Unpacked + Devirtualized NexonGuard/BlackCipher Modules

[HellSpider]

Hi.

I thought that the community might find the readable and fixed code of NexonGuard/BlackCipher useful.

So what has been done?

+ BlackCipher.exe (BlackCipher.aes) - Unpacked Themida and devirtualized all virtualized code blocks and deobfuscated almost all codereplaced blocks of code.
+ BlackCall.dll (BlackCall.aes) - Devirtualized all CodeVirtualizer code blocks.
+ BlackXchg.dll (BlackXchg.aes) - Devirtualized all CodeVirtualizer code blocks.
+ BlackGate.dll (BlackGate.aes) - Devirtualized all CodeVirtualizer code blocks.
+ NexonGuard.dll (NexonGuard.aes) - Devirtualized all CodeVirtualizer code blocks.
+ eTracer.exe (eTracer.aes) - Unpacked UPX shell

What can I do with these? Is this a bypass?

The files are almost like the original ones on the inside, meaning you can efficiently analyze the inner workings of these files with a disassembler or debugger (IDA, OllyDbg...).
These files are not a bypass.

Lolwut, I can just dump the modules myself, what differs in these?

If you dump the modules your imports are broken, the virtualized and codereplaced code is not restored, meaning that you can't make heads or tails of the interesting code when analyzing your dumps.

Why did you post these files here, and not in the anticheat area?

I think these files are only used in CombatArms thus this section is very relevant.

The filename extensions were all ".aes", how did you decrypt them?

The filename extensions are only to fool beginners, the real extensions are EXE/DLL, just a simple renaming needed.




Scans for the paranoid people:

VirusTotal
Jotti

[Ch40zz-C0d3r]

Very nice, thanks for sharing your time with us

[[SMA] Paradise`]

Seems clean.

/Approved.

[[MPGH]Flengo]

Looks like I'm a nooby beginner then

Thanks a lot for sharing.

[R4v0r]

The only thing I can make up out of BlackCipher crap is that you can make a browser detection bypass. Correct me If I am wrong..

[Saltine]

The only thing I can make up out of BlackCipher crap is that you can make a browser detection bypass. Correct me If I am wrong..

If you are unsure, take a look at the files posted by OP, and see what you can figure out.

[N3OH4X]

Would this help on bypassing simple string checking ?

[[MPGH]Flengo]

If you are unsure, take a look at the files posted by OP, and see what you can figure out.

Quickly looked at BlackCipher.exe for strings and didn't seem like there was much being done in there. Just by that. To me at least, I'm sure I'm wrong

Need a debugger.

[ludgerogabriel]

very good......

[XarutoUsoCrack]

Here located String's:

[HellSpider]

Here located String's:

It's because NexonGuard/BlackCipher encrypts their log content by generating a random 0x10 sized byte key and encrypts the key with 512-bit RSA. Resulting encrypted modulo is 0x40 bytes long (512. bits = 0x200 bits = 0x200 / 8 bytes = 0x40 bytes) and placed in the log header.

The encryption key is public but the decryption key is private. So to get the original random generated byte key, one would have to brute force the RSA protection or hack the private key. Or then hook the process and modify Advapi32.CryptEncrypt() inner workings (the way I prefer).

This information was valid last time I checked, doubt they changed it.