[Help] IGC.dll

  1. #1 Fusion78 (Apprentice, joined Aug 2018, 9 posts)

    [Help] IGC.dll

    Code:
    00BE443A :SEND_PACKET_HOOK -> MU_SEND_PACKET: 00BE4865 -> MU_SENDER_CLASS : 0160951C
    00C48E76 :PARSE_PACKET_HOOK -> PARSE_PACKET_STREAM 00BE5341 -> PROTOCOL_CORE2 : 00C4401E -> PROTOCOL_CORE1 : 00C183E9
    
    0144C6F8 : key size 26
        "w(eb!zen&Mu1@#^Ge&sch%enk!"
        db 77 28 65 62 21 7A 65 6E 26 4D 75 31 40 23 5E 47 65 26 73 63 68 25 65 6E 6B 21
    
    group HOOK CONNECT SERVER >> Use Class CServerInfo 
    tmuConnectToCS muConnectToCS = (tmuConnectToCS)MU_CONNECT_FUNC; MU_CONNECT_FUNC->00BF63FA
    0045FA6A ->jmp IGC+...  g_Connection = CS_CONNECTED; (1)
    00511BAA    
    00B2E7FF    g_Connection = GS_CONNECTED;
    
    00504E8D -> HookExitFunc jmp IGC+... : Exit Process
    00ADE647 ->  HookExitCharSelectFunc      >Menu-Exit Game
    00513202 : HookDCFunc -> Reconnect System
    0088111E: call 00626374-> call IGC+... reconnect
    
        
    005066E1 -> mov [ebp-34],005052BA -> mov [ebp-34],IGC+...
        ChangeAddress(MU_WND_PROC_HOOK, FPTR(WndProc));
        -> MU_WND_PROC_HOOK : 005066E1
        
    00508209 call SetTimer -> nop
    
    >>0050E275 : Gameguard je -> jmp | 0x74 -> 0xEB
    00C1A31F : gg jmp
    00CF24A4 : gg jmp
    00CF25DD : gg jmp
    
    >00D8535E : remove encrypt mu error log. -> nop it  0x90 0x90 0x90 0x90 0x90 
    
    >>00512CD5 : push "screen dir"
    
    
    group
    006140D5 : cmp eax,0xE0 +>add cmp eax,0xA0<< charset[16] add pet 0xA0 display (panda, I think) (s9 has 0xA0)
    0061410D : cmp -0x20 +> add cmp -0x60 << same
    
    >>0064731D : Set Battle Zone 
    >>00ABD5F8 Hook Set Gen Battle Map (warp command window)
    
    group
    0064EDBC : cmp dword ptr [ebp-000000A4],06 - > cmp07 || ->jg
    0064EE28 : change jmp addr -- jng 0064F0CE -> jng 0064EFCF
    
    group
    00B6084F call IGC... custom jewels mouse hover use
    (maybe label color | drop sound | expensive ...) didn't check
    00670943:  custom jewels  
    0069F1B8:  custom jewels
    00B623E2:  custom jewels
    
    
    >>00868675: Change PStore Zen->Wcoin
    
    >>008697B9: item info custom : conditional jmp -> nop (probably joh option on ancient)
    
    
    
    
    009A7036: change Z shop Label Name
    
    
    
    009BB302->009BB566 maybe custom event level
    
    
    0xD84568 MultiByteToWideChar 0x4E4
    0xD845AB MultiByteToWideChar 0x4E4
    0x1600520 -> memset 00 00 00 00 (case 4e4)
    00A1BF9B: MultiByteToWideChar 0x4E4 + WideCharToMultiByte 65001 : ASCII -> UTF-8
    0xA6702B WideCharToMultiByte 0x4E4
    0xA6705C WideCharToMultiByte 0x4E4
    00A4D3F6 : WideCharToMultiByte 0x4E4
    0xA4D426 WideCharToMultiByte 0x4E4
    
    if(codepage != 0x4e4) //codepage in Class CServerInfo
    {
    MemSet(0x459260, 0xEB, 1);
    MemSet(0xB2C926, 0xEB, 1);
    MemSet(0xAF2E2B, 0xEB, 1);
    MemSet(0xAF2E2B, 0xEB, 1);
    }
    
    00A25E7B: add custom cmp check
    00A25E82 : not needed.
        MemSet(0xA25E82, 0x90, 2);
    
    00A62136 : mouse hover zen info -> nop
    00A62555 : mouse hover ruud info -> nop
    
    
    
    00AF0D84 : fname "mu.exe" -> "main.exe"
    
    00B2C25F : Create Character Frame -> set/disable character creation
    
    00B75A87 : -> Inc Max Chat length 33 -> 60: mov [ebp-10],00000021 -> mov [ebp-10],0000003C
        //MemSet(0xB75A8A, 0x3C, 1);
    
    NOP BYTES Area 1 size 88: -- I didn't check any NOP areas
    00C0F7B4 : 0x90 ...
    NOP BYTES Area 2 size 62: 
    00C1FDE5 : 0x90 ...
    NOP BYTES Area 3 size 62: 
    00C20064 : 0x90 ...
    NOP BYTES Area 4 size 76: 
    00C20F27 : 0x90 ...
        MemSet(0xC0F7B4, 0x90, 88);
        MemSet(0xC20F27, 0x90, 76);
        MemSet(0xC1FDE5, 0x90, 62);
        MemSet(0xC20064, 0x90, 62);
    //maybe IGC disabled some UI parts
    
    00B7B5B4 : hook. update PlayerUI hp/mp/sd/ag/toxic ...
    009FC982 : hook. something about hp/mp/sd/ag ui... didn't check
    009B7427 : hook. something about hp/mp/sd/ag ui... didn't check
    
    00BE4D43 : OnSocketClose?
    00BE4D84
    00BE4EF9
    
    00BF64FF: On Switch to Select Server. ReInit 2bytes packets Encrypt check
    
    00C1A436: on after select char, Fix reverse Welcome string ("NoriaWelcome to" -> Welcome to Noria)
    00C1C8F0: same, but on map move
    
    00C1D259: 65k Shield Dmg fix (no need fix normal 65k dmg, WZ did it)
        00C1D259: mov eax,[eax+14] ...nop...
        db 8B 40 14 90 90 90 90 90 90 90 90 90 90 90 90 90
    new 0xDF struct
    struct PMSG_ATTACKRESULT
    {
        PBMSG_HEAD h;    // header
        BYTE NumberH;    // 3
        BYTE NumberL;    // 4
        //3bytes gap (bt->int)
        int Damage;    // 8
        BYTE DamageTypeH; //C
        BYTE DamageTypeL;    // D
        BYTE btShieldDamageH;    // E
        BYTE btShieldDamageL;    // F
        BYTE newType;    //10
        //3bytes gap (bt->int)
        int iShieldDamage;    //14
    };
    
    
    
    
    
    stolen bytes 1
    00BE5341:
    db 55 8B EC 51 51 89 4D F8 8B 45 F8 8B 88 24 40 00 00 E8 1C 03 00 00 0F B6 C0 85 C0 75 29 8B 45 F8 8B 88 24 40 00 00 E8 CF 03 00 00 89 45 FC 8B 45 F8 8B 88 24 40 00 00 E8 B9 02 00 00 8B 4D FC E8 AA 03 00 00 EB 02 33 C0 C9 C3
    /*
    main.exe+7E5341 - 55                    - push ebp
    main.exe+7E5342 - 8B EC                 - mov ebp,esp
    main.exe+7E5344 - 51                    - push ecx
    main.exe+7E5345 - 51                    - push ecx
    main.exe+7E5346 - 89 4D F8              - mov [ebp-08],ecx
    main.exe+7E5349 - 8B 45 F8              - mov eax,[ebp-08]
    main.exe+7E534C - 8B 88 24400000        - mov ecx,[eax+00004024]
    main.exe+7E5352 - E8 1C030000           - call main.exe+7E5673
    main.exe+7E5357 - 0FB6 C0               - movzx eax,al
    main.exe+7E535A - 85 C0                 - test eax,eax
    main.exe+7E535C - 75 29                 - jne main.exe+7E5387
    main.exe+7E535E - 8B 45 F8              - mov eax,[ebp-08]
    main.exe+7E5361 - 8B 88 24400000        - mov ecx,[eax+00004024]
    main.exe+7E5367 - E8 CF030000           - call main.exe+7E573B
    main.exe+7E536C - 89 45 FC              - mov [ebp-04],eax
    main.exe+7E536F - 8B 45 F8              - mov eax,[ebp-08]
    main.exe+7E5372 - 8B 88 24400000        - mov ecx,[eax+00004024]
    main.exe+7E5378 - E8 B9020000           - call main.exe+7E5636
    main.exe+7E537D - 8B 4D FC              - mov ecx,[ebp-04]
    main.exe+7E5380 - E8 AA030000           - call main.exe+7E572F
    main.exe+7E5385 - EB 02                 - jmp main.exe+7E5389
    main.exe+7E5387 - 33 C0                 - xor eax,eax
    main.exe+7E5389
    */
    
    stolen bytes 2
    00BF6423:
    db 0F B7 45 0C 50 FF 75 08 68 04 18 43 01 68 E0 6A 63 01 E8 A5 EF 18 00 83 C4 10 6A 01 FF 35 8C 6A 63 01 B9 80 A6 1E 0A E8 77 E7 FE FF 68 00 04 00 00 FF 75 0C FF 75 08 B9 80 A6 1E 0A E8 70 E9 FE FF 85 C0 0F 85 93 00 00 00 68 F0 17 43 01 68 E0 6A 63 01 E8 64 EF 18 00 59 59 6A 01
    /*
    main.exe+7F6423 - 0FB7 45 0C            - movzx eax,word ptr [ebp+0C]
    main.exe+7F6427 - 50                    - push eax
    main.exe+7F6428 - FF 75 08              - push [ebp+08]
    main.exe+7F642B - 68 04184301           - push main.exe+1031804 { ["[Connect to Server] ip address = %s, port = %d"] }
    main.exe+7F6430 - 68 E06A6301           - push main.exe+1236AE0 { [01450A68] }
    main.exe+7F6435 - E8 A5EF1800           - call main.exe+9853DF
    main.exe+7F643A - 83 C4 10              - add esp,10 { 16 }
    main.exe+7F643D - 6A 01                 - push 01 { 1 }
    main.exe+7F643F - FF 35 8C6A6301        - push [main.exe+1236A8C] { [007E0F10] }
    main.exe+7F6445 - B9 80A61E0A           - mov ecx,main.exe+9DEA680 { [007E0F10] }
    main.exe+7F644A - E8 77E7FEFF           - call main.exe+7E4BC6
    main.exe+7F644F - 68 00040000           - push 00000400 { 1024 }
    main.exe+7F6454 - FF 75 0C              - push [ebp+0C]
    main.exe+7F6457 - FF 75 08              - push [ebp+08]
    main.exe+7F645A - B9 80A61E0A           - mov ecx,main.exe+9DEA680 { [007E0F10] }
    main.exe+7F645F - E8 70E9FEFF           - call main.exe+7E4DD4
    main.exe+7F6464 - 85 C0                 - test eax,eax
    main.exe+7F6466 - 0F85 93000000         - jne main.exe+7F64FF
    main.exe+7F646C - 68 F0174301           - push main.exe+10317F0 { ["Failed to connect. "] }
    main.exe+7F6471 - 68 E06A6301           - push main.exe+1236AE0 { [01450A68] }
    main.exe+7F6476 - E8 64EF1800           - call main.exe+9853DF
    main.exe+7F647B - 59                    - pop ecx
    main.exe+7F647C - 59                    - pop ecx
    main.exe+7F647D - 6A 01                 - push 01 { 1 }
    */
    
    (signed int16-> unsigned int16 32k->64k)
    00A8C96A ; movsx -> movzx : Remove (+/-) stats info 0FBF-> 0FB7 (00A8C96A+1 : BF -> B7)
    00A8C981 :same
    00A8C996
    00A8C98C
    00A8C9A1
    00A8C9AB
    00A8CA4F
    00A8CA66
    00A8CA71
    00A8CA7B
    00A8CA86
    00A8CA90
    00A8CB34
    00A8CB4B
    00A8CB56
    00A8CB60
    00A8CB6B
    00A8CB75
    00A8CC19
    00A8CC30
    00A8CC3B
    00A8CC45
    00A8CC50
    00A8CC5A
    00A8CCFE
    00A8CD15
    00A8CD20
    00A8CD2A
    00A8CD35
    00A8CD3F
    00A8D0FA
    00A8D104
    00A8D112
    00A8D11C
    00A8D12A
    00A8D143
    00A8D188
    00A8D192
    00A8D1A0
    00A8D1AA
    00A8D1B8
    00A8D1D1
    00A8D21C
    00A8D226
    00A8D234
    00A8D23E
    00A8D24C
    00A8D265
    00A8D2B0
    00A8D2BA
    00A8D2C8
    00A8D2D2
    00A8D2E0
    00A8D2F9
    00A8D344
    00A8D34E
    00A8D35C
    00A8D366
    00A8D374
    00A8D38D
    @solarismu do you have any info about 0C5A7DC9? Any data or notes corresponding to this offset?
    Last edited by allexander; 09-08-18 at 02:35 AM.
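    The 0xDF layout and the two 16-bit width problems the notes above patch around (the "65k Shield Dmg fix" and the movsx -> movzx list), as an added example in C. This is not code from the post or from IGC/Webzen; it reads the struct from raw bytes using the offsets written in the struct comments (3, 4, 8, 0xC, 0xD, 0xE, 0xF, 0x10, 0x14). Assumptions: PBMSG_HEAD is the usual 3-byte {c, size, headcode} C1 header, multi-byte integer fields are little-endian, the H/L byte pairs are high byte first, and the sample packet is constructed here, not captured from a server.

    ```c
    #include <stdint.h>
    #include <stddef.h>
    #include <stdio.h>

    /* Added example, not code from the post. Parses the 0xDF PMSG_ATTACKRESULT
     * layout quoted above and shows why the old btShieldDamageH/L pair cannot
     * carry a value above 65535 while the added iShieldDamage int can, and what
     * a 16-bit stat looks like when read with movsx (0F BF) vs movzx (0F B7).
     * Assumed: 3-byte C1 header {c, size, headcode}, little-endian ints. */

    #define ATTACKRESULT_SIZE     0x18
    #define HEADCODE_ATTACKRESULT 0xDF

    struct attack_result {
        uint16_t number;            /* NumberH<<8 | NumberL (offset 3) */
        int32_t  damage;            /* int at 8 */
        uint16_t damage_type;       /* DamageTypeH/L at 0xC */
        uint16_t shield_damage16;   /* legacy pair at 0xE, wraps at 65535 */
        uint8_t  new_type;          /* byte at 0x10 */
        int32_t  shield_damage32;   /* new int at 0x14 */
    };

    static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
    static int32_t  le32(const uint8_t *p)
    {
        return (int32_t)(p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24));
    }

    /* Returns 0 on success, -1 if the buffer is short or not a 0xDF packet. */
    int parse_attack_result(const uint8_t *buf, size_t len, struct attack_result *out)
    {
        if (buf == NULL || out == NULL || len < ATTACKRESULT_SIZE) return -1;
        if (buf[0] != 0xC1 || buf[1] != ATTACKRESULT_SIZE || buf[2] != HEADCODE_ATTACKRESULT)
            return -1;
        out->number          = be16(buf + 3);
        out->damage          = le32(buf + 8);
        out->damage_type     = be16(buf + 0xC);
        out->shield_damage16 = be16(buf + 0xE);
        out->new_type        = buf[0x10];
        out->shield_damage32 = le32(buf + 0x14);
        return 0;
    }

    /* What the client sees for a raw 16-bit stat with movsx vs movzx. */
    int32_t stat_movsx(uint16_t raw) { return (raw & 0x8000) ? (int32_t)raw - 0x10000 : (int32_t)raw; }
    int32_t stat_movzx(uint16_t raw) { return (int32_t)raw; }

    /* How a server still filling the 16-bit pair has to truncate a big value. */
    uint16_t shield16_truncate(int32_t v) { return (uint16_t)(v & 0xFFFF); }

    /* Constructed sample: 70000 damage and 70000 shield damage. The 16-bit
     * pair can only hold 70000 & 0xFFFF = 4464; the int field holds 70000. */
    static const uint8_t SAMPLE_DF[ATTACKRESULT_SIZE] = {
        0xC1, 0x18, 0xDF,          /* c, size, headcode */
        0x12, 0x34,                /* NumberH, NumberL */
        0x00, 0x00, 0x00,          /* gap */
        0x70, 0x11, 0x01, 0x00,    /* Damage = 70000 (0x11170) */
        0x00, 0x01,                /* DamageTypeH, DamageTypeL */
        0x11, 0x70,                /* btShieldDamageH/L = 4464 (wrapped) */
        0x01,                      /* newType */
        0x00, 0x00, 0x00,          /* gap */
        0x70, 0x11, 0x01, 0x00     /* iShieldDamage = 70000 */
    };

    /* 0 when the sample parses and the two shield fields differ by exactly the
     * dropped high word (65536); nonzero error code otherwise. */
    int demo_sample(void)
    {
        struct attack_result r;
        if (parse_attack_result(SAMPLE_DF, sizeof SAMPLE_DF, &r) != 0) return 1;
        if (r.damage != 70000) return 2;
        if (r.shield_damage16 != shield16_truncate(r.shield_damage32)) return 3;
        if (r.shield_damage32 - r.shield_damage16 != 65536) return 4;
        return 0;
    }

    int main(void)
    {
        struct attack_result r;
        if (parse_attack_result(SAMPLE_DF, sizeof SAMPLE_DF, &r) != 0) { puts("bad packet"); return 1; }
        printf("target %u damage %d shield16 %u shield32 %d\n",
               r.number, r.damage, r.shield_damage16, r.shield_damage32);
        printf("stat 40000 via movsx: %d, via movzx: %d\n", stat_movsx(40000), stat_movzx(40000));
        return 0;
    }
    ```

    The parser checks the length and headcode before touching any field; the patched client reads the int at 0x14 for shield damage, so a parser that keeps trusting the byte pair at 0xE will silently show wrapped values once damage passes 65535.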


  2. #2 solarismu (Account Upgraded | Title Enabled, joined May 2017, 219 posts)

    Re: [Release] Main V1.18 Season 13 Unpack

    At first look, I only know that the address you gave is out of range... -.- not in main.exe
    (valid main.exe addresses are about 0x00400000 -> 0x0A??????)

    0C5A7DC9 ??? what is this? guessing IGC.dll ??? lol

    2nd, I don't know what "data or notes" you want...

    You must be kidding me :)
    Last edited by solarismu; 06-08-18 at 10:23 PM.

  3. #3 Fusion78 (Apprentice, joined Aug 2018, 9 posts)

    Re: [Release] Main V1.18 Season 13 Unpack

    Quote Originally Posted by solarismu:
    > At first look, I only know that the address you gave is out of range... -.- not in main.exe
    > (valid main.exe addresses are about 0x00400000 -> 0x0A??????)
    >
    > 0C5A7DC9 ??? what is this? guessing IGC.dll ??? lol
    >
    > 2nd, I don't know what "data or notes" you want...
    >
    > You must be kidding me :)

    IGC.dll:0C5A7DC9
    SetKey function. It seems to be protected; did you manage to get its info? Or maybe you have some clues how it can be obtained.

  4. #4 solarismu (Account Upgraded | Title Enabled, joined May 2017, 219 posts)

    Re: [Release] Main V1.18 Season 13 Unpack

    I think you should learn something basic first -.-
    ...
    If you mean IGC.dll+0x0C5A7DC9
    -> IGC.dll must be a HUGE HUGE file :))

    2nd, the IGC.dll address which you see is dynamic... not static...
    it will change, change, and change...

    3rd, not everyone uses the same version of IGC.dll

    4th, yes, IGCN protected some parts of the code by
    obfuscation; you need hardcore experience to deal with that.
    5th, I don't think IGC changed their keys. Check their Season 9
    release.

  5. #5 Fusion78 (Apprentice, joined Aug 2018, 9 posts)

    Re: [Release] Main V1.18 Season 13 Unpack

    Quote Originally Posted by solarismu:
    > I think you should learn something basic first -.-
    > ...
    > If you mean IGC.dll+0x0C5A7DC9
    > -> IGC.dll must be a HUGE HUGE file :))
    >
    > 2nd, the IGC.dll address which you see is dynamic... not static...
    > it will change, change, and change...
    >
    > 3rd, not everyone uses the same version of IGC.dll
    >
    > 4th, yes, IGCN protected some parts of the code by
    > obfuscation; you need hardcore experience to deal with that.
    > 5th, I don't think IGC changed their keys. Check their Season 9
    > release.

    Most of the DLLs I saw were the same, like the one from 18/04/18. Btw, the address I've posted is static every time I run the PE. The PacketEncrypt key has changed since S9, that's why I'm asking.

  6. #6 solarismu (Account Upgraded | Title Enabled, joined May 2017, 219 posts)

    Re: [Release] Main V1.18 Season 13 Unpack

    Quote Originally Posted by Fusion78:
    > Most of the DLLs I saw were the same. The PacketEncrypt key has changed since S9, that's why I'm asking.

    You won't need their keys if you are creating your own DLL...

  7. #7 Fusion78 (Apprentice, joined Aug 2018, 9 posts)

    Re: [Release] Main V1.18 Season 13 Unpack

    Quote Originally Posted by solarismu:
    > You won't need their keys if you are creating your own DLL...

    You are totally right, but what if that is not the case with what I'm doing...

  8. #8 solarismu (Account Upgraded | Title Enabled, joined May 2017, 219 posts)

    Re: [Release] Main V1.18 Season 13 Unpack

    Quote Originally Posted by Fusion78:
    > You are totally right, but what if that is not the case with what I'm doing...

    Now I know...
    If you need keys for "hack/troll" purposes... you can hook something / a proxy app into IGC.dll to bypass its encryption.

    Just fine and easy for me... good luck and sorry for not really helping... :D


  9. #9 Fusion78 (Apprentice, joined Aug 2018, 9 posts)

    Re: [Release] Main V1.18 Season 13 Unpack

    Quote Originally Posted by solarismu:
    > Now I know...
    > If you need keys for "hack/troll" purposes... you can hook something / a proxy app into IGC.dll to bypass its encryption.
    >
    > Just fine and easy for me... good luck and sorry for not really helping... :D

    The purpose is not to bypass encryption and get raw data, but to get the key.
    I can hook send/parsepacket easily and do whatever I want, but that does not really help to extract the PacketEncrypt key.
    So if you got any ideas I would really appreciate that.
    Last edited by Fusion78; 07-08-18 at 04:13 AM.

  10. #10 solarismu (Account Upgraded | Title Enabled, joined May 2017, 219 posts)

    Re: [Release] Main V1.18 Season 13 Unpack

    Quote Originally Posted by Fusion78:
    > The purpose is not to bypass encryption and get raw data, but to get the key. I can hook send/parsepacket easily and do whatever I want, but that does not really help to extract the PacketEncrypt key. I've tried a known-plaintext attack on the cipher with no luck. So if you got any ideas I would really appreciate that.

    If you want to hack the game, just say hack :)) we won't laugh at you. Swear :) Till now, I still doubt your knowledge because of the way you gave the address offset. Sorry :P

  11. #11 Fusion78 (Apprentice, joined Aug 2018, 9 posts)

    Re: [Release] Main V1.18 Season 13 Unpack

    Quote Originally Posted by solarismu:
    > If you want to hack the game, just say hack :)) we won't laugh at you. Swear :) Till now, I still doubt your knowledge because of the way you gave the address offset. Sorry :P

    If saying "hack" will help the business, then hack, whatever.

    IGC.dll:0C5A7DA0 is the static start of the SetKey() function inside the CPacketEncrypt class, and the dynamic part begins with a jump at IGC.dll:0C5A7DF3.
    IGC.dll:0C5A7DC9, which was posted initially, contains a vftable value that can be read as a string; it was given to make you understand the deal without tons of explanations.

    Btw, we are working with the same global MU igc.dll.
    Another btw: what significance does knowledge have if the question is posed?
    Last edited by Fusion78; 07-08-18 at 02:05 AM.

  12. #12 solarismu (Account Upgraded | Title Enabled, joined May 2017, 219 posts)

    Re: [Release] Main V1.18 Season 13 Unpack

    Fine, you only raised confusion with your unclear question and purpose.
    Hope a mod will clean the thread soon. Sorry for the mess.
    Btw, this topic is about main.exe... and you brought igc.dll in... too far off topic :))
    Last edited by solarismu; 07-08-18 at 04:29 AM.

  13. #13 Fusion78 (Apprentice, joined Aug 2018, 9 posts)

    Re: [Release] Main V1.18 Season 13 Unpack

    Quote Originally Posted by solarismu:
    > Fine, you only raised confusion with your unclear question and purpose.
    > Hope a mod will clean the thread soon. Sorry for the mess.
    > Btw, this topic is about main.exe... and you brought igc.dll in... too far off topic :))

    Sorry for being so confusing. I thought of "dynamic" as in Themida protection methods, not the file mapping.
    igc.dll+17DA0 g_PacketEncrypt.SetKey()
    igc.dll+17DC9 vftable value
    igc.dll+17DF3 jmp to protected stuff, originally supposed to mov btKey into xmm registers
    Last edited by Fusion78; 09-08-18 at 04:07 AM.
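    The point the last posts arrive at (a DLL address is only meaningful as module+offset, because the load base moves) also applies to the byte patches listed in post #1, and the caveat that not everyone runs the same build means a patcher should verify the bytes it expects before writing. The C below is an added example, not code from either poster or from IGC; it keys patches by RVA, converts the posted absolute addresses with the base each post implies (main.exe at 0x00400000; IGC.dll at 0x0C590000, which follows from igc.dll+17DA0 being IGC.dll:0C5A7DA0 in post #13 for that one run), and applies them to a constructed 64-byte stand-in image rather than the real files. The real write would go to GetModuleHandle("main.exe") + rva after VirtualProtect, which is what the post's MemSet does and is not shown here.

    ```c
    #include <stdint.h>
    #include <stddef.h>
    #include <string.h>
    #include <stdio.h>

    /* Added example, not code from the posts. Applies je->jmp, movsx->movzx
     * and immediate-change patches of the kind listed in post #1 to an
     * in-memory image, keyed by RVA (address minus image base), and only after
     * every expected byte matches. The image bytes, RVAs and base below are
     * constructed for the demo; they are not the real main.exe offsets. */

    #define IMG_SIZE  64
    #define DEMO_BASE 0x00400000u   /* assumed base for the toy image */

    struct patch {
        uint32_t       rva;      /* offset from image base */
        const uint8_t *expect;   /* bytes that must be present before writing */
        const uint8_t *replace;  /* bytes written when they are */
        size_t         len;
        const char    *what;
    };

    /* Absolute address as written in a post  <->  module-relative offset. */
    uint32_t va_to_rva(uint32_t va, uint32_t base) { return va - base; }
    uint32_t rva_to_va(uint32_t rva, uint32_t base) { return base + rva; }

    /* Verify every site first, then write. Returns the number of patches
     * applied, or -1 on the first mismatch with nothing written, so a
     * different build is left untouched instead of half-patched. */
    int apply_patches(uint8_t *img, size_t img_len, const struct patch *p, size_t n)
    {
        for (size_t i = 0; i < n; i++) {
            if ((size_t)p[i].rva + p[i].len > img_len) return -1;
            if (memcmp(img + p[i].rva, p[i].expect, p[i].len) != 0) {
                fprintf(stderr, "patch '%s' at rva 0x%X: unexpected bytes, refusing\n",
                        p[i].what, p[i].rva);
                return -1;
            }
        }
        for (size_t i = 0; i < n; i++)
            memcpy(img + p[i].rva, p[i].replace, p[i].len);
        return (int)n;
    }

    /* Toy image with three sites shaped like the posted patches. */
    static void build_image(uint8_t *img, int wrong_version)
    {
        static const uint8_t je[]     = {0x74, 0x12};                        /* je +0x12 */
        static const uint8_t movsx[]  = {0x0F, 0xBF, 0xC0};                  /* movsx eax,ax */
        static const uint8_t movimm[] = {0xC7, 0x45, 0xF0, 0x21, 0, 0, 0};   /* mov [ebp-10],0x21 */
        memset(img, 0xCC, IMG_SIZE);
        memcpy(img + 0x10, je, sizeof je);
        memcpy(img + 0x20, movsx, sizeof movsx);
        memcpy(img + 0x30, movimm, sizeof movimm);
        if (wrong_version) img[0x10] = 0x75;   /* jne here: a different build */
    }

    static const uint8_t exp_je[]    = {0x74},       new_jmp[]   = {0xEB};
    static const uint8_t exp_movsx[] = {0x0F, 0xBF}, new_movzx[] = {0x0F, 0xB7};
    static const uint8_t exp_imm[]   = {0x21},       new_imm[]   = {0x3C};

    static const struct patch demo_patches[] = {
        {0x10, exp_je,    new_jmp,   1, "je -> jmp"},
        {0x20, exp_movsx, new_movzx, 2, "movsx -> movzx (stat 32k -> 64k)"},
        {0x33, exp_imm,   new_imm,   1, "chat length 33 -> 60"},
    };

    /* Matching build: all three sites patched; returns 3. */
    int demo_patch_ok(void)
    {
        uint8_t img[IMG_SIZE];
        build_image(img, 0);
        int n = apply_patches(img, IMG_SIZE, demo_patches, 3);
        if (n != 3) return -1;
        if (img[0x10] != 0xEB || img[0x21] != 0xB7 || img[0x33] != 0x3C) return -2;
        return n;
    }

    /* Other build: refused, and all three sites untouched; returns 0. */
    int demo_patch_wrong_version(void)
    {
        uint8_t img[IMG_SIZE];
        build_image(img, 1);
        if (apply_patches(img, IMG_SIZE, demo_patches, 3) != -1) return -1;
        if (img[0x10] != 0x75 || img[0x21] != 0xBF || img[0x33] != 0x21) return -2;
        return 0;
    }

    int main(void)
    {
        printf("main.exe 0x0050E275 -> rva 0x%X\n", va_to_rva(0x0050E275u, DEMO_BASE));
        printf("IGC.dll 0x0C5A7DC9 with base 0x0C590000 -> rva 0x%X\n",
               va_to_rva(0x0C5A7DC9u, 0x0C590000u));
        printf("applied: %d, wrong build: %d\n", demo_patch_ok(), demo_patch_wrong_version());
        return 0;
    }
    ```

    Storing the expected bytes next to each RVA is what turns "this offset works on my 18/04/18 DLL" into a check the patcher can make at run time; the all-or-nothing verify-then-write order matters because a partially patched client is harder to debug than an unpatched one.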


