  1. #1
    abhishekv's Avatar

    Analysis on XIGNCODE

    THIS CONTENT IS HELPFUL FOR CODERS ONLY!!

    hey guys after hours of testing the new anti cheat i drew up some conclusions :- {basically helpful for dll injection}

    >the detection:- whenever a cheat is injected the anti-cheat detects it, it might be bcuz :-
    # there is a faint possibility that the injection is logged at the kernel level which is picked up by the anti-cheat, moreover the anti-cheat checks for this @ every given point of time.
    # another reason is since the dll's are logged in the cpu's processes bcuz you're using it through the load libraries there is another chance that the anti-cheat picks it from there.

    The possible solution:-
    # look @ the kernel links of XIGNCODE3. (disable the logging if it's hooking any process logs.)
    # try to overwrite the Kernel hooks or disable the XIGNCODE3/Process launch mechanism system.
    # try to come out with an idea of how to hide the dll when it's injected... (maybe by making like a common process like a chat application, anti-virus or any other ... you know what i mean)



    these are all theoretical, however in practicality it's 100% possible, requires some work

    ---------- Post added at 12:08 PM ---------- Previous post was at 11:49 AM ----------

    another breakthrough, i just figured out that the detection is triggered by a task, to be precise crc (cyclic redundancy check)..

    now our new venture is to disable this ..

    ---------- Post added at 01:05 PM ---------- Previous post was at 12:08 PM ----------

    example working of crc (cyclic redundancy check)
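    #include <stdio.h>
    #include <stdlib.h>

    #define MAX_BITS 20

    int main(void)
    {
        int i, j, n, g, a;
        int arr[MAX_BITS], gen[MAX_BITS], q[MAX_BITS];

        printf("Transmitter side:");
        printf("\nEnter no. of data bits:");
        if (scanf("%d", &n) != 1 || n < 1 || n >= MAX_BITS)
            return EXIT_FAILURE;
        printf("Enter data:");
        for (i = 0; i < n; i++)
            if (scanf("%d", &arr[i]) != 1)
                return EXIT_FAILURE;

        printf("Enter size of generator:");
        /* the data plus g-1 appended zeros must fit in arr[] */
        if (scanf("%d", &g) != 1 || g < 2 || n + g - 1 > MAX_BITS)
            return EXIT_FAILURE;
        do {
            printf("Enter generator:");
            for (j = 0; j < g; j++)
                if (scanf("%d", &gen[j]) != 1)
                    return EXIT_FAILURE;
        } while (gen[0] != 1);   /* leading generator bit must be 1 */

        printf("\n\tThe generator matrix:");
        for (j = 0; j < g; j++)
            printf("%d", gen[j]);

        /* append g-1 zero bits to the data */
        a = n + (g - 1);
        printf("\n\tThe appended matrix is:");
        for (i = n; i < a; ++i)
            arr[i] = 0;
        for (i = 0; i < a; ++i)
            printf("%d", arr[i]);

        /* keep a copy of the original data bits */
        for (i = 0; i < n; ++i)
            q[i] = arr[i];

        /* modulo-2 long division: XOR the whole generator in
           wherever the current leading bit is set */
        for (i = 0; i < n; ++i)
            if (arr[i] != 0)
                for (j = 0; j < g; ++j)
                    arr[i + j] ^= gen[j];

        /* the remainder is left in the last g-1 positions */
        printf("\n\tThe CRC is :");
        for (i = n; i < a; ++i)
            printf("%d", arr[i]);

        /* transmitted codeword = data bits followed by the CRC */
        for (i = n; i < a; i++)
            q[i] = arr[i];
        printf("\n");
        for (i = 0; i < a; i++)
            printf("%d", q[i]);
        printf("\n");
        return 0;
    }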
    /* Output

    Transmitter side:
    Enter no. of data bits:8
    Enter data:1 0 1 0 0 0 0 1
    Enter size of generator:4
    Enter generator:1 0 0 1

    The generator matrix:1001
    The appended matrix is:10100001000
    The CRC is :111
    10100001111
    */

    ---------- Post added at 01:13 PM ---------- Previous post was at 01:05 PM ----------

    way to inject a dll undetected :- this might be a breakthrough guys this code is undetected

    // To Inject a DLL, we need three steps in APIHandler side.
    // Allocate memory in the remote process for our library
    // with write permission using the below mentioned WINAPI.
    HANDLE hProc;
    pLibRemote = ::VirtualAllocEx( hProcess,
    NULL, sizeof(szLibPath), MEM_COMMIT, PAGE_READWRITE );

    // This API writes the library path name to third party process.
    ::WriteProcessMemory( hProcess, pLibRemote, (void*)szLibPath,
    sizeof( szLibPath ), NULL );
    // Load the DLL to third party process by creating a thread in that
    // process, using the below mentioned WIN API, this API enable
    hThread = ::CreateRemoteThread( hProcess, NULL, 0,
    (LPTHREAD_START_ROUTINE)::GetProcAddress( hKernel32,"LoadLibraryA" ),
    pLibRemote,0,NULL );

    // Once address is found, we have to redirect using the VirtualProtect WinAPI
    // that enables write permission to third party EXE.

    bool ChangeAddress(DWORD* dwOldAddress,DWORD dwNewAddress)
    {
    // Change the old address of the function with the new address.
    // Firstly this address is changed.
    DWORD dwOld;
    if (!(VirtualProtect(dwOldAddress,4,PAGE_READWRITE,&dwOld)))
    {
    return false;
    }
    *dwOldAddress = dwNewAddress;
    // Once changed it updated in the executable.
    if (!(VirtualProtect(dwOldAddress,4,PAGE_EXECUTE,&dwOld)))
    {
    return false;
    }
    else
    {
    OutputDebugString( "Change Address Final.." );
    return true;
    }
    }
    Last edited by abhishekv; 11-09-2012 at 01:18 PM.

  2. The Following 3 Users Say Thank You to abhishekv For This Useful Post:

    aaron2z (01-03-2013),AznNicholas1314 (11-09-2012),zZzeta/S (11-09-2012)
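The integrity check this post attributes to the anti-cheat, sketched from the defender's side as an added example (not code from the thread or from XIGNCODE3): a CRC-32 baseline is taken per page of a protected image, and a later 4-byte overwrite of the kind `ChangeAddress` performs is detected and localized to its page. The page size, buffer contents and patch value are constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 256u  /* constructed page size, small for the demo */
#define NUM_PAGES 4u

/* Bitwise CRC-32, reflected polynomial 0xEDB88320 (the zlib/PNG CRC). */
static uint32_t crc32_buf(const uint8_t *p, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Record one CRC per page of a known-good image. */
static void take_baseline(const uint8_t *img, uint32_t out[NUM_PAGES])
{
    for (size_t i = 0; i < NUM_PAGES; i++)
        out[i] = crc32_buf(img + i * PAGE_SIZE, PAGE_SIZE);
}

/* Index of the first page whose CRC no longer matches, or -1 if intact. */
static int first_modified_page(const uint8_t *img, const uint32_t base[NUM_PAGES])
{
    for (size_t i = 0; i < NUM_PAGES; i++)
        if (crc32_buf(img + i * PAGE_SIZE, PAGE_SIZE) != base[i])
            return (int)i;
    return -1;
}

/* Constructed scenario: snapshot an image, overwrite one DWORD-sized
   slot in page 2, then re-run the check. Returns the page reported
   as modified, or -2 if the untouched image failed its own check. */
static int demo_patched_page(void)
{
    static uint8_t image[PAGE_SIZE * NUM_PAGES];
    uint32_t base[NUM_PAGES];
    const uint32_t new_value = 0x11223344u;  /* constructed patch value */

    for (size_t i = 0; i < sizeof image; i++)
        image[i] = (uint8_t)(i * 31u + 7u);   /* constructed contents */
    take_baseline(image, base);
    if (first_modified_page(image, base) != -1)
        return -2;
    memcpy(image + 2 * PAGE_SIZE + 16, &new_value, sizeof new_value);
    return first_modified_page(image, base);
}

int main(void)
{
    printf("crc32(\"123456789\") = %08X\n",
           (unsigned)crc32_buf((const uint8_t *)"123456789", 9));
    printf("modified page: %d\n", demo_patched_page());
    return 0;
}
```

A CRC-32 is guaranteed to catch any single contiguous change of 32 bits or fewer, which is why a one-pointer patch cannot slip past a per-page check of this kind.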

  3. #2
    DarkSt0rmX's Avatar
    So.. How can we inject a DLL undetected?.. Just make a program or just whatever..

     

  4. #3
    ash1m4's Avatar
    can't the .dll be encrypted?

    ---------- Post added at 04:54 PM ---------- Previous post was at 04:53 PM ----------

    i'm browsing all possible websites for this new anticheat that aeria have for ava, if i do find 1 i'll post it

    ---------- Post added at 05:00 PM ---------- Previous post was at 04:54 PM ----------

    i found this on a website maybe it's important maybe not but here it is...

    The biggest customer so far has xingcode That is Game_hi license key.
    Xigncode Also Have the license key for themes / winlicense WHICH IS fairly good Version Them is, yep the claims neha (pussy Wellbar engineer who dont know much)

    Xigncode loads the kernel mode driver via "xhunter1.sys". Deleting Will it result only in re-creating it Themida it is part of the Themida Protection Software.

    One of the functions of the driver (along with Various other files together) is to load "xxd.xem" and "*.exe gameclient" (* name of the executable of the game client, for eg suddenattack.exe) enquiry.c; make sure nothing has Been modified; if anything changed then return with error Which driver to decide what to log the direct & straight to Wellbar engineers / analysis team.


    Also it Prevents these two files, once running, from Being accessed via user mode (developer files license key holder Enables Given to Them Whether to choose the game client is Able to process seen in taskmanager or such usermode {}; Able to end process manually or and not a few other things i have no clue about)

    "Question is, how to disable this xingcode?"
    Well i'm not sure about disabling, but you do would need license key files (developer files), Wellbar developer and that's about it :P
    well, build your own driver would b best way .. i made my own started to Develop driver never got around crippler But to finish-start only

    That's all i can remember so far, ITS Been long time since i researched Xingcode. Have I did some good analysis and some ideas_ <Cannot Seem To find :(. I heard last month They made much improvements and now another driver

  5. #4
    AVA PlaYe's Avatar
    Quote Originally Posted by abhishekv View Post
    THIS CONTENT IS HELPFUL FOR CODERS ONLY!!

    hey guys after hours of testing the new anti cheat i drew up some conclusions :- {basically helpful for dll injection}
    2 things:

    1. the problem with injection is already fixed
    2. this was stupid to post that there, (*i didn't say you were stupid since you don't look like it*), also with the code, people with that AC will see it and patch it, that AC sucks, but is really active to check bypasses or things to patch them, if you want to release something or make something, encrypt it or protect it.

    ---------- Post added at 05:42 PM ---------- Previous post was at 05:41 PM ----------

    Quote Originally Posted by ash1m4 View Post
    can't the .dll be encrypted?

    ---------- Post added at 04:54 PM ---------- Previous post was at 04:53 PM ----------

    i'm browsing all possible websites for this new anticheat that aeria have for ava, if i do find 1 i'll post it

    ---------- Post added at 05:00 PM ---------- Previous post was at 04:54 PM ----------

    i found this on a website maybe it's important maybe not but here it is...

    The biggest customer so far has xingcode That is Game_hi license key.
    Xigncode Also Have the license key for themes / winlicense WHICH IS fairly good Version Them is, yep the claims neha (pussy Wellbar engineer who dont know much)

    Xigncode loads the kernel mode driver via "xhunter1.sys". Deleting Will it result only in re-creating it Themida it is part of the Themida Protection Software.

    One of the functions of the driver (along with Various other files together) is to load "xxd.xem" and "*.exe gameclient" (* name of the executable of the game client, for eg suddenattack.exe) enquiry.c; make sure nothing has Been modified; if anything changed then return with error Which driver to decide what to log the direct & straight to Wellbar engineers / analysis team.


    Also it Prevents these two files, once running, from Being accessed via user mode (developer files license key holder Enables Given to Them Whether to choose the game client is Able to process seen in taskmanager or such usermode {}; Able to end process manually or and not a few other things i have no clue about)

    "Question is, how to disable this xingcode?"
    Well i'm not sure about disabling, but you do would need license key files (developer files), Wellbar developer and that's about it :P
    well, build your own driver would b best way .. i made my own started to Develop driver never got around crippler But to finish-start only

    That's all i can remember so far, ITS Been long time since i researched Xingcode. Have I did some good analysis and some ideas_ <Cannot Seem To find :(. I heard last month They made much improvements and now another driver
    2009-2010, *probably* too old to get something working with

  6. #5
    DajZk's Avatar
    omg stop posting shit guys...... Discuss this with our best coders.

  7. #6
    AznNicholas1314's Avatar
    What exactly is ChangeAddress for?

  8. #7
    SatanisX's Avatar
    Dumb Revelation:The Log file that xigncode creates, makes the game crash.
    I just saw "The Detection", I felt mind blown. (Because im simple minded) @AznNicholas1314 sorry but i dunno that yet

  9. #8
    abhishekv's Avatar
    the only possible way is to tweak it at the kernel level and that is to unhook the anti cheat log reader from the api ... and like i said i already have the code for an undetected injection ...

    way to inject a dll undetected :- this might be a breakthrough guys this code is undetected

    // To Inject a DLL, we need three steps in APIHandler side.
    // Allocate memory in the remote process for our library
    // with write permission using the below mentioned WINAPI.
    HANDLE hProc;
    pLibRemote = ::VirtualAllocEx( hProcess,
    NULL, sizeof(szLibPath), MEM_COMMIT, PAGE_READWRITE );

    // This API writes the library path name to third party process.
    ::WriteProcessMemory( hProcess, pLibRemote, (void*)szLibPath,
    sizeof( szLibPath ), NULL );
    // Load the DLL to third party process by creating a thread in that
    // process, using the below mentioned WIN API, this API enable
    hThread = ::CreateRemoteThread( hProcess, NULL, 0,
    (LPTHREAD_START_ROUTINE)::GetProcAddress( hKernel32,"LoadLibraryA" ),
    pLibRemote,0,NULL );

    // Once address is found, we have to redirect using the VirtualProtect WinAPI
    // that enables write permission to third party EXE.

    bool ChangeAddress(DWORD* dwOldAddress,DWORD dwNewAddress)
    {
    // Change the old address of the function with the new address.
    // Firstly this address is changed.
    DWORD dwOld;
    if (!(VirtualProtect(dwOldAddress,4,PAGE_READWRITE,&dwOld)))
    {
    return false;
    }
    *dwOldAddress = dwNewAddress;
    // Once changed it updated in the executable.
    if (!(VirtualProtect(dwOldAddress,4,PAGE_EXECUTE,&dwOld)))
    {
    return false;
    }
    else
    {
    OutputDebugString( "Change Address Final.." );
    return true;
    }
    }



    give me a few more hours i'll be done with this injector...

    ---------- Post added at 09:46 PM ---------- Previous post was at 09:42 PM ----------

    see encryption has nothing to do with detection, like i figured out the crash is triggered by a task called CRC and the only way to inject undetectedly is to stop the CRC task or by masking the .dll processes as a common process like internet explorer, Microsoft api etc...

    ---------- Post added at 09:48 PM ---------- Previous post was at 09:46 PM ----------

    Quote Originally Posted by SatanisX View Post
    Dumb Revelation:The Log file that xigncode creates, makes the game crash.
    I just saw "The Detection", I felt mind blown. (Because im simple minded) @AznNicholas1314 sorry but i dunno that yet
    i don't know what's dumb about this revelation but what i only know is that ur eccentric .. it would be better if u let people do their job to crack the anti-cheat soon..
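Seen from the monitoring side, the three calls in the snippet above (remote allocation, remote write, remote thread started at `LoadLibraryA`) form an ordered sequence that is easy to match. The following is an added example, not code from the thread or from any anti-cheat product; the event record layout, field names and sample telemetry are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

enum api { API_ALLOC, API_WRITE, API_REMOTE_THREAD, API_OTHER };

/* One telemetry record; layout and field names are hypothetical. */
struct event {
    int src_pid;            /* process making the call */
    int dst_pid;            /* process the handle refers to */
    enum api call;
    const char *start_sym;  /* resolved thread start symbol, or NULL */
};

struct pair_state { int src, dst, stage; };
#define MAX_PAIRS 16

static struct pair_state *get_pair(struct pair_state *tab, int *used, int src, int dst)
{
    for (int i = 0; i < *used; i++)
        if (tab[i].src == src && tab[i].dst == dst)
            return &tab[i];
    if (*used == MAX_PAIRS)
        return NULL;
    tab[*used] = (struct pair_state){ src, dst, 0 };
    return &tab[(*used)++];
}

/* Count cross-process alloc -> write -> remote thread at LoadLibrary*
   sequences; *first_src receives the first offending pid, or -1. */
static int count_remote_loads(const struct event *ev, int n, int *first_src)
{
    struct pair_state tab[MAX_PAIRS];
    int used = 0, hits = 0;
    *first_src = -1;
    for (int i = 0; i < n; i++) {
        if (ev[i].src_pid == ev[i].dst_pid)
            continue;                       /* in-process calls are normal */
        struct pair_state *p = get_pair(tab, &used, ev[i].src_pid, ev[i].dst_pid);
        if (!p)
            continue;
        if (ev[i].call == API_ALLOC && p->stage == 0) p->stage = 1;
        else if (ev[i].call == API_WRITE && p->stage == 1) p->stage = 2;
        else if (ev[i].call == API_REMOTE_THREAD && p->stage == 2 &&
                 ev[i].start_sym &&
                 strncmp(ev[i].start_sym, "LoadLibrary", 11) == 0) {
            if (hits++ == 0) *first_src = ev[i].src_pid;
            p->stage = 0;
        }
    }
    return hits;
}

/* Constructed sample telemetry. */
static const struct event SAMPLE[] = {
    {100, 200, API_ALLOC, NULL},
    {100, 200, API_WRITE, NULL},
    {300, 300, API_ALLOC, NULL},                    /* self-allocation */
    {400, 500, API_REMOTE_THREAD, "WorkerMain"},    /* no staging seen */
    {100, 200, API_REMOTE_THREAD, "LoadLibraryA"},  /* completes sequence */
    {600, 700, API_ALLOC, NULL},
    {600, 700, API_REMOTE_THREAD, "LoadLibraryA"},  /* no write: not counted */
};
#define SAMPLE_LEN ((int)(sizeof SAMPLE / sizeof SAMPLE[0]))

static int sample_hit_count(void) { int s; return count_remote_loads(SAMPLE, SAMPLE_LEN, &s); }
static int sample_first_src(void) { int s; count_remote_loads(SAMPLE, SAMPLE_LEN, &s); return s; }

int main(void)
{
    printf("hits=%d first_src=%d\n", sample_hit_count(), sample_first_src());
    return 0;
}
```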

  10. #9
    Frought's Avatar
    Quote Originally Posted by AVA PlaYe View Post
    2 things:

    1. the problem with injection is already fixed
    2. this was stupid to post that there, (*i didn't say you were stupid since you don't look like it*), also with the code, people with that AC will see it and patch it, that AC sucks, but is really active to check bypasses or things to patch them, if you want to release something or make something, encrypt it or protect it.

    ---------- Post added at 05:42 PM ---------- Previous post was at 05:41 PM ----------



    2009-2010, *probably* too old to get something working with
    Yes it seems encrypting this will work ....

    http://www.mpgh.net/forum/164-combat...pe-cipher.html



  11. #10
    abhishekv's Avatar
    Quote Originally Posted by AeriaAVA View Post


    Yes it seems encrypting this will work ....

    http://www.mpgh.net/forum/164-combat...pe-cipher.html
    nice idea but bro what about the injection at the time of the injection the logs are picked up by that shit anti cheat that's whats being the real pain in the ass..........

  12. #11
    Frought's Avatar
    Quote Originally Posted by abhishekv View Post
    nice idea but bro what about the injection at the time of the injection the logs are picked up by that shit anti cheat that's whats being the real pain in the ass..........
    The injection is not the important thing, if we encrypted the DLL it may get UNDETECTED ....

    Also The Injectors are many and i got my MENU HACK Still Working and UNDETECTED and My ED Injector UNDETECTED.



  13. #12
    ash1m4's Avatar
    COFFEE is here, take a break guys, good morning, good to see u all awake and working hard, keep it up but still take some breaks..

    ---------- Post added at 03:22 AM ---------- Previous post was at 03:20 AM ----------

    my wife made some fresh coffee, i'll invite u all over, damn i so wish to learn this stuff so i can help along by destroying aeria

  14. #13
    abhishekv's Avatar
    Quote Originally Posted by AeriaAVA View Post

    The injection is not the important thing if we encrypted the DLL it maybe get UNDETECTED ....

    Also The Injectors are many and i got my MENU HACK Still Working and UNDETECTED and My ED Injector UNDETECTED.
    tried encrypting it got detected bro.... like i told the injection is triggering the main issue.....

    ---------- Post added at 07:17 AM ---------- Previous post was at 07:15 AM ----------

    Quote Originally Posted by ash1m4 View Post
    COFEE is here take a break guys, good morning good to see u all awake and working hard keep it up but still take some breaks..

    ---------- Post added at 03:22 AM ---------- Previous post was at 03:20 AM ----------

    my whife made some fresh cofee il invite u all over, damn i so wish to learn this stuff so i can help along by destroyng aeria
    AWW! it's so nice to hear that you're trying to be helpful ... thanks for the concern brother

  15. #14
    CHANGEMYNAMEKTHX's Avatar
    hmm.. try to encrypt MD5 both dll and the process
    http://www.mpgh.net/forum/201-alliance-valiant-arms-ava-hacks-cheats/651255-exmacro-re-updated.html

  16. #15
    Lehsyrus's Avatar
    What we need to do is spoof the CRC check while convincing the AC that it is still receiving it from the client. This is the only way I've seen it done successfully without being patched permanently. This will allow us to use the standard AutoIt scripts along with CE and library-based hacks without hard coding them into the API itself.
