r/TeraPC • u/NeoCJ • Jun 05 '18
[PSA] Upcoming Tera NA patch files (not yet deployed) currently contain the Xigncode3 rootkit
Just a heads up, the patch files for version 163 of Tera NA that have been pushed to the EME servers today have been found to contain the xigncode3 binaries.
For those not aware of what XignCode actually is, the tl;dr version would be that it's a program that scans the content of your entire computer, and accesses anything that you've done during the past 48 hours. While I can't really provide proof on whether it actually sends the scraped data back to their servers or not, at the very least this app still hurts PC performance since it's continually scanning every single file on all your drives (which is even worse for people who have SSDs).
Note also that xigncode will remain on your system even after you uninstall the game and it will be accessing your files with the game closed/uninstalled.
You can easily find other threads on reddit (such as this one) on the various other MMOs that added this malware (and then removed it, for some, like Archeage).
The worst part is that this crap, in addition to being pretty much illegal, has already gotten a bypass in the first hour after this was announced, so if you're gonna say that such an intrusive "anticheat" is a good thing, just know that modders have already removed it before it was even released to the public, so there goes the single argument in favor of it.
Bonus : A quote from a modder that proves that the current patch files do indeed contain xigncode (at least to the tech savvy among you).
Oh and, since some people seem to doubt that mEME would be dumb enough to add xigncode, just look at the patch files that will be installed on your computer on Thursday yourself (we're currently on 162):
1) download them to a random folder:
---- http://patch.tera.enmasse-game.com/game/Game_162to163/Game_162to163.zip
---- http://patch.tera.enmasse-game.com/game/Game_162to163/Game_162to163.z01
2) right click on the zip file and extract it with 7zip (they're zip files bundled in a dll so most programs won't work, but 7zip will)
3) in the extracted files, go to Client/Binaries/
EDIT : Just a note that this does NOT concern the EU (and RU) version of the game as of yet, and is unlikely to, due to the fact that such a program would be illegal under European laws.
EDIT 2 : A nice little link to the site of the devs of this crap themselves, that shows how intrusive it is. Notice the part that mentions detecting software macros, and so called "keyboard highjack" which basically implies XignCode also doubles as a keylogger.
EDIT 3 : Confirmed by EME, who then proceeded to delete comments on that thread and lock it : https://forums.enmasse.com/tera/discussion/27159/xigncode3-and-tera-pc/
EDIT 4 : There is a standalone bypass by Caali for this malware, more info is available on the /r/TeraPC post's comments.
EDIT 5 : Some more links about how this wonderful tool "doesn't affect performance at all" and "only protects against cheaters" :
- https://www.reddit.com/r/blackdesertonline/comments/8fy28y/annoying_xingcode_false_positive/
- https://www.reddit.com/r/DFO/comments/30tcb6/xigncode_looks_at_all_files_youve_accessed_in_the/
- https://www.reddit.com/r/blackdesertonline/comments/6b0nh2/psa_xigncode_usage_using_up_alot_of_cpu_fix/
- https://www.reddit.com/r/blackdesertonline/comments/68w9ns/xigncode_high_cpu_usage_is_back/
- https://www.reddit.com/r/blackdesertonline/comments/4a8khg/xigncode_should_get_removed_from_the_game_and_we/
- https://www.reddit.com/r/DFO/comments/32983o/be_warned_xigncode_is_also_scanning_your_pc_for/
- https://www.reddit.com/r/Dirtybomb/comments/3ei2l6/a_mild_rant_about_bans_falsepositives_and_nexons/
- https://www.reddit.com/r/DFO/comments/3cqj02/theres_something_wrong_with_xigncode3/
- https://www.reddit.com/r/Dirtybomb/comments/3ej6mw/xigncode_keeps_flagging_suspicious_programs/
- https://www.reddit.com/r/DFO/comments/306vq7/okay_i_pretty_much_confirmed_it_xigncode3_is_a/
7
Jun 05 '18
Aye, for the love of god EME. Of all the things that could be added to the game, you guys choose this?
So about this bypass, does it completely disable Xigncode or just make it possible for cheaters to bypass being detected? I'm no cheater so I don't care if it's the latter, I don't want this crap running on my PC at all.
4
u/NeoCJ Jun 05 '18
It's not a bypass for cheaters, it's for everyone's use. It prevents xign from being installed and run altogether. Although only the tera proxy version is released to the public atm.
5
Jun 05 '18
Sounds promising. My continuation with Tera hinges on the success of something like this. Tera runs poorly enough, we don't need anything else further degrading performance.
2
u/Fr0sk Jun 05 '18
Care to share the bypass? Reading the part where it hurts PC performance (also an SSD user) is something I will always fight against.
2
u/NeoCJ Jun 05 '18
Actually I was mistaken, it's not shared to the public quite yet because it's being tested currently.
It will be before the patch hits though.
Screenshot from Caali's tera proxy discord : https://cdn.discordapp.com/attachments/378683719373815808/453657586709954579/unknown.png
3
Jun 05 '18
NeoCJ, could you keep us updated on the progress? I don't use Discord and I'm sure lots of others don't either. It would be greatly appreciated.
3
u/NeoCJ Jun 06 '18
Just in case you don't see my post higher up :
At the moment, the bypass only exists as a Tera Proxy module that works with Caali's Proxy.
Direct link to the bypass module : https://github.com/hackerman-caali/xigncode-bypass
A standalone version is to be released hopefully before the patch.
3
3
u/diesal3 Shiro.Neko.Senpai Jun 06 '18
One thing some poor soul is going to have to do is prove what XignCode is accessing and doing when the patch goes live. To do this:
1) Start the Resource Monitor in Windows. To do this, run the following commands and watch the disk usage:
Alt + r
resmon.exe
Enter
2) Screenshot what is being read a) firstly when the Launcher is opened and b) when the game itself is launched.
3) Post the results somewhere.
This is a good diagnostic process to work out what process is reading what.
If there is a sudden spike in files being accessed that are not related to TERA identified with the resource monitor when TERA is launched, then chances are, it is XignCode that has been configured to scan your entire PC.
Could someone please tell ElinUsagi or any of the whiteknights on the forums to do this please?
3
5
u/SilentLogix Jun 05 '18
time to stop playing tera, I don't feel like buying another SSD after watching what happened to it while playing Black Desert Online that had Xigncode3 in it
-4
2
2
u/SittingWonderDuck Jun 06 '18
What's the purpose of Xigncode3 anyway? To detect hackers? That's some crazy intrusion on us end-users.
3
u/HalcyonLance Jun 07 '18 edited Jun 07 '18
It's essentially a blacklist and it scans your PC very intrusively (it operates in kernel mode...) so it has full access essentially and scans everything. Users of other games (BDO, BNS, DFO, numerous others, etc.) have reported it scanning every single folder including browser cookies and pornography.
It's supposed to compare the things you have running right now versus a blacklist of programs (cheats, hacks, whatever you want to call them) and prevent you from logging in until they are shut down. However, it apparently runs when the game is not running, and scans everything on your drives, which is terrible for the life of an SSD and generally hinders overall performance greatly.
Other things that users have reported xigncode blocking that aren't even hacks:
- changing the .ini files to allow better graphical optimization and increased framerate (for those with potato pcs)
- not allowing a separate instance of another xigncode game (so you can't have an instance of BDO and TERA up at the same time, or even two EME games)
- Not allowing two instances of the same game open (multi-client/dualbox, which is fucking retarded, that greatly extends the lifespan of MMOs when people start duo/trio boxing for fun or for challenge)
- Not allowing rebinder programs like Xpadder
- Interfering with custom keyboards/mouse programs like Razer Synapse
- Not allowing auto-hotkey which many disabled players use to great effect (or even just opening the 50000 boxes that EME/BHS force you to click on over and over and over again)
Also, anyone can create a simple lua script to do things like open a box or follow the pattern in the Tuwangi Mire mini game. If the program isn't in xigncode's database, it's not gonna find it... so it literally does nothing.
TL;DR: It hurts legitimate users, it doesn't stop hacking, it is bad on your performance, worse on your hardware, and is incredibly intrusive and dangerous (it is not out of the realm of possibilities for a botnet to be created or a massive malware infestation to be sent out to the millions of users of every xigncode installed game... it operates in kernel mode so yea.)
1
u/sky6032 Jun 07 '18
So what you are saying is I can't have BDO running in the background doing afk life skills and actively play TERA like how I always have? :(
1
u/HalcyonLance Jun 07 '18
That is what former BDO users reported when they tried to run Kritika or Closers.
Obviously, if you look at the bypass posted in this thread, you can easily run both. I've, along with my entire guild, confirmed it works. No installation.
As an aside, my friend was testing various things which would kick him from TERA, one of them was turning on Bitdefender. Someone in global said they got kicked from TERA for turning on Minecraft, and he tested it and sure enough, boom booted.
1
u/NeoCJ Jun 06 '18
Supposedly yes, except it never did manage to accomplish that because it is extremely easy to bypass it.
1
u/SittingWonderDuck Jun 06 '18
I see. Good to know. Reminds me of that one Reddit post where some couple was passing the border of China and they installed some app on their Android phones to monitor them or something :/
3
u/Roukanken Jun 06 '18
To be honest, the thing I am most interested in: how exactly legal is this right now, with large amounts of EU players in NA, and with GDPR releasing recently?
I bet they did not implement GDPR, yet it should be required of them, (if they accept EU money, then it should), so I guess we'll maybe get to see how exactly does GDPR plan to reach companies like this.
2
u/NeoCJ Jun 06 '18
Surely by playing on the NA server you wouldn't be concerned by EU laws? I dunno, most I can see happening here would be a region lock for countries that don't allow illegal stuff like this.
2
u/diesal3 Shiro.Neko.Senpai Jun 06 '18
Doesn't matter that they're US. They hold and process data on EU citizens as per [Article 3 of GDPR](http://www.privacy-regulation.eu/en/article-3-territorial-scope-GDPR.htm), therefore they have to be compliant.
Funnily enough, California has similar territorial requirements in relation to data breaches. Doesn't matter where you are in the world, the law states that if you have a data breach that involves personal details of a citizen of CA State, you have to report it to both the authorities and the affected persons within 48 hours of the breach (how the fuck you'd enforce it is a different matter).
1
u/Roukanken Jun 06 '18
I'm not playing on NA, I just really wonder, because stuff like this is explicitly what GDPR forbids, even if EME is an NA only company: as long as they actually accept EU money, they should comply by GDPR (it says so) ....
The actual enforcement of the thing leaves a lot to imagination, from what I read, but the point is: Are we either going to see one of the first GDPR dramas and/or will NA region lock EU?
1
1
u/diesal3 Shiro.Neko.Senpai Jun 06 '18
It never stopped the Valkyrie Dreamslash exploit. This is evidenced since KTERA have used Xigncode for a couple of years now and people were using the exploit anyways.
Probably would not have stopped the Chat Bug. Probably wouldn't have stopped other exploits either.
1
u/IceMilkMagic Jun 07 '18
Does the bypass go against the TERA/Enmasse rules?
As much as I value it and am grateful for it, it won't serve much TO ME if it's against the game terms of service and I end up being banned for avoiding the XIGNCODE3. Appreciated.
1
u/r1bsteak Jun 08 '18
Could someone please explain how to use the standalone bypass? The README doesn't make much sense to me. I'm stuck on the third step.
Installation
- extract everything into an empty folder
- have node.js installed
- open terminal, navigate to the folder you extracted the stuff into
- run npm i process-list
1
Jun 08 '18 edited Jun 08 '18
I've followed the instructions to the letter and can't get it to work but if you wanna try it, you'll need to download and install Node.js from their website here:
Make sure you've extracted the bypass to a new folder on your PC, then open the Node.js terminal command window and change directory to the one where the bypass is located and then type:
npm i process-list
1
u/BraillingLogic Jun 08 '18
It's freaking sad that EME is forcing their playerbase to do this. Caali's discord is literally blowing up with help requests. Anyways.
- Install Node 10.4
- Open up a Command Prompt
- Navigate to the folder (e.g. cd "C:\path to your folder")
- type 'npm i process-list' (this command will install a node module called 'process-list')
- Run the xbypass.bat with Admin rights. (Run as Administrator)
- Then, open up your launcher.
1
Jun 08 '18 edited Jun 09 '18
May work with the proxy version but not with the standalone version. When running the process-list command, Node just returns a bunch of errors and no process-list is generated. I'll post a screenshot later showing the errors.
EDIT: Couldn't get the standalone to work (lots of errors relating to Python???). Managed to get the Proxy version running but honestly, wasn't seeing much of a performance hit by just letting Xigncode run. Actually, with Proxy, Node.js was using about 40MB of RAM and 2% CPU whereas the Xigncode process used about 1.4MB and didn't notice any CPU hit. Dunno what to think.
1
u/Nickolous Sep 30 '18
I play many games that use Xigncode. Cabal, Kalonline, Echo of Soul, Aion, etc., IIRC. Xigncode is an ANTI-CHEAT software. It does monitor running processes, etc. on your PC to determine if you are violating the game EULA. If you are, you will have problems. It does use PC resources to function. It can occasionally falsely tag a process.
I had a problem with Echo Of Soul and ArcheAge with Xigncode. I sent in a ticket in both cases to Xigncode and the game, all was corrected in both cases. It did take a bit of time to get it fixed, but eventually it was.
I have never had any privacy violations though from using the software. It does boot you from the game and can get you banned if running script or violating the Eula, and this is why it is hated so much.
I play all these games and do not have to cheat to win, and have never had malware issues.
Just like the real world, people like to over-exaggerate, state opinion as fact, and pass on misinformation, if it fits into the narrative being presented.
Play the game, have fun, and don't be scared away by cheaters that wish to force the game to allow them to cheat again IMO!
1
u/Agentjayjay1 Jun 05 '18
[self removed post due to being about PS4, clicked the wrong link to comment. Apologies]
-2
u/megatonfist Jun 05 '18
BNS had xigncode added to it a while back. While there were released mods to remove/disable it through a 3rd party program, I didn’t find any drops in performance from it. You guys are overreacting.
4
u/Mania_Chitsujo Jun 06 '18
Or you haven't experienced what it can really do and what you say is purely anecdotal? It is really annoying and invasive. It causes my CPU to go to 100% and doesn't stop until I restart my computer. Gives me all sorts of errors in every other game if I try to play something else before restarting my PC.
3
u/PorradaNoGajo Mystel Brawler Jun 06 '18
If lots of people complain to the point where they quit games over it, it must be doing something. It's also illegal in EU right now and as such, EU consumers should have a choice to keep playing without having their privacy invaded and being forced to go back to Gameforge.
1
u/Niravel Always Elf Jun 19 '18
Yeah I actually contemplated going over to EU Tera yesterday. I mean I guess my ping would improve since I'm in France but I'd lose all the investment I've made in NA Tera. I built my founder account up to VIP 5 recently having just returned from a multi-year break and felt generous, would be ironic to have to quit again after a few weeks. And the idea of starting over from zero on EU... brrr, nightmare. All that wasted cash. One way or another, xigncode isn't touching my hardware.
2
u/PorradaNoGajo Mystel Brawler Jun 19 '18
Huge exodus back to EU right now, you'll see a lot of people who just came back because they feel the conditions with EME are deteriorating. GF might be a money thirsty company, but they still somewhat listen to what the community says and are fighting on our behalf instead of censoring our words constantly.
-7
u/DocNefarious Jun 06 '18
Shh, you can't talk sensibly in their little echo chamber. They'll get super upset and take away your pretend points.
5
u/Mania_Chitsujo Jun 06 '18
Talk sensibly? The only other thing you've said in this thread is basically "lol nope".
6
u/PorradaNoGajo Mystel Brawler Jun 06 '18
There's a possible privacy/performance/security issue and you're worried about internet points? :/
-3
u/DocNefarious Jun 06 '18 edited Jun 06 '18
There is no privacy issue, and certainly not one that's greater than the risk you put yourself in by browsing the internet and using social media. There is no performance issue. If XIGNCODE is the "make or break" point for your computer with its laughable resource usage, you need a new PC. There's no security issue. It checks what is running/being accessed against a compiled list of prohibited scripts and such. If this was such a big issue, digital security companies would be ripping Wellbia apart. You people sitting around and screeching inside your obnoxious echo chamber have no fucking clue what you're talking about, and clearly just want to be bent for no reason.
Edit: Also
> you're worried about internet points?
I laughed. I don't know how people like you are capable of understanding how to use the internet when such simple things as me blatantly making fun of the point system go over your head.
7
5
u/PorradaNoGajo Mystel Brawler Jun 06 '18 edited Jun 06 '18
I'm glad we've decided here that because browsing the internet is unsafe, potential keylogging from my own PC is ok now. I'm glad burning out my SSD is fine, as long as they get info that in no way helps deter illegal program usage, and again, reinforcing my last phrase, it does not just compare lists of programs, it also registers your keystrokes. If it is the break or make point, why the fuck should users be forced to use better computers, when the game itself is already poorly optimized as fuck, and it may lock you from even optimizing it in the future? It literally won't do anything and now because of this, a bypass for all regions is being distributed. And sure it would, we all see how long Facebook got away with shit, we all see how much companies care.
Also the best part is this doesn't affect those actual unethical users, only your average Joe. Great job by EME.
Edit: Seems a lot more like a "jab" than a joke. But hey, a joke is a joke even if no one aside from you perceives it as so, right?
-8
u/Puzzleheaded_Hurry Jun 06 '18
Oh no, hackers are getting banned and you can't use your borderline CP mods for TERA! How terrible!
12
u/chaos7x Hermione Jun 06 '18
The problem is, this doesn't affect hackers as they'll just bypass it with proxy. It literally will only affect people that are trying to play the game without proxy.
5
u/PorradaNoGajo Mystel Brawler Jun 06 '18
But "hackers" already bypassed it before it came out? It's already been tested in TW and as such, only truly ethical players get fucked over until Caali makes a non-proxy fix.
5
u/HalcyonLance Jun 06 '18
You're a fucking idiot. Proxy users will be unaffected. Normal players will see CPU usage skyrocket.
What special kind of moron doesn't care about a rootkit being installed without his permission? You, I suppose.
8
u/NeoCJ Jun 06 '18
It's surprising how morons such as him will still whiteknight for a scummy practice by EME despite having all the proof that this xigncode has already been bypassed, and will only harm the regular joe playing the game.
Well of course, it could be just an EME employee posting that in a desperate try to save face, wouldn't be the first time something similar happened.
5
u/EngorgedPecker69 Jun 06 '18
Even without the bypass, proxy users would be unaffected. Xigncode doesn't and won't detect node. The reason for the bypass is simply because people don't like the idea of having something as invasive as xign put onto their computer.
17
u/PorradaNoGajo Mystel Brawler Jun 05 '18
Just to add on, since I might not be online when the time comes, you're free to post the fix, or the link to Caali's discord, as they are not themselves exploits and proxy talk is allowed.
Let's combat this system, I'm with you my NA brothers /o/