  1. #1
    Dwar

    HackShield memory protection bypass

    Driver to bypass Hackshield memory protection
    with source code

    HackShield memory protection works by hooking some functions in kernel space. EagleNT.sys checks all parameters passed to the hooked functions and then blocks or allows the operation. When the HS memory unprotector driver is loaded, you can use OpenProcess, WriteProcessMemory and ReadProcessMemory as normal.

    How does memory protection work?
    HackShield replaces three functions (NtReadVirtualMemory, NtWriteVirtualMemory and NtOpenProcess) to protect game memory.

    Hackshield01.PNG
    How to bypass memory protection?
    It's easy. We should take a look at the NtWriteVirtualMemory function.

    Hackshield02.PNG
    As we can see, they place a 'call' to an EagleNT.sys function (call 0xA4A5C800).
    Just go to this function (0xA4A5C800).

    Hackshield03.PNG
    As we can see, they use the ZwQueryInformationProcess function to translate a HANDLE to a process id (bad idea btw.). We can hook ZwQueryInformationProcess, and if EagleNT.sys is calling it, we can return 0 (or a fake number) as the process id. That's all!

    Next we should hook NtOpenProcess with a small re-implementation of this function.

    This material is for EDUCATIONAL PURPOSES only!
    Author: Chris (aka kill1212)


    Please, post your questions on forum, not by PM or mail

    I spend my time, so please pay a little bit of your time to keep world in equilibrium

  2. The Following 5 Users Say Thank You to Dwar For This Useful Post:
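
The redirection described in post #1 (a `call` inside a kernel function whose target lies in EagleNT.sys) is what a hook scanner reports when it attributes branch targets to loaded images. The following is an added example, not code from the post or its attachment: the module bases and sizes, the function address and the code bytes are constructed sample values, and only the call target 0xA4A5C800 comes from the post. It assumes 32-bit x86 code and a little-endian host.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed module map (sample bases and sizes, not taken from the post). */
struct module { const char *name; uint32_t base, size; };
static const struct module MODULES[] = {
    { "ntoskrnl.exe", 0x804D7000u, 0x00214000u },
    { "EagleNT.sys",  0xA4A58000u, 0x00010000u },
};
/* Constructed bytes of a function at FUNC_VA: one copy with an in-module
   call, one with a call to 0xA4A5C800 (the target quoted in the post). */
#define FUNC_VA 0x805A0000u
static const uint8_t CLEAN[]  = {0x8B,0xFF,0x55,0x8B,0xEC,0x51,0x51,0xE8,0xF4,0xFF,0x00,0x00,0x85,0xC0,0xC3};
static const uint8_t HOOKED[] = {0x8B,0xFF,0x55,0x8B,0xEC,0x51,0x51,0xE8,0xF4,0xC7,0x4B,0x24,0x85,0xC0,0xC3};

/* Name of the image containing addr, or NULL if no listed image does. */
const char *owner_of(uint32_t addr) {
    for (size_t i = 0; i < sizeof MODULES / sizeof MODULES[0]; i++)
        if (addr - MODULES[i].base < MODULES[i].size)  /* wraps if addr < base */
            return MODULES[i].name;
    return NULL;
}

/* Heuristic triage, not a disassembler: find an E8/E9 rel32 whose target lies in a
   known image other than the function's own. Returns its offset, or -1 if none. */
int find_foreign_branch(const uint8_t *code, size_t len, uint32_t va,
                        const char **owner, uint32_t *target) {
    const char *home = owner_of(va);
    for (size_t off = 0; off + 5 <= len; off++) {
        if (code[off] != 0xE8 && code[off] != 0xE9) continue;
        uint32_t rel;
        memcpy(&rel, code + off + 1, sizeof rel);      /* little-endian host assumed */
        uint32_t dst = va + (uint32_t)off + 5u + rel;  /* next instruction + rel32 */
        const char *mod = owner_of(dst);
        if (mod == NULL) continue;                     /* likely not a real branch */
        if (mod != home) { *owner = mod; *target = dst; return (int)off; }
        off += 4;                                      /* skip the rel32 operand */
    }
    return -1;
}

int main(void) {
    const char *who = NULL; uint32_t dst = 0;
    int off = find_foreign_branch(HOOKED, sizeof HOOKED, FUNC_VA, &who, &dst);
    if (off >= 0) printf("+%d -> 0x%08X in %s\n", off, (unsigned)dst, who);
    return 0;
}
```

A byte scan like this can misread operand bytes as opcodes; a production scanner decodes instructions properly and compares the in-memory code against the on-disk image.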


  3. #2
    ADACH

    Re: HackShield memory protection bypass

    Interesting implementation.
    I went a different way: emulating the kernel functions OpenProcess, ReadProcessMemory, etc...
    Send e-mail by ZyXEL

  4. #3
    slimj81

    Re: HackShield memory protection bypass

    Great information. I always wanted to know how F2P game security works. This info helps me understand a bit, but I am still a little confused on this stuff, but I am here reading every goddamn thing I can maybe understand.

  5. #4
    mendoz

    Re: HackShield memory protection bypass

    Sorry, I've got the address but I can't edit it (with MHS), and if I use CE I can't find the address
    and it's just stuck at 7FFFFFFF (not FFFFFFFF). I have changed the search mode in CE from 7FFFFFFF to FFFFFFFF and I still can't find it.

  6. #5
    SaptaAgunk
    there is an address that values can not be replaced
    and if it changed then the application or game will crash or terminate

    so ... how to value that we can change without a crash in a game or application is done by hackshield?

  7. #6
    XxN30xX
    How do I use this? Please help me.

  8. #7
    falc0n
    Nice idea.

  9. #8
    nProtect
    What is the name of the program you use in the picture?

  10. #9
    beBoss
    HookShark
    Life is like the playing field: either you become strong, block, take down and survive,
    or you give up, fall and leave!


    beBoss™

  11. #10
    nProtect
    thanks

    but I got a BSOD when trying to unload the driver
    DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS
