-
Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
http://imageshack.us/a/img16/3167/sc...1114360001.jpg
Quote:
■ [Update Features]
1. Increased Level Cap to 702
2. Updated 12 New Socket Weapons
- These new socket items can be equipped after the 3rd class change and can be created from materials dropped by monsters.
- Materials can be dropped from monsters in Lacleon.
3. Updated 9 New Socket Armor Set
- These items can be equipped after the 3rd class change and can be dropped from monsters over level 122 on the continent of MU.
4. Updated 4 Evil’s Cursed Wings
- These wings can’t be obtained in game according to the eX700 storyline.
a. Cape of Death (Dark Lord / Rage Fighter)
b. Wing of Chaos (Blade Knight / Magic Gladiator)
c. Wing of Magic (Soul Master / Magic Gladiator / Bloody Summoner)
d. Wing of Life (Muse Elf)
Screen UI change
http://image.webzen.net/Mu/guideImag...acter_name.jpg
1 - Name of Character: It displays the name of the corresponding character.
2 - Name of Guild (Name of Alliance): It displays the name of the guild you belong to.
3 - Gens: It displays the name of the guild you belong to.
4 - Elements: When a character equips a pentagram item, the element of the item will be displayed.
* Even if the character name display option is turned off, the element will be displayed.
5 - "Always display characters' name" mode Off: When you turn off "Always display characters' name", only the character's element is displayed.
6 - Character's HP bar: The HP bar is displayed when you are in a party.
2) Change of (Dialog bubble / Heading function / Display of personal store)
- Character's dialog bubble has been changed.
- Tag function has been added to the chat window.
- Dialog bubble displays the name of the talking character.
- Display of individual shop has changed.
http://image.webzen.net/Mu/guideImag...mg_changof.jpg
1 - Name of Character (Dialog bubble): It displays the name of the corresponding character.
2 - Chatting Headings: For convenience, tags will be added to the 4 specialized chatting modes: [guild], [gens], [whisper], [party].
3 - Personal Store: The display of the personal shop has been changed.
3) Monster information
- The display of the monsters' information has been changed.
- The monsters' name, HP, and element are displayed.
- You can change display options of monsters information.
a. Monster information display On: Displays the information of all the monsters on the screen.
b. Monster information display Off: Displays the information of the monsters selected by mouse.
http://image.webzen.net/Mu/guideImag...nster_info.jpg
And more...
Refer to this article:
Code:
http://muonline.webzen.com/events/EX700plusGate/
Only unpacked:
Code:
http://www.gamefront.com/files/22435901/11417.rar
Unpacked & Cracked by SmallHabit:
Code:
http://forum.ragezone.com/f197/unpacked-ex700-plus-main-exe-884156/index2.html#post7281430
IP, Port, Ver, Serial:
Code:
http://forum.ragezone.com/f197/unpacked-ex700-plus-main-exe-884156/index5.html#post7283510
Patch:
Code:
ftp://patch.muonline.webzen.net/pub/webzen/1.04.17/
Loader by SmallHabit (loads the packed main.exe and patches everything directly in memory, which results in no crashes and a main.exe as stable as it can be):
Code:
http://forum.ragezone.com/f197/unpacked-ex700-plus-main-exe-884156/index5.html#post7285151
Guide/Patches by Dudi (fixes crashes and more packer shit):
Code:
http://forum.ragezone.com/f197/unpacked-ex700-plus-main-exe-884156/index4.html#post7282915
Unpacked Main.exe with all patches & fixes by caothuphutho:
Code:
http://forum.ragezone.com/f197/unpacked-ex700-plus-main-exe-884156/index5.html#post7285374
Offset to Crack CMStarterCore.exe by IcaruS:
Code:
http://forum.ragezone.com/f197/unpacked-ex700-plus-main-exe-884156/index5.html#post7284566
Guide to crack CMStarterCore: http://forum.ragezone.com/f196/bypas...-check-670063/
Another guide on how to crack CMStarterCore: http://forum.ragezone.com/f197/games...upport-709976/
Or read this http://forum.ragezone.com/f196/start...te-gmo-883531/ , it's a better solution than cracking CMStarterCore.
---
Open main.exe with a hex editor and do the following patches to main.exe (for crack):
Code:
MU:
- Search: 75 5B 68 24 A1 FE 00 68 20 82 1A 01 E8 75 11 4F 00
- Replace: EB 5B 68 24 A1 FE 00 68 20 82 1A 01 E8 75 11 4F 00
GG:
- Search: E8 AE 45 50 00 0F B6 C0 85 C0 0F 85 8A 00 00 00
- Replace: E8 AE 45 50 00 0F B6 C0 85 C0 E9 8B 00 00 00 90
- Search: 74 19 FF 35 34 1A 17 01 8B 8D EC F1 FF FF E8 A3 16 00 00
- Replace: EB 19 FF 35 34 1A 17 01 8B 8D EC F1 FF FF 90 90 90 90 90
RG:
- Search: 74 23 68 04 AA FE 00 68 20 82 1A 01 E8 37 DD 4E 00 .
- Replace: EB 23 68 04 AA FE 00 68 20 82 1A 01 E8 37 DD 4E 00
- Search: 74 23 68 F8 19 00 01 68 20 82 1A 01 E8 DE 0C 3B 00 .
- Replace: EB 23 68 F8 19 00 01 68 20 82 1A 01 E8 DE 0C 3B 00
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Max level is now 702? Whoah, amazing!
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
They can't fix the GION event bug with 700LVL char 1Hit die... )))) so they increased it by 2LVL
AHAHAHHA.... Funny developers proest
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Any protocol changes? or only visual?
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
No idea, I've just updated the client and unpacked it. :) Will now go and check...
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Hmm okay :) Will see what I can do with this :) Anyway, thx for the unpack.
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
It is very possible to put a 3D camera in the Ex700 main.exe; look at this server: GameThuVN MUOnline Ex700 - YouTube
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Awesome stuff from Webzen developers, I think the jokes with 999 shits are not far from reality.
Anyway, good job mauka for the unpacking and the cmstartercore src!
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
mauka, are the main and client really compatible with server files? SCF or IGCN?
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Quote:
Originally Posted by
Yag4mi2k
mauka, are the main and client really compatible with server files? SCF or IGCN?
I have 11.11.82, is it compatible?
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Thanks for the unpack mauka, have you any server where we can test this? =)
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Quote:
Thanks for the unpack mauka, have you any server where we can test this? =)
Quote:
mauka, are the main and client really compatible with server files? SCF or IGCN?
You can test it on Global Server MuOnline ^_^
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
How about the server side files?... Thanks for this :)
Running Main.exe gives a "Client Closed" error in skill_eng.bmd.
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
I think there is something wrong.
- Cracked Main (GG,RG).
- Disabled Mu.exe
- Starting Main.exe from GMO webpage
- Login, wait 5-10 seconds, and main closes.
Quote:
[Connect to Server] ip address = connect.muonline.webzen.com, port = 44405
> Login Scene init success.
Send Request Server List.
Success Receive Server List.
Success Receive Server List.
[ReceiveServerConnect][Socket Closed][Clear PacketQueue]
[Connect to Server] ip address = 211.43.146.194, port = 55915
> Login Request.
> Try to Login "0000821604"
> Request Character list
> Character scene init success.
Save DumpFile complete - MuError.dmp
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
For me doesn't work at all. (Windows 8 x64)
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Yes, I think it's good enough, thank you so much!
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Here is what I'm talking about. :)
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
@SmallHabit
For me, every unpacked main posted here has this problem :) I handle it by attaching the IDA debugger. It catches an exception (memory access violation), and then I patch the file on the fly (Patch program->Assemble) by NOP-ing a few instructions. I believe this problem is a side effect of unpacking.
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
janson, can you post a fixed main so we can test this, if it's not a problem for you!
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Looks very beautiful :D Can you share sv and path for me to test? I like it :D
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Quote:
@SmallHabit
For me, every unpacked main posted here has this problem :) I handle it by attaching the IDA debugger. It catches an exception (memory access violation), and then I patch the file on the fly (Patch program->Assemble) by NOP-ing a few instructions. I believe this problem is a side effect of unpacking.
F** yeah, thanks, it worked. Now it crashes when choosing a character, but I think I can handle this ^_^
Download main_11417_fix_1.zip from Sendspace.com - here is the fixed main
- GG, RG cracked
- Fixed character select screen crash
- Fixed crash when selecting a character
P.S. - Maybe there are more crashes, can't test, need the character info proto to test it in-game.
http://s43.radikal.ru/i099/1210/31/672f44e75353.jpg
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
The patch is 1.04.17, why is the main 1.14.17?
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
I think this is Webzen's error :)
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
You can stay online in GMO to check stability ;) for 5 ~ 10 mins without GameGuard auth.. As a matter of fact, for those who are interested in GG - CS auth, here is one of my old GG emulator sources:
Code:
unit uGameGuard;
interface
uses
Windows,SysUtils,Dialogs; {TBytes}
type
Pkey = ^TGG_key;
TGG_Key = array[0..3] of Cardinal;
PCtx = ^TBlowFish_CTX;
TBlowFish_CTX = record
P: array[0..17] of Cardinal;
S: array[0..3,0..$FF] of Cardinal;
end;
const
ORIG_P: array [0..17] of Cardinal =
($243F6A88, $85A308D3, $13198A2E, $03707344, $A4093822, $299F31D0,
$082EFA98, $EC4E6C89, $452821E6, $38D01377, $BE5466CF, $34E90C6C,
$C0AC29B7, $C97C50DD, $3F84D5B5, $B5470917, $9216D5D9, $8979FB1B);
ORIG_S: array [0..3,0..$FF] of Cardinal =
(($D1310BA6, $98DFB5AC, $2FFD72DB, $D01ADFB7, $B8E1AFED, $6A267E96,
$BA7C9045, $F12C7F99, $24A19947, $B3916CF7, $0801F2E2, $858EFC16,
$636920D8, $71574E69, $A458FEA3, $F4933D7E, $0D95748F, $728EB658,
$718BCD58, $82154AEE, $7B54A41D, $C25A59B5, $9C30D539, $2AF26013,
$C5D1B023, $286085F0, $CA417918, $B8DB38EF, $8E79DCB0, $603A180E,
$6C9E0E8B, $B01E8A3E, $D71577C1, $BD314B27, $78AF2FDA, $55605C60,
$E65525F3, $AA55AB94, $57489862, $63E81440, $55CA396A, $2AAB10B6,
$B4CC5C34, $1141E8CE, $A15486AF, $7C72E993, $B3EE1411, $636FBC2A,
$2BA9C55D, $741831F6, $CE5C3E16, $9B87931E, $AFD6BA33, $6C24CF5C,
$7A325381, $28958677, $3B8F4898, $6B4BB9AF, $C4BFE81B, $66282193,
$61D809CC, $FB21A991, $487CAC60, $5DEC8032, $EF845D5D, $E98575B1,
$DC262302, $EB651B88, $23893E81, $D396ACC5, $0F6D6FF3, $83F44239,
$2E0B4482, $A4842004, $69C8F04A, $9E1F9B5E, $21C66842, $F6E96C9A,
$670C9C61, $ABD388F0, $6A51A0D2, $D8542F68, $960FA728, $AB5133A3,
$6EEF0B6C, $137A3BE4, $BA3BF050, $7EFB2A98, $A1F1651D, $39AF0176,
$66CA593E, $82430E88, $8CEE8619, $456F9FB4, $7D84A5C3, $3B8B5EBE,
$E06F75D8, $85C12073, $401A449F, $56C16AA6, $4ED3AA62, $363F7706,
$1BFEDF72, $429B023D, $37D0D724, $D00A1248, $DB0FEAD3, $49F1C09B,
$075372C9, $80991B7B, $25D479D8, $F6E8DEF7, $E3FE501A, $B6794C3B,
$976CE0BD, $04C006BA, $C1A94FB6, $409F60C4, $5E5C9EC2, $196A2463,
$68FB6FAF, $3E6C53B5, $1339B2EB, $3B52EC6F, $6DFC511F, $9B30952C,
$CC814544, $AF5EBD09, $BEE3D004, $DE334AFD, $660F2807, $192E4BB3,
$C0CBA857, $45C8740F, $D20B5F39, $B9D3FBDB, $5579C0BD, $1A60320A,
$D6A100C6, $402C7279, $679F25FE, $FB1FA3CC, $8EA5E9F8, $DB3222F8,
$3C7516DF, $FD616B15, $2F501EC8, $AD0552AB, $323DB5FA, $FD238760,
$53317B48, $3E00DF82, $9E5C57BB, $CA6F8CA0, $1A87562E, $DF1769DB,
$D542A8F6, $287EFFC3, $AC6732C6, $8C4F5573, $695B27B0, $BBCA58C8,
$E1FFA35D, $B8F011A0, $10FA3D98, $FD2183B8, $4AFCB56C, $2DD1D35B,
$9A53E479, $B6F84565, $D28E49BC, $4BFB9790, $E1DDF2DA, $A4CB7E33,
$62FB1341, $CEE4C6E8, $EF20CADA, $36774C01, $D07E9EFE, $2BF11FB4,
$95DBDA4D, $AE909198, $EAAD8E71, $6B93D5A0, $D08ED1D0, $AFC725E0,
$8E3C5B2F, $8E7594B7, $8FF6E2FB, $F2122B64, $8888B812, $900DF01C,
$4FAD5EA0, $688FC31C, $D1CFF191, $B3A8C1AD, $2F2F2218, $BE0E1777,
$EA752DFE, $8B021FA1, $E5A0CC0F, $B56F74E8, $18ACF3D6, $CE89E299,
$B4A84FE0, $FD13E0B7, $7CC43B81, $D2ADA8D9, $165FA266, $80957705,
$93CC7314, $211A1477, $E6AD2065, $77B5FA86, $C75442F5, $FB9D35CF,
$EBCDAF0C, $7B3E89A0, $D6411BD3, $AE1E7E49, $00250E2D, $2071B35E,
$226800BB, $57B8E0AF, $2464369B, $F009B91E, $5563911D, $59DFA6AA,
$78C14389, $D95A537F, $207D5BA2, $02E5B9C5, $83260376, $6295CFA9,
$11C81968, $4E734A41, $B3472DCA, $7B14A94A, $1B510052, $9A532915,
$D60F573F, $BC9BC6E4, $2B60A476, $81E67400, $08BA6FB5, $571BE91F,
$F296EC6B, $2A0DD915, $B6636521, $E7B9F9B6, $FF34052E, $C5855664,
$53B02D5D, $A99F8FA1, $08BA4799, $6E85076A),
($4B7A70E9, $B5B32944,
$DB75092E, $C4192623, $AD6EA6B0, $49A7DF7D, $9CEE60B8, $8FEDB266,
$ECAA8C71, $699A17FF, $5664526C, $C2B19EE1, $193602A5, $75094C29,
$A0591340, $E4183A3E, $3F54989A, $5B429D65, $6B8FE4D6, $99F73FD6,
$A1D29C07, $EFE830F5, $4D2D38E6, $F0255DC1, $4CDD2086, $8470EB26,
$6382E9C6, $021ECC5E, $09686B3F, $3EBAEFC9, $3C971814, $6B6A70A1,
$687F3584, $52A0E286, $B79C5305, $AA500737, $3E07841C, $7FDEAE5C,
$8E7D44EC, $5716F2B8, $B03ADA37, $F0500C0D, $F01C1F04, $0200B3FF,
$AE0CF51A, $3CB574B2, $25837A58, $DC0921BD, $D19113F9, $7CA92FF6,
$94324773, $22F54701, $3AE5E581, $37C2DADC, $C8B57634, $9AF3DDA7,
$A9446146, $0FD0030E, $ECC8C73E, $A4751E41, $E238CD99, $3BEA0E2F,
$3280BBA1, $183EB331, $4E548B38, $4F6DB908, $6F420D03, $F60A04BF,
$2CB81290, $24977C79, $5679B072, $BCAF89AF, $DE9A771F, $D9930810,
$B38BAE12, $DCCF3F2E, $5512721F, $2E6B7124, $501ADDE6, $9F84CD87,
$7A584718, $7408DA17, $BC9F9ABC, $E94B7D8C, $EC7AEC3A, $DB851DFA,
$63094366, $C464C3D2, $EF1C1847, $3215D908, $DD433B37, $24C2BA16,
$12A14D43, $2A65C451, $50940002, $133AE4DD, $71DFF89E, $10314E55,
$81AC77D6, $5F11199B, $043556F1, $D7A3C76B, $3C11183B, $5924A509,
$F28FE6ED, $97F1FBFA, $9EBABF2C, $1E153C6E, $86E34570, $EAE96FB1,
$860E5E0A, $5A3E2AB3, $771FE71C, $4E3D06FA, $2965DCB9, $99E71D0F,
$803E89D6, $5266C825, $2E4CC978, $9C10B36A, $C6150EBA, $94E2EA78,
$A5FC3C53, $1E0A2DF4, $F2F74EA7, $361D2B3D, $1939260F, $19C27960,
$5223A708, $F71312B6, $EBADFE6E, $EAC31F66, $E3BC4595, $A67BC883,
$B17F37D1, $018CFF28, $C332DDEF, $BE6C5AA5, $65582185, $68AB9802,
$EECEA50F, $DB2F953B, $2AEF7DAD, $5B6E2F84, $1521B628, $29076170,
$ECDD4775, $619F1510, $13CCA830, $EB61BD96, $0334FE1E, $AA0363CF,
$B5735C90, $4C70A239, $D59E9E0B, $CBAADE14, $EECC86BC, $60622CA7,
$9CAB5CAB, $B2F3846E, $648B1EAF, $19BDF0CA, $A02369B9, $655ABB50,
$40685A32, $3C2AB4B3, $319EE9D5, $C021B8F7, $9B540B19, $875FA099,
$95F7997E, $623D7DA8, $F837889A, $97E32D77, $11ED935F, $16681281,
$0E358829, $C7E61FD6, $96DEDFA1, $7858BA99, $57F584A5, $1B227263,
$9B83C3FF, $1AC24696, $CDB30AEB, $532E3054, $8FD948E4, $6DBC3128,
$58EBF2EF, $34C6FFEA, $FE28ED61, $EE7C3C73, $5D4A14D9, $E864B7E3,
$42105D14, $203E13E0, $45EEE2B6, $A3AAABEA, $DB6C4F15, $FACB4FD0,
$C742F442, $EF6ABBB5, $654F3B1D, $41CD2105, $D81E799E, $86854DC7,
$E44B476A, $3D816250, $CF62A1F2, $5B8D2646, $FC8883A0, $C1C7B6A3,
$7F1524C3, $69CB7492, $47848A0B, $5692B285, $095BBF00, $AD19489D,
$1462B174, $23820E00, $58428D2A, $0C55F5EA, $1DADF43E, $233F7061,
$3372F092, $8D937E41, $D65FECF1, $6C223BDB, $7CDE3759, $CBEE7460,
$4085F2A7, $CE77326E, $A6078084, $19F8509E, $E8EFD855, $61D99735,
$A969A7AA, $C50C06C2, $5A04ABFC, $800BCADC, $9E447A2E, $C3453484,
$FDD56705, $0E1E9EC9, $DB73DBD3, $105588CD, $675FDA79, $E3674340,
$C5C43465, $713E38D8, $3D28F89E, $F16DFF20, $153E21E7, $8FB03D4A,
$E6E39F2B, $DB83ADF7),
($E93D5A68, $948140F7, $F64C261C, $94692934,
$411520F7, $7602D4F7, $BCF46B2E, $D4A20068, $D4082471, $3320F46A,
$43B7D4B7, $500061AF, $1E39F62E, $97244546, $14214F74, $BF8B8840,
$4D95FC1D, $96B591AF, $70F4DDD3, $66A02F45, $BFBC09EC, $03BD9785,
$7FAC6DD0, $31CB8504, $96EB27B3, $55FD3941, $DA2547E6, $ABCA0A9A,
$28507825, $530429F4, $0A2C86DA, $E9B66DFB, $68DC1462, $D7486900,
$680EC0A4, $27A18DEE, $4F3FFEA2, $E887AD8C, $B58CE006, $7AF4D6B6,
$AACE1E7C, $D3375FEC, $CE78A399, $406B2A42, $20FE9E35, $D9F385B9,
$EE39D7AB, $3B124E8B, $1DC9FAF7, $4B6D1856, $26A36631, $EAE397B2,
$3A6EFA74, $DD5B4332, $6841E7F7, $CA7820FB, $FB0AF54E, $D8FEB397,
$454056AC, $BA489527, $55533A3A, $20838D87, $FE6BA9B7, $D096954B,
$55A867BC, $A1159A58, $CCA92963, $99E1DB33, $A62A4A56, $3F3125F9,
$5EF47E1C, $9029317C, $FDF8E802, $04272F70, $80BB155C, $05282CE3,
$95C11548, $E4C66D22, $48C1133F, $C70F86DC, $07F9C9EE, $41041F0F,
$404779A4, $5D886E17, $325F51EB, $D59BC0D1, $F2BCC18F, $41113564,
$257B7834, $602A9C60, $DFF8E8A3, $1F636C1B, $0E12B4C2, $02E1329E,
$AF664FD1, $CAD18115, $6B2395E0, $333E92E1, $3B240B62, $EEBEB922,
$85B2A20E, $E6BA0D99, $DE720C8C, $2DA2F728, $D0127845, $95B794FD,
$647D0862, $E7CCF5F0, $5449A36F, $877D48FA, $C39DFD27, $F33E8D1E,
$0A476341, $992EFF74, $3A6F6EAB, $F4F8FD37, $A812DC60, $A1EBDDF8,
$991BE14C, $DB6E6B0D, $C67B5510, $6D672C37, $2765D43B, $DCD0E804,
$F1290DC7, $CC00FFA3, $B5390F92, $690FED0B, $667B9FFB, $CEDB7D9C,
$A091CF0B, $D9155EA3, $BB132F88, $515BAD24, $7B9479BF, $763BD6EB,
$37392EB3, $CC115979, $8026E297, $F42E312D, $6842ADA7, $C66A2B3B,
$12754CCC, $782EF11C, $6A124237, $B79251E7, $06A1BBE6, $4BFB6350,
$1A6B1018, $11CAEDFA, $3D25BDD8, $E2E1C3C9, $44421659, $0A121386,
$D90CEC6E, $D5ABEA2A, $64AF674E, $DA86A85F, $BEBFE988, $64E4C3FE,
$9DBC8057, $F0F7C086, $60787BF8, $6003604D, $D1FD8346, $F6381FB0,
$7745AE04, $D736FCCC, $83426B33, $F01EAB71, $B0804187, $3C005E5F,
$77A057BE, $BDE8AE24, $55464299, $BF582E61, $4E58F48F, $F2DDFDA2,
$F474EF38, $8789BDC2, $5366F9C3, $C8B38E74, $B475F255, $46FCD9B9,
$7AEB2661, $8B1DDF84, $846A0E79, $915F95E2, $466E598E, $20B45770,
$8CD55591, $C902DE4C, $B90BACE1, $BB8205D0, $11A86248, $7574A99E,
$B77F19B6, $E0A9DC09, $662D09A1, $C4324633, $E85A1F02, $09F0BE8C,
$4A99A025, $1D6EFE10, $1AB93D1D, $0BA5A4DF, $A186F20F, $2868F169,
$DCB7DA83, $573906FE, $A1E2CE9B, $4FCD7F52, $50115E01, $A70683FA,
$A002B5C4, $0DE6D027, $9AF88C27, $773F8641, $C3604C06, $61A806B5,
$F0177A28, $C0F586E0, $006058AA, $30DC7D62, $11E69ED7, $2338EA63,
$53C2DD94, $C2C21634, $BBCBEE56, $90BCB6DE, $EBFC7DA1, $CE591D76,
$6F05E409, $4B7C0188, $39720A3D, $7C927C24, $86E3725F, $724D9DB9,
$1AC15BB4, $D39EB8FC, $ED545578, $08FCA5B5, $D83D7CD3, $4DAD0FC4,
$1E50EF5E, $B161E6F8, $A28514D9, $6C51133C, $6FD5C7E7, $56E14EC4,
$362ABFCE, $DDC6C837, $D79A3234, $92638212, $670EFA8E, $406000E0),
($3A39CE37, $D3FAF5CF, $ABC27737, $5AC52D1B, $5CB0679E, $4FA33742,
$D3822740, $99BC9BBE, $D5118E9D, $BF0F7315, $D62D1C7E, $C700C47B,
$B78C1B6B, $21A19045, $B26EB1BE, $6A366EB4, $5748AB2F, $BC946E79,
$C6A376D2, $6549C2C8, $530FF8EE, $468DDE7D, $D5730A1D, $4CD04DC6,
$2939BBDB, $A9BA4650, $AC9526E8, $BE5EE304, $A1FAD5F0, $6A2D519A,
$63EF8CE2, $9A86EE22, $C089C2B8, $43242EF6, $A51E03AA, $9CF2D0A4,
$83C061BA, $9BE96A4D, $8FE51550, $BA645BD6, $2826A2F9, $A73A3AE1,
$4BA99586, $EF5562E9, $C72FEFD3, $F752F7DA, $3F046F69, $77FA0A59,
$80E4A915, $87B08601, $9B09E6AD, $3B3EE593, $E990FD5A, $9E34D797,
$2CF0B7D9, $022B8B51, $96D5AC3A, $017DA67D, $D1CF3ED6, $7C7D2D28,
$1F9F25CF, $ADF2B89B, $5AD6B472, $5A88F54C, $E029AC71, $E019A5E6,
$47B0ACFD, $ED93FA9B, $E8D3C48D, $283B57CC, $F8D56629, $79132E28,
$785F0191, $ED756055, $F7960E44, $E3D35E8C, $15056DD4, $88F46DBA,
$03A16125, $0564F0BD, $C3EB9E15, $3C9057A2, $97271AEC, $A93A072A,
$1B3F6D9B, $1E6321F5, $F59C66FB, $26DCF319, $7533D928, $B155FDF5,
$03563482, $8ABA3CBB, $28517711, $C20AD9F8, $ABCC5167, $CCAD925F,
$4DE81751, $3830DC8E, $379D5862, $9320F991, $EA7A90C2, $FB3E7BCE,
$5121CE64, $774FBE32, $A8B6E37E, $C3293D46, $48DE5369, $6413E680,
$A2AE0810, $DD6DB224, $69852DFD, $09072166, $B39A460A, $6445C0DD,
$586CDECF, $1C20C8AE, $5BBEF7DD, $1B588D40, $CCD2017F, $6BB4E3BB,
$DDA26A7E, $3A59FF45, $3E350A44, $BCB4CDD5, $72EACEA8, $FA6484BB,
$8D6612AE, $BF3C6F47, $D29BE463, $542F5D9E, $AEC2771B, $F64E6370,
$740E0D8D, $E75B1357, $F8721671, $AF537D5D, $4040CB08, $4EB4E2CC,
$34D2466A, $0115AF84, $E1B00428, $95983A1D, $06B89FB4, $CE6EA048,
$6F3F3B82, $3520AB82, $011A1D4B, $277227F8, $611560B1, $E7933FDC,
$BB3A792B, $344525BD, $A08839E1, $51CE794B, $2F32C9B7, $A01FBAC9,
$E01CC87E, $BCC7D1F6, $CF0111C3, $A1E8AAC7, $1A908749, $D44FBD9A,
$D0DADECB, $D50ADA38, $0339C32A, $C6913667, $8DF9317C, $E0B12B4F,
$F79E59B7, $43F5BB3A, $F2D519FF, $27D9459C, $BF97222C, $15E6FC2A,
$0F91FC71, $9B941525, $FAE59361, $CEB69CEB, $C2A86459, $12BAA8D1,
$B6C1075E, $E3056A0C, $10D25065, $CB03A442, $E0EC6E0E, $1698DB3B,
$4C98A0BE, $3278E964, $9F1F9532, $E0D392DF, $D3A0342B, $8971F21E,
$1B0A7441, $4BA3348C, $C5BE7120, $C37632D8, $DF359F8D, $9B992F2E,
$E60B6F47, $0FE3F11D, $E54CDA54, $1EDAD891, $CE6279CF, $CD3E7E6F,
$1618B166, $FD2C1D05, $848FD2C5, $F6FB2299, $F523F357, $A6327623,
$93A83531, $56CCCD02, $ACF08162, $5A75EBB5, $6E163697, $88D273CC,
$DE966292, $81B949D0, $4C50901B, $71C65614, $E6C6C7BD, $327A140A,
$45E1D006, $C3F27B9A, $C9AA53FD, $62A80F00, $BB25BFE2, $35BDD2F6,
$71126905, $B2040222, $B6CBCF7C, $CD769C2B, $53113EC0, $1640E3D3,
$38ABBD60, $2547ADF0, $BA38209C, $F746CE76, $77AFA1C5, $20756060,
$85CBFE4E, $8AE88DD8, $7AAAF9B0, $4CF9AA7E, $1948C25C, $02FB8A8C,
$01C36AE4, $D6EBE1F9, $90D4F869, $A65CDEA0, $3F09252D, $C208E69F,
$B74E6132, $CE77E25B, $578FDFE3, $3AC372E6));
const
N = 16;
IncaKey = '@SAU^T2*KY';
procedure BlowFish_Init(Ctx: PCtx; Key: TBytes; KeyLen: integer);
procedure GameGuard_Decrypt(InKey: Pkey);
procedure GameGuard_Encrypt(InKey: Pkey);
procedure GameGuard_ShiftBits(inKey: Pkey; var Key: TGG_Key);
function GG_KeyGen(KeyIn,KeyOut: Pkey): Integer;
procedure GenerateGG(Data:PByteArray);
var
MyBlowShit: TBlowFish_CTX;
FirstCall: Boolean = True;
Key:TBytes;
GameGuardPacket : TBytes;
implementation
uses
uMainFrm;
procedure GenerateGG(Data:PByteArray);
var
GGKey,SendGameGuard:TGG_Key;
begin
SetLength(GameGuardPacket,20);
GGKey[0] := PDWord(@Data[4])^;
GGKey[1] := PDWord(@Data[8])^;
GGKey[2] := PDWord(@Data[12])^;
GGKey[3] := PDWord(@Data[16])^;
GG_KeyGen(@GGKey,@SendGameGuard);
Move(SendGameGuard[0],GameGuardPacket[4],16);
GameGuardPacket[0]:=$C3;
GameGuardPacket[1]:=$14;
GameGuardPacket[2]:=$73;
GameGuardPacket[3]:=$00;
MainFrm.SendC3C4(MainFrm.Client,GameGuardPacket,$14);
MainFrm.LogMessage('aa '+ IntToHex(GGKey[0],4));
end;
function F(Ctx: PCtx; x: Cardinal): Cardinal;
var
a,b,c,d : Byte;
y: Cardinal;
begin
d := Byte(x and $FF);
x := x shr 8;
c := Byte(x and $FF);
x := x shr 8;
b := Byte(x and $FF);
x := x shr 8;
a := Byte(x and $FF);
y := Ctx.S[0,a] + Ctx.S[1,b];
Result := y xor Ctx.S[2,c] + Ctx.S[3,d];
end;
procedure BlowFish_Encrypt(Ctx: PCtx; var Xl, Xr: Cardinal);
var
i: Byte;
Tmp: Cardinal;
begin
for I := 0 to N - 1 do
begin
Xl := Xl xor Ctx.P[i];
Xr := F(Ctx,Xl) xor Xr;
Tmp := Xl;
Xl := Xr;
Xr := Tmp;
end;
Tmp := Xl;
Xl := Xr;
Xr := Tmp;
Xr := Xr xor Ctx.P[n]; // final whitening with P[16]
Xl := Xl xor Ctx.P[n + 1]; // and P[17]
end;
procedure BlowFish_Decrypt(Ctx: PCtx; var Xl,Xr: Cardinal);
var
I: Byte;
Tmp: Cardinal;
begin
for I := n +1 downto 2 do
begin
Xl := Xl xor Ctx.P[i];
Xr := F(Ctx,Xl) xor Xr;
Tmp := Xl;
Xl := Xr;
Xr := Tmp;
end;
Tmp := Xl;
Xl := Xr;
Xr := Tmp;
Xr := Xr xor Ctx.P[1];
Xl := Xl xor Ctx.P[0];
end;
procedure BlowFish_Init(Ctx: PCtx; Key: TBytes; KeyLen: integer);
var
i,j,k: Integer;
Data,LData,RData: Cardinal;
begin
for I := 0 to 4 - 1 do
for j := 0 to $FF do
Ctx.S[i,j] := Orig_S[i,j];
J := 0;
for i := 0 to 18 - 1 do
begin
Data := $00000000;
for k := 0 to 4 - 1 do
begin
Data := (Data shl 8) or Key[j];
Inc(J,1);
if J >= KeyLen then
J := 0;
end;
Ctx.P[i] := ORIG_P[i] xor Data;
end;
LData := $00000000;
RData := $00000000;
i := 0;
while i < 18 do
begin
BlowFish_Encrypt(Ctx,LData,RData);
Ctx.P[i] := LData;
Ctx.P[i + 1] := RData;
Inc(i,2);
end;
for I := 0 to 4 - 1 do
begin
j := 0;
while j < $FF do
begin
BlowFish_Encrypt(Ctx,LData,RData);
Ctx.S[i,j] := LData;
Ctx.S[i,j + 1] := RData;
Inc(j,2);
end;
end;
end;
procedure GameGuard_Encrypt(InKey: Pkey);
begin
InKey[0] := InKey[0] xor $AFD349D;
InKey[1] := InKey[1] xor $9D28B918;
BlowFish_Encrypt(@MyBlowShit,InKey[0],InKey[2]);
InKey[2] := InKey[2] xor $B64D24A;
InKey[3] := InKey[3] xor $F674C8B9;
BlowFish_Encrypt(@MyBlowShit,InKey[1],InKey[3]);
end;
procedure GameGuard_Decrypt(InKey: Pkey);
begin
BlowFish_Decrypt(@MyBlowShit,InKey[1],InKey[3]);
InKey[2] := InKey[2] xor $64D84A;
InKey[3] := InKey[3] xor $F0F4C802;
BlowFish_Decrypt(@MyBlowShit,InKey[0],InKey[2]);
InKey[0] := InKey[0] xor $FD3A9D;
InKey[1] := InKey[1] xor $9D2DB902;
end;
procedure GameGuard_ShiftBits(inKey: Pkey; var Key: TGG_Key);
var
i: Integer;
begin
for I := 0 to 4 - 1 do
begin
Key[i] := ($FF000000 and (InKey[i] shl 24))
or ($00FF0000 and (InKey[i] shl 8))
or ($0000FF00 and (InKey[i] shr 8))
or ($000000FF and (InKey[i] shr 24));
end;
end;
function GG_KeyGen(KeyIn,KeyOut: Pkey): integer;
var
i:Integer;
iIndex: Integer;
begin
if(FirstCall)then
begin
SetLength(Key,10);
for I := 0 to 9 do // IncaKey has 10 characters (1-based string), Key has indices 0..9
Key[I]:=Ord(IncaKey[I+1]);
Blowfish_Init(@MyBlowShit,Key,10);
FirstCall:=False;
end;
GameGuard_Decrypt(KeyIn);
iIndex := KeyIn[0];
if iIndex <= 500 then
begin
case iIndex of
0: begin
KeyOut[0] := $00010060;
KeyOut[1] := $0410E304;
KeyOut[2] := $77C06F45;
KeyOut[3] := $0E0BD7B4;
GameGuard_Encrypt(KeyOut);
end;
01: begin
KeyOut[0] := $00010060;
KeyOut[1] := KeyIn[1];
KeyOut[2] := ((((KeyIn[3] - $4AF0A78E) + $6DB3A822) + $54C358B3) + $0C05DFA0);
KeyOut[3] := KeyIn[3];
GameGuard_Encrypt(KeyOut);
end;
03: begin
KeyOut[0] := $00010060;
KeyOut[1] := KeyIn[1];
KeyOut[2] := KeyIn[2];
KeyOut[3] := ((((KeyIn[3] xor $52D4C400) xor $211CA524) xor $9EAE3439) + $8D7D61C9);
GameGuard_Encrypt(KeyOut);
end;
05: begin
KeyOut[0] := $00010060;
KeyOut[1] := KeyIn[1];
KeyOut[2] := ((((KeyIn[3] + $2CA95285) - $5F558F46) xor $879CDAC8) + $3737F6EE);
KeyOut[3] := KeyIn[3];
GameGuard_Encrypt(KeyOut);
end;
07: begin
KeyOut[0] := $00010060;
KeyOut[1] := KeyIn[1];
KeyOut[2] := ((((KeyIn[3] + $22C53062) xor $12790E01) + $02D97EA5) + $A97E0973);
KeyOut[3] := KeyIn[3];
GameGuard_Encrypt(KeyOut);
end;
09: begin
KeyOut[0] := $00010060;
KeyOut[1] := KeyIn[1];
KeyOut[2] := KeyIn[2];
KeyOut[3] := ((((KeyIn[3] + $5F8B1DF5) xor $F9D66339) - $669E8117) + $CB54D4BB);
GameGuard_Encrypt(KeyOut);
end;
10: begin
KeyOut[0] := $00010060;
KeyOut[1] := ((((KeyIn[3] + $4A859AD7) - $30256CD6) xor $1A09017C) + $B2680BF0);
KeyOut[2] := KeyIn[2];
KeyOut[3] := KeyIn[3];
GameGuard_Encrypt(KeyOut);
end;
11: begin
KeyOut[0] := $00010060;
KeyOut[1] := ((((KeyIn[3] - $0FC0E2A1) - $6DF0C485) + $4282BD92) + $03607D06);
KeyOut[2] := KeyIn[2];
KeyOut[3] := KeyIn[3];
GameGuard_Encrypt(KeyOut);
end;
450: begin
KeyOut[0] := $00010060;
KeyOut[1] := KeyIn[1];
KeyOut[2] := ((((KeyIn[3] + $4602E424) + $1BB854E5) xor $C41C332B) + $660C213C);
KeyOut[3] := KeyIn[3];
GameGuard_Encrypt(KeyOut);
end;
448: begin
KeyOut[0] := $00010060;
KeyOut[1] := KeyIn[1];
KeyOut[2] := ((((KeyIn[3] - $3FE1DA99) - $7E9676CE) xor $CFC9FF27) + $8D7D61C9);
KeyOut[3] := KeyIn[3];
GameGuard_Encrypt(KeyOut);
end;
$129: begin
KeyOut[0] := $00010060;
KeyOut[1] := ((((KeyIn[3] xor $F79E0778) xor $A26B7D49) - $7B9F0B7E) + $33460E9E);
KeyOut[2] := KeyIn[2];
KeyOut[3] := KeyIn[3];
GameGuard_Encrypt(KeyOut);
end;
$1F0: begin
KeyOut[0] := $00010060;
KeyOut[1] := KeyIn[1];
KeyOut[2] := ((((KeyIn[3] + $37AB126A) - $7A417C81) - $20142580) + $1DAC94F9);
KeyOut[3] := KeyIn[3];
GameGuard_Encrypt(KeyOut);
end;
end;
Result := iIndex;
end
else
Result := iIndex;
end;
end.
part of it*
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Can you share sv :S I want to test it :((
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Quote:
Originally Posted by
SmallHabit
Thanks, this main is very stable :) But I think there's 1 more RG offset to crack, after char selection.
Code:
[...]
[Connect to Server] ip address = connect.muonline.webzen.com, port = 44405
> Login Scene init success.
Send Request Server List.
Success Receive Server List.
Success Receive Server List.
[ReceiveServerConnect][Socket Closed][Clear PacketQueue]
[Connect to Server] ip address = 211.43.146.195, port = 55901
> Login Request.
> Try to Login "00031XXXXX"
> Login Request.
> Try to Login "00031XXXXX"
> Request Character list
> Character scene init success.
> Character selected <1> "adf3dds"
> Main Scene init success. 2012/10/12 16:45
이미지를 공유하거나 Delete없이 사용하였음Data\World1\leaf01.tga(0x00007695)->Data\World1\leaf01.jpg
[ResourceGuard] Check Integrity... : data\local\Gameguard.csr
[ResourceGuard] Error: main.exe file is modified.
[ResourceGuard] Stop checking integrity.
[Socket Closed][Clear PacketQueue]
> ResourceGuard Error!!
Strange packet
0x0012DFE9 : C147F303 938F0000 00000000 00004A80
: 00000000 00005E88 00004E00 14001900
: 0A008200 82001900 1900A600 A6001000
: 21001200 45040000 03000000 04000000
: 00000400 00973A
> Connection closed. 2012/10/12 16:45
[Socket Closed][Clear PacketQueue]
Destroy
It's the game client that disconnects, not the game server. I fix the main checksum reply to a valid checksum (in proxy), and I can see a DC from the client side. Do you have any solution to this? :)
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
How can you fix the checksum reply in the client, if it's stored in the GameGuard.crs file.. ))
Actually it simply checks the GameGuard.crs checksum of main.exe against the binary file (main.exe), but the checksum sent by the client to the server is like in the "OLD" days, except it's generated from gameguard.crs instead of main.exe
Code:
Strange packet
0x0012DFE9 : C147F303 938F0000 00000000 00004A80
: 00000000 00005E88 00004E00 14001900
: 0A008200 82001900 1900A600 A6001000
: 21001200 45040000 03000000 04000000
: 00000400 00973A
and it's definitely a strange packet..
PS. Habit's main.exe works very smoothly.. :ott1:
http://imageshack.us/a/img141/8437/habit.png
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
All these "crashes" and "errors" are caused by protection system from packer (destroy function calls, prologs etc.)
Later I'll post some fixes.
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Quote:
Originally Posted by
mauka
How can you fix the checksum reply in the client, if it's stored in the GameGuard.crs file.. ))
Actually it simply checks the GameGuard.crs checksum of main.exe against the binary file (main.exe), but the checksum sent by the client to the server is like in the "OLD" days, except it's generated from gameguard.crs instead of main.exe
I didn't fix it in the client. I have a file with 1024 valid replies. I use a proxy to block the checksum request, so that main doesn't see it, and I use my file to send a checksum reply from the proxy. I tested it with a main that is not cracked, so I'm sure it works fine. I only mentioned it to prove the disconnect is not because of a wrong checksum.
Quote:
and its definetly strange packet..
WTH is a strange packet? :)
@Dudi2
Great :)
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
If you're talking about this: (I didn't even research it, when it changed) [Release] [Source Delphi] MultiCore checksum generator - RaGEZONE forums. But these 4kb are not valid anymore on GMO )))
As a matter of fact, I'm starting to think some "PIG" started sharing my work with their best friend, and their best friend with "their best friends".. until infinity. ))
Quote:
Originally Posted by
jansonbuton
WTH is strange packet? :)
I think this error is called when the packet decrypt failed ;) look around EncDec in main.exe
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
@mauka
Yes, this version uses 1 more byte in the checksum reply packet. Before, that byte was always 0, now it is not. I don't know how they calculate it, I simply use main.exe as a generator, and now my file is 1024 x 5 bytes :)
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Hm.. Call me on MSN, I wanna ask u something ))
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
the main auto closes after loading. What client works with this main?
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
http://failiem.lv/down.php?i=ejpocoa...-0000.jpg&view
Finally got it working; need to fix the viewport and attack protocols
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Hello all.
Here is the viewport for players
Quote:
#pragma pack(1)
struct PMSG_VIEWPORTCREATE
{
BYTE NumberH;
BYTE NumberL;
BYTE X;
BYTE Y;
BYTE CharSet[18];
char Id[10];
BYTE TX;
BYTE TY;
BYTE DirAndPkLevel;
BYTE ElementIcon;
WORD Level;
DWORD iHealth;
DWORD iMaxHealth;
BYTE btViewSkillStateCount;
BYTE btViewSkillState[MAX_STATE_COUNT];
};
#pragma pack()
And this is for monsters and NPCs
Quote:
#pragma pack(1)
struct PMSG_MONSTER_VIEWPORTCREATE
{
BYTE NumberH;
BYTE NumberL;
BYTE Type_HI;
BYTE Type_LO;
BYTE X;
BYTE Y;
BYTE TX;
BYTE TY;
BYTE Path;
BYTE ElementIcon;
WORD Level;
DWORD iHealth;
DWORD iMaxHealth;
BYTE btViewSkillStateCount;
BYTE btViewSkillState[MAX_STATE_COUNT];
};
#pragma pack()
http://clip2net.com/clip/m0/1350087888-clip-396kb.jpg
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Quote:
Originally Posted by
SmallHabit
Thanks!
So now you can also see the health of other players (only with packet sniffer i guess...)?
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Quote:
Originally Posted by
SmallHabit
I have no words, Habit is the best of the best!!!!!!!!! Always great work!
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Quote:
Thanks!
So now you can also see the health of other players (only with packet sniffer i guess...)?
I think the main idea of WZ was health in party, and a health bar for mobs. That's why they added it. +)
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Quote:
Originally Posted by
SmallHabit
Hi. Can it be used on private servers, or on Titanstech files?
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
I use it in my test emulator. To test on TT files you need to restore the old encdec, or reverse the new encdec. Ex700 will not work with normal TT files.
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
What does MAX_STATE_COUNT need to be?
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Quote:
Originally Posted by
SmallHabit
I use it in my test emulator. To test on TT files you need to restore the old encdec, or reverse the new encdec. Ex700 will not work with normal TT files.
I tested on GMO, and for me, your main.exe can't process the packet with map info:
Code:
C3 53 87 33 47 57 A3 7E 98 67 04 6E 0D 78 1F C0 DB 25 AB F6 91 92 72 60 9D 62 F9 9E 71 74 BF 74 FF 37 21 6D 64 DA 12 3A 73 81 7C E6 92 B8 CA 46 CD ED 28 93 E7 98 44 A7 63 0A 26 13 9A 23 4C 22 B8 B8 B0 C3 46 21 3C AE C5 95 09 11 30 D0 B0 DA 64 4B 09
decrypts as:
C3 49 00 F3 03 93 7B 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 64 00 00 12 00 12 00 0F 00 1E 00 3C 00 3C 00 3C 00 3C 00 63 00 63 00 0A 00 15 00 12 00 DD E9 FA 02 03 00 00 00 02 00 00 00 00 00 02 00 00 97 3A 00
If I block it, then char selection is successful (but, of course, I don't see the map I'm in ;p). Otherwise, I get a ResourceGuard error + strange packet error.
Code:
> Character selected <2> "Wizard791"
> Main Scene init success. 2012/10/13 15:37
À妽º¸¦ °øÀ¯Çϰųª Delete¾øÀÌ »ç¿ëÇÏ¿´À½Data\World1\leaf01.tga(0x00007695)->Data\World1\leaf01.jpg
[ResourceGuard] Check Integrity... : data\local\Gameguard.csr
[ResourceGuard] Error: main.exe file is modified.
[ResourceGuard] Stop checking integrity.
[Socket Closed][Clear PacketQueue]
> ResourceGuard Error!!
Strange packet
0x0012DFE9 : C147F303 937B0000 00000000 00000000
: 00000000 00000064 00001200 12000F00
: 1E003C00 3C003C00 3C006300 63000A00
: 15001200 DDE9FA02 03000000 02000000
: 00000200 00973A
> Connection closed. 2012/10/13 15:37
[Socket Closed][Clear PacketQueue]
Destroy
Edit: ok, after some talk with mauka, I think that this error is most likely because of my Windows version, XP 32 bit. Must be some nasty trick of the packer that shows up there. (And the C3 packet ID is 0, because this is the very first C3 server --> client).
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
My EncDec decrypts it 100% the same as yours.. The magic is that EncDec needs the counter for correct EncDec
Code:
C3 49 00 F3 0E 93 D4 BA A3 CA 33 C1 CC 66 67 21 F3 32 12 15 35 29 FF FE 79 20 EF DF 53 34 2E 41 42 B5 0F F1 C2 24 1F F9 9F F6 0F A2 AF 05 04 2B F9 27 07 07 27 F4 CB ED E5 45 EC CD 41 24 3E 4E 4D AB 11 CF FC 18 B4 68 99
Encrypted data.. Looks to be wrong, as the decrypted data doesn't contain the PACKET ID (counter)
MuOnline crypt always encrypts all content of the packet, and the counter is part of it ;)
ContentSize := PktSize - PktHdrSize;
Post the original packet u got before u re-encrypt it manually
Code:
function GetHdrSize(lpSource: Pointer): Byte;
begin
  // C1/C3 carry a 1-byte size field, C2/C4 a 2-byte (big-endian) size field
  case PByte(lpSource)^ of
    $C1, $C3: Result := 2;
    $C2, $C4: Result := 3;
  else
    Result := 0; // not a MU packet header
  end;
end;
function GetHdr(lpSource: Pointer): Byte;
begin
  Result := PByte(lpSource)^;
end;
function GetPacketSize(lpSource: Pointer): Word;
var
  Hdr: Byte;
begin
  Hdr := GetHdr(lpSource);
  case Hdr of
    $C1, $C3: Result := PByte(Integer(lpSource) + 1)^;
    $C2, $C4: Result := (PByte(Integer(lpSource) + 1)^ shl 8) + PByte(Integer(lpSource) + 2)^;
  else
    Result := 0;
  end;
end;
function GetContentSize(lpSource: Pointer): Word;
begin
  // Bytes after the header; wraps around if a malformed size field is smaller than the header
  Result := GetPacketSize(lpSource) - GetHdrSize(lpSource);
end;
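The same three helpers ported to C as an added example (not mauka's code), with the length validation a game server has to run before trusting the declared size; the sample packets are constructed here, not captured GMO traffic.

```c
/* Added example: MU packet header parsing with bounds checks.
 * Sample packets below are constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* C1/C3 headers are [type][size8]; C2/C4 are [type][size16 big-endian]. */
size_t mu_hdr_size(uint8_t type)
{
    switch (type) {
    case 0xC1: case 0xC3: return 2;
    case 0xC2: case 0xC4: return 3;
    default:              return 0;   /* not a MU packet */
    }
}

/* Declared total length. Caller guarantees at least mu_hdr_size() bytes. */
size_t mu_packet_size(const uint8_t *p)
{
    switch (p[0]) {
    case 0xC1: case 0xC3: return p[1];
    case 0xC2: case 0xC4: return ((size_t)p[1] << 8) | p[2];
    default:              return 0;
    }
}

enum mu_status { MU_OK, MU_TOO_SHORT, MU_BAD_HEADER, MU_BAD_SIZE, MU_TRUNCATED };

/* Validate one packet at the front of buf[0..avail). Only on MU_OK is
 * *content_len (packet size minus header) safe to hand to the decryptor:
 * computed blindly, as GetContentSize does, a size field smaller than the
 * header wraps to a huge value, and a size larger than the bytes actually
 * received makes the decryptor read past the end of the receive buffer. */
enum mu_status mu_validate(const uint8_t *buf, size_t avail, size_t *content_len)
{
    if (avail < 1) return MU_TOO_SHORT;
    size_t hdr = mu_hdr_size(buf[0]);
    if (hdr == 0) return MU_BAD_HEADER;
    if (avail < hdr) return MU_TOO_SHORT;
    size_t total = mu_packet_size(buf);
    if (total < hdr + 1) return MU_BAD_SIZE;   /* room for at least an opcode */
    if (total > avail) return MU_TRUNCATED;
    if (content_len) *content_len = total - hdr;
    return MU_OK;
}

/* Walk a receive buffer holding back-to-back packets; returns how many were
 * complete and well-formed before the first problem. */
size_t mu_count_packets(const uint8_t *buf, size_t len)
{
    size_t count = 0, pos = 0, content = 0;
    while (pos < len && mu_validate(buf + pos, len - pos, &content) == MU_OK) {
        pos += content + mu_hdr_size(buf[pos]);
        count++;
    }
    return count;
}

/* Constructed samples (opcodes are illustrative, not captured traffic). */
const uint8_t PKT_C1[]      = { 0xC1, 0x05, 0xF1, 0x01, 0x00 };             /* 5 bytes, 3 content */
const uint8_t PKT_C2[]      = { 0xC2, 0x00, 0x07, 0xF3, 0x03, 0x11, 0x22 }; /* 7 bytes, 4 content */
const uint8_t PKT_TRUNC[]   = { 0xC1, 0x10, 0xF3 };                         /* claims 16, has 3  */
const uint8_t PKT_BADSIZE[] = { 0xC3, 0x01, 0x00 };                         /* size < header     */
const uint8_t STREAM[]      = { 0xC1, 0x05, 0xF1, 0x01, 0x00,
                                0xC2, 0x00, 0x07, 0xF3, 0x03, 0x11, 0x22,
                                0xC1, 0x10, 0xF3 };                         /* two good, one cut */

int main(void)
{
    size_t n = 0;
    int st = mu_validate(PKT_C1, sizeof PKT_C1, &n);
    printf("C1 sample: status %d, content %zu bytes\n", st, n);
    st = mu_validate(PKT_TRUNC, sizeof PKT_TRUNC, &n);
    printf("truncated sample: status %d (MU_TRUNCATED = %d)\n", st, MU_TRUNCATED);
    printf("stream: %zu complete packet(s)\n", mu_count_packets(STREAM, sizeof STREAM));
    return 0;
}
```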
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
As I promised...
Code:
1) Init function (allow to run main via Olly):
004ECDCB 55 PUSH EBP
004ECDCC 8BEC MOV EBP,ESP
004ECDCE 81EC 600F0000 SUB ESP,0F60
004ECDD4 EB 26 JMP SHORT main.004ECDFC
004ECDD6 90 NOP
004ECDD7 90 NOP
004ECDD8 90 NOP
004ECDD9 90 NOP
004ECDDA 90 NOP
004ECDDB 90 NOP
004ECDDC 90 NOP
004ECDDD 90 NOP
004ECDDE 90 NOP
004ECDDF 90 NOP
004ECDE0 90 NOP
004ECDE1 90 NOP
004ECDE2 90 NOP
004ECDE3 90 NOP
004ECDE4 90 NOP
004ECDE5 90 NOP
004ECDE6 90 NOP
004ECDE7 90 NOP
004ECDE8 90 NOP
004ECDE9 90 NOP
004ECDEA 90 NOP
004ECDEB 90 NOP
004ECDEC 90 NOP
004ECDED 90 NOP
004ECDEE 90 NOP
004ECDEF 90 NOP
004ECDF0 90 NOP
004ECDF1 90 NOP
004ECDF2 90 NOP
004ECDF3 90 NOP
004ECDF4 90 NOP
004ECDF5 90 NOP
004ECDF6 90 NOP
004ECDF7 90 NOP
004ECDF8 90 NOP
004ECDF9 90 NOP
004ECDFA 90 NOP
004ECDFB 90 NOP
2) Fix Call to function (crash when progress bar is full)
004F22A5 E8 78606E09 CALL main.09BD8322
004F2523 E8 FA5D6E09 CALL main.09BD8322
3) Fix Calls (Crash on login, select character, join game etc.)
004F1F48 E8 DAE56E09 CALL main.09BE0527
004F2344 E8 3B606E09 CALL main.09BD8384
004F2626 E8 FCDE6E09 CALL main.09BE0527
004F1ACE E8 B1686E09 CALL main.09BD8384
004F1D37 E8 E6656E09 CALL main.09BD8322
004F44D3 E8 4A3E6E09 CALL main2.09BD8322
004F4476 E8 093F6E09 CALL main2.09BD8384
004F447B E8 4C816E09 CALL main2.09BDC5CC
004F42AA E8 33606E09 CALL main2.09BDA2E2
004F42AF E8 DA626E09 CALL main2.09BDA58E
4) Resource Guard
09BF14BB -E9 275BA4F6 JMP main2.00636FE7
09BF14C0 90 NOP
5) Crashes in-game (rewrite functions module (packer shit))
0065DC21 E8 28495909 CALL main2.09BF254E // Loading Game
0065F282 E8 331D5F09 CALL main2.09C50FBA // Chaos Machine
009BD443 E8 53A92209 CALL main2.09BE7D9B // Magic Attack (BK)
009BD46B E8 10AD2209 CALL main2.09BE8180 // Magic Attack (SM)
009BD484 E8 3FB02209 CALL main2.09BE84C8 // Magic Attack (Elf)
009BD49D E8 CEB02209 CALL main2.09BE8570 // Magic Attack (SU)
009BD4B6 E8 4DB12209 CALL main2.09BE8608 // Magic Attack (RF)
0065EAD4 E8 FC8B5909 CALL main2.09BF76D5 // Kanturu Crash
6) Packet Recv Function Calls Fix (crashes, etc)
0065E476 E8 10885909 CALL main2.09BF6C8B - INSANE_APPLY messagebox shit and client closes (with OllyDBG) (Packet 0xF6)
0065E5C9 E8 AF875909 CALL main2.09BF6D7D - same issue, but packet 0xF8
0065E5AD E8 9C875909 CALL main2.09BF6D4E - Gens NPC (Join to Gens)
0065E5BB E8 A4875909 CALL main2.09BF6D64 - Gens NPC (Leave)
09C22BFB B8 01000000 MOV EAX,1
09C22C00 C3 RETN
09C22C01 90 NOP
09C22C02 90 NOP
09C22C03 90 NOP
09C22C04 90 NOP
0065E460 E8 E6875909 CALL main2.09BF6C4B <- prevent corrupt player data (late crash) (packet 0xF3)
09C225CF B8 01000000 MOV EAX,1
09C225D4 C3 RETN
09C225D5 90 NOP
09C225D6 90 NOP
09C225D7 90 NOP
09C225D8 90 NOP
004F4911 E8 11BC6E09 CALL main2.09BE0527 <- prevent character disappear after some time
If you have some questions, crashes etc. write in this topic, I'll try to help.
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
dudi did some crazy research, very impressive )))
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Yeah Dudi Rocks Thanks you keep the good work :)))!!!!
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Dudi, these offsets are from what version of main.exe? My opcodes are 80% totally different from the ones you posted
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Quote:
Originally Posted by
mauka
Dudi, these offsets are from what version of main.exe? My opcodes are 80% totally different from the ones you posted
It's from your main ^^ (1.04.17)
http://i47.tinypic.com/2lw27hu.jpg
http://i45.tinypic.com/2uyiyki.jpg
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Code:
09C22BFB B8 01000000 MOV EAX,1
http://imageshack.us/a/img525/5835/09c22bfb.png
Code:
09C225CF B8 01000000 MOV EAX,1
http://imageshack.us/a/img23/7448/09c225cf.png
Quote:
Originally Posted by
Dudi2
It's from your main ^^ (1.04.17)
It's xx.14.17 :F
http://imageshack.us/a/img72/8472/11417.png
EDITED: AH, FK u posted offsets with PATCHES opcodes.. kkkkkkkkkkkkk)))))
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Quote:
Originally Posted by
mauka
EDITED: AH, FK u posted offsets with PATCHES opcodes.. kkkkkkkkkkkkk)))))
http://www.reactionface.info/sites/d...0480585093.jpg
I thought that I'm wrong or stupid lol ^^
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
It's very interesting.. I guess it's related to the OS or so.. I don't have as many crashes as DUDI posted :/
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Some hint for all: Want to deobfuscate? aPLib is used here..
aPLib is a compression library based on the algorithm used in aPACK (my executable compressor). aPLib is an easy-to-use alternative to many of the heavy-weight compression libraries available.
Ibsen Software: http://www.ibsensoftware.com/products_aPLib.html
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Quote:
Originally Posted by
Dudi2
As I promised...
Thanks Dudi, that solved my problem :)
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
aPLib compression is the hardest one I know; RLPack uses that :)
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Anyone other than me getting the "memory allocation" warning when trying to load a >10 MB exe in Olly?
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Offset info for main 1.04.17, found by me:
Code:
01171B5C // Port : 44405
0117233A // IP : connect.muonline.webzen.com
011730F8 // Version : 2275<
01173100 // Serial : Odn62c0Tt01SzpT7
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Quote:
Originally Posted by
SmallHabit
I use it in my test emulator. To test on tt files you need to restore old encdec. Or reverse new encdec. Ex700 will not work at normal tt files.
Sorry for asking, because it's been a while since I last played with the MU sources; the one responsible for this on the server side is SimpleModulus.lib? Thanks.
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
It would be great if anyone could share the main with CMStarterCore cracked; my OllyDbg gets stuck whenever I load the main :|
If my post counts as spam, I am sorry!
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Quote:
Originally Posted by
phgkhh
It would be great if anyone could share the main with CMStarterCore cracked; my OllyDbg gets stuck whenever I load the main :|
If my post counts as spam, I am sorry!
Code:
CMStarterCore:
0043DF96 6A 00 PUSH 0
0043E4CC 8B80 50030000 MOV EAX,DWORD PTR DS:[EAX+350]
0043E4D2 |. 8B4D FC MOV ECX,[LOCAL.1]
0043E4D5 8B89 50030000 MOV ECX,DWORD PTR DS:[ECX+350]
0043E4DB |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
0043E4DD FF50 18 CALL DWORD PTR DS:[EAX+18]
00518A55 /EB 36 JMP SHORT main700P.00518A8D
-
1 Attachment(s)
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Hello to all here! =)
Want to share with you an in-line main patcher. With it you will not need to wait for a fixed unpacked main. Just run the injector and wait until main is loaded.
What this patch does to main:
- bypasses mu.exe loading
- bypasses GG loading
- bypasses CMStarterCore
- changes the connect address from Patched.ini
What is the difference between this and the unpacked main:
- Well, it doesn't crash, it works like the original main from the GMO server, just without GG and CMStarterCore, and it can be connected directly to your server.
How to use :
1) Download clean patch - ftp://patch.muonline.webzen.net/pub/webzen/1.04.17/
2) unzip the archive into the Mu Online client
3) Edit Patched.ini if needed
4) run START.exe
5) enter Main.exe name
6) wait until it loads
http://clip2net.com/clip/m0/1350254842-clip-268kb.jpg
Download Link:
Download Main_10417_patcher.zip from Sendspace.com - send big files the easy way
P.S. Test it on all possible systems, and write here about your results!
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
as Always Small Habit rocks again thanks y mate :)!!!!
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Quote:
Originally Posted by
SmallHabit
Hello to all here! =)
Want to share with you an in-line main patcher. With it you will not need to wait for a fixed unpacked main. Just run the injector and wait until main is loaded.
What this patch does to main:
- bypasses mu.exe loading
- bypasses GG loading
- bypasses CMStarterCore
- changes the connect address from Patched.ini
What is the difference between this and the unpacked main:
- Well, it doesn't crash, it works like the original main from the GMO server, just without GG and CMStarterCore, and it can be connected directly to your server.
How to use:
1) Download clean patch - ftp://patch.muonline.webzen.net/pub/webzen/1.04.17/
2) unzip the archive into the Mu Online client
3) Edit Patched.ini if needed
4) run START.exe
5) enter the Main.exe name
6) wait until it loads
Download Link:
Download Main_10417_patcher.zip from Sendspace.com - send big files the easy way
P.S. Test it on all possible systems, and write here about your results!
Nice one Steve, but write an option to make it silent and they may use it.. but still this can't be integrated with anything, dunno what is the point of a tool like this.
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
^_^ I can make it with graphics design. Like a Mu launcher.
Quote:
Nice one Steve, but write an option to make it silent and they may use it.. but still this can't be integrated with anything, dunno what is the point of a tool like this.
Point? :) dunno, maybe to develop a server without having troubles with main things, etc? =) I just share, tell people with which method it is made... well... I have plenty of time to play with it! :DDD
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Possible to add in the .ini support for serial and version changer?:)
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Ow nice SmallHabit, Main.exe executable works fine..... test it with appropriate server files
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Quote:
Originally Posted by
duracel
Possible to add in the .ini support for serial and version changer?:)
Main 1.04.17 AddOption to change main info, by me: Download Main
I use asm, not C++
Config file: MainConfig.ini
Code:
[MainInfo]
Main_IP = connect.muonline.webzen.com
Main_Version = 2275<
Main_Serial = Odn62c0Tt01SzpT7
Main all fix :
Code:
http://forum.ragezone.com/f197/unpacked-ex700-plus-main-exe-884156/index2.html#post7281430
Code:
http://forum.ragezone.com/f197/unpacked-ex700-plus-main-exe-884156/index4.html#post7282915
Code:
http://forum.ragezone.com/f197/unpacked-ex700-plus-main-exe-884156/index5.html#post7284566
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
thx man, does it work in version 1.4.07?
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Quote:
Originally Posted by
SmallHabit
Want to share with you with in-line main patcher.
[...]
P.S. Test it on all possible system, and write here about your results!
It works well on my system (XP 32bit) - I can attach a debugger, and there aren't any crashes. It would be perfect if you could run more main versions through it. Like a generic launcher for ex700 versions. Don't know if that's possible, just a thought :)
-
1 Attachment(s)
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Hi,
I want to test the main, but when I log in there are many servers (as in the attached image) in the list and many sub-servers inside each, so could anyone let me know which server I should choose?
Thank you,
Attachment 115520
Solved: I forgot to change the IP, so it was just showing many servers. After changing the IP to fit the server, it shows only 1 server.
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
OK, I reversed the Level2 encryption of Ex700 PLUS (1.14.17) main.exe and found it useless for me, as it also uses new switch functions for each opcode; I gave up on reversing all of it..
Please note: the case 32 EncDec Level2 is from the Login packet $F1 opcodes; the other cases 8, 16 and next are from the PING packet $E
So the case $20 encryption was reversed on the Login packet,
cases 4, $10 and base were reversed from the ping packet.. so it's actually like a merged function )) after I noted it's not the same I gave up and am sharing it
Code:
{$POINTERMATH ON} // the PByte + offset arithmetic below needs pointer math enabled in Delphi
// SAR is plain SHR here; as noted after the listing, the shift count is never negative
function SAR(Value, Shift: Byte): Byte;
begin
  Result := Value shr Shift;
end;
procedure DecryptLevel2(lpSource: Pointer);
var
Offset: Byte;
ContentSize: Word;
PBuffer: PByte;
Condition, Condition2: Byte;
begin
Offset := GetHdrSize(lpSource) +2; // Counter = 2
ContentSize := GetContentSize(lpSource);
PBuffer := PByte(lpSource) + Offset;
if not (ContentSize >= 4) then
Exit // No Decryption for this size
else
if not (ContentSize >= 8) then
begin
PByte(PBuffer +3)^ := PByte(PBuffer +3)^ xor $85; //09CB6897
Condition := SAR(PByte(PBuffer +3)^, 4) and 1;
Condition2 := SAR(PByte(PBuffer +3)^, 2) and 1;
if (Condition = 0) then
PByte(PBuffer +3)^ := PByte(PBuffer +3)^ and $EF //09BFCD94
else
PByte(PBuffer +3)^ := PByte(PBuffer +3)^ or $10; //09CB6573
if (Condition2 = 0) then
PByte(PBuffer +3)^ := PByte(PBuffer +3)^ and $EF //09BFCD94
else
PByte(PBuffer +3)^ := PByte(PBuffer +3)^ or $10; //09CB6573
Condition := SAR(PByte(PBuffer +7)^, 4) and 1;
Condition2 := SAR(PByte(PBuffer +7)^, 5) and 1;
if (Condition = 0) then
PByte(PBuffer +7)^ := PByte(PBuffer +7)^ and $DF //09BFCCF4
else
PByte(PBuffer +7)^ := PByte(PBuffer +7)^ or $20; //09CB6356
if (Condition2 = 0) then
PByte(PBuffer +7)^ := PByte(PBuffer +7)^ and $EF //09BFCD36
else
PByte(PBuffer +7)^ := PByte(PBuffer +7)^ or $10;
end
else
if not (ContentSize >= 16) then
begin
PByte(PBuffer +3)^ := PByte(PBuffer +3)^ xor $85; //09CB6897
Condition := SAR(PByte(PBuffer +3)^, 4) and 1;
Condition2 := SAR(PByte(PBuffer +3)^, 2) and 1;
if (Condition = 0) then
PByte(PBuffer +3)^ := PByte(PBuffer +3)^ and $EF //09BFCD94
else
PByte(PBuffer +3)^ := PByte(PBuffer +3)^ or $10; //09CB6573
if (Condition2 = 0) then
PByte(PBuffer +3)^ := PByte(PBuffer +3)^ and $EF //09BFCD94
else
PByte(PBuffer +3)^ := PByte(PBuffer +3)^ or $10; //09CB6573
Condition := SAR(PByte(PBuffer +7)^, 4) and 1;
Condition2 := SAR(PByte(PBuffer +7)^, 5) and 1;
if (Condition = 0) then
PByte(PBuffer +7)^ := PByte(PBuffer +7)^ and $DF //09BFCCF4
else
PByte(PBuffer +7)^ := PByte(PBuffer +7)^ or $20; //09CB6356
if (Condition2 = 0) then
PByte(PBuffer +7)^ := PByte(PBuffer +7)^ and $EF //09BFCD36
else
PByte(PBuffer +7)^ := PByte(PBuffer +7)^ or $10;
end
else
if not (ContentSize >= 32) then
begin
PByte(PBuffer +$1F)^ := PByte(PBuffer +$1F)^ xor $7D;
Condition := PByte(PBuffer +$10)^;
PByte(PBuffer +$10)^ := PByte(PBuffer +$18)^;
PByte(PBuffer +$18)^ := Condition;
Condition2 := (PByte(PBuffer +$1A)^ shr 5);
PByte(PBuffer)^ := PByte(PBuffer +$1A)^ or Condition2;
PByte(PBuffer +$1A)^ := (PByte(PBuffer)^ shl 3);
Condition := PByte(PBuffer +3)^;
PByte(PBuffer +3)^ := PByte(PBuffer +$18)^;
PByte(PBuffer +$18)^ := Condition;
Condition := (PByte(PBuffer +4)^ shl 2);
PByte(PBuffer +4)^ := PByte(PBuffer +4)^ shr 6;
PByte(PBuffer +4)^ := (PByte(PBuffer +4)^ or Condition);
Condition := (PByte(PBuffer +2)^ shr 5) and 1;
Condition2 := (PByte(PBuffer +2)^ shr 2) and 1;
if (Condition2 = 0) then
PByte(PBuffer +2)^ := PByte(PBuffer +2)^ and $DF //09CB75DE
else
PByte(PBuffer +2)^ := PByte(PBuffer +2)^ or $20; //09CB75D0
if (Condition = 0) then
PByte(PBuffer +2)^ := PByte(PBuffer +2)^ and $FB //09BFD34A
else
PByte(PBuffer +2)^ := PByte(PBuffer +2)^ or 4; //09CB75B7
Condition := (PByte(PBuffer +6)^ shr 7) and 1; //8bit
Condition2 := (PByte(PBuffer +6)^ shr 6) and 1; //7bit
if (Condition = 0) then
PByte(PBuffer +6)^ := PByte(PBuffer +6)^ and $BF //09CB74CB
else
PByte(PBuffer +6)^ := PByte(PBuffer +6)^ or $40; //09CB74BD
if (Condition2 = 0) then
PByte(PBuffer +6)^ := PByte(PBuffer +6)^ and $7F //09CB755F
else
PByte(PBuffer +6)^ := PByte(PBuffer +6)^ or $80; //$FFFFFF7F
PByte(PBuffer +$11)^ := PByte(PBuffer +$11)^ xor $AC;
Condition := (PByte(PBuffer +$15)^ shr 2) and 1;
Condition2 := (PByte(PBuffer +$15)^ shr 2) and 1;
if (Condition = 0) then
PByte(PBuffer +$15)^ := PByte(PBuffer +$15)^ and $FB //9CB740B
else
PByte(PBuffer +$15)^ := PByte(PBuffer +$15)^ or 4;
if (Condition2 = 0) then
PByte(PBuffer +$15)^ := PByte(PBuffer +$15)^ and $DF
else
PByte(PBuffer +$15)^ := PByte(PBuffer +$15)^ or 4;
PByte(PBuffer +1)^ := PByte(PBuffer +1)^ xor $1A; //09CB7290
end
else
begin
Condition := PByte(PBuffer +$C)^ shl 6;
Condition2 := PByte(PBuffer +$C)^ shr 2;
PByte(PBuffer +$C)^ := (Condition or Condition2);
Condition := PByte(PBuffer +$A)^ shr 1 and 1;
Condition2 := PByte(PBuffer +$A)^ shr 1 and 1;
if (Condition = 0) then
PByte(PBuffer +$A)^ := PByte(PBuffer +$A)^ and $FD //09BFD1E6
else
PByte(PBuffer +$A)^ := PByte(PBuffer +$A)^ or $20;
if (Condition2 = 0) then
PByte(PBuffer +$A)^ := PByte(PBuffer +$A)^ and $FD //09BFD251
else
PByte(PBuffer +$A)^ := PByte(PBuffer +$A)^ or 2; //09BFD242
PByte(PBuffer +8)^ := PByte(PBuffer +8)^ xor $DF;
PByte(PBuffer)^ := PByte(PBuffer)^ xor $A;
Condition := PByte(PBuffer +$B)^;
PByte(PBuffer +$B)^ := PByte(PBuffer +2)^;
PByte(PBuffer +$B)^ := Condition;
end;
end;
procedure EncryptLevel2(lpSource: Pointer); //1.14.17
var
Offset: Byte;
ContentSize: Word;
PBuffer: PByte;
Condition, Condition2: Byte;
begin
Offset := GetHdrSize(lpSource) +2; // Counter = 2
ContentSize := GetContentSize(lpSource);
PBuffer := PByte(lpSource) + Offset;
if not (ContentSize >= 4) then
Exit // No Encryption for this size
else
if not (ContentSize >= 8) then
begin
PByte(PBuffer +2)^ := ((PByte(PBuffer +2)^ shr 2) or (PByte(PBuffer +2)^ shl 6)) xor $91;
PByte(PBuffer +3)^ := PByte(PBuffer +3)^ xor $F6; //09CB62E6
end
else
if not (ContentSize >= 16) then //006681FB
begin
Condition := SAR(PByte(PBuffer +7)^, 4) and 1;
Condition2 := SAR(PByte(PBuffer +7)^, 5) and 1;
if (Condition = 0) then
PByte(PBuffer +7)^ := PByte(PBuffer +7)^ and $DF //09BFCCF4
else
PByte(PBuffer +7)^ := PByte(PBuffer +7)^ or $20; //09CB6356
if (Condition2 = 0) then
PByte(PBuffer +7)^ := PByte(PBuffer +7)^ and $EF //09BFCD36
else
PByte(PBuffer +7)^ := PByte(PBuffer +7)^ or $10;
Condition := SAR(PByte(PBuffer +3)^, 4) and 1;
Condition2 := SAR(PByte(PBuffer +3)^, 2) and 1;
if (Condition = 0) then
PByte(PBuffer +3)^ := PByte(PBuffer +3)^ and $EF //09BFCD94
else
PByte(PBuffer +3)^ := PByte(PBuffer +3)^ or $10; //09CB6573
if (Condition2 = 0) then
PByte(PBuffer +3)^ := PByte(PBuffer +3)^ and $EF //09BFCD94
else
PByte(PBuffer +3)^ := PByte(PBuffer +3)^ or $10; //09CB6573
PByte(PBuffer +3)^ := PByte(PBuffer +3)^ xor $85; //09CB6897
end
else
if not (ContentSize >= 32) then // Login packet
begin
PBuffer := PByte(lpSource) + Offset;
PByte(PBuffer +1)^ := PByte(PBuffer +1)^ xor $1A; //09CB7290
Condition := SAR(PByte(PBuffer +$15)^, 2) and 1;
Condition2 := SAR(PByte(PBuffer +$15)^, 2) and 1;
if (Condition = 0) then
PByte(PBuffer +$15)^ := PByte(PBuffer +$15)^ and $FB //9CB740B
else
PByte(PBuffer +$15)^ := PByte(PBuffer +$15)^ or 4;
if (Condition2 = 0) then
PByte(PBuffer +$15)^ := PByte(PBuffer +$15)^ and $DF
else
PByte(PBuffer +$15)^ := PByte(PBuffer +$15)^ or 4;
Condition := SAR(PByte(PBuffer +6)^, 7) and 1;
Condition2 := SAR(PByte(PBuffer +6)^, 6) and 1;
if (Condition = 0) then
PByte(PBuffer +6)^ := PByte(PBuffer +6)^ and $BF //09CB74CB
else
PByte(PBuffer +6)^ := PByte(PBuffer +6)^ or $40; //09CB74BD
if (Condition2 = 0) then
PByte(PBuffer +6)^ := PByte(PBuffer +6)^ and $7F //09CB755F
else
PByte(PBuffer +6)^ := PByte(PBuffer +6)^ or $80; //$FFFFFF7F
PByte(PBuffer +$11)^ := PByte(PBuffer +$11)^ xor $AC;
Condition := SAR(PByte(PBuffer +2)^, 5) and 1;
Condition2 := SAR(PByte(PBuffer +2)^, 2) and 1;
if (Condition = 0) then
PByte(PBuffer +2)^ := PByte(PBuffer +2)^ and $FB //09BFD34A
else
PByte(PBuffer +2)^ := PByte(PBuffer +2)^ or 4; //09CB75B7
if (Condition2 = 0) then
PByte(PBuffer +2)^ := PByte(PBuffer +2)^ and $DF //09CB75DE
else
PByte(PBuffer +2)^ := PByte(PBuffer +2)^ or $20; //09CB75D0
Condition := SAR(PByte(PBuffer +4)^, 2);
PByte(PBuffer +4)^ := PByte(PBuffer +4)^ shl 6;
PByte(PBuffer +4)^ := (PByte(PBuffer +4)^ or Condition);
Condition := PByte(PBuffer +$18)^;
PByte(PBuffer +$18)^ := PByte(PBuffer +3)^;
PByte(PBuffer +3)^ := Condition;
Condition := SAR(PByte(PBuffer +$1A)^, 3); //09CB7680
Condition2 := (PByte(PBuffer +$1A)^ shl 5);
PByte(PBuffer)^ := (Condition or Condition2);
PByte(PBuffer +$1A)^ := Condition;
Condition := PByte(PBuffer +$10)^;
PByte(PBuffer +$10)^ := PByte(PBuffer +$18)^;
PByte(PBuffer +$18)^ := Condition;
PByte(PBuffer +$1F)^ := PByte(PBuffer +$1F)^ xor $7D;
end
else
begin
Condition := PByte(PBuffer +2)^;
PByte(PBuffer +2)^ := PByte(PBuffer +$B)^;
PByte(PBuffer +$B)^ := Condition;
PByte(PBuffer +8)^ := PByte(PBuffer +8)^ xor $DF;
PByte(PBuffer)^ := PByte(PBuffer)^ xor $A;
Condition := SAR(PByte(PBuffer +$A)^, 1) and 1;
Condition2 := SAR(PByte(PBuffer +$A)^, 5) and 1;
if (Condition = 0) then
PByte(PBuffer +$A)^ := PByte(PBuffer +$A)^ and $FD //09BFD1E6
else
PByte(PBuffer +$A)^ := PByte(PBuffer +$A)^ or $20;
if (Condition2 = 0) then
PByte(PBuffer +$A)^ := PByte(PBuffer +$A)^ and $FD //09BFD251
else
PByte(PBuffer +$A)^ := PByte(PBuffer +$A)^ or 2; //09BFD242
Condition := SAR(PByte(PBuffer +$C)^, 6);
Condition2 := PByte(PBuffer +$C)^ shl 2;
PByte(PBuffer +$C)^ := (Condition or Condition2);
end;
end;
If the encrypted data does not have a packet counter byte, then
here is the encryption order:
BuildPacket -> EncXor32Bytes -> EncryptLevel2 -> EncDec
PS. decryption was made simply by inverting the encryption functions
PSS. $F1 (Case 32) was reversed while debugging.. the other cases were simply ripped from main.exe and ported to Delphi ))
PSSSSSSSSSSSSS. SAR is simply SHR, as the shift value is never negative
I wanna note to all those who wish to reverse the Ex700 crypt..
There are 3 levels of encryption now
1 is the base 32-byte xor
2 is byte swapping with small bit moving
3 is the same shit with shifting bits etc..
1 and 3 are shit, except that the 3rd level uses a switch function too, but it never changes the way the Level2 encryption changes between main.exe versions.. and its code is obfuscated, while Level3 is clean code ;)
Plus Level2 is used on specific packets only, for eg: Login, GameGuard heartbeat, Skill attack and more.. including C1 packets, and each function has the same 3 switch cases.. with 1k lines of code )))) crap! But the good news is that Level2 encryption is used only on packets sent by the client and can simply be disabled (in case u are a server dev) by NOPing just 1 call :)
PS. SimpleModulus had a checksum of each block and knew when enc or dec data were wrong.. while this does not check, but simply does the work. This can be exploited to overflow GS.. so think ) it's worth reversing it and using the original EncDec of Ex700 )))
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
To add to what mauka said, level2 encryption uses 4 types of operations:
- byte xor'ing
- swapping of 2 bytes
- enabling/disabling a single bit in given byte according to other bit in the same byte
- ROR (encrypt) and ROL (decrypt)
Now, byte numbers, bit numbers, xor values, ROR/ROL shift values - all this is random (by random I mean: generated when Webzen makes new release of main.exe). The number and type of operations used in each block is random, too. This is a really nice protection, like mauka said - there are ~1k lines of code, that changes with every version or compilation of main.exe :)
Another riddle is how they change level3 encryption after 2048/4096/... packets sent (C3/C4 packets only). Because there's a set of pairs of functions for encrypt/decrypt, and the order of those functions varies each time you run main.exe. E.g.: you run main.exe, and you see it uses Encryption1, then Encryption7, and then Encryption2. But then you run main.exe again, and it uses Encryption1, Encryption4, and Encryption8 (just an example). I have no idea how they set the order of the level3 encryption functions :)
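mauka's EncryptLevel2/DecryptLevel2 listing and the four operation classes Dudi2 lists above, reduced to a table-driven transform with its exact inverse; this is an added example, not code from the thread. The op tables and the content-size classes are constructed for illustration (a few constants are copied from mauka's listing), not the values of any real main.exe build.

```c
/* Added example: the Ex700 "level 2" layer as a list of invertible steps.
 * Tables are constructed; real offsets/constants change per main.exe build. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One step. Offsets are relative to the packet content (after header and
 * counter), like mauka's PBuffer. */
typedef enum { OP_XOR, OP_SWAP, OP_BITSWAP, OP_ROR } op_kind;
typedef struct {
    op_kind kind;
    uint8_t a;  /* byte offset */
    uint8_t b;  /* XOR: constant; SWAP: second offset; BITSWAP: first bit; ROR: shift */
    uint8_t c;  /* BITSWAP: second bit */
} l2_op;

static uint8_t ror8(uint8_t v, unsigned n) { n &= 7; return (uint8_t)((v >> n) | (v << ((8 - n) & 7))); }
static uint8_t rol8(uint8_t v, unsigned n) { n &= 7; return (uint8_t)((v << n) | (v >> ((8 - n) & 7))); }

/* Exchange bits i and j of one byte. mauka's pairs of "read bit X and bit Y,
 * then and/or-mask each into the other's place" are this operation; it is its
 * own inverse, which is why encrypt and decrypt share that code. */
static uint8_t bitswap8(uint8_t v, unsigned i, unsigned j)
{
    unsigned bi = (v >> i) & 1u, bj = (v >> j) & 1u;
    v &= (uint8_t)~((1u << i) | (1u << j));
    return (uint8_t)(v | (bj << i) | (bi << j));
}

/* Constructed tables, one per content-size class as in mauka's procedures. */
static const l2_op TBL_LT8[]  = { {OP_ROR,2,2,0}, {OP_XOR,2,0x91,0}, {OP_XOR,3,0xF6,0} };
static const l2_op TBL_LT16[] = { {OP_BITSWAP,7,4,5}, {OP_BITSWAP,3,4,2}, {OP_XOR,3,0x85,0} };
static const l2_op TBL_LT32[] = { {OP_XOR,1,0x1A,0}, {OP_BITSWAP,0x15,2,5}, {OP_BITSWAP,6,7,6},
                                  {OP_XOR,0x11,0xAC,0}, {OP_BITSWAP,2,5,2}, {OP_ROR,4,2,0},
                                  {OP_SWAP,0x18,3,0}, {OP_ROR,0x1A,3,0}, {OP_SWAP,0x10,0x18,0},
                                  {OP_XOR,0x1F,0x7D,0} };
static const l2_op TBL_GE32[] = { {OP_SWAP,2,0x0B,0}, {OP_XOR,8,0xDF,0}, {OP_XOR,0,0x0A,0},
                                  {OP_BITSWAP,0x0A,1,5}, {OP_ROR,0x0C,6,0} };

static const l2_op *l2_table_for(size_t len, size_t *nops)
{
    if (len < 4)  { *nops = 0; return NULL; }   /* no level 2 below 4 bytes */
    if (len < 8)  { *nops = sizeof TBL_LT8  / sizeof *TBL_LT8;  return TBL_LT8;  }
    if (len < 16) { *nops = sizeof TBL_LT16 / sizeof *TBL_LT16; return TBL_LT16; }
    if (len < 32) { *nops = sizeof TBL_LT32 / sizeof *TBL_LT32; return TBL_LT32; }
    *nops = sizeof TBL_GE32 / sizeof *TBL_GE32; return TBL_GE32;
}

/* Apply one step. Steps that reach outside the content are skipped instead
 * of written; the raw Delphi port would write past a short buffer. */
static void apply_op(uint8_t *buf, size_t len, const l2_op *op, bool decrypt)
{
    if (op->a >= len || (op->kind == OP_SWAP && op->b >= len))
        return;
    switch (op->kind) {
    case OP_XOR:     buf[op->a] ^= op->b; break;
    case OP_SWAP:  { uint8_t t = buf[op->a]; buf[op->a] = buf[op->b]; buf[op->b] = t; break; }
    case OP_BITSWAP: buf[op->a] = bitswap8(buf[op->a], op->b, op->c); break;
    case OP_ROR:     buf[op->a] = decrypt ? rol8(buf[op->a], op->b)
                                          : ror8(buf[op->a], op->b); break;
    }
}

/* Encrypt walks the table forward; decrypt walks it backward with ROR turned
 * into ROL, which is the "simply inverting" mauka describes. */
void l2_encrypt(uint8_t *content, size_t len)
{
    size_t n; const l2_op *t = l2_table_for(len, &n);
    for (size_t i = 0; i < n; i++) apply_op(content, len, &t[i], false);
}
void l2_decrypt(uint8_t *content, size_t len)
{
    size_t n; const l2_op *t = l2_table_for(len, &n);
    for (size_t i = n; i-- > 0; ) apply_op(content, len, &t[i], true);
}

/* Round trip on a constructed content buffer of the given size: true when
 * encryption changed the data and decryption restored it exactly. */
bool l2_roundtrip_ok(size_t len)
{
    uint8_t orig[64], work[64];
    if (len > sizeof orig) return false;
    for (size_t i = 0; i < len; i++) orig[i] = (uint8_t)(i * 7 + 3);
    memcpy(work, orig, len);
    l2_encrypt(work, len);
    bool changed = (len >= 4) && memcmp(work, orig, len) != 0;
    l2_decrypt(work, len);
    return changed && memcmp(work, orig, len) == 0;
}

int main(void)
{
    size_t sizes[] = { 6, 12, 20, 40 };
    for (size_t i = 0; i < sizeof sizes / sizeof *sizes; i++)
        printf("content %2zu bytes: round trip %s\n", sizes[i], l2_roundtrip_ok(sizes[i]) ? "ok" : "FAILED");
    return 0;
}
```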
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Well.. the only way main.exe can know if it's the single running instance or not is a MUTEX, or the way CMStarteClone starts Mu -> main.exe (I posted an example). It checks for a file mapping, and if it exists it skips it and creates a new mapping file for the newly created client ;)
And by command line args the mapping file name is passed to MU, and from Mu to Main.exe ;) and by this or a mutex main.exe can only know if there was a previously launched main.exe or not ;)
It would be easy to test.. without reversing and debugging CMStarterCore or main.exe
-> Start mu from site
-> Kill process CMStarterCore
-> Start another mu from site and start check
There is nothing in the world, and never will be, that is "RANDOM"; everything can be calculated ;))
Ps. sorry, I'm very drunk now ))) came to troll, but will write again.. some crap
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Bad Unpacking... main = crashes.
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Quote:
Originally Posted by
mauro07
Bad Unpacking... main = crashes.
Have u applied the fixes from Dudi on the main?
I have a problem: after putting in account and pass and clicking login, it just stays at that main screen and doesn't jump into the character selection screen. The main 1.04.07 from Tomatoes works, but not this main, I don't know why.
Please, can anyone share with me your experience on this?
Thanks a lot
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
For reversing Protocol eX701, I hope this main can help :)
This is a main that is not obfuscated, using Protocol Kor (with some modifications). Chinese hacked the Mu source and built it; I unpacked it.
MainDe.rar
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Quote:
Originally Posted by
tomatoes
For reversing Protocol eX701, I hope this main can help :)
This is a main that is not obfuscated, using Protocol Kor (with some modifications). Chinese hacked the Mu source and built it; I unpacked it.
MainDe.rar
LOL.. I reversed part of it in obfuscated code ))) this will help a lot, thanks
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Tomatoes, can you put Ex701.dll here?
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Quote:
Originally Posted by
mauro07
Tomatoes, can you put Ex701.dll here?
No, that dll is hooked by me, not the original; I removed the function code that loads smd in order to write the hook into that dll, no need for Ex701.dll :)
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Quote:
Originally Posted by
tomatoes
For reverse Protocol eX701,I hope this main can be help :)
This is main no obfuscated,use Protocol Kor (with some modified).Chinese hacked Mu Source and build it,I unpacked.
MainDe.rar
Tomatoes, don't you have the sources for the client side of Ex701?
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
1. pressing 'V' crashes the client.
2. can't open bag and warehouse
Is there someone who can fix it?
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
IP, serial, port, version ???
Quote:
01171B5C // Port : 44405
0117233A // IP : connect.muonline.webzen.com
011730F8 // Version : 2275<
01173100 // Serial : Odn62c0Tt01SzpT7
<<< no
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Quote:
Originally Posted by
user_MU
IP, serial, port, version ???
<<< no
Version : 2275< <=> 1.04.17
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
All "main all fix" links are dead. Re-upload please.
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
One question, idk if I missed it in the first post, but does this client support multi client?
-
1 Attachment(s)
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Code:
MSG "GMO main.exe unpack script v0.000001 by Mauka"
BC
BPHWC
ESTEP
ESTEP
BPHWS esp,"r"
ERUN //Run
ESTEP
ESTI
ESTEP
ESTI //Step Into
CMT eip,"The (near) OEP, by mauka"
BPHWC
FIND eip, #6A02E8????????59C3# //Fix float error at run time
CMP $RESULT, 0
JNE FOUNDFIX
MSG "Script finished, dump and restore IAT"
FOUNDFIX:
CMT $RESULT,"This is the FLOAT ERROR!"
FILL $RESULT, 8, 90
MSG "Script finished and did one additional fix of main.exe, dump and restore IAT"
xD
Have fun, my first Olly script. Attachment 121373
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
Could u upload a video? Thanks
-
Re: Unpacked Ex700 PLUS main.exe of GMO (1.14.17 / 114q)
TT 11.70.01 main doesn't work.
Enter login\pass - ........