    #1 Tekkn0logik

    Some hackshield stuff.

    In an effort to get started on a hackshield bypass, I've poked around Engine.exe in IDA Pro.

    I seem to have found the procedure which loads/updates HackShield. If this is the real deal, the majority of their load-time 'hack detection' consists of comparing eax to a bunch of values and, if one matches, calling a subroutine which does some magic I don't understand and then returns.

    Sooooo, would it be possible to just modify this routine at runtime to just return the success value, whatever it is? If so, it's way too easy... it has to be harder than that.

    If this is all info everyone already knows, sorry; although I am a good programmer, all of my contributions to MPGH so far have involved easy stuff like pushtoconsole.

    To close this post, here's the relevant code. First are the strings used and then the actual code.

    Code:
    ___:00780014 aSIllegalHwid   db '%s | Illegal HWID',0
    ___:00780028 aSS_15          db '%s | %s',0
    ___:00780030 a_ahnhs_setuser db '_AhnHS_SetUserId : %s',0
    ___:00780068 aADebuggingAtte db 'A debugging attempt has occurred. ',0Ah
    ___:00780068                 db 'The program is shutting down.',0
    ___:007800B0 aAnErrorHasOccu db 'An error has occurred with HackShield. ',0Ah
    ___:007800B0                 db 'The program is shutting down.',0
    ___:007800F8 aMemoryAccessHa db 'Memory access has been detected. ',0Ah
    ___:007800F8                 db 'The program is shutting down.',0
    ___:00780138 aAPossibleSpeed db 'A possible Speed Hack has been detected on this PC.',0
    ___:00780170 aAHackingToolHa db 'A hacking tool has been discovered in the following location'
    ___:00780170                 db ' so the program has been shut down.',0
    ___:007801D0 aHackshieldInit db 'Hackshield initialized succeessfully',0
    ___:007801F8 aFailedTo_ahn_0 db 'Failed to _AhnHS_StartService [%d]',0
    ___:0078021C aFailedTo_ahnhs db 'Failed to _AhnHS_Initialize [%d]',0
    ___:00780240 aAnErrorHasOc_0 db 'An error has occurred with the hack prevention function.  (E'
    ___:00780240                 db 'rror Code = %x)',0Ah
    ___:00780240                 db 'The program is shutting down.',0
    ___:007802B0 aTheProgramIsRu db 'The program is running on compatibility mode.  ',0Ah
    ___:007802B0                 db 'The program is shutting down.',0
    ___:00780300 aYouNeedAdminis db 'You need Administrative authority to run this.  ',0Ah
    ___:00780300                 db 'The program is shutting down.',0
    ___:00780350 aDebuggerActivi db 'Debugger activity has been detected.  ',0Ah
    ___:00780350                 db 'Close the debugger first, then run the program again.',0
    ___:007803B0 aAnInvalidFileH db 'An invalid file has been installed.  ',0Ah
    ___:007803B0                 db 'Please reinstall the file.',0
    ___:007803F8 aAnotherInstanc db 'Another instance of this game is running.  ',0Ah
    ___:007803F8                 db 'The program is shutting down.',0
    ___:00780444 a56272884ac87c6 db '56272884AC87C637CFC4FE56',0
    ___:00780460 dword_780460    dd 656E6F4Eh            ; DATA XREF: ___:loc_52048Cr
    ___:00780464 dword_780464    dd 49207C20h            ; DATA XREF: ___:00520492r
    ___:00780468 dword_780468    dd 67656C6Ch            ; DATA XREF: ___:00520497r
    ___:0078046C dword_78046C    dd 48206C61h            ; DATA XREF: ___:005204A4r
    ___:00780470 dword_780470    dd 444957h
    ___:00780474 dword_780474    dd 656E6F4Eh, 25207C20h, 73h ; DATA XREF: ___:0052047Co
    ___:00780480 aFailedToConnec db 'Failed to connect hsms [%d]',0 ; DATA XREF: ___:005203FBo
    ___:0078049C aTryingConnectT db 'trying connect to HSMS IP[%s] VER[%s]',0
    
    ___:0051FF20
    ___:0051FF20 ; =============== S U B R O U T I N E =======================================
    ___:0051FF20
    ___:0051FF20 ; Attributes: bp-based frame
    ___:0051FF20
    ___:0051FF20 sub_51FF20      proc near               ; DATA XREF: ___:005204E9o
    ___:0051FF20                                         ; ___:0052052Do ...
    ___:0051FF20
    ___:0051FF20 var_420         = dword ptr -420h
    ___:0051FF20 var_410         = dword ptr -410h
    ___:0051FF20 var_4           = dword ptr -4
    ___:0051FF20 arg_0           = dword ptr  8
    ___:0051FF20
    ___:0051FF20                 push    ebp
    ___:0051FF21                 mov     ebp, esp
    ___:0051FF23                 and     esp, 0FFFFFFF8h
    ___:0051FF26                 sub     esp, 414h
    ___:0051FF2C                 mov     eax, dword_7F85B4
    ___:0051FF31                 xor     eax, esp
    ___:0051FF33                 mov     [esp+414h+var_4], eax
    ___:0051FF3A                 push    ebx
    ___:0051FF3B                 push    esi
    ___:0051FF3C                 push    edi
    ___:0051FF3D                 push    400h
    ___:0051FF42                 lea     eax, [esp+424h+var_410+1]
    ___:0051FF46                 push    0
    ___:0051FF48                 push    eax
    ___:0051FF49                 mov     bl, 1
    ___:0051FF4B                 mov     byte ptr [esp+42Ch+var_410], 0
    ___:0051FF50                 call    sub_6F0090
    ___:0051FF55                 mov     eax, [ebp+arg_0]
    ___:0051FF58                 add     esp, 0Ch
    ___:0051FF5B                 cmp     eax, 10501h
    ___:0051FF60                 jnz     short loc_51FFC6
    ___:0051FF62                 mov     ecx, 18h
    ___:0051FF67                 mov     esi, offset aAHackingToolHa ; "A hacking tool has been discovered in t"...
    ___:0051FF6C                 lea     edi, [esp+420h+var_410]
    ___:0051FF70
    ___:0051FF70 loc_51FF70:                             ; CODE XREF: sub_51FF20+DCj
    ___:0051FF70                                         ; sub_51FF20+10Cj
    ___:0051FF70                 rep movsd
    ___:0051FF72
    ___:0051FF72 loc_51FF72:                             ; CODE XREF: sub_51FF20+17Ej
    ___:0051FF72                                         ; sub_51FF20+194j
    ___:0051FF72                 lea     eax, [esp+420h+var_410]
    ___:0051FF76                 lea     edx, [eax+1]
    ___:0051FF79                 lea     esp, [esp+0]
    ___:0051FF80
    ___:0051FF80 loc_51FF80:                             ; CODE XREF: sub_51FF20+65j
    ___:0051FF80                 mov     cl, [eax]
    ___:0051FF82                 inc     eax
    ___:0051FF83                 test    cl, cl
    ___:0051FF85                 jnz     short loc_51FF80
    ___:0051FF87                 sub     eax, edx
    ___:0051FF89                 push    eax
    ___:0051FF8A                 lea     ecx, [esp+424h+var_410]
    ___:0051FF8E                 push    ecx
    ___:0051FF8F                 mov     ecx, dword_806B14
    ___:0051FF95                 add     ecx, 0Ch
    ___:0051FF98                 call    sub_463FB0
    ___:0051FF9D                 mov     edx, dword_806B14
    ___:0051FFA3                 mov     byte ptr [edx+8], 1
    ___:0051FFA7
    ___:0051FFA7 loc_51FFA7:                             ; CODE XREF: sub_51FF20+167j
    ___:0051FFA7                 mov     ecx, [esp+420h+var_4]
    ___:0051FFAE                 pop     edi
    ___:0051FFAF                 xor     eax, eax
    ___:0051FFB1                 cmp     bl, 1
    ___:0051FFB4                 pop     esi
    ___:0051FFB5                 setnz   al
    ___:0051FFB8                 pop     ebx
    ___:0051FFB9                 xor     ecx, esp
    ___:0051FFBB                 call    sub_6EFAAF
    ___:0051FFC0                 mov     esp, ebp
    ___:0051FFC2                 pop     ebp
    ___:0051FFC3                 retn    0Ch
    ___:0051FFC6 ; ---------------------------------------------------------------------------
    ___:0051FFC6
    ___:0051FFC6 loc_51FFC6:                             ; CODE XREF: sub_51FF20+40j
    ___:0051FFC6                 cmp     eax, 10101h
    ___:0051FFCB                 jz      loc_520085
    ___:0051FFD1                 cmp     eax, 10503h
    ___:0051FFD6                 jz      loc_520085
    ___:0051FFDC                 cmp     eax, 10104h
    ___:0051FFE1                 jz      loc_520085
    ___:0051FFE7                 cmp     eax, 10303h
    ___:0051FFEC                 jnz     short loc_520001
    ___:0051FFEE                 mov     ecx, 0Dh
    ___:0051FFF3                 mov     esi, offset aAPossibleSpeed ; "A possible Speed Hack has been detected"...
    ___:0051FFF8                 lea     edi, [esp+420h+var_410]
    ___:0051FFFC                 jmp     loc_51FF70
    ___:00520001 ; ---------------------------------------------------------------------------
    ___:00520001
    ___:00520001 loc_520001:                             ; CODE XREF: sub_51FF20+CCj
    ___:00520001                 cmp     eax, 10307h
    ___:00520006                 jz      loc_5200A3
    ___:0052000C                 cmp     eax, 10308h
    ___:00520011                 jz      loc_5200A3
    ___:00520017                 cmp     eax, 10601h
    ___:0052001C                 jnz     short loc_520031
    ___:0052001E                 mov     ecx, 10h
    ___:00520023                 mov     esi, offset aMemoryAccessHa ; "Memory access has been detected. \nThe p"...
    ___:00520028                 lea     edi, [esp+420h+var_410]
    ___:0052002C                 jmp     loc_51FF70
    ___:00520031 ; ---------------------------------------------------------------------------
    ___:00520031
    ___:00520031 loc_520031:                             ; CODE XREF: sub_51FF20+FCj
    ___:00520031                 cmp     eax, 10102h
    ___:00520036                 jz      short loc_52008C
    ___:00520038                 cmp     eax, 10302h
    ___:0052003D                 jz      short loc_52008C
    ___:0052003F                 cmp     eax, 10301h
    ___:00520044                 jz      short loc_52008C
    ___:00520046                 cmp     eax, 10306h
    ___:0052004B                 jz      short loc_52008C
    ___:0052004D                 cmp     eax, 10701h
    ___:00520052                 jz      short loc_52008C
    ___:00520054
    ___:00520054 loc_520054:                             ; DATA XREF: ___:00778928o
    ___:00520054                 cmp     eax, 10702h
    ___:00520059                 jz      short loc_52008C
    ___:0052005B                 cmp     eax, 10703h
    ___:00520060                 jz      short loc_52008C
    ___:00520062                 cmp     eax, 10704h
    ___:00520067                 jz      short loc_52008C
    ___:00520069                 cmp     eax, 10A01h
    ___:0052006E                 jz      short loc_52008C
    ___:00520070                 cmp     eax, 10705h
    ___:00520075                 jz      short loc_52008C
    ___:00520077                 cmp     eax, 10706h
    ___:0052007C                 jz      short loc_52008C
    ___:0052007E                 cmp     eax, 10001h
    ___:00520083                 jz      short loc_52008C
    ___:00520085
    ___:00520085 loc_520085:                             ; CODE XREF: sub_51FF20+ABj
    ___:00520085                                         ; sub_51FF20+B6j ...
    ___:00520085                 xor     bl, bl
    ___:00520087                 jmp     loc_51FFA7
    ___:0052008C ; ---------------------------------------------------------------------------
    ___:0052008C
    ___:0052008C loc_52008C:                             ; CODE XREF: sub_51FF20+116j
    ___:0052008C                                         ; sub_51FF20+11Dj ...
    ___:0052008C                 mov     ecx, 11h
    ___:00520091                 mov     esi, offset aAnErrorHasOccu ; "An error has occurred with HackShield. "...
    ___:00520096                 lea     edi, [esp+420h+var_410]
    ___:0052009A                 rep movsd
    ___:0052009C                 movsw
    ___:0052009E                 jmp     loc_51FF72
    ___:005200A3 ; ---------------------------------------------------------------------------
    ___:005200A3
    ___:005200A3 loc_5200A3:                             ; CODE XREF: sub_51FF20+E6j
    ___:005200A3                                         ; sub_51FF20+F1j
    ___:005200A3                 mov     ecx, 10h
    ___:005200A8                 mov     esi, offset aADebuggingAtte ; "A debugging attempt has occurred. \nThe "...
    ___:005200AD                 lea     edi, [esp+420h+var_410]
    ___:005200B1                 rep movsd
    ___:005200B3                 movsb
    ___:005200B4                 jmp     loc_51FF72
    ___:005200B4 sub_51FF20      endp
    ___:005200B4
    ___:005200B4 ; ---------------------------------------------------------------------------
    ___:005200B9                 align 10h
    ___:005200C0 dword_5200C0    dd 0CB8EC81h, 0B4A10000h, 33007F85h, 248489C4h, 0CB4h
    ___:005200C0                                         ; DATA XREF: ___:0052069Fo
    ___:005200C0                 dd 0DB335653h, 24BC8B57h, 0CC8h, 6B181D38h, 850F0080h
    ___:005200C0                 dd 5E1h, 78055868h, 11BAE800h, 0E850FFF4h, 0FFF40F64h
    ___:005200C0                 dd 3908C483h, 806B141Dh, 68397500h, 12Ch, 0F76C0FE8h, 4C483FFh
    ___:005200C0                 dd 2174C33Bh, 4C00C7h, 58890078h, 8588804h, 0C7095888h
    ___:005200C0                 dd 0F2440h, 58890000h, 10588820h, 0EB285888h, 0A3C03302h
    ___:005200C0                 dd 806B14h, 10468h, 24848D00h, 4C4h, 54E85350h, 90004E13h
    ___:005200C0                 dd 0C0248C8Dh, 6A000004h, 8DE8515Ch, 83001D07h, 0C33B08C4h
    ___:005200C0                 dd 0C7840Fh, 58880000h, 0EBC03301h, 24A48D0Bh, 0
    ___:0052017C                 align 10h
    ___:00520180
    ___:00520180 loc_520180:                             ; CODE XREF: ___:00520191j
    ___:00520180                 mov     cl, [esp+eax+4C0h]
    ___:00520187                 mov     [esp+eax+8C0h], cl
    ___:0052018E                 inc     eax
    ___:0052018F                 cmp     cl, bl
    ___:00520191                 jnz     short loc_520180
    ___:00520193                 lea     eax, [esp+8C0h]
    ___:0052019A                 dec     eax
    ___:0052019B                 jmp     short loc_5201A0
    ___:0052019B ; ---------------------------------------------------------------------------
    ___:0052019D                 align 10h
    ___:005201A0
    ___:005201A0 loc_5201A0:                             ; CODE XREF: ___:0052019Bj
    ___:005201A0                                         ; ___:005201A6j
    ___:005201A0                 mov     cl, [eax+1]
    ___:005201A3                 inc     eax
    ___:005201A4                 cmp     cl, bl
    ___:005201A6                 jnz     short loc_5201A0
    ___:005201A8                 mov     edx, dword_78054C
    ___:005201AE                 mov     ecx, dword_780550
    ___:005201B4                 mov     [eax], edx
    ___:005201B6                 mov     dl, byte_780554
    ___:005201BC                 mov     [eax+4], ecx
    ___:005201BF                 mov     [eax+8], dl
    ___:005201C2                 mov     edx, dword_806B14
    ___:005201C8                 lea     ecx, [esp+4C0h]
    ___:005201CF                 add     edx, 28h
    ___:005201D2
    ___:005201D2 loc_5201D2:                             ; CODE XREF: ___:005201DAj
    ___:005201D2                 mov     al, [ecx]
    ___:005201D4                 mov     [edx], al
    ___:005201D6                 inc     ecx
    ___:005201D7                 inc     edx
    ___:005201D8                 cmp     al, bl
    ___:005201DA                 jnz     short loc_5201D2
    ___:005201DC                 push    0EA60h
    ___:005201E1                 push    927C0h
    ___:005201E6                 lea     eax, [esp+8C8h]
    ___:005201ED                 push    eax
    ___:005201EE                 call    sub_72C426
    ___:005201F3                 mov     esi, eax
    ___:005201F5                 cmp     esi, ebx
    ___:005201F7                 jz      short loc_52024F
    ___:005201F9                 push    offset aHsupdateFailed ; "HSUpdate failed"
    ___:005201FE                 call    near ptr dword_461080+230h
    ___:00520203                 push    eax
    ___:00520204                 call    sub_461060
    ___:00520209                 push    esi
    ___:0052020A                 lea     ecx, [esp+3C8h]
    ___:00520211                 push    offset aFailToUpdatePr ; "Fail to update protection modules! - Er"...
    ___:00520216                 push    ecx
    ___:00520217                 call    sub_6F0A3E
    ___:0052021C                 add     esp, 14h
    ___:0052021F                 push    10h
    ___:00520221                 push    offset aCombatarms ; "CombatArms"
    ___:00520226                 lea     edx, [esp+3C4h]
    ___:0052022D                 push    edx
    ___:0052022E                 push    ebx
    ___:0052022F                 call    near ptr 36006D1h
    ___:00520234                 nop
    ___:00520235
    ___:00520235 loc_520235:                             ; CODE XREF: ___:00520442j
    ___:00520235                 xor     al, al
    ___:00520237                 pop     edi
    ___:00520238                 pop     esi
    ___:00520239                 pop     ebx
    ___:0052023A                 mov     ecx, [esp+0CB4h]
    ___:00520241                 xor     ecx, esp
    ___:00520243                 call    sub_6EFAAF
    ___:00520248                 add     esp, 0CB8h
    ___:0052024E                 retn
    ___:0052024F ; ---------------------------------------------------------------------------
    ___:0052024F
    ___:0052024F loc_52024F:                             ; CODE XREF: ___:005201F7j
    ___:0052024F                 lea     eax, [esp+4C0h]
    ___:00520256                 dec     eax
    ___:00520257
    ___:00520257 loc_520257:                             ; CODE XREF: ___:0052025Dj
    ___:00520257                 mov     cl, [eax+1]
    ___:0052025A                 inc     eax
    ___:0052025B                 cmp     cl, bl
    ___:0052025D                 jnz     short loc_520257
    ___:0052025F                 mov     ecx, dword_7804E4
    ___:00520265                 mov     edx, dword_7804E8
    ___:0052026B                 mov     [eax], ecx
    ___:0052026D                 mov     ecx, dword_7804EC
    ___:00520273                 mov     [eax+4], edx
    ___:00520276                 mov     edx, dword_7804F0
    ___:0052027C                 mov     [eax+8], ecx
    ___:0052027F                 mov     cx, word_7804F4
    ___:00520286                 mov     [eax+0Ch], edx
    ___:00520289                 push    100h
    ___:0052028E                 lea     edx, [esp+3C1h]
    ___:00520295                 push    ebx
    ___:00520296                 push    edx
    ___:00520297                 mov     [eax+10h], cx
    ___:0052029B                 call    sub_6F0090
    ___:005202A0                 mov     eax, dword_7804D4
    ___:005202A5                 mov     ecx, dword_7804D8
    ___:005202AB                 mov     edx, dword_7804DC
    ___:005202B1                 push    30Ch
    ___:005202B6                 mov     [esp+3D4h], edx
    ___:005202BD                 mov     [esp+3CCh], eax
    ___:005202C4                 mov     ax, word_7804E0
    ___:005202CA                 mov     [esp+3D0h], ecx
    ___:005202D1                 mov     cl, byte_7804E2
    ___:005202D7                 lea     edx, [esp+1Ch]
    ___:005202DB                 push    ebx
    ___:005202DC                 push    edx
    ___:005202DD                 mov     [esp+3E0h], ax
    ___:005202E5                 mov     [esp+3E2h], cl
    ___:005202EC                 call    sub_6F0090
    ___:005202F1                 add     esp, 18h
    ___:005202F4                 xor     eax, eax
    ___:005202F6                 jmp     short loc_520300
    ___:005202F6 ; ---------------------------------------------------------------------------
    ___:005202F8                 align 10h
    ___:00520300
    ___:00520300 loc_520300:                             ; CODE XREF: ___:005202F6j
    ___:00520300                                         ; ___:0052030Ej
    ___:00520300                 mov     cl, [esp+eax+3BCh]
    ___:00520307                 mov     [esp+eax+0Ch], cl
    ___:0052030B                 inc     eax
    ___:0052030C                 cmp     cl, bl
    ___:0052030E                 jnz     short loc_520300
    ___:00520310                 mov     eax, dword ptr aUnknown_0 ; "Unknown"
    ___:00520315                 mov     ecx, dword ptr aUnknown_0+4
    ___:0052031B                 push    offset aVer     ; "-Ver"
    ___:00520320                 push    edi
    ___:00520321                 mov     [esp+21Ch], eax
    ___:00520328                 mov     [esp+220h], ecx
    ___:0052032F                 call    sub_6F5EA0
    ___:00520334                 mov     esi, eax
    ___:00520336                 add     esp, 8
    ___:00520339                 cmp     esi, ebx
    ___:0052033B                 jz      short loc_5203B3
    ___:0052033D                 mov     eax, offset aVer ; "-Ver"
    ___:00520342                 lea     edx, [eax+1]
    ___:00520345
    ___:00520345 loc_520345:                             ; CODE XREF: ___:0052034Aj
    ___:00520345                 mov     cl, [eax]
    ___:00520347                 inc     eax
    ___:00520348                 cmp     cl, bl
    ___:0052034A                 jnz     short loc_520345
    ___:0052034C                 sub     eax, edx
    ___:0052034E                 push    103h
    ___:00520353                 lea     edx, [esp+3C1h]
    ___:0052035A                 push    ebx
    ___:0052035B                 push    edx
    ___:0052035C                 add     esi, eax
    ___:0052035E                 mov     [esp+3C8h], bl
    ___:00520365                 call    sub_6F0090
    ___:0052036A                 mov     al, [esi]
    ___:0052036C                 add     esp, 0Ch
    ___:0052036F                 xor     ecx, ecx
    ___:00520371                 cmp     al, bl
    ___:00520373                 jz      short loc_520388
    ___:00520375
    ___:00520375 loc_520375:                             ; CODE XREF: ___:00520386j
    ___:00520375                 cmp     al, 20h
    ___:00520377                 jz      short loc_520388
    ___:00520379                 inc     esi
    ___:0052037A                 mov     [esp+ecx+3BCh], al
    ___:00520381                 mov     al, [esi]
    ___:00520383                 inc     ecx
    ___:00520384                 cmp     al, bl
    ___:00520386                 jnz     short loc_520375
    ___:00520388
    ___:00520388 loc_520388:                             ; CODE XREF: ___:00520373j
    ___:00520388                                         ; ___:00520377j
    ___:00520388                 cmp     ecx, ebx
    ___:0052038A                 mov     [esp+ecx+3BCh], bl
    ___:00520391                 jle     short loc_5203B3
    ___:00520393                 xor     eax, eax
    ___:00520395                 jmp     short loc_5203A0
    ___:00520395 ; ---------------------------------------------------------------------------
    ___:00520397                 align 10h
    ___:005203A0
    ___:005203A0 loc_5203A0:                             ; CODE XREF: ___:00520395j
    ___:005203A0                                         ; ___:005203B1j
    ___:005203A0                 mov     cl, [esp+eax+3BCh]
    ___:005203A7                 mov     [esp+eax+214h], cl
    ___:005203AE                 inc     eax
    ___:005203AF                 cmp     cl, bl
    ___:005203B1                 jnz     short loc_5203A0
    ___:005203B3
    ___:005203B3 loc_5203B3:                             ; CODE XREF: ___:0052033Bj
    ___:005203B3                                         ; ___:00520391j
    ___:005203B3                 lea     eax, [esp+214h]
    ___:005203BA                 push    eax
    ___:005203BB                 lea     ecx, [esp+10h]
    ___:005203BF                 push    ecx
    ___:005203C0                 push    offset aTryingConnectT ; "trying connect to HSMS IP[%s] VER[%s]"
    ___:005203C5                 call    near ptr dword_461080+230h
    ___:005203CA                 push    eax
    ___:005203CB                 call    sub_461060
    ___:005203D0                 add     esp, 10h
    ___:005203D3                 lea     edx, [esp+4C0h]
    ___:005203DA                 push    edx
    ___:005203DB                 sub     esp, 30Ch
    ___:005203E1                 mov     edi, esp
    ___:005203E3                 mov     ecx, 0C3h
    ___:005203E8                 lea     esi, [esp+31Ch]
    ___:005203EF                 rep movsd
    ___:005203F1                 call    sub_72A31A
    ___:005203F6                 cmp     eax, ebx
    ___:005203F8                 jz      short loc_52040E
    ___:005203FA                 push    eax
    ___:005203FB                 push    offset aFailedToConnec ; "Failed to connect hsms [%d]"
    ___:00520400                 call    near ptr dword_461080+230h
    ___:00520405                 push    eax
    ___:00520406                 call    sub_461060
    ___:0052040B                 add     esp, 0Ch
    ___:0052040E
    ___:0052040E loc_52040E:                             ; CODE XREF: ___:005203F8j
    ___:0052040E                 push    77h
    ___:00520410                 lea     eax, [esp+349h]
    ___:00520417                 push    ebx
    ___:00520418                 push    eax
    ___:00520419                 mov     [esp+350h], bl
    ___:00520420                 call    sub_6F0090
    ___:00520425                 add     esp, 0Ch
    ___:00520428                 call    sub_461490
    ___:0052042D                 mov     edx, [eax]
    ___:0052042F                 mov     edx, [edx+8]
    ___:00520432                 push    2Ch
    ___:00520434                 lea     ecx, [esp+31Ch]
    ___:0052043B                 push    ecx
    ___:0052043C                 mov     ecx, eax
    ___:0052043E                 call    edx
    ___:00520440                 test    al, al
    ___:00520442                 jz      loc_520235
    ___:00520448                 call    sub_461490
    ___:0052044D                 mov     edx, [eax]
    ___:0052044F                 mov     edx, [edx+4]
    ___:00520452                 push    2Ch
    ___:00520454                 lea     ecx, [esp+31Ch]
    ___:0052045B                 push    ecx
    ___:0052045C                 mov     ecx, eax
    ___:0052045E                 call    edx
    ___:00520460                 cmp     dword ptr [esp+318h], 0FF2F3A99h
    ___:0052046B                 jnz     short loc_52048C
    ___:0052046D                 lea     eax, [esp+31Ch]
    ___:00520474                 push    eax
    ___:00520475                 lea     ecx, [esp+348h]
    ___:0052047C                 push    offset dword_780474
    ___:00520481                 push    ecx
    ___:00520482                 call    sub_6F0A3E
    ___:00520487                 add     esp, 0Ch
    ___:0052048A                 jmp     short loc_5204CB
    ___:0052048C ; ---------------------------------------------------------------------------
    ___:0052048C
    ___:0052048C loc_52048C:                             ; CODE XREF: ___:0052046Bj
    ___:0052048C                 mov     edx, dword_780460
    ___:00520492                 mov     eax, dword_780464
    ___:00520497                 mov     ecx, dword_780468
    ___:0052049D                 mov     [esp+344h], edx
    ___:005204A4                 mov     edx, dword_78046C
    ___:005204AA                 mov     [esp+348h], eax
    ___:005204B1                 mov     eax, dword_780470
    ___:005204B6                 mov     [esp+34Ch], ecx
    ___:005204BD                 mov     [esp+350h], edx
    ___:005204C4                 mov     [esp+354h], eax
    ___:005204CB
    ___:005204CB loc_5204CB:                             ; CODE XREF: ___:0052048Aj
    ___:005204CB                 lea     ecx, [esp+344h]
    ___:005204D2                 push    ecx
    ___:005204D3                 call    sub_72A4EB
    ___:005204D8                 push    4
    ___:005204DA                 push    43083DBEh
    ___:005204DF                 push    offset a56272884ac87c6 ; "56272884AC87C637CFC4FE56"
    ___:005204E4                 push    26AFh
    ___:005204E9                 push    offset sub_51FF20
    ___:005204EE                 lea     edx, [esp+4D4h]
    ___:005204F5                 push    edx
    ___:005204F6                 call    sub_729662
    ___:005204FB                 mov     ecx, dword_806B14
    ___:00520501                 mov     [ecx+4], eax
    ___:00520504                 mov     ecx, dword_806B14
    ___:0052050A                 cmp     dword ptr [ecx+4], 107h
    ___:00520511                 jnz     short loc_52054E
    ___:00520513                 call    sub_51FA50
    ___:00520518                 test    al, al
    ___:0052051A                 jz      short loc_520548
    ___:0052051C                 push    4
    ___:0052051E                 push    43083DBEh
    ___:00520523                 push    offset a56272884ac87c6 ; "56272884AC87C637CFC4FE56"
    ___:00520528                 push    26AFh
    ___:0052052D                 push    offset sub_51FF20
    ___:00520532                 lea     edx, [esp+4D4h]
    ___:00520539                 push    edx
    ___:0052053A                 call    sub_729662
    ___:0052053F                 mov     ecx, dword_806B14
    ___:00520545                 mov     [ecx+4], eax
    ___:00520548
    ___:00520548 loc_520548:                             ; CODE XREF: ___:0052051Aj
    ___:00520548                 mov     ecx, dword_806B14
    ___:0052054E
    ___:0052054E loc_52054E:                             ; CODE XREF: ___:00520511j
    ___:0052054E                 mov     eax, [ecx+4]
    ___:00520551                 cmp     eax, ebx
    ___:00520553                 jz      loc_520620
    ___:00520559                 cmp     eax, 103h
    ___:0052055E                 jnz     short loc_52056D
    ___:00520560                 push    ebx
    ___:00520561                 push    offset aCombatarms ; "CombatArms"
    ___:00520566                 push    offset aAnotherInstanc ; "Another instance of this game is runnin"...
    ___:0052056B                 jmp     short loc_5205E2
    ___:0052056D ; ---------------------------------------------------------------------------
    ___:0052056D
    ___:0052056D loc_52056D:                             ; CODE XREF: ___:0052055Ej
    ___:0052056D                 cmp     eax, 101h
    ___:00520572                 jnz     short loc_520581
    ___:00520574                 push    ebx
    ___:00520575                 push    offset aCombatarms ; "CombatArms"
    ___:0052057A                 push    offset aAnInvalidFileH ; "An invalid file has been installed.  \nP"...
    ___:0052057F                 jmp     short loc_5205E2
    ___:00520581 ; ---------------------------------------------------------------------------
    ___:00520581
    ___:00520581 loc_520581:                             ; CODE XREF: ___:00520572j
    ___:00520581                 cmp     eax, 105h
    ___:00520586                 jnz     short loc_520595
    ___:00520588                 push    ebx
    ___:00520589                 push    offset aCombatarms ; "CombatArms"
    ___:0052058E                 push    offset aDebuggerActivi ; "Debugger activity has been detected.  \n"...
    ___:00520593                 jmp     short loc_5205E2
    ___:00520595 ; ---------------------------------------------------------------------------
    ___:00520595
    ___:00520595 loc_520595:                             ; CODE XREF: ___:00520586j
    ___:00520595                 cmp     eax, 107h
    ___:0052059A                 jnz     short loc_5205A9
    ___:0052059C                 push    ebx
    ___:0052059D                 push    offset aCombatarms ; "CombatArms"
    ___:005205A2                 push    offset aYouNeedAdminis ; "You need Administrative authority to ru"...
    ___:005205A7                 jmp     short loc_5205E2
    ___:005205A9 ; ---------------------------------------------------------------------------
    ___:005205A9
    ___:005205A9 loc_5205A9:                             ; CODE XREF: ___:0052059Aj
    ___:005205A9                 cmp     eax, 4
    ___:005205AC                 jnz     short loc_5205BB
    ___:005205AE                 push    ebx
    ___:005205AF                 push    offset aCombatarms ; "CombatArms"
    ___:005205B4                 push    offset aTheProgramIsRu ; "The program is running on compatibility"...
    ___:005205B9                 jmp     short loc_5205E2
    ___:005205BB ; ---------------------------------------------------------------------------
    ___:005205BB
    ___:005205BB loc_5205BB:                             ; CODE XREF: ___:005205ACj
    ___:005205BB                 mov     edx, eax
    ___:005205BD                 push    edx
    ___:005205BE                 lea     eax, [esp+3C0h]
    ___:005205C5                 push    offset aAnErrorHasOc_0 ; "An error has occurred with the hack pre"...
    ___:005205CA                 push    eax
    ___:005205CB                 call    near ptr word_A78DCE
    ___:005205D0                 nop
    ___:005205D1                 add     esp, 0Ch
    ___:005205D4                 push    ebx
    ___:005205D5                 push    offset aCombatarms ; "CombatArms"
    ___:005205DA                 lea     ecx, [esp+3C4h]
    ___:005205E1                 push    ecx
    ___:005205E2
    ___:005205E2 loc_5205E2:                             ; CODE XREF: ___:0052056Bj
    ___:005205E2                                         ; ___:0052057Fj ...
    ___:005205E2                 push    ebx
    ___:005205E3                 call    near ptr 36006D1h
    ___:005205E8                 nop
    ___:005205E9                 mov     edx, dword_806B14
    ___:005205EF                 mov     eax, [edx+4]
    ___:005205F2                 push    eax
    ___:005205F3                 push    offset aFailedTo_ahnhs ; "Failed to _AhnHS_Initialize [%d]"
    ___:005205F8                 call    near ptr dword_461080+230h
    ___:005205FD                 push    eax
    ___:005205FE                 call    sub_461060
    ___:00520603                 add     esp, 0Ch
    ___:00520606                 xor     al, al
    ___:00520608                 pop     edi
    ___:00520609                 pop     esi
    ___:0052060A                 pop     ebx
    ___:0052060B                 mov     ecx, [esp+0CB4h]
    ___:00520612                 xor     ecx, esp
    ___:00520614                 call    sub_6EFAAF
    ___:00520619                 add     esp, 0CB8h
    ___:0052061F                 retn
    ___:00520620 ; ---------------------------------------------------------------------------
    ___:00520620
    ___:00520620 loc_520620:                             ; CODE XREF: ___:00520553j
    ___:00520620                 call    sub_7297DC
    ___:00520625                 mov     ecx, dword_806B14
    ___:0052062B                 mov     [ecx+4], eax
    ___:0052062E                 mov     eax, dword_806B14
    ___:00520633                 cmp     [eax+4], ebx
    ___:00520636                 jz      short loc_52069A
    ___:00520638                 mov     edx, [eax+4]
    ___:0052063B                 push    edx
    ___:0052063C                 push    offset aFailedTo_ahn_0 ; "Failed to _AhnHS_StartService [%d]"
    ___:00520641                 call    near ptr dword_461080+230h
    ___:00520646                 push    eax
    ___:00520647                 call    sub_461060
    ___:0052064C                 mov     eax, dword_806B14
    ___:00520651                 mov     ecx, [eax+4]
    ___:00520654                 push    ecx
    ___:00520655                 lea     edx, [esp+3CCh]
    ___:0052065C                 push    offset aAnErrorHasOc_0 ; "An error has occurred with the hack pre"...
    ___:00520661                 push    edx
    ___:00520662                 call    near ptr word_A78DCE
    ___:00520667                 nop
    ___:00520668                 add     esp, 18h
    ___:0052066B                 push    ebx
    ___:0052066C                 push    offset aCombatarms ; "CombatArms"
    ___:00520671                 lea     eax, [esp+3C4h]
    ___:00520678                 push    eax
    ___:00520679                 push    ebx
    ___:0052067A                 call    near ptr 36006D1h
    ___:0052067F                 nop
    ___:00520680                 xor     al, al
    ___:00520682                 pop     edi
    ___:00520683                 pop     esi
    ___:00520684                 pop     ebx
    ___:00520685                 mov     ecx, [esp+0CB4h]
    ___:0052068C                 xor     ecx, esp
    ___:0052068E                 call    sub_6EFAAF
    ___:00520693                 add     esp, 0CB8h
    ___:00520699                 retn
    ___:0052069A ; ---------------------------------------------------------------------------
    ___:0052069A
    ___:0052069A loc_52069A:                             ; CODE XREF: ___:00520636j
    ___:0052069A                 push    offset sub_51FB00
    ___:0052069F                 push    offset dword_5200C0
    ___:005206A4                 push    offset sub_51FF20
    ___:005206A9                 push    3
    ___:005206AB                 call    sub_729AA1
    ___:005206B0                 add     esp, 10h
    ___:005206B3                 push    offset aHackshieldInit ; "Hackshield initialized succeessfully"
    ___:005206B8                 mov     byte_806B18, 1
    ___:005206BF                 call    near ptr dword_461080+230h
    ___:005206C4                 push    eax
    ___:005206C5                 call    sub_461060
    ___:005206CA                 add     esp, 8
    ___:005206CD                 mov     ecx, [esp+0CC0h]
    ___:005206D4                 pop     edi
    ___:005206D5                 pop     esi
    ___:005206D6                 pop     ebx
    ___:005206D7                 xor     ecx, esp
    ___:005206D9                 mov     al, 1
    ___:005206DB                 call    sub_6EFAAF
    ___:005206E0                 add     esp, 0CB8h
    ___:005206E6                 retn
    ___:005206E6 ; ---------------------------------------------------------------------------
    ___:005206E7                 align 10h
    ___:005206F0                 dd offset byte_98EC81
    ___:005206F4                 dd 0B4A10000h, 33007F85h, 248489C4h, 94h, 946856h, 448D0000h
    ___:005206F4                 dd 6A0824h, 0E8F18B50h, 1CF978h, 8D0CC483h, 5104244Ch
    ___:005206F4                 dd 82444C7h, 94h, 0EFF8D3E8h, 7C839002h, 75021424h, 90016A08h
    ___:005206F4                 dd 62A5A2E8h, 470DE876h, 8B907662h, 98248Ch, 2CA30000h
    ___:005206F4                 dd 8B00806Bh, 0CC335EC6h, 1CF356E8h, 98C48100h, 0C3000000h
    ___:005206F4                 dd 98EC81h, 0B4A10000h, 33007F85h, 248489C4h, 94h, 9468h
    ___:005206F4                 dd 24448D00h, 50006A04h, 1CF90BE8h, 0CC48300h, 51240C8Dh
    ___:005206F4                 dd 42444C7h, 94h, 0EFF867E8h, 7C839002h, 75021024h, 90016A08h
    ___:005206F4                 dd 62A5FCE8h, 248C8B76h, 94h, 0F8E8CC33h, 81001CF2h, 98C4h
    ___:005206F4                 dd 0CCCCC300h

    What do you guys think?

    Tekk


    #2 CodeDemon
    Interesting. Thanks for sharing. I'm not sure if this has been attempted before, but it seems too easy.

    #3 whit
    Nice find, but it looks too good to be true...

    #4 ppl2pass
    I bet you are the next Gordon.

    #5 Crash
    I've heard Hackshield has multiple check functions that check check functions.

    You need to disable a whole bunch of them.

    There might be another way to get past the check functions though you would need to ask some people who know more about HS.


    #6 Tony Stark`
    Idk where you got this, and if you made it, props, but I smell a revolution in hacking.

    #7 Synns
    The problem is being able to modify EhSvc.dll itself without it being detected. There used to be a scanning tool in Engine.exe, but they removed it a few patches ago.
    Last edited by Synns; 09-08-2010 at 01:06 PM.

    #8 Tekkn0logik
    Quote, originally posted by Tyrannus:
        The problem is being able to modify EhSvc.dll itself without it being detected.
    If this stuff is really applicable, there will be no need to modify any files except Engine.exe itself, and that only at runtime.

    #9 Synns
    Quote, originally posted by Tekkn0logik:
        If this stuff is really applicable, there will be no need to modify any files except Engine.exe itself, and that only at runtime.
    Sorry, I re-edited my post. 0x51FF20 used to be there to detect memory changes in CShell.dll and Engine.exe. They took it out a few patches ago. There are many public hacks out there that can modify CShell.dll and Engine.exe without a bypass of some sort, so, /.

    #10 mmbob
    I'm fairly sure that HS itself will exit the application too. It doesn't have to return a value, it will just close.

    #11 Tibirius
    Won't work, Nexon's smarter than this.

    #12 Kallisti
    Quote, originally posted by Tibirius:
        Won't work, Nexon's smarter than this.
    Exactly why people made bypasses before.

    #13 whit
    Quote, originally posted by Tibirius:
        Won't work, Nexon's smarter than this.
    Actually, Nexon's kinda stupid... until lately, when I think they hired someone to find these hacks and get them detected...

    Or it could have just been that everyone was using the same damn hook.../

    #14 Kallisti
    Quote, originally posted by whit:
        Actually, Nexon's kinda stupid... until lately, when I think they hired someone to find these hacks and get them detected...

        Or it could have just been that everyone was using the same damn hook.../
    I'm a nexon spy for them.

    #15 Drake.
    Quote, originally posted by Kallisti:
        I'm a nexon spy for them.
    Facepalm?

    msg2short
