
    Hackshield Analyzes



    Hack Shield Analysis

     

     

     

    Credits: Big fucking credits to Token. Written by Th4natoS. Please don't use this without my permission.

     

    Thanks : lolz2much for the function addresses, Token for the pictures

     

    Hi there, and welcome to my information dump on Hack Shield, one of the best anti-cheats out right now. Today you will essentially learn what Hack Shield is made of, how Hack Shield works, and you will even learn some new bypassing ideas.

     

    Index

    1. Hack Shield Components
    2. Hack Shield Flow
    3. Bypassing Theory

     

    1. Hack Shield Components

     

    Hack Shield consists of:

     

    1. EhSvc.dll
      • EhSvc is the Hack Shield interface dll
      • It communicates between the game client and Hack Shield
      • It communicates with the Hack Shield driver (EagleNT.sys)
      • It initiates the hack tool detection engine
      • This is usually the only file needed to create a workable bypass

    2. V3Pro32s.dll
      • This is the hacking tool detection interface dll
      • This starts the hacking tool detection engine
      • This helps the scanning of known hack signatures
      • A very important file. This could interrupt the Hack Shield driver if correctly intercepted

    _AhnGetFileEntry	0x1000bb9c	0x0000bb9c	30 (0x1e)	v3pro32s.dll	C:\Nexon\Combat Arms\HShield\v3pro32s.dll	
    AhnBootInformation	0x1000b16f	0x0000b16f	1 (0x1)	v3pro32s.dll	C:\Nexon\Combat Arms\HShield\v3pro32s.dll	
    AhnCheckBootSector	0x1000b177	0x0000b177	2 (0x2)	v3pro32s.dll	C:\Nexon\Combat Arms\HShield\v3pro32s.dll	
    AhnCheckDefaultExtensions	0x1000124a	0x0000124a	3 (0x3)	v3pro32s.dll	C:\Nexon\Combat Arms\HShield\v3pro32s.dll	
    AhnCheckFile	0x1000ba5e	0x0000ba5e	4 (0x4)	v3pro32s.dll	C:\Nexon\Combat Arms\HShield\v3pro32s.dll	
    AhnCheckMemory	0x1000b160	0x0000b160	5 (0x5)	v3pro32s.dll	C:\Nexon\Combat Arms\HShield\v3pro32s.dll	
    AhnCheckProcess	0x1000b79d	0x0000b79d	6 (0x6)	v3pro32s.dll	C:\Nexon\Combat Arms\HShield\v3pro32s.dll	
    AhnGetBootRepairStatus	0x1000b5b9	0x0000b5b9	7 (0x7)	v3pro32s.dll	C:\Nexon\Combat Arms\HShield\v3pro32s.dll	
    AhnGetDefaultExtensions	0x1000126b	0x0000126b	8 (0x8)	v3pro32s.dll	C:\Nexon\Combat Arms\HShield\v3pro32s.dll	
    AhnGetEngineDate	0x100013fd	0x000013fd	9 (0x9)	v3pro32s.dll	C:\Nexon\Combat Arms\HShield\v3pro32s.dll	
    AhnGetEngineDateString	0x1000145c	0x0000145c	10 (0xa)	v3pro32s.dll	C:\Nexon\Combat Arms\HShield\v3pro32s.dll	
    AhnGetEngineDateValue	0x10001449	0x00001449	11 (0xb)	v3pro32s.dll	C:\Nexon\Combat Arms\HShield\v3pro32s.dll	
    AhnGetExtRepairStatus	0x1000b287	0x0000b287	12 (0xc)	v3pro32s.dll	C:\Nexon\Combat Arms\HShield\v3pro32s.dll	
    AhnGetRepairStatus	0x1000b1b4	0x0000b1b4	13 (0xd)	v3pro32s.dll	C:\Nexon\Combat Arms\HShield\v3pro32s.dll	
    AhnGetVersion	0x100014f7	0x000014f7	14 (0xe)	v3pro32s.dll	C:\Nexon\Combat Arms\HShield\v3pro32s.dll	
    AhnGetVirusFileCureData	0x1000120b	0x0000120b	15 (0xf)	v3pro32s.dll	C:\Nexon\Combat Arms\HShield\v3pro32s.dll	
    AhnGetVirusName	0x100010d1	0x000010d1	16 (0x10)	v3pro32s.dll	C:\Nexon\Combat Arms\HShield\v3pro32s.dll	
    AhnGetVirusName32	0x1000108c	0x0000108c	17 (0x11)	v3pro32s.dll	C:\Nexon\Combat Arms\HShield\v3pro32s.dll	
    AhnGetVirusNameStr	0x1000116c	0x0000116c	18 (0x12)	v3pro32s.dll	C:\Nexon\Combat Arms\HShield\v3pro32s.dll	
    AhnGetVirusNameStr32	0x100010ab	0x000010ab	19 (0x13)	v3pro32s.dll	C:\Nexon\Combat Arms\HShield\v3pro32s.dll	
    AhnInitVaccineEngine	0x1000b600	0x0000b600	20 (0x14)	v3pro32s.dll	C:\Nexon\Combat Arms\HShield\v3pro32s.dll	
    AhnRepairBootSector	0x1000b17e	0x0000b17e	21 (0x15)	v3pro32s.dll	C:\Nexon\Combat Arms\HShield\v3pro32s.dll	
    AhnRepairFile	0x1000eea0	0x0000eea0	22 (0x16)	v3pro32s.dll	C:\Nexon\Combat Arms\HShield\v3pro32s.dll	
    AhnRepairMemory	0x1000b167	0x0000b167	23 (0x17)	v3pro32s.dll	C:\Nexon\Combat Arms\HShield\v3pro32s.dll	
    AhnSetDefaultOption	0x1000ba89	0x0000ba89	24 (0x18)	v3pro32s.dll	C:\Nexon\Combat Arms\HShield\v3pro32s.dll	
    AhnSetExtensions	0x10001295	0x00001295	25 (0x19)	v3pro32s.dll	C:\Nexon\Combat Arms\HShield\v3pro32s.dll	
    PV3CALGetInfoAddr	0x1000a0fe	0x0000a0fe	26 (0x1a)	v3pro32s.dll	C:\Nexon\Combat Arms\HShield\v3pro32s.dll	
    V3CALGetInfo	0x1000a0c2	0x0000a0c2	27 (0x1b)	v3pro32s.dll	C:\Nexon\Combat Arms\HShield\v3pro32s.dll	
    V3CALGetShowInfo	0x1000a080	0x0000a080	28 (0x1c)	v3pro32s.dll	C:\Nexon\Combat Arms\HShield\v3pro32s.dll	
    V3CALGetTotalInfoCount	0x1000a0b9	0x0000a0b9	29 (0x1d)	v3pro32s.dll	C:\Nexon\Combat Arms\HShield\v3pro32s.dll

    3. 3N.mhe
      • The Heuristic engine file
      • Contains the patterns used to search for known hacks

    4. psapi.dll
      • The process status helper dll
      • Helps scan process signatures and control process functions

    EmptyWorkingSet	0x76a61e20	0x00001e20	1 (0x1)	psapi.dll	C:\Nexon\Combat Arms\HShield\psapi.dll	
    EnumDeviceDrivers	0x76a615a3	0x000015a3	2 (0x2)	psapi.dll	C:\Nexon\Combat Arms\HShield\psapi.dll	
    EnumPageFilesA	0x76a63b3c	0x00003b3c	3 (0x3)	psapi.dll	C:\Nexon\Combat Arms\HShield\psapi.dll	
    EnumPageFilesW	0x76a639cd	0x000039cd	4 (0x4)	psapi.dll	C:\Nexon\Combat Arms\HShield\psapi.dll	
    EnumProcesses	0x76a634a9	0x000034a9	6 (0x6)	psapi.dll	C:\Nexon\Combat Arms\HShield\psapi.dll	
    EnumProcessModules	0x76a61a8a	0x00001a8a	5 (0x5)	psapi.dll	C:\Nexon\Combat Arms\HShield\psapi.dll	
    GetDeviceDriverBaseNameA	0x76a61748	0x00001748	7 (0x7)	psapi.dll	C:\Nexon\Combat Arms\HShield\psapi.dll	
    GetDeviceDriverBaseNameW	0x76a61823	0x00001823	8 (0x8)	psapi.dll	C:\Nexon\Combat Arms\HShield\psapi.dll	
    GetDeviceDriverFileNameA	0x76a616cd	0x000016cd	9 (0x9)	psapi.dll	C:\Nexon\Combat Arms\HShield\psapi.dll	
    GetDeviceDriverFileNameW	0x76a617c7	0x000017c7	10 (0xa)	psapi.dll	C:\Nexon\Combat Arms\HShield\psapi.dll	
    GetMappedFileNameA	0x76a61945	0x00001945	11 (0xb)	psapi.dll	C:\Nexon\Combat Arms\HShield\psapi.dll	
    GetMappedFileNameW	0x76a6187f	0x0000187f	12 (0xc)	psapi.dll	C:\Nexon\Combat Arms\HShield\psapi.dll	
    GetModuleBaseNameA	0x76a61d2f	0x00001d2f	13 (0xd)	psapi.dll	C:\Nexon\Combat Arms\HShield\psapi.dll	
    GetModuleBaseNameW	0x76a61cb2	0x00001cb2	14 (0xe)	psapi.dll	C:\Nexon\Combat Arms\HShield\psapi.dll	
    GetModuleFileNameExA	0x76a61c4a	0x00001c4a	15 (0xf)	psapi.dll	C:\Nexon\Combat Arms\HShield\psapi.dll	
    GetModuleFileNameExW	0x76a61bcd	0x00001bcd	16 (0x10)	psapi.dll	C:\Nexon\Combat Arms\HShield\psapi.dll	
    GetModuleInformation	0x76a61d97	0x00001d97	17 (0x11)	psapi.dll	C:\Nexon\Combat Arms\HShield\psapi.dll	
    GetPerformanceInfo	0x76a6382d	0x0000382d	18 (0x12)	psapi.dll	C:\Nexon\Combat Arms\HShield\psapi.dll	
    GetProcessImageFileNameA	0x76a637a9	0x000037a9	19 (0x13)	psapi.dll	C:\Nexon\Combat Arms\HShield\psapi.dll	
    GetProcessImageFileNameW	0x76a6371b	0x0000371b	20 (0x14)	psapi.dll	C:\Nexon\Combat Arms\HShield\psapi.dll	
    GetProcessMemoryInfo	0x76a635c2	0x000035c2	21 (0x15)	psapi.dll	C:\Nexon\Combat Arms\HShield\psapi.dll	
    GetWsChanges	0x76a636e1	0x000036e1	22 (0x16)	psapi.dll	C:\Nexon\Combat Arms\HShield\psapi.dll	
    InitializeProcessForWsWatch	0x76a6369d	0x0000369d	23 (0x17)	psapi.dll	C:\Nexon\Combat Arms\HShield\psapi.dll	
    QueryWorkingSet	0x76a61e8b	0x00001e8b	24 (0x18)	psapi.dll	C:\Nexon\Combat Arms\HShield\psapi.dll	
    QueryWorkingSetEx	0x76a61ec7	0x00001ec7	25 (0x19)	psapi.dll	C:\Nexon\Combat Arms\HShield\psapi.dll

    5. V3Warp(d)(n)s.v3d
      • The anti-hacking engine pattern file
      • Not too sure exactly what this does, but it reads the 3N.mhe file

    6. EagleNT.sys
      • The Hack Shield kernel driver
      • Performs anti-hacking functions, protects the game client's process, and hooks certain APIs, rendering them useless
      • If successfully uninitiated, it could enable the use of many APIs and functions such as Read/WriteProcessMemory.

     

    2. Hack Shield Flow

     

    Here is a graphical chart explaining how all the components work together:

    structure.jpg

     

    Here is a graphical chart explaining how Hack Shield is started:

    hs_pc.jpg

    **If I were you I would pay attention to those function names!

     

    3. Bypassing Theory

     

    So, we got some nice information about Hack Shield. How do we bypass it? I will tell you right now, I'm going to show you some very unconventional and new ideas. Say goodbye to your petty API and ASM bypasses, and say hello to your new best friend: detouring. Before we continue, you should have a strong foundation in detouring. If you don't, I recommend watching this.

     

    So what functions do we detour? In reality, you are going to be detouring CallBack. The CallBack function in Hack Shield collects data from the Hack Shield service. The data is usually errors or "Hack Detected" type messages. The goal of course is to stop it from getting the Hack Detected messages, or stop it from alerting the game client that there is a "Hack Detected" message. The first goal is to find the actual name of the function. The next step is to rebuild the params of the function. The next step is to find the address of this function. Then finally you detour it. Here is my example (not working probably):

    ////// Declares //////
    #define CallBackAddy 0x0000001
    typedef int ( *PFN_AhnEH_Callback)( long lCode, long lParamSize, void* pParam ); //the name of the function actually is PFN_AhnEH_Callback
    PFN_AhnEH_Callback pAhnEH_Callback; //Defining our function
    //////
    
    ////// Our new function //////
    int _CallBackThread()
    {
    DWORD dwCode = YOUR_CODE_TO_PASS;
    int myReturn = pAhnEH_Callback(dwCode, 0, NULL);
    return myReturn;
    }
    //////
    ////// Our Detour //////
    pAhnEH_Callback  = (PFN_AhnEH_Callback)DetourFunction( (PBYTE)( Ehsvc + CallBackAddy ), (PBYTE)_CallBackThread()); 
    //////

     

    This is just pseudo code, but hopefully you get the idea. The hard part is finding the address of the function. There are some function addresses included for Combat Arms, but that's just Combat Arms. I have my way of getting it, but I'm leaving it up to you to figure out how to get the address. I don't want to completely hand feed you a working bypass. There are a couple ways to get it.

     

    As a conclusion, I just want to say that you need to use your imagination! Find different functions. Find different ways to bypass. Rip Hack Shield apart.

     

     

     

    Best Method O.o

    Edited by BlackDog™
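    A defender-side view of the detour described in the post above, as an added example that is not part of the original post and not Hack Shield's own code: it classifies the first bytes of a protected function entry and flags a redirect that leaves the owning module, or any difference from the on-disk copy. The module range, function address and all byte arrays are constructed for illustration, and a 32-bit x86 target on a little-endian host is assumed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the original post. 32-bit x86, little-endian host.
   MOD_BASE, MOD_SIZE and FUNC_VA are hypothetical; all byte arrays are constructed. */
enum hook_kind { HOOK_NONE, HOOK_JMP_REL32, HOOK_PUSH_RET, HOOK_MODIFIED };
#define MOD_BASE 0x10000000u
#define MOD_SIZE 0x00020000u
#define FUNC_VA  0x10001000u

static const uint8_t CLEAN[6]    = {0x55,0x8B,0xEC,0x83,0xEC,0x10}; /* push ebp; mov ebp,esp; sub esp,10h */
static const uint8_t DETOURED[6] = {0xE9,0xFB,0xEF,0x33,0xF2,0x10}; /* jmp 02340000h (outside module) */
static const uint8_t PUSHRET[6]  = {0x68,0x00,0x00,0x34,0x02,0xC3}; /* push 02340000h; ret */
static const uint8_t THUNK[6]    = {0xE9,0x00,0x01,0x00,0x00,0xCC}; /* jmp 10001105h (inside module) */
static const uint8_t PATCHED[6]  = {0xC3,0x8B,0xEC,0x83,0xEC,0x10}; /* entry overwritten with ret */

static int in_module(uint32_t va) { return va >= MOD_BASE && va - MOD_BASE < MOD_SIZE; }

/* mem: bytes read from the live function entry; disk: same bytes from the on-disk image. */
enum hook_kind check_entry(const uint8_t *mem, const uint8_t *disk, size_t len) {
    uint32_t v;
    if (len >= 5 && mem[0] == 0xE9) {                    /* jmp rel32 */
        memcpy(&v, mem + 1, 4);
        /* target = address of next instruction + displacement, wrapping mod 2^32 */
        if (!in_module((uint32_t)(FUNC_VA + 5u + v))) return HOOK_JMP_REL32;
    }
    if (len >= 6 && mem[0] == 0x68 && mem[5] == 0xC3) {  /* push imm32; ret */
        memcpy(&v, mem + 1, 4);
        if (!in_module(v)) return HOOK_PUSH_RET;
    }
    /* A redirect that stays inside the module is trusted only if it matches the file. */
    return memcmp(mem, disk, len) ? HOOK_MODIFIED : HOOK_NONE;
}

int main(void) {
    printf("clean=%d detour=%d pushret=%d thunk=%d patched=%d\n",
           (int)check_entry(CLEAN, CLEAN, 6), (int)check_entry(DETOURED, CLEAN, 6),
           (int)check_entry(PUSHRET, CLEAN, 6), (int)check_entry(THUNK, THUNK, 6),
           (int)check_entry(PATCHED, CLEAN, 6));
    return 0;
}
```

    The in-module jump case matters in practice: linker thunks legitimately begin with a jump, so the check only accepts them when the live bytes equal the reference copy.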

    this is leeched from th4natos on gamedeception...

     

    -warned


    • 4 weeks later...
    • 2 weeks later...
    • 2 months later...

    ok it's just analysis,

    there's much more to it on recent hackshield updates for various game clients with license of any version of hackshield.

    umm also this leech from my site xD GD topic had some stuff not added O.o

    if anyone wants information on how they're using the virus engine scan field, I can give you a detailed report on it I have done after a few weeks.

    This topic is now closed to further replies.