  1. #1
    drlunar

    Hackshield Bypass

    I've been working on a full-blown HackShield bypass for a few days now and I'm having trouble understanding what to do exactly. At first I tried trial and error, nulling random Eagle.sys functions:

    ** ** ** ** ** ** ** ** //ZwAllocateVirtualMemory

    ** ** ** ** ** ** ** ** //NtQueryInformationProcess

    ** ** ** ** ** ** ** ** //NTWriteVirtualMemory

    ** ** ** ** ** ** ** ** //ZwReadVirtualMemory

    ** ** ** ** ** ** ** ** //ZwTerminateProcess

    ** ** ** ** ** ** ** ** //ZwProtectVirtualMemory

    ** ** ** ** ** ** ** ** //ZwTerminateThread

    Etc.

    My results were that when I NOP'd them in certain orders and groups I'd get general HS errors such as:

    Cannot Update Hackshield
    Cannot Execute Hackshield
    Cannot Terminate Hackshield

    I then went on to try and detour the system functions with what little knowledge I had at the time and it resulted in the client instantly crashing. After some more research I understood that the Eagle.sys functions were called by EHSVC (I already knew of it but didn't put too much mind to it), ultimately causing them to function as such. My current question standing is:

    What should I detour? Which EHSVC functions correspond to what? Is there an analysis of them anywhere?

    I.e.:

    jg EHSvc.dll+E879D
    EHSvc.dll+E87BF

    I know those jump to certain addresses but what am I supposed to do with what? The game I'm working with has a fairly simple HS so I can read the client's memory flawlessly.

    PS: I've tried having HS simply not run with the client but after a minute or so I'm kicked from the server (disconnected). I've tried searching for the command/function causing that but my results were nothing. I've also tried just going for a CRC bypass but I again don't understand what to modify or how to even find the CRC addresses.

  2. #2
    Pitcher
    Learn C++


    Back on the 30th of September.

    WarRock Contributer Force

    My hacks are only for WarRock International!


  3. #3
    drlunar
    Quote: Originally posted by bodhi
        Learn C++
    I know and understand C++... I'm asking for advice on how to bypass hackshield.

  4. #4
    Pitcher
    Quote: Originally posted by drlunar
        I know and understand C++... I'm asking for advice on how to bypass hackshield.
    learn asm




  5. #5
    drlunar
    Seriously dude? Stop spamming stupid sh*t.

  6. #6
    drlunar
    Anyone know how I could dump EHSVC on a 64-bit system?
    Last edited by drlunar; 06-25-2012 at 02:56 PM.

  7. #7
    drlunar
    OK, so here's an update: I finally bypassed HS and this is my source:

    Code:
    //======================================================================================//
    //================================ Hackshield Addys ====================================//
    //======================================================================================//
    
    #define EhsvcSelfCrC	        0x00F36109FC
    #define Detection	        0x00097D0
    #define HSAntiCrash		0x00F35D455E
    #define AsmDetection	        0x00EFFFFFFE
    #define NanoCheck1 	        0x00344EE
    #define NanoCheck2	        0x00F35D1B2F
    #define NanoCheck3		0x00F35D3A2B
    //#define HackMalfunction1 0x0043EE3D
    //#define HackMalfunction2 0x0068D605
    
    //======================================================================================//
    //=================================== Bypass Function ==================================//
    //======================================================================================//
    INT BypassMain() {
    //New Method
    DWORD dwEhSvc;
    do{
    dwEhSvc = (DWORD)GetModuleHandleA("EhSvc.dll");
    Sleep(100);
    }while(!dwEhSvc);
    MEMwrite((VOID*)(dwEhSvc+NanoCheck1),(PBYTE)"\xB8\x01\x00\x00\x00\xC3",6); //EHSVC NANO CHECK
    MEMwrite((VOID*)(dwEhSvc+NanoCheck2),(PBYTE)"\xB8\x01\x00\x00\x00\xC3",6); //EHSVC NANO CHECK
    MEMwrite((VOID*)(dwEhSvc+NanoCheck3),(PBYTE)"\xB8\x01\x00\x00\x00\xC3",6); //EHSVC NANO CHECK
    MEMwrite((VOID*)(dwEhSvc+EhsvcSelfCrC),(PBYTE)"\xC2\x04\x00",3); // CRC CHECK
    MEMwrite((VOID*)(dwEhSvc+Detection),(PBYTE)"\x90\x90",2); // ASM DETECTION CHECK
    MEMwrite((VOID*)(dwEhSvc+AsmDetection),(PBYTE)"\x90\x90",2); // ASM DETECTION CHECK
    MEMwrite((VOID*)(dwEhSvc+HSAntiCrash),(PBYTE)"\x90\x90",2); // ANTI CRASH
    //MEMwrite((VOID*)0x0043EE40,(PBYTE)"\x90\x90",2); // MALFUNCTION2
    //MEMwrite((VOID*)(HackMalfunction1),(PBYTE)"\x7F\x34\x50\x68\x68\xD5\x68\x00\xEB\xA4\x56\x68\xA0\xD5\x68\x00",16) ; // MALFUNCTION1
    return (1);
    }
    That's what I have right now, but every time I boot the client it initializes and I get

    Hacking Protection Has Some Malfunctions ( Code: 10703 )
    Program Will Be Terminated
    Am I missing anything? I did use a public EHSVC logger to get my addies, but that's only because I understand how to extract specific addresses from the module itself. I dumped it, but seeing as it can't possibly attach to load-dll, I can't do anything in Olly. If anyone can help explain how, I'd be grateful. The dumped EHSVC can be downloaded here: https://min.us/mbcBIpnqTx
    Last edited by drlunar; 06-26-2012 at 01:00 PM.
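
From the defender's side, byte overwrites like the ones in the post above are what a code-integrity audit is meant to catch. The following is an added example, not code from the thread or from HackShield: it diffs a trusted copy of a code section against the bytes read back from the loaded module and labels each change. The function names, the `patch_kind` labels and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum patch_kind { PATCH_OTHER, PATCH_FORCED_RETURN, PATCH_EARLY_RET, PATCH_NOP_FILL };
struct finding { size_t offset, length; enum patch_kind kind; };
/* Triage a modified region by the overwrite idioms quoted in the thread. */
static enum patch_kind classify(const uint8_t *p, size_t avail, size_t *n)
{
    static const uint8_t mov_eax_1_ret[] = { 0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3 };
    size_t nops = 0;
    if (avail >= 6 && memcmp(p, mov_eax_1_ret, 6) == 0) { *n = 6; return PATCH_FORCED_RETURN; }
    if (avail >= 3 && p[0] == 0xC2) { *n = 3; return PATCH_EARLY_RET; } /* ret imm16 */
    while (nops < avail && p[nops] == 0x90) nops++;
    *n = nops ? nops : 1;
    return nops ? PATCH_NOP_FILL : PATCH_OTHER;
}

/* Diff trusted section bytes against the live copy; every difference is a finding. */
size_t audit_section(const uint8_t *baseline, const uint8_t *live, size_t len,
                     struct finding *out, size_t max_out)
{
    size_t i = 0, count = 0, n;
    while (i < len && count < max_out) {
        if (baseline[i] == live[i]) { i++; continue; }
        enum patch_kind kind = classify(live + i, len - i, &n);
        if (kind == PATCH_OTHER)  /* cover the whole differing run */
            while (i + n < len && baseline[i + n] != live[i + n]) n++;
        out[count++] = (struct finding){ i, n, kind };
        i += n;
    }
    return count;
}

/* Constructed sample: a small x86 function as shipped ... */
static const uint8_t BASELINE[21] = {
    0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x56, 0x85, 0xC0, 0x74, 0x05,
    0xE8, 0x10, 0x20, 0x30, 0x00, 0x5E, 0x8B, 0xE5, 0x5D, 0xC3 };
/* ... and as read back after tampering (return stub at +0, NOPs at +9). */
static const uint8_t LIVE[21] = {
    0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3, 0x56, 0x85, 0xC0, 0x90, 0x90,
    0xE8, 0x10, 0x20, 0x30, 0x00, 0x5E, 0x8B, 0xE5, 0x5D, 0xC3 };
int main(void)
{
    struct finding f[8];
    for (size_t i = 0, n = audit_section(BASELINE, LIVE, sizeof LIVE, f, 8); i < n; i++)
        printf("+0x%zx len %zu kind %d\n", f[i].offset, f[i].length, (int)f[i].kind);
    return 0;
}
```

The diff is the detection; the label is only a triage hint, so a change that matches none of the idioms is still reported as `PATCH_OTHER`.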
