Bypassing EAC is not the easiest task. If you want to remain undetected for a long time, you first need to hide the cheat's process and its threads at the kernel level. EAC essentially brute-forces thread IDs: it iterates over a large range of TIDs, and any thread whose owning process is not in the visible process list is at best a red flag and at worst a game ban. Once the process is properly hidden from EAC, even blacklisted programs will work.
Private EAC/EAAC bypass user-mode and kernel source code:
https://overlayhack.com/eac-eaac-anti-cheat-bypass/1038
A hidden process implementation (undetectable by EAC/BattlEye/EAAC):
https://overlayhack.com/eac-eaac-anti-cheat-bypass/1040
EA started using its own anti-cheat, EAAC, in BF2042 on 10 Oct 2023. Like EAC, EAAC creates a hidden system thread and spoofs its start address. The only ways to find such a thread are a kernel thread-creation notify callback (which only sees threads created after the callback is registered) or stack-walking every system thread: when you walk a system thread's stack, you simply check whether any frame points into the anti-cheat's kernel driver memory range.
[!] EAAC system thread: pId: 4 tId: 32596 PETHREAD: 0xFFFFDE8E47CB90C0 start address: 0xFFFFF8046639F430 0xFFFFF8046639F430
EAAC's code-integrity checks, which look for tampering in the kernel, are roughly equivalent to EAC's. If tampering is detected, the anti-cheat terminates the game process and the following popup appears:
[screenshot: EAAC tamper-detection popup]
Their anti-cheat also queues a DPC whose deferred routine points into their kernel driver's text section. Pointers to deferred routines in the DPC pool are obfuscated by the kernel. Because the deferred routine lives in the driver's text section, any tampering with it is easily detected unless their checks are disabled. The fewer of the anti-cheat's code-integrity (self-defense) checks you disable, the better.
Once the EAAC driver has initialized, it also blocks any new driver from loading through the Nt/ZwLoadDriver kernel API, using a clever method. Code injection does not work either, because the game process runs with a mitigation policy that prohibits dynamic code (this is what stops manually mapped DLLs): any attempt to allocate executable memory, or to change a region's protection from RW to RWX, fails with 0xC0000604 (STATUS_DYNAMIC_CODE_BLOCKED). This is a built-in Windows security feature (the ProcessDynamicCodePolicy mitigation, also known as Arbitrary Code Guard), enforced by the kernel.
More about flags:
https://www.unknowncheats.me/forum/3540472-post31.html
To get around this without triggering their integrity checks, allocate an RW section, copy the payload into it, and then enable execution on the page via its PTE; the code executes even though the section was allocated RW. If the region is backed by a large page (2 MB rather than 4 KB), the execute bit lives in the PDE instead.
EAC bypass RtlCreateUserThread
How do you bypass EAC's thread-creation checks? Both anti-cheats "block" any thread created in the protected process from outside it. One technique is to hijack an existing thread instead; hijack the wrong thread, or ship a bug in the shellcode, and the game process crashes.
Note also that a hijacked thread then executes code that is not backed by any module on disk, and that gets you flagged or banned once the anti-cheat stack-walks threads. Additional evasion techniques are required.
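As an added illustration of the two thread-sweep checks this page attributes to the anti-cheat (the thread-ID sweep against the visible process list from the introduction, and the stack walk above that looks for frames not backed by any module, or for frames inside a given driver's range), here is a user-mode C model of them. It is example code written for this page, not EAC/EAAC code and not the author's bypass; every PID, TID, image range and return address is constructed, and a real driver would obtain them from PsLookupThreadByThreadId over the TID range, the process list and a captured kernel stack.

```c
/* Added example, not EAC/EAAC code and not this page's author's code: a user-mode
 * model of the two thread-sweep checks the page attributes to the anti-cheat.
 * A real driver feeds it from PsLookupThreadByThreadId over the TID range, the
 * process list and a captured kernel stack; here every input is constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FRAMES 8
#define COUNT(a) (sizeof (a) / sizeof (a)[0])

/* A loaded image (user module or kernel driver) covering [base, base + size). */
struct module_range { const char *name; uint64_t base; uint64_t size; };

/* One enumerated thread: TID, the PID it belongs to, and its captured stack. */
struct thread_sample {
    uint32_t tid, owner_pid; size_t nframes;
    uint64_t frames[MAX_FRAMES];   /* return addresses, innermost first */
};

/* Reasons a thread is flagged; sweep_thread() returns a bitmask of these. */
enum sweep_flag {
    SWEEP_CLEAN          = 0,
    SWEEP_ORPHAN_THREAD  = 1 << 0,  /* owner PID not in the visible process list */
    SWEEP_UNBACKED_FRAME = 1 << 1,  /* a return address outside every known image */
    SWEEP_WATCHED_FRAME  = 1 << 2,  /* a return address inside the watched image */
};

/* The "brute-force TIDs" check: can the enumerator see the claimed owner process? */
int pid_is_visible(const uint32_t *visible, size_t n, uint32_t pid)
{
    for (size_t i = 0; i < n; i++)
        if (visible[i] == pid) return 1;
    return 0;
}

/* The image containing addr, or NULL when no image backs it. */
const struct module_range *module_for(const struct module_range *mods, size_t n, uint64_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= mods[i].base && addr < mods[i].base + mods[i].size) return &mods[i];
    return NULL;
}

/* Both checks on one thread. The stack-walk half cuts both ways: an anti-cheat
 * flags frames backed by no image (a hijacked thread in shellcode), while a
 * cheat finds the anti-cheat's hidden system thread by a frame inside `watched`. */
unsigned sweep_thread(const struct thread_sample *t, const uint32_t *visible, size_t nvisible,
                      const struct module_range *mods, size_t nmods, const char *watched)
{
    unsigned flags = SWEEP_CLEAN;
    if (!pid_is_visible(visible, nvisible, t->owner_pid)) flags |= SWEEP_ORPHAN_THREAD;
    for (size_t i = 0; i < t->nframes; i++) {
        const struct module_range *m = module_for(mods, nmods, t->frames[i]);
        if (m == NULL)                                      flags |= SWEEP_UNBACKED_FRAME;
        else if (watched && strcmp(m->name, watched) == 0)  flags |= SWEEP_WATCHED_FRAME;
    }
    return flags;
}

/* Constructed sample data: every PID, TID and address below is made up. */
static const uint32_t k_visible_pids[] = { 4, 812, 4520 };
static const struct module_range k_images[] = {
    { "ntoskrnl.exe",  0xFFFFF80400000000ull, 0x01000000ull },
    { "ac_driver.sys", 0xFFFFF80466000000ull, 0x00400000ull },
    { "game.exe",      0x00007FF600000000ull, 0x04000000ull },
    { "ntdll.dll",     0x00007FFB10000000ull, 0x00200000ull },
};
static const struct thread_sample k_threads[] = {
    /* ordinary game thread: visible owner, every frame backed */
    { 1001, 4520, 3, { 0x00007FF600012340ull, 0x00007FFB10045670ull, 0x00007FFB10001000ull } },
    /* hijacked thread: visible owner, innermost frame is unbacked heap shellcode */
    { 1002, 4520, 3, { 0x000001E3A0000040ull, 0x00007FFB10045670ull, 0x00007FFB10001000ull } },
    /* thread whose process was unlinked from the process list */
    { 1003, 9999, 2, { 0x00007FFB10045670ull, 0x00007FFB10001000ull } },
    /* system thread (PID 4) returning into the watched driver */
    { 1004,    4, 2, { 0xFFFFF8046600F430ull, 0xFFFFF80400123450ull } },
};

/* Sweep every constructed thread, print each verdict, return how many were flagged. */
size_t run_sweep(void)
{
    size_t flagged = 0;
    for (size_t i = 0; i < COUNT(k_threads); i++) {
        unsigned f = sweep_thread(&k_threads[i], k_visible_pids, COUNT(k_visible_pids),
                                  k_images, COUNT(k_images), "ac_driver.sys");
        if (f != SWEEP_CLEAN) flagged++;
        printf("tid %u pid %u ->%s%s%s%s\n", k_threads[i].tid, k_threads[i].owner_pid,
               f == SWEEP_CLEAN ? " clean" : "",
               (f & SWEEP_ORPHAN_THREAD)  ? " orphan-thread" : "",
               (f & SWEEP_UNBACKED_FRAME) ? " unbacked-frame" : "",
               (f & SWEEP_WATCHED_FRAME)  ? " frame-in-ac_driver.sys" : "");
    }
    return flagged;
}

int main(void) { printf("%zu of %zu threads flagged\n", run_sweep(), COUNT(k_threads)); return 0; }
```

Thread 1002 is the case described in the paragraph above: its owner is legitimate, but a frame points into memory no image backs. Thread 1003 is the introduction's case: its process was unlinked from the process list, so the TID sweep finds a thread with no visible owner. An unbacked frame is a heuristic rather than proof, since JIT runtimes and some legitimate protectors also execute from unbacked memory, so a production checker would whitelist those before acting.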
As for keeping the author's private bypass undetected by EAC and EAAC, I leave that as an exercise for the reader. This article will be updated...
The trick is to allocate executable (RWX) memory in the context of a thread of the target process. That removes the need to disable mitigation flags, which could trigger the anti-cheat's integrity checks. The same method lets you create a new dedicated thread, but that thread still executes non-backed dynamic code, so you need to DKOM your newly created thread. The DKOM method the author uses is private and bypasses EAC as well. Most DKOM modifications are subject to a PatchGuard bug check, but there is a working runtime PatchGuard bypass for the latest Windows versions:
https://overlayhack.com/patchguard-bypass.
EAC / EAAC
Hooks are present on kernel32.dll!BaseThreadInitThunk, ntdll.dll!RtlUserThreadStart, ntdll.dll!KiUserApcDispatcher and ntdll.dll!RtlCreateUserThread.
The author did not find any inline hooks in the text section, but I have not checked the IAT pointers yet.
The lab was performed on Windows 10 Pro 22H2 Build: 19045.3324
CREDITS: IChooseYou, vmcall
Source code for the private EAC bypass. Features:
Supported versions: Windows 10 22H2 and Windows 11 24H2/25H2
- A manually mapped kernel driver
- A high-performance UM-KM IPC for external hacks (reads physical memory)
- A hidden system thread
- An undetectable, screenshot-proof, dedicated topmost overlay (WS_EX_TOPMOST). If your private hack uses a DLL, there is a three-line user-mode (UM) bypass.
[+] SECURE BOOT (SB)
$4,999 USD in BTC as an upfront payment. The project is available immediately. The bypass also works on EAC/BattlEye/EAAC. The listed bypasses have been undetected on EAC/BE since 2021, so at least 5 years at the time of posting.
It is also possible to load an unsigned driver into the kernel with test signing disabled (DSE on), complete with its own nt!_DRIVER_OBJECT, so that a kernel-level anti-cheat can be tested to determine whether it performs any unauthorized operations.
A hidden process implementation:
https://overlayhack.com/eac-eaac-anti-cheat-bypass/1040
1. void UnlinkPsActiveProcessListEx(PWCH processName)
Hides the process and its threads from kernel-level anti-cheats. This is a newer, PatchGuard-compatible version; compatibility was tested on Windows 10 Pro 22H2 and Windows 11 Pro 25H2.
EAC detects a hidden process if its threads are not hidden properly. Unlinking the threads from the process's thread list is not enough; it has to be done in a more sophisticated way.
Bypasses the hidden-process checks of all kernel-level anti-cheat systems (EAC/EAAC/BattlEye) as of 06/2026. Verified with the HiddenProcess.h implementation, which is based on reversing EAC.
Includes a dedicated, undetected overlay (WS_EX_TOPMOST | WS_EX_LAYERED | WS_EX_COMPOSITED | WS_EX_TRANSPARENT) that needs no hooks.
Both need to be in place to deliver a truly undetectable P2C (pay-to-cheat). When the process is hidden in this way, the anti-cheat can neither dump it nor upload it to its servers for analysis.
PoC:
https://overlayhack.com/UNIT-123-PART-6/UNIT-123-PART-6_player.html
This bypass costs 4,999 USD in BTC and requires signing a software agreement by email.