Repository: waryas/xign_poc_april_2026 (owner: waryas, language: C, default branch: main, 81 stars, 19 forks, 79 watchers, last updated 2026-06-12 02:04:03)
Description: Use XIGNCODE3 driver to cheat

## Public Disclosure reason

Public disclosure. Driver shipped with the gacha game MONGIL:STAR DRIVE that came out the 14th April 2026.
Email sent the same day. Completely ignored.

## Protocol refresher

Device is accessed by `CreateFileW(L"\\\\.\\xhunter1", ...)`. Commands are sent with `WriteFile`, not `DeviceIoControl`. Dispatch is **not** via `IRP_MJ_DEVICE_CONTROL`; the driver only registers `IRP_MJ_CREATE`, `IRP_MJ_CLOSE`, `IRP_MJ_WRITE`.

```
IRP_MJ_WRITE buffer, 624 bytes, DO_BUFFERED_IO:
  +0  DWORD  in_size = 624
  +4  DWORD  magic   = 0x345821AB    (verified empirically from cmp at sub_14000B568;
                                      IDA decompile printed the constant as decimal
                                      878191019 which I initially mis-hexed)
  +8  DWORD  nonce   (echoed as ~nonce in rsp[+8])
 +12  DWORD  command (∈ { 774..821 }, not contiguous)
 +16  QWORD  response VA (user VA in caller; mapped via UserMode MDL, 762-byte write)
 +24  ...    per-command args

Response:
  +0  DWORD  size = 624
  +4  DWORD  magic = 0x12121212
  +8  DWORD  ~nonce
 +12  DWORD  NTSTATUS (negative = driver failure)
 +16  ...    per-command result fields (up to 762 bytes total)
```

Auth is per-command via `sub_140005E84()` — returns true iff `(driver_flag_table[caller_PID] & 0x80000008) == 0x80000008`. Bits get stamped by the process-image-load notify callback that parses a trust cache shipped with the driver (`sub_140007074`), not by any IOCTL.

---

## Per-command table

Legend for the last column:
- **R** = arbitrary or near-arbitrary **read** primitive reachable through this command
- **W** = arbitrary **write** primitive
- **X** = arbitrary code **execution** primitive
- **L** = information **leak** / narrower disclosure
- **A** = auth bypass / privilege confusion
- **OOB** = out-of-bounds pool read
- `auth` = requires `sub_140005E84()` (trusted-process flag)
- `—` = no security-relevant primitive identified

| Cmd | Handler (`sub_`) | Purpose (inferred) | Key sinks | Class |
|-----|-----|-----|-----|-----|
| 774 | `140001F54` | Ping/echo | — | — |
| 775 | `140001DD8` | Set per-PID flag bits (low word) | `sub_140005F98(pid=cmd+24, flags=cmd+28)` | **A — AUTH GATE BYPASS.** Caller chooses both target PID and low-16 flag bits. Setting bit 3 (`0x8`) on self is step 2 of the 2-IOCTL unauth auth-bypass chain. See Auth section. |
| 776 | `140003598` | Clear per-PID flags | `sub_140006324(pid=cmd+24)` | **A** (same class as 775) |
| 777 | `140003498` | Register caller PID, set upper-16 flag bits to `0x8000` | `sub_140006A10`+`sub_140006418(self, 0x80000000)` | **A** — sets bit 31 on self. **Step 1 of the 2-IOCTL unauth auth-bypass chain** (pair with cmd 775 for bit 3). Does not yield auth alone, but trivially does with cmd 775. |
| 778 | `140003708` | Unregister caller | `sub_140006AC4`+`sub_140006190` | — |
| 779 | `140003398` | Enumerate trusted PIDs to user buffer; size-checked | `sub_140006968` under UserMode MDL | **L** (discloses which PIDs are currently "trusted") |
| 782 | `1400035D4` | Set a global byte flag | `sub_14000739C(cmd+24 byte)` | — |
| 783 | `1400026C8` | Version/status query | `sub_140007394()` | — |
| 785 | `1400030B8` | **Open any process by PID with user-specified access mask** | `sub_1400087F4` → `ObOpenObjectByPointer(KernelMode, user access mask)` | **A**, **W-capable** (the returned user-mode handle has arbitrary access, including `PROCESS_VM_WRITE` + `PROCESS_CREATE_THREAD`, skipping DACL) — `auth` |
| 786 | `1400022F8` | Counter query | `sub_140004B34()` | — |
| 787 | `140003278` | Cross-process user-space **read** (handle access-mask bypass) | `sub_140007874` ladder → `sub_140008924` (per-byte, `srcVA < MmSystemRangeStart`) | **A**, **R** (user-space of any non-protected process) |
| 788 | `1400031C4` | **Arbitrary kernel read** | `sub_1400084AC` per-byte copy, only `MmIsAddressValid` gate | **R (kernel)** — `auth` |
| 789 | `140002180` | Command on path string | `sub_1400037AC((WCHAR*)(cmd+24))` | **L/OOB** (unbounded wcslen on buffered input; same class as 790) |
| 790 | `140003508` | Command on path string (image-name registry) | `do{++v5;}while(*(WORD*)(cmd+24+2v5));` → `sub_1400074E8` | **OOB** (unbounded wcslen past SystemBuffer) |
| 791 | `140003018` | **`ZwQueryInformationProcess` proxy** with user handle + user-controlled info class + user output buffer | `ZwQueryInformationProcess` | **A** (Zw sets PreviousMode=Kernel → handle/info-class access checks bypassed); some info classes (e.g. `ProcessImageFileName`, `ProcessDebugPort`) yield data normally gated by `PROCESS_QUERY_INFORMATION` even with a `QUERY_LIMITED_INFORMATION` handle |
| 792 | `1400027F0` | Generic per-process op | `sub_140007874` ladder → `sub_1400086C0` | **A** (same ladder issue, op-specific severity) |
| 793 | `140002990` | Process op returning a pointer | `sub_140007874` ladder → `sub_1400087B8` | **A/L** |
| 794 | `140002730` | Process op into user buffer | `sub_140007874` ladder → `sub_140008400` | **A/L** |
| 796 | `1400021FC` | Read file by path (kernel context), return DWORD checksum | `ZwOpenFile(OBJ_KERNEL_HANDLE)` + `ZwReadFile` | **L** (kernel-mode read bypasses caller's DACL; attacker-controlled path; weak disclosure channel — only sum-of-DWORDs) |
| 797 | `140002954` | Look up per-PID flags (any PID) | `sub_140006204` | **L** (disclose trust table entries) |
| 798 | `1400020D8` | Fill user buffer | `sub_1400054E4` | — (size-checked) |
| 799 | `140002A10` | Returns constant `30` | — | — |
| 800 | `140001FF8` | Close handle in another process | `sub_140007874` ladder → `KeStackAttachProcess` → `ObSetHandleAttributes` + `ZwClose` on `cmd[+32]` handle value inside target | **A/W-ish** (can close arbitrary handle inside another process once handle is resolved via ladder) |
| 801 | `140003658` (→ `sub_140009C5C`) | Trigger win32k SSDT-index capture / internal init | `MmGetSystemRoutineAddress`, NT/win32k section parse | — (no user args) |
| 802 | `1400036D0` | Acquire+release internal mutex | `KeWaitForSingleObject`/`KeReleaseMutex` | — |
| 803 | `140003658` (same as 801) | Same initializer | — | — |
| 804 | `140003694` | Per-PID win32k affinity op | `sub_14000AB34` (`PsLookupProcessByProcessId` → attach → win32k call via captured function pointer) | **A** (operates on any PID; narrow effect: sets `NtUserSetWindowDisplayAffinity`-equivalent) |
| 805 | `140002870` | **Page-table walk via physical-memory read** — returns PTE for (handle-resolved process, VA) | `sub_140007778` (ladder) → `sub_140006598` (opens `\Device\PhysicalMemory` / resolves `MmCopyMemory`) → `sub_14000646C` (4× `sub_140006648`) | **A/L** — PFN leak on kernel VAs breaks KASLR; on user VAs leaks phys layout (details in deep-dive below) |
| 806 | `140002E88` | No-op probe | — | — |
| 807 | `140001E14` | **Inject driver-provided payload into resolved process** | `sub_140009FF4`→`sub_14000A6C8`→`sub_14000A738`→`sub_14000A028`→`sub_14000A7A4` | **X** (driver-owned payload, `PROCESS_ALL_ACCESS` via `ObOpenObjectByPointer(KernelMode)`, `RtlCreateUserThread`/`NtCreateThreadEx`); target chosen by attacker |
| 808 | `140001ED4` | Same injector, alternate entry | `sub_14000A6C8`→… | **X** |
| 809 | `140002704` | Returns constant `822` | — | — |
| 810 | `140002F1C` | **`ZwCreateFile` with attacker-controlled path & access mask in kernel context** | `ZwCreateFile` (OBJ_CASE_INSENSITIVE only, handle returned to caller's *user* handle table) | **A/W** (kernel-mode open bypasses caller's DACL; full `DesiredAccess` from user — read, write, delete, set-security on any file) — `auth` |
| 811 | `140001F14` | Injector wrapper | `sub_14000A738` → driver payload | **X** |
| 812 | `1400021C0` | Info struct fill | `sub_1400061C0` | — |
| 813 | `140003458` | **Populate trust-cache entry**: add `{path=cmd+28 WCHARs, flag=cmd+24 DWORD}` | `sub_14000CA84` → `sub_14000CAC0` → `sub_14000CB18` (writes `qword_1400220F8[count++]`); also `RtlInitUnicodeString` (unbounded wcslen) | **A — CACHE POISON.** Unauth'd. Plant entry with flag bit 3 set → any child process launched from that exact NT path is stamped with bit 3 at `PsSetCreateProcessNotifyRoutine` time. Independent auth-bypass path. Also **OOB** (unbounded wcslen). |
| 814 | `140001F78` | Info fill | `sub_140003C54` | — |
| 815 | `140001E54` | Injector wrapper (driver payload) | `sub_14000A028` → `sub_14000A7A4` | **X** |
| 816 | `140002334` | Win32k global state fill | reads `qword_140022068[48]+*` kernel ptrs | **L** (leaks win32k internal field values / offsets) |
| 817 | `140001FB4` | Config query | `sub_140003D28` | — |
| 818 | `140003140` | `MmSecureVirtualMemory(Ex)` wrapper | `MmSecureVirtualMemory` | — (legitimate use; no user-RW granted) |
| 819 | `140002EB0` | Process fingerprint | `sub_140007874` ladder → `sub_140001A5C` | **A/L** |
| 820 | `140001E94` | **Inject attacker-supplied shellcode into arbitrary process** | `sub_14000A1AC` → `sub_14000A330` | **X** (see below) |
| 821 | `14000361C` | Internal op | `sub_140004CF0(DWORD)` | — |

---

Site-generated summary (translated from Chinese): This project uses the XIGNCODE3 driver to implement cheating in the game MONGIL:STAR DRIVE. Its core function is to interact with the driver through specific commands to perform a range of privileged operations, including read/write and code execution. Technically, it communicates with the device using the `CreateFileW` and `WriteFile` functions and implements authentication bypass and privilege escalation through a series of commands. The project is suited to researching game-security vulnerabilities or understanding how a driver can be abused maliciously.