  1. #1
    Rickyrudy

    Bypassing hackshield

    Credits to DeadlyData of ************* forums.
    Learning experience.

    No questions will be answered by me; this is just a cp, and I say it's rather simple >.>

    Reason for writing this/Why I bypass it the way I do:
    First, my reason for writing this is that the anti-cheat is really shitty and so far there has been no real documentation on it released online that I've found, besides my own.

    Secondly, the reason I bypass it the way I do is that it's the easiest way I or anyone else with less experience can.

    A couple of days to a week or so ago I hardly understood what a hook or detour would really do, nor did I understand how system drivers worked... I've always been more of a web based person as far as security goes.

    Anyway, to continue: for some of you guys, I'm sure you could simply unload the driver and recreate the heart beat of the anti-cheat so that hack shield is just simply no longer resident on your system.

    That, however, isn't my way around it; I've found several and will explain the ways I've taken so far below.

    How hack shield works(From my view):
    So far the way I see hack shield works (and try not to bash me if I say something incorrectly, just correct it)...

    Your game client will load; upon your game client loading, it will load an external library, which is usually hack shield's interface dll "EhSvc.dll".

    From this point I wasn't able to do much analysis myself, on account of "EhSvc.dll" being packed with Themida in my game target.

    From here, though, "EhSvc.dll" will continue by loading several other things, one of those things being the system driver "EagleNT.sys".

    EagleNT.sys creates several SSDT hooks, preventing a user from using things like WriteProcessMemory() or ReadProcessMemory() on the target game it's protecting.

    However, there are memory searching utilities out there like Cheat Engine that are open source, and people decide to modify these using different calls to avoid the hooks.

    When using one of these you will, however, still get detected if you manage to get around the SSDT hooks.

    The detection is passed either from the driver or the dll into the game's main exe; from there the game will give you a message like "Illegal Memory Access Detected".

    So basically it's a system driver and a dll interacting with each other; that's pretty much how it works. To sum it up, things are also passed and controlled by the game as far as detection goes, though.

    Bypassing it(My way):
    Since things are just passed through the game's exe, I usually just unpack the game's exe (usually hack shield targets come packed with "UPX" - of all things).

    Open the game's unpacked exe in IDA and find the string which I received - E.X. "Illegal Memory Access Detected".

    And head above the string to the main jump that pretty much goes through all of the different detection messages.

    It's usually always a JG; once this is nopped it no longer shows the detection messages nor attempts to close your game if detected...

    More in depth with the method below.

    Bypassing (More In depth/Tutorial):
    Start by going through the string table in IDA until you see the "detected" string that was in the message box.

    https://www.thedefaced.org/DD/hshield/memoryaccess.PNG

    From there double click on it...

    https://www.thedefaced.org/DD/hshield/memoryaccess2.png

    Then go to the reference of it (The push of the offset):


    https://www.thedefaced.org/DD/hshield/memoryaccess3.PNG

    Go to the reference of the push... which is a jmp.


    https://www.thedefaced.org/DD/hshield/memoryaccess4.PNG

    Go to the reference of that jmp which is another jmp just a jump if greater...


    https://www.thedefaced.org/DD/hshield/memoryaccess5.PNG

    And last the reference to that JG(Jump if greater) is where you set your 2 byte nop... bypassing the detection completely.


    https://www.thedefaced.org/DD/hshield/memoryaccess6.PNG

    Yeah it's completely played out this way for every game it's in... so this will work on most games using hack shield.

    Hope this helps some of you guys...
    Last edited by Rickyrudy; 08-01-2008 at 01:25 PM.

  2. The Following 5 Users Say Thank You to Rickyrudy For This Useful Post:

    CyberStriker (08-01-2008),darkvieja (10-15-2008),gerben498 (10-26-2008),minorutono (08-02-2008),nzjustin (10-05-2009)
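
A defender-side check for the weakness the first post describes, where one patched conditional jump in the client executable disables detection handling (added example, not from the thread or from HackShield's code): it compares code bytes against a trusted reference copy and flags short conditional jumps that have become NOPs. The helper name, the sample bytes and the assumption that the verifier holds a reference copy of the code are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: cmp eax,5 / jg +0x10 / push 0 / call rel32 / ret */
static const uint8_t SAMPLE_REF[] = {0x83, 0xF8, 0x05, 0x7F, 0x10, 0x6A, 0x00,
                                     0xE8, 0x00, 0x00, 0x00, 0x00, 0xC3};
/* Same bytes with the 2-byte JG overwritten by NOP NOP (constructed). */
static const uint8_t SAMPLE_CUR[] = {0x83, 0xF8, 0x05, 0x90, 0x90, 0x6A, 0x00,
                                     0xE8, 0x00, 0x00, 0x00, 0x00, 0xC3};

/* Short conditional jumps (Jcc rel8) use opcodes 0x70..0x7F; JG is 0x7F. */
static int is_jcc_short(uint8_t op) { return op >= 0x70 && op <= 0x7F; }

/*
 * Hypothetical helper: compare a trusted reference copy of a code region
 * with the bytes under verification. Returns the number of differing bytes
 * and records offsets where a short Jcc in the reference is now 0x90 0x90.
 * Byte-level heuristic (no disassembly): any difference is tampering; the
 * recorded offsets only point triage at removed branches first.
 */
size_t audit_code_region(const uint8_t *ref, const uint8_t *cur, size_t len,
                         size_t *hits, size_t max_hits, size_t *n_hits)
{
    size_t changed = 0;
    *n_hits = 0;
    for (size_t i = 0; i < len; i++) {
        if (ref[i] != cur[i])
            changed++;
        if (i + 1 < len && is_jcc_short(ref[i]) && cur[i] == 0x90 &&
            cur[i + 1] == 0x90 && *n_hits < max_hits)
            hits[(*n_hits)++] = i;
    }
    return changed;
}

int main(void)
{
    size_t hits[8], n = 0;
    size_t changed = audit_code_region(SAMPLE_REF, SAMPLE_CUR,
                                       sizeof SAMPLE_REF, hits, 8, &n);
    printf("%zu byte(s) differ from reference\n", changed);
    for (size_t k = 0; k < n; k++)
        printf("conditional jump replaced by NOPs at offset 0x%zx\n", hits[k]);
    return changed ? 1 : 0;
}
```

Running the comparison somewhere other than the patched executable, for example on a server that holds the reference build, keeps the verdict out of reach of the same patch.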

  3. #46
    Rickyrudy
    I suggest y'all manually unpack >.> better learning experience; there won't always be a program to do the work for you.

  4. #47
    *Marneus901*
    Quote Originally Posted by Rickyrudy View Post
    I suggest y'all manually unpack >.> better learning experience; there won't always be a program to do the work for you.
    You're talking to leechers. No use in telling them that stuff.


  5. #48
    minorutono
    dammit wrong thread.
    I meant to post in
    https://www.mpgh.net/forum/3-general/...us_laszlo.html
    It'll be there in a second..


    Anyways to make this a NON spam post now (sorry i fckd up) I'll respond to Ploxide.

    I attempted this and got to last step ^_^. I fuxxed up the last step i guess, but i got close, and it is a good learning experience, so i suggest all you peoples try it.
    Last edited by minorutono; 08-02-2008 at 12:24 AM.

  6. #49
    ploxide
    I would suggest inexperienced members should not attempt this, because you'll more than likely fuck up your game because you have no clue what you're doing. I myself did not attempt this project because I don't feel experienced enough to try this; if you feel the same I suggest you just wait until a newer version of MHS comes out, or work on a UCE, or search around on Google for a UCE, but have fun :P

  7. #50
    Rickyrudy
    Don't discourage them; are you trying to make them leechers for life?
    It's easy to back up the ca folder.

  8. #51
    Windshadow
    Quote Originally Posted by Rickyrudy View Post
    Don't discourage them; are you trying to make them leechers for life?
    It's easy to back up the ca folder.
    All you need to do is backup your Engine.exe.

    Is not that hard xD.

  9. #52
    CyberStriker
    Quote Originally Posted by ploxide View Post
    I would suggest inexperienced members should not attempt this, because you'll more than likely fuck up your game because you have no clue what you're doing. I myself did not attempt this project because I don't feel experienced enough to try this; if you feel the same I suggest you just wait until a newer version of MHS comes out, or work on a UCE, or search around on Google for a UCE, but have fun :P
    I did this easily, no prob, and I'm very inexperienced.

  10. #53
    gudsoldier
    Man, if he can do this I should be able to.. Why the hell can't I get the friggin' thing in IDA Advanced.... I've searched the file one code at a time.
    Stop flaming each other, it helps no one, and causes a step backwards rather than a step forwards.

    Read the rules before you decide to voice your opinion.

    Check your Grammar/Spelling/Facts before typing, otherwise I or another member will do it for you. And that just makes you look stupid.

  11. #54
    nbr1dan
    It's simple guys!
    I won't tell you everything, but I will tell you: if you do a search in the hex strings for EHSvc.dll, find what accesses that file, then NOP it 2 bytes, and there you have it.


  12. #55
    zyllion
    Hi all, I'm new here.
    Have tried this way now 10 times but no luck; maybe someone can help me bypass this file.
    (Its not to Combat Arms)
    **********: Easy Filehosting

  13. #56
    Shark
    Way to go on advertising!!!
    Anyways, good luck with this, for you who can't figure this out and think that it is useful.
    Bibamus, gaudeamus.

  14. #57
    stryk-9
    Forget about it.... GTFO now. lol

  15. #58
    masterall555
    Quote Originally Posted by stryk-9 View Post
    Forget about it.... GTFO now. lol
    rofl? you gtfo, u bump old shit from months ago
    dun revive old shit

  16. #59
    SEGnosis
    Quote Originally Posted by masterall555 View Post
    rofl? you gtfo, u bump old shit from months ago
    dun revive old shit
    Well, if ppl aren't supposed to revive ppl by bumping

    then how will I help

    YOW MOMAH

    _I hope u get this joke_

  17. #60
    KyleForrest
    I really don't think this will ever be useful, because a lot of hacks come with bypasses.
