HackShield memory protection bypass
Driver to bypass Hackshield memory protection
with source code
HackShield memory protection works by hooking some functions in kernel space. EagleNT.sys checks every parameter passed to the hooked functions and then blocks or allows the operation. When the HS memory unprotector driver is loaded, you can use OpenProcess, WriteProcessMemory and ReadProcessMemory as normal.
How does memory protection work?
HackShield replaces three functions (NtReadVirtualMemory, NtWriteVirtualMemory and NtOpenProcess) to protect game memory.
How to bypass memory protection?
It's easy. We should take a look at the NtWriteVirtualMemory function.
As we can see, they are placing a 'call' to an EagleNT.sys function (call 0xA4A5C800).
Just go to this function (0xA4A5C800).
As we can see, they are using the ZwQueryInformationProcess function to translate a HANDLE into a process id (bad idea btw.). We can hook ZwQueryInformationProcess and, if EagleNT.sys is the caller, return 0 (or a fake number) as the process id. That's all!
Next we should hook NtOpenProcess with a small re-implementation of this function.
This material is for EDUCATIONAL PURPOSES only!
Author: Chris (aka kill1212)
Re: HackShield memory protection bypass
Interesting implementation.
I went a different way: emulation of the kernel functions OpenProcess, ReadProcessMemory, etc...
Re: HackShield memory protection bypass
Great information. I always wanted to know how F2P game security works; this info helps me understand a bit, but I am still a little confused on this stuff, but I am here reading every goddamn thing I can to maybe understand.
Re: HackShield memory protection bypass
Sorry, I've got the address but I can't edit it (with MHS), and if I use CE I can't find the address
and it just gets stuck at 7FFFFFFF (not FFFFFFFF). I have changed the search mode in CE from 7FFFFFFF to FFFFFFFF and I still can't find it.