Suppressing EasyAntiCheat Windows Enumeration


Anti-cheat software commonly incorporates some form of window enumeration across all of your currently running processes to scan for the names of blacklisted programs, most commonly CheatEngine. The easiest approach to counter this type of scan is to simply hex-edit your blacklisted program and rename it. In this case, I decided to dig a little deeper because the game uses a .NET executable which is easily accessible using dotPeek. Here is what it looks like if you have CheatEngine open and try to run the game:




Looking into that .NET executable you can easily spot the message box being used to display these types of messages:

MessageBox.Show(string.Format("Rust Launcher Error: {0} - {1}", (object) eventArgs.Status, (object) eventArgs.Message));

LoadCompletedEventArgs (eventArgs) is passed from a DLL (another .NET assembly) in the same directory called "EasyAntiCheat.Client.dll". This DLL contains a C# file called "Loader.cs", which takes care of shutting down the game on start-up.

NativeModule.Initialize(this.loadInfo.GetRealm(false), new NativeModule.MessageEventHandler(this.OnMessage), (byte[])null);

Above is the anti-cheat initialization, which instantiates the MessageEventHandler callback; this callback is where the anti-cheat reports that CheatEngine is running. This is where the reversing journey really begins but shortly ends for me, because the DLL which sends messages over that callback (EasyAntiCheat_x64.dll) is not .NET, so actually disassembling it would be a time investment. Instead, the error message and subsequent game shutdown can be prevented by simply removing the message check.




Above is a picture of CheatEngine attached to Rust with EAC running. While attempting to connect to a server, there's a heartbeat which runs some sort of integrity check. The heartbeat runs at a rate which is somewhat predictable, so I was able to time it just right to connect to a server - however not long enough to do anything.