XIGNCODE - Driver Bypass

08/27/2017 15:24 iMostLiked#1
Since there haven't been many releases lately, I decided to post my driver bypass for xigncode. If you use this and an undetected memory scanner like CrySearch, you'll be able to scan wolfteam's memory without any problems. Cheat Engine doesn't work; if you want to use this with Cheat Engine, you have to download [Only registered and activated users can see links. Click Here To Register...], change a lot and compile it.

Note: This doesn't bypass the whole xigncode anti cheat system and you'll not be able to call d3d9 functions. It's only memory based. It does bypass Heartbeat. You won't get kicked after 5 minutes.

C++
Code:
bool DriverBypass(int pID) 
{
	HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, pID);
	if (!hProcess) {
		return false;
	}

	HMODULE hMod = LoadLibrary("advapi32.dll");
	if (!hMod) {
		return false;
	}

	LPVOID dwSSA = (LPVOID)GetProcAddress(hMod, "StartServiceA");
	LPVOID dwOSW = (LPVOID)GetProcAddress(hMod, "OpenServiceW");
	if (!dwSSA || !dwOSW) {
		return false;
	}

	byte wByte[] = { 0xC2, 0x0C, 0x00 };
	if (!WriteProcessMemory(hProcess, dwSSA, &wByte, sizeof(wByte), NULL)) {
		return false;
	}
	if (!WriteProcessMemory(hProcess, dwOSW, &wByte, sizeof(wByte), NULL)) {
		return false;
	}

	return true;
}

// int pID = process id of "Wolfteam.bin"

Please don't ask me how to include this in your hack. I finished coding hacks for wolfteam 2 years ago, it's only a method I want to share with you. It does also work for other games that use xigncode.

-----

For the lazy ones:

Download: See attachment
VirusTotal: [Only registered and activated users can see links. Click Here To Register...]

Instructions:
1.) Start "drvbp.exe" as admin
2.) Start Wolfteam
3.) Wait until the window shows "Bypassed", like this:

[Only registered and activated users can see links. Click Here To Register...]


4.) Enjoy
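
Added example, not part of the original post and not code from the anti-cheat vendor: the bytes `C2 0C 00` written above decode to x86 `ret 0Ch`, so the patched `StartServiceA` and `OpenServiceW` (three stdcall arguments each, 12 bytes) return immediately. A defender can catch this by comparing each function's live entry bytes with the same bytes from a trusted copy of the module. The sample byte arrays are constructed, and `check_entry` is a hypothetical helper; obtaining the live and reference bytes on a real system is assumed to happen elsewhere.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

enum class Verdict { Clean, Modified, EarlyReturn };

struct Finding {
    Verdict verdict;
    std::size_t first_diff;  // offset of first mismatching byte (n if none)
    unsigned stack_bytes;    // operand of a leading `ret imm16`, else 0
};

// Constructed sample bytes (not dumped from a real advapi32.dll).
static const std::uint8_t kReference[5] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC}; // mov edi,edi; push ebp; mov ebp,esp
static const std::uint8_t kPatched[5]   = {0xC2, 0x0C, 0x00, 0x8B, 0xEC}; // ret 0Ch written over the entry
static const std::uint8_t kDetoured[5]  = {0xE9, 0x10, 0x20, 0x30, 0x40}; // jmp rel32, a different kind of edit

// Compare live entry bytes with trusted reference bytes and classify the result.
Finding check_entry(const std::uint8_t* live, const std::uint8_t* ref, std::size_t n) {
    Finding f{Verdict::Clean, n, 0};
    for (std::size_t i = 0; i < n; ++i) {
        if (live[i] != ref[i]) { f.first_diff = i; f.verdict = Verdict::Modified; break; }
    }
    if (f.verdict == Verdict::Clean) return f;   // also covers n == 0
    if (live[0] == 0xC3) {                       // ret
        f.verdict = Verdict::EarlyReturn;
    } else if (n >= 3 && live[0] == 0xC2) {      // ret imm16, little-endian operand
        f.verdict = Verdict::EarlyReturn;
        f.stack_bytes = static_cast<unsigned>(live[1]) |
                        (static_cast<unsigned>(live[2]) << 8);
    }
    return f;
}

const char* verdict_name(Verdict v) {
    switch (v) {
        case Verdict::Clean:       return "clean";
        case Verdict::Modified:    return "modified";
        default:                   return "early-return stub";
    }
}

int main() {
    const std::uint8_t* samples[] = {kReference, kPatched, kDetoured};
    for (const std::uint8_t* s : samples) {
        Finding f = check_entry(s, kReference, 5);
        std::printf("%s (first diff at %zu, ret pops %u bytes)\n",
                    verdict_name(f.verdict), f.first_diff, f.stack_bytes);
    }
    return 0;
}
```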

08/28/2017 00:59 PavexDesigns#2
awesome work

thanks bro
08/28/2017 13:53 killzone#3
Any way to update this to work with different binary, per se Blade & Soul?
08/28/2017 14:26 iMostLiked#4
Quote:
Originally Posted by killzone View Post
Any way to update this to work with different binary, per se Blade & Soul?
I've posted the method I use above.

There's no guarantee that this will work for all games using xigncode, but I think it should.
08/28/2017 17:32 sakiriye#5
Can u share source code of drvbp.exe ?
08/28/2017 18:59 iMostLiked#6
Quote:
Originally Posted by sakiriye View Post
Can u share source code of drvbp.exe ?
No, I posted 90% of the source already above.

You only have to detect the process id and you're done.. if you are going to use it for wolfteam then use the .exe I already compiled, otherwise you have to make your own thoughts.
08/29/2017 20:35 leftspace#7
It doesn't bypass heartbeat, dude :) (because xhunter1.sys doesn't have a heartbeat). It just disables the start of xhunter1.sys, that's all.

xhunter1.sys uses ObRegisterCallbacks; it blocks your process & thread access.
08/29/2017 20:45 iMostLiked#8
Quote:
Originally Posted by leftspace View Post
It doesn't bypass heartbeat, dude :) (because xhunter1.sys doesn't have a heartbeat). It just disables the start of xhunter1.sys, that's all.

xhunter1.sys uses ObRegisterCallbacks; it blocks your process & thread access.
Whether it bypasses heartbeat or not, the fact that you'll not be kicked after 5, 30 or even 600 minutes is true, so there's nothing disturbing you in searching through wolfteam's or other games' memory.
01/26/2018 17:59 yowfurry#9
Seems to be detected, or? I'm getting kicked from server for using an illegal program (not x3 message, but ingame message). Using CrySearch.
01/27/2018 18:52 iMostLiked#10
Quote:
Originally Posted by yowfurry View Post
Seems to be detected, or? I'm getting kicked from server for using an illegal program (not x3 message, but ingame message). Using CrySearch.
There's a chance that this got detected, but I don't know to 100%.
You can try doing nothing for 5 minutes, if you get kicked this is probably detected.
01/27/2018 21:05 __chkstk#11
Quote:
Originally Posted by iMostLiked View Post
There's a chance that this got detected, but I don't know to 100%.
You can try doing nothing for 5 minutes, if you get kicked this is probably detected.
It cannot break the xigncode heartbeat; he's probably going to get kicked after 5 minutes. But that does not make it detected. You can do a lot of shit in 5 minutes :bandit: