From 2f1c76b7f93efb1b13a18b48fffbe213ef91dba1 Mon Sep 17 00:00:00 2001
From: TheRogueArchivist <24215969+TheRogueArchivist@users.noreply.github.com>
Date: Fri, 2 Aug 2024 10:34:43 -0600
Subject: [PATCH] Add EA Anti Cheat detection (#314)
* Add EA Anti Cheat detection
* Make a check more exact
---
BinaryObjectScanner/Protection/EAAntiCheat.cs | 88 +++++++++++++++++++
README.md | 1 +
2 files changed, 89 insertions(+)
create mode 100644 BinaryObjectScanner/Protection/EAAntiCheat.cs
diff --git a/BinaryObjectScanner/Protection/EAAntiCheat.cs b/BinaryObjectScanner/Protection/EAAntiCheat.cs
new file mode 100644
index 00000000..d6e4dbd1
--- /dev/null
+++ b/BinaryObjectScanner/Protection/EAAntiCheat.cs
@@ -0,0 +1,88 @@
+#if NET40_OR_GREATER || NETCOREAPP
+using System.Collections.Concurrent;
+#endif
+using System.Collections.Generic;
+using BinaryObjectScanner.Interfaces;
+using SabreTools.Matching;
+using SabreTools.Serialization.Wrappers;
+
+namespace BinaryObjectScanner.Protection
+{
+ ///
+ /// EA Anti Cheat is a kernel-level anti-cheat developed and used by EA. (https://www.ea.com/security/news/eaac-deep-dive).
+ /// List of games that contain EA Anti Cheat on Steam: https://steamdb.info/tech/AntiCheat/EA_AntiCheat/
+ ///
+ /// An EasyAntiCheat installer is present in the file "EAAntiCheat.Installer.Tool.exe" found in "Plants vs. Zombies: Battle for Neighborville" (Steam Depot 1262241, Manifest 8124759833120741594).
+ /// This could indicate that EasyAntiCheat is directly integrated into EA Anti Cheat.
+ ///
+ /// The internal name appears to be "skyfall", as this is the Internal Name set to several EA Anti Cheat files, and the string "C:\dev\gitlab-runner\builds\r5uPUG7E\0\anticheat\skyfall\Build\Retail\EAAntiCheat.Installer.pdb" is present in "EAAntiCheat.Installer.Tool.exe".
+ ///
+ public class EAAntiCheat : IPathCheck, IPortableExecutableCheck
+ {
+ // TODO: Add support for detecting older versions, especially versions made before Easy Anti-Cheat was purchased by Epic Games.
+ ///
+ public string? CheckPortableExecutable(string file, PortableExecutable pex, bool includeDebug)
+ {
+ // Get the sections from the executable, if possible
+ var sections = pex.Model.SectionTable;
+ if (sections == null)
+ return null;
+
+ var name = pex.FileDescription;
+ // Found in "EAAntiCheat.GameServiceLauncher.exe" and "EAAntiCheat.Installer.exe" in "Plants vs. Zombies: Battle for Neighborville" (Steam Depot 1262241, Manifest 8124759833120741594).
+ if (!string.IsNullOrEmpty(name) && name!.Contains("EA Anticheat"))
+ return "EA Anti Cheat";
+
+ name = pex.ProductName;
+ // Found in "EAAntiCheat.GameServiceLauncher.exe" and "EAAntiCheat.Installer.exe" in "Plants vs. Zombies: Battle for Neighborville" (Steam Depot 1262241, Manifest 8124759833120741594).
+ if (!string.IsNullOrEmpty(name) && name!.Contains("EA Anticheat"))
+ return "EA Anti Cheat";
+
+ name = pex.InternalName;
+ // Found in "EAAntiCheat.GameServiceLauncher.exe" and "EAAntiCheat.Installer.exe" in "Plants vs. Zombies: Battle for Neighborville" (Steam Depot 1262241, Manifest 8124759833120741594).
+ if (!string.IsNullOrEmpty(name) && name!.Equals("skyfall"))
+ return "EA Anti Cheat";
+
+ // TODO: Add check for "EA SPEAR AntiCheat Engineering" in ASN.1 certificate data. Found in files "EAAntiCheat.GameServiceLauncher.dll", "EAAntiCheat.GameServiceLauncher.exe", "EAAntiCheat.Installer.exe", and "preloader_l.dll".
+ return null;
+ }
+
+ ///
+#if NET20 || NET35
+ public Queue CheckDirectoryPath(string path, IEnumerable? files)
+#else
+ public ConcurrentQueue CheckDirectoryPath(string path, IEnumerable? files)
+#endif
+ {
+ var matchers = new List
+ {
+ // Found in "Plants vs. Zombies: Battle for Neighborville" (Steam Depot 1262241, Manifest 8124759833120741594).
+ new(new FilePathMatch("EAAntiCheat.cfg"), "EA Anti Cheat"),
+ new(new FilePathMatch("EAAntiCheat.GameServiceLauncher.dll"), "EA Anti Cheat"),
+ new(new FilePathMatch("EAAntiCheat.GameServiceLauncher.exe"), "EA Anti Cheat"),
+ new(new FilePathMatch("EAAntiCheat.splash.png"), "EA Anti Cheat"),
+ new(new FilePathMatch("EAAntiCheat.Installer.exe"), "EA Anti Cheat"),
+ new(new FilePathMatch("EAAntiCheat.Installer.Tool.exe"), "EA Anti Cheat"),
+ };
+
+ return MatchUtil.GetAllMatches(files, matchers, any: true);
+ }
+
+ ///
+ public string? CheckFilePath(string path)
+ {
+ var matchers = new List
+ {
+ // Found in "Plants vs. Zombies: Battle for Neighborville" (Steam Depot 1262241, Manifest 8124759833120741594).
+ new(new FilePathMatch("EAAntiCheat.cfg"), "EA Anti Cheat"),
+ new(new FilePathMatch("EAAntiCheat.GameServiceLauncher.dll"), "EA Anti Cheat"),
+ new(new FilePathMatch("EAAntiCheat.GameServiceLauncher.exe"), "EA Anti Cheat"),
+ new(new FilePathMatch("EAAntiCheat.splash.png"), "EA Anti Cheat"),
+ new(new FilePathMatch("EAAntiCheat.Installer.exe"), "EA Anti Cheat"),
+ new(new FilePathMatch("EAAntiCheat.Installer.Tool.exe"), "EA Anti Cheat"),
+ };
+
+ return MatchUtil.GetFirstMatch(path, matchers, any: true);
+ }
+ }
+}
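Review bot: The `InternalName` check in `CheckPortableExecutable` returns "EA Anti Cheat" on an exact match of the bare codename `skyfall`, a short generic word that nothing else in that branch ties to EA. All three checks read self-declared version-resource strings, which any binary can carry, so an unrelated file with the same internal name would be reported as shipping a kernel-level anti-cheat. Consider gating the `skyfall` match on a second indicator, such as the "EA SPEAR AntiCheat Engineering" certificate string named in the TODO at the end of the method, or a file name beginning with `EAAntiCheat.`. Until that exists, a comment above the check such as `// Low confidence: codename match only, from unauthenticated version-info metadata` would tell consumers how much weight the result deserves.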
diff --git a/README.md b/README.md
index 7a0c93c0..2369b1ab 100644
--- a/README.md
+++ b/README.md
@@ -82,6 +82,7 @@ Below is a list of protections detected by BinaryObjectScanner. The two columns
| DiscGuard | True | True | Partially unconfirmed² |
| DVD-Movie-PROTECT | False | True | Unconfirmed¹ |
| DVD Crypt | False | True | Unconfirmed¹ |
+| EA Anti Cheat | True | True | |
| EA Protections | True | False | Including EA CDKey and EA DRM. |
| Easy Anti-Cheat | True | True | |
| Engine32 | True | False | |