Originally Posted by TheRealVB
actually it is packed (: that's why it's AES
it's Encrypted+Packed, it's packed using Themida + encrypted using AESCrypt WIN OS version (: if we can figure out the actual main pw for Nexon's we can easily unencrypt it and find out exactly what all it does, because mine that I uploaded isn't showing the full thing >,<
Which CA client do you have? I got CA EU and it's not packed, just change the .aes extension to .dll without any external programs. Then disassemble or debug the file, you'll land directly on the Microsoft Visual C++ 9.0 DLL entry.
Code:
3AFF0521 >/$ 8BFF           mov edi,edi
3AFF0523 |.  55             push ebp
3AFF0524 |.  8BEC           mov ebp,esp
3AFF0526 |.  837D 0C 01     cmp [arg.2],1
3AFF052A |.  75 05          jnz short NexonGua.3AFF0531
3AFF052C |.  E8 C9490000    call NexonGua.3AFF4EFA
3AFF0531 |>  FF75 08        push [arg.1]
3AFF0534 |.  8B4D 10        mov ecx,[arg.3]
3AFF0537 |.  8B55 0C        mov edx,[arg.2]
3AFF053A |.  E8 ECFEFFFF    call NexonGua.3AFF042B
3AFF053F |.  59             pop ecx
3AFF0540 |.  5D             pop ebp
3AFF0541 \.  C2 0C00        retn 0C
Yes, it's true that some parts are "hidden"; they're virtualized, as I said earlier. Themida and CodeVirtualizer use the same virtual machine, but the difference is that CodeVirtualizer does not have antidumps in its virtual machine and CodeVirtualizer won't do anything else than virtual machines, while Themida can mess up the whole file really good.
Code:
3AFE15B0 .  55             push ebp
3AFE15B1 .  8BEC           mov ebp,esp
3AFE15B3 .  6A FF          push -1
3AFE15B5 .  68 28D8FF3A    push NexonGua.3AFFD828
3AFE15BA .  64:A1 0000000>mov eax,dword ptr fs:[0]
3AFE15C0 .  50             push eax
3AFE15C1 .  81EC 50020000  sub esp,250
3AFE15C7 .  A1 5020003B    mov eax,dword ptr ds:[3B002050]
3AFE15CC .  33C5           xor eax,ebp
3AFE15CE .  8945 F0        mov dword ptr ss:[ebp-10],eax
3AFE15D1 .  50             push eax
3AFE15D2 .  8D45 F4        lea eax,dword ptr ss:[ebp-C]
3AFE15D5 .  64:A3 0000000>mov dword ptr fs:[0],eax
3AFE15DB .  898D A4FDFFFF  mov dword ptr ss:[ebp-25C],ecx
3AFE15E1 .- E9 7AAB0300    jmp NexonGua.3B01C160
The code above is an example of a jump to the CodeVirtualizer virtual machine. There are some junk bytes at the place of the real instructions below the jump (those won't get executed).
There are almost 30 virtualized functions, nothing else to worry about.
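As an added example (not part of the original post), the rows of the two listings above can be decoded to confirm the relative branch targets and to flag the `jmp rel32` that leaves the function after its prologue. The helper names and the `FAR` distance threshold are assumptions made for this sketch; a real check would compare the target against the PE section bounds.

```python
import struct

# Rows copied from the OllyDbg listings in the post: address, marks, bytes, text.
LISTING = """\
3AFF052A |. 75 05 jnz short NexonGua.3AFF0531
3AFF052C |. E8 C9490000 call NexonGua.3AFF4EFA
3AFF053A |. E8 ECFEFFFF call NexonGua.3AFF042B
3AFE15D5 . 64:A3 0000000>mov dword ptr fs:[0],eax
3AFE15E1 .- E9 7AAB0300 jmp NexonGua.3B01C160
"""
HEX = set("0123456789ABCDEF:")
FAR = 0x10000  # assumed threshold for "leaves the function", not from the post

def parse_row(line):
    """Split one row into (address, instruction bytes, disassembly text)."""
    tok = line.split()
    addr, rest = int(tok[0], 16), tok[2:]       # tok[1] is the marks column
    n = 0
    while n < len(rest) and set(rest[n]) <= HEX:
        n += 1                                  # a truncated '...>' token ends the bytes
    raw = "".join(rest[:n]).split(":")[-1]      # drop a segment prefix such as 64:
    return addr, bytes.fromhex(raw), " ".join(rest[n:])

def branch_target(addr, raw):
    """Destination of a relative call/jmp/jcc, or None for any other opcode."""
    op = raw[0] if raw else -1
    if op in (0xE8, 0xE9) and len(raw) == 5:    # call / jmp rel32
        rel = struct.unpack("<i", raw[1:])[0]
    elif (op == 0xEB or 0x70 <= op <= 0x7F) and len(raw) == 2:  # jmp / jcc rel8
        rel = struct.unpack("<b", raw[1:])[0]
    else:
        return None
    return (addr + len(raw) + rel) & 0xFFFFFFFF  # relative to the next instruction

def far_jumps(listing):
    """Return (address, target) for each jmp rel32 landing FAR or more bytes away."""
    hits = []
    for line in listing.splitlines():
        addr, raw, text = parse_row(line)
        target = branch_target(addr, raw)
        if target is None:
            continue
        if not text.endswith("%08X" % target):  # must match the debugger's operand
            raise ValueError("decoded target disagrees with listing: " + line)
        if raw[0] == 0xE9 and abs(target - addr) >= FAR:
            hits.append((addr, target))
    return hits

if __name__ == "__main__":
    for addr, target in far_jumps(LISTING):
        print("%08X -> %08X (candidate VM entry stub)" % (addr, target))
```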