
Thread: [WIP] C9 Bypass + Trainer

  1. #1
    Senior Member Rask
    Join Date
    Apr 2010
    Location
    Oregon, USA
    Posts
    1,620

    I'm trying to make a bypass for C9's XIGNCode anticheat software. This is the first time I've messed around with asm outside of packet reversing Guild Wars (using ACB's tutorial). I have no clue where to start; does anyone have any idea what I should be looking for to be sure I have the right breakpoint?

    A few things that I believe are manageable clientside:

    *Enemy Location - Vac hacks are possible.
    *Mana(?) - Not sure. (Possibly outdated information from an outside source.)
    *Cooldowns(?) - Again, not sure. (Possibly outdated information from an outside source.)

    I noticed they have long clientside "cast times" for trading in items and crafting. Wondering if this is for protection against laggy clients spamming the craft button (possible item duping?). Or if it's just to make the game long and grindy.

    Anyways, if anyone has any advice I'd appreciate it.

  2. #2
    Super Moderator ACB
    Join Date
    Aug 2009
    Posts
    583
    Well, I would try to locate the packet send and encryption functions if you want to base your API/bot/whatever on packets. To find useful structures, just try to locate some easy variables (own ID, target ID, mana, HP, position, gold, ...) and then work your way from there. Without any information on where things are stored you'll hardly get anywhere. Also look for strings in the exe; they are often a great help ^^

  3. #3
    Senior Member
    Join Date
    Feb 2010
    Location
    Ostwestfalen
    Posts
    433
    You talked about the game being protected. You should first use PEiD or similar to detect if the exe might be packed, encrypted or protected.

    After some googling it seems that XIGNCode has not really been bypassed, and it works in kernel mode to prevent user mode intervention. Not sure on that information though.

    This guy seems to be the one who bypassed the protection some time ago... problem is he never updated it:
    http://www.elitepvpers.com/forum/dek...rc-bypass.html

    If you just started reversing, this might not be the most appropriate place to start, tbh ^^

  4. #4
    Senior Member Rask
    Join Date
    Apr 2010
    Location
    Oregon, USA
    Posts
    1,620
    Quote Originally Posted by Patrickssj6:
    You talked about the game being protected. You should first use PEiD or similar to detect if the exe might be packed, encrypted or protected.

    After some googling it seems that XIGNCode has not really been bypassed, and it works in kernel mode to prevent user mode intervention. Not sure on that information though.

    This guy seems to be the one who bypassed the protection some time ago... problem is he never updated it:
    http://www.elitepvpers.com/forum/dek...rc-bypass.html

    If you just started reversing, this might not be the most appropriate place to start, tbh ^^

    I PMed the guy who posted it to see if he can offer any advice. Gotta go to work now, thanks guys.

  5. #5
    Administrator
    Join Date
    May 2009
    Location
    Denmark
    Posts
    1,439
    I am looking at the kernel hooks of XIGNCODE (xhunter1.sys) and it's quite nasty xD

    EDIT: OK, good news: I can't run C9 with XIGNCODE working because it is closed down after 2-4 mins saying I have a third party program running that it doesn't like, even when C9 is the only thing running. Anyway, after playing around with disabling the kernel hooks (with no success; it detected it of course), I simply tried suspending the 2 processes associated with XIGNCODE and voila, it no longer closes the game.
    However, still can't disable the kernel hooks since it's the driver dealing with that.

  6. #6
    Senior Member
    Join Date
    Feb 2010
    Location
    Ostwestfalen
    Posts
    433
    I wonder how the communication works. How does XIGNCode know that the client started? Does the client (or the co-processes) send a message?

    There are probably two ways to go at this:
    Overwrite the Kernel hooks or disable the XIGNCode/Process launch mechanism.

  7. #7
    Administrator
    Join Date
    May 2009
    Location
    Denmark
    Posts
    1,439
    The way it looks to me: The launcher starts XIGNCODE which then starts the game client running 2 ring3 processes and 1 ring0 driver hooking into standard methods such as OpenProcess and Read-/WritePM.

    Overriding kernel hooks results in the client closing down (after like 1 minute) with a XIGNCODE error message.

  8. #8
    Senior Member Rask
    Join Date
    Apr 2010
    Location
    Oregon, USA
    Posts
    1,620
    So tl;dr = I'm screwed?

    :P

  9. #9
    Find out what the kernel hooks do. Leave the hook. Break the return.

    Or just find out how it determines that the hook has been overridden, and break that. There are plenty of workarounds.

    If someone can code it, someone can code something to beat it.

    Clientside protection only slows development of hacks/bots. It's just a matter of whether you want to invest the time or not.
    Last edited by TheArkanaProject; 07-03-2012 at 02:38 AM.
  10. #10
    Junior Member
    Join Date
    Jul 2012
    Posts
    2
    Hi Rask, have you had any luck?

    I am able to inject a DLL into the process, briefly, before the detection code finds it after about 20-30 seconds.

    Two days ago I didn't have any problem, and then there was a patch. I'm kinda curious if my DLL got categorized by the anti-cheat mechanism, or if generally the C9 US/EU version is simply at the end of its beta cycle and they decided to turn this on against DLLs in general. Shrugs.

    In the past I've been able to accomplish what I needed without disabling HackShield, GameGuard, etc., but this is the first one that's actually noticed my DLL.

    I'm wondering if there is a technique to hide a DLL immediately after it loads which XIGNCODE won't see through. It would be interesting if that were the only obstacle, since the loaded DLL can read and write to the process space without trouble once loaded.
