
XIGNCODE DISCUSSION!


Comments

  • MistyTera wrote: »
    Also from maple-story site it states

    xxd.xem file detected and deleted via anti-virus program. So it's actually looking to corrupt an anti-virus program? THE FUDGE?!

    hhhh.png

    x3.xem -> x3.dll (Themida / Winlicense v2.x) -> System XIGNCODE3
    xcorona.xem -> xcorona.dll (Themida / Winlicense v2.x) -> System XIGNCODE3
    xcorona_x64.xem -> xcorona_x64.dll (Themida / Winlicense v2.x) -> System XIGNCODE3
    xmag.xem -> xmag.xem (Code Virtualizer) -> XIGNCODE3 file
    xnina.xem -> xnina.xem (Not Packed) -> XIGNCODE3 file
    xxd-0.xem -> xxd.dll (Not Packed) -> XIGNCODE `WatchDog` process

    - XIGNCOD3 detects thread creations from the kernel level, and then checks to see if the start address comes from the white system / whitelist legal modules (not the legitimate modules or the white zone's memory strip). This gives an end to the game.
    - XIGNCOD3 has its own drivers: Vtany.sys (what is this...?) and xhunter1.sys (kernel-mode driver used to monitor different API calls through return address, minimize windows, block memory scan)
    - x3.xem uses inverted polynomial crc32
    - Xigncode SDK loads x3.xem as a normal DLL (LoadLibraryA). After that, the only x3.xem export will be called with a constant as a function parameter. The constant defines which direction of function to retrieve. Then the address of the recovered function is called
    - x3.xem is the module of the loader that reads xmag.xem and manually "maps" around 5-10 different modules in the process space.
    - x3.xem maps only a few modules; the rest is mapped manually and recursively from manually mapped modules
    - x3.xem removes process attachments from external attachments to prevent tools from reading game memory
    - xmag.xem is a custom archive file containing about 20 different .xem files (data file)
    - XIGNCOD3 records all files and routes you have modified in the last ~48 hours and all executables with pre-search files in your records
    - x3.xem and xdd.xem use NtSetInformationThread with the ThreadHideFromDebugger flag in the core threads of the process
    - xdd.xem uses RPM (ReadProcessMemory) to read the first 0xC8 bytes (?) of the address of the function that identifies the process
    - xdd.xem checks if the loops and / or threads are open and linked to the game process from external tools; if you know, it is minimized
    - XIGNCOD3 uses the [send / recv] functions of winsock2_32

    It creates kernel drivers to get access to your computer. ANTI-VIRUS INSTALLS KERNEL-MODE DRIVERS ON THE COMPUTER, BUT WHEN A COMPUTER CRASHES, THAT'S NOT RIGHT! XIGNCODE reverse engineering is a joke!

    I think you might have read something backwards here. You seem to have found evidence of an antivirus program corrupting xigncode and not the other way around. I'll take a look in my wine bottle and see if I can find this vtany.sys.
  • I did not find a vtany.sys in the wine bottle I have TERA installed to. TERA is currently broken for me, though.
  • MistyTera wrote: »
    Try something and make sure command prompt is admin!

    netstat -ano and netstat -nfb. You will know what's it doing by IP established connection and process! WELLBIA NEEDS TO BE SUED!

    I've dealt with viruses before! By the way netstat -ano will tell you if something is stealing information like WELLBIA! Check while it's running and look up IPs. EME doesn't count!

    Netstat gives information about network connections. I'm fairly sure it's not going to tell you what is being sent, though. Using this logic, you might as well not even run TERA since it will open network connections. Regardless, EME should really come out and give us more information about their variant of xigncode since it quite clearly appears different than what many of the online reports report.
  • MistyTera wrote: »
    RandomElin wrote: »
    MistyTera wrote: »
    Try something and make sure command prompt is admin!

    netstat -ano and netstat -nfb. You will know what's it doing by IP established connection and process! WELLBIA NEEDS TO BE SUED!

    I've dealt with viruses before! By the way netstat -ano will tell you if something is stealing information like WELLBIA! Check while it's running and look up IPs. EME doesn't count!

    Netstat gives information about network connections. I'm fairly sure it's not going to tell you what is being sent, though. Using this logic, you might as well not even run TERA since it will open network connections. Regardless, EME should really come out and give us more information about their variant of xigncode since it quite clearly appears different than what many of the online reports report.

    What part of network connections do you not understand? It will tell you if anything is established to send information as in packets. I want to know if anything comes up as suspicious. If anyone wants to test, be my guest. HECK NO I'M NOT GOING THERE! Paranoid? A little, but seriously I still had files in my REGISTRY! If it sends information some other way, undetected, I'm no genius to figure out how that works! Let me play detective!

    There wouldn't necessarily be anything suspicious about xigncode sending packets, though. From what I gather, it includes a heartbeat. This means the server periodically communicates with it to ensure it is running. It may have other legitimate reasons as an anti-cheat for network connectivity as well. I'm not sure what you are expecting to prove with netstat. If you think the packets might contain inappropriate information, try using something like a packet sniffer to examine them. If it encrypts its communications, not sure if a packet sniffer would actually tell you much, though.

    For the record, my preference is still for EME to remove xigncode so that I can get back to playing TERA NA. At the rate this is going, I might have to move to TERA EU.
  • MistyTera wrote: »
    RandomElin wrote: »
    MistyTera wrote: »
    RandomElin wrote: »
    MistyTera wrote: »
    Try something and make sure command prompt is admin!

    netstat -ano and netstat -nfb. You will know what's it doing by IP established connection and process! WELLBIA NEEDS TO BE SUED!

    I've dealt with viruses before! By the way netstat -ano will tell you if something is stealing information like WELLBIA! Check while it's running and look up IPs. EME doesn't count!

    Netstat gives information about network connections. I'm fairly sure it's not going to tell you what is being sent, though. Using this logic, you might as well not even run TERA since it will open network connections. Regardless, EME should really come out and give us more information about their variant of xigncode since it quite clearly appears different than what many of the online reports report.

    What part of network connections do you not understand? It will tell you if anything is established to send information as in packets. I want to know if anything comes up as suspicious. If anyone wants to test, be my guest. HECK NO I'M NOT GOING THERE! Paranoid? A little, but seriously I still had files in my REGISTRY! If it sends information some other way, undetected, I'm no genius to figure out how that works! Let me play detective!

    There wouldn't necessarily be anything suspicious about xigncode sending packets, though. From what I gather, it includes a heartbeat. This means the server periodically communicates with it to ensure it is running. It may have other legitimate reasons as an anti-cheat for network connectivity as well. I'm not sure what you are expecting to prove with netstat. If you think the packets might contain inappropriate information, try using something like a packet sniffer to examine them. If it encrypts its communications, not sure if a packet sniffer would actually tell you much, though.

    For the record, my preference is still for EME to remove xigncode so that I can get back to playing TERA NA. At the rate this is going, I might have to move to TERA EU.

    What are your problems with XIGNCODE? I just know that I had a BSOD with XIGNCODE. As far as I can tell, I had Xhunter1 on my laptop computer! The desktop I did not. I download the game on desktop and transferred the game to an external drive. I looked for Vtany and all .xems, I didn't have it on laptop. I played Blade&Soul and Skyforge.

    xhunter1.png

    With netstat -ano it will tell you what IP is established.

    netstat -nfb will tell what foreign address IP is established and process of exe...it's the best! :)

    netstat_nfb.png

    Most is just Microsoft for now.

    So it could tell you what XIGNCODE is establishing to (It might). That's playing detective. Play detective, if you want. TERA.EXE and launcher will show as established.

    By the way the xxd.xem file detected and deleted via anti-virus program. I read that correctly!

    My main problem with xigncode at this point is it breaks support for non-windows operating systems. I was playing on a non-windows operating system. For a while I thought it was a rootkit, but now I suspect TERA NA's version just runs as a regular process. Still, if it requires admin access, that is still too much access for it in my opinion. Based upon all the problems it is causing, sounds like it is quite buggy. A buggy admin program reading a bunch of files. Since files it reads could be crafted by regular users, sounds like a potential security hole to me. Say some malicious code creates a specially crafted file to exploit a bug in xigncode and get admin access. If it turns out that it can be limited to running as a regular user, that would be good for security. TERA NA would still be broken for non-windows operating systems, though.

    You are right that netstat should be able to give some information in regard to network connections xigncode may make. It can't really tell you what it is sending, though.
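The two posts above use netstat -ano and netstat -nfb to see which process owns which established connection. The following is an added example, not code from the thread or from any of its participants: it does the same mapping from PowerShell so the output can be filtered and sorted, and, like netstat, it shows endpoints and owning processes only, never payload contents. It assumes Windows 8 / Server 2012 or newer (for Get-NetTCPConnection) and an elevated prompt so that every process's path is readable; the default name pattern is a constructed one built from the process and file names mentioned in the thread.

```powershell
# Added example: list established TCP connections together with the owning process,
# the PowerShell equivalent of "netstat -ano" plus "netstat -nfb" (-f = resolve names,
# -b = show the executable). Run from an elevated prompt.
param(
    # Constructed filter: process names / paths to keep. Empty string keeps everything.
    [string]$NamePattern = 'TERA|xigncode|xxd|xhunter',
    # Resolve remote IPs to host names, like netstat -f (slow on many connections).
    [switch]$Resolve
)

# Snapshot processes once and index them by PID so each connection is a hash lookup.
$procs = @{}
Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

function Resolve-RemoteHost([string]$Address) {
    # Reverse lookup with a fallback: many endpoints have no PTR record.
    try   { ([System.Net.Dns]::GetHostEntry($Address)).HostName }
    catch { $null }
}

$rows = Get-NetTCPConnection -State Established | ForEach-Object {
    $p = $procs[[int]$_.OwningProcess]          # $null if the process already exited
    [pscustomobject]@{
        Process       = if ($p) { $p.ProcessName } else { '(exited)' }
        PID           = $_.OwningProcess
        Path          = if ($p) { $p.Path } else { $null }   # $null when not elevated
        LocalAddress  = $_.LocalAddress
        LocalPort     = $_.LocalPort
        RemoteAddress = $_.RemoteAddress
        RemotePort    = $_.RemotePort
        RemoteHost    = if ($Resolve) { Resolve-RemoteHost $_.RemoteAddress } else { '' }
    }
}

if ($NamePattern) {
    $rows = $rows | Where-Object {
        $_.Process -match $NamePattern -or ($_.Path -and $_.Path -match $NamePattern)
    }
}

$rows | Sort-Object Process, RemoteAddress, RemotePort | Format-Table -AutoSize
```

Without -NamePattern '' the table is limited to the matched processes, which is the "look up IPs per process" step the thread describes; pass -Resolve to get the host names that netstat -f would print. Note that this only proves that a connection exists and who owns it: whether the traffic carries anything objectionable needs a packet capture, and if the channel is encrypted even that will show little, as the reply above points out.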
  • I rarely use the boards but I came here when I first saw the Xigncode logo pop up. So I didn't get any advance warning. I'd rather not have a game change how windows works, much less doing so without any chance to avoid it.

    Since it already modified my system, I logged in a few more times. Tera loads up noticeably slower and inventory/bank stuff is slower for me as well. It also froze up when accessing a shop. I didn't try any combat or dungeons.
  • sum1 wrote: »
    I rarely use the boards but I came here when I first saw the Xigncode logo pop up. So I didn't get any advance warning. I'd rather not have a game change how windows works, much less doing so without any chance to avoid it.

    Since it already modified my system, I logged in a few more times. Tera loads up noticeably slower and inventory/bank stuff is slower for me as well. It also froze up when accessing a shop. I didn't try any combat or dungeons.

    Not sure if TERA NA's xigncode is actually running as anything more than an admin level daemon, though. However, based upon the reports of blue screens and such, it may be touching things it shouldn't really be touching. The significantly increased lag that many are reporting also isn't good. I haven't even been able to launch the client post-xigncode since I'm not running windows.
  • Christin ✭✭✭
    I'd just like to remind those downloading bypasses to be careful and watch out. Those other cheats and programs could compromise your systems as well if they contain viruses.
    ElinUsagi wrote: »
    nah, forget it, it is just paranoia

    EU laws have not enforced any game that uses Xigncode over there to be removed from their games.
    clfarron4 wrote: »
    You can find this comment in an unofficial TERA Discord if you wish to view it yourself.

    Yeah, this is my point. So many of you are saying Xigncode is peachy, because they are allowing it over in EU. However, that is not the case at all. It is against their new laws, but I highly doubt they'll be enforcing those new laws right away. They most likely will only lean against those laws if a major data breach occurs.
    Well I've been without a pc since the patch as the damn thing bricked my SSD. On my 3rd attempt to log in after the patch (numerous memory errors, followed by a BSOD halfway through the Xigncod3 launch bar) my SSD refuses to be recognized and my pc says no boot device. The pc ran fine with no issues for years; suddenly I update tera with the new malware and bam, no pc. Can't even diagnose it right now. Now I've got to waste money I don't have on another hard drive. So pissed off with eme/bhs right now. Most likely won't be reinstalling Tera until they remove this crap.

    If there's ever a class action lawsuit that is successful against XIGNCODE, you should be entitled to some money to replace the damaged SSD hardware. Unfortunately a single individual's attempt at a lawsuit is impossible; the cost alone for 1 hr of legal advice would cost you more than an SSD would.

    There will never be a class action suit, because all EME has to say is "prove it." Plus, if there was any judgement or BHS thought it would lose, they'd just bankrupt EME and close the doors. It would be extremely tough for any lawyer to be able to get any kind of settlement from an overseas company. Hence why BHS is only suing Epic in South Korea, and they aren't even bothering to open the suit up to other countries.
  • well just wanted to say, someone made a thread and it was closed fast so someone from EME is watching the forums...

    Anyway I was told by a friend who is good with PCs and knows a good bit about xing, has known about it for 6 years. So my friend noticed it seems to make TERA laggy and you lose FPS. The main thing my friend said though was it is very unfriendly with old hardware and can push it to its end, which could have been near. Which is why those with newer hardware see very little to no problems with xing.
  • MarcusCrassus ✭✭✭
    edited June 2018
    Well in my case with i5 2500k, 8gb and a 1060 6gb... This was the bye-bye for me.
    The only fun part about the game for me, FWC and CS, was destroyed by xing code's HARD fps drop.
This discussion has been closed.