    1. #1
      Newbie
      Learning to hack games!
       
      Feeling Normal
       
      Maxcloud's Avatar

      Bypass Loopback Removal

      John Kittz
      Hello, I'm new here and this is my first post. I was referred here by Fleep and his YouTube Channel. I am trying to learn C++
      while coding a simple DLL bypass.

      I have been trying to prevent my target from removing my loopback adaptor. I am only a few days into C++ and
      when I try the code, it relays my custom message of "Failed Virtual Protect". I'm not really sure what I am doing wrong,
      would someone mind giving me a bump in the right direction regarding this problem? I appreciate all the help I can get.

      Thank you.

      Spoiler: Code

      #include "stdafx.h"

      #include <iostream>
      #include <windows.h>
      #include <setupapi.h>

      using namespace std;

      // Called from DllMain on DLL_PROCESS_ATTACH. Loads setupapi.dll, opens a handle to the
      // current process and overwrites the first three bytes of SetupDiGetClassDevsExA with
      // C2 1C 00, reporting each failing step on the console allocated below.
      //
      // NOTE(review): this is an in-memory modification of an exported system-DLL function.
      // An integrity check that compares the loaded code bytes with the on-disk image of
      // setupapi.dll would see the changed bytes at the export's entry point.
      // NOTE(review): the function runs inside DllMain; Microsoft's DllMain guidance advises
      // against calling LoadLibrary or user32 functions such as MessageBox from there.
      void WINAPI Main()
      {

      HINSTANCE asdf = LoadLibrary(L"setupapi.dll");

      if (asdf == NULL) {
      MessageBoxA(NULL, "There was an error injecting...", NULL, MB_OK);
      } else {

      // Console used for the cout diagnostics below.
      AllocConsole();

      // Handle to this same process (GetCurrentProcessId). It is never closed in this function.
      HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId());

      if (hProcess) {

      // Result is not checked for NULL before it is used as the patch address.
      FARPROC devA = (FARPROC) GetProcAddress(asdf, "SetupDiGetClassDevsExA"); // 0x7554125C

      unsigned long oldProtect;

      // The length passed is sizeof(devA), i.e. the size of the pointer, not of the patch bytes.
      if(!VirtualProtectEx(hProcess, devA, sizeof(devA), PAGE_EXECUTE_WRITECOPY, &oldProtect)) {
      cout << "[Virtual-1]: " << GetLastError() << endl;
      return; // early return: FreeLibrary at the end is skipped on this path
      }

      BYTE newAddy[] = {0xC2, 0x1C, 0x00}; // RETN 1C ?

      if (!WriteProcessMemory(hProcess, (BYTE*)devA, &newAddy, sizeof(newAddy), NULL)) {
      cout << "[Write2Memory]: " << GetLastError() << endl;
      return; // early return: the page protection changed above is left in place
      }

      // Sets PAGE_EXECUTE rather than the protection saved by the first call; oldProtect
      // is overwritten here, so the original value is lost.
      if (!VirtualProtectEx(hProcess, devA, sizeof(devA), PAGE_EXECUTE, &oldProtect)) {
      cout << "[Virtual-2]: " << GetLastError() << endl;
      return;
      }

      MessageBoxA(NULL, "Success!", NULL, MB_OK);
      Sleep(3000);

      } else {
      MessageBoxA(NULL, "The process could not be found.", NULL, MB_OK);
      }
      }
      // Reached on both branches of the outer if, so this is also called when asdf is NULL.
      FreeLibrary(asdf);
      }



      // DLL entry point. Runs Main() when the DLL is attached to a process and does nothing
      // for the thread attach/detach and process detach notifications. Always returns TRUE.
      BOOL APIENTRY DllMain( HMODULE hModule,
      DWORD ul_reason_for_call,
      LPVOID lpReserved
      )
      {
      switch (ul_reason_for_call)
      {
      case DLL_PROCESS_ATTACH:
      Main();
      // No break here: control falls through the empty cases below to the shared break.
      case DLL_THREAD_ATTACH:
      case DLL_THREAD_DETACH:
      case DLL_PROCESS_DETACH:
      break;
      }
      return TRUE;
      }




      December 27th
      UPDATE: I have quickly updated the code and it's displaying the "Success" message now but it still seems to be deleting the loopback adaptor.
      Last edited by Maxcloud; 12-27-2012 at 05:14 AM. Reason: Updated the code.

    2. #2
      Hacker
      Learning to hack games!
       
      Pawning
       
      Fleep's Avatar
      Originally Posted by Maxcloud

      Hello, I'm new here and this is my first post. I was referred here by Fleep and his YouTube Channel. I am trying to learn C++
      while coding a simple DLL bypass.

      I have been trying to prevent my target from removing my loopback adaptor. I am only a few days into C++ and
      when I try the code, it relays my custom message of "Failed Virtual Protect". I'm not really sure what I am doing wrong,
      would someone mind giving me a bump in the right direction regarding this problem? I appreciate all the help I can get.

      Thank you.

      Spoiler: Code

      #include "stdafx.h"

      #include <iostream>
      #include <windows.h>
      #include <setupapi.h>

      using namespace std;

      // Called from DllMain on DLL_PROCESS_ATTACH. Loads setupapi.dll, opens a handle to the
      // current process and overwrites the first three bytes of SetupDiGetClassDevsExA with
      // C2 1C 00, reporting each failing step on the console allocated below.
      //
      // NOTE(review): this is an in-memory modification of an exported system-DLL function.
      // An integrity check that compares the loaded code bytes with the on-disk image of
      // setupapi.dll would see the changed bytes at the export's entry point.
      // NOTE(review): the function runs inside DllMain; Microsoft's DllMain guidance advises
      // against calling LoadLibrary or user32 functions such as MessageBox from there.
      void WINAPI Main()
      {

      HINSTANCE asdf = LoadLibrary(L"setupapi.dll");

      if (asdf == NULL) {
      MessageBoxA(NULL, "There was an error injecting...", NULL, MB_OK);
      } else {

      // Console used for the cout diagnostics below.
      AllocConsole();

      // Handle to this same process (GetCurrentProcessId). It is never closed in this function.
      HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId());

      if (hProcess) {

      // Result is not checked for NULL before it is used as the patch address.
      FARPROC devA = (FARPROC) GetProcAddress(asdf, "SetupDiGetClassDevsExA"); // 0x7554125C

      unsigned long oldProtect;

      // The length passed is sizeof(devA), i.e. the size of the pointer, not of the patch bytes.
      if(!VirtualProtectEx(hProcess, devA, sizeof(devA), PAGE_EXECUTE_WRITECOPY, &oldProtect)) {
      cout << "[Virtual-1]: " << GetLastError() << endl;
      return; // early return: FreeLibrary at the end is skipped on this path
      }

      BYTE newAddy[] = {0xC2, 0x1C, 0x00}; // RETN 1C ?

      if (!WriteProcessMemory(hProcess, (BYTE*)devA, &newAddy, sizeof(newAddy), NULL)) {
      cout << "[Write2Memory]: " << GetLastError() << endl;
      return; // early return: the page protection changed above is left in place
      }

      // Sets PAGE_EXECUTE rather than the protection saved by the first call; oldProtect
      // is overwritten here, so the original value is lost.
      if (!VirtualProtectEx(hProcess, devA, sizeof(devA), PAGE_EXECUTE, &oldProtect)) {
      cout << "[Virtual-2]: " << GetLastError() << endl;
      return;
      }

      MessageBoxA(NULL, "Success!", NULL, MB_OK);
      Sleep(3000);

      } else {
      MessageBoxA(NULL, "The process could not be found.", NULL, MB_OK);
      }
      }
      // Reached on both branches of the outer if, so this is also called when asdf is NULL.
      FreeLibrary(asdf);
      }



      // DLL entry point. Runs Main() when the DLL is attached to a process and does nothing
      // for the thread attach/detach and process detach notifications. Always returns TRUE.
      BOOL APIENTRY DllMain( HMODULE hModule,
      DWORD ul_reason_for_call,
      LPVOID lpReserved
      )
      {
      switch (ul_reason_for_call)
      {
      case DLL_PROCESS_ATTACH:
      Main();
      // No break here: control falls through the empty cases below to the shared break.
      case DLL_THREAD_ATTACH:
      case DLL_THREAD_DETACH:
      case DLL_PROCESS_DETACH:
      break;
      }
      return TRUE;
      }




      December 27th
      UPDATE: I have quickly updated the code and it's displaying the "Success" message now but it still seems to be deleting the loopback adaptor.

    4. #3
      Nick
      Learning to hack games!
       
      Feeling Normal
       
      ndani14's Avatar
      Hey Maxcloud,

      What do you mean by "loopback adaptor"?

      I can see a few errors in the code.

      I believe you need to use PAGE_EXECUTE_READWRITE, not PAGE_EXECUTE_WRITECOPY.

      Your call to WriteProcessMemory isn't actually needed if you're running inside the process; you can just write to the address directly. But you can still use it. You will need to fix the address you're copying from (3rd param). It should just be "newAddy", not "&newAddy". "newAddy" is a pointer to the data, whereas "&newAddy" is a pointer to the pointer of the data.

      You can just call memcpy like this.
      memcpy(devA, newAddy, sizeof(newAddy)); // may need to cast haven't checked
      // also include string.h

      Another minor thing: when you revert the access rights, you should set them back to what they were rather than hard-coding PAGE_EXECUTE.
      is
      VirtualProtectEx(hProcess, devA, sizeof(devA), PAGE_EXECUTE, &oldProtect)
      should be
      VirtualProtectEx(hProcess, devA, sizeof(devA), oldProtect, &oldProtect)

      Another thing to be careful of, but in this case you're ok. When you call VirtualProtectEx to change the page protection make sure you use the size of the memory you're going to change. If not you may go to write something and get an access violation because the data could be on the edge between two pages.

      VirtualProtectEx(hProcess, devA, sizeof(devA), oldProtect, &oldProtect)
      3rd param should be the size of the data you're going to change. In this case the size of a FARPROC is larger than what you're writing.

      By the way, why are you freeing the library when you're done? It kind of makes the change useless, unless there's something else going on that I don't know about?

      Hope this helps with the issue =)

    6. #4
      Newbie
      Learning to hack games!
       
      Feeling Normal
       
      Maxcloud's Avatar
      Quote Originally Posted by ndani14 View Post
      Hey Maxcloud,

      What do you mean by "loopback adaptor"?

      I can see a few errors in the code.

      I believe you need to use PAGE_EXECUTE_READWRITE, not PAGE_EXECUTE_WRITECOPY.

      Your call to WriteProcessMemory, isn't actually needed if your running in the process, just can write to the address directly. But you can still use it. You will need to fix the address you're copying from (3rd param). It should just be "newAddy" not "&newAddy". "newAddy" is a pointer to the data where as "&newAddy" is a pointer to the pointer of the data.

      You can just call memcpy like this.
      memcpy(devA, newAddy, sizeof(newAddy)); // may need to cast haven't checked
      // also include string.h

      Also another minor thing when you're trying to revert the access rights you should be setting them to what they were not hard coding the PAGE_EXECUTE
      is
      VirtualProtectEx(hProcess, devA, sizeof(devA), PAGE_EXECUTE, &oldProtect)
      should be
      VirtualProtectEx(hProcess, devA, sizeof(devA), oldProtect, &oldProtect)

      Another thing to be careful of, but in this case you're ok. When you call VirtualProtectEx to change the page protection make sure you use the size of the memory you're going to change. If not you may go to write something and get an access violation because the data could be on the edge between two pages.

      VirtualProtectEx(hProcess, devA, sizeof(devA), oldProtect, &oldProtect)
      3rd param should be the size of the data you're going to change. In this case the size of a FARPROC is larger than what you're writing.

      By the way, why are you freeing the library when you're done? It kind of makes the change useless there's something else going on I don't know about?

      Hope this helps with the issue =)
      I use a Microsoft Loopback Adapter to trick my target into thinking I am the gaming server and then it connects to my emulated server, but recently they have discovered people doing this and are now deleting the adapter before the game even opens.

      Surprisingly enough, I understand everything you said. I really appreciate the help, but unfortunately it didn't solve my problem. I've recently tried using an API monitor to see whether I am in fact tackling the correct function, but since the client is packed with Themida it's difficult to work with. Someone else had the idea of creating a dirty patch to SetupDiRemoveDevice to trick it into giving the response that the device was deleted, but again no results.

      I personally think the API is guarded by HackShield so I have decided to take a shot at detouring WS2_32 and it worked for a few versions, but now it's freezing upon connecting. I have included the code, maybe it needs to be improved?

      Code:
      #include "stdafx.h"
      #include "Detours/detours.h"
      
      #include <stdio.h>
      #include <iostream>
      #include <Windows.h>
      #include <ws2tcpip.h>
       
      #pragma comment(lib, "WS2_32")
      #pragma comment(lib, "Detours/detours.lib") 
      
      using namespace std;
      
      // Function-pointer type with the argument list the hook below is declared with
      // (socket, sockaddr_in*, length).
      typedef int (WINAPI *LocalConnect) (SOCKET, sockaddr_in*, int);
      // Set in DllMain to the value returned by DetourFunction; the hook calls through it.
      LocalConnect local_addr;
      
      // Despite its name, this is the replacement DllMain installs for ws2_32.dll's "connect"
      // export. It overwrites the address field of the caller's sockaddr with 127.0.0.1 and
      // then forwards the call through local_addr, returning that call's result.
      //
      // NOTE(review): the caller's buffer is modified in place, and no check of the address
      // family or of `size` is visible before it is treated as a sockaddr_in.
      // NOTE(review): a hook of this kind changes the entry bytes of ws2_32!connect in memory,
      // so comparing that export's code with the on-disk image would reveal it; a client
      // that authenticates its server would also not be satisfied by a redirected endpoint.
      int WINAPI GetPeerName (SOCKET s, sockaddr_in* sockAddr, int size)
      {
      
      		sockaddr_in* service = (sockaddr_in*)sockAddr;
      	
      		// Loopback address in the form inet_addr returns.
      		unsigned long address = inet_addr("127.0.0.1");
      
      		// Replace only the address; the port and family set by the caller are left as they are.
      		memcpy(&service->sin_addr, &address, sizeof(unsigned long));
      
      		return local_addr (s, sockAddr, size);
      }
      
      // DLL entry point. On process attach it allocates a console and installs GetPeerName as
      // a detour for ws2_32.dll's "connect" export, keeping the pointer returned by
      // DetourFunction in local_addr. Other notifications do nothing. Always returns TRUE.
      BOOL APIENTRY DllMain( HMODULE hModule,
                             DWORD  ul_reason_for_call,
                             LPVOID lpReserved
      					 )
      {
      	switch (ul_reason_for_call)
      	{
      	// NOTE(review): this statement sits before the first case label, so the switch
      	// jumps past it and it is never executed.
      	DisableThreadLibraryCalls(hModule);
      	case DLL_PROCESS_ATTACH:
      		AllocConsole();
      		// Neither GetModuleHandleA nor GetProcAddress is checked for NULL before the
      		// result is handed to DetourFunction.
      		local_addr = (LocalConnect)DetourFunction((PBYTE)GetProcAddress (GetModuleHandleA("ws2_32.dll"), "connect"), (PBYTE)GetPeerName);
      	// No break here: control falls through the empty cases below to the shared break.
      	case DLL_THREAD_ATTACH:
      	case DLL_THREAD_DETACH:
      	case DLL_PROCESS_DETACH:
      		break;
      	}
      	return TRUE;
      }
      Last edited by Maxcloud; 12-30-2012 at 06:49 PM.

    7. #5
      Kim Kong Trasher
      I don't have status.
       
      Raging
       
      c5's Avatar
      hook looks okay from here
      Bypass Loopback Removal

    9. #6
      Newbie
      Learning to hack games!
       
      Feeling Normal
       
      Maxcloud's Avatar
      Quote Originally Posted by c5 View Post
      hook looks okay from here
      Thank you very much.

      This matter has evolved into dealing with a HackShield problem, so this can be closed. Thank you to everyone!
