Hacksheild Analysis WTF

[why06]

Ok, I've been searching around for quite a while now for this thread and when I finally found it I find it has been deleted. Could anyone give me a good explanation as to one of the most important threads has been utterly deleted from this site?!

https://www.mpgh.net/forum/164-combat...st1067748.html

Too be honest I'm kind of peeved. I can't find it anywhere now. I can't imagine why anyone would delete such an important thread...

[1337_Me]

Maybe so that if it was how to allow hacks to work they didnt want that or something...

so that there would be less people spamming hacks...

maybe..

[why06]

Eh? No. This wasn't that specific, so that anyone could just use it. It was just a write up someone did on Hacksheild, like a little essay that explained how the major parts of it interacted. There wasn't any actual code... Damit I should have saved it when I had the chance, but the other site it was on shutdown and MPGH deleted it >_>...

[headsup]

Why06 here you go, i think this is what you want..

Code:

Hi there, and welcome to my ultimate information dump on Hack Shield, one of the best Anti-Cheat services ever made. Today you will essentially learn what Hack Shield is made of, how Hack Shield works, and you will even learn some new bypassing ideas.

Index
Hack Shield Components
Hack Shield Flow
Bypassing Theory


Hack Shield Components

Hack Shield consists of:


1) EhSvc.dll:
EhSvc is the Hack Shield interface dll
It communicates between the game client and Hack Shield
It communicates with the Hack Shield driver (EagleNT.sys)
It initiates the hack tool detection engine
This is usually the only file needed to create a workable bypass

2) V3Pro32s.dll:
This is the hacking tool detection interface dll
This starts the hacking tool detection engine
This is helps the scanning
of known hack signatures
A very important file. This could interrupt the Hack Shield driver if correctly intercepted

3) 3N.mhe:
The Heuristic engine file
Contains the patterns used to search for known hacks

4) psapi.dll:
The process status helper dll
Helps scan process signatures and control process functions

5) V3Warp(d)(n)s.v3d:
The anti-hacking engine pattern file
Not to sure exactly what this does, but it reads the 3N.mhe file

6) EagleNT.sys:
The Hack Shield kernel driver
Performs anti-hacking functions, protects the game client's process, and hooks certain API's, rendering them useless
If successfully uninitiated, it could enable the use of many API's and functions such as Read/WriteProcessMemory.



	
Code:
	
**If I were you I would pay attention to those function names!



3. Bypassing Theory

So, we got some nice information about Hack Shield. How do we bypass it? I will tell you right now, I'm going to show you some very unconventional and new ideas. Say goodbye to your petty API and ASM bypasses, and say hello to your new best friend: detouring. Before we continue, you should have a strong foundation in detouring. If you don't, I recommend watching this.

So what functions do we detour? In reality, you are going to be detouring CallBack. The CallBack function in Hack Shield collects data from the Hack Shield service. The data is usually errors or "Hack Detected" type messages. The goal of course is to stop it from getting the Hack Detected messages, or stop it from alerting the game client that there is a "Hack Detected" message. The first goal is to find the actual name of the function. The next step is to rebuild the params of the function. The next step is to find the address of this function. Then finally you detour it. Here is my example (not working probably):

Code:
////// Declares //////
#define CallBackAddy 0x0000001
typedef int ( *PFN_AhnEH_Callback)( long lCode, long lParamSize, void* pParam ); //the name of the function actually is PFN_AhnEH_Callback
PFN_AhnEH_Callback pAhnEH_Callback; //Defining our function
//////

////// Our new function //////
int _CallBackThread()
{
DWORD dwCode = YOUR_CODE_TO_PASS;
int myReturn = pAhnEH_Callback(dwCode, 0, NULL);
return myReturn;
}
//////
////// Our Detour //////
pAhnEH_Callback = (PFN_AhnEH_Callback)DetourFunction( (PBYTE)( Ehsvc + CallBackAddy ), (PBYTE)_CallBackThread());
//////
This is just pseudo code, but hopefully you get the idea. The hard part is finding the address of the function. I have my way
of getting it, but I'm leaving it up to you to figure out how to get the address. I don't want to completely hand feed you a working bypass. There are a couple ways to get it.

Thank's me!!

[why06]

Yes! That's it. A million thankyous! Plus rep! Whatever you like!

Also do you have the second part too maybe? o_O

[headsup]

https://www.mpgh.net/forum/197-combat...urce-code.html

[Bombsaway707]

the threads not deleted.... it just doesnt show up but why06 why do u need it?

[why06]

the threads not deleted.... it just doesnt show up but why06 why do u need it?

For my own personal collection ofcourse, but also just to repost it so that other people can use it.

[Bombsaway707]

For my own personal collection ofcourse, but also just to repost it so that other people can use it.

ohh ok i gotcha

[why06]

ohh ok i gotcha

Yep. Now I have the whole thing saved for when I need it. It will save me a lot of time to already have a blueprint of HS so when I learn how to reverse and get my tools together I can just focus on the parts I already know are vulnerable.

[Bombsaway707]

Yep. Now I have the whole thing saved for when I need it. It will save me a lot of time to already have a blueprint of HS so when I learn how to reverse and get my tools together I can just focus on the parts I already know are vulnerable.

Cool! Lol looks like MPGH has a new bypass maker

[headsup]

lol Why06 Why he get banned lol...lol again cuz i'm stoned!!

[User1]

But its outdated isn't it? I coudln't find some of the files it said there...

[why06]

But its outdated isn't it? I coudln't find some of the files it said there...

It shouldn't be... what files?

[riceking]

Let me google that for you

Just what you need.

Read through entire post, yes its oudated