HShield bypass?

[Siebe15]

Hi everybody,

Which programs is required to make a HShield bypass?
And how can I find addresses to bypass it?

Greets.

[RingleRangleRob]

Quote:

Originally Posted by Siebe15

Hi everybody,

Which programs is required to make a HShield bypass?
And how can I find addresses to bypass it?

Greets.

Quote:

Originally Posted by Forbidi

Get HS all those detection functions (heuristic scan, integrity check ...) then Hook CreateThread and compare startaddress with func add in ehsvc.dll and avoid making them, you can hook DeviceIoControl and return true when the control code is 0x80000xxx (don't remember) so the memory won't be hidden.
Otherwise you can make a heartbeat, check servicedispatch function in HS calling convention should be :

PHP Code:

BOOL __stdcall ServiceDispatch(DWORD dwService, LPVOID* lppvParameters, LPDWORD lpdwErrorCode) 


When the first parameter dwService value is 13 and then send a response lppvParameters[0] lppvParameters[1] and lppvParameters[2] the first param is the request, second is lenght, third is the return value, in the end you set the errorcode param to 0 and return to the original func.

"you can hook DeviceIoControl and return true when the control code is 0x80000xxx (don't remember) so the memory won't be hidden."

80000040

use c++ to make it .

[Slicktor]

Quote:

Get HS all those detection functions (heuristic scan, integrity check ...) then Hook CreateThread and compare startaddress with func add in ehsvc.dll and avoid making them

Heartbeat - just saying.
After 31 minutes you will get a crash cause hs got that you faked their threads(hb request, crc).

Quote:

you can hook DeviceIoControl and return true when the control code is 0x80000040 (don't remember) so the memory won't be hidden.

Hf with a bluescreen (EagleXNt).


Instead of doing shit you can simply bypass the crc-check:

Code:

0

You can disable hackshields process-detection with hooking k32enumprocesses (faking processes).

Quote:

BOOL __stdcall ServiceDispatch(DWORD dwService, LPVOID* lppvParameters, LPDWORD lpdwErrorCode)

This is the 10th export.

Quote:

When the first parameter dwService value is 13 and then send a response lppvParameters[0] lppvParameters[1] and lppvParameters[2] the first param is the request, second is lenght, third is the return value, in the end you set the errorcode param to 0 and return to the original func.

Emulating hb is nothing for noobs
Useless.

[RingleRangleRob]

Quote:

Hf with a bluescreen (EagleXNt).

lol nop i don't know what you hook but i can access to memory.

Quote:

Instead of doing **** you can simply bypass the crc-check:

Code:

75 ?? 8B 46 0C 8B 7F 04 83 F8

kk he is a "noob" and he know what means with crc-check xD i think this don't help him o:

Quote:

You can disable hackshields process-detection with hooking k32enumprocesses (faking processes).

It is enought to ret 0C.

[Slicktor]

Quote:

lol nop i don't know what you hook but i can access to memory.

Yea on x64(EagleX64).
If you do that with EagleXNt you will get 2 problems:

1.Bluescreen
2.Automacro detection (NtSendUserInput)

To prevent the first problem you can simply send the stop msg.

Code:

#define IOCTL_KERNEL_MODE_END 0

The second problem is the ssdt-hook on NtSendUserInput it detects all inputs as macros, you can solve by stopping it:

Code:

#define IOCTL_KERNEL_MODE_STUFF_END 0

Quote:

It is enought to ret 0C.

HS will detect it.

[RingleRangleRob]

Quote:

Originally Posted by Slicktor

Yea on x64(EagleX64).
If you do that with EagleXNt you will get 2 problems:

1.Bluescreen
2.Automacro detection (NtSendUserInput)

To prevent the first problem you can simply send the stop msg.

Code:

#define IOCTL_KERNEL_MODE_END 0x80000044

The second problem is the ssdt-hook on NtSendUserInput it detects all inputs as macros, you can solve by stopping it:

Code:

#define IOCTL_KERNEL_MODE_STUFF_END 0x80000084

kk thank you for Informations ...just use 64 bit ^^

Quote:

HS will detect it.

64 Bit not detected. Work without crash ^^ i tried ~30 min.

@topic i think this are enought Informations for a bypass. Have fun and good luck c;

[Desolation64]

Slicktor Erste Bypass War so schön

[Siebe15]

So which programs have you need?

[RingleRangleRob]

Quote:

Originally Posted by Siebe15

So which programs have you need?

I used c++ to make bypass o;

So i recommend c++ to you.

[Siebe15]

Yea but what have I need to get addresses to bypass hshield?

[RingleRangleRob]

Quote:

Originally Posted by Siebe15

Yea but what have I need to get addresses to bypass hshield?

Cheat Engine
c++

[Siebe15]

Not more?

[Omdi]

Quote:

Originally Posted by Siebe15

Not more?

You should have mastered the art of Reverse Engineering

[-Zonda]

Quote:

Originally Posted by Siebe15

Yea but what have I need to get addresses to bypass hshield?

Wtf just did i post xD
Ofc CE & C++ xD

[Siebe15]

Quote:

Originally Posted by Omdihar

You should have mastered the art of Reverse Engineering

Do you have a site where I can learn it?