Originally Posted by Jason
Basically, one way Nexon can detect hack attempts is to take a "hash" of the .dll when it's injected. They then compare this hash to a list of "blacklisted" dlls and if there is a match, they report a hack detection and exit. The purpose of a cipher like this is to change up some data within the .dll so that the hash of the file changes. Previously this was achieved by writing a few extra bytes of data to the end of the file. However, recently Nexon have changed the way they hash the dll (rather than simply hashing the entire file, they hash only a portion of the file), which is why some of the old ciphers have stopped working.
My method modifies safe data within the file itself (through the documented PE structure), and is thus more likely to modify the portion of the file that Nexon hashes (most likely the executable sections, but not 100% sure so I modify a few different areas). The idea, of course, is to not break the .dll itself when modifying data.
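As an added illustration of the detection side described in the quoted post (this is example code written for this page, not Jason's cipher or anything from Nexon's client), the script below parses the PE section table with only the standard library and compares a whole-file hash with a hash that covers only executable sections. It builds a constructed, minimal, non-loadable PE image inline so it runs offline; the section layout and the `hash_executable_sections` policy are assumptions for the demonstration, not a description of what any real anti-cheat actually hashes. Running it shows why appending bytes to the end of a file changes the whole-file hash but leaves a section-aware hash untouched.

```python
import hashlib
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section characteristics flag from the PE spec


def parse_sections(data: bytes):
    """Return (name, characteristics, raw_offset, raw_size) for each section in a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    sect_table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        off = sect_table + i * 40  # each IMAGE_SECTION_HEADER is 40 bytes
        name, _vsize, _va, raw_size, raw_ptr, _r1, _r2, _n1, _n2, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), chars, raw_ptr, raw_size))
    return sections


def hash_whole_file(data: bytes) -> str:
    """Naive policy: hash every byte, including anything appended after the last section."""
    return hashlib.sha256(data).hexdigest()


def hash_executable_sections(data: bytes) -> str:
    """Section-aware policy (assumed for this example): hash only the raw bytes of executable sections."""
    h = hashlib.sha256()
    for _name, chars, off, size in parse_sections(data):
        if chars & IMAGE_SCN_MEM_EXECUTE:
            h.update(data[off:off + size])
    return h.hexdigest()


def per_section_digests(data: bytes) -> dict:
    """Per-section SHA-256 digests, useful when diffing two images to see which section changed."""
    return {name: hashlib.sha256(data[off:off + size]).hexdigest()
            for name, _chars, off, size in parse_sections(data)}


def build_sample_pe() -> bytes:
    """Construct a minimal PE image for parsing only (it is not loadable): one code and one data section."""
    img = bytearray(0x120)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)  # e_lfanew -> PE signature at 0x40
    img[0x40:0x44] = b"PE\0\0"
    # i386, 2 sections, no optional header (parser-only image), EXECUTABLE_IMAGE | 32BIT | DLL
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 2, 0, 0, 0, 0, 0x2102)
    sect_table = 0x44 + 20
    text_chars = 0x60000020  # CODE | MEM_EXECUTE | MEM_READ
    data_chars = 0xC0000040  # INITIALIZED_DATA | MEM_READ | MEM_WRITE
    struct.pack_into("<8sIIIIIIHHI", img, sect_table, b".text", 16, 0x1000, 16, 0x100, 0, 0, 0, 0, text_chars)
    struct.pack_into("<8sIIIIIIHHI", img, sect_table + 40, b".data", 16, 0x2000, 16, 0x110, 0, 0, 0, 0, data_chars)
    img[0x100:0x110] = bytes(range(0x90, 0xA0))  # constructed stand-in for code bytes
    img[0x110:0x120] = b"constructed data"       # exactly 16 bytes of constructed data
    return bytes(img)


if __name__ == "__main__":
    original = build_sample_pe()
    padded = original + b"\x00" * 8  # trailing bytes outside every section
    print("whole-file hash changed: ", hash_whole_file(original) != hash_whole_file(padded))
    print("section hash changed:    ", hash_executable_sections(original) != hash_executable_sections(padded))
    print("per-section digests:     ", per_section_digests(original))
```

From a detection-engineering view, the takeaway is that a hash policy anchored to the parsed section table is what makes trailing padding irrelevant; the per-section digests also tell a responder which part of an image differs from a known-good copy, which a single whole-file hash cannot.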