Main.cpp
#include
#include
#include
#include
#include
#include
#include "Hider.h"
#pragma comment(lib, "Wininet.lib")
#pragma warning(disable : 4018 4102)
// Overwrites the first five bytes at `target` with an x86 relative JMP
// (opcode 0xE9 followed by a rel32) to `newfunc`; the displacement is
// newfunc - (target + 5). This is a classic inline detour: a code-integrity
// check that compares function entry bytes against the on-disk image will
// see the 0xE9 at `target`. Neither VirtualProtect result is checked, so if
// the page cannot be made writable the store below faults. 32-bit only:
// pointer values are truncated to DWORD.
void CopyCode(PDWORD target, PDWORD newfunc)
{
DWORD Jmpto=(DWORD)(newfunc)-(DWORD)target-5; // rel32 of the JMP, measured from the end of the 5-byte instruction
DWORD a; // receives the previous page protection
VirtualProtect(target, 8, PAGE_EXECUTE_READWRITE, &a); // 8 bytes unprotected, only 5 are written
*(PBYTE)(target)=0xE9; // JMP rel32 opcode
*(PDWORD)((DWORD)(target)+1)=Jmpto;
VirtualProtect(target, 8, a, &a); // restore; `a` doubles as the old-protect out-parameter
}
// Layout overlay for a structure inside EhSvc.dll (HackShield); the byte
// arrays are padding so that dwES lands at offset 0xA8 and dwDIP at 0x148.
// HookUndetect5 stores into these two fields the same values it writes to
// g_pDevice[42] and g_pDevice[82] (the slots it earlier read into oEndScene
// and oDrawIndexedPrimitive), so they presumably mirror the vtable entries
// the anti-cheat expects -- the offsets are tied to one EhSvc.dll build.
class CHSBypass
{
public:
char _0x0000[168]; // padding 0x000 .. 0x0A7
DWORD dwES; // offset 0x0A8
char _0x00AC[156]; // padding 0x0AC .. 0x147
DWORD dwDIP; // offset 0x148
};
// Resolved by a static initializer, i.e. while this DLL is being attached
// under the loader lock; calling LoadLibrary from that context is documented
// as unsafe. The handle is never released.
HMODULE hGfxDx = LoadLibrary("i3GfxDx.dll");
// Worker thread started from DllMain. Locates a Direct3D 9 device through an
// exported global of i3GfxDx.dll plus a hard-coded offset, detours the code
// preceding several vtable entries with CopyCode, and then once per second,
// forever, re-points vtable slots 42 and 82 (read as EndScene /
// DrawIndexedPrimitive below) and mirrors the values into an EhSvc.dll
// structure found at a hard-coded RVA. `Param` is unused. Does not return
// once i3GfxDx.dll is loaded.
// pGDevice, pDevice, oEndScene, oDrawIndexedPrimitive, hkEndScene and
// hkDrawIndexedPrimitive are not declared in this file (presumably in one
// of the headers whose names were lost above).
// Every constant here (0x5380, 0x126F64 + 0x7B, the vtable indices) is tied
// to specific builds of i3GfxDx.dll / EhSvc.dll / d3d9.dll.
DWORD WINAPI HookUndetect5(LPVOID Param)
{
if (hGfxDx > 0) // handle compared against 0, i.e. a non-NULL test
{
// Address of the exported global g_pRenderContext (a pointer to an i3RenderContext).
DWORD tmp1 = (DWORD)GetProcAddress(hGfxDx, "?g_pRenderContext@@3PAVi3RenderContext@@A");
DWORD tmp2 = 0;
// Busy-spins (no Sleep) until the 4 bytes at *g_pRenderContext + 0x5380 are readable.
// IsBadReadPtr returns FALSE (compared with NULL here) when the range is readable;
// it is documented as unreliable and can mask guard-page faults in other threads.
while(!pGDevice)
{
if(IsBadReadPtr((PDWORD)tmp1,4)==NULL)tmp2 = *(PDWORD)((DWORD)(tmp1))+ 0x5380; // ?EndRender@i3RenderContext@@QAEXXZ
if(IsBadReadPtr((PDWORD)tmp2,4)==NULL)
{
DWORD OldProtect;
VirtualProtect((void*)(tmp2), 4, PAGE_EXECUTE_READWRITE, &OldProtect);
memcpy(&pGDevice, (void *)tmp2, 4); // copies the 4-byte pointer stored there into pGDevice
// lpflOldProtect is NULL, which makes this VirtualProtect fail, so the page is
// left PAGE_EXECUTE_READWRITE -- an RWX data page is itself a scanner artifact.
VirtualProtect((void*)(tmp2), 4, OldProtect, NULL);
}
}
DWORD *g_pDevice = (DWORD*)pGDevice;
g_pDevice = (DWORD*)g_pDevice[0]; // first DWORD of the object: presumably its vtable pointer
// Executes at most once. Note g_pDevice already holds g_pDevice[0] at this point,
// so pDevice receives that value rather than pGDevice.
while(!pDevice)pDevice = (LPDIRECT3DDEVICE9)(DWORD*)g_pDevice;
*(PDWORD)&oEndScene = g_pDevice[42]; // save original slot 42
*(PDWORD)&oDrawIndexedPrimitive = g_pDevice[82]; // save original slot 82
// Writes a JMP into the 5 bytes preceding the functions in slots 1..6
// (presumably alignment padding). Slot 1's pad chains to slot 4's pad, which
// the fourth call then points at hkEndScene; slot 2's pad chains to slot 5's
// pad, which is pointed at hkDrawIndexedPrimitive; slot 3's pad jumps to slot 6's pad.
CopyCode((PDWORD)(g_pDevice[1] - 5), (PDWORD)(g_pDevice[4] - 5));
CopyCode((PDWORD)(g_pDevice[2] - 5), (PDWORD)(g_pDevice[5] - 5));
CopyCode((PDWORD)(g_pDevice[3] - 5), (PDWORD)(g_pDevice[6] - 5));
CopyCode((PDWORD)(g_pDevice[4] - 5), (PDWORD)hkEndScene);
CopyCode((PDWORD)(g_pDevice[5] - 5), (PDWORD)hkDrawIndexedPrimitive);
// Runs forever: every second slots 42/82 are re-pointed at the patched padding
// and the same values are copied into the EhSvc structure -- presumably so a
// later restore of the vtable is undone within a second (inferred, not shown).
// Unlike CopyCode, these vtable stores are not preceded by VirtualProtect.
while(1)
{
// EhSvc.dll base + hard-coded RVA; the trailing comment records the disassembly
// the offset was taken from. A NULL from GetModuleHandleA is not checked.
DWORD dwEhsvc = (DWORD)GetModuleHandleA("EhSvc.dll") + 0x126F64 + 0x7B; //1008EBA1 . 68 646F1210 PUSH ehsvc.10126F64 ; ASCII " Exception Raised (Error : 0x%x)"
CHSBypass *CHS = *(CHSBypass**)dwEhsvc; // the DWORD at that address is read as a pointer to the structure
g_pDevice[42] = (DWORD)g_pDevice[1] - 5;
g_pDevice[82] = (DWORD)g_pDevice[2] - 5;
CHS->dwES = g_pDevice[42];
CHS->dwDIP = g_pDevice[82];
Sleep(1000);
}
}
return 0; // reached only when i3GfxDx.dll could not be loaded
}
// All work happens at DLL_PROCESS_ATTACH, i.e. under the loader lock: the
// module is unlinked from the PEB loader lists, its PE headers are zeroed,
// and a worker thread is created. CreateThread from DllMain is documented
// as unsafe (the thread cannot run until DllMain returns), and the returned
// handle is never closed. From a scanner's point of view this leaves a
// mapped image region that is absent from the PEB lists and has no valid
// PE header -- both are artifacts legitimately loaded DLLs never show.
BOOL WINAPI DllMain(HMODULE hModule, DWORD dwReason, LPVOID lpvReserved){
if(dwReason == DLL_PROCESS_ATTACH)
{
DisableThreadLibraryCalls(hModule); // no DLL_THREAD_ATTACH/DETACH callbacks
HideModule(hModule);//hide module and prevent detection from hackshield
EraseHeaders(hModule);//erase header to dispatch any header like function in building from hackshield
// NULL is passed for the stack size and creation flags (both 0) and for the thread-id out-pointer.
CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)HookUndetect5, NULL, NULL, NULL);
}
return TRUE;
}
Hider.h
// Unlinks `hModule` from the three PEB loader lists (InLoadOrder,
// InMemoryOrder, InInitializationOrder) by re-pointing the LIST_ENTRY
// neighbours around the matching loader entry. x86-only: the PEB is read
// from fs:[30h] and all offsets are 32-bit.
// This hides the module from anything that enumerates via the PEB
// (Module32Next, EnumProcessModules, user-mode tools), but not from the
// memory map: the image is still mapped, so VirtualQuery / VAD walks, or
// comparing the PEB lists against mapped image regions, still reveal it.
// The unlinked entry's own Flink/Blink are left pointing into the list.
void HideModule(HINSTANCE hModule)
{
DWORD dwPEB_LDR_DATA = 0; // scratch copy of PEB->Ldr, reloaded before each list walk
_asm
{
pushad;
pushfd;
mov eax, fs:[30h] // TEB -> PEB
mov eax, [eax+0Ch] // PEB -> Ldr (PEB_LDR_DATA)
mov dwPEB_LDR_DATA, eax
InLoadOrderModuleList:
mov esi, [eax+0Ch] // Ldr->InLoadOrderModuleList.Flink
mov edx, [eax+10h] // .Blink = last entry, used as the loop terminator
LoopInLoadOrderModuleList:
lodsd // eax = [esi]: next entry's link
mov esi, eax // esi = current entry
mov ecx, [eax+18h] // DllBase, relative to InLoadOrderLinks
cmp ecx, hModule
jne SkipA
mov ebx, [eax] // Flink
mov ecx, [eax+4] // Blink
mov [ecx], ebx // Blink->Flink = Flink
mov [ebx+4], ecx // Flink->Blink = Blink
jmp InMemoryOrderModuleList
SkipA:
cmp edx, esi // stop once the last entry has been examined
jne LoopInLoadOrderModuleList
InMemoryOrderModuleList:
mov eax, dwPEB_LDR_DATA
mov esi, [eax+14h] // Ldr->InMemoryOrderModuleList.Flink
mov edx, [eax+18h] // .Blink
LoopInMemoryOrderModuleList:
lodsd
mov esi, eax
mov ecx, [eax+10h] // DllBase, relative to InMemoryOrderLinks
cmp ecx, hModule
jne SkipB
mov ebx, [eax]
mov ecx, [eax+4]
mov [ecx], ebx
mov [ebx+4], ecx
jmp InInitializationOrderModuleList
SkipB:
cmp edx, esi
jne LoopInMemoryOrderModuleList
InInitializationOrderModuleList:
mov eax, dwPEB_LDR_DATA
mov esi, [eax+1Ch] // Ldr->InInitializationOrderModuleList.Flink
mov edx, [eax+20h] // .Blink
LoopInInitializationOrderModuleList:
lodsd
mov esi, eax
mov ecx, [eax+08h] // DllBase, relative to InInitializationOrderLinks
cmp ecx, hModule
jne SkipC
mov ebx, [eax]
mov ecx, [eax+4]
mov [ecx], ebx
mov [ebx+4], ecx
jmp Finished
SkipC:
cmp edx, esi
jne LoopInInitializationOrderModuleList
Finished:
popfd;
popad;
}
}
// Zeroes the IMAGE_DOS_HEADER (sizeof(IMAGE_DOS_HEADER) bytes at the image
// base) and the IMAGE_NT_HEADERS (at e_lfanew) of `hModule` in place. The
// original note below warns that resources can no longer be loaded; anything
// else that parses these headers (export lookup, exception data) is
// presumably affected the same way. The original page protections are never
// restored, so the touched pages stay PAGE_READWRITE; the section headers
// following IMAGE_NT_HEADERS are left intact. A memory scanner that finds a
// mapped image without an 'MZ'/'PE' signature has a clear anomaly to report.
void EraseHeaders(HINSTANCE hModule)
{
/*
* just a func to erase headers by Croner.
* keep in mind you wont be able to load
* any resources after you erase headers.
*/
PIMAGE_DOS_HEADER pDoH;
PIMAGE_NT_HEADERS pNtH;
DWORD i, ersize, protect; // `protect` receives the old protection and is never used to restore it
if (!hModule) return;
// well just to make clear what we doing
pDoH = (PIMAGE_DOS_HEADER)(hModule);
// e_lfanew is read here, before the DOS header is zeroed below, so the NT header
// can still be located afterwards. (LONG) truncates to 32 bits.
pNtH = (PIMAGE_NT_HEADERS)((LONG)hModule + ((PIMAGE_DOS_HEADER)hModule)->e_lfanew);
ersize = sizeof(IMAGE_DOS_HEADER);
if ( VirtualProtect(pDoH, ersize, PAGE_READWRITE, &protect) )
{
for ( i=0; i < ersize; i++ )
*(BYTE*)((BYTE*)pDoH + i) = 0;
}
ersize = sizeof(IMAGE_NT_HEADERS);
// pNtH is non-NULL whenever hModule is, so this check is effectively only the VirtualProtect result.
if ( pNtH && VirtualProtect(pNtH, ersize, PAGE_READWRITE, &protect) )
{
for ( i=0; i < ersize; i++ )
*(BYTE*)((BYTE*)pNtH + i) = 0;
}
return;
}
Well, I don't know how to make this simple to read; sorry for my bad English.
But please read my explanation of this HackShield bug.
the first bug is this :
EraseHeaders(hModule);//erase header to dispatch any header like function in building from hackshield
This is a function that erases from PB memory the DOS header and NT header that announce "this is a module";
not much more than that.
HideModule(hModule);//hide module and prevent detection from hackshield
That makes our module hidden from the module listing. I have no idea why it works like that, but after I inject it and open my DLL name in Cheat Engine, for example:
FahmyXFiles.dll
CE cannot detect it! From that we can conclude that this function makes the module handle of our DLL not be read as a module,
which makes it undetected by HackShield.
Now the second bug, in the EhSvc module:
/*
DWORD tmp1 = (DWORD)GetProcAddress(hGfxDx, "?g_pRenderContext@@3PAVi3RenderContext@@A");
DWORD tmp2 = 0;
while(!pGDevice)
{
if(IsBadReadPtr((PDWORD)tmp1,4)==NULL)tmp2 = *(PDWORD)((DWORD)(tmp1))+ 0x5380; // ?EndRender@i3RenderContext@@QAEXXZ
if(IsBadReadPtr((PDWORD)tmp2,4)==NULL)
{
DWORD OldProtect;
VirtualProtect((void*)(tmp2), 4, PAGE_EXECUTE_READWRITE, &OldProtect);
memcpy(&pGDevice, (void *)tmp2, 4);
VirtualProtect((void*)(tmp2), 4, OldProtect, NULL);
}
}
*/
As you see, this code replaces the IAT hooking; or, I could say, in IAT hooking the code looks like this:
/*
DWORD VTable[3] = {0};
while(GetModuleHandle(hD3D) == 0){
Sleep(100);
}
IATInstalattion(VTable);//Searching VTable
HOOK(EndScene,VTable[**]);//Hook End Scene
Creditos
Jackal
&
B0L4D0_MC
#include
#include
#include
#include
#include
#include
#include "Hider.h"
#pragma comment(lib, "Wininet.lib")
#pragma warning(disable : 4018 4102)
// Overwrites the first five bytes at `target` with an x86 relative JMP
// (opcode 0xE9 followed by a rel32) to `newfunc`; the displacement is
// newfunc - (target + 5). This is a classic inline detour: a code-integrity
// check that compares function entry bytes against the on-disk image will
// see the 0xE9 at `target`. Neither VirtualProtect result is checked, so if
// the page cannot be made writable the store below faults. 32-bit only:
// pointer values are truncated to DWORD.
void CopyCode(PDWORD target, PDWORD newfunc)
{
DWORD Jmpto=(DWORD)(newfunc)-(DWORD)target-5; // rel32 of the JMP, measured from the end of the 5-byte instruction
DWORD a; // receives the previous page protection
VirtualProtect(target, 8, PAGE_EXECUTE_READWRITE, &a); // 8 bytes unprotected, only 5 are written
*(PBYTE)(target)=0xE9; // JMP rel32 opcode
*(PDWORD)((DWORD)(target)+1)=Jmpto;
VirtualProtect(target, 8, a, &a); // restore; `a` doubles as the old-protect out-parameter
}
// Layout overlay for a structure inside EhSvc.dll (HackShield); the byte
// arrays are padding so that dwES lands at offset 0xA8 and dwDIP at 0x148.
// HookUndetect5 stores into these two fields the same values it writes to
// g_pDevice[42] and g_pDevice[82] (the slots it earlier read into oEndScene
// and oDrawIndexedPrimitive), so they presumably mirror the vtable entries
// the anti-cheat expects -- the offsets are tied to one EhSvc.dll build.
class CHSBypass
{
public:
char _0x0000[168]; // padding 0x000 .. 0x0A7
DWORD dwES; // offset 0x0A8
char _0x00AC[156]; // padding 0x0AC .. 0x147
DWORD dwDIP; // offset 0x148
};
// Resolved by a static initializer, i.e. while this DLL is being attached
// under the loader lock; calling LoadLibrary from that context is documented
// as unsafe. The handle is never released.
HMODULE hGfxDx = LoadLibrary("i3GfxDx.dll");
// Worker thread started from DllMain. Locates a Direct3D 9 device through an
// exported global of i3GfxDx.dll plus a hard-coded offset, detours the code
// preceding several vtable entries with CopyCode, and then once per second,
// forever, re-points vtable slots 42 and 82 (read as EndScene /
// DrawIndexedPrimitive below) and mirrors the values into an EhSvc.dll
// structure found at a hard-coded RVA. `Param` is unused. Does not return
// once i3GfxDx.dll is loaded.
// pGDevice, pDevice, oEndScene, oDrawIndexedPrimitive, hkEndScene and
// hkDrawIndexedPrimitive are not declared in this file (presumably in one
// of the headers whose names were lost above).
// Every constant here (0x5380, 0x126F64 + 0x7B, the vtable indices) is tied
// to specific builds of i3GfxDx.dll / EhSvc.dll / d3d9.dll.
DWORD WINAPI HookUndetect5(LPVOID Param)
{
if (hGfxDx > 0) // handle compared against 0, i.e. a non-NULL test
{
// Address of the exported global g_pRenderContext (a pointer to an i3RenderContext).
DWORD tmp1 = (DWORD)GetProcAddress(hGfxDx, "?g_pRenderContext@@3PAVi3RenderContext@@A");
DWORD tmp2 = 0;
// Busy-spins (no Sleep) until the 4 bytes at *g_pRenderContext + 0x5380 are readable.
// IsBadReadPtr returns FALSE (compared with NULL here) when the range is readable;
// it is documented as unreliable and can mask guard-page faults in other threads.
while(!pGDevice)
{
if(IsBadReadPtr((PDWORD)tmp1,4)==NULL)tmp2 = *(PDWORD)((DWORD)(tmp1))+ 0x5380; // ?EndRender@i3RenderContext@@QAEXXZ
if(IsBadReadPtr((PDWORD)tmp2,4)==NULL)
{
DWORD OldProtect;
VirtualProtect((void*)(tmp2), 4, PAGE_EXECUTE_READWRITE, &OldProtect);
memcpy(&pGDevice, (void *)tmp2, 4); // copies the 4-byte pointer stored there into pGDevice
// lpflOldProtect is NULL, which makes this VirtualProtect fail, so the page is
// left PAGE_EXECUTE_READWRITE -- an RWX data page is itself a scanner artifact.
VirtualProtect((void*)(tmp2), 4, OldProtect, NULL);
}
}
DWORD *g_pDevice = (DWORD*)pGDevice;
g_pDevice = (DWORD*)g_pDevice[0]; // first DWORD of the object: presumably its vtable pointer
// Executes at most once. Note g_pDevice already holds g_pDevice[0] at this point,
// so pDevice receives that value rather than pGDevice.
while(!pDevice)pDevice = (LPDIRECT3DDEVICE9)(DWORD*)g_pDevice;
*(PDWORD)&oEndScene = g_pDevice[42]; // save original slot 42
*(PDWORD)&oDrawIndexedPrimitive = g_pDevice[82]; // save original slot 82
// Writes a JMP into the 5 bytes preceding the functions in slots 1..6
// (presumably alignment padding). Slot 1's pad chains to slot 4's pad, which
// the fourth call then points at hkEndScene; slot 2's pad chains to slot 5's
// pad, which is pointed at hkDrawIndexedPrimitive; slot 3's pad jumps to slot 6's pad.
CopyCode((PDWORD)(g_pDevice[1] - 5), (PDWORD)(g_pDevice[4] - 5));
CopyCode((PDWORD)(g_pDevice[2] - 5), (PDWORD)(g_pDevice[5] - 5));
CopyCode((PDWORD)(g_pDevice[3] - 5), (PDWORD)(g_pDevice[6] - 5));
CopyCode((PDWORD)(g_pDevice[4] - 5), (PDWORD)hkEndScene);
CopyCode((PDWORD)(g_pDevice[5] - 5), (PDWORD)hkDrawIndexedPrimitive);
// Runs forever: every second slots 42/82 are re-pointed at the patched padding
// and the same values are copied into the EhSvc structure -- presumably so a
// later restore of the vtable is undone within a second (inferred, not shown).
// Unlike CopyCode, these vtable stores are not preceded by VirtualProtect.
while(1)
{
// EhSvc.dll base + hard-coded RVA; the trailing comment records the disassembly
// the offset was taken from. A NULL from GetModuleHandleA is not checked.
DWORD dwEhsvc = (DWORD)GetModuleHandleA("EhSvc.dll") + 0x126F64 + 0x7B; //1008EBA1 . 68 646F1210 PUSH ehsvc.10126F64 ; ASCII " Exception Raised (Error : 0x%x)"
CHSBypass *CHS = *(CHSBypass**)dwEhsvc; // the DWORD at that address is read as a pointer to the structure
g_pDevice[42] = (DWORD)g_pDevice[1] - 5;
g_pDevice[82] = (DWORD)g_pDevice[2] - 5;
CHS->dwES = g_pDevice[42];
CHS->dwDIP = g_pDevice[82];
Sleep(1000);
}
}
return 0; // reached only when i3GfxDx.dll could not be loaded
}
// All work happens at DLL_PROCESS_ATTACH, i.e. under the loader lock: the
// module is unlinked from the PEB loader lists, its PE headers are zeroed,
// and a worker thread is created. CreateThread from DllMain is documented
// as unsafe (the thread cannot run until DllMain returns), and the returned
// handle is never closed. From a scanner's point of view this leaves a
// mapped image region that is absent from the PEB lists and has no valid
// PE header -- both are artifacts legitimately loaded DLLs never show.
BOOL WINAPI DllMain(HMODULE hModule, DWORD dwReason, LPVOID lpvReserved){
if(dwReason == DLL_PROCESS_ATTACH)
{
DisableThreadLibraryCalls(hModule); // no DLL_THREAD_ATTACH/DETACH callbacks
HideModule(hModule);//hide module and prevent detection from hackshield
EraseHeaders(hModule);//erase header to dispatch any header like function in building from hackshield
// NULL is passed for the stack size and creation flags (both 0) and for the thread-id out-pointer.
CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)HookUndetect5, NULL, NULL, NULL);
}
return TRUE;
}
Hider.h
// Unlinks `hModule` from the three PEB loader lists (InLoadOrder,
// InMemoryOrder, InInitializationOrder) by re-pointing the LIST_ENTRY
// neighbours around the matching loader entry. x86-only: the PEB is read
// from fs:[30h] and all offsets are 32-bit.
// This hides the module from anything that enumerates via the PEB
// (Module32Next, EnumProcessModules, user-mode tools), but not from the
// memory map: the image is still mapped, so VirtualQuery / VAD walks, or
// comparing the PEB lists against mapped image regions, still reveal it.
// The unlinked entry's own Flink/Blink are left pointing into the list.
void HideModule(HINSTANCE hModule)
{
DWORD dwPEB_LDR_DATA = 0; // scratch copy of PEB->Ldr, reloaded before each list walk
_asm
{
pushad;
pushfd;
mov eax, fs:[30h] // TEB -> PEB
mov eax, [eax+0Ch] // PEB -> Ldr (PEB_LDR_DATA)
mov dwPEB_LDR_DATA, eax
InLoadOrderModuleList:
mov esi, [eax+0Ch] // Ldr->InLoadOrderModuleList.Flink
mov edx, [eax+10h] // .Blink = last entry, used as the loop terminator
LoopInLoadOrderModuleList:
lodsd // eax = [esi]: next entry's link
mov esi, eax // esi = current entry
mov ecx, [eax+18h] // DllBase, relative to InLoadOrderLinks
cmp ecx, hModule
jne SkipA
mov ebx, [eax] // Flink
mov ecx, [eax+4] // Blink
mov [ecx], ebx // Blink->Flink = Flink
mov [ebx+4], ecx // Flink->Blink = Blink
jmp InMemoryOrderModuleList
SkipA:
cmp edx, esi // stop once the last entry has been examined
jne LoopInLoadOrderModuleList
InMemoryOrderModuleList:
mov eax, dwPEB_LDR_DATA
mov esi, [eax+14h] // Ldr->InMemoryOrderModuleList.Flink
mov edx, [eax+18h] // .Blink
LoopInMemoryOrderModuleList:
lodsd
mov esi, eax
mov ecx, [eax+10h] // DllBase, relative to InMemoryOrderLinks
cmp ecx, hModule
jne SkipB
mov ebx, [eax]
mov ecx, [eax+4]
mov [ecx], ebx
mov [ebx+4], ecx
jmp InInitializationOrderModuleList
SkipB:
cmp edx, esi
jne LoopInMemoryOrderModuleList
InInitializationOrderModuleList:
mov eax, dwPEB_LDR_DATA
mov esi, [eax+1Ch] // Ldr->InInitializationOrderModuleList.Flink
mov edx, [eax+20h] // .Blink
LoopInInitializationOrderModuleList:
lodsd
mov esi, eax
mov ecx, [eax+08h] // DllBase, relative to InInitializationOrderLinks
cmp ecx, hModule
jne SkipC
mov ebx, [eax]
mov ecx, [eax+4]
mov [ecx], ebx
mov [ebx+4], ecx
jmp Finished
SkipC:
cmp edx, esi
jne LoopInInitializationOrderModuleList
Finished:
popfd;
popad;
}
}
// Zeroes the IMAGE_DOS_HEADER (sizeof(IMAGE_DOS_HEADER) bytes at the image
// base) and the IMAGE_NT_HEADERS (at e_lfanew) of `hModule` in place. The
// original note below warns that resources can no longer be loaded; anything
// else that parses these headers (export lookup, exception data) is
// presumably affected the same way. The original page protections are never
// restored, so the touched pages stay PAGE_READWRITE; the section headers
// following IMAGE_NT_HEADERS are left intact. A memory scanner that finds a
// mapped image without an 'MZ'/'PE' signature has a clear anomaly to report.
void EraseHeaders(HINSTANCE hModule)
{
/*
* just a func to erase headers by Croner.
* keep in mind you wont be able to load
* any resources after you erase headers.
*/
PIMAGE_DOS_HEADER pDoH;
PIMAGE_NT_HEADERS pNtH;
DWORD i, ersize, protect; // `protect` receives the old protection and is never used to restore it
if (!hModule) return;
// well just to make clear what we doing
pDoH = (PIMAGE_DOS_HEADER)(hModule);
// e_lfanew is read here, before the DOS header is zeroed below, so the NT header
// can still be located afterwards. (LONG) truncates to 32 bits.
pNtH = (PIMAGE_NT_HEADERS)((LONG)hModule + ((PIMAGE_DOS_HEADER)hModule)->e_lfanew);
ersize = sizeof(IMAGE_DOS_HEADER);
if ( VirtualProtect(pDoH, ersize, PAGE_READWRITE, &protect) )
{
for ( i=0; i < ersize; i++ )
*(BYTE*)((BYTE*)pDoH + i) = 0;
}
ersize = sizeof(IMAGE_NT_HEADERS);
// pNtH is non-NULL whenever hModule is, so this check is effectively only the VirtualProtect result.
if ( pNtH && VirtualProtect(pNtH, ersize, PAGE_READWRITE, &protect) )
{
for ( i=0; i < ersize; i++ )
*(BYTE*)((BYTE*)pNtH + i) = 0;
}
return;
}
Well, I don't know how to make this simple to read; sorry for my bad English.
But please read my explanation of this HackShield bug.
the first bug is this :
EraseHeaders(hModule);//erase header to dispatch any header like function in building from hackshield
This is a function that erases from PB memory the DOS header and NT header that announce "this is a module";
not much more than that.
HideModule(hModule);//hide module and prevent detection from hackshield
That makes our module hidden from the module listing. I have no idea why it works like that, but after I inject it and open my DLL name in Cheat Engine, for example:
FahmyXFiles.dll
CE cannot detect it! From that we can conclude that this function makes the module handle of our DLL not be read as a module,
which makes it undetected by HackShield.
Now the second bug, in the EhSvc module:
/*
DWORD tmp1 = (DWORD)GetProcAddress(hGfxDx, "?g_pRenderContext@@3PAVi3RenderContext@@A");
DWORD tmp2 = 0;
while(!pGDevice)
{
if(IsBadReadPtr((PDWORD)tmp1,4)==NULL)tmp2 = *(PDWORD)((DWORD)(tmp1))+ 0x5380; // ?EndRender@i3RenderContext@@QAEXXZ
if(IsBadReadPtr((PDWORD)tmp2,4)==NULL)
{
DWORD OldProtect;
VirtualProtect((void*)(tmp2), 4, PAGE_EXECUTE_READWRITE, &OldProtect);
memcpy(&pGDevice, (void *)tmp2, 4);
VirtualProtect((void*)(tmp2), 4, OldProtect, NULL);
}
}
*/
As you see, this code replaces the IAT hooking; or, I could say, in IAT hooking the code looks like this:
/*
DWORD VTable[3] = {0};
while(GetModuleHandle(hD3D) == 0){
Sleep(100);
}
IATInstalattion(VTable);//Searching VTable
HOOK(EndScene,VTable[**]);//Hook End Scene
Creditos
Jackal
&
B0L4D0_MC