    Dwar

    Hackshield Bypass Source

    I dunno which version of HS this bypass is suitable for, but this source appeared recently. Credit: RCD

     // Global that receives the previous page protection from VirtualProtect
     // in MEMwrite below. Nothing synchronises it, so concurrent MEMwrite
     // calls would race on it. (Garbled transcription: type and name are
     // reversed; the cleaned listing later in the thread has `DWORD OldProtection;`.)
     OldProtection DWORD; 
    // Copies `size` bytes from `ptr` over the memory at `adr`: the page is set
    // to PAGE_EXECUTE_READWRITE for the copy and the previous protection is put
    // back afterwards. Neither VirtualProtect result is checked, so memcpy runs
    // even if the protection change failed.
    // This transcription is garbled (return type after the name, parentheses
    // instead of braces); the cleaned listing later in the thread is readable.
    MEMwrite void (void * adr, void * ptr, int size)
    (
    VirtualProtect (adr, size, PAGE_EXECUTE_READWRITE, & OldProtection);
    memcpy (adr, ptr, size);
    VirtualProtect (adr, size, OldProtection, & OldProtection);
    )

    // Stores the 4-byte value `Size2` at `Address` relative to the EhSvc.dll
    // base after making `Size` bytes there executable and writable. The
    // protection is never restored, so the page stays PAGE_EXECUTE_READWRITE.
    // The second store (of `Size`) is commented out in this version; in the
    // cleaned listing later in the thread it is active and overwrites `Size2`.
    void NewDetourhs (long Address, int Size, int Size2)
    (
    // GetModuleHandleA returns NULL when EhSvc.dll is not loaded; that case is
    // not checked, so the write would then target an address relative to 0.
    Long EhSvc = (long) GetModuleHandleA ("EhSvc.dll");
    OldProtect DWORD;
    VirtualProtect ((void *) (EhSvc + Address), Size, PAGE_EX ECUTE_READWRITE, & OldProtect);
    * (DWORD *) (EhSvc + Address) = Size2;
    / / * (Int *) (EhSvc + Address) = Size;
    )


    // Applies the whole patch set to EhSvc.dll in one pass: short byte
    // overwrites through MEMwrite, then a series of NewDetourhs stores. The
    // "/ /" lines are the original author's labels for which check each write
    // is meant to disable. All offsets are hard-coded for one EhSvc.dll build
    // that is not named anywhere in the thread.
    // Every call below changes the protection of a code page of a loaded module
    // and writes to it, which is exactly what module-integrity checks and
    // page-protection monitoring observe. 0x0C62F8 and 0x0CD5F8 are each
    // passed to NewDetourhs twice; the second call is redundant.
    // Transcription note: "EhSvc x0FF28 +0" is a garbling of "EhSvc + 0x0FF28",
    // and the string literals lost their backslashes ("\xB8" became " xB8").
    CopyModules void (void)
    (

    Long EhSvc = (long) GetModuleHandleA ("EhSvc.dll");

    / / Self CRC checks
    MEMwrite ((void *) (EhSvc x0FF28 +0), (void *) (PBYTE) " xB8 x01 x00 x00 x00", 5);

    / / Anti-asm game client scans
    MEMwrite ((void *) (EhSvc x1BC28 +0), (void *) (PBYTE) " x90 x90", 2);

    // Unhook dip & sss 8
    MEMwrite ((void *) (EhSvc x650A5 +0), (void *) (PBYTE) " xEB", 1);
    MEMwrite ((void *) (EhSvc x650CF +0), (void *) (PBYTE) " xEB", 1);

    / / Etc code to check jump
    MEMwrite ((void *) (EhSvc +0 x66931), (void *) (PBYTE) " xEB", 1);
    MEMwrite ((void *) (EhSvc x66B79 +0), (void *) (PBYTE) " xEB", 1);

    / / Anti restore page
    MEMwrite ((void *) (EhSvc x5F80E +0), (void *) (PBYTE) " xEB", 1);
    MEMwrite ((void *) (EhSvc x5F784 +0), (the void *) (PBYTE) " xEB ", 1);

    / / Processscan, play eagle-detect process callbacks, for cheat engine
    MEMwrite ((void *) (EhSvc x54A14 +0), (void *) (PBYTE) " xE9 x7E x0A x00 x00", 5);

    / / Nano-detect objects
    MEMwrite ((void *) (EhSvc x2411B +0), (void *) (PBYTE) " xEB", 1);
    MEMwrite ((void *) (EhSvc +0 x24265), (void *) (PBYTE) " xEB", 1);
    MEMwrite ((void *) (EhSvc x2435F +0), (void *) (PBYTE) " X31", 1);
    MEMwrite ((void *) (EhSvc +0 x22556), (void *) (PBYTE) " X31", 1);
    MEMwrite ((void *) (EhSvc +0 x26171), (void *) (PBYTE) " X31", 1);
    MEMwrite ((void *) (EhSvc +0 x25618), (void *) (PBYTE) " xEB", 1);
    MEMwrite ((void *) (EhSvc x2572C +0), (void *) (PBYTE) " xEB", 1);
    MEMwrite ((void *) (EhSvc x25ADB +0), (void *) (PBYTE) " xEB", 1);

    // Base offset from which the next three relative offsets are derived.
    int EhPtr = 0x0D0F40;
    NewDetourhs ((EhPtr-0x44), 0x8, 4);
    NewDetourhs ((EhPtr-0x40), 0x8, 4);
    NewDetourhs ((EhPtr-0x20), 0x8, 4);

    NewDetourhs (0x0D13F8, 0x8, 4);
    NewDetourhs (0x0CD5F8, 0x8, 4);
    NewDetourhs (0x0C7570, 0x8, 4);
    NewDetourhs (0x0C7754, 0x8, 4);
    NewDetourhs (0x0CED40, 0x8, 4);
    NewDetourhs (0x0C7739, 0x8, 4);
    NewDetourhs (0x0D2E08, 0x8, 4);
    NewDetourhs (0x0C7758, 0x8, 4);
    NewDetourhs (0x0C62F8, 0x8, 4);
    NewDetourhs (0x0C7715, 0x8, 4);
    NewDetourhs (0x0D0F40, 0x8, 4);
    NewDetourhs (0x0C7719, 0x8, 4);
    NewDetourhs (0x0D2E40, 0x8, 4);
    NewDetourhs (0x0C62F8, 0x8, 4);
    NewDetourhs (0x0CD8FC, 0x8, 4);
    NewDetourhs (0x0CD5F8, 0x8, 4);
    NewDetourhs (0x0D3DF1, 0x8, 4);


    )
    // Thread body: polls every 20 ms for EhSvc.dll and calls CopyModules
    // whenever it is loaded. There is no `break`, so the patches are re-applied
    // on every iteration for as long as the thread lives (the cleaned listing
    // later in the thread stops after the first pass).
    void loop (void)
    (
    for (;;)
    (
    Long EhSvc = (long) GetModuleHandleA ("EhSvc.dll");
    if (EhSvc! = 0)
    (
    CopyModules ();
    )
    Sleep (20);
    )
    )


    Then create a function that calls the anti-HS loop:
    // Starts the polling thread. Note the case mismatch: the function above is
    // named `loop`, but the start routine passed here is `Loop`. The returned
    // thread handle is discarded.
    CreateThread (NULL, NULL, (LPTHREAD_START_ROUTINE) Loop, NULL, NULL, NULL);

    After that, compile.
    Please, post your questions on forum, not by PM or mail

    I spend my time, so please pay a little bit of your time to keep the world in equilibrium.

    bumble_be

    Re: Hackshield Bypass Source

    woww greats to RCD from my country INDONESIA

    Daniel

    Re: Hackshield Bypass Source

    Hi Dwar, may I ask you some questions about HackShield?
    I have analysed this game's protection system for a long time. Now I have written a driver to bypass its kernel detection: I change the system debug port and detour the inline hooks on 8 NT core functions, such as KiAttachProcess, and I have bypassed that successfully. But when I attach to the game with OllyDbg, I can't F7 or F8; HS shows a message about "speed ...", and then the process is terminated. Its ring-3 check has afflicted me for a long time.

    So, how can I debug it normally?
    And will you share some of your experience of how to debug it with me? I look forward to your response.
    Thank you very much!

    ----Daniel

    ZeusAFK
    I tested this code and it doesn't work for the current HS.
    Code:
    // dllmain.cpp : Defines the entry point for the DLL application.
    #include "stdafx.h"
    #include <Windows.h>
    #include <stdio.h>
    #include <iostream>
    #include <stdlib.h>
    #include <fstream>
    #include <strsafe.h>
    
    using namespace std;
    
    // Previous page protection saved by MEMwrite; a plain global with no
    // synchronisation, so concurrent MEMwrite calls would race on it.
    DWORD OldProtection; 
    // Declared but never read or written anywhere in this listing.
    DWORD ProcessID;
    
    // Overwrites `size` bytes at `adr` with the bytes at `ptr`. The page is
    // flipped to PAGE_EXECUTE_READWRITE for the copy and the previous
    // protection is restored afterwards. Neither VirtualProtect result is
    // checked, so a failed protection change still leads straight to memcpy.
    void MEMwrite (void *adr, void *ptr, int size) 
    {
    	VirtualProtect (adr, size, PAGE_EXECUTE_READWRITE, & OldProtection); 
    	memcpy (adr, ptr, size); 
    	VirtualProtect (adr, size, OldProtection, & OldProtection); 
    } 
    
    // Stores into ehsvc.dll at `Address` (relative to the module base) after
    // making `Size` bytes there PAGE_EXECUTE_READWRITE. The protection is never
    // restored. Both stores hit the same address: the `int` store of `Size`
    // immediately overwrites the DWORD `Size2` written on the previous line
    // (in the earlier transcription above that second store was commented out).
    void NewDetourhs (long Address, int Size, int Size2) 
    {
    	// NULL when ehsvc.dll is not loaded; not checked. Casting the HMODULE to
    	// a 32-bit DWORD only round-trips in a 32-bit build.
    	DWORD EhSvc = (DWORD)GetModuleHandle("ehsvc.dll"); 
    	DWORD OldProtect; 
    	VirtualProtect ((void *) (EhSvc + Address), Size, PAGE_EXECUTE_READWRITE, & OldProtect); 
    	*(DWORD*)(EhSvc + Address) = Size2; 
    	*(int*)(EhSvc + Address) = Size;
    }
    
    // Applies every patch in one pass: short byte overwrites through MEMwrite,
    // then the NewDetourhs stores. The section comments are the original
    // author's labels for which ehsvc.dll check each write is meant to disable.
    // All offsets are hard-coded for one ehsvc.dll build that is not named in
    // the thread; the poster of this listing reports it no longer works on the
    // current version. Every call here toggles the protection of a code page of
    // a loaded module and writes to it, which is what module-integrity checks
    // and page-protection monitoring observe. 0x0C62F8 and 0x0CD5F8 are each
    // passed to NewDetourhs twice; the second call is redundant.
    void CopyModules(void) 
    {
    	// NULL if ehsvc.dll is not loaded; callers check that, this function does not.
    	DWORD EhSvc = (DWORD)GetModuleHandle("ehsvc.dll"); 
    	// Self CRC checks 
    	MEMwrite ((void*)(EhSvc + 0x0FF28), (void *) (PBYTE) "\xB8\x01\x00\x00\x00", 5); 
    	
    	// Anti-asm game client scans 
    	MEMwrite ((void*)(EhSvc + 0x1BC28), (void *) (PBYTE) "\x90\x90", 2);
    
    	// Unhook dip & sss 8 
    	MEMwrite ((void*)(EhSvc + 0x650A5), (void *) (PBYTE) "\xEB", 1);
    	MEMwrite ((void*)(EhSvc + 0x650CF), (void *) (PBYTE) "\xEB", 1);
    
    	// Etc code to check jump 
    	MEMwrite ((void*)(EhSvc + 0x66931), (void *) (PBYTE) "\xEB", 1);
    	MEMwrite ((void*)(EhSvc + 0x66B79), (void *) (PBYTE) "\xEB", 1);
    
    	// Anti restore page 
    	MEMwrite ((void*)(EhSvc + 0x5F80E), (void *) (PBYTE) "\xEB", 1);
    	// Literal is "\xEB " (two bytes) but only 1 byte is copied.
    	MEMwrite ((void*)(EhSvc + 0x5F784), (void *) (PBYTE) "\xEB ", 1);
    
    	// Processscan, play eagle-detect process callbacks, for cheat engine 
    	MEMwrite ((void*)(EhSvc + 0x54A14), (void *) (PBYTE) "\xE9\x7E\x0A\x00\x00", 5);
    
    	// Nano-detect objects 
    	MEMwrite ((void*)(EhSvc + 0x2411B), (void *) (PBYTE) "\xEB", 1);
    	MEMwrite ((void*)(EhSvc + 0x24265), (void *) (PBYTE) "\xEB", 1);
    	MEMwrite ((void*)(EhSvc + 0x2435F), (void *) (PBYTE) "\X31", 1);
    	MEMwrite ((void*)(EhSvc + 0x22556), (void *) (PBYTE) "\X31", 1);
    	MEMwrite ((void*)(EhSvc + 0x26171), (void *) (PBYTE) "\X31", 1);
    	MEMwrite ((void*)(EhSvc + 0x25618), (void *) (PBYTE) "\xEB", 1);
    	MEMwrite ((void*)(EhSvc + 0x2572C), (void *) (PBYTE) "\xEB", 1);
    	MEMwrite ((void*)(EhSvc + 0x25ADB), (void *) (PBYTE) "\xEB", 1);
    
    	// Base offset from which the next three relative offsets are derived.
    	int EhPtr = 0x0D0F40; 
    
    	NewDetourhs ((EhPtr-0x44), 0x8, 4);
    	NewDetourhs ((EhPtr-0x40), 0x8, 4);
    	NewDetourhs ((EhPtr-0x20), 0x8, 4);
    	NewDetourhs (0x0D13F8, 0x8, 4);
    	NewDetourhs (0x0CD5F8, 0x8, 4);
    	NewDetourhs (0x0C7570, 0x8, 4);
    	NewDetourhs (0x0C7754, 0x8, 4);
    	NewDetourhs (0x0CED40, 0x8, 4);
    	NewDetourhs (0x0C7739, 0x8, 4);
    	NewDetourhs (0x0D2E08, 0x8, 4);
    	NewDetourhs (0x0C7758, 0x8, 4);
    	NewDetourhs (0x0C62F8, 0x8, 4);
    	NewDetourhs (0x0C7715, 0x8, 4);
    	NewDetourhs (0x0D0F40, 0x8, 4);
    	NewDetourhs (0x0C7719, 0x8, 4);
    	NewDetourhs (0x0D2E40, 0x8, 4);
    	NewDetourhs (0x0C62F8, 0x8, 4);
    	NewDetourhs (0x0CD8FC, 0x8, 4);
    	NewDetourhs (0x0CD5F8, 0x8, 4);
    	NewDetourhs (0x0D3DF1, 0x8, 4);
    }
    
    // Thread entry: polls every 20 ms until ehsvc.dll is present in the
    // process, runs CopyModules once, and leaves the loop via `break`.
    void HackShield_Bypass(void) 
    {
    	while(1) 
    	{
    		DWORD EhSvc = (DWORD)GetModuleHandle("ehsvc.dll"); 
    		if (EhSvc) 
    		{ 
    			CopyModules(); 
    			break;
    		}
    		Sleep(20); 
    	} 
    } 
    
    // DLL entry point. On process attach it opens a console, redirects stdout
    // to it and spawns the patch thread; the other reasons do nothing.
    // DLL_PROCESS_ATTACH has no `break`, so control falls through into the
    // cases below (harmless, since they only break). The thread handle returned
    // by CreateThread is discarded and never closed.
    BOOL APIENTRY DllMain( HMODULE hModule, DWORD  ul_reason_for_call, LPVOID lpReserved)
    {
    	switch (ul_reason_for_call)
    	{
    	case DLL_PROCESS_ATTACH:
    		AllocConsole();
    		// Attaches to this process's own console id, not a parent's.
    		AttachConsole(GetCurrentProcessId());
    		freopen("CON","w",stdout);
    		CreateThread(0, 0, (LPTHREAD_START_ROUTINE)HackShield_Bypass, 0, 0, 0);
    	case DLL_THREAD_ATTACH:
    	case DLL_THREAD_DETACH:
    	case DLL_PROCESS_DETACH:
    		break;
    	}
    	return TRUE;
    }
