Methods Reduce Being Detected

[[MPGH]Flengo]

Well I'm just looking for some help. My hack currently works. Mostly simple features. All my strings are encrypted, but I'm crashing in about 2 minutes into a game.

Its being detected by HS. I'm crashing with the Ending Banner showing at the end.

Anyone have suggestions to help? Would be appreciated

Thanks.

EDIT: I'm pretty sure its my memory editing function. Any ideas would be nice.

[Saltine]

Research polymorphic techniques utilized by viruses to "morph" the program at run time, rendering it impossible to detect by signature. Also, PEB hiding is another technique you should research. Shoot me a PM if you have any questions!
Edit: Off topic- I like the UI :P

[[MPGH]Flengo]

Research polymorphic techniques utilized by viruses to "morph" the program at run time, rendering it impossible to detect by signature. Also, PEB hiding is another technique you should research. Shoot me a PM if you have any questions!
Edit: Off topic- I like the UI :P

PEB Hiding is something I looked into. Still crashing. ALL of my strings are encrypted.

[GodDamnFrank]

Its your memory edit function. Engine nametags suck anyways and the only good memory hacks are super bullets and weapon range. Find a better function.

[[MPGH]Flengo]

Its your memory edit function. Engine nametags suck anyways and the only good memory hacks are super bullets and weapon range. Find a better function.

I tried editing it up. Still failing.

[Saltine]

Did you test the hack with all the functionality commented out, but the menu still left? This would tell you if it happened to be the detours or your rendering.

[matypatty]

hide module and polymorphic, look in my base for an example. could also be detours.

[[MPGH]Flengo]

Did you test the hack with all the functionality commented out, but the menu still left? This would tell you if it happened to be the detours or your rendering.

Yes I tried that. I tried someone's working detours, still working on their PUB.

hide module and polymorphic, look in my base for an example. could also be detours.

I looked into your base, tried.

Code:

#include <Windows.h>
#include "Base.h"
#include "Poly.h"

void EraseHeaders(HINSTANCE hModule)
{
	PIMAGE_DOS_HEADER pDoH; 
	PIMAGE_NT_HEADERS pNtH;
	DWORD i, ersize, protect;

	if (!hModule) return;
	
	// well just to make clear what we doing
	pDoH = (PIMAGE_DOS_HEADER)(hModule);

	pNtH = (PIMAGE_NT_HEADERS)((LONG)hModule + ((PIMAGE_DOS_HEADER)hModule)->e_lfanew);

	ersize = sizeof(IMAGE_DOS_HEADER);
	if ( VirtualProtect(pDoH, ersize, PAGE_READWRITE, &protect) )
	{
		for ( i=0; i < ersize; i++ )
				*(BYTE*)((BYTE*)pDoH + i) = 0;
	}

	ersize = sizeof(IMAGE_NT_HEADERS);
	if ( pNtH && VirtualProtect(pNtH, ersize, PAGE_READWRITE, &protect) )
	{
		for ( i=0; i < ersize; i++ )
				*(BYTE*)((BYTE*)pNtH + i) = 0;
	}
	return;
}

void HideModule(HINSTANCE hModule)
{
	DWORD dwPEB_LDR_DATA = 0;
	_asm
	{
		pushad;
		pushfd;
		mov eax, fs:[30h]           
		mov eax, [eax+0Ch]          
		mov dwPEB_LDR_DATA, eax		

			mov esi, [eax+0Ch]			
		mov edx, [eax+10h]			

LoopInLoadOrderModuleList: 
		lodsd		            
			mov esi, eax			
			mov ecx, [eax+18h]		
		cmp ecx, hModule		
			jne SkipA				
			mov ebx, [eax]		
		mov ecx, [eax+4]	
		mov [ecx], ebx		
			mov [ebx+4], ecx	
			jmp InMemoryOrderModuleList  
SkipA:
		cmp edx, esi       
			jne LoopInLoadOrderModuleList 

InMemoryOrderModuleList:
		mov eax, dwPEB_LDR_DATA	
			mov esi, [eax+14h]   
		mov edx, [eax+18h]  

LoopInMemoryOrderModuleList: 
		lodsd
			mov esi, eax
			mov ecx, [eax+10h]
		cmp ecx, hModule
			jne SkipB
			mov ebx, [eax] 
		mov ecx, [eax+4]
		mov [ecx], ebx
			mov [ebx+4], ecx
			jmp InInitializationOrderModuleList
SkipB:
		cmp edx, esi
			jne LoopInMemoryOrderModuleList

InInitializationOrderModuleList:
		mov eax, dwPEB_LDR_DATA 
			mov esi, [eax+1Ch]	    
		mov edx, [eax+20h]	    

LoopInInitializationOrderModuleList: 
		lodsd
			mov esi, eax		
			mov ecx, [eax+08h]
		cmp ecx, hModule		
			jne SkipC
			mov ebx, [eax] 
		mov ecx, [eax+4]
		mov [ecx], ebx
			mov [ebx+4], ecx
			jmp Finished
SkipC:
		cmp edx, esi
			jne LoopInInitializationOrderModuleList

Finished:
		popfd;
		popad;
	}
}

unsigned char APIENTRY DllMain( HMODULE hModule,
					   DWORD  ul_reason_for_call,
					   LPVOID lpReserved
					 )
{

	if(ul_reason_for_call == DLL_PROCESS_ATTACH)
	{
		EraseHeaders(hModule);
		HideModule(hModule);
		Poly.DestroyAndMorphSection( hModule, ".init" );

		CreateThread(0, 0, CBase::MainThread, 0, 0, 0);
		//CreateThread(0, 0, CBase::DIPHook, 0, 0, 0);
	}

	return TRUE;
}

#pragma code_seg()

[matypatty]

Yes I tried that. I tried someone's working detours, still working on their PUB.



I looked into your base, tried.

Code:

#include <Windows.h>
#include "Base.h"
#include "Poly.h"

void EraseHeaders(HINSTANCE hModule)
{
	PIMAGE_DOS_HEADER pDoH; 
	PIMAGE_NT_HEADERS pNtH;
	DWORD i, ersize, protect;

	if (!hModule) return;
	
	// well just to make clear what we doing
	pDoH = (PIMAGE_DOS_HEADER)(hModule);

	pNtH = (PIMAGE_NT_HEADERS)((LONG)hModule + ((PIMAGE_DOS_HEADER)hModule)->e_lfanew);

	ersize = sizeof(IMAGE_DOS_HEADER);
	if ( VirtualProtect(pDoH, ersize, PAGE_READWRITE, &protect) )
	{
		for ( i=0; i < ersize; i++ )
				*(BYTE*)((BYTE*)pDoH + i) = 0;
	}

	ersize = sizeof(IMAGE_NT_HEADERS);
	if ( pNtH && VirtualProtect(pNtH, ersize, PAGE_READWRITE, &protect) )
	{
		for ( i=0; i < ersize; i++ )
				*(BYTE*)((BYTE*)pNtH + i) = 0;
	}
	return;
}

void HideModule(HINSTANCE hModule)
{
	DWORD dwPEB_LDR_DATA = 0;
	_asm
	{
		pushad;
		pushfd;
		mov eax, fs:[30h]           
		mov eax, [eax+0Ch]          
		mov dwPEB_LDR_DATA, eax		

			mov esi, [eax+0Ch]			
		mov edx, [eax+10h]			

LoopInLoadOrderModuleList: 
		lodsd		            
			mov esi, eax			
			mov ecx, [eax+18h]		
		cmp ecx, hModule		
			jne SkipA				
			mov ebx, [eax]		
		mov ecx, [eax+4]	
		mov [ecx], ebx		
			mov [ebx+4], ecx	
			jmp InMemoryOrderModuleList  
SkipA:
		cmp edx, esi       
			jne LoopInLoadOrderModuleList 

InMemoryOrderModuleList:
		mov eax, dwPEB_LDR_DATA	
			mov esi, [eax+14h]   
		mov edx, [eax+18h]  

LoopInMemoryOrderModuleList: 
		lodsd
			mov esi, eax
			mov ecx, [eax+10h]
		cmp ecx, hModule
			jne SkipB
			mov ebx, [eax] 
		mov ecx, [eax+4]
		mov [ecx], ebx
			mov [ebx+4], ecx
			jmp InInitializationOrderModuleList
SkipB:
		cmp edx, esi
			jne LoopInMemoryOrderModuleList

InInitializationOrderModuleList:
		mov eax, dwPEB_LDR_DATA 
			mov esi, [eax+1Ch]	    
		mov edx, [eax+20h]	    

LoopInInitializationOrderModuleList: 
		lodsd
			mov esi, eax		
			mov ecx, [eax+08h]
		cmp ecx, hModule		
			jne SkipC
			mov ebx, [eax] 
		mov ecx, [eax+4]
		mov [ecx], ebx
			mov [ebx+4], ecx
			jmp Finished
SkipC:
		cmp edx, esi
			jne LoopInInitializationOrderModuleList

Finished:
		popfd;
		popad;
	}
}

unsigned char APIENTRY DllMain( HMODULE hModule,
					   DWORD  ul_reason_for_call,
					   LPVOID lpReserved
					 )
{

	if(ul_reason_for_call == DLL_PROCESS_ATTACH)
	{
		EraseHeaders(hModule);
		HideModule(hModule);
		Poly.DestroyAndMorphSection( hModule, ".init" );

		CreateThread(0, 0, CBase::MainThread, 0, 0, 0);
		//CreateThread(0, 0, CBase::DIPHook, 0, 0, 0);
	}

	return TRUE;
}

#pragma code_seg()

where did you start the code segment?

[[MPGH]Flengo]

where did you start the code segment?

Oh sorry. I just noticed that was there, shouldn't be there. Just ignore that I removed it.

[matypatty]

you need to start and end the code segment, then destroy and morph it

[[MPGH]Flengo]

you need to start and end the code segment, then destroy and morph it

Just tried that. Still crashed.