
[Solved] ExtaliaMS packet crypt

Legendary Battlemage
Joined
Mar 21, 2013
Messages
665
Reaction score
90
Hi Rz,
I use MapleShark to sniff packets from Extalia, but they're unreadable.
Does anyone know how they encrypt/decrypt packets? Did they change the original AES or bypass some encryption/decryption?
 
Experienced Elementalist
Joined
Feb 10, 2008
Messages
249
Reaction score
161
Re: ExtaliaMS packet crypt

The second byte in the 128-bit AES key is changed to 0x37... so when you look at it in code you see 0x13, 0x37 huehuehue
 
Upvote 0
Legendary Battlemage
Joined
Mar 21, 2013
Messages
665
Reaction score
90
Re: ExtaliaMS packet crypt

The second byte in the 128-bit AES key is changed to 0x37... so when you look at it in code you see 0x13, 0x37 huehuehue
Thanks for the reply. Which version are you mentioning? For now Extalia is v149.3. I changed the cached key of MapleShark as you said, but the packet result is still the same ??!
I used get key from diamondo, then got another key:
Code:
FA16BB11ADAE248879FE52DB2543E53CF445D3D828CE0BF5C560593D97278A59

change to (second byte highlighted in the original post, 16 -> 37):
Code:
FA37BB11ADAE248879FE52DB2543E53CF445D3D828CE0BF5C560593D97278A59

but it's still the same, idk why; I tried 4 keys and got the same result and cannot read it as a Maple packet
 
Upvote 0
Supreme Arcanarch
Joined
Apr 1, 2012
Messages
946
Reaction score
329
Re: ExtaliaMS packet crypt

Thanks for the reply. Which version are you mentioning? For now Extalia is v149.3. I changed the cached key of MapleShark as you said, but the packet result is still the same ??!
I used get key from diamondo, then got another key:
Code:
FA16BB11ADAE248879FE52DB2543E53CF445D3D828CE0BF5C560593D97278A59

change to (second byte highlighted in the original post, 16 -> 37):
Code:
FA37BB11ADAE248879FE52DB2543E53CF445D3D828CE0BF5C560593D97278A59

but it's still the same, idk why; I tried 4 keys and got the same result and cannot read it as a Maple packet

He said 128-bit, which means you probably want to change AD to 37.
 
Upvote 0
Legendary Battlemage
Joined
Mar 21, 2013
Messages
665
Reaction score
90
Re: ExtaliaMS packet crypt

He said 128-bit, which means you probably want to change AD to 37.
I followed the guide and saw some difference. But I still cannot read it!
Also, the MapleShark cached key is 32-bit, so I don't understand when Darter said "128 bits".
 
Upvote 0
Experienced Elementalist
Joined
Feb 10, 2008
Messages
249
Reaction score
161
Re: ExtaliaMS packet crypt

13522a5b370210600602430fb44b35051b0a5f090f500c1b3355010952dec71e
 
Upvote 0
Legendary Battlemage
Joined
Mar 21, 2013
Messages
665
Reaction score
90
Re: ExtaliaMS packet crypt

13522a5b370210600602430fb44b35051b0a5f090f500c1b3355010952dec71e
Thank you very much, the cached key works perfectly! ^^
How did you get it? The key is completely different from the AES key in ZLZ.dll. Please explain it!
p/s: I want to steal your brain Darter :junglejane:
 
Upvote 0
Experienced Elementalist
Joined
Feb 10, 2008
Messages
249
Reaction score
161
Re: ExtaliaMS packet crypt

Thank you very much, the cached key works perfectly! ^^
How did you get it? The key is completely different from the AES key in ZLZ.dll. Please explain it!
p/s: I want to steal your brain @Darter :junglejane:

The quote below is from a different thread. It's what I did.

Find CAESCipher::Encrypt or Decrypt and you will find the user key there, before CAESCipher::AES_EncKeySchedule is called.
zlz.dll has a 'copy of it', but you can just find the key in the client directly.
 
Upvote 0
Legendary Battlemage
Joined
Mar 21, 2013
Messages
665
Reaction score
90
Re: ExtaliaMS packet crypt

Naw, I did it with Cheat Engine, no problem.
I have no idea how you did it, because Cheat Engine doesn't show function names (or I just lack the knowledge).
Instead, I used AoB to find it in Cheat Engine (based on the key you gave).
 
Upvote 0
Junior Spellweaver
Joined
Dec 9, 2011
Messages
156
Reaction score
39
Re: ExtaliaMS packet crypt

Can that way be used for KMS also? Because 221.1 KMS has an AES key (like GMS).
Sorry for not replying to the PM you sent me. If the hashing algo hasn't changed, follow this method:
1. Search for "8B 4C 24 08 8B 44 24 04 C7 40 ? ? ? ? ? 85 C9 74 14 8B 11 89 10 8B 11 89 50 04 8B 11 89 50 08 8B 09 89 48 0C C3" via AoB. The 1st result (if there is more than one) should be your CAESCipher::AES_EncInit.
2. Place a BP on the start, and let it break.
3. Follow the return address and you are inside CAESCipher::Encrypt.
4. You will see a call and a push of an address just above it. The pushed value is your location of the AES key.

All of this assumes you have debugging ability.

In case you don't, make a dump of the client (64-bit is an awesome option to do so) and analyze it using IDA. Scan the AoB with the provided one and get the function. Find the xref and you will get CAESCipher::Encrypt. Now it's the same as before.

In case you can't do any of the above, you'd better start learning basics like memory dumping and Cheat Engine usage.
 
Upvote 0
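Step 1 of the method above (the AoB search) in script form, as an added example that is not part of the thread and is not code from Cheat Engine, MapleShark, IDA or any other tool named here. It is the same wildcard signature scan a YARA-style rule performs over a memory dump: the pattern quoted in the post is compiled into a bytes regex where `?` (or `??`) matches any single byte, every hit is returned in ascending address order (so "the 1st result" is just the first element), and a near-miss that differs in one opcode byte is correctly skipped. The buffer it scans is constructed inline for the demo and is not a real client dump; the `base` address and the wildcard fill values are arbitrary.

```python
"""Wildcard byte-pattern (AoB) scanner over a byte buffer.

Added example; not code from this thread or from any project it mentions.
The buffer built by build_demo_dump() is constructed test data, not a real
client dump, so the addresses it yields mean nothing outside this script.
"""
import re
from typing import List

# The AoB pattern quoted in the post above, verbatim. The five wildcards sit
# inside a `C7 40 disp8 imm32` instruction (mov dword [eax+disp8], imm32) whose
# operand varies between builds, which is why it is masked out of the signature.
AOB_PATTERN = (
    "8B 4C 24 08 8B 44 24 04 C7 40 ? ? ? ? ? 85 C9 74 14 "
    "8B 11 89 10 8B 11 89 50 04 8B 11 89 50 08 8B 09 89 48 0C C3"
)
WILDCARDS = ("?", "??")


def compile_aob(pattern: str) -> "re.Pattern[bytes]":
    """Translate 'XX XX ? XX' into a bytes regex; each wildcard matches one byte."""
    parts = []
    for tok in pattern.split():
        if tok in WILDCARDS:
            parts.append(b".")
        else:
            value = int(tok, 16)
            if not 0 <= value <= 0xFF:
                raise ValueError(f"bad byte token {tok!r}")
            parts.append(re.escape(bytes([value])))
    # DOTALL so '.' also matches 0x0A, which is an ordinary byte in a dump.
    return re.compile(b"".join(parts), re.DOTALL)


def scan_aob(buf: bytes, pattern: str, base: int = 0) -> List[int]:
    """Return every address (base + offset) where `pattern` occurs, ascending.
    Overlapping occurrences are reported too, as a debugger scan would show them."""
    rx = compile_aob(pattern)
    hits, pos = [], 0
    while True:
        m = rx.search(buf, pos)
        if m is None:
            return hits
        hits.append(base + m.start())
        pos = m.start() + 1


def pattern_bytes(pattern: str, fill: int) -> bytes:
    """Materialise a pattern with wildcards replaced by `fill` (demo data only)."""
    return bytes(fill if tok in WILDCARDS else int(tok, 16) for tok in pattern.split())


def build_demo_dump() -> bytes:
    """Constructed dump: NOP padding, a genuine hit at 0x40 (wildcard bytes 0x11),
    a near-miss at 0x100 (first opcode byte altered, so it must NOT match), and
    a second genuine hit at 0x200 with different wildcard bytes (0xEE)."""
    hit_a = pattern_bytes(AOB_PATTERN, 0x11)
    hit_b = pattern_bytes(AOB_PATTERN, 0xEE)
    near_miss = bytearray(hit_a)
    near_miss[0] = 0x8A                      # 8B -> 8A: no longer the signature
    n = len(hit_a)
    return (b"\x90" * 0x40 + hit_a
            + b"\xCC" * (0x100 - 0x40 - n) + bytes(near_miss)
            + b"\x00" * (0x200 - 0x100 - n) + hit_b
            + b"\x00" * 0x20)


if __name__ == "__main__":
    # Constructed base address for the demo; a real dump would carry its own.
    hits = scan_aob(build_demo_dump(), AOB_PATTERN, base=0x00400000)
    for addr in hits:
        print(f"hit at {addr:#010x}")
    print("first result:", hex(hits[0]) if hits else "none")
```

Running it lists the two genuine hits (0x00400040 and 0x00400200) and nothing for the altered copy at 0x100. The same `scan_aob` can be pointed at any `bytes` object read from a file, which is how a signature like this is checked against a saved dump rather than a live process.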