gitwtfhub

wtf is xlive-research?

widberg/xlive-research — explained in plain English

Analysis updated 2026-05-18

16C++Audience · developerComplexity · 5/5Setup · hard

TL;DR

Reverse engineering research and tools that reimplement the encryption inside Microsoft's discontinued Games for Windows Live DLL.

Mindmap

mindmap
  root((xlive research))
    What it does
      Reverse engineers xlive.dll
      Reimplements encryption
      Documents obfuscation layers
    Tech stack
      C++
      ImHex
      ScyllaHide
    Use cases
      Rebuild AES functions
      Study obfuscation removal
      Enable game debugging
    Audience
      Reverse engineers
      Game preservationists

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

Why would anyone build with this?

REASON 1

Reimplement xlive.dll's AES encryption functions without needing the original DLL.

REASON 2

Study how WARBIRD and Syncrosoft MCFACT obfuscation layers were reverse engineered.

REASON 3

Use extracted AES round keys and lookup tables for compatibility or modding work.

REASON 4

Apply a patch that disables an integrity check to make old GFWL games easier to debug.

What's in the stack?

C++ImHexScyllaHide

How it stacks up

widberg/xlive-researchneo773/d9mtsaleyn/glazer
Stars161616
LanguageC++C++C++
Setup difficultyhardhardmoderate
Complexity5/55/52/5
Audiencedeveloperdeveloperdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you spin it up?

Difficulty · hard Time to first run · 1day+

Requires familiarity with reverse engineering tools like ImHex and ScyllaHide plus low-level Windows internals.

Wtf does this do

This repository documents reverse engineering research into a Windows DLL called xlive.dll, which is the core component of Games for Windows Live (GFWL), a now-discontinued online gaming service from Microsoft that was bundled with PC games in the late 2000s and early 2010s. Games that used GFWL sometimes have compatibility or modding issues today because xlive.dll performs various encryption and copy-protection functions that are difficult to work around without understanding how they operate. The main output of this research is a C++ program called xwife. It reimplements the cryptographic operations from xlive.dll from scratch, without needing the original DLL to be present. This includes several AES-based encryption and decryption functions used to protect game data and user information. The repository also includes the AES round keys extracted from the DLL through analysis, along with explanations of how those keys were found. The README explains that xlive.dll was protected using two separate obfuscation layers. One is Microsoft WARBIRD, a code obfuscator that scrambles the DLL's logic to make it harder to read in a debugger. The researcher used existing open-source tools to strip away that layer. The other protection covers two specific functions and uses a commercial product called Syncrosoft MCFACT. Because MCFACT cannot be cleanly reversed, the researcher extracted the lookup tables it uses directly from the DLL. The README also includes a detailed walkthrough of how xlive.dll stores sensitive data in memory using a construct called a protected buffer. The buffer structure adds a runtime-derived constant to any pointer before storing it, and some buffers XOR their contents across two separate arrays so that the real value is never sitting in memory in plain form. Also included are binary pattern files for a hex editor called ImHex, a configuration file for an anti-anti-debug tool called ScyllaHide, a patch that disables one of xlive's integrity checks to make debugging easier, and a collection of analysis scripts. The project is oriented toward game modding and preservation research.

Yoink these prompts

Prompt 1
Explain how the xwife tool reimplements xlive.dll's encryption from scratch.
Prompt 2
Walk me through how the WARBIRD obfuscation layer was stripped away.
Prompt 3
Show me how protected buffers store sensitive data in memory in this research.
Prompt 4
What is Games for Windows Live and why does this repository target it?

Frequently asked questions

wtf is xlive-research?

Reverse engineering research and tools that reimplement the encryption inside Microsoft's discontinued Games for Windows Live DLL.

What language is xlive-research written in?

Mainly C++. The stack also includes C++, ImHex, ScyllaHide.

How hard is xlive-research to set up?

Setup difficulty is rated hard, with roughly 1day+ to a first successful run.

Who is xlive-research for?

Mainly developer.

View the repo → Decode another repo

This repo across BitVibe Labs

Don't trust strangers blindly. Verify against the repo.