[Release] Unpacked XignCode Files
I've unpacked the XignCode anti-cheat files in order to understand better how the anti-cheat works. These files won't work at runtime (because of the security certificate and stripped VirtualMachines), so you can't substitute the original files with these.
Note! This is not a XignCode bypass! These files are just for analyzing purposes!
The file x3.dll was protected by Themida (one of the newest versions), and it had a part of its code virtualized. As I am not able to devirtualize Themida VMs I have stripped it from the file.
This thread is supposed to be a research thread of XignCode. If you have done some research you can post it in this thread and I will add it to the main post (with your approval of course).
Loading of x3.xem:
Dekaron.exe loads x3.xem into its process space with LoadLibraryW. Then the address of the first import (and only) of x3.xem is retrieved with GetProcAddress. If that fails, an error code will be set, code = 0xE0190401.
If the address of the export got retrieved successfully it will be called at 0x004024B8. Note that before the call a constant gets pushed onto the stack (PUSH 1). The call will return an address in the stack location pointed to by ECX.
Because the constant 1 got pushed before the call, the JNZ at 0x69122477 does not jump. Unfortunately the execution continues inside Themida's VM, so tracing it will be of no use (we can't understand what really happens).
Remember the CALL EAX in picture 2? I let that call execute and returned to the code after that call. Now I have stepped to the second CALL instruction. It calls a value located in the stack (ESP+0xC), as you see it's the address returned by the previous call. This is an address in x3.xem image too.
Unfortunately, most of this procedure is virtualized too.
XignCode packet structure:
Code:
BYTE bTotalPackets <- The amount of packets to be expected in one "thunk"
BYTE bPacketIndex <- The index of the packet
WORD wDataLen <- Hex number representing the amount of data in bytes
BUF? xData <- Data (size wDataLen)
To clarify: if the bTotalPackets byte is 7, for example, the first packet will have bPacketIndex 0, the next 1, the next 2, and so forth until 6; {0,1,2,3,4,5,6} = 7 packets.
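An added example, not part of the original post and not XignCode's own code: a receiver-side parser for the header layout listed above that rejects malformed fragments before reassembling a "thunk". Little-endian wDataLen, back-to-back field packing, and the names parse_packet, reassemble, make_packet and FrameError are assumptions.

```python
import struct

# bTotalPackets, bPacketIndex, wDataLen; little-endian and unpadded (assumed)
HEADER = struct.Struct("<BBH")

class FrameError(ValueError):
    """Raised when a packet violates the header layout (hypothetical name)."""

def parse_packet(buf):
    """Split one packet into (total, index, data), rejecting malformed headers."""
    if len(buf) < HEADER.size:
        raise FrameError("truncated header")
    total, index, data_len = HEADER.unpack_from(buf)
    if total == 0:
        raise FrameError("bTotalPackets is zero")
    if index >= total:  # valid indices are 0 .. total-1
        raise FrameError("bPacketIndex out of range")
    data = buf[HEADER.size:HEADER.size + data_len]
    if len(data) != data_len:
        raise FrameError("wDataLen exceeds bytes received")
    return total, index, bytes(data)

def reassemble(packets):
    """Rebuild one thunk from packets that may arrive out of order."""
    parts, expected = {}, None
    for raw in packets:
        total, index, data = parse_packet(raw)
        if expected is None:
            expected = total
        elif total != expected:
            raise FrameError("bTotalPackets changed mid-thunk")
        if index in parts:
            raise FrameError("duplicate bPacketIndex")
        parts[index] = data
    if expected is None or len(parts) != expected:
        raise FrameError("thunk incomplete")
    return b"".join(parts[i] for i in range(expected))

def make_packet(total, index, data):
    """Build a packet in the same layout (used only for the sample below)."""
    return HEADER.pack(total, index, len(data)) + data

# Constructed sample: three fragments delivered out of order.
SAMPLE = [make_packet(3, 1, b"BBB"), make_packet(3, 0, b"AA"), make_packet(3, 2, b"C")]

if __name__ == "__main__":
    print(reassemble(SAMPLE))
```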
No you CANNOT hack with that...
Read what is written, don't just cry all day "omg i want hacks"