AES Key Extractor

[shailist]

Works for up 64bit versions (testes on up-to-date) and for 32bit versions (tested on v207+).
Requires Python 3.6+.
Prints the full AES key and the stripped AES key (which is the key that is actually used by MapleStory).



Screenshot:

Also, if the script doesn't seem to work for your ZLZ.dll, it is probably because it is old and it doesn't contain the function that updates the key. If that is the case, try the following key:

0x13, 0x00, 0x00, 0x00,
0x52, 0x00, 0x00, 0x00,
0x2a, 0x00, 0x00, 0x00,
0x5b, 0x00, 0x00, 0x00,
0x08, 0x00, 0x00, 0x00,
0x02, 0x00, 0x00, 0x00,
0x10, 0x00, 0x00, 0x00,
0x60, 0x00, 0x00, 0x00

or stripped:

0x13, 0x52,0x2a, 0x5b, 0x08, 0x02, 0x10, 0x60

If this key also doesn't work, feel free to post your ZLZ.dll below, when I have time I'll take a look at it. If the script works for it or it is the old key (see above), don't even expect a reply.

Have fun!

 

[zhyon]

Thanks for sharing the script.

 

[rkqhtls]

Can I get a aes key in this zlz.dll??

 

[shailist]

Can I get a aes key in this zlz.dll??

wtf is this ZLZ.dll, seems to not contain an AES key
What version is it from?

Edit:
After digging into it a little bit, I've found that there isn't actually a routine that initializes the AES key in this DLL.
Example of a ZLZ.dll which contains a key initialization routine:

The one you sent:

So there are 2 options:
1. This DLL is broken.
2. The AES key in this DLL is just the one that is compiled into the data section of the binary, which is:

0x13, 0x00, 0x00, 0x00,
0x52, 0x00, 0x00, 0x00,
0x2a, 0x00, 0x00, 0x00,
0x5b, 0x00, 0x00, 0x00,
0x08, 0x00, 0x00, 0x00,
0x02, 0x00, 0x00, 0x00,
0x10, 0x00, 0x00, 0x00,
0x60, 0x00, 0x00, 0x00

or stripped:

0x13, 0x52, 0x2a, 0x5b, 0x08, 0x02, 0x10, 0x60

 

[rkqhtls]

Thank you so much!! This is korean private server maple dll. 109v(maybe 1xx downgrade or upgrade modifired version).
If you want to get some information, download client this file

 

[HowardTD]

I'm also having trouble extracting aes key from this file, can you help me get it please? I tried and it doesn't work

 

[shailist]

I'm also having trouble extracting aes key from this file, can you help me get it please? I tried and it doesn't work

Seems to be the same case as the one rkqhtls sent.
You can see my answer:

wtf is this ZLZ.dll, seems to not contain an AES key
What version is it from?

Edit:
After digging into it a little bit, I've found that there isn't actually a routine that initializes the AES key in this DLL.
Example of a ZLZ.dll which contains a key initialization routine:
View attachment 255155

The one you sent:
View attachment 255154
So there are 2 options:
1. This DLL is broken.
2. The AES key in this DLL is just the one that is compiled into the data section of the binary, which is:

0x13, 0x00, 0x00, 0x00,
0x52, 0x00, 0x00, 0x00,
0x2a, 0x00, 0x00, 0x00,
0x5b, 0x00, 0x00, 0x00,
0x08, 0x00, 0x00, 0x00,
0x02, 0x00, 0x00, 0x00,
0x10, 0x00, 0x00, 0x00,
0x60, 0x00, 0x00, 0x00

or stripped:

0x13, 0x52, 0x2a, 0x5b, 0x08, 0x02, 0x10, 0x60

 

[godhyun]

Can I get aeskey from zlz.dll?
I run the script and it doesn't find it.
I think I will be happy if you help me

 

[shailist]

Can I get aeskey from zlz.dll?
I run the script and it doesn't find it.
I think I will be happy if you help me

Seems to be the same case as the one rkqhtls sent.
You can see my answer:

wtf is this ZLZ.dll, seems to not contain an AES key
What version is it from?

Edit:
After digging into it a little bit, I've found that there isn't actually a routine that initializes the AES key in this DLL.
Example of a ZLZ.dll which contains a key initialization routine:
View attachment 255155

The one you sent:
View attachment 255154
So there are 2 options:
1. This DLL is broken.
2. The AES key in this DLL is just the one that is compiled into the data section of the binary, which is:

0x13, 0x00, 0x00, 0x00,
0x52, 0x00, 0x00, 0x00,
0x2a, 0x00, 0x00, 0x00,
0x5b, 0x00, 0x00, 0x00,
0x08, 0x00, 0x00, 0x00,
0x02, 0x00, 0x00, 0x00,
0x10, 0x00, 0x00, 0x00,
0x60, 0x00, 0x00, 0x00

or stripped:

0x13, 0x52, 0x2a, 0x5b, 0x08, 0x02, 0x10, 0x60

Also, I've updated the thread to state the matter, I'm not gonna find AES keys for ZLZ.dlls that people will post if you aren't going to bother checking previous answers and specifying the version (for anyone in the future)

 

[godhyun]

Seems to be the same case as the one rkqhtls sent.
You can see my answer:


Also, I've updated the thread to state the matter, I'm not gonna find AES keys for ZLZ.dlls that people will post if you aren't going to bother checking previous answers and specifying the version (for anyone in the future)

thank you for your help sir
Sorry for annoying you
private server kms v95 or v109

Did you find the key using the shared script?
Or is there another way?

 

[shailist]

thank you for your help sir
Sorry for annoying you
private server kms v95 or v109

Did you find the key using the shared script?
Or is there another way?

all cool,
and there is no magic way to do it, I've just reversed this DLL enough to be familiar with its structure, and I can recognize the relevant functions in IDA

 

[godhyun]

all cool,
and there is no magic way to do it, I've just reversed this DLL enough to be familiar with its structure, and I can recognize the relevant functions in IDA

Are you familiar with packet decryption?
I came here while researching packet decryption.

 

[shailist]

Are you familiar with packet decryption?
I came here while researching packet decryption.

You should take a look at existing server sources and

You must be registered to see links

.
I never reversed it myself (because there is no reason to), but you can learn how it works by looking at existing tools.

 

[godhyun]

You should take a look at existing server sources and

You must be registered to see links

.
I never reversed it myself (because there is no reason to), but you can learn how it works by looking at existing tools.

What are AES keys used for?
I came looking for it without even knowing where it was used. lol
Thank you as always for your kind answers.

 

[shailist]

What are AES keys used for?
I came looking for it without even knowing where it was used. lol
Thank you as always for your kind answers.

The AES keys are used for packet encryption and decryption.
The algorithm is a bit weird and I can't explain it in a single message, but AES is used to "progress" the encryption key.
You should take a look at MapleShark or existing server sources to understand it further

 

[godhyun]

AES 키는 패킷 암호화 및 암호 해독에 사용됩니다.
알고리즘이 좀 이상해서 단일 메시지로 설명할 수는 없지만 AES는 암호화 키를 "진행"하는 데 사용됩니다.
더 자세히 이해하려면 MapleShark 또는 기존 서버 소스를 살펴봐야 합니다.

Could you please help me?
I have been searching the internet for a month trying to learn this technique but with little success.
I'd like to see a detailed explanation.
I think the Maple Shark is broken.

If you don't mind, could you add holy0918 to Discord?
If you can't add, we'll continue the conversation here.

 

[737229091]

that's it

 

[shailist]

that's it

bruh

Anyways:

AES Key: {0xBF, 0x14, 0xD6, 0x7E, 0x2D, 0xDC, 0x8E, 0x66, 0x83, 0xEF, 0x57, 0x49, 0x61, 0xFF, 0x69, 0x8F, 0x61, 0xCD, 0xD1, 0x1E, 0x9D, 0x9C, 0x16, 0x72, 0x72, 0xE6, 0x1D, 0xF0, 0x84, 0x4F, 0x4A, 0x77}
Stripped AES Key: {0xBF, 0x2D, 0x83, 0x61, 0x61, 0x9D, 0x72, 0x84}

 

[737229091]

bruh
View attachment 257729

Anyways:

AES Key: {0xBF, 0x14, 0xD6, 0x7E, 0x2D, 0xDC, 0x8E, 0x66, 0x83, 0xEF, 0x57, 0x49, 0x61, 0xFF, 0x69, 0x8F, 0x61, 0xCD, 0xD1, 0x1E, 0x9D, 0x9C, 0x16, 0x72, 0x72, 0xE6, 0x1D, 0xF0, 0x84, 0x4F, 0x4A, 0x77}
Stripped AES Key: {0xBF, 0x2D, 0x83, 0x61, 0x61, 0x9D, 0x72, 0x84}

thx my bro, but I still have a question for you. I used this to replace MAPLESHARK's AES and then captured the packet and it was still encrypted. Do I need to change any settings?

I just researched this and it bothers me so much

And this error will be reported every time the program is started. Does this have any impact?
"System.UnauthorizedAccessException" (located in mscorlib.dll)
Error registering file association: System.UnauthorizedAccessException: Access to registry key 'HKEY_CLASSES_ROOT\.msb' is denied

 

[shailist]

thx my bro, but I still have a question for you. I used this to replace MAPLESHARK's AES and then captured the packet and it was still encrypted. Do I need to change any settings?

I just researched this and it bothers me so much

And this error will be reported every time the program is started. Does this have any impact?
"System.UnauthorizedAccessException" (located in mscorlib.dll)
Error registering file association: System.UnauthorizedAccessException: Access to registry key 'HKEY_CLASSES_ROOT\.msb' is denied

Nah, the error doesn't really matter.
Anyways, the public MapleShark version on GitHub isn't very updated and can do some funky stuff when sniffing modern versions of MapleStory. You might need to tweak some stuff in the code to make it work, and there is also a high chance that CMS is using a slightly different encryption method than GMS/KMS (which are what MapleShark mainly targeted at the time)