[Delphi - Source] Decrypt MapCharacters.bmd
And here goes another piece of shitty code
Code:
type
  { Note: 0..3 is four bytes, despite the name }
  T3Bytes = array [0 .. 3] of Byte;
  P3Bytes = ^T3Bytes;
  { An array of DWORDs, not of T3Bytes, despite the name }
  T3BytesArray = array of DWORD;
  P3BytesArray = ^T3BytesArray;

  { Two 4-byte header fields }
  THdr = packed record
    FHdr: T3Bytes;
    SHdr: T3Bytes;
  end;
  PHdr = ^THdr;

  { Header table plus a DWORD block. Both fields are dynamic arrays, so the
    record holds pointers to them, not inline file data. }
  TCharacters = packed record
    Hdr: array of THdr;
    Block: T3BytesArray;
  end;
  PCharacters = ^TCharacters;
PCharacters = ^TCharacters;
No idea what this MapCharacters.bmd is for..
PS. Reversed on the current GMO client (S6 ep2 or ep3)
Re: [Delphi - Source] Decrypt MapCharacters.bmd
Hehe, one release each day, nice :) Lessons on decrypting bmd shit!
Hey, you could do some teaching on decrypting the XOR keys for the new GMO ENG protocol.
Thanks mauka
Re: [Delphi - Source] Decrypt MapCharacters.bmd
C1C2 XOR keys are always constant ;) and definitely not encrypted!
Looks something like this:
Code:
MOV BYTE PTR SS:[EBP-0x10],0xD1
MOV BYTE PTR SS:[EBP-0xF],0x73
MOV BYTE PTR SS:[EBP-0xE],0x52
MOV BYTE PTR SS:[EBP-0xD],0xF6
MOV BYTE PTR SS:[EBP-0xC],0xD2
MOV BYTE PTR SS:[EBP-0xB],0x9A
MOV BYTE PTR SS:[EBP-0xA],0xCB
MOV BYTE PTR SS:[EBP-0x9],0x27
MOV BYTE PTR SS:[EBP-0x8],0x3E
MOV BYTE PTR SS:[EBP-0x7],0xAF
MOV BYTE PTR SS:[EBP-0x6],0x59
MOV BYTE PTR SS:[EBP-0x5],0x31
MOV BYTE PTR SS:[EBP-0x4],0x37
MOV BYTE PTR SS:[EBP-0x3],0xB3
MOV BYTE PTR SS:[EBP-0x2],0xE7
MOV BYTE PTR SS:[EBP-0x1],0xA2
Re: [Delphi - Source] Decrypt MapCharacters.bmd
Thanks for the tip, I will try looking for it in the new GMO ENG main...
I know this is off-topic, but can you explain better how each of these components works in the protocol encryption?
RecvTable
SendTable
XorKeys
Are RecvTable and SendTable also hardcoded in main? Or do we have to produce them through XOR?
Re: [Delphi - Source] Decrypt MapCharacters.bmd
I'm too lazy to explain, but if you set a BP @0065E520, the proc that lands you later in the protocol core, you will find the C1, C2, C3, C4 crypt algo
;) and if you follow the calls you will see that the sent buffer is encrypted again with a 32-byte XOR ;) This is what you are looking for (:
Code:
PUSH EBP
MOV EBP,ESP
SUB ESP,0x28
MOV DWORD PTR SS:[EBP-0x28],ECX
MOV BYTE PTR SS:[EBP-0x20],0xAB
MOV BYTE PTR SS:[EBP-0x1F],0x11
MOV BYTE PTR SS:[EBP-0x1E],0xCD
MOV BYTE PTR SS:[EBP-0x1D],0xFE
MOV BYTE PTR SS:[EBP-0x1C],0x18
MOV BYTE PTR SS:[EBP-0x1B],0x23
MOV BYTE PTR SS:[EBP-0x1A],0xC5
MOV BYTE PTR SS:[EBP-0x19],0xA3
MOV BYTE PTR SS:[EBP-0x18],0xCA
MOV BYTE PTR SS:[EBP-0x17],0x33
MOV BYTE PTR SS:[EBP-0x16],0xC1
MOV BYTE PTR SS:[EBP-0x15],0xCC
MOV BYTE PTR SS:[EBP-0x14],0x66
MOV BYTE PTR SS:[EBP-0x13],0x67
MOV BYTE PTR SS:[EBP-0x12],0x21
MOV BYTE PTR SS:[EBP-0x11],0xF3
MOV BYTE PTR SS:[EBP-0x10],0x32
MOV BYTE PTR SS:[EBP-0xF],0x12
MOV BYTE PTR SS:[EBP-0xE],0x15
MOV BYTE PTR SS:[EBP-0xD],0x35
MOV BYTE PTR SS:[EBP-0xC],0x29
MOV BYTE PTR SS:[EBP-0xB],0xFF
MOV BYTE PTR SS:[EBP-0xA],0xFE
MOV BYTE PTR SS:[EBP-0x9],0x1D
MOV BYTE PTR SS:[EBP-0x8],0x44
MOV BYTE PTR SS:[EBP-0x7],0xEF
MOV BYTE PTR SS:[EBP-0x6],0xCD
MOV BYTE PTR SS:[EBP-0x5],0x41
MOV BYTE PTR SS:[EBP-0x4],0x26
MOV BYTE PTR SS:[EBP-0x3],0x3C
MOV BYTE PTR SS:[EBP-0x2],0x4E
MOV BYTE PTR SS:[EBP-0x1],0x4D
MOV EAX,DWORD PTR SS:[EBP+0x8]
MOV DWORD PTR SS:[EBP-0x24],EAX
JMP L042
L039:
MOV ECX,DWORD PTR SS:[EBP-0x24]
ADD ECX,DWORD PTR SS:[EBP+0x10]
MOV DWORD PTR SS:[EBP-0x24],ECX
L042:
MOV EDX,DWORD PTR SS:[EBP-0x24]
CMP EDX,DWORD PTR SS:[EBP+0xC]
JE L064
MOV EAX,DWORD PTR SS:[EBP-0x28]
ADD EAX,DWORD PTR SS:[EBP-0x24]
MOVZX ECX,BYTE PTR DS:[EAX+0x1]
MOV EDX,DWORD PTR SS:[EBP-0x24]
AND EDX,0x8000001F
JNS L054
DEC EDX
OR EDX,0xFFFFFFE0
INC EDX
L054:
MOVZX EAX,BYTE PTR SS:[EBP+EDX-0x20]
XOR ECX,EAX
MOV EDX,DWORD PTR SS:[EBP-0x28]
ADD EDX,DWORD PTR SS:[EBP-0x24]
MOVZX EAX,BYTE PTR DS:[EDX+0x2]
XOR EAX,ECX
MOV ECX,DWORD PTR SS:[EBP-0x28]
ADD ECX,DWORD PTR SS:[EBP-0x24]
MOV BYTE PTR DS:[ECX+0x2],AL
JMP L039
L064:
MOV ESP,EBP
POP EBP
RETN 0xC
It's simply a loop function, but you only need these keys; I assume you have the crypt proto source:
Code:
MOV BYTE PTR SS:[EBP-0x20],0xAB
MOV BYTE PTR SS:[EBP-0x1F],0x11
MOV BYTE PTR SS:[EBP-0x1E],0xCD
MOV BYTE PTR SS:[EBP-0x1D],0xFE
MOV BYTE PTR SS:[EBP-0x1C],0x18
MOV BYTE PTR SS:[EBP-0x1B],0x23
MOV BYTE PTR SS:[EBP-0x1A],0xC5
MOV BYTE PTR SS:[EBP-0x19],0xA3
MOV BYTE PTR SS:[EBP-0x18],0xCA
MOV BYTE PTR SS:[EBP-0x17],0x33
MOV BYTE PTR SS:[EBP-0x16],0xC1
MOV BYTE PTR SS:[EBP-0x15],0xCC
MOV BYTE PTR SS:[EBP-0x14],0x66
MOV BYTE PTR SS:[EBP-0x13],0x67
MOV BYTE PTR SS:[EBP-0x12],0x21
MOV BYTE PTR SS:[EBP-0x11],0xF3
MOV BYTE PTR SS:[EBP-0x10],0x32
MOV BYTE PTR SS:[EBP-0xF],0x12
MOV BYTE PTR SS:[EBP-0xE],0x15
MOV BYTE PTR SS:[EBP-0xD],0x35
MOV BYTE PTR SS:[EBP-0xC],0x29
MOV BYTE PTR SS:[EBP-0xB],0xFF
MOV BYTE PTR SS:[EBP-0xA],0xFE
MOV BYTE PTR SS:[EBP-0x9],0x1D
MOV BYTE PTR SS:[EBP-0x8],0x44
MOV BYTE PTR SS:[EBP-0x7],0xEF
MOV BYTE PTR SS:[EBP-0x6],0xCD
MOV BYTE PTR SS:[EBP-0x5],0x41
MOV BYTE PTR SS:[EBP-0x4],0x26
MOV BYTE PTR SS:[EBP-0x3],0x3C
MOV BYTE PTR SS:[EBP-0x2],0x4E
MOV BYTE PTR SS:[EBP-0x1],0x4D
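The following is an added example in Python, not code from the thread or from the client being reversed. It does two things the posts above leave to the reader: it parses the OllyDbg-style `MOV BYTE PTR SS:[EBP-0xNN],0xVV` lines (the 16-byte C1C2 key listing in the earlier reply, and the 32-byte key in this one) back into a key table in memory order, and it reimplements the disassembled loop, `buf[i+2] ^= buf[i+1] ^ key[i % 32]` for `i = start; i != end; i += step`. The names `key_from_listing`, `xor32_pass`, `encrypt_packet` and `decrypt_packet` are mine, and the start/end/step values the wrappers pass are assumptions: the thread shows the loop body but not what its callers pass. The sample packet is constructed.

```python
import re

# Added example, not from the thread. Assumptions are marked below.

# One MOV BYTE PTR store of an immediate into a stack slot, as OllyDbg prints it.
MOV_RE = re.compile(
    r"MOV\s+BYTE\s+PTR\s+SS:\[EBP-0x([0-9A-Fa-f]+)\]\s*,\s*0x([0-9A-Fa-f]{1,2})")


def key_from_listing(listing: str) -> bytes:
    """Rebuild a key the compiler materialised as individual byte stores.

    The store with the largest EBP displacement is the lowest address, i.e.
    key[0]; the displacements must form one contiguous run, otherwise the
    lines are not a single key table.
    """
    slots = {int(m.group(1), 16): int(m.group(2), 16)
             for m in MOV_RE.finditer(listing)}
    if not slots:
        raise ValueError("no MOV BYTE PTR SS:[EBP-...] stores found")
    top = max(slots)
    if sorted(slots) != list(range(top - len(slots) + 1, top + 1)):
        raise ValueError("stack slots are not contiguous")
    return bytes(slots[top - i] for i in range(len(slots)))


# Constructed input: the 16-byte C1C2 key listing from the earlier reply, verbatim.
C1C2_LISTING = """
MOV BYTE PTR SS:[EBP-0x10],0xD1
MOV BYTE PTR SS:[EBP-0xF],0x73
MOV BYTE PTR SS:[EBP-0xE],0x52
MOV BYTE PTR SS:[EBP-0xD],0xF6
MOV BYTE PTR SS:[EBP-0xC],0xD2
MOV BYTE PTR SS:[EBP-0xB],0x9A
MOV BYTE PTR SS:[EBP-0xA],0xCB
MOV BYTE PTR SS:[EBP-0x9],0x27
MOV BYTE PTR SS:[EBP-0x8],0x3E
MOV BYTE PTR SS:[EBP-0x7],0xAF
MOV BYTE PTR SS:[EBP-0x6],0x59
MOV BYTE PTR SS:[EBP-0x5],0x31
MOV BYTE PTR SS:[EBP-0x4],0x37
MOV BYTE PTR SS:[EBP-0x3],0xB3
MOV BYTE PTR SS:[EBP-0x2],0xE7
MOV BYTE PTR SS:[EBP-0x1],0xA2
"""

# The 32-byte key from the loop function above, in memory order
# (the byte at EBP-0x20 first, the byte at EBP-0x1 last).
XOR32_KEY = bytes.fromhex(
    "AB11CDFE1823C5A3CA33C1CC666721F3"
    "3212153529FFFE1D44EFCD41263C4E4D")


def xor32_pass(buf: bytearray, key: bytes, start: int, end: int, step: int) -> None:
    """Port of the disassembled loop (thiscall: ECX = buf; args start, end, step):

        for (i = start; i != end; i += step)
            buf[i + 2] ^= buf[i + 1] ^ key[i % 32];

    The AND 0x8000001F / sign-fix sequence is just the compiler's signed
    i % 32. Bytes 0 and 1 are read but never written.
    """
    if len(key) != 32:
        raise ValueError("expected a 32-byte key")
    i = start
    while i != end:
        if i < 0:  # the native code would read key[] out of bounds here
            raise IndexError("negative loop index")
        buf[i + 2] ^= buf[i + 1] ^ key[i % 32]
        i += step


def encrypt_packet(packet: bytes, key: bytes = XOR32_KEY) -> bytes:
    """Forward pass. Assumed caller arguments: start=0, end=len-2, step=1.
    Each output byte chains on the already-encrypted previous byte."""
    buf = bytearray(packet)
    if len(buf) >= 3:
        xor32_pass(buf, key, 0, len(buf) - 2, 1)
    return bytes(buf)


def decrypt_packet(packet: bytes, key: bytes = XOR32_KEY) -> bytes:
    """Backward pass. Assumed caller arguments: start=len-3, end=-1, step=-1.
    In-place decryption must read buf[i+1] while it is still ciphertext, which
    is why one loop body with a step argument serves both directions."""
    buf = bytearray(packet)
    if len(buf) >= 3:
        xor32_pass(buf, key, len(buf) - 3, -1, -1)
    return bytes(buf)


if __name__ == "__main__":
    # Constructed 6-byte packet: C1 header byte, length byte, four arbitrary bytes.
    sample = bytes([0xC1, 0x06, 0xF3, 0x00, 0x01, 0x02])
    print("C1C2 key :", key_from_listing(C1C2_LISTING).hex().upper())
    enc = encrypt_packet(sample)
    print("encrypted:", enc.hex().upper())  # C1065E4F837F
    print("roundtrip:", decrypt_packet(enc) == sample)
```

The parser is the reusable part: paste any run of `MOV BYTE PTR SS:[EBP-...]` stores copied from the debugger and it returns the key with the right byte order and refuses listings with a gap, which is the usual sign that two unrelated locals were copied together. The wrappers show why the loop takes a step argument at all: the forward pass is the only one that can encrypt in place, and the backward pass is the only one that can decrypt in place.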
Re: [Delphi - Source] Decrypt MapCharacters.bmd
Thanks for showing us the way!
Re: [Delphi - Source] Decrypt MapCharacters.bmd
LOL, more bmd shit :P
Nice release :D
Re: [Delphi - Source] Decrypt MapCharacters.bmd
I'm doing BMD -> SMD now, did around 70% already ^_^
Hope I finish it.. xD Once you know the decryption and structure of the BMD 3D mesh file you can try to do an SMD -> BMD converter.