Analysis updated 2026-05-18
Reimplement xlive.dll's AES encryption functions without needing the original DLL.
Study how WARBIRD and Syncrosoft MCFACT obfuscation layers were reverse engineered.
Use extracted AES round keys and lookup tables for compatibility or modding work.
Apply a patch that disables an integrity check to make old GFWL games easier to debug.
| widberg/xlive-research | neo773/d9mt | saleyn/glazer | |
|---|---|---|---|
| Stars | 16 | 16 | 16 |
| Language | C++ | C++ | C++ |
| Setup difficulty | hard | hard | moderate |
| Complexity | 5/5 | 5/5 | 2/5 |
| Audience | developer | developer | developer |
Figures from each repo's GitHub metadata at analysis time.
Requires familiarity with reverse engineering tools like ImHex and ScyllaHide plus low-level Windows internals.
This repository documents reverse engineering research into a Windows DLL called xlive.dll, which is the core component of Games for Windows Live (GFWL), a now-discontinued online gaming service from Microsoft that was bundled with PC games in the late 2000s and early 2010s. Games that used GFWL sometimes have compatibility or modding issues today because xlive.dll performs various encryption and copy-protection functions that are difficult to work around without understanding how they operate. The main output of this research is a C++ program called xwife. It reimplements the cryptographic operations from xlive.dll from scratch, without needing the original DLL to be present. This includes several AES-based encryption and decryption functions used to protect game data and user information. The repository also includes the AES round keys extracted from the DLL through analysis, along with explanations of how those keys were found. The README explains that xlive.dll was protected using two separate obfuscation layers. One is Microsoft WARBIRD, a code obfuscator that scrambles the DLL's logic to make it harder to read in a debugger. The researcher used existing open-source tools to strip away that layer. The other protection covers two specific functions and uses a commercial product called Syncrosoft MCFACT. Because MCFACT cannot be cleanly reversed, the researcher extracted the lookup tables it uses directly from the DLL. The README also includes a detailed walkthrough of how xlive.dll stores sensitive data in memory using a construct called a protected buffer. The buffer structure adds a runtime-derived constant to any pointer before storing it, and some buffers XOR their contents across two separate arrays so that the real value is never sitting in memory in plain form. Also included are binary pattern files for a hex editor called ImHex, a configuration file for an anti-anti-debug tool called ScyllaHide, a patch that disables one of xlive's integrity checks to make debugging easier, and a collection of analysis scripts. The project is oriented toward game modding and preservation research.
Reverse engineering research and tools that reimplement the encryption inside Microsoft's discontinued Games for Windows Live DLL.
Mainly C++. The stack also includes C++, ImHex, ScyllaHide.
Setup difficulty is rated hard, with roughly 1day+ to a first successful run.
Mainly developer.
This repo across BitVibe Labs
Verify against the repo before relying on details.