aaron2z (01-03-2013),AznNicholas1314 (11-09-2012),zZzeta/S (11-09-2012)
THIS CONTENT IS HELPFUL FOR CODERS ONLY!!
Hey guys, after hours of testing the new anti-cheat I drew up some conclusions (basically helpful for DLL injection):
> The detection: whenever a cheat is injected the anti-cheat detects it. It might be because:
# There is a faint possibility that the injection is logged at the kernel level, which is picked up by the anti-cheat; moreover the anti-cheat checks for this at every given point in time.
# Another reason: since the DLLs are logged in the CPU's processes because you're using them through LoadLibrary, there is another chance that the anti-cheat picks it up from there.
The possible solution:
# Look at the kernel links of XIGNCODE3 (disable the logging if it's hooking any process logs).
# Try to overwrite the kernel hooks or disable the XIGNCODE3/process launch mechanism system.
# Try to come up with an idea of how to hide the DLL when it's injected (maybe by making it look like a common process such as a chat application, anti-virus or any other......................... you know what I mean).
These are all theoretical; however, in practice it's 100% possible, it just requires some work.
---------- Post added at 12:08 PM ---------- Previous post was at 11:49 AM ----------
Another breakthrough: I just figured out that the detection is triggered by a task, to be precise CRC (cyclic redundancy check)..
Now our new venture is to disable this..
---------- Post added at 01:05 PM ---------- Previous post was at 12:08 PM ----------
Example working of CRC (cyclic redundancy check):
#include <stdio.h>

/* Compute a CRC by modulo-2 (XOR) long division of the message bits,
 * padded with g-1 zero bits, by the generator polynomial bits. */
int main(void)
{
    int i, j, n, g, a, arr[40], gen[20], q[40];

    printf("Transmitter side:");
    printf("\nEnter no. of data bits:");
    if (scanf("%d", &n) != 1 || n < 1 || n > 20)
        return 1;
    printf("Enter data:");
    for (i = 0; i < n; i++)
        scanf("%d", &arr[i]);
    printf("Enter size of generator:");
    if (scanf("%d", &g) != 1 || g < 2 || g > 20)
        return 1;
    do {
        printf("Enter generator:");
        for (j = 0; j < g; j++)
            scanf("%d", &gen[j]);
    } while (gen[0] != 1);          /* the generator must start with a 1 bit */

    printf("\n\tThe generator matrix:");
    for (j = 0; j < g; j++)
        printf("%d", gen[j]);

    /* Append g-1 zero bits to the message (the degree of the generator). */
    a = n + (g - 1);
    for (i = n; i < a; i++)
        arr[i] = 0;
    printf("\n\tThe appended matrix is:");
    for (i = 0; i < a; i++)
        printf("%d", arr[i]);

    /* Keep a copy of the original data bits for the transmitted frame. */
    for (i = 0; i < n; i++)
        q[i] = arr[i];

    /* Modulo-2 division: whenever the leading bit is 1, XOR in the whole
     * generator; when it is 0, nothing changes, so just move on. */
    for (i = 0; i < n; i++) {
        if (arr[i] == 1)
            for (j = 0; j < g; j++)
                arr[i + j] ^= gen[j];
    }

    /* The remaining g-1 bits are the remainder, i.e. the CRC. */
    printf("\n\tThe CRC is :");
    for (i = n; i < a; i++)
        printf("%d", arr[i]);

    /* Transmitted frame = data bits followed by the CRC. */
    for (i = n; i < a; i++)
        q[i] = arr[i];
    printf("\n");
    for (i = 0; i < a; i++)
        printf("%d", q[i]);
    printf("\n");
    return 0;
}
/* Output
Transmitter side:
Enter no. of data bits:8
Enter data:1 0 1 0 0 0 0 1
Enter size of generator:4
Enter generator:1 0 0 1
The generator matrix:1001
The appended matrix is:10100001000
The CRC is :111
10100001111
*/
---------- Post added at 01:13 PM ---------- Previous post was at 01:05 PM ----------
Way to inject a DLL undetected: this might be a breakthrough, guys, this code is undetected.
#include <windows.h>
#include <cstring>

// To inject a DLL, we need three steps on the injector side:
//  1. allocate memory in the remote process for the library path,
//  2. write the path there,
//  3. create a remote thread in that process whose start routine is
//     kernel32!LoadLibraryA, with the path as its argument.
// OpenProcess, GetModuleHandleA and the variable declarations are the glue
// needed to make the snippet compile; the three API calls are the original ones.
HANDLE InjectLibrary(DWORD dwPid, const char *szLibPath)
{
    HANDLE hProcess = ::OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION |
                                    PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION,
                                    FALSE, dwPid);
    if (!hProcess)
        return NULL;

    SIZE_T cbPath = std::strlen(szLibPath) + 1;   // include the terminating NUL

    // Allocate memory in the remote process for our library path
    // with write permission.
    LPVOID pLibRemote = ::VirtualAllocEx(hProcess, NULL, cbPath,
                                         MEM_COMMIT, PAGE_READWRITE);
    if (!pLibRemote) {
        ::CloseHandle(hProcess);
        return NULL;
    }

    // Write the library path name into the third-party process.
    if (!::WriteProcessMemory(hProcess, pLibRemote, szLibPath, cbPath, NULL)) {
        ::VirtualFreeEx(hProcess, pLibRemote, 0, MEM_RELEASE);
        ::CloseHandle(hProcess);
        return NULL;
    }

    // Load the DLL in the third-party process by creating a thread there.
    // kernel32 is mapped at the same base in every process of one boot, so the
    // local address of LoadLibraryA is valid in the target as well.
    HMODULE hKernel32 = ::GetModuleHandleA("kernel32.dll");
    HANDLE hThread = ::CreateRemoteThread(hProcess, NULL, 0,
        (LPTHREAD_START_ROUTINE)::GetProcAddress(hKernel32, "LoadLibraryA"),
        pLibRemote, 0, NULL);
    ::CloseHandle(hProcess);
    return hThread;
}

// Once the target address is found, we redirect it: VirtualProtect makes the
// page writable, the pointer is swapped, and the old protection is restored.
bool ChangeAddress(DWORD *dwOldAddress, DWORD dwNewAddress)
{
    DWORD dwOld;
    // Firstly the page holding the address is made writable.
    if (!::VirtualProtect(dwOldAddress, sizeof(DWORD), PAGE_READWRITE, &dwOld))
        return false;

    // Change the old address of the function to the new address.
    *dwOldAddress = dwNewAddress;

    // Once changed, put the original protection back on the page.
    if (!::VirtualProtect(dwOldAddress, sizeof(DWORD), dwOld, &dwOld))
        return false;

    ::OutputDebugStringA("Change Address Final..");
    return true;
}
Last edited by abhishekv; 11-09-2012 at 12:18 PM.
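An added example, not code from any post in this thread, that puts the two ideas above together: a CRC over a region of memory (the same modulo-2 remainder the CRC post computes bit by bit, here as CRC-32) and the pointer swap that ChangeAddress() performs. A baseline checksum is taken over a constructed function-pointer table (the addresses are made up for the example), one entry is overwritten the way ChangeAddress() would do it, and the check is run again. The second run shows the caveat a practitioner cares about: the patch is only noticed if the checked range actually covers the bytes that changed. The polynomial is the IEEE one; what XIGNCODE3 actually checksums is not known from this thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bitwise CRC-32 (IEEE 802.3, reflected polynomial 0xEDB88320, init and
 * final XOR 0xFFFFFFFF). Table-less so the division step stays visible. */
uint32_t crc32(const uint8_t *data, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Constructed stand-in for a client's function-pointer (import) table.
 * The addresses are made up for this example. */
#define TABLE_ENTRIES 8
static const uint32_t g_clean_table[TABLE_ENTRIES] = {
    0x7C801D7Bu, 0x7C80B741u, 0x7C80AC28u, 0x7C80EA8Cu,
    0x7C9010EDu, 0x7C90D09Eu, 0x7C801E16u, 0x7C80180Eu
};

typedef struct {
    uint32_t crc;   /* checksum of the covered bytes at baseline time */
    size_t   len;   /* how many bytes of the region are covered */
} Baseline;

/* Record the checksum of the first 'len' bytes of 'region'. */
Baseline take_baseline(const void *region, size_t len)
{
    Baseline b = { crc32((const uint8_t *)region, len), len };
    return b;
}

/* 1 if the covered bytes still match the baseline, 0 if they changed. */
int verify_region(const Baseline *b, const void *region)
{
    return crc32((const uint8_t *)region, b->len) == b->crc;
}

/* The write ChangeAddress() performs: swap one pointer for another. */
void patch_entry(uint32_t *table, size_t idx, uint32_t new_addr)
{
    table[idx] = new_addr;
}

/* Baseline the first 'covered_entries' entries of a fresh copy of the table,
 * patch entry 'patch_idx', and report whether the check notices (1) or not (0). */
int patch_is_detected(size_t covered_entries, size_t patch_idx)
{
    uint32_t table[TABLE_ENTRIES];
    memcpy(table, g_clean_table, sizeof table);
    Baseline b = take_baseline(table, covered_entries * sizeof table[0]);
    patch_entry(table, patch_idx, 0xDEADBEEFu);
    return !verify_region(&b, table);
}

/* Sanity check: an unmodified table always verifies. */
int unmodified_table_verifies(void)
{
    Baseline b = take_baseline(g_clean_table, sizeof g_clean_table);
    return verify_region(&b, g_clean_table);
}

int main(void)
{
    printf("crc32(\"123456789\") = %08X\n",
           crc32((const uint8_t *)"123456789", 9));
    printf("unmodified table verifies: %d\n", unmodified_table_verifies());
    printf("patch at entry 3, all 8 entries covered: detected=%d\n",
           patch_is_detected(8, 3));
    printf("patch at entry 6, only 4 entries covered: detected=%d\n",
           patch_is_detected(4, 6));
    return 0;
}
```

A CRC is an integrity check, not a MAC: anyone who can write the memory can also recompute the remainder, so what the check buys depends on where the comparison runs and where the reference value is kept, not on the CRC itself.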
So.. how can we inject a DLL undetected?.. Just make a program or just whatever..
Can't the .dll be encrypted?
---------- Post added at 04:54 PM ---------- Previous post was at 04:53 PM ----------
I'm browsing all possible websites for this new anti-cheat that Aeria has for AVA; if I do find one I'll post it.
---------- Post added at 05:00 PM ---------- Previous post was at 04:54 PM ----------
I found this on a website, maybe it's important, maybe not, but here it is..................................
The biggest customer so far has Xigncode; that is the Game_hi license key.
Xigncode also has the license key for Themida / WinLicense, which is a fairly good version of them; yep, the claims of Neha (pussy Wellbar engineer who doesn't know much).
Xigncode loads the kernel mode driver via "xhunter1.sys". Deleting it will result only in re-creating it; Themida it is, part of the Themida protection software.
One of the functions of the driver (along with various other files together) is to load "xxd.xem" and "*.exe gameclient" (* = name of the executable of the game client, for e.g. suddenattack.exe) enquiry.c; make sure nothing has been modified; if anything changed then return with an error, which the driver decides what to log, direct and straight to the Wellbar engineers / analysis team.
Also it prevents these two files, once running, from being accessed via user mode (developer files given to license key holders enable them to choose whether the game client process is able to be seen in Task Manager or such user mode {}; able to end the process manually or not, and a few other things I have no clue about).
"Question is, how to disable this Xigncode?"
Well, I'm not sure about disabling, but you would need the license key files (developer files), Wellbar developer, and that's about it :P
Well, building your own driver would be the best way.. I made my own, started to develop a driver crippler but never got around to finishing it, only started.
That's all I can remember so far, it's been a long time since I researched Xigncode. I did have some good analysis and some ideas, can't seem to find them :(. I heard last month they made many improvements and now another driver.
2 things:
1. The problem with injection is already fixed.
2. It was stupid to post that there (*I didn't say you were stupid, since you don't look like it*), also with the code: people with that AC will see it and patch it. That AC sucks, but it is really active at checking for bypasses or things to patch; if you want to release something or make something, encrypt it or protect it.
---------- Post added at 05:42 PM ---------- Previous post was at 05:41 PM ----------
2009-2010, *probably* too old to get something working with.
OMG, stop posting shit, guys...... Discuss this with our best coders.
What exactly is ChangeAddress for?
Dumb revelation: the log file that Xigncode creates makes the game crash.
I just saw "The Detection", I felt mind blown. (Because I'm simple minded.) @AznNicholas1314 sorry, but I don't know that yet.
The only possible way is to tweak it at the kernel level, and that is to unhook the anti-cheat log reader from the API...... and like I said, I already have the code for an undetected injection......
Give me a few more hours, I'll be done with this injector.......
---------- Post added at 09:46 PM ---------- Previous post was at 09:42 PM ----------
See, encryption has nothing to do with detection. Like I figured out, the crash is triggered by a task called CRC, and the only way to inject undetectedly is to stop the CRC task or to mask the .dll processes as a common process like Internet Explorer, Microsoft API etc.....
---------- Post added at 09:48 PM ---------- Previous post was at 09:46 PM ----------
I don't know what's dumb about this revelation, but what I do know is that you're eccentric.. it would be better if you let people do their job to crack the anti-cheat soon..
Yes, it seems encrypting this will work....
https://www.mpgh.net/forum/164-combat...pe-cipher.html
COFFEE is here, take a break guys. Good morning, good to see you all awake and working hard, keep it up but still take some breaks..
---------- Post added at 03:22 AM ---------- Previous post was at 03:20 AM ----------
My wife made some fresh coffee, I'll invite you all over. Damn, I so wish to learn this stuff so I can help along by destroying Aeria.
Tried encrypting it, got detected bro.... like I told you, the injection is triggering the main issue.....
---------- Post added at 07:17 AM ---------- Previous post was at 07:15 AM ----------
AWW! It's so nice to hear that you're trying to be helpful... thanks for the concern, brethren.
Hmm.. try to encrypt (MD5) both the DLL and the process.
https://www.mpgh.net/forum/201-alliance-valiant-arms-ava-hacks-cheats/651255-exmacro-re-updated.html
What we need to do is spoof the CRC check while convincing the AC that it is still receiving it from the client. This is the only way I've seen it done successfully without being patched permanently. This will allow us to use the standard AutoIt scripts along with CE and library-based hacks without hard coding them into the API itself.