Author: alanlei.
Date: 27/07/2014
If you have any problems, please feel free to contact me.
my skype id: alanlei
//callback 1
Ehsvc.dll+9DDBD
//55 8B EC 83 EC 28 53 56 57 89 4D D8 E9
new:(void *)"\xC3", 1);
Find:
0x%x,0x%x *** (In a call)
[%08x] [%s]
%d [%s]
Fail For Retrieving Current File Pos
//callback 2
Ehsvc.dll+B0C8
//75 15 55 E8 ?? ?? ?? ?? 83 C4 04 33 C0 5F 5E
old:(void *)"\x74\x15", 2);
new:db 90 90
Find:GetTcpTable
1 %d
2 %d
%s
%s *** (向下找1個空跳轉,即到達)
%ld
%ld
%d\n
//Nanoscan 1
Ehsvc.dll+C1DB1
new:(void *)"\x03\xD2", 2);
Find:
OpenProcess
SeDebugPrivilege
%02X
%s\r\n *** (向下ret x5,找紅字大舊野x5,入第一層call)
(到左第一層call,找紅字大舊野x5,入第二層call)
(找add eax,eax,即到達)
//Nanoscan 2
Ehsvc.dll+BE6A2
(void *)"\xB0\x00\x00\x00\x00", 5);
Find:
OpenProcess
SeDebugPrivilege
%02X
%s\r\n *** (向下ret x5,找紅字大舊野x5,入第一層call,即到達)
//Self CRC
Ehsvc.dll+9CF4C
(void *)"\xC2\x04\x00", 3);
Find:
(向下找重複function)
push ebp
mov ebp,esp
call xxx
call xxx
pop ebp
retn
(向下ret x5-6,即到達)
(注意變化一定有2組)
push ebp
mov ebp,esp
sub esp,0x8
push ebx
push esi
push edi
mov dword ptr xxx
jmp xxx
%%%02x
%%%02x
%c ***
0x%x,0x%x
[%08x] [%s]
%d [%s]
Fail For Retrieving Current File Pos
//Detection
Ehsvc.dll+B030
//83 EC 08 53 55 56 57 89 4C 24 10 8B 41 0C 83 F8 0A 0F 8D
new:(void *)"\xC2\x04\x00", 3);
Find:GetTcpTable
1 %d
2 %d
%s
%s *** (向下找超短opcode,即到達)
mov ecx,xxx
jmp xxx
//Assembly
Ehsvc.dll+39B7D
//75 40 8B 46 0C 8B 7F 04 83 F8 01 53 75 0C
db 90 90
Find:
\StringFileInfo\%04hX%04hX\FileVersion
...
FFFF *** (向上找超上計算)
(向上找一個短opcode)
call xxx
mov eax,xxx
retn
(找75 40,即到達)
FFFF
(%d)
(%d)
(%d)
(%d)
//Anticrash
Ehsvc.dll+4B63E
//85 C0 74 0A 83 7D E0 02 0F 8F E3 00 00 00
db 90 90
Find:
\StringFileInfo\%04hX%04hX\FileVersion
...
SeDebugPrivilege *** (向下找一個短opcode)
iretd
pop ebx
pop edx
lea,dword ptr xxx
out 0xD1,al
mov ch,0x67
retn
jmp xxx
(找紅字大舊野x2,係第3大舊野上面call,入第一層call)
(找test eax,eax x2,即到達)
SeDebugPrivilege
3n.mhe
//Nanocheck 1
Ehsvc.dll+4B5D0
db 90 90 90 90 90 90
Find:
\StringFileInfo\%04hX%04hX\FileVersion
...
SeDebugPrivilege *** (向下找一個短opcode)
iretd
pop ebx
pop edx
lea,dword ptr xxx
out 0xD1,al
mov ch,0x67
retn
jmp xxx
(找紅字大舊野x2,係第3大舊野上面call,入第一層call)
(找je第一跳轉位置,即到達)
SeDebugPrivilege
3n.mhe
//Nanocheck 2
Ehsvc.dll+48361
db 90 90 90 90 90 90
Find:
\StringFileInfo\%04hX%04hX\FileVersion
...
SeDebugPrivilege
SeDebugPrivilege *** (向下ret x8,找紅字大舊野x3,入第一層call)
(找je第二跳轉位置,即到達)
3n.mhe
//Nanocheck 3
Ehsvc.dll+4AA7F
db 90 90
Find:
anticrash開始找紅字大舊野x4 中間,入第一層call
向下找重複opcode
jnz xxx
mov esi,xxx
向下找ret 下面第一個跳轉位置,即到達
2014年7月26日 星期六
HackShield Bypass (EhSvc.dll version 5.7.6.502) for trgame
//2014.7.27 Ehsvc.dll 5.6.7.237 (trgame)
Ehsvc.dll+9DDBD //callback 1 db c3
Ehsvc.dll+B0C8 //callback 2 db 74 15
Ehsvc.dll+C1DB1 //Nanoscan 1 db 03 d2
Ehsvc.dll+BE6A2 //Nanoscan 2 db b0 00 00 00 00
Ehsvc.dll+9CF4C //Self CRC db c2 04 00
Ehsvc.dll+B030 //Detection db c2 04 00
Ehsvc.dll+39B7D //Assembly db 90 90
Ehsvc.dll+4B63E //Anticrash db 90 90
Ehsvc.dll+4B5D0 //Nanocheck 1 db 90 90 90 90 90 90
Ehsvc.dll+48361 //Nanocheck 2 db 90 90 90 90 90 90
Ehsvc.dll+4AA7F //Nanocheck 3 db 90 90
The HackShield CRC bypass is updated by me. If there are any mistakes, please tell me ;)
Ehsvc.dll+9DDBD //callback 1 db c3
Ehsvc.dll+B0C8 //callback 2 db 74 15
Ehsvc.dll+C1DB1 //Nanoscan 1 db 03 d2
Ehsvc.dll+BE6A2 //Nanoscan 2 db b0 00 00 00 00
Ehsvc.dll+9CF4C //Self CRC db c2 04 00
Ehsvc.dll+B030 //Detection db c2 04 00
Ehsvc.dll+39B7D //Assembly db 90 90
Ehsvc.dll+4B63E //Anticrash db 90 90
Ehsvc.dll+4B5D0 //Nanocheck 1 db 90 90 90 90 90 90
Ehsvc.dll+48361 //Nanocheck 2 db 90 90 90 90 90 90
Ehsvc.dll+4AA7F //Nanocheck 3 db 90 90
The HackShield CRC bypass is updated by me. If there are any mistakes, please tell me ;)