- Game Name: N/A
- Anticheat: XTrap
- How long have you been coding/hacking? 5 Years
- Coding Language: C++ masterrace
Introduction - What Is XTrap
X-Trap is an anti-cheat program created and maintained by WiseLogic and used in almost all CrossFire versions to stop players from running hacking tools.
Like an anti-virus program, X-Trap is launched together with CrossFire and keeps scanning memory while CF is running, looking for suspicious processes that try to interact with crossfire.exe. If something looks wrong, X-Trap closes CrossFire and shows an error message listing the likely reasons and general suggestions for fixing it. Opening a process viewer such as Task Manager also counts as suspicious activity (this is X-Trap's self-defense module, meant to stop it from being "killed").
Though not as effective as many people think, X-Trap is better at detecting and blocking hack tools than GameGuard, CrossFire's previous anti-cheat, and catches some tools GameGuard could not. Hack tools are naturally updated faster than X-Trap: hackers are everywhere and have more time and resources, while WiseLogic has to ship X-Trap updates for every publisher, so X-Trap often falls behind. Even so, X-Trap is still needed to protect CF against the popular public hacks that many people use for free.
- To date, CF China, CF North America, CF Brazil and CF Japan do not use X-Trap. CF Japan uses GameGuard; CrossFire North America, CF Brazil and CF Español use XIGNCODE3; CF China has its own anti-cheat, Tencent Protect, which works like GameGuard but is much more effective because it checks game files in-game. That check needs a powerful computer, so players with average PCs may wait a while before the game loads.
- In January 2017, CF Brazil changed its anti-cheat from X-Trap to XignCode.
- In March 2017, CF Español changed its anti-cheat from X-Trap to XignCode.
- X-Trap only runs under an administrator account, so CrossFire cannot be played from a Guest or Standard user account.
- Recent patches in CF Vietnam have X-Trap blacklisting almost all auto-clicker programs. This counters event farming: many players used auto-clickers to idle in rooms during events that reward playing a certain number of matches.
- In February 2020, CF Philippines changed its anti-cheat from X-Trap to XignCode.
XTrap has many false positives: it blocks anything that touches the game process, including Process Explorer and similar tools.
XTrap Source Code
The XTrap source code was leaked in 2012 and can be found in the attachments below.
XTrap Bypass
Before you try to bypass XTrap you need to learn about anti-cheat in general:
https://guidedhacking.com/threads/how-to-get-started-with-anticheat-bypass.9882/
S4League Old Outdated Bypass
Available in the attachments.
Various Bypasses
- Bypass 1
- Bypass 2
- Bypass 3
- Driver Anti Xtrap by Firefox
- XTrap Bypass Source v2 By Akira
- Xtrap Bypass Author: Slicktor (main.cpp, main.h)
- Others: https://github.com/sup817ch/BypassXTrap
Bypass 1
C++:
// Bypass 1 (32-bit DLL injected into the game process). Waits for XTrapVa.dll to
// load, detours a hard-coded address inside it, overwrites the driver name the
// module uses, and hangs kernel32!K32EnumProcesses so XTrap's process scan never
// completes. DetourFunction() comes from Microsoft Detours 1.x (detours.h).
#include <windows.h>
#include <string.h>
#include <wchar.h>
#include <detours.h>

typedef BOOL(__stdcall* xHook)();

DWORD XTrapDriver = 0x40A20840; // address inside XTrapVa.dll (hard-coded by the author)
xHook sHook = NULL;             // trampoline returned by DetourFunction

BOOL __stdcall Hook() // replacement: always report success
{
    return TRUE;
}

// Overwrite the first two bytes of K32EnumProcesses with "jmp $" (EB FE):
// any thread that calls it spins forever instead of returning a process list.
int ThreadDetection()
{
    DWORD oldprotect = 0;
    DWORD K32EnumAddr = (DWORD)GetProcAddress(LoadLibraryA("Kernel32.dll"), "K32EnumProcesses");
    if (!K32EnumAddr)
        return 1; // the export only exists in the Windows 7+ kernel32
    VirtualProtect((LPVOID)K32EnumAddr, sizeof(K32EnumAddr), PAGE_EXECUTE_READWRITE, &oldprotect);
    memcpy((LPVOID)K32EnumAddr, (LPVOID)"\xEB\xFE", 2);
    VirtualProtect((LPVOID)K32EnumAddr, sizeof(K32EnumAddr), oldprotect, &oldprotect);
    return 0;
}

DWORD WINAPI Bypass(LPVOID)
{
    while (1)
    {
        HMODULE hwd = GetModuleHandleA("XTrapVa.dll"); // wait until XTrapVa.dll is loaded
        if (hwd)
        {
            Sleep(500);
            sHook = (xHook)DetourFunction((PBYTE)XTrapDriver, (PBYTE)Hook); // detour the hard-coded address
            wmemcpy((wchar_t*)sHook, L"X6va02", 6);                       // change the driver name string
            ThreadDetection();                                              // hang the process enumeration
            MessageBoxA(NULL, "XTrap Bypass Successful", "Notice", MB_ICONINFORMATION);
            break;
        }
        Sleep(50);
    }
    return 0;
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    if (ul_reason_for_call == DLL_PROCESS_ATTACH)
        CreateThread(0, 0, Bypass, 0, 0, 0);
    return TRUE;
}
Bypass 2
Code:
' Bypass 2 (VB.NET console launcher for MicroVolts). Starts the game, then from a
' timer suspends it, corrupts the XTrap driver name, sends the ReadProcessMemory the
' game resolved into an infinite loop, and resumes it. Addresses are hard-coded
' for the author's client build.
Imports System.Diagnostics

Module Hook
#Region "Access"
    'Process and thread access rights we need.
    Const PROCESS_ALL_ACCESS As Integer = &H1F0FFF 'the post had &H1F0FF, which drops the last digit
    Public Enum ThreadAccess As Integer
        TERMINATE = &H1
        SUSPEND_RESUME = &H2
        GET_CONTEXT = &H8
        SET_CONTEXT = &H10
        SET_INFORMATION = &H20
        QUERY_INFORMATION = &H40
        SET_THREAD_TOKEN = &H80
        IMPERSONATE = &H100
        DIRECT_IMPERSONATION = &H200
    End Enum
#End Region
#Region "Functions"
    Public Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Integer, ByVal bInheritHandle As Integer, ByVal dwProcessId As Integer) As IntPtr
    'Read/write another process's memory.
    Public Declare Function WriteProcessMemory1 Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As IntPtr, ByVal lpBaseAddress As Integer, ByRef lpBuffer As Byte, ByVal nSize As Integer, ByRef lpNumberOfBytesWritten As Integer) As Integer
    Public Declare Function ReadProcessMemory1 Lib "kernel32" Alias "ReadProcessMemory" (ByVal hProcess As IntPtr, ByVal lpBaseAddress As Integer, ByRef lpBuffer As Integer, ByVal nSize As Integer, ByRef lpNumberOfBytesWritten As Integer) As Integer
    'Suspend/resume individual threads.
    Public Declare Function OpenThread Lib "kernel32.dll" (ByVal dwDesiredAccess As ThreadAccess, ByVal bInheritHandle As Boolean, ByVal dwThreadId As UInteger) As IntPtr
    Public Declare Function SuspendThread Lib "kernel32.dll" (ByVal hThread As IntPtr) As UInteger
    Public Declare Function ResumeThread Lib "kernel32.dll" (ByVal hThread As IntPtr) As UInteger
    Public Declare Function CloseHandle Lib "kernel32.dll" (ByVal hHandle As IntPtr) As Boolean
#End Region
#Region "Suspend/Resume"
    'Suspend/resume every thread of the process.
    Public Sub SuspendProcess(ByVal nProcess As Process)
        For Each t As ProcessThread In nProcess.Threads
            Dim th As IntPtr = OpenThread(ThreadAccess.SUSPEND_RESUME, False, CUInt(t.Id))
            If th <> IntPtr.Zero Then
                SuspendThread(th)
                CloseHandle(th)
            End If
        Next
    End Sub
    Public Sub ResumeProcess(ByVal nProcess As Process)
        For Each t As ProcessThread In nProcess.Threads
            Dim th As IntPtr = OpenThread(ThreadAccess.SUSPEND_RESUME, False, CUInt(t.Id))
            If th <> IntPtr.Zero Then
                ResumeThread(th)
                CloseHandle(th)
            End If
        Next
    End Sub
#End Region
#Region "Memory"
    'Open the first process with the given name (".exe" suffix optional); IntPtr.Zero if not running.
    Private Function OpenGameProcess(ByVal nProcess As String) As IntPtr
        If nProcess.EndsWith(".exe") Then
            nProcess = nProcess.Replace(".exe", Nothing)
        End If
        Dim found As Process() = Process.GetProcessesByName(nProcess)
        If found.Length = 0 Then
            Return IntPtr.Zero
        End If
        Return OpenProcess(PROCESS_ALL_ACCESS, 0, found(0).Id)
    End Function
    'Resolve a multi-level pointer: read nLevel times, adding an offset after each read.
    Public Function GetMemoryAddress(ByVal nProcess As String, ByVal nBaseAddress As Integer, ByVal nOffsets As Integer(), ByVal nLevel As Integer, Optional ByVal nSize As Integer = 4) As Integer
        Dim nAddress As Integer = nBaseAddress
        For i As Integer = 1 To nLevel
            nAddress = ReadInteger(nProcess, nAddress, nSize) + nOffsets(i - 1)
        Next
        Return nAddress
    End Function
    Public Function ReadInteger(ByVal nProcess As String, ByVal nAddress As Integer, Optional ByVal nSize As Integer = 4) As Integer
        Dim hProcess As IntPtr = OpenGameProcess(nProcess)
        If hProcess = IntPtr.Zero Then
            Return 0
        End If
        Dim vBuffer As Integer
        ReadProcessMemory1(hProcess, nAddress, vBuffer, nSize, 0)
        CloseHandle(hProcess)
        Return vBuffer
    End Function
    'Write a byte pattern given as a hex string ("EB FE") at nAddress, one byte at a time.
    Public Sub DefineBytes(ByVal nProcess As String, ByVal nAddress As Integer, ByVal nValue As String)
        nValue = nValue.Replace(" ", Nothing)
        Dim hProcess As IntPtr = OpenGameProcess(nProcess)
        If hProcess = IntPtr.Zero Then
            Return
        End If
        For i As Integer = 0 To (nValue.Length \ 2) - 1
            Dim V As Byte = Convert.ToByte(nValue.Substring(i * 2, 2), 16)
            WriteProcessMemory1(hProcess, nAddress + i, V, 1, 0)
        Next
        CloseHandle(hProcess)
    End Sub
#End Region
#Region "Message(s)"
    Dim Credits As String = "This bypass was created by Papulatus, happy hacking! ^^" 'You could just leech this bypass, but I would appreciate it if you credit me :).
    Dim Bit32 As String = "This bypass doesn't support 32-Bit!"
    Dim SearchFailed As String = "Couldn't find the MicroVolts directory, please put this application in the 'Bin' folder of MicroVolts!"
#End Region
#Region "Required addresses"
    'The addresses we need to bypass XTrap.
    Dim GetProcAddress As Integer
    Dim ReadProcessMemory As Integer
    Dim XTrapDriver As Integer
#End Region
#Region "Timer(s)"
    Dim MainTMR As New System.Timers.Timer 'Does the patching once the game is up.
#End Region
#Region "Main"
    'Candidate install directories, checked in this order.
    Private ReadOnly SearchDirs As String() = {
        "C:\Program Files\MicroVolts\", "C:\Program Files (x86)\MicroVolts\",
        "C:\Archivos de Programa\MicroVolts\", "C:\Archivos de Programa (x86)\MicroVolts\",
        "C:\MicroVolts\", "D:\MicroVolts\",
        "D:\Program Files\MicroVolts\", "D:\Program Files (x86)\MicroVolts\",
        "D:\Archivos de Programa\MicroVolts\", "D:\Archivos de Programa (x86)\MicroVolts\"}

    Private Sub LaunchGame(ByVal dir As String)
        Console.WriteLine(Credits)
        My.Computer.FileSystem.CurrentDirectory = dir
        Process.Start("Bin\MicroVolts.exe")
        MainTMR.Start()
    End Sub

    Sub Main()
        MainTMR.AutoReset = True
        MainTMR.Interval = 1
        AddHandler MainTMR.Elapsed, AddressOf MainTMR_Tick
        If Environment.Is64BitOperatingSystem = False Then 'Detect 32-bit users.
            Console.WriteLine(Bit32)
        ElseIf My.Computer.FileSystem.CurrentDirectory.Contains("\MicroVolts\Bin") Then 'Running from the game's Bin folder.
            LaunchGame(My.Computer.FileSystem.CurrentDirectory.Replace("\Bin", Nothing))
        Else
            Dim found As String = Nothing
            For Each d As String In SearchDirs
                If My.Computer.FileSystem.DirectoryExists(d) Then
                    found = d
                    Exit For
                End If
            Next
            If found Is Nothing Then
                Console.WriteLine(SearchFailed)
            Else
                LaunchGame(found)
            End If
        End If
        Do Until Console.Title = (Nothing) 'Keep the console open.
            Console.ReadKey()
        Loop
    End Sub

    Private Sub MainTMR_Tick(ByVal sender As Object, ByVal e As System.Timers.ElapsedEventArgs)
        Dim MV() As Process = Process.GetProcessesByName("MicroVolts")
        Dim XT() As Process = Process.GetProcessesByName("XTrap.xt")
        GetProcAddress = GetMemoryAddress("MicroVolts", &HF5F0F0, {&H0}, 0, 4) 'Where the game keeps its GetProcAddress pointer.
        ReadProcessMemory = ReadInteger("MicroVolts", GetProcAddress, 4) 'Follow it to the resolved ReadProcessMemory.
        XTrapDriver = GetMemoryAddress("MicroVolts", &H406BECD4, {&H0}, 0, 4) 'The XTrap driver name string.
        'The last process in each list is the newest client (needed for bypassed multiclients).
        Dim MVIndex As Integer = MV.Length - 1
        If MV.Length > 0 AndAlso XT.Length = MV.Length Then 'XTrap is running for every client.
            SuspendProcess(MV(MVIndex))
            DefineBytes("MicroVolts", XTrapDriver, "6F 6C 6F 6C 6F 6C 6F") 'Corrupt the XTrap driver name.
            DefineBytes("MicroVolts", ReadProcessMemory, "EB FE") 'Send ReadProcessMemory into an infinite loop.
            ResumeProcess(MV(MVIndex)) 'Enjoy the bypass ;).
            End 'Exit the launcher.
        End If
    End Sub
#End Region
End Module
Bypass 3
C++:
// Bypass 3: three inline patches applied inside the game process once XTrapVa.dll
// is loaded. Offsets are relative to the module base and belong to the author's
// XTrap build. copymemory() is a small helper that makes the page writable first.
#include <windows.h>
#include <string.h>

static void copymemory(void* dst, const void* src, size_t len)
{
    DWORD old = 0;
    VirtualProtect(dst, len, PAGE_EXECUTE_READWRITE, &old);
    memcpy(dst, src, len);
    VirtualProtect(dst, len, old, &old);
}

void PatchXTrap()
{
    DWORD xtrap = (DWORD)GetModuleHandleA("XTrapVa.dll");
    if (!xtrap)
        return;

    /*
    Anti TerminateProcess/ExitProcess check
    Description:
    XTrap checks the first byte of TerminateProcess/ExitProcess;
    if that byte is E9 (jmp) or C2 (ret n) it treats the API as hooked and returns true.
    What we do:
    xor eax,eax  // eax = 0, i.e. "not hooked"
    retn
    */
    copymemory((void*)(xtrap + 0x2C940), "\x33\xC0\xC3", 3);

    /*
    Anti TerminateProcess/ExitProcess
    Description:
    XTrap closes the process with TerminateProcess first;
    if that fails it tries ExitProcess.
    We return at once so nothing closes our process.
    What we do:
    ret
    */
    copymemory((void*)(xtrap + 0x31800), "\xC3\x90\x90\x90\x90", 5);

    /*
    Anti XTrap messages
    Description:
    XTrap pops up nagging messages while we play, like "Please close program XXXXX",
    so we make the message routine return straight away.
    What we do:
    ret 8
    */
    copymemory((void*)(xtrap + 0x388D0), "\xC2\x08\x00", 3);
}
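The hook check described in the first comment above (XTrap treats TerminateProcess or ExitProcess as hooked when its first byte is E9 or C2) is worth reproducing on its own, because it shows how narrow that test is. The block below is an added example and not code from the post: it runs the first-byte test and a stricter whole-prologue comparison over byte images constructed inline, including the exact patches this page writes (EB FE, C2 0C 00, 33 C0 C3, C3 90 90 90 90). The 5-byte reference 8B FF 55 8B EC (mov edi,edi / push ebp / mov ebp,esp) is the standard hot-patchable prologue of 32-bit kernel32 exports; a real scanner would read the reference from the DLL on disk rather than hard-code it.

```c
/* Added example: X-Trap's first-byte hook test versus a whole-prologue check,
 * run over constructed byte images (not live kernel32 memory). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hot-patchable prologue of 32-bit kernel32 exports: mov edi,edi; push ebp; mov ebp,esp */
static const uint8_t REF_PROLOGUE[5] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };

enum verdict { CLEAN = 0, HOOKED = 1 };

/* The test the page attributes to XTrap: only E9 (jmp rel32) and C2 (ret imm16)
 * at offset 0 count as a hook. */
enum verdict xtrap_first_byte_check(const uint8_t *code)
{
    return (code[0] == 0xE9 || code[0] == 0xC2) ? HOOKED : CLEAN;
}

/* Stricter: every byte of the prologue must match the reference copy. */
enum verdict prologue_compare_check(const uint8_t *code)
{
    return memcmp(code, REF_PROLOGUE, sizeof REF_PROLOGUE) == 0 ? CLEAN : HOOKED;
}

/* Constructed samples: an untouched export followed by the patches used on this page. */
struct sample { const char *name; uint8_t code[5]; };
static const struct sample SAMPLES[] = {
    { "untouched export",        { 0x8B, 0xFF, 0x55, 0x8B, 0xEC } },
    { "Detours jmp rel32",       { 0xE9, 0x00, 0x10, 0x00, 0x00 } },
    { "ret 8 (Firefox)",         { 0xC2, 0x08, 0x00, 0x8B, 0xEC } },
    { "ret 0Ch (Slicktor)",      { 0xC2, 0x0C, 0x00, 0x8B, 0xEC } },
    { "jmp $ (Bypass 1)",        { 0xEB, 0xFE, 0x55, 0x8B, 0xEC } },
    { "xor eax,eax; ret (B3)",   { 0x33, 0xC0, 0xC3, 0x8B, 0xEC } },
    { "ret; nop*4 (Bypass 3)",   { 0xC3, 0x90, 0x90, 0x90, 0x90 } },
};
#define NSAMPLES (sizeof SAMPLES / sizeof SAMPLES[0])

/* Count how many of the tampered samples (all but the first) a check catches. */
int count_caught(enum verdict (*check)(const uint8_t *))
{
    int caught = 0;
    for (size_t i = 1; i < NSAMPLES; i++)
        if (check(SAMPLES[i].code) == HOOKED)
            caught++;
    return caught;
}

int main(void)
{
    for (size_t i = 0; i < NSAMPLES; i++)
        printf("%-24s first-byte:%s  prologue:%s\n", SAMPLES[i].name,
               xtrap_first_byte_check(SAMPLES[i].code) ? "HOOKED" : "clean ",
               prologue_compare_check(SAMPLES[i].code) ? "HOOKED" : "clean ");
    printf("first-byte check caught %d/%d, prologue check caught %d/%d\n",
           count_caught(xtrap_first_byte_check), (int)NSAMPLES - 1,
           count_caught(prologue_compare_check), (int)NSAMPLES - 1);
    return 0;
}
```

The first-byte test catches a Detours-style jmp and the two "ret n" patches but waves through "jmp $", "xor eax,eax; ret" and a bare "ret", which is why Bypass 3 bothers to patch the checker itself rather than hide its hooks from it.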
Driver Anti Xtrap by Firefox
C++:
/* Anti XTrap by Firefox (32-bit DLL, built with MinGW/GCC). Once injected it
   patches kernel32!TerminateThread with "ret 8" so XTrap's own calls to it do
   nothing, keeps a raw entry point into TerminateThread for its own use, and
   once a second walks the process's threads, killing the XTrap watchdog
   threads by their start address (hard-coded for the author's client build).
   The kernel-driver part (IOCTL to "\\.\Example") is left disabled as in the
   original. */
#define _WIN32_WINNT 0x0500
#include <windows.h>
#include <stdio.h>
#include <string.h>
#include <tlhelp32.h>

typedef LONG NTSTATUS;
typedef NTSTATUS (WINAPI *pNtQIT)(HANDLE, LONG, PVOID, ULONG, PULONG);
typedef BOOL (WINAPI *pRawTerminateThread)(HANDLE, DWORD);
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#define ThreadQuerySetWin32StartAddress 9

static pRawTerminateThread rawTerminateThread; /* TerminateThread + 3, just past our "ret 8" */
static int Sleeped;
static char PATH_FILE_TMP[FILENAME_MAX];
static HANDLE mInstance;
static DWORD XTrapVa;
static BOOLEAN testes = TRUE;  /* keep scanning threads until the last target is killed */
static FILE *pFile;

void config_ini(void);
BOOL EnumThread(DWORD dwProcessId);
DWORD WINAPI CreateThreadFunction(LPVOID unused);

/* Enter TerminateThread at offset +3, i.e. after the 3 bytes we overwrite with
   "ret 8" (mov edi,edi / push ebp on XP's kernel32, where +3 is MOV EBP,ESP at
   7C81CB3E). The original did this with inline asm (push 0; push hThread; jmp eax);
   a __stdcall call through a function pointer puts the same values on the stack. */
static void myTerminateThread(HANDLE hThread)
{
    rawTerminateThread(hThread, 0);
}

DWORD WINAPI GetThreadStartAddress(HANDLE hThread)
{
    NTSTATUS ntStatus;
    HANDLE hDupHandle;
    DWORD dwStartAddress;
    pNtQIT NtQueryInformationThread = (pNtQIT)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryInformationThread");
    if (NtQueryInformationThread == NULL) return 0;
    HANDLE hCurrentProcess = GetCurrentProcess();
    if (!DuplicateHandle(hCurrentProcess, hThread, hCurrentProcess, &hDupHandle, THREAD_QUERY_INFORMATION, FALSE, 0)) {
        SetLastError(ERROR_ACCESS_DENIED);
        return 0;
    }
    ntStatus = NtQueryInformationThread(hDupHandle, ThreadQuerySetWin32StartAddress, &dwStartAddress, sizeof(DWORD), NULL);
    CloseHandle(hDupHandle);
    if (ntStatus != STATUS_SUCCESS) return 0;
    return dwStartAddress;
}

DWORD GetProcessID(const char* szExeName)
{
    PROCESSENTRY32 pe = { sizeof(PROCESSENTRY32) };
    DWORD pid = 0;
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE) return 0;
    if (Process32First(hSnapshot, &pe)) {
        do {
            if (!strcmp(pe.szExeFile, szExeName)) { pid = pe.th32ProcessID; break; }
        } while (Process32Next(hSnapshot, &pe));
    }
    CloseHandle(hSnapshot);
    return pid;
}

BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved)
{
    static BOOL first = TRUE; /* run the setup once, whatever the attach reason */
    if (first) {
        mInstance = hInst;
        /* config_ini(); */
        MessageBoxA(0, "[Bypass XTrapGC] Created by Firefox [PressEnter]", "Created by Firefox [PressEnter]", 0);
        CreateThread(NULL, 0, CreateThreadFunction, NULL, 0, NULL);
        first = FALSE;
    }
    return TRUE;
}

/* Read the Sleep value from config.ini next to this DLL (the call above is disabled). */
void config_ini(void)
{
    int i;
    char PATH_FILE[FILENAME_MAX];
    GetModuleFileNameA((HINSTANCE)mInstance, PATH_FILE, FILENAME_MAX);
    for (i = (int)strlen(PATH_FILE); i > 0; i--) {
        if (PATH_FILE[i] == '\\')
            break;
    }
    strncpy(PATH_FILE_TMP, PATH_FILE, i + 1);
    PATH_FILE_TMP[i + 1] = '\0';
    strcat(PATH_FILE_TMP, "config.ini");
    Sleeped = GetPrivateProfileIntA("AntiXTrapbyFirefox", "Sleep", 25000, PATH_FILE_TMP);
}

DWORD WINAPI CreateThreadFunction(LPVOID unused)
{
    DWORD myPID = GetCurrentProcessId();
    (void)unused;

    /* Overwrite the first 3 bytes of kernel32!TerminateThread with "ret 8" so XTrap's
       calls return without doing anything, and keep TerminateThread+3 for ourselves. */
    DWORD address = (DWORD)GetProcAddress(GetModuleHandleA("kernel32.dll"), "TerminateThread");
    unsigned char buffer[3] = { 0xC2, 0x08, 0x00 };
    rawTerminateThread = (pRawTerminateThread)(address + 3);
    WriteProcessMemory(GetCurrentProcess(), (void*)address, buffer, 3, 0);

    /* Write a stub at a fixed address in the game ("remove the protection in the driver"):
       push 0 / push 0x00B895B5 / push 0x00B895B5 / call [0x00CF3460] / ret, followed by
       the string "Firefox" at 0x00B895B5 that the two pushes point to. */
    char buffer_msg[] = "\x6A\x00\x68\xB5\x95\xB8\x00\x68\xB5\x95\xB8\x00\xFF\x15\x60\x34\xCF\x00\xC3\x46\x69\x72\x65\x66\x6F\x78\x00";
    if (!WriteProcessMemory(GetCurrentProcess(), (void*)0x00B895A2, buffer_msg, sizeof(buffer_msg), 0))
        MessageBoxA(0, "Could not write the driver stub", "Anti XTrap by Firefox", 0);

    /* Kernel-driver unhook, left disabled as in the original:
       #define UnHookXTrapbyFirefox CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0803, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
       HANDLE hFile = CreateFileA("\\\\.\\Example", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
       DeviceIoControl(hFile, UnHookXTrapbyFirefox, NULL, 0, 0, 0, &dwReturn, NULL);
       CloseHandle(hFile); */

    while (TRUE) {
        XTrapVa = (DWORD)GetModuleHandleA("XTrapVa.dll");
        if (testes) {
            pFile = fopen("ADDRESS_MAIN.txt", "a+");
            if (pFile) fprintf(pFile, "Xtrap.dll -> [%x]\n", XTrapVa);
            EnumThread(myPID);
            if (pFile) {
                fprintf(pFile, "********************\n");
                fclose(pFile);
                pFile = NULL;
            }
        }
        /* Alternative the author left disabled: wait 30 s, then kill XTrap.xt outright:
           TerminateProcess(OpenProcess(PROCESS_TERMINATE, FALSE, GetProcessID("XTrap.xt")), 0); */
        Sleep(1000);
    }
    return 0;
}

static HANDLE hThread;
static HANDLE hThreadOne;
static DWORD dwThreadStartAddress;
static THREADENTRY32 TE32 = {0};
static int soma = 0;            /* how many game-side watchdog threads have been killed */
static BOOL active_all = FALSE; /* set once the first target thread has been seen */

/* Walk every thread of the process and kill the ones whose start address matches
   the XTrap watchdog threads (game addresses and XTrapVa.dll offsets hard-coded by
   the author). Start addresses are logged to ADDRESS_MAIN.txt so a new build can
   be re-mapped. */
BOOL EnumThread(DWORD dwProcessId)
{
    HANDLE hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, dwProcessId);
    if (hModuleSnap == INVALID_HANDLE_VALUE)
        return FALSE;
    TE32.dwSize = sizeof(THREADENTRY32);
    if (!Thread32First(hModuleSnap, &TE32)) {
        CloseHandle(hModuleSnap);
        return FALSE;
    }
    do {
        if (TE32.th32OwnerProcessID != dwProcessId)
            continue;
        hThreadOne = OpenThread(THREAD_QUERY_INFORMATION, FALSE, TE32.th32ThreadID);
        dwThreadStartAddress = GetThreadStartAddress(hThreadOne);
        hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, TE32.th32ThreadID);
        if (pFile) fprintf(pFile, "ADDRESS THREAD -> [%x]\n", dwThreadStartAddress);

        if (dwThreadStartAddress == 0x00DF5D70) { /* first watchdog: also arms the rest */
            LoadLibraryA("StopProgramming.dll");
            MessageBoxA(0, 0, 0, 0); /* debug pause */
            active_all = TRUE;
            myTerminateThread(hThread);
        }
        if (active_all) {
            /* game-side threads, counted in soma */
            if (dwThreadStartAddress == 0x00EFB360) { soma++; myTerminateThread(hThread); }
            if (dwThreadStartAddress == 0x00C6295F) { soma++; myTerminateThread(hThread); }
            if (dwThreadStartAddress == 0x00DF5D70) { soma++; myTerminateThread(hThread); }
            if (dwThreadStartAddress == 0x00EF5BA0) { soma++; myTerminateThread(hThread); }
            if (dwThreadStartAddress == 0x00EF6EF0) { soma++; myTerminateThread(hThread); }
            /* XTrapVa.dll threads */
            if (dwThreadStartAddress == XTrapVa + 0x13B10) { myTerminateThread(hThread); MessageBoxA(0, 0, 0, 0); }
            if (dwThreadStartAddress == XTrapVa + 0x13C90) { myTerminateThread(hThread); MessageBoxA(0, 0, 0, 0); }
            if (dwThreadStartAddress == XTrapVa + 0x17C0 && soma == 5) { myTerminateThread(hThread); }
            if (dwThreadStartAddress == XTrapVa + 0x422E0 && soma == 5) {
                testes = FALSE; /* last target: stop scanning */
                myTerminateThread(hThread);
            }
        }
        CloseHandle(hThreadOne);
        CloseHandle(hThread);
    } while (Thread32Next(hModuleSnap, &TE32));
    CloseHandle(hModuleSnap);
    return TRUE;
}
XTrap Bypass Source v2 By Akira
C++:
// XTrap Bypass v2 (32-bit DLL, MSVC). Waits for XTrapVa.dll, detours
// EnumProcesses/K32EnumProcesses so XTrap's process scan returns nothing and
// ExitProcess so XTrap cannot close the game when it finds a debugger, then
// renames the driver string at a hard-coded address. mHook.h is the author's own
// detour helper (mHook::DetourCodeCave(target, hook, length)); it is not in the post.
#include <Windows.h>
#include <process.h>
#include <TlHelp32.h>
#include <Psapi.h>
#include <wchar.h>
#include "mHook.h"
#pragma comment(lib,"Psapi.lib")

// our module handle, used to unload ourselves when done
HMODULE hDLL;
void DefineNothing_CC();  // replacement for ExitProcess (and EnumProcesses on PSAPI v1)
void K32Enum_CC();        // replacement for K32EnumProcesses

void _beginhook(void*){
    DWORD dwAddy, dwDLL, dwXTrap, dwXTrapDriver;
    // wait for XTrapVa.dll to be loaded
    while(1){
        Sleep(500);
        dwXTrap = (DWORD)GetModuleHandleA("XTrapVa.dll");
        if(dwXTrap) break;
    }
    if(PSAPI_VERSION == 1){
        // pre-Windows 7: EnumProcesses lives in Psapi.dll
        dwDLL = (DWORD)GetModuleHandleA("Psapi.dll");
        dwAddy = (DWORD)GetProcAddress((HINSTANCE)dwDLL,"EnumProcesses");
        // stop XTrap from scanning processes
        mHook::DetourCodeCave(dwAddy,(DWORD)DefineNothing_CC,19);
        dwDLL = (DWORD)GetModuleHandleA("Kernel32.dll");
        dwAddy = (DWORD)GetProcAddress((HINSTANCE)dwDLL,"ExitProcess");
        // stop XTrap from exiting the game when OllyDbg is found
        mHook::DetourCodeCave(dwAddy,(DWORD)DefineNothing_CC,27);
    }
    else
    {
        Sleep(500);
        // Windows 7+: the export is kernel32!K32EnumProcesses
        dwDLL = (DWORD)GetModuleHandleA("Kernel32.dll");
        dwAddy = (DWORD)GetProcAddress((HINSTANCE)dwDLL,"K32EnumProcesses");
        // stop XTrap from scanning processes
        mHook::DetourCodeCave(dwAddy,(DWORD)K32Enum_CC,3);
        dwDLL = (DWORD)GetModuleHandleA("Kernel32.dll");
        dwAddy = (DWORD)GetProcAddress((HINSTANCE)dwDLL,"ExitProcess");
        // stop XTrap from exiting the game when OllyDbg is found
        mHook::DetourCodeCave(dwAddy,(DWORD)DefineNothing_CC,27);
    }
    // driver name string at a hard-coded address inside XTrapVa.dll
    dwXTrapDriver = 0x406668A0;
    wmemcpy((wchar_t*)dwXTrapDriver,L"X6va01",6);
    // unload ourselves
    FreeLibraryAndExitThread(hDLL,8);
}

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved){
    if(fdwReason == DLL_PROCESS_ATTACH){
        hDLL = hinstDLL;
        _beginthread(_beginhook,0,0);
    }
    return TRUE;
}

// K32EnumProcesses(DWORD* pids, DWORD cb, DWORD* cbNeeded): return at once,
// popping the three stdcall arguments and leaving the buffer untouched
__declspec( naked ) void K32Enum_CC(){
    __asm{
        ret 0x00C
    }
}

// Empty body behind a hot-patch style prologue; the nops after "orig" are a cave
// that mHook::DetourCodeCave writes into (the helper itself is not in the post)
__declspec( naked ) void DefineNothing_CC(){
    __asm{
        mov edi,edi
        push ebp
        mov ebp,esp
        pop ebp
        jmp orig
        nop
        nop
        nop
        nop
        nop
    orig:
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
    }
}
Xtrap Bypass Author: Slicktor
main.cpp
C++:
// Slicktor's bypass: a 32-bit DLL that waits for XTrapVa.dll and then applies the
// two patches from the BYPASS class (the header is listed below as main.h; this
// file includes it as "Bypass.h").
#include <Windows.h>
#include <process.h>
#include "Bypass.h"

void __cdecl InitializeXTrapBypass(void*) {
    DWORD nBase;
    while(1)
    {
        nBase = (DWORD)GetModuleHandleA("XTrapVa.dll");
        if(nBase){
            Sleep(500);
            BYPASS bypass;
            bypass.Driver64();
            bypass.ProcessDetection();
            break;
        }
        Sleep(50);
    }
}

BOOL WINAPI DllMain ( HMODULE hDll, DWORD dwReason, LPVOID lpReserved )
{
    DisableThreadLibraryCalls(hDll);
    if( dwReason == DLL_PROCESS_ATTACH)
    {
        _beginthread(InitializeXTrapBypass, 0, NULL);
    }
    return TRUE;
}
main.h
C++:
// Bypass.h: the two patches. ProcessDetection() makes K32EnumProcesses return
// immediately (ret 0Ch pops its three stdcall arguments) so XTrap never gets a
// process list; Driver64() overwrites the driver name string at a hard-coded
// address inside XTrapVa.dll with "X6va01".
#pragma once
#include <Windows.h>
#include <tlhelp32.h>
#include <process.h>
#include <wchar.h>
#include <string.h>

class BYPASS
{
public:
    int ProcessDetection();
    int Driver64();
};

inline int BYPASS::ProcessDetection()
{
    DWORD K32EnumAddr = (DWORD)GetProcAddress(LoadLibraryA("Kernel32.dll"),"K32EnumProcesses");
    //DWORD EnumAddr = (DWORD)GetProcAddress(LoadLibraryA("Psapi.dll"),"EnumProcesses"); // pre-Windows 7 export
    if(!K32EnumAddr)
        return 1;
    DWORD old;
    VirtualProtect((LPVOID)K32EnumAddr,sizeof(K32EnumAddr),PAGE_EXECUTE_READWRITE,&old);
    memcpy((LPVOID)K32EnumAddr,(LPVOID)"\xC2\x0C\x00",3); // ret 0Ch
    VirtualProtect((LPVOID)K32EnumAddr,sizeof(K32EnumAddr),old,&old);
    return 0;
}

inline int BYPASS::Driver64()
{
    // The post cast a narrow "X6va01" to wchar_t*, which copies 12 bytes of whatever
    // follows the 7-byte literal; the wide literal is what the other bypasses write.
    wmemcpy((wchar_t*)0x405D0C24,L"X6va01",6);
    return 0;
}
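Bypass 1, Akira's v2 and Slicktor's header all neutralise one API, K32EnumProcesses (or its Psapi predecessor), and leave Toolhelp32 snapshots and NtQuerySystemInformation untouched. A scanner that asks two independent sources and compares the answers catches that whole class of patch. The block below is an added example, not code from the post or from X-Trap: it models the two sources as constructed PID arrays (on Windows they would come from EnumProcesses and CreateToolhelp32Snapshot) and flags the three signatures such patches leave, an empty answer, a list that does not contain the caller's own PID, and disagreement between the sources. The PIDs and the 256-entry limit are constructed for the example.

```c
/* Added example: sanity-checking a process enumeration the way an anti-cheat could,
 * over constructed PID arrays instead of live EnumProcesses/Toolhelp32 output. */
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

enum enum_status {
    ENUM_OK = 0,
    ENUM_EMPTY = 1,          /* API "succeeded" but returned nothing: ret 0Ch style patch */
    ENUM_SELF_MISSING = 2,   /* our own PID is absent: the list cannot be genuine */
    ENUM_MISMATCH = 4        /* the two sources disagree: one of them is lying */
};

static int cmp_u32(const void *a, const void *b)
{
    uint32_t x = *(const uint32_t *)a, y = *(const uint32_t *)b;
    return (x > y) - (x < y);
}

/* Sort a copy of the list and drop duplicates; returns the new length. */
static size_t normalize(const uint32_t *in, size_t n, uint32_t *out)
{
    size_t m = 0;
    if (n == 0)
        return 0;
    memcpy(out, in, n * sizeof *in);
    qsort(out, n, sizeof *out, cmp_u32);
    for (size_t i = 0; i < n; i++)
        if (m == 0 || out[m - 1] != out[i])
            out[m++] = out[i];
    return m;
}

/* Compare what "EnumProcesses" said (a) against a second source (b), for caller PID self.
 * Returns a bit mask of enum_status flags; 0 means the answer looks genuine. */
int check_process_list(const uint32_t *a, size_t na, const uint32_t *b, size_t nb, uint32_t self)
{
    int status = ENUM_OK;
    if (na == 0)
        status |= ENUM_EMPTY;
    int seen_self = 0;
    for (size_t i = 0; i < na; i++)
        if (a[i] == self) seen_self = 1;
    if (!seen_self)
        status |= ENUM_SELF_MISSING;

    uint32_t sa[256], sb[256];
    if (na > 256 || nb > 256)
        return status | ENUM_MISMATCH; /* constructed limit; a real scanner would allocate */
    size_t ma = normalize(a, na, sa), mb = normalize(b, nb, sb);
    if (ma != mb || memcmp(sa, sb, ma * sizeof *sa) != 0)
        status |= ENUM_MISMATCH;
    return status;
}

/* Constructed scenario: the game is PID 1234, XTrap's helper process 1300, a cheat 4711.
 * TOOLHELP_LIST is what an untouched Toolhelp32 snapshot would report. */
static const uint32_t TOOLHELP_LIST[] = { 0, 4, 480, 1234, 1300, 4711 };
#define N_TOOLHELP (sizeof TOOLHELP_LIST / sizeof TOOLHELP_LIST[0])

/* Unpatched K32EnumProcesses: same set, different order. */
int scenario_honest(void)
{
    const uint32_t enum_list[] = { 4711, 4, 1300, 0, 1234, 480 };
    return check_process_list(enum_list, 6, TOOLHELP_LIST, N_TOOLHELP, 1234);
}

/* K32EnumProcesses patched with "ret 0Ch": returns without filling the buffer. */
int scenario_ret_patch(void)
{
    return check_process_list(NULL, 0, TOOLHELP_LIST, N_TOOLHELP, 1234);
}

/* A smarter hook that hides only the cheat: still caught by the cross-check. */
int scenario_filtered(void)
{
    const uint32_t enum_list[] = { 0, 4, 480, 1234, 1300 };
    return check_process_list(enum_list, 5, TOOLHELP_LIST, N_TOOLHELP, 1234);
}

int main(void)
{
    printf("honest:   0x%x\nret 0Ch:  0x%x\nfiltered: 0x%x\n",
           scenario_honest(), scenario_ret_patch(), scenario_filtered());
    return 0;
}
```

The "ret 0Ch" patch trips all three flags at once; a hook that filters a single PID out of the list survives the first two checks and only the cross-source comparison catches it, which is why a scanner should never rely on one enumeration API.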
Others
https://github.com/sup817ch/BypassXTrap
Attachments
Four files are attached to the thread (245.3 KB, 11.6 KB, 357.3 KB and 1.2 MB).