Riremito

HackShield Bypass v5.7.20.616 JMS

Jul 31st, 2015
  1. /*
  2.     HackShield Bypass for v5.7.20.616 JMS v342.1
  3.     by Riremito (AIRRIDE)
  4. */
  5. #include"HackShield.h"
  6. #include"MapleStory.h"
  7. #include"gui.h"
  8.  
  9.  
// Location of the loaded EHSvc.dll image and of the copy of it that
// HackShieldBypass takes (AirMemory::CreateMemoryDump) before any patch is
// written.  The CRC trampolines below compare a read address against
// [EHSvc_Start, EHSvc_End] and, when it is inside, rebase it into the copy so
// the integrity check sees the unpatched bytes.  Whether EHSvc_End is the last
// valid byte or one past it is decided by GetDumpInfo; the hooks treat it as
// inclusive (`ja`).
DWORD EHSvc_MemoryDump;
DWORD EHSvc_Start;
DWORD EHSvc_End;
  11.  
// Resume addresses filled in by AirMemory::WriteHook: each trampoline ends with
// `jmp dword ptr [..._Ret]` to return to the instruction following the bytes
// that its 5-byte jmp (plus padding) displaced.
DWORD HSCRC1_Ret;
DWORD HSCRC2_Ret;
DWORD HSCRC3_Ret;
DWORD HSCRC4_Ret;
DWORD HSCRC_Client_Ret;
  13.  
// Trampoline for CRC routine #1, installed by HackShieldBypass over
// EHSvc+0x9C852 (5-byte jmp + 2 bytes of padding).  On entry ecx holds the
// address of the next byte the checksum reads.  If that address lies inside
// [EHSvc_Start, EHSvc_End] it is rebased into the memory dump that was taken
// before any patch was written, so the checksum runs over the clean image.
// The tail replays what appear to be the three displaced instructions
// (mov dl,[ecx] / xor eax,edx / mov ecx,[ebp+0x10] encode to 7 bytes, which
// matches the 5+2 passed to WriteHook) and jumps back via HSCRC1_Ret.
// NOTE(review): the range test uses `ja`, so EHSvc_End itself is treated as
// in-range; if GetDumpInfo reports an exclusive end, the byte at End is read
// one past the dump.  EFLAGS clobbered by the cmps are rewritten by the
// replayed `xor eax,edx`, so no live flags are lost here.
void _declspec(naked) HSCRC1_Hook(){
    _asm{
        cmp ecx,[EHSvc_Start]
        jb Ending_HSCRC1            // below the image: read the real byte
        cmp ecx,[EHSvc_End]
        ja Ending_HSCRC1            // above the image: read the real byte
        sub ecx,[EHSvc_Start]       // offset within the image ...
        add ecx,[EHSvc_MemoryDump]  // ... rebased into the clean copy
Ending_HSCRC1:
        mov dl,[ecx]                // displaced original instructions
        xor eax,edx
        mov ecx,[ebp+0x10]
        jmp dword ptr [HSCRC1_Ret]  // resume after the hook site
    }
}
  29.  
// Trampoline for CRC routine #2, installed over EHSvc+0x4AAE69 (5-byte jmp +
// 3 bytes of padding).  ebx is the address of the byte being accumulated into
// al; reads inside [EHSvc_Start, EHSvc_End] are rebased into the clean dump.
// The tail replays what appear to be the displaced instructions
// (add al,[ebx] / pop ebx / push 0x7827 = 8 bytes, matching 5+3).
// NOTE(review): `ja` treats EHSvc_End as inclusive (see HSCRC1_Hook).  The
// replayed `add` rewrites EFLAGS, so the cmps clobbering them is harmless.
void _declspec(naked) HSCRC2_Hook(){
    _asm{
        cmp ebx,[EHSvc_Start]
        jb Ending_HSCRC2            // outside the image: read as-is
        cmp ebx,[EHSvc_End]
        ja Ending_HSCRC2
        sub ebx,[EHSvc_Start]       // rebase into the dump
        add ebx,[EHSvc_MemoryDump]
Ending_HSCRC2:
        add al,[ebx]                // displaced original instructions
        pop ebx
        push 0x00007827
        jmp dword ptr [HSCRC2_Ret]
    }
}
  45.  
// Trampoline for CRC routine #3, installed over EHSvc+0x26F0C7 (5-byte jmp,
// no padding; mov edi,[edi] / movzx edx,word ptr [edx] encode to exactly 5).
// edi is the address of the dword about to be read.  Unlike HSCRC1/2 this
// hook does not rebase the whole image: a read is redirected into the dump
// only when its image offset is below 0x100000, or within +/-0x10 of
// 0x4AAE69 (the HSCRC2 hook site).  Everything else is read as-is.  The
// source does not record why the 1 MiB cut-off exists.  The commented-out
// block would have added a window around the HSCRC1 site (0x9C852), which
// already falls below 0x100000.
// NOTE(review): the patch sites 0x26F0C7, 0x31FE71 and 0x36FB0C lie outside
// both windows, so if this routine ever reads them it sees patched bytes.
// NOTE(review): the cmps clobber EFLAGS and the two replayed instructions do
// not set them; this is only safe if the code after the hook site does not
// consume flags computed before it -- verify against the original bytes.
void _declspec(naked) HSCRC3_Hook(){
    _asm{
        cmp edi,[EHSvc_Start]
        jb Ending_HSCRC3            // outside the image: read as-is
        cmp edi,[EHSvc_End]
        ja Ending_HSCRC3
        push eax
        mov eax,edi
        sub eax,[EHSvc_Start]       // eax = image offset of the read
        cmp eax,0x100000
        jb Ending_HSCRC3_2          // first 1 MiB: always redirected
        /*cmp eax,0x9C852 - 0x10
        jb Ending_HSCRC3_1
        cmp eax,0x9C852 + 0x10
        jb Ending_HSCRC3_2
        */
        cmp eax,0x4AAE69 - 0x10     // window around the HSCRC2 patch
        jb Ending_HSCRC3_1
        cmp eax,0x4AAE69 + 0x10
        ja Ending_HSCRC3_1
Ending_HSCRC3_2:
        sub edi,[EHSvc_Start]       // rebase into the dump
        add edi,[EHSvc_MemoryDump]
Ending_HSCRC3_1:
        pop eax
Ending_HSCRC3:
        mov edi,[edi]               // displaced original instructions
        movzx edx,word ptr [edx]
        jmp dword ptr [HSCRC3_Ret]
    }
}
  77.  
// Trampoline for CRC routine #4, installed over EHSvc+0x36FB0C (5-byte jmp,
// no padding; mov esi,[esi] / add [edi],esi / pushfd encode to exactly 5).
// Same redirection policy as HSCRC3_Hook: reads with an image offset below
// 0x100000, or within +/-0x10 of the HSCRC2 patch at 0x4AAE69, are served
// from the dump; all other reads are left alone.  The commented-out block is
// the same redundant HSCRC1 window as in HSCRC3_Hook.
// NOTE(review): the other patch sites (0x26F0C7, 0x31FE71, 0x36FB0C) are not
// covered, so they are visible to this routine if it ever walks them.
// The replayed `add [edi],esi` rewrites EFLAGS before `pushfd` saves them,
// so the flags clobbered by the cmps are not observable.
void _declspec(naked) HSCRC4_Hook(){
    _asm{
        cmp esi,[EHSvc_Start]
        jb Ending_HSCRC4            // outside the image: read as-is
        cmp esi,[EHSvc_End]
        ja Ending_HSCRC4
        push eax
        mov eax,esi
        sub eax,[EHSvc_Start]       // eax = image offset of the read
        cmp eax,0x100000
        jb Ending_HSCRC4_2          // first 1 MiB: always redirected
        /*
        cmp eax,0x9C852 - 0x10
        jb Ending_HSCRC4_1
        cmp eax,0x9C852 + 0x10
        jb Ending_HSCRC4_2
        */
        cmp eax,0x4AAE69 - 0x10     // window around the HSCRC2 patch
        jb Ending_HSCRC4_1
        cmp eax,0x4AAE69 + 0x10
        ja Ending_HSCRC4_1
Ending_HSCRC4_2:
        sub esi,[EHSvc_Start]       // rebase into the dump
        add esi,[EHSvc_MemoryDump]
Ending_HSCRC4_1:
        pop eax
Ending_HSCRC4:
        mov esi,[esi]               // displaced original instructions
        add [edi],esi
        pushfd
        jmp dword ptr [HSCRC4_Ret]
    }
}
  111.  
  112.  
// Trampoline for the client-side check, installed over EHSvc+0x41617 (5-byte
// jmp + 3 bytes of padding).  esi is the source pointer of a `rep movsd` copy
// into a stack buffer at ebp-0x1228.  If it points into
// [Memory_Start, Memory_End] (declared elsewhere, presumably the game client's
// image) it is rebased into the `Memory` copy, so the check copies unpatched
// client bytes.  lea edi,[ebp-0x1228] / rep movsd encode to 8 bytes, which
// matches the 5+3; `repe movsd` is the same encoding as `rep movsd`.
// NOTE(review): esi is pushed before the copy and popped after it, so the
// caller sees esi unchanged instead of advanced by 4*ecx as the original
// `rep movsd` would leave it.  Fine only if nothing downstream uses esi.
// NOTE(review): the cmps clobber EFLAGS and lea/movsd do not set them; see the
// same caveat on HSCRC3_Hook.
void _declspec(naked) HSCRC_Client_Hook(){
    _asm{
        push esi                    // keep the caller's esi
        cmp esi,[Memory_Start]
        jb Ending_                  // outside the client image: copy as-is
        cmp esi,[Memory_End]
        ja Ending_
        sub esi,[Memory_Start]      // rebase into the clean client copy
        add esi,[Memory]
Ending_:
        lea edi,[ebp-0x1228]        // displaced original instructions
        repe movsd
        pop esi                     // restore the pre-copy esi
        jmp dword ptr [HSCRC_Client_Ret]
    }
}
  129.  
// Reached by a `call` that Hidden_Call_Hook's "Justin" variant writes at
// +0x186 of a dynamically generated CRC routine (5-byte call + 1 nop, i.e. 6
// bytes, the size of xor ebx,ebx / mov bl,[ecx] / xor edx,ebx, which is
// presumably the displaced sequence).  ecx is the address of the byte being
// folded into edx; reads inside the EHSvc image are rebased into the dump.
// eax is preserved; the replayed `xor edx,ebx` rewrites EFLAGS.  Returns to
// the generated code with a plain `ret` (the call pushed the return address).
void _declspec(naked) HSCRC_Dynamic1_Hook(){
    _asm{
        //+0x186
        xor ebx,ebx
        push eax
        mov eax,ecx
        cmp eax,[EHSvc_Start]
        jb HDH1_End                 // outside the image: read as-is
        cmp eax,[EHSvc_End]
        ja HDH1_End
        sub eax,[EHSvc_Start]       // rebase into the dump
        add eax,[EHSvc_MemoryDump]
HDH1_End:
        mov bl,[eax]
        pop eax
        xor edx,ebx                 // displaced original instruction
        ret
    }
}
  149.  
// Reached by a `call` that Hidden_Call_Hook's "Bieber" variant writes at
// +0x15A of a dynamically generated CRC routine (5 bytes, the size of
// mov dl,[eax] / add [ebp-0x28],edx, presumably the displaced sequence).
// eax is the address of the byte being added into the accumulator at
// ebp-0x28 (ebp is the generated routine's frame; `call` leaves it intact);
// reads inside the EHSvc image are rebased into the dump.  ecx is preserved
// and the replayed `add` rewrites EFLAGS.
void _declspec(naked) HSCRC_Dynamic2_Hook(){
    _asm{
        //+0x15A
        push ecx
        mov ecx,eax
        cmp ecx,[EHSvc_Start]
        jb HDH2_End                 // outside the image: read as-is
        cmp ecx,[EHSvc_End]
        ja HDH2_End
        sub ecx,[EHSvc_Start]       // rebase into the dump
        add ecx,[EHSvc_MemoryDump]
HDH2_End:
        mov dl,[ecx]
        pop ecx
        add [ebp-0x28],edx          // displaced original instruction
        ret
    }
}
  168.  
// Reached by the first `call` that Hidden_Call_Hook's "Taylor" variant writes,
// at +0x169 of a dynamically generated CRC routine (5 bytes, the size of
// mov dl,[eax] / add dword ptr [ebp-0x24],edx, presumably the displaced
// sequence).  Same shape as HSCRC_Dynamic2_Hook but accumulates into the
// frame slot at ebp-0x24.  ecx is preserved; the replayed `add` rewrites
// EFLAGS.
void _declspec(naked) HSCRC_Dynamic3_Hook(){
    _asm{
        //+0x169 (the original comment said +0x15A; Hidden_Call_Hook patches 0x169)
        push ecx
        mov ecx,eax
        cmp ecx,[EHSvc_Start]
        jb HDH3_End                 // outside the image: read as-is
        cmp ecx,[EHSvc_End]
        ja HDH3_End
        sub ecx,[EHSvc_Start]       // rebase into the dump
        add ecx,[EHSvc_MemoryDump]
HDH3_End:
        mov dl,[ecx]
        pop ecx
        add dword ptr [ebp-0x24],edx // displaced original instruction
        ret
    }
}
  187.  
// Reached by the second `call` that Hidden_Call_Hook's "Taylor" variant writes,
// at +0x176 of the same generated routine (5 bytes, the size of
// mov dl,[eax] / xor dword ptr [ebp-0x24],edx, presumably the displaced
// sequence).  Identical to HSCRC_Dynamic3_Hook except that the byte is XORed
// into ebp-0x24 instead of added.  ecx is preserved; `xor` rewrites EFLAGS.
void _declspec(naked) HSCRC_Dynamic4_Hook(){
    _asm{
        //+0x176
        push ecx
        mov ecx,eax
        cmp ecx,[EHSvc_Start]
        jb HDH4_End                 // outside the image: read as-is
        cmp ecx,[EHSvc_End]
        ja HDH4_End
        sub ecx,[EHSvc_Start]       // rebase into the dump
        add ecx,[EHSvc_MemoryDump]
HDH4_End:
        mov dl,[ecx]
        pop ecx
        xor dword ptr [ebp-0x24],edx // displaced original instruction
        ret
    }
}
  205.  
  206.  
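// Entered by a 5-byte jmp written over every "pop eax / popfd / ret 0"
// epilogue (AOB "58 9D C2 00 00") that HackShieldBypass finds in EHSvc.dll.
// The address that epilogue would return to is used as the base of a
// dynamically generated CRC routine.  Three dword fingerprints at fixed
// offsets identify which of three layouts it has, and the matching layout
// gets a `call` to the corresponding HSCRC_DynamicN_Hook written over its
// byte-read instructions (rel32 = target - (site + 5)).  Routines with an
// unknown layout are left untouched.
//
// Stack on entry: [esp] saved eax, [esp+4] saved EFLAGS, [esp+8] return
// address -- exactly what the displaced pop/popfd/ret consumed.
//
// Fix vs. the original: it executed `popfd` first and then clobbered the
// restored flags with the cmp/sub chain before returning, so the caller of
// the generated routine got garbage flags.  Here eax and EFLAGS stay on the
// stack until the end and are restored after all patching, so the caller
// sees the flags the generated code saved.  The patched region must be
// writable when this runs (it is generated code; the original wrote to it
// the same way).  The commented-out blocks are an earlier approach that
// short-circuited branches inside the routine instead of hooking the reads.
void _declspec(naked) Hidden_Call_Hook(){
    _asm{
        mov eax,[esp+0x08]          // return address = base of the generated routine
        cmp dword ptr [eax+0x33],0x0FFFFFFF
        je Justin
        cmp dword ptr [eax+0x3F],0xF88B0A74
        je Bieber
        cmp dword ptr [eax+0x32],0x83AB3FD1
        je Taylor
        jmp HCH_Ending              // unknown layout: leave it alone
Justin:
        /*
        mov byte ptr [eax+0x60],0xEB//short jmp
        mov byte ptr [eax+0x88],0xEB//short jmp
        mov byte ptr [eax+0xB0],0xEB//short jmp
        mov byte ptr [eax+0xD8],0xEB//short jmp
        mov byte ptr [eax+0x100],0xEB//short jmp
        mov word ptr [eax+0x135],0x9090//nop
        mov byte ptr [eax+0x139],0xEB//short jmp
        */
        mov byte ptr [eax+0x186],0xE8//call
        push ebx
        mov ebx,HSCRC_Dynamic1_Hook
        mov dword ptr [eax+0x187],ebx
        pop ebx
        sub dword ptr [eax+0x187],eax   // rel32 = hook - (base+0x186+5)
        sub dword ptr [eax+0x187],0x186
        sub dword ptr [eax+0x187],0x05
        mov byte ptr [eax+0x18B],0x90   // pad the 6th displaced byte
        jmp HCH_Ending
Bieber:
        /*
        mov byte ptr [eax+0x55],0xEB//short jmp
        mov byte ptr [eax+0x7C],0xEB//short jmp
        mov byte ptr [eax+0xA4],0xEB//short jmp
        mov byte ptr [eax+0xCC],0xEB//short jmp
        mov byte ptr [eax+0xF3],0xEB//short jmp
        mov word ptr [eax+0x120],0x9090//nop
        mov byte ptr [eax+0x125],0xEB//short jmp
        */
        mov byte ptr [eax+0x15A],0xE8//call
        push ebx
        mov ebx,HSCRC_Dynamic2_Hook
        mov dword ptr [eax+0x15B],ebx
        pop ebx
        sub dword ptr [eax+0x15B],eax   // rel32 = hook - (base+0x15A+5)
        sub dword ptr [eax+0x15B],0x15A
        sub dword ptr [eax+0x15B],0x05
        jmp HCH_Ending
Taylor:
        mov byte ptr [eax+0x169],0xE8//call
        push ebx
        mov ebx,HSCRC_Dynamic3_Hook
        mov dword ptr [eax+0x16A],ebx
        pop ebx
        sub dword ptr [eax+0x16A],eax   // rel32 = hook - (base+0x169+5)
        sub dword ptr [eax+0x16A],0x169
        sub dword ptr [eax+0x16A],0x05
        mov byte ptr [eax+0x176],0xE8//call
        push ebx
        mov ebx,HSCRC_Dynamic4_Hook
        mov dword ptr [eax+0x177],ebx
        pop ebx
        sub dword ptr [eax+0x177],eax   // rel32 = hook - (base+0x176+5)
        sub dword ptr [eax+0x177],0x176
        sub dword ptr [eax+0x177],0x05
        jmp HCH_Ending
HCH_Ending:
        pop eax                     // replay the displaced epilogue: eax,
        popfd                       // then the saved flags (now unclobbered),
        ret 0x0000                  // then return
    }
}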
  282.  
  283.  
/*
    Installs the HackShield (EHSvc.dll) bypass for the build this file targets.

    In order:
      1. Load HShield/EHSvc.dll and log where it landed; give up on failure.
      2. Snapshot the still-unpatched image (AirMemory::CreateMemoryDump) and
         publish its bounds in EHSvc_Start/EHSvc_End/EHSvc_MemoryDump, which
         the CRC trampolines above use to serve integrity reads from the copy.
      3. Install the CRC trampolines and the static byte patches.
      4. Redirect every "pop eax / popfd / ret 0" epilogue found by AOB scan
         into Hidden_Call_Hook, which patches the dynamically generated CRC
         routines at run time.

    Every offset below is image-relative and belongs to EHSvc v5.7.20.616.
    Nothing checks that the DLL actually loaded is that build, so running this
    against any other version writes into unrelated code; verifying the
    expected bytes at each site before writing would be the obvious hardening.
    The log strings are the original (Japanese) ones and are emitted verbatim.
*/
void HackShieldBypass(){
    const char TargetLibFileName[] = "HShield/EHSvc.dll";

    // NOTE(review): relative path -> resolved through the normal DLL search
    // order, so the working directory decides which EHSvc.dll is loaded.
    HMODULE hDLL = LoadLibraryA(TargetLibFileName);
    if(!hDLL){
        AW.AddFormatString(EDIT_LOG, "%sの読み込みに失敗しました\r\n", TargetLibFileName);
        return;
    }
    AW.AddFormatString(EDIT_LOG, "%sは%dに読み込まれました\r\n", TargetLibFileName, hDLL);

    // Dump the clean image before any patch is applied.
    AirMemory EHSvc;
    EHSvc.Init("EHSvc.dll");
    EHSvc.CreateMemoryDump();
    EHSvc.GetDumpInfo(&EHSvc_Start, &EHSvc_End, &EHSvc_MemoryDump);
    AW.AddFormatString(EDIT_LOG, "メモリダンプを%dに生成しました\r\n", EHSvc_MemoryDump);

    // CRC routines: trampolines that rebase reads into the dump.  The trailing
    // count appears to be the number of bytes the hook displaces beyond the
    // 5-byte jmp; each trampoline replays exactly those instructions.
    EHSvc.WriteHook(0x9C852, JMP, HSCRC1_Hook, &HSCRC1_Ret, 2);//HSCRC1
    EHSvc.WriteHook(0x4AAE69, JMP, HSCRC2_Hook, &HSCRC2_Ret, 3);//HSCRC2
    EHSvc.WriteHook(0x26F0C7, JMP, HSCRC3_Hook, &HSCRC3_Ret);//HSCRC3
    EHSvc.WriteHook(0x36FB0C, JMP, HSCRC4_Hook, &HSCRC4_Ret);//HSCRC4
    EHSvc.MemoryWriter(0x31FE71, "39 C0");//HSCRC5: cmp eax,eax
    EHSvc.WriteHook(0x41617, JMP, HSCRC_Client_Hook, &HSCRC_Client_Ret, 3);//HSCRC_Client

    // HSCRC5_Dynamic: hook every "pop eax / popfd / ret 0" epilogue.  Each
    // WriteHook overwrites the matched bytes, which is what makes the rescan
    // terminate.  NOTE(review): if WriteHook can fail without writing, this
    // loop never ends; the scan result is also passed where the other calls
    // pass image-relative offsets, so AobScan presumably returns the same kind
    // of value -- verify.
    for(;;){
        DWORD HiddenCall = EHSvc.AobScan("58 9D C2 00 00");
        if(!HiddenCall){
            break;
        }
        EHSvc.WriteHook(HiddenCall, JMP, Hidden_Call_Hook);
    }

    // Static patches.  "31 C0 C3" / "31 C0 C2 xx 00" turn the routine into
    // `xor eax,eax; ret [n]`; the last entry is `mov eax,0`.
    struct StaticPatch{ DWORD offset; const char *bytes; };
    static const StaticPatch patches[] = {
        { 0x579B0, "31 C0 C2 04 00" },//Process Scanner
        { 0x5E670, "31 C0 C2 04 00" },//Module Scanner
        { 0x11C00, "31 C0 C3" },//HardwareBreakPoint Detection(Main)
        { 0x101C0, "31 C0 C3" },//HardwareBreakPoint Detection2
        { 0x103B0, "31 C0 C3" },//HardwareBreakPoint Detection3
        { 0x10B70, "31 C0 C2 18 00" },//HardwareBreakPoint Detection4
        { 0x788F0, "31 C0 C3" },//SoftwareBreakPoint Detection
        { 0xDBF9D, "B8 00 00 00 00" },//Memory Protection
    };
    for(unsigned i = 0; i < sizeof(patches) / sizeof(patches[0]); ++i){
        EHSvc.MemoryWriter(patches[i].offset, patches[i].bytes);
    }

    AW.AddString(EDIT_LOG, "HackShield 回避コードを書き込みました\r\n");
}