Moopler

Question

I'm trying to reverse engineer ngclient.aes, but most of the code section seems to be obfuscated. Lots of useless filler instructions like "add esi, 4; sub esi, 4", adding or bitwise OR'ing two immediate constants together to get the actual constant value, etc. (example and screenshot below)

Was this obfuscation done by a common program? If so, could someone give me the name or a hint of how I would identify it? If this is a custom thing by Nexon, does anyone have any resources or hints about how to tackle this?

Example:

5E3CEBCB | 81 04 24 1A 47 47 53     | add dword ptr ss:[esp],5347471A         |
5E3CEBD2 | 81 04 24 02 D5 EB 48     | add dword ptr ss:[esp],48EBD502         |
5E3CEBD9 | 56                       | push esi                                |
5E3CEBDA | 89 E6                    | mov esi,esp                             |
5E3CEBDC | 81 C6 04 00 00 00        | add esi,4                               |
5E3CEBE2 | 81 EE 04 00 00 00        | sub esi,4                               |
5E3CEBE8 | 56                       | push esi                                |

Instead of:

add dword ptr ss:[esp], 9C331C1C
push esi
mov esi, esp
push esi

 

[screenshot: FnXGXRW.png]

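The two patterns in the question (a pair of `add`s on the same destination that should be one constant, and an `add`/`sub` pair on the same register that cancels) are mechanical enough to undo with a small peephole pass over the disassembly text. The script below is an added example, not code from the original post or anything shipped by Nexon; it assumes the x64dbg column layout shown above (`address | bytes | instruction |`) and that immediates are printed as bare hex. It folds adjacent constant arithmetic on the same destination, including `mov reg,imm` followed by `add`/`sub`/`or`/`and`/`xor reg,imm`, which covers the "OR two constants together" variant too. `SAMPLE_LISTING` is the listing from the question, embedded as constructed input.

```python
import re
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF

# Constructed sample: the listing from the question, in x64dbg column layout.
SAMPLE_LISTING = """\
5E3CEBCB | 81 04 24 1A 47 47 53     | add dword ptr ss:[esp],5347471A         |
5E3CEBD2 | 81 04 24 02 D5 EB 48     | add dword ptr ss:[esp],48EBD502         |
5E3CEBD9 | 56                       | push esi                                |
5E3CEBDA | 89 E6                    | mov esi,esp                             |
5E3CEBDC | 81 C6 04 00 00 00        | add esi,4                               |
5E3CEBE2 | 81 EE 04 00 00 00        | sub esi,4                               |
5E3CEBE8 | 56                       | push esi                                |
"""


@dataclass
class Insn:
    mnemonic: str
    ops: list

    def text(self):
        return self.mnemonic if not self.ops else f"{self.mnemonic} {','.join(self.ops)}"


def parse_listing(listing):
    """Pull the instruction column out of 'addr | bytes | instr |' lines (assumed x64dbg layout)."""
    insns = []
    for line in listing.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) < 3 or not cols[2]:
            continue
        mnem, _, rest = cols[2].partition(" ")
        ops = [o.strip() for o in rest.split(",")] if rest else []
        insns.append(Insn(mnem.lower(), ops))
    return insns


def imm(op):
    """Immediate value of an operand, or None if it is a register/memory operand.
    x64dbg prints immediates as bare hex with no 0x prefix; no x86 register name is all hex digits."""
    return int(op, 16) if re.fullmatch(r"[0-9A-Fa-f]{1,8}", op) else None


ADDSUB = {"add": 1, "sub": -1}
BITWISE = {"or": lambda a, b: a | b, "and": lambda a, b: a & b, "xor": lambda a, b: a ^ b}


def fold_pair(cur, nxt):
    """Replacement for two adjacent instructions, or None if no rule applies.
    Caveat: the intermediate EFLAGS result disappears, so this is only sound where
    nothing between/after the pair consumes flags produced by the first instruction."""
    if len(cur.ops) != 2 or len(nxt.ops) != 2 or cur.ops[0] != nxt.ops[0]:
        return None
    dst, a, b = cur.ops[0], imm(cur.ops[1]), imm(nxt.ops[1])
    if a is None or b is None:
        return None
    # add/sub X,a ; add/sub X,b  ->  one add of the net delta, or nothing if it cancels
    if cur.mnemonic in ADDSUB and nxt.mnemonic in ADDSUB:
        net = (ADDSUB[cur.mnemonic] * a + ADDSUB[nxt.mnemonic] * b) & MASK32
        return [] if net == 0 else [Insn("add", [dst, f"{net:X}"])]
    # or/and/xor X,a ; same op X,b  ->  single op with the combined constant
    if cur.mnemonic == nxt.mnemonic and cur.mnemonic in BITWISE:
        return [Insn(cur.mnemonic, [dst, f"{BITWISE[cur.mnemonic](a, b) & MASK32:X}"])]
    # mov X,a ; add/sub/or/and/xor X,b  ->  mov X,<folded constant>
    if cur.mnemonic == "mov" and (nxt.mnemonic in ADDSUB or nxt.mnemonic in BITWISE):
        if nxt.mnemonic in ADDSUB:
            val = a + ADDSUB[nxt.mnemonic] * b
        else:
            val = BITWISE[nxt.mnemonic](a, b)
        return [Insn("mov", [dst, f"{val & MASK32:X}"])]
    return None


def simplify(insns):
    """Apply fold_pair to adjacent instructions until a full pass changes nothing."""
    out = list(insns)
    changed = True
    while changed:
        changed = False
        result, i = [], 0
        while i < len(out):
            if i + 1 < len(out):
                repl = fold_pair(out[i], out[i + 1])
                if repl is not None:
                    result.extend(repl)
                    i += 2
                    changed = True
                    continue
            result.append(out[i])
            i += 1
        out = result
    return out


def simplify_listing(listing):
    """Parse a listing and return the simplified instruction texts."""
    return [insn.text() for insn in simplify(parse_listing(listing))]


if __name__ == "__main__":
    for line in simplify_listing(SAMPLE_LISTING):
        print(line)
```

Run against the sample it produces the four-instruction sequence the question gives as "instead of". Two limits worth keeping in mind before trusting the output on a real dump: it only pairs immediately adjacent instructions, so filler split by an unrelated instruction is left alone, and it drops the flags that the first instruction of each pair would have set, which is only safe when no `jcc`/`setcc`/`cmov` reads them.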

It's not "obfuscation". It's completely transformed into another foreign byteset which your CPU does not understand, thus the "weird" commands. To interpret them, one must know the byte-set and run it through a translator.
