Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 


About xtrap...

 
listito
Cheater
Reputation: 0

Joined: 31 Dec 2010
Posts: 35

Posted: Fri Dec 31, 2010 7:47 pm    Post subject: About xtrap...

Hey guys,

As we know, xtrap doesn't operate in kernel mode, so it can't hook some APIs like gameguard, and it's just very limited. My question is: does xtrap just look for menu titles and some stuff in all processes inside an infinite loop?

that's kinda ridiculous Shocked

Has anyone here reversed xtrap and analyzed its protection behaviour?
Zerith
Master Cheater
Reputation: 1

Joined: 07 Oct 2007
Posts: 468

Posted: Sun Jan 02, 2011 6:08 am

Well, you can't tell for sure until you have analyzed it.

But I guess that, aside from looking up window names and processes, XTrap also scans the game it is protecting for suspicious changes in its memory.
atom0s
Moderator
Reputation: 198

Joined: 25 Jan 2006
Posts: 8516
Location: 127.0.0.1

Posted: Sun Jan 02, 2011 3:17 pm    Post subject: Re: About xtrap...

listito wrote:
Hey guys,

As we know, xtrap doesn't operate in kernel mode, so it can't hook some APIs like gameguard, and it's just very limited. My question is: does xtrap just look for menu titles and some stuff in all processes inside an infinite loop?

that's kinda ridiculous Shocked

Has anyone here reversed xtrap and analyzed its protection behaviour?


XTrap does have a kernel mode driver, depending on the revision of it.

If the game is using an old revision of XTrap you can fairly easily remove it from the game. Locate where XTrap's main module is loaded inside the game (they used LoadLibraryA in old versions); there is a hash check against the module a few bits later. You can remove the LoadLibrary call, skip the hash check, and fake the return to make the game think XTrap loaded, which in turn will remove it from the game fully.

But if the game is using an updated revision it may not be as easy.

_________________
- Retired.
listito
Cheater
Reputation: 0

Joined: 31 Dec 2010
Posts: 35

Posted: Sun Jan 02, 2011 7:52 pm

I just did it, I removed the call which loads xtrap.dll and xtrap itself, but the shit are the heartbeat packets

so, I've sniffed the packets and realized when xtrap is not loaded it sends wrong packets to server and my conn gets killed Shocked

so, why deactivate xtrap when we can fool it and continue the heartbeat packets as if nothing was changed? Twisted Evil
atom0s
Moderator
Reputation: 198

Joined: 25 Jan 2006
Posts: 8516
Location: 127.0.0.1

Posted: Sun Jan 02, 2011 7:58 pm

listito wrote:
I just did it, I removed the call which loads xtrap.dll and xtrap itself, but the shit are the heartbeat packets

so, I've sniffed the packets and realized when xtrap is not loaded it sends wrong packets to server and my conn gets killed Shocked

so, why deactivate xtrap when we can fool it and continue the heartbeat packets as if nothing was changed? Twisted Evil


Was simply a suggestion depending on the revision being used. In older versions or games that didn't make use of the packet checks, you could just remove Xtrap fully.

If you want to trick it, go for it. The packets probably contain some hashing for code compares and so on, so tricking it will involve more than just changing some code or hooking things, more than likely.

_________________
- Retired.
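The guess above, that heartbeat packets carry hashes of the client's code, describes a common server-side integrity design. As an added example (not from the thread, and not XTrap's actual protocol, which the thread does not document), the server below picks a fresh nonce and code region per heartbeat and checks the answer against its own reference copy, so the check does not depend on a client-side module being loaded. `HeartbeatServer`, `region_digest` and the sample image are hypothetical names and constructed data.

```python
import hashlib
import hmac
import secrets

REFERENCE_IMAGE = bytes(range(256)) * 16  # constructed stand-in, not real game bytes
REGION_LEN = 256


def region_digest(image, nonce, offset, length):
    """Hash a fresh nonce together with one region of the module image."""
    return hashlib.sha256(nonce + image[offset:offset + length]).digest()


class HeartbeatServer:
    """Hypothetical server side: issues challenges and checks the answers."""
    def __init__(self, reference_image):
        self.image = reference_image
        self.pending = {}  # challenge id -> (nonce, offset)

    def issue_challenge(self):
        nonce = secrets.token_bytes(16)
        offset = secrets.randbelow(len(self.image) - REGION_LEN + 1)
        cid = secrets.token_hex(8)
        self.pending[cid] = (nonce, offset)
        return cid, nonce, offset

    def verify(self, cid, response):
        # pop() makes each challenge single-use, so a captured answer cannot be reused.
        challenge = self.pending.pop(cid, None)
        if challenge is None:
            return False
        nonce, offset = challenge
        expected = region_digest(self.image, nonce, offset, REGION_LEN)
        return hmac.compare_digest(expected, response)


def demo():
    server = HeartbeatServer(REFERENCE_IMAGE)
    cid, nonce, off = server.issue_challenge()
    good = region_digest(REFERENCE_IMAGE, nonce, off, REGION_LEN)
    honest = server.verify(cid, good)          # unmodified client
    reused = server.verify(cid, good)          # same challenge id answered twice
    cid2, _, _ = server.issue_challenge()
    stale = server.verify(cid2, good)          # old answer against a fresh nonce
    cid3, nonce3, off3 = server.issue_challenge()
    changed = bytearray(REFERENCE_IMAGE)
    changed[off3] ^= 0xFF                      # one byte differs inside the region
    modified = server.verify(cid3, region_digest(bytes(changed), nonce3, off3, REGION_LEN))
    return honest, reused, stale, modified
```

Because the region is chosen at random per heartbeat, a single modified byte is only caught when a challenge happens to cover it; the demo places the change inside the challenged region to make the result deterministic.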
listito
Cheater
Reputation: 0

Joined: 31 Dec 2010
Posts: 35

Posted: Sat Jan 08, 2011 12:08 pm

I have just analyzed its behavior:

XP 32bits

1 - SSDT and SSDT shadow hooking, including NtOpenProcess() and NtReadVirtualMemory()
2 - changes one entry in IDT
3 - modifies one indirect call in win32.sys

the funny thing is I can open the process normally with OpenProcess() and I do get a valid handle, but ReadProcessMemory() returns error even after fixing all hooks (less the hooked call in win32.sys; when I do that, the game quits)


still trying to understand how it blocks openprocess() in win7 x64
All times are GMT - 6 Hours