Anyone currently digging into the physical memory layer for Rust? I've been seeing a lot of people pivoting to DMA setups — PCIe cards like the Screamer or Riptide — to keep their host machines clean of suspicious drivers. EAC is getting more aggressive with stack walking and system thread checks, so working from a second PC is the logical move. However, using DMA for a simple ESP is one thing; using it as a primary dumper for a game as obfuscated as Rust is a different beast entirely.
The Core Concept: Hardware vs. Software Dumping
The principle of DMA dumping is straightforward: your hardware card requests read/write access to physical memory addresses via the PCIe bus, bypassing the CPU and OS kernel entirely. Since EAC resides in Ring 0, it struggles to see these requests if your firmware is properly spoofed.
Technical Breakdown of the Dilemma:
- The physical memory map — To dump anything, you first need to translate Virtual Addresses (VA) to Physical Addresses (PA). In Rust, you're looking for the GameAssembly.dll base and the Unity Player. If you don't have a solid library for directory table base (CR3) translation, your dumper will just return garbage.
- Decryption Functions — This is where it gets tricky. Rust uses heavy obfuscation for its offsets. Usually, these are resolved at runtime via specific methods. While you can read the encrypted bytes over DMA, resolving the actual logic often requires emulating the decryption function or having a signature scanner that can find the specific ASM pattern of the Decrypt function itself.
- Performance Bottlenecks — External dumping over DMA is significantly slower than internal. If you're trying to dump the entire 100MB+ GameAssembly.dll to disk for analysis in IDA, be prepared for a wait, depending on your card's read speed.
It is absolutely feasible to dump Rust via DMA, but you're not going to find a "one-click" tool that does it perfectly for free. Most people use customized versions of PCILEECH or specialized libraries that handle the CR3 translation.
To get those base offsets and decryption keys, you'll need:
— Functional physical memory search (sigscanning over PCIe).
— A way to handle the GameAssembly.dll obfuscation (usually by finding the static pointers that lead to the decryption tables).
— A clear understanding of the Unity engine's memory layout (Class -> Static Fields -> Instance).
Safety First:
Don't assume DMA makes you invincible. Even if you aren't running drivers on your host, EAC can detect:
— Suspicious PCIe devices (ensure you have custom firmware).
— Memory modifications (don't perform WPM unless you know what you're doing).
— Abnormal hardware configurations.
Has anyone here found an efficient way to resolve method pointers through DMA without the scan taking 10 minutes? I'm looking to optimize my offset fetcher without resorting to an internal stub.
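A defender-side illustration of the check the post says EAC performs ("suspicious PCIe devices" and "abnormal hardware configurations"), added here as an example; it is not code from the post, from EAC, or from PCILEECH or any other tool named above. It parses `lspci -n` style inventory lines and flags devices that are absent from a known-good baseline or whose vendor ID is not allowlisted. The two inventories and all device IDs are constructed (8086 and 10de are the real Intel and NVIDIA vendor IDs; everything else is a placeholder), and the allowlist is an assumption of this example. The baseline diff matters because, as the post notes, spoofed firmware can copy a legitimate vendor/device ID, so "new device at a bus slot that was empty last boot" is a second signal that does not depend on the ID alone.

```python
"""Baseline-diff audit of the PCI device inventory (constructed example)."""
import re
from dataclasses import dataclass

# `lspci -n` prints one device per line:
#   <bus:dev.fn> <class>: <vendor>:<device> [(rev xx)]
LSPCI_LINE = re.compile(
    r"^(?P<bdf>[0-9a-f]{2}:[0-9a-f]{2}\.[0-7])\s+"
    r"(?P<cls>[0-9a-f]{4}):\s+"
    r"(?P<vendor>[0-9a-f]{4}):(?P<device>[0-9a-f]{4})"
)


@dataclass(frozen=True)
class PciDevice:
    bdf: str      # bus:device.function
    cls: str      # PCI class code (0300 = display, 0200 = network, ...)
    vendor: str   # vendor ID
    device: str   # device ID


# Constructed known-good inventory captured on a clean boot.
# Device IDs are placeholders; only the vendor IDs 8086/10de are real.
BASELINE_SNAPSHOT = """\
00:00.0 0600: 8086:0001
00:02.0 0300: 8086:0002
00:1f.3 0403: 8086:0003
01:00.0 0300: 10de:0004
"""

# Constructed later inventory: the same machine plus one add-in card
# (class 0200, network controller) from a vendor not on the allowlist.
CURRENT_SNAPSHOT = BASELINE_SNAPSHOT + "03:00.0 0200: abcd:0001 (rev 01)\n"

# Assumed allowlist for this example: vendors the machine is expected to carry.
ALLOWED_VENDORS = {"8086", "10de"}


def parse_lspci(text):
    """Parse `lspci -n` output into PciDevice records, skipping non-matching lines."""
    devices = []
    for line in text.splitlines():
        m = LSPCI_LINE.match(line.strip())
        if m:
            devices.append(PciDevice(**m.groupdict()))
    return devices


def audit(current_text, baseline_text, allowed_vendors):
    """Return {bdf: [reasons]} for every device in `current_text` that is
    either absent from the baseline (same slot, vendor and device) or
    carries a vendor ID outside the allowlist."""
    current = parse_lspci(current_text)
    baseline_ids = {(d.bdf, d.vendor, d.device) for d in parse_lspci(baseline_text)}
    findings = {}
    for d in current:
        reasons = []
        if (d.bdf, d.vendor, d.device) not in baseline_ids:
            reasons.append("not in baseline")
        if d.vendor not in allowed_vendors:
            reasons.append("vendor not allowlisted")
        if reasons:
            findings[d.bdf] = reasons
    return findings


if __name__ == "__main__":
    for bdf, reasons in audit(CURRENT_SNAPSHOT, BASELINE_SNAPSHOT, ALLOWED_VENDORS).items():
        print(f"{bdf}: {', '.join(reasons)}")
```

On a real host you would feed `audit()` the live output of `lspci -n` and a baseline stored at provisioning time; the "not in baseline" reason fires for any newly populated slot regardless of what IDs the card presents, which is why a baseline diff is a stronger check than an ID blocklist alone.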