Guide Hackshield Anticheat Bypass Information


Anyone else can share some info on HackShield? Specifically what it's like in the past few years...

Before you focus on Hackshield you must understand the basics of Anticheat Guide - How to Get Started with AntiCheat Bypass

Here's what I dug up so far (keep in mind lots of this info is old, but is useful for research):

Hackshield has been around since 2005, made by AhnLab Inc. It's used on lots of MMOs, many Nexon and NCSoft games. Interestingly enough AhnLab makes antivirus software also. It is a kernel mode anticheat but has been bypassed many times in the past, meaning it must not be too difficult.

Hackshield source code
The Hackshield source code was leaked around 2010; if you are real good at DuckDuckGoing you can find it. It is a very interesting read, though not too useful any more since the product has probably had a lot of updates since then, but it's the only anticheat source code I know about. Thank you @timb3r for mentioning it. I found it online @ HackShieldR.5.6.6.1(build235).zip

Detections:
Uses signature detection to detect hacking programs such as cheat engine, injectors etc...
There is a kind of heartbeat, where the server and client talk continuously and monitor for changes
Blocks hooking and sending messages to window
Blocks debuggers

Games that use It:
Combat Arms
PointBlank
??

There is an excellent writeup on the older version @ HackShield Analysis - Anti-Cheat Systems - Games Research Community

Here's a relatively new bypass on GitHub that is very nice
VirtualPuppet/HackShield-bypass


Recent Bypasses from AIRRIDE for v5.6.34.449, v5.7.6.502 & v5.7.20.616
https://guidedhacking.com/threads/hackshield-anticheat-bypass-information.10899/post-86254


First bypass I found from a few years ago:

C++:
// Naked stub pasted back from a disassembly listing: no prologue/epilogue is
// generated and it ends in `retn`, so it is only meaningful when reached via a
// call that pushed a return address. The first five instructions (`inc eax`,
// `add [esi+ecx-7Fh], bh`, `inc byte ptr [eax]`, ...) look like a decoder that
// started mid-instruction rather than real code; executed as written they
// write through eax and esi+ecx and will fault or corrupt memory.
// NOTE(review): confirm against the original bytes before trusting this stub.
// `dword_1002FD44` is an IDA-style auto-name whose definition is not on the page.
__declspec (naked) void HS_PATCH_1()
{
    __asm {
        inc     eax
        add[esi + ecx - 7Fh], bh
        inc     byte ptr[eax]
        add[eax + 3067D00h], dl
        xor     eax, dword_1002FD44
        push     36h
        lea     edi, [ebp - 122Ch]
        retn    // as written this pops the 36h just pushed as the return address
    }
}
// Second naked stub with the same suspicious five-instruction prefix as
// HS_PATCH_1 (see the note there). Its tail — `mov eax,ecx` / `mov edx,ecx` /
// `add eax,esi` — is exactly the byte pattern 8B C1 8B D1 03 C6 that
// Detour_Hs searches for as HS4/HS5, so the tail presumably replays the
// instructions displaced by that detour before returning; confirm against
// the target. No prologue is generated for a naked function.
__declspec (naked) void HS_PATCH_2()
{
    __asm {
        inc     eax
        add[esi + ecx - 7Fh], bh
        inc     byte ptr[eax]
        add[eax + 3067D00h], dl
        xor     eax, dword_1002FD44
        mov     eax, ecx
        mov     edx, ecx
        add     eax, esi
        retn
    }
}

// Logging stub that Detour_Hs installs at 0x681240, reached when HackShield
// trips a detection. Defects as written: a `__declspec(naked)` function may
// contain only inline asm (no locals, no C calls, no implicit return), so this
// body is ill-formed; `time` is a single char yet receives Get_Time's result
// and is then handed to a `%s` conversion. Get_Time and AddLog are not on the
// page.
__declspec (naked) void sub_hs_detect_sumthin()
{
    char time;
    time = Get_Time(2);//format = 2  ( "[%H:%M:%S]" )
    AddLog("%s - HackShield Detect Something...\n", time);
}

//sub to get ehsvc handle
int Get_Handle()
{
    // Look up the base of the already-mapped EhSvc.dll (NULL when it is not
    // loaded yet), publish it in the file-level EhSvc global and hand it back.
    // NOTE(review): GetModuleHandleA returns an HMODULE; storing it in an int
    // is only lossless on a 32-bit target.
    EhSvc = GetModuleHandleA("EhSvc.dll");
    return EhSvc;
}

// Patches the loaded EhSvc.dll in place. Every sub_/dword_ name is an IDA
// auto-name from the original binary and is not defined on the page;
// current_time, time1 and v12 are likewise undeclared here, so this listing
// does not compile as shown. Runs on whatever thread calls it (no locking).
void Detour_Hs()
{
    Sleep(1000);
    char time = Get_Time(2); //, 2 = "[%H:%M:%S]"
    AddLog("%s - Detouring HackShield->", current_time); // logs current_time, not the `time` just fetched
    int v2 = sub_1001883C(0x900000);
    sub_10016A80(v2, 0x401000, 0x900000);//bit complicated
    dword_1002FD44 -= 0x401000;

    // Poll until the anticheat module is mapped; no timeout, so this spins
    // forever if it never loads.
    while (!EhSvc)
    {
        EhSvc = GetModuleHandleA("EhSvc.dll");
        Sleep(100);
    }
    //
    // Byte-pattern scans for the patch sites. Note: the HS3 mask has 14 chars
    // for an 11-byte pattern; the HS4/HS5 patterns begin with a literal space
    // (0x20) that is almost certainly a paste artifact; HS5 is the next
    // occurrence, searched from 0x0A bytes past HS4. Results are not checked
    // for 0 before use.
    DWORD HS1 = FindPattern(EhSvc, 0x90000, (PBYTE)"\x74\x06\x83\x7D\x0C\x00\x75\x0F\x6A\x57", "xxxxxxxxxx");
    DWORD HS2 = FindPattern(EhSvc, 0x90000, (PBYTE)"\x8D\xBD\xD4\xED\xFF\xFF\xF3\xA5\x8B\x53\x0A\x89\x95\xD0\xED\xFF\xFF\x33\xC0\x66\x8B\x43\x08", "xxxxxxxxxxxxxxxxxxxxxxx");
    DWORD HS3 = FindPattern(EhSvc, 0x90000, (PBYTE)"\x74\x09\xC7\x45\xFC\x00\xEB\x07\xC7\x45\xFC", "xxxxxxxxxxxxxx");
    DWORD HS4 = FindPattern(EhSvc, 0x90000, (PBYTE)" \x8B\xC1\x8B\xD1\x03\xC6\x3B\xFE\x76\x08", "xxxxxxxxxx");
    DWORD HS5 = FindPattern(HS4 + 0x0A, 0x40000, (PBYTE)" \x8B\xC1\x8B\xD1\x03\xC6\x3B\xFE\x76\x08", "xxxxxxxxxx");

    // BUG: the parenthesised lists are comma expressions, not byte arrays —
    // each DWORD holds only the last value (0x74, 0xFF, 0x74, 0xC6). They were
    // meant to hold the expected original bytes at each site.
    DWORD dword_1002BF4C = (0x74);
    DWORD dword_1002BF50 = (0x8D, 0xBD, 0xD4, 0xED, 0xFF, 0xFF);
    DWORD dword_1002BF58 = (0x74);
    DWORD dword_1002BF5C = (0x8B, 0xC1, 0x8B, 0xD1, 0x03, 0xC6);

    // Self-check before patching: bail out (and let sub_10017150 terminate
    // the game) if the bytes at the sites are not the expected originals.
    // The mixed `&dword_...` / `dword_...` arguments pass an address in two
    // cases and a value in the other two — only one can match `compare`.
    if (compare(HS1, &dword_1002BF4C, 1) //compare DWORD1,DWORD2,length
        || compare(HS2, dword_1002BF50, 6)
        || compare(HS3, &dword_1002BF58, 1)
        || compare(HS5, dword_1002BF5C, 6))
    {
        AddLog("Error, HackShield module changed!");
        sub_10017150(1);//calls a sub that calls another sub that kills warrock
    }

    // Same comma-operator bug: bit_2 == 0x90, bit_3 == 0x90, bit_4 == 0x0A.
    // bit_4 was evidently meant to be the bytes of "OK!\n".
    DWORD bit_1 = (0xEB); // (JMP SHORT)
    DWORD bit_2 = (0xE8, 0x00, 0x90);//call  something
    DWORD bit_3 = (0xE9, 0x00, 0x90);//jmp somewhere
    DWORD bit_4 = (0x4F, 0x4B, 0x21, 0x0A);

    // Apply the patches. Helper semantics are not on the page (sub_1000C4C8
    // appears to write bytes, sub_1000C514 to install a detour); note the
    // argument types differ from call to call (value vs. pointer), and
    // HS_Patch_1/HS_Patch_2 differ in case from the HS_PATCH_* definitions.
    sub_1000C4C8((PBYTE)HS1, 0x90, 1);
    sub_1000C514((PBYTE)HS2, (PBYTE)HS_Patch_1, 0xEB, 1);
    sub_1000C4C8((PBYTE)HS3, (PBYTE)bit_1, 1);
    sub_1000C514((PBYTE)HS5, (PBYTE)HS_Patch_2, bit_2, 6);
    sub_1000C514((PBYTE)0x681240, (PBYTE)sub_hs_detect_sumthin, bit_3, 6);
    AddLog((const char *)bit_4);//BUG: dereferences address 0x0A (see bit_4 above) — access violation

    time1 = Get_Time(2);//format = 2  ( "[%H:%M:%S]" )
    AddLog("%s - Checking Dll->", time1);

    int check = sub_10017024(10);//compare if (10 > 0xFFFFFFE0 )return 0;

    // v12 is assigned but never read afterwards.
    if (check)
        v12 = sub_10010960();
    else
        v12 = 0;
    sub_10010BCF(dword_1002FBDC);
    AddLog("OK!\n");
}
Another bypass from a few years ago Author: Mafia67

C++:
// Copies `len` bytes from lpSrc over lpMem in the current process after making
// the page writable. Returns 1 on success, 0 if VirtualProtect failed.
// BUG: the copy loop post-decrements `len` until the `> 0` test fails, leaving
// it at (DWORD)-1; the restoring VirtualProtect and FlushInstructionCache are
// then called with that wrapped length, so the original protection is never
// restored and the cache flush covers the wrong range — save `len` first.
// Also note PAGE_READWRITE (not PAGE_EXECUTE_READWRITE) drops execute rights
// on a code page while the copy runs; any other thread executing that code
// meanwhile faults under DEP.
BOOL WriteMemory (VOID *lpMem, VOID *lpSrc, DWORD len)
{
  DWORD lpflOldProtect, flNewProtect = PAGE_READWRITE;
  unsigned char *pDst = (unsigned char *)lpMem,
  *pSrc = (unsigned char *)lpSrc;
  if (VirtualProtect(lpMem,len,flNewProtect,&lpflOldProtect))
  {
              while(len-- >0) *pDst++ = *pSrc++;   // len wraps to 0xFFFFFFFF on exit
              VirtualProtect(lpMem,len, lpflOldProtect,&lpflOldProtect);
              FlushInstructionCache(GetCurrentProcess(), lpMem, len);
              return 1;
  }
  return 0;
}

// Waits for EhSvc.dll to be mapped, then overwrites seven fixed offsets in it
// via WriteMemory. The offsets are hard-coded for one specific build and
// nothing checks the module version or the bytes being replaced, so on any
// other build these writes land on unrelated code. WriteMemory's return
// values are ignored, and the wait loop has no timeout. The uneven
// indentation of the calls is in the original and has no effect.
void HSBypass (void)
{
    DWORD dwEHSVC = 0;
    do
    {
        dwEHSVC = (DWORD)GetModuleHandle("EhSvc.dll");
        Sleep(250);
    }while(!dwEHSVC);

        WriteMemory((LPVOID)(dwEHSVC + 0x003D67F), (LPVOID)"\x03\xD2", 2);
        WriteMemory((LPVOID)(dwEHSVC + 0x003F77D), (LPVOID)"\xB8\x00\x00\x00\x00", 5);
        WriteMemory((LPVOID)(dwEHSVC + 0x000A1A0), (LPVOID)"\xC2\x04\x00", 3);
        WriteMemory((LPVOID)(dwEHSVC + 0x0085B43), (LPVOID)"\xC3", 1);
        WriteMemory((LPVOID)(dwEHSVC + 0x000A238), (LPVOID)"\x74", 1);
    WriteMemory((LPVOID)(dwEHSVC + 0x008523E), (LPVOID)"\xC2\x04\x00", 3);
    WriteMemory((LPVOID)(dwEHSVC + 0x00A5EBA), (LPVOID)"\xD2", 1);
}
Xtrap Bypass Author: Slicktor

C++:
#include "Bypass.h"

// Thread body: spins (without sleeping) until XTrapVa.dll is mapped, then
// waits 500 ms and applies the two BYPASS patches once. Declared
// DWORD WINAPI (__stdcall) but started through _beginthread in DllMain, which
// expects a __cdecl void(*)(void*) — the cast there hides a calling-convention
// and return-type mismatch. The busy loop pins a core until the module
// appears; a Sleep inside the loop would be the usual fix. BYPASS is defined
// further down the page.
DWORD WINAPI InitializeXTrapBypass() {

    DWORD nBase;
    while(1)
    {

        nBase = (DWORD)GetModuleHandleA("XTrapVa.dll");

        if(nBase){
        Sleep(500);
        BYPASS bypass;
        bypass.Driver64();
        bypass.ProcessDetection();
        break;
        }

    }
    return 0;

}

// DLL entry point: on process attach it starts InitializeXTrapBypass on a CRT
// thread. `sizeof(&InitializeXTrapBypass)` (a pointer size, 4 or 8) is passed
// as the thread stack size, which is surely not what was intended (0 selects
// the default); the function-pointer cast papers over the __stdcall/__cdecl
// and return-type mismatch noted on InitializeXTrapBypass. The thread is
// never joined.
BOOL WINAPI DllMain ( HMODULE hDll, DWORD dwReason, LPVOID lpReserved )
{
    DisableThreadLibraryCalls(hDll);
    if( dwReason == DLL_PROCESS_ATTACH)

    {

          _beginthread((void(*)(void*))InitializeXTrapBypass,sizeof(&InitializeXTrapBypass),0);
    }


    return TRUE;
}

//main.cpp

#include <Windows.h>
#include <tlhelp32.h>
#include <process.h>
#include <wchar.h>

// Holder for the two XTrap patches; it keeps no state and both members always
// return 0. Qualifying member declarations with `BYPASS::` inside the class
// body is not valid standard C++ (MSVC accepts it with a warning).
class BYPASS
{

public:
int BYPASS::ProcessDetection();
int BYPASS::Driver64();
};
// Overwrites the first three bytes of kernel32!K32EnumProcesses so that every
// caller gets an immediate return and no process list. Issues: the
// GetProcAddress result is never checked (the export only exists on Win7+;
// a NULL here means writing to address 0); VirtualProtect is given
// sizeof(DWORD) as the length, which only coincidentally covers the 3-byte
// write; and the old protection is never restored. Defensive note: an inline
// patch on a kernel32 export is visible to any integrity check that compares
// the in-memory prologue with the on-disk image.
int BYPASS::ProcessDetection()
{

    DWORD K32EnumAddr = (DWORD)GetProcAddress(LoadLibraryA("Kernel32.dll"),"K32EnumProcesses");
    //DWORD EnumAddr = (DWORD)GetProcAddress(LoadLibraryA("Psapi.dll"),"EnumProcesses");
    DWORD old;
    VirtualProtect((LPVOID)K32EnumAddr,sizeof(K32EnumAddr),PAGE_EXECUTE_READWRITE,&old);
    //VirtualProtect((LPVOID)EnumAddr,sizeof(EnumAddr),PAGE_EXECUTE_READWRITE,&old);
    memcpy((LPVOID)K32EnumAddr,(LPVOID)"\xC2\x0C\x00",3);
    //memcpy((LPVOID)EnumAddr,(LPVOID)"\xC2\x0C\x00",3);
    return 0;
}

// Writes six wchar_t over a fixed absolute address. BUG: the narrow literal
// "X6va01" is merely cast to const wchar_t*, so the copy reads 12 bytes from
// a 7-byte string (out-of-bounds read) and writes garbage rather than the
// wide string; L"X6va01" was intended. 0x405D0C24 is hard-coded and not
// module-relative, and the page is not made writable first — TODO confirm
// against the target build.
int BYPASS::Driver64()
{

    wmemcpy((wchar_t*)0x405D0C24,(const wchar_t*)"X6va01",6);
    return 0;
}
Another bypass source code:
C++:
// Absolute address inside XTrapVa.dll that Bypass() detours; hard-coded for
// one build and not module-relative — TODO confirm it matches the loaded image.
DWORD XTrapDriver = 0x40A20840;

// Same target as BYPASS::ProcessDetection above, but the two bytes written
// (EB FE) encode a jump to itself, so any thread that calls K32EnumProcesses
// hangs there forever instead of returning. The GetProcAddress result is
// unchecked and the old protection is not restored. Always returns 0.
int ThreadDetection()
{
    DWORD oldprotect = 0;
    DWORD K32EnumAddr = (DWORD)GetProcAddress(LoadLibraryA("Kernel32.dll"), "K32EnumProcesses");
    VirtualProtect((LPVOID)K32EnumAddr, sizeof(K32EnumAddr), PAGE_EXECUTE_READWRITE, &oldprotect);
    memcpy((LPVOID)K32EnumAddr, (LPVOID)"\xEB\xFE", 2);
    return 0;
}

// Thread routine: waits for XTrapVa.dll, detours XTrapDriver to Hook, then
// copies the wide string "X6va02" over whatever sHook (the value DetourFunction
// returned) points to, calls ThreadDetection and shows a message box.
// `XTrap` is computed and never used. `GetModuleHandle("XTrapVa.dll")` with a
// narrow literal compiles only in a non-UNICODE build, while the next line
// uses TEXT() — the two are inconsistent. sHook, xHook and DetourFunction are
// not declared on the page (DetourFunction is the Detours 1.x API).
// NOTE(review): DetourFunction returns a code trampoline; writing text over
// it looks wrong — presumably a string buffer was intended, confirm.
void Bypass(void*)
{
    while (1)
    {
      DWORD XTrap = (DWORD)GetModuleHandle("XTrapVa.dll");  // get XTrap base address
      HMODULE hwd = GetModuleHandle(TEXT("XTrapVa.dll"));
        if (hwd)// wait XTrapVa.dll
        {
            Sleep(500);
            sHook = (xHook)DetourFunction((PBYTE)XTrapDriver, (PBYTE)Hook);// Hook
            wmemcpy((wchar_t*)sHook, L"X6va02", 6);
            ThreadDetection(); // Call ThreadDetection
            MessageBoxA(NULL, "XTrap Bypass Successful", "Notice", MB_ICONINFORMATION);
            break;
        }
    }
}

// Replacement installed over XTrapDriver by Bypass(): always reports success
// without doing anything. Declared __stdcall with no parameters, so it only
// matches a target that takes no stack arguments — TODO confirm.
BOOL __stdcall Hook() // Hook
{
    return TRUE;
}


// DLL entry point: starts the Bypass thread on process attach. The thread
// handle returned by CreateThread is never closed (handle leak), and the
// missing `break` after DLL_PROCESS_ATTACH falls through into the empty
// cases — harmless here, but worth marking as intentional.
BOOL APIENTRY DllMain(HMODULE hModule,DWORD  ul_reason_for_call,LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        CreateThread(0, 0, (LPTHREAD_START_ROUTINE)Bypass, 0, 0, 0);
        // falls through
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
 
Hackshield has been around since 2005, made by AhnLab Inc. It's used on lots of MMOs, many Nexon and NCSoft games. Interestingly enough AhnLab makes antivirus software also. It is a kernel mode anticheat but has been bypassed many times in the past, meaning it must not be too difficult.
Sorry for bumping an old thread but is there any chance you still have ahnlab anticheat source code ? i can not find it at all.
Sorry for bumping an old thread but is there any chance you still have ahnlab anticheat source code ? i can not find it at all.
I can check when I get home i may still have it
Sorry for bumping an old thread but is there any chance you still have ahnlab anticheat source code ? i can not find it at all.
HS Bypass by memory edits:
HackShield Bypass v5.6.34.449 and v5.7.6.502 : [C++] HackShield Bypass v5.6.34.449 and v5.7.6.502 - Pastebin.com
HackShield Bypass v5.7.20.616 : [C++] HackShield Bypass v5.7.20.616 JMS - Pastebin.com

HackShield Bypass v5.6.34.449 and v5.7.6.502
C++:
WRYYYYYYYYYYYYYYYYYYYーッ
x64環境でのみきちんと動作します
x86環境で使う場合はMemory Protectionを無効にしないと
OpenProcessをドライバロード後に行うとBSODします
by AIRRIDE (リレミト)
SkypeID:C20400
http://otthts.blog.fc2.com/

//v5.6.34.449
// Filled in by Air::CreateMemoryDump: presumably HS_Memory is a saved copy of
// EHSvc.dll's image and HS_Memory_Start/End bound the live module.
DWORD HS_Memory, HS_Memory_Start, HS_Memory_End;
// Continuation addresses for the four hooks, written by WriteJumpAtModule
// (HSCRC3_Ret is assigned by hand in HackShieldBypass).
DWORD HSCRC1_Ret, HSCRC2_Ret, HSCRC3_Ret, HSCRC4_Ret;

// Hook spliced into one of EHSvc's self-checksum loops. If the byte pointer
// (ecx) falls inside the live module [HS_Memory_Start, HS_Memory_End] it is
// rebased into the saved copy before the load, so the checksum sees the
// unpatched bytes; the last three instructions presumably replay what the
// jump displaced, then continue at HSCRC1_Ret. Flags are clobbered.
// Defensive takeaway: an in-process integrity check that reads its own image
// through a redirectable pointer cannot attest itself — the check, or at least
// a verification of the checking code, has to live outside the process.
void _declspec(naked) HSCRC1_Hook(){
    _asm{
        cmp ecx,[HS_Memory_Start]
        jb Ending_HSCRC1
        cmp ecx,[HS_Memory_End]
        ja Ending_HSCRC1
        sub ecx,[HS_Memory_Start]
        add ecx,[HS_Memory]
Ending_HSCRC1:
        mov dl,[ecx]
        xor eax,edx
        mov ecx,[ebp+0x10]
        jmp dword ptr [HSCRC1_Ret]
    }
}

// Same redirection for the second checksum loop, keyed on ebx. `add al,[ebx]`
// is the displaced accumulate; the `pop ebx` / `push edx` / `mov dh,-0x78`
// tail is presumably the rest of what the jump overwrote.
void _declspec(naked) HSCRC2_Hook(){
    _asm{
        cmp ebx,[HS_Memory_Start]
        jb Ending_HSCRC2
        cmp ebx,[HS_Memory_End]
        ja Ending_HSCRC2
        sub ebx,[HS_Memory_Start]
        add ebx,[HS_Memory]
Ending_HSCRC2:
        add al,[ebx]
        pop ebx
        push edx
        mov dh,-0x78
        jmp dword ptr [HSCRC2_Ret]
    }
}

// Third site, keyed on edx. Only when edx lies within 0x100 of either of the
// two hooked sites (module-relative 0x902A2 / 0x35DBB9) is the dword at
// [esp+0x04] — the original top of stack once edx has been pushed — replaced
// with the matching dword from the saved copy; everywhere else it is left
// alone. edx is preserved via push/pop. HSCRC3_Ret is assigned by hand
// (EHSvc + 0x24FAD3) rather than by WriteJumpAtModule. Flags are clobbered.
void _declspec(naked) HSCRC3_Hook(){
    _asm{
        cmp edx,[HS_Memory_Start]
        jb Ending_HSCRC3
        cmp edx,[HS_Memory_End]
        ja Ending_HSCRC3
        push edx
        sub edx,[HS_Memory_Start]
        cmp edx,0x902A2 - 0x100
        jb Ending_HSCRC3_2
        cmp edx,0x35DBB9 + 0x100
        ja Ending_HSCRC3_2
        cmp edx,0x902A2 + 0x100
        jb Ending_HSCRC3_1
        cmp edx,0x35DBB9 - 0x100
        ja Ending_HSCRC3_1
        jmp Ending_HSCRC3_2
Ending_HSCRC3_1:
        add edx,[HS_Memory]
        mov edx,[edx]
        mov dword ptr [esp+0x04],edx
Ending_HSCRC3_2:
        pop edx
Ending_HSCRC3:
        jmp dword ptr [HSCRC3_Ret]
    }
}

// Fourth site, keyed on esi, in front of a `repe movsd` block copy into the
// frame buffer at ebp-0x1228; esi is saved and restored around the copy.
// BUG/inconsistency: it reads Memory_Start, Memory_End and Memory, which are
// not declared anywhere on the page — the other hooks use HS_Memory_Start,
// HS_Memory_End and HS_Memory.
void _declspec(naked) HSCRC4_Hook(){
    _asm{
        push esi
        cmp esi,[Memory_Start]
        jb Ending_
        cmp esi,[Memory_End]
        ja Ending_
        sub esi,[Memory_Start]
        add esi,[Memory]
Ending_:
        lea edi,[ebp-0x1228]
        repe movsd
        pop esi
        jmp dword ptr [HSCRC4_Ret]
    }
}

// Rewrites three entries, 8 bytes apart, of the table at dwHSCRC5_Table.
// Each entry appears to be a pointer XOR-masked with the dword at +0x18: it
// is unmasked, rebased from the live module into the saved copy, and
// re-masked. Assumes HS_Memory and HS_Memory_Start were already set by
// CreateMemoryDump and that the table page is writable.
void HSCRC5_TableHack(DWORD dwHSCRC5_Table){
    int i;
    for(i=0; i<3; i++){
        *(DWORD *)(dwHSCRC5_Table + i*8) = ((*(DWORD *)(dwHSCRC5_Table + i*8)^*(DWORD *)(dwHSCRC5_Table + 0x18)) - HS_Memory_Start + HS_Memory)^(*(DWORD *)(dwHSCRC5_Table + 0x18));
    }
}

// Applies the v5.6.34.449 patch set. The Air::* helpers are not on the page.
// Every offset is a module-relative constant for this one build; nothing
// verifies the version or the bytes being overwritten, so running it against
// any other build corrupts unrelated code. The wait loop has no timeout.
// HSCRC3 uses the three-argument WriteJumpAtModule overload, so its return
// address is set by hand on the next line. Per the trailing comments, the
// WriteCodeAtModule calls stub out the scanner and breakpoint-detection
// routines and the memory-protection check.
void HackShieldBypass(){

    while(!GetModuleHandleA("EHSvc.dll")){
        Sleep(100);
    }

    DWORD EHSvc = (DWORD)GetModuleHandleA("EHSvc.dll");

    Air::CreateMemoryDump(&HS_Memory, &HS_Memory_Start, &HS_Memory_End, "EHSvc.dll");

    Air::WriteJumpAtModule("EHSvc.dll", 0x902A2, (DWORD)HSCRC1_Hook, &HSCRC1_Ret, 2);//HSCRC1
    Air::WriteJumpAtModule("EHSvc.dll", 0x35DBB9, (DWORD)HSCRC2_Hook, &HSCRC2_Ret, 1);//HSCRC2
    Air::WriteJumpAtModule("EHSvc.dll", 0x2578AE, (DWORD)HSCRC3_Hook);//HSCRC3
    HSCRC3_Ret = EHSvc + 0x24FAD3;
    Air::WriteJumpAtModule("EHSvc.dll", 0x38A37, (DWORD)HSCRC4_Hook, &HSCRC4_Ret, 3);//HSCRC4
    HSCRC5_TableHack(EHSvc + 0x153040);
    Air::WriteCodeAtModule("EHSvc.dll", 0x4DB20, "31 C0 C2 04 00");//Process Scanner
    Air::WriteCodeAtModule("EHSvc.dll", 0x548F0, "31 C0 C2 04 00");//Module Scanner
    Air::WriteCodeAtModule("EHSvc.dll", 0x10AE0, "31 C0 C3");//HardwareBreakPoint Detection(Main)
    Air::WriteCodeAtModule("EHSvc.dll", 0xF240, "31 C0 C3");//HardwareBreakPoint Detection2
    Air::WriteCodeAtModule("EHSvc.dll", 0xF430, "31 C0 C3");//HardwareBreakPoint Detection3
    Air::WriteCodeAtModule("EHSvc.dll", 0xFBC0, "31 C0 C2 18 00");//HardwareBreakPoint Detection4
    Air::WriteCodeAtModule("EHSvc.dll", 0x6DCB0, "31 C0 C3");//SoftwareBreakPoint Detection
    Air::WriteCodeAtModule("EHSvc.dll", 0xCA642, "B8 00 00 00 00");//Memory Protection

}

//v5.7.6.502
// Redeclares the same globals as the v5.6.34.449 listing above: the two
// listings are alternatives for different builds, not one translation unit
// (both also define HSCRC*_Hook and HackShieldBypass).
DWORD HS_Memory, HS_Memory_Start, HS_Memory_End;
DWORD HSCRC1_Ret, HSCRC2_Ret, HSCRC3_Ret, HSCRC4_Ret;

// v5.7.6.502 variant of HSCRC1_Hook; identical to the v5.6 one: a byte
// pointer (ecx) inside [HS_Memory_Start, HS_Memory_End] is rebased into the
// saved copy before the load, then the displaced instructions are replayed
// and execution continues at HSCRC1_Ret. Flags are clobbered.
void _declspec(naked) HSCRC1_Hook(){
    _asm{
        cmp ecx,[HS_Memory_Start]
        jb Ending_HSCRC1
        cmp ecx,[HS_Memory_End]
        ja Ending_HSCRC1
        sub ecx,[HS_Memory_Start]
        add ecx,[HS_Memory]
Ending_HSCRC1:
        mov dl,[ecx]
        xor eax,edx
        mov ecx,[ebp+0x10]
        jmp dword ptr [HSCRC1_Ret]
    }
}

// v5.7.6.502 variant of HSCRC2_Hook, keyed on ebx. Differs from v5.6 only in
// the displaced tail: `mov ebx,[esp]` instead of pop/push/mov dh.
void _declspec(naked) HSCRC2_Hook(){
    _asm{
        cmp ebx,[HS_Memory_Start]
        jb Ending_HSCRC2
        cmp ebx,[HS_Memory_End]
        ja Ending_HSCRC2
        sub ebx,[HS_Memory_Start]
        add ebx,[HS_Memory]
Ending_HSCRC2:
        add al,[ebx]
        mov ebx,[esp]
        jmp dword ptr [HSCRC2_Ret]
    }
}

// v5.7.6.502 variant of HSCRC3_Hook. Same logic as v5.6 with the two hook
// sites moved to module-relative 0x92812 / 0x360040: only when edx lies
// within 0x100 of either site is the dword at [esp+0x04] (the original top
// of stack after the push) replaced with the dword from the saved copy.
// edx is preserved; flags are clobbered; HSCRC3_Ret is set by hand.
void _declspec(naked) HSCRC3_Hook(){
    _asm{
        cmp edx,[HS_Memory_Start]
        jb Ending_HSCRC3
        cmp edx,[HS_Memory_End]
        ja Ending_HSCRC3
        push edx
        sub edx,[HS_Memory_Start]
        cmp edx,0x92812 - 0x100
        jb Ending_HSCRC3_2
        cmp edx,0x360040 + 0x100
        ja Ending_HSCRC3_2
        cmp edx,0x92812 + 0x100
        jb Ending_HSCRC3_1
        cmp edx,0x360040 - 0x100
        ja Ending_HSCRC3_1
        jmp Ending_HSCRC3_2
Ending_HSCRC3_1:
        add edx,[HS_Memory]
        mov edx,[edx]
        mov dword ptr [esp+0x04],edx
Ending_HSCRC3_2:
        pop edx
Ending_HSCRC3:
        jmp dword ptr [HSCRC3_Ret]
    }
}

// v5.7.6.502 variant of HSCRC4_Hook, byte-identical to the v5.6 one. It
// still references Memory_Start / Memory_End / Memory, which are declared
// nowhere on the page (the globals are HS_Memory_Start/End and HS_Memory).
void _declspec(naked) HSCRC4_Hook(){
    _asm{
        push esi
        cmp esi,[Memory_Start]
        jb Ending_
        cmp esi,[Memory_End]
        ja Ending_
        sub esi,[Memory_Start]
        add esi,[Memory]
Ending_:
        lea edi,[ebp-0x1228]
        repe movsd
        pop esi
        jmp dword ptr [HSCRC4_Ret]
    }
}

// v5.7.6.502 variant: four table entries instead of three, and the XOR mask
// now lives at +0x24 instead of +0x18. Otherwise the same unmask / rebase
// into the saved copy / re-mask as the v5.6 routine.
void HSCRC5_TableHack(DWORD dwHSCRC5_Table){
    int i;
    for(i=0; i<4; i++){
        *(DWORD *)(dwHSCRC5_Table + i*8) = ((*(DWORD *)(dwHSCRC5_Table + i*8)^*(DWORD *)(dwHSCRC5_Table + 0x24)) - HS_Memory_Start + HS_Memory)^(*(DWORD *)(dwHSCRC5_Table + 0x24));
    }
}

// Applies the v5.7.6.502 patch set; structure matches the v5.6 routine with
// every offset moved. Note two differences in how the hooks are installed:
// HSCRC2 is written without the trailing pad-count argument, and HSCRC3 is
// placed at 0x26005E+2 with its return address set by hand. The same
// caveats apply: helpers off-page, offsets unverified against the loaded
// build, no wait timeout.
void HackShieldBypass(){

    while(!GetModuleHandleA("EHSvc.dll")){
        Sleep(100);
    }

    DWORD EHSvc = (DWORD)GetModuleHandleA("EHSvc.dll");

    Air::CreateMemoryDump(&HS_Memory, &HS_Memory_Start, &HS_Memory_End, "EHSvc.dll");

    Air::WriteJumpAtModule("EHSvc.dll", 0x92812, (DWORD)HSCRC1_Hook, &HSCRC1_Ret, 2);//HSCRC1
    Air::WriteJumpAtModule("EHSvc.dll", 0x360040, (DWORD)HSCRC2_Hook, &HSCRC2_Ret);//HSCRC2
    Air::WriteJumpAtModule("EHSvc.dll", 0x26005E+2, (DWORD)HSCRC3_Hook);//HSCRC3
    HSCRC3_Ret = EHSvc + 0x2528EB;
    Air::WriteJumpAtModule("EHSvc.dll", 0x39ED7, (DWORD)HSCRC4_Hook, &HSCRC4_Ret, 3);//HSCRC4
    HSCRC5_TableHack(EHSvc + 0x157048);
    Air::WriteCodeAtModule("EHSvc.dll", 0x4F5B0, "31 C0 C2 04 00");//Process Scanner
    Air::WriteCodeAtModule("EHSvc.dll", 0x56380, "31 C0 C2 04 00");//Module Scanner
    Air::WriteCodeAtModule("EHSvc.dll", 0x10E20, "31 C0 C3");//HardwareBreakPoint Detection(Main)
    Air::WriteCodeAtModule("EHSvc.dll", 0xF550, "31 C0 C3");//HardwareBreakPoint Detection2
    Air::WriteCodeAtModule("EHSvc.dll", 0xF740, "31 C0 C3");//HardwareBreakPoint Detection3
    Air::WriteCodeAtModule("EHSvc.dll", 0xFED0, "31 C0 C2 18 00");//HardwareBreakPoint Detection4

    Air::WriteCodeAtModule("EHSvc.dll", 0x70140, "31 C0 C3");//SoftwareBreakPoint Detection
    Air::WriteCodeAtModule("EHSvc.dll", 0xCEB67, "B8 00 00 00 00");//Memory Protection
}
すまん 同じの2つ今書いてた
編集しといたですたい
HackShield Bypass v5.7.20.616
C++:
/*
    HackShield Bypass for v5.7.20.616 JMS v342.1
    by Riremito (AIRRIDE)
*/
#include"HackShield.h"
#include"MapleStory.h"
#include"gui.h"


// Filled in by AirMemory::GetDumpInfo: EHSvc_Start/End bound the live module
// and EHSvc_MemoryDump presumably points at a saved copy of its image.
DWORD EHSvc_MemoryDump, EHSvc_Start, EHSvc_End;

// Continuation addresses for the five static hooks, written by WriteHook.
DWORD HSCRC1_Ret, HSCRC2_Ret, HSCRC3_Ret, HSCRC4_Ret, HSCRC_Client_Ret;

// v5.7.20.616 variant of HSCRC1_Hook: same redirection as the earlier
// versions with the globals renamed. A byte pointer (ecx) inside
// [EHSvc_Start, EHSvc_End] is rebased into the saved copy before the load;
// the displaced instructions are replayed and execution resumes at
// HSCRC1_Ret. Flags are clobbered.
void _declspec(naked) HSCRC1_Hook(){
    _asm{
        cmp ecx,[EHSvc_Start]
        jb Ending_HSCRC1
        cmp ecx,[EHSvc_End]
        ja Ending_HSCRC1
        sub ecx,[EHSvc_Start]
        add ecx,[EHSvc_MemoryDump]
Ending_HSCRC1:
        mov dl,[ecx]
        xor eax,edx
        mov ecx,[ebp+0x10]
        jmp dword ptr [HSCRC1_Ret]
    }
}

// v5.7.20.616 variant of HSCRC2_Hook, keyed on ebx; the displaced tail is
// now `pop ebx` / `push 0x00007827`.
void _declspec(naked) HSCRC2_Hook(){
    _asm{
        cmp ebx,[EHSvc_Start]
        jb Ending_HSCRC2
        cmp ebx,[EHSvc_End]
        ja Ending_HSCRC2
        sub ebx,[EHSvc_Start]
        add ebx,[EHSvc_MemoryDump]
Ending_HSCRC2:
        add al,[ebx]
        pop ebx
        push 0x00007827
        jmp dword ptr [HSCRC2_Ret]
    }
}

// v5.7.20.616 HSCRC3, keyed on edi with a different policy from the earlier
// builds: the pointer is rebased into the saved copy when its module-relative
// offset is below 0x100000, or when it is within 0x10 of the HSCRC2 hook site
// (0x4AAE69); otherwise it is read live. The commented-out block was a third
// window around the HSCRC1 site. eax is preserved; flags are clobbered. The
// tail (`mov edi,[edi]` / `movzx edx,word ptr [edx]`) replays the displaced
// instructions before continuing at HSCRC3_Ret.
void _declspec(naked) HSCRC3_Hook(){
    _asm{
        cmp edi,[EHSvc_Start]
        jb Ending_HSCRC3
        cmp edi,[EHSvc_End]
        ja Ending_HSCRC3
        push eax
        mov eax,edi
        sub eax,[EHSvc_Start]
        cmp eax,0x100000
        jb Ending_HSCRC3_2
        /*cmp eax,0x9C852 - 0x10
        jb Ending_HSCRC3_1
        cmp eax,0x9C852 + 0x10
        jb Ending_HSCRC3_2
        */
        cmp eax,0x4AAE69 - 0x10
        jb Ending_HSCRC3_1
        cmp eax,0x4AAE69 + 0x10
        ja Ending_HSCRC3_1
Ending_HSCRC3_2:
        sub edi,[EHSvc_Start]
        add edi,[EHSvc_MemoryDump]
Ending_HSCRC3_1:
        pop eax
Ending_HSCRC3:
        mov edi,[edi]
        movzx edx,word ptr [edx]
        jmp dword ptr [HSCRC3_Ret]
    }
}

// v5.7.20.616 HSCRC4: same rebase policy as HSCRC3_Hook above (offset below
// 0x100000, or within 0x10 of 0x4AAE69), keyed on esi. The tail
// (`mov esi,[esi]` / `add [edi],esi` / `pushfd`) replays the displaced
// instructions — note the original code saves flags right after the add, so
// the hook's own compares must not precede it without the restore the
// epilogue provides; confirm against the target.
void _declspec(naked) HSCRC4_Hook(){
    _asm{
        cmp esi,[EHSvc_Start]
        jb Ending_HSCRC4
        cmp esi,[EHSvc_End]
        ja Ending_HSCRC4
        push eax
        mov eax,esi
        sub eax,[EHSvc_Start]
        cmp eax,0x100000
        jb Ending_HSCRC4_2
        /*
        cmp eax,0x9C852 - 0x10
        jb Ending_HSCRC4_1
        cmp eax,0x9C852 + 0x10
        jb Ending_HSCRC4_2
        */
        cmp eax,0x4AAE69 - 0x10
        jb Ending_HSCRC4_1
        cmp eax,0x4AAE69 + 0x10
        ja Ending_HSCRC4_1
Ending_HSCRC4_2:
        sub esi,[EHSvc_Start]
        add esi,[EHSvc_MemoryDump]
Ending_HSCRC4_1:
        pop eax
Ending_HSCRC4:
        mov esi,[esi]
        add [edi],esi
        pushfd
        jmp dword ptr [HSCRC4_Ret]
    }
}


// Same shape as the earlier HSCRC4_Hook (rebase esi, then `repe movsd` into
// the frame buffer at ebp-0x1228). BUG/inconsistency carried over from the
// older listings: it reads Memory_Start / Memory_End / Memory, which are not
// declared anywhere on this page — this file's globals are EHSvc_Start,
// EHSvc_End and EHSvc_MemoryDump.
void _declspec(naked) HSCRC_Client_Hook(){
    _asm{
        push esi
        cmp esi,[Memory_Start]
        jb Ending_
        cmp esi,[Memory_End]
        ja Ending_
        sub esi,[Memory_Start]
        add esi,[Memory]
Ending_:
        lea edi,[ebp-0x1228]
        repe movsd
        pop esi
        jmp dword ptr [HSCRC_Client_Ret]
    }
}

// Called (not jumped to) from the `call` that Hidden_Call_Hook writes at
// +0x186 of a recognised code buffer. Loads one byte through ecx — rebased
// into the saved copy when it lies inside the module — into bl and XORs it
// into edx, preserving eax; `ret` returns into the patched buffer.
void _declspec(naked) HSCRC_Dynamic1_Hook(){
    _asm{
        //+0x186
        xor ebx,ebx
        push eax
        mov eax,ecx
        cmp eax,[EHSvc_Start]
        jb HDH1_End
        cmp eax,[EHSvc_End]
        ja HDH1_End
        sub eax,[EHSvc_Start]
        add eax,[EHSvc_MemoryDump]
HDH1_End:
        mov bl,[eax]
        pop eax
        xor edx,ebx
        ret
    }
}

// Called from the `call` Hidden_Call_Hook writes at +0x15A of the second
// recognised buffer. Loads the byte at eax (rebased into the saved copy when
// inside the module) into dl and adds edx to the caller's local at
// [ebp-0x28]; ecx is preserved. Relies on the upper bytes of edx already
// being what the caller expects — only dl is written here.
void _declspec(naked) HSCRC_Dynamic2_Hook(){
    _asm{
        //+0x15A
        push ecx
        mov ecx,eax
        cmp ecx,[EHSvc_Start]
        jb HDH2_End
        cmp ecx,[EHSvc_End]
        ja HDH2_End
        sub ecx,[EHSvc_Start]
        add ecx,[EHSvc_MemoryDump]
HDH2_End:
        mov dl,[ecx]
        pop ecx
        add [ebp-0x28],edx
        ret
    }
}

// First of the two calls Hidden_Call_Hook writes into the third recognised
// buffer. NOTE(review): the `//+0x15A` marker below is stale — Hidden_Call_Hook
// installs this hook at +0x169. Same byte load as HSCRC_Dynamic2_Hook, but
// the result is added to the caller's local at [ebp-0x24].
void _declspec(naked) HSCRC_Dynamic3_Hook(){
    _asm{
        //+0x15A
        push ecx
        mov ecx,eax
        cmp ecx,[EHSvc_Start]
        jb HDH3_End
        cmp ecx,[EHSvc_End]
        ja HDH3_End
        sub ecx,[EHSvc_Start]
        add ecx,[EHSvc_MemoryDump]
HDH3_End:
        mov dl,[ecx]
        pop ecx
        add dword ptr [ebp-0x24],edx
        ret
    }
}

// Second call in the third recognised buffer (installed at +0x176 by
// Hidden_Call_Hook). Same byte load as HSCRC_Dynamic3_Hook, but the result
// is XORed into [ebp-0x24] instead of added.
void _declspec(naked) HSCRC_Dynamic4_Hook(){
    _asm{
        push ecx
        mov ecx,eax
        cmp ecx,[EHSvc_Start]
        jb HDH4_End
        cmp ecx,[EHSvc_End]
        ja HDH4_End
        sub ecx,[EHSvc_Start]
        add ecx,[EHSvc_MemoryDump]
HDH4_End:
        mov dl,[ecx]
        pop ecx
        xor dword ptr [ebp-0x24],edx
        ret
    }
}


// Installed by the AobScan loop in HackShieldBypass over every
// `pop eax; popfd; ret 0` (58 9D C2 00 00) epilogue found in EHSvc. It replays
// the displaced pop/popfd, then takes [esp+0x04] — the caller's first
// argument, presumably a buffer of freshly generated checksum code (the page
// labels this "HSCRC5_Dynamic") — and fingerprints it by a dword at +0x33,
// +0x3F or +0x32. For each recognised variant it overwrites the byte-load
// inside that buffer with a `call` (E8 + rel32) to the matching
// HSCRC_Dynamic*_Hook, computing rel32 as hook - (buffer + site + 5); the
// first variant also NOPs one trailing byte. The commented-out blocks are an
// earlier short-jump approach. The labels Justin/Bieber/Taylor are only the
// author's names for the three variants. An unrecognised buffer falls
// straight through to the original `ret 0`. The buffer must be writable
// here; nothing checks that it is.
void _declspec(naked) Hidden_Call_Hook(){
    _asm{
        pop eax
        popfd
        push eax
        mov eax,[esp+0x04]
        cmp dword ptr [eax+0x33],0x0FFFFFFF
        je Justin
        cmp dword ptr [eax+0x3F],0xF88B0A74
        je Bieber
        cmp dword ptr [eax+0x32],0x83AB3FD1
        je Taylor
        jmp HCH_Ending
Justin:
        /*
        mov byte ptr [eax+0x60],0xEB//short jmp
        mov byte ptr [eax+0x88],0xEB//short jmp
        mov byte ptr [eax+0xB0],0xEB//short jmp
        mov byte ptr [eax+0xD8],0xEB//short jmp
        mov byte ptr [eax+0x100],0xEB//short jmp
        mov word ptr [eax+0x135],0x9090//nop
        mov byte ptr [eax+0x139],0xEB//short jmp
        */
        mov byte ptr [eax+0x186],0xE8//call
        push ebx
        mov ebx,HSCRC_Dynamic1_Hook
        mov dword ptr [eax+0x187],ebx
        pop ebx
        sub dword ptr [eax+0x187],eax
        sub dword ptr [eax+0x187],0x186
        sub dword ptr [eax+0x187],0x05
        mov byte ptr [eax+0x18B],0x90
        jmp HCH_Ending
Bieber:
        /*
        mov byte ptr [eax+0x55],0xEB//short jmp
        mov byte ptr [eax+0x7C],0xEB//short jmp
        mov byte ptr [eax+0xA4],0xEB//short jmp
        mov byte ptr [eax+0xCC],0xEB//short jmp
        mov byte ptr [eax+0xF3],0xEB//short jmp
        mov word ptr [eax+0x120],0x9090//nop
        mov byte ptr [eax+0x125],0xEB//short jmp
        */
        mov byte ptr [eax+0x15A],0xE8//call
        push ebx
        mov ebx,HSCRC_Dynamic2_Hook
        mov dword ptr [eax+0x15B],ebx
        pop ebx
        sub dword ptr [eax+0x15B],eax
        sub dword ptr [eax+0x15B],0x15A
        sub dword ptr [eax+0x15B],0x05
        jmp HCH_Ending
Taylor:
        mov byte ptr [eax+0x169],0xE8//call
        push ebx
        mov ebx,HSCRC_Dynamic3_Hook
        mov dword ptr [eax+0x16A],ebx
        pop ebx
        sub dword ptr [eax+0x16A],eax
        sub dword ptr [eax+0x16A],0x169
        sub dword ptr [eax+0x16A],0x05
        mov byte ptr [eax+0x176],0xE8//call
        push ebx
        mov ebx,HSCRC_Dynamic4_Hook
        mov dword ptr [eax+0x177],ebx
        pop ebx
        sub dword ptr [eax+0x177],eax
        sub dword ptr [eax+0x177],0x176
        sub dword ptr [eax+0x177],0x05
        jmp HCH_Ending
HCH_Ending:
        pop eax
        ret 0x0000
    }
}


// v5.7.20.616 patch set. Loads the module itself from the relative path
// "HShield/EHSvc.dll" (so it depends on the working directory), then installs
// the five static hooks, the AobScan-driven Hidden_Call_Hook, and the stub
// patches. AW, EDIT_LOG, AirMemory and JMP are not on the page. The AobScan
// loop only terminates because WriteHook changes the scanned bytes; if a
// WriteHook fails to alter them the loop never ends. `%d` is used to print
// HMODULE/DWORD values, which is only correct in a 32-bit build (`%p` is the
// portable choice). As with the earlier versions every offset is tied to this
// one build and nothing verifies it against the loaded image.
void HackShieldBypass(){
    char TargetLibFileName[] = "HShield/EHSvc.dll";
    HMODULE hDLL = LoadLibraryA(TargetLibFileName);

    if(hDLL){
        // log: "<name> was loaded at <address>"
        AW.AddFormatString(EDIT_LOG, "%sは%dに読み込まれました\r\n", TargetLibFileName, hDLL);
    }
    else{
        // log: "failed to load <name>"
        AW.AddFormatString(EDIT_LOG, "%sの読み込みに失敗しました\r\n", TargetLibFileName);
        return;
    }

    AirMemory EHSvc;

    EHSvc.Init("EHSvc.dll");
    EHSvc.CreateMemoryDump();
    EHSvc.GetDumpInfo(&EHSvc_Start, &EHSvc_End, &EHSvc_MemoryDump);
    // log: "memory dump created at <address>"
    AW.AddFormatString(EDIT_LOG, "メモリダンプを%dに生成しました\r\n", EHSvc_MemoryDump);

    EHSvc.WriteHook(0x9C852, JMP, HSCRC1_Hook, &HSCRC1_Ret, 2);//HSCRC1
    EHSvc.WriteHook(0x4AAE69, JMP, HSCRC2_Hook, &HSCRC2_Ret, 3);//HSCRC2

    EHSvc.WriteHook(0x26F0C7, JMP, HSCRC3_Hook, &HSCRC3_Ret);//HSCRC3
    EHSvc.WriteHook(0x36FB0C, JMP, HSCRC4_Hook, &HSCRC4_Ret);//HSCRC4
    EHSvc.MemoryWriter(0x31FE71, "39 C0");//HSCRC5

    EHSvc.WriteHook(0x41617, JMP, HSCRC_Client_Hook, &HSCRC_Client_Ret, 3);//HSCRC_Client

    //HSCRC5_Dynamic
    // Hook every remaining `58 9D C2 00 00` epilogue; each WriteHook overwrites
    // the pattern, which is what makes the next AobScan advance.
    DWORD HiddenCall;
    do{
        HiddenCall = EHSvc.AobScan("58 9D C2 00 00");
        if(HiddenCall){
            EHSvc.WriteHook(HiddenCall, JMP, Hidden_Call_Hook);
        }
    }while(HiddenCall);


    EHSvc.MemoryWriter(0x579B0, "31 C0 C2 04 00");//Process Scanner
    EHSvc.MemoryWriter(0x5E670, "31 C0 C2 04 00");//Module Scanner

    EHSvc.MemoryWriter(0x11C00, "31 C0 C3");//HardwareBreakPoint Detection(Main)
    EHSvc.MemoryWriter(0x101C0, "31 C0 C3");//HardwareBreakPoint Detection2
    EHSvc.MemoryWriter(0x103B0, "31 C0 C3");//HardwareBreakPoint Detection3
    EHSvc.MemoryWriter(0x10B70, "31 C0 C2 18 00");//HardwareBreakPoint Detection4

    EHSvc.MemoryWriter(0x788F0, "31 C0 C3");//SoftwareBreakPoint Detection

    EHSvc.MemoryWriter(0xDBF9D, "B8 00 00 00 00");//Memory Protection

    // log: "HackShield bypass code has been written"
    AW.AddString(EDIT_LOG, "HackShield 回避コードを書き込みました\r\n");
}