Guide [Source] TPM HWID Bypass — Kernel-Level EK/AIK Hash Spoofing

byte_corvus

Getting clapped by Vanguard or Ricochet because of your TPM serials? Most public spoofers only touch the registry, which is a one-way ticket to a delay ban. If you are serious about bypassing HWID bans, you need to go deeper into the kernel layer where the actual drivers store their state.

How Anti-Cheats Sniff Your TPM
Modern ACs don't just ask nicely for your serials. They use multiple vectors to ensure they are flagging the right hardware:
  1. TBS API (TbsiGetDeviceInfo) calling into tbs.sys and tpm.sys.
  2. WMI queries via the Win32_Tpm provider.
  3. Direct registry checks under the TPM\WMI keys for EndorsementKeyHash and WindowsAIKHash.

The No-Hook Approach
Instead of placing noisy hooks on TbsiGetDeviceInfo which can be scanned, this method involves scanning the device extensions of tpm.sys, tbs.sys, and ACPI. By locating the original EK (Endorsement Key) hash in memory and replacing every instance with random bytes, you effectively neutralize the hardware's identity at the source.

Code:
//  Anti-cheats query TPM via:
//    - TBS API (TbsiGetDeviceInfo) → tbs.sys → tpm.sys
//    - WMI Win32_Tpm → tpm.sys WMI provider
//    - Registry TPM\WMI → EndorsementKeyHash, WindowsAIKHash
// approach:
//    1. Read original EK hash from registry
//    2. Scan tpm.sys + tbs.sys + ACPI device extensions for the hash
//    3. Replace all instances with random bytes
//    4. Update registry WMI values (backup layer)
 
 
void SpoofTpm()
{
    // Read original TPM EK hash from registry
    UCHAR origEkHash[32] = {};
    ULONG ekLen = 0;
    UCHAR spfEkHash[32];
    for (int i = 0; i < 32; i++) spfEkHash[i] = RandByte();
 
    RegGetBin(L"\\Registry\\Machine\\SYSTEM\\CurrentControlSet"
        L"\\Services\\TPM\\WMI", L"EndorsementKeyHash",
        origEkHash, sizeof(origEkHash), &ekLen);
 
    // ── Kernel Layer: Scan TPM driver extensions ──────────────────────
    if (ekLen >= 20) // SHA-1 (20) or SHA-256 (32)
    {
        const WCHAR* tpmDrivers[] = {
            L"\\Driver\\TPM",
            L"\\Driver\\tbs",
            L"\\Driver\\ACPI",   // TPM2.0 ACPI-enumerated
        };
 
        for (ULONG d = 0; d < ARRAYSIZE(tpmDrivers); d++)
        {
            UNICODE_STRING name; RtlInitUnicodeString(&name, tpmDrivers[d]);
            PDRIVER_OBJECT drv = nullptr;
            if (!NT_SUCCESS(ObReferenceObjectByName(&name, OBJ_CASE_INSENSITIVE,
                nullptr, 0, *IoDriverObjectType, KernelMode, nullptr, (PVOID*)&drv)))
                continue;
 
            PDEVICE_OBJECT dev = drv->DeviceObject;
            while (dev) {
                if (!MmIsAddressValid(dev)) break;
                if (dev->DeviceExtension && MmIsAddressValid(dev->DeviceExtension))
                    MemReplace(dev->DeviceExtension, 0x3000,
                        origEkHash, ekLen, spfEkHash, ekLen);
 
                PDEVICE_OBJECT lower = IoGetLowerDeviceObject(dev);
                ULONG depth = 0;
                while (lower && depth < 8) {
                    if (!MmIsAddressValid(lower)) break;
                    if (lower->DeviceExtension && MmIsAddressValid(lower->DeviceExtension))
                        MemReplace(lower->DeviceExtension, 0x3000,
                            origEkHash, ekLen, spfEkHash, ekLen);
                    PDEVICE_OBJECT next = IoGetLowerDeviceObject(lower);
                    ObDereferenceObject(lower);
                    lower = next; depth++;
                }
                if (lower) ObDereferenceObject(lower);
                dev = dev->NextDevice;
            }
            ObDereferenceObject(drv);
        }
    }
 
    // ── Registry Layer ───────────────────────────────────────────────
    const WCHAR* wmi = L"\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI";
    RegSetBin(wmi, L"EndorsementKeyHash", spfEkHash, 32);
 
    UCHAR spfAik[32]; for (int i = 0; i < 32; i++) spfAik[i] = RandByte();
    RegSetBin(wmi, L"WindowsAIKHash", spfAik, 32);
    RegSetDw(wmi, L"ManufacturerId", RandDword());
    RegSetDw(wmi, L"ManufacturerVersion", RandDword() & 0xFFFF);
}

Important Notes for Implementation
Scanning device extensions is safer than a direct hook, but remember that some anti-cheats might cache the TPM identity early in the boot process. You should ideally run this from a boot driver or early-entry mapper to ensure the spoofed values are the only ones the AC ever sees.

Don't forget to also clear your PermanentIdentifier and other WMI artifacts that might persist. This snippet covers the core EK/AIK logic, but a full bypass requires a clean environment—disable Secure Boot and clear your NVRAM variables if you've been flagged before.

Anyone tested this on the latest Vanguard build? Drop your crash logs if the memory scan fails on specific ACPI versions.
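
Added example, not part of the original post: a defender-side consistency check in C over the same TPM\WMI values the snippet above overwrites. It flags a ManufacturerId that does not decode to a known TCG vendor tag and an EndorsementKeyHash whose length or bytes differ from an enrolled baseline. The snapshot struct, function names, flag names and the partial vendor list are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Values read from the Services\TPM\WMI key named in the post.
   How they are collected is out of scope; the struct is hypothetical. */
struct tpm_wmi_snapshot {
    uint32_t manufacturer_id;   /* ManufacturerId */
    size_t   ek_hash_len;       /* EndorsementKeyHash length: 20 or 32 */
    uint8_t  ek_hash[32];
};

enum {
    F_VENDOR_UNKNOWN = 1u << 0, /* id is not a known vendor tag */
    F_EK_LEN_CHANGED = 1u << 1, /* hash length differs from baseline */
    F_EK_CHANGED     = 1u << 2  /* hash bytes differ from baseline */
};

/* Partial list of TCG vendor tags (assumption: extend it from the
   TCG vendor ID registry before relying on it). */
static const char *const KNOWN_VENDORS[] = {
    "AMD", "IFX", "INTC", "MSFT", "NTC", "STM "
};

/* The id packs up to four ASCII characters, most significant byte
   first, NUL-padded: 0x494E5443 is "INTC", 0x414D4400 is "AMD". */
int vendor_known(uint32_t id)
{
    char tag[5] = {0};
    for (int i = 0; i < 4; i++)
        tag[i] = (char)((id >> (24 - 8 * i)) & 0xFF);
    for (size_t i = 0; i < sizeof KNOWN_VENDORS / sizeof *KNOWN_VENDORS; i++)
        if (strcmp(tag, KNOWN_VENDORS[i]) == 0)
            return 1;
    return 0;
}

/* Compare the current snapshot with the one enrolled for this machine. */
unsigned audit_tpm_wmi(const struct tpm_wmi_snapshot *base,
                       const struct tpm_wmi_snapshot *cur)
{
    unsigned f = 0;
    if (!vendor_known(cur->manufacturer_id))
        f |= F_VENDOR_UNKNOWN;
    if (cur->ek_hash_len != base->ek_hash_len || cur->ek_hash_len > 32)
        f |= F_EK_LEN_CHANGED;
    else if (memcmp(cur->ek_hash, base->ek_hash, cur->ek_hash_len) != 0)
        f |= F_EK_CHANGED;
    return f;
}
```

These registry values are client-controlled, so a flag here is a reason to require an EK certificate and attestation rather than proof of tampering on its own.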