Analysis on XINGCODE

[~FALLEN~]

Every gamehacking forum has at least one raging skid with no real skill. Congratulations retard, you've earned that title. Bye skiddo.

What's that make you then? super rager skid? I have more skill in my thumb than you do all together. If you knew anything about me you wouldn't assume such things. As you can very well see I have already beat XignCode

https://i.imgur.com/AJVo8.jpg
https://i.imgur.com/4VVQl.jpg

but okay, continue to live in your land of make believe where you're better than me and the sky is red. You have no idea who I am.

[Lehsyrus]

Stop bitching at each other or else.

[CyanideC00kies]

What's that make you then? super rager skid? I have more skill in my thumb than you do all together. If you knew anything about me you wouldn't assume such things. As you can very well see I have already beat XignCode

https://i.imgur.com/AJVo8.jpg
https://i.imgur.com/4VVQl.jpg

You aren't fooling anyone kid, those are old pictures from a vip hack and anyone can put a date on a picture with mspaint.

Why do you feel like you have to prove yourself to random people on the internet. Are you that much a tool?

I'm sorry that you have no friends, but this is the internet. Nobody cares about you or even wants you here.

Not even worth trying to reason with someone this retarded, so we're just going to pretend you don't exist kid.

[~FALLEN~]

You aren't fooling anyone kid, those are old pictures from a vip hack and anyone can put a date on a picture with mspaint.

Why do you feel like you have to prove yourself to random people on the internet. Are you that much a tool?

I'm sorry that you have no friends, but this is the internet. Nobody cares about you or even wants you here.

Not even worth trying to reason with someone this retarded, so we're just going to pretend you don't exist kid.

lol... It's my vip? derp... I have the menu, It's my code, I have the sdk generated... like I said kid you have no idea who I am.

https://i.imgur.com/muKtv.png

Go on UC click the top banner, good fight scrub.

[R3d_L1n3]

Just because you can't do something doesn't mean it's impossible.

FALLEN, all I've seen you do is talk. Real hackers share information and we've been perfectly clear about it.

Nothing personal but if you have no intention of contributing then leave, because we don't need or want you here.

If i coded a bypass why would i share it ? so ppl can give credits for them self ? , oh btw that make it get patched alot faster dont u think , something else he have right to not share camon guys he spend all time on something and easly give it to All ? its kinda hard .. and look at way ur talking to him if ur mad u couldn't hook the game or the method didnt work move on ..

the cool part u call him nob while u dont know who he is or what could he do oh he is way better than u .. thats not really cool the guy tryed to help and ur like ungreat full :s , he is nice guy i sow his work on many forums he hookedblots of game ( hard ones ) , if u want something he would be happy to help but ask on the correct way ..

On topic :

Hardware breakpoints would probably work

Good job

[~FALLEN~]

Also for those who are talking about manual mapping their modules, you can do this, but you don't have to. You can still use LoadLibrary, I do for testing. An overview on manual mapping : load module into memory -> map sections -> walk import table -> if module exits rebuild import / if module does not exist -> load module -> rebuild import -> handle relocations if needed -> ( if there is an exception table rebuild it ) -> call entry point w/ DLL_PROCESS_ATTACH. Note. Everything has to be relative when manually mapping a module. If you're a beginner I don't recommend it, however there are various ways to do manual mapping, all manual mapping is ( is what the name sugests ) mapping a module into memory manually with your own code instead of mapping it with the windows PE loader. Anyways, best of luck with xigncode everybody

[Jabberwock]

CyanideC00kies, I don't see your point here. You are just misunderstanding things here.

( if there is an exception table rebuild it )

What do you mean? I have a manual mapper but it can't really map some dependency DLLs. Like WINNM.dll. But since the game already loaded that module I'm lucky.

Also for hardware breakpoints, I think they are checking for them with the API IsDebuggerPresent but I haven't tested.

[~FALLEN~]

CyanideC00kies, I don't see your point here. You are just misunderstanding things here.



What do you mean? I have a manual mapper but it can't really map some dependency DLLs. Like WINNM.dll. But since the game already loaded that module I'm lucky.

Also for hardware breakpoints, I think they are checking for them with the API IsDebuggerPresent but I haven't tested.

Hardware breakpoints aren't detected by IsDebuggerPresent, if they were to be detected the anticheat probably is scanning them via GetThreadContext / NTGetThreadContext. There are other ways to detect them of course, but I haven't seen an anticheat detect them any other way as of yet.

As far as your question about the import table, your manual mapper needs to call loadlibrary on winmm.dll and get the relative virtual address of the functions you need and rebuild the imports for the module by doing such.

[Jabberwock]

Yes it is done like that. I thought you said something else. But there is a problem with a dependency of WINNM.dll, don't remember its name. Also when packing my dll with themida, the packer adds other dependencies to the dll that wasn't in it before. So I can't pack with it.

[~FALLEN~]

Yes it is done like that. I thought you said something else. But there is a problem with a dependency of WINNM.dll, don't remember its name. Also when packing my dll with themida, the packer adds other dependencies to the dll that wasn't in it before. So I can't pack with it.

The reason you can't pack your module with Themida isn't because it has additional dependencies ( because it doesn't, Themida embeds a stub into your module ) but is more than likely because Themida isn't being unpacked ( which it naturally does at runtime ) and also your entrypoint probably isn't being called. You could easily allocate your loader code into the remote process and have it take care of it, but than they could do a byte signature scan on it and detect you like that. You could make it metamorphic I guess. Up to you (:

[Jabberwock]

But I do call the entry point of the DLL. This is the error message:

---------------------------
Themida
---------------------------
An internal exception occured (Address: 0x7ff2964)

Please, contact support@oreans.com. Thank you!
---------------------------
OK
---------------------------

And what do you mean metamorphic. If ill cast the function as virtual it'll give them some kind of protection?

Wait, I think I misunderstood that part. You mean to avoid their signature scan I should insert NOP like opcodes...
But that's a lot of work...

[~FALLEN~]

But I do call the entry point of the DLL. This is the error message:

---------------------------
Themida
---------------------------
An internal exception occured (Address: 0x7ff2964)

Please, contact support@oreans.com. Thank you!
---------------------------
OK
---------------------------

And what do you mean metamorphic. If ill cast the function as virtual it'll give them some kind of protection?

Wait, I think I misunderstood that part. You mean to avoide their signature scan I should insert NOP like opcodes...
But that's a lot of work...

hmm I would look at oreans support documents, as far as "metamorphism" goes, it means to take parts of code and mutate them at runtime. It works on the principal of computations. e.g. CALL 0x12345678 -> MOV EDX, 0x12345678 CALL EDX -> MOV EDX 0x13245677 ADD EDX, 1 CALL EDX, etc.

[FantaWauWau]

Why Injection? Why not External?
Good External hack on ring0 can´t be detected, because the Anti-Cheat programs
don´t "look" at this level..
Maybe Injection works on ring0 too, but I don´t know this :/
And I don´t know how you can program an ring0 cheat....

But ring0 is best way for any chear I think

[~FALLEN~]

Why Injection? Why not External?
Good External hack on ring0 can´t be detected, because the Anti-Cheat programs
don´t "look" at this level..
Maybe Injection works on ring0 too, but I don´t know this :/
And I don´t know how you can program an ring0 cheat....

But ring0 is best way for any chear I think

To enter kenel mode you need to have your code signed with microsoft authenticode so unless you have 200 - 500 usd a year to spare there really isn't a point.
Externals are slow by the way. So why not Injection? You have direct memory access, it's faster, just as easy to maintain, etc.

[FantaWauWau]

To enter kenel mode you need to have your code signed with microsoft authenticode so unless you have 200 - 500 usd a year to spare there really isn't a point.
Externals are slow by the way. So why not Injection? You have direct memory access, it's faster, just as easy to maintain, etc.

Ok I don´t know much things about the kernel mode, but now I know it Thx

And Injection is good and maybe faster than External, but External is harder to detect.

Sorry for bad english :/