[Bug 36671] AVA from Aeria Games does not start with "Xigncode error 0xe0ff0009"
wine-bugs at winehq.org
Thu Nov 13 16:29:39 CST 2014
https://bugs.winehq.org/show_bug.cgi?id=36671
Anastasius Focht <focht at gmx.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Keywords| |download, obfuscation
Status|UNCONFIRMED |NEW
URL| |http://download.aeriagames.com/files/games/us/ava/csd/ava_us_downloader.exe
CC| |focht at gmx.net
Version|unspecified |1.7.19
Ever confirmed|0 |1
--- Comment #3 from Anastasius Focht <focht at gmx.net> ---
Hello folks,
confirming.
AVA is protected by XIGNCODE3 anti-cheat engine which is a replacement for
GameGuard.
So garbage got swapped out with garbage.
http://www.wellbia.com/dp/?q=en/node/24
List of implemented "features":
--- quote ---
An accurate activate system
Detection non-client bot via using "One-time executable code" patent
Reject general hacking tool and mutant via using "Win32 API calling pattern
and frequency" patent
Game management company is able to manage illegal system/Mac address/user
account/reject hardware
Emergency pattern creating tool provide (Game management company is able to
handle it)
Detect and reject VPN access (Game management company is able to handle it)
Detect of DirectX modulation and illegal call
Detect of WDDM driver modulation
Detect modified of function about time
Detect time modified via using time server
Detect of game client local time modification
Detect of major kernel function modification
Detect DLL injection
Detect virtual memory code injection
Detect harmful thread
Detect harmful window creation in game
Detect keyboard hijacking in game
Detect illegal control of DHCP
Detect Nuking/drop hack
Detect auto click
Detect software/hardware macro
Detect message hook
Detect multi client
Detect VEH/SEH modify and register
Check game client hash
Detect call specific function in game
Detect game resource modification
Reject game process memory accessing
Reject game process handle accessing
Reject game process message transmission
Reject game process keyboard/mouse input transmission
Reject game window GDI accessing
Reject debug interrupt handler modification
Reject calling kernel function directly
Reject stealth process/module/driver
Reject kernel/user mode debugging
Detect executed on virtual environment
--- quote ---
Several executables are wrapped with the Themida protection scheme:
--- snip ---
-=[ ProtectionID v0.6.5.5 OCTOBER]=-
(c) 2003-2013 CDKiLLER & TippeX
Build 31/10/13-21:09:09
Ready...
Scanning -> C:\AeriaGames\AVA\Binaries\AVA.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 7314944 (06F9E00h) Byte(s)
[File Heuristics] -> Flag : 00000000000001001101000000110011 (0x0004D033)
[Entrypoint Section Entropy] : 4.09
[!] Themida v2.0.1.0 - v2.1.8.0 (or newer) detected !
[i] Hide PE Scanner Option used
- Scan Took : 0.571 Second(s) [00000023Bh tick(s)] [533 scan(s) done]
Scanning -> C:\AeriaGames\AVA\Binaries\XIGNCODE.USA\x3.xem
File Type : 32-Bit Dll (Subsystem : Win GUI / 2), Size : 1548808 (017A208h) Byte(s)
-> File Appears to be Digitally Signed @ Offset 0178E00h, size : 01408h / 05128 byte(s)
[File Heuristics] -> Flag : 00000000000001001101010000110111 (0x0004D437)
[Entrypoint Section Entropy] : 4.07
[!] Themida v2.0.1.0 - v2.1.8.0 (or newer) detected !
[i] Hide PE Scanner Option used
- Scan Took : 0.335 Second(s) [00000014Fh tick(s)] [229 scan(s) done]
--- snip ---
From some game hacker site:
--- quote ---
splash.xem --> splash.bmp --> XIGNCODE Splash Bitmap
tray.xem --> tray.ico --> XIGNCODE Tray Icon
x3.xem --> x3.dll --> XIGNCODE System
xm.exe --> xm.exe --> XIGNCODE Message Printer
xmag.xem --> xmag.xem --> XIGNCODE File Archive
xsg.xem --> xsg.dll --> XIGNCODE System Guard
xxd.xem --> xxd.dll --> XIGNCODE WatchDog Process
--- quote ---
Doesn't like relay nor running or attached debuggers (crapload of watcher
threads) :)
Fixing some of the insufficiencies can help Wine achieve better compatibility
with other apps/games, but I doubt it can make this scheme fully work.
Besides dealing with native API and low level structures in invasive ways, it
has a kernel driver part which probably employs nasty trickery, which Wine is
not made for, to detect kernel/usermode hooks.
$ ls -1hs
total 2.9G
3.4M aeria_ignite_install.exe
2.9G ava_gamedata_v9.exe
568K ava_us_installer_20140905.exe
280K DotNetFx35ClientSetup.exe
$ sha1sum *
76fdde78caaf472d2cbdc0b858d02bbd9fafb42b aeria_ignite_install.exe
8e22137db59d7c64c89e93fea1c9cf5546b43344 ava_gamedata_v9.exe
3a5c5eb7c0aa6d7de9bb4fae3608176dd90a3792 ava_us_installer_20140905.exe
2d1200a3f30b4f9a377950c7258c75e1f7293e58 DotNetFx35ClientSetup.exe
$ wine --version
wine-1.7.30-181-gffd3135
Regards
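The ProtectionID output quoted in this comment reports the entropy of the section holding the entry point as one of its heuristics for spotting a Themida-wrapped binary. The script below is an added example, not code from the bug report, from Wine or from ProtectionID: it parses the PE section table, locates the section whose RVA range contains AddressOfEntryPoint and computes the Shannon entropy of that section's raw bytes. The 7.0 cut-off, every function name and both sample images are assumptions for illustration; the samples are constructed in the script (a repetitive five-byte stub versus a SHA-256-chained high-entropy blob) and are header-complete but not loadable programs.

```python
# Entry-point section entropy check (added example; not from the bug report).
# Assumed: the 7.0 cut-off, all function names, and the constructed sample PEs.
import hashlib
import math
import struct

HIGH_ENTROPY_THRESHOLD = 7.0  # assumed cut-off: packed/encrypted code sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe_sections(pe: bytes):
    """Return (entry_rva, [(name, vaddr, vsize, raw_ptr, raw_size), ...]).
    Decodes only the headers needed here; data directories, imports and
    Authenticode signatures are skipped."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    # AddressOfEntryPoint is at offset 16 of both PE32 and PE32+ optional headers
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    table = opt + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, raw_ptr, raw_size))
    return entry_rva, sections


def entry_section_entropy(pe: bytes):
    """(name, entropy) of the section whose RVA range contains the entry point."""
    entry_rva, sections = parse_pe_sections(pe)
    for name, vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= entry_rva < vaddr + max(vsize, raw_size):
            return name, shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])
    raise ValueError("entry point lies outside every section")


def looks_packed(pe: bytes) -> bool:
    """Crude triage rule: entry section entropy at or above the assumed cut-off."""
    return entry_section_entropy(pe)[1] >= HIGH_ENTROPY_THRESHOLD


def build_sample_pe(blobs, entry_index: int) -> bytes:
    """Construct a header-complete but non-loadable PE32 image from
    (section_name, raw_bytes) pairs. Constructed test data only."""
    align, opt_size = 0x200, 224                    # 224 = PE32 optional header incl. data directories
    hdr = bytearray(b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40))  # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(blobs), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000 * (entry_index + 1))    # AddressOfEntryPoint
    hdr += opt
    raw_ptr, body = align, bytearray()
    for i, (name, data) in enumerate(blobs):
        raw_size = (len(data) + align - 1) // align * align
        hdr += struct.pack("<8sIIII", name.encode().ljust(8, b"\0"), len(data), 0x1000 * (i + 1), raw_size, raw_ptr)
        hdr += b"\0" * 16                                          # relocs, line numbers, characteristics
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    return bytes(hdr.ljust(align, b"\0") + body)


def pseudo_random_bytes(n: int, seed: bytes = b"ava-example") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for packed code."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


PLAIN_STUB = b"\x55\x89\xe5\x5d\xc3" * 200     # constructed: repetitive, low-entropy code-like bytes
PACKED_BLOB = pseudo_random_bytes(2048)        # constructed: high-entropy bytes, like a protector's stub
SAMPLE_PLAIN = build_sample_pe([(".text", PLAIN_STUB), (".data", PACKED_BLOB)], entry_index=0)
SAMPLE_PACKED = build_sample_pe([(".text", PLAIN_STUB), (".packed", PACKED_BLOB)], entry_index=1)

if __name__ == "__main__":
    for label, image in (("plain", SAMPLE_PLAIN), ("packed", SAMPLE_PACKED)):
        name, h = entry_section_entropy(image)
        print(f"{label:6} entry section {name:8} entropy {h:.2f}  packed={looks_packed(image)}")
```

The plain sample carries the same high-entropy blob in a non-entry section and is still not flagged, which is the point of the heuristic: a protector such as Themida replaces the original entry code with an encrypted stub, so the entry section, not the file as a whole, is where the entropy jump shows up. To run it against a real file, read the bytes with `open(path, "rb").read()` and pass them to `entry_section_entropy`; the threshold should be tuned on known-good binaries before it is trusted for triage.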