Unknown


This is (hopefully) going to be an easy-to-understand tutorial,
which will show you how to bypass the HackShield included in the official DE Client.

Code:
Warning!: Clients bypassing HackShield are easily detected by the server,
          since HackShield sends security packets to the server every few
          minutes.

          If you are going to bypass HackShield,
          you should only use test accounts!
Required Tools:


Step 1: Analyzing
Quote:
To get started, we have to analyze the Client first.
The best of all free analysis tools is PEiD.

Simply download and unpack it, then drag and drop the Client onto its GUI.
As you can see, the Client is packed by UPX.

UPX is nothing more than a simple packer. Since it's a free open-source tool,
you can download it from its SourceForge project site (link posted above).
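The UPX check PEiD performs in Step 1 can also be done by hand. This Python script is an added example, not part of the original tutorial: it parses the PE section table and flags the UPX0/UPX1/UPX2 section names the packer writes; build_fake_pe constructs a minimal header purely for offline testing and is not a runnable executable.

```python
import struct

# Section names UPX writes into the section table (UPX0/UPX1 code+data, UPX2 resources).
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image, or [] if the data is not a valid PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4                                          # COFF file header (20 bytes)
    if coff + 20 > len(data):
        return []
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]      # SizeOfOptionalHeader
    sections = coff + 20 + opt_size                              # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        off = sections + 40 * i                                  # each section header is 40 bytes
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0"))            # 8-byte, NUL-padded name
    return names


def is_upx_packed(data: bytes) -> bool:
    """Heuristic: any UPX-named section means the file was packed (and not renamed)."""
    return any(name in UPX_SECTION_NAMES for name in pe_section_names(data))


def build_fake_pe(section_names) -> bytes:
    """Constructed test input: DOS stub + PE signature + COFF header + section table only."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)      # e_lfanew lives at 0x3C
    # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader=0, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    image = dos + b"PE\0\0" + coff
    for name in section_names:
        image += name.ljust(8, b"\0") + b"\0" * 32               # name + zeroed remainder of header
    return image


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        print("UPX packed:", is_upx_packed(f.read()))
```

Section names are trivial to rename, so a file that reports False here may still be packed; PEiD's entry-point signatures are the stronger check.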
Step 2: Unpacking
Quote:
UPX is a simple command-line tool. Once you've downloaded and unpacked UPX,
you can simply use a batch file to unpack the Client.
The batch file could look like this:
Code:
upx -d -o TClient_unpacked.exe TClient.exe
(I've attached my batch file to the post.)
Just put the Client, the batch file, and the UPX packer into one and the same directory
and execute the batch file to get the unpacked client.

Copy "TClient_unpacked.exe" back to the game directory
and go on with the next step.
Step 3: Reversing (The Harder Part)
Quote:
To start the reversing, we need a debugger. Since OllyDbg is free and still one of the
best debuggers, I'll use it for this example.

1. Run OllyDbg and drag and drop "TClient_unpacked.exe" onto it.
2. Open the Executable modules list.
3. Double-click the first module to get into the client's code.
4. Right-click the code window and select the "Analyse code" option.
Code:
Once the analysis is complete, we will have to check where the HackShield DLL gets loaded.
To do that, we'll simply check each DLL that gets loaded by the LoadLibraryA function.
5. Right-click again and open the Intermodular calls window.
6. Sort the list by calls, select one of the LoadLibraryA calls, right-click and select all of them.
Code:
Now all of those calls should be marked red.
Once that has happened, we can run the client using F9.
It will now break whenever a DLL gets loaded into the client.
So we have to check the upper-right box containing the registers
to see which DLL gets loaded.
7. Press F9 until we find a DLL stored in \HShield\...
Code:
Now that we've found the call that runs the LoadLibraryA function,
we will have to trace it back to the call that starts the injection, to remove that one.
8. Scroll up to the entry point of the function. Entry points are always marked by $!
9. We have to repeat that until we get totally out of that HackShield code.
10. Once we've reached the top, we can NOP the HackShield call.
11. Remove the breakpoints on the LoadLibraryA functions, since we don't need them anymore.
12. Now we reset the Client, redo the patch we just did, and run the client to see if it works.
FAIL
Code:
Looks like there's another protection added to the client.
But this time it will be easy to crack it, since we've got a msgbox =)
13. Get back into the Intermodular calls window (step 5).
14. Scroll down to the MessageBoxA function and breakpoint them all.
15. Reset the Client again to get out of that error, and apply the patch again (step 12).
16. Run the Client.
Code:
Since we've got breakpoints on all MsgBox functions, the Client will break
once we get the error message =)
17. The Client breaks on the function call of the MsgBox. Scroll up to the entry of the function and trace it back.
18. NOP out that error!
19. Remove the breakpoints from the MessageBoxA functions, since we don't need them anymore (similar to step 11).
20. Reset the client, apply both patches again, and run or save the client, since we're done now =)
Step 4: Finished
Quote:
If you've done everything correctly, the client should now run through the debugger.
Note:
Quote:
Bypassing HackShield will DC you from time to time, since the security packets won't get sent to the server.
So after all you get a maximum of 5-10 minutes online for reversing the client.
Bonus:
Quote:
I'll attach the Normal, Unpacked and Unpacked_Patched client to this Post, as a proof of concept =)
Doc by: Elitepvpers, with admin permission


BiTDeMaCyber. Powered by Blogger.