listito Cheater Reputation: 0
Joined: 31 Dec 2010 Posts: 35
Posted: Fri Dec 31, 2010 7:47 pm Post subject: About xtrap...
Hey guys,
As we know, XTrap doesn't operate in kernel mode, so it can't hook some APIs like GameGuard does, and it's just very limited. My question is: does XTrap just look for menu titles and some other stuff in all processes inside an infinite loop?
That's kinda ridiculous.
Has anyone here reversed XTrap and analyzed its protection behaviour?
Zerith Master Cheater Reputation: 1
Joined: 07 Oct 2007 Posts: 468
Posted: Sun Jan 02, 2011 6:08 am Post subject:
Well, you can't tell for sure until you have analyzed it.
But I guess that, aside from looking up window names and processes, XTrap also scans the game it is protecting for suspicious changes in its memory.
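The memory scan Zerith guesses at above is, in its simplest form, a code-integrity check: hash the protected code region at startup, then periodically re-hash it and compare. The block below is an added example written for this thread, not code from XTrap or from anyone in the thread. It uses a constructed 64-byte buffer as a stand-in for the game's code bytes, hashes it in 16-byte chunks (a real scanner would hash per 4 KiB page over the module's .text section), then simulates a cheat patching one byte and shows the scan localizing the change to a chunk.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Demo geometry: 4 chunks of 16 bytes. A real scanner would hash per page
 * (4 KiB) over the module's .text section. */
#define CHUNK_SIZE 16
#define NUM_CHUNKS 4
#define REGION_SIZE (CHUNK_SIZE * NUM_CHUNKS)

typedef struct {
    uint64_t chunk_hash[NUM_CHUNKS];
} baseline_t;

/* Constructed stand-in for the game's code bytes (not real game code). */
static uint8_t g_code[REGION_SIZE];

void init_region(uint8_t *region, size_t n)
{
    for (size_t i = 0; i < n; i++)
        region[i] = (uint8_t)(0x90 + (i % 7));   /* filler opcode bytes */
}

/* FNV-1a, 64-bit: cheap, and any single-byte change flips the digest. */
uint64_t fnv1a64(const uint8_t *p, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Record one digest per chunk while the region is known-good. */
void take_baseline(const uint8_t *region, baseline_t *b)
{
    for (int i = 0; i < NUM_CHUNKS; i++)
        b->chunk_hash[i] = fnv1a64(region + i * CHUNK_SIZE, CHUNK_SIZE);
}

/* Re-hash every chunk; return the index of the first mismatch, or -1 if clean. */
int verify_region(const uint8_t *region, const baseline_t *b)
{
    for (int i = 0; i < NUM_CHUNKS; i++)
        if (fnv1a64(region + i * CHUNK_SIZE, CHUNK_SIZE) != b->chunk_hash[i])
            return i;
    return -1;
}

/* Scenario: baseline, confirm clean, patch one byte (as a cheat that NOPs
 * or breaks a check would), rescan. Returns the chunk index reported. */
int run_scenario(void)
{
    baseline_t base;
    init_region(g_code, REGION_SIZE);
    take_baseline(g_code, &base);
    if (verify_region(g_code, &base) != -1)
        return -2;           /* untouched region must verify clean */
    g_code[37] = 0xCC;       /* offset 37 lies in chunk 2 (bytes 32..47) */
    return verify_region(g_code, &base);
}

int main(void)
{
    int hit = run_scenario();
    if (hit < 0)
        printf("region clean\n");
    else
        printf("chunk %d modified (bytes %d..%d)\n",
               hit, hit * CHUNK_SIZE, (hit + 1) * CHUNK_SIZE - 1);
    return 0;
}
```

The caveat that matters for this thread: the scanner, its baseline digests and the region it checks all live in the same user-mode process, so anyone who can write the game's memory can also patch the scanner or its stored hashes. That is exactly why the first post's question about kernel mode matters.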
atom0s Moderator Reputation: 198
Joined: 25 Jan 2006 Posts: 8516 Location: 127.0.0.1
listito Cheater Reputation: 0
Joined: 31 Dec 2010 Posts: 35
Posted: Sun Jan 02, 2011 7:52 pm Post subject:
I just did it. I removed the call which loads xtrap.dll and XTrap itself, but the problem is the heartbeat packets.
So I sniffed the packets and realized that when XTrap is not loaded it sends wrong packets to the server and my connection gets killed.
So why deactivate XTrap when we can fool it and continue the heartbeat packets as if nothing had changed?
atom0s Moderator Reputation: 198
Joined: 25 Jan 2006 Posts: 8516 Location: 127.0.0.1
listito Cheater Reputation: 0
Joined: 31 Dec 2010 Posts: 35
Posted: Sat Jan 08, 2011 12:08 pm Post subject:
I have just analyzed its behavior:
XP 32-bit
1 - SSDT and SSDT shadow hooking, including NtOpenProcess() and NtReadVirtualMemory()
2 - changes one entry in the IDT
3 - modifies one indirect call in win32.sys
The funny thing is I can open the process normally with OpenProcess() and I do get a valid handle, but ReadProcessMemory() returns an error even after fixing all hooks (except the hooked call in win32.sys; when I do that, the game quits).
Still trying to understand how it blocks OpenProcess() on Win7 x64.
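The SSDT hooks listed in point 1 are found the way the post implies: on XP x86 the table (KeServiceDescriptorTable, exported by ntoskrnl) is an array of function pointers, and a clean entry must point inside the ntoskrnl image; anything pointing elsewhere is a hook, and mapping the target address to the owning module tells you who installed it. The block below is an added example written for this thread, not XTrap's code nor code from the thread. Reading the real table needs a kernel driver, so it works on constructed data: an XP-like module list (the name "hooker.sys" is hypothetical, standing in for whatever driver installed the hooks), a table of 0x11C entries, and the service numbers for NtOpenProcess (0x7A) and NtReadVirtualMemory (0xBA), which are the XP SP3 values and are an assumption for other builds.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char *name;
    uint32_t base;
    uint32_t size;
} module_t;

/* Constructed loaded-module list with XP-like addresses. "hooker.sys" is a
 * hypothetical name standing in for the driver that installed the hooks. */
static const module_t g_modules[] = {
    { "ntoskrnl.exe", 0x804D7000u, 0x001F0000u },
    { "win32k.sys",   0xBF800000u, 0x001C0000u },
    { "hooker.sys",   0xF7A00000u, 0x00008000u },
};
#define NUM_MODULES   ((int)(sizeof g_modules / sizeof g_modules[0]))
#define KERNEL_MODULE 0   /* index of ntoskrnl in g_modules */

/* XP SP3 system service numbers (assumed here; verify for your build). */
enum {
    SVC_NtOpenProcess       = 0x7A,
    SVC_NtReadVirtualMemory = 0xBA,
    SSDT_ENTRIES            = 0x11C
};

typedef struct {
    int index;          /* service number */
    uint32_t target;    /* where the entry points */
    const char *owner;  /* module containing target, or "<unmapped>" */
} hook_t;

static uint32_t g_ssdt[SSDT_ENTRIES];

/* Map an address to the module that contains it, or -1 if none does. */
int find_module(uint32_t addr)
{
    for (int i = 0; i < NUM_MODULES; i++)
        if (addr >= g_modules[i].base && addr - g_modules[i].base < g_modules[i].size)
            return i;
    return -1;
}

/* Constructed table: every service points into ntoskrnl, then the two
 * entries the post names are overwritten with addresses in the hook driver. */
void build_table(void)
{
    for (int i = 0; i < SSDT_ENTRIES; i++)
        g_ssdt[i] = g_modules[KERNEL_MODULE].base + 0x1000u * (uint32_t)(i + 1);
    g_ssdt[SVC_NtOpenProcess]       = 0xF7A01230u;
    g_ssdt[SVC_NtReadVirtualMemory] = 0xF7A01480u;
}

/* Flag every entry that does not point into ntoskrnl. Returns the total
 * number of hooked entries; at most max_out of them are written to out[]. */
int scan_ssdt(const uint32_t *table, int n, hook_t *out, int max_out)
{
    int found = 0;
    for (int i = 0; i < n; i++) {
        int m = find_module(table[i]);
        if (m == KERNEL_MODULE)
            continue;                       /* expected: inside ntoskrnl */
        if (found < max_out) {
            out[found].index  = i;
            out[found].target = table[i];
            out[found].owner  = (m < 0) ? "<unmapped>" : g_modules[m].name;
        }
        found++;
    }
    return found;
}

int main(void)
{
    hook_t hooks[16];
    build_table();
    int n = scan_ssdt(g_ssdt, SSDT_ENTRIES, hooks, 16);
    printf("%d hooked entries\n", n);
    for (int i = 0; i < n && i < 16; i++)
        printf("  service 0x%03X -> 0x%08X (%s)\n",
               hooks[i].index, hooks[i].target, hooks[i].owner);
    return 0;
}
```

The shadow table gets the same scan with the expected owner set to win32k.sys instead of ntoskrnl. Two caveats a practitioner would want: this only sees replaced table entries, so an inline patch inside ntoskrnl or win32k (which is what the "indirect call in win32.sys" in point 3 sounds like) is invisible to it and needs a comparison of each function's first bytes against the on-disk image; and on Win7 x64 the table is not a realistic target under PatchGuard, so a driver that wants to deny access typically registers an ObRegisterCallbacks handler that strips rights such as PROCESS_VM_READ from the handle at open time, which is consistent with getting a handle back and having the read fail.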