Thread: XTrap Concept

  1. #16
    Dragon(H)ell
    @Ende! What about making fake xtrapva, xtrap.xt?

  2. #17
    Ende!
    Quote (originally posted by Dragon(H)ell):
    @Ende! What about making fake xtrapva, xtrap.xt?

    Did you read my post completely?

    Quote (originally posted by Ende!):
    Code:
    |     - receives check requests from server, generates response data          |
    |       validated by the server, so nopping does not help, as the server      |
    |       expects correct data (checksums, for instance)                        |
    |     - on a special opcode, requests heartbeat data generated by XTrapVa.dll |
    ...
    |   => Generates a heartbeat data block validated by the server when asked    |

    First of all, an important part of XTrap is linked statically (in simple words: copied by the linker) into CrossFire's main binary, so replacing it would be incredibly time-consuming. Secondly, your 'fake' DLL would have to generate correct heartbeat packets, as you get kicked with HTD (0:5:0:0) in case of invalid / lacking heartbeat packets. Thirdly, HGWC could detect your DLL replacement by its CRC pretty easily. Last but not least, you would have to reverse and reconstruct the complete API provided by the DLL (which is much more complex than the exported functions; one of those exported functions is fed with a ton of callbacks by the statically linked part of XT).

    The only real way of perfect bypassing with a ban-chance of zero is complete removal and emulation of HGWC and XTrap. That's not even illegal for private purposes, however when dropping such stuff public, it really fucks up the game, as it is absolutely undetectable (at least when implemented correctly) and if you combine it with pattern magic, it is also very hard to patch. Luckily there is not even a handful of coders in this section who are capable of developing such stuff.
    Last edited by Ende!; 02-28-2013 at 12:42 PM.

  3. The Following 2 Users Say Thank You to Ende! For This Useful Post:

    kalekip1 (03-06-2013),kmanev073 (02-28-2013)

  4. #18
    kmanev073
    Quote (originally posted by Ende!):
    Even if we distanced from CF haxxoring, I'll give you guys a hand. Your concept is total bullshit.

    Here, have one I quickly put together just now.
    Code:
     _____________________________________________________________________________
    | HGWC.exe                                                                    |
    |                                                                             |
    | => Establishes connection to HGWC server                                    |
    | => Receives tons of CRCs of common 'bad tools' and detected hacks           |
    | => Validates integrity of .rez files with CRCs from server                  |
    | => Receives the HGWC server-key passed as parameter to the game             |
    |     - Key is sent in CF's login-packet                                      |
    |     - Invalid key -> kick after server selection                            |
    | => Launches the game process                                                |
    | => Keeps alive connection to HGWC server, regularly sends trivial heartbeat |
    |    packets                                                                  |
    | => Connection is encrypted with a static key, key is later changed to one   |
    |    provided by the server                                                   |
    | => Tunnels heartbeat-packets from XTrap.lib/XTrapVa.dll in CF process       |
    | => Protocol consists of ~ 35 server- and ~ 15 client-opcodes                |
    | => Sending incorrect response packets to the server results in a disconnect |
    | => Manages bans of specific kinds (didn't dive into that further, emulated  |
    |    whole HGWC/XT anyway, so didn't care about the banning stuff)            |
    |_____________________________________________________________________________|
                                         |
                                         |
                                         v
     _____________________________________________________________________________
    | crossfire.exe                                                               |
    |                                                                             |
    | => calls 4 (not sure, but I think it were 4) callbacks to assure XTrap.lib  |
    |    is initialized correctly (in WinMain, post window creation, post login,  |
    |    WndProc - nopping these prevents XT from loading, DC after ~2 min inc)   |
    |  _____________                                                              |
    | | XTrap.lib   |                                                             |
    |   => Establishes encrypted named pipe connection to HGWC                    |
    |   => Loads XTrapVa.dll                                                      |
    |   => XT-heartbeat packet generation                                         |
    |     - 7 server-, 5 client packet types                                      |
    |     - obfuscated opcodes                                                    |
    |     - static packet length (0x80 bytes)                                     |
    |     - receives check requests from server, generates response data          |
    |       validated by the server, so nopping does not help, as the server      |
    |       expects correct data (checksums, for instance)                        |
    |     - on a special opcode, requests heartbeat data generated by XTrapVa.dll |
    |   => Statically linked into crossfire.exe                                   |
    |  _____________                                                              |
    | | XTrapVa.dll |                                                             |
    |   => Generates a heartbeat data block validated by the server when asked    |
    |   => Performs actual AC stuff (detour checks, ...)                          |
    |_____________________________________________________________________________|
    As you can see above, HGWC is not only a tiny part of the AC, but the main gateway between the XT-server and the XT-client, adding some additional functionality. The above 'diagram' is far from being complete. I don't want to provide stuff that kids can turn into an emulator, I just give skilled reversers a hand by showing them the main structure and give them a point to start. Whatever XTrap.xt does, it is not involved in heartbeat generation, so I didn't dive into that any further.

    PS: Don't ask me stuff about ****, I won't tell you more than you probably already found out from public sources.
    PS2: I typed that together in a few minutes, might add/correct some stuff later. I'm sure I missed something important.

    Thanks! I won't write an emulator; I believe it is easier to make the 2 minutes bypass working by changing something in HGWC. Danke anyways, now I know that XTrap and HGWC are connected with a pipe.

    ---------- Post added at 10:00 PM ---------- Previous post was at 09:58 PM ----------

    Today I took a deeper look into HGWC. The only things I found there were some switches, hashes and timers. I don't believe it will be that hard.

  5. #19
    ~FALLEN~
    Why bother with emulating an anticheat... you can't use it... whether it be public or included in a paysite hack, it's illegal. Not to mention they would probably either DMCA or sue you... no point, just go around the fucking thing, it's a piece of cake.

  6. #20
    arun823
    My opinion would be, even if you do cut off the XTrap access to the game, they still have server checks every couple of minutes if XTrap is loaded, so this probably wouldn't even work. Idk, just my thinking off of HackShield knowledge from other games.
    Reversing is the only way to move forward.

  7. #21
    derh.acker
    Quote (originally posted by arun823):
    My opinion would be, even if you do cut off the XTrap access to the game, they still have server checks every couple of minutes if XTrap is loaded, so this probably wouldn't even work. Idk, just my thinking off of HackShield knowledge from other games.

    How should the server check if XTrap really runs if it's emulated?

    Quote (originally posted by Yo.Hero..!!):
    Thnxxxxxxxxxxxx

    Spam to increase your post count?

  8. #22
    alaska321
    Task-Manager->Terminate XtrapVa.dll

  9. The Following User Says Thank You to alaska321 For This Useful Post:

    derh.acker (03-04-2013)

  10. #23
    arun823
    Quote (originally posted by derh.acker):
    How should the server check if XTrap really runs if it's emulated?

    The Game most likely has a server checksum system to see if XTrap is loaded, XTrap unloaded + Server Checksum->GameCrash
    Reversing is the only way to move forward.

  11. #24
    derh.acker
    Quote (originally posted by arun823):
    The Game most likely has a server checksum system to see if XTrap is loaded, XTrap unloaded + Server Checksum->GameCrash

    How should the server know that the checksum really isn't faked?

  12. #25
    Royku
    Quote (originally posted by ..x_X_x..):
    What if we make a virtual XTrap server that doesn't send reports to the HGW or z8 server..
    and make XTrap DLLs like the original but with the virtual server?????
    Seems hard and interesting.

    zY*N already did that.. it worked perfect.. but they got shut down by z8games..

  13. #26
    arun823's Avatar
    Join Date
    Jun 2010
    Gender
    male
    Location
    Los Angeles, California
    Posts
    523
    Reputation
    151
    Thanks
    1,899
    My Mood
    Amused
    Quote (originally posted by derh.acker):
    How should the server know that the checksum really isn't faked?

    The only way you can "fake" the check is if you tell the server to not check w/e you don't want to be.
    Reversing is the only way to move forward.
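
An added example, not part of the thread and not XTrap's or HGWC's actual protocol: a server-side model of the validation discussed in post #17 and in posts #21 to #26, where every heartbeat must answer a fresh server nonce inside a fixed 0x80-byte packet, so a recorded answer, a wrong checksum or a silent client gets kicked. The HMAC-SHA256 construction, the key handling, the 120-second deadline and all names are assumptions; it does not cover a client that correctly reimplements the computation.

```python
import hashlib
import hmac
import os

PACKET_LEN = 0x80          # fixed heartbeat packet size quoted in the thread
HEARTBEAT_TIMEOUT = 120.0  # assumed deadline in seconds, illustrative only

def heartbeat_packet(key, nonce, checksum):
    """HMAC over nonce + checksum, zero-padded to the fixed packet length."""
    mac = hmac.new(key, nonce + checksum, hashlib.sha256).digest()
    return mac.ljust(PACKET_LEN, b"\x00")

class HeartbeatSession:
    """Server-side state for one client (hypothetical design)."""

    def __init__(self, key, expected_checksum):
        self.key, self.expected = key, expected_checksum
        self.nonce, self.deadline = None, 0.0

    def issue_challenge(self, now):
        self.nonce = os.urandom(16)  # fresh per request, so old answers go stale
        self.deadline = now + HEARTBEAT_TIMEOUT
        return self.nonce

    def verify(self, packet, now):
        if self.nonce is None:
            return "kick: unsolicited"
        nonce, self.nonce = self.nonce, None  # each challenge is single-use
        if now > self.deadline:
            return "kick: heartbeat timeout"
        if len(packet) != PACKET_LEN:
            return "kick: bad length"
        want = heartbeat_packet(self.key, nonce, self.expected)
        return "ok" if hmac.compare_digest(packet, want) else "kick: invalid heartbeat"

def demo():
    key = b"\x11" * 32  # constructed session key
    good = hashlib.sha256(b"constructed module image").digest()
    bad = hashlib.sha256(b"constructed patched image").digest()
    s = HeartbeatSession(key, good)
    first = heartbeat_packet(key, s.issue_challenge(0.0), good)
    results = [s.verify(first, 1.0)]      # honest answer to the current nonce
    s.issue_challenge(2.0)
    results.append(s.verify(first, 3.0))  # replay of the earlier answer
    results.append(s.verify(heartbeat_packet(key, s.issue_challenge(4.0), bad), 5.0))
    results.append(s.verify(heartbeat_packet(key, s.issue_challenge(6.0), good), 200.0))
    return results
```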
