[TUT] CA bypass

[scimmyboy]

Alright so you want to bypass Hackshield. So rename your HShield folder to something like zzzHshield, in this case I rename it to zzzHshield. Now that the Hackshield files can't be found by the game, they won't be able to be loaded. But now when you run the game you will get an error saying that the protection modules failed to update. We need to get rid of this error. Now the engine for combat arms is packed with upx, but when trying to use the standard unpacker upx provides, it gives an error saying that can't unpack. So the tool I used was PE explorer. Just open engine.exe with PE explorer and then save it as something other then the original. I will refer to it as zzzEngine.exe. (At this point I renamed my original engine to OriginalEngine.exe and zzzEngine to Engine.exe). Now load up the unpacked engine into ollydbg. The string we will be searching for is "Fail to update". The result should be Reason why you get Fail to update means You are not using a bypass,either its out of date.
Code:

00505EF1 . 68 A8C06600 PUSH Engine.0066C0A8

; |format = "Fail to update protection modules! - ErrorCode [0x%08X]"

Basically we want this box not to pop up. Scrolling up a bit you see
Code:

00505EEA . 74 2F JE SHORT

Engine.00505F1B

Which makes the message box pop up. Changeing the JE to JNZ though will prevent it from popping up!

So now get your favorite hex editor (I use ollydbg) and search for 74 2F and change it to 75 2F and save the result. Now fireup combat arms. AH! An invalid file has been installed. Once again same method, lets search. The result of your search

should be
Code:

00505FF0 . 68 28C06600 PUSH Engine.0066C028 ; |Text = "An invalid file has been

installed.
Please reinstall the file."

Once again same method will be used, find the JE and change it to JNZ. The offset is 00505FE0 . 74 22 JE SHORT Engine.00506004. Now try running again. Compatibility mode!?! Once again

search, & result
Code:

0050600B . 68 D8BF6600 PUSH Engine.0066BFD8 ; |Text = "The program is

running on compatibility mode.
The program is shutting down."

Once again JE to JNZ. This is the offset 00505FDB

. 74 42 JE SHORT Engine.0050601F. JE TO JNZ TIME! Now run once again. Another instance is running (liars). Now I'm going to save us a lot of time and just tell you everything to nop because you end up going through this process like 10

times.
Code:

00505FDB . 74 42 JE SHORT Engine.0050601F
00505FD9 7F 5F JG SHORT Engine.0050603A
00505FD9 7F 5F JG SHORT Engine.0050603A
0050603F . 74 4B JE SHORT Engine.0050608C
00506044 . 74 2E JE SHORT Engine.00506074
005060BA . 74 2E JE SHORT Engine.005060EA
00505FCE . 0F84 D0000000 JE Engine.005060A4

IT starts up now! But now it says that the file is corrupt. Now searching for this string will be futile because its somehow hidden. So the next best thing is to get the crc32 of the first file and subsitute it for the modified version so that the game thinks were using an unmodified version. Using PEiD and the crc32 plugin you can see the original crc32 is BBAF654E, Now change the crc32 of the modified engine to that. Now hopefully if you've done everything right, you will be able to start combat arms without hacksheild starting

Tools used:
OllyDbg 1.10
PE Explorer
Download PE Explorer/Editor application, DLL Viewer, EXE Ressource Editor and Disassembler, Borland Delphi EXE Editor.


If this helped, dont forget to thank me!

[CoMPMStR]

lol this will just make most people scratch their head in wonder. Even if you follow the steps here, replacing the addresses as necessary, you won't be able to bypass HS anyway. If it was possible it would've been done already...

[radnomguywfq3]

I think they added it the correct way this time, thus even if you did have the new addresses for those functions hooked or those opcodes changed it still wouldn't work. So don't try it.

[penguinzrock]

Also HackShield initializes Direct3D for Combat Arms now. So getting rid of it wouldn't let Combat Arms start. This tut is outdated and reposted.

[magesoja10]

Didn't work :S