I was talking to Bombsaway a few days ago and he was saying that the old method of ciphering a file (pumping shit onto the end of the file) no longer works with CA. It just so happens I was bored at the time so I wrote this simple little cipher. Basically it just manipulates a few values within the PE structure and also rewrites some data into the .text section.
This, unlike the older ciphers, should work to fool Nexon's hash logic.
Using it is pretty straightforward:
- Download the .zip and extract it
- Run "Simple PE Cipher.exe"
- Press the browse button to locate your .dll
- Press "Run Cipher". If all goes as expected, you should see a "Cipher Completed Successfully" message box appear.
- Inject the .dll. A backup of the original .dll is also created (with a .bak extension) in the same directory as the ciphered dll so you can revert at any time if something goes wrong.
Written in Win32 C++ for teh lulz.
If you have any issues with it, please feel free to PM me or post in the thread; I'll do my best to rectify the issues.
No idea why this had those two scanners report a backdoor to be honest. Perhaps because I'm using some I/O API, dunno.
Anyways, enjoy, and report back with results.