[Guide] Tips for trying to avoid simple HackShield detection

Recently, HackShield has been detecting a lot of tools. While there are many ways this could be done, HackShield currently uses very simple methods for Silkroad. This could change at any time, but for now they seem to be using a really simple protection mode. In this guide, I will go over two approaches that can help with the most commonly used and detected tools, but they are not permanent solutions to avoiding HackShield detection.

ResHack:

Quote:
Resource Hacker™ is a freeware utility to view, modify, rename, add, delete and extract resources in 32bit Windows executables and resource files (*.res). It incorporates an internal resource script compiler and decompiler and works on Win95, Win98, WinME, WinNT, Win2000 and WinXP operating systems.

Download: ResHack Version 3.4.0 (< 1 MB)

We will be using ResHack to change the titles of any GUI-related elements without having to recompile the tool. While being able to recompile a tool can offer more protection through code changes, not all tools have source code available. Here is a step-by-step pictorial guide to modifying an existing tool to help avoid detection:

1. Download and Extract Reshack

2. Run “ResHacker.exe”

3. Select File->Open and choose the tool. In this case, I will use my edxSilkroadLoader5.

4. Expand the “Dialog” section until you get to the “1033” resource and select it. Some tools might have many dialogs, so you will want to perform the following steps for all of them.

5. As seen in the first screenshot above, there will be a CAPTION field that contains the window’s title. Simply change the text between the quotes. As you do so, the Compile Script button becomes enabled since you have made changes. In this case, I will give it a blank title.

6. Now hit “Compile Script” to apply your changes. You will notice the dialog title changes in the second window as seen in the second screenshot from Step 4.

7. Now click File->Save. The changes are written to the exe file. If you check the source folder, you will see ResHack makes a convenient backup copy for you!

At this point, we will now be able to defeat any simple window caption checks Hackshield might perform. Likewise, you can change other GUI elements as needed to get around any other checking that might be done. For really simple tools, this is all that is needed to get around Hackshield closing applications at startup.
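To make clear what ResHack is actually editing in step 5, here is an added example (not from the original post and not ResHack's own code) that parses the caption out of a Windows dialog resource, handling both the classic DLGTEMPLATE and the extended DLGTEMPLATEEX layouts; `make_dialog_template` only builds a constructed sample blob for testing. It also shows why a window caption is a weak signal for any anti-cheat to key on: it is nothing more than a plain UTF-16 string sitting in the resource section.

```python
import struct

# Read-only parser for the caption of a DIALOG / DIALOGEX resource blob
# (the "CAPTION" line in ResHack's decompiled script). Layouts follow the
# Windows SDK definitions of DLGTEMPLATE and DLGTEMPLATEEX.

def _read_sz_or_ord(buf, off):
    """Read a sz_Or_Ord field: 0x0000 = none, 0xFFFF = a WORD ordinal follows,
    anything else = NUL-terminated UTF-16LE string. Returns (value, next_offset)."""
    first = struct.unpack_from("<H", buf, off)[0]
    if first == 0x0000:
        return None, off + 2
    if first == 0xFFFF:
        return struct.unpack_from("<H", buf, off + 2)[0], off + 4
    end = off
    while struct.unpack_from("<H", buf, end)[0] != 0:
        end += 2
    return buf[off:end].decode("utf-16-le"), end + 2

def dialog_caption(res):
    """Return the caption string of a dialog resource ("" if the caption is blank)."""
    dlg_ver, signature = struct.unpack_from("<HH", res, 0)
    if dlg_ver == 1 and signature == 0xFFFF:
        # DLGTEMPLATEEX: dlgVer, signature, helpID, exStyle, style, cDlgItems, x, y, cx, cy
        off = struct.calcsize("<HHIIIHHHHH")
    else:
        # DLGTEMPLATE: style, dwExtendedStyle, cdit, x, y, cx, cy
        off = struct.calcsize("<IIHHHHH")
    _, off = _read_sz_or_ord(res, off)    # menu
    _, off = _read_sz_or_ord(res, off)    # window class
    title, _ = _read_sz_or_ord(res, off)  # title: the field ResHack's CAPTION edits
    return title or ""

def make_dialog_template(caption, extended=False):
    """Build a constructed sample dialog resource with no controls (test data only)."""
    if extended:
        head = struct.pack("<HHIIIHHHHH", 1, 0xFFFF, 0, 0, 0x80C800C8, 0, 0, 0, 200, 100)
    else:
        head = struct.pack("<IIHHHHH", 0x80C800C8, 0, 0, 0, 0, 200, 100)
    title = caption.encode("utf-16-le") + b"\x00\x00" if caption else b"\x00\x00"
    return head + b"\x00\x00" + b"\x00\x00" + title  # no menu, default class, title

if __name__ == "__main__":
    print(dialog_caption(make_dialog_template("edxSilkroadLoader5")))
    print(repr(dialog_caption(make_dialog_template(""))))  # a blanked caption
```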

However, there is more detection that goes on than just this! After approximately 10 minutes, HackShield performs some more complex checking of running processes that will trigger a client disconnect upon detection. Using ResHack is not enough to get around this. That brings us to our next program…

Safengine:

Quote:
Safengine provides a powerful virtual machine to protect your applications against reverse engineering or unwanted modifications. The protector will convert your sensitive code (in x86 assembly) into a random instruction set which can only be executed by the virtual machine interpreter embedded into your application after protection. These virtual machines are very unique, fully randomized and heavily obfuscated.

Download: Safengine Demo (21 MB)

We will be using Safengine to protect our tools from any unwanted analysis by HackShield. NOTE: I only chose to use Safengine because its demo mode offers enough features to make it practical to write a guide about. You can use a wide variety of other protectors as well. Safengine Demo locks the protected EXE to the computer that generated it, so you cannot share protected EXEs.

1. Download and Extract Safengine.

2. Run “Safengine.exe”. It may take a minute or so to load.

3. Click on “Browse…” and select the tool you wish to protect. For this example, I will continue to use my edxSilkroadLoader5. Make sure to select the EXE that was modified earlier using ResHack!

4. Now, we will set some simple options to help protect the EXE. The key features to have if you are using another protector are Resource Protection, API obfuscation, and any dynamic/metamorphic code generation.

Expand the “Protection Options” field. Add checks to the following options:
* Protection Options -> Import Protection -> Fill Original IAT Trunk
* Protection Options -> Import Protection -> Hash API Names
* Protection Options -> Resource Protection -> Anti Dump
* Protection Options -> Metamorphic Code Generation

5. Click “Protect” and wait for the operation to complete. Click “Exit” and “No” to close the program.

6. You will see a new EXE in the source folder with a suffix of “_se”. This is the newly protected file. Copy this file to a new folder and rename it to the original name.

7. Perform these steps for all EXE/DLL files required. Since I am using edxSilkroadLoader5.exe, I will also need to protect edxSilkroadDll5.dll.

8. Run the tools to make sure they still work! Some protectors cause certain programs to crash with some options, so it’s a little trial and error here to find a configuration that protects the tools without breaking them.

IMPORTANT NOTE: At the time of writing this guide, Windows Update seems to have broken Safengine’s Hardware ID generation, so the EXEs it generates don’t seem to work. I’m sure they will get this taken care of soon. Having used this protector for a few days already on KSRO/ISRO without being detected by HackShield, it is still worth writing about because it’s such a nice protector. (Fixed 16/8/2010)

Themida also seems to work really well, but its trial mode only lasts 20 minutes, so it would not work out well for most things. I’ll be looking for more alternatives in the meantime as well, but since I was having so much success with Safengine, it is unfortunate that the demo mode seems broken now.

Other Points of Interest

* Don’t forget to change EXE/DLL names! This is really simple detection that most people know of, but it can still be effective against people who don’t take the time to do so.

* Data files commonly used by the program could theoretically be detected. For example, if HackShield were to check the user data folder for edxSilkroadLoader5.ini, it would be able to detect the tool when it was opened if it set a global hook on enough API functions. While I don’t think any protection uses this scheme, it’s something else that you can change to help avoid it.

* Commonly used ports, mutexes, pipes, or any other uniquely identifying handles can give away a tool as well. While detecting a tool solely based on these methods is rather sketchy, there is nothing stopping them from simply not letting the client run if a certain port is open and in use. I’ve actually had HackShield connect to my proxy before this way!

* Any EXE changes put you at risk of detection. While it seems HackShield does not do anything with clients that have had their memory modified, they could easily detect this and D/C users over time. Once that is done, there is not much that can be done using these approaches, and a bypass is required for sure.

Conclusion:

These methods are not 100% guaranteed ways to avoid getting caught using tools. However, you can use them to help for the time being. The less public a protected tool is, the smaller the chance that HackShield gets the information from Joymax to block it. I just wanted to throw out some ideas and suggestions for people to try, because this is “all you can do” without having a HackShield bypass to get around detection. Good luck!