  1. #1
    -Bl00d-'s Avatar

    Internal working of NoxenGuard

    Was just looking for a new way to bypass HS,
    found all the internals here. I'm not an asm god or anything,
    but this could be useful to a few people here.

    Code:
    3AFE0001     dec ebp
    3AFE0002     pop edx
    3AFE0003     nop 
    3AFE0005      add byte ptr [ebx], al
    3AFE0007     add byte ptr [eax], al
    3AFE000A     add byte ptr [eax+eax], al
    3AFE000C    add byte ptr [eax], al
    3AFE000B       Unknown operand
    3AFE000B     add byte ptr [eax], al
    3AFE000D    add bh, bh
    3AFE000F     inc dword ptr [eax]
    3AFE0015     add byte ptr [eax+00000000h], bh
    3AFE0017     add byte ptr [eax], al
    3AFE001A     add byte ptr [eax+00h], al
    3AFE001C    add byte ptr [eax], al
    3AFE0020     cmp byte ptr [edx+03h], 00000000h
    3AFE0022     add byte ptr [eax], al
    3AFE0024     add byte ptr [eax], al
    3AFE0026     add byte ptr [eax], al
    3AFE0028     add byte ptr [eax], al
    3AFE002A     add byte ptr [eax], al
    3AFE002C    add byte ptr [eax], al
    3AFE002E     add byte ptr [eax], al
    3AFE0030     add byte ptr [eax], al
    3AFE0032     add byte ptr [eax], al
    3AFE0034     add byte ptr [eax], al
    3AFE0036     add byte ptr [eax], al
    3AFE0038     add byte ptr [eax], al
    3AFE003A     add byte ptr [eax], al
    3AFE003C    add byte ptr [eax], al
    Code:
    3AFE0041     call 48FE0041h // <- calling something from Engine here
    3AFE0042     pop ds
    3AFE0047     mov edx, 09B4000Eh
    3AFE0049     int 21h
    3AFE004E     mov eax, 21CD4C01h
    3AFE004F     push esp
    3AFE0054      push 70207369h
    3AFE0056     jc 3AFE00C5h
    3AFE0059     jc 3AFE00BAh
    3AFE005A     insd 
    3AFE005D    and byte ptr [ebx+61h], ah
    3AFE005E     outsb 
    3AFE005F     outsb 
    3AFE0060     outsd 
    3AFE0062     je 3AFE0082h
    3AFE0065     bound esp, dword ptr [ebp+20h]
    3AFE0067     jc 3AFE00DCh
    3AFE0068     outsb 
    3AFE006B     and byte ptr [ecx+6Eh], ch
    3AFE006F     and byte ptr [edi+ecx*2+53h], al
    3AFE0072     and byte ptr [ebp+6Fh], ch
    3AFE007A     or eax, 00240A0Dh
    3AFE007C    add byte ptr [eax], al
    3AFE007E     add byte ptr [eax], al
    3AFE0080     add byte ptr [eax], al
    3AFE0082     arpl word ptr [edi], sp
    3AFE0083     pop ecx
    3AFE0085     in eax, 27h
    3AFE0086     inc esi
    3AFE0087     aaa 
    3AFE0089     mov dh, 27h
    3AFE008A     inc esi
    3AFE008B     aaa 
    3AFE008D    mov dh, 27h
    3AFE008E     inc esi
    3AFE008F     aaa 
    3AFE0091     mov dh, 2Eh
    3AFE0097     mov byte ptr [374633B6h], al //  <- Ref to CShell here
    3AFE0099     mov dh, 2Eh
    3AFE009C    mov ah, B6h
    3AFE009D    pop esi
    3AFE009E     inc esi
    3AFE009F     aaa 
    3AFE00A1     mov dh, 2Eh
    3AFE00A4     mov bl, B6h
    3AFE00A6     adc al, 00000046h
    3AFE00A7     aaa 
    3AFE00A9      mov dh, 00h
    3AFE00AE     or byte ptr [esi+esi*4+24h], 00000046h
    3AFE00AF     aaa 
    3AFE00B1      mov dh, 27h
    3AFE00B2     inc esi
    3AFE00B5     mov dh, 48h
    3AFE00B6     inc esi
    3AFE00B7     aaa 
    3AFE00B9     mov dh, 2Eh
    3AFE00BF     mov ebp, 37462CB6h // <- CShell again
    3AFE00C1    mov dh, 2Eh
    3AFE00C3    movsd 
    3AFE00C5    mov dh, 26h
    3AFE00C6    inc esi
    3AFE00C7    aaa 
    3AFE00C9    mov dh, 39h
    3AFE00CB    adc al, FFFFFFA3h
    3AFE00CD    mov dh, 26h
    3AFE00CE    inc esi
    3AFE00CF    aaa 
    3AFE00D1    mov dh, 2Eh
    3AFE00D3    cmpsb 
    3AFE00D5    mov dh, 26h
    3AFE00D6    inc esi
    
    EDIT: wtf is with these retarded code tags lately?
    also LOL @ my fail of spelling "Nexon" wrong
    Last edited by -Bl00d-; 01-20-2013 at 03:10 AM. Reason: added few comments

  2. The Following 2 Users Say Thank You to -Bl00d- For This Useful Post:

    monz2 (01-20-2013),The Decoder (01-21-2013)

  3. #2
    ZysorceN's Avatar
    what's this fuckery?

  4. The Following User Says Thank You to ZysorceN For This Useful Post:

    Acea (01-20-2013)

  5. #3
    Acea's Avatar
    This gave me a boner...

  6. The Following 2 Users Say Thank You to Acea For This Useful Post:

    -Bl00d- (01-20-2013),The Decoder (01-21-2013)

  7. #4
    -Bl00d-'s Avatar
    Quote Originally Posted by ZysorceN View Post
    what's this fuckery?
    This is the memory of the NexonGuard.aes


    Quote Originally Posted by Acea View Post
    This gave me a boner...
    also have one for EHSvc if you like
    Last edited by -Bl00d-; 01-20-2013 at 04:34 AM.

  8. #5
    Flengo's Avatar
    Tbh; I'm shittier in assembly than you are, but this looks like a bunch of junk to me.

    Doesn't seem like it's doing anything

    Now once again, I'm shit in asm.




  9. #6
    -Bl00d-'s Avatar
    Quote Originally Posted by Flengo View Post
    Tbh; I'm shittier in assembly than you are, but this looks like a bunch of junk to me.

    Doesn't seem like it's doing anything

    Now once again, I'm shit in asm.
    Most of it is junk, just adding random shit
    (go figure, it's Nexon). I think they do it to throw you off,
    but this is what's happening with nexonguard.aes
    as you are playing the game, i.e. in-game checks and shit. Just gotta look further into it.

  10. The Following User Says Thank You to -Bl00d- For This Useful Post:

    [MPGH]Flengo (01-20-2013)

  11. #7
    Ch40zz-C0d3r's Avatar
    God...
    Stop it from loading and you're done, there is one check for all functions. If you bypass that check you can simply return the load function and you're done.


  12. The Following User Says Thank You to Ch40zz-C0d3r For This Useful Post:

    -Bl00d- (01-20-2013)

  13. #8
    -Bl00d-'s Avatar
    Quote Originally Posted by Ch40zz-C0d3r View Post
    God...
    Stop it from loading and you're done, there is one check for all functions. If you bypass that check you can simply return the load function and you're done.
    lol! I'm like 4 steps behind you chaozz
    what you have already accomplished and got bored with, most here are just figuring out lol

  14. #9
    monz2's Avatar
    good shit bro

  15. #10
    HellSpider's Avatar
    Quote Originally Posted by -Bl00d- View Post


    Most of it is junk, just adding random shit
    (go figure, it's Nexon). I think they do it to throw you off,
    but this is what's happening with nexonguard.aes
    as you are playing the game, i.e. in-game checks and shit. Just gotta look further into it.
    You're viewing the PE header of NexonGuard.dll as ASM code while it's just data. You can skip the first 0x1000 bytes from the module base before the code starts.

    Quote Originally Posted by Flengo View Post
    Tbh; I'm shittier in assembly than you are, but this looks like a bunch of junk to me.

    Doesn't seem like it's doing anything

    Now once again, I'm shit in asm.
    The info is indeed "junk" as it's not code at all.

  16. The Following 3 Users Say Thank You to HellSpider For This Useful Post:

    Departure (01-28-2013),[MPGH]Flengo (01-28-2013),Saltine (01-28-2013)

  17. #11
    zdacom's Avatar
    Quote Originally Posted by -Bl00d- View Post
    3AFE002E add byte ptr [eax], al
    3AFE0030 add byte ptr [eax], al
    3AFE0032 add byte ptr [eax], al
    3AFE0034 add byte ptr [eax], al
    3AFE0036 add byte ptr [eax], al
    3AFE0038 add byte ptr [eax], al
    3AFE003A add byte ptr [eax], al
    btw only zeros so it is really junk, u just dumping shit


    Quote Originally Posted by -Bl00d- View Post
    3AFE002E add byte ptr [eax], al
    3AFE0030 - 00 00 - add byte ptr [eax], al
    3AFE0032 - 00 00 - add byte ptr [eax], al
    3AFE0034 - 00 00 - add byte ptr [eax], al
    3AFE0036 - 00 00 - add byte ptr [eax], al
    3AFE0038 - 00 00 - add byte ptr [eax], al
    3AFE003A - 00 00 - add byte ptr [eax], al

  18. #12
    Departure's Avatar
    in olly debug right click and select analyze code.........

  19. #13
    HellSpider's Avatar
    Quote Originally Posted by zdacom View Post
    btw only zeros so it is really junk, u just dumping shit
    Zeroes have nothing to do with stuff being junk in general, the problem is just that he is looking at the wrong memory page.

    Quote Originally Posted by Departure View Post
    in olly debug right click and select analyze code.........
    Won't help as the bytes shown at that address are not code, they're part of the PE header (= data). Though if the page is recognized as the PE header, he might get some structure information with the data instead.

    But anyway, that's nothing interesting in this case.
    Last edited by HellSpider; 01-29-2013 at 11:34 AM.

  20. #14
    Departure's Avatar
    @HellSpider

    that's my point if you analyze the code it should be "DB" which will show "00"

    //Edit
    for example non analyzed code in olly will always be "add byte ptr [eax], al" for 00's. and you are correct it looks more like a padding to a given structure, also like you said it could be a possible header.

    Also "mov byte ptr [374633B6h], al // <- Ref to CShell here": it is moving the value in al, which is the lower part of EAX, into that address, which indicates it's just a variable, but yes, given the address it would be safe to assume it's a variable in CShell. But I'm pretty sure it has nothing to do with bypassing etc.
    Last edited by Departure; 01-30-2013 at 08:52 AM. Reason: giving explanation

  21. The Following User Says Thank You to Departure For This Useful Post:

    [MPGH]Flengo (01-30-2013)

  22. #15
    HellSpider's Avatar
    Quote Originally Posted by Departure View Post
    @HellSpider

    that's my point if you analyze the code it should be "DB" which will show "00"

    //Edit
    for example non analyzed code in olly will always be "add byte ptr [eax], al" for 00's. and you are correct it looks more like a padding to a given structure, also like you said it could be a possible header.

    Also "mov byte ptr [374633B6h], al // <- Ref to CShell here": it is moving the value in al, which is the lower part of EAX, into that address, which indicates it's just a variable, but yes, given the address it would be safe to assume it's a variable in CShell. But I'm pretty sure it has nothing to do with bypassing etc.
    Ah you meant it that way, yes it's true the zero data should turn into "db 00", didn't think about that. My bad.

    And I know 100% it's the PE header, it's not a "possible" header.

    And to that last part, it's not safe to assume it's a variable in CShell. There are misinterpreted data fragments that Olly tries its best to convert into ASM instructions. It's just "bad luck" that the bytes are in an order that looks like valid code. In reality, that particular instruction does not exist.

    3AFE0000 - 3AFE1000 -> PE Header (0x1000 byte page allocation, in file data the header is smaller).
    3AFE1000 - ... -> Code section = Valid instructions

  23. The Following User Says Thank You to HellSpider For This Useful Post:

    [MPGH]Flengo (01-30-2013)
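
The header-versus-code layout HellSpider describes in the last post, as an added example that is not part of any post in the thread: a small parser that reads the PE header found at a module base and says whether a given address lies in the header page or in a section. The header bytes are constructed for the demo (they are not NexonGuard's), the function names are hypothetical, and the base 0x3AFE0000 is taken from the addresses in the listing.

```python
import struct

BASE = 0x3AFE0000  # module base taken from the addresses in the thread

def build_sample_header():
    """Constructed minimal PE32 header for the demo (not NexonGuard's bytes)."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"                          # 4D 5A: x86 reads it as dec ebp / pop edx
    struct.pack_into("<I", dos, 0x3C, 0x80)   # e_lfanew: file offset of "PE\0\0"
    stub = b"This program cannot be run in DOS mode.\r\r\n$"
    dos[0x4E:0x4E + len(stub)] = stub         # ASCII text, also "disassembles"
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)     # PE32 magic
    struct.pack_into("<I", opt, 32, 0x1000)   # SectionAlignment
    struct.pack_into("<I", opt, 60, 0x400)    # SizeOfHeaders as stored in the file
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x2000, 0x1000, 0x2000,
                       0x400, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text

def parse_layout(image):
    """Return (mapped header size, [(name, start_rva, end_rva, is_code)])."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature at module base")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    nsect, opt_size = struct.unpack_from("<H12xH", image, e_lfanew + 6)
    opt = e_lfanew + 24
    align, hdr_size = struct.unpack_from("<I24xI", image, opt + 32)
    up = lambda n: -(-n // align) * align     # round up to SectionAlignment
    sections = []
    for i in range(nsect):
        name, vsize, va, *_, flags = struct.unpack_from(
            "<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, va + up(vsize),
                         bool(flags & 0x20)))  # IMAGE_SCN_CNT_CODE
    return up(hdr_size), sections

def classify(image, addr, base=BASE):
    """Say whether a virtual address falls in the header or in a section."""
    hdr_end, sections = parse_layout(image)
    rva = addr - base
    if 0 <= rva < hdr_end:
        return "PE header (data)"
    for name, start, end, is_code in sections:
        if start <= rva < end:
            return f"{name} ({'code' if is_code else 'data'})"
    return "outside image"
```

With the constructed header, the 0x400-byte file header rounds up to one 0x1000-byte page in memory, so every address in the posted listing classifies as header data and the first code address is base + 0x1000.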
