011e24b4);
pcVar3 = s_game_error.error_catalogue_not_f_011e8750;
break;
case 2:
FUN_011591ff(s_EAC_index_access_error_011e258c);
pcVar3 = s_game_error.error_catalogue_file_011e8778;
break;
case 3:
FUN_011591ff(s_EAC_index_certificate_revoked_011e2554);
pcVar3 = s_game_error.error_certificate_rev_011e8798;
break;
case 4:
FUN_011591ff(s_Unknown_file_version_011e24e0);
pcVar3 = s_game_error.error_file_version_011e87c0;
break;
case 5:
FUN_011591ff(s_Missing_required_file_011e25a4);
pcVar3 = s_game_error.error_file_not_found_011e87e0;
break;
case 6:
FUN_011591ff(s_Unknown_game_file_011e25bc);
pcVar3 = s_game_error.error_file_forbidden_011e8800;
break;
case 7:
FUN_011591ff(s_Untrusted_system_file_011e2574);
pcVar3 = s_game_error.error_system_version_011e8820;
break;
case 8:
FUN_011591ff(s_Forbidden_module_011e2508);
pcVar3 = s_game_error.error_module_forbidde_011e8840;
break;
case 9:
FUN_011591ff(s_Corrupted_memory_011e251c);
pcVar3 = s_game_error.error_corrupted_memor_011e8864;
break;
case 10:
FUN_011591ff(s_Forbidden_tool_011e24f8);
pcVar3 = s_game_error.error_tool_forbidden_011e8888;
break;
case 0xb:
FUN_011591ff(s_Internal_anti-cheat_error_011e2478);
pcVar3 = s_game_error.error_violation_011e88a8;
break;
case 0xc:
FUN_011591ff(s_Corrupted_packet_flow_011e2460);
pcVar3 = s_game_error.error_corrupted_netwo_011e88c4;
break;
case 0xd:
FUN_011591ff(s_Cannot_run_under_Virtual_Machine_011e2530);
pcVar3 = s_game_error.error_virtual_011e88e8;
break;
case 0xe:
FUN_011591ff(s_Forbidden_system_configuration_011e2494);
pcVar3 = s_game_error.error_system_configur_011e8904;
break;
case 0xf:
FUN_011591ff(s_Could_not_locate_game_executable_011e2424);
pcVar3 = s_game_error.executable_not_hashed_011e892c;
break;
default:
if (param_2 != (char *)0x0) {
pcVar3 = param_2;
do {
cVar1 = *pcVar3;
pcVar3 = pcVar3 + 1;
} while (cVar1 != '\0');
FUN_01157c13(param_2,(int)pcVar3 - (int)(param_2 + 1));
}
param_2 = (char *)0x0;
goto switchD_011880af_caseD_0;
}
FUN_011591ff(pcVar3);
uVar2 = FUN_01164c1d(local_38,local_20);
FUN_01165270(uVar2);
FUN_011539d2();
FUN_011539d2();
switchD_011880af_caseD_0:
FUN_01176fe4(param_4);
if ((param_2 != (char *)0x0) && (*param_2 != '\0')) {
FUN_01177019(param_4);
FUN_01177019(param_4);
FUN_01177019(param_4);
}
LAB_0118835f:
FUN_011dc455();
return;
}
// Maybe not sure something releated to driver comunication
undefined4 * __thiscall FUN_011591ff(undefined4 *param_1_00,char *param_1)
{
char cVar1;
char *pcVar2;
*param_1_00 = 0;
param_1_00[4] = 0;
param_1_00[5] = 0xf;
pcVar2 = param_1;
do {
cVar1 = *pcVar2;
pcVar2 = pcVar2 + 1;
} while (cVar1 != '\0');
FUN_01157c13(param_1,(int)pcVar2 - (int)(param_1 + 1));
return param_1_00;
}
void FUN_011bae20(int param_1,undefined4 param_2,char *param_3)
{
undefined local_44 [24];
undefined4 local_2c;
undefined4 local_28;
uint local_c;
local_c = DAT_011f4004 ^ (uint)&stack0xfffffffc;
if (param_1 == 5) {
param_3 = s_BadAuthentication_011e9738;
LAB_011bae6e:
FUN_011591ff(param_3);
local_28 = 2;
}
else {
if (param_1 != 6) {
if (param_1 != 7) goto LAB_011baeae;
if (0xf < *(uint *)((int)param_3 + 0x14)) {
param_3 = *(char **)param_3;
}
goto LAB_011bae6e;
}
FUN_011591ff(s_AccountBanned_011e974c);
local_28 = 3;
}
local_2c = param_2;
FUN_01153df5(local_44);
FUN_011714b7(&local_2c);
FUN_011539d2();
FUN_011539d2();
LAB_011baeae:
FUN_011dc455();
return;
}
void __thiscall FUN_01170dfd(undefined4 param_1_00,int param_1,undefined4 param_2)
{
int iVar1;
undefined4 *local_10 [3];
if (*(int *)(param_1 + 0x50) == 3) {
FUN_01154024(0x60,param_1_00);
local_10[0][1] = param_2;
*local_10[0] = 1;
iVar1 = *(int *)(param_1 + 0x88);
*(int *)(param_1 + 0x88) = iVar1 + 1;
local_10[0][0x13] = iVar1;
FUN_011498d4(local_10[0] + 3,0);
FUN_011498d4(local_10[0] + 0xb,0);
FUN_01155a38(local_10[0] + 0x14);
FUN_0116a71d(local_10,0);
FUN_0115388b();
}
return;
}
// HeartBeat
uint __thiscall FUN_0116f8d7(undefined4 *param_1_00,int param_1,uint param_2,int param_3)
{
undefined4 *puVar1;
char cVar2;
int iVar3;
uint uVar4;
byte unaff_SI;
char *pcVar5;
undefined4 uStack_1c;
undefined4 uStack_18;
int iStack_14;
(*DAT_011de098)(param_1_00 + 0xd);
FUN_011717ac(&uStack_1c,¶m_2);
if ((*(char *)(iStack_14 + 0xd) == '\0') && (*(uint *)(iStack_14 + 0x10) <= param_2)) {
iVar3 = param_1_00[0xb];
}
else {
iVar3 = param_1_00[0xb];
iStack_14 = iVar3;
}
if ((iStack_14 == iVar3) || (puVar1 = *(undefined4 **)(iStack_14 + 0x14), puVar1[0x13] != param_3)
) goto LAB_0116fa02;
if (param_1 == 0) {
if (puVar1[0x14] == 3) goto LAB_0116fa02;
pcVar5 = s_ChallengeResponseTimeout_011e7ed8;
}
else {
if (param_1 == 1) {
FUN_01170dfd(puVar1,3);
goto LAB_0116fa02;
}
if (param_1 != 2) {
if ((((param_1 == 3) && (*(char *)(param_1_00 + 0x147) == '\0')) && (param_1_00[0x148] == 0))
&& (*(char *)((int)puVar1 + 0x8d) == '\0')) {
FUN_01170dfd(puVar1,6);
*(undefined *)((int)puVar1 + 0x8d) = 1;
param_1_00[0x148] = *puVar1;
}
goto LAB_0116fa02;
}
FUN_01159232();
uStack_1c = *param_1_00;
uStack_18 = 0;
cVar2 = FUN_0116abde();
if (cVar2 < '\x01') goto LAB_0116fa02;
pcVar5 = s_HeartbeatTimeout_011e7ef4;
}
FUN_0117142b(puVar1,pcVar5,1);
LAB_0116fa02:
uVar4 = (*DAT_011de0a0)(param_1_00 + 0xd);
return uVar4 & 0xffffff00 | (uint)unaff_SI;
}
