RO2 Hackshield Bypass
Discussion on RO2 Hackshield Bypass within the RO Exploits, Hacks, Bots & Guides forum part of the Ragnarok Online category.
03/21/2013, 08:21
#211
Does "Detour" mean anything to you guys? Apparently this seems to be the method people are using but aren't really sharing.
03/21/2013, 11:49
#212
Quote:
I heard someone can use a bypass without DC by making a HackShield emulator. Can someone make one and test it? Maybe it works.

HackShield emulation seems like a possible way to bypass HackShield without a DC, but it's difficult to do.
Quote:
Does "Detour" mean anything to you guys? Apparently this seems to be the method people are using but aren't really sharing.

Detours is a library for instrumenting arbitrary Win32 functions on Windows-compatible processors. Detours intercepts Win32 functions by re-writing the in-memory code for target functions. The Detours package also contains utilities to attach arbitrary DLLs and data segments (called payloads) to any Win32 binary.
Detours preserves the un-instrumented target function (callable through a trampoline) as a subroutine for use by the instrumentation. Our trampoline design enables a large class of innovative extensions to existing binary software.
Has anyone tested the Detours (trampoline) method?
03/21/2013, 22:00
#213
Quote:
Originally Posted by Boudal
HackShield emulation seems like a possible way to bypass HackShield without a DC, but it's difficult to do.
Detours is a library for instrumenting arbitrary Win32 functions on Windows-compatible processors. Detours intercepts Win32 functions by re-writing the in-memory code for target functions. The Detours package also contains utilities to attach arbitrary DLLs and data segments (called payloads) to any Win32 binary.
Detours preserves the un-instrumented target function (callable through a trampoline) as a subroutine for use by the instrumentation. Our trampoline design enables a large class of innovative extensions to existing binary software.
Has anyone tested the Detours (trampoline) method?
At least quote the source...
03/22/2013, 19:24
#214
detour method is working !!
03/22/2013, 21:13
#215
Quote:
Originally Posted by Boudal
detour method is working !!
Can you PM me how to do it?
03/23/2013, 07:58
#216
Please share.
03/23/2013, 14:53
#217
#include <windows.h>
// Globals and helpers that live elsewhere in the DLL this was lifted from. The post only
// shows their calls, so these are declarations matching that use, not the real signatures.
extern DWORD dword_1002FD44;   // relocation delta; also read by both asm patches
extern DWORD dword_1002FBDC;
HMODULE EhSvc = NULL;          // handle to HackShield's EhSvc.dll
const char *Get_Time(int format);                                     // format 2 = "[%H:%M:%S]"
void  AddLog(const char *fmt, ...);
DWORD FindPattern(DWORD base, DWORD size, PBYTE pattern, const char *mask);
int   compare(DWORD address, const BYTE *expected, int length);       // non-zero when the bytes differ
DWORD sub_1001883C(DWORD);
void  sub_10016A80(DWORD, DWORD, DWORD);
void  sub_10017150(int);
int   sub_10017024(int);
DWORD sub_10010960(void);
void  sub_10010BCF(DWORD);
void  sub_1000C4C8(PBYTE site, BYTE value, int length);              // write `value` at site
void  sub_1000C514(PBYTE site, PBYTE hook, const BYTE *opcode, int length);  // redirect site to hook

/// 2 inline asm patches (x86, MSVC inline asm). The first five instructions of each are the
/// bytes IDA showed at the patch site and are kept exactly as posted; the tail of HS_PATCH_2
/// re-executes the three 2-byte instructions that the 6-byte patch at HS5 overwrites.
__declspec(naked) void HS_PATCH_1()
{
    __asm {
        inc eax
        add [esi+ecx-7Fh], bh
        inc byte ptr [eax]
        add [eax+3067D00h], dl
        xor eax, dword_1002FD44
        push 36h
        lea edi, [ebp-122Ch]
        retn
    }
}
__declspec(naked) void HS_PATCH_2()
{
    __asm {
        inc eax
        add [esi+ecx-7Fh], bh
        inc byte ptr [eax]
        add [eax+3067D00h], dl
        xor eax, dword_1002FD44
        mov eax, ecx
        mov edx, ecx
        add eax, esi
        retn
    }
}
// Logging hook. Not naked: it has a C body and no ret of its own, so the compiler must emit the prologue/epilogue.
void sub_hs_detect_sumthin()
{
    const char *time = Get_Time(2);  // format 2 = "[%H:%M:%S]"
    AddLog("%s - HackShield Detect Something...\n", time);
}
// sub to get the EhSvc handle
HMODULE Get_Handle()
{
    HMODULE result = GetModuleHandleA("EhSvc.dll");
    EhSvc = result;
    return result;
}
void Detour_Hs()
{
    Sleep(1000);
    const char *time = Get_Time(2);  // 2 = "[%H:%M:%S]"
    AddLog("%s - Detouring HackShield->", time);
    DWORD v2 = sub_1001883C(0x900000);
    sub_10016A80(v2, 0x401000, 0x900000);  // bit complicated
    dword_1002FD44 -= 0x401000;
    while (!EhSvc)
    {
        EhSvc = GetModuleHandleA("EhSvc.dll");
        Sleep(100);
    }
    // Pattern scans over the first 0x90000 bytes of EhSvc.dll. The byte strings are the ones
    // posted with the forum's line-wrap spaces removed; note that the HS3 mask is 14 characters
    // long while its pattern is only 11 bytes as posted.
    DWORD HS1 = FindPattern((DWORD)EhSvc, 0x90000, (PBYTE)"\x74\x06\x83\x7D\x0C\x00\x75\x0F\x6A\x57", "xxxxxxxxxx");
    DWORD HS2 = FindPattern((DWORD)EhSvc, 0x90000, (PBYTE)"\x8D\xBD\xD4\xED\xFF\xFF\xF3\xA5\x8B\x53\x0A\x89\x95\xD0\xED\xFF\xFF\x33\xC0\x66\x8B\x43\x08", "xxxxxxxxxxxxxxxxxxxxxxx");
    DWORD HS3 = FindPattern((DWORD)EhSvc, 0x90000, (PBYTE)"\x74\x09\xC7\x45\xFC\x00\xEB\x07\xC7\x45\xFC", "xxxxxxxxxxxxxx");
    DWORD HS4 = FindPattern((DWORD)EhSvc, 0x90000, (PBYTE)"\x8B\xC1\x8B\xD1\x03\xC6\x3B\xFE\x76\x08", "xxxxxxxxxx");
    DWORD HS5 = FindPattern(HS4 + 0x0A, 0x40000, (PBYTE)"\x8B\xC1\x8B\xD1\x03\xC6\x3B\xFE\x76\x08", "xxxxxxxxxx");  // second occurrence, after HS4
    // Expected bytes at each site, checked before anything is written.
    BYTE dword_1002BF4C[] = { 0x74 };
    BYTE dword_1002BF50[] = { 0x8D, 0xBD, 0xD4, 0xED, 0xFF, 0xFF };
    BYTE dword_1002BF58[] = { 0x74 };
    BYTE dword_1002BF5C[] = { 0x8B, 0xC1, 0x8B, 0xD1, 0x03, 0xC6 };
    if (!HS1 || !HS2 || !HS3 || !HS4 || !HS5       // a failed scan returns 0; don't read from address 0
        || compare(HS1, dword_1002BF4C, 1)           // compare(address, expected, length)
        || compare(HS2, dword_1002BF50, 6)
        || compare(HS3, dword_1002BF58, 1)
        || compare(HS5, dword_1002BF5C, 6))
    {
        AddLog("Error, HackShield module changed!");
        sub_10017150(1);  // calls a sub that calls another sub that kills WarRock
    }
    BYTE bit_1   = 0xEB;                                // JMP SHORT
    BYTE bit_2[] = { 0xE8, 0x00, 0x90 };                // CALL rel32, NOP padding
    BYTE bit_3[] = { 0xE9, 0x00, 0x90 };                // JMP rel32, NOP padding
    BYTE bit_4[] = { 0x4F, 0x4B, 0x21, 0x0A, 0x00 };    // "OK!\n", NUL-terminated so AddLog can print it
    sub_1000C4C8((PBYTE)HS1, 0x90, 1);                                    // JE opcode (0x74) -> NOP
    sub_1000C514((PBYTE)HS2, (PBYTE)HS_PATCH_1, &bit_1, 1);
    sub_1000C4C8((PBYTE)HS3, bit_1, 1);                                   // JE -> JMP SHORT
    sub_1000C514((PBYTE)HS5, (PBYTE)HS_PATCH_2, bit_2, 6);                // 6 bytes = three whole instructions
    sub_1000C514((PBYTE)0x681240, (PBYTE)sub_hs_detect_sumthin, bit_3, 6);
    AddLog((const char *)bit_4);
    const char *time1 = Get_Time(2);  // format 2 = "[%H:%M:%S]"
    AddLog("%s - Checking Dll->", time1);
    int check = sub_10017024(10);  // returns 0 if 10 > 0xFFFFFFE0
    DWORD v12;
    if (check)
        v12 = sub_10010960();
    else
        v12 = 0;
    sub_10010BCF(dword_1002FBDC);
    AddLog("OK!\n");
}
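The two things the Detours description in #212 and the listing above both depend on are a pattern scan that finds the patch site and a trampoline that keeps the overwritten instructions callable. What follows is an added example written for this page, not code from the thread, from Detours or from any hack DLL: it scans a constructed 64-byte buffer for the HS4/HS5 byte sequence quoted in the listing (8B C1 8B D1 03 C6 3B FE 76 08, which decodes to mov eax,ecx; mov edx,ecx; add eax,esi; cmp edi,esi; jbe +8), checks the expected bytes before writing anything (the listing's "module changed" test, made non-redundant by a wildcard in the scan mask), works out that a 5-byte JMP would split the third instruction so 6 bytes must be stolen (which is why the listing patches 6 bytes there and HS_PATCH_2 ends with those three instructions), encodes the JMP rel32 displacements, and lays out the trampoline. It uses a JMP where the listing uses a CALL. The buffer layout (site at 16, hook at 40, trampoline at 48), the instruction lengths and all helper names are assumptions; nothing is executed, only bytes are produced.

```c
/* Added example, not code from the thread: masked pattern scan, pre-patch byte check,
 * JMP rel32 encoding and trampoline layout, run against a constructed 64-byte buffer
 * instead of a live EhSvc.dll. Only x86 byte encodings are produced; nothing executes. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JMP_LEN    5      /* E9 rel32 */
#define IMAGE_SIZE 64

/* Scan `size` bytes for `pattern`: 'x' in mask must match, '?' is a wildcard.
 * Returns the offset of the first hit or -1 (same contract as the thread's FindPattern). */
static long find_pattern(const uint8_t *base, size_t size, const uint8_t *pattern, const char *mask)
{
    size_t plen = strlen(mask);
    if (plen == 0 || plen > size) return -1;
    for (size_t i = 0; i + plen <= size; i++) {
        size_t j = 0;
        while (j < plen && (mask[j] == '?' || base[i + j] == pattern[j])) j++;
        if (j == plen) return (long)i;
    }
    return -1;
}

/* Smallest byte count >= JMP_LEN that ends on an instruction boundary, given the
 * instruction lengths at the site as read off a disassembler; 0 if none fits. */
static size_t steal_length(const uint8_t *insn_lens, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        total += insn_lens[i];
        if (total >= JMP_LEN) return total;
    }
    return 0;
}

/* E9 rel32 at buf[site] landing on buf[target]; rel32 is relative to the END of the JMP. */
static void put_jmp(uint8_t *buf, size_t site, size_t target)
{
    uint32_t rel = (uint32_t)(int32_t)((int64_t)target - (int64_t)(site + JMP_LEN));
    buf[site] = 0xE9;
    for (int k = 0; k < 4; k++) buf[site + 1 + k] = (uint8_t)(rel >> (8 * k));
}

static int32_t get_rel32(const uint8_t *p)  /* little-endian imm32 following the opcode */
{
    return (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}

typedef struct {
    long    site;             /* offset of the pattern hit, -1 if not found */
    size_t  stolen;           /* bytes moved into the trampoline */
    int     ok;               /* 1 once verified and patched */
    uint8_t image[IMAGE_SIZE];
} detour_result;

/* Detour the first pattern hit. Refuse if the `expected` bytes at the site differ (the
 * listing's "HackShield module changed!" check), copy whole instructions into the
 * trampoline, append a JMP back, then overwrite the site with JMP hook + NOP padding. */
static void install_detour(detour_result *r, const uint8_t *pattern, const char *mask,
                           const uint8_t *expected, size_t expected_len,
                           const uint8_t *insn_lens, size_t n_insn, size_t hook_off, size_t tramp_off)
{
    r->ok = 0; r->stolen = 0;
    r->site = find_pattern(r->image, IMAGE_SIZE, pattern, mask);
    if (r->site < 0) return;
    if (memcmp(r->image + r->site, expected, expected_len) != 0) return;
    r->stolen = steal_length(insn_lens, n_insn);
    if (r->stolen == 0 || tramp_off + r->stolen + JMP_LEN > IMAGE_SIZE) return;
    memcpy(r->image + tramp_off, r->image + r->site, r->stolen);            /* stolen bytes      */
    put_jmp(r->image, tramp_off + r->stolen, (size_t)r->site + r->stolen);  /* back to original  */
    put_jmp(r->image, (size_t)r->site, hook_off);                           /* site -> hook      */
    memset(r->image + r->site + JMP_LEN, 0x90, r->stolen - JMP_LEN);        /* NOP the remainder */
    r->ok = 1;
}

/* Constructed image (assumed layout): the 10-byte HS4 sequence from the listing at offset
 * 16 (mov eax,ecx; mov edx,ecx; add eax,esi; cmp edi,esi; jbe +8), a RET as the hook at
 * 40, trampoline space at 48. With tamper != 0 a byte under a wildcard is changed, so
 * the scan still hits but the expected-bytes check refuses to patch. */
static detour_result run_demo(int tamper)
{
    static const uint8_t hs4[10] = { 0x8B,0xC1, 0x8B,0xD1, 0x03,0xC6, 0x3B,0xFE, 0x76,0x08 };
    static const uint8_t lens[5] = { 2, 2, 2, 2, 2 };
    detour_result r;
    memset(r.image, 0xCC, IMAGE_SIZE);
    memcpy(r.image + 16, hs4, sizeof hs4);
    r.image[40] = 0xC3;
    if (tamper) r.image[16 + 6] = 0x3C;
    install_detour(&r, hs4, "xxxxxx??xx", hs4, sizeof hs4, lens, 5, 40, 48);
    return r;
}

/* Accessors for checking individual bytes / displacements of a demo run. */
static int demo_byte(int tamper, size_t off) { detour_result r = run_demo(tamper); return r.image[off]; }
static int32_t demo_rel(int tamper, size_t site) { detour_result r = run_demo(tamper); return get_rel32(r.image + site + 1); }

int main(void)
{
    detour_result r = run_demo(0);
    printf("site=%ld stolen=%zu ok=%d  site->hook rel=%d  trampoline->back rel=%d  tampered ok=%d\n",
           r.site, r.stolen, r.ok, demo_rel(0, 16), demo_rel(0, 54), run_demo(1).ok);
    return 0;
}
```

On a real module the same steps apply to a live address range: the scan base is the module base and size, the site must be made writable (VirtualProtect) before the write, the trampoline lives in executable memory, and the stolen-length decision needs an instruction-length decoder rather than a hand-written table, because a patch that splits an instruction is exactly what produces the bluescreen-or-hang behaviour mentioned later in this thread.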
03/23/2013, 15:28
#218
Yeah, please teach us..
03/23/2013, 15:41
#219
Quote:
Originally Posted by boching
[code snipped; the full listing is in post #217 above]
I'm sorry, but I have no idea whatsoever how to use this, where to use it or how to operate it. Mind teaching us as if you were teaching a caveman? I would be really grateful.
03/23/2013, 16:05
#220
Mmm, if I'm not wrong, you need Visual Studio + the Detours library, but I'm not sure if I have to copy and paste this code or open Rag2.exe and modify it.
03/23/2013, 16:55
#221
Teach us please..
I just want HS for farming.
03/24/2013, 00:32
#222
Quote:
Originally Posted by boching
[code snipped; the full listing is in post #217 above]
That's not how to do it.
It'll either give you a bluescreen or make the client stop responding.
03/24/2013, 01:06
#223
Quote:
Originally Posted by trym300
The trampoline method is maybe the best shot. My head hurts already, haha. Nevertheless there is a bypass somewhere, but trust me, they won't post it or show it, due to abuse of the bypass and the probability of it being fixed ("control business", that's what they say!).
The problem with trying to reverse engineer it is that there is always maintenance, meaning not everything is stable.
Thanks for mentioning that method, it works wonders! Guys, just watch YouTube and guides on the internet; it took me 4 days to learn it...
Pretty rough though. Sorry, but most members who know how to do it won't post the final product like the Rag.exe or whatever, because GMs of AS are trolling in this forum since it's known throughout.
03/24/2013, 06:00
#224
Please send the hack to me
03/24/2013, 07:04
#225
And me as well.