
How to make a process don't call TerminateProcess API?

Discussion on How to make a process don't call TerminateProcess API? within the C/C++ forum part of the Coders Den category.

 
Old   #1
 
elite*gold: 0
Join Date: Jun 2010
Posts: 15
Received Thanks: 0
How to make a process don't call TerminateProcess API?

Hi people, I have a question.
What can I do so the game doesn't call the TerminateProcess API?
I'm asking this because I found a way to disable xtrap loading. I can load the game without it, but a few minutes later the game closes itself. What could I do to avoid it?
I was thinking of writing a DLL that NOPs these calls used by the game, but I don't know exactly how to do it or if it will work.
Cr4ck3r385 is offline  
Old 08/25/2013, 16:17   #2
 
scodeih's Avatar
 
elite*gold: 3
Join Date: Dec 2012
Posts: 79
Received Thanks: 9
I'm not sure if you even can... TerminateProcess API is a function made to run the game processes, so you can't do anything about it. Tell me if I'm wrong. I'm new at this ****..
scodeih is offline  
Old 08/25/2013, 16:17   #3


 
Jeoni's Avatar
 
elite*gold: 966
Join Date: Apr 2010
Posts: 1,104
Received Thanks: 681
@scodeih: TerminateProcess is not to 'run' but to 'terminate' the process. So the idea of the thread creator is to avoid calls to TerminateProcess so the process won't close, even if XCrap detected a cheat program.

I don't think it will be enough to just avoid TerminateProcess / ExitProcess as this would be way too easy.
Get the address of the function (Exit- or TerminateProcess) via GetProcAddress & GetModuleHandle or hardcode the address (works fine as afaik kernel32 won't change its base address). Now overwrite the first bytes of the function with a 'ret' statement, so that the function will instantly return instead of doing what it should do. But keep in mind that the winapi uses stdcalls, so the ret statement has to clean up the stack. So you have to write 'ret <size of all function params in bytes>', which would be 'ret 4' for ExitProcess and 'ret 8' for TerminateProcess.
In opcodes these statements would be C2 0400 for 'ret 4' and C2 0800 for 'ret 8'.
Of course you could install a hook at the functions instead of simply overwriting the first bytes but this would be more difficult and can't be done from an external process.
Hope it helps and don't hesitate to PM me if you got a question.
Jeoni
Jeoni is offline  
Thanks
2 Users
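Seen from the defending side, the patch described in post #3 is visible because it changes the first bytes of the function. An added example, not part of the thread and not taken from any anti-cheat product: a C routine that compares a function's live entry bytes with a trusted reference copy and flags a `ret` / `ret imm16` stub (such as C2 0800) or a jmp hook. The names `check_entry`, `enum verdict` and the sample byte arrays are constructed for illustration, and the reference bytes are assumed to come from a trusted copy of the module.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdict for the first bytes of an API function, compared with a trusted copy. */
enum verdict { ENTRY_OK, ENTRY_RET_STUB, ENTRY_JMP_HOOK, ENTRY_MODIFIED };

/* live: bytes read from the function's entry point in the running process.
 * ref:  the same bytes from a trusted reference (assumption: the caller
 *       obtained them from the on-disk module, mapped and relocated).
 * On ENTRY_RET_STUB, *stack_bytes receives the stdcall cleanup size. */
enum verdict check_entry(const uint8_t *live, const uint8_t *ref, size_t len,
                         unsigned *stack_bytes)
{
    *stack_bytes = 0;
    if (len == 0 || memcmp(live, ref, len) == 0)
        return ENTRY_OK;                      /* identical to the reference */
    if (live[0] == 0xC3)                      /* ret */
        return ENTRY_RET_STUB;
    if (live[0] == 0xC2 && len >= 3) {        /* ret imm16, little-endian */
        *stack_bytes = (unsigned)live[1] | ((unsigned)live[2] << 8);
        return ENTRY_RET_STUB;
    }
    if (live[0] == 0xE9 || live[0] == 0xEB || /* jmp rel32 / jmp rel8 */
        (len >= 2 && live[0] == 0xFF && live[1] == 0x25)) /* jmp [mem] */
        return ENTRY_JMP_HOOK;
    return ENTRY_MODIFIED;                    /* changed in some other way */
}

/* Constructed sample bytes, not dumped from any real module. */
static const uint8_t SAMPLE_REF[5]  = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };
static const uint8_t SAMPLE_RET8[5] = { 0xC2, 0x08, 0x00, 0x8B, 0xEC };
static const uint8_t SAMPLE_JMP[5]  = { 0xE9, 0x10, 0x20, 0x30, 0x40 };
static const uint8_t SAMPLE_NOP[5]  = { 0x90, 0x90, 0x90, 0x90, 0x90 };

int main(void)
{
    unsigned n;
    enum verdict v = check_entry(SAMPLE_RET8, SAMPLE_REF, 5, &n);
    printf("ret stub: verdict=%d, pops %u bytes\n", v, n);
    v = check_entry(SAMPLE_JMP, SAMPLE_REF, 5, &n);
    printf("jmp hook: verdict=%d\n", v);
    return 0;
}
```

Comparing against the reference first matters because some exports legitimately begin with a jmp to another module; only a difference from the trusted bytes is reported.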
Old 08/25/2013, 17:14   #4
 
elite*gold: 0
Join Date: Jun 2010
Posts: 15
Received Thanks: 0
Thanks for the info ^^
Have a nice day.
Cr4ck3r385 is offline  
Old 08/25/2013, 18:45   #5

 
snow's Avatar
 
elite*gold: 724
Join Date: Mar 2011
Posts: 10,480
Received Thanks: 3,319
Disabling XTrap isn't that easy, the server expects some keep-alive packets and if they're not processed & sent after some time (~2 minutes) you'll get a disconnect / ban.
Also there's no point in removing the TerminateProcess function, it's a function that gets called when the server already made his decision about the client..

@Jeoni: Don't know if it's in general but I had to deal with changing kernel32 function addresses recently..
snow is offline  
Old 08/25/2013, 19:08   #6
 
elite*gold: 0
Join Date: Jun 2010
Posts: 15
Received Thanks: 0

Quote:
Originally Posted by snow911
Disabling XTrap isn't that easy, the server expects some keep-alive packets and if they're not processed & sent after some time (~2 minutes) you'll get a disconnect / ban.
Also there's no point in removing the TerminateProcess function, it's a function that gets called when the server already made his decision about the client..

@Jeoni: Don't know if it's in general but I had to deal with changing kernel32 function addresses recently..
Hey man, I'm trying this because I have a function which makes my char immortal (it locks HP, MP, STM). If I run my DLL, xtrap detects it on the login screen, "abnormal acess memory", but I have an Xtrap bypass which lets me inject my DLL, and I can use it for 1 or 2 minutes and then I get kicked off.
The offsets that I have to use in this function I received from a friend who makes hacks for Priston, but he makes his hacks using Delphi. These offsets work with Delphi (I don't know why xtrap doesn't detect it), but in C++ it gets caught by xtrap. I think maybe I have to inject code before the AC loads?
Or even if I inject the code before the AC loads, will it be detected? But how does it work with others? And I have other functions in my hack that work normally (teleport, hairstyle, HP, MP, STM regen), but I want to make that "lock" HP, MP, STM function work.
Cr4ck3r385 is offline  
Old 08/25/2013, 19:27   #7


 
MrSm!th's Avatar
 
elite*gold: 7110
Join Date: Jun 2009
Posts: 28,904
Received Thanks: 25,394
Pointless. You have to fight the origin of that decision, not the symptom.
MrSm!th is offline  
Old 08/25/2013, 20:08   #8
 
elite*gold: 0
Join Date: Jun 2010
Posts: 15
Received Thanks: 0
Quote:
Originally Posted by MrSm!th
Pointless. You have to fight the origin of that decision, not the symptom.
Explain it better.
Anyway, cool sign.
Cr4ck3r385 is offline  
Old 08/25/2013, 20:32   #9
 
Dr. Coxxy's Avatar
 
elite*gold: 0
Join Date: Feb 2011
Posts: 1,206
Received Thanks: 736
EDIT: just read snow's post.
Seems like XTrap is sending heartbeats to the server, since you removed it, they won't be sent.
The server notes this and kicks you - you can't prevent this, however you might be able to fake the heartbeats of xtrap or make your code undetected and let xtrap run normally.
Dr. Coxxy is offline  
Old 08/25/2013, 22:17   #10


 
MrSm!th's Avatar
 
elite*gold: 7110
Join Date: Jun 2009
Posts: 28,904
Received Thanks: 25,394
Quote:
Originally Posted by Cr4ck3r385
Explain it better.
Anyway, cool sign.
When TerminateProcess is called the decision to close the game has been made long before.
When you just skip that API function, the game will simply stop working, because it expects the process to be closed.
MrSm!th is offline  