Today I will share an aimbot base, together with the HackShield bypass it relies on and notes on how each trick could be detected.
Well, I don't know how to make this easy to read — sorry for my bad English — but please read my explanation of these HackShield bugs. The first bug is this: EraseHeaders(hModule); //erase header so HackShield's header-walking checks no longer see a PE image This function zeroes the DOS header and the NT headers — the bytes that say "this is a module" — out of the Point Blank process memory, so a check that walks from the module base to the MZ/PE signatures finds nothing. (Only the DOS and NT headers are wiped; section headers and everything after them stay in memory.) The other part is HideModule(hModule); //hide module and prevent detection from hackshield which unlinks our module from the loader's module lists. I don't have a full explanation of why this works, but after injecting it and searching for my DLL name in Cheat Engine (for example FahmyXFiles.dll), CE could not find it. From that we can conclude that this function makes the module's loader entry invisible to anything that enumerates modules, and that is what keeps it undetected by HackShield. (Note that HideModule only unlinks the PEB list entries; the mapped image itself is still present in memory, so a scanner that walks memory regions instead of the loader lists can still find it.) Now the second bug, in the EhSvc module: /* DWORD tmp1 = (DWORD)GetProcAddress(hGfxDx, "?g_pRenderContext@@3PAVi3RenderContext@@A"); DWORD tmp2 = 0; while(!pGDevice) { if(IsBadReadPtr((PDWORD)tmp1,4)==NULL)tmp2 = *(PDWORD)((DWORD)(tmp1))+ 0x5380; // ?EndRender@i3RenderContext@@QAEXXZ if(IsBadReadPtr((PDWORD)tmp2,4)==NULL) { DWORD OldProtect; VirtualProtect((void*)(tmp2), 4, PAGE_EXECUTE_READWRITE, &OldProtect); memcpy(&pGDevice, (void *)tmp2, 4); VirtualProtect((void*)(tmp2), 4, OldProtect, NULL); } } */ As you can see, this replaces the IAT hooking; by IAT hooking I mean code like this: /* DWORD VTable[3] = {0}; while(GetModuleHandle(hD3D) == 0){ Sleep(100); } IATInstalattion(VTable);//Searching VTable HOOK(EndScene,VTable[ES]);//Hook End Scene while(!npDevice) { Sleep(50);// Unhook when we get valid npDevice } UNHOOK(EndScene,VTable[ES]); */ We don't use that any more because HackShield detects any hook, but it has now been discovered that the game stores its device behind the pointer g_pRenderContext, which i3GfxDx.dll exports by name, so the device can be read straight out of memory without hooking anything. What can be done to fix it? You can't really fix it: even if the game pointer offset is changed, it can simply be searched for again. How to fix this D3D hook? That's the job of the AhnLab developers.
I'll explain the next part: /* DWORD *g_pDevice = (DWORD*)pGDevice; g_pDevice = (DWORD*)g_pDevice[0]; while(!pDevice)pDevice = (LPDIRECT3DDEVICE9)(DWORD*)g_pDevice; *(PDWORD)&oEndScene = g_pDevice[42]; *(PDWORD)&oDrawIndexedPrimitive = g_pDevice[82]; CopyCode((PDWORD)(g_pDevice[1] - 5), (PDWORD)(g_pDevice[4] - 5)); CopyCode((PDWORD)(g_pDevice[2] - 5), (PDWORD)(g_pDevice[5] - 5)); CopyCode((PDWORD)(g_pDevice[3] - 5), (PDWORD)(g_pDevice[6] - 5)); CopyCode((PDWORD)(g_pDevice[4] - 5), (PDWORD)hkEndScene); CopyCode((PDWORD)(g_pDevice[5] - 5), (PDWORD)hkDrawIndexedPrimitive); */ After getting the game device, we make a chain of jumps starting from entry 1 of the D3D9 vtable (maybe AddRef) for EndScene, and from entry 2 of the D3D9 vtable for hkDrawIndexedPrimitive, like this: /* (Our EndScene) -> Array Table 4 -> Array Table 1 (Our DrawIndexedPrimitive) -> Array Table 5 -> Array Table 2 */ CopyCode is just the "linker" ("->") that writes a jump from one vtable target to the next. Note that every jump is written into the 5 bytes immediately *before* the vtable function (g_pDevice[n] - 5), so this relies on those bytes being unused padding rather than live code. How to fix it? That's the job of the AhnLab developers. Suggestion: after creating the device for PB, for example: /* pD3D->CreateDevice(D3DADAPTER_DEFAULT,D3DDEVTYPE_HAL,hWnd,D3DCREATE_SOFTWARE_VERTEXPROCESSING,&d3dpp,&pd3dDevice); */ copy the D3D vtable and verify entries 42 and 82 against that copy. Code example: /* DWORD VTable[3] = {0}; void Create Device() { //create device pD3D->CreateDevice(D3DADAPTER_DEFAULT,D3DDEVTYPE_HAL,hWnd,D3DCREATE_SOFTWARE_VERTEXPROCESSING,&d3dpp,&pd3dDevice); DWORD* pVTable = (DWORD*)pd3dDevice; pVTable = (DWORD*)pVTable[0]; VTable[0] = pVTable[42]; // copy original endscene code VTable[1] = pVTable[82];// copy original DIP code // } */ Then run a thread that verifies EndScene and DIP in the game device: /* void ThreadVerifyEx(){ while(1) { // get you table pointer of game device if(GameDevice->Table[42] != VTable[0] || GameDevice->Table[82] != VTable[1]) { // Hack detected } Sleep(1); } } */ (The reference copy has to live somewhere the cheat cannot locate and overwrite — see the next bug, which does exactly that to the anti-cheat's own copy.) For another bug, like: /* while(1) { DWORD dwEhsvc = (DWORD)GetModuleHandleA("EhSvc.dll") + 0x123DE8; CHSBypass *CHS = *(CHSBypass**)dwEhsvc; 
g_pDevice[42] = (DWORD)g_pDevice[1] - 5; g_pDevice[82] = (DWORD)g_pDevice[2] - 5; CHS->dwES = g_pDevice[42]; CHS->dwDIP = g_pDevice[82]; Sleep(1000); } */ This really is work for the AhnHS developers, because it makes the offset jump go undetected, and I don't know exactly why. (What the loop visibly does is repoint vtable entries 42 and 82 to the patched stubs and then write the same values into a structure inside EhSvc.dll at a hard-coded offset; if that structure is where HackShield keeps its reference copy of the vtable entries, a comparison against it will always pass. The offset is per-build — this snippet uses 0x123DE8 while the Main.cpp listing below uses 0x126F64 + 0x7B — so it has to be re-found after every EhSvc update.) And finally, I want to share this, the AimLock source code. As I said, I wrote an aimbot source, but it leaked again, so I decided to give it to you: /* float MouseDeltaX, MouseDeltaY = 0; //======================= AimLock SOurce Code ===============================// void DoAimbot (LPDIRECT3DDEVICE9 pDevice) { if(!cRenderContext)return;//back when rcontext is null //========================= Deklarasikan data2 yang perlu di cari =================================// DWORD ModuleHandle = (DWORD)GetModuleHandleA(PointBlankSTR); unsigned long BasePlayer_A = *(DWORD*)(ModuleHandle + BasePlayerA); int ScreenCenterX = (g_ViewPort.Width /2.0f); // get screen centre int ScreenCenterY = (g_ViewPort.Height /2.0f); if(ESP.AimLock) { //=========================== Aimbot ==================================// int AimSlot = AutomaticTarget_Screen(); //get priority target, player that alive, nearest, and visible if(AimSlot != GPT_FAIL) { D3DXVECTOR3 OnWorld,OnScreen; int BoneIndexSelector = 0; switch(ESP.AimTarget) { case 0: BoneIndexSelector = 7; break; case 1: BoneIndexSelector = 5; break; } if(GetUserBone(OnWorld,BoneIndexSelector,AimSlot)){ //get user bone vector, i think all of you know it if(WorldToScreen(OnWorld,OnScreen,pDevice))// World To Screen { AimEnable = true; // Enable the aimlock int LocalX = OnScreen.x; //Define that player on screen int LocalY = OnScreen.y; if(LocalX == ScreenCenterX && LocalY == ScreenCenterY) // if the screen center is player target { MouseDeltaX = 0; // make mouse delta is NULL MouseDeltaY = 0; } else { // if not then MouseDeltaX = LocalX - ScreenCenterX; // Mouse delta X is LocalX - ScreenCenterX MouseDeltaY = LocalY - ScreenCenterY; } } else { AimEnable = false;//Disable the aimlock 
} } else { AimEnable = false;//Disable the aimlock } } else { AimEnable = false;//Disable the aimlock } } else { AimEnable = false;//Disable the aimlock } //================= End of Aimbot ==================================// } */ So why am I calling this a bug? Look at MouseDeltaX and MouseDeltaY. The code that feeds them into the game is a complete hack: /* _declspec(naked)void MyDeltaX() { _asm{ cmp [AimEnable],1 jne Normal fld dword ptr [MouseDeltaX] jmp Return Normal: fld dword ptr [ecx + 0x2C] Return: ret } } _declspec(naked)void MyDeltaY() { _asm{ cmp [AimEnable],1 jne Normal fld dword ptr [MouseDeltaY] jmp Return Normal: fld dword ptr [ecx + 0x30] Return: ret } } */ Now, the last piece: /* void HookAimLock() { DWORD dwI3Input = (DWORD)GetModuleHandleA("i3inputdx.dll"); CopyCode((PDWORD)(dwI3Input + 0x2280), (PDWORD)MyDeltaX); CopyCode((PDWORD)(dwI3Input + 0x2290), (PDWORD)MyDeltaY); } */ That is, the two getters in i3inputdx.dll (at +0x2280 and +0x2290) are overwritten with a jump to our replacements, which return the fake delta whenever AimEnable is set and otherwise fall back to the real field. How to fix it? Suggestion: /* Code : i3viewer::updateinput + 0x6A add this in that jump after load DeltaX and DeltaY to memory class i3InputMouse; class i3InputMouse { public: char _0x0000[24]; float PosX; //0x0018 float PosY; //0x001C float PosZ; //0x0020 char _0x0024[8]; float DeltaX; //0x002C float DeltaY; //0x0030 float DeltaZ; //0x0034 }; void GameEngine_UpdateInput() { // float DeltaX = i3inputmouse->GetDeltaX(); float DeltaY = i3inputmouse->GetDeltaY(); DWORD FInput = *(DWORD*)(BasePlayerA - 0x44); i3InputMouse *cInputMouse = (i3InputMouse*)*(DWORD*)(FInput + 0x3CC);// i think you know this, if(cInputMouse->DeltaX != DeltaX || cInputMouse->DeltaY !=DeltaY) { //AimLock detected } // } */ Why am I suggesting that? Because: 1. AimLock modifies the data as it is loaded, by making a jump that changes fld dword ptr [ecx + 0x2C] into fld dword ptr [MouseDeltaX], so the fake delta X and Y are loaded instead of the real ones. So just compare the DeltaX stored in the input object with the DeltaX the getter actually returned to verify that it is the correct delta; if they differ, mark it as a detected game hack. (Keep in mind this check runs in the same process the cheat already patches code in, so it raises the bar rather than closing the hole — a cheat could patch the comparison, or write its fake delta into the field itself instead of hooking the getter.)
Hider.h
/*
 * Unlink this module's loader entry from the three PEB module lists
 * (InLoadOrder, InMemoryOrder, InInitializationOrder) so that anything that
 * enumerates modules by walking those lists no longer reports hModule.
 *
 * Caveats a reviewer would want on record:
 *   - 32-bit only: the PEB is read through fs:[30h] and every offset below is
 *     the x86 layout of PEB_LDR_DATA / LDR_DATA_TABLE_ENTRY.  On x64 this is
 *     wrong.
 *   - Only the list links are rewritten.  The loader entry itself, the mapped
 *     image and its memory region are untouched, so a scanner that walks
 *     memory regions (or the loader heap) instead of the PEB lists can still
 *     find the module.
 *   - Nothing takes the loader lock here; if a DLL is loaded or unloaded on
 *     another thread at the same time the unlink races it.  When called from
 *     DllMain (as Main.cpp does) the lock happens to be held already.
 *   - Each list is scanned from its *second* entry (the first lodsd reads the
 *     Flink of the first entry) up to the entry equal to the list head's
 *     Blink, and only the first match per list is unlinked.
 */
void HideModule(HINSTANCE hModule)
{
    DWORD dwPEB_LDR_DATA = 0;
    _asm {
        pushad;
        pushfd;
        mov eax, fs:[30h]                    // eax = PEB
        mov eax, [eax+0Ch]                   // eax = PEB->Ldr
        mov dwPEB_LDR_DATA, eax

    InLoadOrderModuleList:
        mov esi, [eax+0Ch]                   // InLoadOrderModuleList.Flink (first entry)
        mov edx, [eax+10h]                   // InLoadOrderModuleList.Blink (last entry)
    LoopInLoadOrderModuleList:
        lodsd                                // eax = current->Flink
        mov esi, eax
        mov ecx, [eax+18h]                   // DllBase (links are at +0 in this entry)
        cmp ecx, hModule
        jne SkipA
        mov ebx, [eax]                       // Flink
        mov ecx, [eax+4]                     // Blink
        mov [ecx], ebx                       // Blink->Flink = Flink
        mov [ebx+4], ecx                     // Flink->Blink = Blink
        jmp InMemoryOrderModuleList
    SkipA:
        cmp edx, esi                         // stop at the last entry
        jne LoopInLoadOrderModuleList

    InMemoryOrderModuleList:
        mov eax, dwPEB_LDR_DATA
        mov esi, [eax+14h]                   // InMemoryOrderModuleList.Flink
        mov edx, [eax+18h]                   // InMemoryOrderModuleList.Blink
    LoopInMemoryOrderModuleList:
        lodsd
        mov esi, eax
        mov ecx, [eax+10h]                   // DllBase (links are at +8 in the entry)
        cmp ecx, hModule
        jne SkipB
        mov ebx, [eax]
        mov ecx, [eax+4]
        mov [ecx], ebx
        mov [ebx+4], ecx
        jmp InInitializationOrderModuleList
    SkipB:
        cmp edx, esi
        jne LoopInMemoryOrderModuleList

    InInitializationOrderModuleList:
        mov eax, dwPEB_LDR_DATA
        mov esi, [eax+1Ch]                   // InInitializationOrderModuleList.Flink
        mov edx, [eax+20h]                   // InInitializationOrderModuleList.Blink
    LoopInInitializationOrderModuleList:
        lodsd
        mov esi, eax
        mov ecx, [eax+08h]                   // DllBase (links are at +10h in the entry)
        cmp ecx, hModule
        jne SkipC
        mov ebx, [eax]
        mov ecx, [eax+4]
        mov [ecx], ebx
        mov [ebx+4], ecx
        jmp Finished
    SkipC:
        cmp edx, esi
        jne LoopInInitializationOrderModuleList

    Finished:
        popfd;
        popad;
    }
}

/*
 * just a func to erase headers by Croner.
 * keep in mind you wont be able to load
 * any resources after you erase headers.
 *
 * Zeroes sizeof(IMAGE_DOS_HEADER) bytes at the module base and
 * sizeof(IMAGE_NT_HEADERS) bytes at base + e_lfanew, i.e. the MZ/PE
 * signatures, file header and optional header.  Section headers and
 * everything after them are NOT touched, so the image is still recognisable
 * to a scanner that does not key on the signatures.
 *
 * Notes:
 *   - e_lfanew is read (to compute pNtH) before the DOS header is wiped.
 *   - The original page protection is never restored; the header page is
 *     left PAGE_READWRITE.
 *   - (LONG)hModule truncates the pointer to 32 bits; only acceptable because
 *     this file is x86-only (see the inline asm above).
 *   - e_lfanew is not validated; a non-PE hModule makes pNtH point anywhere.
 */
void EraseHeaders(HINSTANCE hModule)
{
    PIMAGE_DOS_HEADER pDoH;
    PIMAGE_NT_HEADERS pNtH;
    DWORD i, ersize, protect;

    if (!hModule)
        return;

    // well just to make clear what we doing
    pDoH = (PIMAGE_DOS_HEADER)(hModule);
    pNtH = (PIMAGE_NT_HEADERS)((LONG)hModule + ((PIMAGE_DOS_HEADER)hModule)->e_lfanew);

    // wipe the DOS header (MZ signature, e_lfanew, ...)
    ersize = sizeof(IMAGE_DOS_HEADER);
    if ( VirtualProtect(pDoH, ersize, PAGE_READWRITE, &protect) ) {
        for ( i=0; i < ersize; i++ )
            *(BYTE*)((BYTE*)pDoH + i) = 0;
    }

    // wipe the NT headers (PE signature, file header, optional header)
    ersize = sizeof(IMAGE_NT_HEADERS);
    if ( pNtH && VirtualProtect(pNtH, ersize, PAGE_READWRITE, &protect) ) {
        for ( i=0; i < ersize; i++ )
            *(BYTE*)((BYTE*)pNtH + i) = 0;
    }
    return;
}
Main.cpp
#include <windows.h>
#include <iostream>
#include <wininet.h>
#include <stdexcept>
#include <fstream>
#include <sstream>
#include "Hider.h"
#pragma comment(lib, "Wininet.lib")
#pragma warning(disable : 4018 4102)

/*
 * Overwrite the first 5 bytes at `target` with a relative JMP (E9 rel32) to
 * `newfunc`.  rel32 = newfunc - (target + 5), i.e. relative to the end of the
 * jump instruction.
 *
 *   - Makes the 8 bytes at target RWX, writes 5, then restores the previous
 *     protection.  VirtualProtect's return value is not checked, so a failed
 *     protection change turns into an access violation on the write.
 *   - The caller is responsible for the 5 bytes being safe to overwrite; the
 *     callers in HookUndetect5 point this at the bytes *preceding* D3D9
 *     functions, not at the functions themselves.
 *   - 32-bit only (pointer arithmetic through DWORD).
 */
void CopyCode(PDWORD target, PDWORD newfunc)
{
    DWORD Jmpto=(DWORD)(newfunc)-(DWORD)target-5;
    DWORD a;
    VirtualProtect(target, 8, PAGE_EXECUTE_READWRITE, &a);
    *(PBYTE)(target)=0xE9;                       // JMP rel32 opcode
    *(PDWORD)((DWORD)(target)+1)=Jmpto;
    VirtualProtect(target, 8, a, &a);            // restore the old protection
}

/*
 * Overlay for a structure inside EhSvc.dll.  Only two fields are named:
 * dwES at +0xA8 and dwDIP at +0x148 (0xA8 + 4 + 0x9C).  The loop in
 * HookUndetect5 writes the current vtable[42]/vtable[82] values into them;
 * presumably these are the anti-cheat's stored copies of the EndScene and
 * DrawIndexedPrimitive pointers — TODO confirm.  The layout and the offset
 * used to reach it are reverse-engineered from one EhSvc build; there is no
 * version check anywhere.
 */
class CHSBypass {
public:
    char _0x0000[168];
    DWORD dwES;
    char _0x00AC[156];
    DWORD dwDIP;
};

/* Global initializer: runs during DLL_PROCESS_ATTACH, so this LoadLibrary is
 * issued while the loader lock is held.  The narrow string literal needs a
 * non-UNICODE build. */
HMODULE hGfxDx = LoadLibrary("i3GfxDx.dll");

/*
 * Hook thread.  Relies on the globals pGDevice, pDevice, oEndScene,
 * oDrawIndexedPrimitive, hkEndScene and hkDrawIndexedPrimitive, none of
 * which are declared in this listing.
 *
 * Steps:
 *  1. Resolve the exported C++ global g_pRenderContext from i3GfxDx.dll and
 *     read the device pointer out of the render context at +0x5380 (a
 *     hard-coded offset for one game build).  Busy-spins with no Sleep until
 *     the value is non-zero.
 *  2. Take the device's vtable; save the original entry 42 (EndScene) and
 *     82 (DrawIndexedPrimitive) by D3D9 slot order.
 *  3. Write JMP stubs into the 5 bytes *before* vtable entries 1..5:
 *       entry1-5 -> entry4-5 -> hkEndScene
 *       entry2-5 -> entry5-5 -> hkDrawIndexedPrimitive
 *       entry3-5 -> entry6-5   (not used further in this listing)
 *     This assumes those bytes are padding and not live code; nothing
 *     verifies that.
 *  4. Forever: repoint vtable[42]/[82] at the stubs and mirror the same
 *     values into the EhSvc structure (CHSBypass) at a hard-coded RVA.
 *
 * Returns 0 when the loop is left, which only happens if hGfxDx is NULL.
 */
DWORD WINAPI HookUndetect5(LPVOID Param)
{
    if (hGfxDx > 0) {
        DWORD tmp1 = (DWORD)GetProcAddress(hGfxDx, "?g_pRenderContext@@3PAVi3RenderContext@@A");
        DWORD tmp2 = 0;
        while(!pGDevice) {
            /* IsBadReadPtr(...)==NULL means "readable".  It is a racy probe
             * (the page can be unmapped right after it answers) and is the
             * only thing guarding tmp1 == 0 when GetProcAddress fails. */
            if(IsBadReadPtr((PDWORD)tmp1,4)==NULL)tmp2 = *(PDWORD)((DWORD)(tmp1))+ 0x5380; // ?EndRender@i3RenderContext@@QAEXXZ
            if(IsBadReadPtr((PDWORD)tmp2,4)==NULL) {
                DWORD OldProtect;
                VirtualProtect((void*)(tmp2), 4, PAGE_EXECUTE_READWRITE, &OldProtect);
                memcpy(&pGDevice, (void *)tmp2, 4);
                /* NOTE(review): lpflOldProtect is NULL here.  VirtualProtect
                 * requires a valid pointer and fails, so the page is left
                 * PAGE_EXECUTE_READWRITE; pass &OldProtect (or a dummy). */
                VirtualProtect((void*)(tmp2), 4, OldProtect, NULL);
            }
        }

        DWORD *g_pDevice = (DWORD*)pGDevice;
        g_pDevice = (DWORD*)g_pDevice[0];            // g_pDevice is now the vtable
        /* NOTE(review): this stores the *vtable* address in pDevice, not the
         * device object (g_pDevice was overwritten on the line above).  If
         * pDevice is ever used as an IDirect3DDevice9* that is a bug. */
        while(!pDevice)pDevice = (LPDIRECT3DDEVICE9)(DWORD*)g_pDevice;

        *(PDWORD)&oEndScene = g_pDevice[42];                 // original EndScene
        *(PDWORD)&oDrawIndexedPrimitive = g_pDevice[82];     // original DrawIndexedPrimitive

        // chain of jumps through the padding before vtable entries 1..6
        CopyCode((PDWORD)(g_pDevice[1] - 5), (PDWORD)(g_pDevice[4] - 5));
        CopyCode((PDWORD)(g_pDevice[2] - 5), (PDWORD)(g_pDevice[5] - 5));
        CopyCode((PDWORD)(g_pDevice[3] - 5), (PDWORD)(g_pDevice[6] - 5));
        CopyCode((PDWORD)(g_pDevice[4] - 5), (PDWORD)hkEndScene);
        CopyCode((PDWORD)(g_pDevice[5] - 5), (PDWORD)hkDrawIndexedPrimitive);

        while(1) {
            /* GetModuleHandleA's result is not checked: if EhSvc.dll is not
             * loaded this dereferences 0x126FDF.  The trailing comment is
             * the OllyDbg line the offset was taken from. */
            DWORD dwEhsvc = (DWORD)GetModuleHandleA("EhSvc.dll") + 0x126F64 + 0x7B; //1008EBA1 . 68 646F1210 PUSH ehsvc.10126F64 ; ASCII " Exception Raised (Error : 0x%x)"
            CHSBypass *CHS = *(CHSBypass**)dwEhsvc;
            /* Rewrite the live vtable every second.  No VirtualProtect here,
             * so this assumes the vtable page is writable. */
            g_pDevice[42] = (DWORD)g_pDevice[1] - 5;
            g_pDevice[82] = (DWORD)g_pDevice[2] - 5;
            // mirror the same values into EhSvc's structure (see CHSBypass)
            CHS->dwES = g_pDevice[42];
            CHS->dwDIP = g_pDevice[82];
            Sleep(1000);
        }
    }
    return 0;
}

/*
 * Entry point.  On process attach: turn off thread notifications, unlink
 * this module from the loader lists, wipe its PE headers, then start
 * HookUndetect5 on a new thread.
 *
 * Order matters: EraseHeaders must come after anything that still needs the
 * headers (resources, GetProcAddress on this module); nothing after it can be
 * resolved through the PE image.  The thread handle from CreateThread is not
 * closed.  Everything here runs under the loader lock; in practice the new
 * thread does not get going until DllMain returns.
 */
BOOL WINAPI DllMain(HMODULE hModule, DWORD dwReason, LPVOID lpvReserved){
    if(dwReason == DLL_PROCESS_ATTACH) {
        DisableThreadLibraryCalls(hModule);
        HideModule(hModule);      // unlink from the PEB module lists
        EraseHeaders(hModule);    // wipe DOS/NT headers so the image no longer looks like a module
        CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)HookUndetect5, NULL, NULL, NULL);
    }
    return TRUE;
}