Introduction
Driver loading "Method Five" is for advanced users who are comfortable modifying their BIOS, have a decent amount of patience, and want Speeder to work under VBS/HVCI. Method Five is also notable for not requiring a kernel driver, which can reduce potential detection vectors. It is also highly efficient as all reading/writing can be done entirely in usermode.
One major downside to Method Five is that it does not work with kernel input. For Speeders that require kernel input for some of their features (e.g., aimbotting), you should consider a different method unless you don't care about such features.
At some point during the setup, it is possible you will be unable to boot into Windows, but it is (usually) easy to recover from this, so don't panic. It's important to follow the steps in order and to read carefully.
Explanation
Method Five uses an EFI bootkit to disable signature enforcement for ntoskrnl.exe. Because bootkits load before ntoskrnl.exe, and ntoskrnl.exe loads before HVCI, this effectively allows you to patch the kernel and circumvent HVCI (as well as PatchGuard).
EFI bootkits are actually quite easy to install without Secure Boot. Once you install them as a boot option, they will simply load at boot every time without issue. However, as many games nowadays require Secure Boot, you will need to install the bootkit's certificate into your Secure Boot keys so that the bootkit will load with Secure Boot on. This isn't too challenging as the certificate will already be provided to you, and you simply have to tell the BIOS where it is. Once you install the certificate, you will be able to load the bootkit with Secure Boot enabled.
So far, the setup does not pose any risks. If you fail to set up the bootkit correctly, your computer will simply ignore it and continue to boot into Windows. However, the next part can prevent Windows from booting if something goes wrong.
The next and final step is to patch ntoskrnl.exe. This involves changing the security settings for the file so you can modify it and then clicking "Patch Ntoskrnl" in Launcher. Launcher will create a backup for you so if there is an issue at startup, you can use Windows Command Line to restore the original kernel.
Setup Guide
Installing EFI Bootkit
- 1) Run Launcher. Click on Download Files. Click "Download Bootkit Files." Click OK. If possible, I recommend saving everything on a FAT32-formatted USB drive so you can unplug it and prevent anticheats from ever scanning the bootkit, but I did spend a good amount of time obfuscating and randomizing everyone's bootkit, so if you have to use a regular drive (e.g., C:\), that should be fine.
- 2) One of the downloaded files is BOOTICEx64.exe. Run this. Click on the UEFI tab. Click "Edit boot entries." At the bottom of the new window, click Add. Navigate to one of the other downloaded files, bootx64.efi. (You may rename this to anything you wish if you want your bootkit to have a different name.) Click on bootx64.efi or whatever you renamed it. Click Open. Where it says "Menu title," write in whatever name you want to remember your bootkit by, but also try to make it look legit (e.g., ACER, ASUS, MSI, etc.). Click "Save current boot entry." Click the "Up" button until your bootkit is at the top of the boot list. Click "Save current boot entry" again. Exit the program.
- If you need to remove the bootkit, just click the "Del" button instead of "Add."
- 3) That's it! Sort of. If you have a cooperative desktop computer, and Secure Boot is OFF, your bootkit should now load. However, as was the case with my laptop, many computers are locked down, and you have to manually enforce the boot order at least once. We also need to install the Secure Boot keys, but we will do this once we know the bootkit is loading properly.
- 4) Click on the Windows start menu. Click on the power button. Hold down shift and click Restart. When your computer restarts, you will be met with a blue Windows screen. Click Troubleshoot. Click "Advanced options." Click "UEFI Firmware Settings." Click Restart. Your computer will now boot into your BIOS.
- 5) Here is where things get harder. Everybody has different motherboards and has different BIOSs. Therefore, I cannot tell you exactly what to click on at this point. What you want to do is find an option for Secure Boot somewhere in the BIOS settings. It is usually located under a tab like "SECURITY." The Secure Boot setting itself is usually very simple. It is either Enabled or Disabled. For now, disable it so we can test the bootkit before installing the Secure Boot keys. We want to ensure that it loads properly without Secure Boot so that if there are issues later, we know the problem is not with the bootkit.
- 6) Once you have disabled Secure Boot, SAVE your settings and restart. Now, if you have a cooperative desktop computer, the bootkit should load. You will see "SPEEDER-ELYSIUM HAS SUCCESSFULLY LOADED" printed five times on your screen during the boot process. However, if you have a locked down laptop like me, you will need to figure out the key to press that allows you to choose the boot order when your laptop first boots. For me, with an MSI laptop, the key was F11. As soon as your laptop turns on, spam the correct key, and a box will pop up, allowing you to choose the boot order. Choose the name of your bootkit you used in step 2. Now, the bootkit should load on your laptop. To figure out what key to press to choose the boot order, ask Google or an AI.
- Another solution to the laptop lockdown is to use BOOTICE again. Click on the Windows Boot Manager. Uncheck the "Active" checkbox. Click "Save current boot entry." (Don't worry. Windows will still boot.) Again, make sure your bootkit is at the top of the list. Close BOOTICE and restart.
- 7) Now that the bootkit is loading properly, the next step is to install its certificate into your Secure Boot keys so you can turn Secure Boot back on. If you don't care about Secure Boot (many games still don't enforce it), you can skip the "Secure Boot" section.
Installing Secure Boot Keys
Installing your bootkit's certificate into your Secure Boot keys allows your bootkit to load with Secure Boot enabled. If you don't care about this, you can skip this section.
- 1) One of the files you downloaded from the first section is "cert.der." This is the certificate we need to install into your Secure Boot keys. Place it somewhere easily accessible (on the FAT32 USB drive is fine, or somewhere like C:\) and remember its location. Boot back into the BIOS the same way we did in step 4 in the previous section.
- 2) Look for something related to Secure Boot keys. On both my ASUS desktop and MSI laptop, this is under the "BOOT" tab. You may have to press a special key to enter "Advance mode" for this. Click on Secure Boot here, and if you have a cooperative desktop computer, you should see four categories of keys. If you have a locked-down MSI laptop like me, you will need to first press a special key combination before it will allow you to modify your Secure Boot keys. For my MSI laptop, this was ALT + RIGHT CTRL + SHIFT + F2. So, yeah, don't panic if you can't see the keys. Your computer is probably just locked down, and you'll need to figure out how to unlock it (Google or AI).
- 3) The only two key categories we need are KEK and DB. Click on KEK first. Click Append Key. Click "No" to load from external media. Locate cert.der wherever you put it. Click OK. The file format should be "Public Key Certificate." Click OK. If it asks for a GUID, just click whatever one it gives you and click OK. Now, do the same exact thing for the DB key.
- 4) You're all set! You can now enable Secure Boot, and the bootkit should load fine. Remember to spam the key to force the boot order if you have a finicky laptop like mine.
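Seen from the defending side, the enrollment described in this section leaves extra certificates in the KEK and db variables. The PowerShell below is an added example, not part of the original guide or its tooling: it parses both variables as EFI signature lists and lists every X.509 certificate, flagging subjects that do not match `$ExpectedSubjects`, which is an assumed allowlist to adjust per fleet.

```powershell
# Added example: audit certificates enrolled in the Secure Boot KEK and db.
# Run from an elevated PowerShell session on a UEFI system.

# Assumption: subject substrings expected on this fleet; add OEM entries as needed.
# Subjects can be imitated, so compare thumbprints to a known-good baseline too.
$ExpectedSubjects = @('O=Microsoft Corporation')

# EFI_CERT_X509_GUID: signature lists of this type hold DER certificates.
$X509Type = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-EfiSignatureListCert {
    param([byte[]]$Bytes)
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        # EFI_SIGNATURE_LIST header: type GUID, list size, header size, entry size.
        $type       = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToInt32($Bytes, $offset + 16)
        $headerSize = [BitConverter]::ToInt32($Bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $offset + $listSize -gt $Bytes.Length) { break }
        if ($type -eq $X509Type -and $sigSize -gt 16 -and $headerSize -ge 0) {
            $pos = $offset + 28 + $headerSize
            while ($pos + $sigSize -le $offset + $listSize) {
                # Each entry: 16-byte owner GUID, then the certificate itself.
                $der = [byte[]]$Bytes[($pos + 16)..($pos + $sigSize - 1)]
                [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
}

foreach ($name in 'KEK', 'db') {
    $raw = (Get-SecureBootUEFI -Name $name).Bytes
    foreach ($cert in Get-EfiSignatureListCert -Bytes $raw) {
        $match = $ExpectedSubjects | Where-Object { $cert.Subject -like "*$_*" }
        [pscustomobject]@{
            Variable   = $name
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Expected   = [bool]$match
        }
    }
}
```

Any row with `Expected = False` is a certificate to trace back to an OEM, an enterprise enrollment, or an unexplained change.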
Patching Ntoskrnl
Note that once you patch ntoskrnl.exe, your computer will not boot without the bootkit, so be sure the bootkit is loading correctly. It is possible to restore the original ntoskrnl.exe if something goes wrong, however.
The next and final step is to patch ntoskrnl.exe. Ntoskrnl.exe is always located in your system directory at \Windows\System32\ntoskrnl.exe. Find the file → right click it → click "Properties." Click the "Security" tab → click the "Advanced" button. Where it says "Owner: TrustedInstaller," click "Change." Click the "Advanced" button. Click the "Find Now" button. Find the user account you are currently logged into or just use "Administrators" near the top. (This will change ownership to you so you can modify the security settings.) Click OK. Click OK again. Click Apply. Now, under "Group or user names," click on "Administrators." Click Edit. Click "Administrators" again. Click the checkbox for "Full control." Click Apply. Click OK. You can now modify the ntoskrnl.exe file.
Run Launcher → click Method Five → click Patch Ntoskrnl. Choose an easily accessible folder/drive to store the original/backup ntoskrnl.exe. If your system folder is at C:\Windows\System32, I recommend storing the original ntoskrnl.exe at C:\. This will make it easier to recover the file if there is a problem. You can also store it on a USB drive if you are running your bootkit from a USB drive.
Assuming there are no errors, you can now restart, and your computer will load the patched ntoskrnl.exe. At this point, you are ready to begin using Speeder. Because there is no kernel driver to load, you do not need to load your driver before running Speeder. Simply open Launcher and click Run Speeder.
If Launcher sees that the ntoskrnl.exe in your system folder is patched/untrusted, it will offer to restore the original ntoskrnl.exe. This is highly recommended so anticheats do not see the patched file.
If your config.txt is not set to use Method Five, Launcher will offer to do this for you. This is necessary, or Speeder will attempt to use your kernel driver instead, which will, of course, not work.
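The patching step in this section leaves three things a defender can check on the kernel image: a failed signature, an owner other than TrustedInstaller, and write access for another principal. The PowerShell below is an added example, not part of the original guide or its tooling; the function name `Test-KernelImageIntegrity` is hypothetical.

```powershell
# Added example: check ntoskrnl.exe for the traces of the patching step.
function Test-KernelImageIntegrity {
    param([string]$Path = "$env:SystemRoot\System32\ntoskrnl.exe")
    $trusted  = 'NT SERVICE\TrustedInstaller'
    $findings = @()

    # 1. A modified image fails Authenticode verification (e.g. HashMismatch).
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { $findings += "Signature status: $($sig.Status)" }

    # 2. The guide changes the owner away from TrustedInstaller.
    $acl = Get-Acl -Path $Path
    if ($acl.Owner -ne $trusted) { $findings += "Owner: $($acl.Owner)" }

    # 3. The guide grants Administrators "Full control"; flag any allow rule
    #    that gives a principal other than TrustedInstaller write-capable rights.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    foreach ($rule in $acl.Access) {
        $who = $rule.IdentityReference.Value
        $canWrite = ([int]$rule.FileSystemRights -band $writeMask) -ne 0
        if ($rule.AccessControlType -eq 'Allow' -and $who -ne $trusted -and $canWrite) {
            $findings += "Write-capable ACE for ${who}: $($rule.FileSystemRights)"
        }
    }

    [pscustomobject]@{
        Path       = $Path
        Suspicious = ($findings.Count -gt 0)
        Findings   = $findings
    }
}

Test-KernelImageIntegrity | Format-List
```

Because Launcher can restore the original file after boot, as described above, a valid signature on disk is not conclusive on its own; the owner and ACL checks do not depend on the file contents.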
Problems
Windows Will Not Boot (Automatic Repair)
If you have patched ntoskrnl.exe and find yourself stuck at Windows' automatic repair, it's usually because the bootkit did not run at boot. You have a few options to resolve this.
- 1) The simplest solution is to get your bootkit to run at boot as it should be. If you are on a laptop, be sure you are pressing the key that allows you to choose boot order when the laptop first restarts. In the Windows repair menu, you can also choose Troubleshoot → Advanced Options → UEFI Firmware Settings → Restart. In your BIOS settings, ensure the boot order has your bootkit listed at the top. The boot order is usually listed in the main menu or under the "BOOT" tab.
- 2) If you really can't get your bootkit to run for some reason, in the Windows repair menu, choose Troubleshoot → Advanced Options → Command Prompt. Assuming you stored the backup of the original ntoskrnl.exe at C:\, type
copy c:\ntoskrnl.exe c:\windows\system32\ntoskrnl.exe
and press enter. When it asks if you want to overwrite, type Yes and press enter. If it cannot find the file, try a different drive letter until it works (e.g., copy d:\ntoskrnl.exe d:\windows\system32\ntoskrnl.exe). On my laptop, even though my system folder is at c:\windows\system32, I have to use d:\ for whatever reason (maybe due to RAID), so don't panic if the drive letter isn't working. Also, if you placed the original ntoskrnl.exe on a USB drive, you will need to use the drive letter for the USB drive (e.g., copy d:\ntoskrnl.exe c:\windows\system32\ntoskrnl.exe). All you are doing is overwriting the patched ntoskrnl.exe with the original. Once you have done this, restart your computer, and it will boot fine.
Computer Freezes During Boot
I have not encountered this, but if there is a problem with the bootkit, the computer will freeze. This is easy to resolve if you placed your bootkit on a FAT32 USB drive. Simply unplug it. However, if your bootkit is located on your main drive, you will need to enter the BIOS and place the Windows Boot Manager above your bootkit in the boot order (usually located in the main menu or under the "BOOT" tab). This will skip your bootkit and allow the computer to boot normally. Let me know if you encounter this issue as I may need to update the bootkit to support your Windows version.