Analysis on XINGCODE

[diemw34]

I saw where this had been done in the past (with other games, same ac though), it was on a different bypass (tried it but it didnt work lol) so i know its possible to do, just need to work it out.... (i suck with coding so im not much help, sry lol)

[Jabberwock]

The normal injection is detected cause when injecting with LoadLibrary API the module get logged. Like Process Hacker application does.

The only solution is to inject with a manual mapper.

Or to make the AC somehow not detect the dll by hooking some of the functions it's using.

[Lehsyrus]

The normal injection is detected cause when injecting with LoadLibrary API the module get logged. Like Process Hacker application does.

The only solution is to inject with a manual mapper.

Or to make the AC somehow not detect the dll by hooking some of the functions it's using.

Now that I finally understand assembly registers I'll rip the AC apart and see if I can find te specific offsets for the functions that log te modules.

[Jabberwock]

It is the built in API = EnumProcessModules function (Windows)

Unless they built something different so someone try to hook that function.

[Lehsyrus]

It is the built in API = EnumProcessModules function (Windows)

Unless they built something different so someone try to hook that function.

You just saved me about 20 minute of work (considering everything I am doing is ASM related). I'll see what I can do.

[Buck88]

You just saved me about 20 minute of work (considering everything I am doing is ASM related). I'll see what I can do.

thanks i want to troll these kids

[Lehsyrus]

@Jabberwo0ck I believe what we need to do is hook that function to replace hprocess that HANDLE is pointing to, to a null process function. I'll need to check in to see what hprocess is in the API itself, to make sure it's hooking into XOGNCODE3. If it is, it possible that the function hprocess represents could be the portion of XIGNCODE3 that talks to the API in AVA itself, and I'd that's the case I should be able to simply change hprocess and that should cut the communications between them off completely. In just worried it will crash the client.

[abhishekv]

im trying to to mask the crc check from 3 days and there has been no betterment's can anyone pls help me with this cause if i try to block the crc check it crashes ... im loosing patience and hope ..trust me i have busted punk buster and hackshelid pro this anti-cheat is way above them when it comes to kernel level hooking... damn those noobs who found it :@

[Lehsyrus]

You can not block a CRC check, that is what causes the game to crash. Basically, the CRC chek is a consistency check, it makes sure te AC is running and properly connected to the game. You have to spoof it, which is what I am working on myself. Shits hard.

[abhishekv]

You can not block a CRC check, that is what causes the game to crash. Basically, the CRC chek is a consistency check, it makes sure te AC is running and properly connected to the game. You have to spoof it, which is what I am working on myself. Shits hard.

exactly!!!.. @Lehsyrus please let me know if u have any ideas on spoofing it ...... moreover this anti-cheat is some serious shit man !!!

---------- Post added at 02:20 PM ---------- Previous post was at 02:15 PM ----------

damn this fkin xsherlock.xem this processes is causing a serious amount of problem... how to bust this .. busting this = higher chances of bypassing...

[Lehsyrus]

exactly!!!.. @Lehsyrus please let me know if u have any ideas on spoofing it ...... moreover this anti-cheat is some serious shit man !!!

---------- Post added at 02:20 PM ---------- Previous post was at 02:15 PM ----------

damn this fkin xsherlock.xem this processes is causing a serious amount of problem... how to bust this .. busting this = higher chances of bypassing...

My idea was to mimic the function in AVA's API that the CRC check is addressed to, and vice versa. Basically to take the exact same function, though have the offsets that lead to AVA D/C'ing nulled. This way when the CRC check is activated, it still reads that it is connected to AVA properly, and returns that message to AVA itself, even though AVA is technically not connected to the AC.

[Frought]

The normal injection is detected cause when injecting with LoadLibrary API the module get logged. Like Process Hacker application does.

The only solution is to inject with a manual mapper.

Or to make the AC somehow not detect the dll by hooking some of the functions it's using.

What is the manual mapper?

I didn't get it , it will help the bypass thread.

[Lehsyrus]

What is the manual mapper?

I didn't get it , it will help the bypass thread.

Manual mapping is when you manually hardcode the dll into the API without actually altering the internal code. Basically, you need to use specific hardware breakpoints to hook into the API itself, however you need to use the same ones that Anti-Virus programs use. You would need to code a polymorphic engine that inserts randomized NOP code in between the actual instructions for the injector/dll. This is what I'm working on st the moment, shit is difficult.

Basically any tutorial by Darawk will be beneficial, though I can not post links as e is a member on a rival site. He has not posted in about a year though and his personal website has closed down.

[Jabberwock]

What is the manual mapper?

I didn't get it , it will help the bypass thread.

A manual mapper is a method to inject. For example instead of using the windows's built in API LoadLibrary, you build you own function so the AC wouldn't detect the dll. For example, Injector Gadget's cloak dll feature use his own function.

Well I tried to use a manual mapper from one here on the forum and it gives me some crashes. So it's not completely good.

[Lehsyrus]

A manual mapper is a method to inject. For example instead of using the windows's built in API LoadLibrary, you build you own function so the AC wouldn't detect the dll. For example, Injector Gadget's cloak dll feature use his own function.

Well I tried to use a manual mapper from one here on the forum and it gives me some crashes. So it's not completely good.

Let me see what I can come up with, I have Darawk's original injector code so I'll see if I can even get it to work. So far his explanations on how to implement manual mapping have been pretty good.