HShield bypass?

11/13/2014 20:54 Siebe15#1
Hi everybody,

Which programs are required to make a HShield bypass?
And how can I find addresses to bypass it?

Greets.
11/13/2014 21:49 RingleRangleRob#2
Quote:
Originally Posted by Siebe15 View Post
Hi everybody,

Which programs are required to make a HShield bypass?
And how can I find addresses to bypass it?

Greets.
Quote:
Originally Posted by Forbidi View Post
Get all of HS's detection functions (heuristic scan, integrity check, ...), then hook CreateThread, compare the start address with the function addresses in ehsvc.dll and avoid creating them. You can hook DeviceIoControl and return TRUE when the control code is 0x80000xxx (don't remember) so the memory won't be hidden.
Otherwise you can make a heartbeat; check the ServiceDispatch function in HS. The calling convention should be:
Code:
BOOL __stdcall ServiceDispatch(DWORD dwService, LPVOID* lppvParameters, LPDWORD lpdwErrorCode);
When the first parameter dwService has the value 13, send a response in lppvParameters[0], lppvParameters[1] and lppvParameters[2]: the first param is the request, the second is the length, the third is the return value. In the end you set the error code param to 0 and return to the original function.
"you can hook DeviceIoControl and return TRUE when the control code is 0x80000xxx (don't remember) so the memory won't be hidden."

0x80000040

Use C++ to make it.
11/13/2014 22:31 Slicktor#3
Quote:
Get all of HS's detection functions (heuristic scan, integrity check, ...), then hook CreateThread, compare the start address with the function addresses in ehsvc.dll and avoid creating them
Heartbeat, just saying.
After 31 minutes you will get a crash because HS notices that you faked their threads (HB request, CRC).

Quote:
you can hook DeviceIoControl and return TRUE when the control code is 0x80000040 (don't remember) so the memory won't be hidden.
Have fun with a bluescreen (EagleXNt).


Instead of doing shit you can simply bypass the CRC check:
Code:
75 ?? 8B 46 0C 8B 7F 04 83 F8
You can disable HackShield's process detection by hooking K32EnumProcesses (faking processes).

Quote:
BOOL __stdcall ServiceDispatch(DWORD dwService, LPVOID* lppvParameters, LPDWORD lpdwErrorCode);
This is the 10th export.

Quote:
When the first parameter dwService has the value 13, send a response in lppvParameters[0], lppvParameters[1] and lppvParameters[2]: the first param is the request, the second is the length, the third is the return value. In the end you set the error code param to 0 and return to the original function.
Emulating the HB is nothing for noobs :confused:
Useless.
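The "bypass the crc-check" answer above is really just a byte signature: the `??` stands for the one byte of the jnz (opcode 0x75) short-jump displacement, which changes between builds while the instructions around it stay the same, so you scan for the fixed bytes and treat that slot as a wildcard. Below is an added example of exactly that kind of wildcard signature scan, written for this page and not taken from the thread or from HackShield. It runs stand-alone on a constructed, hand-assembled x86 fragment (`sample_code`, which is not HackShield's code) that stands in for the bytes you would read out of the target module; `parse_pattern`, `find_pattern` and `demo_offset` are names chosen here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse a Cheat Engine / IDA style signature such as "75 ?? 8B 46 0C" into
   bytes[] plus mask[] (mask 1 = byte must match, 0 = wildcard).
   Returns the number of tokens parsed, or 0 if the pattern is malformed. */
static size_t parse_pattern(const char *pat, uint8_t *bytes, uint8_t *mask, size_t cap)
{
    size_t n = 0;
    while (*pat && n < cap) {
        while (*pat == ' ') pat++;
        if (*pat == '\0') break;
        if (*pat == '?') {                 /* "?" or "??" matches any byte */
            bytes[n] = 0; mask[n] = 0; n++;
            while (*pat == '?') pat++;
        } else {
            char hex[3] = { pat[0], pat[1], '\0' };
            char *end;
            if (pat[1] == '\0') return 0;  /* odd trailing nibble */
            bytes[n] = (uint8_t)strtoul(hex, &end, 16);
            if (end != hex + 2) return 0;  /* not two hex digits */
            mask[n] = 1; n++;
            pat += 2;
        }
    }
    return n;
}

/* Return the offset of the first match of pat inside buf, or -1 if absent. */
long find_pattern(const uint8_t *buf, size_t len, const char *pat)
{
    uint8_t bytes[64], mask[64];
    size_t n = parse_pattern(pat, bytes, mask, sizeof bytes);
    if (n == 0 || n > len) return -1;
    for (size_t i = 0; i + n <= len; i++) {
        size_t j = 0;
        while (j < n && (!mask[j] || buf[i + j] == bytes[j])) j++;
        if (j == n) return (long)i;
    }
    return -1;
}

/* Constructed sample input: a tiny hand-assembled x86 fragment standing in for
   the code bytes you would read out of the target module. Not HackShield code. */
static const uint8_t sample_code[] = {
    0x55, 0x8B, 0xEC, 0x56, 0x57,   /* push ebp; mov ebp,esp; push esi; push edi */
    0x8B, 0x75, 0x08,               /* mov esi,[ebp+8]   (decoy 0x75 inside a ModRM byte) */
    0x8B, 0x7D, 0x0C,               /* mov edi,[ebp+0Ch] */
    0x3B, 0xC1,                     /* cmp eax,ecx */
    0x75, 0x1A,                     /* jnz short +1Ah   (rel8 covered by the ?? wildcard) */
    0x8B, 0x46, 0x0C,               /* mov eax,[esi+0Ch] */
    0x8B, 0x7F, 0x04,               /* mov edi,[edi+4] */
    0x83, 0xF8, 0x01,               /* cmp eax,1 */
    0xC3                            /* ret */
};

/* The signature from the post; the ?? slot is the jnz displacement. */
#define CRC_CHECK_SIG "75 ?? 8B 46 0C 8B 7F 04 83 F8"

/* Offset of the signature inside sample_code (13 for the fragment above). */
long demo_offset(void)
{
    return find_pattern(sample_code, sizeof sample_code, CRC_CHECK_SIG);
}

int main(void)
{
    long off = demo_offset();
    if (off < 0)
        printf("signature not found\n");
    else
        printf("signature found at offset 0x%lX (jnz rel8 = 0x%02X)\n",
               off, sample_code[off + 1]);
    return 0;
}
```

The decoy 0x75 at offset 6 shows why the fixed bytes after the wildcard matter: the scanner starts a candidate match there, fails on the next instruction and moves on, landing only on the real jnz at offset 13. Against a live target you would run the same scan over the module's code section read from the process, and re-scan after every client update instead of hard-coding the address.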
11/13/2014 22:39 RingleRangleRob#4
Quote:

Hf with a bluescreen (EagleXNt).
lol nope, I don't know what you hook, but I can access the memory.

Quote:
Instead of doing shit you can simply bypass the CRC check:
Code:
75 ?? 8B 46 0C 8B 7F 04 83 F8
kk, he is a "noob" and he knows what's meant by CRC check xD I think this doesn't help him o:

Quote:
You can disable HackShield's process detection by hooking K32EnumProcesses (faking processes).
It is enough to ret 0C.
11/13/2014 22:54 Slicktor#5
Quote:
lol nope, I don't know what you hook, but I can access the memory.
Yeah, on x64 (EagleX64).
If you do that with EagleXNt you will get 2 problems:

1. Bluescreen
2. Automacro detection (NtSendUserInput)

To prevent the first problem you can simply send the stop message.
Code:
#define IOCTL_KERNEL_MODE_END 0x80000044
The second problem is the SSDT hook on NtSendUserInput; it detects all inputs as macros. You can solve it by stopping it:
Code:
#define IOCTL_KERNEL_MODE_STUFF_END 0x80000084

Quote:
It is enough to ret 0C.
HS will detect it.
11/13/2014 23:02 RingleRangleRob#6
Quote:
Originally Posted by Slicktor View Post
Yeah, on x64 (EagleX64).
If you do that with EagleXNt you will get 2 problems:

1. Bluescreen
2. Automacro detection (NtSendUserInput)

To prevent the first problem you can simply send the stop message.
Code:
#define IOCTL_KERNEL_MODE_END 0x80000044
The second problem is the SSDT hook on NtSendUserInput; it detects all inputs as macros. You can solve it by stopping it:
Code:
#define IOCTL_KERNEL_MODE_STUFF_END 0x80000084
kk, thank you for the information ... just use 64 bit ^^
Quote:
HS will detect it.
64 bit: not detected. Works without crash ^^ I tried ~30 min.

@topic I think this is enough information for a bypass. Have fun and good luck c;
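The control codes traded in this exchange (0x80000040, 0x80000044, 0x80000084) are ordinary Windows CTL_CODE values, and pulling them apart tells you more than the raw numbers do: all three use device type 0x8000 (the first value in the range Microsoft leaves to third-party drivers), METHOD_BUFFERED and FILE_ANY_ACCESS, and differ only in their function numbers (0x10, 0x11 and 0x21). The decoder below is an added example written for this page, not code from the thread or from HackShield; the bit layout is the documented CTL_CODE layout, and `decode_ioctl`, `ctl_code`, `is_vendor_device_type` and `same_device` are names chosen here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Field layout of a Windows I/O control code as built by the CTL_CODE macro:
   bits 31..16 DeviceType, 15..14 RequiredAccess, 13..2 FunctionCode, 1..0 TransferType */
struct ioctl_fields {
    uint16_t device_type;
    uint8_t  access;     /* 0 FILE_ANY_ACCESS, 1 FILE_READ_ACCESS, 2 FILE_WRITE_ACCESS, 3 both */
    uint16_t function;   /* 12-bit function number */
    uint8_t  method;     /* 0 METHOD_BUFFERED, 1 METHOD_IN_DIRECT, 2 METHOD_OUT_DIRECT, 3 METHOD_NEITHER */
};

struct ioctl_fields decode_ioctl(uint32_t code)
{
    struct ioctl_fields f;
    f.device_type = (uint16_t)(code >> 16);
    f.access      = (uint8_t)((code >> 14) & 0x3u);
    f.function    = (uint16_t)((code >> 2) & 0xFFFu);
    f.method      = (uint8_t)(code & 0x3u);
    return f;
}

/* The CTL_CODE macro itself, so a decode can be checked by round-tripping. */
uint32_t ctl_code(uint16_t device_type, uint16_t function, uint8_t method, uint8_t access)
{
    return ((uint32_t)device_type << 16) | ((uint32_t)(access & 3u) << 14)
         | ((uint32_t)(function & 0xFFFu) << 2) | (uint32_t)(method & 3u);
}

/* Device types below 0x8000 are reserved for Microsoft; 0x8000 and above are
   for third-party drivers, so a code in that range is a vendor driver's own
   request rather than one of the built-in device classes. */
bool is_vendor_device_type(uint32_t code)
{
    return decode_ioctl(code).device_type >= 0x8000u;
}

/* Two codes address the same driver when their device types agree; only the
   function number tells the individual requests apart. */
bool same_device(uint32_t a, uint32_t b)
{
    return decode_ioctl(a).device_type == decode_ioctl(b).device_type;
}

static const char *method_name(uint8_t m)
{
    static const char *names[] = { "METHOD_BUFFERED", "METHOD_IN_DIRECT",
                                   "METHOD_OUT_DIRECT", "METHOD_NEITHER" };
    return names[m & 3u];
}

int main(void)
{
    /* The three control codes quoted in this thread. */
    const uint32_t codes[] = { 0x80000040u, 0x80000044u, 0x80000084u };
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++) {
        struct ioctl_fields f = decode_ioctl(codes[i]);
        printf("0x%08X: device 0x%04X function 0x%03X %s access=%u vendor=%s\n",
               (unsigned)codes[i], f.device_type, f.function, method_name(f.method),
               (unsigned)f.access, is_vendor_device_type(codes[i]) ? "yes" : "no");
    }
    return 0;
}
```

When you are sitting on a DeviceIoControl hook, decoding the code this way is how you tell a driver's own requests apart from the system's and keep a filter keyed on the function number rather than on magic constants; it also makes it obvious when a new build simply renumbers a request within the same device type.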
11/13/2014 23:08 Desolation64#7
Slicktor, the first bypass was so nice :)
11/14/2014 15:48 Siebe15#8
So which programs do you need?
11/14/2014 15:54 RingleRangleRob#9
Quote:
Originally Posted by Siebe15 View Post
So which programs do you need?
I used C++ to make the bypass o;

So I recommend C++ to you.
11/14/2014 16:48 Siebe15#10
Yeah, but what do I need to get addresses to bypass HShield?
11/14/2014 16:57 RingleRangleRob#11
Quote:
Originally Posted by Siebe15 View Post
Yeah, but what do I need to get addresses to bypass HShield?
Cheat Engine
C++
11/14/2014 17:02 Siebe15#12
Not more?
11/14/2014 19:04 Omdi#13
Quote:
Originally Posted by Siebe15 View Post
Not more?
You should have mastered the art of Reverse Engineering :)
11/14/2014 20:58 -Zonda#14
Quote:
Originally Posted by Siebe15 View Post
Yeah, but what do I need to get addresses to bypass HShield?
Wtf, I just posted that xD
Of course CE & C++ xD
11/14/2014 21:56 Siebe15#15
Quote:
Originally Posted by Omdihar View Post
You should have mastered the art of Reverse Engineering :)
Do you have a site where I can learn it? :handsdown: