[Help]Remove encrypt/decrypt in client[CMS(Chinese Maplestory)]

Newbie Spellweaver (joined Nov 24, 2018; 6 messages; 0 reaction score)
Hello everyone! I'm a new guy here. I want to develop an old (CMS V035) MapleStory private server, and I already unpacked the client, but I'm confused by the encryption and decryption in the client. I hope someone can help me:
1. remove encrypt/decrypt of the packets directly
2. Or provide the .idb file with function names
3. Or provide the .idc script to show function names
Any one of them would be useful to me.

client download:
single exe:
full client:

Thanks a lot!
 
Custom Title Activated, Loyal Member (joined Jan 18, 2010; 3,109 messages; 1,139 reaction score)
can anyone help me?

Did you try testing anything at all? I mean, if you could unpack the client, you should be able to easily trial and error the crypto.. Anywho, since you already unpacked the client and it only takes 2 seconds for me to analyze, I went ahead and AoB'd the necessary functions. I tried looking for some magical encryption that wasn't in any other client, but found nothing other than the standard MapleStory cryptos. How are you currently handling the network crypto in your decoders and encoders?

Some client information you may want to know:
- uses the same standard buffer appending with 4-byte header (short rawSeq, short dataLen -> dataLen ^= rawSeq)
- uses ZtlSecure for getters and setters on the packet sequences (recv/send iv)
- client version is 35 (confirmed via MakeBufferList, ManipulatePacket, and OnConnect)
- IV transformation key is the same (0xC65053F2)
- AES user key is the same (0x13, 0x08, 0x06, 0xB4, 0x1B, 0x0F, 0x33, 0x52)
- packet headers are bytes

In regards to the encryptions used:
- The AES UserKey as mentioned above is the default key used back in all those old versions (I provided the key anyways, only use first col per row).
- The client decodes packet blocks by decrypting first through AES, and after AES decryption follows Shanda decrypt.
- The client encodes (-> server decodes) packet blocks by decrypting first through Shanda, and after Shanda decryption follows AES decrypt.
- The client has CRC32 hashing (an old GameGuard check) when sending a packet, but this is useless because it will just send you an opcode (0x13 hex/19 dec) with the data. Since you don't use GG, you can ignore that opcode entirely.

Since I'm not really sure if you're having crypto problems or just want the crypto stripped completely because you don't want it, here are the function addresses. I'll let you create your own IDB, then just go to the given addresses below and rename the functions to what I have listed.
Code:
Function                          Segment  Start     Length    Flags
CClientSocket::Close              .text    00440B2A  0000001D  R . . . . . .
CClientSocket::ManipulatePacket   .text    0044104D  000000ED  R . . . . . .
CClientSocket::OnConnect          .text    0043F9CD  00000577  R . . . . . .
CClientSocket::OnError            .text    00440A5D  00000075  R . . . . . .
CClientSocket::OnRead             .text    00440932  0000012B  R . . . . . .
CClientSocket::ProcessPacket      .text    00441181  000000D6  R . . . . . .
CClientSocket::SendPacket         .text    00440B47  0000013C  R . . . . . .
CIGCipher::MorphKey               .text    00623C94  0000005D  R . . . . . .
CIGCipher::innoHash               .text    00623C59  0000003B  R . . . B . .
CIOBufferManipulator::_De         .text    004FDD91  00000218  R . . . . . .
CInPacket::AppendBuffer           .text    004FDC2A  0000010A  R . . . B T .
CInPacket::CInPacket              .text    004FDBA5  00000085  R . . . . . .
CInPacket::Decode1                .text    004165EA  00000036  R . . . B . .
CInPacket::Decode2                .text    00416620  00000039  R . . . B . .
COutPacket::COutPacket            .text    004FDFA9  00000049  R . . . . . .
COutPacket::Encode1               .text    0042CE64  0000001E  R . . . . . .
COutPacket::Init                  .text    004FDFF2  00000028  R . . . . . .
COutPacket::MakeBufferList        .text    004FE01A  00000342  R . . . . . .
CWvsApp::Run                      .text    00603D7B  000002D6  R . . . . . .
ZtlSecure_Get                     .text    00441DF8  000000B5  R . . . B . .
ZtlSecure_Set                     .text    00441EAD  000000BE  R . . . B . .

Hope this helps! As for naming your OnPacket functions, I'll assume you know how to do this already. I've named the CClientSocket::ProcessPacket function, which will already help you access CWvsContext::OnPacket. If you're simply wanting to remove the crypto and aren't able to with the functions I've given you, just let me know and I can locate and give you the addys.
 
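As an added illustration of the header scheme described in this reply (example code, not from the post or from any Odin source): building the 4-byte header from the IV and version, recovering the length with the dataLen ^= rawSeq step, and the sequence check a receiver runs before decrypting. The two IVs are the ones from the hello packet quoted further down the thread, used here as constructed sample values; the server-side convention of version for client->server and 0xFFFF - version for server->client is assumed from Odin.

```c
#include <stdint.h>
#include <stdio.h>

/* Versions as the thread states them: the CMS client is v35 and Odin's
 * MAPLE_VERSION is set to 35. A server decodes client->server traffic with
 * the plain version and encodes server->client traffic with 0xFFFF - version. */
#define MAPLE_VERSION 35u
#define RECV_VERSION  ((uint16_t)MAPLE_VERSION)              /* client -> server */
#define SEND_VERSION  ((uint16_t)(0xFFFFu - MAPLE_VERSION))  /* server -> client */

/* Constructed sample: the two IVs from the hello packet quoted in the thread. */
static const uint8_t RECV_IV[4] = { 0x46, 0x72, 0x7A, 0x52 };
static const uint8_t SEND_IV[4] = { 0x52, 0x30, 0x78, 0x73 };

/* Build the 4-byte header: a 16-bit sequence from iv[2..3] XOR the version,
 * followed by that sequence XOR the byte-swapped body length. */
void build_header(uint8_t hdr[4], const uint8_t iv[4], uint16_t version, uint16_t len)
{
    uint16_t seq   = (uint16_t)(((iv[2] << 8) | iv[3]) ^ version);
    uint16_t xored = (uint16_t)(seq ^ ((len << 8) | (len >> 8)));
    hdr[0] = (uint8_t)(seq >> 8);   hdr[1] = (uint8_t)(seq & 0xFF);
    hdr[2] = (uint8_t)(xored >> 8); hdr[3] = (uint8_t)(xored & 0xFF);
}

/* Recover the body length the way the thread describes the client doing it:
 * read both halves as little-endian shorts, then dataLen ^= rawSeq. */
uint16_t header_length(const uint8_t hdr[4])
{
    uint16_t raw_seq  = (uint16_t)(hdr[0] | (hdr[1] << 8));
    uint16_t data_len = (uint16_t)(hdr[2] | (hdr[3] << 8));
    return (uint16_t)(data_len ^ raw_seq);
}

/* Sequence check a receiver runs with its current IV before decrypting;
 * a mismatch means the IV state or the version constant has drifted. */
int header_matches(const uint8_t hdr[4], const uint8_t iv[4], uint16_t version)
{
    return (hdr[0] ^ iv[2]) == ((version >> 8) & 0xFF)
        && (hdr[1] ^ iv[3]) == (version & 0xFF);
}

int main(void)
{
    uint8_t hdr[4];
    build_header(hdr, SEND_IV, SEND_VERSION, 36);   /* 36-byte body, server -> client */
    printf("server header %02X %02X %02X %02X len=%u ok=%d\n", hdr[0], hdr[1], hdr[2],
           hdr[3], header_length(hdr), header_matches(hdr, SEND_IV, SEND_VERSION));
    build_header(hdr, RECV_IV, RECV_VERSION, 36);   /* what the client would send */
    printf("client header %02X %02X %02X %02X\n", hdr[0], hdr[1], hdr[2], hdr[3]);
    return 0;
}
```

A header that fails header_matches with the receiver's IV is the first thing to test when decrypted data looks like garbage, since the IV advances with every packet.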
Newbie Spellweaver (joined Nov 24, 2018; 6 messages; 0 reaction score)
Thanks a lot for the detailed analysis. I'm a beginner in reverse engineering, so I used the 'ASProtect Unpacker' to unpack the executable. The AES decryption is done for me, but I'm troubled by the Shanda decryption. I analysed the Decode1 and Decode2 functions you quoted above, but it's too hard for me. Could you please help me translate the Shanda decryption/encryption algorithm to a Java/C edition? Many thanks.
 
Custom Title Activated, Loyal Member (joined Jan 18, 2010; 3,109 messages; 1,139 reaction score)
The Shanda encryption (identified by Nexon as "IOBufferManipulator") is what's referred to as "MapleCustomEncryption" by OdinMS. So, assuming you're using an already existing emulator (probably an Odin one, too), then you already have Shanda. You just need to call the decrypt/encrypt in the order I explained above.

All the Decode1/Decode2 functions do is read bytes from the stream. Decode1 is the equivalent of OdinMS's slea.readByte() method, and Decode2 is the equivalent of slea.readShort(). Anyways, you should be able to use a clean OdinMS source, change the region/version, and it'd connect just fine (also needing opcode changes, obviously). Your problem will most likely come from the fact that you didn't strip any GameGuard and other misc. client checks, causing it to crash or give error codes.

EDIT: If you're working on a special OG version like v35, I expect you to know how to analyze functions in IDA and how packets work. However, if you don't know either of them, then you may want to start smaller because this will be a big learning curve. Also, on the off chance that you're writing some source in C and actually can't translate the awful pseudocode to clean C, here's Odin's.
 
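A C rendering of the Shanda routine (Nexon's IOBufferManipulator, OdinMS's MapleCustomEncryption) discussed in this reply, added here as an example; it is not the attachment from the post. The pass structure and constants follow Odin's Java MapleCustomEncryption; shanda_roundtrip_ok is a helper of mine that runs both directions over a constructed buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

static uint8_t rol8(uint8_t v, int n) { n &= 7; return (uint8_t)((v << n) | (v >> (8 - n))); }
static uint8_t ror8(uint8_t v, int n) { n &= 7; return (uint8_t)((v >> n) | (v << (8 - n))); }

/* Six alternating passes: even passes walk forward, odd passes backward. Each
 * byte is mixed with a running count (len, starting at the buffer length) and
 * with the previous output byte (rem). Constants follow Odin's Java version. */
void shanda_encrypt(uint8_t *d, size_t n)
{
    for (int pass = 0; pass < 6; pass++) {
        uint8_t rem = 0, len = (uint8_t)n, c;
        if (pass % 2 == 0)
            for (size_t i = 0; i < n; i++, len--) {
                c = (uint8_t)(rol8(d[i], 3) + len); c ^= rem; rem = c;
                d[i] = (uint8_t)(~ror8(c, len) + 0x48);
            }
        else
            for (size_t i = n; i-- > 0; len--) {
                c = (uint8_t)(rol8(d[i], 4) + len); c ^= rem; rem = c;
                d[i] = ror8(c ^ 0x13, 3);
            }
    }
}
/* Inverse: the same passes undone in reverse order, so it begins backward. */
void shanda_decrypt(uint8_t *d, size_t n)
{
    for (int pass = 1; pass <= 6; pass++) {
        uint8_t rem = 0, len = (uint8_t)n, c, next;
        if (pass % 2 == 0)
            for (size_t i = 0; i < n; i++, len--) {
                c = rol8((uint8_t)~(d[i] - 0x48), len); next = c; c ^= rem; rem = next;
                d[i] = ror8((uint8_t)(c - len), 3);
            }
        else
            for (size_t i = n; i-- > 0; len--) {
                c = rol8(d[i], 3) ^ 0x13; next = c; c ^= rem; rem = next;
                d[i] = ror8((uint8_t)(c - len), 4);
            }
    }
}
/* Round trip on a constructed buffer (not a packet from the thread): 1 when
 * encryption changed the bytes and decryption restored them exactly. */
int shanda_roundtrip_ok(void)
{
    uint8_t buf[8] = { 0x01, 0x00, 0x04, 0x00, 'a', 'a', 'a', 'a' }, orig[8];
    memcpy(orig, buf, 8); shanda_encrypt(buf, 8);
    int changed = memcmp(buf, orig, 8) != 0;
    shanda_decrypt(buf, 8);
    return changed && memcmp(buf, orig, 8) == 0;
}
```

On the server's decoder this runs after AES on a received block; on the encoder it runs before AES, which is the order corrected later in the thread.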
Newbie Spellweaver (joined Nov 24, 2018; 6 messages; 0 reaction score)
Great, thanks! I have tried but still have some problems. I'm using v83 Odin server code, changed the MAPLE_VERSION const from 83 to 35, and the MAPLE_TYPE const from 8 to 4.
My hello packet is: 0E 00 23 00 01 00 31 46 72 7A 52 52 30 78 73 04
(recv IV is 70, 114, 122, 82; send IV is 82, 48, 120, 115)
Then the CMS 035 client shows the login UI, so I think this means my hello packet works well.

Then I input account "aaaa" and password "111111", click the login button, and receive this client message:
64 A4 9F 07 FD 4D 6C 49 4A 3D 96 FE C8 44 85 E4 79 FE EE E3 C7 3E 9B BF 42 3B 97 B2 4E 36 F8 DB F4 8C 0D D9

After AES decryption it becomes:
71 1A 5B 6A 7E B9 C9 EA 15 17 7E E4 C0 B4 64 6D 1E E7 8A 13 C9 B0 8C 09 4C 7F F5 6F F8 A9 2C 5D 03 2D D4 D5

Then after Shanda decryption it becomes:
E2 FB 40 7E 67 08 B6 77 F4 CC 0E 3E 5D 72 D1 9A 2C 7C F6 44 16 6A 7F 2F ED 39 C8 DE 96 F7 95 04 59 88 C9 6F
I think it's wrong because the opcode is E2 FB; it should be 01 00, and the data doesn't contain my account "aaaa" or password "111111".

I checked the "AES user key" and "IV transformation key"; they are the same as you mentioned above. I compared "MapleAESOFB.java" and "MapleCustomEncryption.java" in my project and in SnowMS, and they are completely the same.

So I'm stuck here and don't know how to check what went wrong.

BTW, when I changed MAPLE_VERSION and MAPLE_TYPE back, the GMS 083 client works well and can log in normally.
 
Custom Title Activated, Loyal Member (joined Jan 18, 2010; 3,109 messages; 1,139 reaction score)
Actually, I mistakenly got them backwards. On your decoder you will first decrypt AES, followed by Shanda. On your encoder, you will first encrypt Shanda, followed by AES. This is assuming you even switched or touched them at all.

The only other possibility I can come up with is that your IV is actually being updated numerous times during the CRC32 iterations. Assuming your IV is indeed "70, 114, 122, 82", which converted to an int32 should be "1181907538", then that means after IV transformation it will become "1405971210". Since 1405971210 % 31 is 0, it'll additionally loop more IV transformations. I would try just jumping over those checks by going to addy 00440B90 and changing the instruction to JMP 00440C37. If that still doesn't fix it for you, then I dunno since I can't debug it myself :p. At that point I'd suggest just debugging everything through CE in order to determine where and why the data mismatches between client/server.

I was going to see if I could make a quick login server and connect to it, but the client kept being annoying. After bypassing the region checks, changing the ips (search for mxdlogin.poptang.com btw so you don't need run.bat), and window-moding it to get it to open properly (addy is 00604A97 if you need it btw -> change 0x10 to 0), it always disconnects at the gateway upon connecting to a region. Since I'm too lazy right now to figure out why that's messing up (and have no clue what "China4" or ports 2227~2229 are for), I won't be able to validate the packets unfortunately.
 
Newbie Spellweaver (joined Nov 24, 2018; 6 messages; 0 reaction score)
I modified 00440B90 to JMP 00440C37, but nothing happened. The final data is still:
E2 FB 40 7E 67 08 B6 77 F4 CC 0E 3E 5D 72 D1 9A 2C 7C F6 44 16 6A 7F 2F ED 39 C8 DE 96 F7 95 04 59 88 C9 6F

I'm still debugging the client using OllyICE. I think it's hard for me, because I'm not familiar with ASM code.

If you are interested in this client, you can use this tool for "window mode"; it's more useful than changing 00604A97 0x10 to 0, because I can't use my mouse after that.
Attachment: WindowModeTool.zip (DirectX8)
 