Solved xigncode.

Hexui Undetected CSGO Cheats Sinkicheat PUBG Cheat

bYt3_w4LK3r

Jr.Coder
Full Member
Nobleman
Nov 20, 2014
58
283
1
i have tried to make a d3d wallhack for a game protected by xigncode3. i always get detected. my question, how xigncode detects stuff, what stuff it can detect, and what countermeasures i can use to circumvent it. source code not necessary, just information. thanks :)
 

Broihon

edgy 12 y/o
Escobar Tier VIP
Fleep Tier Donator
Dec 22, 2013
1,746
40,528
316
Xigncode scans for hooks in the d3d9.dll. That means you can either try to bypass that check or you simply don't hook inside of that module.
If I recall correctly you can just hook where the game calls the d3d9 functions since Xigncode doesn't scan the game's codepages.
Xigncode also detects call to GetAsyncKeyState since they've hooked that API themselves. You can just unhook it by restoring the original bytes.
Xigncode has a decent module detection. You should use manual mapping if you don't want to go to kernelmode to hide your module. They also use usermode info of course.

https://guidedhacking.com/threads/how-to-bypass-xigncode-anticheat.10800/
 
Last edited by a moderator:
  • Like
Reactions: lda123321

bYt3_w4LK3r

Jr.Coder
Full Member
Nobleman
Nov 20, 2014
58
283
1
the game I'm trying to hack is special force philippines by playpark.

as for mr. Broihon, if i restored the GetAsyncKeyState's original bytes, wouldn't they just hook it again? and if i can't directly hook d3d9.dll functions, i can either use VMT hooks, IAT hooks, or Exception hooks, right?
 

Broihon

edgy 12 y/o
Escobar Tier VIP
Fleep Tier Donator
Dec 22, 2013
1,746
40,528
316
the game I'm trying to hack is special force philippines by playpark.

as for mr. Broihon, if i restored the GetAsyncKeyState's original bytes, wouldn't they just hook it again? and if i can't directly hook d3d9.dll functions, i can either use VMT hooks, IAT hooks, or Exception hooks, right?
No, they won't restore the hook. Xigncode hooks GetAsyncKeyState after the intialization.
Xigncode will detect VMT hooks. IAT hooking won't work since it's a virtual function. Exceptions will cause extreme lag.
Hook where the game calls the function.
 

bYt3_w4LK3r

Jr.Coder
Full Member
Nobleman
Nov 20, 2014
58
283
1
thank you, sir. sorry, but I can't click that thank you button. I can't find it on the mobile version of the site. one last question: how can i find that point where in the game is calling that particular function?
 

Broihon

edgy 12 y/o
Escobar Tier VIP
Fleep Tier Donator
Dec 22, 2013
1,746
40,528
316
thank you, sir. sorry, but I can't click that thank you button. I can't find it on the mobile version of the site. one last question: how can i find that point where in the game is calling that particular function?
Put a breakpoint on the function (in Cheat Engine) and if it gets hit you can see in the callstack where the game calls the function.
For the d3d functions it's probably something like call [ecx + 8C] or something like that.
 

Broihon

edgy 12 y/o
Escobar Tier VIP
Fleep Tier Donator
Dec 22, 2013
1,746
40,528
316
do I have to destroy xigncode's initialization to attach CE?
Yes. But you only need to set a breakpoint and get an address. After that you can just implement the hook in your hack which doesn't require a full bypass.
 

bYt3_w4LK3r

Jr.Coder
Full Member
Nobleman
Nov 20, 2014
58
283
1
Вroihon;48086 said:
Yes. But you only need to set a breakpoint and get an address. After that you can just implement the hook in your hack which doesn't require a full bypass.
thanks for the help, sir. I'll try and do it, see if I can. :)
 

bYt3_w4LK3r

Jr.Coder
Full Member
Nobleman
Nov 20, 2014
58
283
1
@GAFO they have actually mentioned that they should spoof GetAsyncKeyState's return address to be undetected. i would try that.

Broihon i have tried first to breakpoint DIP on a test environment, but the callstack says that the return address points to an address that belonged to a file named "d3dx9_43.dll" is it safe to jack this one?
 

Broihon

edgy 12 y/o
Escobar Tier VIP
Fleep Tier Donator
Dec 22, 2013
1,746
40,528
316
@GAFO they have actually mentioned that they should spoof GetAsyncKeyState's return address to be undetected. i would try that.

Broihon i have tried first to breakpoint DIP on a test environment, but the callstack says that the return address points to an address that belonged to a file named "d3dx9_43.dll" is it safe to jack this one?
Hmm, didn't expect that. So I don't know. Give it a try^^
 

bYt3_w4LK3r

Jr.Coder
Full Member
Nobleman
Nov 20, 2014
58
283
1
I have googled the dll file and it was call the Direct3d Extensions... I think that modifying something in this dll might detect my hack, as I have assumed that Xigncode must be monitoring this one too... i have looked at the source code of the SimpleSample.cpp of the d3d sdk, and the functions that get directly called by the app are Clear, BeginScene, and EndScene. Can I still get my target hack functionality (wallhack) by hooking them instead of DIP?
 

Broihon

edgy 12 y/o
Escobar Tier VIP
Fleep Tier Donator
Dec 22, 2013
1,746
40,528
316
I have googled the dll file and it was call the Direct3d Extensions... I think that modifying something in this dll might detect my hack, as I have assumed that Xigncode must be monitoring this one too... i have looked at the source code of the SimpleSample.cpp of the d3d sdk, and the functions that get directly called by the app are Clear, BeginScene, and EndScene. Can I still get my target hack functionality (wallhack) by hooking them instead of DIP?
No, you have to hook DrawIndexedPrimitive. By hooking one of the other functions you can get the game IDirect3DDevice9 though. Try replacing the pointer to DIP in the device (you should also consider hooking Reset in case the game resets the device - your hook would be gone then).
 

bYt3_w4LK3r

Jr.Coder
Full Member
Nobleman
Nov 20, 2014
58
283
1
so it means that I'm gonna do VMT hooking on the device to point it's DIP to the hook?
 

Broihon

edgy 12 y/o
Escobar Tier VIP
Fleep Tier Donator
Dec 22, 2013
1,746
40,528
316
so it means that I'm gonna do VMT hooking on the device to point it's DIP to the hook?
Yes, I highly doubt that Xigncode checks that since the device is in dynamically allocated memory. You also just have to replace one pointer which is much easier than hooking into a function.
 

bYt3_w4LK3r

Jr.Coder
Full Member
Nobleman
Nov 20, 2014
58
283
1
good thing I have learned in advance how to do what you said I should do... what does reset() do? does xigncode also check the return values of direct3d functions?
 
Attention! Before you post:

Read the How to Ask Questions Guide
99% of questions are answered in the Beginner's Guide, do it before asking a question.

No Hack Requests. Post in the correct section.  Search the forum first. Read the rules.

How to make a good post:

  • Fill out the form correctly
  • Tell us the game name & coding language
  • Post everything we need to know to help you
  • Ask specific questions, be descriptive
  • Post errors, line numbers & screenshots
  • Post code snippets using code tags
  • If it's a large project, zip it up and attach it

If you do not comply, your post may be deleted.  We want to help, please make a good post and we will do our best to help you.

Community Mods