GK-Chubbz

XIGNCODE3 Information

Jun 26th, 2015
x3.xem --> x3.dll (Themida/Winlicense v2.x) --> XIGNCODE3 System
xcorona.xem --> xcorona.dll (Themida/Winlicense v2.x) --> XIGNCODE3 System
xcorona_x64.xem --> xcorona_x64.dll (Themida/Winlicense v2.x) --> XIGNCODE3 System
xmag.xem --> xmag.xem (Code Virtualizer) --> XIGNCODE3 File Archive
xnina.xem --> xnina.xem (Not Packed) --> XIGNCODE3 File Archive
xxd-0.xem --> xxd.dll (Not Packed) --> XIGNCODE WatchDog Process

XIGNCODE3 Detects:
-API hooks
-Filenames
-Files on your drive via USN Journal & Prefetch
-API call return addresses
-CreateThread
-GetKeyState
-GetAsyncKeyState
-CreateProcessW (xxd-0.xem)
-LoadLibrary
-CreateFont
-[more to be added]
-Signatures
-Window Titles
-Strings (searched for as raw bytes in memory/files)
-Patterns (byte patterns searched for the same way)
-DNS cache entries
-Message hooks
-Speed hacking
-D3D hooking (not every kind of it, but inline detours for example)
-Icon hashes
-Linked modules
-Code injection at runtime

APIs referenced in x3.xem:
-NtQueryInformationProcess
-NtQueryVirtualMemory (probably used with MemoryMappedFilenameInformation to walk the address space page by page, looking for executable memory that does not belong to any loaded module)
-NtReadVirtualMemory
-NtQueryInformationThread
-NtCreateFile
-NtReadFile
-NtOpenFile
-NtOpenProcess (using an SSDT hook)
-NtQueryInformationFile
-NtSetInformationFile (called once at startup)
-NtWaitForSingleObject
-NtTerminateProcess
-NtWow64QueryInformationProcess64
-NtWow64QueryVirtualMemory64
-NtWow64ReadVirtualMemory64
-ZwOpenDirectoryObject
-ZwQueryDirectoryObject
-ZwClose
-LookupPrivilegeValueW
-AdjustTokenPrivileges
-OpenProcessToken
-SeDebugPrivilege (enabled with the three calls above)
-ObRegisterCallbacks (they register a callback on the object manager; the API is kernel-mode only, so the registration itself has to live in the driver): http://www.unknowncheats.me/forum/anti-cheat-bypass/148364-obregistercallbacks-and-countermeasures.html

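For the NtQueryVirtualMemory note above, here is an added example (not XIGNCODE3's code) of the decision a scanner makes while walking the address space: every executable region must lie entirely inside a known module, otherwise it is treated as injected or manually mapped code. The module table and region list are constructed by hand in place of the loader's module list and real NtQueryVirtualMemory results; module names, addresses and sizes are assumed for the example. The same containment test is then applied to a thread start address, which is one way the thread-creation check described further down can be implemented.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A loaded (whitelisted) module and a memory region as a NtQueryVirtualMemory
 * walk would report it. Only the fields the check needs are modelled. */
typedef struct { const char *name; uint64_t base; uint64_t size; } module_t;
typedef struct { uint64_t base; uint64_t size; int executable; } region_t;

/* Index of the module containing addr, or -1 if no listed module does. */
int module_for_address(const module_t *mods, size_t nmods, uint64_t addr)
{
    for (size_t i = 0; i < nmods; i++)
        if (addr >= mods[i].base && addr < mods[i].base + mods[i].size)
            return (int)i;
    return -1;
}

/* A region is legitimate only if it lies entirely inside one module; a region
 * that starts inside a module but runs past its end is still suspicious. */
int region_in_module(const module_t *mods, size_t nmods, const region_t *r)
{
    int m = module_for_address(mods, nmods, r->base);
    if (m < 0) return 0;
    return r->base + r->size <= mods[m].base + mods[m].size;
}

/* Walk the regions the way a scanner walks the address space and collect the
 * indices of executable regions outside every module. Returns how many were found. */
size_t find_rogue_exec_regions(const module_t *mods, size_t nmods,
                               const region_t *regs, size_t nregs,
                               size_t *out, size_t max_out)
{
    size_t found = 0;
    for (size_t i = 0; i < nregs; i++) {
        if (!regs[i].executable) continue;            /* data, heaps, stacks: ignored */
        if (region_in_module(mods, nmods, &regs[i])) continue;
        if (found < max_out) out[found] = i;
        found++;
    }
    return found;
}

/* The thread-creation check: a new thread may only start inside a listed module. */
int thread_start_allowed(const module_t *mods, size_t nmods, uint64_t start_address)
{
    return module_for_address(mods, nmods, start_address) >= 0;
}

/* Constructed sample layout (names, addresses and sizes are made up). */
static const module_t sample_modules[] = {
    { "game.exe",     0x0000000140000000ULL, 0x00800000ULL },
    { "kernel32.dll", 0x00007FFB10000000ULL, 0x000B0000ULL },
    { "ntdll.dll",    0x00007FFB12340000ULL, 0x001F0000ULL },
};
static const region_t sample_regions[] = {
    { 0x0000000140000000ULL, 0x00001000ULL, 0 },  /* game.exe PE headers, not executable */
    { 0x0000000140001000ULL, 0x00500000ULL, 1 },  /* game.exe .text */
    { 0x0000000020000000ULL, 0x00010000ULL, 1 },  /* anonymous RWX: a manually mapped DLL */
    { 0x0000000030000000ULL, 0x00002000ULL, 0 },  /* heap, not executable */
    { 0x00007FFB10000000ULL, 0x000B0000ULL, 1 },  /* kernel32.dll image */
    { 0x00007FFB12340000ULL, 0x001F0000ULL, 1 },  /* ntdll.dll image */
    { 0x00007FFB12520000ULL, 0x00020000ULL, 1 },  /* starts in ntdll, runs 0x10000 past its end */
};
#define NMODS (sizeof sample_modules / sizeof sample_modules[0])
#define NREGS (sizeof sample_regions / sizeof sample_regions[0])

/* Helpers over the sample so the results can be checked without main(). */
size_t sample_rogue_count(void)
{
    size_t idx[NREGS];
    return find_rogue_exec_regions(sample_modules, NMODS, sample_regions, NREGS, idx, NREGS);
}

/* Base address of the k-th rogue region, 0 if there is no k-th one. */
uint64_t sample_rogue_base(size_t k)
{
    size_t idx[NREGS];
    size_t n = find_rogue_exec_regions(sample_modules, NMODS, sample_regions, NREGS, idx, NREGS);
    return k < n ? sample_regions[idx[k]].base : 0;
}

int sample_thread_start_allowed(uint64_t start)
{
    return thread_start_allowed(sample_modules, NMODS, start);
}

int main(void)
{
    size_t idx[NREGS];
    size_t n = find_rogue_exec_regions(sample_modules, NMODS, sample_regions, NREGS, idx, NREGS);
    for (size_t i = 0; i < n; i++)
        printf("executable region outside any module: base=0x%llX size=0x%llX\n",
               (unsigned long long)sample_regions[idx[i]].base,
               (unsigned long long)sample_regions[idx[i]].size);
    printf("thread start 0x140001234 allowed: %d\n", sample_thread_start_allowed(0x140001234ULL));
    printf("thread start 0x20000010 allowed: %d\n", sample_thread_start_allowed(0x20000010ULL));
    return 0;
}
```

This is also why the bypass notes later on this page hook NtQueryVirtualMemory: whatever the scanner cannot see in the region walk, it cannot compare against the module list.
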
- XIGNCODE3 detects thread creation from kernel level (presumably a thread-creation notify routine registered by its driver) and then checks whether the thread's start address lies inside a legitimate system/whitelisted module; a start address outside the legitimate/whitelisted memory ranges closes the game.
- XIGNCODE3 has its own drivers: vtany.sys (purpose unknown) and xhunter1.sys (kernel-mode driver that monitors various API calls via their return addresses, minimizes your windows and blocks memory scanning).
- x3.xem uses CRC32 with the reversed (bit-reflected) polynomial, 0xEDB88320.
- The XIGNCODE SDK loads x3.xem as a normal DLL (LoadLibraryA). It then calls x3.xem's only export with a constant as the parameter; the constant selects which internal function address is returned, and that address is then called.
- x3.xem is the loader module: it reads xmag.xem and manually maps around 5-10 different modules into the process.
- x3.xem itself maps only a few modules; the rest are manually mapped by modules that were themselves manually mapped.
- x3.xem strips the privileges of externally attached processes so that tools cannot read game memory.
- xmag.xem is a custom file archive (data file) containing around 20 different .xem files.
- XIGNCODE3 writes every file and path you modified in the last ~48 hours, and every executable that has a prefetch file, into its logs.
- x3.xem and xdd.xem call NtSetInformationThread with ThreadHideFromDebugger on the main process threads.
- xdd.xem uses ReadProcessMemory to read the first 0xC8 bytes(?) starting at the process handle address.
- xdd.xem checks for handles/threads that external tools have opened on or linked to the game process; if the tool is a known one, it gets minimized.
- XIGNCODE3 uses ws2_32 (Winsock 2) send/recv.

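For the CRC32 note above, an added example (not x3.xem's code) of a CRC-32 with the reversed polynomial 0xEDB88320: a table-driven incremental version, a bit-serial reference to cross-check it, and the integrity-check use run over a constructed buffer. The buffer contents and the "patch one byte" step are made up for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The reversed (bit-reflected) form of the CRC-32 polynomial 0x04C11DB7. */
#define CRC32_REVERSED_POLY 0xEDB88320u

static uint32_t crc_table[256];
static int crc_table_ready;

/* Build the 256-entry table: each entry is the CRC of one byte value, shifting
 * right (LSB first), which is what using the reversed polynomial implies. */
static void crc32_init_table(void)
{
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t c = i;
        for (int k = 0; k < 8; k++)
            c = (c & 1u) ? (c >> 1) ^ CRC32_REVERSED_POLY : (c >> 1);
        crc_table[i] = c;
    }
    crc_table_ready = 1;
}

/* Table-driven and incremental: start with crc = 0, feed chunks in order, and the
 * result is the standard CRC-32 (init 0xFFFFFFFF, final XOR 0xFFFFFFFF), the same
 * value zlib and PKZIP produce. */
uint32_t crc32_update(uint32_t crc, const void *data, size_t len)
{
    const uint8_t *p = (const uint8_t *)data;
    if (!crc_table_ready) crc32_init_table();
    crc = ~crc;
    for (size_t i = 0; i < len; i++)
        crc = crc_table[(crc ^ p[i]) & 0xFFu] ^ (crc >> 8);
    return ~crc;
}

/* Bit-serial reference implementation (no table) for cross-checking. */
uint32_t crc32_bitwise(const void *data, size_t len)
{
    const uint8_t *p = (const uint8_t *)data;
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc & 1u) ? (crc >> 1) ^ CRC32_REVERSED_POLY : (crc >> 1);
    }
    return ~crc;
}

/* The integrity check itself: does the buffer still hash to the stored value? */
int crc32_matches(const void *data, size_t len, uint32_t expected)
{
    return crc32_update(0, data, len) == expected;
}

int main(void)
{
    const char *check = "123456789";             /* standard CRC-32 check vector */
    uint8_t image[64];                           /* constructed stand-in for a code section */
    for (size_t i = 0; i < sizeof image; i++) image[i] = (uint8_t)(i * 7);
    uint32_t stored = crc32_update(0, image, sizeof image);

    printf("crc32(\"%s\") = 0x%08X (bitwise 0x%08X)\n",
           check, crc32_update(0, check, strlen(check)), crc32_bitwise(check, strlen(check)));
    image[10] ^= 0x90;                           /* patch one byte, as an inline hook would */
    printf("image intact after patch: %d\n", crc32_matches(image, sizeof image, stored));
    return 0;
}
```

Knowing the exact variant matters when reproducing a module's checks: with this polynomial and these init/final values, the check vector "123456789" must give 0xCBF43926; any other result means a different CRC-32 flavour is in use.
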
http://www.wellbia.com/home/en/pages/xigncode3/

http://www.elitepvpers.com/forum/dekaron-exploits-hacks-bots-tools-macros/835641-release-unpacked-xigncode-files.html#post7661403

http://i.imgur.com/BJiXLfO.png (the call sequence in the picture runs over nearly all of user memory)

Korean MapleStory Related: http://i.imgur.com/Yi9N9RQ.png

http://www.gamekiller.net/dfo-general-and-hacks-discussion/3236003-bypass.html#post3292317

http://imgur.com/a/m94vV

******************
*NOTES TO BYPASS:*
******************
- XC has a single call that starts the anti-cheat (it loads x3.xem). NOP that call and fix up some of the jumps in that region, and you have a bypass that holds until the heartbeat.

Hook the following and filter out anything related to your DLL:
-NtQueryInformationProcess
-NtQueryVirtualMemory
-NtReadVirtualMemory
-NtQueryInformationThread
-NtOpenFile
-NtWow64QueryInformationProcess64
-NtWow64QueryVirtualMemory64
-NtWow64ReadVirtualMemory64
Keep in mind that API hooks and API call return addresses are themselves on the detection list above, so the hooks have to survive those checks too.

Manual Mapping: http://pastie.org/pastes/10423575/text?key=b5630dzi3ltgnupfwnssiq
Alternative to GetAsyncKeyState: http://pastie.org/pastes/10423497/text?key=9uuxzjcvhovzfjf7iaknw

http://www.unknowncheats.me/forum/847082-post140.html

xc3 'collecting' data: http://i.imgur.com/2BTjaqQ.png