
    Hackshield Bypass (worked 3 months ago)

    i have this in an old VIP base of mine, it worked 3 months ago, so i'm betting it would still work if updated!

    this is just the header file because thats all i can find now >.>

    hsmethod.h
    Code:
    #pragma warning(disable:4102)
    
    // Choke: returns a newly allocated, NUL-terminated copy of the input in which
    // every byte has had the constant (22 + 8 + 11 + 9 + 2012) subtracted.
    // The result is narrowed back to char, so in practice this is a fixed
    // per-byte shift (the sum taken modulo 256 on an 8-bit char).
    // Despite the parameter name, the callers in this file pass the *obfuscated*
    // literals, so this routine is the decoder that recovers the readable text
    // at run time. A fixed shift like this is string obfuscation, not encryption:
    // it only keeps the values out of a plain static strings scan.
    // The caller owns the returned buffer (allocated with new[]).
    char* Choke(const char* plaintext)
    {
        const int shift = 22 + 8 + 11 + 9 + 2012;
        const int len = strlen(plaintext);
        char* decoded = new char[len + 1];

        int i = 0;
        while (i < len)
        {
            decoded[i] = plaintext[i] - shift;   // narrowed to char on store
            ++i;
        }

        decoded[len] = 0;                        // terminate the output string
        return decoded;
    }
    
    // lGetModuleHandle: returns the handle of an already-loaded module, and
    // falls back to LoadLibrary when the module is not yet loaded in the process.
    // Returns NULL when both calls fail.
    // NOTE(review): szModule is handed to LoadLibrary unchanged; if callers pass a
    // bare file name rather than a full path, the normal DLL search order decides
    // which file is loaded - confirm against callers.
    HINSTANCE lGetModuleHandle(CHAR *szModule)
    {
        HINSTANCE alreadyLoaded = GetModuleHandle(szModule);
        if (alreadyLoaded)
        {
            return alreadyLoaded;
        }
        return LoadLibrary(szModule);
    }
    
    // Memcpy1: byte-wise copy of `len` bytes from lpSrc to lpMem after switching
    // the destination range to PAGE_READWRITE with VirtualProtect.
    // Returns 0 when VirtualProtect succeeded and the copy ran, 1 when it failed
    // (the reverse of the usual BOOL convention).
    // The previous protection is captured in lpflOldProtect but never restored, so
    // the touched pages stay PAGE_READWRITE afterwards. From a defender's side that
    // is an observable artifact: pages inside a loaded image whose protection no
    // longer matches what the module's section headers declare.
    BOOL Memcpy1(VOID *lpMem,VOID *lpSrc,DWORD len)
    {
    DWORD lpflOldProtect, flNewProtect = PAGE_READWRITE;
    unsigned char *pDst = (unsigned char *)lpMem, 
    *pSrc = (unsigned char *)lpSrc;
    // Only write if the protection change was accepted.
    if (VirtualProtect(lpMem,len,flNewProtect,&lpflOldProtect))
    {
    while(len-- > 0) *pDst++ = *pSrc++;
    return 0;
    }
    return 1;
    }
    
    
    // HideModule: unlinks the loader entry whose base address equals hModule from
    // the three module lists reachable from the PEB (32-bit x86 layout, MSVC
    // inline assembly).
    //   fs:[30h]        -> PEB
    //   PEB+0Ch         -> loader data (saved in dwPEB_LDR_DATA)
    //   loader data+0Ch -> InLoadOrderModuleList            (base address read at entry+18h)
    //   loader data+14h -> InMemoryOrderModuleList          (base address read at entry+10h)
    //   loader data+1Ch -> InInitializationOrderModuleList  (base address read at entry+08h)
    // For each list the code follows forward links until it reaches the entry the
    // list head's backward link points to. On a match it rewrites the neighbours'
    // forward/backward links so the entry is skipped, then moves on to the next
    // list. pushad/pushfd and popfd/popad bracket the walk to keep registers and
    // flags unchanged for the surrounding C++ code.
    //
    // Defensive reading: only the linked lists are edited; nothing here unmaps the
    // DLL. Module enumeration that walks these lists would presumably stop
    // reporting the entry, while the image is still present in the address space.
    // Comparing mapped image regions against the loader lists is the usual way to
    // surface a module hidden this way.
    void HideModule(HINSTANCE hModule)
    {
    	DWORD dwPEB_LDR_DATA = 0;
    	_asm
    	{
    		pushad;
    		pushfd;
    		mov eax, fs:[30h]// PEB
    		mov eax, [eax+0Ch]// PEB->ProcessModuleInfo
    		mov dwPEB_LDR_DATA, eax// Save ProcessModuleInfo
    
    InLoadOrderModuleList:
    		mov esi, [eax+0Ch]// ProcessModuleInfo->InLoadOrderModuleList[FORWARD]
    		mov edx, [eax+10h]// ProcessModuleInfo->InLoadOrderModuleList[BACKWARD]
    
    		LoopInLoadOrderModuleList: 
    		    lodsd//  eax = [esi]: forward link of the current entry
    			mov esi, eax//  ESI points to Next Module
    			mov ecx, [eax+18h]//  LDR_MODULE->BaseAddress
    			cmp ecx, hModule//  Is it Our Module ?
    			jne SkipA//  If Not, Next Please
    		    	mov ebx, [eax]//  [FORWARD] Module 
    		    	mov ecx, [eax+4]//  [BACKWARD] Module
    		    	mov [ecx], ebx//  Previous Module's [FORWARD] Notation, Points to us, Replace it with, Module++
    		    	mov [ebx+4], ecx//  Next Modules, [BACKWARD] Notation, Points to us, Replace it with, Module--
    			jmp InMemoryOrderModuleList//  Hidden, so Move onto Next Set
    		SkipA:
    			cmp edx, esi//  Reached End of Modules ?
    			jne LoopInLoadOrderModuleList//  If Not, Re Loop
    
    // Same walk over the memory-order list; the base address sits at entry+10h here.
    InMemoryOrderModuleList:
    		mov eax, dwPEB_LDR_DATA//  PEB->ProcessModuleInfo
    		mov esi, [eax+14h]// ProcessModuleInfo->InMemoryOrderModuleList[START]
    		mov edx, [eax+18h]//  ProcessModuleInfo->InMemoryOrderModuleList[FINISH]
    
    		LoopInMemoryOrderModuleList: 
    			lodsd
    			mov esi, eax
    			mov ecx, [eax+10h]
    			cmp ecx, hModule
    			jne SkipB
    				mov ebx, [eax] 
    				mov ecx, [eax+4]
    				mov [ecx], ebx
    				mov [ebx+4], ecx
    				jmp InInitializationOrderModuleList
    		SkipB:
    			cmp edx, esi
    			jne LoopInMemoryOrderModuleList
    
    // Same walk over the initialization-order list; base address at entry+08h.
    InInitializationOrderModuleList:
    		mov eax, dwPEB_LDR_DATA//  PEB->ProcessModuleInfo
    		mov esi, [eax+1Ch]//  ProcessModuleInfo->InInitializationOrderModuleList[START]
    		mov edx, [eax+20h]//  ProcessModuleInfo->InInitializationOrderModuleList[FINISH]
    
    		LoopInInitializationOrderModuleList: 
    			lodsd
    			mov esi, eax		
    			mov ecx, [eax+08h]
    			cmp ecx, hModule		
    			jne SkipC
    				mov ebx, [eax] 
    				mov ecx, [eax+4]
    				mov [ecx], ebx
    				mov [ebx+4], ecx
    				jmp Finished
    		SkipC:
    			cmp edx, esi
    			jne LoopInInitializationOrderModuleList
    
    		Finished:
    			popfd;
    			popad;
    
    	}
    
    }
    
    // Shared scratch slot for the protection value VirtualProtect hands back.
    DWORD OldProtection;
    // MEMwrite: copies `size` bytes from ptr to adr, temporarily switching the
    // destination range to PAGE_EXECUTE_READWRITE and then putting back the
    // protection that the first VirtualProtect call reported.
    // Neither VirtualProtect return value is checked, so a refused protection
    // change is not detected before memcpy runs.
    // Defensive reading: a short-lived RWX transition on pages that belong to
    // another module's image, followed by a restore, is the pattern in-process
    // code patching leaves; the bytes on those pages then differ from the file
    // on disk.
    void MEMwrite(void *adr, void *ptr, int size)
    {
        VirtualProtect(adr,size,PAGE_EXECUTE_READWRITE, &OldProtection);
        memcpy(adr,ptr,size);
        VirtualProtect(adr,size,OldProtection, &OldProtection);
    }
    
    
    // DirectxBypass: looks up the base of the already-loaded "EHSvc.dll" and uses
    // MEMwrite to overwrite 1 to 6 bytes at a series of hard-coded offsets from
    // that base. The trailing comments are the author's own labels for what each
    // group targets (SelfCrC, AntiAsm, hook, main detection, DllJmp, AntiRestore,
    // NanoJmp). The base is not checked for 0 here; DirectX() checks it before
    // calling.
    // The byte strings are ordinary x86 opcodes (B8 imm32 = mov eax, imm32;
    // C3 = ret; 90 = nop; EB = short jmp; E9 = near jmp), i.e. the writes replace
    // checks with fixed results or unconditional branches.
    // The offsets are tied to one specific build of the DLL; the post itself says
    // they need updating.
    // Defensive reading: every check addressed here lives in the same process as
    // the code that rewrites it, which is why in-process integrity checks alone
    // are weak. Verifying the module's code pages against the on-disk image from
    // outside the process, plus server-side validation, does not depend on these
    // bytes staying intact.
    void DirectxBypass (void)
    {
    
    DWORD EhSvc = (long)GetModuleHandleA("EHSvc.dll");
    
    MEMwrite((void *)(EhSvc+0x1006102F),(void *)(PBYTE)"\xB8\x01\x00\x00\x00\xC3",6);//SelfCrC
    MEMwrite((void *)(EhSvc+0x1005FEFF),(void *)(PBYTE)"\xB8\x01\x00\x00\x00\xC3",6);//SelfCrC
    MEMwrite((void *)(EhSvc+0x1002E2AA),(void *)(PBYTE)"\x90\xE9",2);//SelfCrC
    
    MEMwrite((void *)(EhSvc+0x1001FB8C),(void *)(PBYTE)"\x90\x90",2);//AntiAsm
    MEMwrite((void *)(EhSvc+0x1001FC4C),(void *)(PBYTE)"\x90\x90",2);//AntiAsm
    
    MEMwrite((void *)(EhSvc+0x1006E56E),(void *)(PBYTE)"\xEB",1);//hook
    MEMwrite((void *)(EhSvc+0x1006E598),(void *)(PBYTE)"\xEB",1);//hook
    
    MEMwrite((void *)(EhSvc+0x1002C4CE),(void *)(PBYTE)"\x33",1);//main detection
    MEMwrite((void *)(EhSvc+0x1002C98F),(void *)(PBYTE)"\x33",1);//main detection
    
    MEMwrite((void *)(EhSvc+0x1006FD57),(void *)(PBYTE)"\xEB",1);//DllJmp
    
    MEMwrite((void *)(EhSvc+0x10068C93),(void *)(PBYTE)"\xEB",1);//AntiRestore
    MEMwrite((void *)(EhSvc+0x10068C09),(void *)(PBYTE)"\xEB",1);//AntiRestore
    
    MEMwrite((void *)(EhSvc+0x10029B0B),(void *)(PBYTE)"\xEB",1);//NanoJmp
    MEMwrite((void *)(EhSvc+0x10029C55),(void *)(PBYTE)"\xEB",1);//NanoJmp
    MEMwrite((void *)(EhSvc+0x10029D4F),(void *)(PBYTE)"\x31",1);//NanoJmp
    MEMwrite((void *)(EhSvc+0x10027EAF),(void *)(PBYTE)"\x31",1);//NanoJmp
    MEMwrite((void *)(EhSvc+0x1002BCB1),(void *)(PBYTE)"\x31",1);//NanoJmp
    MEMwrite((void *)(EhSvc+0x1002B098),(void *)(PBYTE)"\xEB",1);//NanoJmp
    MEMwrite((void *)(EhSvc+0x1002B1AC),(void *)(PBYTE)"\xEB",1);//NanoJmp
    MEMwrite((void *)(EhSvc+0x1002E2AA),(void *)(PBYTE)"\x31",1);//NanoJmp
    MEMwrite((void *)(EhSvc+0x1002C588),(void *)(PBYTE)"\xB8\x00\x00\x00\x00\x90",6);//NanoJmp
    MEMwrite((void *)(EhSvc+0x10075880),(void *)(PBYTE)"\x90\x90\x90\x90\x90",5);//NanoJmp
    
    }
    
    // DirectX: endless polling loop. Every 20 ms it checks whether "EHSvc.dll" is
    // loaded in the current process and, if so, calls DirectxBypass() again.
    // It never returns, so it is presumably meant to run on its own thread
    // (the thread creation is not part of this header).
    // Defensive reading: re-applying the same writes on a 20 ms timer produces a
    // steady stream of VirtualProtect calls against another module's image pages,
    // which is a behavioural signal independent of the exact offsets used.
    void DirectX(void)
    {
    for(;;)
    {
    DWORD EhSvc = (long)GetModuleHandleA("EHSvc.dll"); 
    if(EhSvc!=0)
    {
    DirectxBypass();
    }
    Sleep(20);
    }
    }
    
    
    // Obfuscated string constant; it is not referenced by any code visible in this
    // header.
    char *EHSv = "sv„q<rzz";//visto 
    
    // UB1..UB18: strings decoded by Choke() during static initialization. The
    // literals are stored byte-shifted so that the real values do not appear as
    // readable text in the compiled binary; HSADDIES() later parses the decoded
    // text as hexadecimal numbers.
    // The trailing labels (HS1, HS8, Anti1, anti2) repeat in a fixed cycle and look
    // copy-pasted rather than descriptive - treat them as unreliable.
    // For an analyst: a static strings scan will not show these values, but the
    // decoded copies exist on the heap once initialization has run.
    char  *UB1	=	Choke("CSAFT");// HS1
    char  *UB2	=	Choke("?S?AQ");//HS8
    char  *UB3	=	Choke("DQETF");//Anti1
    char  *UB4	=	Choke("DQF@@");//anti2
    char  *UB5	=	Choke("DRTRE");// HS1
    char  *UB6	=	Choke("DDTAA");//HS8
    char  *UB7	=	Choke("@?OC?");//Anti1
    char  *UB8	=	Choke("COP@>");//anti2       //<----------CHEATENGINE
    char  *UB9	=	Choke("COOSB");// HS1
    char  *UB10	=	Choke("@F@@E");//HS8
    char  *UB11	=	Choke("@O?FR");//Anti1
    char  *UB12	=	Choke("@frtP");//anti2
    char  *UB13	=	Choke("@F?BC");// HS1
    char  *UB14	=	Choke("@QEGO");//HS8
    char  *UB15	=	Choke("@OBCC");//Anti1
    char  *UB16	=	Choke("@GCFF");//anti2
    char  *UB17	=	Choke("DDTQG");// HS1
    char  *UB18	=	Choke("@F@AT");//HS8
    
    // Numeric offsets filled in by HSADDIES() from UB1..UB18 and consumed by LOL().
    // Addy19 and Addy20 are declared but never assigned or read in this header.
    //Address
    DWORD Addy1;
    DWORD Addy2;
    DWORD Addy3;
    DWORD Addy4;
    DWORD Addy5;
    DWORD Addy6;
    DWORD Addy7;
    DWORD Addy8;
    DWORD Addy9;
    DWORD Addy10;
    DWORD Addy11;
    DWORD Addy12;
    DWORD Addy13;
    DWORD Addy14;
    DWORD Addy15;
    DWORD Addy16;
    DWORD Addy17;
    DWORD Addy18;
    DWORD Addy19;
    DWORD Addy20;
    
    // HSADDIES: parses each decoded string UB1..UB18 as a hexadecimal number
    // (sscanf "%X") and stores the result in the matching Addy1..Addy18 global.
    // The sscanf return values are ignored, so a string that does not parse leaves
    // its Addy variable at whatever value it had before.
    // This is the second half of the obfuscation scheme: the offsets only exist as
    // numbers after this function has run.
    void HSADDIES ( void )
    {
    	sscanf(UB1,"%X", &Addy1);
    	sscanf(UB2,"%X", &Addy2);
    	sscanf(UB3,"%X", &Addy3);
    	sscanf(UB4,"%X", &Addy4);
    	sscanf(UB5,"%X", &Addy5);
    	sscanf(UB6,"%X", &Addy6);
    	sscanf(UB7,"%X", &Addy7);
    	sscanf(UB8,"%X", &Addy8);//<----------CHEATENGINE
    	sscanf(UB9,"%X", &Addy9);
    	sscanf(UB10,"%X", &Addy10);
    	sscanf(UB11,"%X", &Addy11);
    	sscanf(UB12,"%X", &Addy12);
    	sscanf(UB13,"%X", &Addy13);
    	sscanf(UB14,"%X", &Addy14);
    	sscanf(UB15,"%X", &Addy15);
    	sscanf(UB16,"%X", &Addy16);
    	sscanf(UB17,"%X", &Addy17);
    	sscanf(UB18,"%X", &Addy18);
    }
    
    // LOL: second variant of the patch loop. It defines a small set of named x86
    // byte sequences and, every 200 ms without end, writes them with Memcpy1 to
    // (base of "ehsvc.dll" + Addy1..Addy18). The Addy values must have been filled
    // in by HSADDIES() beforehand; that call is not made here.
    // The Memcpy1 return values are ignored. The function never returns.
    // The patch names describe the replacement instruction (for example
    // patch_oneretn = mov eax, 1 / ret, patch_dblnop = two nops, patch_jmpshort =
    // short-jump opcode).
    // Defensive reading: the writes are repeated on a timer rather than applied
    // once, which presumably means the target re-checks or restores its own code.
    // Periodic protection changes and writes into the image of a protection
    // module, from another module in the same process, are the observable
    // behaviour.
    void LOL()
    {
    
    static char patch_oneretn[]=   "\xb8\x01\x00\x00\x00\xc3";
    static char patch_moveax[]=    "\x90\xb8\x00\x00\x00\x00";
    static char patch_jmpout[]=    "\xe9\x7e\x0a\x00\x00";
    static char patch_dblnop[]=    "\x90\x90";
    static char patch_nopjmp[]=    "\x90\xE9";
    static char patch_cmpebp[]=    "\x3b\xed";
    static char patch_cmpebx[]=    "\x3b\xdb";
    static char patch_testeax[]=   "\x85\xc0";
    static char patch_jmpshort[]=  "\xeb";
    
    while (true) 
    {
    DWORD EhSvc=(DWORD)GetModuleHandleA("ehsvc.dll");
    Memcpy1((LPBYTE)(EhSvc+Addy1),(PBYTE)patch_oneretn,6);
    Memcpy1((LPBYTE)(EhSvc+Addy2),(PBYTE)patch_dblnop,2);
    Memcpy1((LPBYTE)(EhSvc+Addy3),(PBYTE)patch_jmpshort,1);
    Memcpy1((LPBYTE)(EhSvc+Addy4),(PBYTE)patch_jmpshort,1); 
    Memcpy1((LPBYTE)(EhSvc+Addy5),(PBYTE)patch_jmpshort,1); 
    Memcpy1((LPBYTE)(EhSvc+Addy6),(PBYTE)patch_jmpshort,1);
    Memcpy1((LPBYTE)(EhSvc+Addy7),(PBYTE)patch_cmpebp,2);
    Memcpy1((LPBYTE)(EhSvc+Addy8),(PBYTE)patch_jmpout,5);
    Memcpy1((LPBYTE)(EhSvc+Addy9),(PBYTE)patch_jmpout,5);
    Memcpy1((LPBYTE)(EhSvc+Addy10),(PBYTE)patch_testeax,2);
    Memcpy1((LPBYTE)(EhSvc+Addy11),(PBYTE)patch_testeax,2);
    Memcpy1((LPBYTE)(EhSvc+Addy12),(PBYTE)patch_jmpshort,1);
    Memcpy1((LPBYTE)(EhSvc+Addy13),(PBYTE)patch_jmpshort,1);
    Memcpy1((LPBYTE)(EhSvc+Addy14),(PBYTE)patch_nopjmp,2);
    Memcpy1((LPBYTE)(EhSvc+Addy15),(PBYTE)patch_moveax,6);
    Memcpy1((LPBYTE)(EhSvc+Addy16),(PBYTE)patch_cmpebx,2);
    Memcpy1((LPBYTE)(EhSvc+Addy17),(PBYTE)patch_jmpshort,1); 
    Memcpy1((LPBYTE)(EhSvc+Addy18),(PBYTE)patch_jmpshort,1);
    Sleep(200);
    }
    }
    there is your example, now go to town and have fun with CE (if your not lazy and update it...lol)

    Quote Originally Posted by luizimloko View Post
    boatos que esse bypass é de 5 anos atras
    It's because it was made ​​for WarRock Actually, the HS Can it be more outdated.


