[How to] Patch X-Trap out of the Client
#1

First of all, you need OllyDBG for this. Once you have it, I assume that you have basic knowledge of using this debugger. Anyway, quick instructions:

 

1) Open OllyDBG

2) Click on File -> Open -> Nksp.exe

3) Wait until it's fully loaded

 

4) Click Plugins -> Command line and type in BP GetModuleHandleA -> Enter.

If you don't have the Command line plugin, do the following:

Press CTRL+G -> type in GetModuleHandleA and press Enter.

You will then land at the start of the function; set a software breakpoint (double-click that line or press F2).

 

5) Press Run. OllyDBG will stop at your breakpoint (GetModuleHandleA).

Right-click the first line in the system stack and click Follow in Disassembler.

You will see assembler code similar to this:

 

PUSH EBX ; /pModule = NULL
CALL DWORD PTR DS:[<&KERNEL32.GetModuleHandleA>] ; \GetModuleHandleA
PUSH EAX
CALL Nksp.00406160
MOV [LOCAL.26],EAX
PUSH EAX ; /status = A (10.)
CALL DWORD PTR DS:[<&MSVCRT.exit>] ; \exit

 

Click on the following line:

CALL Nksp.00406160

and press Enter (it will probably change with the next update, but it will still be a call to a function in Nksp).

Now you will see assembler code similar to this one:

 

PUSH EBP
MOV EBP,ESP
PUSH -1
PUSH Nksp.00419068
PUSH ; SE handler installation
MOV EAX,DWORD PTR FS:[0]
PUSH EAX
MOV DWORD PTR FS:[0],ESP
SUB ESP,0C
PUSH EBX
PUSH ESI
PUSH EDI ; ntdll.7C91E920
MOV DWORD PTR SS:[EBP-18],ESP
PUSH Nksp.00422D19 ; /Arg1 = 00422D19
CALL Nksp.004085A0 ; \Nksp.004085A0
ADD ESP,4
CALL DWORD PTR DS:[<&Engine.CTStream::EnableStreamH>; Engine.CTStream::EnableStreamHandling

 

The call above Engine.CTStream::EnableStreamHandling is the important one. That function will load XTrap.

To verify it, you can click on the call and press Enter. Inside of it you will already see some XTrap stuff.

 

Call:

PUSH Nksp.00422D19 ; /Arg1 = 00422D19
CALL Nksp.004085A0 ; \Nksp.004085A0

 

We only have to NOP out these two lines. Simply right-click them and choose Binary edit -> Fill with nops.

NOP means No Operation (do nothing). Congratulations, you have patched out XTrap. Of course, we want to save those changes; to do so, do the following:

 

Right-click in the CPU window (anywhere in the code, our NOPs for example).

Now choose Copy to Executable -> Copy all. A new small window will open; right-click in it and choose Save file. Now you are able to save it.

Keep in mind that this isn't a complete XTrap patch and will disconnect you in 10-20 minutes. To completely get rid of XTrap, you need to emulate the communication between the client (Last Chaos) and the XTrap server.

 

Thanks to smashing

 

regards,

fulmix
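
Seen from the defending side, the edit described in this post leaves a clear trace: a PUSH imm32 / CALL rel32 pair (10 bytes of real code) replaced by 0x90 bytes. The following Python is an added example, not part of the original post or of any XTrap or game code; it compares code bytes against a trusted reference copy and reports such spans. The sample bytes are constructed to resemble the listing above, and the CALL displacement is made up.

```python
# Added example (not from the original post): tamper check that compares an
# executable's code bytes with a trusted reference and reports NOP-filled spans.
NOP = 0x90
OPCODES = {0x68: "PUSH imm32", 0xE8: "CALL rel32"}

def nop_runs(data, min_len):
    """Yield (start, end) for each maximal run of 0x90 at least min_len long."""
    i, n = 0, len(data)
    while i < n:
        if data[i] != NOP:
            i += 1
            continue
        j = i
        while j < n and data[j] == NOP:
            j += 1
        if j - i >= min_len:
            yield i, j
        i = j

def find_nopped_code(reference, candidate, min_len=5):
    """Return spans that are NOPs in candidate but real code in reference."""
    if len(reference) != len(candidate):
        raise ValueError("size mismatch: compare equal-sized code sections")
    findings = []
    for start, end in nop_runs(candidate, min_len):
        changed = [k for k in range(start, end) if reference[k] != NOP]
        if not changed:
            continue  # alignment padding that is 0x90 in both images
        lo, hi = changed[0], changed[-1] + 1
        findings.append({
            "offset": lo,
            "length": hi - lo,
            "original": reference[lo:hi].hex(),
            "first_opcode": OPCODES.get(reference[lo], "other"),
        })
    return findings

# Constructed sample bytes shaped like the listing in the post:
# MOV [EBP-18],ESP / PUSH 00422D19 / CALL rel32 / ADD ESP,4 / padding.
# The CALL displacement is made up for illustration.
REFERENCE = bytes.fromhex("8965e8" "68192d4200" "e810240000" "83c404" "909090909090")
PATCHED = bytes.fromhex("8965e8" + "90" * 10 + "83c404" "909090909090")

if __name__ == "__main__":
    for finding in find_nopped_code(REFERENCE, PATCHED):
        print(finding)
```

Padding that is already 0x90 in the reference image is ignored, so only spans where real instructions were overwritten are reported.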


