[Release] Unpacked x700 main.exe of GMO (1.04.07 / 104G)

[city7]

Only encrypt the login packet
C3 33 XX

[koceto]

I have a new problem...
If i select the server, my CS have a problem with login:

Man wait ex700 server files!!! I same wait server files ;)

[mauka]

@Error

enc/dec itself is a arithmetic manipulation with 20 keys for encryption and 20 for decryption, but thats only enc/dec ... webzen added additional protection by some xor algorithms based on packet headcodes and sizes ( you can bypass that with a simple NOP in main )

Error said something about one "NOP" fix to get work these client on S6 files, if ima not missunderstand him!
U can try look around before load Enc1, Dec1.dat files ;) or simply send alot PM to him eg: Plz man, Man i need, Give me sources, Im no spek englesh, but if not u help i go yor country and eat your dog etc..
Have fun!

maybe him will direct u to the right way or help you ;)

PS. him is kind a pro and sounds like very friendly guy ;) good luck

[kukumopa]

are u fcking kidding?

THERE IS NO SERVER FILES THAT CAN SUPPORT THIS MAIN!!!!!

NOOOOOOOOOOOOOOOOB

man u adequate? read and understand my posts correctly!!!

[RoRRe]

Code:

0041E980   . 83EC 08        SUB ESP,8
0041EA80   . 83EC 08        SUB ESP,8

Here are the encryption and decryption functions ( encrypt/decrypt blocks of 4 int values - 16 bytes )
but you will still need to bypass additional packet manipulations based on packet header ( some xor/place substitutions )

[mauka]

I still think u talk about Simple modulus as its split packet into blocks 4 Dwords and shift it

Code:

function TSimpleModule.DecryptBlock(lpDest: Pointer; lpSource: Pointer): Integer;
var
 dwDecBuffer: array [0 ..3] of DWORD;
 iBitPosition, i: Integer;
 Temp,Temp1: Word;
 btCheckSum: Byte;
begin
 FillMemory(lpDest, 15, 0);
 FillMemory(@dwDecBuffer, SizeOf(dwDecBuffer), 0);
 iBitPosition := 0;

 for i := 0 to 3 do
  begin
   AddBits(@dwDecBuffer[i], 0, lpSource, iBitPosition, 16);
   Inc(iBitPosition, 16);
   AddBits(@dwDecBuffer[i], 22, lpSource, iBitPosition, 2);
   Inc(iBitPosition, 2);
  end;

 for i := 2 downto 0 do // pareizi viss
  dwDecBuffer[i] := (dwDecBuffer[i] xor  m_dwXORKey[i]) xor (dwDecBuffer[i + 1] and $FFFF);

 Temp := 0;
 for i := 0 to 3 do
  begin
   Temp1 := ((m_dwDecryptionKey[i] * (dwDecBuffer[i])) mod (m_dwModulus[i])) xor m_dwXORKey[i] xor Temp;
   Temp  := dwDecBuffer[i] and $0000FFFF;
   PWord(Integer(lpDest) + 2 * i)^ := PWord(@Temp1)^;
  end;

 dwDecBuffer[0] := 0;
 AddBits(@dwDecBuffer[0], 0, lpSource, iBitPosition, 16);

 btCheckSum := $F8;
 for i := 0 to 7 do
  btCheckSum := btCheckSum xor PByte(Integer(lpDest) + i)^;

 if (btCheckSum <> GetH(dwDecBuffer[0])) then     //128  249  153 255 189
  Result := -1
 else
  Result := GetH(dwDecBuffer[0]) xor GetL(dwDecBuffer[0]) xor $3D;
end;

function TSimpleModule.Decrypt(lpDest: Pointer; lpSource: Pointer; iSize: Integer): Integer;
var
 lpTempDest, lpTempSrc: PByte;
 iResult, iDecLen, iTempResult, Epos, Spos: Integer;
begin
 if lpDest = nil then
  begin
   Result := iSize * 8 div 11;
   Exit;
  end;

 lpTempDest := PByte(lpDest);
 lpTempSrc  := PByte(lpSource);

 iResult := 0;
 iDecLen := 0;
 Epos := 0;
 Spos := 0;
 if (iSize mod 11) = 0 then
  begin
   while (iDecLen < iSize) do
    begin
     iTempResult := DecryptBlock(lpTempDest + EPos, lpTempSrc + Spos); // pirmais loops ir OK!
     if (iResult < 0) then
      begin
       Result := iResult;
       Exit;
      end;
     Inc(iResult, iTempResult);
		 Inc(iDecLen, 11);
     Inc(Epos, 8);
     Inc(Spos, 11);
    end;
  end;
 Result := iResult;
end;

U confused me, correct me if ima wrong

Edietd: Ok, its not simple modulus - rechecked again it by your offset

[RoRRe]

Edietd: Ok, its not simple modulus - rechecked again it by your offset

simple modulus changes the size of the packet ) current system - doesnt, and its a lot simplier than simplemodulus

[mauka]

I noted it ;) U helped me alot.. revesing it will be peace of cake compare to simple modulus

[favgames]

someone could fix login muex700 into this source to me?
: APplE PROJECT - By WolF & M.E.S_GameServer_1.00.90.rar

[mauka]

Man wait ex700 server files!!! I same wait server files ;)

By the way, smallHabit got work x700 main.exe on s6 srvr files

[SmallHabit]

nah :D that was just fun, disabling 0xC3 encoding in client ^_^

[willerson]

nah :D that was just fun, disabling 0xC3 encoding in client ^_^

how did you do that? you can explain ? if yes, it will be helpfull for us...

[Acnathon]

By the way, smallHabit got work x700 main.exe on s6 srvr files

I loled at that image/banner

how did you do that? you can explain ? if yes, it will be helpfull for us...

Absolutely agree

[mauka]

Where is the problem? Me as developer of muservers would Nop this new call

Code:

00439387

hook next

Code:

0043947D   E8 BE258300      CALL dump_NO_.00C6BA40

and

Code:

004394E5   E8 56258300      CALL dump_NO_.00C6BA40

and resore old SimpleModulus!

Example of calls is on send only ;)
Pss. for u server devs its waste of time and useless reversing new encdec of muonline

[SmallHabit]

Problem is that MU dev's, cant catch new structs of protos from official server ^_^