  1. #1
    Departure's Avatar

    Ideas Anti Detection

    Well, I was thinking today after seeing a post that someone changed the name of a dll hack to make it undetected (I am still skeptical about this), but was thinking this would be an easy implementation to include in an injector. I was also thinking that adding an overlay to the dll will help make it undetected because its CRC32 hash, or any hash for that matter, would change; thus if HS do detect by size or hash, adding an overlay (pumping random bytes to EOF) would prevent this type of detection and could once again be easy to implement in an injector. There is one detection I am 80% sure of, and this is if you have Google Chrome (in my case) with the MPGH site up, CA crashes. I have tested this more than once and it happens every time I have MPGH open in my browser. Anyway, I'd like anyone else that knows a bit about HS to post here what else they detect, and maybe we can come up with solutions. I will be including the above solution in D-Jector, which might help with detections.


    All ideas and information welcome.....

  2. #2
    freedompeace's Avatar
    Quote Originally Posted by Departure View Post
    Well, I was thinking today after seeing a post that someone changed the name of a dll hack to make it undetected (I am still skeptical about this), but was thinking this would be an easy implementation to include in an injector. I was also thinking that adding an overlay to the dll will help make it undetected because its CRC32 hash, or any hash for that matter, would change; thus if HS do detect by size or hash, adding an overlay (pumping random bytes to EOF) would prevent this type of detection and could once again be easy to implement in an injector. There is one detection I am 80% sure of, and this is if you have Google Chrome (in my case) with the MPGH site up, CA crashes. I have tested this more than once and it happens every time I have MPGH open in my browser. Anyway, I'd like anyone else that knows a bit about HS to post here what else they detect, and maybe we can come up with solutions. I will be including the above solution in D-Jector, which might help with detections.


    All ideas and information welcome.....
    Yeah, that works lol. They sometimes do detect filenames + hashes... (I've had that happen to me - renaming / modifying the code (by adding another byte to it) made it "undetected" again)

    However.. This usually isn't a problem, as you'll need to update every 15 days or so due to the HackShield + Combat Arms update cycle anyway.

  3. #3
    whit's Avatar
    I think that's what they do when they have a Silent Patch (or whatever they call it)..
    All you have to do is recompile your hack, but then you would have to release again blah blah
    So if you make an injector that will change it on injection, then my friend you could change the world

  5. #4
    Sydney's Avatar
    Best Way still is Unpack and pack again!

    Thanks Cosmos


  6. #5
    D-Vid the DBag's Avatar
    Quote Originally Posted by Departure View Post
    There is one detection I am 80% sure of, and this is if you have Google Chrome (in my case) with the MPGH site up, CA crashes. I have tested this more than once and it happens every time I have MPGH open in my browser.
    That sir, is incorrect.
    I don't know how you've managed to stumble across that problem,
    but I assure you that is not the case.

    I have MPGH open just about ANY time I play CombatArms and I use a google chrome-based browser.
    I usually USE Google Chrome, so even then... It doesn't crash. Maybe there's another factor played in the reason why you crash, and it's just a coincidence that it happens while you've got MPGH open.

  7. #6
    whit's Avatar
    Quote Originally Posted by D-Vid the DBag View Post


    That sir, is incorrect.
    I don't know how you've managed to stumble across that problem,
    but I assure you that is not the case.

    I have MPGH open just about ANY time I play CombatArms and I use a google chrome-based browser.
    I usually USE Google Chrome, so even then... It doesn't crash. Maybe there's another factor played in the reason why you crash, and it's just a coincidence that it happens while you've got MPGH open.
    It's not totally incorrect..
    Google Chrome is a program, and when you type mpgh.net that is a string. HackShield in turn scans for that string and you crash

  9. #7
    D-Vid the DBag's Avatar
    Quote Originally Posted by whit View Post


    It's not totally incorrect..
    Google Chrome is a program, and when you type mpgh.net that is a string. HackShield in turn scans for that string and you crash
    Okay, lemme rephrase that...
    WHEN I HAVE MPGH OPEN in ANY BROWSER, OR ANY HACKSITE OR ANY SITE PERIOD, I HAVE NEVER CRASHED BECAUSE OF IT.

  10. #8
    supercarz1991's Avatar
    Quote Originally Posted by D-Vid the DBag View Post


    Okay, lemme rephrase that...
    WHEN I HAVE MPGH OPEN in ANY BROWSER, OR ANY HACKSITE OR ANY SITE PERIOD, I HAVE NEVER CRASHED BECAUSE OF IT.
    I've never crashed with MPGH open either. I do however (rarely) crash sometimes when I alt tab out

  11. #9
    _Fk127_'s Avatar
    Quote Originally Posted by whit View Post


    It's not totally incorrect..
    Google Chrome is a program, and when you type mpgh.net that is a string. HackShield in turn scans for that string and you crash
    People should just download the source of GC and obfuscate all the shit

  12. #10
    Departure's Avatar
    I was thinking along the lines of what Whit said, as it's a common method used to scan processes and get the titles of each window. Anyway, besides that, implementing these random names and overlay is actually extremely easy to do for an injector. It's just a simple matter of making a copy of the original dll, making a random string to name it, opening it as a stream and placing some random bytes at EOF (you could do this during the copy process of the original dll). Because it's at EOF the code never gets executed and it's just an overlay type of thing. As a matter of fact we could use the random string that we used for the name of the dll, and use that to append to the EOF, which would give us our random bytes, or just add that string as a resource string instead of adding to EOF.
    Last edited by Departure; 02-21-2011 at 07:01 PM.
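
Added example (not part of any post in this thread, and not HackShield's or D-Jector's code): seen from the detection side, it shows why a whole-file hash is a brittle signature against the appended-overlay idea discussed above, and how a digest over PE section contents stays stable when trailing bytes are added. The sample image is a constructed, non-loadable PE skeleton, and all function names are hypothetical.

```python
import hashlib
import struct

def sections(image: bytes):
    """Yield (name, raw_offset, raw_size) for every PE section header."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe, = struct.unpack_from("<I", image, 0x3C)           # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    count, = struct.unpack_from("<H", image, pe + 6)      # NumberOfSections
    opt_size, = struct.unpack_from("<H", image, pe + 20)  # SizeOfOptionalHeader
    table = pe + 24 + opt_size                            # first section header
    for i in range(count):
        hdr = table + 40 * i
        raw_size, raw_off = struct.unpack_from("<II", image, hdr + 16)
        yield image[hdr:hdr + 8].rstrip(b"\0"), raw_off, raw_size

def overlay_size(image: bytes) -> int:
    """Bytes stored after the last section's raw data (0 if none)."""
    end = max((off + size for _, off, size in sections(image)),
              default=len(image))
    return max(len(image) - end, 0)

def section_digest(image: bytes) -> str:
    """SHA-256 over section names and raw contents; the overlay is ignored."""
    h = hashlib.sha256()
    for name, off, size in sorted(sections(image), key=lambda s: s[1]):
        h.update(name + b"\0" + image[off:off + size])
    return h.hexdigest()

def build_sample_image(code: bytes) -> bytes:
    """Constructed, non-loadable PE skeleton: DOS header, COFF header, .text."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)      # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x2102)
    raw_off = len(dos) + len(coff) + 40                   # data follows header
    text = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", len(code), 0x1000, len(code), raw_off,
        0, 0, 0, 0, 0x60000020)
    return dos + coff + text + code

if __name__ == "__main__":
    clean = build_sample_image(b"\x90" * 32)              # constructed sample
    padded = clean + b"constructed trailing bytes"
    print("file hashes equal:",
          hashlib.sha256(clean).digest() == hashlib.sha256(padded).digest())
    print("section digests equal:", section_digest(clean) == section_digest(padded))
    print("overlay bytes:", overlay_size(padded))
```

A non-zero `overlay_size` on a module that normally has none is itself a cheap signal worth logging alongside the section digest.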

  13. #11
    _Fk127_'s Avatar
    Quote Originally Posted by Departure View Post
    I was thinking along the lines of what Whit said, as it's a common method used to scan processes and get the titles of each window. Anyway, besides that, implementing these random names and overlay is actually extremely easy to do for an injector. It's just a simple matter of making a copy of the original dll, making a random string to name it, opening it as a stream and placing some random bytes at EOF (you could do this during the copy process of the original dll). Because it's at EOF the code never gets executed and it's just an overlay type of thing. As a matter of fact we could use the random string that we used for the name of the dll, and use that to append to the EOF, which would give us our random bytes.
    Wow, this is a great idea! I would love to see this in your injector along with the new combo-box I suggested.

  14. #12
    Departure's Avatar
    Yeap, I will be adding that today after a few tests have been carried out. For example, the injector has an option to close itself after injection, but if we have made a copy of the dll I need the injector to monitor the Engine process so when it closes it will delete the copied dll from HD, otherwise we end up with a heap of duplicates with different names. The injector already monitors the selected process anyway if it hasn't been set to auto close... I am thinking to make a temp directory with a unique name, and when the injector first loads again it can delete this directory (which contains all the copies of the dlls), thus removing the clutter of multiple dlls. I will think about it later today how to remove copied dlls if the injector is set to close on injection, and hopefully come up with a solution that won't clutter the user's HD with heaps of dlls.

  15. #13
    Void's Avatar
    Departure, I've seen your supposedly undetected new method of injecting, and now you're bringing this up.. Kinda useless imo, probably a bit mean but true. HS doesn't give a shit if you inject. They hook the functions they want no one else to hook and check where it's returning; if it's returning to an unknown module then they detected something.

    Srs, they don't care if you inject. Idk if you've noticed, but you can inject a DLL that does nothing and you will never crash.

  16. #14
    Nubzgetkillz's Avatar
    Quote Originally Posted by Void View Post
    Departure, I've seen your supposedly undetected new method of injecting, and now you're bringing this up.. Kinda useless imo, probably a bit mean but true. HS doesn't give a shit if you inject. They hook the functions they want no one else to hook and check where it's returning; if it's returning to an unknown module then they detected something.

    Srs, they don't care if you inject. Idk if you've noticed, but you can inject a DLL that does nothing and you will never crash.
    This is very true.

    @everyone
    Unlike other games, Combat Arms would take any injection as long as the .dll is not meant to crash it on purpose.

    Like for example, Crossfire detects injections if not hooked/whatever correctly. If you inject a hack that has very bad coding or is just detected, it will crash at start.

    lol idk what I am saying! goodbye

  17. #15
    Departure's Avatar
    Quote Originally Posted by Void View Post
    Departure, I've seen your supposedly undetected new method of injecting, and now you're bringing this up.. Kinda useless imo, probably a bit mean but true. HS doesn't give a shit if you inject. They hook the functions they want no one else to hook and check where it's returning; if it's returning to an unknown module then they detected something.

    Srs, they don't care if you inject. Idk if you've noticed, but you can inject a DLL that does nothing and you will never crash.
    Undetected injection has nothing to do with changing the hash or CRC32 of a loaded mapped image, which is the reason I bring this up in the first place, as I hear people saying that they changed the filename of the dll and it was magically undetected (personally I don't believe this). But I can maybe believe that they use some hashing procedure to get a sum of any images attached to its processes, which has also been said in the replies: changing a single byte has helped them make their hacks undetected again. It also makes no logical sense to use a packer, as the code is unpacked into memory, which would make this useless, but yet people still do... So it's only common sense they must be scanning and hashing memory if what others say is true.

    As for the "undetectable" injection method, this doesn't mean your hack is undetectable. This only means I use a method which has no documentation of its API in use with creating a remote thread, which means games that hook the "CreateRemoteThread" API won't detect this method as it doesn't use this API. Also, what must be noted is that D-Jector is not tied to only Combat Arms, and therefore adding these options can and will be useful for other games.
