  #1 Dwar

    HackShield Analysis

    HackShield overview

    AhnLab HackShield For Online Game has numerous industry leading security features like Executable File Encryption, but lacks the 'hardware' banning system of industry rival PunkBuster. HackShield runs as a rootkit and installs its device driver when the game utilizing HackShield is installed. On later operating systems such as Windows 7, it blocks the use of compatibility mode and other features as part of anti-cheat detection.

    • Detect and terminate running hacking tools
    • Prevent packets modification
    • Memory modification prevention, anti-hooking, anti auto mouse/clicks etc.


    Real-time decryption of the executable program
    HackShield provides real-time decryption of the encrypted program. It loads the encrypted executable file directly into memory and decrypts it there.

    Linked server to prevent hacking
    HackShield is sensitive to operating conditions. The game client may "ask" the server a special question, and if the incorrect answer comes out, the protected program will be terminated.

    Signature based detection of hacking tools
    HackShield uses anti-virus technology for blocking known hacking tools or possible hacking tools, or just any other app that looks like hacking tools.

    Memory modification and auto mouse/click tools
    HackShield prevents any memory manipulation and can block auto-click utilities, even if they are only the additional buttons and scripts that come with some mice.
    HackShield blocks the access at the kernel level.




    Block hooking and messages sending

    Checksum checking

    Preventing speed hack
    Calculating time differences between client and server clock

    Debugging block

    Data encryption

    Signature base updating



    Hack Shield Components

    Hack Shield consists of:
    EhSvc.dll
    • EhSvc is the Hack Shield interface dll
    • It communicates between the game client and Hack Shield
    • It communicates with the Hack Shield driver (EagleNT.sys)
    • It initiates the hack tool detection engine
    • This is usually the only file needed to create a workable bypass

    V3Pro32s.dll
    • This is the hacking tool detection interface dll
    • This starts the hacking tool detection engine
    • This helps the scanning of known hack signatures
    • A very important file. This could interrupt the Hack Shield driver if correctly intercepted

    "Function list"


    3N.mhe
    • The Heuristic engine file
    • Contains the patterns used to search for known hacks

    psapi.dll
    Process Status API
    The process status application programming interface (PSAPI) is a helper library that makes it easier for you to obtain information about processes and device drivers.
    The process status API (PSAPI) provides sets of functions for retrieving the following information:
    • Process Information
    • Module Information
    • Device Driver Information
    • Process Memory Usage Information
    • Working Set Information
    • Memory-Mapped File Information

    The following topics list the PSAPI functions and structures:

    "Function list"


    V3Warp(d)(n)s.v3d
    • The anti-hacking engine pattern file
    • Not too sure exactly what this does, but it reads the 3N.mhe file

    EagleNT.sys
    • The Hack Shield kernel driver
    • Performs anti-hacking functions, protects the game client's process, and hooks certain APIs, rendering them useless
    • If successfully uninitiated, it could enable the use of many APIs and functions such as Read/WriteProcessMemory.


    2. Hack Shield Flow

    Here is a graphical chart explaining how all the components work together:

    Here is a graphical chart explaining how Hack Shield is started:

    3. Bypassing Theory

    So, we got some nice information about Hack Shield. How do we bypass it? I will tell you right now, I'm going to show you some very unconventional and new ideas. Say goodbye to your petty API and ASM bypasses, and say hello to your new best friend: detouring. Before we continue, you should have a strong foundation in detouring. If you don't, I recommend watching this.

    So what functions do we detour? In reality, you are going to be detouring CallBack. The CallBack function in Hack Shield collects data from the Hack Shield service. The data is usually errors or "Hack Detected" type messages. The goal of course is to stop it from getting the Hack Detected messages, or stop it from alerting the game client that there is a "Hack Detected" message. The first goal is to find the actual name of the function. The next step is to rebuild the params of the function. The next step is to find the address of this function. Then finally you detour it. Here is my example (not working probably):
    Code:
     ////// Declares //////
     #include <windows.h>
     #include <detours.h>   // Microsoft Detours 1.x API, which provides DetourFunction()

     #define CallBackAddy 0x0000001   // placeholder: offset of the callback inside EhSvc.dll
     // the name of the function actually is PFN_AhnEH_Callback
     typedef int (*PFN_AhnEH_Callback)(long lCode, long lParamSize, void* pParam);
     PFN_AhnEH_Callback pAhnEH_Callback;   // trampoline to the original function, filled in by the detour
     DWORD YOUR_CODE_TO_PASS = 0;          // placeholder: the code you want the callback to receive
     PBYTE Ehsvc = NULL;                   // placeholder: base address of EhSvc.dll once it is loaded
     //////

     ////// Our new function //////
     // same signature as the callback so the stack stays consistent; lCode is replaced with our own
     int _CallBackThread(long lCode, long lParamSize, void* pParam)
     {
     	DWORD dwCode = YOUR_CODE_TO_PASS;
     	int myReturn = pAhnEH_Callback(dwCode, 0, NULL);   // call the original through the trampoline
     	return myReturn;
     }
     //////

     ////// Our Detour //////
     void InstallDetour()
     {
     	// pass the address of _CallBackThread, not the result of calling it
     	pAhnEH_Callback = (PFN_AhnEH_Callback)DetourFunction((PBYTE)(Ehsvc + CallBackAddy), (PBYTE)_CallBackThread);
     }
     //////
    This is just pseudo code, but hopefully you get the idea. The hard part is finding the address of the function. There are some function addresses included for Combat Arms, but that's just Combat Arms. I have my way of getting it, but I'm leaving it up to you to figure out how to get the address. I don't want to completely hand feed you a working bypass. There are a couple ways to get it.
    Credits: Dwar; part 2-3 of this tutorial was written by Th4natoS (ThaNatoS)
    Please, post your questions on forum, not by PM or mail

    I spend my time, so please pay a little bit of your time to keep world in equilibrium
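    As an added defensive illustration, not part of Dwar's post or of HackShield's own code: the detour described above works by overwriting the first bytes of the callback with a jump, and the "block hooking" and "checksum checking" features in the overview can catch exactly that by inspecting a function's entry bytes and comparing them against a reference copy. The prologues below are constructed x86 samples, not bytes taken from EhSvc.dll.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* What sits at a function's entry point. */
enum hook_kind { HOOK_NONE = 0, HOOK_JMP_REL32, HOOK_JMP_ABS, HOOK_PUSH_RET, HOOK_JMP_SHORT };

/* Look at the first bytes of a function for the redirect patterns a detour
 * library writes on x86/x64. Returns the pattern found, HOOK_NONE otherwise. */
enum hook_kind classify_prologue(const uint8_t *code, size_t len)
{
    if (len >= 5 && code[0] == 0xE9)                      /* jmp rel32            */
        return HOOK_JMP_REL32;
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25)   /* jmp [abs] / [rip+x]  */
        return HOOK_JMP_ABS;
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3)   /* push imm32 ; ret     */
        return HOOK_PUSH_RET;
    if (len >= 2 && code[0] == 0xEB)                      /* jmp rel8 (hot-patch) */
        return HOOK_JMP_SHORT;
    return HOOK_NONE;
}

/* Stronger check: compare the live prologue with a reference copy saved at
 * load time (or read from the on-disk image). Returns the index of the first
 * differing byte, or -1 when the prologue is intact. */
int prologue_diff(const uint8_t *reference, const uint8_t *live, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (reference[i] != live[i]) return (int)i;
    return -1;
}

/* Constructed samples: a typical MSVC prologue (push ebp; mov ebp,esp; sub esp,10h; push ebx; push esi),
 * the same function after a 5-byte jmp detour was written over it, and a push/ret redirect. */
static const uint8_t clean[8]   = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x53, 0x56 };
static const uint8_t hooked[8]  = { 0xE9, 0x78, 0x56, 0x34, 0x12, 0x10, 0x53, 0x56 };
static const uint8_t pushret[6] = { 0x68, 0x00, 0x10, 0x40, 0x00, 0xC3 };

int main(void)
{
    printf("clean:   kind=%d diff=%d\n", classify_prologue(clean, 8),  prologue_diff(clean, clean, 8));
    printf("hooked:  kind=%d diff=%d\n", classify_prologue(hooked, 8), prologue_diff(clean, hooked, 8));
    printf("pushret: kind=%d\n",         classify_prologue(pushret, 6));
    return 0;
}
```

    The pattern check alone can misfire on functions that legitimately begin with a jump (thunks, tail calls); the comparison against a reference copy is the reliable signal, and a checksum over the whole code section is the same idea applied to every function at once.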

  #2 Daniel

    Re: HackShield Analysis

    Good job, but I can't see the image.

    And how do I debug it? When I attach with OllyDbg, the computer resets -_-!

  #3 Noblesse
    I'm very interested in writing my own bypass for hackshield, but there is a problem.
    I never wrote my own DLL, I've done some basic programs we made in school in Dev-C++ and atm I'm doing stuff in C# (like calculators, SQL stuff, etc).
    I'm really interested in your bypass theory, it sounds like a permanent bypass to me (oh well, nothing is permanent, but this one can hold on much longer).
    I know that it COULD be easier to unpack the gameclient and remove the "a hack found" message in the client (wondering if this is still possible, I read that somewhere, anyway), but yeah.

    I would be really happy if you could explain it a little bit more, your bypass theory.
    Thanks in advance


    -Noblesse

  #4 Dwar
    Noblesse
    Bypassing HS isn't the easiest thing (if you are talking about "I want to run this game with HS in the background, but with the possibility to use game memory etc."), because this protection uses a driver and you would have to operate in ring0.
    A more suitable way is to wipe out HS from the game client (prevent loading etc.) and make an emulator, because HS has feedback with the server (you need a packet emulator).
    "a hack found" message in the client
    This message comes from HS, not from the client.

  #5 SaptaAgunk
    So, if Hack Shield updates every day, how do you bypass it?

    Thanks before

  #6 Dwar
    Quote Originally Posted by SaptaAgunk View Post
    if Hack Shield Update every day
    It can't be true. They can update the "forbidden" app patterns daily, but not the engine or the execution algorithm inside the chosen client.

  #7 SaptaAgunk
    Quote Originally Posted by Dwar View Post
    It can't be true. They can update the "forbidden" app patterns daily, but not the engine or the execution algorithm inside the chosen client.
    ?
    Why is it not possible?
    In my country HackShield is even updated every day by the game master,
    because every day some cheaters also update their cheats.

    so .. :
    - The Game Master>> Updating HackShield>> For the cheat detection
    - The Cheater>> Updating Cheat>> For the avoidance of detection (Undetect)

    So the battle is between the cheaters and the game master ^_^

    Sorry if I'm wrong,
    I am a newbie and need guidance.

    Thanks ...

  #8 Dwar
    Quote Originally Posted by SaptaAgunk View Post
    The Game Master>> Updating HackShield>> For the cheat detection
    Yeah, as I was saying, they update the "forbidden" app patterns daily, but not the HS engine. HS acts like an antivirus.

  #9 gosicks
    Dwar, is it true that HackShield detects the packer signature?
    I made some DLL hack and it is undetected by HS,
    but if I pack/protect my DLL hack, then my DLL hack is detected.

    Any solution for this? I tried a lot of packers/protectors and virtualizers, and HackShield detected them all.

  #10 Dwar
    Quote Originally Posted by gosicks View Post
    detect the sig packer
    True
    Quote Originally Posted by gosicks View Post
    and hackshield was detect it
    Try to create your own protection (packer)
