Thanks.
the dumpfullRGfix.rar can connect.
Attachment 106720
Now it works fine. At least until login. When I press on the server, nothing happens. The server disappears and only the background image remains.
Attachment 106721
This happens when I change the IP of main. If I don't change the IP, then the same happens after entering user and pass.
EDIT: The same happens when I try the OMEGA main. After entering account and pass, nothing happens.
I have a new problem... :glare:
If I select the server, my CS has a problem with login:
Login packet received in WPE Pro:
Code:
24 10.1.1.70:1907 10.1.1.2:44405 6 Send
0000 C1 06 F4 03 00 00 ......
25 10.1.1.2:44405 10.1.1.70:1907 22 Recv
0000 C1 16 F4 03 31 30 2E 31 2E 31 2E 32 00 00 00 00 ....10.1.1.2....
0010 00 00 00 00 5D DA ....].
26 0.0.0.0:1895 :0 26 SendTo
0000 1A 00 00 00 0A 19 00 00 00 03 6E 1D 00 00 00 00 ..........n.....
0010 00 00 01 00 00 00 00 00 00 00 ..........
27 10.1.1.2:55901 10.1.1.70:1909 12 Recv
0000 C1 0C F1 00 01 1F 43 31 30 33 31 31 ......C10311
There is a new protocol crypt; as far as I understand, it does not use simple modulus anymore to encrypt/decrypt packets!
You can delete Enc1.dat/Dec1.dat or set a BP on simple modulus, and it makes no sense, as it never gets called ;)
Another way: you can simply look at the C3 packet sizes ;) it's simply wrong to decrypt them with simple modulus
Only encrypt the login packet
C3 33 XX
@Error
Error said something about a "NOP" fix to get this client working on S6 files, if I'm not misunderstanding him!
Quote:
enc/dec itself is an arithmetic manipulation with 20 keys for encryption and 20 for decryption, but that's only enc/dec ... Webzen added additional protection by some XOR algorithms based on packet headcodes and sizes (you can bypass that with a simple NOP in main)
You can try looking around before the Enc1.dat, Dec1.dat files are loaded ;) or simply send a lot of PMs to him, e.g.: Plz man, Man i need, Give me sources, Im no spek englesh, but if not u help i go yor country and eat your dog etc..
Have fun!
Maybe he will direct you the right way or help you ;)
PS. He is kind of a pro and sounds like a very friendly guy ;) good luck
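The frames in the WPE Pro log posted above, and the "look at the C3 packet size" heuristic from the reply, worked in code. This is an added example, not code from the thread or from any MU project: the log lines are copied verbatim from the post (one frame per line, as the raw log has them), the header rules applied are the ones the thread states (byte 0 is 0xC1 for a plain frame or 0xC3 for an encrypted one, byte 1 the declared size, byte 2 the opcode of a C1 frame), and the assumption that a C3 frame's encrypted body starts right after its 2-byte header, plus the names LOG_LINES, parse_log_line, inspect_frame and inspect_log, are mine.

```python
import re

# Constructed input: the four WPE Pro lines copied from the post above, one frame per line.
LOG_LINES = [
    "24 10.1.1.70:1907 10.1.1.2:44405 6 Send 0000 C1 06 F4 03 00 00 ......",
    "25 10.1.1.2:44405 10.1.1.70:1907 22 Recv 0000 C1 16 F4 03 31 30 2E 31 2E 31 2E 32 "
    "00 00 00 00 ....10.1.1.2....0010 00 00 00 00 5D DA ....].",
    "26 0.0.0.0:1895 :0 26 SendTo 0000 1A 00 00 00 0A 19 00 00 00 03 6E 1D 00 00 00 00 "
    "..........n.....0010 00 00 01 00 00 00 00 00 00 00 ..........",
    "27 10.1.1.2:55901 10.1.1.70:1909 12 Recv 0000 C1 0C F1 00 01 1F 43 31 30 33 31 31 ......C10311",
]

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")     # one dumped byte
HEX_OFFSET = re.compile(r"^[0-9A-Fa-f]{4}$")   # 0000 / 0010 row offsets

HDR_PLAIN, HDR_ENCRYPTED = 0xC1, 0xC3
BLOCK_ENC = 11   # SimpleModulus output block size (8 plaintext bytes -> 11)


def parse_log_line(line: str) -> dict:
    """Split a WPE Pro line into its columns and recover the raw bytes.

    Everything after the direction word is the hex dump: 4-digit hex tokens are
    row offsets, 2-digit hex tokens are bytes, anything else is the ASCII column
    (which the log glues to the next offset, e.g. '....10.1.1.2....0010').
    """
    fields = line.split()
    data = bytearray()
    for tok in fields[5:]:
        if HEX_OFFSET.match(tok):
            continue
        if HEX_BYTE.match(tok):
            data.append(int(tok, 16))
    return {
        "num": int(fields[0]), "src": fields[1], "dst": fields[2],
        "declared_len": int(fields[3]), "dir": fields[4], "data": bytes(data),
    }


def inspect_frame(data: bytes) -> dict:
    """Check the MU header of one frame against the rules stated in the thread."""
    if len(data) < 3 or data[0] not in (HDR_PLAIN, HDR_ENCRYPTED):
        return {"mu_frame": False}
    head, size = data[0], data[1]
    info = {
        "mu_frame": True,
        "encrypted": head == HDR_ENCRYPTED,
        "size": size,
        "size_ok": size == len(data),          # declared size must match the frame
        # a C3 body is encrypted, so its opcode is not readable from the wire
        "opcode": data[2] if head == HDR_PLAIN else None,
    }
    if head == HDR_ENCRYPTED:
        # Heuristic from the reply: a SimpleModulus body is a whole number of
        # 11-byte blocks.  Assumes the 2-byte C3 header (code + size).
        info["simple_modulus_size"] = size >= 2 and (size - 2) % BLOCK_ENC == 0
    return info


def inspect_log(lines=LOG_LINES) -> list:
    """Parse and inspect every line; returns one record per frame."""
    records = []
    for line in lines:
        rec = parse_log_line(line)
        rec.update(inspect_frame(rec["data"]))
        records.append(rec)
    return records


if __name__ == "__main__":
    for r in inspect_log():
        print(r["num"], r["dir"], r["declared_len"], r["data"].hex(), r.get("size_ok"))
```

Run against the posted lines, frames 24, 25 and 27 come out as C1 frames whose size byte matches the captured length, while frame 26 (first byte 0x1A) is not a MU frame at all. The C3 example written in the thread as "C3 33 XX" has a 49-byte body, which is not a multiple of 11, which is exactly the size argument the reply makes against simple modulus.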
Here are the encryption and decryption functions (encrypt/decrypt blocks of 4 int values - 16 bytes)
Code:
0041E980 . 83EC 08 SUB ESP,8
0041EA80 . 83EC 08 SUB ESP,8
but you will still need to bypass additional packet manipulations based on packet header (some xor/place substitutions)
I still think you are talking about Simple Modulus, as it splits the packet into blocks of 4 DWORDs and shifts it
You confused me, correct me if I'm wrong
Code:
function TSimpleModule.DecryptBlock(lpDest: Pointer; lpSource: Pointer): Integer;
var
  dwDecBuffer: array [0..3] of DWORD;
  iBitPosition, i: Integer;
  Temp, Temp1: Word;
  btCheckSum: Byte;
begin
  FillMemory(lpDest, 15, 0);
  FillMemory(@dwDecBuffer, SizeOf(dwDecBuffer), 0);
  iBitPosition := 0;
  // unpack four 18-bit values: 16 bits, then 2 more bits each
  for i := 0 to 3 do
  begin
    AddBits(@dwDecBuffer[i], 0, lpSource, iBitPosition, 16);
    Inc(iBitPosition, 16);
    AddBits(@dwDecBuffer[i], 22, lpSource, iBitPosition, 2);
    Inc(iBitPosition, 2);
  end;
  for i := 2 downto 0 do // everything correct
    dwDecBuffer[i] := (dwDecBuffer[i] xor m_dwXORKey[i]) xor (dwDecBuffer[i + 1] and $FFFF);
  Temp := 0;
  for i := 0 to 3 do
  begin
    Temp1 := ((m_dwDecryptionKey[i] * (dwDecBuffer[i])) mod (m_dwModulus[i])) xor m_dwXORKey[i] xor Temp;
    Temp := dwDecBuffer[i] and $0000FFFF;
    PWord(Integer(lpDest) + 2 * i)^ := PWord(@Temp1)^;
  end;
  // the 16-bit checksum word follows the four values
  dwDecBuffer[0] := 0;
  AddBits(@dwDecBuffer[0], 0, lpSource, iBitPosition, 16);
  btCheckSum := $F8;
  for i := 0 to 7 do
    btCheckSum := btCheckSum xor PByte(Integer(lpDest) + i)^;
  if (btCheckSum <> GetH(dwDecBuffer[0])) then // 128 249 153 255 189
    Result := -1
  else
    Result := GetH(dwDecBuffer[0]) xor GetL(dwDecBuffer[0]) xor $3D; // real length of this block
end;

function TSimpleModule.Decrypt(lpDest: Pointer; lpSource: Pointer; iSize: Integer): Integer;
var
  lpTempDest, lpTempSrc: PByte;
  iResult, iDecLen, iTempResult, Epos, Spos: Integer;
begin
  if lpDest = nil then
  begin
    Result := iSize * 8 div 11; // size query: 11 encrypted bytes give 8 plaintext bytes
    Exit;
  end;
  lpTempDest := PByte(lpDest);
  lpTempSrc := PByte(lpSource);
  iResult := 0;
  iDecLen := 0;
  Epos := 0;
  Spos := 0;
  if (iSize mod 11) = 0 then
  begin
    while (iDecLen < iSize) do
    begin
      iTempResult := DecryptBlock(lpTempDest + Epos, lpTempSrc + Spos); // first loop is OK!
      if (iTempResult < 0) then // checksum failure (the original tested iResult here, so it never fired)
      begin
        Result := iTempResult;
        Exit;
      end;
      Inc(iResult, iTempResult);
      Inc(iDecLen, 11);
      Inc(Epos, 8);
      Inc(Spos, 11);
    end;
  end;
  Result := iResult;
end;
Edited: OK, it's not simple modulus; I rechecked it again by your offset
I noted it ;) You helped me a lot.. reversing it will be a piece of cake compared to simple modulus
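To make the structure of the posted DecryptBlock concrete, here is an added example (mine, not code from the thread, the client, or any MU project) that models the block transform in Python and derives the matching encrypt side by inverting the posted steps. The keys are constructed toys, the 88-bit packing is my own layout rather than the client's AddBits bit order, and the names encrypt_block, decrypt_block, encrypt and decrypt are mine, so nothing here is byte-compatible with Enc1.dat/Dec1.dat traffic; what it shows is the 8-to-11-byte block shape, the chaining between values, the keyed modular step, and the checksum/length word.

```python
# Model of the SimpleModulus block transform (added example, own keys and packing).

# Constructed toy key set (NOT the client's keys).  Moduli lie between 2**16 and
# 2**18 so that (value mod M) always fits the 18-bit slot and every 16-bit
# intermediate is below M, which is what makes the transform invertible.
MODULUS = [65537, 131071, 65537, 131071]
XOR_KEY = [0x1A2B, 0x3C4D, 0x5E6F, 0x7081]
ENC_KEY = [12345, 23456, 34567, 45678]
# Decryption key = modular inverse of the encryption key (moduli are prime here).
DEC_KEY = [pow(e, -1, m) for e, m in zip(ENC_KEY, MODULUS)]

BLOCK_PLAIN = 8      # plaintext bytes per block (four 16-bit words)
BLOCK_ENC = 11       # 4 * 18 bits + 16-bit checksum word = 88 bits
MASK18 = (1 << 18) - 1


def _checksum(plain8: bytes) -> int:
    """XOR checksum seeded with 0xF8, as in the posted DecryptBlock."""
    c = 0xF8
    for b in plain8:
        c ^= b
    return c


def _pack(values, check_word: int) -> bytes:
    """Own layout: four 18-bit values then the 16-bit word, big-endian, 11 bytes."""
    acc = 0
    for v in values:
        acc = (acc << 18) | (v & MASK18)
    acc = (acc << 16) | (check_word & 0xFFFF)
    return acc.to_bytes(BLOCK_ENC, "big")


def _unpack(block11: bytes):
    acc = int.from_bytes(block11, "big")
    check_word = acc & 0xFFFF
    acc >>= 16
    values = [0] * 4
    for i in range(3, -1, -1):
        values[i] = acc & MASK18
        acc >>= 18
    return values, check_word


def encrypt_block(plain: bytes) -> bytes:
    """Encrypt 1..8 plaintext bytes into one 11-byte block (inverse of the posted steps)."""
    size = len(plain)
    if not 1 <= size <= BLOCK_PLAIN:
        raise ValueError("block must hold 1..8 bytes")
    plain8 = plain.ljust(BLOCK_PLAIN, b"\x00")
    words = [int.from_bytes(plain8[2 * i:2 * i + 2], "little") for i in range(4)]

    # Inverse of step B: chain each word with the low 16 bits of the previous
    # encrypted value, then multiply by the encryption key mod M.
    enc, prev = [0] * 4, 0
    for i in range(4):
        v = words[i] ^ XOR_KEY[i] ^ prev          # v < 2**16 < M, so it survives mod M
        enc[i] = (v * ENC_KEY[i]) % MODULUS[i]
        prev = enc[i] & 0xFFFF

    # Inverse of step A (the posted "for i := 2 downto 0" loop), done ascending so
    # each value is mixed with its still-unmixed neighbour.
    for i in range(3):
        enc[i] ^= XOR_KEY[i] ^ (enc[i + 1] & 0xFFFF)

    c = _checksum(plain8)
    # High byte carries the checksum; low byte is chosen so hi ^ lo ^ 0x3D == size.
    return _pack(enc, (c << 8) | (c ^ size ^ 0x3D))


def decrypt_block(block: bytes):
    """Decrypt one 11-byte block; returns (plaintext, size) or None on checksum failure."""
    if len(block) != BLOCK_ENC:
        raise ValueError("encrypted block must be 11 bytes")
    d, check_word = _unpack(block)
    for i in range(2, -1, -1):                    # step A of the posted code
        d[i] ^= XOR_KEY[i] ^ (d[i + 1] & 0xFFFF)
    out, prev = bytearray(), 0
    for i in range(4):                            # step B of the posted code
        w = ((DEC_KEY[i] * d[i]) % MODULUS[i]) ^ XOR_KEY[i] ^ prev
        prev = d[i] & 0xFFFF
        out += (w & 0xFFFF).to_bytes(2, "little")
    hi, lo = check_word >> 8, check_word & 0xFF
    if _checksum(out) != hi:
        return None                               # the posted code returns -1 here
    size = hi ^ lo ^ 0x3D
    if not 1 <= size <= BLOCK_PLAIN:
        return None
    return bytes(out[:size]), size


def encrypt(data: bytes) -> bytes:
    return b"".join(encrypt_block(data[o:o + BLOCK_PLAIN]) for o in range(0, len(data), BLOCK_PLAIN))


def decrypt(data: bytes):
    """Mirror of the posted Decrypt loop; None if a block fails or the length is not a multiple of 11."""
    if len(data) % BLOCK_ENC != 0:
        return None                               # the posted code returns 0 here
    out = bytearray()
    for o in range(0, len(data), BLOCK_ENC):
        res = decrypt_block(data[o:o + BLOCK_ENC])
        if res is None:
            return None
        out += res[0]
    return bytes(out)
```

Note what the checksum word does and does not cover: the 8-bit XOR over the eight plaintext bytes is the only integrity check, and the length byte is derived from the word itself rather than being checked against the data, which is why the posted Decrypt can only report the summed block lengths and a -1.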
Could someone fix the login of muex700 into this source for me?
: APplE PROJECT - By WolF & M.E.S_GameServer_1.00.90.rar
Attachment 106792
By the way, smallHabit got the x700 main.exe working on S6 server files
nah :D that was just fun, disabling 0xC3 encoding in client ^_^
Where is the problem? I, as a developer of MU servers, would NOP this new call
hook next
Code:
00439387
and
Code:
0043947D E8 BE258300 CALL dump_NO_.00C6BA40
and restore the old SimpleModulus!
Code:
004394E5 E8 56258300 CALL dump_NO_.00C6BA40
The example of calls is on send only ;)
PS. For you server devs it's a waste of time and useless to reverse the new encdec of MU Online
The problem is that MU devs can't catch new structs of protos from the official server ^_^
Already made it :
Code:
#include <windows.h>
#include <string.h>

#define DataRecvE ((void(*)(BYTE,PBYTE,DWORD,DWORD,...)) 0x006679D8)

void ProtocolCore(BYTE protoNum, BYTE * aRecv, int aLen, int aIndex, BOOL Encrypt, int serial)
{
    DataRecvE(protoNum, aRecv, aLen, aIndex, Encrypt, serial);
}

// hypothetical wrapper: the post shows these statements inline
void InstallProtocolHooks(void)
{
    // E9 rel32: JMP written over the original call site
    BYTE ProtoHook1[] = {0xE9, 0xF1, 0xC7, 0xD9, 0xFF};
    memcpy((int*)0x663B3F, &ProtoHook1, sizeof(ProtoHook1));
    // FF 15: CALL DWORD PTR [0x400345]; that pointer is filled in below
    BYTE ProtoHook2[] = {0xFF, 0x15, 0x45, 0x03, 0x40, 0x00};
    memcpy((int*)0x400335, &ProtoHook2, sizeof(ProtoHook2));
    // E9 rel32 JMP back, padded with a NOP (0x90)
    BYTE ProtoHook3[] = {0xE9, 0x3B, 0xEE, 0xD5, 0x00, 0x90};
    memcpy((int*)0x40033B, &ProtoHook3, sizeof(ProtoHook3));
    _asm
    {
        MOV DWORD PTR DS:[00400345H], Offset ProtocolCore
    }
}
Could YOU unpack the main of Taiwan MUonline. (1.03e+).
www.muonline.com.tw (mublue)
Not all packets have a FIXED OPCODE, only some of them.