ANTICHEAT ANALYSIS, GAMERSCLUB, EMACLAB

EMACLAB (Gamersclub) Anticheat Analysis

Updated March 2026: This article series has been significantly updated with new findings from a much deeper analysis of the driver. Key additions include: detailed function addresses and sizes, the complete IOCTL communication architecture (code 0x1996E494), hardware fingerprinting via TPM/SecureBoot/PCI, aimbot float constant heuristic detection, BigPool scanning for manually-mapped drivers, a full 14-entry certificate blacklist, 11-entry driver blacklist, anti-debug techniques, complete XOR string key pairs, FNV-1a hash values for process/syscall identification, and a comprehensive 145-function reference. The driver has 931 total functions with 145 named with the Emac prefix.

EMACLAB Anticheat is the solution chosen by the famous GamersClub, an Brazilian league platform for the game Counter-Strike: 2. Much people call it GamersClub Anticheat but EMACLAB is a third party company that actually develops and mantain the anticheat. This anticheat (EMACLAB Anticheat) comes back to around 15+ years ago, it was called “GHP (Game Hack Protector)”, as far as i know the owner/coder remains the same to this day, with a few more people of course, but what we’re really interested in is to know what has been improved since the early days.

It’s worth mentioning that this product has gone throught a lot of drama before, there has been (proofless) accusations of infecting cheat developers with RAT (Remote Access Tools a.k.a Trojans) as well as inumerous hackusations from the community against well known platform players, which often gets banned without solid proofs, which comes down to the question: Is the anticheat really being effective? Whilist having so much power in the first place!?

As many questions have been asked over the years and not many answers are known, I will publish here everything I know so that you can form your own opinion :)

Before we go into the main subject, i wanna tell a little bit more about how the anti-cheat is designed.

  • EMAC-Driver-x64.sys - This is the main kernel-mode component, the core functionality is making sure no unauthorized processes reads and manipulate memory of the game, as well as ensuring no unsigned code/images.
  • EMAC-CSGO-x64.dll / EMAC-CS-Client-x64.dll - This is the game component, mainly does some shenanigans in the game engine to make cheating harder. The driver injects this DLL into the game process from kernel mode using NtCreateThreadEx targeting KERNEL32.DLL!LoadLibraryW.
  • EMAC-Client-x86.dll / EMAC-Client-x64.dll - This is the .DLL that get loaded by the GamersClub launcher, it’s used to authenticate the user/machine and communicate back and forth with the other components EMAC-CSGO-x64.dll and EMAC-Driver-x64.sys.

It’s known and publicly stated in the product ToS that they collect machine metadata, take screenshots and actively scans drives/USB devices, among other things, to try detect cheaters.

Key Characteristics

Property Value
Total Functions 931 (145 named with Emac prefix)
Pool Tag EMAC / CAME (0x43414D45)
XOR IAT Key qword_FFFFF801BCFACC40
XOR Opaque Predicate qword_FFFFF801BCFACC38 (generates dead code)
FNV-1a Hash Seed 213573
FNV-1a Multiplier 2438133
Disassembly Engine bitdefender/bddisasm
String Obfuscation JustasMasiulis/xorstr (3 key pairs)
IOCTL Code 0x1996E494 (METHOD_NEITHER, min output 0x180C bytes)
Minifilter Altitude 363570 (FSFilter Activity Monitor)
InfinityHook Markers 0xEAADDEEAADDEADDE / 0xAEADDEEADAEAADDE
Game Process Hashes csgo.exe=0x3105807B, cs2.exe=0x29B90D41

EMAC-Driver-x64.sys

As of the time of writing, we will only talk about the kernel driver, honestly that’s the most interesting part of the anticheat and it’s functionality is mostly unknown, well at least until now :)