MapleShark2 - A MapleStory 2 Packet Sniffer

Custom Title Activated
Loyal Member
Joined
Jan 18, 2010
Messages
3,109
Reaction score
1,139
WARNING: During the CBT period of MapleStory 2, having MapleShark2 open would disconnect you after 10 minutes from NGS's anti-hack with error code D00000. While I've personally used this dozens of times, and have only ever gotten disconnected, I'm not sure if Nexon would actually ban you or not for using it. Thus, I recommend using either a NGS bypass or a mule account when sniffing to avoid any issues, just in case.

This is MapleShark2, a modified version of MapleShark by Diamondo25 that comes with additional support for MapleStory 2 clients. This project was based on MapleShark 2.0.2.8 (latest git), and contains all of the same functionality from the original program.

Something important to note:
Nexon uses insane port ranges for their hundreds of channels. While the Gateway/Login systems always use port 30000, channels used to range up to 33000 (MapleShark2's default range), but I believe they're even higher now so you may have to adjust your range depending on your region. If you have any questions, or run into any problems, let me know down below (and provide screenshots if possible!).

Links:



 
Last edited:
Initiate Mage
Joined
Dec 18, 2018
Messages
2
Reaction score
0



How come all my opcode values are so high?

Also why when I press stop sniffing and then start sniffing back again I don't get any data? (and I need to restart the game to receive packets again)
Is there any fix for that?
 
Newbie Spellweaver
Joined
Jan 28, 2015
Messages
5
Reaction score
1
Encryption probably a bit off. Try to shuffle encryption indexes. (or try to permanently fix it, they come from version number)
 
Custom Title Activated
Loyal Member
Joined
Jan 18, 2010
Messages
3,109
Reaction score
1,139



> How come all my opcode values are so high?
>
> Also why when I press stop sniffing and then start sniffing back again I don't get any data? (and I need to restart the game to receive packets again)
> Is there any fix for that?


May I ask what client region you're sniffing? These values are set for GMS2's client, so they might be in a different order if you're trying to sniff KMS2/CMS2/etc. Remember what I noted at the very beginning if your opcodes showed up incorrect: move around the encryption indexes in the crypto manager class.

EDIT: Lmao never mind, Nexon is probably over here trying to battle us. It seems they changed the order yet again, I'm guessing a few days after this thread was made. I'll update the source code and the thread, but in the meantime here are the latest encryption indexes (GMS2 v101):
Code:
public static readonly int
    ENCRYPT_NONE = 0,
    ENCRYPT_REARRANGE = 1,
    ENCRYPT_XOR = 2,
    ENCRYPT_TABLE = 3
;

In regards to stop/start sniffing, this is just how MapleShark works. The way it's set up is as if it's like its own self-client. It waits until a session is created/connected to a port within that range, and starts a sniffing session. Just like when you connect to the session yourself and the server sends to the client a handshake packet, MapleShark2 will receive that same packet as well. When MapleShark2 receives the initial handshake after it has created a sniff session, it initializes the crypto with the sequences that were contained in that handshake packet. Since those sequences have to constantly be in sync, you can't just resume sniffing because the sequences would be out of order. As far as I'm aware, there's no way around this, unless Diamondo25 has any ideas. Instead of restarting the game though, a quick workaround is to start sniffing again and either change channels or go to character selection screen. Either way should resume sniffing without an entire client/game restart necessary.

> Encryption probably a bit off. Try to shuffle encryption indexes. (or try to permanently fix it, they come from version number)

What exactly do you mean when you say they come from the version number? This is the function in GMS2 v100, which is the same as the previous client versions:
[Image]


If you know of a different method to get these indexes, feel free to share; I'd love to know!

..or were you actually referring to where Nexon uses the version number to initialize their RNG seeds? Those are correctly calculated as well:
TableCrypter:
Code:
Rand32 rand32 = new Rand32((uint) Math.Pow(version, 2));
XORCrypter:
Code:
Rand32 rand1 = new Rand32(version);
Rand32 rand2 = new Rand32(2 * version);
Where both of these have their versions initialized from the pBuild (major version) provided in the MapleStream, which is constructed after receiving the initial handshake that contains said version.
 
Last edited:
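The resume problem described in the post above, as an added example that is not MapleShark2's or Nexon's code: a passive observer of a stream whose per-packet state is seeded by the handshake decodes correctly only if it tracks every packet from that handshake onward. The cipher here is a toy (SHA-256 keystream, LCG sequence update), and `ToyStream`, `HANDSHAKE_SEQ` and the sample packets are constructed for illustration.

```python
import hashlib
import struct

HANDSHAKE_SEQ = 0x1A2B3C4D  # constructed sample value, sent in the clear in the toy handshake

def next_seq(seq: int) -> int:
    """Advance the per-packet sequence (toy LCG standing in for the real update)."""
    return (seq * 214013 + 2531011) & 0xFFFFFFFF

def keystream(seq: int, n: int) -> bytes:
    """Derive n keystream bytes from the current sequence value."""
    out, block = b"", 0
    while len(out) < n:
        out += hashlib.sha256(struct.pack("<II", seq, block)).digest()
        block += 1
    return out[:n]

class ToyStream:
    """One direction of a session; XOR is symmetric, so crypt() encrypts and decrypts."""
    def __init__(self, seq: int):
        self.seq = seq

    def crypt(self, data: bytes) -> bytes:
        ks = keystream(self.seq, len(data))
        self.seq = next_seq(self.seq)  # state moves on with every packet
        return bytes(a ^ b for a, b in zip(data, ks))

def opcodes(packets):
    """First two bytes of each packet read as a little-endian opcode."""
    return [struct.unpack_from("<H", p)[0] for p in packets]

def run_demo():
    plain = [struct.pack("<H", op) + b"payload" for op in (1, 2, 3, 4)]
    server = ToyStream(HANDSHAKE_SEQ)
    wire = [server.crypt(p) for p in plain]

    # Observer that saw the handshake and every packet after it.
    synced = ToyStream(HANDSHAKE_SEQ)
    synced_out = [synced.crypt(p) for p in wire]

    # Observer restarted after two packets: the handshake value is all it has,
    # but the sender's state has already advanced twice.
    late = ToyStream(HANDSHAKE_SEQ)
    late_out = [late.crypt(p) for p in wire[2:]]
    return plain, synced_out, late_out

if __name__ == "__main__":
    plain, synced_out, late_out = run_demo()
    print("sent   :", [hex(o) for o in opcodes(plain)])
    print("synced :", [hex(o) for o in opcodes(synced_out)])
    print("resumed:", [hex(o) for o in opcodes(late_out)])
```

The resumed observer prints opcodes that look random, which is the same symptom as the "opcode values are so high" report earlier in the thread; a fresh handshake (a channel change, in the thread's terms) is what puts both sides back on a known starting state.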
Newbie Spellweaver
Joined
Jan 28, 2015
Messages
5
Reaction score
1
>>If you know of a different method to get these indexes, feel free to share; I'd love to know!
Indexes computation is optimized away. It wasn't my idea and I can't share, but algo is very simple. Add a little number to the version, get modulo from it.
 
Initiate Mage
Joined
Dec 18, 2018
Messages
2
Reaction score
0
Is there anywhere where I can get the structure for the packets?

How would you go on to understand the structure of the packets?
 
Initiate Mage
Joined
Dec 22, 2018
Messages
1
Reaction score
0
How can I edit packets and can I send my own packets to the server?
 
Custom Title Activated
Loyal Member
Joined
Jan 18, 2010
Messages
3,109
Reaction score
1,139
> Is there anywhere where I can get the structure for the packets?
>
> How would you go on to understand the structure of the packets?

Yes, you can find and understand the structures of the packets through IDA. I recommend reading through my tutorial thread http://forum.ragezone.com/f1005/tutorial-analyzing-maplestory-2-client-1156691/ to get a better idea on how to work with IDA, create/use IDBs, and how to find packet structures in the client.

> How can I edit packets and can I send my own packets to the server?

I'm not sure I follow you. You don't edit packets with this tool, it's a read-only view of what is being sent/received from both ends (client, and server). If what you're looking for is a PE Tool to both edit and send packets to the remote server, you won't find that here on RZ. We do not support packet editing or exploitation tools here.
 
Initiate Mage
Joined
Mar 3, 2014
Messages
4
Reaction score
0
Not sure if it's just me but after a few seconds of being logged in the incoming packet stops
 
Custom Title Activated
Loyal Member
Joined
Jan 18, 2010
Messages
3,109
Reaction score
1,139
> Not sure if it's just me but after a few seconds of being logged in the incoming packet stops

Haven't had this happen before myself, but is it possible that it wasn't able to sniff the remaining packets because it was out of port range? Try increasing the range of ports and see if that helps, especially because Nexon will auto-reconnect you to different channels. Another tip would be to simply try changing channels in general, and see if that'll start the sniffing process again if it ever stops.
 
Newbie Spellweaver
Joined
Mar 13, 2016
Messages
28
Reaction score
9
nvm, I built it myself
 
Last edited: