Alternative to Detected C++ Code?
Discussion on Alternative to Detected C++ Code? within the C/C++ forum part of the Coders Den category.
08/15/2013, 23:58
#1
Hello guys, I just have a working piece of code that got 'caught' by XTrap.
When I remove it my DLL works fine with the other functions, and XTrap fails, but when I try to make this code work (again, because it was working some time ago), XTrap detects it easily!
See the code below:
Code:
else if( ( GetAsyncKeyState( VK_ADD ) & 1 ) == 1 )
{
    if( GetAsyncKeyState( VK_SHIFT ) & 0x8000 )
    {
        if( iHairStyle < 12 )
            iHairStyle++;
        PrintMessageOnChat( "Hairstyle #%d", iHairStyle );
    }
    else
    {
        if( iTeleport < TELEPORT_PLACES )
            iTeleport++;
        PrintMessageOnChat( "%s (%d)", szTeleportLocations[iTeleport], iTeleport );
    }
}
else if( ( GetAsyncKeyState( VK_SUBTRACT ) & 1 ) == 1 )
{
    if( GetAsyncKeyState( VK_SHIFT ) & 0x8000 )
    {
        if( iHairStyle > 0 )
            iHairStyle--;
        PrintMessageOnChat( "Hairstyle #%d", iHairStyle );
    }
    else
    {
        if( iTeleport != 0 )
            iTeleport--;
        PrintMessageOnChat( "%s (%d)", szTeleportLocations[iTeleport], iTeleport );
    }
}
else if( ( GetAsyncKeyState( VK_F12 ) & 1 ) == 1 )
{
    if( GetAsyncKeyState( VK_SHIFT ) & 0x8000 )
    {
        PrintMessageOnChat( "Changing hairstyle to #%d", iHairStyle );
        ChangeHairstyle( iHairStyle );
    }
    else
    {
        ChatPrintf( "Teleporting..." );
        Teleport( iTeleport );
        bValidate = true;
    }
}
Can you help me by sending some ideas on how to make it work in a different way?
Thank you.
08/16/2013, 01:29
#2
I don't know how XCrap exactly works, but I would recommend that you encrypt your strings (simple XOR encryption or something like that) and use function proxying to cover WinAPI calls (in your snippet only GetAsyncKeyState would fit this description) or any other calls to imported DLL functions.
Proxying would look like this for the WinAPI function OpenProcess:
Code:
typedef HANDLE (WINAPI* __OpenProcess)
(
    DWORD dwDesiredAccess,
    BOOL  bInheritHandle,
    DWORD dwProcessId
);

__forceinline HANDLE WINAPI _OpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId)
{
    // Module and export names are kept XOR-encrypted in the binary and decoded by XorStr at call time
    return reinterpret_cast<__OpenProcess>(
        GetProcAddress(
            GetModuleHandle(/*kernel32.dll*/ XorStr(12, 0xA8, 0xC342D44B, 0xC14F9113, 0x8E7BF271).c_str()),
            /*OpenProcess*/ XorStr(11, 0x9A, 0xD569FD79, 0xC667FB70, 0xF762E300).c_str()))
        (dwDesiredAccess, bInheritHandle, dwProcessId);
}
(I used a method called XorStr to decrypt the strings used in GetModuleHandle and GetProcAddress.)
Then just call _OpenProcess instead of OpenProcess. This method keeps the functions you use out of the IAT. Of course, you can cover the calls to GetModuleHandle and GetProcAddress too, if you want to (just pay attention that you don't lock yourself into an infinite loop). This is one easy way of doing it.
Next thing is that your code contains functions you didn't reveal to us (e.g. ChangeHairStyle, Teleport), which is OK. But I guess you do some memory writing there. Maybe XCrap validates these regions? So if you are standing here now and one second later some kilometers away, it's quite obvious, isn't it? The same thing could apply to your output to the in-game chat window (?) via PrintMessageOnChat. Maybe only specific functions are allowed to print something like that, so your call is being detected by that?
Hope that this will help you
Jeoni
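The string-encryption advice in this reply (and the decrypt() sketch later in the thread) only hides strings from a naive scan. The following is an added example, not code from the thread or from Jeoni: it shows the analyst's side of a constructed data section, where a strings(1)-style scan misses a single-byte-XOR string but a brute force over the 255 non-zero keys, keyed on format specifiers, recovers it together with the key. The key 0xC3, the sample bytes, the needle list and the function names are all constructed for this example.

```python
"""Recovering single-byte-XOR-obfuscated strings from a binary blob.
Added example (not from the thread): the analyst-side counterpart of
'encrypt your strings'. A constructed data section holds one plaintext
string and one string XORed with a constructed key (0xC3)."""
import string

# Printable ASCII bytes minus whitespace control characters, as ints.
PRINTABLE = frozenset(string.printable.encode()) - frozenset(b"\t\n\r\x0b\x0c")

def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same operation encodes and decodes."""
    return bytes(b ^ key for b in data)

# Constructed sample "data section": zero padding, a plaintext format string,
# int3 (0xCC) padding, the XOR-obfuscated string, more padding. Not a real DLL.
SAMPLE_KEY = 0xC3
SAMPLE_SECTION = (b"\x00" * 8
                  + b"Changing hairstyle to #%d\x00"
                  + b"\xcc" * 4
                  + xor_bytes(b"Hairstyle #%d\x00", SAMPLE_KEY)
                  + b"\xcc" * 6)

def find_strings(blob: bytes, min_len: int = 6) -> list:
    """Return runs of at least min_len printable bytes (what strings(1) shows)."""
    found, run = [], bytearray()
    for b in blob + b"\x00":            # trailing sentinel flushes the last run
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    return found

def find_xor_strings(blob: bytes, needles=("%d", "%s", ".dll"), min_len: int = 6) -> list:
    """Try every non-zero single-byte key and report (key, string) pairs whose
    decoded text contains a known token such as a printf format specifier.
    The token filter keeps runs of repeated padding bytes out of the results."""
    hits = []
    for key in range(1, 256):
        for s in find_strings(xor_bytes(blob, key), min_len):
            if any(n in s for n in needles):
                hits.append((key, s))
    return hits

if __name__ == "__main__":
    print("visible :", find_strings(SAMPLE_SECTION))   # only the plaintext string
    print("xor hits:", find_xor_strings(SAMPLE_SECTION))  # [(0xC3, 'Hairstyle #%d')]
```

Run it as a plain script; the point is that a constant-key XOR costs an analyst 255 decode attempts, so it changes which scan finds the string, not whether it is found.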
08/16/2013, 01:44
#3
Thank you for your answer, I made my code simpler for you to understand, and I enabled only the "ChangeHairstyle" function this time:
Code:
void HairStAdd()
{
    if( iHairStyle < 12 )
        iHairStyle = iHairStyle + 1;
    PrintMessageOnChat( "Hairstyle #%d", iHairStyle );
}

void HairStSub()
{
    if( iHairStyle > 0 )
        iHairStyle = iHairStyle - 1;
    PrintMessageOnChat( "Hairstyle #%d", iHairStyle );
}

void HairStSet()
{
    PrintMessageOnChat( "Changing hairstyle to #%d", iHairStyle );
    ChangeHairstyle( iHairStyle );
}

if( ( GetAsyncKeyState( VK_MENU ) & 0x8000 ) == 0x8000 )
{
    if( GetAsyncKeyState( VK_ADD ) & 1 )
    {
        HairStAdd();
    }
    if( GetAsyncKeyState( VK_SUBTRACT ) & 1 )
    {
        HairStSub();
    }
    if( GetAsyncKeyState( VK_F12 ) & 1 )
    {
        HairStSet();
    }
}
I have to tell you I have a "BugXtrap - Bypass" and I can use everything but only for one minute, and I inject this code and it works, BUT, with the updated XCRAP files, it doesn't work.
Also PrintMessageOnChat works great, it isn't the problem..
I think the problem is the strings, but I couldn't understand your explanation about "xor-encryption" and "proxyfying".
Isn't there maybe a simpler way to make it work?
I was also thinking about WriteProcessMemory, but I think it couldn't be used in this case.
08/16/2013, 02:17
#4
Well, if ChangeHairstyle is just about changing some address, WPM (+RPM if you need to read one or more pointer(s)) would work too. But XCrap could have detection methods for this too, I don't know.
With string encryption I mean something like this: imagine you have functions encrypt and decrypt, both taking a string as argument and returning the encrypted / decrypted string. Now, in your DLL you have the instruction "PrintMessageOnChat( "Hairstyle #%d", iHairStyle );" and you don't want the string "Hairstyle #%d" to be visible in your DLL's data section. Before you compile your DLL you use your encrypt function (from an external tool or something) to encrypt this string. Let's say your encrypted string is "ayicxzfgyeawdaop". Then you change your line "PrintMessageOnChat( "Hairstyle #%d", iHairStyle );" to
Code:
PrintMessageOnChat( decrypt("ayicxzfgyeawdaop"), iHairStyle );
Now only the encrypted string "ayicxzfgyeawdaop" is stored in your DLL, and it is decrypted at runtime (but not stored anywhere except a temporary heap buffer or the stack) in order to pass it to the PrintMessageOnChat function.
Now to the proxy functions. In order to understand them, you have to know how the IAT works: (reconstructing the IAT is interesting but not necessary for understanding it). Feel free to google it yourself if something is not clear.
So proxied functions avoid this system by getting the function pointer at runtime via GetModuleHandle / GetProcAddress and not via the IAT entry. Even more, the IAT address wouldn't just go unused, it also wouldn't be set (this is normally done at compile time), as the compiler doesn't know what function you want to execute (the call destination is acquired dynamically at runtime) and therefore won't write the IAT entry. For more information please refer to the link above and to the MSDN pages for GetProcAddress / GetModuleHandle.
Sorry if I confuse you with this. Maybe it's not necessary to get around XCrap, but I think it's quite useful in some cases.
I hope that this is clearer now
Jeoni
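For the IAT explanation above, here is what an import scanner actually sees. This is an added example, not code from the thread: it constructs a minimal PE32 image in memory (a constructed sample, not a real DLL) whose import directory lists only GetModuleHandleA, GetProcAddress and GetAsyncKeyState, walks that directory the way a static scanner or an anti-cheat module check does, and applies a small constructed heuristic: a module that imports GetProcAddress and almost nothing else is the telltale of runtime API resolution, which is itself a signal to a defender rather than cover. The names build_sample_pe, list_imports and looks_dynamically_resolved are this example's own.

```python
"""Walking a PE import table, i.e. what an import scanner sees in the IAT.
Added example (not code from this thread). The PE image is constructed in
memory: a minimal PE32 DLL whose only imports are GetModuleHandleA,
GetProcAddress and GetAsyncKeyState."""
import struct

SECTION_RVA, SECTION_RAW = 0x1000, 0x200   # single .rdata section, mapped 1:1
OPT_HDR_SIZE = 224                          # PE32 optional header (16 data dirs)

def build_sample_pe(imports):
    """Construct a minimal PE32 file holding only an import directory.
    Fields a parser does not need are left zero; this is a constructed sample."""
    sec = bytearray(20 * (len(imports) + 1))   # descriptors + null terminator

    def add(blob, align):                      # append to the section, return its RVA
        while len(sec) % align:
            sec.append(0)
        rva = SECTION_RVA + len(sec)
        sec.extend(blob)
        return rva

    for i, (dll, funcs) in enumerate(imports.items()):
        # IMAGE_IMPORT_BY_NAME: 2-byte hint followed by the NUL-terminated name
        names = [add(b"\x00\x00" + f.encode() + b"\x00", 2) for f in funcs]
        dll_rva = add(dll.encode() + b"\x00", 1)
        thunks = struct.pack("<%dI" % (len(names) + 1), *names, 0)
        int_rva = add(thunks, 4)               # Import Name Table
        iat_rva = add(thunks, 4)               # IAT, identical until the loader patches it
        struct.pack_into("<IIIII", sec, 20 * i, int_rva, 0, 0, dll_rva, iat_rva)

    hdr = bytearray(SECTION_RAW)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                       # e_lfanew
    hdr[0x40:0x44] = b"PE\x00\x00"
    # COFF header: i386, 1 section, no symbols, optional header size, DLL flags
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, OPT_HDR_SIZE, 0x2102)
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)                       # PE32 magic
    struct.pack_into("<II", hdr, opt + 96 + 8, SECTION_RVA, len(imports) * 20 + 20)
    sect = opt + OPT_HDR_SIZE
    hdr[sect:sect + 8] = b".rdata\x00\x00"
    struct.pack_into("<IIII", hdr, sect + 8, len(sec), SECTION_RVA, len(sec), SECTION_RAW)
    return bytes(hdr) + bytes(sec)

def _cstr(pe, off):
    return pe[off:pe.index(b"\x00", off)].decode("ascii")

def list_imports(pe):
    """Enumerate {dll: [function, ...]} from the import directory, the way a
    static scanner does. Only IAT-linked imports appear here; anything fetched
    with GetProcAddress at runtime is invisible to this walk."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    (nsec,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    opt = e_lfanew + 24
    pe32plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    datadir = opt + (112 if pe32plus else 96)
    (import_rva,) = struct.unpack_from("<I", pe, datadir + 8)     # entry 1 = imports
    sections = [struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)
                for i in range(nsec)]  # (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)

    def rva_to_off(rva):
        for vsize, va, rawsize, rawptr in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + rawptr
        raise ValueError("RVA %#x is not backed by any section" % rva)

    thunk_fmt, ordinal_flag = ("<Q", 1 << 63) if pe32plus else ("<I", 1 << 31)
    result = {}
    off = rva_to_off(import_rva) if import_rva else None
    while off is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", pe, off)
        if name_rva == 0 and ft == 0:
            break                              # all-zero descriptor ends the table
        funcs, toff = [], rva_to_off(oft or ft)  # prefer the INT; fall back to the IAT
        while True:
            (entry,) = struct.unpack_from(thunk_fmt, pe, toff)
            if entry == 0:
                break
            if entry & ordinal_flag:
                funcs.append("#%d" % (entry & 0xFFFF))          # import by ordinal
            else:
                funcs.append(_cstr(pe, rva_to_off(entry) + 2))  # skip the 2-byte hint
            toff += struct.calcsize(thunk_fmt)
        result[_cstr(pe, rva_to_off(name_rva))] = funcs
        off += 20
    return result

def looks_dynamically_resolved(imports):
    """Constructed heuristic: GetProcAddress imported alongside a very small
    import set suggests the module resolves its real APIs at runtime."""
    total = sum(len(f) for f in imports.values())
    return any("GetProcAddress" in f for f in imports.values()) and total < 10

SAMPLE_DLL = build_sample_pe({"KERNEL32.dll": ["GetModuleHandleA", "GetProcAddress"],
                              "USER32.dll": ["GetAsyncKeyState"]})

if __name__ == "__main__":
    found = list_imports(SAMPLE_DLL)
    for dll, funcs in found.items():
        print(dll, funcs)
    print("runtime API resolution likely:", looks_dynamically_resolved(found))
```

list_imports handles both PE32 and PE32+ thunk sizes and ordinal imports, so it can be pointed at a real module read from disk; the threshold in looks_dynamically_resolved is an illustrative constant, not a tuned detection rule.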
08/16/2013, 03:50
#5
Hey man, thank you a lot for your help..
I discovered the part of the code that's being detected:
Code:
int iHairStyle = 0;
typedef int (*t_HairStyle) ( int );
t_HairStyle ChangeHairstyle = (t_HairStyle)0x004484C2;
// and using it:
void HairStSet()
{
    PrintMessageOnChat( "Changing hairstyle to #%d", iHairStyle );
    ChangeHairstyle( iHairStyle );   // <------ DETECTED CODE
}
I just put // before ChangeHairstyle( iHairStyle )
and the messages "Changing Hairstyle" and Hairstyle #1...#12 popped up normally on chat.
So, I think I have to change the way I access that address, without using this:
Code:
typedef int (*t_HairStyle) ( int );
t_HairStyle ChangeHairstyle = (t_HairStyle)0x004484C2;
ChangeHairstyle( iHairStyle );
So, what could I do? xD
08/16/2013, 07:27
#6
Since you're not modifying anything manually but using one of the game's functions, I would guess that either xtrap checks the callers of that function or your hack is fixed on the server side (maybe the hairstyle is checked on the server now?).
08/16/2013, 15:19
#7
Does this method have some fix or antidote against it?
08/20/2013, 23:20
#8
I guess XTrap detects your DLL.
Dunno if erasing your entry from the LdrList is XTrap-proof, just try it.
08/21/2013, 14:07
#9
...
08/24/2013, 01:53
#10
Problem solved, thank you for the tips guys, but I figured out a simpler way.
Detected code:
Code:
//////////////////////////////////////////////////
typedef int (*t_HairStyle) ( int );
t_HairStyle ChangeHairstyle = (t_HairStyle)0x004484C2;
ChangeHairstyle( iHairStyle );
//////////////////////////////////////////////////
Working code:
Code:
( ( void (*)( short ) )0x004484C2 )( iHairStyle );
08/24/2013, 03:33
#11
Are you sure that the problem wasn't that short instead of int?
I think it can make a bit of a difference.
Padmak