MuOnline Japan S6 Client.

[duracel]

This are the new xorkeys used by the new kor mains.

Code:

byXorFilter[0] = 0xAB;
byXorFilter[1] = 0x11;
byXorFilter[2] = 0xCD;
byXorFilter[3] = 0xFE;
byXorFilter[4] = 0x18;
byXorFilter[5] = 0x23;
byXorFilter[6] = 0xC5;
byXorFilter[7] = 0xA3;
byXorFilter[8] = 0xCA;
byXorFilter[9] = 0x33;
byXorFilter[10] = 0xC1;
byXorFilter[11] = 0xCC;
byXorFilter[12] = 0x66;
byXorFilter[13] = 0x67;
byXorFilter[14] = 0x21;
byXorFilter[15] = 0xF3;
byXorFilter[16] = 0x32;
byXorFilter[17] = 0x12;
byXorFilter[18] = 0x15;
byXorFilter[19] = 0x35;
byXorFilter[20] = 0x29;
byXorFilter[21] = 0xFF;
byXorFilter[22] = 0xFE;
byXorFilter[23] = 0x1D;
byXorFilter[24] = 0x44;
byXorFilter[25] = 0xEF;
byXorFilter[26] = 0xCD;
byXorFilter[27] = 0x41;
byXorFilter[28] = 0x26;
byXorFilter[29] = 0x3C;
byXorFilter[30] = 0x4E;
byXorFilter[31] = 0x4D;

In gs.90 you can find them here:

004B3032 |> C645 D8 AB MOV BYTE PTR SS:[EBP-28],0AB
and
004B3201 |> C645 DC AB MOV BYTE PTR SS:[EBP-24],0AB

Don't know how to find these in the japan main...

[willerson]

see this ^^

00684C0D |. C64424 20 E7 ||MOV BYTE PTR SS:[ESP+20],0E7
00684C12 |. C64424 21 6D ||MOV BYTE PTR SS:[ESP+21],6D
00684C17 |. C64424 22 3A ||MOV BYTE PTR SS:[ESP+22],3A
00684C1C |. 8808 ||MOV BYTE PTR DS:[EAX],CL
00684C1E |. 8B8424 B80100>||MOV EAX,DWORD PTR SS:[ESP+1B8]
00684C25 |. 25 FFFF0000 ||AND EAX,0FFFF
00684C2A |. C64424 23 89 ||MOV BYTE PTR SS:[ESP+23],89
00684C2F |. C64424 24 BC ||MOV BYTE PTR SS:[ESP+24],0BC
00684C34 |. C64424 25 B2 ||MOV BYTE PTR SS:[ESP+25],0B2
00684C39 |. 8D48 01 ||LEA ECX,DWORD PTR DS:[EAX+1]
00684C3C |. C64424 26 9F ||MOV BYTE PTR SS:[ESP+26],9F
00684C41 |. 3BC1 ||CMP EAX,ECX
00684C43 |. C64424 27 73 ||MOV BYTE PTR SS:[ESP+27],73
00684C48 |. C64424 28 23 ||MOV BYTE PTR SS:[ESP+28],23
00684C4D |. C64424 29 A8 ||MOV BYTE PTR SS:[ESP+29],0A8
00684C52 |. C64424 2A FE ||MOV BYTE PTR SS:[ESP+2A],0FE
00684C57 |. C64424 2B B6 ||MOV BYTE PTR SS:[ESP+2B],0B6
00684C5C |. C64424 2C 49 ||MOV BYTE PTR SS:[ESP+2C],49
00684C61 |. C64424 2D 5D ||MOV BYTE PTR SS:[ESP+2D],5D
00684C66 |. C64424 2E 39 ||MOV BYTE PTR SS:[ESP+2E],39
00684C6B |. C64424 2F 5D ||MOV BYTE PTR SS:[ESP+2F],5D
00684C70 |. C64424 30 8A ||MOV BYTE PTR SS:[ESP+30],8A
00684C75 |. C64424 31 CB ||MOV BYTE PTR SS:[ESP+31],0CB
00684C7A |. C64424 32 63 ||MOV BYTE PTR SS:[ESP+32],63
00684C7F |. C64424 33 8D ||MOV BYTE PTR SS:[ESP+33],8D
00684C84 |. C64424 34 EA ||MOV BYTE PTR SS:[ESP+34],0EA
00684C89 |. C64424 35 7D ||MOV BYTE PTR SS:[ESP+35],7D
00684C8E |. C64424 36 2B ||MOV BYTE PTR SS:[ESP+36],2B
00684C93 |. C64424 37 5F ||MOV BYTE PTR SS:[ESP+37],5F
00684C98 |. C64424 38 C3 ||MOV BYTE PTR SS:[ESP+38],0C3
00684C9D |. C64424 39 B1 ||MOV BYTE PTR SS:[ESP+39],0B1
00684CA2 |. C64424 3A E9 ||MOV BYTE PTR SS:[ESP+3A],0E9
00684CA7 |. C64424 3B 83 ||MOV BYTE PTR SS:[ESP+3B],83
00684CAC |. C64424 3C 29 ||MOV BYTE PTR SS:[ESP+3C],29
00684CB1 |. C64424 3D 51 ||MOV BYTE PTR SS:[ESP+3D],51
00684CB6 |. C64424 3E E8 ||MOV BYTE PTR SS:[ESP+3E],0E8
00684CBB |. C64424 3F 56 ||MOV BYTE PTR SS:[ESP+3F],56



its in main, i think this is the key...

[duracel]

Yeah those are, then the xor key is not changed.
In muerror.log from main i get a new one from the gs this time

Code:

[Connect to Server] ip address = 192.168.2.100, port = 55911


>WIC_[Require]Cash -  3ｼｭｹﾍﾀﾇ ﾁ｢ｼﾓﾁｾｷ・

And also have this semi login window that is saying :"Please wait."



Uploaded with ImageShack.us

[willerson]

i bypassed this screen, show the screen of login, i put my login and password and but nothing happens... if you thest this, the offsets are

//Crack CmStarterCore
*(BYTE*)0x00476382 = 0x90;
*(BYTE*)0x00476383 = 0x90;

*(BYTE*)0x0040A5C5 = 0xE9;// /E9 C4000000 JMP main_hoo.0040A68E
*(BYTE*)0x0040A5C6 = 0xC4;
*(BYTE*)0x0040A5C7 = 0x00;
*(BYTE*)0x0040A5C8 = 0x00;
*(BYTE*)0x0040A5C9 = 0x00;
*(BYTE*)0x0040A5CA = 0x90;// |90 NOP


Att. Willerson

[Gembrid]

change this

//Crack CmStarterCore
*(BYTE*)0x00476382 = 0x90;
*(BYTE*)0x00476383 = 0x90;

to this

Code:

0049AE9B      90            NOP
0049AE9C      90            NOP

[duracel]

Ok i will try that Gembrid and also, did you mange to get it working like to login in?

---------- Post added at 12:11 PM ---------- Previous post was at 11:26 AM ----------

Yeah it works now, and i get this xD


Uploaded with ImageShack.us

[Bl4ck I0t4]

dude give me your msn please o_O

[Gembrid]

Ok i will try that Gembrid and also, did you mange to get it working like to login in?

---------- Post added at 12:11 PM ---------- Previous post was at 11:26 AM ----------

Yeah it works now, and i get this xD


Uploaded with ImageShack.us

new protocol

for example

Code:

struct PMSG_CHARLISTCOUNT 
{
  /*<thisrel this+0x0>*/ /*|0x3|*/ struct PBMSG_HEAD h;
  /*<thisrel this+0x3>*/ /*|0x1|*/ unsigned char subcode;
  /*<thisrel this+0x4>*/ /*|0x1|*/ unsigned char MaxClass;
  /*<thisrel this+0x5>*/ /*|0x1|*/ unsigned char MoveCnt;
  /*<thisrel this+0x6>*/ /*|0x1|*/ unsigned char Count;

  char _new_data_for_new_login_system[0x11];
};

new charset


may be you will find here on forum some info or sources for s6

[duracel]

Ok i will see what i can find so that all will be over with this main. xD
Thanks a lot.

[Bigman]

This client miss S6 E2 bmd's.

So.. we can assume that its S6 E1. (same as kor 1.07V+)

[duracel]

Yes..i saw that..but its no problem, i will update the client when they go to Ep2 meanwhile need to fix the protocol. I just got 1.03.36 main and played a bit on it, the servers are almost dead..low population.

[Bigman]

I hope they wont pack the E2 client.

[duracel]

Someone managed to fix this? I tried a few things but with no luck..im new at this charset thingy and packet things..

[Bl4ck I0t4]

I hope they wont pack the E2 client.

oh yes they will because they are so stupied who thinks themida is a good protection for there products :D

[zarahlee]

any body can reupload this main.exe? plsss. thanks :)

[Lena1004]

Let's try Japan Main.
I do not know what the protocol can be changed?