regarding Xtrap

Ask questions about cheating in any games you would like. Does not need to pertain to MicroMacro.
shurg_kalthalis
Posts: 4
Joined: Sat Jun 13, 2009 1:13 am

regarding Xtrap

#1 Post by shurg_kalthalis » Sun Jun 14, 2009 1:44 am

Okay, I'm teaching myself this as I go along, so I'm probably making noob mistakes....

Okay, I'm working on trying to bypass XTrap on a game I'm playing, mainly just because I want to be able to multi-client and maybe use a mining bot I had for it.
Now the problem is that when I load the game with a debugger attached, Themida picks it up. I researched online how to bypass the Themida detection and got that problem solved. Now the problem is that I can't find where the XTrap insertion is, because the second I run the process through the debugger, XTrap finds it and closes the debugger AND the game....

Now I could just ask someone to make it, but I'd rather learn for myself so that I'm not classed as a leecher (because I've done some things with games that didn't have any protection).

When I debug xtrap.xt, I just get dumped into a spot that says nt.dll debug insertion point....

Any help would be appreciated.

Unfortunately I can't find any tutorials ANYWHERE that I can even reference dealing with GG or XTrap.... (Of course, I might not have searched smartly either; if that's the case I claim ignorance and stupidity on that and take all flames.)

I was looking at the no-GG patch for Shaiya, hoping to find something to reference, but came to a stumbling block when I couldn't read the upatch file....

Again, any help would be appreciated, and to those that help me, I'm more than willing to share the fruits of anything I develop with them for free as a thank you.

Administrator
Site Admin
Posts: 5306
Joined: Sat Jan 05, 2008 4:21 pm

Re: regarding Xtrap

#2 Post by Administrator » Sun Jun 14, 2009 2:45 am

You don't need to run the game in the debugger to remove XTrap. First, is the game packed or unpacked (or do you even know how to tell)? If it is unpacked, then that is step 1. Next, try deleting/renaming all of the XTrap related files so that when you start the game, it will hopefully give you some sort of error message. You can then search for all referenced text strings, and find a rough location of where the checks are being done. Just manipulate the JMP/JNZ/JNE/whatever else to your favor. Export your changes, and test.

shurg_kalthalis
Posts: 4
Joined: Sat Jun 13, 2009 1:13 am

Re: regarding Xtrap

#3 Post by shurg_kalthalis » Sun Jun 14, 2009 5:18 am

Administrator wrote: You don't need to run the game in the debugger to remove XTrap. First, is the game packed or unpacked (or do you even know how to tell)? If it is unpacked, then that is step 1. Next, try deleting/renaming all of the XTrap related files so that when you start the game, it will hopefully give you some sort of error message. You can then search for all referenced text strings, and find a rough location of where the checks are being done. Just manipulate the JMP/JNZ/JNE/whatever else to your favor. Export your changes, and test.
Thanks for the pointers. I'll look into unpacking the game (I very much doubt it's unpacked; it's still in its installed form, so I'll just admit I have no idea how to even tell). As I said before, I used to do stuff with old-style online games, ones I could simply hook into and do my business.

shurg_kalthalis
Posts: 4
Joined: Sat Jun 13, 2009 1:13 am

Re: regarding Xtrap

#4 Post by shurg_kalthalis » Sun Jun 14, 2009 5:47 am

Meh, just realized what time it was....
I started unpacking the .exe, but when I do, Themida chokes and gives me an internal exception, Address: 0xa5ef86

The client is protected by Themida 1.9.xx-2.x.x.x.

Any pointers? (I looked up some Themida unpackers and it seems that none of them want to work..... I did find a nice semi-walkthrough of how to do it with a script and OllyDbg, but wasn't sure if maybe you had some resources you could share.)

Administrator
Site Admin
Posts: 5306
Joined: Sat Jan 05, 2008 4:21 pm

Re: regarding Xtrap

#5 Post by Administrator » Sun Jun 14, 2009 6:00 am

When you load the game (not run, just open) in your debugger, it should (typically) tell you that the program is packed if it is. Under a 64-bit OS using OllyDbg, I notice I need to manually select the proper thread from the thread list and then analyze it (CTRL+A) before it will say whether it is packed or not.

Either way, it doesn't matter if it tells you this or not. You can usually tell just from how the code looks. Packed code doesn't make any logical sense. You'll see a lot of nonsensical commands. Under Olly, you will often see "char 'a' char 'b' etc." type comments after analyzing. You'll also notice a lot of unrecognized commands.


Here's an example of a packed executable:

007BC000     5B             DB 5B                                    ;  CHAR '['
007BC001     66             DB 66                                    ;  CHAR 'f'
007BC002     FE             DB FE
007BC003     FF             DB FF
007BC004     04104000       DD Prototyp.00401004
007BC008     03             DB 03
007BC009   . 07             DB 07
007BC00A   . 42 6F 6F 6C 65>ASCII "Boolean"
007BC011     01             DB 01
007BC012     00             DB 00
007BC013   . 092A           OR DWORD PTR DS:[EDX],EBP
007BC015   . 05 46B3DFDE    ADD EAX,DEDFB346
007BC01A   . FF61 6C        JMP DWORD PTR DS:[ECX+6C]
007BC01D     73             DB 73                                    ;  CHAR 's'
007BC01E     65             DB 65                                    ;  CHAR 'e'
007BC01F   . 04             DB 04
007BC020   . 54 72 75 65    ASCII "True"
007BC024     8D             DB 8D
007BC025     1B             DB 1B
007BC026     2C             DB 2C                                    ;  CHAR ','
007BC027     22             DB 22                                    ;  CHAR '"'

And an excerpt from a healthy, unpacked executable:

005DF587  |> 3D 20523136    CMP EAX,36315220
005DF58C  |. 74 64          JE SHORT game.005DF5F2
005DF58E  |. 3D 47524742    CMP EAX,42475247
005DF593  |. 74 44          JE SHORT game.005DF5D9
005DF595  |. 3D 52474247    CMP EAX,47424752
005DF59A  |. 74 24          JE SHORT game.005DF5C0
005DF59C  |. 3D 55595659    CMP EAX,59565955
005DF5A1  |. 0F85 86000000  JNZ game.005DF62D
005DF5A7  |. 68 B0000000    PUSH 0B0
005DF5AC  |. E8 610BFDFF    CALL game.005B0112
005DF5B1  |. 85C0           TEST EAX,EAX
005DF5B3  |. 59             POP ECX
005DF5B4  |. 74 57          JE SHORT game.005DF60D
005DF5B6  |. 57             PUSH EDI                                 ; /Arg1
005DF5B7  |. 8BC8           MOV ECX,EAX                              ; |
005DF5B9  |. E8 C5F7FFFF    CALL game.005DED83                       ; \game.005DED83

As you examine more executables packed with different tools, you'll better understand what to look for. As for your second question about Themida, the short answer is to not do it. Start small. Look at cracking HackShield (incredibly easy), then GameGuard (moderate; still easy) first. Both of these can be cracked in (literally) minutes when you know what you're looking for, but I would strongly suggest doing it the long way and understanding the thought process involved in finding what you're looking for first.

Themida is a "good" packer that is difficult and time consuming to break, but not impossible by any means. It is often avoided for several reasons (not cheap; people dislike its rootkit-like status; etc.), so you don't come across it all too often. You can find a lot of good information on it here.

Is the game you're targeting packed with Themida, or just XTrap?

shurg_kalthalis
Posts: 4
Joined: Sat Jun 13, 2009 1:13 am

Re: regarding Xtrap

#6 Post by shurg_kalthalis » Sun Jun 14, 2009 6:08 am

Administrator wrote: Is the game you're targeting packed with Themida, or just XTrap?
The game itself is packed with Themida (I'll PM you the game name, because I don't wish to put it out there right now and get swarmed with people begging for leech stuff).

Administrator
Site Admin
Posts: 5306
Joined: Sat Jan 05, 2008 4:21 pm

Re: regarding Xtrap

#7 Post by Administrator » Sun Jun 14, 2009 6:25 am

I see. Often, the games themselves are not packed with Themida. Your best bet is to continue searching for tools and articles geared towards the exact version of Themida that game was packed with. It might also help to know how that game implements its use of Themida (yes, there are different types).

I would recommend checking Game Deception out and seeing if you can find any help from the users there. Many of them are far more knowledgeable about reverse engineering than I am and would be able to lead you to the right sources.

3cmSailorfuku
Posts: 354
Joined: Mon Jan 21, 2008 6:25 pm

Re: regarding Xtrap

#8 Post by 3cmSailorfuku » Sun Jun 14, 2009 8:52 am

shurg_kalthalis wrote: I don't wish to put it out there right now and get swarmed with ppl begging for leech stuff)
lol @ begging people for stuff that doesn't exist. Disabling XTrap can be done in multiple ways, but it really depends on how it's integrated into the game.
To comprehend what is going on you have to know, in C++, how the kernel-level mechanism works. For example, when iGunz still existed, it was possible to name your application or debugger just Explorer.exe to completely bypass everything, even IsDebuggerPresent (funny enough that no one realized this after like 2 years; they were so BUSY trying to remove XTrap, lol). In Hero Online (and various other games with XTrap) it was also possible to protect the kernel functions that would block XTrap itself, as long as XTrap initiated AFTER the actual game execution. In Maple Story they actually detoured the functions (because DeviceIoControl was still working?) to make the trampoline, which made it work again.

But nowadays XTrap is a little bit smarter, so you can't use these simple methods; it also might have a CRC check, so you have to fix this too. Or it can only authenticate the client if the XTrap routine is still intact. There are many factors that a tutorial couldn't cover; instead you have to understand yourself how it works, because then you will understand where you have to intervene to make your changes.
