[INFO]
XTrap scans its own memory and the target exe's memory and computes a CRC of it; if you change something, it will be detected within a few seconds.
This is a short tutorial on how to bypass it.
The function that does the scanning is easy to find: set a page_guard on your page and log all accesses to it (the "Stealth Edit 2" plugin for Cheat Engine does this well).
Once you have found it, you have to work out the calling convention and parameters. That is hard to explain; try to find some information with Google.
The actual calling convention is:
Code:
int __cdecl newScanPage(int unknown, DWORD targetPage, unsigned int pageSize);
The rest is easy: hook the function and "fake" the page. You can map the original exe into the process, or create a second page once for every page.
Code:
int __cdecl newScanPage(int unknown, DWORD targetPage, unsigned int pageSize)
{
    DWORD fakePage = createFakePage(targetPage);
    return origScanPage(unknown, fakePage, pageSize);
}
/*
...
*/
DWORD addr = FindPattern(baseAddress, codeSize,
(BYTE*)"\x55\x8B\xEC\x83\xEC\x2C\x83\x7D\x10\x00\x75\x05\xE9\x00\x00\x00\x00\x8B\x45\x08\x8B\x48\x14\x8B\x55\x10\x8D\x04\xD1\x89\x45\xEC\x8B\x4D\x08\x8B\x55\xEC\x3B\x51\x14\x73\x0F\x8B\x45\x08\x8B\x48\x18\x83\xC1\x01\x8B\x55\x08",
"xxxxxxxxxxxxx????xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx");
createFakePage(addr);
origScanPage = (typeScanPage) Detourfunction((PBYTE)addr, (PBYTE)newScanPage);
Have fun
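
Seen from the protection side, the weak point described above is that the CRC result is trusted even when the scan routine itself has been detoured. The following is an added example, not code from the original post or from XTrap: a CRC page check that first compares the scanner's entry bytes with a known-good copy. All names are hypothetical and the page contents are constructed; the six entry bytes are the start of the pattern shown above.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>
enum scan_status { SCAN_OK, SCAN_PAGE_MODIFIED, SCAN_SCANNER_HOOKED };

/* Bitwise CRC-32 (reflected polynomial 0xEDB88320). */
static uint32_t crc32_buf(const uint8_t *p, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Nonzero if the entry starts with a jump or differs from the known-good bytes. */
static int entry_is_detoured(const uint8_t *entry, const uint8_t *good, size_t n)
{
    if (n >= 1 && (entry[0] == 0xE9 || entry[0] == 0xEB)) return 1; /* jmp rel32/rel8 */
    if (n >= 2 && entry[0] == 0xFF && entry[1] == 0x25) return 1;   /* jmp [mem] */
    return memcmp(entry, good, n) != 0;
}

/* Check the scanner's own entry before trusting the CRC it produces. */
static enum scan_status verify(const uint8_t *entry, const uint8_t *good, size_t n,
                               const uint8_t *page, size_t len, uint32_t expected)
{
    if (entry_is_detoured(entry, good, n)) return SCAN_SCANNER_HOOKED;
    return crc32_buf(page, len) == expected ? SCAN_OK : SCAN_PAGE_MODIFIED;
}

/* Constructed scenario: hypothetical page contents, entry bytes from the pattern above. */
static enum scan_status demo(int patch_page, int hook_scanner)
{
    static const uint8_t good[6] = {0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x2C};
    uint8_t entry[6], page[64];
    memcpy(entry, good, sizeof entry);
    for (size_t i = 0; i < sizeof page; i++) page[i] = (uint8_t)(i * 7u);
    uint32_t expected = crc32_buf(page, sizeof page);  /* baseline taken while clean */
    if (patch_page) page[10] ^= 0x90;                  /* simulated code patch */
    if (hook_scanner) { entry[0] = 0xE9; memset(entry + 1, 0, 4); } /* 5-byte jmp */
    return verify(entry, good, sizeof entry, page, sizeof page, expected);
}
int main(void)
{
    printf("%d %d %d\n", demo(0, 0), demo(1, 0), demo(1, 1));
    return 0;
}
```

A check that lives in the same process can be patched the same way, so it works as one detection layer next to server-side validation rather than as a guarantee.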