I did not make this at all. This is "so be it" source code for a bypass.
After he stopped hacking CA he released it publicly.
This will take some editing to get this working.
So, coders, feel free to take your shot.
Code:
#define HS_JMP 0x63B31D
#define HS_JMP2 0x63B323

typedef int (__cdecl *HS_GetProcAddress_t)( int hModule, int a2 );
typedef int (__stdcall *HackshieldComm_t )( int, void*, void* );
typedef signed int (__stdcall *KickProc_t)( int a1, int a2, int a3 );

HS_GetProcAddress_t pHS_GetProcAddress = NULL;
HackshieldComm_t pHackshieldComm = NULL;
KickProc_t pKickProc = NULL;

signed int __stdcall new_KickProc( int a1, int a2, int a3 )
{
    return 1;
}

int __stdcall new_HackshieldComm( int hsCommCode, void *Param1, void *Param2 )
{
    if( hsCommCode == 4 || hsCommCode == 5 || hsCommCode == 13 ) //kill!
    {
        if( hsCommCode == 4 ) //replace kick proc
        {
            DWORD *dwParam1 = (DWORD *)Param1;
            pKickProc = (KickProc_t)*dwParam1;
            *dwParam1 = (DWORD)new_KickProc;
        }
        int iReturn = pHackshieldComm( hsCommCode, Param1, Param2 );
        return 1;
    }
    int iReturn = pHackshieldComm( hsCommCode, Param1, Param2 );
    return iReturn;
}

void HookCommunication( EXCEPTION_POINTERS* pExceptionInfo )
{
    DWORD dwEbp = pExceptionInfo->ContextRecord->Ebp;
    DWORD dwParam2 = 0;
    __asm
    {
        push eax;
        push edx;
        mov eax, dwEbp;
        mov edx, [eax+0xC];
        mov dwParam2, edx;
        pop edx;
        pop eax;
    }
    if( dwParam2 == 0xA ) //this is the ordinal of some export...hmm..
    {
        pHackshieldComm = (HackshieldComm_t)pExceptionInfo->ContextRecord->Eax;
        pExceptionInfo->ContextRecord->Eax = (DWORD)new_HackshieldComm;
    }
    pExceptionInfo->ContextRecord->Eip = HS_JMP2;
    return;
}

PVOID pContextHandler = NULL;

LONG WINAPI ***ExceptionHandler( EXCEPTION_POINTERS* pExceptionInfo )
{
    if( pExceptionInfo->ExceptionRecord->ExceptionCode != EXCEPTION_SINGLE_STEP )
    {
        return EXCEPTION_CONTINUE_SEARCH;
    }
    if( pExceptionInfo->ExceptionRecord->ExceptionAddress == (PVOID)HS_JMP )
    {
        HookCommunication( pExceptionInfo );
        return EXCEPTION_CONTINUE_EXECUTION;
    }
    return EXCEPTION_CONTINUE_SEARCH;
}

void InitContextHook()
{
    pContextHandler = AddVectoredExceptionHandler( 0x50BE17, ***ExceptionHandler );
    CONTEXT Context;
    Context.ContextFlags = CONTEXT_DEBUG_REGISTERS;
    GetThreadContext(GetCurrentThread(), &Context);
    Context.Dr0 = HS_JMP;
    Context.Dr7 = (1<<0)|(1<<2)|(1<<4)|(1<<6);
    SetThreadContext(GetCurrentThread(), &Context);
}
Also, here is a simple tut for this I found by novasynth.
Have fun...
C+ is for .dll programming, and C++ is for application programming. This is in C+ format, therefore it is a Dynamic Link Library (.dll file for short). If you have a proper compiler, basically all you need to do is compile this script into a main .dll file, and then save it. Afterwards, you can inject the .dll file into Combat Arms or such and such, and you should be able to attach Cheat Engine or something to hack away at the same, finding proper hex addresses and compiling scripts. Most of the hacks nowadays are just C+ scripts made with Cheat Engine, compiled with another program (god knows what) and then injected into the game as a .dll file. It's the simplest and most effective way to hack these games now. It's not that hard really; all you need to do is understand it.
^^Not sure how much that helped.
But take a stab at it.
__________________________________________________ ____________________________
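Defender-side check for the hardware-breakpoint hook used in the code above, added here as an example that is not part of the original post: it decodes DR7 the way a hook detector would and flags an enabled execute breakpoint that lands inside a protected module's address range. The register snapshot is constructed (on Windows it would come from GetThreadContext with CONTEXT_DEBUG_REGISTERS), and the 0x400000-0x800000 range is an assumed image range, not one taken from the post.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Debug registers of one thread (what CONTEXT_DEBUG_REGISTERS yields on Windows). */
typedef struct { uint32_t dr[4]; uint32_t dr7; } debug_regs_t;
typedef struct {
    int slot, type, length;  /* DR0..DR3 slot; 0 exec/1 write/2 io/3 rw; bytes */
    uint32_t address;
    bool local, global;      /* Ln / Gn enable bits */
} hw_breakpoint_t;

/* IA-32 DR7 layout: Ln = bit 2n, Gn = bit 2n+1, R/Wn = bits 16+4n..17+4n,
   LENn = bits 18+4n..19+4n. Returns how many enabled slots were written. */
int decode_hw_breakpoints(const debug_regs_t *regs, hw_breakpoint_t out[4])
{
    static const int len_table[4] = {1, 2, 8, 4};
    int n = 0;
    for (int i = 0; i < 4; i++) {
        bool l = (regs->dr7 >> (2 * i)) & 1, g = (regs->dr7 >> (2 * i + 1)) & 1;
        if (!l && !g) continue;
        out[n].slot = i;
        out[n].address = regs->dr[i];
        out[n].local = l;
        out[n].global = g;
        out[n].type = (regs->dr7 >> (16 + 4 * i)) & 3;
        out[n].length = len_table[(regs->dr7 >> (18 + 4 * i)) & 3];
        n++;
    }
    return n;
}

/* Detection rule: an enabled execute breakpoint inside [lo, hi), e.g. the
   protected module's image range, is the signature of this style of hook. */
bool has_exec_breakpoint_in(const debug_regs_t *regs, uint32_t lo, uint32_t hi)
{
    hw_breakpoint_t bps[4];
    int n = decode_hw_breakpoints(regs, bps);
    for (int i = 0; i < n; i++)
        if (bps[i].type == 0 && bps[i].address >= lo && bps[i].address < hi)
            return true;
    return false;
}

/* Constructed sample mirroring the post: DR0 = 0x63B31D, DR7 = 0x55 (all four
   local slots enabled although only DR0 holds an address, itself an anomaly). */
debug_regs_t sample_regs(void) { debug_regs_t r = {{0x63B31D, 0, 0, 0}, 0x55}; return r; }

int main(void)
{
    debug_regs_t r = sample_regs();
    printf("hook in module range: %s\n", has_exec_breakpoint_in(&r, 0x400000, 0x800000) ? "yes" : "no");
    return 0;
}
```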
Hack Shield Analysis
Credits: Tension from mpgh and Th4natoS from elite hacks, also lolz for the addies he got
Sorry for leaving this out.
Hi there, and welcome to my ultimate information dump on Hack Shield, one of the best Anti-Cheat services ever made. Today you will essentially learn what Hack Shield is made of, how Hack Shield works, and you will even learn some new bypassing ideas.
Index
- Hack Shield Components
- Hack Shield Flow
- Bypassing Theory
1. Hack Shield Components
Hack Shield consists of:
1) EhSvc.dll:
- EhSvc is the Hack Shield interface dll
- It communicates between the game client and Hack Shield
- It communicates with the Hack Shield driver (EagleNT.sys)
- It initiates the hack tool detection engine
- This is usually the only file needed to create a workable bypass
2) V3Pro32s.dll:
- This is the hacking tool detection interface dll
- This starts the hacking tool detection engine
- This helps the scanning of known hack signatures
- A very important file. This could interrupt the Hack Shield driver if correctly intercepted
Code:
addies for various functions of above dll
_AhnGetFileEntry 0x1000bb9c 0x0000bb9c 30 (0x1e) v3pro32s.dll C:\Nexon\Combat Arms\HShield\v3pro32s.dll
AhnBootInformation 0x1000b16f 0x0000b16f 1 (0x1) v3pro32s.dll C:\Nexon\Combat Arms\HShield\v3pro32s.dll
AhnCheckBootSector 0x1000b177 0x0000b177 2 (0x2) v3pro32s.dll C:\Nexon\Combat Arms\HShield\v3pro32s.dll
AhnCheckDefaultExtensions 0x1000124a 0x0000124a 3 (0x3) v3pro32s.dll C:\Nexon\Combat Arms\HShield\v3pro32s.dll
AhnCheckFile 0x1000ba5e 0x0000ba5e 4 (0x4) v3pro32s.dll C:\Nexon\Combat Arms\HShield\v3pro32s.dll
AhnCheckMemory 0x1000b160 0x0000b160 5 (0x5) v3pro32s.dll C:\Nexon\Combat Arms\HShield\v3pro32s.dll
AhnCheckProcess 0x1000b79d 0x0000b79d 6 (0x6) v3pro32s.dll C:\Nexon\Combat Arms\HShield\v3pro32s.dll
AhnGetBootRepairStatus 0x1000b5b9 0x0000b5b9 7 (0x7) v3pro32s.dll C:\Nexon\Combat Arms\HShield\v3pro32s.dll
AhnGetDefaultExtensions 0x1000126b 0x0000126b 8 (0x8) v3pro32s.dll C:\Nexon\Combat Arms\HShield\v3pro32s.dll
AhnGetEngineDate 0x100013fd 0x000013fd 9 (0x9) v3pro32s.dll C:\Nexon\Combat Arms\HShield\v3pro32s.dll
AhnGetEngineDateString 0x1000145c 0x0000145c 10 (0xa) v3pro32s.dll C:\Nexon\Combat Arms\HShield\v3pro32s.dll
AhnGetEngineDateValue 0x10001449 0x00001449 11 (0xb) v3pro32s.dll C:\Nexon\Combat Arms\HShield\v3pro32s.dll
AhnGetExtRepairStatus 0x1000b287 0x0000b287 12 (0xc) v3pro32s.dll C:\Nexon\Combat Arms\HShield\v3pro32s.dll
AhnGetRepairStatus 0x1000b1b4 0x0000b1b4 13 (0xd) v3pro32s.dll C:\Nexon\Combat Arms\HShield\v3pro32s.dll
AhnGetVersion 0x100014f7 0x000014f7 14 (0xe) v3pro32s.dll C:\Nexon\Combat Arms\HShield\v3pro32s.dll
AhnGetVirusFileCureData 0x1000120b 0x0000120b 15 (0xf) v3pro32s.dll C:\Nexon\Combat Arms\HShield\v3pro32s.dll
AhnGetVirusName 0x100010d1 0x000010d1 16 (0x10) v3pro32s.dll C:\Nexon\Combat Arms\HShield\v3pro32s.dll
AhnGetVirusName32 0x1000108c 0x0000108c 17 (0x11) v3pro32s.dll C:\Nexon\Combat Arms\HShield\v3pro32s.dll
AhnGetVirusNameStr 0x1000116c 0x0000116c 18 (0x12) v3pro32s.dll C:\Nexon\Combat Arms\HShield\v3pro32s.dll
AhnGetVirusNameStr32 0x100010ab 0x000010ab 19 (0x13) v3pro32s.dll C:\Nexon\Combat Arms\HShield\v3pro32s.dll
AhnInitVaccineEngine 0x1000b600 0x0000b600 20 (0x14) v3pro32s.dll C:\Nexon\Combat Arms\HShield\v3pro32s.dll
AhnRepairBootSector 0x1000b17e 0x0000b17e 21 (0x15) v3pro32s.dll C:\Nexon\Combat Arms\HShield\v3pro32s.dll
AhnRepairFile 0x1000eea0 0x0000eea0 22 (0x16) v3pro32s.dll C:\Nexon\Combat Arms\HShield\v3pro32s.dll
AhnRepairMemory 0x1000b167 0x0000b167 23 (0x17) v3pro32s.dll C:\Nexon\Combat Arms\HShield\v3pro32s.dll
AhnSetDefaultOption 0x1000ba89 0x0000ba89 24 (0x18) v3pro32s.dll C:\Nexon\Combat Arms\HShield\v3pro32s.dll
AhnSetExtensions 0x10001295 0x00001295 25 (0x19) v3pro32s.dll C:\Nexon\Combat Arms\HShield\v3pro32s.dll
PV3CALGetInfoAddr 0x1000a0fe 0x0000a0fe 26 (0x1a) v3pro32s.dll C:\Nexon\Combat Arms\HShield\v3pro32s.dll
V3CALGetInfo 0x1000a0c2 0x0000a0c2 27 (0x1b) v3pro32s.dll C:\Nexon\Combat Arms\HShield\v3pro32s.dll
V3CALGetShowInfo 0x1000a080 0x0000a080 28 (0x1c) v3pro32s.dll C:\Nexon\Combat Arms\HShield\v3pro32s.dll
V3CALGetTotalInfoCount 0x1000a0b9 0x0000a0b9 29 (0x1d) v3pro32s.dll C:\Nexon\Combat Arms\HShield\v3pro32s.dll
3) 3N.mhe:
- The Heuristic engine file
- Contains the patterns used to search for known hacks
4) psapi.dll:
- The process status helper dll
- Helps scan process signatures and control process functions
Code:
EmptyWorkingSet 0x76a61e20 0x00001e20 1 (0x1) psapi.dll C:\Nexon\Combat Arms\HShield\psapi.dll
EnumDeviceDrivers 0x76a615a3 0x000015a3 2 (0x2) psapi.dll C:\Nexon\Combat Arms\HShield\psapi.dll
EnumPageFilesA 0x76a63b3c 0x00003b3c 3 (0x3) psapi.dll C:\Nexon\Combat Arms\HShield\psapi.dll
EnumPageFilesW 0x76a639cd 0x000039cd 4 (0x4) psapi.dll C:\Nexon\Combat Arms\HShield\psapi.dll
EnumProcesses 0x76a634a9 0x000034a9 6 (0x6) psapi.dll C:\Nexon\Combat Arms\HShield\psapi.dll
EnumProcessModules 0x76a61a8a 0x00001a8a 5 (0x5) psapi.dll C:\Nexon\Combat Arms\HShield\psapi.dll
GetDeviceDriverBaseNameA 0x76a61748 0x00001748 7 (0x7) psapi.dll C:\Nexon\Combat Arms\HShield\psapi.dll
GetDeviceDriverBaseNameW 0x76a61823 0x00001823 8 (0x8) psapi.dll C:\Nexon\Combat Arms\HShield\psapi.dll
GetDeviceDriverFileNameA 0x76a616cd 0x000016cd 9 (0x9) psapi.dll C:\Nexon\Combat Arms\HShield\psapi.dll
GetDeviceDriverFileNameW 0x76a617c7 0x000017c7 10 (0xa) psapi.dll C:\Nexon\Combat Arms\HShield\psapi.dll
GetMappedFileNameA 0x76a61945 0x00001945 11 (0xb) psapi.dll C:\Nexon\Combat Arms\HShield\psapi.dll
GetMappedFileNameW 0x76a6187f 0x0000187f 12 (0xc) psapi.dll C:\Nexon\Combat Arms\HShield\psapi.dll
GetModuleBaseNameA 0x76a61d2f 0x00001d2f 13 (0xd) psapi.dll C:\Nexon\Combat Arms\HShield\psapi.dll
GetModuleBaseNameW 0x76a61cb2 0x00001cb2 14 (0xe) psapi.dll C:\Nexon\Combat Arms\HShield\psapi.dll
GetModuleFileNameExA 0x76a61c4a 0x00001c4a 15 (0xf) psapi.dll C:\Nexon\Combat Arms\HShield\psapi.dll
GetModuleFileNameExW 0x76a61bcd 0x00001bcd 16 (0x10) psapi.dll C:\Nexon\Combat Arms\HShield\psapi.dll
GetModuleInformation 0x76a61d97 0x00001d97 17 (0x11) psapi.dll C:\Nexon\Combat Arms\HShield\psapi.dll
GetPerformanceInfo 0x76a6382d 0x0000382d 18 (0x12) psapi.dll C:\Nexon\Combat Arms\HShield\psapi.dll
GetProcessImageFileNameA 0x76a637a9 0x000037a9 19 (0x13) psapi.dll C:\Nexon\Combat Arms\HShield\psapi.dll
GetProcessImageFileNameW 0x76a6371b 0x0000371b 20 (0x14) psapi.dll C:\Nexon\Combat Arms\HShield\psapi.dll
GetProcessMemoryInfo 0x76a635c2 0x000035c2 21 (0x15) psapi.dll C:\Nexon\Combat Arms\HShield\psapi.dll
GetWsChanges 0x76a636e1 0x000036e1 22 (0x16) psapi.dll C:\Nexon\Combat Arms\HShield\psapi.dll
InitializeProcessForWsWatch 0x76a6369d 0x0000369d 23 (0x17) psapi.dll C:\Nexon\Combat Arms\HShield\psapi.dll
QueryWorkingSet 0x76a61e8b 0x00001e8b 24 (0x18) psapi.dll C:\Nexon\Combat Arms\HShield\psapi.dll
QueryWorkingSetEx 0x76a61ec7 0x00001ec7 25 (0x19) psapi.dll C:\Nexon\Combat Arms\HShield\psapi.dll
5) V3Warp(d)(n)s.v3d:
- The anti-hacking engine pattern file
- Not too sure exactly what this does, but it reads the 3N.mhe file
6) EagleNT.sys:
- The Hack Shield kernel driver
- Performs anti-hacking functions, protects the game client's process, and hooks certain APIs, rendering them useless
- If successfully uninitiated, it could enable the use of many APIs and functions such as Read/WriteProcessMemory.
2. Hack Shield Flow
Here is a graphical chart explaining how all the components work together:
[IMG]https://i254.photobucke*****m/albums/hh113/McElf223/structure.jpg[/IMG]
Here is a graphical chart explaining how Hack Shield is started:
[IMG]https://i254.photobucke*****m/albums/hh113/McElf223/hs_pc.jpg[/IMG]
**If I were you I would pay attention to those function names!
3. Bypassing Theory
So, we got some nice information about Hack Shield. How do we bypass it? I will tell you right now, I'm going to show you some very unconventional and new ideas. Say goodbye to your petty API and ASM bypasses, and say hello to your new best friend: detouring. Before we continue, you should have a strong foundation in detouring. If you don't, I recommend watching this.
So what functions do we detour? In reality, you are going to be detouring CallBack. The CallBack function in Hack Shield collects data from the Hack Shield service. The data is usually errors or "Hack Detected" type messages. The goal of course is to stop it from getting the Hack Detected messages, or stop it from alerting the game client that there is a "Hack Detected" message. The first goal is to find the actual name of the function. The next step is to rebuild the params of the function. The next step is to find the address of this function. Then finally you detour it. Here is my example (not working probably):
Code:
////// Declares //////
#define CallBackAddy 0x0000001
typedef int ( *PFN_AhnEH_Callback)( long lCode, long lParamSize, void* pParam ); //the name of the function actually is PFN_AhnEH_Callback
PFN_AhnEH_Callback pAhnEH_Callback; //Defining our function
//////

////// Our new function //////
int _CallBackThread()
{
    DWORD dwCode = YOUR_CODE_TO_PASS;
    int myReturn = pAhnEH_Callback(dwCode, 0, NULL);
    return myReturn;
}
//////

////// Our Detour //////
pAhnEH_Callback = (PFN_AhnEH_Callback)DetourFunction( (PBYTE)( Ehsvc + CallBackAddy ), (PBYTE)_CallBackThread());
//////
//////
This is just pseudocode, but hopefully you get the idea. The hard part is finding the address of the function. I have my way of getting it, but I'm leaving it up to you to figure out how to get the address. I don't want to completely hand-feed you a working bypass. There are a couple of ways to get it.
As a conclusion, I just want to say that you need to use your imagination! Find different functions. Find different ways to bypass. Rip Hack Shield apart. Keep in mind that you can gain access to hooked functions by stopping the Hack Shield anti-hack service.