API tools faq
paste
Advertisement
Riremito

HackShield Bypass v5.6.34.449 and v5.7.6.502

Riremito
Sep 6th, 2014
3,971
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C++ 6.63 KB | None | 0 0
raw download clone embed print report
  1. WRYYYYYYYYYYYYYYYYYYYーッ
  2. x64環境でのみきちんと動作します
  3. x86環境で使う場合はMemory Protectionを無効にしないと
  4. OpenProcessをドライバロード後に行うとBSODします
  5. by AIRRIDE (リレミト)
  6. SkypeID:C20400
  7. http://otthts.blog.fc2.com/
  8.  
  9. //v5.6.34.449
  10. DWORD HS_Memory, HS_Memory_Start, HS_Memory_End;
  11. DWORD HSCRC1_Ret, HSCRC2_Ret, HSCRC3_Ret, HSCRC4_Ret;
  12.  
  13. void _declspec(naked) HSCRC1_Hook(){
  14.     _asm{
  15.         cmp ecx,[HS_Memory_Start]
  16.         jb Ending_HSCRC1
  17.         cmp ecx,[HS_Memory_End]
  18.         ja Ending_HSCRC1
  19.         sub ecx,[HS_Memory_Start]
  20.         add ecx,[HS_Memory]
  21. Ending_HSCRC1:
  22.         mov dl,[ecx]
  23.         xor eax,edx
  24.         mov ecx,[ebp+0x10]
  25.         jmp dword ptr [HSCRC1_Ret]
  26.     }
  27. }
  28.  
  29. void _declspec(naked) HSCRC2_Hook(){
  30.     _asm{
  31.         cmp ebx,[HS_Memory_Start]
  32.         jb Ending_HSCRC2
  33.         cmp ebx,[HS_Memory_End]
  34.         ja Ending_HSCRC2
  35.         sub ebx,[HS_Memory_Start]
  36.         add ebx,[HS_Memory]
  37. Ending_HSCRC2:
  38.         add al,[ebx]
  39.         pop ebx
  40.         push edx
  41.         mov dh,-0x78
  42.         jmp dword ptr [HSCRC2_Ret]
  43.     }
  44. }
  45.  
  46. void _declspec(naked) HSCRC3_Hook(){
  47.     _asm{
  48.         cmp edx,[HS_Memory_Start]
  49.         jb Ending_HSCRC3
  50.         cmp edx,[HS_Memory_End]
  51.         ja Ending_HSCRC3
  52.         push edx
  53.         sub edx,[HS_Memory_Start]
  54.         cmp edx,0x902A2 - 0x100
  55.         jb Ending_HSCRC3_2
  56.         cmp edx,0x35DBB9 + 0x100
  57.         ja Ending_HSCRC3_2
  58.         cmp edx,0x902A2 + 0x100
  59.         jb Ending_HSCRC3_1
  60.         cmp edx,0x35DBB9 - 0x100
  61.         ja Ending_HSCRC3_1
  62.         jmp Ending_HSCRC3_2
  63. Ending_HSCRC3_1:
  64.         add edx,[HS_Memory]
  65.         mov edx,[edx]
  66.         mov dword ptr [esp+0x04],edx
  67. Ending_HSCRC3_2:
  68.         pop edx
  69. Ending_HSCRC3:
  70.         jmp dword ptr [HSCRC3_Ret]
  71.     }
  72. }
  73.  
  74. void _declspec(naked) HSCRC4_Hook(){
  75.     _asm{
  76.         push esi
  77.         cmp esi,[Memory_Start]
  78.         jb Ending_
  79.         cmp esi,[Memory_End]
  80.         ja Ending_
  81.         sub esi,[Memory_Start]
  82.         add esi,[Memory]
  83. Ending_:
  84.         lea edi,[ebp-0x1228]
  85.         repe movsd
  86.         pop esi
  87.         jmp dword ptr [HSCRC4_Ret]
  88.     }
  89. }
  90.  
  91. void HSCRC5_TableHack(DWORD dwHSCRC5_Table){
  92.     int i;
  93.     for(i=0; i<3; i++){
  94.         *(DWORD *)(dwHSCRC5_Table + i*8) = ((*(DWORD *)(dwHSCRC5_Table + i*8)^*(DWORD *)(dwHSCRC5_Table + 0x18)) - HS_Memory_Start + HS_Memory)^(*(DWORD *)(dwHSCRC5_Table + 0x18));
  95.     }
  96. }
  97.  
  98. void HackShieldBypass(){
  99.  
  100.     while(!GetModuleHandleA("EHSvc.dll")){
  101.         Sleep(100);
  102.     }
  103.  
  104.     DWORD EHSvc = (DWORD)GetModuleHandleA("EHSvc.dll");
  105.  
  106.     Air::CreateMemoryDump(&HS_Memory, &HS_Memory_Start, &HS_Memory_End, "EHSvc.dll");
  107.    
  108.     Air::WriteJumpAtModule("EHSvc.dll", 0x902A2, (DWORD)HSCRC1_Hook, &HSCRC1_Ret, 2);//HSCRC1
  109.     Air::WriteJumpAtModule("EHSvc.dll", 0x35DBB9, (DWORD)HSCRC2_Hook, &HSCRC2_Ret, 1);//HSCRC2
  110.     Air::WriteJumpAtModule("EHSvc.dll", 0x2578AE, (DWORD)HSCRC3_Hook);//HSCRC3
  111.     HSCRC3_Ret = EHSvc + 0x24FAD3;
  112.     Air::WriteJumpAtModule("EHSvc.dll", 0x38A37, (DWORD)HSCRC4_Hook, &HSCRC4_Ret, 3);//HSCRC4
  113.     HSCRC5_TableHack(EHSvc + 0x153040);
  114.     Air::WriteCodeAtModule("EHSvc.dll", 0x4DB20, "31 C0 C2 04 00");//Process Scanner
  115.     Air::WriteCodeAtModule("EHSvc.dll", 0x548F0, "31 C0 C2 04 00");//Module Scanner
  116.     Air::WriteCodeAtModule("EHSvc.dll", 0x10AE0, "31 C0 C3");//HardwareBreakPoint Detection(Main)
  117.     Air::WriteCodeAtModule("EHSvc.dll", 0xF240, "31 C0 C3");//HardwareBreakPoint Detection2
  118.     Air::WriteCodeAtModule("EHSvc.dll", 0xF430, "31 C0 C3");//HardwareBreakPoint Detection3
  119.     Air::WriteCodeAtModule("EHSvc.dll", 0xFBC0, "31 C0 C2 18 00");//HardwareBreakPoint Detection4
  120.     Air::WriteCodeAtModule("EHSvc.dll", 0x6DCB0, "31 C0 C3");//SoftwareBreakPoint Detection
  121.     Air::WriteCodeAtModule("EHSvc.dll", 0xCA642, "B8 00 00 00 00");//Memory Protection
  122.  
  123. }
  124.  
  125. //v5.7.6.502
  126. DWORD HS_Memory, HS_Memory_Start, HS_Memory_End;
  127. DWORD HSCRC1_Ret, HSCRC2_Ret, HSCRC3_Ret, HSCRC4_Ret;
  128.  
  129. void _declspec(naked) HSCRC1_Hook(){
  130.     _asm{
  131.         cmp ecx,[HS_Memory_Start]
  132.         jb Ending_HSCRC1
  133.         cmp ecx,[HS_Memory_End]
  134.         ja Ending_HSCRC1
  135.         sub ecx,[HS_Memory_Start]
  136.         add ecx,[HS_Memory]
  137. Ending_HSCRC1:
  138.         mov dl,[ecx]
  139.         xor eax,edx
  140.         mov ecx,[ebp+0x10]
  141.         jmp dword ptr [HSCRC1_Ret]
  142.     }
  143. }
  144.  
  145. void _declspec(naked) HSCRC2_Hook(){
  146.     _asm{
  147.         cmp ebx,[HS_Memory_Start]
  148.         jb Ending_HSCRC2
  149.         cmp ebx,[HS_Memory_End]
  150.         ja Ending_HSCRC2
  151.         sub ebx,[HS_Memory_Start]
  152.         add ebx,[HS_Memory]
  153. Ending_HSCRC2:
  154.         add al,[ebx]
  155.         mov ebx,[esp]
  156.         jmp dword ptr [HSCRC2_Ret]
  157.     }
  158. }
  159.  
  160. void _declspec(naked) HSCRC3_Hook(){
  161.     _asm{
  162.         cmp edx,[HS_Memory_Start]
  163.         jb Ending_HSCRC3
  164.         cmp edx,[HS_Memory_End]
  165.         ja Ending_HSCRC3
  166.         push edx
  167.         sub edx,[HS_Memory_Start]
  168.         cmp edx,0x92812 - 0x100
  169.         jb Ending_HSCRC3_2
  170.         cmp edx,0x360040 + 0x100
  171.         ja Ending_HSCRC3_2
  172.         cmp edx,0x92812 + 0x100
  173.         jb Ending_HSCRC3_1
  174.         cmp edx,0x360040 - 0x100
  175.         ja Ending_HSCRC3_1
  176.         jmp Ending_HSCRC3_2
  177. Ending_HSCRC3_1:
  178.         add edx,[HS_Memory]
  179.         mov edx,[edx]
  180.         mov dword ptr [esp+0x04],edx
  181. Ending_HSCRC3_2:
  182.         pop edx
  183. Ending_HSCRC3:
  184.         jmp dword ptr [HSCRC3_Ret]
  185.     }
  186. }
  187.  
  188. void _declspec(naked) HSCRC4_Hook(){
  189.     _asm{
  190.         push esi
  191.         cmp esi,[Memory_Start]
  192.         jb Ending_
  193.         cmp esi,[Memory_End]
  194.         ja Ending_
  195.         sub esi,[Memory_Start]
  196.         add esi,[Memory]
  197. Ending_:
  198.         lea edi,[ebp-0x1228]
  199.         repe movsd
  200.         pop esi
  201.         jmp dword ptr [HSCRC4_Ret]
  202.     }
  203. }
  204.  
  205. void HSCRC5_TableHack(DWORD dwHSCRC5_Table){
  206.     int i;
  207.     for(i=0; i<4; i++){
  208.         *(DWORD *)(dwHSCRC5_Table + i*8) = ((*(DWORD *)(dwHSCRC5_Table + i*8)^*(DWORD *)(dwHSCRC5_Table + 0x24)) - HS_Memory_Start + HS_Memory)^(*(DWORD *)(dwHSCRC5_Table + 0x24));
  209.     }
  210. }
  211.  
  212. void HackShieldBypass(){
  213.  
  214.     while(!GetModuleHandleA("EHSvc.dll")){
  215.         Sleep(100);
  216.     }
  217.  
  218.     DWORD EHSvc = (DWORD)GetModuleHandleA("EHSvc.dll");
  219.  
  220.     Air::CreateMemoryDump(&HS_Memory, &HS_Memory_Start, &HS_Memory_End, "EHSvc.dll");
  221.    
  222.     Air::WriteJumpAtModule("EHSvc.dll", 0x92812, (DWORD)HSCRC1_Hook, &HSCRC1_Ret, 2);//HSCRC1
  223.     Air::WriteJumpAtModule("EHSvc.dll", 0x360040, (DWORD)HSCRC2_Hook, &HSCRC2_Ret);//HSCRC2
  224.     Air::WriteJumpAtModule("EHSvc.dll", 0x26005E+2, (DWORD)HSCRC3_Hook);//HSCRC3
  225.     HSCRC3_Ret = EHSvc + 0x2528EB;
  226.     Air::WriteJumpAtModule("EHSvc.dll", 0x39ED7, (DWORD)HSCRC4_Hook, &HSCRC4_Ret, 3);//HSCRC4
  227.     HSCRC5_TableHack(EHSvc + 0x157048);
  228.     Air::WriteCodeAtModule("EHSvc.dll", 0x4F5B0, "31 C0 C2 04 00");//Process Scanner
  229.     Air::WriteCodeAtModule("EHSvc.dll", 0x56380, "31 C0 C2 04 00");//Module Scanner
  230.     Air::WriteCodeAtModule("EHSvc.dll", 0x10E20, "31 C0 C3");//HardwareBreakPoint Detection(Main)
  231.     Air::WriteCodeAtModule("EHSvc.dll", 0xF550, "31 C0 C3");//HardwareBreakPoint Detection2
  232.     Air::WriteCodeAtModule("EHSvc.dll", 0xF740, "31 C0 C3");//HardwareBreakPoint Detection3
  233.     Air::WriteCodeAtModule("EHSvc.dll", 0xFED0, "31 C0 C2 18 00");//HardwareBreakPoint Detection4
  234.  
  235.     Air::WriteCodeAtModule("EHSvc.dll", 0x70140, "31 C0 C3");//SoftwareBreakPoint Detection
  236.     Air::WriteCodeAtModule("EHSvc.dll", 0xCEB67, "B8 00 00 00 00");//Memory Protection
  237. }
  238.  
  239.  
  240. すまん 同じの2つ今書いてた
  241. 編集しといたですたい
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!