Bypass Ahnlab HACKSHIELD

[almich159]

Hello wise guys

Because thread:
https://www.mpgh.net/forum/366-projec...ackshield.html
is closed, i must open new one.

Time is goin on and the HackShiled made some upgrades.
Using advices from thread above, step by step (WinXP 32bit) cannot bypass HackShiled any more. HackShiled refresh hooks on keyboard and mouse after cca 10 seconds also openning AntiRootkit.exe or KernelDetective.exe cause sometimes alert "DETECT_GAME_HACK".

During experiments with both utilities and trying disable HackShiled tentacles i put HackShiled to state look like bypassed.
AntiRootkit.exe Ring0 Hooks still have Hooks on Keyboard and mouse, but Hackshiled not blocked input from extarnal programs, also message "DETECT_GAME_HACK" was not appear. So, must exist way how to bypass it. Unfortunatelly repeat that solution is out of my ability now.

So please, if somebody know solution how to bypass HackShiled or find new solution, poste it here, or give valuable link.
I would like to use special keyboard and mouse buttons also macros, and this piece of crap software try command me what I can do with my own computer.
I think, any good writen online game with external server does not need such a "anti hackshiled" to persecute its gamers.

[[MPGH]Time]

[notice]Thread Moved[/notice]

I don't think there is any bypass available as of now but ill let this be open for a while . In case lannyboy has something to offer.

[lannyboy]

well, i am using bypassing hackshield technology to make project blackout works. but different games have different hackshield offsets to patch. it is better you get a proper method to bypass.



---------- Post added at 10:44 PM ---------- Previous post was at 10:42 PM ----------

btw, hackshield SSTD inline hook can be easily unhooked just make a driver and overwrite the offset that they hooked at. but don't play with driver if you don't know anything. you may destroy you pc. BSOD, scary?

---------- Post added at 11:07 PM ---------- Previous post was at 10:44 PM ----------

in case you want to play with driver, this is the current project blackout hackshield's SSDT inline hook offsets that i found:

Code:

#define ZwSetContextThread	  0x805D2C45
#define ZwWriteVirtualMemory	  0x805B43DC
#define ZwSetLtdEntries		  0x805D482C
#define NtDeviceIoControlFile	  0x8057928E
#define ZwGetContextThread1	  0x805D2A64
#define NtOpenProcess		  0x805CB461
#define KeUnstackDetachProcess    0x804F8A3E
#define ZwWriteFileGather	  0x8058085A
#define ZwProtectVirtualMemory    0x805B842E
#define ZwQueryPerformanceCounter 0x80617F9D
#define NtClose			  0x805BC551
#define ZwReadVirtualMemory       0x805B42D2
#define ZwGetContextThread2	  0x805D2A35

[almich159]

Hello and thanks for response

Mayby it is like lannyboy said "just make a driver and overwrite the offset that they hooked at". Have the ability to do that, I will made it. Long time ago I played with assembler and CPU Z80, so I understand a little bit the mechanisms of memory adress, but don´t know many other thinks to do this kind of task.

The game I would like free from HackShiled is Metin2. Here is listed some SSDT informations.

[XueTr][SSDT]: 4
Index; Fun Name; Current Entry; Hook; Original Entry; Module[*]122; NtOpenProcess; 0x8204E0A8->0xEEB9D160; inline hook; 0x805719AC;C:\WINDOWS\system32\drivers\EagleXNt.sy s[*]137; NtProtectVirtualMemory; 0x822D64C0->0xEEB9C970; inline hook; 0x80571E96; C:\WINDOWS\system32\drivers\EagleXNt.sys[*]186; NtReadVirtualMemory; 0x82128F20->0xEEB9D450; inline hook; 0x8057E4B8; C:\WINDOWS\system32\drivers\EagleXNt.sys[*]277; NtWriteVirtualMemory ; 0x82056618->0xEEB9D5C0; inline hook; 0x8057E60A; C:\WINDOWS\system32\drivers\EagleXNt.sys

On another computer the Index is same and second value of Current Entry is also same.
When wipe this hooks, they are restored some second after.


Probably another way how to bypass HackShield is:
When the game started by open Metin2.exe
At first time patcher is run, it update game and replace files with bad CRC
It also update and repair HackShiled
Then it run program ./hshield/hsupdate.exe
And hsupdate.exe made check and run HackShiled, then it return somethink like "OK" signal back to game and the game started.

Game can by started by command "start metin2client.bin" which bypass update and run ./hshield/hsupdate.exe
If I rename for example calc.exe and put it as hsupdate.exe to hshield folder, game start calculator instead real hsupdate.exe
But game end with message HACK_SHIELD_UPDATE_ERROR
So my speculation is, that Metin2 and HackShiled are very separated programs.
metin2client.bin run /hshield/hsupdate.exe and expect some returned value that everythink is OK.

Have utility to monitoring comunication between ./hshield/hsupdate.exe and metin2client.bin, probably I can make own application that only return value "everythink is ok", and finaly the game start withnout HackShiled.

In that case Metin2 can be started under unprivileged user account and any other fucking rootkit cannot fuck my virgin system.

Which application can be used to monitoring communication between programs?

[lannyboy]

Hello and thanks for response

Mayby it is like lannyboy said "just make a driver and overwrite the offset that they hooked at". Have the ability to do that, I will made it. Long time ago I played with assembler and CPU Z80, so I understand a little bit the mechanisms of memory adress, but don´t know many other thinks to do this kind of task.

The game I would like free from HackShiled is Metin2. Here is listed some SSDT informations.

[XueTr][SSDT]: 4
Index; Fun Name; Current Entry; Hook; Original Entry; Module[*]122; NtOpenProcess; 0x8204E0A8->0xEEB9D160; inline hook; 0x805719AC;C:\WINDOWS\system32\drivers\EagleXNt.sy s[*]137; NtProtectVirtualMemory; 0x822D64C0->0xEEB9C970; inline hook; 0x80571E96; C:\WINDOWS\system32\drivers\EagleXNt.sys[*]186; NtReadVirtualMemory; 0x82128F20->0xEEB9D450; inline hook; 0x8057E4B8; C:\WINDOWS\system32\drivers\EagleXNt.sys[*]277; NtWriteVirtualMemory ; 0x82056618->0xEEB9D5C0; inline hook; 0x8057E60A; C:\WINDOWS\system32\drivers\EagleXNt.sys

On another computer the Index is same and second value of Current Entry is also same.
When wipe this hooks, they are restored some second after.


Probably another way how to bypass HackShield is:
When the game started by open Metin2.exe
At first time patcher is run, it update game and replace files with bad CRC
It also update and repair HackShiled
Then it run program ./hshield/hsupdate.exe
And hsupdate.exe made check and run HackShiled, then it return somethink like "OK" signal back to game and the game started.

Game can by started by command "start metin2client.bin" which bypass update and run ./hshield/hsupdate.exe
If I rename for example calc.exe and put it as hsupdate.exe to hshield folder, game start calculator instead real hsupdate.exe
But game end with message HACK_SHIELD_UPDATE_ERROR
So my speculation is, that Metin2 and HackShiled are very separated programs.
metin2client.bin run /hshield/hsupdate.exe and expect some returned value that everythink is OK.

Have utility to monitoring comunication between ./hshield/hsupdate.exe and metin2client.bin, probably I can make own application that only return value "everythink is ok", and finaly the game start withnout HackShiled.

In that case Metin2 can be started under unprivileged user account and any other fucking rootkit cannot fuck my virgin system.

Which application can be used to monitoring communication between programs?

i don't play metin2, so i do not know much of the game. well, you must know one thing. even you can run without hackshield, but metin2 itself has a checking method communicating to hackshield method(s). it will send hackshield for acknowledgement to make sure hackshield is always running. it will check for a preset interval timer (probably every 1 min?). if it doesn't get what hackshield reply, it will probably just boot you out with error message. not only metin2, but all games with anti-cheat program have this method to get acknowledge contact with their own anti-cheat program.

you must know what has it done inside (its architecture) the anti-cheat program before you really try on something. otherwise, you could only wasting your time. like i mentioned up there. disable the hackshield crcselfcheck, then only change the hackshield behaviours. it will become pointless if you never disable those checking and try your stuffs on it.

now does this make sense for you?

[almich159]

Yes thanks.

Must say that few weeks ago was bypassing HackShiled very easy.
Just run metin by comand "start metin2client.bin" under unprivileged user.
Nothin else. HackShiled was not started and game work fine.

Disassemble program and understand it on assembler level is out of my possibilities now. So all I can try is to putting system to state when HackShiled is out of function.
Once a time it happend, but I can't reproduce unfortunately.

I feel that bypassing HackShil will by very easy, just to KNOW HOW.

[lannyboy]

Yes thanks.

Must say that few weeks ago was bypassing HackShiled very easy.
Just run metin by comand "start metin2client.bin" under unprivileged user.
Nothin else. HackShiled was not started and game work fine.

Disassemble program and understand it on assembler level is out of my possibilities now. So all I can try is to putting system to state when HackShiled is out of function.
Once a time it happend, but I can't reproduce unfortunately.

I feel that bypassing HackShil will by very easy, just to KNOW HOW.

few weeks ago able to bypass by this method? serious??? this "game<->anti-cheat" bi-communication checking existed very early ago. so, if you skip the anti-cheat program without altering the check method in that game, you will get booted!

[almich159]

Truly this bypassed HackShiled.

Using that command was official advice from game masters, for reason that HackShiled made problems. I don't use any hack which nonstandartly manipulate with game, I only use the keyboard and mouse macros for special keys, so maby there was another level of check which I don´t touch.
This bypass is still function with game client 2 months old. But into game was added some new thinks and playing with old client cause game crash very often.

Metin2 have fixed keys for all game actions, like movement and using thinks. Very stupid cause for basic actions you must also use SHIFT CTRL and ALT shifters. So all I need is using my keyboard and mouse with my layout which is much more user friendly.

[GERMANY132816]

hahahaha xDDDDDD


Hackshield: GameHack detected

[almich159]

haha?
Still working with OLD CLIENT.