Ahnlab Hackshield

Posted By admin  On 15.09.21

In this series i will keep sharing some of the hackshield sdk info a reverser should know before laying his hand over hackshield. It will be a long series.

DISCLAIMER : I & ANY OTHER 3RD PARTY ARE NOT AFFILIATED ANYWAY WITH AHN LAB ,INC. YOU ARE ONLY ALLOWED TO UTILIZE THE KNOWLEDGE IN A WAY THAT WONT HARM/INVALIDATES ANY COMPANY POLICY AND IN EVENT OF ANY LOSS YOU AND ONLY YOU WILL BE THE ONE TO BE BLAMED.

AhnLab MDS (Malware Defense System) is a network sandbox based APT (Advanced Persistent Threat) protection solution that combines on-premise and cloud-based analytics to defeat advanced targeted threats anywhere across the organization. HackShield is a security program designed by Ahnlab, a security software developer based in South Korea. The program is presently used by hundreds of games around the world. It was created to prevent potential unauthorized access to online user profiles. HackShield is a collection of anti-hack toolkits developed for MMOs.

Why this disclaimer, Ahn Lab doesn’t allow anyone except their clients to peek into their protection features and other details. But we are doing it only for learning process right?

Ahnlab hackshield metin2

Features of HackShield Pro:

Memory-access block
“Blocks memory access through Windows API (OpenProcess, Read/WriteProcessMemory and etc.). It protects memory in kernel level to block hack attacks that manipulate executable codes or return values.” This thing a bitch, patches critical kernel apis to stop peeking inside the game client

Speed Hack block:
Speed Hack is a program that controls time to arbitrarily speed game up or slow game down by using the Windows time functions or timer processing microprocessor. To block Speed Hack, HackShield frequently monitors the difference between the system time and logical time of the operating system in the microprocessor level. If the difference exceeds a certain value, this could be considered as a speed hack.Note that the detection speed could differ according to the user system, operating system or game type.

Ahnlab hackshield pro

Enhanced auto-mouse detection *
Detects auto-mouse to prevent server overload and arbitrary control of the game. A new feature of detecting auto-mouse that runs as a hardware such as USB, has been added to HackShield 2.0 as well as automouse that runs as a program.

File manipulation detection
Checks the integrity of HackShield files when HackShield is initialized and/or when a game is running to make sure the files are the ones initially distributed. It also detects if the files have been modified or if the file names have been changed.In simpler words client crc checks

Ahnlab Hackshield

Ahnlab Hackshield Pro

Debugging detection
Detects all debugging tracing to prevent games from being debugged. If any debugger, such as SoftICE, is detected when initializing HackShield, then HackShield returns an error to block it.

Signature-based detection
Provides signatures-based detection. If a hacking tool is detected using a predefined signature, an error message with the path of the program is displayed.

Server-side detection *
Interoperates with the server to monitor manipulation of executable files and memory in real time and check HackShield operation status. In HackShield Pro, it was inconvenient to manage the file/memory CRC of the client in the server. So, a new Artificial Intelligence (AI) feature that automatically manages the file/memory CRC in the server has been added to HackShield 2.0.

Ahnlab Hackshield Metin2

Data file/message encryption
Encrypts important data files and messages sent and received between the server and the client, to secure data even when they are exposed.

Memory heuristic detection *
Memory heuristic detection has been added: it identifies the characteristics of hacking tools in the memory to counter new hack attacks in which no signature exists yet. When a hacking tool is detected by the memory heuristic detection engine, an error message “Unknown: error code” will be displayed.

HackShield update *
When HackShield update is available, it is updated through the HackShield Update server.

Ahnlab Hackshield

Hackshield

HackShield hacking monitoring system *
Monitors hack attacks and errors occurred in the game client in real time. You can access the HackShield hacking monitoring system through the web, and generate various reports.

* features are either enhanced from previous generation or newly added

Client File Types

Ahnlab Hackshield

There are other files which come with the sdk but those are for server only and doesnt required

next i will keep describing hackshield driver exceptions which can occur during startup

HackShield Driver Error
[ErrorCode: 0x00000102] Failed to initialize HackShield driver
Symptoms
1. An error message (Error Code: 0x00000102) occurs, and the game does not run.
Cause
 An error occurred when the HackShield driver is initialized.
 There could be a program that might prevent the driver from being initialized

Solution
1. It could be a temporary error, restart the game.
2. There could be a program that might prevent the driver from being initialized. Restart the computer
and then run the game again.
If the error persists after following the above procedure, perform the step below:
 Get information on the system in which the error occurred and send the log file to AhnLab. For details, refer to [4. Error Information Collection Method > Collecting and analyzing error information using AhnReport > Collecting HackShield log].
[ErrorCode: 0x00000108] Failed to initialize HackShield module
Symptoms
1. An error message (Error Code:0x00000108) occurs, and the game does not run.
Cause
 An error occurred as HackShield is not compatible with Symantec’s EndPoint Protection.
 This error does not occur in EndPoint Protection version released from 2010.
Solution
 Visit Symantec website, and download the latest EndPoint Protection and reinstall it
If the error persists after following the above procedure, perform the step below:
 Get information on the system in which the error occurred and send the log file to AhnLab. For details, refer to [4. Error Information Collection Method > Collecting and analyzing error information using AhnReport > Collecting HackShield log].

[ErrorCode: 0x00000203 – 4] Failed to start HackShield driver
Symptoms
1. An error message (Error Code: 0x00000203 or 0x00000204) occurs, and the game does not run.
Cause
 An error occurred when the HackShield driver is loaded.
 There could be a program that might prevent the HackShield driver from being loaded.
Solution
1. It could be a temporary error, restart the game.
2. There could be a program that might prevent the driver from being initialized. Restart the computer
and then run the game again

If the error persists after following the above procedure, perform the step below:
 Get information on the system in which the error occurred and send the log file to AhnLab. For details, refer to [4. Error Information Collection Method > Collecting and analyzing error information using AhnReport > Collecting HackShield log].
[ErrorCode: 0x00010301] Hooking Detection
Symptoms
1. An error message (Error Code: 0x00010301) occurs, and the game is terminated.
Cause
 Hooking has been detected in a system file or HackShield file.
 There could be a conflict with a program installed on your PC.
 (HackShield 5.3.7.1 version may detect steam programs.)
Solution
A. Terminate the Steam program. Or, remove the program.
If hacking attacks keep on being detected after following the above procedure, perform the step below:
 Get information on the system in which the error occurred and send the log file to AhnLab. For details, refer to [4. Error Information Collection Method > Collecting and analyzing error information using AhnReport > Collecting HackShield log].
[ErrorCode: 0x00010302] Failed to load HackShield driver
Symptoms
1. An error message (Error Code: 0x00010302) occurs, and the game is terminated.
Cause
 The HackShield driver has not been properly loaded.
 There could be a program that might prevent the HackShield driver from being loaded.
Solution
1. It could be a temporary error, restart the game.
2. There could be a program that might prevent the driver from being initialized. Restart the computer
and then run the game again.
If the error persists after following the above procedure, perform the step below:
 Get information on the system in which the error occurred and send the log file to AhnLab. For details, refer to [4. Error Information Collection Method > Collecting and analyzing error information using AhnReport > Collecting HackShield log].

[ErrorCode: 0x00000203 – 4] Failed to start HackShield driver
Symptoms
1. An error message (Error Code: 0x00000203 or 0x00000204) occurs, and the game does not run.
Cause
 An error occurred when the HackShield driver is loaded.
 There could be a program that might prevent the HackShield driver from being loaded.
Solution
1. It could be a temporary error, restart the game.
2. There could be a program that might prevent the driver from being initialized. Restart the computer and then run the game again.

If the error persists after following the above procedure, perform the step below:
 Get information on the system in which the error occurred and send the log file to AhnLab. For details, refer to [4. Error Information Collection Method > Collecting and analyzing error information using AhnReport > Collecting HackShield log].
[ErrorCode: 0x00010301] Hooking Detection
Symptoms
1. An error message (Error Code: 0x00010301) occurs, and the game is terminated.
Cause
 Hooking has been detected in a system file or HackShield file.
 There could be a conflict with a program installed on your PC.
 (HackShield 5.3.7.1 version may detect steam programs.)
Solution
A. Terminate the Steam program. Or, remove the program.
If hacking attacks keep on being detected after following the above procedure, perform the step below:
 Get information on the system in which the error occurred and send the log file to AhnLab. For details, refer to [4. Error Information Collection Method > Collecting and analyzing error information using AhnReport > Collecting HackShield log].
[ErrorCode: 0x00010302] Failed to load HackShield driver
Symptoms
1. An error message (Error Code: 0x00010302) occurs, and the game is terminated.
Cause
 The HackShield driver has not been properly loaded.
 There could be a program that might prevent the HackShield driver from being loaded.
Solution
1. It could be a temporary error, restart the game.
2. There could be a program that might prevent the driver from being initialized. Restart the computer and then run the game again.
If the error persists after following the above procedure, perform the step below:
 Get information on the system in which the error occurred and send the log file to AhnLab. For details, refer to [4. Error Information Collection Method > Collecting and analyzing error information using AhnReport > Collecting HackShield log].

Pro

[ErrorCode: 0x00000004] Application compatibility error when initializing HackShield
Symptoms
1. An error message (Error Code: 0x00000004) occurs, and the game is terminated.
Cause
 The game client has been executed in Windows Compatibility Mode.
Solution
2. Right-click on the game icon, and select Properties.
3. Select the Compatibiltiy tab as the picture below.
4. Check whether compatibility mode is enabled. Disable it.
If the error persists after following the above procedure, perform the step below:
 Get information on the system in which the error occurred and send the log file to AhnLab. For details, refer to [4. Error Information Collection Method > Collecting and analyzing error information using AhnReport > Collecting HackShield log].

This is the possible external HS errors which can occur and will be visible to the end user, on next part we will focus on internal exceptions that can occur during gameplay