Author Topic: Ways to Get Around Hradba #138  (Read 943 times)

0 Members and 1 Guest are viewing this topic.

mesengr

  • Relentless Teamkiller
  • **
  • Posts: 51
    • View Profile
Ways to Get Around Hradba #138
« on: October 20, 2007, 09:12:56 am »
Over a year ago, Subsky posted about a few ways to get around Hradba #138:

There are a few ways to bypass HRADBA's memory scanning (eg. kicks for #138); directly patch the memory scanning detection algorithm it uses to aways say 'Status: OK'... or implement some kind of memory hiding element in your own custom built trainer (it's called 'rootkit' technology- read about it briefly here).

I'm currently implementing a user-mode version of a very new memory hiding method called Shadow Walking- which can be read about here.  When done correctly- all trainers, new and old will not be detected.

@Subsky (or anyone else working on this): Just out of curiosity, have you implemented the Shadow Walking yet?

My real question is: how do you find that "Status: OK" part of memory of the detection algorithm? So far, I have discovered that this algorithm is written into memory some time AFTER you join the server. I have not been able to find the instruction that gives the OK. Any hints on how to find it? Am I supposed to patch the Hradba DLL file?

Subsky

  • Insane Joker
  • ****
  • Posts: 504
  • Subskii
    • View Profile
Re: Ways to Get Around Hradba #138
« Reply #1 on: October 20, 2007, 11:08:10 am »
You're asking really good questions lately :icon_thumbsup.

Defeating HRADBA code #138 requires a bit of thought.

First of all- you need to use a hex editor or similar to force game.dll to load a copy of HRADBA.DLL on disk from somewhere other than inside the HRADBA.CBF file (so you can modify it later).  It's very easy- just look for the call to LoadLibrary("hradba\actual\hradba.dll") and change it so that the string points to where you put a copy of this HRADBA.DLL file on disk.

Next- it makes sense that in order to detect a change in GAME.DLL or LOGS.DLL code (what #138 flags)- HRADBA, or some other DLL would need to scan it.

So- find the address of an instruction that will get you kicked when you change it, change it (e.g. nop out the bullet decrement code)- and then set a hardware READ breakpoint on this address.

Now go run around in a HB enabled server- and wait till you get kicked.  Straight before- you'll get a hit a HW read breakpoint coming from a function in HRADBA.DLL.

Using IDA pro- find this function and reverse the first few parameters + the code near where the breakpoint was hit.  NOTE: You MUST understand what the portable executable file format is and how it works to do this well.

An In-Depth Look into the Win32 Portable Executable File Format
An In-Depth Look into the Win32 Portable Executable File Format, Part 2.

Now- you can use a portable executable viewer/modifying like Yoda's awesome LordPE to fool HRADBA- using the knowledged you can from reversing the code scanning algorithm in HB.

I couple of important things- if you change code in HRADBA.DLL (which you will need to)- you'll then get kicked for #28 (HB is hacked).  Use the same technique above to find out what code/DLL in tern scans HRADBA.DLL aswell- and do all the steps above for it too.

I have proof of concept (hacked GAME.DLL, LOGS.DLL, HRADBA.DLL files) I can send to you- but it would be great to see you have a go.  You learn a lot more by trying things yourself and asking more questions; and the end result is more satisfying when you finally get there  :icon_thumbsup.

Subsky

  • Insane Joker
  • ****
  • Posts: 504
  • Subskii
    • View Profile
Re: Ways to Get Around Hradba #138
« Reply #2 on: October 20, 2007, 11:12:27 am »
A big hint- you have to make a copy of the .text section's (code) in the files using LordPE.

You then adjust a certain PE field in the files to point to the copied section of code. (Use your reversing skills to figure out which one).

That way the copied/fake .TEXT (code) section is scanned... and nothing ever gets detected  :icon_laugh.

Subsky

mesengr

  • Relentless Teamkiller
  • **
  • Posts: 51
    • View Profile
Re: Ways to Get Around Hradba #138
« Reply #3 on: November 11, 2007, 01:13:57 am »
Progress is slow (I'm only working on this one day per week) but I'm still moving forwards. I've found the functions, now I have to figure out what to do with them.

Is it possible to do accomplish these things without actually patching the DLL files? That is, would it still work the same if I poke the proper code into the proper addresses once they get loaded into memory? I realize I would have to re-locate and re-poke the hradba.dll code every time I join a server, but that's not a big deal.

I am still a beginner at reverse-engineering, so I am stuck at a few points. For example, I have found the function that scans the game.dll code. I have stepped through the code (in the module hradba.dll) to see the sequence of jumps if the game.dll code was not modified. Based on that, I tried forcing-jumps/nop'ng the appropriate conditional jumps. So far, this does not work -- #138 still gets detected. Is this the wrong approach to modifying the function?
« Last Edit: November 11, 2007, 09:49:07 am by mesengr »

Subsky

  • Insane Joker
  • ****
  • Posts: 504
  • Subskii
    • View Profile
Re: Ways to Get Around Hradba #138
« Reply #4 on: November 12, 2007, 12:34:27 pm »
Is it possible to do accomplish these things without actually patching the DLL files? That is, would it still work the same if I poke the proper code into the proper addresses once they get loaded into memory? I realize I would have to re-locate and re-poke the hradba.dll code every time I join a server, but that's not a big deal.

Well, yeah- but it's not as easy as poking a few codes here and there, because HRADBA scans game.dll and logs.dll, and game.dll scans HRADBA.dll.  You'd want to detour hook the function that scans the code section- and doing this requires you inject your hook .dll into the program each time on start-up (which becomes a bit of a pain after a while).

I am still a beginner at reverse-engineering, so I am stuck at a few points. For example, I have found the function that scans the game.dll code. I have stepped through the code (in the module hradba.dll) to see the sequence of jumps if the game.dll code was not modified. Based on that, I tried forcing-jumps/nop'ng the appropriate conditional jumps. So far, this does not work -- #138 still gets detected. Is this the wrong approach to modifying the function?

You can't just nop out/force jumps- because game.dll's code is scanned- and a hash of it is sent off to the server when it requests it, for comparison.  You need to fool the algorithm into scanning a copy of the fake section.

If you want to improve your reversing skills- get Hacker Disassembling Uncovered .  It's a fantastic read- & me bypassing HB was a direct result of reading this book. :D.

Subskii