Guide Anticheat Faceit Bypass


Rake

Game Name: CSGO
Anticheat: Faceit
How long you been coding/hacking? 7 years
Coding Language: C++
Faceit is currently the most popular pugging website, for good reason. It has a good ranking system in which players can quickly get to a rank where they play against opponents of similar skill. It is not only a ranked league: Faceit also has an impressive anticheat, which is honestly the main selling point. You could play Faceit for years and never play with a cheater. Or maybe you will, but you probably wouldn't notice; even if you bypass the anticheat, if you rage you're gonna get reported and banned.

Faceit has the second best anticheat; ESEA is better.

As described on their site:

State of the art client side cheat detection combined with a unique server side analysis which improves detections as volume increases. Combination of several behavioral systems allows for continuous analysis of new cheats and automated update of cheat detection library. By relying on detections that are typical of today's client-side anti-cheats, we strive to improve our players' experience and add another layer of protection to FACEIT. We have built the client by combining all information we gather from different sources: the client-side & server-side anticheat along with the FBI system. This means our Data Science team can process and analyse all this data in real-time to keep improving and automating cheating detections. This is a long-term effort which we believe will eventually lead to detections that would not be possible with an approach limited to client-side detections.

What they ban for:
  • Cheats/Hacks (including skin changers, cheat loaders/drivers)
  • External scripting/macros designed to gain an advantage over other players (e.g. No recoil script, ...)
  • Use of any exploits to bypass the Anti-Cheat protection
  • Use of any (game) exploits to gain an unfair advantage (e.g. removing textures to see through walls, removing smoke grenades, ...)
  • Attempts to debug or modify the FACEIT Anti-Cheat
  • Running game inside a Virtual Machine
  • Usage of any methods/software to evade previous bans

Faceit is a kernel anticheat

First off, Faceit is a kernel anticheat like EAC and BE, so you need to have your own kernel driver in order to bypass it, and you need to be experienced with everything in this thread: Guide - How to Bypass Kernel Anticheat & Develop Drivers

Faceit Anticheat Loads at Boot

Faceit is one of only a few kernel anticheats that run at boot; it was one of the first to do so, along with ESEA and now Vanguard.

Before you can load any other drivers, before you log into Windows, Vanguard is already running. What does this mean for cheaters?

EAC and Battleye, for example, are not running at boot. To bypass them, you manually map your driver before the anticheat loads: load your driver, then load the game with the anticheat services set to "manual load" in services.msc. It's a race to load first; if you load first, you can hide from the anticheat. This is the main reason why these anticheats are "easily" bypassed.

With FaceIt, when you map your cheat driver, it can detect it and prevent you from even running the game, or result in a ban.

Some people get outraged at anticheats running at boot, in most cases there isn't much to worry about. This outrage has been discussed as it relates to Vanguard anticheat which also runs at boot here: Why anti-cheat software utilize kernel drivers

Faceit Bypass

With that information out of the way, you may be asking yourself if bypassing Faceit is even possible. Yes it is, but it is very difficult. I would recommend reverse engineering and bypassing Battleye first, then EAC. If you can manually reverse engineer and bypass both of those, then you are in a good position to begin working on a Faceit bypass.

Several Faceit bypasses use a DMA (Direct Memory Access) device, something like Screamer M2, which gives you direct access to memory. In this manner you are running at the hardware level, below even the kernel, and so you bypass many detection methods. But these devices can still be detected; they often use default identifiers which make them easy to find. It's not enough just to plug one of these devices in; you also need to have reversed Faceit so you know what they're looking for and how to hide from it or patch it.

You can read more about DMA on ESEA's blog: hxxps://blog.esea.net/esea-hardware-cheats/

Here is a common setup to see player locations on a phone using a DMA device (diagram not reproduced):


The process is described as such: a cheater would have two PCs, one running the game and another running their attack. The PC being used to play would have a DMA (Direct Memory Access) device plugged into it. The DMA device, the PC used to play and the attack PC would be connected by a USB cable.

The attack PC would then gather data and memory from the PC used to play and be able to send that information via a Raspberry Pi device which would in-turn send the in-game player locations of the enemy team to an attackers mobile.

Learn more about CSGO DMA hacks slack69/csgo-dma-overlay

Do you have to use a DMA?

No. There are still ways to bypass the anticheat, but without knowing exactly how the anticheat works you will have a hard time doing anything. If you read our kernel guide, you will know that vulnerable drivers are the best way to get into the kernel. Most kernel anticheats will detect these well-known vulnerable drivers.

You would need to get creative to create a Faceit bypass; there is nothing you can download that is a fool-proof bypass. You might be able to read and write game memory, but you will probably get flagged and banned later, especially if you distribute the hack.

Using Vulnerable Drivers
Read: Guide - Vulnerable Kernel Drivers For Exploitation

Using a publicly known driver will get you banned immediately. Using an unknown driver that you find yourself will allow you to get into the kernel while playing the game. You might be able to read and write game memory, but you will probably get flagged and banned later, especially if you distribute the hack. Faceit is scanning your computer for these types of things and sending the information back to their servers. Again, you have to reverse it yourself to bypass their detections.
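As an added illustration from the detection side (this is not code from the thread, from Faceit or from the kernel guide it links), here is a PowerShell check over the kernel drivers registered as services on a Windows machine. It flags the two signals the thread describes: a driver image without a valid Authenticode signature, and a driver whose name matches a known vulnerable driver. The name list holds only the two names this thread mentions and the path normalisation rules are my assumptions, so treat both as a starting point rather than Faceit's own data.

```powershell
# Added example, not code from this thread or from Faceit. It lists the kernel
# drivers registered as services on this machine and flags the two signals the
# thread describes: an image without a valid Authenticode signature, and a
# driver whose name matches a known vulnerable driver. Only the two names the
# thread mentions are listed; the list is an assumption to be extended locally.
$KnownVulnerableDrivers = @('cpuz141', 'speedfan')

function Resolve-DriverPath {
    param([string]$RawPath)
    # Win32_SystemDriver reports PathName in several NT-style forms
    # (\??\C:\..., \SystemRoot\..., system32\drivers\...); normalise to a Win32 path.
    if ([string]::IsNullOrWhiteSpace($RawPath)) { return $null }
    $p = $RawPath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^system32\\', "$env:SystemRoot\System32\"
    return $p
}

function Get-SuspiciousDrivers {
    $findings = @()
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' }
    foreach ($d in $drivers) {
        $path = Resolve-DriverPath $d.PathName
        $base = if ($path) { [IO.Path]::GetFileNameWithoutExtension($path) } else { $d.Name }
        $reasons = @()

        # Signal 1: the name of a driver with a known exploitable IOCTL surface.
        if ($KnownVulnerableDrivers -contains $base.ToLowerInvariant()) {
            $reasons += 'name matches a known vulnerable driver'
        }

        # Signal 2: the on-disk image does not carry a valid signature, or the
        # file the service points at no longer exists.
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') {
                $reasons += "signature status $($sig.Status)"
            }
        } elseif ($path) {
            $reasons += 'image file missing on disk'
        }

        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{
                Name    = $d.Name
                Path    = $path
                Reasons = ($reasons -join '; ')
            }
        }
    }
    return $findings
}

Get-SuspiciousDrivers | Format-Table -AutoSize
```

A driver that was mapped straight into memory (the kdmapper case discussed later in the thread) never registers a service and so never shows up in Win32_SystemDriver; that gap is one reason a kernel anticheat works from load-image callbacks and signature verification rather than from service enumeration.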

FaceIt Detection Methods
Some of this information is old, but it's a start

This was posted by zwknby48520 in 2018:
faceit set callbacks:

loadimage + minifilter (block dll injection / log driver/dll/image load event)
createprocess (log process create event)
createthread (log CreateRemoteThread / any thread event)

use the two low-level hooks wh_mouse_ll and wh_keyboard_ll to detect mouse_event etc...
they can unload drivers with known exploits like cpuz141, speedfan etc. by checking DeviceName.

There is a second UC thread from LordTristan from 2016 here: https://www.unkn0wnch3ats.me/forum/anti-cheat-bypass/196539-faceit-client.html

How to reverse engineer Faceit
Use a kernel driver to dump their driver and the game, then statically analyze it. Do this on a different PC if possible.

Cheats that may Bypass Faceit
Color Aimbots, Recoil Macros
Download - Aimbot Color C++ Based Black Color

Good Information from @Daax
post 1 & post 2


Additional Faceit Resources
 

Prux

I am making this thread to ask if anybody on this forum has valuable information about the Faceit client-sided anti cheat. I appreciate every piece of information you can give me.
I am doing this because I actually wanted to make a cheat that is working on Faceit. Since a working Faceit cheat is somewhat rare, I wanted to do an actual Faceit cheat. Also, just to be clear, I am not making this thread because I am already lost, nor because I do not know what to do. I just want infos :p

I hope you guys can help me out
 
Oct 17, 2019
Hi guys,
just want to get a little guidance to get this driver working with FaceIt AC

It's really benign stuff, it's just creating mouse acceleration profiles
From what I understood, it makes it possible to change kernel components,
modifying the input from the mouse and making it possible to tweak those variables.
https://www.oblita.com/interception.html
The problem is, it's not a signed driver.

It's working fine within CS:GO VAC servers, esea also has no issue with it
But FaceIt AC is blocking this driver, assuming it could be used to cheat


Right now two solutions exist to use this driver for mouse acceleration :

by Povohat/Kovaak Interaccel :
http://mouseaccel.blogspot.com/2015/12/new-method-for-mouse-acceleration.html

and by Bologna/Custom curve :
https://mouseacceleration.com/home.html

Files are here :
https://github.com/KovaaK/InterAccel


I've tried creating the same features using "enhanced pointer precision"
and tweaking the variables in the registry but it's not precise enough and unreliable


So I'm looking for a way to load it and hide it from FaceIt AC
Do you think it's a viable option ?

The Interception API provides an interface with kernel-mode components. So if I'm able to modify these components
without having this driver installed, maybe it could work too.
Would you try to do it another way?

many thanks
 

timb3r

Based on what they wrote on the website, it's sig scanning mixed with maybe behavior analysis. Don't use anything existing; write your own code and you'll be fine.

I was just changing the viewangles + recoil control with low fov and smooth settings and some other stuff to keep it legit, basically kinda unnoticeable.
  • State of the art client side cheat detection combined with a unique server side analysis which improves detections as volume increases.
  • Combination of several behavioral systems allows for continuous analysis of new cheats and automated update of cheat detection library.
Apparently not.
 

cqnsta

So recently I tried hacking into Faceit and so I did it for a few games. I played around 30 games till getting the first ban with a simple driver using PsSetLoadImageNotifyRoutine, which I believe is a kinda big detection vector, in the first games to get the module address since I didn't know anything about any other method; then after 10 games I switched to PEB parsing, but still IOCTL communication. Played like this for 30 games before getting a ban. In my usermode I was just changing the viewangles + recoil control with low fov and smooth settings and some other stuff to keep it legit, basically kinda unnoticeable.

Now I modified my driver, using socket communication, loading it with kdmapper, cleaning the PIDDB table and MmUnloadedDrivers in my usermode (don't know if these are applying so well because the Faceit driver is loaded at startup, but I always cleaned them before the Faceit client starts) and played 1 game, then after around 24h I got banned. I'm pretty sure it's not a HWID ban since it's a different computer with Windows just installed, and I don't know if it's the driver or the usermode. I saw that maybe changing view angles is detected, but how did I do around 30 games with that and RCS? Can't figure it out.

I posted here maybe you'll have some opinions about it.
 

Daax

The SLI callback will be a problem if you have one registered and it's not backed by a valid driver. Unsigned code, without modification to the driver object flags, can't register notification routines. If there is one present, and it's associated with an unsigned module, then you're gonna get your cheeks clapped. You could insert it into the PsLoadedModuleAvlTree and PsLoadedModuleList with MiProcessLoaderEntry, but that's no good as most anti-cheats have SeImageVerificationCallbacks installed; they'll grab signature info (or lack thereof) when you load. It's really frustrating that some believe IOCTL communication is the issue. It's usually what you're modifying to achieve this IOCTL communication (e.g. overwriting some valid driver's IOCTL handler pointer). Other notes: you can get module base addresses of system DLLs by opening a section to \KnownDlls\<module>.dll, querying section info and getting the section base address. PEB parsing is not necessary.

I'm going to be straight with you, this is a very lackluster attempt at FaceIT. It wouldn't get around BE or EAC, which are much less robust than FaceIT. The fact that you're using anecdotes to support the reasoning for the switch of communication between user and kernel components, and other guesses, tells me you're basing this off third-party "research".

None of what you're doing is going to help. All of the "techniques" you've used are outdated. It's your entire project that is the problem. Contrary to the information you might find on UC there are also more caches that previously loaded driver information is stored in. Not to mention they check things server-side as @timb3r stated. You need to stop relying on old sources of information and find relevant, and current information if you want to cheat on FaceIT. By that I mean: do your own research.

No shame in trying old methods, but don't be surprised when they don't work.
 

cqnsta

Thank you. To be honest I did not want this stuff to work; I'm not into this for such a long time and I still got a lot to learn, and if I could've bypassed it now it would be pretty sad since anyone could've done it. All the "techniques" I used are basically listed publicly by other hackers; you just have to figure out how to do that. I don't believe IOCTL communication was the issue, but creating a new device, which I used to do IOCTLs, is.

Anyway, you are right, I haven't done my own research and that's basically the hardest part. I really want to improve at that but for now I really don't know how. I recently bought Windows Internals and I'm going for more books about reverse engineering. If you got some tips on how to really practice this, I'll be really grateful.

And one more question: the socket communication, is it okay to go on with, since I'm not creating any sys threads/handles, anything?
 

Daax

Yeah, I wasn't intending to make it sound like I thought you were an idiot (I don't think that). I just wanted to point out that it wasn't worth wasting your time on outdated methods. And my rant about IOCTLs stems from my deep-seated frustration with a different community and the perpetuation of incorrect information. Anyways...

Socket communication is perfectly fine, just rather time-consuming to set up. At least the way I'm thinking, with the low-level socket API in kernel. Starting research, I'd suggest determining what is commonly used or could be used for detection. (Common things to check: APIs that could be used like WmiQueryxxx, NtDeviceIoControlFile, NtQuerySection, RtlWalkFrameChain, ExAllocatePoolWithTag, etc.) A lot will be manual analysis, but you can use the Unicorn PE Emulator for binary instrumentation. You can register certain APIs to be emulated and watch what gets passed through, etc. Finding all dynamically acquired routines via MmGetSystemRoutineAddress, and looking for manual export walking, would be a good start. You can also perform IAT hooks in the kernel on the FACEIT driver (they probably check, but you're banned already so why not look). I'm of course the living meme of hypervisors, but I highly recommend it for anti-cheat research. It's incredibly valuable and useful for understanding behavior in areas that are virtualized/obfuscated by VMProtect.

I've not touched FACEIT in years, but I know that they're quite advanced from what I hear through the grapevine. That's all anecdotal though, and of course, I still recommend you look into it yourself. You might just come up with information that isn't public and be able to contribute more to the league cheating scene.

Best of luck, mate.
 

timb3r

And my rant about IOCTLs stems from my deep-seated frustration with a different community and the perpetuation of incorrect information. Anyways...
 

cobb

It's the new method to bypass all these new anticheats; how do they do it?

I have seen guys creating an OS to inject before booting. Is it the only method?

Thanks for all replies.
 

Not2EXceL

Lol @ creating an OS to load a cheat. Was it an EFI shell?

Just a few options
efi manual mapping of driver
own your own EV cert
type -1 hv
dma
or the best one...actually bypass the ac
 

Ahegao

What you are talking about is a "bootkit", which is an EFI application that disables PatchGuard and driver signature enforcement.

Mattiwatti/EfiGuard, for example.

It loads before Windows is executed, like a proxy loader for the Windows OS.
 

ZleMyzteX

I was using a cheat that was "creating" a secondary OS to boot every time you wanted to play with the cheat in csgo; too bad they got detected even though they used some shit like that. I guess there are better methods out there.
 

cobb

Thanks men

Some guys are using this atm for esea
 

ZleMyzteX

Probably a good method for that. I still don't understand how something that complex could be detected by VAC, but yeah.
 

Ahegao

Because it's not the cheat being detected, it's the player and how they use the cheat.
 

cobb

VACnet (Overwatch) and VAC (VAC2/VAC3) are completely different.

VACnet doesn't detect cheats at all, so we don't care.
 