XTrap Bypass

01/30/2017 12:43 Hate123#1
Hi guys!
So I've been working on trying to disable XTrap on Steam.

Being a person that's still learning how to Reverse Engineer I'm having some troubles.

What I've done so far in order to disable xtrap was to find where LoadLibrary loaded XTrapVa.dll, I then managed to find every place that either referenced XTrapVa.dll or in one case where they put it together from individual letters, and disabled that.

Once Engine couldn't load XTrapVa.dll I found the function (that I think) initializes XTrap and nopped that out.

At this point XTrap no longer runs, the dll is not loaded at least.

At this point I noticed that Steam would close the game (or the API, to be precise) because SteamAppId was not being set in an environment variable, so I did that. And Steam stopped closing the game.

However, once the game starts up it immediately closes!
I'm having trouble figuring out why, so I wondered if anyone else has any tips on how I can disable it?

My code so far is the following:

Code:
		SetEnvironmentVariable("SteamAppId", "475100");

		// Working Disable Load
		BYTE Replace = 0x54;
		MemcpyEx(0x008BA7F2, (DWORD)&Replace, 1);
		MemcpyEx(0x00815A8A, (DWORD)&Replace, 1);

		//00815E3A   - len 16
		const char* replace1 = "\x8B\x16\x8B\xCE\xEB\x0A\x30\x5F\x5E\x33\xC0\x5B\x8B\xE5\x5D\xC3";
		MemcpyEx(0x00815E3A, (DWORD)replace1, 16);

		//00815E4A   - len 16
		const char* replace2 = "\xB9\x18\x00\x00\x00\x8D\xB5\x20\xFC\xFF\xFF\xBF\x50\x5E\x9C\x00";
		MemcpyEx(0x00815E4A, (DWORD)replace2, 16);

		//const char* ReplaceLine = "\xEB\x06\x90\x90\x90\x83\xC4\x08\xFF\x15\x04\x16\x82\x00\x0F\xB6";
		const char* ReplaceLine = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";
		MemcpyEx(0x00776ED2, (DWORD)ReplaceLine, 17 );
Excuse the mess, at this point I'm less concerned about it being beautiful, and more just tampering around trying to learn :).

Thanks!
01/30/2017 14:27 pamz12#2
you don't really need to "bypass" xtrap, use a different hook, detours are detected I think
01/30/2017 14:34 Hate123#3
Quote:
Originally Posted by pamz12
you don't really need to "bypass" xtrap, use a different hook, detours are detected I think
Hmm, alright. But I noticed that whenever I try to make a proxy dll it will always detect them. I only tried about 3-4 of them.

Injecting the DLL itself wasn't possible either as they seem to detect that.

I'll try using a couple of other DLLs to see if I can make a proxy DLL that isn't detected.
So far the following that I've tried were detected:

winmm.dll
psapi.dll
ws2_32.dll
version.dll
d3dx9_29.dll
dsound.dll

I'll see if another one could sneak by undetected.

Edit: I tried msimg32.dll as well and it immediately detects it :/.
01/31/2017 01:41 katze123#4
Quote:
Originally Posted by Hate123
Hmm, alright. But I noticed that whenever I try to make a proxy dll it will always detect them. I only tried about 3-4 of them.

Injecting the DLL itself wasn't possible either as they seem to detect that.

I'll try using a couple of other DLLs to see if I can make a proxy DLL that isn't detected.
So far the following that I've tried were detected:

winmm.dll
psapi.dll
ws2_32.dll
version.dll
d3dx9_29.dll
dsound.dll

I'll see if another one could sneak by undetected.

Edit: I tried msimg32.dll as well and it immediately detects it :/.
They are monitoring the threads. The DLL injection is not detected; the thread creation is.
01/31/2017 22:35 Staviko#5
I am not sure whether engine.exe/xTrap is sending an OK message to the server every X time; the packet length is 133 bytes.

But anyway, for sure there is some check like:

if (!isDLL_Loaded("XTrapVa.dll")) {
    system.exit(0);
}

If I was xTrap/engine I would use this in my main load function when it's finished:

EnumProcessModules

If there is no check like this then they are really dumb.
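The check Staviko sketches, written out as an added example from the game's anti-tamper side (this is not code from the thread or from XTrap): the portable core compares a list of loaded module paths against a required DLL name, and on Windows the list comes from EnumProcessModules. The function names, the module list and the 1024-module buffer are my own assumptions.

```c
#include <stdio.h>
#include <ctype.h>
/* Case-insensitive compare: the Windows loader treats module names
 * case-insensitively, so "xtrapva.dll" must match "XTrapVa.dll". */
static int names_equal_ci(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == '\0' && *b == '\0';
}

/* Strip the directory: "C:\game\XTrapVa.dll" -> "XTrapVa.dll". */
static const char *base_name(const char *path) {
    const char *last = path;
    for (; *path; path++)
        if (*path == '\\' || *path == '/') last = path + 1;
    return last;
}

/* Portable core of the check: 1 if `required` is among the module paths, else 0. */
int required_module_present(const char *const *modules, size_t count,
                            const char *required) {
    for (size_t i = 0; i < count; i++)
        if (names_equal_ci(base_name(modules[i]), required)) return 1;
    return 0;
}

#ifdef _WIN32
#include <windows.h>
#include <psapi.h>
/* On Windows, snapshot the real module list of this process (link with psapi.lib). */
int required_module_loaded(const char *required) {
    HMODULE mods[1024]; DWORD needed = 0;
    if (!EnumProcessModules(GetCurrentProcess(), mods, sizeof mods, &needed)) return 0;
    DWORD n = needed / sizeof(HMODULE); if (n > 1024) n = 1024;
    for (DWORD i = 0; i < n; i++) {
        char name[MAX_PATH];
        if (GetModuleBaseNameA(GetCurrentProcess(), mods[i], name, sizeof name) &&
            names_equal_ci(name, required)) return 1;
    }
    return 0;
}
#endif

int main(void) {
    /* Constructed module list standing in for a real process snapshot. */
    const char *const loaded[] = { "C:\\game\\Engine.exe", "C:\\Windows\\System32\\kernel32.dll",
                                   "C:\\game\\xtrapva.dll" };
    int ok = required_module_present(loaded, 3, "XTrapVa.dll");
    puts(ok ? "anti-tamper module present" : "anti-tamper module missing, exiting");
    return ok ? 0 : 1;
}
```

A real deployment would call `required_module_loaded("XTrapVa.dll")` after initialization and periodically afterwards, since a one-time check at load is the easiest to patch out.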
02/02/2017 01:17 Staviko#6
1-00416936___004b9894/008b9894
NtTerminateProcess