Guide Valorant Vanguard Anticheat Bypass


Rake

Cesspool Admin
Administrator
Jan 21, 2014
Game Name: Valorant
Anticheat: Vanguard
How long you been coding/hacking? 7 years
Coding Language: C++
Riot has taken a big shot at the competitive CSGO community by releasing Valorant, a game that:
  • is better than CSGO
  • is 8 years newer
  • has better graphics
  • features more complex combat mechanics
  • retains the same basic gameplay elements that made CSGO successful
But its biggest selling point is its extreme stance on cheating. They are seeking to upend the competitive FPS genre by providing the first real "secure" gaming experience.

Game: Valorant
Company: Riot
Anticheat: Vanguard
Engine: Unreal Engine 4

Vanguard Anticheat

Vanguard is one of only a few kernel anticheats that runs at boot, joining the ranks of ESEA and FaceIt. What does this mean?

Before you can load any other drivers, before you log into Windows, Vanguard is already running. What does this mean for cheaters?

EAC and Battleye, for example, are not running at boot. To bypass them, you manually map your driver before the anticheat loads. So, load your driver, then load the game with the anticheat services set to "manual load" in services.msc. It's a race to load first: if you can load first, you can hide from the anticheats. This is the majority of the reason why these anticheats are "easily" bypassed.

With Vanguard, which is already running, when you map your cheat driver, it can detect it and prevent you from hacking the game or result in a ban.

Riot is serious about cheating

Besides the fact that Vanguard anticheat runs at boot, Riot is taking cheating VERY seriously: they have hired smart people to develop the anticheat and are working very hard to prevent cheating.

Riot has a bug bounty program on HackerOne offering up to $100,000 for finding vulnerabilities in Vanguard.

Vanguard Bounty Opportunity
Alongside our new game VALORANT, we have deployed our new anti-cheat solution Vanguard that leverages a kernel driver to combat cheaters more effectively. To reinforce our commitment to our players' security, we are offering special bounties for up to $100,000 for high quality reports that demonstrate practical exploits leveraging the Vanguard kernel driver.



This proves how serious they are, no other anticheat even comes close to this and in general, this has to be one of the top paying bounty programs of all time.

Vanguard is officially the hardest anticheat to bypass for these reasons. If you're not Double XL 1337 don't even bother thinking about this game.

Bootkit Outrage

People who don't understand the history of anticheat vs cheaters or simply don't know wtf they're talking about have made a big stink about Vanguard.

EAC and Battleye run when you log in to your PC unless you set them to "manual on demand" in services.msc; anticheats have been doing that for 10 years. Vanguard runs at boot. So if you're angry about Vanguard running at boot but you don't disable the other anticheats in services.msc then you should stfu.

A Riot employee responded to some of this outrage on Reddit (dogshit website btw):

Yes we run a driver at system startup, it doesn't scan anything (unless the game is running), it's designed to take up as few system resources as possible and it doesn't communicate to our servers. You can remove it at anytime.

Vanguard contains a driver component called vgk.sys (similar to other anti-cheat systems), it's the reason why a reboot is required after installing. Vanguard doesn't consider the computer trusted unless the Vanguard driver is loaded at system startup (this part is less common for anti-cheat systems).

This is good for stopping cheaters because a common way to bypass anti-cheat systems is to load cheats before the anti-cheat system starts and either modify system components to contain the cheat or to have the cheat tamper with the anti-cheat system as it loads. Running the driver at system startup time makes this significantly more difficult.

We've tried to be very careful with the security of the driver. We've had multiple external security research teams review it for flaws (we don't want to accidentally decrease the security of the computer like other anti-cheat drivers have done in the past). We're also following a least-privilege approach to the driver where the driver component does as little as possible preferring to let the non-driver component do the majority of work (also the non-driver component doesn't run unless the game is running).

The Vanguard driver does not collect or send any information about your computer back to us. Any cheat detection scans will be run by the non-driver component only when the game is running.

The Vanguard driver can be uninstalled at any time (it'll be "Riot Vanguard" in Add/Remove programs) and the driver component does not collect any information from your computer or communicate over the network at all.

We think this is an important tool in our fight against cheaters but the important part is that we're here so that players can have a good experience with Valorant and if our security tools do more harm than good we will remove them (and try something else). For now we think a run-at-boot time driver is the right choice.

The good folks at secret.club took the initiative to address the outrage in this article: Why anti-cheat software utilize kernel drivers

Disabling Vanguard

Since the outrage, Vanguard has been updated: it now displays a tray icon and you can disable it. But once you disable it, your computer is put in an "untrusted mode" and you can no longer play the game. You will have to reboot in order to re-enable it to play the game.

Vanguard Bypass

Surprise! There is no bypass, nor am I interested in hosting any on GH. I actually commend Riot for being the first company to actually give a shit. I haven't really played multiplayer games for 10+ years because cheating has really gotten out of control (partially my fault lul). In the past 7 years I have only actually cheated online in 1 game; like most people on this forum, we do this for the fun of the challenge.

If you want to learn how to bypass Vanguard Anticheat you will want to become adept at reverse engineering and bypassing EAC and Battleye first. If you can't bypass these, you def are not bypassing Vanguard.

If you want to learn how to bypass kernel anticheat in general, you can learn quite a lot with our resources.

Can you get your driver to load and start messing with the game? Yes you can, but you have a 95% chance of getting banned. If you're messing around in the kernel, they have probably identified you and it's only a matter of time until they get you.


Vanguard Modules
vgc.exe - usermode service
vgk.sys - kernel driver
vgrl.dll - Vanguard launcher library
vgray.exe - tray icon

You can download them here: hxxps://riot-client.secure.dyn.riotcdn.net/channels/public/rccontent/vanguard/1.0.3.7/setup.exe

Vanguard Features

In our EAC thread we have a list of features that EAC has:

  • Block all interaction with game process
  • Block creation of process handles
  • Scan for hidden processes & modules
  • Scan for known suspicious DLL modules
  • Scan for known suspicious drivers
  • Get a list of all open handles
  • Scan for disks & devices
  • Log all loaded drivers
  • Gather HWID information
  • Detect debuggers
  • Find manually mapped drivers
  • Detect manually mapped driver traces
  • Check for kernel patches
  • Find handles to physical memory
  • Detect modules using VirtualProtect
  • Dump suspect strings from regions not backed by actual modules
  • Scan for possible syscall stubs in regions that are not backed by modules
  • Do window enumeration to detect suspect overlays
  • Enumerate suspect shared memory sections
  • Detect hooks
  • Checks all services
  • Scan all threads & system threads
  • Stack walking
  • Detection of manually mapped modules
  • Turla Driver Loader detection
  • Hypervisor & VM detection
  • DbgUiRemoteBreakin patch
  • PsGetProcessDebugPort
  • Set HideFromDebugger flag manually
  • Reads DR6 and DR7
  • Instrumentation callbacks

You can basically guarantee that Vanguard does 50% of this.

Vanguard scans all your hardware devices, to prevent DMA (direct memory access) devices such as PCIe Screamer. These devices are popular for professional gamers whose careers depend on not getting caught cheating.

Vanguard uses virtualization

All the binaries are heavily obfuscated, I'm too dumb to make much sense of any of them.

But I did see that the only things that weren't obfuscated were these strings:

  • \Device\ATSZIO
  • \Device\genericdrv
  • \DosDevices\AIDA64Driver
  • \DosDevices\ALSysIO
  • \DosDevices\AsUpdateio
  • \DosDevices\Asusgio
  • \DosDevices\BS_Def
  • \DosDevices\CITMDRV
  • \DosDevices\EneTechIo
  • \DosDevices\GLCKIo2
  • \DosDevices\Global\CPUZ
  • \DosDevices\HOSTNT
  • \DosDevices\NTIOLib
  • \DosDevices\NVFLASH
  • \DosDevices\RTCore
  • \DosDevices\SE64
  • \DosDevices\WinIoB
  • \DosDevices\WinRing0
  • \DosDevices\ZemanaAntiMalware
  • \DosDevices\driveragent%d
  • \DosDevices\inpout


They are vulnerable drivers that an anticheat would want to block. I don't know why these strings weren't obfuscated tho.
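The device names above are exactly what a string scan of the binaries turns up. As an added illustration (not the author's tooling, and run on constructed sample bytes rather than the real Vanguard files), this scans a byte blob for \Device\ and \DosDevices\ object paths stored either as ASCII or as UTF-16LE, which is how such names usually sit in a Windows driver image and why a plain ASCII strings pass can miss them. It also keeps two names stored back to back from being fused into one, which is what happened to the WinRing0 and ZemanaAntiMalware entries in the list above.

```python
import re

PREFIXES = ["\\Device\\", "\\DosDevices\\"]   # NT object-manager namespaces


def _pattern(encoding: str, char_class: bytes) -> "re.Pattern":
    # A name is a prefix followed by printable characters that do not begin
    # another prefix, so two names stored back to back are not fused into one.
    prefix = b"(?:" + b"|".join(re.escape(p.encode(encoding)) for p in PREFIXES) + b")"
    return re.compile(prefix + b"(?:(?!" + prefix + b")" + char_class + b"){1,64}")


ASCII_PATTERN = _pattern("ascii", rb"[\x20-\x7e]")
# UTF-16LE: every printable character is followed by a NUL byte.
WIDE_PATTERN = _pattern("utf-16-le", rb"[\x20-\x7e]\x00")

# Constructed sample bytes shaped like a fragment of a driver image. Not real
# Vanguard bytes; the names are ones listed in the post above.
SAMPLE_IMAGE = (
    b"\x00" * 8
    + b"\\Device\\ATSZIO\x00"                                # ASCII, NUL-terminated
    + b"\\DosDevices\\Global\\CPUZ\\DosDevices\\inpout\x00"  # two ASCII names back to back
    + b"\xde\xad\xbe\xef"                                    # junk; leaves the wide strings at odd offsets
    + "\\DosDevices\\RTCore".encode("utf-16-le") + b"\x00\x00"
    + "\\DosDevices\\driveragent%d".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 8
)


def find_device_names(data: bytes) -> list:
    """Return (name, encoding) pairs for each distinct object path in `data`,
    ordered by first appearance. Matching runs at every byte offset, so
    UTF-16LE strings are found whether or not they are 2-byte aligned."""
    hits = []
    for m in ASCII_PATTERN.finditer(data):
        hits.append((m.start(), m.group(0).decode("ascii"), "ascii"))
    for m in WIDE_PATTERN.finditer(data):
        hits.append((m.start(), m.group(0).decode("utf-16-le"), "utf-16-le"))
    seen, names = set(), []
    for _, name, enc in sorted(hits):
        if (name, enc) not in seen:
            seen.add((name, enc))
            names.append((name, enc))
    return names


if __name__ == "__main__":
    for name, enc in find_device_names(SAMPLE_IMAGE):
        print(f"{enc:10} {name}")
```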

Valorant Cheats

Color Pixel Aimbots & No Recoil Macros, that's about all that is available but seems like everyone gets banned for using them.

Random

The PDB path in the Vanguard files is: hxxps://imgur.com/a/PiWvsB0 which is this image:

It also includes an invite to apply for a job if you're a talented reverse engineer.


Interesting ordinals: [screenshot]


"Egg" lmao [screenshot]


I suppose this is an easter egg but I couldn't figure it out :( Sorry boys, no juicy Vanguard Bypass.
 

eth0

Dank Tier Donator
Full Member
Mar 16, 2020
So I haven't been following much of the said title, but yesterday I opened Twitch and saw that the new project of Riot, called Valorant, now has 1.5M viewers, and this is still in closed phase. Can't wait to see people reversing this game and making some supah l337 hax for it, what's your opinion on that?
 

Disterso

Dank Tier Donator
Apr 17, 2018
People made hacks for it before the beta was even released on April 7th. Crazy shit lol
 

mambda

headass
Escobar Tier VIP
Trump Tier Donator
Jun 25, 2014
I'm interested in the pro scene that'll come from it

vanguard definitely neat though
 

obdr

Meme Tier VIP
Sep 22, 2019
I remember having seen from YT videos that they're claiming that their anti-cheat is awesome and will instantly ban hackers and end the match.
Can't wait to see people reversing this game and making some supah l337 hax for it, what's your opinion on that ?
Me neither, let's see what the game hacking people are going to come up with.
 

eth0

Dank Tier Donator
Full Member
Mar 16, 2020
I remember having seen from YT videos that they're claiming that their anti-cheat is awesome and will instantly ban hackers and end the match.
LOL what??? Back in 2016 when I was active in the scripting scene, I pretty much knew that they were fighting 24/7 to improve their anti-cheat, which usually happens on ban waves. Now seeing them so confident with that makes no sense to me, because they cannot fix a shit lately in League of Legends. Their match history has been under "maintenance" for over 2 weeks now. Not to mention their mode called "clash" was a complete failure; they were constantly having issues with it, kept removing it and re-adding it, and that for a few months. I kind of believe they made a mistake with pushing so many projects at once: Legends of Runeterra (replacing Hearthstone), porting TFT to mobile as well as their core game LoL.
 

badAtReversing

Dank Tier Donator
Apr 5, 2020
Been playing it for a few days now - it's pretty fun. Haven't dared to try and mess with it yet; maybe after it comes out of closed beta.

Re: Anti-Cheat
I'm not sure if any of you are familiar with Overwatch; but, my understanding is that (allegedly) one of the components of their AC is performance analytics. I.E. - The system records how accurate you are, how much damage you do, how many times you die, how many enemies you damage, where on the enemy player's body you are hitting, etc. They then use this to perform analytics and determine if you're over-performing.

We can do all kinds of fun things with this data.

If we want to be lazy, we can set a fixed threshold for some values and flag games where players exceed those thresholds. E.G. 95% Accuracy, 1000 Damage, 100% Headshots, etc.
Code:
if (accuracy > accuracyThreshold) {
    banPlayer();
}

If we want to make it a bit more unique to every player, we can do "anomaly detection", assuming that these values present a normal distribution.

First, we need to find out what is the "range" of "normal" performance for a player.
Code:
function stdDev(lastTenGames) {
    let accuracySum = 0;
    let accuracyVariationSum = 0;

    // Calculate Sum
    for (const game of lastTenGames) {
        accuracySum += game.accuracy;
    }
    // Calculate Mean
    const accuracyMean = accuracySum / lastTenGames.length;

    // Calculate Variation (population variance)
    for (const game of lastTenGames) {
        const accDiff = game.accuracy - accuracyMean;
        accuracyVariationSum += accDiff * accDiff;
    }
    const accuracyVariation = accuracyVariationSum / lastTenGames.length;

    // Calculate Std Dev
    return Math.sqrt(accuracyVariation);
}
Then, we can find out how far outside of that range the player's current performance was.
Code:
function isAnomaly(currentAccuracy, lastTenGames) {
    // Same baseline mean as in stdDev(); recomputed here so the score is self-contained
    let accuracySum = 0;
    for (const game of lastTenGames) {
        accuracySum += game.accuracy;
    }
    const accuracyMean = accuracySum / lastTenGames.length;

    const currentDeviation = currentAccuracy - accuracyMean;
    const zScore = currentDeviation / stdDev(lastTenGames);

    // 99.7% of all values are within 3x Std. Dev.
    if (zScore > 3) {
        banPlayer();
    }
}
I'm certainly oversimplifying; but, that's the gist of it.

ANYWAY, it's always puzzled me as to why more games don't use "passive" detection methods like this. Sure, you might get some false positives and you probably can't just go off of this calculation alone; but, they help build a really strong tool-set for identifying blatant cheaters. It wouldn't surprise me if Riot has something similar implemented as, at least to me, this seems like the logical next step in anti-cheat detection.
 
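A fuller version of the anomaly check sketched in the post above, added here as an example and not the poster's own code. It applies both the fixed-threshold test and the z-score test per metric, uses a sample standard deviation with a floor so a flat history cannot produce an absurd score, refuses to judge a player with fewer than five games, and reports reasons for review rather than banning outright. The game statistics are constructed for illustration.

```python
import math
from typing import Optional, Sequence

# Constructed sample: one player's accuracy (0..1) over their last ten games.
BASELINE_GAMES = [0.31, 0.28, 0.35, 0.30, 0.33, 0.29, 0.34, 0.32, 0.27, 0.31]

WINDOW = 10          # only the most recent games form the baseline
MIN_GAMES = 5        # refuse to judge a player with too little history
MIN_STD_DEV = 0.01   # floor so a flat history cannot blow the z-score up
Z_THRESHOLD = 3.0    # 99.7% of a normal distribution lies within 3 sigma
FIXED_LIMITS = {"accuracy": 0.95, "headshot_rate": 1.0}   # the "lazy" checks


def mean(values: Sequence[float]) -> float:
    return sum(values) / len(values)


def sample_std_dev(values: Sequence[float]) -> float:
    # n-1 (sample) form rather than the n (population) form in the post:
    # ten games is a small sample and the n form underestimates the spread.
    m = mean(values)
    return math.sqrt(sum((v - m) ** 2 for v in values) / (len(values) - 1))


def z_score(current: float, history: Sequence[float]) -> Optional[float]:
    """Standard deviations `current` sits above the player's own baseline,
    or None when the history is too short to form one."""
    window = list(history)[-WINDOW:]
    if len(window) < MIN_GAMES:
        return None
    sd = max(sample_std_dev(window), MIN_STD_DEV)
    return (current - mean(window)) / sd


def review_game(stats: dict, history: Sequence[dict]) -> list:
    """Return the reasons a game looks suspect (empty list = nothing unusual).
    It flags for review rather than banning: one over-performing game is
    weak evidence on its own, as the post notes."""
    reasons = []
    for metric, value in stats.items():
        limit = FIXED_LIMITS.get(metric)
        if limit is not None and value >= limit:
            reasons.append(f"{metric}={value:.2f} at or above fixed limit {limit:.2f}")
        z = z_score(value, [g[metric] for g in history if metric in g])
        if z is not None and z > Z_THRESHOLD:
            reasons.append(f"{metric}={value:.2f} is {z:.1f} sigma above baseline")
    return reasons


if __name__ == "__main__":
    history = [{"accuracy": a} for a in BASELINE_GAMES]
    print(review_game({"accuracy": 0.34}, history))   # []
    print(review_game({"accuracy": 0.45}, history))   # one z-score reason
```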

Akaion

Wizard
Meme Tier VIP
Trump Tier Donator
Oct 13, 2018
Friends with a few AC devs at various companies and something that a lot of them are doing or starting to do is a mix of the following

- Model player input against a normal distribution (a lot of ways of doing this, quite good at catching shitty bots / hacks)
- Run suspect player inputs (suspect determined by stuff mentioned above) against pre-trained models to look for anomalies / inhuman movements (models trained on real players)

So while it may be possible to get away with cheating in the short term, as you obviously can't patch all loopholes, good ACs will probably eventually flag you as suspect and run you against their in-house models, which is quite likely to indicate that you are in fact cheating.
 

Kekz

Maybe Pasting
Dank Tier Donator
Nobleman
Jan 10, 2020
They all do this, you can go to services.msc and set it to manual if you only want them to load when you start the game in most cases
I don't think that will work with Vanguard though?
"Vanguard doesn't consider the computer trusted unless the Vanguard driver is loaded at system startup (this part is less common for anti-cheat systems). "
But then I don't know anything about Anticheats, so you're probably right.
 

Rake

Cesspool Admin
Administrator
Jan 21, 2014
I don't think that will work with Vanguard though?
"Vanguard doesn't consider the computer trusted unless the Vanguard driver is loaded at system startup (this part is less common for anti-cheat systems). "
Interesting, yeah that's different
 

Rake

Cesspool Admin
Administrator
Jan 21, 2014
Good prices, I bet someone gets an LPE within a few months
 

mambda

headass
Escobar Tier VIP
Trump Tier Donator
Jun 25, 2014
Riot's got a good history of paying out from what I hear, you can make some good cash money if you find something worth it
 

Delet3d

"Unable to find specified file."
Trump Tier Donator
Apr 12, 2020
They did this to reduce their chance of getting caught with their dick in their hands when some hacker found a way to hide a crypto miner in everyone's computer from the beloved vgk.sys
 

XdarionX

Dying Light Hacker
Dank Tier VIP
Dank Tier Donator
Mar 30, 2018
The Vanguard driver can be uninstalled at any time (it'll be "Riot Vanguard" in Add/Remove programs) and the driver component does not collect any information from your computer or communicate over the network at all.
Can someone explain to me how they will ban you then if they do not communicate with the server? Meaning that they do not take HWID? What a joke!
 