i kinda need help on the bypass...


i kinda need help on the bypass...

Post by fishstick117 »

//-----------------------------------------Start HACKSHIELD BYPASS--------------------------------------------
/* Hard-coded client addresses for one specific build ("24-11"). They will not
 * match any other build and have to be re-found per version. HS_JMP is the
 * address the hardware breakpoint armed in InitContextHook() is placed on;
 * HS_JMP2 is where HookCommunication() resumes execution afterwards. It is
 * 7 bytes below HS_JMP -- NOTE(review): the listing does not explain why, so
 * verify it against the client before relying on it. */
#define HS_JMP 0x4A7372 //As of 24-11 (This Value is also known as the Back addy)
#define HS_JMP2 0x4A736B //As of 24-11

/* Function-pointer types for the routines this code interposes on. Parameter
 * meanings are inferred from the names only; nothing in the listing confirms
 * them. HS_GetProcAddress_t is declared but never used below. */
typedef int (__cdecl *HS_GetProcAddress_t)( int hModule, int a2 );
typedef int (__stdcall *HackshieldComm_t )( int, void*, void* );
typedef signed int (__stdcall *KickProc_t)( int a1, int a2, int a3 );

/* Saved originals. pHackshieldComm is filled in by HookCommunication() when
 * the breakpoint fires; pKickProc by new_HackshieldComm() on command code 4.
 * pHS_GetProcAddress is never assigned or read in this listing. None of these
 * globals is protected against concurrent access from other threads. */
HS_GetProcAddress_t pHS_GetProcAddress = NULL;
HackshieldComm_t pHackshieldComm = NULL;
KickProc_t pKickProc = NULL;

/* Replacement for the routine pulled out of the command-4 payload in
 * new_HackshieldComm(). It ignores every argument and always reports 1, so
 * the original routine is never reached. What a1..a3 mean is not known from
 * this listing; the stdcall signature must match the original exactly so the
 * caller's stack cleanup stays correct. */
signed int __stdcall new_KickProc( int a1, int a2, int a3 )
{
    (void)a1;
    (void)a2;
    (void)a3;

    return 1;
}

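/* Interposer placed over the HackShield communication routine captured by
 * HookCommunication(). Command codes 4, 5 and 13 are still forwarded to the
 * original, but their real result is discarded and 1 is returned instead;
 * every other code is passed straight through with its real result. The
 * original only labels the three codes "kill"; their meaning is not
 * documented here.
 *
 * For code 4, Param1 is assumed to point at a KickProc_t slot: the existing
 * pointer is saved in pKickProc and the slot is overwritten with new_KickProc
 * before forwarding, so the callee receives the replacement.
 * NOTE(review): that layout is an assumption -- if Param1 is not a
 * function-pointer slot for code 4 this write corrupts whatever it is.
 *
 * Changes from the original: the unused `iReturn` local in the suppressed
 * branch is gone, a NULL Param1 on code 4 is skipped instead of faulting
 * inside the hook, and a NULL pHackshieldComm is not called through.
 *
 * hsCommCode  command code from the caller
 * Param1      opaque; for code 4, assumed to hold a KickProc_t
 * Param2      opaque, forwarded unchanged
 * Returns the original routine's result, or 1 for codes 4/5/13.
 */
int __stdcall new_HackshieldComm( int hsCommCode, void *Param1, void *Param2 )
{
    const int suppress = (hsCommCode == 4 || hsCommCode == 5 || hsCommCode == 13);

    /* Code 4 carries the kick procedure pointer; swap it before forwarding. */
    if( hsCommCode == 4 && Param1 != NULL )
    {
        DWORD *dwParam1 = (DWORD *)Param1;

        pKickProc = (KickProc_t)*dwParam1;
        *dwParam1 = (DWORD)new_KickProc;
    }

    /* pHackshieldComm is set by HookCommunication() before this hook can be
     * reached; it is still checked so a stray call does not jump through NULL. */
    int iReturn = 0;
    if( pHackshieldComm != NULL )
    {
        iReturn = pHackshieldComm( hsCommCode, Param1, Param2 );
    }

    /* Suppressed codes always report 1, whatever the real result was. */
    return suppress ? 1 : iReturn;
}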

/* Called from the vectored exception handler when the hardware breakpoint on
 * HS_JMP fires. It reads the second stack argument of the interrupted frame
 * ([ebp+0xC]); when that equals 0xA (the original author's comment guesses
 * "the ordinal of some export") the value in EAX at that moment is taken to
 * be the HackShield communication routine: it is saved in pHackshieldComm and
 * EAX is redirected to new_HackshieldComm. Whether or not the value matched,
 * execution is resumed at HS_JMP2.
 *
 * x86-32 only: it reads Ebp/Eax/Eip from CONTEXT and hard-codes the frame
 * layout. The frame read is unchecked, exactly as in the original asm.
 * pExceptionInfo  exception record and thread context supplied by the OS
 */
void HookCommunication( EXCEPTION_POINTERS* pExceptionInfo )
{
    CONTEXT *ctx = pExceptionInfo->ContextRecord;

    /* The original fetched [ebp+0xC] with an inline-asm push/mov/pop
     * sequence; a plain dword read at that address is the same access. */
    DWORD secondArg = *(DWORD *)(ctx->Ebp + 0xC);

    if( secondArg == 0xA )
    {
        pHackshieldComm = (HackshieldComm_t)ctx->Eax;
        ctx->Eax = (DWORD)new_HackshieldComm;
    }

    ctx->Eip = HS_JMP2;
}

/* Handle returned by AddVectoredExceptionHandler() in InitContextHook(). Kept
 * so the handler could be removed again with RemoveVectoredExceptionHandler(),
 * although nothing in this listing ever does so. */
PVOID pContextHandler = NULL;

/* Vectored exception handler. Only a single-step exception (what an execute
 * hardware breakpoint raises on x86) whose faulting address is exactly HS_JMP
 * is handled: it is routed to HookCommunication() and the thread continues
 * from the patched context. Anything else is passed to the next handler.
 *
 * NOTE(review): the "***" prefix in the function name looks like forum
 * censoring of the real identifier; as shown it is not valid C. It is kept
 * unchanged here because InitContextHook() refers to it by this name.
 *
 * pExceptionInfo  exception record and thread context supplied by the OS
 * Returns EXCEPTION_CONTINUE_EXECUTION after handling, else EXCEPTION_CONTINUE_SEARCH.
 */
LONG WINAPI ***ExceptionHandler( EXCEPTION_POINTERS* pExceptionInfo )
{
    const EXCEPTION_RECORD *rec = pExceptionInfo->ExceptionRecord;
    const int isOurBreakpoint = rec->ExceptionCode == EXCEPTION_SINGLE_STEP
                             && rec->ExceptionAddress == (PVOID)HS_JMP;

    if( !isOurBreakpoint )
    {
        return EXCEPTION_CONTINUE_SEARCH;
    }

    HookCommunication( pExceptionInfo );
    return EXCEPTION_CONTINUE_EXECUTION;
}

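/* Installs the vectored exception handler and arms a hardware execute
 * breakpoint on HS_JMP in the calling thread. Debug registers are per-thread,
 * so other threads that reach HS_JMP are not intercepted.
 *
 * Fixes over the original: every API result is checked, and the breakpoint
 * is only armed when the handler was actually installed -- arming it with no
 * handler would turn the first hit into an unhandled single-step exception.
 * CONTEXT is zero-initialised so no uninitialised bytes reach SetThreadContext.
 *
 * The first argument of AddVectoredExceptionHandler is a "call first" flag
 * (non-zero = first); the original passed 0x50BE17, which only means
 * "non-zero", so the documented value 1 is used here.
 *
 * Dr7 as written enables local breakpoints L0..L3 (bits 0, 2, 4, 6) with
 * RW/LEN = 0, i.e. 1-byte execute breakpoints. Only Dr0 is given an address;
 * NOTE(review): enabling L1..L3 on whatever Dr1..Dr3 already hold (typically
 * 0) looks unintended, but the mask is kept exactly as the original had it.
 */
void InitContextHook()
{
    pContextHandler = AddVectoredExceptionHandler( 1, ***ExceptionHandler );
    if( pContextHandler == NULL )
    {
        return; /* no handler: do not arm a breakpoint nobody will catch */
    }

    CONTEXT Context = {0};
    Context.ContextFlags = CONTEXT_DEBUG_REGISTERS;
    if( !GetThreadContext( GetCurrentThread(), &Context ) )
    {
        RemoveVectoredExceptionHandler( pContextHandler );
        pContextHandler = NULL;
        return;
    }

    Context.Dr0 = HS_JMP;
    Context.Dr7 = (1<<0)|(1<<2)|(1<<4)|(1<<6);
    if( !SetThreadContext( GetCurrentThread(), &Context ) )
    {
        /* Breakpoint not armed; leaving the handler installed is harmless
         * but misleading, so tear it down to leave a consistent state. */
        RemoveVectoredExceptionHandler( pContextHandler );
        pContextHandler = NULL;
    }
}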
//-----------------------------------------END HACKSHIELD BYPASS--------------------------------------------
Just to try: do you think this will work? I left some values out, so if anyone can help me fill them in, please do.
To be clear, this is meant to get past HackShield — to block it, or as you guys say, bypass it.

Re: i kinda need help on the bypass...

Post by Nerrazzuri »

Did you write that yourself? Also, if I'm not mistaken, HackShield's check goes through OpenProcess rather than a hard-coded address.


// Cheat Engine Auto Assembler script (gMS build). Two hooks:
//  - mscrc: intercepts the client's own CRC byte-read so it reads from a
//    pristine dump of the code range instead of the (patched) live image.
//  - hscrc: intercepts OpenProcess so that opening the current process by its
//    own PID fails. The thread says HackShield "uses OpenProcess"; nothing in
//    the script itself confirms what the caller is.
// All addresses are for one specific client build and must be re-found.
// Numbers in CE Auto Assembler are hexadecimal unless prefixed otherwise.
[enable]
alloc(mscrc,100)
alloc(hscrc,100)
// 8856834 (decimal, CE accepts it here) = 0x872502 = 00C73502 - 00401000:
// exactly the range the mscrc hook redirects, so the dump must be a flat
// image of that range starting at 00401000.
alloc(dump,8856834)
// 85.CEM: dump file shipped alongside the script; it must match the build.
loadbinary(dump,85.CEM)
label(exitmscrc)
label(mscrcret)
label(hscrcret)

// CRC hook body. ecx = address about to be read. If it lies in the code
// range it is translated to the same offset inside dump.
// NOTE(review): `jg` lets ecx == 00C73502 through, which maps to offset
// 0x872502 -- one byte past the end of dump (its last offset is 0x872501);
// `jge` would bound it. cmp/jl/jg are signed compares, which is fine for
// user-space addresses below 80000000.
mscrc:
cmp ecx,00401000
jl exitmscrc
cmp ecx,00C73502
jg exitmscrc
sub ecx,00401000
push eax
lea eax,[dump]
add ecx,eax
pop eax
exitmscrc:
// Re-execute the two instructions overwritten at 00A4341C (see [disable]).
movzx ecx,byte ptr [ecx]
mov edx,[ebp+14]
jmp mscrcret 

// OpenProcess hook. On x86 Windows fs:[20] is the current PID
// (TEB.ClientId.UniqueProcess) and [esp+0c] is OpenProcess's third argument,
// dwProcessId. If the caller is opening its own process: set last-error
// (fs:[34], TEB.LastErrorValue) to 57h = 87 = ERROR_INVALID_PARAMETER,
// return NULL in eax, and pop the three stdcall arguments.
hscrc:
mov eax,fs:[20]
cmp eax,[esp+0c]
jne hscrcret
mov fs:[34],57
xor eax,eax
ret 000c

// Any other PID: run the displaced 5-byte hot-patch prologue and continue in
// the original function just past it.
hscrcret:
mov edi,edi
push ebp
mov ebp,esp
jmp OpenProcess+5

// Patch site inside the CRC loop: 5-byte jmp plus one nop over the original
// 6-byte sequence (movzx ecx,byte ptr [ecx] ; mov edx,[ebp+14]).
00A4341C:
jmp mscrc
db 90
mscrcret:

// Patch site at OpenProcess entry (mov edi,edi / push ebp / mov ebp,esp).
OpenProcess:
jmp hscrc

[disable]
// Restore original bytes: movzx ecx,byte ptr [ecx] ; mov edx,[ebp+14]
00A4341C:
db 0F B6 09 8B 55 14 
// Restore original bytes: mov edi,edi ; push ebp ; mov ebp,esp
OpenProcess:
db 8B FF 55 8B EC

dealloc(mscrc)
dealloc(hscrc)
 dealloc(dump)
This is the MapleStory HackShield CRC bypass for gMS (Global MapleStory).

Re: i kinda need help on the bypass...

Post by fishstick117 »

Oh, I thought I could adapt it and use it on MSEA. I didn't write all of it myself — I took about half and wrote the other half.

Re: i kinda need help on the bypass...

Post by Nerrazzuri »

I don't understand which values you left out — please make that clear.