Occasionally I find myself bored and in unpacking mood. I've also seemingly rediscovered a fondness for old MapleStory versions, so I figured why not combine the two and help out the community. Is there a particular version you've always wanted a proper client for? Request it here!
Rules:
* I can only make localhosts for versions <= GMS v111 (or equivalents for other maple regions - ca. 2012). This is because VMProtect - and later on newer Themida VM models - cannot be unvirtualized as perfectly as the old CISC-2.
* There must be full game files available (e.g. on msdl, or provided by yourself) for the version you're requesting.
You'll get a fully unprotected single exe binary file that can simply be dropped into the game folder and should run without further complications (compatibility mode settings may be required for old versions on modern Windows). All my binaries are optimized for low file size and performance (in terms of disabling security checks official clients do).
Completed works:
GMS v28 (Aug 2006): https://mega.nz/file/IO4x2Q4Z#jF0Zpbf3Ggu5Ztd_K0Ua0vI-RoAb4qe2fh_wjoA5V9Y
GMS v48 (Dec 2007): https://mega.nz/file/YWZTGKTL#nDVQnGOS0_lFoso4bFD_zWR8CJ8njcGGYMO-UbMlsZM
GMS v53 (Mar 2008): https://mega.nz/file/sSQSUZrJ#1S-IvbFKs_7eZ2NzEtQhaC_lKrhpaksN59IiID-XFoc
GMS v62 (Nov 2008): https://mega.nz/file/BTZlXAIZ#MnKW3tl3ZXPZCSnj8djZ97bLQB13Rz-Khm3VhRVpkb4
GMS v62 4GB: https://mega.nz/file/YagiXL7A#8BOxWLlAR0sP6jNA46ynJZOLDR161Tt3Jt2-PGRNnuo
GMS v68 (Apr 2009): https://mega.nz/file/kPpG3ZhB#gmMAXrq637IjitFA3pOS2pOpPBkniQcJDaKbDe0G2Ew
GMS v68 4GB: https://mega.nz/file/cHhiTJoD#xgLonA1bdphfsPTuCYThswVdbTuWtax6Yxl7-PNKiKU
GMS v83.1 (Feb 2010): https://mega.nz/file/UbIlCSoS#lmjtFelSUt3C5YpuQ8pHU4KE5g4EKRFhE4FDjYAMJ80
GMS v83.1 4GB: https://mega.nz/file/1GBFWIrb#NIWbz7iCmD59tHv3GnEmx0lHG4U4w9MxcHXrqnvOOtQ
GMS v87.1 (Jun 2010): https://mega.nz/file/ROpRzAoL#M6XfcocHQb5tXvO9a1lEqVL6jU-20VhwGVWY088uUGU
GMS v87.1 4GB: https://mega.nz/file/waxkXTYI#7QBjp8qyQSzoBIzyUyNvF4PcZlJykHQ6ZMZDJkFB6Dw
GMS v92.1 (Nov 2010): https://mega.nz/file/cLgQXbaA#wUier-yXUtYvww4TEdtCR4ZfInntB0qmRX7IVJH1zMw
GMS v92.1 4GB: https://mega.nz/file/hT5XjSLR#bLXUa9e0xUGtu2x-5iGHPMZiKDR0kOP5WBWEzdZiqlI
GMS v95.1 (Jan 2011): https://mega.nz/file/dWIgyR4I#6cDN_ycLLiFtad07Eby3UfjdY3TqGI65g6X-xEqlmds
GMS v111.1 (May 2012): https://mega.nz/file/paw3jQpb#ne8xF676O3-5LqStY85m2-8wQKt8MOpqBOuUJIfgR00
EMS v65.1 (Oct 2010): https://mega.nz/file/1bpCybZS#p5MqjIq4AzxlF0WEkjQ9bSg19Xvj68E0AT1x5D4SVQc
EMS v76.1 (Oct 2011): https://mega.nz/file/4CQR3KYQ#baaYWGg48443MALT6nqOJAx_RKjnv1VmxMcrwX1Lfbw
EMS v87.1 (Feb 2013): https://mega.nz/file/tbw2AZQD#O8tsw6jp3naJUeoF8tps11vDcA1of5z_ZzGQZunw0ks
BMS v8 (Oct 2008): https://mega.nz/file/FGRF3K5b#NpOgAl-bxUZvhJOgV5-WBD3xwO-paP1zVsIY9cA2rP0
BMS v19 (Nov 2009): https://mega.nz/file/gCIXVKDT#WB_zzB4Jab934O0qZmtBLaSavhI6AXyDLoNB5YUFKP0
TMS v72 (Apr 2008): https://mega.nz/file/5OozzYpY#xLQFqQ6Ev9JLrywEKu2MRd_Qc5G_o0xva8VigTe1u0g
TMS v90 (Mar 2009): https://mega.nz/file/sXpGHTxZ#SRfv-MX5UTfEX1Fh8jcgpq9ym8BykMuM9GsG8gzK4Ks
JMS v186 (Sep 2010): https://mega.nz/file/ELRDWKyI#aSAH5xKDKXRahHxYi_snFY4FBXcCHOSWx7itNDUgg7k
VMS v23 (Oct 2008): https://mega.nz/file/ESxUzbhD#S4G3hp-HMlKD35-t0P82EBIb0fk5hXeuLOEkb-Ob4MM
THMS v96.1 (Aug 2011): https://mega.nz/file/kLJ1wABT#vOxcKtY98T29Iy4ZJlYJjIkXOJXYHWAe1aoZqpXZPug
Note: Unpacked clients can occasionally have false positive AV detections such as "Trojan.Win32/Mapstosteal". That is nothing to worry about and should simply be whitelisted. The signature name is pretty suspicious tbh. I sometimes wonder if Nexon submitted byte sequences to AV vendors in the past to detect unpacked clients, in order to scare people off from playing private servers...
The "4GB" variants are patched to set the "large address aware" (LAA) flag in the PE header (IMAGE_FILE_LARGE_ADDRESS_AWARE in the file header's Characteristics). This lets the 32-bit client address up to 4 GB of virtual memory instead of only 2 GB. This is required to fix sound on Wine, and on Windows it can also help prevent/lessen the so-called "GFX issues". When in doubt, you should always prefer this variant. In v93+ it is always set because Nexon activated it.
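For anyone who wants to check or apply the LAA flag on their own copy instead of downloading the 4GB variant, here is an added Python example (my illustration for this thread, not the author's tooling). It locates the COFF file header via e_lfanew, reads the Characteristics word and sets the 0x0020 bit. The build_minimal_header helper constructs a fake header so the thing can be exercised without a real exe; the function names are this example's own.

```python
import struct
import sys

# Added illustration: minimal PE file-header inspector/patcher for the LAA bit.
IMAGE_FILE_LARGE_ADDRESS_AWARE = 0x0020   # bit in IMAGE_FILE_HEADER.Characteristics
IMAGE_FILE_MACHINE_I386 = 0x014C          # 32-bit x86 image
E_LFANEW_OFFSET = 0x3C                    # DOS header field pointing at "PE\0\0"
FILE_HEADER_SIZE = 20                     # sizeof(IMAGE_FILE_HEADER)
CHARACTERISTICS_OFFSET = 18               # offset of Characteristics inside IMAGE_FILE_HEADER


def _file_header_pos(image: bytes) -> int:
    """Return the offset of IMAGE_FILE_HEADER after validating the DOS stub and PE signature."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, E_LFANEW_OFFSET)
    if e_lfanew + 4 + FILE_HEADER_SIZE > len(image):
        raise ValueError("e_lfanew points past end of file")
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4


def machine(image: bytes) -> int:
    """IMAGE_FILE_HEADER.Machine (0x014C for 32-bit x86)."""
    (m,) = struct.unpack_from("<H", image, _file_header_pos(image))
    return m


def characteristics(image: bytes) -> int:
    """IMAGE_FILE_HEADER.Characteristics as a raw 16-bit value."""
    (c,) = struct.unpack_from("<H", image, _file_header_pos(image) + CHARACTERISTICS_OFFSET)
    return c


def is_large_address_aware(image: bytes) -> bool:
    return bool(characteristics(image) & IMAGE_FILE_LARGE_ADDRESS_AWARE)


def set_large_address_aware(image: bytes) -> bytes:
    """Return a copy of the image with the LAA bit set (no-op if already set).

    Only meaningful for 32-bit images; 64-bit images always have it. The OptionalHeader
    CheckSum is left stale, which Windows does not verify for user-mode executables.
    """
    if machine(image) != IMAGE_FILE_MACHINE_I386:
        raise ValueError("LAA patching only applies to 32-bit (i386) images")
    pos = _file_header_pos(image) + CHARACTERISTICS_OFFSET
    patched = bytearray(image)
    struct.pack_into("<H", patched, pos, characteristics(image) | IMAGE_FILE_LARGE_ADDRESS_AWARE)
    return bytes(patched)


def build_minimal_header(flags: int, machine_type: int = IMAGE_FILE_MACHINE_I386) -> bytes:
    """Constructed sample input: DOS stub + PE signature + IMAGE_FILE_HEADER and nothing else."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x40)          # PE header right after the stub
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", machine_type, 3, 0, 0, 0, 0xE0, flags)
    return bytes(dos) + b"PE\0\0" + file_header


if __name__ == "__main__":
    # python laa.py MapleStory.exe            -> report the flag
    # python laa.py MapleStory.exe patched.exe -> write a copy with the flag set
    data = open(sys.argv[1], "rb").read()
    print(f"machine=0x{machine(data):04X} LAA={is_large_address_aware(data)}")
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(set_large_address_aware(data))
```

Always patch a copy and keep the original; a typical unpatched exe shows Characteristics 0x0102 (executable, 32-bit machine) and becomes 0x0122 afterwards.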
Server engineering notes
GMS v87: In this version, the client will send you XOffset/YOffset shorts after the foothold in absolute movement elements (CMovePath::Encode), but it does not read them back when processing packets from the server (CMovePath::Decode). This means that if your source simply copies the packet contents into NPC animation packets, that won't work. You have to parse the packet and then serialize it again the way the client expects it.
GMS v88~v98: These versions had a bug where the melee attack packet contained one more byte at the beginning when hitting a reactor (as opposed to hitting the air or a mob). There's no way to differentiate this other than doing a check such as this:
Code:
    // Start of attack parsing (Java, LittleEndianAccessor-style reader)
    lea.readByte(); // current field key
    // v88~v98 quirk: a reactor hit carries one extra leading byte, and the only
    // usable tell is the remaining packet length, so skip it when that matches.
    if (type == AttackType.MELEE && lea.available() == 55) {
        lea.readByte(); // skip surplus byte when hitting reactor
    }
EMS v87: This version is more or less equivalent to GMS v125. I patched out the login RSA crypto for simplicity's sake. Note that the authentication packet structure is different from GMS regardless; the username and password strings are somewhere in the middle of the packet.
This EMS version requires you to explicitly set the MapLogin img for the login screen by sending 1B 00 08 00 4D 61 70 4C 6F 67 69 6E (the trailing 8 bytes spell "MapLogin"; "MapLogin1" also works and shows Angelic Buster). A good point to send it would be upon receiving the 0x36 packet (LoginCreated) from the client.
EMS v76: RSA crypto patched out; send 16 00 08 00 4D 61 70 4C 6F 67 69 6E upon receiving 1F 00.
JMS v186: Send packet 18 00 08 00 4D 61 70 4C 6F 67 69 6E when receiving 0x1A (see EMS v87 for explanation).
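Since the three MapLogin packets above are the same structure with a different opcode (u16 LE opcode, u16 LE string length, raw bytes), here is an added Python example (mine, not part of the original post) that builds them from the per-version table and parses them back. The opcodes and trigger packets are the ones quoted in the notes; the dict names, function names and the reply_for helper are this example's own. The decoder refuses a length prefix that overruns the buffer, which is the check a packet reader on your server should be doing anyway.

```python
import struct
from typing import Optional, Tuple

# Per-version values from the notes above. Table and names are this example's own.
SET_LOGIN_IMG_OPCODE = {"EMS v87": 0x1B, "EMS v76": 0x16, "JMS v186": 0x18}
LOGIN_READY_TRIGGER = {"EMS v87": 0x36, "EMS v76": 0x1F, "JMS v186": 0x1A}


def encode_string(s: str) -> bytes:
    """Wire string: u16 little-endian byte length, then the raw bytes, no terminator."""
    data = s.encode("ascii")
    if len(data) > 0xFFFF:
        raise ValueError("string too long for a u16 length prefix")
    return struct.pack("<H", len(data)) + data


def encode_set_login_img(opcode: int, img_name: str = "MapLogin") -> bytes:
    """u16 LE opcode followed by the img name as a wire string."""
    return struct.pack("<H", opcode) + encode_string(img_name)


def decode_set_login_img(packet: bytes) -> Tuple[int, str]:
    """Inverse of encode_set_login_img. A length prefix larger than what is actually
    present is rejected rather than read short, which is where sloppy readers go wrong."""
    if len(packet) < 4:
        raise ValueError("packet shorter than opcode + length prefix")
    opcode, length = struct.unpack_from("<HH", packet, 0)
    body = packet[4:4 + length]
    if len(body) != length:
        raise ValueError(f"length prefix {length} exceeds {len(packet) - 4} remaining bytes")
    if len(packet) != 4 + length:
        raise ValueError("trailing bytes after string")
    return opcode, body.decode("ascii")


def is_well_formed(packet: bytes) -> bool:
    """True if the packet parses cleanly as a set-login-img packet."""
    try:
        decode_set_login_img(packet)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def reply_for(version: str, client_opcode: int, img_name: str = "MapLogin") -> Optional[bytes]:
    """Server side of the exchange: when the client's login-ready opcode for this version
    arrives, answer with the set-login-img packet; for anything else send nothing."""
    if LOGIN_READY_TRIGGER.get(version) != client_opcode:
        return None
    return encode_set_login_img(SET_LOGIN_IMG_OPCODE[version], img_name)


if __name__ == "__main__":
    for version, opcode in SET_LOGIN_IMG_OPCODE.items():
        print(version, encode_set_login_img(opcode).hex(" ").upper())
```

Running it prints the exact byte strings from the notes, e.g. "EMS v87 1B 00 08 00 4D 61 70 4C 6F 67 69 6E"; pass "MapLogin1" as img_name to get the Angelic Buster variant with length 09 00.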
Client patching notes
These are for when you're unpacking a client yourself. Many of these only apply to v67+.
* WinMain: nop ShowStartUpWndModal
* WinMain: jz->jmp for ShowADBalloon code (pretty much at the end of method, above push with small number)
* CWvsApp::CWvsApp: Find mov ecx, ...; mov dword ptr ..., 2; jmp. Higher up in the method, change jnz below ZXString<char>::IsEmpty to jmp <addr of mov ecx>
* CWvsApp::SetUp: Change short jmp at the beginning to long jmp that skips all the crap
* CWvsApp::SetUp: Patch short jz above CSecurityClient::InitModule and ::StartModule to short jmp
* CWvsApp::SetUp: nop MSLoop_Remove (if present, v91+)
* CWvsApp::SetUp: Place another long jmp after CWvsApp::ConnectLogin that skips all the crap (until CreateInstance calls)
* CWvsApp::SetUp: Change short jmp before HShield mutex stuff to long jmp. Jump to push 104h further down the method
* CClientSocket::Connect: Skip IP checks by changing short jmp at beginning of the method to long jmp that goes to the client socket code
* CWvsApp::InitializeInput: Skip crap after CInputSystem::Init, jump to method epilogue
* CWvsApp::Run: After CClientSocket::ManipulatePacket, long jmp to "push 0FFh push 0 push 0"
* CWvsApp::Run: nop call to CSecurityClient::Update while we're at it
* CWvsApp::Run: Below IWzGr2D::RenderFrame (where it does 0-100 rand stuff), place long jmp to push 1; call Sleep way down in the method
* CWvsApp::Run: At the end of the method, there's a call to _free, followed by add esp, 4, followed by a cmp ..., 12h. Skip the free by jmping straight to the cmp.
* CWvsApp::CallUpdate: Near the beginning of the method there's a jle below a test. Change this jle offset to the end of the method where it does some relevant things (GR and ActionMan stuff)
* CActionMan::SweepCache: It has some crap in a virtualized chunk at the top that may be doing more or less shady things depending on your version. Skip it if it looks like it could cause trouble (a couple incs/decs/xors are harmless)
* DR_check: xor eax, eax; ret (33 C0 C3)
* CClientSocket::OnAliveReq: If your version has a virtualized chunk here, skip the entire chunk (short jmp -> long jmp)
* CWvsContext::OnEnterField: Skip virtualized chunk at the top (short jmp -> long jmp). If your version has a check (recognizable by lots of xors) at the end, best to skip that as well by jnz -> jmp
* CLogin::SendCheckPasswordPacket: At the start of the sequence of pushes that contains 0C9h, place a long jmp to further down in the method to the SystemInfo basic block. Do auth patches for encoding the correct strings (user/pw)
Tooling
Magicmida: https://github.com/Hendi48/Magicmida