  1. #1
    Yepikiyay

    Hackshield analysis

    Hack Shield Analysis
    Credits: Me. Please don't use this without my permission.


    Hi there, and welcome to my information dump on Hack Shield, one of the best Anti-Cheats out right now (HAHAH jokes). Today you will essentially learn what Hack Shield is made of, how Hack Shield works, and you will even learn some new bypassing ideas.
    Index
    1. Hack Shield Components
    2. Hack Shield Flow
    3. Bypassing Theory

    1. Hack Shield Components
    Hack Shield consists of:
    1. EhSvc.dll
      • EhSvc is the Hack Shield interface dll
      • It communicates between the game client and Hack Shield
      • It communicates with the Hack Shield driver (EagleNT.sys)
      • It initiates the hack tool detection engine
      • This is usually the only file needed to create a workable bypass
    2. V3Pro32s.dll
      • This is the hacking tool detection interface dll
      • This starts the hacking tool detection engine
      • This helps the scanning of known hack signatures
      • A very important file. This could interrupt the Hack Shield driver if correctly intercepted
    Code:
    _AhnGetFileEntry    0x1000bb9c    0x0000bb9c    30 (0x1e)    v3pro32s.dll    C:\Nexon\Combat Arms\HShield\v3pro32s.dll    
    AhnBootInformation    0x1000b16f    0x0000b16f    1 (0x1)    v3pro32s.dll    C:\Nexon\Combat Arms\HShield\v3pro32s.dll    
    AhnCheckBootSector    0x1000b177    0x0000b177    2 (0x2)    v3pro32s.dll    C:\Nexon\Combat Arms\HShield\v3pro32s.dll    
    AhnCheckDefaultExtensions    0x1000124a    0x0000124a    3 (0x3)    v3pro32s.dll    C:\Nexon\Combat Arms\HShield\v3pro32s.dll    
    AhnCheckFile    0x1000ba5e    0x0000ba5e    4 (0x4)    v3pro32s.dll    C:\Nexon\Combat Arms\HShield\v3pro32s.dll    
    AhnCheckMemory    0x1000b160    0x0000b160    5 (0x5)    v3pro32s.dll    C:\Nexon\Combat Arms\HShield\v3pro32s.dll    
    AhnCheckProcess    0x1000b79d    0x0000b79d    6 (0x6)    v3pro32s.dll    C:\Nexon\Combat Arms\HShield\v3pro32s.dll    
    AhnGetBootRepairStatus    0x1000b5b9    0x0000b5b9    7 (0x7)    v3pro32s.dll    C:\Nexon\Combat Arms\HShield\v3pro32s.dll    
    AhnGetDefaultExtensions    0x1000126b    0x0000126b    8 (0x8)    v3pro32s.dll    C:\Nexon\Combat Arms\HShield\v3pro32s.dll    
    AhnGetEngineDate    0x100013fd    0x000013fd    9 (0x9)    v3pro32s.dll    C:\Nexon\Combat Arms\HShield\v3pro32s.dll    
    AhnGetEngineDateString    0x1000145c    0x0000145c    10 (0xa)    v3pro32s.dll    C:\Nexon\Combat Arms\HShield\v3pro32s.dll    
    AhnGetEngineDateValue    0x10001449    0x00001449    11 (0xb)    v3pro32s.dll    C:\Nexon\Combat Arms\HShield\v3pro32s.dll    
    AhnGetExtRepairStatus    0x1000b287    0x0000b287    12 (0xc)    v3pro32s.dll    C:\Nexon\Combat Arms\HShield\v3pro32s.dll    
    AhnGetRepairStatus    0x1000b1b4    0x0000b1b4    13 (0xd)    v3pro32s.dll    C:\Nexon\Combat Arms\HShield\v3pro32s.dll    
    AhnGetVersion    0x100014f7    0x000014f7    14 (0xe)    v3pro32s.dll    C:\Nexon\Combat Arms\HShield\v3pro32s.dll    
    AhnGetVirusFileCureData    0x1000120b    0x0000120b    15 (0xf)    v3pro32s.dll    C:\Nexon\Combat Arms\HShield\v3pro32s.dll    
    AhnGetVirusName    0x100010d1    0x000010d1    16 (0x10)    v3pro32s.dll    C:\Nexon\Combat Arms\HShield\v3pro32s.dll    
    AhnGetVirusName32    0x1000108c    0x0000108c    17 (0x11)    v3pro32s.dll    C:\Nexon\Combat Arms\HShield\v3pro32s.dll    
    AhnGetVirusNameStr    0x1000116c    0x0000116c    18 (0x12)    v3pro32s.dll    C:\Nexon\Combat Arms\HShield\v3pro32s.dll    
    AhnGetVirusNameStr32    0x100010ab    0x000010ab    19 (0x13)    v3pro32s.dll    C:\Nexon\Combat Arms\HShield\v3pro32s.dll    
    AhnInitVaccineEngine    0x1000b600    0x0000b600    20 (0x14)    v3pro32s.dll    C:\Nexon\Combat Arms\HShield\v3pro32s.dll    
    AhnRepairBootSector    0x1000b17e    0x0000b17e    21 (0x15)    v3pro32s.dll    C:\Nexon\Combat Arms\HShield\v3pro32s.dll    
    AhnRepairFile    0x1000eea0    0x0000eea0    22 (0x16)    v3pro32s.dll    C:\Nexon\Combat Arms\HShield\v3pro32s.dll    
    AhnRepairMemory    0x1000b167    0x0000b167    23 (0x17)    v3pro32s.dll    C:\Nexon\Combat Arms\HShield\v3pro32s.dll    
    AhnSetDefaultOption    0x1000ba89    0x0000ba89    24 (0x18)    v3pro32s.dll    C:\Nexon\Combat Arms\HShield\v3pro32s.dll    
    AhnSetExtensions    0x10001295    0x00001295    25 (0x19)    v3pro32s.dll    C:\Nexon\Combat Arms\HShield\v3pro32s.dll    
    PV3CALGetInfoAddr    0x1000a0fe    0x0000a0fe    26 (0x1a)    v3pro32s.dll    C:\Nexon\Combat Arms\HShield\v3pro32s.dll    
    V3CALGetInfo    0x1000a0c2    0x0000a0c2    27 (0x1b)    v3pro32s.dll    C:\Nexon\Combat Arms\HShield\v3pro32s.dll    
    V3CALGetShowInfo    0x1000a080    0x0000a080    28 (0x1c)    v3pro32s.dll    C:\Nexon\Combat Arms\HShield\v3pro32s.dll    
    V3CALGetTotalInfoCount    0x1000a0b9    0x0000a0b9    29 (0x1d)    v3pro32s.dll    C:\Nexon\Combat Arms\HShield\v3pro32s.dll
    3. 3N.mhe
      • The Heuristic engine file
      • Contains the patterns used to search for known hacks
    4. psapi.dll
      • The process status helper dll
      • Helps scan process signatures and control process functions
    Code:
    EmptyWorkingSet    0x76a61e20    0x00001e20    1 (0x1)    psapi.dll    C:\Nexon\Combat Arms\HShield\psapi.dll    
    EnumDeviceDrivers    0x76a615a3    0x000015a3    2 (0x2)    psapi.dll    C:\Nexon\Combat Arms\HShield\psapi.dll    
    EnumPageFilesA    0x76a63b3c    0x00003b3c    3 (0x3)    psapi.dll    C:\Nexon\Combat Arms\HShield\psapi.dll    
    EnumPageFilesW    0x76a639cd    0x000039cd    4 (0x4)    psapi.dll    C:\Nexon\Combat Arms\HShield\psapi.dll    
    EnumProcesses    0x76a634a9    0x000034a9    6 (0x6)    psapi.dll    C:\Nexon\Combat Arms\HShield\psapi.dll    
    EnumProcessModules    0x76a61a8a    0x00001a8a    5 (0x5)    psapi.dll    C:\Nexon\Combat Arms\HShield\psapi.dll    
    GetDeviceDriverBaseNameA    0x76a61748    0x00001748    7 (0x7)    psapi.dll    C:\Nexon\Combat Arms\HShield\psapi.dll    
    GetDeviceDriverBaseNameW    0x76a61823    0x00001823    8 (0x8)    psapi.dll    C:\Nexon\Combat Arms\HShield\psapi.dll    
    GetDeviceDriverFileNameA    0x76a616cd    0x000016cd    9 (0x9)    psapi.dll    C:\Nexon\Combat Arms\HShield\psapi.dll    
    GetDeviceDriverFileNameW    0x76a617c7    0x000017c7    10 (0xa)    psapi.dll    C:\Nexon\Combat Arms\HShield\psapi.dll    
    GetMappedFileNameA    0x76a61945    0x00001945    11 (0xb)    psapi.dll    C:\Nexon\Combat Arms\HShield\psapi.dll    
    GetMappedFileNameW    0x76a6187f    0x0000187f    12 (0xc)    psapi.dll    C:\Nexon\Combat Arms\HShield\psapi.dll    
    GetModuleBaseNameA    0x76a61d2f    0x00001d2f    13 (0xd)    psapi.dll    C:\Nexon\Combat Arms\HShield\psapi.dll    
    GetModuleBaseNameW    0x76a61cb2    0x00001cb2    14 (0xe)    psapi.dll    C:\Nexon\Combat Arms\HShield\psapi.dll    
    GetModuleFileNameExA    0x76a61c4a    0x00001c4a    15 (0xf)    psapi.dll    C:\Nexon\Combat Arms\HShield\psapi.dll    
    GetModuleFileNameExW    0x76a61bcd    0x00001bcd    16 (0x10)    psapi.dll    C:\Nexon\Combat Arms\HShield\psapi.dll    
    GetModuleInformation    0x76a61d97    0x00001d97    17 (0x11)    psapi.dll    C:\Nexon\Combat Arms\HShield\psapi.dll    
    GetPerformanceInfo    0x76a6382d    0x0000382d    18 (0x12)    psapi.dll    C:\Nexon\Combat Arms\HShield\psapi.dll    
    GetProcessImageFileNameA    0x76a637a9    0x000037a9    19 (0x13)    psapi.dll    C:\Nexon\Combat Arms\HShield\psapi.dll    
    GetProcessImageFileNameW    0x76a6371b    0x0000371b    20 (0x14)    psapi.dll    C:\Nexon\Combat Arms\HShield\psapi.dll    
    GetProcessMemoryInfo    0x76a635c2    0x000035c2    21 (0x15)    psapi.dll    C:\Nexon\Combat Arms\HShield\psapi.dll    
    GetWsChanges    0x76a636e1    0x000036e1    22 (0x16)    psapi.dll    C:\Nexon\Combat Arms\HShield\psapi.dll    
    InitializeProcessForWsWatch    0x76a6369d    0x0000369d    23 (0x17)    psapi.dll    C:\Nexon\Combat Arms\HShield\psapi.dll    
    QueryWorkingSet    0x76a61e8b    0x00001e8b    24 (0x18)    psapi.dll    C:\Nexon\Combat Arms\HShield\psapi.dll    
    QueryWorkingSetEx    0x76a61ec7    0x00001ec7    25 (0x19)    psapi.dll    C:\Nexon\Combat Arms\HShield\psapi.dll
    5. V3Warp(d)(n)s.v3d
      • The anti-hacking engine pattern file
      • Not too sure exactly what this does, but it reads the 3N.mhe file
    6. EagleNT.sys
      • The Hack Shield kernel driver
      • Performs anti-hacking functions, protects the game client's process, and hooks certain APIs, rendering them useless
      • If successfully uninitiated, it could enable the use of many APIs and functions such as Read/WriteProcessMemory.

    2. Hack Shield Flow
    Here is a graphical chart explaining how all the components work together:

    Here is a graphical chart explaining how Hack Shield is started:

    **If I were you I would pay attention to those function names!
    3. Bypassing Theory
    So, we got some nice information about Hack Shield. How do we bypass it? I will tell you right now, I'm going to show you some very unconventional and new ideas. Say goodbye to your petty API and ASM bypasses, and say hello to your new best friend: detouring. Before we continue, you should have a strong foundation in detouring. If you don't, I recommend watching this.


    So what functions do we detour? In reality, you are going to be detouring CallBack. The CallBack function in Hack Shield collects data from the Hack Shield service. The data is usually errors or "Hack Detected" type messages. The goal of course is to stop it from getting the Hack Detected messages, or stop it from alerting the game client that there is a "Hack Detected" message. The first goal is to find the actual name of the function. The next step is to rebuild the params of the function. The next step is to find the address of this function. Then finally you detour it. Here is my example (not working probably):
    Code:
    ////// Declares //////
    #define CallBackAddy 0x0000001
    typedef int ( *PFN_AhnEH_Callback)( long lCode, long lParamSize, void* pParam ); //the name of the function actually is PFN_AhnEH_Callback
    PFN_AhnEH_Callback pAhnEH_Callback; //Defining our function
    //////
    ////// Our new function //////
    int _CallBackThread()
    {
        DWORD dwCode = YOUR_CODE_TO_PASS;
        int myReturn = pAhnEH_Callback(dwCode, 0, NULL);
        return myReturn;
    }
    //////
    ////// Our Detour //////
    pAhnEH_Callback  = (PFN_AhnEH_Callback)DetourFunction( (PBYTE)( Ehsvc + CallBackAddy ), (PBYTE)_CallBackThread()); 
    //////
    OLD SCHOOL BYPASS CODE XD

    This is just pseudo code, but hopefully you get the idea. The hard part is finding the address of the function. There are some function addresses included for Combat Arms, but that's just Combat Arms. I have my way of getting it, but I'm leaving it up to you to figure out how to get the address. I don't want to completely hand feed you a working bypass. There are a couple ways to get it.
    As a conclusion, I just want to say that you need to use your imagination! Find different functions. Find different ways to bypass. Rip Hack Shield apart.

    I Hate You
    Current Status: Online Playing MineCraft
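The detour described in post #1 works by overwriting the first bytes of the callback with a jump into foreign code, and that overwrite is what a code-integrity check on the protected module looks for. The C example below is added here (it is not code from the thread or from Hack Shield): it compares a function prologue against a trusted copy and classifies any redirect stub by whether its target leaves the module. The module range, function address and byte samples are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    PROLOGUE_CLEAN = 0,         /* live bytes match the trusted copy */
    PROLOGUE_MODIFIED,          /* bytes differ, no known redirect stub decoded */
    PROLOGUE_REDIRECT_INTERNAL, /* patched jump, target still inside the module */
    PROLOGUE_REDIRECT_EXTERNAL  /* patched jump leaving the module: a detour */
} verdict_t;

typedef struct { uint32_t base, size; } module_range_t;

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode the redirect stubs inline-hook libraries commonly write on x86-32.
 * Returns 1 and sets *target when one starts the function (after optional
 * padding), 0 otherwise. va is the function's address in the process. */
static int decode_redirect(const uint8_t *code, size_t len, uint32_t va,
                           uint32_t *target)
{
    size_t off = 0, left;
    const uint8_t *p;

    /* Skip padding that may sit in front of the stub: nop, or mov edi,edi. */
    while (off < len) {
        if (code[off] == 0x90)
            off += 1;
        else if (off + 1 < len && code[off] == 0x8B && code[off + 1] == 0xFF)
            off += 2;
        else
            break;
    }
    if (off >= len)
        return 0;
    p = code + off;
    left = len - off;

    if (p[0] == 0xE9 && left >= 5) {                  /* jmp rel32 */
        *target = va + (uint32_t)off + 5u + rd32(p + 1);
        return 1;
    }
    if (p[0] == 0xEB && left >= 2) {                  /* jmp rel8 */
        *target = va + (uint32_t)off + 2u + (uint32_t)(int32_t)(int8_t)p[1];
        return 1;
    }
    if (p[0] == 0x68 && left >= 6 && p[5] == 0xC3) {  /* push imm32; ret */
        *target = rd32(p + 1);
        return 1;
    }
    if (p[0] == 0xB8 && left >= 7 && p[5] == 0xFF && p[6] == 0xE0) {
        *target = rd32(p + 1);                        /* mov eax,imm32; jmp eax */
        return 1;
    }
    return 0;
}

/* Compare the live prologue with the trusted bytes, then classify the change. */
static verdict_t check_prologue(const uint8_t *live, const uint8_t *trusted,
                                size_t len, uint32_t va, module_range_t mod,
                                uint32_t *target_out)
{
    uint32_t target = 0;

    if (target_out) *target_out = 0;
    if (memcmp(live, trusted, len) == 0)
        return PROLOGUE_CLEAN;        /* an original thunk is not a hook */
    if (!decode_redirect(live, len, va, &target))
        return PROLOGUE_MODIFIED;
    if (target_out) *target_out = target;
    /* Unsigned subtraction also rejects targets below the module base. */
    return (target - mod.base < mod.size) ? PROLOGUE_REDIRECT_INTERNAL
                                          : PROLOGUE_REDIRECT_EXTERNAL;
}

/* Constructed sample data: a hypothetical module and function address. */
#define SAMPLE_LEN 8
static const module_range_t SAMPLE_MODULE = { 0x10000000u, 0x00040000u };
static const uint32_t SAMPLE_VA = 0x10001000u;
static const uint8_t SAMPLE_TRUSTED[SAMPLE_LEN]  = {0x55,0x8B,0xEC,0x83,0xEC,0x10,0x53,0x56};
static const uint8_t SAMPLE_JMP_OUT[SAMPLE_LEN]  = {0xE9,0xFB,0xEF,0xFF,0x5E,0x10,0x53,0x56};
static const uint8_t SAMPLE_PUSH_RET[SAMPLE_LEN] = {0x68,0x00,0x20,0x00,0x10,0xC3,0x53,0x56};
static const uint8_t SAMPLE_PATCHED[SAMPLE_LEN]  = {0x55,0x8B,0xEC,0x33,0xC0,0xC9,0xC3,0x56};

int main(void)
{
    static const char *names[] = { "clean", "modified", "redirect (internal)",
                                   "redirect (EXTERNAL)" };
    const uint8_t *samples[] = { SAMPLE_TRUSTED, SAMPLE_JMP_OUT,
                                 SAMPLE_PUSH_RET, SAMPLE_PATCHED };
    for (size_t i = 0; i < 4; i++) {
        uint32_t t = 0;
        verdict_t v = check_prologue(samples[i], SAMPLE_TRUSTED, SAMPLE_LEN,
                                     SAMPLE_VA, SAMPLE_MODULE, &t);
        printf("sample %u: %s, target 0x%08x\n", (unsigned)i, names[v], (unsigned)t);
    }
    return 0;
}
```

In practice the trusted bytes come from the on-disk image after relocations are applied, and the comparison has to run somewhere the hooked process cannot patch.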

  2. #2
    RedThunder
    /close

    this is a repost

  3. #3
    Mouzie
    This is a repost and I already made one.

  4. #4
    Taylor Swift
    im Sorry what 0_0

  5. #5
    CRUSTY
    Old is old?

  6. #6
    Taylor Swift
    I guess So.

  7. #7
    AVGN
    yeah let me find the original

    brb




  9. #8
    -Simply-Own-
    Yeah Already Posted .



  10. #9
    AVGN
    http://www.mpgh.net/forum/207-combat...-analysis.html

    Quote Originally Posted by why06 View Post
    Thanks to: Th4nat0s, DeadlyData, Micheal87, & lolz2much

    This is some basic information about HShield, the way it works, etc. Of course you need to be much more specific to actually do something with this, and I think it might be a little dated, but HS should still be structured the same way. Unfortunately I wasn't able to find Th4nat0s' Hackshield Analysis, that one is most recent, so if anyone can find it plz tell me or add it to this thread.

    Thanks to headsup for finding the damned thing!





    Hack Shield Analysis

    Hi there, and welcome to my ultimate information dump on Hack Shield, one of the best Anti-Cheat services ever made. Today you will essentially learn what Hack Shield is made of, how Hack Shield works, and you will even learn some new bypassing ideas.



    Index


    Hack Shield Components
    Hack Shield Flow
    Bypassing Theory



    Hack Shield Components



    Hack Shield consists of:





    1) EhSvc.dll:


    EhSvc is the Hack Shield interface dll
    It communicates between the game client and Hack Shield
    It communicates with the Hack Shield driver (EagleNT.sys)
    It initiates the hack tool detection engine
    This is usually the only file needed to create a workable bypass



    2) V3Pro32s.dll:


    This is the hacking tool detection interface dll
    This starts the hacking tool detection engine
    This helps the scanning of known hack signatures
    A very important file. This could interrupt the Hack Shield driver if correctly intercepted







    3) 3N.mhe:


    The Heuristic engine file
    Contains the patterns used to search for known hacks

    4) psapi.dll:


    The process status helper dll
    Helps scan process signatures and control process functions



    5) V3Warp(d)(n)s.v3d:


    The anti-hacking engine pattern file
    Not too sure exactly what this does, but it reads the 3N.mhe file

    6) EagleNT.sys:


    The Hack Shield kernel driver
    Performs anti-hacking functions, protects the game client's process, and hooks certain API's, rendering them useless
    If successfully uninitiated, it could enable the use of many API's and functions such as Read/WriteProcessMemory.



    2. Hack Shield Flow



    Here is a graphical chart explaining how all the components work together:







    Here is a graphical chart explaining how Hack Shield is started:









    **If I were you I would pay attention to those function names!







    3. Bypassing Theory



    So, we got some nice information about Hack Shield. How do we bypass it? I will tell you right now, I'm going to show you some very unconventional and new ideas. Say goodbye to your petty API and ASM bypasses, and say hello to your new best friend: detouring. Before we continue, you should have a strong foundation in detouring. If you don't, I recommend watching this.



    So what functions do we detour? In reality, you are going to be detouring CallBack. The CallBack function in Hack Shield collects data from the Hack Shield service. The data is usually errors or "Hack Detected" type messages. The goal of course is to stop it from getting the Hack Detected messages, or stop it from alerting the game client that there is a "Hack Detected" message. The first goal is to find the actual name of the function. The next step is to rebuild the params of the function. The next step is to find the address of this function. Then finally you detour it. Here is my example (not working probably):



    Code:
    ////// Declares //////
    #define CallBackAddy 0x0000001
    typedef int ( *PFN_AhnEH_Callback)( long lCode, long lParamSize, void* pParam ); //the name of the function actually is PFN_AhnEH_Callback
    PFN_AhnEH_Callback pAhnEH_Callback; //Defining our function
    //////
    ////// Our new function //////
    int _CallBackThread()
    {
        DWORD dwCode = YOUR_CODE_TO_PASS;
        int myReturn = pAhnEH_Callback(dwCode, 0, NULL);
        return myReturn;
    }
    //////
    ////// Our Detour //////
    pAhnEH_Callback  = (PFN_AhnEH_Callback)DetourFunction( (PBYTE)( Ehsvc + CallBackAddy ), (PBYTE)_CallBackThread()); 
    //////


    This is just pseudo code, but hopefully you get the idea. The hard part is finding the address of the function. I have my way of getting it, but I'm leaving it up to you to figure out how to get the address. I don't want to completely hand feed you a working bypass. There are a couple ways to get it.



    As a conclusion, I just want to say that you need to use your imagination! Find different functions. Find different ways to bypass. Rip Hack Shield apart. Keep in mind that you can gain access to hooked functions by stopping the Hack Shield anti-hack service.


    somebody should ban this guy for ripping off why06




  12. #10
    Mouzie
    AVGN, report him to Liz, Dave, or one of the mods. :3

  13. #11
    whatup777
    This is Failure.

  14. #12
    Rave.
    Quote Originally Posted by whatup777 View Post
    This is Failure.
    You're fail.


  16. #13
    ChimiBang
    im stupid don't know this -.-



  17. #14
    Yepikiyay
    Quote Originally Posted by AVGN View Post
    http://www.mpgh.net/forum/207-combat...-analysis.html



    somebody should ban this guy for ripping off why06
    wow sorry bud i didn't fucking know


  18. #15
    Brecht Algoet
    Then close it when it's a repost.. -_-'
