hmm ineresting
Well, here is an idea that is working for me. This idea just came to me; I like to play around and try new things, even when I used to be a black hat, so when I spread my coded trojans around I would always encrypt them with my own crypter that I made in C#.
Step 1: Obfuscate your DLL, or encrypt it, or change values. (I just changed a few values, here is how I did it.)
Step 2: Download gimp photo editor
Step 3: Name your D3D hack "gimp.dll"
Step 4: GO BACK TO YOUR DLL IN C++, NOW, RENAME VALUES TO GIMP VALUES. LIKE GIMP, CONTRAST etc.. values that gimp uses.
Step 5: Go in windows guest mode.
Step 6: Inject your hack
Step 7: Hack.
So the key things are: rename your hack gimp.dll, obfuscate it and change the strings, chars, DWORDs, HWNDs to stuff like "gimp", "contrast", "color", "gradient"
Rename your hack gimp.dll
MAKE SURE GIMP IS OPEN. (photo editor)
MAKE SURE YOU'RE IN GUEST MODE.
Profit.
My bypass was patched, I did this and now it's working. (You need the source of your bypass, not just the file.)
Last edited by scriptkiddy; 10-07-2009 at 10:28 AM.
wtf r u talking about???
scriptkiddy you confuse me greatly. You seem like you know a lot, but it's... idk how to put this. Bits and pieces all over the place so it's really hard for me to get any idea about you :/
K questions:
1. Where did you get source for a bypass?
2. How would renaming it to GIMP stuff help. I'm confused. The names of variables are arbitrary, it all gets destroyed when it's assembled. Right?
3. You used to be a black hat hacker? Like what? Please explain...
4. A bunch of other questions that I'm not really sure how to ask... o_O
I'm not an expert or anything, but it looks like it wouldn't reassemble correctly.
I see how this could work, but wouldn't changing the names in the script cause bugs when you try to compile?
Also, changing names or binary values would leave some logical gates open or closed and it would not work.
Nope.
Definitely nope. Haha, logical gates... that's one thing to call a boolean. Maybe people would actually think I'm smart if I started calling every variable neat names. o_O.... hmmm... must give this a try sometime.
Originally Posted by linuxandmegasrulz
All I really want to know is which one of the things he did is absolutely necessary. Right now I think it's something to do with gimp.dll, but idk. I do believe only one of those things is really necessary.
I need more information on:
1. How the bypass was made
2. The importance of gimp
3. How the bypass was tested.
.... to come up with a verdict.
Last edited by why06jz; 10-07-2009 at 04:59 PM.
1. I made it.
2. Not true, it depends on the language in which it was coded. For example, C# is totally visible and can easily be disassembled with .NET Reflector. Assuming a hack-shield works the same as a virus scanner, it would pick up certain hex values in the program and mark those as malware. For example, if a virus scanner finds "stub" in its hex value, it is marked as a virus.
Encrypting and decrypting is extremely important too; I used to do it all the time, extremely helpful.
As you know, sometimes DLLs and executable files are detected because of their icons and file names. Changing this is helpful, same with changing assembly information.
3. Malicious files, rats, activeX startup, trojans, keyloggers. I never really infected anybody with my files. I just tested them on my own virtual machine. ActiveX startup, and runPE injection.
If you encrypt a DLL, or any executable file, it will be much harder for any software to detect it.
For EXE files, you would pack its data into a stub file, encrypt it with RC4, and blowfish, or some more advanced methods. You would then make it run in memory, so it would be virtually undetectable (Never tested this on hack shields)
For DLL files, you would basically do the same as an EXE file, but of course, it would be very different.
In other situations, if you download a file named Gimp.exe, then you run a virus named Gimp.exe, assuming the hack shield detects a file the same way that the virus scanner does, it would get confused, and sometimes (if it is a crappy scanner) it would be less detectable.
If you scan something on a virus scanner, and it is 23/23, by simply changing the icon, changing strings, assembly information, and other small things, it will drop to 15/23 easily. Of course, this is what an encrypter does (basically, it takes the file info and stores it into the stub, encrypts the data, then decrypts it and runs it in memory)
Also, this next part has nothing to do with game hacking but:
From my experience as a black hat: never download anything you are unsure of. Even if it's 0/41. It can easily be encrypted, or even remade so that it is FUD.
Don't always trust something because the virus scanner says it is safe. Bypassing scanners is a very easy task.
Good luck guys, hopefully my advice can help people in security and in game hacking.
Last edited by scriptkiddy; 10-07-2009 at 09:22 PM.
Well, your first response already got my respect, but the later ones only helped to humble me further. You seem to know a lot about reversing. I know in languages that use a runtime environment such as Java with the JVM and C# with the CLR, that the bytecode for that runtime is apparently very easy to reverse... though I have had no experience doing so. I'm still learning ASM.
Also so let me get this straight. The gimp.exe is running at the same time as the gimp.dll ... So the scanner might get confused when it locates the gimp.dll?
Also did you code the bypass in C#? since you were talking about how the variable names still exist in the byte code?
1. Not really, I can't actually prove it, but I find that renaming things to processes that you already have open always helps me. I can't actually prove that it will confuse the scanner, but it may reduce the chance of detection if a bug occurs.
2. Yeah, I am good at C#, but learning C++ so I can be even better.
Sorry, I am not really getting what you guys are trying to say.