RO2 Hackshield Bypass

[ibrahim2my]

Does "Detour" mean anything to you guys ? apparently this seems to be the method that people are using but arn't really sharing

[Boudal]

Quote:

i heard someone can use bypass without dc by making a Hackshield Emulator .. can someone make it one and test it?? maybe it works

hackshield emulation seems possible to bypassing hackshield without dc. but it's difficult to do.

Quote:

Does "Detour" mean anything to you guys ? apparently this seems to be the method that people are using but arn't really sharing

Detours is a library for instrumenting arbitrary Win32 functions Windows-compatible processors. Detours intercepts Win32 functions by re-writing the in-memory code for target functions. The Detours package also contains utilities to attach arbitrary DLLs and data segments (called payloads) to any Win32 binary.

Detours preserves the un-instrumented target function (callable through a trampoline) as a subroutine for use by the instrumentation. Our trampoline design enables a large class of innovative extensions to existing binary software.

anyone have tested detour (trampoline) method?

[pusoys]

Quote:

Originally Posted by Boudal

hackshield emulation seems possible to bypassing hackshield without dc. but it's difficult to do.


Detours is a library for instrumenting arbitrary Win32 functions Windows-compatible processors. Detours intercepts Win32 functions by re-writing the in-memory code for target functions. The Detours package also contains utilities to attach arbitrary DLLs and data segments (called payloads) to any Win32 binary.

Detours preserves the un-instrumented target function (callable through a trampoline) as a subroutine for use by the instrumentation. Our trampoline design enables a large class of innovative extensions to existing binary software.

anyone have tested detour (trampoline) method?

At least quote the source...

[Boudal]

detour method is working !!

[signas2012]

Quote:

Originally Posted by Boudal

detour method is working !!

Can you pm me how to do it?

[vandersucks]

pls share

[boching]

/// 2 inline asm patches

__declspec (naked) void HS_PATCH_1()
{
__asm{
inc eax
add [esi+ecx-7Fh], bh
inc byte ptr [eax]
add [eax+3067D00h], dl
xor eax, dword_1002FD44
push 36h
lea edi, [ebp-122Ch]
retn
}
}
__declspec (naked) void HS_PATCH_2()
{
__asm{
inc eax
add [esi+ecx-7Fh], bh
inc byte ptr [eax]
add [eax+3067D00h], dl
xor eax, dword_1002FD44
mov eax, ecx
mov edx, ecx
add eax, esi
retn
}
}

__declspec (naked) void sub_hs_detect_sumthin( )
{
char time;
time = Get_Time(2);//format = 2 ( "[%H:%M:%S]" )
AddLog("%s - HackShield Detect Something...\n",time);
}

//sub to get ehsvc handle
int Get_Handle()
{
int result;
result = GetModuleHandleA("EhSvc.dll");
EhSvc = result;
return result;
}


void Detour_Hs()
{
Sleep(1000);
char time = Get_Time(2); //, 2 = "[%H:%M:%S]"
AddLog("%s - Detouring HackShield->", current_time);
int v2 = sub_1001883C( 0x900000 );
sub_10016A80(v2, 0x401000, 0x900000 );//bit complicated
dword_1002FD44 -= 0x401000;

while ( !EhSvc )
{
EhSvc = GetModuleHandleA("EhSvc.dll");
Sleep(100);
}
//
DWORD HS1 = FindPattern(EhSvc,0x90000,(PBYTE)"\x74\x06\x83\x7D \x0C\x00\x75\x0F\x6A\x57", "xxxxxxxxxx");
DWORD HS2 = FindPattern(EhSvc, 0x90000,(PBYTE)"\x8D\xBD\xD4\xED\xFF\xFF\xF3\xA5\x 8B\x53\x0A\x89\x95\xD0\xED\xFF\xFF\x33\xC0\x66\x8B \x43\x08", "xxxxxxxxxxxxxxxxxxxxxxx");
DWORD HS3 = FindPattern(EhSvc,0x90000,(PBYTE)"\x74\x09\xC7\x45 \xFC\x00\xEB\x07\xC7\x45\xFC", "xxxxxxxxxxxxxx");
DWORD HS4 = FindPattern(EhSvc,0x90000,(PBYTE)" \x8B\xC1\x8B\xD1\x03\xC6\x3B\xFE\x76\x08", "xxxxxxxxxx");
DWORD HS5 = FindPattern(HS4 + 0x0A, 0x40000,(PBYTE)" \x8B\xC1\x8B\xD1\x03\xC6\x3B\xFE\x76\x08", "xxxxxxxxxx");

DWORD dword_1002BF4C = (0x74);
DWORD dword_1002BF50 = (0x8D,0xBD,0xD4,0xED,0xFF,0xFF);
DWORD dword_1002BF58 = (0x74);
DWORD dword_1002BF5C = (0x8B,0xC1,0x8B,0xD1,0x03,0xC6);

if ( compare(HS1 , &dword_1002BF4C, 1) //compare DWORD1,DWORD2,lenght
|| compare(HS2 , dword_1002BF50, 6)
|| compare(HS3 , &dword_1002BF58, 1)
|| compare(HS5 , dword_1002BF5C, 6) )
{
AddLog("Error, HackShield module changed!");
sub_10017150(1);//this is callind sub that is calling another sub that kill warrock
}

DWORD bit_1 = ( 0xEB ); // (JMP SHORT)
DWORD bit_2 = ( 0xE8,0x00,0x90 );//call something
DWORD bit_3 = ( 0xE9,0x00,0x90 );//jmp somewhere
DWORD bit_4 = ( 0x4F, 0x4B, 0x21, 0x0A );

sub_1000C4C8((PBYTE)HS1,0x90, 1);
sub_1000C514((PBYTE)HS2,(PBYTE)HS_Patch_1,0xEB, 1);
sub_1000C4C8((PBYTE)HS3,(PBYTE)bit_1, 1);
sub_1000C514((PBYTE)HS5,(PBYTE)HS_Patch_2, bit_2, 6);
sub_1000C514((PBYTE)0x681240, (PBYTE)sub_hs_detect_sumthin , bit_3 , 6);
AddLog((const char *)bit_4 );//hmm confusing

time1 = Get_Time(2);//format = 2 ( "[%H:%M:%S]" )
AddLog("%s - Checking Dll->",time1);

int check = sub_10017024(10);//compare if (10 > 0xFFFFFFE0 )return 0;

if ( check )
v12 = sub_10010960();
else
v12 = 0;
sub_10010BCF(dword_1002FBDC);
AddLog("OK!\n");
}

 

[rogexx14]

Yea Please Teach us..

[ibrahim2my]

Quote:

Originally Posted by boching

/// 2 inline asm patches

__declspec (naked) void HS_PATCH_1()
{
__asm{
inc eax
add [esi+ecx-7Fh], bh
inc byte ptr [eax]
add [eax+3067D00h], dl
xor eax, dword_1002FD44
push 36h
lea edi, [ebp-122Ch]
retn
}
}
__declspec (naked) void HS_PATCH_2()
{
__asm{
inc eax
add [esi+ecx-7Fh], bh
inc byte ptr [eax]
add [eax+3067D00h], dl
xor eax, dword_1002FD44
mov eax, ecx
mov edx, ecx
add eax, esi
retn
}
}

__declspec (naked) void sub_hs_detect_sumthin( )
{
char time;
time = Get_Time(2);//format = 2 ( "[%H:%M:%S]" )
AddLog("%s - HackShield Detect Something...\n",time);
}

//sub to get ehsvc handle
int Get_Handle()
{
int result;
result = GetModuleHandleA("EhSvc.dll");
EhSvc = result;
return result;
}


void Detour_Hs()
{
Sleep(1000);
char time = Get_Time(2); //, 2 = "[%H:%M:%S]"
AddLog("%s - Detouring HackShield->", current_time);
int v2 = sub_1001883C( 0x900000 );
sub_10016A80(v2, 0x401000, 0x900000 );//bit complicated
dword_1002FD44 -= 0x401000;

while ( !EhSvc )
{
EhSvc = GetModuleHandleA("EhSvc.dll");
Sleep(100);
}
//
DWORD HS1 = FindPattern(EhSvc,0x90000,(PBYTE)"\x74\x06\x83\x7D \x0C\x00\x75\x0F\x6A\x57", "xxxxxxxxxx");
DWORD HS2 = FindPattern(EhSvc, 0x90000,(PBYTE)"\x8D\xBD\xD4\xED\xFF\xFF\xF3\xA5\x 8B\x53\x0A\x89\x95\xD0\xED\xFF\xFF\x33\xC0\x66\x8B \x43\x08", "xxxxxxxxxxxxxxxxxxxxxxx");
DWORD HS3 = FindPattern(EhSvc,0x90000,(PBYTE)"\x74\x09\xC7\x45 \xFC\x00\xEB\x07\xC7\x45\xFC", "xxxxxxxxxxxxxx");
DWORD HS4 = FindPattern(EhSvc,0x90000,(PBYTE)" \x8B\xC1\x8B\xD1\x03\xC6\x3B\xFE\x76\x08", "xxxxxxxxxx");
DWORD HS5 = FindPattern(HS4 + 0x0A, 0x40000,(PBYTE)" \x8B\xC1\x8B\xD1\x03\xC6\x3B\xFE\x76\x08", "xxxxxxxxxx");

DWORD dword_1002BF4C = (0x74);
DWORD dword_1002BF50 = (0x8D,0xBD,0xD4,0xED,0xFF,0xFF);
DWORD dword_1002BF58 = (0x74);
DWORD dword_1002BF5C = (0x8B,0xC1,0x8B,0xD1,0x03,0xC6);

if ( compare(HS1 , &dword_1002BF4C, 1) //compare DWORD1,DWORD2,lenght
|| compare(HS2 , dword_1002BF50, 6)
|| compare(HS3 , &dword_1002BF58, 1)
|| compare(HS5 , dword_1002BF5C, 6) )
{
AddLog("Error, HackShield module changed!");
sub_10017150(1);//this is callind sub that is calling another sub that kill warrock
}

DWORD bit_1 = ( 0xEB ); // (JMP SHORT)
DWORD bit_2 = ( 0xE8,0x00,0x90 );//call something
DWORD bit_3 = ( 0xE9,0x00,0x90 );//jmp somewhere
DWORD bit_4 = ( 0x4F, 0x4B, 0x21, 0x0A );

sub_1000C4C8((PBYTE)HS1,0x90, 1);
sub_1000C514((PBYTE)HS2,(PBYTE)HS_Patch_1,0xEB, 1);
sub_1000C4C8((PBYTE)HS3,(PBYTE)bit_1, 1);
sub_1000C514((PBYTE)HS5,(PBYTE)HS_Patch_2, bit_2, 6);
sub_1000C514((PBYTE)0x681240, (PBYTE)sub_hs_detect_sumthin , bit_3 , 6);
AddLog((const char *)bit_4 );//hmm confusing

time1 = Get_Time(2);//format = 2 ( "[%H:%M:%S]" )
AddLog("%s - Checking Dll->",time1);

int check = sub_10017024(10);//compare if (10 > 0xFFFFFFE0 )return 0;

if ( check )
v12 = sub_10010960();
else
v12 = 0;
sub_10010BCF(dword_1002FBDC);
AddLog("OK!\n");
}

 

I'm sorry but i have no idea what so ever how to use this, where to use this and how to operate, mind teaching us as if you were teaching a cave man, will be really grateful

[signas2012]

mmm, if I'm not wrong, you need visual studio + detour library but I'm bot sure if I have to copy and paste this code or open Rag2.exe and modify it.

[xang27]

Teach us please. .

Just want HS for farming.

[Boudal]

Quote:

Originally Posted by boching

/// 2 inline asm patches

__declspec (naked) void HS_PATCH_1()
{
__asm{
inc eax
add [esi+ecx-7Fh], bh
inc byte ptr [eax]
add [eax+3067D00h], dl
xor eax, dword_1002FD44
push 36h
lea edi, [ebp-122Ch]
retn
}
}
__declspec (naked) void HS_PATCH_2()
{
__asm{
inc eax
add [esi+ecx-7Fh], bh
inc byte ptr [eax]
add [eax+3067D00h], dl
xor eax, dword_1002FD44
mov eax, ecx
mov edx, ecx
add eax, esi
retn
}
}

__declspec (naked) void sub_hs_detect_sumthin( )
{
char time;
time = Get_Time(2);//format = 2 ( "[%H:%M:%S]" )
AddLog("%s - HackShield Detect Something...\n",time);
}

//sub to get ehsvc handle
int Get_Handle()
{
int result;
result = GetModuleHandleA("EhSvc.dll");
EhSvc = result;
return result;
}


void Detour_Hs()
{
Sleep(1000);
char time = Get_Time(2); //, 2 = "[%H:%M:%S]"
AddLog("%s - Detouring HackShield->", current_time);
int v2 = sub_1001883C( 0x900000 );
sub_10016A80(v2, 0x401000, 0x900000 );//bit complicated
dword_1002FD44 -= 0x401000;

while ( !EhSvc )
{
EhSvc = GetModuleHandleA("EhSvc.dll");
Sleep(100);
}
//
DWORD HS1 = FindPattern(EhSvc,0x90000,(PBYTE)"\x74\x06\x83\x7D \x0C\x00\x75\x0F\x6A\x57", "xxxxxxxxxx");
DWORD HS2 = FindPattern(EhSvc, 0x90000,(PBYTE)"\x8D\xBD\xD4\xED\xFF\xFF\xF3\xA5\x 8B\x53\x0A\x89\x95\xD0\xED\xFF\xFF\x33\xC0\x66\x8B \x43\x08", "xxxxxxxxxxxxxxxxxxxxxxx");
DWORD HS3 = FindPattern(EhSvc,0x90000,(PBYTE)"\x74\x09\xC7\x45 \xFC\x00\xEB\x07\xC7\x45\xFC", "xxxxxxxxxxxxxx");
DWORD HS4 = FindPattern(EhSvc,0x90000,(PBYTE)" \x8B\xC1\x8B\xD1\x03\xC6\x3B\xFE\x76\x08", "xxxxxxxxxx");
DWORD HS5 = FindPattern(HS4 + 0x0A, 0x40000,(PBYTE)" \x8B\xC1\x8B\xD1\x03\xC6\x3B\xFE\x76\x08", "xxxxxxxxxx");

DWORD dword_1002BF4C = (0x74);
DWORD dword_1002BF50 = (0x8D,0xBD,0xD4,0xED,0xFF,0xFF);
DWORD dword_1002BF58 = (0x74);
DWORD dword_1002BF5C = (0x8B,0xC1,0x8B,0xD1,0x03,0xC6);

if ( compare(HS1 , &dword_1002BF4C, 1) //compare DWORD1,DWORD2,lenght
|| compare(HS2 , dword_1002BF50, 6)
|| compare(HS3 , &dword_1002BF58, 1)
|| compare(HS5 , dword_1002BF5C, 6) )
{
AddLog("Error, HackShield module changed!");
sub_10017150(1);//this is callind sub that is calling another sub that kill warrock
}

DWORD bit_1 = ( 0xEB ); // (JMP SHORT)
DWORD bit_2 = ( 0xE8,0x00,0x90 );//call something
DWORD bit_3 = ( 0xE9,0x00,0x90 );//jmp somewhere
DWORD bit_4 = ( 0x4F, 0x4B, 0x21, 0x0A );

sub_1000C4C8((PBYTE)HS1,0x90, 1);
sub_1000C514((PBYTE)HS2,(PBYTE)HS_Patch_1,0xEB, 1);
sub_1000C4C8((PBYTE)HS3,(PBYTE)bit_1, 1);
sub_1000C514((PBYTE)HS5,(PBYTE)HS_Patch_2, bit_2, 6);
sub_1000C514((PBYTE)0x681240, (PBYTE)sub_hs_detect_sumthin , bit_3 , 6);
AddLog((const char *)bit_4 );//hmm confusing

time1 = Get_Time(2);//format = 2 ( "[%H:%M:%S]" )
AddLog("%s - Checking Dll->",time1);

int check = sub_10017024(10);//compare if (10 > 0xFFFFFFE0 )return 0;

if ( check )
v12 = sub_10010960();
else
v12 = 0;
sub_10010BCF(dword_1002FBDC);
AddLog("OK!\n");
}

 

that's not how to do it
it'll make you either bluescreen or not responding

[bagtitako]

Quote:

Originally Posted by trym300

trampoline method is the best shot maybe. my head hurts already haha. nevertheless there is a bypass somewhere but trust me they wont post it either show it due to abuse of bypassing and the probability of fixing. (Control Bussiness) thats what they say!

trying to reverse engineer problem is that there is maint always meaning not everything is stable.

thanks for saying that method it work a wonder! guys just watch youtube and guides on internet it took me 4 days to learn it...

pretty rough though. sorry but most members who know to do it wont post the last product like the Rag.exe or somewhat. because GM of AS are trolling in this forum since its known through out

[jaahc]

Please send the hack to me

[ibrahim2my]

And me aswell