FiveM is still aggressively hunting for identifiers, but it's nothing a clean driver-level block can't handle. This project, MatrixSpoofer, is an open-source base designed to bypass the standard HWID ban flags by nuking the paths FiveM uses to fingerprint your machine. It's essentially a playground for anyone looking into syscall hooking and identifier masking.
The FiveM Fingerprint Strategy
FiveM traditionally pulls data from three main vectors to cage your hardware:
- NVIDIA Interfaces: They scan the kernel driver (nvlddmkm.sys) and user-mode libs (nvapi64.dll, nvml.dll). They are looking for that specific UUID you see in nvidia-smi. If you're running AMD, this part isn't your problem.
- clipc.dll (Licensing Platform): Located in System32, this is Microsoft's Client Licensing Platform Client. It mixes multiple hardware IDs into a unique device serial. MatrixSpoofer just blocks the handle entirely—no data, no ban.
- NtQueryEaFile: They query Extended Attributes via NTFS metadata to grab disk serials and volume IDs. This is where the real work happens.
Implementation: Spoofing Extended Attributes
Instead of just blocking NtQueryEaFile, the project walks the FILE_FULL_EA_INFORMATION linked list and randomizes the buffer using an xorshift-based pseudorandom generator. This ensures that every time they try to read your disk metadata, they get a handful of garbage bytes instead of your real traces.
Code:
void FakeEaBuffer(const PVOID buffer, const ULONG length, const ULONG64 seed)
{
    auto entry = static_cast<PFILE_FULL_EA_INFORMATION>(buffer);
    ULONG offset = 0;
    ULONG64 entrySeed = seed;
    while (offset < length)
    {
        if (entry->EaValueLength > 0)
        {
            const PCHAR valuePtr = entry->EaName + entry->EaNameLength + 1;
            for (USHORT i = 0; i < entry->EaValueLength; i++)
            {
                entrySeed ^= (entrySeed << 13);
                entrySeed ^= (entrySeed >> 7);
                entrySeed ^= (entrySeed << 17);
                valuePtr[i] = static_cast<UCHAR>(entrySeed & 0xFF);
            }
        }
        if (entry->NextEntryOffset == 0)
            break;
        offset += entry->NextEntryOffset;
        entry = reinterpret_cast<PFILE_FULL_EA_INFORMATION>(
            static_cast<PUCHAR>(buffer) + offset);
    }
}
- The seed for the spoofing logic is derived from a hash of the file handle, providing consistent fake data for specific files.
- The driver base uses syscall hooking to intercept calls. Check the headers if you plan on modifying the hook logic.
- Ensure your build environment handles kernel-mode projects correctly before trying to compile the driver.
This is a solid base, but if you're lazy, don't just paste it and expect a permanent bypass. Use it to learn how they're tracking you and expand on the masking.
Anyone tested this on the latest build yet?
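A defender-side check for the behaviour described in the post, added here as an example and not part of MatrixSpoofer or the original post: it walks a FILE_FULL_EA_INFORMATION buffer with every length validated against the buffer, then compares two reads of the same file's EAs. `ParseEaList`, `CompareEaReads`, `MakeEntry` and the sample EA names are hypothetical, and the comparison rests on the assumption that rewritten values tied to a handle differ between two separate opens of one file.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstring>
#include <map>
#include <string>
#include <vector>
// FILE_FULL_EA_INFORMATION layout: NextEntryOffset(4) Flags(1) EaNameLength(1)
// EaValueLength(2), then name, NUL, value. Little-endian host assumed.
constexpr size_t kHdr = 8;
using EaMap = std::map<std::string, std::vector<uint8_t>>;
enum class EaCheck { Consistent, Mismatch, Malformed };

// Walk the list, validating every length against the buffer before use.
bool ParseEaList(const uint8_t* buf, size_t len, EaMap& out) {
    for (size_t off = 0;;) {
        if (len - off < kHdr) return false;              // truncated header
        uint32_t next; std::memcpy(&next, buf + off, 4);
        const uint8_t nameLen = buf[off + 5];
        const size_t valLen = buf[off + 6] | (buf[off + 7] << 8);
        const size_t need = kHdr + nameLen + 1 + valLen;
        if (len - off < need) return false;              // name/value overrun
        const uint8_t* name = buf + off + kHdr;
        if (name[nameLen] != 0) return false;            // missing terminator
        const uint8_t* val = name + nameLen + 1;
        out[std::string(name, name + nameLen)].assign(val, val + valLen);
        if (next == 0) return true;                      // last entry
        if (next < need || next % 4 || next > len - off) return false;
        off += next;
    }
}

// Compare two reads of one file's EAs (for example from two separate opens).
EaCheck CompareEaReads(const std::vector<uint8_t>& a, const std::vector<uint8_t>& b) {
    EaMap ma, mb;
    if (!ParseEaList(a.data(), a.size(), ma) || !ParseEaList(b.data(), b.size(), mb))
        return EaCheck::Malformed;
    return ma == mb ? EaCheck::Consistent : EaCheck::Mismatch;
}
// Constructed sample entry (not captured data), padded to 4 bytes.
std::vector<uint8_t> MakeEntry(const std::string& name, const std::vector<uint8_t>& val, bool last) {
    std::vector<uint8_t> e((kHdr + name.size() + 1 + val.size() + 3) & ~size_t{3}, 0);
    const uint32_t next = last ? 0 : static_cast<uint32_t>(e.size());
    std::memcpy(e.data(), &next, 4);
    e[5] = static_cast<uint8_t>(name.size());
    e[6] = static_cast<uint8_t>(val.size() & 0xFF);
    e[7] = static_cast<uint8_t>(val.size() >> 8);
    std::copy(name.begin(), name.end(), e.begin() + kHdr);
    std::copy(val.begin(), val.end(), e.begin() + kHdr + name.size() + 1);
    return e;
}
```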