  1. #1
    AeroMan's Avatar
    Join Date
    Dec 2008
    Gender
    male
    Location
    Hell
    Posts
    3,294
    Reputation
    189
    Thanks
    3,049
    My Mood
    Busy

    WarRock EHSvc.dll

    Hello,
    I tried today to reverse a bypass for WarRock, since I've been coding for WarRock for a pretty long time.

    But now I'm stuck. I tried to reverse it with some help from my friend, but we are both stuck on it: when HackShield is loaded, WarRock starts minimized.

    I currently have this code:

    Code:
    DWORD OldProtection; 
    void MEMwrite(void *adr, void *ptr, int size)
    {
    VirtualProtect(adr,size,PAGE_EXECUTE_READWRITE, &OldProtection); 
    memcpy(adr,ptr,size);
    VirtualProtect(adr,size,OldProtection, &OldProtection);
    }
    
    
    void BYPASS(void) 
    {
    long EhSvc = (long)GetModuleHandleA("EhSvc.dll");
    MEMwrite((void *)(EhSvc+0xE3180),(void*)(PBYTE)"\x60\x1D\x00\x10",4); //Anti ASM Scan
    MEMwrite((void *)(EhSvc+0xE3188),(void*)(PBYTE)"\x88\x31\x0E\x10",4);  //CheatEngine
    MEMwrite((void *)(EhSvc+0xE31E8),(void*)(PBYTE)"\x50\x24\x00\x10",4);  //Unhook SSS
    MEMwrite((void *)(EhSvc+0xE3540),(void*)(PBYTE)"\xA0\x36\x0E\x10",4);  //Unhook DIP
    MEMwrite((void *)(EhSvc+0xE3544),(void*)(PBYTE)"\x88\x36\x0E\x10",4);  //Dlljump1
    MEMwrite((void *)(EhSvc+0xE36C8),(void*)(PBYTE)"\x4C\x37\x0E\x10",4);  //Dlljump2
    MEMwrite((void *)(EhSvc+0xE40C4),(void*)(PBYTE)"\x90",1);             //Anti Restore
    MEMwrite((void *)(EhSvc+0xE5D84),(void*)(PBYTE)"\xD0\x1A\x01\x10",4);  // 1
    MEMwrite((void *)(EhSvc+0xE60B0),(void*)(PBYTE)"\x9B\xF0\x20\x10",4);  // 2
    MEMwrite((void *)(EhSvc+0xFB34C),(void*)(PBYTE)"\xD0\x1A\x01\x10",4);  // 3
    MEMwrite((void *)(EhSvc+0xFD02C),(void*)(PBYTE)"\xEC\xCE\x0B\x10",4);  // 4
    MEMwrite((void *)(EhSvc+0xFD030),(void*)(PBYTE)"\x7C\xD0\x0B\x10",4);  // 5
    MEMwrite((void *)(EhSvc+0xFD034),(void*)(PBYTE)"\xFC\xD3\x0B\x10",4);  // 6
    MEMwrite((void *)(EhSvc+0xFD0A8),(void*)(PBYTE)"\x00\xF5\x0B\x10",4);  // 7
    MEMwrite((void *)(EhSvc+0xFDDB0),(void*)(PBYTE)"\xB8\xD9\x0F\x10",4);  // 8
    MEMwrite((void *)(EhSvc+0xFDDB4),(void*)(PBYTE)"\x30\xD9\x0F\x10",4);  // 9
    MEMwrite((void *)(EhSvc+0xFDDB8),(void*)(PBYTE)"\x1C\xE0\x0F\x10",4);  // 10
    MEMwrite((void *)(EhSvc+0xFDDBC),(void*)(PBYTE)"\x3D\xE0\x0F\x10",4);  // 11
    MEMwrite((void *)(EhSvc+0xFDDC0),(void*)(PBYTE)"\x10\xE0\x0F\x10",4);  // 12
    MEMwrite((void *)(EhSvc+0xFDDC4),(void*)(PBYTE)"\x24\xD9\x0F\x10",4);  // 13
    MEMwrite((void *)(EhSvc+0xFDDC8),(void*)(PBYTE)"\x20\xD9\x0F\x10",4);  // 14
    MEMwrite((void *)(EhSvc+0xE2F43),(void*)(PBYTE)"\x90",1);             // 15
    MEMwrite((void *)(EhSvc+0xE3D0B),(void*)(PBYTE)"\x90",1);             // 16
    MEMwrite((void *)(EhSvc+0xED10F),(void*)(PBYTE)"\x90",1);             // 17
    }
    
    void Loop(void) 
    {
    for(;;)
    {
    long EhSvc = (long)GetModuleHandleA("EhSvc.dll");
    if(EhSvc!=0)
    {
    BYPASS(); 
    }
    Sleep(20);
    }
    }

    Can anyone tell me, or help me find, where it gets stuck by HS?
    Help will be credited, of course.

    Thanks already.

  2. #2
    sspoke's Avatar
    Join Date
    Feb 2011
    Gender
    male
    Posts
    2
    Reputation
    10
    Thanks
    1
    you forgot

    Code:
    BOOL APIENTRY DllMain( HANDLE hModule, 
                           DWORD  ul_reason_for_call, 
                           LPVOID lpReserved
    					 )
    {
    	switch (ul_reason_for_call)
        {
    		case DLL_PROCESS_ATTACH:
    			CreateThread (NULL, NULL, (LPTHREAD_START_ROUTINE) Loop, NULL, NULL, NULL);
    		case DLL_THREAD_ATTACH:
    		case DLL_PROCESS_DETACH:
    		case DLL_THREAD_DETACH:
    		default:
    			return FALSE;
        }
        return TRUE;
    }
    Haha, just kidding. I want to hack HackShield like you as well, but I don't even know where to begin. Can you help me out as well? I'm not trying to hijack your thread here, just trying to gain some knowledge too. I'll give you all credits.

  3. #3
    Threadstarter
    Upcoming MPGHiean
    AeroMan's Avatar
    Quote Originally Posted by sspoke View Post
    you forgot

    Code:
    BOOL APIENTRY DllMain( HANDLE hModule, 
                           DWORD  ul_reason_for_call, 
                           LPVOID lpReserved
    					 )
    {
    	switch (ul_reason_for_call)
        {
    		case DLL_PROCESS_ATTACH:
    			CreateThread (NULL, NULL, (LPTHREAD_START_ROUTINE) Loop, NULL, NULL, NULL);
    		case DLL_THREAD_ATTACH:
    		case DLL_PROCESS_DETACH:
    		case DLL_THREAD_DETACH:
    		default:
    			return FALSE;
        }
        return TRUE;
    }
    Haha, just kidding. I want to hack HackShield like you as well, but I don't even know where to begin. Can you help me out as well? I'm not trying to hijack your thread here, just trying to gain some knowledge too. I'll give you all credits.
    I actually looked for all the next "off_addy" where all the text was, like the text "[Succes]..". There you can find the OFF addy. I'm not sure it is the correct one, so that's also why I ask; I can't find the problem.

  4. #4
    sspoke's Avatar
    Oh, you just have to unpack EhSvc and update the address locations. I did that and I got a working HackShield bypass, haha, makes me feel so good.

    Since I don't support feeding people with complete working bypasses, I'll tell you how I did it.

    I used Joker Italy's tutorial on unpacking Themida, then I did OllyDump. Even though the HackShield isn't runnable, from what I learned, if the OEP (EntryPoint) is perfect then the addresses will come out great, but the dll won't be runnable.


  6. #5
    Threadstarter
    Upcoming MPGHiean
    AeroMan's Avatar
    Quote Originally Posted by sspoke View Post
    Oh, you just have to unpack EhSvc and update the address locations. I did that and I got a working HackShield bypass, haha, makes me feel so good.

    Since I don't support feeding people with complete working bypasses, I'll tell you how I did it.

    I used Joker Italy's tutorial on unpacking Themida, then I did OllyDump. Even though the HackShield isn't runnable, from what I learned, if the OEP (EntryPoint) is perfect then the addresses will come out great, but the dll won't be runnable.
    Ooh, looks weird.
    Learning asm atm,
    hope to fix it soon.

  7. #6
    why06's Avatar
    Join Date
    Jul 2009
    Gender
    male
    Location
    IBM
    Posts
    4,304
    Reputation
    170
    Thanks
    2,203
    My Mood
    Flirty
    I wouldn't think you would need that many patches to bypass HS.


  8. #7
    whit's Avatar
    Join Date
    Jan 2010
    Gender
    male
    Posts
    7,159
    Reputation
    490
    Thanks
    2,253
    Quote Originally Posted by why06 View Post
    I wouldn't think you would need that many patches to bypass HS.
    Ya don't, he's just trying to copy hard public source.
    I heard just one address can bypass the whole damn thing.

  9. #8
    Threadstarter
    Upcoming MPGHiean
    AeroMan's Avatar
    Join Date
    Dec 2008
    Gender
    male
    Location
    Hell
    Posts
    3,294
    Reputation
    189
    Thanks
    3,049
    My Mood
    Busy
    Quote Originally Posted by why06 View Post
    I wouldn't think you would need that many patches to bypass HS.
    Ooh, I guess I'ma learn some asm first.

    Quote Originally Posted by whit View Post
    Ya don't, he's just trying to copy hard public source.
    I heard just one address can bypass the whole damn thing.
    One?
    Sounds a little bit too few.
    I hope you're right.

  10. #9
    helenakarl's Avatar
    Join Date
    Nov 2011
    Gender
    male
    Posts
    16
    Reputation
    10
    Thanks
    81
    Is this a WarRock PH bypass?