-
[Conceptl] MRS Encryption Concept
The MRS file format is exactly the same as a ZIP file. Meaning, if you take an unencrypted MRS file and change its extension to ".zip" you can open it with WinZIP, WinRAR, etc. The neat thing is that Gunz can actually read .zip files and use them (which is really good when you're developing).
Now the ZIP file format (which is inherently MRS) has directory headers which list file information for each of the files contained in the ZIP archive; these are located at the beginning of each file. There is also a central header which lists information for the entire archive.
Now to protect their files MAIET used the ZIP file format but encrypted the above-said headers. When Gunz starts it enumerates all .ZIP and .MRS files. If it's a ZIP it unpacks the files into memory. If it's MRS it goes to a routine called RecoveryChar() which decrypts the data (i.e. the headers) and proceeds like a zip file.
Now to create your own MRS encryption you have two options:
1) Create your own File System and have Gunz use that
2) Edit Gunz.exe and Mrs.exe to slightly change the encryption
For simplicity's sake let's do number two.
Let's take a look at where Gunz decrypts headers (Warning: ASM):
First open Ollydbg and load gunz.exe
Hit the Find Sequence of Commands menu button(CTRL + S) and type in
This should bring you to the first function you'll need to change. I'll go ahead and paste it here for viewing purposes.
Code:
00538680 /$ 8B4C24 04 MOV ECX,DWORD PTR SS:[ESP+4]
00538684 |. 85C9 TEST ECX,ECX
00538686 |. 74 1E JE SHORT Gunz.005386A6
00538688 |. 56 PUSH ESI
00538689 |. 8B7424 0C MOV ESI,DWORD PTR SS:[ESP+C]
0053868D |. 85F6 TEST ESI,ESI
0053868F |. 7E 14 JLE SHORT Gunz.005386A5
00538691 |> 8A01 /MOV AL,BYTE PTR DS:[ECX]
00538693 |. 8AD0 |MOV DL,AL
00538695 |. C0EA 03 |SHR DL,3
00538698 |. C0E0 05 |SHL AL,5
0053869B |. 0AD0 |OR DL,AL
0053869D |. F6D2 |NOT DL
0053869F |. 8811 |MOV BYTE PTR DS:[ECX],DL
005386A1 |. 41 |INC ECX
005386A2 |. 4E |DEC ESI
005386A3 |.^ 75 EC \JNZ SHORT Gunz.00538691
005386A5 |> 5E POP ESI
005386A6 \> C3 RETN
Hit Find Next(CTRL + L) and it should bring you inside another function which also has the decryption routine.
Code:
...
005389B0 |. 8B46 14 MOV EAX,DWORD PTR DS:[ESI+14]
005389B3 |. 83C4 1C ADD ESP,1C
005389B6 |. 83F8 02 CMP EAX,2
005389B9 |. 7C 1D JL SHORT Gunz.005389D8
005389BB |. 8D4C24 0C LEA ECX,DWORD PTR SS:[ESP+C]
005389BF |. BF 1E000000 MOV EDI,1E
005389C4 |> 8A01 /MOV AL,BYTE PTR DS:[ECX]
005389C6 |. 8AD0 |MOV DL,AL
005389C8 |. C0EA 03 |SHR DL,3
005389CB |. C0E0 05 |SHL AL,5
005389CE |. 0AD0 |OR DL,AL
005389D0 |. F6D2 |NOT DL
005389D2 |. 8811 |MOV BYTE PTR DS:[ECX],DL
005389D4 |. 41 |INC ECX
005389D5 |. 4F |DEC EDI
005389D6 |.^ 75 EC \JNZ SHORT Gunz.005389C4
005389D8 |> 8B4424 0C MOV EAX,DWORD PTR SS:[ESP+C]
005389DC |. 3D 504B0304 CMP EAX,4034B50
005389E1 |. 74 12 JE SHORT Gunz.005389F5
005389E3 |. 3D 00008485 CMP EAX,85840000
005389E8 |. 74 0B JE SHORT Gunz.005389F5
005389EA |> 5F POP EDI
...
Now let's look at the encryption routines in Mrs.exe. Find it the same way as Gunz.exe only switch the "3" and "5".
Code:
00401120 /$ 57 PUSH EDI
00401121 |. 8B7C24 0C MOV EDI,DWORD PTR SS:[ESP+C]
00401125 |. 33C9 XOR ECX,ECX
00401127 |. 85FF TEST EDI,EDI
00401129 |. 76 1E JBE SHORT mrs.00401149
0040112B |. 56 PUSH ESI
0040112C |. 8B7424 0C MOV ESI,DWORD PTR SS:[ESP+C]
00401130 |> 8A0431 /MOV AL,BYTE PTR DS:[ECX+ESI]
00401133 |. 8AD0 |MOV DL,AL
00401135 |. C0EA 05 |SHR DL,5
00401138 |. C0E0 03 |SHL AL,3
0040113B |. 0AD0 |OR DL,AL
0040113D |. 41 |INC ECX
0040113E |. F6D2 |NOT DL
00401140 |. 885431 FF |MOV BYTE PTR DS:[ECX+ESI-1],DL
00401144 |. 3BCF |CMP ECX,EDI
00401146 |.^ 72 E8 \JB SHORT mrs.00401130
00401148 |. 5E POP ESI
00401149 |> 5F POP EDI
0040114A \. C3 RETN
Now we need to think of a decent way to change the encryption. For this example I'll use my encryption method as I don't support it anymore and don't care.
First I'll break down the decryption function (the first one listed, otherwise known as RecoveryChar()). Windows calculator in scientific view can do some of the bitwise operators, OR/NOT etc.
ECX is the pointer to the header data
ESI is the length of said data
MOV AL,BYTE PTR DS:[ECX] Move the first byte of data into AL
MOV DL,AL Copy AL to DL
SHR DL,3 Shift DL 3 bytes right
SHL AL,5 Shift AL 5 bytes left
OR DL,AL DL = DL Or AL || It's a bitwise thing
NOT DL Basically an inverse byte of DL
MOV BYTE PTR DS:[ECX],DL Replace the original byte with the encrypted one
INC ECX Go to the next byte in the header
DEC ESI Subtract ESI(header length) by one
JNZ SHORT <<TO TOP>> Jump if ESI isn't 0 to the beginning
Alright now here is how I edited it to change the encryption:
ECX is the pointer to the header data
ESI is the length of said data
32 represents 50 in hex which comprises the code 2 and 25 multiplied together
SUB BYTE PTR DS:[ECX],32 Subtract 0x32 from ecx(first byte of data)
MOV AL,BYTE PTR DS:[ECX] Move the first byte of data into AL
MOV DL,AL Copy AL to DL
SHR DL,3 Shift DL 3 bytes right
SHL AL,5 Shift AL 5 bytes left
OR DL,AL DL = DL Or AL || It's a bitwise thing
NOT DL Basically an inverse byte of DL
MOV BYTE PTR DS:[ECX],DL Replace the original byte with the encrypted one
INC ECX Go to the next byte in the header
DEC ESI Subtract ESI(header length) by one
JNZ SHORT <<TO TOP>> Jump if ESI isn't 0 to the beginning
Now for Mrs.exe(I'm not going to explain how it works, just what to change):
MOV AL,BYTE PTR DS:[ECX+ESI]
MOV DL,AL
SHR DL,5
SHL AL,3
OR DL,AL
INC ECX
NOT DL
ADD DL,32
MOV BYTE PTR DS:[ECX+ESI-1],DL
CMP ECX,EDI
JB SHORT <<TO TOP>>
Alright now let's get down to actually editing the two since that's a little different. Oooo, I know, let's do pictures.
Let's go ahead and edit our first finding in Gunz.exe:
http://img511.imageshack.us/img511/8367/mrspart1ls4.png
Our second edit will be a code cave for simplicity's sake. So it will come in two parts:
http://img205.imageshack.us/img205/7561/mrspart2wn1.png
and...
http://img515.imageshack.us/img515/2082/mrspart3vm9.png
Now for MRS.exe:
http://img528.imageshack.us/img528/5308/56143830cz8.png
And time to save it all. Start encrypting your folders to .MRS files with the new MRS.exe and keep a backup of the folders at all times =). This example could be done a little more optimized but it works. Also, don't use the encryption method here as everyone now knows about it. Your encryptions are as good as how well you hide them and how complex they are.
I go into tutorial rants when I get bored XD.............
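Added example (not part of the original post and not MAIET's code): a C model of the byte transforms in the listings above, showing that the edited Mrs.exe and Gunz.exe routines still round-trip the ZIP signature that Gunz checks at 005389DC, and that the scheme is a fixed, keyless byte substitution. All function names are hypothetical and the sample header is constructed.

```c
#include <stdint.h>
#include <stddef.h>

/* Added illustration; all function names are hypothetical. `add` is the
   constant from the post: 0 models the stock routines, 0x32 the edited ones. */

/* Mrs.exe loop: SHR DL,5 / SHL AL,3 / OR DL,AL / NOT DL / ADD DL,add */
uint8_t mrs_encode_byte(uint8_t b, uint8_t add) {
    uint8_t rol3 = (uint8_t)((b >> 5) | (b << 3));   /* rotate left by 3 bits */
    return (uint8_t)((uint8_t)~rol3 + add);
}

/* Gunz.exe loop: SUB [ECX],add / SHR DL,3 / SHL AL,5 / OR DL,AL / NOT DL */
uint8_t gunz_decode_byte(uint8_t b, uint8_t add) {
    uint8_t t = (uint8_t)(b - add);
    uint8_t ror3 = (uint8_t)((t >> 3) | (t << 5));   /* rotate right by 3 bits */
    return (uint8_t)~ror3;
}

/* The check at 005389DC: first little-endian dword must equal 0x04034B50. */
int header_is_zip(const uint8_t *h) {
    uint32_t sig = (uint32_t)h[0] | ((uint32_t)h[1] << 8) |
                   ((uint32_t)h[2] << 16) | ((uint32_t)h[3] << 24);
    return sig == 0x04034B50u;
}

/* Encode a constructed 0x1E-byte header with enc_add, decode with dec_add,
   and report whether the client-side signature check would pass. */
int decoded_header_is_zip(uint8_t enc_add, uint8_t dec_add) {
    uint8_t hdr[0x1E] = { 'P', 'K', 0x03, 0x04 };    /* constructed sample */
    for (size_t i = 0; i < sizeof hdr; i++)
        hdr[i] = gunz_decode_byte(mrs_encode_byte(hdr[i], enc_add), dec_add);
    return header_is_zip(hdr);
}

/* 1 if encode is a keyless one-to-one byte substitution that decode inverts:
   the whole scheme is a fixed 256-entry table stored in the executables. */
int is_fixed_substitution(uint8_t add) {
    uint8_t seen[256] = {0};
    for (int v = 0; v < 256; v++) {
        uint8_t e = mrs_encode_byte((uint8_t)v, add);
        if (seen[e] || gunz_decode_byte(e, add) != (uint8_t)v)
            return 0;
        seen[e] = 1;
    }
    return 1;
}

int main(void) {
    /* matching constants pass; a stock client (add = 0) rejects the file */
    return !(decoded_header_is_zip(0x32, 0x32) && !decoded_header_is_zip(0x32, 0)
             && is_fixed_substitution(0x32));
}
```

Because there is no key, the protection rests entirely on the constant and rotation staying hidden inside the client binary.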
-
Re: [Conceptl] MRS Encryption Concept
awesome copy+paste skills xD
-
Re: [Conceptl] MRS Encryption Concept
lol wesman r u sure he copy and paste?
-
Re: [Conceptl] MRS Encryption Concept
tnx, I'll need this when I'll finally make myself release my p server to the public.
-
Re: [Conceptl] MRS Encryption Concept
we cant use this for theduel.exe filelist runnable by maxteam?
-
Re: [Conceptl] MRS Encryption Concept
It's good, but face the fact that if Gunz.exe opens it, most of us can.
-
Re: [Conceptl] MRS Encryption Concept
Quote:
Originally Posted by
Wizkidje
It's good, but face the fact that if Gunz.exe opens it, most of us can.
Which is why solution 1 > solution 2 XD
-
Re: [Conceptl] MRS Encryption Concept
Very nice, T6.. you are a profi....
-
Re: [Conceptl] MRS Encryption Concept
T6 make a tut for option 1 :P
-
Re: [Conceptl] MRS Encryption Concept
Solution 1 requires programming knowledge. Basically you do a WinAPI hook on CreateFile(), ReadFile(), SetFilePointer(), and CloseHandle().
-
Re: [Conceptl] MRS Encryption Concept
T6 what programming do you use for mrs?
-
Re: [Conceptl] MRS Encryption Concept
Isn't there some way to have the client use .zip files instead of .mrs, and then just put a complex password on the archive?
Not sure if it's possible but it'd sure make it near impossible to tamper with.
Edit: May sound crazy but I believe it was evil gunz that had man and woman.mrs as .zip files that were 'damaged.' Most likely over my head but it seems that is much more effective than an easy to break encryption.
-
Re: [Conceptl] MRS Encryption Concept
Gunz can't open passworded zip files.
-
Re: [Conceptl] MRS Encryption Concept
Quote:
Originally Posted by
ThievingSix
(Warning: ASM)
LMAO :laugh:
The same way you added and subtracted 32 you can add and subtract any other number?
-
Re: [Conceptl] MRS Encryption Concept
Nice =D. I have just one more question =D. In the text part you wrote the command "SUB BYTE PTR DS:[ECX],32" and in the images you have used "SUB BYTE PTR DS:[ECX],36". Is it any kinda conversion or just a mistake? Thanks
-
Re: [Conceptl] MRS Encryption Concept
I had a question ;s,, I cant find with ctrl-s SHR dl,3
SHL al,5 lol im doing something wrong lol ;sXD i use theduel.exe and not gunz.exe :P i use the Maxteam theduel.exe filelistskip..
-
Re: [Conceptl] MRS Encryption Concept
theduel.exe is gunz. And yes, to answer your question in the most sarcastic way possible, you are doing something wrong.
-
Re: [Conceptl] MRS Encryption Concept
Except if now you use your encryption via this method someone can still just look at your client's Runnable, find the shift you perform, and still be able to decrypt it, so please if you use this do be aware it still is possible to decrypt your MRS, just takes a little more work.
-
Re: [Conceptl] MRS Encryption Concept
xD Buga
well ya, I believe everyone should notice that.
thanks.
-
Re: [Conceptl] MRS Encryption Concept
Yes buga that's why I said that Option 1 > Option 2
-
Re: [Conceptl] MRS Encryption Concept
I still think your old way (LegacyGamers, Brittle Bullet) is securer.
-
Re: [Conceptl] MRS Encryption Concept
Faster, not more protected. Anything can be unpacked and the encryption codes could be deduced and shoved into the MRS Viewer. When you create your own file system you're able to use 1024byte keys that can't be reversed very easily (if anyone actually could - Legion/Kolie). The only downside is that it's considerably slower as seen in GameFlare. There are ways to improve upon it by using a cache system since Gunz.exe accesses and reads the entire system.mrs file 116 times (if I remember correctly).
All in all anything is better than nothing.
-
Re: [Conceptl] MRS Encryption Concept
Whats actually the Brittie Bullet stuff? The thing who blocks LG gunz.exe for being opened by ollydbg?
-
Re: [Conceptl] MRS Encryption Concept
Quote:
Originally Posted by
cerealnp
Whats actually the Brittie Bullet stuff? The thing who blocks LG gunz.exe for being opened by ollydbg?
i can open it in OllyDBG for u ^^
-
Re: [Conceptl] MRS Encryption Concept
Quote:
Originally Posted by
ThievingSix
Faster, not more protected. Anything can be unpacked and the encryption codes could be deduced and shoved into the MRS Viewer. When you create your own file system you're able to use 1024byte keys that can't be reversed very easily (if anyone actually could - Legion/Kolie). The only downside is that it's considerably slower as seen in GameFlare. There are ways to improve upon it by using a cache system since Gunz.exe accesses and reads the entire system.mrs file 116 times (if I remember correctly).
All in all anything is better than nothing.
It makes the mrs opening faster. (The BB's way).
And it might be more unsecure, but since there's always an option to unpack the mrs files...
-
Re: [Conceptl] MRS Encryption Concept
Quote:
Originally Posted by
cerealnp
So teach me =D
Open it in this http://www.mediafire.com/?uymdvin25zj
-
Re: [Conceptl] MRS Encryption Concept
that is ollydbg crashpoint <.<
-
Re: [Conceptl] MRS Encryption Concept
Quote:
Originally Posted by
CrashPoint
Thanks!
-
Re: [Conceptl] MRS Encryption Concept
T6 You are again a elite (A) but my "uncle" already did it (A)
-
Re: [Conceptl] MRS Encryption Concept
themida encryption and custom mrs encryption, your game is pretty much unbreakable by anyone less than a god at reverse engineering. And even if its broken, switch up a simple key, and everything changes.
You're really bored aren't you T6.
-
Re: [Conceptl] MRS Encryption Concept
Quote:
Originally Posted by
Asumi
T6 You are again a elite (A) but my "uncle" already did it (A)
Didn't say I was the first =P. CBWhiz was lol
-
Re: [Conceptl] MRS Encryption Concept
Quote:
Originally Posted by
Applique
themida encryption and custom mrs encryption, your game is pretty much unbreakable by anyone less than a god at reverse engineering. And even if its broken, switch up a simple key, and everything changes.
You're really bored aren't you T6.
It's not that hard to unpack a runnable packed with Themida, and it isn't hard to unpack mrs files. If Gunz.exe can unpack it, we can unpack it.
-
Re: [Conceptl] MRS Encryption Concept
I can even unpack themida protections... it's so ez...
-
Re: [Conceptl] MRS Encryption Concept
Which is why I keep saying over and over that if option 1 was used(external file system) it would be much more difficult. You could then use themida's or execryptors main forms of defense which is virtualization. This can't be done in gunz which makes it much much harder. In this case Gunz isn't decrypting the file but the dll is.
-
Re: [Conceptl] MRS Encryption Concept
T6, have you managed to make a solution with option 1?
-
Re: [Conceptl] MRS Encryption Concept
I have done it for GameFlare in a rushed manner. So I didn't do a cache so it was slow. But it was a proof of concept.
-
Re: [Conceptl] MRS Encryption Concept
Great source of knowledge.
-
Re: [Conceptl] MRS Encryption Concept
Quote:
Originally Posted by
ThievingSix
Didn't say I was the first =P. CBWhiz was lol
You are still the first with a tut,... and you didn't leeched!
If fail makes a threat or says he code something he leeched it...
-
Re: [Conceptl] MRS Encryption Concept
So, ive followed the tutorial step by step and it isn
-
Re: [Conceptl] MRS Encryption Concept
Quote:
Originally Posted by
wesman2232
old LG is 18 03
18 * 03 => 54 => 36 in HEX.
-
Re: [Conceptl] MRS Encryption Concept
oh, thanks for helping me understand then
-
Re: [Conceptl] MRS Encryption Concept
Don't use LG MRS files. Make your own, you'll have less problems.
-
Re: [Conceptl] MRS Encryption Concept
Quote:
Originally Posted by
ThievingSix
Don't use LG MRS files. Make your own, you'll have less problems.
Like Phail has. Lol.
He's using the Legacy files after he failed at the June files. When I saw it I rofl'led 5 minutes long until my mum came and asked me to be quiet.
The best way to create a server ATM is using Xiao's runnable in combination with Lambda's encrypter. I know it's easy to unpack his way of packing, but since lots of people doesn't know about it (That includes hackers) it doesn't matter.
-
Re: [Conceptl] MRS Encryption Concept
Ripping my fking GFX! :#@@!%@!%@!%@!@%!@
~.~' Was'nt even mine.. like i care..
1+1=5
-
Re: [Conceptl] MRS Encryption Concept
Quote:
Originally Posted by
ThievingSix
Don't use LG MRS files. Make your own, you'll have less problems.
Yeah, I know it's more complex, but I'm trying to understand the LG Runnable to change its encryption code. I know it's easier to add this encryption to another runnable but I like LG's one cuz of the Unmasked administrator name =P
-
Re: [Conceptl] MRS Encryption Concept
Quote:
Originally Posted by
cerealnp
Yeah, I know it's more complex, but I'm trying to understand the LG Runnable to change its encryption code. I know it's easier to add this encryption to another runnable but I like LG's one cuz of the Unmasked administrator name =P
I won't use it if I was you.
But if you really want so, PM me the encryption you want and I'll change it for you. (Send a runnable with it.)
-
Re: [Conceptl] MRS Encryption Concept
Let's keep it on track here please....
-
Re: [Conceptl] MRS Encryption Concept
Quote:
Originally Posted by
ThievingSix
Let's keep it on track here please....
Agree on that. Keep it clean and nice please.
-
Re: [Conceptl] MRS Encryption Concept
I hate mega bumping I am really sorry, but I got a problem with this concept, I open ollydbg and it was going fine until I had to open MRS Decompiler with Olly:
When I open it and try to press Ctrl + L it says in the right hand corner "Paused"
If I try to resume it, it opens the program and then says "Terminated"
Now everytime I open ollydbg thats the message I get in the corner = "Paused"
Any help?
Screenshot:
http://img134.imageshack.us/img134/3193/helpn.jpg
-
Re: [Conceptl] MRS Encryption Concept
What happened to T6, havent seen him in ages
-
Re: [Conceptl] MRS Encryption Concept
What I do know is that he's rank 15 on ExpertsExchange in the Delphi forum.
http://www.experts-exchange.com/Prog...s_IDEs/Delphi/
That's pretty cool. Was he the one who replied to your thread there?
ThievingSix stopped developing for Gunz.
-
Re: [Conceptl] MRS Encryption Concept
Which .exe is being used here? I searched for
but Olly couldn't find it.
-
Re: [Conceptl] MRS Encryption Concept
Quote:
Originally Posted by
Mr.Lucifer
Rank 9. And no I haven't stopped developing for Gunz. Boredom gets the best of me sometimes.
Quote:
Originally Posted by
FxS
Which .exe is being used here? I searched for
but Olly couldn't find it.
The unedited, never been touched one that MAIET developed. You might have a modded exe or you're not using the entire block option in the search.
-
Re: [Conceptl] MRS Encryption Concept
Blah, ya I couldn't find that piece of code at all. (But yea I was using 'entire block')
I'm sure my runnable uses the same methods as the normal gunz.exe since I made it's .mrs files using the same unedited mrs.exe everyone else uses.
Think I could get a link to the clean .exe used here? I just want to try it out so I can learn more about encrypting my stuff.
-
Re: [Conceptl] MRS Encryption Concept
Just get the one in the sticky in the release section. Thats what I used.
-
Re: [Conceptl] MRS Encryption Concept
Thanks T6, I got it working. ^^
-
Re: [Conceptl] MRS Encryption Concept
rofl using this thread i made an encryption with like 20 different codes XD
awesome.
thanks t6 d:
p.s
soz for bumping OO