  1. #1
    desayer

    Xingcod3 Analysis

    I WANT HELP TO MAKE BYPASS FOR THIS AC ALL ATM INFORMATIONS HERE:

    List of files:
    Code:
    splash.xem		--> splash.bmp		--> XIGNCODE Splash Bitmap
    tray.xem		--> tray.ico		--> XIGNCODE Tray Icon
    vashj.xem		--> vashj.dll		--> XIGNCODE Core System
    x3.xem			--> x3.dll		--> XIGNCODE System
    xdna.xem		--> xdna.dll		--> XIGNCODE DNA
    xm.exe			--> xm.exe		--> XIGNCODE Message Printer
    xmag.xem		--> xmag.xem		--> ????
    xnina.xem		--> xnina.xem		--> ????
    xnoa.xem		--> xnoa.xem		--> ????
    xsg.xem			--> xsg.dll		--> XIGNCODE System Guard
    xxd.xem			--> xxd.dll		--> XIGNCODE WatchDog Process
    Loading of x3.xem:

    Spoiler



    with Charles Proxy


    xigncode uses this to load/dl xxd.xem: xigncode.cdnetworks.net/xigncode/PatchRoot/Ze7cxckcIB4rna/List/30085/xxd.xem/68f68bfa514457645522f3893fafff50/xxd.xem

    That can't be done just because it is a virtual machine. It's not stolen bytes that you can trace easily. Themida VM works this way, it obfuscates the real code, then translates the obfuscated stuff into its own VM opcodes, and then the newer versions even obfuscate the VM handlers.

    Consider this piece of code:

    Spoiler



    Can you resolve what it does, because I can't (it's supposed to be only some lines of real code)

    (Note! It's just an example, it's just a small part of the VM code)

    Just some extra info.

    XIGN seems to communicate with this URL 222.231.57.223/x2/xls2.cg

    The file seems to return +100. which I believe is a good code and +300. for errors.

    Random folder names that may contain Xign files.

    Base URL: xigncode.cdnetworks.net/xigncode/PatchRoot

    Code:
    X77cjckcIB84CNt   Dekaron_CNt
    Ze7cxckcIB4rUSt   SuddenAttack_USt
    S37cccjcVi8vKRs   Wellbia.comt
    FF7cjcycIB38TWt   Aceonline_TWt
    _97cpcxcIB3AJPt   Pristontale_JPt
    lX7cjcxcIB4PTWt   Pristontale2_TWt
    X77cjckcIB84JPt   Dekaron_JPt
    X77cjckcIB84TWt   Dekaron_TWt
    X77cjckcIB84THt   Dekaron_THt
    X77cjckcIB84PHt   Dekaron_PHt
    X77cjckcIB84USt   Dekaron_USt
    X77cjckcIB84KRt   Dekaron_KRt
    aFccpckcIB7yJPt   GoGoXing_JPt
    FF7cjcycIB38CNt   Aceonline_CNt
    Y57cdckcIB4aKRt   Zombie_KRt
    B77cjcXcIB8LJPt   SpellBorn_JPt
    _97cpcxcIB3ATWt   Pristontale_TWt
    iScckckcIB7FKRt   MetalRage_KRt
    pmccPckcIB7nKRt   Spring_KRc
    by HellSpider

    Virustotal result: 9%

  3. #2
    Dwar

    Re: [REQUEST] XINGCOD3 BYPASS ALL DETAILS

    Good compilation of useful data. But don't forget about authors. As I know most part of this information was written by HellSpider
    Please, post your questions on forum, not by PM or mail

    I spend my time, so please pay a little bit of your time to keep world in equilibrium

  4. #3
    desayer
    dwar and possibly help me on something? I do not know to remove the protection or something to think about bypass?

  5. #4
    Dwar
    Quote: Originally Posted by desayer
    I do not know to remove
    I can't help with it. I don't analyze it

  6. #5
    inesbrasil
    (option 1)

    42425E 90
    F E9

    (option 2)

    42410F 90
    10 90
    This is a code check bypass. This should allow us to use the files without the client getting pissy.

  7. #6
    h4x0r
    90% there are additional checks. Anyway interesting protection

  8. #7
    inesbrasil
    this should allow us to use the files without the client getting pissy.

  10. #8
    Sensus
    Actually, nice work and thanks for sharing.
    But I'm sure I saw some things on another Forum, so maybe drag in the Credits

    Xigncode is not easy to bypass- trying on AVA atm.
