thx man, works in version 1.4.07?
Hi,
I want to test the main, but when I log in there are many servers (as in the attached image) in the list, and many sub-servers inside each, so could anyone let me know which server I should choose?
Thank you,
Attachment 115520
Solved: I forgot to change the IP, so it was just showing many servers. After changing the IP to fit the server, it shows only 1 server.
OK, I reversed the Level2 encryption of Ex700 PLUS (1.14.17) main.exe and found it useless for me, as it also uses new switch functions for each opcode; I gave up on reversing all of it..
Please note: case 32 of EncDec Level2 is from the Login packet $F1 packet opcodes; the other cases 8, 16 and next are from the PING packet $E
So case $20 encryption was reversed on the Login packet,
case 4, $10 and base were reversed from the ping packet.. so it's actually like a merged function )) after I noticed it's not the same I gave up and shared it
If encrypted data does not have a Packet counter byte then
Code:
// SAR(Value, Shift) is plain SHR here (see PS below); GetHdrSize and
// GetContentSize are the poster's own packet helpers (header size, content length)
procedure DecryptLevel2(lpSource: Pointer);
var
  Offset: Byte;
  ContentSize: Word;
  PBuffer: PByte;
  Condition, Condition2: Byte;
begin
  Offset := GetHdrSize(lpSource) +2; // Counter = 2
  ContentSize := GetContentSize(lpSource);
  PBuffer := PByte(lpSource) + Offset;
  if not (ContentSize >= 4) then
    Exit // No Decryption for this size
  else if not (ContentSize >= 8) then
  begin // ContentSize 4..7
    PByte(PBuffer +3)^ := PByte(PBuffer +3)^ xor $85; //09CB6897
    Condition := SAR(PByte(PBuffer +3)^, 4) and 1;
    Condition2 := SAR(PByte(PBuffer +3)^, 2) and 1;
    if (Condition = 0) then
      PByte(PBuffer +3)^ := PByte(PBuffer +3)^ and $EF //09BFCD94
    else
      PByte(PBuffer +3)^ := PByte(PBuffer +3)^ or $10; //09CB6573
    if (Condition2 = 0) then
      PByte(PBuffer +3)^ := PByte(PBuffer +3)^ and $EF //09BFCD94
    else
      PByte(PBuffer +3)^ := PByte(PBuffer +3)^ or $10; //09CB6573
    Condition := SAR(PByte(PBuffer +7)^, 4) and 1;   // byte 7: exchange bits 4 and 5
    Condition2 := SAR(PByte(PBuffer +7)^, 5) and 1;
    if (Condition = 0) then
      PByte(PBuffer +7)^ := PByte(PBuffer +7)^ and $DF //09BFCCF4
    else
      PByte(PBuffer +7)^ := PByte(PBuffer +7)^ or $20; //09CB6356
    if (Condition2 = 0) then
      PByte(PBuffer +7)^ := PByte(PBuffer +7)^ and $EF //09BFCD36
    else
      PByte(PBuffer +7)^ := PByte(PBuffer +7)^ or $10;
  end
  else if not (ContentSize >= 16) then
  begin // ContentSize 8..15 (same operations as the case above)
    PByte(PBuffer +3)^ := PByte(PBuffer +3)^ xor $85; //09CB6897
    Condition := SAR(PByte(PBuffer +3)^, 4) and 1;
    Condition2 := SAR(PByte(PBuffer +3)^, 2) and 1;
    if (Condition = 0) then
      PByte(PBuffer +3)^ := PByte(PBuffer +3)^ and $EF //09BFCD94
    else
      PByte(PBuffer +3)^ := PByte(PBuffer +3)^ or $10; //09CB6573
    if (Condition2 = 0) then
      PByte(PBuffer +3)^ := PByte(PBuffer +3)^ and $EF //09BFCD94
    else
      PByte(PBuffer +3)^ := PByte(PBuffer +3)^ or $10; //09CB6573
    Condition := SAR(PByte(PBuffer +7)^, 4) and 1;   // byte 7: exchange bits 4 and 5
    Condition2 := SAR(PByte(PBuffer +7)^, 5) and 1;
    if (Condition = 0) then
      PByte(PBuffer +7)^ := PByte(PBuffer +7)^ and $DF //09BFCCF4
    else
      PByte(PBuffer +7)^ := PByte(PBuffer +7)^ or $20; //09CB6356
    if (Condition2 = 0) then
      PByte(PBuffer +7)^ := PByte(PBuffer +7)^ and $EF //09BFCD36
    else
      PByte(PBuffer +7)^ := PByte(PBuffer +7)^ or $10;
  end
  else if not (ContentSize >= 32) then
  begin // ContentSize 16..31 (Login packet)
    PByte(PBuffer +$1F)^ := PByte(PBuffer +$1F)^ xor $7D;
    Condition := PByte(PBuffer +$10)^;                 // swap bytes $10 and $18
    PByte(PBuffer +$10)^ := PByte(PBuffer +$18)^;
    PByte(PBuffer +$18)^ := Condition;
    Condition2 := (PByte(PBuffer +$1A)^ shr 5);
    PByte(PBuffer)^ := PByte(PBuffer +$1A)^ or Condition2;
    PByte(PBuffer +$1A)^ := (PByte(PBuffer)^ shl 3);
    Condition := PByte(PBuffer +3)^;                   // swap bytes 3 and $18
    PByte(PBuffer +3)^ := PByte(PBuffer +$18)^;
    PByte(PBuffer +$18)^ := Condition;
    Condition := (PByte(PBuffer +4)^ shl 2);           // rotate byte 4 left by 2
    PByte(PBuffer +4)^ := PByte(PBuffer +4)^ shr 6;
    PByte(PBuffer +4)^ := (PByte(PBuffer +4)^ or Condition);
    Condition := (PByte(PBuffer +2)^ shr 5) and 1;     // byte 2: exchange bits 5 and 2
    Condition2 := (PByte(PBuffer +2)^ shr 2) and 1;
    if (Condition2 = 0) then
      PByte(PBuffer +2)^ := PByte(PBuffer +2)^ and $DF //09CB75DE
    else
      PByte(PBuffer +2)^ := PByte(PBuffer +2)^ or $20; //09CB75D0
    if (Condition = 0) then
      PByte(PBuffer +2)^ := PByte(PBuffer +2)^ and $FB //09BFD34A
    else
      PByte(PBuffer +2)^ := PByte(PBuffer +2)^ or 4; //09CB75B7
    Condition := (PByte(PBuffer +6)^ shr 7) and 1; //8bit   byte 6: exchange bits 7 and 6
    Condition2 := (PByte(PBuffer +6)^ shr 6) and 1; //7bit
    if (Condition = 0) then
      PByte(PBuffer +6)^ := PByte(PBuffer +6)^ and $BF //09CB74CB
    else
      PByte(PBuffer +6)^ := PByte(PBuffer +6)^ or $40; //09CB74BD
    if (Condition2 = 0) then
      PByte(PBuffer +6)^ := PByte(PBuffer +6)^ and $7F //09CB755F
    else
      PByte(PBuffer +6)^ := PByte(PBuffer +6)^ or $80; //$FFFFFF7F
    PByte(PBuffer +$11)^ := PByte(PBuffer +$11)^ xor $AC;
    Condition := (PByte(PBuffer +$15)^ shr 2) and 1;
    Condition2 := (PByte(PBuffer +$15)^ shr 2) and 1;
    if (Condition = 0) then
      PByte(PBuffer +$15)^ := PByte(PBuffer +$15)^ and $FB //9CB740B
    else
      PByte(PBuffer +$15)^ := PByte(PBuffer +$15)^ or 4;
    if (Condition2 = 0) then
      PByte(PBuffer +$15)^ := PByte(PBuffer +$15)^ and $DF
    else
      PByte(PBuffer +$15)^ := PByte(PBuffer +$15)^ or 4;
    PByte(PBuffer +1)^ := PByte(PBuffer +1)^ xor $1A; //09CB7290
  end
  else
  begin // ContentSize >= 32
    Condition := PByte(PBuffer +$C)^ shl 6;            // rotate byte $C right by 2
    Condition2 := PByte(PBuffer +$C)^ shr 2;
    PByte(PBuffer +$C)^ := (Condition or Condition2);
    Condition := (PByte(PBuffer +$A)^ shr 1) and 1;
    Condition2 := (PByte(PBuffer +$A)^ shr 1) and 1;
    if (Condition = 0) then
      PByte(PBuffer +$A)^ := PByte(PBuffer +$A)^ and $FD //09BFD1E6
    else
      PByte(PBuffer +$A)^ := PByte(PBuffer +$A)^ or $20;
    if (Condition2 = 0) then
      PByte(PBuffer +$A)^ := PByte(PBuffer +$A)^ and $FD //09BFD251
    else
      PByte(PBuffer +$A)^ := PByte(PBuffer +$A)^ or 2; //09BFD242
    PByte(PBuffer +8)^ := PByte(PBuffer +8)^ xor $DF;
    PByte(PBuffer)^ := PByte(PBuffer)^ xor $A;
    Condition := PByte(PBuffer +$B)^;                  // swap bytes $B and 2 (inverse of the swap in EncryptLevel2)
    PByte(PBuffer +$B)^ := PByte(PBuffer +2)^;
    PByte(PBuffer +2)^ := Condition;
  end;
end;
procedure EncryptLevel2(lpSource: Pointer); //1.14.17
var
  Offset: Byte;
  ContentSize: Word;
  PBuffer: PByte;
  Condition, Condition2: Byte;
begin
  Offset := GetHdrSize(lpSource) +2; // Counter = 2
  ContentSize := GetContentSize(lpSource);
  PBuffer := PByte(lpSource) + Offset;
  if not (ContentSize >= 4) then
    Exit // No Encryption for this size
  else if not (ContentSize >= 8) then
  begin // ContentSize 4..7
    // rotate byte 2 right by 2, then xor
    PByte(PBuffer +2)^ := ((PByte(PBuffer +2)^ shr 2) or (PByte(PBuffer +2)^ shl 6)) xor $91;
    PByte(PBuffer +3)^ := PByte(PBuffer +3)^ xor $F6; //09CB62E6
  end
  else if not (ContentSize >= 16) then //006681FB
  begin // ContentSize 8..15
    Condition := SAR(PByte(PBuffer +7)^, 4) and 1;   // byte 7: exchange bits 4 and 5
    Condition2 := SAR(PByte(PBuffer +7)^, 5) and 1;
    if (Condition = 0) then
      PByte(PBuffer +7)^ := PByte(PBuffer +7)^ and $DF //09BFCCF4
    else
      PByte(PBuffer +7)^ := PByte(PBuffer +7)^ or $20; //09CB6356
    if (Condition2 = 0) then
      PByte(PBuffer +7)^ := PByte(PBuffer +7)^ and $EF //09BFCD36
    else
      PByte(PBuffer +7)^ := PByte(PBuffer +7)^ or $10;
    Condition := SAR(PByte(PBuffer +3)^, 4) and 1;
    Condition2 := SAR(PByte(PBuffer +3)^, 2) and 1;
    if (Condition = 0) then
      PByte(PBuffer +3)^ := PByte(PBuffer +3)^ and $EF //09BFCD94
    else
      PByte(PBuffer +3)^ := PByte(PBuffer +3)^ or $10; //09CB6573
    if (Condition2 = 0) then
      PByte(PBuffer +3)^ := PByte(PBuffer +3)^ and $EF //09BFCD94
    else
      PByte(PBuffer +3)^ := PByte(PBuffer +3)^ or $10; //09CB6573
    PByte(PBuffer +3)^ := PByte(PBuffer +3)^ xor $85; //09CB6897
  end
  else if not (ContentSize >= 32) then // Login packet
  begin // ContentSize 16..31
    PBuffer := PByte(lpSource) + Offset;
    PByte(PBuffer +1)^ := PByte(PBuffer +1)^ xor $1A; //09CB7290
    Condition := SAR(PByte(PBuffer +$15)^, 2) and 1;
    Condition2 := SAR(PByte(PBuffer +$15)^, 2) and 1;
    if (Condition = 0) then
      PByte(PBuffer +$15)^ := PByte(PBuffer +$15)^ and $FB //9CB740B
    else
      PByte(PBuffer +$15)^ := PByte(PBuffer +$15)^ or 4;
    if (Condition2 = 0) then
      PByte(PBuffer +$15)^ := PByte(PBuffer +$15)^ and $DF
    else
      PByte(PBuffer +$15)^ := PByte(PBuffer +$15)^ or 4;
    Condition := SAR(PByte(PBuffer +6)^, 7) and 1;   // byte 6: exchange bits 7 and 6
    Condition2 := SAR(PByte(PBuffer +6)^, 6) and 1;
    if (Condition = 0) then
      PByte(PBuffer +6)^ := PByte(PBuffer +6)^ and $BF //09CB74CB
    else
      PByte(PBuffer +6)^ := PByte(PBuffer +6)^ or $40; //09CB74BD
    if (Condition2 = 0) then
      PByte(PBuffer +6)^ := PByte(PBuffer +6)^ and $7F //09CB755F
    else
      PByte(PBuffer +6)^ := PByte(PBuffer +6)^ or $80; //$FFFFFF7F
    PByte(PBuffer +$11)^ := PByte(PBuffer +$11)^ xor $AC;
    Condition := SAR(PByte(PBuffer +2)^, 5) and 1;   // byte 2: exchange bits 5 and 2
    Condition2 := SAR(PByte(PBuffer +2)^, 2) and 1;
    if (Condition = 0) then
      PByte(PBuffer +2)^ := PByte(PBuffer +2)^ and $FB //09BFD34A
    else
      PByte(PBuffer +2)^ := PByte(PBuffer +2)^ or 4; //09CB75B7
    if (Condition2 = 0) then
      PByte(PBuffer +2)^ := PByte(PBuffer +2)^ and $DF //09CB75DE
    else
      PByte(PBuffer +2)^ := PByte(PBuffer +2)^ or $20; //09CB75D0
    Condition := SAR(PByte(PBuffer +4)^, 2);          // rotate byte 4 right by 2
    PByte(PBuffer +4)^ := PByte(PBuffer +4)^ shl 6;
    PByte(PBuffer +4)^ := (PByte(PBuffer +4)^ or Condition);
    Condition := PByte(PBuffer +$18)^;                 // swap bytes $18 and 3
    PByte(PBuffer +$18)^ := PByte(PBuffer +3)^;
    PByte(PBuffer +3)^ := Condition;
    Condition := SAR(PByte(PBuffer +$1A)^, 3); //09CB7680
    Condition2 := (PByte(PBuffer +$1A)^ shl 5);
    PByte(PBuffer)^ := (Condition or Condition2);
    PByte(PBuffer +$1A)^ := Condition;
    Condition := PByte(PBuffer +$10)^;                 // swap bytes $10 and $18
    PByte(PBuffer +$10)^ := PByte(PBuffer +$18)^;
    PByte(PBuffer +$18)^ := Condition;
    PByte(PBuffer +$1F)^ := PByte(PBuffer +$1F)^ xor $7D;
  end
  else
  begin // ContentSize >= 32
    Condition := PByte(PBuffer +2)^;                   // swap bytes 2 and $B
    PByte(PBuffer +2)^ := PByte(PBuffer +$B)^;
    PByte(PBuffer +$B)^ := Condition;
    PByte(PBuffer +8)^ := PByte(PBuffer +8)^ xor $DF;
    PByte(PBuffer)^ := PByte(PBuffer)^ xor $A;
    Condition := SAR(PByte(PBuffer +$A)^, 1) and 1;
    Condition2 := SAR(PByte(PBuffer +$A)^, 5) and 1;
    if (Condition = 0) then
      PByte(PBuffer +$A)^ := PByte(PBuffer +$A)^ and $FD //09BFD1E6
    else
      PByte(PBuffer +$A)^ := PByte(PBuffer +$A)^ or $20;
    if (Condition2 = 0) then
      PByte(PBuffer +$A)^ := PByte(PBuffer +$A)^ and $FD //09BFD251
    else
      PByte(PBuffer +$A)^ := PByte(PBuffer +$A)^ or 2; //09BFD242
    Condition := SAR(PByte(PBuffer +$C)^, 6);          // rotate byte $C left by 2
    Condition2 := PByte(PBuffer +$C)^ shl 2;
    PByte(PBuffer +$C)^ := (Condition or Condition2);
  end;
end;
Here is the Encryption order:
Code:
Offset := 4
BuildPacket -> EncXor32Bytes -> EncryptLevel2 -> EncDec
PS. decryption was made by simply inverting the Encryption functions
PSS. $F1 (Case 32) was reversed while debugging.. the other cases were simply ripped off from main.exe and ported to delphi ))
PSSSSSSSSSSSSS. SAR is simply SHR, as the shift value is never negative
I wanna note to all those who wish to reverse the Ex700 crypt..
There are 3 Levels of encryption now
1 is Base 32Bytes xor
2 is Byte swap with small bit moving
3 is Same shit with shifting bits etc..
1 and 3 are shit, except that the 3rd Level uses a Switch function too, but it never changes the way Level2 encryption changes between main.exe versions.. and its code is obfuscated while Level3 is clean code ;)
Plus Level2 is used on specific packets only, for eg: Login, GameGuard heart beat, Skill attack and more.. including C1 packets, and each function has the same 3 switch cases.. with 1k lines of code )))) crap! But the good news is that Level2 encryption is used only on packets sent by the client and can be simply disabled ( in case you are a server dev ) by simply noping 1 call :)
PS. SimpleModulus had a checksum of each block and knew when enc or dec data was wrong.. while this one does not check, it simply does the work. This can be exploited to overflow the GS.. so think ) it is worth reversing it and using the original EncDec of Ex700 )))
To add to what mauka said, level2 encryption uses 4 types of operations:
- byte xor'ing
- swapping of 2 bytes
- enabling/disabling a single bit in given byte according to other bit in the same byte
- ROR (encrypt) and ROL (decrypt)
Now, byte numbers, bit numbers, xor values, ROR/ROL shift values - all this is random (by random I mean: generated when Webzen makes a new release of main.exe). The number and type of operations used in each block is random, too. This is a really nice protection, like mauka said - there are ~1k lines of code that change with every version or compilation of main.exe :)
Another riddle is how they change level3 encryption after 2048/4096/... packets sent (C3/C4 packets only). Because there's a set of pairs of functions for encrypt/decrypt, and the order of those functions varies each time you run main.exe. E.g.: you run main.exe, and you see it uses Encryption1, then Encryption7, and then Encryption2. But then you run main.exe again, and it uses Encryption1, Encryption4, and Encryption8 (just an example). I have no idea how they set the order of the level3 encryption functions :)
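As an added example (not code from the thread, from mauka, or from Webzen), here is a small Python model of the four operation types listed above: each building block is written once, a per-build table says which byte, bit and value it touches, and decrypt replays the table backwards with ROR replaced by ROL. Every offset and constant in the table is made up for the demo; none of them are real main.exe values.

```python
# Added illustration: the four Level2 primitives driven by one operation table,
# so encrypt and decrypt come from the same list instead of two switch blocks.

def ror8(v, n):
    n &= 7
    return ((v >> n) | (v << (8 - n))) & 0xFF

def rol8(v, n):
    return ror8(v, 8 - (n & 7))

def swap_bits(v, a, b):
    # the "Condition := bit a; if Condition = 0 then clear bit b else set bit b"
    # pairs in the Delphi above exchange two bits of one byte; self-inverse
    ba, bb = (v >> a) & 1, (v >> b) & 1
    v &= ~((1 << a) | (1 << b)) & 0xFF
    return v | (bb << a) | (ba << b)

# Hypothetical table for one main.exe build, content size 32: (op kind, args).
TABLE_V1 = [
    ("xor", 0x1F, 0x7D),        # byte 0x1F ^= 0x7D
    ("swapbytes", 0x10, 0x18),  # exchange bytes 0x10 and 0x18
    ("swapbits", 2, 5, 2),      # byte 2: exchange bits 5 and 2
    ("ror", 4, 2),              # rotate byte 4 right by 2 (ROL on decrypt)
    ("xor", 4, 0x91),           # same byte again, so the op order matters
]

def apply_op(buf, op, decrypt):
    kind, *a = op
    if kind == "xor":
        buf[a[0]] ^= a[1]
    elif kind == "swapbytes":
        buf[a[0]], buf[a[1]] = buf[a[1]], buf[a[0]]
    elif kind == "swapbits":
        buf[a[0]] = swap_bits(buf[a[0]], a[1], a[2])
    elif kind == "ror":
        buf[a[0]] = (rol8 if decrypt else ror8)(buf[a[0]], a[1])
    else:
        raise ValueError("unknown op %r" % kind)

def encrypt_level2(data, table):
    buf = bytearray(data)
    for op in table:
        apply_op(buf, op, decrypt=False)
    return bytes(buf)

def decrypt_level2(data, table):
    # xor, byte swap and bit swap undo themselves; ROR is undone by ROL
    buf = bytearray(data)
    for op in reversed(table):
        apply_op(buf, op, decrypt=True)
    return bytes(buf)
```

Because Level2 carries no checksum (mauka's point above about SimpleModulus), decrypting with a stale table for another build returns wrong bytes without any error, so a server accepting these packets has to validate opcode and length after decryption instead of trusting the result.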
Well.. the only way main.exe can know if it's running single or not is a MUTEX, or the way CMStarteClone starts Mu -> main.exe (I posted an example). It checks for a file mapping file and if it exists it skips it and creates a new mapping file for the newly created client ;)
And by commandline args the mapping file name is passed to MU and from Mu to Main.exe ;) and by this or the mutex main.exe can only know if there was a previously launched main.exe or not ;)
It would be easy to test.. without reversing and debugging CMStarterCore or main.exe
-> Start mu from site
-> Kill process CMStarterCore
-> Start another mu from site and start check
There is nothing in the world, and never will be, that is "RANDOM"; everything can be calculated ;))
Ps. sorry, I'm very drunk now ))) came to troll, but wrote again.. some crap
Bad Unpacking... main = crashes.
Have you applied the fixes from Dudi on the main?
I have a problem: after putting in account and pass and clicking login, it just stays at that main screen and doesn't jump into the Character selection screen. The main 1.04.07 from Tomatoes works, but not this main, I don't know why.
Please anyone share with me your experience on this?
Thanks a lot
For reversing Protocol eX701, I hope this main can be of help :)
This is a main that is not obfuscated; it uses Protocol Kor (with some modifications). Chinese hacked the Mu Source and built it; I unpacked it.
MainDe.rar
You are hero Tomatoes :)
Tomatoes, can you put Ex701.dll here?
oh thats a nice one :))
Please stay on topic!
1. press 'V', client crash.
2. can't open bag and warehouse
Is there someone who can fix it?
IP, serial, port, version ???
Quote:
01171B5C // Port : 44405
0117233A // IP : connect.muonline.webzen.com
011730F8 // Version : 2275
01173100 // Serial : Odn62c0Tt01SzpT7
All links for the main and all fixes are dead. Re-upload please.
One question, Idk if I missed it in the first post, but does this client support multi client?
xD
Code:
MSG "GMO main.exe unpack script v0.000001 by Mauka"
BC
BPHWC
ESTEP
ESTEP
BPHWS esp,"r"
ERUN //Run
ESTEP
ESTI
ESTEP
ESTI //Step Into
CMT eip,"The (near) OEP, by mauka"
BPHWC
FIND eip, #6A02E8????????59C3# //Fix float error at run time
CMP $RESULT, 0
JNE FOUNDFIX
MSG "Script finished, dump and restore IAT"
RET //Stop here when the pattern was not found, so FILL never runs on $RESULT = 0
FOUNDFIX:
CMT $RESULT,"This is the FLOAT ERROR!"
FILL $RESULT, 8, 90
MSG "Script finished and did one additional fix of main.exe, dump and restore IAT"
RET
Have fun, my first olly script. Attachment 121373
Could you upload a video? Thanks
TT 11.70.01 main doesn't work.
Enter login\pass - ........