The Official Site of Cheat Engine
C++ Bypassing
Cheat Engine Forum Index -> General programming
Xoujiro
Advanced Cheater
Reputation: 0

Joined: 20 Mar 2006
Posts: 86

Posted: Fri Aug 15, 2008 4:30 am    Post subject: C++ Bypassing

I have a few questions about bypassing XTRAP. I'm still new to this, and I've encountered a few problems...

1. When I use the OpenProcess function, XTRAP detects it somehow and sends an error closing my game. How can I bypass this?

2. Do hooks made by anti-cheat send an error, or just render my function useless?

3. How can I stop my game from launching XTrap? I know you have to use Olly, but what next?

4. What is the difference between NtOpenProcess and OpenProcess?

5. I need some examples of System Service Descriptor Hook functions.


Thanks to all who help...
Slugsnack
Grandmaster Cheater Supreme
Reputation: 71

Joined: 24 Jan 2007
Posts: 1857

Posted: Fri Aug 15, 2008 4:58 am

1) OpenProcess could be being hooked, in which case, if it is a usermode hook, an easy way to bypass it is to trampoline past the hook. Otherwise, you can make the call to OpenProcess before XTrap loads up. The method I am using to be able to still use OpenProcess even though it is hooked (in a GameGuard protected game) is to find the PID before GameGuard even loads up by taking snapshots of the active processes and iterating through them till I get an ExeFile match. Then I read off the PID and make the call as soon as that happens.

2) Depends how the hook is installed. Some hooks will disconnect the game if it detects your call and others can just silently block your function.

3) Find where XTrap's process is being created and block that call. You will probably need to unpack the game for easier analysis of the client though. There are also likely to be checks for whether XTrap was loaded properly so you need to analyse those checks and spoof/deal with them.

4) NtOpenProcess is the kernel/native API corresponding to OpenProcess. OpenProcess calls NtOpenProcess within its function. Unfortunately native APIs are nowhere near as well documented by Microsoft as the general usermode ones. If you need some help getting material about those, give me a shout, I know where I would look for more documentation.

5) Sorry, can't help you there.
Xoujiro
Advanced Cheater
Reputation: 0

Joined: 20 Mar 2006
Posts: 86

Posted: Fri Aug 15, 2008 5:09 am

Slugsnack wrote:
1) OpenProcess could be being hooked, in which case, if it is a usermode hook, an easy way to bypass it is to trampoline past the hook. Otherwise, you can make the call to OpenProcess before XTrap loads up. The method I am using to be able to still use OpenProcess even though it is hooked (in a GameGuard protected game) is to find the PID before GameGuard even loads up by taking snapshots of the active processes and iterating through them till I get an ExeFile match. Then I read off the PID and make the call as soon as that happens.

2) Depends how the hook is installed. Some hooks will disconnect the game if it detects your call and others can just silently block your function.

3) Find where XTrap's process is being created and block that call. You will probably need to unpack the game for easier analysis of the client though. There are also likely to be checks for whether XTrap was loaded properly so you need to analyse those checks and spoof/deal with them.

4) NtOpenProcess is the kernel/native API corresponding to OpenProcess. OpenProcess calls NtOpenProcess within its function. Unfortunately native APIs are nowhere near as well documented by Microsoft as the general usermode ones. If you need some help getting material about those, give me a shout, I know where I would look for more documentation.

5) Sorry, can't help you there.


I found out that NtOpenProcess is hooked by a .sys file that deletes itself upon game exit lol.

I know there are checksum checks for whether XTrap is running. If I attach to my game using Olly, and Ctrl+G and search for CreateProcess (or something), is that where XTrap is loaded?

And "calling OpenProcess before XTrap loads": does this mean that you open the process before XTrap loads? But I think it checks to see if my trainer is attached to XTrap, and I want to find out how to bypass other functions, not only OpenProcess. I'll try to read up on trampolining.

Thanks for the fast reply.
Slugsnack
Grandmaster Cheater Supreme
Reputation: 71

Joined: 24 Jan 2007
Posts: 1857

Posted: Fri Aug 15, 2008 5:23 am

Not sure you will be able to find all intermodular calls just with Ctrl-G. Chances are, if it is packed, Olly will not be too much help telling you where the call is made. Also bear in mind that it is not always as simple as just a call to CreateProcess. For example, the program could use GetModuleHandle/LoadLibrary and GetProcAddress, and I'm not 100% sure whether Olly would still be able to see that as a call to CreateProcess. In fact, a simple 1-byte trampoline would even fool Olly, I'm pretty sure, so you might have to do a bit more investigating if it is not clear at first glance.

Read the documentation of OpenProcess and CreateProcess; they're not the same.

Depending on what other functions you want to bypass, you may have to use other methods. Trampolining will only work on usermode hooks (unless you code a driver for kernel access). Also I expect even deeper functions such as KiAttachProcess, etc. are hooked, so you will need to do a bit more analysis of XTrap's hooks.

Here is the general concept of a trampoline. This will work if the protection system is hooking by overwriting a small number of bytes in the function with a near jump to its own function. So when the hooked API is used, the protection system's function is called and checks, for example, is the handle specified for ReadProcessMemory the game I am protecting?! If yes, then it will tell you to fuck off. If not, it will let you pass.

So after we obtain the real address of the original API function, we find out what bytes were overwritten (it is good to do this dynamically rather than hardcode a stack frame setup like a lot of people do, since the first bytes are not always those). Also bear in mind that it could well be that it is not just the first 5 bytes which are hooked; this is just how GameGuard does it.

Anyway, we copy those overwritten bytes to our own function, then call that function. Within this newly defined function, you need to do a JMP to the real API address + number of hooked bytes. This means you are able to execute the overwritten bytes as well as jump over the hook. This will work only on functions hooked in usermode with the method I have outlined above. Remember that this is only how GameGuard's hooks work! XTrap may well be very different, but this is (I believe) the most common method of hooking.
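To make the hook mechanism described in the post above concrete from the detection side, here is an added example. It is not code from this thread or from any of the posters. It decodes whether the first bytes of a 32-bit x86 function form a 5-byte near jump (opcode E9 followed by a signed rel32 measured from the end of the instruction) and whether that jump lands outside the module that owns the function, which is the integrity heuristic that protection systems and scanners use to flag an inline hook. All addresses are constructed: the OpenProcess address 0x7C81E079 is the one quoted later in this thread, the kernel32 image range and the third-party module at 0x10000000 are assumed for the sample, and the clean prologue bytes are the standard hot-patchable `mov edi,edi / push ebp / mov ebp,esp` sequence.

```cpp
#include <cinttypes>
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <vector>

// Result of inspecting the first bytes of an exported function (32-bit x86).
struct PrologueCheck {
    bool     starts_with_jmp;   // byte 0 is E9: a 5-byte near jump sits where the prologue was
    uint32_t jump_target;       // absolute address the jump lands on (valid if starts_with_jmp)
    bool     target_in_module;  // jump stays inside the DLL that owns the function
};

// x86 "jmp rel32" is opcode E9 plus a little-endian signed 32-bit displacement,
// measured from the end of the 5-byte instruction:  target = addr + 5 + rel32.
static const size_t kJmpRel32Len = 5;

// Build the 5 bytes of a "jmp rel32" placed at `from` that lands on `to`.
// Used here only to construct the sample input; wrap-around mod 2^32 is intentional.
std::vector<uint8_t> encode_jmp_rel32(uint32_t from, uint32_t to) {
    uint32_t rel = to - (from + kJmpRel32Len);
    std::vector<uint8_t> out(kJmpRel32Len);
    out[0] = 0xE9;
    std::memcpy(&out[1], &rel, sizeof rel);   // little-endian, as x86 stores it
    return out;
}

// Decode the prologue bytes found at `func_addr` and report whether a near jump
// leads outside [module_base, module_base + module_size), the classic inline-hook signature.
PrologueCheck inspect_prologue(uint32_t func_addr, const uint8_t* bytes, size_t len,
                               uint32_t module_base, uint32_t module_size) {
    PrologueCheck r{};
    if (len < kJmpRel32Len || bytes[0] != 0xE9) return r;   // not a jmp rel32: nothing to flag
    uint32_t rel;
    std::memcpy(&rel, bytes + 1, sizeof rel);
    r.starts_with_jmp  = true;
    r.jump_target      = func_addr + kJmpRel32Len + rel;    // unsigned add equals signed rel32 mod 2^32
    r.target_in_module = (r.jump_target - module_base) < module_size;   // wraps to a huge value if below base
    return r;
}

int main() {
    // Constructed sample (assumed values): kernel32 mapped at 0x7C800000 with size 0xF6000,
    // OpenProcess at the address quoted in the thread, and a hook landing in an assumed
    // third-party module mapped at 0x10000000.
    const uint32_t kernel32_base = 0x7C800000, kernel32_size = 0x000F6000;
    const uint32_t open_process  = 0x7C81E079;
    const uint8_t  clean[] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC};   // mov edi,edi / push ebp / mov ebp,esp
    std::vector<uint8_t> hooked = encode_jmp_rel32(open_process, 0x10001000);

    PrologueCheck a = inspect_prologue(open_process, clean, sizeof clean, kernel32_base, kernel32_size);
    PrologueCheck b = inspect_prologue(open_process, hooked.data(), hooked.size(), kernel32_base, kernel32_size);
    std::printf("clean : jmp=%d\n", a.starts_with_jmp);
    std::printf("hooked: jmp=%d target=%08" PRIX32 " in_module=%d\n",
                b.starts_with_jmp, b.jump_target, b.target_in_module);
    return 0;
}
```

The same check run over the live prologue of every exported function, compared with the bytes of the on-disk image, is how a scanner tells an intentional hot-patch jump that stays inside the DLL from a redirect into foreign code; a jump that stays inside the module is not by itself a finding.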
Xoujiro
Advanced Cheater
Reputation: 0

Joined: 20 Mar 2006
Posts: 86

Posted: Fri Aug 15, 2008 5:32 am

Slugsnack wrote:
Not sure you will be able to find all intermodular calls just with Ctrl-G. Chances are, if it is packed, Olly will not be too much help telling you where the call is made. Also bear in mind that it is not always as simple as just a call to CreateProcess. For example, the program could use GetModuleHandle/LoadLibrary and GetProcAddress, and I'm not 100% sure whether Olly would still be able to see that as a call to CreateProcess. In fact, a simple 1-byte trampoline would even fool Olly, I'm pretty sure, so you might have to do a bit more investigating if it is not clear at first glance.

Read the documentation of OpenProcess and CreateProcess; they're not the same.

Depending on what other functions you want to bypass, you may have to use other methods. Trampolining will only work on usermode hooks (unless you code a driver for kernel access). Also I expect even deeper functions such as KiAttachProcess, etc. are hooked, so you will need to do a bit more analysis of XTrap's hooks.

Here is the general concept of a trampoline. This will work if the protection system is hooking by overwriting a small number of bytes in the function with a near jump to its own function. So when the hooked API is used, the protection system's function is called and checks, for example, is the handle specified for ReadProcessMemory the game I am protecting?! If yes, then it will tell you to fuck off. If not, it will let you pass.

So after we obtain the real address of the original API function, we find out what bytes were overwritten (it is good to do this dynamically rather than hardcode a stack frame setup like a lot of people do, since the first bytes are not always those). Also bear in mind that it could well be that it is not just the first 5 bytes which are hooked; this is just how GameGuard does it.

Anyway, we copy those overwritten bytes to our own function, then call that function. Within this newly defined function, you need to do a JMP to the real API address + number of hooked bytes. This means you are able to execute the overwritten bytes as well as jump over the hook. This will work only on functions hooked in usermode with the method I have outlined above. Remember that this is only how GameGuard's hooks work! XTrap may well be very different, but this is (I believe) the most common method of hooking.


So it's like:

Original OpenProcess -> changed by XTrap to prevent us from using it

and we have to do:

Original OpenProcess -> changed by XTrap -> changed by our function back to the original one

OK, how do I get the real address of OpenProcess?
Renkokuken
GO Moderator
Reputation: 4

Joined: 22 Oct 2006
Posts: 3249

Posted: Fri Aug 15, 2008 5:52 am

May I ask what game this is for?

As for the address of OpenProcess, call GetProcAddress.
Xoujiro
Advanced Cheater
Reputation: 0

Joined: 20 Mar 2006
Posts: 86

Posted: Fri Aug 15, 2008 5:54 am

Renkokuken wrote:
May I ask what game this is for?

As for the address of OpenProcess, call GetProcAddress.


It's for WolfTeam. Thanks for your link.
Slugsnack
Grandmaster Cheater Supreme
Reputation: 71

Joined: 24 Jan 2007
Posts: 1857

Posted: Fri Aug 15, 2008 6:41 am

If GetProcAddress happens to be hooked, the next easiest way of getting the current address of an API is importing it with your module, then reading it off the IAT, or directly reading it from the DLL's EAT.
Xoujiro
Advanced Cheater
Reputation: 0

Joined: 20 Mar 2006
Posts: 86

Posted: Fri Aug 15, 2008 9:38 am

Quote:

#include <windows.h>
#include <iostream>
using namespace std;
DWORD OpenProcessAddy;   // holds the function address as a 32-bit integer
OpenProcessAddy = (DWORD)GetProcAddress(GetModuleHandleA("kernel32.dll"), "OpenProcess");
cout << "OpenProcess : " << OpenProcessAddy << endl;   // prints the address as a decimal integer


I ran this in a trainer without XTrap and I got 2088886393 as a value lol.... What should I change the DWORD into?
Zand
Master Cheater
Reputation: 0

Joined: 21 Jul 2006
Posts: 424

Posted: Fri Aug 15, 2008 10:50 am

That's probably correct. You don't change that.
Xoujiro
Advanced Cheater
Reputation: 0

Joined: 20 Mar 2006
Posts: 86

Posted: Fri Aug 15, 2008 6:12 pm

So... how do I change it into an address?
Renkokuken
GO Moderator
Reputation: 4

Joined: 22 Oct 2006
Posts: 3249

Posted: Fri Aug 15, 2008 6:16 pm

Xoujiro wrote:
So... how do I change it into an address?

You're displaying it as an integer; convert it to hexadecimal.
Xoujiro
Advanced Cheater
Reputation: 0

Joined: 20 Mar 2006
Posts: 86

Posted: Fri Aug 15, 2008 6:43 pm

Quote:
7c81e079


OK, thanks. Can I use Olly to check which bytes are overwritten?
sponge
I'm a spammer
Reputation: 1

Joined: 07 Nov 2006
Posts: 6009

Posted: Fri Aug 15, 2008 6:47 pm

Xoujiro wrote:
Quote:
7c81e079


OK, thanks. Can I use Olly to check which bytes are overwritten?
XTrap will detect a barebones Olly.
Xoujiro
Advanced Cheater
Reputation: 0

Joined: 20 Mar 2006
Posts: 86

Posted: Fri Aug 15, 2008 6:58 pm

sponge wrote:
Xoujiro wrote:
Quote:
7c81e079


OK, thanks. Can I use Olly to check which bytes are overwritten?
XTrap will detect a barebones Olly.


I have a plugin so I am able to attach to WolfTeam.
All times are GMT - 6 Hours
Page 1 of 2