Road to a Localhost

[br1337]

Hi.
I'm trying to create a localhost for BMS v1 from 2008(equivalent to GMS v52), which uses yoda's crypter 1.x / modified packer.
To acomplish this, I started learning how to unpack an packed executable and so far I've got a running client with stolen bytes, IAT, OEP fixed...
Basically what I did was:

• Find the original entry point(use the ESP trick)
• Dump the client.
• Find the stolen bytes using cheat engine and fix it with Olly.
• Fix minor OEP problems.
• Fix the import table.
• Remove game guard.

Tools:

• ImportREC
• OllyDbg
• IDA
• LordPE
• PEiD
• Phantom olly plugin
• Dump ollyplugin
• BinDiff IDA Plugin
• Process Hacker

[MentaL]

[br1337]

Gameguard removed.

Now lets try to skip the AES.

[Fraysa]

Gameguard removed.

Now lets try to skip the AES.

Good job on your progress so far, no offense but - is there a reason to skip AES?

[sunnyboy]

Good job on your progress so far, no offense but - is there a reason to skip AES?

I skip AES in my clients cuz I don't feel like handling it server side

[br1337]

Good job on your progress so far, no offense but - is there a reason to skip AES?

I think it may be easier than retrieve the key.

- - - Updated - - -

I skip AES in my clients cuz I don't feel like handling it server side

@sunnyboy Which function do you skip and how you find it?

I tried to construct an AOB for the AES functions, but failed so far.

Anyways, your v52 PDB was really useful for finding common functions in IDA. BMS v1 is the same as GMS v52.

Have you ever experienced a disconect when clicking on the login button? It's strange because it suddently closes the game with a disconect exception, whichout sending any data to the server.
Editted: I'm so newbye, the disconect problem is just because the key was wrong(of course), had forgot about that the decoder runs first and if the header is invalid, it just closes the connection.

- - - Updated - - -

Good job on your progress so far, no offense but - is there a reason to skip AES?

BTW, do you know how can I find the key in ZLZ.DLL?

- - - Updated - - -

If someone wants to help to retrieve the keys, here's the setup:
https://mega.nz/#!QB83VCgY!ZAO7np3Wfw7Hi2O6PoP2A2wQ0YJTaTMO09VhRseXlrE

[br1337]

@Eric
Do you know a method to retrieve the AES key or to disable it?

- - - Updated - - -

According to Packets: | Maplestory Reference Wiki | Fandom powered by Wikia

"The cipher's key length is 256 bits, or 32 bytes. The key was static, until version 118, when Nexon changed it."

No need to disable AES or the key.
had forgot about it
:)

[sunnyboy]

@Eric
Do you know a method to retrieve the AES key or to disable it?

- - - Updated - - -

According to Packets: | Maplestory Reference Wiki | Fandom powered by Wikia

"The cipher's key length is 256 bits, or 32 bytes. The key was static, until version 118, when Nexon changed it."

No need to disable AES or the key.
had forgot about it
:)

I figured you knew that but wanted it gone anyway lawl

[br1337]

I figured you knew that but wanted it gone anyway lawl

LOL, i've had forgotten about this aspect old old clients.
Now there's another problem:

What could cause a problem like this?

You list the available worlds, but when you click on it, nothing happens, the channels available not appears.

My testing serverlist structure:
https://gist.github.com/br1337/ddb7e...49c33a1a58edd1

[sunnyboy]

LOL, i've had forgotten about this aspect old old clients.
Now there's another problem:

What could cause a problem like this?

You list the available worlds, but when you click on it, nothing happens, the channels available not appears.

My testing serverlist structure:
https://gist.github.com/br1337/ddb7e...49c33a1a58edd1

Post ida version also, i don't feel like making an idb

[br1337]

Post ida version also, i don't feel like making an idb

IDB with many names + DUMP
https://mega.nz/#!GRRUSLAS!_080d-JAe...6CzzXjDKqrKzuo

[br1337]

Still cannot find the reason why I cant see the channels when I click in the world.

Any ideas? @Eric, @sunnyboy

[Diamondo25]

The AES should be the full key, instead of the 'left side' (every first 4 bytes of 16 bytes of the key).
No channels when you click the world? Possibly wrong information in the world packet? screenshot maybe?

[br1337]

The AES should be the full key, instead of the 'left side' (every first 4 bytes of 16 bytes of the key).
No channels when you click the world? Possibly wrong information in the world packet? screenshot maybe?

Whats the name of the 'world' packet in v95 IDB?

The server list packet seens correct and I can see the first world.

[Umbreon]

Whats the name of the 'world' packet in v95 IDB?

The server list packet seens correct and I can see the first world.

It's "OnWorldInformation", you send the total number of channels and a bit of information per channel there. This would be "getServerList" in Odin, so you probably have it correct.

[br1337]

It's "OnWorldInformation", you send the total number of channels and a bit of information per channel there. This would be "getServerList" in Odin, so you probably have it correct.

By looking at the IDA structure, it seens correct.
No Idea why the channels arent displayed..