Universal HS bypass (CE/hack tool/hs driver bypass) for all

[Angelique]

Bypass nowadays keep detected easily.

[guyz92]

Works for me.

Check the hook for IsWow64Process, OpenProcess, GetNativeSystemInfo, CreateFileA

misuse 64bit WOW64 mode.
=X

Once anti cheat company got a signed WHQL kernel driver, detecting hack on 64bit will be another problem for us.

[Nerrazzuri]

Picture shows a million words.

NotWorking01.png

Edit: Now it works for me, BUT CRC scripts and debuggers WON`T work. The MSCRC won`t work AT ALL. Sigh~
The bad side of the bypass: I can only use softkeyboard to login. Keyboard is locked on login page and 2nd password enter page.
MSCRC: (CE Auto-Assemble code)

Code: Select all

//MSCRC Bypass
//This script is dynamic, no nid update except if AoB changed.
//Original by Nimo
[Enable]
//MS CRC Bypass 
//CE Assembly Script by nimo1993.
//If you can't execute this script, please press "Memory view"->"View". Check whether "Kernelmode symbols" item is checked.
Alloc(CRCBypass,512)
Alloc(FakeDump,8376320)
Label(MSCRCBypass)
Label(Normal)
Label(MSmemcpy)
Label(SearchAOB)
Label(StartHook)
Label(Title)
Label(FailureMsg)
Label(SuccessMsg)
Label(BackToMSCRC)
RegisterSymbol(MSCRCBypass)
RegisterSymbol(FakeDump)

CreateThread(MSmemcpy)

CRCBypass:
MSCRCBypass:
push eax
lea eax, [ecx]
cmp eax, 00401000
jb Normal
cmp eax, 00D00000
ja Normal
push ebx
mov ebx, FakeDump
sub eax, 00401000
add eax, ebx
movzx ecx, byte ptr [eax]
pop ebx
pop eax
jmp Normal+04

Normal:
pop eax
movzx ecx, byte ptr [ecx]
mov edx, [ebp+14]
jmp [BackToMSCRC]



MSmemcpy:
//Copy Memory
mov edi, FakeDump
mov esi, 00401000
mov ecx, 001FF400
repe movsd

mov eax, 00401000
SearchAOB:
cmp [eax], 8B09B60F
je StartHook
inc eax
cmp eax, 00D00000
jle SearchAOB
push 10 //MB_ICONERROR
push Title
push FailureMsg
push 00
call MessageBoxA
ret
StartHook:
lea ebx, [eax+05] //The Target Address - The Next Address
sub ebx, MSCRCBypass
neg ebx
mov byte ptr [eax], e9 //jmp
mov [eax+01], ebx //Target AOB
mov byte ptr [eax+05], 90 //nop
add eax, 6
mov [BackToMSCRC], eax //Return to the address+6
push 40 //MB_ICONINFORMATION
push Title
push SuccessMsg
push 00
call MessageBoxA
ret

Title:
db 'MS-CRC-Bypass' 00
FailureMsg:
db Anti-MS-CRC-Check Fail!' 00
SuccessMsg:
db 'Anti-MS-CRC-Check Init Successfully!' 00
BackToMSCRC:
dd 0
[Disable] 

Works perfectly fine for me, my MSCRC works good.

Works for me.

Check the hook for IsWow64Process, OpenProcess, GetNativeSystemInfo, CreateFileA

misuse 64bit WOW64 mode.
=X

Once anti cheat company got a signed WHQL kernel driver, detecting hack on 64bit will be another problem for us.

My HSCRC uses 3 of them, IsWow64Process, OpenProcess, GetNativeSystemInfo, but still get crashed. I'm not sure why.

[Raiden]

Picture shows a million words.

NotWorking01.png

Edit: Now it works for me, BUT CRC scripts and debuggers WON`T work. The MSCRC won`t work AT ALL. Sigh~
The bad side of the bypass: I can only use softkeyboard to login. Keyboard is locked on login page and 2nd password enter page.
MSCRC: (CE Auto-Assemble code)

Code: Select all

//MSCRC Bypass
//This script is dynamic, no nid update except if AoB changed.
//Original by Nimo
[Enable]
//MS CRC Bypass 
//CE Assembly Script by nimo1993.
//If you can't execute this script, please press "Memory view"->"View". Check whether "Kernelmode symbols" item is checked.
Alloc(CRCBypass,512)
Alloc(FakeDump,8376320)
Label(MSCRCBypass)
Label(Normal)
Label(MSmemcpy)
Label(SearchAOB)
Label(StartHook)
Label(Title)
Label(FailureMsg)
Label(SuccessMsg)
Label(BackToMSCRC)
RegisterSymbol(MSCRCBypass)
RegisterSymbol(FakeDump)

CreateThread(MSmemcpy)

CRCBypass:
MSCRCBypass:
push eax
lea eax, [ecx]
cmp eax, 00401000
jb Normal
cmp eax, 00D00000
ja Normal
push ebx
mov ebx, FakeDump
sub eax, 00401000
add eax, ebx
movzx ecx, byte ptr [eax]
pop ebx
pop eax
jmp Normal+04

Normal:
pop eax
movzx ecx, byte ptr [ecx]
mov edx, [ebp+14]
jmp [BackToMSCRC]



MSmemcpy:
//Copy Memory
mov edi, FakeDump
mov esi, 00401000
mov ecx, 001FF400
repe movsd

mov eax, 00401000
SearchAOB:
cmp [eax], 8B09B60F
je StartHook
inc eax
cmp eax, 00D00000
jle SearchAOB
push 10 //MB_ICONERROR
push Title
push FailureMsg
push 00
call MessageBoxA
ret
StartHook:
lea ebx, [eax+05] //The Target Address - The Next Address
sub ebx, MSCRCBypass
neg ebx
mov byte ptr [eax], e9 //jmp
mov [eax+01], ebx //Target AOB
mov byte ptr [eax+05], 90 //nop
add eax, 6
mov [BackToMSCRC], eax //Return to the address+6
push 40 //MB_ICONINFORMATION
push Title
push SuccessMsg
push 00
call MessageBoxA
ret

Title:
db 'MS-CRC-Bypass' 00
FailureMsg:
db Anti-MS-CRC-Check Fail!' 00
SuccessMsg:
db 'Anti-MS-CRC-Check Init Successfully!' 00
BackToMSCRC:
dd 0
[Disable] 

Works perfectly fine for me, my MSCRC works good.

Well, My problem is, if I enable MSCRC, maple crashes just like usual. And if I use debug registers(MLE), when the hack is in use(like enable godmode and bang mob or attack with dEM), crash.

The login problem......annoying...since I have to enter 12-word long id and password.......

[Nerrazzuri]

Picture shows a million words.

NotWorking01.png

Edit: Now it works for me, BUT CRC scripts and debuggers WON`T work. The MSCRC won`t work AT ALL. Sigh~
The bad side of the bypass: I can only use softkeyboard to login. Keyboard is locked on login page and 2nd password enter page.
MSCRC: (CE Auto-Assemble code)

Code: Select all

//MSCRC Bypass
//This script is dynamic, no nid update except if AoB changed.
//Original by Nimo
[Enable]
//MS CRC Bypass 
//CE Assembly Script by nimo1993.
//If you can't execute this script, please press "Memory view"->"View". Check whether "Kernelmode symbols" item is checked.
Alloc(CRCBypass,512)
Alloc(FakeDump,8376320)
Label(MSCRCBypass)
Label(Normal)
Label(MSmemcpy)
Label(SearchAOB)
Label(StartHook)
Label(Title)
Label(FailureMsg)
Label(SuccessMsg)
Label(BackToMSCRC)
RegisterSymbol(MSCRCBypass)
RegisterSymbol(FakeDump)

CreateThread(MSmemcpy)

CRCBypass:
MSCRCBypass:
push eax
lea eax, [ecx]
cmp eax, 00401000
jb Normal
cmp eax, 00D00000
ja Normal
push ebx
mov ebx, FakeDump
sub eax, 00401000
add eax, ebx
movzx ecx, byte ptr [eax]
pop ebx
pop eax
jmp Normal+04

Normal:
pop eax
movzx ecx, byte ptr [ecx]
mov edx, [ebp+14]
jmp [BackToMSCRC]



MSmemcpy:
//Copy Memory
mov edi, FakeDump
mov esi, 00401000
mov ecx, 001FF400
repe movsd

mov eax, 00401000
SearchAOB:
cmp [eax], 8B09B60F
je StartHook
inc eax
cmp eax, 00D00000
jle SearchAOB
push 10 //MB_ICONERROR
push Title
push FailureMsg
push 00
call MessageBoxA
ret
StartHook:
lea ebx, [eax+05] //The Target Address - The Next Address
sub ebx, MSCRCBypass
neg ebx
mov byte ptr [eax], e9 //jmp
mov [eax+01], ebx //Target AOB
mov byte ptr [eax+05], 90 //nop
add eax, 6
mov [BackToMSCRC], eax //Return to the address+6
push 40 //MB_ICONINFORMATION
push Title
push SuccessMsg
push 00
call MessageBoxA
ret

Title:
db 'MS-CRC-Bypass' 00
FailureMsg:
db Anti-MS-CRC-Check Fail!' 00
SuccessMsg:
db 'Anti-MS-CRC-Check Init Successfully!' 00
BackToMSCRC:
dd 0
[Disable] 

Works perfectly fine for me, my MSCRC works good.

Well, My problem is, if I enable MSCRC, maple crashes just like usual. And if I use debug registers(MLE), when the hack is in use(like enable godmode and bang mob or attack with dEM), crash.

The login problem......annoying...since I have to enter 12-word long id and password.......

Nothing on top happens to me, I am hacking like normal right now.

Here is a picture of me using Pvac

[guyz92]

The last hit i gonna give.

Use CE 6.0 with VEH debugging using the 64bit exec. It will bypass all those craps.

[PIEzLOVERS]

Still Not responding @.@

[xiangloong]

Whoa..a few pros in xemectrum found out the solution of it.
@Raiden
I think 64 bit OS is working.

[Nerrazzuri]

Nah, it just some modification of the MSCRC. Since you guys have the HSCRC, try to get what accessing the random address. And you'll get the MSCRC routine.

[xiangloong]

Too bad i sucks in all these?