Xingcod3 Analysis
I WANT HELP TO MAKE BYPASS FOR THIS AC ALL ATM INFORMATIONS HERE:
List of files:
Loading of x3.xem:Code:splash.xem --> splash.bmp --> XIGNCODE Splash Bitmap tray.xem --> tray.ico --> XIGNCODE Tray Icon vashj.xem --> vashj.dll --> XIGNCODE Core System x3.xem --> x3.dll --> XIGNCODE System xdna.xem --> xdna.dll --> XIGNCODE DNA xm.exe --> xm.exe --> XIGNCODE Message Printer xmag.xem --> xmag.xem --> ???? xnina.xem --> xnina.xem --> ???? xnoa.xem --> xnoa.xem --> ???? xsg.xem --> xsg.dll --> XIGNCODE System Guard xxd.xem --> xxd.dll --> XIGNCODE WatchDog Process
Spoiler
Dekaron.exe loads x3.xem into its process space with LoadLibraryW. Then the address of the first import (and only) of x3.xem is retrieved with GetProcAddress. If that fails, an error code will be set, code = 0xE0190401.
If the address of the export got retrieved successfully it will be called at 0x004024B8. Note that before the call a constant gets pushed onto the stack (PUSH 1).
Because the constant 1 got pushed before the call, the JNZ at 0x69122477 does not jump. Unfortunately the execution continues inside Themida's VM, so tracing it will be of no use (we can't understand what really happens).
Remember the CALL EAX in picture 2? I let that call execute and returned to the code after that call. Now I have stepped to the second CALL instruction. It calls a value located in the stack (ESP+0xC). This is an address in x3.xem image too.
Unfortunately, most of this procedure is virtualized too .
with Charles Proxy
xigncode uses this to load/dl xxd.xem: xigncode.cdnetworks.net/xigncode/PatchRoot/Ze7cxckcIB4rna/List/30085/xxd.xem/68f68bfa514457645522f3893fafff50/xxd.xem
That can't be done just because it is a virtual machine. It's not stolen bytes that you can trace easily. Themida VM works this way, it obfuscates the real code, then translates the obfuscated stuff into it's own VM opcodes, and then the newer versions even obfuscate the VM handlers.
Consider this piece of code:
Spoiler
pushfd
push eax
push ebx
push eax
push esp
pop eax
push esi
mov dword ptr ss:[esp],eax
push dword ptr ss:[esp+4]
mov eax,dword ptr ss:[esp]
push edi
mov edi,esp
add edi,4
add edi,4
xchg dword ptr ss:[esp],edi
pop esp
pop dword ptr ss:[esp]
pop esp
mov dword ptr ss:[esp],esp
add dword ptr ss:[esp],4
pop ebx
push eax
push ebp
mov ebp,6FF12ACC
mov eax,EE9134D7
sub eax,1C4522EB
add eax,ebp
add eax,1C4522EB
mov ebp,dword ptr ss:[esp]
add esp,4
add eax,550A087B
shr eax,4
sub eax,0B38C67D
add ebx,eax
push dword ptr ss:[esp]
pop eax
add esp,4
sub ebx,4
xchg dword ptr ss:[esp],ebx
mov esp,dword ptr ss:[esp]
mov dword ptr ss:[esp],edi
mov dword ptr ss:[esp],ebx
mov dword ptr ss:[esp],ecx
push eax
push esp
push dword ptr ss:[esp]
pop eax
add esp,4
push 32C2
mov dword ptr ss:[esp],ebp
sub esp,4
mov dword ptr ss:[esp],ebx
mov ebx,5FB47367
push ebx
pop ebp
pop ebx
dec ebp
push edx
push 7FBA3455
pop edx
xor ebp,edx
pop edx
push ecx
mov ecx,5DC46C3C
or ecx,748437DE
not ecx
inc ecx
inc ecx
sub ecx,1B2D032D
and ebp,ecx
pop ecx
add ebp,DFF1BBF2
add eax,ebp
mov ebp,dword ptr ss:[esp]
push edx
push esp
pop edx
add edx,4
add edx,4
push edx
push dword ptr ss:[esp+4]
mov edx,dword ptr ss:[esp]
add esp,4
pop dword ptr ss:[esp]
pop esp
push edx
mov edx,4
sub eax,edx
pop edx
xchg dword ptr ss:[esp],eax
mov esp,dword ptr ss:[esp]
mov dword ptr ss:[esp],edx
push ebp
push esp
pop ebp
push esi
mov esi,35222117
shl esi,7
and esi,44FC48BC
shl esi,7
not esi
xor esi,F7FBBFFB
add ebp,esi
mov esi,dword ptr ss:[esp]
add esp,4
push edx
mov edx,57AA4625
or edx,6B6277A2
push ebx
push ebp
mov ebp,47F42CFA
shl ebp,8
shr ebp,6
push ecx
mov ecx,62EB2F0C
sub ebp,ecx
pop ecx
xor ebp,D9F6D7C4
mov ebx,ebp
pop ebp
xor edx,ebx
push dword ptr ss:[esp]
pop ebx
add esp,4
sub edx,0B61054A
sub edx,74327172
inc edx
add edx,789A5200
sub ebp,7C856EBA
sub ebp,edx
add ebp,7C856EBA
mov edx,dword ptr ss:[esp]
add esp,4
xchg dword ptr ss:[esp],ebp
mov esp,dword ptr ss:[esp]
mov dword ptr ss:[esp],ebp
mov dword ptr ss:[esp],ebx
push esp
pop ebx
add ebx,4
sub ebx,4
xchg dword ptr ss:[esp],ebx
mov esp,dword ptr ss:[esp]
mov dword ptr ss:[esp],ecx
mov dword ptr ss:[esp],ebx
push 584B
push esi
mov dword ptr ss:[esp],esp
push edi
mov edi,4
sub dword ptr ss:[esp+4],61CF7F48
add dword ptr ss:[esp+4],edi
add dword ptr ss:[esp+4],61CF7F48
pop edi
pop dword ptr ss:[esp]
push edi
mov edi,esp
push ecx
mov ecx,4
add edi,ecx
pop ecx
push eax
mov eax,4
sub edi,eax
pop eax
xchg dword ptr ss:[esp],edi
mov esp,dword ptr ss:[esp]
mov dword ptr ss:[esp],edx
push ebp
mov ebp,2F0456C9
push ebp
mov ebp,40770443
not ebp
inc ebp
shr ebp,6
inc ebp
add ebp,CDFD854C
mov edx,ebp
pop ebp
sub edx,13C5588C
add edx,ebp
push esi
mov esi,13C5588C
add edx,esi
push dword ptr ss:[esp]
pop esi
add esp,4
mov ebp,dword ptr ss:[esp]
add esp,4
sub dword ptr ss:[esp+4],7C831555
add dword ptr ss:[esp+4],edx
push ebp
mov ebp,7C831555
add dword ptr ss:[esp+8],ebp
pop ebp
pop edx
push 2312
mov dword ptr ss:[esp],esi
mov dword ptr ss:[esp],eax
mov dword ptr ss:[esp],esi
mov dword ptr ss:[esp],ebp
push ecx
push esp
mov ecx,dword ptr ss:[esp]
add esp,4
sub esp,4
mov dword ptr ss:[esp],esi
mov esi,76705FB6
inc esi
shr esi,4
shl esi,3
or esi,599D015A
push ecx
mov ecx,29C21C5F
sub esi,ecx
pop ecx
sub esp,4
mov dword ptr ss:[esp],ebp
mov ebp,3240642E
push esi
mov esi,6C216329
add esi,198C7B46
add esi,CDFD2709
xor ebp,esi
pop esi
not ebp
push 4EB6
mov dword ptr ss:[esp],esi
mov esi,5DEC09F9
not esi
inc esi
shr esi,6
sub esi,C5F9E64B
add ebp,esi
pop esi
xor ebp,74A7E4BF
add esi,ebp
mov ebp,dword ptr ss:[esp]
push ebp
push esp
pop ebp
add ebp,4
add ebp,4
xchg dword ptr ss:[esp],ebp
pop esp
add ecx,341F3617
add ecx,esi
sub ecx,341F3617
pop esi
sub esp,4
mov dword ptr ss:[esp],edi
mov edi,4
sub ecx,edi
pop edi
push ecx
push dword ptr ss:[esp+4]
pop ecx
pop dword ptr ss:[esp]
pop esp
mov dword ptr ss:[esp],esi
push 537
mov dword ptr ss:[esp],ebp
mov dword ptr ss:[esp],edi
cld
push eax
push edx
push ebx
mov ebx,0D1175B5
push 7DAE
mov dword ptr ss:[esp],edi
mov edi,ebx
push edi
add dword ptr ss:[esp],22CE50CD
pop edx
sub edx,22CE50CD
pop edi
pop ebx
push ebx
mov ebx,49BB6E0C
sub dword ptr ss:[esp+8],ebx
pop ebx
add dword ptr ss:[esp+4],edx
add dword ptr ss:[esp+4],49BB6E0C
pop edx
push dword ptr ss:[esp]
pop eax
push ebx
mov ebx,esp
add ebx,4
push ecx
mov ecx,56D85174
neg ecx
sub ecx,4033419D
add ecx,970B9315
add ebx,ecx
pop ecx
xchg dword ptr ss:[esp],ebx
mov esp,dword ptr ss:[esp]
push edx
push esi
mov esi,7D533BF2
neg esi
xor esi,3D862011
push eax
mov eax,B23B91AA
xor esi,eax
pop eax
push ecx
mov ecx,esi
mov edx,ecx
pop ecx
pop esi
sub eax,3B9113C4
sub eax,edx
add eax,3B9113C4
push dword ptr ss:[esp]
pop edx
add esp,4
call @L00000001
@L00000001:
mov edi,dword ptr ss:[esp]
push ebx
mov ebx,esp
add ebx,4
sub ebx,4
xchg dword ptr ss:[esp],ebx
mov esp,dword ptr ss:[esp]
mov dword ptr ss:[esp],edi
mov edi,esp
push ebx
push eax
mov eax,4
push eax
sub dword ptr ss:[esp],506E78A8
pop ebx
add ebx,506E78A8
pop eax
add edi,ebx
mov ebx,dword ptr ss:[esp]
add esp,4
push ebp
mov ebp,4
push edx
push 786F
mov dword ptr ss:[esp],esi
mov esi,5C9E6759
shl esi,2
or esi,3D2A65B9
add esi,218E7968
add esi,60E56815
and esi,4CC64399
add esi,6623271F
mov edx,esi
mov esi,dword ptr ss:[esp]
add esp,4
add edi,edx
pop edx
add edi,ebp
push ebp
mov ebp,1EA25D7
and ebp,2FF76A09
not ebp
neg ebp
neg ebp
sub ebp,973475C7
sub edi,ebp
pop ebp
push dword ptr ss:[esp]
mov ebp,dword ptr ss:[esp]
add esp,4
add esp,4
xor edi,dword ptr ss:[esp]
xor dword ptr ss:[esp],edi
xor edi,dword ptr ss:[esp]
pop esp
push 6E4F
mov dword ptr ss:[esp],ebp
push esp
pop ebp
push ebx
mov ebx,508A615A
add ebx,AF759EAA
add ebp,ebx
pop ebx
sub ebp,4
push ebp
push dword ptr ss:[esp+4]
pop ebp
pop dword ptr ss:[esp]
pop esp
mov dword ptr ss:[esp],ebp
mov ebp,0A7B6A8F
push 605C
mov dword ptr ss:[esp],esi
mov esi,66C92313
add edi,6A822294
sub edi,esi
sub edi,6A822294
pop esi
sub edi,6397767A
sub edi,ebp
add edi,6397767A
push 7A90
mov dword ptr ss:[esp],eax
mov eax,5D42384B
shl eax,8
push edi
push 31C2523A
mov edi,dword ptr ss:[esp]
add esp,4
sub edi,247B2F2A
not edi
shl edi,4
add edi,1
xor edi,0F1D16E2
add eax,edi
pop edi
add edi,eax
mov eax,dword ptr ss:[esp]
add esp,4
pop ebp
push 7294
mov dword ptr ss:[esp],ecx
mov ecx,0CA064F3
dec ecx
push eax
push ebx
mov ebx,4E2E1188
not ebx
inc ebx
dec ebx
sub ebx,4B667725
mov eax,ebx
pop ebx
add eax,F57AEB38
sub ecx,eax
mov eax,dword ptr ss:[esp]
add esp,4
push ebp
mov ebp,1
add ecx,ebp
pop ebp
add ecx,852868EB
xor ecx,ebp
xor ebp,ecx
xor ecx,ebp
xchg ebp,edi
not edi
xchg ebp,edi
xor ecx,ebp
xor ebp,ecx
xor ecx,ebp
shl ecx,3
push eax
mov eax,AF135558
xor ecx,eax
push dword ptr ss:[esp]
pop eax
push edi
mov dword ptr ss:[esp],ecx
mov ecx,esp
add ecx,4
sub esp,4
mov dword ptr ss:[esp],ebp
mov ebp,4
add ecx,ebp
mov ebp,dword ptr ss:[esp]
add esp,4
xchg dword ptr ss:[esp],ecx
pop esp
and edi,ecx
pop ecx
push eax
mov eax,14
add edi,6A3D6188
add edi,eax
sub edi,6A3D6188
push dword ptr ss:[esp]
push dword ptr ss:[esp]
pop eax
add esp,4
push edi
sub esp,4
mov dword ptr ss:[esp],esp
add dword ptr ss:[esp],4
push dword ptr ss:[esp]
pop edi
add esp,4
add edi,4
push edx
mov edx,4
sub edi,69B63708
add edi,74625050
add edi,edx
sub edi,74625050
sub esp,4
mov dword ptr ss:[esp],esi
mov esi,459D64E8
dec esi
sub esi,DBE72DDF
add edi,esi
mov esi,dword ptr ss:[esp]
add esp,4
mov edx,dword ptr ss:[esp]
add esp,4
xor edi,dword ptr ss:[esp]
xor dword ptr ss:[esp],edi
xor edi,dword ptr ss:[esp]
mov esp,dword ptr ss:[esp]
push 3FF0
mov dword ptr ss:[esp],edi
push dword ptr ss:[esp]
push dword ptr ss:[esp]
pop eax
push ebx
push edi
mov dword ptr ss:[esp],esp
add dword ptr ss:[esp],4
pop ebx
push 9ED
mov dword ptr ss:[esp],edi
mov edi,36DC0239
xor edi,36DC023D
sub ebx,1BDA5302
add ebx,3EB14543
add ebx,edi
push ecx
mov ecx,1F957DDA
neg ecx
and ecx,0AD756F0
neg ecx
shl ecx,2
sub ecx,C046B23D
sub ebx,ecx
pop ecx
add ebx,1BDA5302
pop edi
push 63D4
mov dword ptr ss:[esp],edx
mov edx,4
add ebx,edx
mov edx,dword ptr ss:[esp]
push ecx
mov ecx,esp
add ecx,4
add ecx,4
xchg dword ptr ss:[esp],ecx
pop esp
xor ebx,dword ptr ss:[esp]
xor dword ptr ss:[esp],ebx
xor ebx,dword ptr ss:[esp]
mov esp,dword ptr ss:[esp]
add esp,4
push ebx
mov ebx,5D346A32
not ebx
xor ebx,14F00472
push 4DD1
mov dword ptr ss:[esp],ebp
push edi
push 2D024A02
pop edi
shl edi,7
add edi,1
sub edi,0B828FF6
mov ebp,edi
pop edi
push ebx
mov dword ptr ss:[esp],ebp
not dword ptr ss:[esp]
push dword ptr ss:[esp]
mov ebp,dword ptr ss:[esp]
add esp,4
push edi
mov edi,esp
add edi,4
add edi,4
xchg dword ptr ss:[esp],edi
pop esp
neg ebp
push edx
mov edx,72BE1616
not edx
add edx,624F6A07
neg edx
dec edx
sub edx,30B9229C
add edx,D55B08E9
sub ebp,7B8D4BDA
sub ebp,4BF46CCC
add ebp,edx
add ebp,4BF46CCC
add ebp,7B8D4BDA
pop edx
or ebx,ebp
pop ebp
neg ebx
not ebx
push esi
mov esi,89650D6
not esi
xor esi,326822A1
not esi
add esi,10C160D3
add ebx,esi
pop esi
sub edi,29582D19
add edi,ebx
add edi,29582D19
mov ebx,dword ptr ss:[esp]
push esi
mov esi,esp
add esi,4
add esi,4
xchg dword ptr ss:[esp],esi
pop esp
push dword ptr ss:[esp+24]
push dword ptr ss:[esp]
mov esi,dword ptr ss:[esp]
sub esp,4
mov dword ptr ss:[esp],esi
mov esi,esp
add esi,4
push ebp
mov ebp,4
add esi,ebp
pop ebp
xchg dword ptr ss:[esp],esi
pop esp
push edi
mov edi,esp
push edi
mov dword ptr ss:[esp],ebx
push edi
mov edi,28893892
mov ebx,edi
pop edi
push eax
mov eax,70AA4827
shr eax,7
not eax
dec eax
shr eax,5
shl eax,3
xor eax,C0385527
add ebx,eax
pop eax
dec ebx
push eax
push esi
mov esi,79321129
mov eax,0A9B560B
xor eax,esi
pop esi
xor ebx,eax
pop eax
sub ebx,5B207FAE
add edi,ebx
mov ebx,dword ptr ss:[esp]
push edi
push esp
pop edi
add edi,4
add edi,4
push edi
push dword ptr ss:[esp+4]
pop edi
pop dword ptr ss:[esp]
pop esp
add edi,4
push edi
push dword ptr ss:[esp+4]
pop edi
pop dword ptr ss:[esp]
pop esp
push 0E18
mov dword ptr ss:[esp],esi
push dword ptr ss:[esp]
push dword ptr ss:[esp]
pop ebx
push eax
push esp
pop eax
push ecx
mov dword ptr ss:[esp],edi
mov edi,4
add eax,edi
pop edi
push 18C6
mov dword ptr ss:[esp],ebx
push edi
mov edi,4
mov ebx,edi
pop edi
add eax,ebx
pop ebx
push ebp
mov dword ptr ss:[esp],eax
push dword ptr ss:[esp+4]
pop eax
pop dword ptr ss:[esp]
mov esp,dword ptr ss:[esp]
push edx
mov dword ptr ss:[esp],eax
mov eax,esp
push edx
mov edx,63A011ED
add edx,40603F00
neg edx
add edx,A40050F1
add eax,edx
pop edx
add eax,4
xchg dword ptr ss:[esp],eax
mov esp,dword ptr ss:[esp]
push eax
mov eax,62371BA3
or eax,32AA2B1C
push ebp
mov ebp,2D115506
and ebp,71E47997
shl ebp,4
push ebp
push edi
mov ebp,dword ptr ss:[esp]
add esp,4
mov edi,dword ptr ss:[esp]
add esp,4
not edi
xor ebp,edi
xor edi,ebp
xor ebp,edi
push esi
mov esi,329737F3
push eax
mov eax,211F7B8F
sub esi,eax
pop eax
sub esi,3639B2E
and ebp,esi
pop esi
add ebp,18C3D898
add eax,24A65DBE
add eax,65A5700C
sub eax,ebp
sub eax,65A5700C
push ebp
mov ebp,24A65DBE
sub eax,35E23C8E
sub eax,ebp
add eax,35E23C8E
pop ebp
mov ebp,dword ptr ss:[esp]
add esp,4
sub esi,eax
push dword ptr ss:[esp]
mov eax,dword ptr ss:[esp]
add esp,4
add esp,4
add esi,eax
push ebp
push ebx
mov ebx,33A04A95
mov ebp,184AF77C
add ebp,ebx
pop ebx
add esi,ebp
pop ebp
push 1
push dword ptr ss:[esp]
mov ecx,dword ptr ss:[esp]
push ebx
push esp
pop ebx
push esi
mov esi,5D6C28BD
add esi,23D54359
xchg esi,ecx
not ecx
xchg esi,ecx
xor esi,7EBE93ED
add ebx,esi
pop esi
add ebx,4
xchg dword ptr ss:[esp],ebx
pop esp
push 7399
mov dword ptr ss:[esp],eax
mov eax,esp
sub esp,4
mov dword ptr ss:[esp],ebp
mov ebp,4D7C5F89
push ecx
mov ecx,63FB3262
inc ecx
neg ecx
dec ecx
and ecx,6D727BFD
xor ecx,43D724E5
add ecx,2D57C1D2
or ebp,ecx
pop ecx
xor ebp,7D7F7FCF
sub eax,506C6306
add eax,63393920
add eax,ebp
sub eax,63393920
add eax,506C6306
mov ebp,dword ptr ss:[esp]
push 1712
mov dword ptr ss:[esp],edi
mov edi,esp
add edi,4
add edi,4
xchg dword ptr ss:[esp],edi
pop esp
add eax,4
xor eax,dword ptr ss:[esp]
xor dword ptr ss:[esp],eax
xor eax,dword ptr ss:[esp]
mov esp,dword ptr ss:[esp]
xor eax,eax
Can you resolve what it does, because I can't (it's supposed to be only some lines of real code)
(Note! It's just an example, it's just a small part of the VM code)
Just some extra info.
XIGN seems to communicate with this URL 222.231.57.223/x2/xls2.cg
The file seems to return +100. which I believe is a good code and +300. for errors.
Random folder names that may contain Xign files.
Base URL: xigncode.cdnetworks.net/xigncode/PatchRoot
Code:X77cjckcIB84CNt Dekaron_CNt Ze7cxckcIB4rUSt SuddenAttack_USt S37cccjcVi8vKRs Wellbia.comt FF7cjcycIB38TWt Aceonline_TWt _97cpcxcIB3AJPt Pristontale_JPt lX7cjcxcIB4PTWt Pristontale2_TWt X77cjckcIB84JPt Dekaron_JPt X77cjckcIB84TWt Dekaron_TWt X77cjckcIB84THt Dekaron_THt X77cjckcIB84PHt Dekaron_PHt X77cjckcIB84USt Dekaron_USt X77cjckcIB84KRt Dekaron_KRt aFccpckcIB7yJPt GoGoXing_JPt FF7cjcycIB38CNt Aceonline_CNt Y57cdckcIB4aKRt Zombie_KRt B77cjcXcIB8LJPt SpellBorn_JPt _97cpcxcIB3ATWt Pristontale_TWt iScckckcIB7FKRt MetalRage_KRt pmccPckcIB7nKRt Spring_KRcby HellSpider
Please register or login to download attachments.
Reply With Quote