Anyone currently digging into a custom VGC implementation? I've been grinding on a VGC emulator and hit a massive wall once I reached the client-driver handshake. The game client reaches the lobby perfectly with a fake service, but getting through the gateway is another story.
Current Progress:
- Pipe server between the game and fake VGC is stable.
- AC server request format and encryption (vg.ac.pvp.net:8443/vanguard/v1/gateway) is fully mapped.
- The server validates and responds correctly to well-formed requests.
The Wall: Ephemeral Attestation Data
When comparing real traffic against emulated requests, there is a ~1KB block of extra data that is definitely coming from the kernel component. Without this ephemeral attestation payload, the gateway rejects the auth requests immediately. Logic points to vgk.sys being the generator here.
The IOCTL Problem
Tried talking to the device directly to pull this data, but it fails every time. Even though CreateFile succeeds, DeviceIoControl returns ACCESS_DENIED regardless of the execution context.
Code:
HANDLE hDevice = CreateFileA("\\\\.\\vgk", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
// Handle opens fine, but IOCTL fails with code 0x5:
BOOL result = DeviceIoControl(hDevice, IOCTL_CODE, in_buffer, in_size, out_buffer, out_size, &returned, NULL);
I've tested this from the service context, attempted injection into the legitimate VGC process, and standard elevation. It looks like the Vanguard driver is performing a strict PE signature check on the calling process. If the binary isn't signed by the developer, the driver locks the communication channel.
- The obfuscation in vgk.sys is heavy—lots of control flow flattening and mutation.
- Analysis of the verification routine is a slog without a clean deobfuscator for their specific VM/mutations.
- Alternative approach: Proxying requests by hooking the legitimate VGC service, though this defeats the purpose of a standalone emulator.
Has anyone found a clean way to communicate with the driver from a custom binary without triggering the signature validation? Or has anyone mapped the attestation generation logic well enough to replicate it purely in user-mode?
Drop your thoughts or crash logs below.