Guide Nexon Game Security Bypass info + hot sticky sauce


mambda

headass
Escobar Tier VIP
Trump Tier Donator
Jun 25, 2014
2,275
37,938
268
Game Name: N/A
Anticheat: Nexon Game Security (NGS)
How long you been coding/hacking? what day is it
Coding Language: C++
Figured I should do a (very) little writeup to accompany the (partial) bypass I released a while ago, since it'd be nice to add to the big anticheat index here.

I spent a few weeks reversing Nexon Game Security because I was writing that MapleStory stuff.

NGS was a good bit of fun. I wrote a call tracer because of it that would log all branches a program took. During this time, I noticed that all the APIs logged were pretty nondescript. After some fine tuning, I found my exceptionally perfect code to be crashing after a set period of time, so I did some further digging.

This is the section where it crashes:

Lucky for you, I save random screenshots.

What you're looking at is Heaven's Gate being dropped into: CS is swapped to 0x33 (long mode) to execute x64 code, then swapped back to 0x23.
In long mode, they fix up some registers as seen in the screenshot, as well as perform a call to some WinAPIs, but the catch is that this will go to the 64-bit WinAPIs, whilst it's running in a 32-bit WoW program.

I'll briefly touch on my bypass because honestly it's not that hard. Essentially, what I did was register an exception handler in long mode (by entering Heaven's Gate myself) and set an x86 exception handler to catch new threads. Then for every thread I found or that was created, I placed a HWBP at the location of the calls. This exception will be handled by the x64 handler (called x64handler in the assembly file because I'm original).

Because I'm too lazy to explain it, here's the raw assembly for the handler:



with the macros defined as:

Code:
potato_fn dq 0                              ; holds the address of x86Callback (see below)

; FASM macros. SAVE_SCRAP preserves the registers the x64 handler clobbers on the
; way into the x86 callback; POP_SCRAP restores them in the reverse order.
macro SAVE_SCRAP
{
        push rcx
        push r8
        push rbx
        push rsi
        push r15                                                   ; TODO: Perhaps check if our breakpoint is hit immediately after a call, if so, send it to the x86 function to get return value?
        push r14
        push r13
        push r12
        push r11
        push r10
        push rdi
}
macro POP_SCRAP
{
        pop rdi
        pop r10
        pop r11
        pop r12
        pop r13
        pop r14
        pop r15
        pop rsi
        pop rbx
        pop r8
        pop rcx
}
potato_fn is the address of the "x86Callback" which switches back to x86, calls a handler function to filter the called API, and re-enters x64 before returning.

That's the "smart" part done; everything else is dead simple. I grab the syscall index at the current EIP, and if it's one I wish to "hook", I do stuff with it. For example, you can see that if the index is 0x26, I hide any ZwOpenProcess calls which are targeting a program with "cheat" in the name, which enables one to use Cheat Engine while playing an NGS-protected game.

Like I said, this is a partial bypass because it suited my needs at the time. To get a full bypass, you only need to do one more thing, which another user on this forum has already done.

Also, you don't need to do it my way at all. I just like exceptions. You can achieve the same thing with a simple hook; it's just that your hook will be detectable by checksums, so check for them, heh.

Too long; give source: Bitbucket

anymoves

Full Member
Jun 11, 2020
2
102
0
Thank you so much for making this thread, I'm sure this will help many people.
Hello,

I recently started playing a Nexon game called Kingdom of the Winds or "Baram" (바람의나라) and was wondering if I can ask a few questions. Hope this is the appropriate place!

  1. I would like to use this game to teach myself how to use macros. I downloaded the Jibit Macro Recorder and it seems to work fine in the game until it gets detected. Foremost, I have only a little background in programming (Python) and I'm just guessing that there is a need for some sort of bypass application on top of my macro to hide from Nexon detecting any "unusual activity". I experimented with a variety of macro conditions w/ delays, pixel reading, etc. and concluded that the Jibit Macro Recorder is suitable and I just need a bypass code?
  2. In order to bypass, I first need to know WHAT I need to bypass... How can I search for this information? Whenever I see anything "security" related, there is an .exe application called "Black Cipher" in the game folder that activates in the processes, but I cannot delete this while the game is running. Could this be it? Will doing something with this bypass my macros? I see a lot of people here mentioning GameGuard, but I don't see that running. Has Nexon moved on from GameGuard protection?
  3. Any other places I can start from to learn about hacking into these kinds of protections?

***I'm not intending to create any macros to harm the community or the game itself, just playing with my programming skills!

Since MapleStory closely operates with Baram, I hope someone related can answer this! Feel free to reach out for private contact info to talk more, if needed.

Best,
 

mambda
Yeah, you'll want to tackle Black Cipher. Searching for this information depends on your ability to reverse engineer, so you should start by practicing that.
 

anymoves
Ay guys! Cheers for the prompt responses.

Yup, reading the reverse engineering guide atm. I appreciate the neat compilation. Brilliant work. I'm an engineer (water treatment) myself but feel incredible every time I get exposed to this side of engineering; it's like I'm entering into an astral world for sure haha

@mambda,
Have you been successful at bypassing Black Cipher yourself by chance? Can I please confirm with you that the Jibit Macro Recorder is suitable to even begin with? Looking forward to hearing back from you.
 

mambda
This entire repo is my bypass for Black Cipher (Nexon Game Security); I dunno anything about macro recorders because I've never used them.
 