Guide How to bypass XignCode Anticheat Guide - XignCode3


Rake

Cesspool Admin
Administrator
Jan 21, 2014
11,539
78,998
2,312
Game Name
N/A
Anticheat
Xigncode
How long you been coding/hacking?
N/A
Coding Language
C++
Here is a compiled list of information and links about XignCode for people that are interested.

Xigncode is a kernel mode anticheat that protects the games that use it from debugging, injecting and other hacking relating activities.

There are many versions of Xigncode, the latest version that most newer games use is XignCode 3

Newest Bypass
https://guidedhacking.com/threads/beating-xigncode-to-it-application-shim-attack.14381/

Xigncode Homepage

Games that use Xigncode:
Combat Arms
Black Desert Online
Tera
Aion
Zula
Wolfteam
Blade and Soul
Special Forces 2
AVA

#1 if you haven't been hacking for at least a year, you have no business trying to bypass an anticheat. Just stop and focus on learning hacking. If you're new to anticheat, read our general guide: Guide - How to Get Started with AntiCheat Bypass

#2 There is no bypass that you just copy and paste or inject and you can hack the game. This is just information to aid you in reversing the anticheat.

#3 Xigncode can be very difficult to bypass in some games depending on the implementation

Versions and Implementation
The game developers can decide what features to use in their game. Basically there are 3 types of xigncode implementation:
  • Basic Xigncode game process protection
  • Basic + custom/manual game specific protections/detections
  • ++ Heartbeat
Some games you just need to disable the basic xigncode protection and other games you will have to do MUCH MUCH MORE.

What is heartbeat?
Heartbeat is a technique used to detect tampering with the xigncode anticheat. The anticheat is in constant communication with the server, the communication is heavily obfuscated, abstracted and the communication is verified at many different places. Any tampering with the anticheat will cause the server to disconnect the client.

If the game has heartbeat sometimes you can disable the anticheat just long enough to dump the modules from memory so you can reverse engineer them or just long enough to find a pointer. Most people say you get disconnected within 30-120 seconds.
XignCode Files
x3.xem - main xigncode DLL
xhunter1.sys - xigncode kernel mode driver
xm.exe
xmag.xem
xsg.xem
xxd.xem

What does it detect?
EVERYTHING!
All Debuggers & Cheat Engine
Directx and other common hooks

Info From GameKiller - Check them out they're cool Bypass???
  • Uses CRC.
  • Suspending won't always be the go to answer for it to work.
  • Don't do anything stupid in DLLMain. Loader lock.
  • Detects thread creations.
  • Likes to be at the kernel level.
  • Avoid Window APIs
  • Removing the PE Header used to make dll's to become undetected.
  • Removing the xhunter1 service used to prevent future detections and dll injection detections.
  • Hook NtQueryInformationProcess, NtQueryVirtualMemory, NtReadVirtualMemory, NtQueryInformationThread, NtOpenFile, NtWow64QueryInformationProcess64, NtWow64QueryVirtualMemory64, NtWow64ReadVirtualMemory64 to view anything involving your dll and xign.
  • More tricks are being used than with HShield.
  • Detects LoadLibrary injection, CreateThread, GetAsyncKeyState, CreateFont, LdrLoadDll, LoadLibraryA, LoadLibraryW, LoadLibraryExA, LoadLibraryExW, GetModuleFileName.
  • Always obfuscate / encrypt your dll.
  • They register a callback on the object manager by using ObRegisterCallback(). That means that after the rootkit is enabled xign is able to trace all access you make to the game's process.
  • Checks each module's crc / md5 with an internal list.
  • CreateRemoteThread can be used.
  • Xign checks the stack frame from NtUserGetAsyncKeyState
  • Spoof return addresses after looking into SetWindowsHookEx and GetWindowLongPtr
  • Use low level keyboard / mouse hooks
  • for d3d9 use a vtable

Reverse Engineering Xigncode3 Blog Posts from Niemand

Relatively new XignCode3 bypasses that are pretty sick:
VirtualPuppet/XignCode3-bypass-alternative
VirtualPuppet/XignCode3-bypass

Old Bypass Codes that may still be relevant:
C++:
// Note: compare(), FindSignature(), Wrt(), FindCShell(), AntiHWIDBan() and the
// cBreakpoint class are helpers from the poster's own project and are not part
// of this post, so this fragment does not build on its own.
#include <windows.h>
#include <cstring>

// Walk backwards from Addy until the standard "push ebp; mov ebp, esp"
// prologue (55 8B EC) is found and return its address.
PBYTE FindStartOfFunc(PBYTE Addy)
{
    if (!Addy) return Addy;
    while (true)
    {
        if (compare((PBYTE)"\x55\x8B\xEC", "xxx", Addy)) return Addy;
        --Addy;
    }
}

// Find a "push imm32" (68 xx xx xx xx) whose immediate is the address where
// FindSignature() located sig, i.e. the code that references that data.
PBYTE FindPush(PBYTE sig, PCHAR mask, DWORD dwBase, DWORD dwLen)
{
    if (!dwBase) return nullptr;
    BYTE PushSig[5] = { 0x68, 0, 0, 0, 0 };
    *(PDWORD)(&PushSig[1]) = FindSignature(sig, mask, dwBase, dwLen, 0);
    if (*(PDWORD)(&PushSig[1]) == NULL) return NULL;
    return (PBYTE)FindSignature(PushSig, "xxxxx", dwBase, dwLen, 0);
}

bool bTriggered = false, bSuccess = false;

// Find the function that references the "XIGNCODE" string and overwrite its
// prologue with "mov al, 1; ret" (B0 01 C3) so it returns immediately.
void bypass()
{
    DWORD dwCShell = FindCShell();
    if (dwCShell != NULL)
    {
        PBYTE BypassSig = FindPush((PBYTE)"XIGNCODE", "xxxxxxxxx", dwCShell, 5000000);
        if (BypassSig != nullptr)
        {
            PBYTE BypassFunc = FindStartOfFunc(BypassSig);
            if (BypassFunc && !memcmp(BypassFunc, (PBYTE)"\x55\x8B\xEC", 3))
            {
                Wrt((PBYTE)BypassFunc, (PBYTE)"\xB0\x01\xC3", 3);
                bSuccess = true;
            }
        }
    }
    bTriggered = true;
}

cBreakpoint* bp = NULL;
PBYTE pcheck = 0;

// Hardware-breakpoint handler: when execution reaches pcheck the handler
// emulates the 2-byte indirect call there (push the return address, jump to
// EDX) and runs bypass() at that point, before the anticheat has initialised.
LONG WINAPI ExceptionHandler(EXCEPTION_POINTERS* e)
{
    if (e->ExceptionRecord->ExceptionCode != EXCEPTION_SINGLE_STEP) return EXCEPTION_CONTINUE_SEARCH;
    if (e->ContextRecord->Eip == (DWORD)pcheck)
    {
        e->ContextRecord->Esp -= 4;
        *(PDWORD)(e->ContextRecord->Esp) = e->ContextRecord->Eip + 0x2;
        e->ContextRecord->Eip = e->ContextRecord->Edx;
        bypass();
        return EXCEPTION_CONTINUE_EXECUTION;
    }
    return EXCEPTION_CONTINUE_SEARCH;
}

void Start()
{
    Sleep(1000);
    AntiHWIDBan();
    // Wait until the game module is mapped and the "DIRECTSHOW" push is found.
    while (pcheck == nullptr)
    {
        Sleep(30);
        pcheck = FindPush((PBYTE)"DIRECTSHOW\x00", "xxxxxxxxxx", (DWORD)GetModuleHandleA("wolfteam.bin"), 5000000);
    }
    pcheck -= 2;   // the 2-byte instruction right before the push
    bp = new cBreakpoint(ExceptionHandler);
    bp->SetBP((DWORD)pcheck);
    while (!bTriggered) Sleep(1000);
    delete bp;
}
This code can execute your own code without detection since XIGNCODE hasn’t yet loaded. I only tested it on one game with heartbeat and it worked, looking forward to seeing other people’s results on other games.

Instructions:
– Go into the XIGNCODE root folder.
– Rename “x3.xem” to “x3.dummy”.
– Enter the code you want under the DllMain.
– Compile the DLL with the code provided down below under the name “x3.dll”.
– Rename “x3.dll” to “x3.xem” and put it into the XIGNCODE root folder.
– Start your game and the code should be executed and not be detected.

C++:
#include <windows.h>
#include <cstdint>
#include <string>

// Prototype of the original x3.xem export (ordinal 1) that the game calls.
typedef int32_t(__stdcall *t_x3_Dispatch)(OUT void *Function,
                                            IN uint32_t Type);

static t_x3_Dispatch o_x3_Dispatch = nullptr;

void __stdcall DllMain() {
  MessageBoxA(0, "XIGNCODE3 ded", "kek", 0);

  // You put your code here
}

// Exported in place of the real module's entry point; every call is forwarded
// to the renamed original (x3.dummy) after our own code has run once.
__declspec(dllexport) int32_t
    __stdcall x3_1(void *FunctionAddress, uint32_t Type) {

  if (o_x3_Dispatch == nullptr) {
    std::string ModulePath;
    ModulePath.resize(MAX_PATH);

    if (!GetModuleFileNameA(NULL, const_cast<char *>(ModulePath.data()), MAX_PATH)) {
      MessageBoxA(0, "GetModuleFileNameA failed!", "Error", 0);
      return 80000000;
    }

    // Strip the executable name, leaving the game directory.
    std::string xignf = ModulePath.substr(0, ModulePath.find_last_of("\\"));
    xignf += "\\XIGNCODE\\x3.dummy";
    HMODULE hX3 = LoadLibraryA(xignf.c_str());

    if (hX3 == nullptr) {
      MessageBoxA(0, "LoadLibraryA failed!", "Error", 0);
      return 80000000;
    }

    // Ordinal 1 is the original dispatch export.
    o_x3_Dispatch = reinterpret_cast<t_x3_Dispatch>(
        GetProcAddress(hX3, reinterpret_cast<LPCSTR>(1)));

    if (o_x3_Dispatch == nullptr) {
      MessageBoxA(0, "GetProcAddress failed!", "Error", 0);
      return X3_NOT_INITIALIZED;  // constant from the poster's project, not defined in this post
    }
    DllMain();
  }
  return o_x3_Dispatch(FunctionAddress, Type);
}
From PasteBin:
- XC has a single-call which starts the anti-cheat (it loads x3.xem) just nop that call and fix some of the jumps in that region and you should get a bypass until heartbeat

Hook the following and filter out anything related to your DLL:
NtQueryInformationProcess
NtQueryVirtualMemory
NtReadVirtualMemory
NtQueryInformationThread
NtOpenFile
NtWow64QueryInformationProcess64
NtWow64QueryVirtualMemory64
NtWow64ReadVirtualMemory64

GetAsyncKeyState Detection
Because GAKS is very commonly used in hacks, they very easily detect you using it or hooking it. To bypass this detection use a different method of reading keyboard keys or, as @Broihon has said, wait for Xigncode to hook it, then hook it afterwards, something similar to:
C++:
#include <windows.h>
#include <cstring>

// Snapshot the first bytes of GetAsyncKeyState before the anticheat hooks it,
// wait until those bytes change (the hook has been placed), then restore them.
void UnhookGAKSAfterXigncode()
{
    BYTE * pGAKS = reinterpret_cast<BYTE*>(GetAsyncKeyState);
    BYTE Orig[10];
    memcpy(Orig, pGAKS, 10);   // original bytes, taken before the hook exists

    bool bChanged = false;

    while (!bChanged)
    {
        for (UINT i = 0; i != 10; ++i)
            if (pGAKS[i] != Orig[i])
                bChanged = true;
        Sleep(100);
    }

    DWORD dwOld = 0;
    VirtualProtect(pGAKS, 10, PAGE_EXECUTE_READWRITE, &dwOld);
    memcpy(pGAKS, Orig, 10);   // put the saved bytes back
    VirtualProtect(pGAKS, 10, dwOld, &dwOld);
}

Misc:
Directly hooking into the virtual functions is detected by Xigncode. They also detect Dlls unless you manual map them. Xigncode doesn't detect hooks in the game's code which means you can hook into EndScene at the point where the game calls it.
Xigncode is a rootkit and therefore has complete access to your entire computer and can examine any file or process on it. To remove it you can use these commands:

Code:
net stop xhunter1
reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xhunter1
del C:\Windows\xhunter1.sys
Several of these bypasses are for older versions of Xigncode, but a few are Xigncode3 Bypass.

Xigncode Bypass Resources:
Release - xingcode3 - x3 and xcorona unpacked files

unkn0wncheats - Multiplayer Game Hacks and Cheats
XIGNCODE3 Final [Anticheat+Driver]
File:XIGNCODE Initialization AVA.PNG - unkn0wncheats Game Hacking Wiki
XIGNCODE3 Information - Pastebin.com

Xigncode Bypass Threads:
Help - Bypass XignCode GetaSyncKeyState Detection
Help - Xigncode game differences
Help - Is There Any Way? to bypass xigncode3 heartbeat
Help - xigncode.
Help - Xigncode 3 bypass for Wolfteam
Help - How to bypass XİGNCODE - ZULA ?
 
Last edited:
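Added here as an educational example, not code from the post or from XignCode: a Python model of the server-verified heartbeat and module-hash check the post above describes. The session key, module images, known-good digest list and every function name are constructed for the demo; a real client derives the key during login and the server holds the hash list. It shows that a client whose hashed module carries the 3-byte patch from the posted bypass, or that simply stops answering, is dropped by the server.

```python
# Added educational example of a server-verified heartbeat with a module-hash
# report. It is not XignCode's code or protocol; the session key, module images
# and known-good list are all constructed for the demo.
import hashlib
import hmac
import os

# Constructed stand-ins for the module images a client-side integrity check would hash.
MODULES = {
    "game.bin": b"\x55\x8b\xec" + b"\x90" * 61,   # fake function prologue plus padding
    "x3.xem": b"MZ" + bytes(range(64)),           # fake anticheat DLL image
}
# Server-side "internal list" of known-good digests (the post: each module's CRC/MD5 is checked).
KNOWN_GOOD = {name: hashlib.sha256(img).hexdigest() for name, img in MODULES.items()}
SESSION_KEY = b"constructed-session-key"  # a real client derives this during login

def module_report(images):
    """Client: digest every loaded module; the digests travel inside the heartbeat."""
    return {name: hashlib.sha256(img).hexdigest() for name, img in images.items()}

def _encode(nonce, seq, report):
    """Canonical bytes that both sides MAC: nonce, sequence number, sorted digests."""
    body = "|".join(f"{k}={v}" for k, v in sorted(report.items())).encode()
    return nonce + seq.to_bytes(4, "big") + body

def client_answer(key, nonce, seq, images):
    """Client: answer a challenge; the MAC binds the report to this nonce and sequence number."""
    report = module_report(images)
    return {"seq": seq, "report": report,
            "mac": hmac.new(key, _encode(nonce, seq, report), "sha256").digest()}

class HeartbeatServer:
    """Server: issue nonces, verify answers, drop the session on tamper, replay or silence."""

    def __init__(self, key, timeout_s=30):
        self.key, self.timeout = key, timeout_s
        self.seq, self.pending = 0, None  # pending = (nonce, seq, deadline)
        self.connected, self.reason = True, None

    def challenge(self, now):
        self.seq += 1
        nonce = os.urandom(16)
        self.pending = (nonce, self.seq, now + self.timeout)
        return nonce, self.seq

    def expire(self, now):
        """Server timer: an unanswered challenge past its deadline ends the session."""
        if self.pending and now > self.pending[2]:
            return self._drop("heartbeat timeout")
        return True

    def verify(self, answer, now):
        if self.pending is None:
            return self._drop("unsolicited heartbeat")
        nonce, seq, deadline = self.pending
        if now > deadline:
            return self._drop("heartbeat timeout")
        if answer["seq"] != seq:
            return self._drop("replayed or out-of-order heartbeat")
        expected = hmac.new(self.key, _encode(nonce, seq, answer["report"]), "sha256").digest()
        if not hmac.compare_digest(answer["mac"], expected):
            return self._drop("bad heartbeat MAC")
        for name, good in KNOWN_GOOD.items():
            if answer["report"].get(name) != good:
                return self._drop(f"module {name} modified")
        self.pending = None
        return True

    def _drop(self, reason):
        self.connected, self.reason = False, reason
        return False

def run_session(images, rounds=3, silent=False):
    """Simulate `rounds` exchanges on a fake clock; returns (still_connected, disconnect_reason)."""
    server = HeartbeatServer(SESSION_KEY)
    now = 0
    for _ in range(rounds):
        nonce, seq = server.challenge(now)
        now += 31 if silent else 5           # silent client: the deadline passes with no answer
        ok = server.expire(now) if silent else server.verify(client_answer(SESSION_KEY, nonce, seq, images), now)
        if not ok:
            break
    return server.connected, server.reason

if __name__ == "__main__":
    print("honest client:", run_session(MODULES))
    # The same 3-byte patch the posted bypass writes over a prologue (mov al, 1; ret).
    patched = dict(MODULES, **{"game.bin": b"\xb0\x01\xc3" + MODULES["game.bin"][3:]})
    print("patched module:", run_session(patched))
    print("silent client:", run_session(MODULES, silent=True))
```

Run it directly to see the three outcomes. Because the MAC covers a fresh nonce and the sequence number, replaying an earlier honest answer fails too, and a client that cannot produce the session key cannot forge a report at all.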

tvojama

uz42&4fd
Meme Tier VIP
Dank Tier Donator
Apr 1, 2015
379
2,498
9
Hmm, never heard of Xigncode3 bypass. They new?
 
Last edited by a moderator:

mangosd

Full Member
Apr 30, 2018
5
928
0
Xigncode is around for years now, the newest version is apparently an even bigger pain in the ass compared to the second version.
League of Legends also uses a modified version of that for their client that uses the "Garena"-Client. Its called "Demacia" there.

This information is probably very useful for some people.
Thanks for the post. :)
 

Broihon

edgy 12 y/o
Escobar Tier VIP
Fleep Tier Donator
Dec 22, 2013
1,743
40,528
315
The most important fact about Xigncode is that it heavily depends on the game. All those features Rake mentioned are separate from each other and sold separately. Some games have all of the mechanics implemented, other games only the most basic window detection. Just a few days ago I messed with a Xigncode protected game which only did the following:
- heartbeat
- close handles to the game ONCE (you CAN reopen it after that)
- window detection which ONLY minimizes stuff like Cheat Engine but DOESN'T close the game
Other versions are in fact much harder to bypass.

XC's module detection fully relies on NT- and WINAPIs. So you could technically hook all modules listing related APIs but that's a lot of work and you'd also hook their functions which check for hooks. So just stick to manual mapping. They don't have any pattern/signature based module detection. They use NtQueryVirtualMemory which uses kernel information. That's why any usermode cloaking of your dll is useless.

XC calls some native functions directly by using syscall (x64) or the wow64 transition thingy (x86) which makes even finding what native functions they use even more annoying.

As Rake also said using GetAsyncKeyState is detected since XC hooks it and checks the callstack. Unhooking works fine but will probably be detected at some point which is why one should probably switch to lowlevel keyboard hooks now.
Edit: On some systems it might hook NtUserGetAsyncKeystate instead or both. Same method applies.

When it comes to DirectX hooking there are a few reliable methods but the one I prefer is the following. XC doesn't have code checksum checks for the game's code. Or at least I've never encountered that. They hash and check most windows modules but not the game's module. This means we can simply hook into the game's code when it calls the various DX functions (doesn't matter what version). Leave the D3DX.dll alone and just hook into the game directly and you'll be fine. You can also hook into the game's vtable. That's undetected as well. Of course a clean overlay is the best solution.

As for thread creation I've never had trouble spawning as many threads as I liked. But this of course can change or maybe has already been changed.

In case the game properly protects the game's process from being opened you can always hijack a handle. Inheriting an existing handle to a child process which then eg. injects a dll worked fine for me. Again - could've been changed by now but I doubt that. In case it has been changed you can always write more shellcode to the owner of the original handle and inject from there without inheriting the handle to another process.
 
Last edited:
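Added educational example in Python, not the poster's or XignCode's code, of the call-stack check this post describes: a hooked input API captures its callers' return addresses, and each one is attributed to a mapped module, with an extra check that a return address really follows a call instruction. The memory map, code bytes, stacks and all function names are constructed; a live implementation would read them from the process (memory queries, the module list, a stack walk) instead. Executable regions with no backing image are what a manually mapped DLL leaves behind, which is the signal this check keys on.

```python
# Added educational example (not XignCode's code) of return-address attribution
# over a captured call stack. Memory map, code bytes and stacks are constructed.
from typing import Optional

class Region:
    """One memory-map entry: base, size, backing image (None = private memory), executability."""
    def __init__(self, base: int, size: int, name: Optional[str], executable: bool):
        self.base, self.size, self.name, self.executable = base, size, name, executable

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

# Constructed memory map shaped like a memory query result for a 32-bit game.
MEMORY_MAP = [
    Region(0x00400000, 0x00800000, "game.bin", True),
    Region(0x75A00000, 0x00100000, "user32.dll", True),
    Region(0x77000000, 0x00180000, "ntdll.dll", True),
    Region(0x0E300000, 0x00010000, None, True),   # RWX private region, no image: a manually mapped DLL
    Region(0x0F000000, 0x00100000, None, False),  # heap: readable data, not executable
]
KNOWN_MODULES = {"game.bin", "user32.dll", "ntdll.dll"}

# Constructed code bytes at two spots in game.bin, used to check whether a
# return address really sits right after a call instruction.
CODE = {
    0x00401000: b"\xe8\x10\x00\x00\x00\x8b\xf0",  # call rel32 ; mov esi, eax -> genuine return site 0x401005
    0x00402000: b"\x90\x90\x90\x90\x90\x33\xc0",  # nop x5 ; xor eax, eax     -> 0x402005 is not a return site
}

def classify(addr: int, memory_map=MEMORY_MAP) -> str:
    """Name the memory a return address points into."""
    region = next((r for r in memory_map if r.contains(addr)), None)
    if region is None:
        return "unmapped"
    if region.name is None:
        return "unbacked-executable" if region.executable else "unbacked-data"
    return region.name if region.name in KNOWN_MODULES else "unknown-module"

def read_code(addr: int, n: int) -> Optional[bytes]:
    """Return n bytes of the constructed code snapshot at addr, or None if not covered."""
    for base, blob in CODE.items():
        if base <= addr and addr + n <= base + len(blob):
            return blob[addr - base: addr - base + n]
    return None

def preceded_by_call(ret_addr: int) -> Optional[bool]:
    """True/False if the bytes before ret_addr do/don't decode as a call; None when no
    snapshot covers them. Handles E8 rel32 (5 bytes), FF /2 reg (2 bytes), FF 15 [mem] (6 bytes)."""
    b5 = read_code(ret_addr - 5, 5)
    if b5 is None:
        return None
    if b5[0] == 0xE8:
        return True
    b2 = read_code(ret_addr - 2, 2)
    if b2 and b2[0] == 0xFF and 0xD0 <= b2[1] <= 0xD7:
        return True
    b6 = read_code(ret_addr - 6, 6)
    return bool(b6 and b6[:2] == b"\xff\x15")

def inspect_stack(return_addresses, memory_map=MEMORY_MAP):
    """Attribute each captured return address (innermost caller first) and flag suspicious ones.
    Returns (verdict, findings) with findings as a list of (addr, reason)."""
    findings = []
    for addr in return_addresses:
        where = classify(addr, memory_map)
        if where not in KNOWN_MODULES:
            findings.append((addr, f"return address in {where} memory"))
        elif preceded_by_call(addr) is False:
            findings.append((addr, f"return address in {where} is not preceded by a call"))
    return ("suspicious" if findings else "clean"), findings

if __name__ == "__main__":
    # Constructed stacks as captured inside the hooked API: [caller, caller's caller, ...]
    print(inspect_stack([0x77010000, 0x75A01234, 0x00401005]))  # normal game input path
    print(inspect_stack([0x75A01234, 0x0E300420]))              # caller lives in unbacked RWX memory
    print(inspect_stack([0x75A01234, 0x00402005]))              # forged return address into game.bin
```

The first heuristic (is the frame inside a known image?) is what catches manually mapped code; the second (is the address preceded by a call?) catches a forged return address that was pointed at a known module. Both are cheap enough to run on every hooked call, which is why the post advises switching input methods rather than relying on unhooking.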

inter 2008

Coder
Silenced
Dank Tier Donator
Jul 3, 2013
477
2,808
17
The most important fact about Xigncode is that it heavily depends on the game. All those features Rake mentioned are separate from each other and sold separately. Some games have all of the mechanics implemented, other games only the most basic window detection. Just a few days ago I messed with a Xigncode protected game which only did the following:
- heartbeat
- close handles to the game ONCE (you CAN reopen it after that)
- window detection which ONLY minimizes stuff like Cheat Engine but DOESN'T close the game
Other versions are in fact much harder to bypass.

XC's module detection fully relies on NT- and WINAPIs. So you could technically hook all modules listing related APIs but that's a lot of work and you'd also hook their functions which check for hooks. So just stick to manual mapping. They don't have any pattern/signature based module detection. They use NtQueryVirtualMemory which uses kernel information. That's why any usermode cloaking of your dll is useless.

XC calls some native functions directly by using syscall (x64) or the wow64 transition thingy (x86) which makes even finding what native functions they use even more annoying.

As Rake also said using GetAsyncKeyState is detected since XC hooks it and checks the callstack. Unhooking works fine but will probably be detected at some point which is why one should probably switch to lowlevel keyboard hooks now.

When it comes to DirectX hooking there are a few reliable methods but the one I prefer is the following. XC doesn't have code checksum checks for the game's code. Or at least I've never encountered that. They hash and check most windows modules but not the game's module. This means we can simply hook into the game's code when it calls the various DX functions (doesn't matter what version). Leave the D3DX.dll alone and just hook into the game directly and you'll be fine. You can also hook into the game's vtable. That's undetected as well. Of course a clean overlay is the best solution.

As for thread creation I've never had trouble spawning as many threads as I liked. But this of course can change or maybe has already been changed.

In case the game properly protects the game's process from being opened you can always hijack a handle. Inheriting an existing handle to a child process which then eg. injects a dll worked fine for me. Again - could've been changed by now but I doubt that. In case it has been changed you can always write more shellcode to the owner of the original handle and inject from there without inheriting the handle to another process.
make this a thread so i can sperm on it
 

Broihon

edgy 12 y/o
Escobar Tier VIP
Fleep Tier Donator
Dec 22, 2013
1,743
40,528
315
lul, yeah xc definitely ssdt hooks xd rake fix that
 

Rake

Cesspool Admin
Administrator
Jan 21, 2014
11,539
78,998
2,312
@IXSO sent me some info that he had regarding a game that had a pretty shoddy implementation of xigncode
The version I have to work with is super buggy (same as game) and not the latest. The devs copied the xigncode folder from ava and did a terrible job implementing it, therefore, i can call any api (GAKS, LL, CT, etc.) without detection. Idk how much help i will be as all i've done is hooked a couple WINAPIs so that i can use whatever i want except for olly (I believe themida is the one detecting it tho)

The APIs I'm hooking:
user32.PostMessageW - used to minimize CE, sends WM_SYSCOMMAND + SC_MINIMIZE in a loop despite window state.
Advapi32.OpenSCManager - removes xigncode's service
kernel32.DuplicateHandle - prevents xigncode from closing handles. Gets called with 1st 2 params being -1, which i believe stands for "All"
kernel32.ExitProcess - never called, still hooking it :fleep:
kernel32.TerminateProcess - same
kernel32.TerminateThread - same
kernel32.IsDebuggerPresent - idk if it's called, but it's still better to hook it
ntdll.ZwTerminateProcess - just in case :fleep:
ntdll.ZwSetInformationThread - iirc i hooked this hoping to avoid themida debugger detections, but i'm not sure
 

Broihon

edgy 12 y/o
Escobar Tier VIP
Fleep Tier Donator
Dec 22, 2013
1,743
40,528
315
XC doesn't SSDT hook anything. In fact there's no anticheat (that I know of) that does that because of patchguard. The only thing their driver does is registering a callback using ObRegisterCallbacks to strip handles when someone tries to open their process (and maybe some module detection gay shit but who cares).
 

Ayyyther

Newbie
Dank Tier Donator
Feb 14, 2016
36
143
1
so what of these 3 version does special force 2 use if anybody knows?
If what is written above is factual, the only way to be certain would be to analyse it yourself. The features are sold separately (according to a post above).
 

SDK24

French Canadian so what?
Trump Tier Donator
Nobleman
Aug 22, 2018
118
2,948
5
XignCode from what I am reading, seems to have some good coders behind it.
~relevant~
 
Feb 12, 2019
1
2
0
how about XignCode3 CallBack ?
its like after 10 minute we play the game then the xigncode comes out again
i need help for this game ...
 
Jun 25, 2019
1
2
0
Can someone help me pass xigncode3 in ept game?
Here is the download link and registration: https: //pt1.subagames.com/Home.aspx
 

Lukor

ded
Meme Tier VIP
Fleep Tier Donator
Dec 13, 2013
441
3,978
24
Can someone help me pass xigncode3 in ept game?
Here is the download link and registration: https: //pt1.subagames.com/Home.aspx
Just post what you need help with and what you already did/tried.
Someone who knows how to do it will help you.

If you want someone to do it for you, you are out of luck.
 
Oct 22, 2019
4
2
0
Hi , first time posting so be kind willya.
So i came back to a game that uses xg3...sadly now it started to use heartbeat. Weird flex but ok. I am using the
"VirtualPuppet" awesome dude code on github. Going to check if i can do something about the heartbeat thingy.
Any kind of help/suggestion or insight will be appreciated, thank you.
 


HereToHack

Meme Tier VIP
Dank Tier Donator
Apr 28, 2019
230
3,303
26
Hi , first time posting so be kind willya.
So i came back to a game that uses xg3...sadly now it started to use heartbeat. Weird flex but ok. I am using the
"VirtualPuppet" awesome dude code on github. Going to check if i can do something about the heartbeat thingy.
Any kind of help/suggestion or insight will be appreciated, thank you.
Looking at his github his XignCode bypasses were released 2/3 years ago and 99% patched/changed in a way that would require you to reverse the AC on your own to get them working. Your best bet would be reading all the info provided in the main post and bypassing the AC on your own once you have enough skill in reversing. A heartbeat isn't a simple thing to get around if the AC devs are good or everyone would be using shit like NoEye to bypass BattlEye, and there's likely many other changes that would need to be changed.
 