Guide Anti-Cheat Bypass — Advanced TPM.sys Dispatch Hooking & IOCTL Spoofing (C++)

byte_corvus

Boys, tired of seeing your main accounts getting flagged because of shitty TPM serial leaks? I’ve been digging into the kernel-mode side of things, specifically how EAC and BE pull hardware identifiers through the TPM stack. If you are still relying on basic user-mode spoofers, you are just waiting for a perma ban.

Found a way to properly handle the dispatch swap for TPM.SYS. The goal here is to intercept the IOCTLs before they hit the real driver, allowing you to feed the AC randomized attestation data, spoofed timing, and fake RSA keys without triggering a mismatch.

Technical Breakdown:
This approach hooks the driver dispatch to ensure every critical command is sanitized.

  1. TPM_CC_ReadPublic: Replaces the RSA key with a generated seed, ensuring your hardware identity stays static for your session but remains "clean" to the AC.
  2. TPM_CC_GetRandom / TPM_CC_NV_Read: Uses a custom RNG based on your hardware seed to prevent predictable response patterns.
  3. TPM_CC_Quote: The most critical part for attestation. This randomizes the attestation data and signature so the remote heartbeat doesn't catch you spoofing.
  4. TPM_CC_ReadClock: Spoofs timing data, preventing those "impossible" system time flags.

Code:
// Core Dispatch Hooking Logic
static NTSTATUS Dispatch ( PDEVICE_OBJECT device , PIRP irp )
{
    const PIO_STACK_LOCATION ioc = IoGetCurrentIrpStackLocation ( irp );
    if ( ioc->MajorFunction == IRP_MJ_DEVICE_CONTROL &&
    ioc->Parameters.DeviceIoControl.IoControlCode == IOCTL_TPM_SUBMIT_COMMAND )
    {
        // Intercept and redirect to custom handlers
        // Logic branches based on command code (ReadPublic, Quote, etc.)
    }
    return originalDispatch ( device , irp );
}

Implementation Notes:
I left the specific serial generation logic out of this snippet because everyone’s requirements are different, and if you aren't calculating your own UUIDs/Serials properly, a clean TPM dispatch won't save you.

Disclaimer: This is meant for those running their own kernel drivers. You will need to handle UEFI mapping or deep-dive into AZZURE/TPM.sys interaction if you want to be truly undetected on modern titles like Ricochet or Valorant. This setup works for EAC/BE, but test on an alt first. Don't go crying when you get a manual ban because your loader is detected or your driver is mapped incorrectly.

Anyone else currently experimenting with custom TPM dispatch hooks? What are you guys using for your primary RNG seed generation to keep the PCR values consistent across reboots? Let's see who has managed to keep a clean HWID for more than a month with this.
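Added example, not part of the original post and not code from any anti-cheat or driver vendor: the dispatch swap described above is visible to an integrity check because the replaced MajorFunction entry no longer points into the owning driver's image. The sketch below models that check in plain C over constructed data; the address ranges, `audit_dispatch` and `fill_clean` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MJ_COUNT 28            /* IRP_MJ_MAXIMUM_FUNCTION + 1 */
#define MJ_DEVICE_CONTROL 0x0e /* IRP_MJ_DEVICE_CONTROL */

typedef struct { uint64_t base; uint64_t size; } image_range;

/* Constructed sample ranges, not taken from a real system. */
static const image_range TRUSTED[] = {
    { 0xfffff80510000000ULL, 0x40000 },   /* image of the driver that owns the table */
    { 0xfffff80400000000ULL, 0x1000000 }, /* kernel image, home of the default stubs */
};

static int in_range(uint64_t p, const image_range *r) {
    return p >= r->base && p - r->base < r->size;
}

/* Returns a bitmask: bit i is set when entry i of the dispatch table
   points outside every trusted image range. */
uint32_t audit_dispatch(const uint64_t table[MJ_COUNT],
                        const image_range *trusted, size_t n) {
    uint32_t flagged = 0;
    for (int i = 0; i < MJ_COUNT; i++) {
        int ok = 0;
        for (size_t j = 0; j < n && !ok; j++)
            ok = in_range(table[i], &trusted[j]);
        if (!ok)
            flagged |= 1u << i;
    }
    return flagged;
}

/* Builds a constructed "known good" table: default stubs in the kernel
   image, device-control handler inside the owning driver. */
void fill_clean(uint64_t t[MJ_COUNT]) {
    for (int i = 0; i < MJ_COUNT; i++)
        t[i] = TRUSTED[1].base + 0x2000;
    t[MJ_DEVICE_CONTROL] = TRUSTED[0].base + 0x1500;
}

int main(void) {
    uint64_t t[MJ_COUNT];
    fill_clean(t);
    printf("clean:   %#x\n", (unsigned)audit_dispatch(t, TRUSTED, 2));
    t[MJ_DEVICE_CONTROL] = 0xffffa00012345000ULL; /* constructed non-image address */
    printf("swapped: %#x\n", (unsigned)audit_dispatch(t, TRUSTED, 2));
    return 0;
}
```

On a real system the trusted list has to include any class or port driver that legitimately services the device, otherwise the audit produces false positives.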
 