Results 1 to 11 of 11
  1. #1
    HellSpider's Avatar
    Join Date
    Jun 2010
    Gender
    male
    Posts
    103
    Reputation
    30
    Thanks
    125
    My Mood
    Asleep

    Post Unpacked + Devirtualized NexonGuard/BlackCipher Modules

    Hi.

    I thought that the community might find the readable and fixed code of NexonGuard/BlackCipher useful.

    So what has been done?

    + BlackCipher.exe (BlackCipher.aes) - Unpacked Themida and devirtualized all virtualized code blocks and deobfuscated almost all codereplaced blocks of code.
    + BlackCall.dll (BlackCall.aes) - Devirtualized all CodeVirtualizer code blocks.
    + BlackXchg.dll (BlackXchg.aes) - Devirtualized all CodeVirtualizer code blocks.
    + BlackGate.dll (BlackGate.aes) - Devirtualized all CodeVirtualizer code blocks.
    + NexonGuard.dll (NexonGuard.aes) - Devirtualized all CodeVirtualizer code blocks.
    + eTracer.exe (eTracer.aes) - Unpacked UPX shell

    What can I do with these? Is this a bypass?

    The files are almost like the original ones on the inside, meaning you can efficiently analyze the inner workings of these files with a disassembler or debugger (IDA, OllyDbg...).
    These files are not a bypass.

    Lolwut, I can just dump the modules myself, what differs in these?

    If you dump the modules your imports are broken, the virtualized and codereplaced code is not restored, meaning that you can't make heads or tails of the interesting code when analyzing your dumps.

    Why did you post these files here, and not in the anticheat area?

    I think these files are only used in CombatArms thus this section is very relevant.

    The filename extensions were all ".aes", how did you decrypt them?

    The filename extensions are only to fool beginners, the real extensions are EXE/DLL, just a simple renaming needed.




    Scans for the paranoid people:

    VirusTotal
    Jotti
    <b>Downloadable Files</b> Downloadable Files

  2. The Following 16 Users Say Thank You to HellSpider For This Useful Post:

    Brian62637 (02-14-2013),Ch40zz-C0d3r (02-04-2013),Dave's Sheep #3 (02-17-2013),demtrios (02-14-2013),EstranA (07-15-2013),[MPGH]Flengo (02-04-2013),kssiobr (02-17-2013),mgbx112 (02-17-2013),pDevice (02-04-2013),r3v3rer (05-29-2015),rizha008 (06-09-2013),Saltine (02-04-2013),swiftlycreepin (02-22-2013),Timboy67678 (02-04-2013),vRewind (03-05-2013),_disav0w (02-15-2013)

  3. #2
    Ch40zz-C0d3r's Avatar
    Join Date
    Apr 2011
    Gender
    male
    Posts
    839
    Reputation
    44
    Thanks
    400
    My Mood
    Twisted
    Very nice, thanks for sharing your time with us

    Progress with my game - "Disbanded"
    • Fixed FPS lag on spawning entities due to the ent_preload buffer!
    • Edit the AI code to get some better pathfinding
    • Fixed the view bug within the sniper scope view. The mirror entity is invisible now!
    • Added a new silencer for ALL weapons. Also fixed the rotation bugs
    • Added a ton of new weapons and the choice to choose a silencer for every weapon
    • Created a simple AntiCheat, noobs will cry like hell xD
    • The name will be Disbanded, the alpha starts on the 18th august 2014



    Some new physics fun (Serversided, works on every client)



    My new AI
    http://www.youtube.com/watch?v=EMSB1GbBVl8

    And for sure my 8 months old gameplay with 2 friends
    http://www.youtube.com/watch?v=Na2kUdu4d_k

  4. #3
    [SMA] Paradise`'s Avatar
    Join Date
    Nov 2011
    Gender
    male
    Location
    NOOBNOOBNOOBNOOBNOOBNOOBNOOBNOOBNOOBNOOBNOOBNOOBNOOBNOOBNOOBNOOBNOOBNOOBNOOBNOOBNOOBNOOBNOOBNOOBNOOB
    Posts
    8,928
    Reputation
    1727
    Thanks
    2,978
    My Mood
    Amused
    Seems clean.

    /Approved.

    Refund Services Still RESUMED!

  5. #4
    Flengo's Avatar
    Join Date
    May 2010
    Gender
    male
    Location
    Ontario, Canada
    Posts
    15,690
    Reputation
    3319
    Thanks
    11,101
    My Mood
    Happy
    Looks like I'm a nooby beginner then

    Thanks a lot for sharing.


    I Read All Of My PM's & VM's
    If you need help with anything, just let me know.
     
     
    VM | PM

    Publicist Since 04.04.2015
    Middleman Since Unknown - Unknown
    Global Moderator Since 08.01.2013
    Donator Since 05.29.2013

    Minion+ Since 04.18.2013

    District 187 Minion Since 04.04.2013
    Steam Minion Since 02.26.2013
    WarRock Minion Since 02.19.2013
    A.V.A Minion Since 02.13.2013
    DayZ Minion Since 01.21.2013
    Combat Arms Minion Since 12.26.2012
    Contributor Since 11.16.2012
    Member Since 05.11.2010


  6. #5
    R4v0r's Avatar
    Join Date
    Nov 2012
    Gender
    male
    Location
    London
    Posts
    234
    Reputation
    11
    Thanks
    141
    My Mood
    Amazed
    The only thing I can make up out of BlackCipher crap is that you can make a browser detection bypass. Correct me If I am wrong..

  7. #6
    Saltine's Avatar
    Join Date
    Jun 2011
    Gender
    male
    Posts
    494
    Reputation
    104
    Thanks
    625
    Quote Originally Posted by R4v0r View Post
    The only thing I can make up out of BlackCipher crap is that you can make a browser detection bypass. Correct me If I am wrong..
    If you are unsure, take a look at the files posted by OP, and see what you can figure out.

    Oh no! Vortex is gay!

  8. #7
    N3OH4X's Avatar
    Join Date
    Jan 2013
    Gender
    male
    Posts
    67
    Reputation
    10
    Thanks
    87
    My Mood
    Devilish
    Would this help on bypassing simple string checking ?

  9. #8
    Flengo's Avatar
    Join Date
    May 2010
    Gender
    male
    Location
    Ontario, Canada
    Posts
    15,690
    Reputation
    3319
    Thanks
    11,101
    My Mood
    Happy
    Quote Originally Posted by Saltine View Post

    If you are unsure, take a look at the files posted by OP, and see what you can figure out.
    Quickly looked at BlackCipher.exe for strings and didn't seem like there was much being done in there. Just by that. To me at least, I'm sure I'm wrong

    Need a debugger.


    I Read All Of My PM's & VM's
    If you need help with anything, just let me know.
     
     
    VM | PM

    Publicist Since 04.04.2015
    Middleman Since Unknown - Unknown
    Global Moderator Since 08.01.2013
    Donator Since 05.29.2013

    Minion+ Since 04.18.2013

    District 187 Minion Since 04.04.2013
    Steam Minion Since 02.26.2013
    WarRock Minion Since 02.19.2013
    A.V.A Minion Since 02.13.2013
    DayZ Minion Since 01.21.2013
    Combat Arms Minion Since 12.26.2012
    Contributor Since 11.16.2012
    Member Since 05.11.2010


  10. #9
    ludgerogabriel's Avatar
    Join Date
    Nov 2012
    Gender
    male
    Location
    ᵗʰᵃᶰᵏᵧₒᵤ
    Posts
    175
    Reputation
    10
    Thanks
    7,416
    My Mood
    In Love
    very good......
    Hello, Do you like injectors?
    So be sure to choose some that I did
    Follow this list below

    Eagle Injector
    Advanced Inject
    SC Injector
    RAZER INJECTOR
    injector LudgeroGabriel
    Memes Injector v1.3

    These are the most downloaded, I hope you like

  11. #10
    XarutoUsoCrack's Avatar
    Join Date
    Apr 2011
    Gender
    male
    Location
    CFAL Honra & Glria Server
    Posts
    1,087
    Reputation
    51
    Thanks
    2,482
    My Mood
    Relaxed
    Here located String's:


  12. #11
    HellSpider's Avatar
    Join Date
    Jun 2010
    Gender
    male
    Posts
    103
    Reputation
    30
    Thanks
    125
    My Mood
    Asleep
    Quote Originally Posted by XarutoUsoCrack View Post
    Here located String's:

    It's because NexonGuard/BlackCipher encrypts their log content by generating a random 0x10 sized byte key and encrypts the key with 512-bit RSA. Resulting encrypted modulo is 0x40 bytes long (512. bits = 0x200 bits = 0x200 / 8 bytes = 0x40 bytes) and placed in the log header.

    The encryption key is public but the decryption key is private. So to get the original random generated byte key, one would have to brute force the RSA protection or hack the private key. Or then hook the process and modify Advapi32.CryptEncrypt() inner workings (the way I prefer).

    This information was valid last time I checked, doubt they changed it.

  13. The Following User Says Thank You to HellSpider For This Useful Post:

    _disav0w (02-15-2013)

Similar Threads

  1. NexonGuard Unpacked & Cracked
    By TheRealVB in forum Combat Arms Hack Coding / Programming / Source Code
    Replies: 18
    Last Post: 05-19-2011, 10:32 AM
  2. Unpacked GameGuard rev.1512 Modules
    By HellSpider in forum GameGuard
    Replies: 6
    Last Post: 10-22-2010, 07:42 AM
  3. Unpacked system.mrs
    By 1337Sasuke in forum Gunz Hacks
    Replies: 1
    Last Post: 03-22-2006, 03:05 AM
  4. .mrs Unpacker/Packer
    By SpiderByte in forum Gunz Hacks
    Replies: 2
    Last Post: 02-22-2006, 09:07 AM
  5. Need help with mrs packer/unpacker
    By pesst in forum Gunz General
    Replies: 6
    Last Post: 02-07-2006, 09:22 PM