
Thread: [WIP] C9 Bypass + Trainer

  1. #11
    Senior Member rafi (Join Date: Sep 2009, Location: munich, Posts: 200)
    Regarding module hiding, you could try the following things:
    -> zero out mapped file headers (usually first 0x1000 bytes of mapped module)
    - http://undocumented.ntinternals.net/...ocess/PEB.html
    -> PEB.LoaderData
    - http://undocumented.ntinternals.net/..._LDR_DATA.html
    - http://undocumented.ntinternals.net/...DR_MODULE.html
    -> LoaderData.InLoadOrderModuleList holds list of LDR_MODULE ptrs. find your module in this list over LDR_MODULE::BaseAddress ( = "module handle")
    -> LDR_MODULE has 4 doubly linked lists. remove the current ptr from all lists (forwardptr of prev entry to next entry and backptr of next entry to prev entry)
    -> zero out the entire LDR_MODULE struct (you can also first zero the FullDllName and BaseDllName strings)

    If all that doesn't help, I don't think you can do much more in usermode.
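
Added example, not part of the post above or of any tool named in the thread: the cross-check an integrity scanner or memory-forensics tool (Volatility's `ldrmodules` plugin works on the same idea) uses to spot the hiding steps listed in post #11. It compares image-backed mappings reported by the memory manager against the three PEB loader lists and inspects the header bytes; the snapshot data, `ImageRegion` and `audit_modules` are constructed for illustration.

```python
from dataclasses import dataclass

LIST_NAMES = ("InLoadOrder", "InMemoryOrder", "InInitializationOrder")

@dataclass(frozen=True)
class ImageRegion:
    """One image-backed mapping as seen by the memory manager, not by the PEB."""
    base: int
    mapped_path: str
    header: bytes            # first bytes of the mapping
    is_main_exe: bool = False

def audit_modules(regions, loader_lists):
    """Return {base: [findings]} for mappings that disagree with the loader data.

    loader_lists maps each list name to the base addresses walked from the PEB.
    """
    report = {}
    for region in regions:
        missing = [n for n in LIST_NAMES if region.base not in loader_lists[n]]
        # The process executable is not placed in the initialization-order list.
        if region.is_main_exe and missing == ["InInitializationOrder"]:
            missing = []
        findings = []
        if len(missing) == len(LIST_NAMES):
            findings.append("absent from all three loader lists")
        elif missing:
            findings.append("absent from " + ", ".join(missing))
        if not any(region.header):
            findings.append("PE header zeroed")
        elif region.header[:2] != b"MZ":
            findings.append("PE header does not start with MZ")
        if findings:
            report[region.base] = findings
    return report

# Constructed snapshot: helper.dll is mapped as an image but unlinked and wiped.
MZ = b"MZ" + bytes(62)
REGIONS = [
    ImageRegion(0x00400000, "game.exe", MZ, is_main_exe=True),
    ImageRegion(0x77000000, "ntdll.dll", MZ),
    ImageRegion(0x10000000, "helper.dll", bytes(64)),
]
LOADER_LISTS = {
    "InLoadOrder": {0x00400000, 0x77000000},
    "InMemoryOrder": {0x00400000, 0x77000000},
    "InInitializationOrder": {0x77000000},
}

if __name__ == "__main__":
    for base, findings in audit_modules(REGIONS, LOADER_LISTS).items():
        print(f"{base:#010x} {'; '.join(findings)}")
```

The mapping itself is still visible to the memory manager after the PEB entries are gone, which is why the disagreement between the two views is the detection signal.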

  2. #12
    Senior Member Rask (Join Date: Apr 2010, Location: Oregon, USA, Posts: 1,620)
    I have absolutely zero experience, and there's a severe lack of public knowledge on XIGNcode. One guy bypassed it ages ago (2010) but I haven't been able to get in contact with him.

  3. #13
    Junior Member (Join Date: Jul 2012, Posts: 2)
    Rafi, I will give that a shot and post the result, thanks!

  4. #14
    It might just be detecting your method of injection.

    It's possible that the injection is being logged at a kernel level, and its response is delayed because the game only checks for messages every X seconds (so anti-cheat doesn't eat CPU). Just a theory, since I have no access to a xigncode game to test (and don't really care that much anyway).

    For example, if you're using CreateRemoteThread to activate LoadLibrary, you had to use WPM to enter the .dll name. It's possible that it's just seeing that you're using WPM on the program and shutting down because of that.

    Try a few different injection methods.

    EDIT: Are you trying to inject at process startup, or after the game's already running?
    Last edited by TheArkanaProject; 07-18-2012 at 08:28 PM.
    Please read the wiki before asking for help!

    GWA² 3.6

    I am no longer supporting any Guild Wars projects. Sorry.

  5. #15
    Senior Member Rask (Join Date: Apr 2010, Location: Oregon, USA, Posts: 1,620)
    Both.

    ==EDIT==

    Saw some guy mention that he had no problems with an SSDT hook. Going to practice on other stuff for a bit and then make a hook/driver. Also thinking about making my own proxy/packet editor in C#.
    Last edited by Rask; 07-19-2012 at 06:46 AM.

  6. #16
    Little knowledge on XIGNcode
