Unpacked + Devirtualized NexonGuard/BlackCipher Modules

02/04/2013 20:30 HellSpider#1
Hi.

I thought that the community might find the readable and fixed code of NexonGuard/BlackCipher useful. :)

So what has been done?

+ BlackCipher.exe (BlackCipher.aes) - Unpacked Themida and devirtualized all virtualized code blocks and deobfuscated almost all codereplaced blocks of code.
+ BlackCall.dll (BlackCall.aes) - Devirtualized all CodeVirtualizer code blocks.
+ BlackXchg.dll (BlackXchg.aes) - Devirtualized all CodeVirtualizer code blocks.
+ BlackGate.dll (BlackGate.aes) - Devirtualized all CodeVirtualizer code blocks.
+ NexonGuard.dll (NexonGuard.aes) - Devirtualized all CodeVirtualizer code blocks.
+ eTracer.exe (eTracer.aes) - Unpacked UPX shell

What can I do with these? Is this a bypass?

The files are almost like the original ones on the inside, meaning you can efficiently analyze the inner workings of these files with a disassembler or debugger (IDA, OllyDbg...).
These files are not a bypass.

Lolwut, I can just dump the modules myself, what differs in these?

If you dump the modules, your imports are broken and the virtualized and codereplaced code is not restored, meaning that you can't make heads or tails of the interesting code when analyzing your dumps.

Why did you post these files here, and not in the anticheat area?

I think these files are only used in CombatArms, thus this section is very relevant.

The filename extensions were all ".aes", how did you decrypt them?

The filename extensions are only to fool beginners. The real extensions are EXE/DLL; just a simple renaming is needed.



Scans for the paranoid people:

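An added example, not part of the original post or of any Nexon or HellSpider code: since the post says the ".aes" extension is cosmetic and the files are really EXE/DLL, a file's true type can be confirmed from its PE headers rather than its name, and the section table shows the default UPX section names the post's UPX-packed module would have carried before unpacking. The sample bytes and file names below are constructed for illustration.

```python
import struct

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit set for DLL images

def build_sample_pe(is_dll, section_names):
    """Build a header-only PE32 image (constructed sample, not a real module)."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)  # e_lfanew lives at 0x3C
    opt_size = 224                                      # PE32 optional header size
    chars = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0, opt_size, chars)
    opt = struct.pack("<H", 0x10B) + b"\x00" * (opt_size - 2)
    sections = b"".join(n.encode().ljust(8, b"\x00") + b"\x00" * 32 for n in section_names)
    return dos + b"PE\x00\x00" + coff + opt + sections

def classify_pe(data):
    """Return (kind, section_names); kind is 'EXE', 'DLL' or None if not a PE."""
    if len(data) < 64 or data[:2] != b"MZ":
        return None, []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None, []
    fields = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    nsections, opt_size, chars = fields[1], fields[5], fields[6]
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    names = []
    for i in range(nsections):
        off = table + i * 40          # each section header is 40 bytes
        if off + 40 > len(data):
            break                     # truncated section table
        names.append(data[off:off + 8].rstrip(b"\x00").decode("ascii", "replace"))
    return ("DLL" if chars & IMAGE_FILE_DLL else "EXE"), names

def looks_upx_packed(names):
    """UPX names its sections UPX0/UPX1 by default (a hint, easily altered)."""
    return any(n.startswith("UPX") for n in names)

if __name__ == "__main__":
    # Hypothetical file names mapped to constructed header bytes.
    samples = {
        "sample_a.aes": build_sample_pe(False, ["UPX0", "UPX1", ".rsrc"]),
        "sample_b.aes": build_sample_pe(True, [".text", ".rdata", ".data"]),
        "sample_c.aes": b"\x00" * 128,  # not a PE at all
    }
    for name, blob in samples.items():
        kind, secs = classify_pe(blob)
        print(name, kind, secs, "UPX-like" if looks_upx_packed(secs) else "")
```
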
02/09/2013 15:42 Lawliet#2
approved
02/09/2013 18:40 Waller66#3
nice works thanks man :)
02/09/2013 19:04 StuffyxHD#4
Works <3
02/10/2013 16:59 salemanks#5
German Pls ;D
02/11/2013 23:10 Astr0nautx3#6
Pls tell me in German what that program does >.<
02/11/2013 23:27 xxfabbelxx#7
Quote:
Originally Posted by salemanks View Post
German Pls ;D
Quote:
Originally Posted by Astr0nautx3 View Post
Pls tell me in German what that program does >.<
If you can't speak English, this release is of no relevance to you.
02/14/2013 15:12 Astr0nautx3#8
Quote:
Originally Posted by xxfabbelxx View Post
If you can't speak English, this release is of no relevance to you.
Yes, but I'd still be interested in what it does :)
02/14/2013 19:00 proxlive#9
very nice bro thanks
03/19/2013 09:46 barsol20000#10
how to install ?

Quote:
Originally Posted by HellSpider View Post
Hi.

I thought that the community might find the readable and fixed code of NexonGuard/BlackCipher useful. :)

So what has been done?

+ BlackCipher.exe (BlackCipher.aes) - Unpacked Themida and devirtualized all virtualized code blocks and deobfuscated almost all codereplaced blocks of code.
+ BlackCall.dll (BlackCall.aes) - Devirtualized all CodeVirtualizer code blocks.
+ BlackXchg.dll (BlackXchg.aes) - Devirtualized all CodeVirtualizer code blocks.
+ BlackGate.dll (BlackGate.aes) - Devirtualized all CodeVirtualizer code blocks.
+ NexonGuard.dll (NexonGuard.aes) - Devirtualized all CodeVirtualizer code blocks.
+ eTracer.exe (eTracer.aes) - Unpacked UPX shell

What can I do with these? Is this a bypass?

The files are almost like the original ones on the inside, meaning you can efficiently analyze the inner workings of these files with a disassembler or debugger (IDA, OllyDbg...).
These files are not a bypass.

Lolwut, I can just dump the modules myself, what differs in these?

If you dump the modules, your imports are broken and the virtualized and codereplaced code is not restored, meaning that you can't make heads or tails of the interesting code when analyzing your dumps.

Why did you post these files here, and not in the anticheat area?

I think these files are only used in CombatArms, thus this section is very relevant.

The filename extensions were all ".aes", how did you decrypt them?

The filename extensions are only to fool beginners. The real extensions are EXE/DLL; just a simple renaming is needed.



Scans for the paranoid people:

how to install ??
03/23/2013 15:27 Kira Mikami#11
Nice !