Bypassing XIGNCODE3 Anti-Cheat via DLL Injection and Code Modification
Disclaimer: The reverse engineering of Dragomon Hunter has been done for educational purposes only. I do not condone that the information provided below be used for any type of malicious purpose. Any exploits found have been sent to Aeria Games or have already been fixed.
Overview
I received a comment on my first blog post from Hack1209 asking about how to bypass XIGNCODE3 for the game Dragomon Hunter. When I first made the post, XIGNCODE3 was not yet enabled. (Here is a link to the post: http://0xbaadf00dsec.blogspot.com.br/2016/01/reverse-engineering-online-games.html) As I posted there, usually there is some type of "heartbeat" or "ping" packet sent between the server and the game client to make sure the anti-cheat is running on your computer. If this packet is enabled, you will be disconnected from whichever game uses the anti-cheat in a time period usually of 1-5 minutes. On this game, or any other game that this feature is not enabled, you can simply stop the initialization of the anti-cheat to do your analysis without the anti-cheat blocking you from doing so. You can read more about how these anti-cheats work in my first blog post.
The method I will demonstrate can be achieved very easily and can be used for any game that uses XIGNCODE3. It can be achieved using the APIs OpenProcess and WriteProcessMemory, but I am going to show you how to create a basic DLL and modify the memory from within the process. There are many publicly available DLL injectors you can find across the internet.
I am not going to repeat explaining a bunch of the steps taken in my first blog post as you can read them there.
Let's get started!
What You Will Need:
- Knowledge of x86 Assembly, C/C++, Reverse Engineering, and Win32 APIs
- Aeria Games Account (http://aeriagames.com)
- Dragomon Online (http://dragomonhunter.aeriagames.com/)
- Ollydbg v1.10 (http://www.ollydbg.de/)
- IDA Pro (https://www.hex-rays.com/products/ida/support/download_freeware.shtml)
- IDA Function String Associate Plugin by Sirmabus (http://sourceforge.net/projects/idafunctionstringassociate/)
- DebugView (https://technet.microsoft.com/en-us/sysinternals/debugview.aspx)
Analysis:
WARNING: If we were analyzing some type of malware, the process I demonstrate below would be different and should be run under VMWare so you do not infect your computer. However, since this is from a trusted source, Aeria Games, it is not necessary in this case.
Again, please make sure your Dragomon Hunter game is up to date.
Again, please make sure your Dragomon Hunter game is up to date.
Here's what will happen if you open Dragomon Hunter without disabling the anti-cheat.
The XIGNCODE3 initialization will begin and the splash screen will appear.
If you have any type of software open, such as Cheat Engine or Ollydbg, you will get a "suspicious program opened" message as shown below and the game will close.
Analyze the Game.bin file in IDA. After the analysis, IDA will show the beginning of the WinMain function in the IDA View. Run the IDA Function String Associate Plugin by Sirmabus. (ALT+F6)
Here we can already see some referenced strings to the intialization of XIGNCODE3 on the startup of the game.
If we go down a little bit, we see the function responsible. In other games, this function might not be so easily available to find. I have not seen a game where the XIGNCODE3 strings are encrypted, so another way you would be able to find this function would be to search for "xigncode" in the referenced strings.
The function we are looking to modify is the function that contains the string with "ErrorCode %08x!!"
This is where XIGNCODE3 initializes. The string "CGHcjbNstNjf" is unique to each game and as it works as license key. It's a string made up of random characters and when you find this string, you found the function you need to stop the initialization.
The call ends up in a function to load x3.xem, the main module of XIGNCODE3.
Let's go back to the previous function and see how we can manipulate the game to think it loaded XIGNCODE3 correctly.
In order for the function to return successful, we need to make sure the function returns with a non-zero value (or just 1 is easy) in the EAX.
We can stop the initialization by placing the following code at the top of the function located at 0x006F1DE0 (this address may change if the game updates):
mov eax,1
ret
Now that we've analyzed how to stop the initialization of XIGNCODE3, let's start coding our DLL.
Coding Our DLL
I prefer to use Visual Studio as an IDE when coding. You are going to have to make sure you have your configuration type set to DLL and your target extension to .dll.
We're also going to need to include the Windows.h header.
Next, let's create a function that allows us to write bytes directly to memory.
Why do we need to use VirtualProtect? We need to make sure we have write access in order to modify the code.
Now we have to get the correct opcodes to write the code:
mov eax,1
ret
I personally have not memorized every single opcode in the x86 Intel instruction set, just the ones used most often so I would recommend you look up what the opcodes are online via a website such as: http://ref.x86asm.net/coder32.html
You can also use Ollydbg, modify the code, and see the bytes that Ollydbg writes.
Ok, so it looks like the code we are going to need to write takes up 6 bytes. However, we're going to add 3 nops at the end because the first 3 instructions at the top of the function we are modifying take up 9 bytes.
Now we're going to use our WriteBytes function to modify the code.
Lastly, we're going to need our DLL Entry Point funtion. (DLLMain)
Let's compile our DLL, inject it while the game is starting, and see what happens. (Source code will be posted at the bottom.)
Our debug string appears with a success and XIGNCODE3 did not initialize! Now we can use our analysis tools without being detected.
Conclusion
Unless you are working with a game that uses a "heartbeat" packet with their anti-cheat, this easy methodology can be used to defeat any anti-cheat, enabling you to commence your analysis without having to worry about bypassing through other methods. In a future blog post, I will demonstrate how to bypass XIGNCODE3 in a game that uses the "heartbeat" packet by disabling their driver and the methods they use to detect known hacks or analysis tools in Ring 3.
The code above can be found at the following link: http://pastebin.com/ZqHrc6Z0
Thanks for reading and I hope you learned something new!
Could you make an API based only xigncode bypass?
ReplyDeleteNice job tho ..
ReplyDeletecan you add me on skype cuz I need your help in something
skype : ammarko94
Thx :D
nice job :)
ReplyDeleteDo you make more blogs for bypassing ? and can you give me name of books they can help me to understand all what I need to know to do this myself?
good wishes Bl4ckSmok3
Very nice article!
ReplyDeleteI have been playing around with working on a bypass for xigncode with heartbeat (by replacing the x3.xem file with my own dll) and I have had some successes ( namely I can trick the client into accepting the x3.xem file ) and even do whatever I want until the heartbeat kick gets me.
If you have made some progress on the point of reverse engineering the heartbeat I am really looking forward to the article you will reveal it in.
If you have made some progress but no breakthrough yet please kindly contact me at office[at]entro-p(dot)com maybe we can work out something together.
Cheers
hi great article! how can i disassemble and decompile xigncode.xem file? before, i was able to successfully by-pass xigncode completely by decompiling the game code so that it does not even call or initialize xigncode at all. but they updated game and now the game requires a "cookie" (a string value composed by seed value + game hash value) to work. the problem is that this "cookie" value is from xigncode itself, so by-passing xigncode does not seem to be a viable strategy, the game will not start, and leaving xigncode in will not work obviously either since it will detect the changes i made to the game and will produce an invalid cookie value and will also self-exit the game eventually. the following is the call to the xigncode native function for the cookie:
ReplyDeleteprivate native String ZCWAVE_GetCookie2(String paramString)
the paramString is the seed value which seems to be time-sensitive, and changes each time you call the URL to get it.
any idea how best to tackle this problem? it seems i have no choice but to alter xigncode.xem, but don't know how. any help or advice is appreciated! (is the same as the 'heartbeat' protection scheme?)
Good articles.
ReplyDeleteBut, I want bypass Xigncode Heartbeat.
How to bypass it?
Nice very detailed
ReplyDeleteWhat a joke... You must of been so happy after seeing xign uses one export with dispatches. If anyone wants a full src with heartbeat for any game just msg, it takes literally 10-30 mins to port.
ReplyDeleteJust post it here man...
DeleteThis comment has been removed by the author.
DeleteHi,
DeleteCan I refer you to my comment above?
I have meanwhile made some more progress on the bypass ( I can trick the heartbeat for around 20 minutes, but after 4-20 heartbeat requests I do something wrong and I get disconnected). Any help would be appreciated :)
Cheers
Feel free to hit me up <3
DeleteAnd to all the "new" coders, this bypass above will °not° work with 99% of games that use xigncode. Youll be disconnected after 5mins due to their sin/ack. Great blog, will keep reading it and laughing.
ReplyDeleteHello, Could you help me With Atlantica Online (Nexon - Xingcode3)?
DeleteHello.. Jay , Iam John Ali
ReplyDeleteI want to ask I've followed the instructions that as above
http://puu.sh/mTa1V/bf9ac7cbea.png
http://s32.postimg.org/mn82jd1e9/image.jpg
But after I follow his code is different ??
http://puu.sh/mTc8b/2a556ee9df.png
http://s32.postimg.org/kwp1hvjv5/image.jpg
Can you help me ?
Contact me facebook: http://facebook.com/johnaligembelcit
Jay, this is an awesome guide for those looking to begin learning how to bypass XignCode. At http://guidedhacking.com we get this question alot and I always link them to this page. Thanks for the great article
ReplyDeletehi how did you know that it is the game.bin to use?
ReplyDeleteThis no longer works, it hasn't for a long time. 2000 word blog spent writing "mov eax, 1" then "ret" on a single address. Jay Rosenburg is surely the greatest digital nomad who can break any system.
ReplyDeleteHello,
ReplyDeleteI followed your tutorial but the game kicked me out after 1 or 2 minutes in game ("kick by the server"). Do you have any idea ? a bypass for hearbeat check ?
could you just create the game hacked and them put link
ReplyDeleteif i give you the dll. can you edit it for me to bypass xincode3 ?
ReplyDeleteThis comment has been removed by the author.
ReplyDeleteThis comment has been removed by the author.
ReplyDeleteVery nice blog, thanks for this post and I have some special things for you. If you are finding something to relax, Fruit candy shop; game super mario run will be my best recommendation for you. Let’s play and get more deep relaxation!
ReplyDeleteBeside, you can try Free momery games kids. Now, you can completely play this addicting fun game on your mobile. Have fun!!!!
I like what you shared in the article, thank you for that, it has given me more experience. These games are free but will bring you many interesting things like games online racing games. I would like to share with you some interesting things, if you have free time and want to find a tool for fun read it now.quotes about wanting what you can t have . Or you can go and search for the most fun games to play likenhạc chuông tom and jerry. Surely what I'm introducing to you will not disappoint you. Or you can relax by playing free games without downloading or losing any fees. Read and ponder the good quotes of life below, you will surely draw in life's own deep lessonstruyện h nặng . Please click and experience. Having fun.
ReplyDeleteYour posts are my cup of tea. I'm interested in your articles. I always read them everyday and wait for incoming ones. It's because your posts are interesting.
ReplyDeleteMr.Paul amazing games || My Coloring Book jogos online || Brealk The Cup unblocked games 2 player
Incredible post! I am really getting prepared to over this data, is exceptionally useful my companion. Likewise extraordinary blog here with the majority of the significant data you have. I am sharing related topic which is mostly important for How to get free Robux on Roblox?
ReplyDelete
ReplyDeletecan i contact you?
Your Affiliate Profit Machine is ready -
ReplyDeletePlus, making profit with it is as simple as 1..2..3!
Here's how it works...
STEP 1. Tell the system what affiliate products the system will push
STEP 2. Add PUSH BUTTON TRAFFIC (this LITERALLY takes 2 minutes)
STEP 3. See how the system grow your list and up-sell your affiliate products all for you!
So, do you want to start making profits?
Click here to check it out
To access your account and start playing, simply enter your credentials on the 24kbet login page.
ReplyDelete