WDDM Hook - UD D3D HOOKING

[~FALLEN~]

Code:

.text:4041D8D0 ; =============== S U B R O U T I N E =======================================
.text:4041D8D0
.text:4041D8D0
.text:4041D8D0 sub_4041D8D0    proc near               ; CODE XREF: sub_4041C9F0+2Dp
.text:4041D8D0                 push    esi
.text:4041D8D1                 mov     esi, ecx
.text:4041D8D3                 push    offset aAticfx32_dll ; "Aticfx32.dll"
.text:4041D8D8                 call    LoadLibrary
.text:4041D8DE                 test    eax, eax
.text:4041D8E0                 jz      short loc_4041D909
.text:4041D8E2                 push    offset aOpenadapter ; "OpenAdapter"
.text:4041D8E7                 push    eax             ; hLibrary
.text:4041D8E8                 call    GetProcAddress_1
.text:4041D8EE                 test    eax, eax
.text:4041D8F0                 mov     pOpenAdapter, eax
.text:4041D8F5                 jz      short loc_4041D909
.text:4041D8F7                 push    5
.text:4041D8F9                 add     esi, 210h
.text:4041D8FF                 push    eax
.text:4041D900                 push    esi
.text:4041D901                 call    sub_4042F9D0
.text:4041D906                 add     esp, 0Ch
.text:4041D909
.text:4041D909 loc_4041D909:                           ; CODE XREF: sub_4041D8D0+10j
.text:4041D909                                         ; sub_4041D8D0+25j
.text:4041D909                 pop     esi
.text:4041D90A                 retn
.text:4041D90A sub_4041D8D0    endp
.text:4041D90A
.text:4041D90A ; ---------------------------------------------------------------------------
.text:4041D90B                 align 10h
.text:4041D910
.text:4041D910 ; =============== S U B R O U T I N E =======================================
.text:4041D910
.text:4041D910
.text:4041D910 sub_4041D910    proc near               ; CODE XREF: sub_4041C9F0+26p
.text:4041D910                 push    esi
.text:4041D911                 mov     esi, ecx
.text:4041D913                 push    offset aNvd3dum_dll ; "Nvd3dum.DLL"
.text:4041D918                 call    LoadLibrary
.text:4041D91E                 test    eax, eax
.text:4041D920                 jz      short loc_4041D949
.text:4041D922                 push    offset aOpenadapter ; "OpenAdapter"
.text:4041D927                 push    eax             ; hLibrary
.text:4041D928                 call    GetProcAddress_1
.text:4041D92E                 test    eax, eax
.text:4041D930                 mov     dword_40540720, eax
.text:4041D935                 jz      short loc_4041D949
.text:4041D937                 push    5
.text:4041D939                 add     esi, 1FCh
.text:4041D93F                 push    eax
.text:4041D940                 push    esi
.text:4041D941                 call    sub_4042F9D0
.text:4041D946                 add     esp, 0Ch
.text:4041D949
.text:4041D949 loc_4041D949:                           ; CODE XREF: sub_4041D910+10j
.text:4041D949                                         ; sub_4041D910+25j
.text:4041D949                 pop     esi
.text:4041D94A                 retn
.text:4041D94A sub_4041D910    endp
.text:4041D94A
.text:4041D94A ; ---------------------------------------------------------------------------
.text:4041D94B                 align 10h

Just a small quote from an IDB file of XTrapVA.dll I created ~Nov.12 (with cleaned Themida IAT calls and reconstructed custom XT import table). Didn't perform further analysis, however they obviously do 'something' with it. The sub_XX call is the function they use to obfuscate their pointers which are put into a special structure to hold them all. I'm significantly too lazy to find the references to see what they are doing with it right now.

Oh by the way, that image came into mind when I reopened the IDB again. Probably nobody except ~FALLEN~ will understand it, but whatever, I'll post it anyway.

Made me rofl so hard.... Why not just get the address by walking the PEB to enumerate modules and then walk the import table to get the ordinal and from there get the actual address.... I guess that's too much logic for XCrap to use... smh

[XarutoUsoCrack]

@~FALLEN~ i don't understud nothing you said but, no ones have your knowledge.

[0xB4DF00D]

@~FALLEN~ i don't understud nothing you said but, no ones have your knowledge.

You deserve a cocksucker tag.

What he said is nothing new, anyone with a little knowledge knows this.

[pceumel]

@~FALLEN~ i don't understud nothing you said but, no ones have your knowledge.

he´s just talking about "rewriting" GetModuleHandle and GetProcAddress :P
don´t know how to say it :/
@~FALLEN~ correct me pls if it´s wrong ^^

PCe

[XarutoUsoCrack]

@0xB4DF00D ok but i don't understanded any problem on that your little troll, go suck dicks.

[Ende!]

Made me rofl so hard.... Why not just get the address by walking the PEB to enumerate modules and then walk the import table to get the ordinal and from there get the actual address.... I guess that's too much logic for XCrap to use... smh

Do you really expect someone who implements a "detour detection" like that

and string "encryption" using this technique

to know about ANY windows-internals, even if they are trivial? :P

Edit: Oh and in case of crypto-algorithms: better initialize the key multiple times, safety first.


We should consider starting a thread to honor the glorious coding-skills of the XTrap developers - finding content to feed it definitely won't be a big deal.

[~FALLEN~]

Do you really expect someone who implements a "detour detection" like that

and string "encryption" using this technique

to know about ANY windows-internals, even if they are trivial? :P

Edit: Oh and in case of crypto-algorithms: better initialize the key multiple times, safety first.


We should consider starting a thread to honor the glorious coding-skills of the XTrap developers - finding content to feed it definitely won't be a big deal.

I really hope they're unlocking... inb4 deadlock

["Woldhack"]

thanks idol?

[467079188]

thanks i will try it

[mamo007]

@pceumel what is iltmessage ?

[giniyat101]

@pceumel what is iltmessage ?

An interface..?

[mamo007]

An interface..?

aha .. Ok .