HS4L- Tutorial Trainer/Ingame


      

alexmen10
#1

  • administrator
  • Status: HS4L Team
  • Posts: 418
  • Reputation: 257
  • Points: 23
  • Registered: 2012-09-08
Hi, I'm back here after a long time; I've decided to update the "Trainers/Ingames" topic.

We start with evading services, such as OpenServiceW and StartServiceW; these drivers mainly protect memory: NtOpenProcess, NtQueryVirtualMemory, NtReadVirtualMemory.


Let me explain better how this works: OpenService identifies whether StartService puts the services in Start or Stopped; if it is Start, it returns to OpenService and executes the function. We are mainly going to attack OpenService; it is the worst vulnerability it has. xD

Here I'll leave an example of preventing OpenService from identifying whether "xhunter.sys" is Stopped or Start; with this function it will identify it as Stopped and will not execute anything.
Code:
#include <ButtonConstants.au3>
#include <GUIConstantsEx.au3>
#include <WindowsConstants.au3>
#include "NomadMemory.au3"
#Include <WinAPI.au3>


;Bypass Memory
Global $Address1 = _WinAPI_GetProcAddress(_WinAPI_LoadLibrary("ADVAPI32.dll"),"OpenServiceW")
Do
Sleep(10)
Until  ProcessExists("S4Client.exe") ;Process is visible
MsgBox(0,"HS4L","Bypass Address: " & $Address1,2) ;Closes after 2 seconds
_MemoryWrite($Address1,_MemoryOpen(ProcessExists("S4Client.exe")),"0xB801000000C20C00","byte[8]")

This is optional if you want to add a GUI afterwards. But I recommend starting from scratch.
Code:
#Region ### START Koda GUI section ### Form=
$Form1 = GUICreate("Form1", 181, 94, 225, 175)
$Checkbox1 = GUICtrlCreateCheckbox("Reverse jump", 40, 16, 137, 17)
$Checkbox2 = GUICtrlCreateCheckbox("Read value jump", 40, 40, 129, 17)
GUISetState(@SW_SHOW)
#EndRegion ### END Koda GUI section ###

While 1
$nMsg = GUIGetMsg()
Switch $nMsg
Case $GUI_EVENT_CLOSE
Exit
Case $Checkbox1
if (GUICtrlRead($Checkbox1) = 1) Then ;Write Memory
HS4LMemory("S4Client.exe",0x210603,"0x6A00","BYTE[2]") ;S4Client.exe+210603
else
HS4LMemory("S4Client.exe",0x210603,"0x6A02","BYTE[2]") ;S4Client.exe+210603
EndIf

Case $Checkbox2

if (GUICtrlRead($Checkbox2) =  1) then ;Write Memory
MsgBox(0,"",Hex(HS4LMemoryRead("S4Client.exe",0x210603,"BYTE[2]"))) ;S4Client.exe+210603
EndIf
EndSwitch
WEnd

Functions:
Code:
Func HS4LMemory($ProcName,$Address,$value,$Type)
Local $OPEN = _MemoryOpen(ProcessExists($ProcName))
Local $HS4LMemoryAddress="0x"&hex(_MemoryModuleGetBaseAddress(ProcessExists($ProcName), $ProcName)+$Address) ; Base: "S4Client.exe"
_MemoryWrite($HS4LMemoryAddress,$OPEN, $value ,$Type)
EndFunc

Func HS4LMemoryRead($ProcName,$Address,$Type)
Local $OPEN = _MemoryOpen(ProcessExists($ProcName))
Local $HS4LMemoryAddress="0x"&hex(_MemoryModuleGetBaseAddress(ProcessExists($ProcName), $ProcName)+$Address) ; Base: "S4Client.exe"
Local $read = _MemoryRead($HS4LMemoryAddress,$OPEN,$Type)
return $read
EndFunc


Func _MemoryOpen($iv_Pid, $iv_DesiredAccess = 0x1F0FFF, $iv_InheritHandle = 1)

 If Not ProcessExists($iv_Pid) Then
 SetError(1)
 Return 0
 EndIf

 Local $ah_Handle[2] = [DllOpen('kernel32.dll')]

 If @error Then
 SetError(2)
 Return 0
 EndIf

 Local $av_OpenProcess = DllCall($ah_Handle[0], 'int', 'OpenProcess', 'int', $iv_DesiredAccess, 'int', $iv_InheritHandle, 'int', $iv_Pid)

 If @error Then
 DllClose($ah_Handle[0])
 SetError(3)
 Return 0
 EndIf

 $ah_Handle[1] = $av_OpenProcess[0]

 Return $ah_Handle

EndFunc   ;==>_MemoryOpen

;==================================================================================
; Function:   _MemoryRead($iv_Address, $ah_Handle[, $sv_Type])
; Description:    Reads the value located in the memory address specified.
; Parameter(s):  $iv_Address - The memory address you want to read from. It must
;                          be in hex format (0x00000000).
;               $ah_Handle - An array containing the Dll handle and the handle
;                         of the open process as returned by _MemoryOpen().
;               $sv_Type - (optional) The "Type" of value you intend to read.
;                        This is set to 'dword'(32bit(4byte) signed integer)
;                        by default.  See the help file for DllStructCreate
;                        for all types.  An example: If you want to read a
;                        word that is 15 characters in length, you would use
;                        'char[16]' since a 'char' is 8 bits (1 byte) in size.
; Return Value(s):  On Success - Returns the value located at the specified address.
;               On Failure - Returns 0
;               @Error - 0 = No error.
;                      1 = Invalid $ah_Handle.
;                      2 = $sv_Type was not a string.
;                      3 = $sv_Type is an unknown data type.
;                      4 = Failed to allocate the memory needed for the DllStructure.
;                      5 = Error allocating memory for $sv_Type.
;                      6 = Failed to read from the specified process.
; Author(s):        Nomad
; Note(s):      Values returned are in Decimal format, unless specified as a
;               'char' type, then they are returned in ASCII format.  Also note
;               that size ('char[size]') for all 'char' types should be 1
;               greater than the actual size.
;==================================================================================
Func _MemoryRead($iv_Address, $ah_Handle, $sv_Type = 'dword')

 If Not IsArray($ah_Handle) Then
 SetError(1)
 Return 0
 EndIf

 Local $v_Buffer = DllStructCreate($sv_Type)

 If @error Then
 SetError(@error + 1)
 Return 0
 EndIf

 DllCall($ah_Handle[0], 'int', 'ReadProcessMemory', 'int', $ah_Handle[1], 'int', $iv_Address, 'ptr', DllStructGetPtr($v_Buffer), 'int', DllStructGetSize($v_Buffer), 'int', '')

 If Not @error Then
 Local $v_Value = DllStructGetData($v_Buffer, 1)
 Return $v_Value
 Else
 SetError(6)
 Return 0
 EndIf

EndFunc   ;==>_MemoryRead

;==================================================================================
; Function:   _MemoryWrite($iv_Address, $ah_Handle, $v_Data[, $sv_Type])
; Description:    Writes data to the specified memory address.
; Parameter(s):  $iv_Address - The memory address which you want to write to.
;                          It must be in hex format (0x00000000).
;               $ah_Handle - An array containing the Dll handle and the handle
;                         of the open process as returned by _MemoryOpen().
;               $v_Data - The data to be written.
;               $sv_Type - (optional) The "Type" of value you intend to write.
;                        This is set to 'dword'(32bit(4byte) signed integer)
;                        by default.  See the help file for DllStructCreate
;                        for all types.  An example: If you want to write a
;                        word that is 15 characters in length, you would use
;                        'char[16]' since a 'char' is 8 bits (1 byte) in size.
; Return Value(s):  On Success - Returns 1
;               On Failure - Returns 0
;               @Error - 0 = No error.
;                      1 = Invalid $ah_Handle.
;                      2 = $sv_Type was not a string.
;                      3 = $sv_Type is an unknown data type.
;                      4 = Failed to allocate the memory needed for the DllStructure.
;                      5 = Error allocating memory for $sv_Type.
;                      6 = $v_Data is not in the proper format to be used with the
;                         "Type" selected for $sv_Type, or it is out of range.
;                      7 = Failed to write to the specified process.
; Author(s):        Nomad
; Note(s):      Values sent must be in Decimal format, unless specified as a
;               'char' type, then they must be in ASCII format.  Also note
;               that size ('char[size]') for all 'char' types should be 1
;               greater than the actual size.
;==================================================================================
Func _MemoryWrite($iv_Address, $ah_Handle, $v_Data, $sv_Type = 'dword')

 If Not IsArray($ah_Handle) Then
 SetError(1)
 Return 0
 EndIf

 Local $v_Buffer = DllStructCreate($sv_Type)

 If @error Then
 SetError(@error + 1)
 Return 0
 Else
 DllStructSetData($v_Buffer, 1, $v_Data)
 If @error Then
 SetError(6)
 Return 0
 EndIf
 EndIf

 DllCall($ah_Handle[0], 'int', 'WriteProcessMemory', 'int', $ah_Handle[1], 'int', $iv_Address, 'ptr', DllStructGetPtr($v_Buffer), 'int', DllStructGetSize($v_Buffer), 'int', '')

 If Not @error Then
 Return 1
 Else
 SetError(7)
 Return 0
 EndIf
EndFunc   ;==>_MemoryWrite

Attachments
[HS4L]-Source xigncode.zip (6 Kb) Downloaded 22 times
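
Added example, not part of the original post or of the HS4L source: a defender-side integrity check that compares the live entry bytes of an API such as OpenServiceW with a trusted reference and recognises the "load a constant into eax and return" stub the post writes there. The function names and `REFERENCE_ENTRY` (a constructed stand-in for the unmodified bytes) are assumptions made for illustration.

```python
import struct

# Constructed sample: a typical 32-bit API entry (mov edi,edi; push ebp;
# mov ebp,esp; sub esp,10h) standing in for the unmodified on-disk bytes.
REFERENCE_ENTRY = bytes.fromhex("8bff558bec83ec10")
# The 8 bytes the post writes over the start of OpenServiceW.
PATCHED_ENTRY = bytes.fromhex("b801000000c20c00")


def decode_const_return_stub(entry: bytes):
    """Return (eax_value, stack_bytes_popped) when entry begins with a
    'set eax to a constant, then return' stub; otherwise return None."""
    if entry[:1] == b"\xb8" and len(entry) >= 5:        # mov eax, imm32
        eax = struct.unpack_from("<I", entry, 1)[0]
        pos = 5
    elif entry[:2] in (b"\x33\xc0", b"\x31\xc0"):       # xor eax, eax
        eax, pos = 0, 2
    else:
        return None
    opcode = entry[pos:pos + 1]
    if opcode == b"\xc3":                               # ret
        return eax, 0
    if opcode == b"\xc2" and len(entry) >= pos + 3:     # ret imm16
        return eax, struct.unpack_from("<H", entry, pos + 1)[0]
    return None


def check_entry(name: str, in_memory: bytes, reference: bytes) -> dict:
    """Compare live entry bytes with the reference and describe tampering."""
    changed = [i for i, (a, b) in enumerate(zip(in_memory, reference)) if a != b]
    finding = {"function": name, "tampered": bool(changed),
               "modified_offsets": changed, "stub": None}
    stub = decode_const_return_stub(in_memory)
    if changed and stub is not None:
        # The call never reaches the real implementation: it hands the caller
        # a fixed return value and pops the stdcall arguments itself.
        finding["stub"] = {"returns": stub[0], "stack_bytes": stub[1]}
    return finding


if __name__ == "__main__":
    print(check_entry("OpenServiceW", PATCHED_ENTRY, REFERENCE_ENTRY))
    print(check_entry("OpenServiceW", REFERENCE_ENTRY, REFERENCE_ENTRY))
```

In a real monitor the live bytes would be read at the export's address inside the protected process and the reference taken from the signed DLL on disk; the 12 stack bytes decoded here match the three stdcall arguments of OpenServiceW.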

Konejo Weed
#2

  • moderator
  • Posts: 639
  • Reputation: 90
  • Points: 2
  • Registered: 2014-05-25
I've been looking and... When I start S4 with the hack finished and everything, a guy with a magnifying glass pops up and tells me: hey! suspicious program nigga!

In OpenServiceW, using mov eax,00000001 and below it REC 000C doesn't work... Do I have to disable the other services, or in theory should it already work with just OpenServiceW?

OS: W7 x64Bits

      
