By looking at the IDA structure, it seems correct.
No idea why the channels aren't displayed.
I'd have to have seen the structure and IDB myself to make sure everything was properly named and used throughout each packet, but if you're right about what you're saying and BMS v1 is equivalent to GMS v52 then all structures would be nearly identical to GMS packet structure. I don't believe GMS v52 used Yoda at the time though, but that could also just be a BMS thing. Anyways, could it be possible that something you modified, bypassed, or removed in order to achieve this localhost has caused an issue with loading channels? Nice progress along the way nonetheless.
Also, since you asked me if there was a way to find the AES key, one easy way I found was this: bDefaultAESKeyValue. Since I already have it defined in a constants file it's fast for me to retrieve, but you can find it very easily yourself either online or in some program (even in another PDB itself). The default AES key value defined here, unlike the real AES key, utilizes every byte in each column per row. Here's the key:
Java:
// Default key value (bDefaultAESKeyValue); laid out as 5 rows of 4 bytes.
// Java byte literals are signed, so values above 0x7F need an explicit (byte) cast to compile.
public static final byte[] DefaultAESKeyValue = {
    (byte) 0xC6, (byte) 0x50, (byte) 0x53, (byte) 0xF2,
    (byte) 0xA8, (byte) 0x42, (byte) 0x9D, (byte) 0x7F,
    (byte) 0x77, (byte) 0x09, (byte) 0x1D, (byte) 0x26,
    (byte) 0x42, (byte) 0x53, (byte) 0x88, (byte) 0x7C,
    (byte) 0x00, (byte) 0x40, (byte) 0xE0, (byte) 0xFD
};
To find AES, all you'll need to identify is CAESCipher::Encrypt, which gives a direct offset reference to CAESCipher::UserKey. To identify it using the above key, simply do an AoB search on the first four bytes. Since this is a default with the Cipher Nexon used as implementation, it is the same defaulted value in all client versions since it's entirely unused (this goes far post-bb; even when the AES key changed, Nexon does not VM these subs and thus you may ALWAYS find them through this method). You can do a quick AoB search by doing ALT+B, entering C6 50 53 F2 (first 4 bytes), ticking 'Find all occurrences', and searching. You'll get one result with it that won't lead you to a function, but instead to the offset containing that array. XREF it (just click on the dword and press X) and you'll get two xrefs: CAESCipher::Enc_Init and CAESCipher::Dec_Init. This will give you your xrefs to all AES encryption/decryption. Nonetheless, you would jump to either one of those two subs and XREF them. The only XREFs to the AES Enc/Dec Init functions are the CAESCipher::Encrypt/Decrypt functions, and they will include the initialization of the cipher's key schedule. The first parameter within that function will be a dword, and that dword is your UserKey. There you have it though, a simple guaranteed way to always find it.

I know you realize the AES key is always the same, but in our emulators the only key stored for the UserKey is the first column byte per row, not the full key. This means that if you replace the last 3 bytes with 0x00's, you won't find that AoB in the client at all. If you wish to remove it (a common thing for very low versions such as this), then that'd be the easiest way imo to find it in IDA.
Good luck with your further progress though! I really want to take the time to master the steps involved to be able to do all this myself as well, just wish I could find the time.
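The reply above describes two things worth seeing side by side: an AoB (array-of-bytes) search for the first four bytes of the default key, and the mismatch between the 4-bytes-per-row layout the client stores and the condensed one-byte-per-row form an emulator keeps. The Python below is an added example, not code from either poster or from any client or emulator. It runs over a constructed byte image (not a real binary); the default key bytes are the ones quoted in the post, while the "sparse" key and the offsets 0x40 and 0x80 are made-up sample values. `aob_search`, `condense_key` and `expand_key` are hypothetical helper names.

```python
from typing import List

# Default key value exactly as quoted in the post above (5 rows of 4 bytes).
DEFAULT_AES_KEY_VALUE = bytes([
    0xC6, 0x50, 0x53, 0xF2,
    0xA8, 0x42, 0x9D, 0x7F,
    0x77, 0x09, 0x1D, 0x26,
    0x42, 0x53, 0x88, 0x7C,
    0x00, 0x40, 0xE0, 0xFD,
])

# Constructed example of a key in the "one meaningful byte per row" layout
# (each byte followed by three 0x00 bytes). Not a real key.
SPARSE_KEY_CONDENSED = bytes([0x11, 0x22, 0x33, 0x44, 0x55])

ROW_WIDTH = 4


def condense_key(full_key: bytes, row_width: int = ROW_WIDTH) -> bytes:
    """Keep only the first byte of each row: the form the post says emulators store."""
    return bytes(full_key[i] for i in range(0, len(full_key), row_width))


def expand_key(condensed: bytes, row_width: int = ROW_WIDTH) -> bytes:
    """Widen a condensed key back to the client layout by padding each byte with zeros."""
    out = bytearray()
    for b in condensed:
        out.append(b)
        out.extend(b"\x00" * (row_width - 1))
    return bytes(out)


def aob_search(image: bytes, pattern: bytes) -> List[int]:
    """Return every offset of `pattern` in `image`, like IDA's 'Find all occurrences'."""
    hits: List[int] = []
    start = 0
    while True:
        idx = image.find(pattern, start)
        if idx < 0:
            return hits
        hits.append(idx)
        start = idx + 1  # allow overlapping matches


# Constructed "binary image": filler bytes with the default key placed at 0x40
# and the expanded sparse key placed at 0x80. Offsets are arbitrary sample values.
SAMPLE_IMAGE = (
    b"\x90" * 0x40
    + DEFAULT_AES_KEY_VALUE                    # 0x40 .. 0x53
    + b"\x90" * (0x80 - 0x40 - len(DEFAULT_AES_KEY_VALUE))
    + expand_key(SPARSE_KEY_CONDENSED)         # 0x80 .. 0x93
    + b"\x90" * 0x20
)


def locate_default_key(image: bytes = SAMPLE_IMAGE) -> List[int]:
    """The search from the post: first four bytes of the default value, all occurrences."""
    return aob_search(image, DEFAULT_AES_KEY_VALUE[:4])


def condensed_default_key_roundtrips() -> bool:
    """False: the default value uses every byte, so condensing it loses information
    and the zero-padded form will not be found in the image at all."""
    return expand_key(condense_key(DEFAULT_AES_KEY_VALUE)) == DEFAULT_AES_KEY_VALUE


def sparse_key_roundtrips() -> bool:
    """True: a key that only uses the first column per row survives condense/expand."""
    expanded = expand_key(SPARSE_KEY_CONDENSED)
    return condense_key(expanded) == SPARSE_KEY_CONDENSED


if __name__ == "__main__":
    print("default key first-4-byte AoB hits:", [hex(o) for o in locate_default_key()])
    print("zero-padded condensed default key hits:",
          aob_search(SAMPLE_IMAGE, expand_key(condense_key(DEFAULT_AES_KEY_VALUE))))
    print("sparse key (expanded) hits:",
          [hex(o) for o in aob_search(SAMPLE_IMAGE, expand_key(SPARSE_KEY_CONDENSED))])
```

The point the script makes concrete: searching for the four leading bytes lands on the array's offset (the place you then cross-reference), while a key reconstructed from the emulator's condensed form only matches when the original really was of the byte-plus-zeros shape. For the default value, which uses every byte, the padded pattern finds nothing, which is exactly the caveat in the post.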