How did they patch .NET hacks?

11/02/2013 08:57 _cSharp#1
So I remember a few years back that K2/G1 (not sure what the name was) patched .NET hacks somehow... at least they said they did...

Well, how is that possible, lol? What did they do? I'm sure its still possible to do hacks with C# and other .NET languages...

Mind telling me a few things about that patch and what they did? I couldn't find anything on Google...

Thanks!
11/02/2013 11:49 Tony906#2
they removed external packet reading? D:
11/02/2013 12:16 ~iToXiiC#3
Well is not right, you can yet make hacks in .NET but not easyer as before and you need to work a lot on it
11/02/2013 12:21 Basser#4
Create a proxy in .NET, they couldn't possibly patch that.
You can use it to hack
11/02/2013 12:43 Sleutel#5
They did an update to the client that disabled (some) & detect memory modifications, this is however possible but they detect it.
11/02/2013 14:11 .BlackHat#6
Quote:
Originally Posted by Sleutel View Post
They did an update to the client that disabled (some) & detect memory modifications, this is however possible but they detect it.
AFAIK Hackshield hooked a few functions which .NET calls on memory modification and such. So they detect that easily.
11/02/2013 14:27 +Yazzn#7
In .NET you just called WinAPI's OpenProcess and Read/WriteMemoryProcess functions, but HackShield hooks them (I think they actually hook some underlying functions with their driver, but I'm too lazy to check that out now) and makes them unusable.
11/02/2013 14:42 Raz9r#8
Quote:
Originally Posted by Yazzn (: View Post
In .NET you just called WinAPI's OpenProcess and Read/WriteMemoryProcess functions, but HackShield hooks them (I think they actually hook some underlying functions with their driver, but I'm too lazy to check that out now) and makes them unusable.
Actually it's some SSDT modifications/hooks detecting any call to those function on a system-wide level. The underlying functions are from ntdll.dll.

The way it works:
.NET marshals to Win32 API which calls the underlying NT functions which are hooked by Hackshields driver. There is a nice article about kernel-level SSDT hooks over [Only registered and activated users can see links. Click Here To Register...].
11/02/2013 15:10 _cSharp#9
Okay, can anyone PM me the current base address and coordY offset? I wanna try a function. As far as I could gather from info you supplied, the function should work.

Also, does the HS detect if you are reading the memory of War Rock or is only the memory writting stuff detected? If reading the memory isn't, it would be simple to make a memory aimbot with .NET, I guess?
11/02/2013 16:27 Raz9r#10
It's entirely impossible without applying a driver unhooking the kernel-level SSDT hooks. That's why you'd need to inject a native DLL in the process: You don't really want to do that because it's a fucking mess.

An aimbot from an external program is not just almost impossible to do, but is gonna lag the sh*t out of you. Have fun trying that.