Page 1 of 2 12 LastLast
Results 1 to 15 of 21
  1. #1
    Departure's Avatar
    Join Date
    Nov 2010
    Gender
    male
    Posts
    818
    Reputation
    125
    Thanks
    1,785
    My Mood
    Doh

    Ideas Anti Detection

    Well I was thinking today after seeing a post that someone changed the name of a dll hack to make it undetected(I am still skeptical about this) but was thinking this would be an easy implementation to include in a injector, I was also thinking that adding an overlay to the dll will help make it undetected because its Crc32 hash or any hash for that matter would change, thus if HS do detect by size or hash adding an overlay(pumping random bytes to EOF) would prevent this type of detection and could be easy to implement once again into an Injector. There is one detection i am 80% sure of and this if you have Google Chrome(in my case) with MPGH site up CA crashes, I have tested this more than once and happens every time I have MPGH open in my browser. Anyway I anyone else that knows a bit about HS to post here what else they detect and maybe we can come up with solutions. I will including the above solution into D-Jector which might help with detections.


    All ideas and information welcome.....

  2. #2
    freedompeace's Avatar
    Join Date
    Jul 2010
    Gender
    female
    Posts
    3,035
    Reputation
    340
    Thanks
    2,784
    My Mood
    Sad
    Quote Originally Posted by Departure View Post
    Well I was thinking today after seeing a post that someone changed the name of a dll hack to make it undetected(I am still skeptical about this) but was thinking this would be an easy implementation to include in a injector, I was also thinking that adding an overlay to the dll will help make it undetected because its Crc32 hash or any hash for that matter would change, thus if HS do detect by size or hash adding an overlay(pumping random bytes to EOF) would prevent this type of detection and could be easy to implement once again into an Injector. There is one detection i am 80% sure of and this if you have Google Chrome(in my case) with MPGH site up CA crashes, I have tested this more than once and happens every time I have MPGH open in my browser. Anyway I anyone else that knows a bit about HS to post here what else they detect and maybe we can come up with solutions. I will including the above solution into D-Jector which might help with detections.


    All ideas and information welcome.....
    Yeah, that works lol. They sometimes do detect filenames + hashes... (I've had that happen to me - renaming / modifying the code (by adding another byte to it) made it "undetected" again)

    However.. This usually isn't a problem as you'll need to update every 15 days or so due to the HackShield + combat arms update cycle anyway

  3. #3
    whit's Avatar
    Join Date
    Jan 2010
    Gender
    male
    Posts
    7,170
    Reputation
    490
    Thanks
    2,252
    I think thats what they do when they have a Silient Patch ( or what ever they call it)..
    All you have to do is recompile your hack, But then you would have to release again blah blah
    So if you make a injector that will change it on injection , Then my friend you could change the world

  4. The Following User Says Thank You to whit For This Useful Post:

    NOOBJr (02-21-2011)

  5. #4
    Sydney's Avatar
    Join Date
    Mar 2010
    Gender
    male
    Location
    Germany...
    Posts
    1,358
    Reputation
    37
    Thanks
    1,144
    My Mood
    Amused
    Best Way still is Unpack and pack again!

    Thanks Cosmos


  6. #5
    D-Vid the DBag's Avatar
    Join Date
    Jan 2011
    Gender
    male
    Posts
    146
    Reputation
    10
    Thanks
    13
    My Mood
    Lurking
    Quote Originally Posted by Departure View Post
    There is one detection i am 80% sure of and this if you have Google Chrome(in my case) with MPGH site up CA crashes, I have tested this more than once and happens every time I have MPGH open in my browser.
    That sir, is incorrect.
    I don't know how you've managed to stumble across that problem,
    but I assure you that is not the case.

    I have MPGH open just about ANY time I play CombatArms and I use a google chrome-based browser.
    I usually USE Google Chrome, so even then... It doesn't crash. Maybe there's another factor played in the reason why you crash, and it's just a coincidence that it happens while you've got MPGH open.


  7. #6
    whit's Avatar
    Join Date
    Jan 2010
    Gender
    male
    Posts
    7,170
    Reputation
    490
    Thanks
    2,252
    Quote Originally Posted by D-Vid the DBag View Post


    That sir, is incorrect.
    I don't know how you've managed to stumble across that problem,
    but I assure you that is not the case.

    I have MPGH open just about ANY time I play CombatArms and I use a google chrome-based browser.
    I usually USE Google Chrome, so even then... It doesn't crash. Maybe there's another factor played in the reason why you crash, and it's just a coincidence that it happens while you've got MPGH open.
    Its not totally incorrect..
    Google Chromo isa program and when you type mpgh.net that isa String Hackshield in turn scans for that string and you crash

  8. The Following User Says Thank You to whit For This Useful Post:

    Departure (02-21-2011)

  9. #7
    D-Vid the DBag's Avatar
    Join Date
    Jan 2011
    Gender
    male
    Posts
    146
    Reputation
    10
    Thanks
    13
    My Mood
    Lurking
    Quote Originally Posted by whit View Post


    Its not totally incorrect..
    Google Chromo isa program and when you type mpgh.net that isa String Hackshield in turn scans for that string and you crash
    Okay, lemme rephrase that...
    WHEN I HAVE MPGH OPEN in ANY BROWSER, OR ANY HACKSITE OR ANY SITE PERIOD, I HAVE NEVER CRASHED BECAUSE OF IT.


  10. #8
    supercarz1991's Avatar
    Join Date
    Jul 2010
    Gender
    male
    Location
    North of Hell, South of Heaven
    Posts
    6,067
    Reputation
    323
    Thanks
    3,320
    My Mood
    Doh
    Quote Originally Posted by D-Vid the DBag View Post


    Okay, lemme rephrase that...
    WHEN I HAVE MPGH OPEN in ANY BROWSER, OR ANY HACKSITE OR ANY SITE PERIOD, I HAVE NEVER CRASHED BECAUSE OF IT.
    I've never crashed with mpgh open either. I do however (rarely) crash some times when I alt tab out

  11. #9
    _Fk127_'s Avatar
    Join Date
    Nov 2010
    Gender
    male
    Posts
    724
    Reputation
    16
    Thanks
    208
    My Mood
    Bitchy
    Quote Originally Posted by whit View Post


    Its not totally incorrect..
    Google Chromo isa program and when you type mpgh.net that isa String Hackshield in turn scans for that string and you crash
    People should just download the source of GC and obfuscate all the shit



    Put this image in your signature if you support HTML5 development!

  12. #10
    Departure's Avatar
    Join Date
    Nov 2010
    Gender
    male
    Posts
    818
    Reputation
    125
    Thanks
    1,785
    My Mood
    Doh
    I was thinking along the lines of what Whit said, As its a common method used to scan processes and get the titles of each windows. Anyway besides that implementing these random names and overlay is actually extremely easy to do for an injector, it just a simple matter of making a copy of the original dll make a random string to name it open it as a stream and place some random bytes at EOF(you could do this during the copy process of the original dll) because its at EOF the code never gets executed an its just a an overlay type of thing, As matter of fact we could use the random string that we used for the name of the dll, and use that to append to the EOF which would give us our random bytes or just add that string as a resource string instead of adding to EOF.
    Last edited by Departure; 02-21-2011 at 08:01 PM.

  13. #11
    _Fk127_'s Avatar
    Join Date
    Nov 2010
    Gender
    male
    Posts
    724
    Reputation
    16
    Thanks
    208
    My Mood
    Bitchy
    Quote Originally Posted by Departure View Post
    I was thinking along the lines of what Whit said, As its a common method used to scan processes and get the titles of each windows. Anyway besides that implementing these random names and overlay is actually extremely easy to do for an injector, it just a simple matter of making a copy of the original dll make a random string to name it open it as a stream and place some random bytes at EOF(you could do this during the copy process of the original dll) because its at EOF the code never gets executed an its just a an overlay type of thing, As matter of fact we could use the random string that we used for the name of the dll, and use that to append to the EOF which would give us our random bytes.
    Wow, this is a great idea! I would love to see this in your injector along with the new combo-box i suggested .



    Put this image in your signature if you support HTML5 development!

  14. #12
    Departure's Avatar
    Join Date
    Nov 2010
    Gender
    male
    Posts
    818
    Reputation
    125
    Thanks
    1,785
    My Mood
    Doh
    Yeap I will adding that today after a few tests have been carried out, for example the injector has an option to close it self after injection, But if we have made a copy of the dll I need the injector to monitor the Engine process so when it closes it will delete the copied dll from HD otherwise we end up with a heap of duplicates with different names, The injector Already Monitors the selected process anyway if it has'nt been set to Auto close... I am thinking to make a temp Directory with a unique name and when the Injector first loads again it can delete this directory(which contains all the copy's of the dlls) thus removing the clutter of multiple dlls. I will think about it later today how to remove copied dlls if Injector is set to close on injection and hopfully come up with a solution that wont clutter the users HD with a heaps of dlls

  15. #13
    Void's Avatar
    Join Date
    Sep 2009
    Gender
    male
    Location
    Inline.
    Posts
    3,193
    Reputation
    205
    Thanks
    1,438
    My Mood
    Mellow
    Departure, I've seen your supposedly undetected new method of injecting, and now you're bringing this up.. Kinda useless imo, probably a bit mean but true. HS doesn't give a shit if you inject. They hook the functions they want no one else to hook and check where its returning, if its returning to an unknown module then they detected something.

    Srs, they dont care if you inject, Idk if you've noticed, but you can inject a DLL that does nothing and you will never crash.

  16. #14
    Nubzgetkillz's Avatar
    Join Date
    Sep 2010
    Gender
    male
    Location
    hacktown
    Posts
    838
    Reputation
    13
    Thanks
    411
    My Mood
    Amazed
    Quote Originally Posted by Void View Post
    Departure, I've seen your supposedly undetected new method of injecting, and now you're bringing this up.. Kinda useless imo, probably a bit mean but true. HS doesn't give a shit if you inject. They hook the functions they want no one else to hook and check where its returning, if its returning to an unknown module then they detected something.

    Srs, they dont care if you inject, Idk if you've noticed, but you can inject a DLL that does nothing and you will never crash.
    This is very true.

    @everyone
    Unlike other games combat arms would take any injection as long as the .dll is not meant to crash it on purpose.

    Like for example, Crossfire detects injections if not hooked/whatever correctly. You inject a hack that has very bad coding or just detected it will crash at start.

    lol idk what i am saying! goodbye

    Member since September 25, 2010

    Current Objectives:
    • Graduate college with a degree in Computer Science
    • Find a decent job in the Computer Science Field
    • Learn more programming languages

    Looking for Elo Boosting Job - League of Legends
    Looking for Bronze -> Gold Jobs


    Skype: whatthedream

  17. #15
    Departure's Avatar
    Join Date
    Nov 2010
    Gender
    male
    Posts
    818
    Reputation
    125
    Thanks
    1,785
    My Mood
    Doh
    Quote Originally Posted by Void View Post
    Departure, I've seen your supposedly undetected new method of injecting, and now you're bringing this up.. Kinda useless imo, probably a bit mean but true. HS doesn't give a shit if you inject. They hook the functions they want no one else to hook and check where its returning, if its returning to an unknown module then they detected something.

    Srs, they dont care if you inject, Idk if you've noticed, but you can inject a DLL that does nothing and you will never crash.
    Undetected injection has nothing to with changing the hash or CRC32 of loaded mapped image which is the reason I bring this up in the first place as I hear people saying that they changed the filename of the dll and it was magically undetected( Personally don't believe this) but I can maybe believe that they use some hashing procedure to get a sum of any attached images to its processes, Which also has been said from the replys changing a single byte has helped them make there hacks undetected again, Also makes no logical sense to use packer as the code is unpacked into memory which would make this useless, but yet people still do... So its only common sense they must be scanning and hashing memory if what others say is true.

    As for the "Undetectable" injection method, This doesn't mean your hack is undetectable, This only means I use a method which has no documentation of its API in use with creating a remote thread, Which means games that hooks "CreateRemoteThread" API wont detect this method as it doesn't use this API. Also what must be noted is the D-Jector is not tied to only combat arms and therefore adding these option can and will be useful for other games.

Page 1 of 2 12 LastLast