Internal working of NoxenGuard

**-Bl00d-** · 01-20-2013

was just looking for a new way to bypass HS
found all the internals here. im not an asm god or anything
but this could be useful to a few people here

Code:

3AFE0001     dec ebp
3AFE0002     pop edx
3AFE0003     nop 
3AFE0005      add byte ptr [ebx], al
3AFE0007     add byte ptr [eax], al
3AFE000A     add byte ptr [eax+eax], al
3AFE000C    add byte ptr [eax], al
3AFE000B       Unknown operand
3AFE000B     add byte ptr [eax], al
3AFE000D    add bh, bh
3AFE000F     inc dword ptr [eax]
3AFE0015     add byte ptr [eax+00000000h], bh
3AFE0017     add byte ptr [eax], al
3AFE001A     add byte ptr [eax+00h], al
3AFE001C    add byte ptr [eax], al
3AFE0020     cmp byte ptr [edx+03h], 00000000h
3AFE0022     add byte ptr [eax], al
3AFE0024     add byte ptr [eax], al
3AFE0026     add byte ptr [eax], al
3AFE0028     add byte ptr [eax], al
3AFE002A     add byte ptr [eax], al
3AFE002C    add byte ptr [eax], al
3AFE002E     add byte ptr [eax], al
3AFE0030     add byte ptr [eax], al
3AFE0032     add byte ptr [eax], al
3AFE0034     add byte ptr [eax], al
3AFE0036     add byte ptr [eax], al
3AFE0038     add byte ptr [eax], al
3AFE003A     add byte ptr [eax], al
3AFE003C    add byte ptr [eax], al

Code:

3AFE0041     call 48FE0041h // <- calling something from Engine here
3AFE0042     pop ds
3AFE0047     mov edx, 09B4000Eh
3AFE0049     int 21h
3AFE004E     mov eax, 21CD4C01h
3AFE004F     push esp
3AFE0054      push 70207369h
3AFE0056     jc 3AFE00C5h
3AFE0059     jc 3AFE00BAh
3AFE005A     insd 
3AFE005D    and byte ptr [ebx+61h], ah
3AFE005E     outsb 
3AFE005F     outsb 
3AFE0060     outsd 
3AFE0062     je 3AFE0082h
3AFE0065     bound esp, dword ptr [ebp+20h]
3AFE0067     jc 3AFE00DCh
3AFE0068     outsb 
3AFE006B     and byte ptr [ecx+6Eh], ch
3AFE006F     and byte ptr [edi+ecx*2+53h], al
3AFE0072     and byte ptr [ebp+6Fh], ch
3AFE007          A or eax, 00240A0Dh
3AFE007C    add byte ptr [eax], al
3AFE007E     add byte ptr [eax], al
3AFE0080     add byte ptr [eax], al
3AFE0082     arpl word ptr [edi], sp
3AFE0083     pop ecx
3AFE0085     in eax, 27h
3AFE0086     inc esi
3AFE0087     aaa 
3AFE0089     mov dh, 27h
3AFE008A     inc esi
3AFE008B     aaa 
3AFE008D    mov dh, 27h
3AFE008E     inc esi
3AFE008F     aaa 
3AFE0091     mov dh, 2Eh
3AFE0097     mov byte ptr [374633B6h], al //  <- Ref to CShell here
3AFE0099     mov dh, 2Eh
3AFE009C    mov ah, B6h
3AFE009D    pop esi
3AFE009E     inc esi
3AFE009F     aaa 
3AFE00A1     mov dh, 2Eh
3AFE00A4     mov bl, B6h
3AFE00A6     adc al, 00000046h
3AFE00A7     aaa 
3AFE00A9      mov dh, 00h
3AFE00AE     or byte ptr [esi+esi*4+24h], 00000046h
3AFE00AF     aaa 
3AFE00B1      mov dh, 27h
3AFE00B2     inc esi
3AFE00B5     mov dh, 48h
3AFE00B6            inc esi
3AFE00B7            aaa 
3AFE00B9            mov dh, 2Eh
3AFE00BF     mov ebp, 37462CB6h // <- CShell again
3AFE00C1    mov dh, 2Eh
3AFE00C3    movsd 
3AFE00C5    mov dh, 26h
3AFE00C6    inc esi
3AFE00C7    aaa 
3AFE00C9    mov dh, 39h
3AFE00CB    adc al, FFFFFFA3h
3AFE00CD    mov dh, 26h
3AFE00CE    inc esi
3AFE00CF           aaa 
3AFE00D1    mov dh, 2Eh
3AFE00D3    cmpsb 
3AFE00D5    mov dh, 26h
3AFE00D6    inc esi

EDIT: wtf is with these retarded code tags lately?
also LOL @ my fail of spelling "Nexon" wrong

**ZysorceN** · 01-20-2013

what's this fuckery?

**Acea** · 01-20-2013

This gave me a boner...

**-Bl00d-** · 01-20-2013

Originally Posted by ZysorceN

what's this fuckery?

This is the memory of the NexonGuard.aes

Originally Posted by Acea

This gave me a boner...

also have one for EHSvc if you like

**[MPGH]Flengo** · 01-20-2013

Tbh; I'm shittier in assembly than you are, but this looks like a bunch of junk to me.

Doesn't seem like its doing anything

Now once again, I'm shit in asm.

**-Bl00d-** · 01-20-2013

Originally Posted by Flengo

Tbh; I'm shittier in assembly than you are, but this looks like a bunch of junk to me.

Doesn't seem like its doing anything

Now once again, I'm shit in asm.

Most of it is junk of just adding random shit
(go figure its nexon) i think they do it to throw you off
but this is whats happening with nexonguard.aes
as you are playing the game IE in game checks and shit just gott look further into it

**Ch40zz-C0d3r** · 01-20-2013

God...
Stop it from loading and youre done, there is one check for all functions. If you bypass that check you can simply return the load function and youre done.

**-Bl00d-** · 01-20-2013

Originally Posted by Ch40zz-C0d3r

God...
Stop it from loading and youre done, there is one check for all functions. If you bypass that check you can simply return the load function and youre done.

lol! im like 4 steps behind you chaozz
what you have already acompished and got bored with most here are just figuring out lol

**monz2** · 01-20-2013

good shit bro

**HellSpider** · 01-28-2013

Originally Posted by -Bl00d-

Most of it is junk of just adding random shit
(go figure its nexon) i think they do it to throw you off
but this is whats happening with nexonguard.aes
as you are playing the game IE in game checks and shit just gott look further into it

You're viewing the PE header of NexonGuard.dll as ASM code while it's just data. You can skip the first 0x1000 bytes from the module base before the code starts.

Originally Posted by Flengo

Tbh; I'm shittier in assembly than you are, but this looks like a bunch of junk to me.

Doesn't seem like its doing anything

Now once again, I'm shit in asm.

The info is indeed "junk" as it's not code at all.

**zdacom** · 01-28-2013

Originally Posted by -Bl00d-

3AFE002E add byte ptr [eax], al
3AFE0030 add byte ptr [eax], al
3AFE0032 add byte ptr [eax], al
3AFE0034 add byte ptr [eax], al
3AFE0036 add byte ptr [eax], al
3AFE0038 add byte ptr [eax], al
3AFE003A add byte ptr [eax], al

btw only zeros so it is really junk, u just dumping shit

Originally Posted by -Bl00d-

3AFE002E add byte ptr [eax], al
3AFE0030 - 00 00 - add byte ptr [eax], al
3AFE0032 - 00 00 - add byte ptr [eax], al
3AFE0034 - 00 00 - add byte ptr [eax], al
3AFE0036 - 00 00 - add byte ptr [eax], al
3AFE0038 - 00 00 - add byte ptr [eax], al
3AFE003A - 00 00 - add byte ptr [eax], al

**Departure** · 01-29-2013

in olly debug right click and select analyze code.........

**HellSpider** · 01-29-2013

Originally Posted by zdacom

btw only zeros so it is really junk, u just dumping shit

Zeroes have nothing to do with stuff being junk in general, the problem is just that he is looking at the wrong memory page.

Originally Posted by Departure

in olly debug right click and select analyze code.........

Wont help as the bytes shown at that address are not code, they're part of the PE header (= data). Though if the page is recognized as the PE header, he might get some structure information with the data instead.

But anyway, that's nothing interesting in this case.

**Departure** · 01-30-2013

@HellSpider

that's my point if you analyze the code it should be "DB" which will show "00"

//Edit
for example non analyzed code in olly will always be "add byte ptr [eax], al" for 00's. and you are correct it looks more like a padding to a given structure, also like you said it could be a possible header.

Also "mov byte ptr [374633B6h], al // <- Ref to CShell here" it is moving value in al which is a lower part EAX in to that address, which indicates its just a variable, but yes given the address it would be safe to assume its a variable in CShell, But im pretty sure it has nothing to do with bypassing ect..

**HellSpider** · 01-30-2013

Originally Posted by Departure

@HellSpider

that's my point if you analyze the code it should be "DB" which will show "00"

//Edit
for example non analyzed code in olly will always be "add byte ptr [eax], al" for 00's. and you are correct it looks more like a padding to a given structure, also like you said it could be a possible header.

Also "mov byte ptr [374633B6h], al // <- Ref to CShell here" it is moving value in al which is a lower part EAX in to that address, which indicates its just a variable, but yes given the address it would be safe to assume its a variable in CShell, But im pretty sure it has nothing to do with bypassing ect..

Ah you meant it that way, yes it's true the zero data should turn into "db 00", didn't think about that. My bad.

And I know 100% it's the PE header, it's not a "possible" header.

And to that last part, it's not safe to assume it's a variable in CShell. There are misinterpreted data fragments that Olly tries it's best to convert into ASM intructions. It's just "bad luck" that the bytes are in an order that looks like valid code. In reality, that particular instruction does not exist.

3AFE0000 - 3AFE1000 -> PE Header (0x1000 byte page allocation, in file data the header is smaller).
3AFE1000 - ... -> Code section = Valid instructions

Thread: Internal working of NoxenGuard

Thread Tools

Display

Internal working of NoxenGuard

The Following 2 Users Say Thank You to -Bl00d- For This Useful Post:

The Following User Says Thank You to ZysorceN For This Useful Post:

The Following 2 Users Say Thank You to Acea For This Useful Post:

The Following User Says Thank You to -Bl00d- For This Useful Post:

The Following User Says Thank You to Ch40zz-C0d3r For This Useful Post:

The Following 3 Users Say Thank You to HellSpider For This Useful Post:

The Following User Says Thank You to Departure For This Useful Post:

The Following User Says Thank You to HellSpider For This Useful Post:

Similar Threads

working international unpatched virtual jump

chams working for international

Working Gunz International hack(Feb 2008)

Plz I Want Maple Global Hacks And Where Do I Get Game Engine 2 Make The Hacks Work???

Some of my work