[Release]: Hackshield bypass.

09/06/2008 08:03 MrWise#76
Quote:
Originally Posted by hilete View Post
Requiem.rar:
Upload of file failed. :(
pm your email pls, i'll send it to you right away.
if you can email it then you can upload it somewhere, just do it.
09/06/2008 11:47 hilete#77
Quote:
Originally Posted by Layka0 View Post
of coz u can doubt ,
but myself i have same problems connecting and playing russian server with original exe and with fixed exe.

russian server is just sucking all the way, ive tried playing there, i have 26 lvl SH
and i cant play there even with orig exe, same shit happens: DC - unable to connect etc

ill repeat myself its just a server, offsets working pretty nice,
logic tells me you have connection problems (bad routing for example) AND protection issues, and i have protection issues only. :)

anyway, i changed j(n)z at these locations (as you can see it's 0x90 bytes away from english version.. if i remember correctly):
384402
3845B2
3bb800

nops placed here:
386B27

and there is a cycle with peekmessage(), which in some case goes to checking again:
38488f

could you upload original russian requiem.exe here please, cause I can't.

have anyone tried MzBot (v2) API? did it work? i am unable to make it work.
by MzBot v2 they mean proof-of-concept code that supposedly bypasses the NtUserSendInput hook
the code of dll is this:
Code:
.386
.model flat, stdcall
option casemap:none

include windows.inc
include kernel32.inc
includelib kernel32.lib


.DATA
	; Module-global state shared by the procs below.
	varSSID		dd 0 ; system-service index used by AltSendInput; written by InitMzBot, cleared to 0 by LibMain
	sDeviceName	db 92, 92, 46, 92, 116, 111, 66, 122, 77, 0 ; "\\.\toBzM", NUL-terminated, spelled out as byte values
	buffDrvOutput	dq 0 ; 8-byte output buffer for DeviceIoControl in InitMzBot; only its low DWORD is read back

.CODE
start:
;-----------------------------------------------------------------------
; BOOL LibMain(HINSTANCE hInstDLL, DWORD reason, LPVOID unused)
; DLL entry point (DllMain equivalent; "start" above jumps here).
; Clears varSSID unconditionally, for every reason code, so a service
; index stored by InitMzBot is lost on the next DLL_THREAD_ATTACH /
; DLL_THREAD_DETACH notification as well as on process attach.
; NOTE(review): the per-reason branches are all empty; the reset on
; every call looks unintended.
; Out:   eax = 1 (TRUE) always
;-----------------------------------------------------------------------
LibMain proc hInstDLL:DWORD, reason:DWORD, unused:DWORD
	mov varSSID, 0 ; runs for every reason, not just DLL_PROCESS_ATTACH
	.if reason == DLL_PROCESS_ATTACH
	
	.elseif reason == DLL_PROCESS_DETACH
	
	.elseif reason == DLL_THREAD_ATTACH
	
	.elseif reason == DLL_THREAD_DETACH
	
	.endif
	
	mov eax, 1 ; report success to the loader
	ret

LibMain endp

;-----------------------------------------------------------------------
; int InitMzBot(void)  -- no arguments, returns with a plain "ret"
; Opens the device "\\.\toBzM" and asks it, via DeviceIoControl, for a
; starting system-service index; the answer plus 1000h is stored in
; varSSID and returned. A "\\.\" name is a device object, so some
; kernel-mode driver (not part of this listing) must have created it;
; when it is absent, CreateFile fails and -1 is returned, which is the
; failure reported further down the thread.
; Out:   eax = varSSID on success, -1 if CreateFile failed,
;        -2 if DeviceIoControl failed
; Clobb: ebx (NOTE(review): callee-saved under stdcall/cdecl and not
;        restored here), ecx/edx via the Win32 calls, flags
;-----------------------------------------------------------------------
InitMzBot proc
	; CreateFile(sDeviceName, GENERIC_READ|GENERIC_WRITE,
	;            FILE_SHARE_READ|FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL)
	; stdcall: arguments are pushed right-to-left, callee pops them.
	push 0 ; hTemplateFile
	push 0 ; dwFlagsAndAttributes
	push 3 ; OPEN_EXISTING
	push 0 ; lpSecurityAttributes
	push 3 ; FILE_SHARE_READ | FILE_SHARE_WRITE
	push 0C0000000h ; GENERIC_READ | GENERIC_WRITE
	push OFFSET sDeviceName ; "\\.\toBzM"
	call CreateFile
	cmp eax, 0FFFFFFFFh ; INVALID_HANDLE_VALUE
	jne ContactDriver1
	
	; Device could not be opened (driver not loaded, or access denied): -1.
	mov eax, -1
	ret
ContactDriver1:
	; eax = device handle. It is pushed once here; the same stack slot is
	; later consumed as the argument of CloseHandle (stdcall pops it).
	push eax
	
	; Reserve one DWORD for lpBytesReturned and keep its address in ebx.
	; NOTE(review): ebx is callee-saved and never restored by this proc.
	push 0
	mov ebx, esp
	
	; DeviceIoControl(h, IOCTL_GET_STARTING_SERVICEID, NULL, 0,
	;                 &buffDrvOutput, 8, &bytesReturned, NULL)
	push 0 ; lpOverlapped
	push ebx ; lpBytesReturned
	push 8 ; nOutBufferSize: buffDrvOutput is a QWORD
	push OFFSET buffDrvOutput ; lpOutBuffer
	push 0 ; nInBufferSize
	push 0 ; lpInBuffer -- no input data
	push 0A9002A40h ; IOCTL_GET_STARTING_SERVICEID = CTL_CODE(0xA900, 0x0A90, METHOD_BUFFERED, FILE_ANY_ACCESS)
	push eax ; hDevice (eax still holds the handle)
	call DeviceIoControl
	cmp eax, 0
	jne ContactDriver2
	
	; IOCTL failed: drop the lpBytesReturned slot, close the handle
	; (its slot is now on top of the stack) and report -2.
	add esp, 4
	call CloseHandle
	mov eax, -2
	ret
	
ContactDriver2:
	; Success: same cleanup, then read the driver's answer.
	add esp, 4
	call CloseHandle
	; Only the low DWORD of the 8-byte output buffer is used (little-endian).
	mov eax, OFFSET buffDrvOutput
	mov eax, [eax]
	add eax, 01000h ; fixed offset added to the driver-supplied index; its meaning is not documented on this page
	mov varSSID, eax ; publish for AltSendInput; the same value is the return code
	ret
InitMzBot endp

;-----------------------------------------------------------------------
; AltSendInput(nInputs, pInputs, cbSize) -- three DWORD arguments,
; popped by the callee ("ret 0Ch"), i.e. the same shape as the user32
; SendInput export.
; Instead of calling the export it issues the system call itself, with
; eax = varSSID and edx = esp, so a user-mode hook installed on the
; export (the "NtUserSendInput hook" discussed in the thread) never
; runs. User-mode API hooking therefore cannot observe this path; only
; kernel-side instrumentation sees the call. 32-bit only (.386 / flat);
; presumably depends on the OS using the sysenter system-call path, and
; the thread reports it does not work as posted.
; Out:   eax = -1 when varSSID is 0 (InitMzBot not run or failed),
;        otherwise whatever the kernel left in eax
;-----------------------------------------------------------------------
AltSendInput proc
	mov eax, varSSID ; eax = service index for the raw system call
	cmp eax, 0
	je Alt_SendInput_Err
	; After this call, [esp] = return into this proc, [esp+4] = return to
	; the caller, [esp+8] = nInputs -- presumably chosen to match the
	; frame the ntdll fast-call stub presents to the kernel (not shown here).
	call IntCallGate
	
	ret 0Ch ; pop the three arguments

Alt_SendInput_Err:
	mov eax, -1
	ret 0Ch
	
IntCallGate:
	; Raw system call: edx = user stack pointer, then sysenter encoded as
	; its two opcode bytes (0F 34) so no mnemonic support is needed.
	mov edx, esp
	db 00Fh
	db 034h
	ret ; NOTE(review): where control lands after sysenter is decided by the kernel, not by this listing
AltSendInput endp

end start
I fail to get results with this code even with no hooks on NtUserSendInput. I've tried it myself - no result. Found a C++ wrapper for the dll:
Code:
#ifndef MZBOT2_DLL_VERSION_HEADER
#define MZBOT2_DLL_VERSION_HEADER

#include <windows.h>

// Loads amz.dll and calls its exported InitMzBot (no arguments, plain
// "ret"), returning whatever it left in eax: the service index on
// success, -1/-2 from the DLL, or -3/-4 from this wrapper. The return
// type is unsigned, so the negative codes come back as 0xFFFFFFFx values
// and a caller must compare against them explicitly.
// NOTE(review): LoadLibrary is called on every invocation and the module
// handle is never released, so the DLL's reference count grows per call.
unsigned int MzBot_Init() {
	HMODULE m = LoadLibrary( "amz.dll" );
	if ( !m ) {
		return -3;
	}
	unsigned long addr = (unsigned long) GetProcAddress( m, "InitMzBot" );
	if ( !addr ) {
		return -4;
	}
	__asm {
		mov eax, addr   // dead store: the call below reads addr from memory, not from eax
		call addr       // indirect call through the local; InitMzBot pops no arguments
		mov addr, eax   // capture the DLL's return code
	}
	return addr;
};

// Forwards (nInputs, pInputs, cbSize) to the DLL's AltSendInput. That
// proc ends with "ret 0Ch", so the three values pushed here are popped
// by the callee and no stack adjustment follows the call. Returns the
// callee's eax: -1 (0xFFFFFFFF as unsigned) if the DLL was never
// initialised, otherwise the raw system-call result.
// NOTE(review): unlike MzBot_Init, neither LoadLibrary nor
// GetProcAddress is checked; if either fails the call goes through a
// null pointer. LoadLibrary is also repeated on every call and never freed.
unsigned int MzBot_SendInput( UINT nInputs, LPINPUT pInputs, int cbSize )
{
	HMODULE m = LoadLibrary( "amz.dll" );
	unsigned long addr = (unsigned long) GetProcAddress( m, "AltSendInput" );
	__asm {
		mov eax, addr    // dead store; the call below reads addr from memory
		push cbSize      // arguments pushed right-to-left
		push pInputs
		push nInputs
		call addr        // AltSendInput cleans its 12 bytes of arguments itself
		mov addr, eax    // capture the return code
	}
	return addr;	
};

#endif //#ifndef MZBOT2_DLL_VERSION_HEADER
and again, no result.

well, the error occurs during init. return val is -1, so CreateFile isn't working. who remembers what \\.\toBzM can be? like a mailslot, but it's not... a stream?
09/07/2008 18:07 Layka0#78
hilete

i can assure i have no isp prolems, my connection is totally fine.

Try this one


at least it does work for me
i can use macros and bind mouse buttons
but still problems with DC and its definitely not my fault
09/08/2008 03:15 hilete#79
wait a minute... which version is this? 62kb larger than our rus client...
09/08/2008 07:12 lexxes#80
On the Russian server it doesn't work
09/08/2008 14:23 Layka0#81
i dont remember exactly but this is eng requiem exe that works at least for me on russian server too.
allows me to use all the things i need to ease my game.
09/08/2008 17:27 hilete#82
well... it's sad, it doesn't start for me..
09/08/2008 18:29 Layka0#83
thats rly strange - with this exe i can play, with other fixed i get "overbuffer" and ???? Errors :(
09/08/2008 18:43 hilete#84
mysteriousness, it is, yes? :)

by "doesn't start" I mean no errors even. i replace my exe with yours, start "UpdaterRus.exe", on the appeared window I press "start" (in russian ofcourse) button, and then nothing...
09/08/2008 18:50 Layka0#85
i dont know if it will help, im trying this with game installed from Requiem_Rus_V3_install
09/08/2008 19:02 hilete#86
3,116,041,081 bytes?
09/08/2008 20:30 Layka0#87
hilete
i dont know exactly coz i have it in extracted mode :)
but i dl'ed from [link visible only to registered users]

pm me with ur msn
09/26/2008 09:41 division101#88
Layka,

Today after the update, when using the current HackShield Bypass everything turn into a ? icons. Can you make a new quick one or show me how to do it if it's simple? This is for Requiem USA.

Thanks so much!
09/26/2008 10:03 MADR4T#89
yep, everything turns to "?" and no grass! Plz make one quick fixed exe! Or just send the method to me via private message plz!
09/26/2008 20:28 razelm#90
can someone make one for the last english client? i dont have such good programming skills and i would be very thankful cuz i cant play without it. thks in advance