Tuesday, February 2, 2016

Bypassing XIGNCODE3 - Dragomon Hunter

Bypassing XIGNCODE3 Anti-Cheat via DLL Injection and Code Modification

Disclaimer: The reverse engineering of Dragomon Hunter has been done for educational purposes only. I do not condone that the information provided below be used for any type of malicious purpose. Any exploits found have been sent to Aeria Games or have already been fixed.

Overview
I received a comment on my first blog post from Hack1209 asking how to bypass XIGNCODE3 for the game Dragomon Hunter. When I first made that post, XIGNCODE3 was not yet enabled. (Here is a link to the post: http://0xbaadf00dsec.blogspot.com.br/2016/01/reverse-engineering-online-games.html) As I explained there, there is usually some type of "heartbeat" or "ping" packet sent between the server and the game client to make sure the anti-cheat is running on your computer. If this packet is enabled, you will be disconnected from whichever game uses the anti-cheat within a period of usually 1-5 minutes. On this game, or any other game where this feature is not enabled, you can simply stop the initialization of the anti-cheat and do your analysis without the anti-cheat blocking you. You can read more about how these anti-cheats work in my first blog post.
The method I will demonstrate can be achieved very easily and can be used for any game that uses XIGNCODE3. It can be achieved using the APIs OpenProcess and WriteProcessMemory, but I am going to show you how to create a basic DLL and modify the memory from within the process. There are many publicly available DLL injectors you can find across the internet.
I am not going to repeat the steps already explained in my first blog post; you can read them there.
Let's get started!

What You Will Need:
Analysis:

WARNING: If we were analyzing some type of malware, the process I demonstrate below would be different and should be run under VMware so you do not infect your computer. However, since this binary comes from a trusted source, Aeria Games, that is not necessary in this case.

Again, please make sure your Dragomon Hunter game is up to date.


Here's what will happen if you open Dragomon Hunter without disabling the anti-cheat.


The XIGNCODE3 initialization will begin and the splash screen will appear.

If you have any type of software open, such as Cheat Engine or Ollydbg, you will get a "suspicious program opened" message as shown below and the game will close.



Analyze the Game.bin file in IDA. After the analysis, IDA will show the beginning of the WinMain function in the IDA View. Run the IDA Function String Associate Plugin by Sirmabus. (ALT+F6)


Here we can already see some referenced strings related to the initialization of XIGNCODE3 at game startup.


If we go down a little bit, we see the function responsible. In other games, this function might not be so easy to find. I have not seen a game where the XIGNCODE3 strings are encrypted, so another way to find this function is to search for "xigncode" in the referenced strings.


The function we are looking to modify is the function that contains the string "ErrorCode %08x!!".


This is where XIGNCODE3 initializes. The string "CGHcjbNstNjf" is unique to each game and works as a license key. It is a string made up of random characters, and once you find it, you have found the function whose initialization you need to stop.


The call ends up in a function that loads x3.xem, the main module of XIGNCODE3.

Let's go back to the previous function and see how we can make the game think it loaded XIGNCODE3 correctly.


For the call to be treated as successful, the function needs to return a non-zero value in EAX (returning 1 is the easiest choice).


We can stop the initialization by placing the following code at the top of the function located at 0x006F1DE0 (this address may change if the game updates):

mov eax,1
ret

Now that we've analyzed how to stop the initialization of XIGNCODE3, let's start coding our DLL.

Coding Our DLL

I prefer to use Visual Studio as an IDE when coding. You are going to have to make sure you have your configuration type set to DLL and your target extension to .dll.




We're also going to need to include the Windows.h header.


Next, let's create a function that allows us to write bytes directly to memory.


Why do we need to use VirtualProtect? Code pages are mapped without write permission, so we need VirtualProtect to grant ourselves write access before we can modify the code.


Now we have to get the correct opcodes to write the code:
mov eax,1
ret
I personally have not memorized every single opcode in the x86 Intel instruction set, just the ones used most often, so I would recommend you look up the opcodes online via a website such as: http://ref.x86asm.net/coder32.html



You can also use Ollydbg, modify the code, and see the bytes that Ollydbg writes.


Ok, so it looks like the code we need to write takes up 6 bytes. However, we are going to add 3 NOPs at the end, because the first 3 instructions at the top of the function we are modifying take up 9 bytes, and the patch should overwrite whole instructions rather than leave a partial one behind.

Now we're going to use our WriteBytes function to modify the code.


Lastly, we're going to need our DLL entry point function (DllMain).


Let's compile our DLL, inject it while the game is starting, and see what happens. (Source code will be posted at the bottom.)


Our debug string appears with a success and XIGNCODE3 did not initialize! Now we can use our analysis tools without being detected.
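As an added defender-side example (not code from this post, from XIGNCODE3 or from the game), here is how a game or anti-cheat could detect the 9-byte patch described above: hash the function's first bytes when the module loads, re-check them later, and flag a prologue that has turned into a constant-return stub. The "original" prologue bytes are a constructed sample, not Dragomon Hunter's real bytes.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added defender-side example, not the post's code: a game-side integrity
 * check that re-hashes a function's first bytes and also recognises the
 * "mov eax,1 / ret / nop nop nop" stub the post writes over the prologue. */

#define PATCH_LEN 9   /* the post's patch covers the first 9 bytes */

/* Constructed 3-instruction, 9-byte prologue (assumption, not the real bytes):
 * 55 push ebp / 8B EC mov ebp,esp / 81 EC 00 01 00 00 sub esp,0x100 */
static const uint8_t kOriginalPrologue[PATCH_LEN] =
    {0x55, 0x8B, 0xEC, 0x81, 0xEC, 0x00, 0x01, 0x00, 0x00};

/* The stub from the post: B8 01 00 00 00 = mov eax,1 ; C3 = ret ; 90 = nop */
static const uint8_t kForceSuccessStub[PATCH_LEN] =
    {0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3, 0x90, 0x90, 0x90};

/* FNV-1a over a code range; computed once at load and re-checked later. */
uint32_t code_hash(const uint8_t *p, size_t n) {
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x01000193u; }
    return h;
}

/* 1 if the live bytes no longer hash to the baseline recorded at load time. */
int region_tampered(const uint8_t *live, size_t n, uint32_t baseline) {
    return code_hash(live, n) != baseline;
}

/* 1 if the function now starts with "mov eax, imm32 ; ret", i.e. the caller
 * is being handed a constant result no matter what the function should do. */
int is_forced_return_stub(const uint8_t *live, size_t n) {
    return n >= 6 && live[0] == 0xB8 && live[5] == 0xC3;
}

/* Applies the post's patch to a copy of the prologue and returns how many
 * of the two checks fire (expected: 2). */
int demo_detect(void) {
    uint8_t live[PATCH_LEN];
    memcpy(live, kOriginalPrologue, PATCH_LEN);
    uint32_t baseline = code_hash(live, PATCH_LEN);   /* recorded at load */
    memcpy(live, kForceSuccessStub, PATCH_LEN);       /* the WriteBytes step */
    return region_tampered(live, PATCH_LEN, baseline)
         + is_forced_return_stub(live, PATCH_LEN);
}
```

In a real build the baseline would be computed over the whole .text section, not a single prologue, and compared against the on-disk image rather than an in-process copy an injected DLL could also overwrite.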

Conclusion
Unless you are working with a game whose anti-cheat uses a "heartbeat" packet, this easy methodology can be used to defeat any anti-cheat, letting you begin your analysis without having to worry about bypassing it through other methods. In a future blog post, I will demonstrate how to bypass XIGNCODE3 in a game that uses the "heartbeat" packet by disabling their driver and the methods they use to detect known hacks or analysis tools in Ring 3.

The code above can be found at the following link: http://pastebin.com/ZqHrc6Z0

Thanks for reading and I hope you learned something new!