Advertisement
GK-Chubbz

XIGNCODE3 Information

Jun 26th, 2015
4,261
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.72 KB | None | 0 0
  1. x3.xem --> x3.dll (Themida/Winlicense v2.x) --> XIGNCODE3 System
  2. xcorona.xem --> xcorona.dll (Themida/Winlicense v2.x) --> XIGNCODE3 System
  3. xcorona_x64.xem --> xcorona_x64.dll (Themida/Winlicense v2.x) --> XIGNCODE3 System
  4. xmag.xem --> xmag.xem (Code Virtualizer) --> XIGNCODE3 File Archive
  5. xnina.xem --> xnina.xem (Not Packed) --> XIGNCODE3 File Archive
  6. xxd-0.xem --> xxd.dll (Not Packed) --> XIGNCODE WatchDog Process
  7.  
  8. XIGNCODE3 Detects:
  9. -API hooks
  10. -Filenames
  11. -Files on your drive via USN Journal & Prefetch
  12. -API call return addresses
  13. -CreateThread
  14. -GetKeyState
  15. -GetAsyncKeyState
  16. -CreateProcessW (xxd-0.xem)
  17. -LoadLibrary
  18. -CreateFont
  19. -[more to be added]
  20. -Signatures
  21. -Window Titles
  22. -Strings using binary search
  23. -Patterns using binary search
  24. -DNS cache entrys
  25. -MessageHooks
  26. -Speed hacking
  27. -D3D hooking (not all types of it but detours for example)
  28. -Icon hashes
  29. -linked modules
  30. -code injection at runtime
  31.  
  32. APIs referenced in x3.xem:
  33. -NtQueryInformationProcess
  34. -NtQueryVirtualMemory (Maybe used with MemoryMappedFileInformation to iterate over memory pages to look for executables that do not belong to a module)
  35. -NtReadVirtualMemory
  36. -NtQueryInformationThread
  37. -NtCreateFile
  38. -NtReadFile
  39. -NtOpenFile
  40. -NtOpenProcess (using SSDT hook)
  41. -NtQueryInformationFile
  42. -NtSetInformationFile (gets called once at startup)
  43. -NtWaitForSingleObject
  44. -NtTerminateProcess
  45. -NtWow64QueryInformationProcess64
  46. -NtWow64QueryVirtualMemory64
  47. -NtWow64ReadVirtualMemory64
  48. -ZwOpenDirectoryObject
  49. -ZwQueryDirectoryObject
  50. -ZwClose
  51. -LookupPrivilegeValueW
  52. -AdjustTokenPrivileges
  53. -OpenProcessToken
  54. -SeDegubPrivileges
  55. -ObRegisterCallback (they register a callback on the object manager) : http://www.unknowncheats.me/forum/anti-cheat-bypass/148364-obregistercallbacks-and-countermeasures.html
  56.  
  57. - XIGNCOD3 detect's thread creations from kernel level and then check's if the start address comes from legit system/whitelisted modules (not in legit modules/whitelisted region memory range = game close)
  58. - XIGNCOD3 has it's own drivers; vtany.sys (what is this...?) and xhunter1.sys (kernelmode driver used to monitor different api calls via return address, minimizes your windows, blocks memory scanning)
  59. - x3.xem uses crc32 reversed polynomial
  60. - Xigncode SDK loads x3.xem as a normal DLL (LoadLibraryA). After that the only export of x3.xem will be called with a constant as a function parameter. The constant defines which function address should be retrieved. Then the retrieved function address is called
  61. - x3.xem is the loader module which reads xmag.xem and manually maps around 5-10 different modules into the process space
  62. - x3.xem maps only a few modules, the rest are manually mapped from manually mapped modules
  63. - x3.xem removes external attached process privileges in order to prevent tools from reading game memory
  64. - xmag.xem is a custom file archive containing around 20 different .xem files (data file)
  65. - XIGNCOD3 logs all files and paths that you modified in the last ~48 hours and all executables with prefetch files into their logs
  66. - x3.xem and xdd.xem uses NtSetInformationThread with ThreadHideFromDebugger flag on main process threads
  67. - xdd.xem uses RPM to read first 0xC8 bytes(?) starting from process handle address
  68. - xdd.xem checks for handles/threads opened and linked to game process from external tools, if it is known, it gets minimized
  69. - XIGNCOD3 uses winsock2_32 send/recv
  70.  
  71. http://www.wellbia.com/home/en/pages/xigncode3/
  72.  
  73. http://www.elitepvpers.com/forum/dekaron-exploits-hacks-bots-tools-macros/835641-release-unpacked-xigncode-files.html#post7661403
  74.  
  75. http://i.imgur.com/BJiXLfO.png (call sequence in the picture occurs over nearly all user memory)
  76.  
  77. Korean MapleStory Related: http://i.imgur.com/Yi9N9RQ.png
  78.  
  79. http://www.gamekiller.net/dfo-general-and-hacks-discussion/3236003-bypass.html#post3292317
  80.  
  81. http://imgur.com/a/m94vV
  82.  
  83. ******************
  84. *NOTES TO BYPASS:*
  85. ******************
  86. - XC has a single-call which starts the anti-cheat (it loads x3.xem) just nop that call and fix some of the jumps in that region and you should get a bypass until heartbeat
  87.  
  88. Hook the following and filter out anything related to your DLL:
  89. -NtQueryInformationProcess
  90. -NtQueryVirtualMemory
  91. -NtReadVirtualMemory
  92. -NtQueryInformationThread
  93. -NtOpenFile
  94. -NtWow64QueryInformationProcess64
  95. -NtWow64QueryVirtualMemory64
  96. -NtWow64ReadVirtualMemory64
  97.  
  98. Manual Mapping: http://pastie.org/pastes/10423575/text?key=b5630dzi3ltgnupfwnssiq
  99. Alternative to GetAsyncKeyState : http://pastie.org/pastes/10423497/text?key=9uuxzjcvhovzfjf7iaknw
  100.  
  101. http://www.unknowncheats.me/forum/847082-post140.html
  102.  
  103. xc3 'collecting' data: http://i.imgur.com/2BTjaqQ.png
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement