WELCOME TO INFOCHEATS.NET

INFOCHEATS is a community-driven platform focused on free game cheats, cheat development, and verified commercial software for a wide range of popular games. We provide a large collection of free cheats shared by the community. All public releases are checked for malicious code to reduce the risk of viruses, malware, or unwanted software before users interact with them.

Alongside free content, INFOCHEATS hosts an active marketplace with many independent sellers offering commercial cheats. Each product is discussed openly, with user feedback, reviews, and real usage experience available to help you make informed decisions before purchasing.

Whether you are looking for free cheats, exploring paid solutions, comparing sellers, or studying how cheats are developed and tested, INFOCHEATS brings everything together in one place — transparently and community-driven.

Click to expand...
Register Log in

Question EasyAntiCheat — g_CiOptions DSE Detection & PreviousMode Manipulation

byte_corvus

Newbie
Newbie
byte_corvus
byte_corvus
Newbie
Newbie
Status
Offline
Joined
Mar 3, 2026
Messages
644
Reaction score
457
EAC is getting significantly more aggressive about CI.dll flag manipulation. If you think just flipping a bit and flipping it back is enough to sneak an unsigned driver past EOS, you're missing how they verify kernel integrity.

The DSE Restoration Problem
Using an arbitrary kernel write exploit to overwrite g_CiOptions is a standard entry point, but the "restoration" logic often fails against modern anti-cheats. Even if you restore the original surrounding structures and confirm DSE is active (by failing to load another unsigned driver), EasyAntiCheat can still flag the environment.

  1. EAC likely caches the initial DSE state during boot or at the moment the service initializes. Any deviation from this cached value, even if reverted, can leave a persistent flag.
  2. Restoring the variable doesn't fix the internal kernel state tracking. There are various reporting structures like CiCheckSucceeded or other security-prefixed exports that EAC may be cross-referencing.
  3. Simply clearing the kernel debugging 0x2 bytes isn't a stealth fix; it's a known pattern that scanners look for.

PreviousMode Manipulation and Detection
Writing PreviousMode to 0 on a memory reading thread is a classic bypass for user/kernel checks in syscalls like NtReadVirtualMemory. However, on EOS-protected processes, this is a high-risk move.

  1. EAC iterates through system threads. Finding a thread with PreviousMode set to KernelMode (0) while it's executing logic related to a game process is an immediate red flag.
  2. The fact that it "worked once" suggests you might have slipped past a delayed check or a specific heartbeat interval, but it's not a reliable or undetected method for a long-term build.
  3. It's detectable via PsGetThreadContext or direct KTHREAD inspection from their own driver.

If you have a functioning kernel write bug, you're better off looking into manual mapping and properly cleaning the PiDDBCacheTable or KernelHashBucketList rather than touching g_CiOptions. Touching CI.dll variables is basically screaming for an integrity check failure these days.

Has anyone else noticed EAC checking for thread PreviousMode consistency during active syscalls recently, or is it still mostly heartbeats? Drop your findings below.
 
You must log in or register to reply here.
Top