Ok. It's about CMStarterCore. I saw some guides on how to crack CMStarterCore, but my mission was to find out how CMStarterCore <> MU.exe <> Main.exe communicate.
The question is: why do we need to crack it? Instead, we can exploit it and use it, for example, to force players to start the game only from our launcher or our website ;)
If we start MU without the website (GMO) we get a message that we need to start the game through the game's site:
http://imageshack.us/a/img196/6524/seerrt.png
Well... it's interesting: how does main.exe know whether we started it through the website or by clicking it directly?
If we check the arguments MU.exe was started with by CMStarterCore.exe:
Code:
"C:\Program Files (x86)\WEBZEN\Mu\Mu.exe" -name MU
and if we look further at how MU.exe starts main.exe:
Code:
"C:\Program Files (x86)\WEBZEN\Mu\main.exe" connect /mMU
OK.. we can test
- START GAME through the website: it will launch CMStarterCore, and CMStarterCore will create a child process -> MU.exe with the same args.
Let's make a shortcut to main.exe with these args:
Code:
"C:\Program Files (x86)\WEBZEN\Mu\main2.exe" connect /mMU1337
and double-click on it... Hm... We still get that message "Start game through website... bla bla"
After a little research I found out that main.exe communicates with CMStarterCore using a
File Mapping (a named shared-memory section)
OK... let's do a test. I wrote a small app to see what happens:
Code:
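// Creates the named, pagefile-backed file mapping 'MAUKA' that main.exe is
// expected to open when started with "connect /mMAUKA".  The 300-byte,
// read/write mapping handle is kept in the unit-level hFileMapObj so
// FormClose can release it.
procedure TForm27.Button1Click(Sender: TObject);
begin
  // INVALID_HANDLE_VALUE (THandle(-1)) is the documented "back it with the
  // paging file" argument; MAXDWORD ($FFFFFFFF) only coincides with it on
  // 32-bit builds.
  hFileMapObj := CreateFileMapping(INVALID_HANDLE_VALUE, nil, PAGE_READWRITE, 0, 300, 'MAUKA');
  // CreateFileMapping returns 0 on failure; say so instead of carrying an
  // invalid handle into later steps.
  if hFileMapObj = 0 then
    MessageBox(0, 'CreateFileMapping failed', 'Error', MB_ICONWARNING or MB_OK);
end;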
After we start main.exe manually with our mapping name (I assume we have already "cracked" MU.exe ;) ):
Code:
"C:\Program Files (x86)\WEBZEN\Mu\main.exe" connect /mMAUKA
HA!! We bypassed the message, but there is no login... T_T
http://imageshack.us/a/img716/5559/nologin.png
OK... let's do another test. We will try passing the account name through our mapped file and see what happens:
Code:
// Layout the author assumes for the shared block main.exe reads: the account
// name first, the rest unknown ("garbage").  NOTE(review): the record is
// 10 + 300 = 310 bytes while the mapping below is created and mapped with
// only 300 bytes, so GarbageData's last 10 bytes lie past the view; only Acc
// is ever written here.
type
TrResult = packed record
Acc: array [0 .. 9] of AnsiChar; // NUL-terminated account name; at most 9 characters fit
GarbageData: array [0 .. 299] of Byte; // remainder of the block; meaning unknown
end;
PtrResult = ^TrResult; // pointer type for the mapped view
var
Form27: TForm27;
hFileMapObj: THandle; // handle from CreateFileMapping; closed in FormClose
hMapObjPtr: PtrResult; // view from MapViewOfFile; unmapped in FormClose
implementation
{$R *.dfm}
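// Test harness: creates the named mapping 'MAUKA', maps a 300-byte view of it
// and writes a test account name into the Acc field, so that a main.exe
// started with "connect /mMAUKA" finds an account in the shared block.
procedure TForm27.Button1Click(Sender: TObject);
const
  TestAcc = 'TESTACCNAME';
begin
  // INVALID_HANDLE_VALUE is the documented "back it with the paging file"
  // value; MAXDWORD only equals it on 32-bit builds.
  hFileMapObj := CreateFileMapping(INVALID_HANDLE_VALUE, nil, PAGE_READWRITE, 0, 300, 'MAUKA');
  if hFileMapObj = 0 then
    Exit; // nothing to map
  // FILE_MAP_ALL_ACCESS is the named form of the $0F001F literal.
  hMapObjPtr := MapViewOfFile(hFileMapObj, FILE_MAP_ALL_ACCESS, 0, 0, 300);
  if hMapObjPtr = nil then
    Exit;
  // Acc holds 9 characters plus the NUL.  StrLCopy stops at that bound,
  // whereas the original StrPCopy of the 11-character literal wrote two
  // bytes past the field into GarbageData.  The test name itself does not
  // fit and is therefore cut to 'TESTACCNA'.
  StrLCopy(hMapObjPtr^.Acc, TestAcc, SizeOf(hMapObjPtr^.Acc) - 1);
end;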
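// Releases the view and the mapping created by Button1Click.
procedure TForm27.FormClose(Sender: TObject; var Action: TCloseAction);
begin
  // Release in reverse order of acquisition (view first, then the mapping
  // object), and skip the calls when Button1 was never pressed or mapping
  // failed, rather than passing nil / 0 to the API.
  if hMapObjPtr <> nil then
  begin
    UnmapViewOfFile(hMapObjPtr);
    hMapObjPtr := nil;
  end;
  if hFileMapObj <> 0 then
  begin
    CloseHandle(hFileMapObj);
    hFileMapObj := 0;
  end;
end;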
It does work )))
http://imageshack.us/a/img545/6820/nologin2.png
and now we can log in to our account ;)
http://imageshack.us/a/img840/7978/torz1.png
I've edited the Text_Eng.bmd message:
Code:
//2893: The game client is loaded only through the offical Website. Closing the application please try again.
and now if you start it without my app it will show you my message ))
http://img402.imageshack.us/img402/3...0811130001.jpg
So all we need is to create a file mapping and pass our account info through it...
Code:
{*******************************************************}
{CMStarterClone }
{Unit: UCMStarterCloneFrm.pas }
{Last update: 2012.10.08. 12:06:02 }
{Author: 6748222@gmail.com }
{*******************************************************}
unit UCMStarterCloneFrm;
interface
uses
Winapi.Windows, Winapi.Messages, System.SysUtils, System.Variants,
System.Classes, Vcl.Graphics, Vcl.Controls, Vcl.Forms, Vcl.Dialogs,
Vcl.StdCtrls, System.UITypes, Winapi.ShellAPI, System.Win.Registry;
const
// Format string for the file-mapping name handed to main2.exe; %s receives
// CLIENT_ID so every launched client gets its own block (see Button1Click).
MU = 'RageZone%s'; // multi-client: one mapping per client
type
// Layout of the shared block main2.exe reads.  NOTE(review): the record is
// 10 + 300 = 310 bytes, but Button1Click creates and maps only 300 bytes, so
// GarbageData's last 10 bytes lie outside the view; only Acc is written here.
TrResult = packed record
Acc: array [0 .. 9] of AnsiChar; // NUL-terminated account name; at most 9 characters fit
GarbageData: array [0 .. 299] of Byte; // rest of the block; meaning unknown, never written by this unit
end;
PtrResult = ^TrResult; // pointer type for the mapped view
type
// Launcher form: takes an account name from Edit1 and, on Button1, publishes
// it through a named file mapping before starting main2.exe (see Button1Click).
TForm26 = class(TForm)
Button1: TButton; // launches the client
Edit1: TEdit; // account name to pass to the client
procedure Button1Click(Sender: TObject); // create mapping, write Acc, launch main2.exe
procedure FormClose(Sender: TObject; var Action: TCloseAction); // unmap and close the last mapping
procedure FormCreate(Sender: TObject); // locate the game folder via the registry
private
hFileMapObj: THandle; // handle of the most recently created mapping (earlier ones are overwritten)
hMapObjPtr: PtrResult; // view of that mapping
MU_PATH, FOLDER_PATH: string; // MU.exe path read from HKCU\Software\Webzen\MU\Config\Exe, and its directory
public
{ Public declarations }
end;
var
Form26: TForm26;
CLIENT_ID: Integer = 1; // next client number; appended to the mapping name and incremented after each launch
{
0D0C1240 54 68 65 20 67 61 6D 65 20 63 6C 69 65 6E 74 20 The game client
0D0C1250 69 73 20 6C 6F 61 64 65 64 20 6F 6E 6C 79 20 74 is loaded only t
0D0C1260 68 72 6F 75 67 68 20 74 68 65 20 6F 66 66 69 63 hrough the offic
0D0C1270 61 6C 20 57 65 62 73 69 74 65 2E 20 43 6C 6F 73 al Website. Clos
0D0C1280 69 6E 67 20 74 68 65 20 61 70 70 6C 69 63 61 74 ing the applicat
0D0C1290 69 6F 6E 20 70 6C 65 61 73 65 20 74 72 79 20 61 ion please try a
0D0C12A0 67 61 69 6E 2E 00 00 00 00 00 00 00 00 00 00 00 gain............
}
implementation
{$R *.dfm}
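// Hands the typed account name to a new main2.exe instance through a named,
// pagefile-backed file mapping and launches it with "connect /m<name>".
// Each click uses a fresh mapping name (RageZone1, RageZone2, ...) so several
// clients can run side by side; CLIENT_ID is advanced only after a successful
// launch.  hFileMapObj/hMapObjPtr are overwritten on every click, so only the
// last mapping is released in FormClose; earlier ones live until the process
// exits.
procedure TForm26.Button1Click(Sender: TObject);
var
  LPName: string;
  AccName: AnsiString;
begin
  // FormCreate leaves FOLDER_PATH empty when the registry lookup fails; stop
  // here rather than launching a relative "main2.exe" from the working directory.
  if FOLDER_PATH = '' then
  begin
    MessageDlg('Ops, could not find path to main.exe.', mtWarning, [mbOK], 0);
    Exit;
  end;
  // Acc is array[0..9] of AnsiChar: 9 characters plus the terminating NUL.
  // The original StrPCopy would have written a longer name past the field.
  // SizeOf is resolved at compile time, so hMapObjPtr is not dereferenced here.
  AccName := AnsiString(Edit1.Text);
  if Length(AccName) >= SizeOf(hMapObjPtr^.Acc) then
  begin
    MessageDlg('Account name is too long for the shared block.', mtWarning, [mbOK], 0);
    Exit;
  end;
  LPName := Format(MU, [IntToStr(CLIENT_ID)]);
  // INVALID_HANDLE_VALUE is the documented "back it with the paging file"
  // value; MAXDWORD only equals it on 32-bit builds.
  hFileMapObj := CreateFileMapping(INVALID_HANDLE_VALUE, nil, PAGE_READWRITE, 0, 300, PWideChar(LPName));
  if hFileMapObj = 0 then
  begin
    // Previously a failed CreateFileMapping was silently ignored.
    MessageDlg('Something went wrong. Please, restart application', mtWarning, [mbOK], 0);
    Exit;
  end;
  // FILE_MAP_ALL_ACCESS is the named form of the $0F001F literal.
  hMapObjPtr := MapViewOfFile(hFileMapObj, FILE_MAP_ALL_ACCESS, 0, 0, 300);
  if hMapObjPtr = nil then
  begin
    MessageDlg('Something went wrong. Please, restart application', mtWarning, [mbOK], 0);
    Exit;
  end;
  // Bounded copy; the explicit AnsiString cast above replaces the
  // {$WARNINGS OFF} the implicit Unicode->Ansi conversion needed.
  StrLCopy(hMapObjPtr^.Acc, PAnsiChar(AccName), SizeOf(hMapObjPtr^.Acc) - 1);
  LPName := 'connect /m' + LPName; // client reads the mapping named after /m
  // ShellExecute reports success with a value greater than 32.
  if ShellExecute(Handle, 'Open', PWideChar(FOLDER_PATH + 'main2.exe'), PWideChar(LPName), PWideChar(FOLDER_PATH), 1) <= 32 then
    MessageDlg('Could not start main2.exe.', mtWarning, [mbOK], 0)
  else
    Inc(CLIENT_ID); // next click gets its own mapping name
end;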
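// Releases the view and mapping left by the last Button1Click.  Only the most
// recent pair is tracked (each click overwrites the fields), so earlier
// multi-client mappings are released when the process exits.
procedure TForm26.FormClose(Sender: TObject; var Action: TCloseAction);
begin
  // Skip the calls when Button1 was never pressed (or mapping failed) rather
  // than passing nil / 0 to the API; view first, then the mapping object.
  if hMapObjPtr <> nil then
  begin
    UnmapViewOfFile(hMapObjPtr);
    hMapObjPtr := nil;
  end;
  if hFileMapObj <> 0 then
  begin
    CloseHandle(hFileMapObj);
    hFileMapObj := 0;
  end;
end;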
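// Locates the game folder from the MU client's own registry entry and stores
// it in MU_PATH / FOLDER_PATH for Button1Click.  The value lives under HKCU,
// so it is only as trustworthy as anything else running as this user; that
// is the same trust level as the launcher itself.
procedure TForm26.FormCreate(Sender: TObject);
var
  Reg: TRegistry;
  Found: Boolean;
begin
  Found := False;
  Reg := TRegistry.Create;
  try
    Reg.RootKey := HKEY_CURRENT_USER;
    // ReadString returns '' for a missing value instead of raising, so check
    // the value explicitly.
    if Reg.OpenKeyReadOnly('\Software\Webzen\MU\Config') and Reg.ValueExists('Exe') then
    begin
      MU_PATH := Reg.ReadString('Exe'); // full path of MU.exe
      FOLDER_PATH := ExtractFilePath(MU_PATH);
      // An empty or dangling path would make Button1Click launch a relative
      // "main2.exe" from whatever the working directory happens to be.
      Found := (FOLDER_PATH <> '') and FileExists(FOLDER_PATH + 'main2.exe');
    end;
  finally
    Reg.Free;
  end;
  if not Found then
  begin
    FOLDER_PATH := ''; // Button1Click treats this as "not configured"
    MessageBox(0, 'Ops, could not find path to main.exe.', 'Game error', MB_ICONWARNING or MB_OK);
    // Terminate posts WM_QUIT; the form is still created but the message loop
    // exits before the user can interact with it.
    Application.Terminate;
  end;
end;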
end.
Now we can force players to start the game only through our launcher or through our site ;) Keep in mind this is only a local handshake: any process running as the same user can create a mapping with that name, so it steers players to the launcher but is not a security boundary.