This is going to be my last release as I already quit maplestory development but I still see people struggling with this. I released a v188 idb that wasnt virtualized and gave all the information necessary but people still couldn't figure it out so here's leech-able code (for the most part).
Credits go to myself and @Eric as we worked together to figure this out.
There are 2 parts to this.
Part 1
Multiple Encryption Types: Neckson introduced a secondary encryption type (Value 2) in their MakeBufferList which replaces AES (Value 1). They only use this for their (Server -> Client) packet data as (Client -> Server) still uses AES. It should also be noted they use this on every server except their login server.
The code to decrypt / encrypt this is below.
Bonus MapleShark Code:Code:private static void EncInit(int uSeqSnd, byte[] aSrc, boolean bDecrypt) { for (int i = 0; i < aSrc.length; i++) { if (bDecrypt) { aSrc[i] -= (byte) uSeqSnd; } else { aSrc[i] += (byte) uSeqSnd; } } }
Part 2Code:public void EncInit(byte[] aBuffer, bool bLoopback) { uint uIV = BitConverter.ToUInt32(aIV, 0); for (int i = 0; i < aBuffer.Length; i++) { if (!bLoopback) { aBuffer[i] -= (byte)(uIV); } else { aBuffer[i] += (byte)(uIV); } } }
Opcode Encryption is something they introduced for their (Client -> Server) packets. The packet data itself still uses AES as its encryption but the opcodes are shuffled afterwards using DES-EDE2. Note that they only do this on every server except their login server. You will know if they do this or not by receiving a packet that is a length of 32,776 after MigrateIn. As of v194, the header to this packet is "40". Note that the block size is 4 because every opcode is 4 bytes encrypted however with 3DES, each encryption is 8 bytes as they combined 2 opcodes into a string for an 8 byte encryption.
The dissection of this packet is like this:
Here is the Java class to support 3DES.Code:[XX XX XX XX] - Block Size: The amount of bytes to read for each encrypted opcode. [XX XX XX XX] - Buffer Size: The amount of bytes to read for the buffer [XX x Above Length] - Buffer: This includes all the encrypted opcodes plus padding if amount of opcodes does not reach full buffer length.
Bonus MapleShark Class:Code:/** * * @author PacketBakery */ public class TripleDESCipher { public byte[] aKey = new byte[24]; public Key pKey; public TripleDESCipher(byte[] aKey) { System.arraycopy(aKey, 0, this.aKey, 0, aKey.length); this.pKey = new SecretKeySpec(aKey, "DESede"); } public byte[] Encrypt(byte[] aData) throws Exception { Cipher pCipher = Cipher.getInstance("DESede"); pCipher.init(Cipher.ENCRYPT_MODE, this.pKey); return pCipher.doFinal(aData); } public byte[] Decrypt(byte[] aData) throws Exception { Cipher pCipher = Cipher.getInstance("DESede"); pCipher.init(Cipher.DECRYPT_MODE, this.pKey); return pCipher.doFinal(aData); } }
Now there's a few things to note. First is the key.Code:public class TripleDESCipher { public static String Decrypt(byte[] aData, byte[] aKey) { TripleDESCryptoServiceProvider pCipher = new TripleDESCryptoServiceProvider(); pCipher.BlockSize = 64; pCipher.Mode = CipherMode.ECB; pCipher.Padding = PaddingMode.None; pCipher.FeedbackSize = 64; pCipher.GenerateIV(); MethodInfo mi = pCipher.GetType().GetMethod("_NewEncryptor", BindingFlags.NonPublic | BindingFlags.Instance); object[] aObj = { aKey, pCipher.Mode, pCipher.IV, pCipher.FeedbackSize, 1}; ICryptoTransform pTransform = mi.Invoke(pCipher, aObj) as ICryptoTransform; byte[] aResult = pTransform.TransformFinalBlock(aData, 0, aData.Length); pCipher.Clear(); return UTF8Encoding.UTF8.GetString(aResult); } }
The key consists of 2 parts;
Part 1: Character ID converted into ASCII
Part 2: Machine ID
The key length is a total of 16 bytes, it can not be less and it can not be more. Note that since we are using TripleDES which uses a 24 byte key, this means the first 8 bytes of your key need to be appended as the last 8 bytes as well.
So we need to initialize our key:
Next we need to convert our characterid into ascii and append it into our key array.Code:byte[] aKey = new byte[24];
After this, part 1 is completed. Next is onto part 2.Code:String sCharacterID = String.valueOf(this.dwCharacterID); for (int i = 0; i < sCharacterID.length(); i++) { aKey[i] = (byte) sCharacterID.charAt(i); }
We need to get the length of our current key so we dont go over 16 bytes and then we need to append our machineid into our key.
Now our key is 16 bytes but since 3DES requires a 24 byte key, we append the 1st 8 bytes as our last 8 bytes as well.Code:int nLength = sCharacterID.length(); for (int i = nLength; i < 16; i++) { aKey[i] = pMachineID.aMachineID[i - nLength]; }
Now our key is complete and we can create our buffer with our encrypted opcodes.Code:System.arraycopy(aKey, 0, aKey, 16, 8);
The way I do this is using a map to maintain the real opcode and encrypted opcode for when I decrypt it later in my OnPacket functions.
This map has to be local to the User (or their Socket) as each user does not get the same opcodes.
Next we have to populate the map with the real & encrypted opcodes.Code:public Map<Integer, Integer> mEncryptedOpcode = new LinkedHashMap<>();
After we populated our map, we have to create the buffer and send it to our user.Code:List<Integer> aUsed = new ArrayList<>(); String sOpcode = ""; for (int i = ClientPacket.BeginUser.Get(); i < ClientPacket.Count.Get(); i++) { int nNum = Utilities.GetRandom(ClientPacket.BeginUser.Get(), 9999); while (aUsed.contains(nNum)) { nNum = Utilities.GetRandom(ClientPacket.BeginUser.Get(), 9999); } String sNum = String.format("%04d", nNum); if (!aUsed.contains(nNum)) { this.mEncryptedOpcode.put(nNum, i); aUsed.add(nNum); sOpcode += sNum; } } aUsed.clear();
Note: The buffer does not have to be a size of 32,776 however I add random bytes to pad it since that's also what neckson does. The required length only needs to be that of the amount of opcodes.
As explained above, our packet will look like this:Code:TripleDESCipher pCipher = new TripleDESCipher(aKey); try { byte[] aBuffer = new byte[Short.MAX_VALUE + 1]; byte[] aEncrypt = pCipher.Encrypt(sOpcode.getBytes()); System.arraycopy(aEncrypt, 0, aBuffer, 0, aEncrypt.length); for (int i = aEncrypt.length; i < aBuffer.length; i++) { aBuffer[i] = (byte) Math.random(); } SendPacket(ClientSocketPacket.OnOpcodeEncryption(4, aBuffer), false); } catch (Exception e) { e.printStackTrace(); }
Now the last part is decrypting it to the real opcodes when the client sends the server your encrypted header that you created. Wherever you read in the packet and decode your opcode, you will have to modify it to read from your encrypted opcode map:Code:public static OutPacket OnOpcodeEncryption(int nBlockSize, byte[] aBuffer) { OutPacket oPacket = new OutPacket(LoopbackPacket.OpcodeEncryption, false); oPacket.EncodeInt(nBlockSize); oPacket.EncodeInt(aBuffer.length); oPacket.EncodeBuffer(aBuffer); return oPacket; }
...and that's all you have to do. Below is the mapleshark bonus to decrypt and sniff properly but it'll also be one code block.Code:int nType = iPacket.DecodeShort(); if(pSocket.mEncryptedOpcode.containsKey(nType)) { nType = pSocket.mEncryptedOpcode.get(nType); }
Now you should be able to handle the new encryptions both for your server and sniffing.Code:if (nOpcode == OpcodeEncryption) { int nSize = BitConverter.ToInt32(packetBuffer, 4); byte[] aData = new byte[nSize]; Buffer.BlockCopy(packetBuffer, 8, aData, 0, nSize); String sOpcode = TripleDESCipher.Decrypt(aData, pMain.aKey); try { int x = 0; for (int i = ClientPacket.BeginUser; i < ClientPacket.Count; i++) { pMain.mEncryptedOpcode.Add(Int32.Parse(sOpcode.Substring(x, 4)), i); x += 4; } } catch (Exception e) { MessageBox.Show(e.Message); } } else if (nPort != LoginServer.nPort && bOutbound) { if (pMain.mEncryptedOpcode.ContainsKey(nOpcode)) { nOpcode = (ushort) pMain.mEncryptedOpcode[nOpcode]; } }
Again, credit to myself and @Eric as he was a big help when we were working on this together.
This could of been released long ago by a few people who were aware of it and the only reason I'm releasing it now is because the 1st person who figured it out decided to keep it private and not offer much help to people who asked (or claimed they knew it and were full of shit but who knows). But thats it, I'm gone from this scene and wish everyone who still develops a maplestory server best of luck.
Reply With Quote
Originally Posted by Zdasl
