Why06, here you go, I think this is what you want..
Hi there, and welcome to my ultimate information dump on Hack Shield, one of the best Anti-Cheat services ever made. Today you will essentially learn what Hack Shield is made of, how Hack Shield works, and you will even learn some new bypassing ideas.
Hack Shield Components
Hack Shield Flow
Hack Shield Components
Hack Shield consists of:
EhSvc is the Hack Shield interface dll
It communicates between the game client and Hack Shield
It communicates with the Hack Shield driver (EagleNT.sys)
It initiates the hack tool detection engine
This is usually the only file needed to create a workable bypass
This is the hacking tool detection interface dll
This starts the hacking tool detection engine
This helps the scanning of known hack signatures
A very important file. This could interrupt the Hack Shield driver if correctly intercepted
The Heuristic engine file
Contains the patterns used to search for known hacks
The process status helper dll
Helps scan process signatures and control process functions
The anti-hacking engine pattern file
Not too sure exactly what this does, but it reads the 3N.mhe file
The Hack Shield kernel driver
Performs anti-hacking functions, protects the game client's process, and hooks certain APIs, rendering them useless
If successfully uninitiated, it could enable the use of many APIs and functions such as Read/WriteProcessMemory.
**If I were you I would pay attention to those function names!
3. Bypassing Theory
So, we got some nice information about Hack Shield. How do we bypass it? I will tell you right now, I'm going to show you some very unconventional and new ideas. Say goodbye to your petty API and ASM bypasses, and say hello to your new best friend: detouring. Before we continue, you should have a strong foundation in detouring. If you don't, I recommend watching this.
So what functions do we detour? In reality, you are going to be detouring CallBack. The CallBack function in Hack Shield collects data from the Hack Shield service. The data is usually errors or "Hack Detected" type messages. The goal of course is to stop it from getting the Hack Detected messages, or stop it from alerting the game client that there is a "Hack Detected" message. The first goal is to find the actual name of the function. The next step is to rebuild the params of the function. The next step is to find the address of this function. Then finally you detour it. Here is my example (not working probably):
////// Declares //////
#define CallBackAddy 0x0000001
typedef int ( *PFN_AhnEH_Callback)( long lCode, long lParamSize, void* pParam ); //the name of the function actually is PFN_AhnEH_Callback
PFN_AhnEH_Callback pAhnEH_Callback; //Defining our function
////// Our new function //////
DWORD dwCode = YOUR_CODE_TO_PASS;
int myReturn = pAhnEH_Callback(dwCode, 0, NULL);
////// Our Detour //////
pAhnEH_Callback = (PFN_AhnEH_Callback)DetourFunction( (PBYTE)( Ehsvc + CallBackAddy ), (PBYTE)_CallBackThread());
This is just pseudo code, but hopefully you get the idea. The hard part is finding the address of the function. I have my way of getting it, but I'm leaving it up to you to figure out how to get the address. I don't want to completely hand feed you a working bypass. There are a couple ways to get it.
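Seen from the defending side, an inline detour like the one sketched in the post overwrites the first bytes of the target function with a jump, which an integrity check on the function prologue can catch. The following is an added example, not part of the original post and not Hack Shield code: it compares a function's live prologue with a baseline taken from a trusted copy of the module. All names and byte samples are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result codes for check_prologue() (names are this example's own). */
enum { PROLOGUE_CLEAN = 0, PROLOGUE_MODIFIED = 1, PROLOGUE_DETOURED = 2 };

/* Return 1 if the bytes begin with an x86 instruction that transfers
 * control elsewhere, which is what an inline hook's patch looks like. */
static int starts_with_redirect(const uint8_t *p, size_t n)
{
    if (n >= 5 && p[0] == 0xE9) return 1;                 /* jmp rel32       */
    if (n >= 2 && p[0] == 0xEB) return 1;                 /* jmp rel8        */
    if (n >= 6 && p[0] == 0xFF && p[1] == 0x25) return 1; /* jmp [mem]       */
    if (n >= 6 && p[0] == 0x68 && p[5] == 0xC3) return 1; /* push imm32; ret */
    return 0;
}

/* Compare the live prologue of a protected function against a baseline
 * captured from the trusted on-disk image of the module. */
int check_prologue(const uint8_t *live, const uint8_t *baseline, size_t n)
{
    if (memcmp(live, baseline, n) == 0)
        return PROLOGUE_CLEAN;
    /* Bytes differ. Report a detour only when the live copy starts with a
     * redirect that the trusted baseline does not have. */
    if (starts_with_redirect(live, n) && !starts_with_redirect(baseline, n))
        return PROLOGUE_DETOURED;
    return PROLOGUE_MODIFIED;
}

/* Constructed samples: a common x86 prologue and two altered copies. */
static const uint8_t sample_baseline[8] = {0x55,0x8B,0xEC,0x83,0xEC,0x10,0x53,0x56};
static const uint8_t sample_hooked[8]   = {0xE9,0x10,0x20,0x30,0x00,0x10,0x53,0x56};
static const uint8_t sample_patched[8]  = {0x55,0x8B,0xEC,0x90,0x90,0x90,0x53,0x56};

int main(void)
{
    printf("baseline: %d\n", check_prologue(sample_baseline, sample_baseline, 8));
    printf("hooked:   %d\n", check_prologue(sample_hooked, sample_baseline, 8));
    printf("patched:  %d\n", check_prologue(sample_patched, sample_baseline, 8));
    return 0;
}
```

A check like this is only as trustworthy as its baseline and its caller, so it is normally run from a context the hooked process cannot patch and repeated at intervals rather than once at startup.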