[Bug 36671] AVA from Aeria Games does not start with "Xigncode error 0xe0ff0009"

wine-bugs at winehq.org wine-bugs at winehq.org
Thu Nov 13 16:29:39 CST 2014


https://bugs.winehq.org/show_bug.cgi?id=36671

Anastasius Focht <focht at gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |download, obfuscation
             Status|UNCONFIRMED                 |NEW
                URL|                            |http://download.aeriagames.
                   |                            |com/files/games/us/ava/csd/
                   |                            |ava_us_downloader.exe
                 CC|                            |focht at gmx.net
            Version|unspecified                 |1.7.19
     Ever confirmed|0                           |1

--- Comment #3 from Anastasius Focht <focht at gmx.net> ---
Hello folks,

confirming.

AVA is protected by the XIGNCODE3 anti-cheat engine, which is a replacement for
GameGuard.

So garbage got swapped out with garbage.

http://www.wellbia.com/dp/?q=en/node/24

List of implemented "features":

--- quote ---
An accurate activation system

    Detection of non-client bots using the "One-time executable code" patent
    Reject general hacking tools and mutants using the "Win32 API calling pattern
and frequency" patent
    Game management company is able to manage illegal system/MAC address/user
account/reject hardware
    Emergency pattern creation tool provided (Game management company is able to
handle it)
    Detect and reject VPN access (Game management company is able to handle it)
    Detect DirectX modulation and illegal calls
    Detect WDDM driver modulation
    Detect modification of time-related functions
    Detect time modification via time server
    Detect game client local time modification
    Detect major kernel function modification
    Detect DLL injection
    Detect virtual memory code injection
    Detect harmful threads
    Detect harmful window creation in game
    Detect keyboard hijacking in game
    Detect illegal control of DHCP
    Detect Nuking/drop hack
    Detect auto click
    Detect software/hardware macros
    Detect message hooks
    Detect multiple clients
    Detect VEH/SEH modification and registration
    Check game client hash
    Detect calls to specific functions in game
    Detect game resource modification
    Reject game process memory accessing
    Reject game process handle accessing
    Reject game process message transmission
    Reject game process keyboard/mouse input transmission
    Reject game window GDI accessing
    Reject debug interrupt handler modification
    Reject calling kernel functions directly
    Reject stealth process/module/driver
    Reject kernel/user mode debugging
    Detect execution in virtual environment
--- quote ---

Several executables are wrapped with the Themida protection scheme:

--- snip ---
-=[ ProtectionID v0.6.5.5 OCTOBER]=-
(c) 2003-2013 CDKiLLER & TippeX
Build 31/10/13-21:09:09
Ready...
Scanning -> C:\AeriaGames\AVA\Binaries\AVA.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 7314944 (06F9E00h) Byte(s)
[File Heuristics] -> Flag : 00000000000001001101000000110011 (0x0004D033)
[Entrypoint Section Entropy] : 4.09
[!] Themida v2.0.1.0 - v2.1.8.0 (or newer) detected !
[i] Hide PE Scanner Option used
- Scan Took : 0.571 Second(s) [00000023Bh tick(s)] [533 scan(s) done]

Scanning -> C:\AeriaGames\AVA\Binaries\XIGNCODE.USA\x3.xem
File Type : 32-Bit Dll (Subsystem : Win GUI / 2), Size : 1548808 (017A208h) Byte(s)
-> File Appears to be Digitally Signed @ Offset 0178E00h, size : 01408h / 05128 byte(s)
[File Heuristics] -> Flag : 00000000000001001101010000110111 (0x0004D437)
[Entrypoint Section Entropy] : 4.07
[!] Themida v2.0.1.0 - v2.1.8.0 (or newer) detected !
[i] Hide PE Scanner Option used
- Scan Took : 0.335 Second(s) [00000014Fh tick(s)] [229 scan(s) done]
--- snip ---

From some game hacker site:

--- quote ---
splash.xem  -->  splash.bmp  -->  XIGNCODE Splash Bitmap
tray.xem    -->  tray.ico    -->  XIGNCODE Tray Icon
x3.xem      -->  x3.dll      -->  XIGNCODE System
xm.exe      -->  xm.exe      -->  XIGNCODE Message Printer
xmag.xem    -->  xmag.xem    -->  XIGNCODE File Archive
xsg.xem     -->  xsg.dll     -->  XIGNCODE System Guard
xxd.xem     -->  xxd.dll     -->  XIGNCODE WatchDog Process
--- quote ---

Doesn't like relay, nor running or attached debuggers (crapload of watcher
threads) :)
Fixing some of the insufficiencies can help Wine achieve better compatibility
with other apps/games, but I doubt it can make this scheme fully work.

Besides dealing with native API and low level structures in invasive ways, it
has a kernel driver part which probably employs nasty trickery to detect
kernel/usermode hooks, which Wine is not made for.

$ ls -1hs
total 2.9G
3.4M aeria_ignite_install.exe
2.9G ava_gamedata_v9.exe
568K ava_us_installer_20140905.exe
280K DotNetFx35ClientSetup.exe

$ sha1sum *
76fdde78caaf472d2cbdc0b858d02bbd9fafb42b  aeria_ignite_install.exe
8e22137db59d7c64c89e93fea1c9cf5546b43344  ava_gamedata_v9.exe
3a5c5eb7c0aa6d7de9bb4fae3608176dd90a3792  ava_us_installer_20140905.exe
2d1200a3f30b4f9a377950c7258c75e1f7293e58  DotNetFx35ClientSetup.exe

$ wine --version
wine-1.7.30-181-gffd3135

Regards
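Added example, not code from the bug report, from Wine or from XIGNCODE: it shows the two checks the comment above leans on, what container type is actually behind each renamed .xem file (decided by magic bytes rather than by extension) and the entry-point section entropy figure that ProtectionID prints. The PE parser follows the public PE32/PE32+ header layout; the sample files, their section names (".packed" is an invented label) and the "above ~7 bits per byte means compressed or encrypted" rule of thumb are constructed or assumed here, not taken from the page.

```python
"""Identify renamed XIGNCODE-style ".xem" files by magic bytes and compute the
entropy of the PE section holding the entry point (the heuristic ProtectionID
prints). Added example, not code from the bug report, Wine or XIGNCODE; every
sample file is constructed in memory, so nothing is read from disk."""
import math
import struct

# Container types behind the .xem names listed on the page, keyed by magic bytes.
MAGIC = [
    (b"MZ", "PE image (.exe/.dll)"),
    (b"BM", "BMP bitmap"),
    (b"\x00\x00\x01\x00", "ICO icon"),
]


def identify(data: bytes) -> str:
    """Classify by leading bytes; the .xem extension itself tells you nothing."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one (>~7: packed)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def entrypoint_section_entropy(pe: bytes):
    """Find the section containing AddressOfEntryPoint; return (name, entropy of its raw bytes)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER (20 bytes)
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                                        # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]  # same offset in PE32 and PE32+
    sec_table = opt + size_opt
    for i in range(num_sections):
        s = sec_table + 40 * i                             # IMAGE_SECTION_HEADER (40 bytes)
        name = pe[s:s + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, s + 8)
        if vaddr <= entry_rva < vaddr + max(vsize, raw_size):
            return name, shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])
    raise ValueError("entry point is not inside any section")


def build_pe(sections):
    """Construct a minimal, non-loadable PE32 whose entry point is the first byte of
    the first section. sections: list of (name, raw_bytes). Demo input only."""
    align = lambda n, a: (n + a - 1) // a * a
    file_align, sect_align, size_opt, e_lfanew = 0x200, 0x1000, 224, 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, sect_align)            # AddressOfEntryPoint
    hdr_size = align(e_lfanew + 4 + 20 + size_opt + 40 * len(sections), file_align)
    headers, body, raw_ptr, vaddr = b"", b"", hdr_size, sect_align
    for name, data in sections:
        raw_size = align(len(data), file_align)
        headers += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data),
                               vaddr, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        vaddr += align(max(len(data), 1), sect_align)
    return (dos + b"PE\0\0" + coff + bytes(opt) + headers).ljust(hdr_size, b"\0") + body


# Constructed stand-ins for the .xem files named on the page (contents are invented).
SAMPLES = {
    "splash.xem": b"BM" + b"\0" * 64,
    "tray.xem": b"\x00\x00\x01\x00" + b"\0" * 64,
    # plain stub: two opcodes alternating, entropy exactly 1.0
    "xsg.xem": build_pe([(".text", b"\x90\xc3" * 256), (".data", b"\0" * 0x200)]),
    # "packed" stub: every byte value twice, entropy exactly 8.0
    "x3.xem": build_pe([(".packed", bytes(range(256)) * 2)]),
}


def scan(files=SAMPLES):
    """Return {name: (container_type, entry_section_or_None, entropy_or_None)}."""
    report = {}
    for name, data in files.items():
        kind = identify(data)
        sect, ent = entrypoint_section_entropy(data) if kind.startswith("PE") else (None, None)
        report[name] = (kind, sect, ent)
    return report


if __name__ == "__main__":
    for name, (kind, sect, ent) in scan().items():
        extra = f"  entry section {sect}  entropy {ent:.2f}" if sect else ""
        print(f"{name:12} {kind}{extra}")
```

The ProtectionID output quoted above is the caveat to keep in mind when reading the entropy column: the Themida-wrapped AVA.exe and x3.xem report entry-point section entropies of 4.09 and 4.07, nowhere near the 7+ that compressed or encrypted code usually shows, yet both are flagged as Themida. Entropy only narrows the triage; the protector identification comes from signature scans, which is why ProtectionID reports both.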
