Ahnlab Hackshield
In this series i will keep sharing some of the hackshield sdk info a reverser should know before laying his hand over hackshield. It will be a long series.
DISCLAIMER : I & ANY OTHER 3RD PARTY ARE NOT AFFILIATED ANYWAY WITH AHN LAB ,INC. YOU ARE ONLY ALLOWED TO UTILIZE THE KNOWLEDGE IN A WAY THAT WONT HARM/INVALIDATES ANY COMPANY POLICY AND IN EVENT OF ANY LOSS YOU AND ONLY YOU WILL BE THE ONE TO BE BLAMED.
AhnLab MDS (Malware Defense System) is a network sandbox based APT (Advanced Persistent Threat) protection solution that combines on-premise and cloud-based analytics to defeat advanced targeted threats anywhere across the organization. HackShield is a security program designed by Ahnlab, a security software developer based in South Korea. The program is presently used by hundreds of games around the world. It was created to prevent potential unauthorized access to online user profiles. HackShield is a collection of anti-hack toolkits developed for MMOs.
Why this disclaimer, Ahn Lab doesn’t allow anyone except their clients to peek into their protection features and other details. But we are doing it only for learning process right?
Features of HackShield Pro:
Memory-access block
“Blocks memory access through Windows API (OpenProcess, Read/WriteProcessMemory and etc.). It protects memory in kernel level to block hack attacks that manipulate executable codes or return values.” This thing a bitch, patches critical kernel apis to stop peeking inside the game client
Speed Hack block:
Speed Hack is a program that controls time to arbitrarily speed game up or slow game down by using the Windows time functions or timer processing microprocessor. To block Speed Hack, HackShield frequently monitors the difference between the system time and logical time of the operating system in the microprocessor level. If the difference exceeds a certain value, this could be considered as a speed hack.Note that the detection speed could differ according to the user system, operating system or game type.
Enhanced auto-mouse detection *
Detects auto-mouse to prevent server overload and arbitrary control of the game. A new feature of detecting auto-mouse that runs as a hardware such as USB, has been added to HackShield 2.0 as well as automouse that runs as a program.
File manipulation detection
Checks the integrity of HackShield files when HackShield is initialized and/or when a game is running to make sure the files are the ones initially distributed. It also detects if the files have been modified or if the file names have been changed.In simpler words client crc checks
Ahnlab Hackshield Pro
Debugging detection
Detects all debugging tracing to prevent games from being debugged. If any debugger, such as SoftICE, is detected when initializing HackShield, then HackShield returns an error to block it.
Signature-based detection
Provides signatures-based detection. If a hacking tool is detected using a predefined signature, an error message with the path of the program is displayed.
Server-side detection *
Interoperates with the server to monitor manipulation of executable files and memory in real time and check HackShield operation status. In HackShield Pro, it was inconvenient to manage the file/memory CRC of the client in the server. So, a new Artificial Intelligence (AI) feature that automatically manages the file/memory CRC in the server has been added to HackShield 2.0.
Ahnlab Hackshield Metin2
Data file/message encryption
Encrypts important data files and messages sent and received between the server and the client, to secure data even when they are exposed.
Memory heuristic detection *
Memory heuristic detection has been added: it identifies the characteristics of hacking tools in the memory to counter new hack attacks in which no signature exists yet. When a hacking tool is detected by the memory heuristic detection engine, an error message “Unknown: error code” will be displayed.
HackShield update *
When HackShield update is available, it is updated through the HackShield Update server.
Ahnlab Hackshield
HackShield hacking monitoring system *
Monitors hack attacks and errors occurred in the game client in real time. You can access the HackShield hacking monitoring system through the web, and generate various reports.
* features are either enhanced from previous generation or newly added
Client File Types
Ahnlab Hackshield
There are other files which come with the sdk but those are for server only and doesnt required
next i will keep describing hackshield driver exceptions which can occur during startup
HackShield Driver Error
[ErrorCode: 0x00000102] Failed to initialize HackShield driver
Symptoms
1. An error message (Error Code: 0x00000102) occurs, and the game does not run.
Cause
An error occurred when the HackShield driver is initialized.
There could be a program that might prevent the driver from being initialized
Solution
1. It could be a temporary error, restart the game.
2. There could be a program that might prevent the driver from being initialized. Restart the computer
and then run the game again.
If the error persists after following the above procedure, perform the step below:
Get information on the system in which the error occurred and send the log file to AhnLab. For details, refer to [4. Error Information Collection Method > Collecting and analyzing error information using AhnReport > Collecting HackShield log].
[ErrorCode: 0x00000108] Failed to initialize HackShield module
Symptoms
1. An error message (Error Code:0x00000108) occurs, and the game does not run.
Cause
An error occurred as HackShield is not compatible with Symantec’s EndPoint Protection.
This error does not occur in EndPoint Protection version released from 2010.
Solution
Visit Symantec website, and download the latest EndPoint Protection and reinstall it
If the error persists after following the above procedure, perform the step below:
Get information on the system in which the error occurred and send the log file to AhnLab. For details, refer to [4. Error Information Collection Method > Collecting and analyzing error information using AhnReport > Collecting HackShield log].
[ErrorCode: 0x00000203 – 4] Failed to start HackShield driver
Symptoms
1. An error message (Error Code: 0x00000203 or 0x00000204) occurs, and the game does not run.
Cause
An error occurred when the HackShield driver is loaded.
There could be a program that might prevent the HackShield driver from being loaded.
Solution
1. It could be a temporary error, restart the game.
2. There could be a program that might prevent the driver from being initialized. Restart the computer
and then run the game again
If the error persists after following the above procedure, perform the step below:
Get information on the system in which the error occurred and send the log file to AhnLab. For details, refer to [4. Error Information Collection Method > Collecting and analyzing error information using AhnReport > Collecting HackShield log].
[ErrorCode: 0x00010301] Hooking Detection
Symptoms
1. An error message (Error Code: 0x00010301) occurs, and the game is terminated.
Cause
Hooking has been detected in a system file or HackShield file.
There could be a conflict with a program installed on your PC.
(HackShield 5.3.7.1 version may detect steam programs.)
Solution
A. Terminate the Steam program. Or, remove the program.
If hacking attacks keep on being detected after following the above procedure, perform the step below:
Get information on the system in which the error occurred and send the log file to AhnLab. For details, refer to [4. Error Information Collection Method > Collecting and analyzing error information using AhnReport > Collecting HackShield log].
[ErrorCode: 0x00010302] Failed to load HackShield driver
Symptoms
1. An error message (Error Code: 0x00010302) occurs, and the game is terminated.
Cause
The HackShield driver has not been properly loaded.
There could be a program that might prevent the HackShield driver from being loaded.
Solution
1. It could be a temporary error, restart the game.
2. There could be a program that might prevent the driver from being initialized. Restart the computer
and then run the game again.
If the error persists after following the above procedure, perform the step below:
Get information on the system in which the error occurred and send the log file to AhnLab. For details, refer to [4. Error Information Collection Method > Collecting and analyzing error information using AhnReport > Collecting HackShield log].
[ErrorCode: 0x00000203 – 4] Failed to start HackShield driver
Symptoms
1. An error message (Error Code: 0x00000203 or 0x00000204) occurs, and the game does not run.
Cause
An error occurred when the HackShield driver is loaded.
There could be a program that might prevent the HackShield driver from being loaded.
Solution
1. It could be a temporary error, restart the game.
2. There could be a program that might prevent the driver from being initialized. Restart the computer and then run the game again.
If the error persists after following the above procedure, perform the step below:
Get information on the system in which the error occurred and send the log file to AhnLab. For details, refer to [4. Error Information Collection Method > Collecting and analyzing error information using AhnReport > Collecting HackShield log].
[ErrorCode: 0x00010301] Hooking Detection
Symptoms
1. An error message (Error Code: 0x00010301) occurs, and the game is terminated.
Cause
Hooking has been detected in a system file or HackShield file.
There could be a conflict with a program installed on your PC.
(HackShield 5.3.7.1 version may detect steam programs.)
Solution
A. Terminate the Steam program. Or, remove the program.
If hacking attacks keep on being detected after following the above procedure, perform the step below:
Get information on the system in which the error occurred and send the log file to AhnLab. For details, refer to [4. Error Information Collection Method > Collecting and analyzing error information using AhnReport > Collecting HackShield log].
[ErrorCode: 0x00010302] Failed to load HackShield driver
Symptoms
1. An error message (Error Code: 0x00010302) occurs, and the game is terminated.
Cause
The HackShield driver has not been properly loaded.
There could be a program that might prevent the HackShield driver from being loaded.
Solution
1. It could be a temporary error, restart the game.
2. There could be a program that might prevent the driver from being initialized. Restart the computer and then run the game again.
If the error persists after following the above procedure, perform the step below:
Get information on the system in which the error occurred and send the log file to AhnLab. For details, refer to [4. Error Information Collection Method > Collecting and analyzing error information using AhnReport > Collecting HackShield log].
[ErrorCode: 0x00000004] Application compatibility error when initializing HackShield
Symptoms
1. An error message (Error Code: 0x00000004) occurs, and the game is terminated.
Cause
The game client has been executed in Windows Compatibility Mode.
Solution
2. Right-click on the game icon, and select Properties.
3. Select the Compatibiltiy tab as the picture below.
4. Check whether compatibility mode is enabled. Disable it.
If the error persists after following the above procedure, perform the step below:
Get information on the system in which the error occurred and send the log file to AhnLab. For details, refer to [4. Error Information Collection Method > Collecting and analyzing error information using AhnReport > Collecting HackShield log].
This is the possible external HS errors which can occur and will be visible to the end user, on next part we will focus on internal exceptions that can occur during gameplay