[Release] Main V1.18 Season 13 Unpack

Skilled Illusionist
Joined
Jun 22, 2017
Messages
363
Reaction score
561
How to unpack any main that is called "isn't fully working":

- open main with OllyDbg
- add a hw breakpoint at OEP -> F9
- right click -> Goto -> previous offset
- remove the breakpoint

Now you can see something like this
Code:
00F7A4B4 > E8 FF207DFF      CALL main.0074C5B8
00F7A4B9  -E9 95B45400      JMP main.014C5953

- 014C5953 is the new OEP
- open Scylla, put OEP -> IAT Autosearch
- Save dump.exe

- and now you can open dump.exe with IDA =))
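An added example, not code from the thread: the targets the debugger printed for that CALL/JMP pair can be recomputed from the raw bytes, which is a handy sanity check when branches in an unpacked dump look off. The bytes below are copied from the listing above; the function also handles the short EB/7x jumps that appear in the later listings.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Resolve the target of a relative branch from its raw bytes, the way the
 * debugger did for the CALL/JMP pair above: E8/E9 add a signed rel32 to the
 * address of the next instruction (addr + 5); EB and the 70..7F conditional
 * jumps add a signed rel8 (addr + 2). Returns 0 for anything else. */
uint32_t branch_target(uint32_t addr, const uint8_t *code, size_t len)
{
    if (len < 2)
        return 0;
    uint8_t op = code[0];
    if (op == 0xE8 || op == 0xE9) {               /* CALL rel32 / JMP rel32 */
        if (len < 5)
            return 0;
        uint32_t rel = (uint32_t)code[1] | (uint32_t)code[2] << 8 |
                       (uint32_t)code[3] << 16 | (uint32_t)code[4] << 24;
        return addr + 5 + rel;                     /* wraps mod 2^32 = signed add */
    }
    if (op == 0xEB || (op >= 0x70 && op <= 0x7F)) /* JMP rel8 / Jcc rel8 */
        return addr + 2 + (uint32_t)(int32_t)(int8_t)code[1];
    return 0;
}

int main(void)
{
    /* Bytes copied from the listing in the post above. */
    const uint8_t call_bytes[] = {0xE8, 0xFF, 0x20, 0x7D, 0xFF}; /* at 00F7A4B4 */
    const uint8_t jmp_bytes[]  = {0xE9, 0x95, 0xB4, 0x54, 0x00}; /* at 00F7A4B9 */
    printf("CALL -> %08X\n", branch_target(0x00F7A4B4, call_bytes, sizeof call_bytes));
    printf("JMP  -> %08X (new OEP)\n", branch_target(0x00F7A4B9, jmp_bytes, sizeof jmp_bytes));
    return 0;
}
```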
 
Junior Spellweaver
Joined
Dec 19, 2012
Messages
148
Reaction score
135
Anyone have an unpacked main 1.18.26 (current IGCN main ver)? Or maybe just the offset for protocoleRecv, I'll be grateful ;]
 
Joined
Mar 13, 2008
Messages
758
Reaction score
1,002
Try it and tell me if it works :).. you need to deobfuscate the entry point and many functions.. and get the correct IAT if IAT Autosearch does not work.

Here is an example

original entry point call
Code:
00E0CE46 E8 6BBA4909 CALL main.0A2A88B6
00E0CE4B ^\E9 A6BBFFFF JMP main.00E089F6

Entry point fixed
Code:
00E0CE46 > E8 7FF02800 CALL dump_IF.0109BECA
00E0CE4B E9 AD212700 JMP dump_IF.0107EFFD

getstartupinfo
Code:
0107EFFD ^\E9 532BDAFF JMP main.00E21B55
0107F002 CC INT3
0107F003 1BA0 E9B9355A SBB ESP,DWORD PTR DS:[EAX+0x5A35B9E9]

getstartupinfo fixed
Code:
0107EFFD 6A 58 PUSH 0x58
0107EFFF 68 90705B01 PUSH dump_IF.015B7090
0107F004 E8 1FAC0000 CALL dump_IF.01089C28

and more functions you need to fix..

It is not fully tested because I don't have a server to test it.. I can only test up to select server.
 
Skilled Illusionist
Joined
Jun 22, 2017
Messages
363
Reaction score
561
I see, but it's enough to search offsets with IDA
 
Experienced Elementalist
Joined
May 4, 2017
Messages
219
Reaction score
318
Here is an offsets list I pulled from IGC.dll (S13 main 1.18.89 - their newest main)
It's only a piece of a note I saved when making my S13 DLL file last month. So not perfect, but I hope it may help for developing IGC.dll S13 from the S9 DLL ^^:)

No guarantee it is 100% full & correct

Code:
00BE443A :SEND_PACKET_HOOK -> MU_SEND_PACKET: 00BE4865 -> MU_SENDER_CLASS : 0160951C
00C48E76 :PARSE_PACKET_HOOK -> PARSE_PACKET_STREAM 00BE5341 -> PROTOCOL_CORE2 : 00C4401E -> PROTOCOL_CORE1 : 00C183E9

0144C6F8 : key size 26
    "w(eb!zen&Mu1@#^Ge&sch%enk!"
    db 77 28 65 62 21 7A 65 6E 26 4D 75 31 40 23 5E 47 65 26 73 63 68 25 65 6E 6B 21

group HOOK CONNECT SERVER >> Use Class CServerInfo 
tmuConnectToCS muConnectToCS = (tmuConnectToCS)MU_CONNECT_FUNC; MU_CONNECT_FUNC->00BF63FA
0045FA6A ->jmp IGC+...  g_Connection = CS_CONNECTED; (1)
00511BAA    
00B2E7FF    g_Connection = GS_CONNECTED;

00504E8D -> HookExitFunc jmp IGC+... : Exit Process
00ADE647 ->  HookExitCharSelectFunc      >Menu-Exit Game
00513202 : HookDCFunc -> Reconnect System
0088111E: call 00626374-> call IGC+... reconnect

    
005066E1 -> mov [ebp-34],005052BA -> mov [ebp-34],IGC+...
    ChangeAddress(MU_WND_PROC_HOOK, FPTR(WndProc));
    -> MU_WND_PROC_HOOK : 005066E1
    
00508209 call SetTimer -> nop

>>0050E275 : Gameguard je -> jmp | 0x74 -> 0xEB
00C1A31F : gg jmp
00CF24A4 : gg jmp
00CF25DD : gg jmp

>00D8535E : remove encrypt mu error log. -> nop it  0x90 0x90 0x90 0x90 0x90 

>>00512CD5 : push "screen dir"


group
006140D5 : cmp eax,0xE0 +>add cmp eax,0xA0<< charset[16] add pet 0xA0 display (panda i think) (s9 has 0xA0)
0061410D : cmp -0x20 +> add cmp -0x60 << same

>>0064731D : Set Battle Zone 
>>00ABD5F8 Hook Set Gen Battle Map (warp command window)

group
0064EDBC : cmp dword ptr [ebp-000000A4],06 - > cmp07 || ->jg
0064EE28 : change jmp addr -- jng 0064F0CE -> jng 0064EFCF

group
00B6084F call IGC... custom jewels mouse hover use
(maybe label color | drop sound | expensive ...) didn't check
00670943:  custom jewels  
0069F1B8:  custom jewels
00B623E2:  custom jewels

>>00868675: Change PStore Zen->Wcoin

>>008697B9: item info custom : conditional jmp-> nop (probably joh option on ancient)

009A7036: change Z shop Label Name

009BB302->009BB566 maybe custom event level

0xD84568 MultiByteToWideChar 0x4E4
0xD845AB MultiByteToWideChar 0x4E4
0x1600520 -> memset 00 00 00 00(case 4e4)
00A1BF9B: MultiByteToWideChar 0x4E4  + WideCharToMultiByte 65001 : ascii ->utf-8
0xA6702B WideCharToMultiByte 0x4E4 
0xA6705C  WideCharToMultiByte 0x4E4 
00A4D3F6 : WideCharToMultiByte 0x4E4 
0xA4D426 WideCharToMultiByte 0x4E4 

if(codepage != 0x4e4) //codepage in Class CServerInfo
{
MemSet(0x459260, 0xEB, 1);
MemSet(0xB2C926, 0xEB, 1);
MemSet(0xAF2E2B, 0xEB, 1);
MemSet(0xAF2E2B, 0xEB, 1);
}

00A25E7B: add custom cmp check
00A25E82 : not need.
    MemSet(0xA25E82, 0x90, 2);

00A62136 : mouse hover zen info -> nop
00A62555 : mouse hover ruud info -> nop



00AF0D84 : fname "mu.exe" -> "main.exe"

00B2C25F : Create Character Frame -> set/disable character creation

00B75A87 : ->Inc Max Chat length 33 - > 60 mov [ebp-10],00000021 -> mov [ebp-10],0000003C
    //MemSet(0xB75A8A, 0x3C, 1);

NOP BYTES Area 1 size 88: --I didn't check any NOP areas
00C0F7B4 : 0x90 ...
NOP BYTES Area 2 size 62: 
00C1FDE5 : 0x90 ...
NOP BYTES Area 3 size 62: 
00C20064 : 0x90 ...
NOP BYTES Area 4 size 76: 
00C20F27 : 0x90 ...
    MemSet(0xC0F7B4, 0x90, 88);
    MemSet(0xC20F27, 0x90, 76);
    MemSet(0xC1FDE5, 0x90, 62);
    MemSet(0xC20064, 0x90, 62);
//maybe IGC disabled some UI parts

00B7B5B4 : hook. update PlayerUI hp/mp/sd/ag/toxic ...
009FC982 : hook. something about hp/mp/sd/ag ui... didn't check
009B7427 : hook. something about hp/mp/sd/ag ui... didn't check

00BE4D43 : OnSocketClose?
00BE4D84
00BE4EF9

00BF64FF: On Switch to Select Server. ReInit 2bytes packets Encrypt check

00C1A436: on after select char, Fix reverse Welcome string ("NoriaWelcome to" -> Welcome to Noria)
00C1C8F0: same, but on map move

00C1D259: 65k Shield Dmg fix (no need fix normal 65k dmg, WZ did it)
    00C1D259: mov eax,[eax+14] ...nop...
    db 8B 40 14 90 90 90 90 90 90 90 90 90 90 90 90 90
new 0xDF struct
struct PMSG_ATTACKRESULT
{
    PBMSG_HEAD h;    // header
    BYTE NumberH;    // 3
    BYTE NumberL;    // 4
    //3bytes gap (bt->int)
    int Damage;    // 8
    BYTE DamageTypeH; //C
    BYTE DamageTypeL;    // D
    BYTE btShieldDamageH;    // E
    BYTE btShieldDamageL;    // F
    BYTE newType;    //10
    //3bytes gap (bt->int)
    int iShieldDamage;    //14
};

stolen bytes 1
00BE5341:
db 55 8B EC 51 51 89 4D F8 8B 45 F8 8B 88 24 40 00 00 E8 1C 03 00 00 0F B6 C0 85 C0 75 29 8B 45 F8 8B 88 24 40 00 00 E8 CF 03 00 00 89 45 FC 8B 45 F8 8B 88 24 40 00 00 E8 B9 02 00 00 8B 4D FC E8 AA 03 00 00 EB 02 33 C0 C9 C3
/*
main.exe+7E5341 - 55                    - push ebp
main.exe+7E5342 - 8B EC                 - mov ebp,esp
main.exe+7E5344 - 51                    - push ecx
main.exe+7E5345 - 51                    - push ecx
main.exe+7E5346 - 89 4D F8              - mov [ebp-08],ecx
main.exe+7E5349 - 8B 45 F8              - mov eax,[ebp-08]
main.exe+7E534C - 8B 88 24400000        - mov ecx,[eax+00004024]
main.exe+7E5352 - E8 1C030000           - call main.exe+7E5673
main.exe+7E5357 - 0FB6 C0               - movzx eax,al
main.exe+7E535A - 85 C0                 - test eax,eax
main.exe+7E535C - 75 29                 - jne main.exe+7E5387
main.exe+7E535E - 8B 45 F8              - mov eax,[ebp-08]
main.exe+7E5361 - 8B 88 24400000        - mov ecx,[eax+00004024]
main.exe+7E5367 - E8 CF030000           - call main.exe+7E573B
main.exe+7E536C - 89 45 FC              - mov [ebp-04],eax
main.exe+7E536F - 8B 45 F8              - mov eax,[ebp-08]
main.exe+7E5372 - 8B 88 24400000        - mov ecx,[eax+00004024]
main.exe+7E5378 - E8 B9020000           - call main.exe+7E5636
main.exe+7E537D - 8B 4D FC              - mov ecx,[ebp-04]
main.exe+7E5380 - E8 AA030000           - call main.exe+7E572F
main.exe+7E5385 - EB 02                 - jmp main.exe+7E5389
main.exe+7E5387 - 33 C0                 - xor eax,eax
main.exe+7E5389
*/

stolen bytes 2
00BF6423:
db 0F B7 45 0C 50 FF 75 08 68 04 18 43 01 68 E0 6A 63 01 E8 A5 EF 18 00 83 C4 10 6A 01 FF 35 8C 6A 63 01 B9 80 A6 1E 0A E8 77 E7 FE FF 68 00 04 00 00 FF 75 0C FF 75 08 B9 80 A6 1E 0A E8 70 E9 FE FF 85 C0 0F 85 93 00 00 00 68 F0 17 43 01 68 E0 6A 63 01 E8 64 EF 18 00 59 59 6A 01
/*
main.exe+7F6423 - 0FB7 45 0C            - movzx eax,word ptr [ebp+0C]
main.exe+7F6427 - 50                    - push eax
main.exe+7F6428 - FF 75 08              - push [ebp+08]
main.exe+7F642B - 68 04184301           - push main.exe+1031804 { ["[Connect to Server] ip address = %s, port = %d"] }
main.exe+7F6430 - 68 E06A6301           - push main.exe+1236AE0 { [01450A68] }
main.exe+7F6435 - E8 A5EF1800           - call main.exe+9853DF
main.exe+7F643A - 83 C4 10              - add esp,10 { 16 }
main.exe+7F643D - 6A 01                 - push 01 { 1 }
main.exe+7F643F - FF 35 8C6A6301        - push [main.exe+1236A8C] { [007E0F10] }
main.exe+7F6445 - B9 80A61E0A           - mov ecx,main.exe+9DEA680 { [007E0F10] }
main.exe+7F644A - E8 77E7FEFF           - call main.exe+7E4BC6
main.exe+7F644F - 68 00040000           - push 00000400 { 1024 }
main.exe+7F6454 - FF 75 0C              - push [ebp+0C]
main.exe+7F6457 - FF 75 08              - push [ebp+08]
main.exe+7F645A - B9 80A61E0A           - mov ecx,main.exe+9DEA680 { [007E0F10] }
main.exe+7F645F - E8 70E9FEFF           - call main.exe+7E4DD4
main.exe+7F6464 - 85 C0                 - test eax,eax
main.exe+7F6466 - 0F85 93000000         - jne main.exe+7F64FF
main.exe+7F646C - 68 F0174301           - push main.exe+10317F0 { ["Failed to connect. "] }
main.exe+7F6471 - 68 E06A6301           - push main.exe+1236AE0 { [01450A68] }
main.exe+7F6476 - E8 64EF1800           - call main.exe+9853DF
main.exe+7F647B - 59                    - pop ecx
main.exe+7F647C - 59                    - pop ecx
main.exe+7F647D - 6A 01                 - push 01 { 1 }
*/

(signed int16-> unsigned int16 32k->64k)
00A8C96A ; movsx -> movzx : Remove (+/-) stats info 0FBF-> 0FB7 (00A8C96A+1 : BF -> B7)
00A8C981 :same
00A8C996
00A8C98C
00A8C9A1
00A8C9AB
00A8CA4F
00A8CA66
00A8CA71
00A8CA7B
00A8CA86
00A8CA90
00A8CB34
00A8CB4B
00A8CB56
00A8CB60
00A8CB6B
00A8CB75
00A8CC19
00A8CC30
00A8CC3B
00A8CC45
00A8CC50
00A8CC5A
00A8CCFE
00A8CD15
00A8CD20
00A8CD2A
00A8CD35
00A8CD3F
00A8D0FA
00A8D104
00A8D112
00A8D11C
00A8D12A
00A8D143
00A8D188
00A8D192
00A8D1A0
00A8D1AA
00A8D1B8
00A8D1D1
00A8D21C
00A8D226
00A8D234
00A8D23E
00A8D24C
00A8D265
00A8D2B0
00A8D2BA
00A8D2C8
00A8D2D2
00A8D2E0
00A8D2F9
00A8D344
00A8D34E
00A8D35C
00A8D366
00A8D374
00A8D38D
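An added example, not code from the thread: the 0xDF struct from the note above written out in C, next to the two ways of reading shield damage that the "65k Shield Dmg fix" entry contrasts, the 16-bit H/L byte pair (which is why the old value capped at 65k) and the int at +0x14 that the patched mov eax,[eax+14] fetches. PBMSG_HEAD is not in the post and is assumed to be the usual 3-byte MU header; the packet bytes are constructed.

```c
#include <stdint.h>
#include <stddef.h>

typedef uint8_t BYTE;
/* PBMSG_HEAD is not in the post; assumed to be the usual 3-byte MU header. */
typedef struct { BYTE c; BYTE size; BYTE headcode; } PBMSG_HEAD;

/* Layout from the post; natural alignment of the two ints produces the
 * "3bytes gap" entries and the offsets in the comments (checked below). */
struct PMSG_ATTACKRESULT {
    PBMSG_HEAD h;         /* 0 */
    BYTE NumberH;         /* 3 */
    BYTE NumberL;         /* 4 */
    int Damage;           /* 8 */
    BYTE DamageTypeH;     /* C */
    BYTE DamageTypeL;     /* D */
    BYTE btShieldDamageH; /* E */
    BYTE btShieldDamageL; /* F */
    BYTE newType;         /* 10 */
    int iShieldDamage;    /* 14 */
};

/* Pre-fix reading: 16-bit value from the H/L bytes, so it caps at 65535. */
int shield_damage_from_bytes(const struct PMSG_ATTACKRESULT *p)
{
    return (p->btShieldDamageH << 8) | p->btShieldDamageL;
}

/* Post-fix reading: what the patched "mov eax,[eax+14]" fetches. */
int shield_damage_from_int(const struct PMSG_ATTACKRESULT *p) { return p->iShieldDamage; }

/* Constructed 0xDF packet: byte pair carries the low 16 bits, the int the full value. */
struct PMSG_ATTACKRESULT make_attack_result(int shield_damage)
{
    struct PMSG_ATTACKRESULT p = {0};
    p.h.c = 0xC1; p.h.size = (BYTE)sizeof p; p.h.headcode = 0xDF;
    p.btShieldDamageH = (BYTE)((shield_damage >> 8) & 0xFF);
    p.btShieldDamageL = (BYTE)(shield_damage & 0xFF);
    p.iShieldDamage = shield_damage;
    return p;
}

/* Confirms the offsets the post wrote next to each field. */
int layout_matches_post(void)
{
    return offsetof(struct PMSG_ATTACKRESULT, Damage) == 0x8 &&
           offsetof(struct PMSG_ATTACKRESULT, btShieldDamageH) == 0xE &&
           offsetof(struct PMSG_ATTACKRESULT, newType) == 0x10 &&
           offsetof(struct PMSG_ATTACKRESULT, iShieldDamage) == 0x14;
}
```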
 
Experienced Elementalist
Joined
Apr 16, 2013
Messages
241
Reaction score
59
Hi, I am trying to unpack a main S13, I don't know if it is fully working.. but we can get offsets and some structs now! We can open it with Olly and IDA!
client

main unpack (not fully tested)

Enjoy it!

Merry Christmas to all members from RaGEZONE!
Link is off, friend, could you post the client again please?
 
Experienced Elementalist
Joined
Jul 26, 2004
Messages
218
Reaction score
7
It's nice to see you again here pinkof, it's been a while! By the way, is this from the Korean server or from IGCN?
 
Newbie Spellweaver
Joined
May 21, 2005
Messages
27
Reaction score
73
Could anyone describe what tools and methods were used to secure the main.exe file? Where and how is the OEP hidden/obfuscated? I would like to learn something and not just use ready-made memory addresses for the selected version. Is deobfuscation of the OEP enough to run it in a debugger like IDA or x64dbg?

In addition, I have a question: where do all the main.exe files come from? By downloading the updates from the address "http://patch-ggp.muonline.webzen.net/(version)/up_list.zip" I did not find most versions that are in this forum or on private servers.
 
(づ。◕‿‿◕。)
Loyal Member
Joined
Jun 23, 2014
Messages
1,853
Reaction score
422
In addition, I have a question: where do all the main.exe files come from? By downloading the updates from the address "http://patch-ggp.muonline.webzen.net/(version)/up_list.zip" I did not find most versions that are in this forum or on private servers.
That URL is for GMO patches; from S3.2 patches can be found there. As for S9+, most people use the MU Blue client.
 
Newbie Spellweaver
Joined
May 21, 2005
Messages
27
Reaction score
73
Links to download the latest RED and BLUE versions:

RED:

BLUE:

 
Junior Spellweaver
Joined
Oct 4, 2007
Messages
112
Reaction score
16
+1, can someone re-upload the client?
 
Newbie Spellweaver
Joined
Sep 26, 2019
Messages
11
Reaction score
0
Yet another post about re-uploading... Thanks. It's unfortunate that we have people sabotaging the links with reports.
 
Initiate Mage
Joined
Jul 15, 2020
Messages
2
Reaction score
0

Thanks for the code, can you help? When I try to connect, right after the login screen where you enter login and password, it doesn't go to the character screen. What do I need to change to make it work? It seems that the communication has changed; can you share the source of the .dll you made? hugs
 
Newbie Spellweaver
Joined
Dec 1, 2010
Messages
66
Reaction score
5
Does anyone know why, when you change the window name, it is in Korean?
Code:
SetDword(0x0050669F,(DWORD)"TESTE");

Pinkof - [Release] Main V1.18 Season 13 Unpack - RaGEZONE Forums
 