- x3.xem --> x3.dll (Themida/Winlicense v2.x) --> XIGNCODE3 System
- xcorona.xem --> xcorona.dll (Themida/Winlicense v2.x) --> XIGNCODE3 System
- xcorona_x64.xem --> xcorona_x64.dll (Themida/Winlicense v2.x) --> XIGNCODE3 System
- xmag.xem --> xmag.xem (Code Virtualizer) --> XIGNCODE3 File Archive
- xnina.xem --> xnina.xem (Not Packed) --> XIGNCODE3 File Archive
- xxd-0.xem --> xxd.dll (Not Packed) --> XIGNCODE WatchDog Process
- XIGNCODE3 detects:
  - API hooks
  - Filenames
  - Files on your drive via USN Journal & Prefetch
  - API call return addresses
  - CreateThread
  - GetKeyState
  - GetAsyncKeyState
  - CreateProcessW (xxd-0.xem)
  - LoadLibrary
  - CreateFont
  - [more to be added]
  - Signatures
  - Window titles
  - Strings using binary search
  - Patterns using binary search
  - DNS cache entries
  - Message hooks
  - Speed hacking
  - D3D hooking (not all types of it, but detours for example)
  - Icon hashes
  - Linked modules
  - Code injection at runtime
- APIs referenced in x3.xem:
  - NtQueryInformationProcess
  - NtQueryVirtualMemory (maybe used with MemoryMappedFileInformation to iterate over memory pages looking for executable code that does not belong to any module)
  - NtReadVirtualMemory
  - NtQueryInformationThread
  - NtCreateFile
  - NtReadFile
  - NtOpenFile
  - NtOpenProcess (using SSDT hook)
  - NtQueryInformationFile
  - NtSetInformationFile (gets called once at startup)
  - NtWaitForSingleObject
  - NtTerminateProcess
  - NtWow64QueryInformationProcess64
  - NtWow64QueryVirtualMemory64
  - NtWow64ReadVirtualMemory64
  - ZwOpenDirectoryObject
  - ZwQueryDirectoryObject
  - ZwClose
  - LookupPrivilegeValueW
  - AdjustTokenPrivileges
  - OpenProcessToken
  - SeDebugPrivilege
  - ObRegisterCallbacks (they register a callback on the object manager): http://www.unknowncheats.me/forum/anti-cheat-bypass/148364-obregistercallbacks-and-countermeasures.html
- XIGNCODE3 detects thread creation from kernel level and then checks whether the start address comes from a legit system/whitelisted module (start address not in a legit module/whitelisted memory range = game closes)
- XIGNCODE3 has its own drivers: vtany.sys (what is this...?) and xhunter1.sys (kernel-mode driver used to monitor different API calls via return address, minimizes your windows, blocks memory scanning)
- x3.xem uses CRC32 with the reversed (reflected) polynomial
- The Xigncode SDK loads x3.xem as a normal DLL (LoadLibraryA). After that, the only export of x3.xem is called with a constant as the function parameter; the constant defines which function address should be retrieved. The retrieved function address is then called
- x3.xem is the loader module which reads xmag.xem and manually maps around 5-10 different modules into the process space
- x3.xem itself maps only a few modules; the rest are manually mapped from the manually mapped modules
- x3.xem removes the privileges of externally attached processes in order to prevent tools from reading game memory
- xmag.xem is a custom file archive (data file) containing around 20 different .xem files
- XIGNCODE3 logs all files and paths that you modified in the last ~48 hours, and all executables that have prefetch files, into its logs
- x3.xem and xdd.xem use NtSetInformationThread with the ThreadHideFromDebugger flag on the main process threads
- xdd.xem uses RPM (ReadProcessMemory) to read the first 0xC8 bytes(?) starting from the process handle address
- xdd.xem checks for handles/threads opened by external tools and linked to the game process; if the tool is known, it gets minimized
- XIGNCODE3 uses Winsock (ws2_32) send/recv
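The note above says x3.xem uses CRC32 with the reversed polynomial. The following is an added example (not code from the paste or from XIGNCODE3) showing what that means: the standard IEEE polynomial 0x04C11DB7 bit-reflected to 0xEDB88320, the 256-entry table built from it, and the table-driven checksum. When triaging an unpacked module, the table constants it produces (0x77073096, 0xEE0E612C, ...) are what an analyst recognises in the binary as a CRC32 routine.

```python
# Added example: table-driven CRC-32 with the reflected (LSB-first)
# polynomial 0xEDB88320. Cross-checked against zlib.crc32, which uses
# the same reflected algorithm.
import zlib

NORMAL_POLY = 0x04C11DB7    # CRC-32 (IEEE 802.3) polynomial, MSB-first form
REVERSED_POLY = 0xEDB88320  # the same polynomial with its bits reflected


def reflect32(value: int) -> int:
    """Reverse the bit order of a 32-bit integer."""
    return int(f"{value:032b}"[::-1], 2)


def make_table(poly: int = REVERSED_POLY) -> list:
    """Build the 256-entry lookup table used by the reflected algorithm.
    These entries are the constants visible in a binary's .rdata/.data."""
    table = []
    for byte in range(256):
        crc = byte
        for _ in range(8):
            # Reflected form: shift right, XOR the polynomial when the low bit is set
            crc = (crc >> 1) ^ poly if crc & 1 else crc >> 1
        table.append(crc)
    return table


CRC_TABLE = make_table()


def crc32_reflected(data: bytes, crc: int = 0) -> int:
    """Standard CRC-32: init 0xFFFFFFFF, reflected table lookup, final XOR.
    `crc` lets the caller continue a running checksum, like zlib.crc32(data, value)."""
    crc ^= 0xFFFFFFFF
    for b in data:
        crc = CRC_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


if __name__ == "__main__":
    print(hex(reflect32(NORMAL_POLY)))          # 0xedb88320
    print(hex(crc32_reflected(b"123456789")))   # 0xcbf43926 (standard check value)
```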
- http://www.wellbia.com/home/en/pages/xigncode3/
- http://www.elitepvpers.com/forum/dekaron-exploits-hacks-bots-tools-macros/835641-release-unpacked-xigncode-files.html#post7661403
- http://i.imgur.com/BJiXLfO.png (call sequence in the picture occurs over nearly all user memory)
- Korean MapleStory Related: http://i.imgur.com/Yi9N9RQ.png
- http://www.gamekiller.net/dfo-general-and-hacks-discussion/3236003-bypass.html#post3292317
- http://imgur.com/a/m94vV
- ******************
- *NOTES TO BYPASS:*
- ******************
- - XC has a single-call which starts the anti-cheat (it loads x3.xem) just nop that call and fix some of the jumps in that region and you should get a bypass until heartbeat
- Hook the following and filter out anything related to your DLL:
- -NtQueryInformationProcess
- -NtQueryVirtualMemory
- -NtReadVirtualMemory
- -NtQueryInformationThread
- -NtOpenFile
- -NtWow64QueryInformationProcess64
- -NtWow64QueryVirtualMemory64
- -NtWow64ReadVirtualMemory64
- Manual Mapping: http://pastie.org/pastes/10423575/text?key=b5630dzi3ltgnupfwnssiq
- Alternative to GetAsyncKeyState : http://pastie.org/pastes/10423497/text?key=9uuxzjcvhovzfjf7iaknw
- http://www.unknowncheats.me/forum/847082-post140.html
- xc3 'collecting' data: http://i.imgur.com/2BTjaqQ.png