Can anyone help me :blush:?
Function                        Segment  Start     Length    R F L S B T =
CClientSocket::Close            .text    00440B2A  0000001D  R . . . . . .
CClientSocket::ManipulatePacket .text    0044104D  000000ED  R . . . . . .
CClientSocket::OnConnect        .text    0043F9CD  00000577  R . . . . . .
CClientSocket::OnError          .text    00440A5D  00000075  R . . . . . .
CClientSocket::OnRead           .text    00440932  0000012B  R . . . . . .
CClientSocket::ProcessPacket    .text    00441181  000000D6  R . . . . . .
CClientSocket::SendPacket       .text    00440B47  0000013C  R . . . . . .
CIGCipher::MorphKey             .text    00623C94  0000005D  R . . . . . .
CIGCipher::innoHash             .text    00623C59  0000003B  R . . . B . .
CIOBufferManipulator::_De       .text    004FDD91  00000218  R . . . . . .
CInPacket::AppendBuffer         .text    004FDC2A  0000010A  R . . . B T .
CInPacket::CInPacket            .text    004FDBA5  00000085  R . . . . . .
CInPacket::Decode1              .text    004165EA  00000036  R . . . B . .
CInPacket::Decode2              .text    00416620  00000039  R . . . B . .
COutPacket::COutPacket          .text    004FDFA9  00000049  R . . . . . .
COutPacket::Encode1             .text    0042CE64  0000001E  R . . . . . .
COutPacket::Init                .text    004FDFF2  00000028  R . . . . . .
COutPacket::MakeBufferList      .text    004FE01A  00000342  R . . . . . .
CWvsApp::Run                    .text    00603D7B  000002D6  R . . . . . .
ZtlSecure_Get                   .text    00441DF8  000000B5  R . . . B . .
ZtlSecure_Set                   .text    00441EAD  000000BE  R . . . B . .
Thanks a lot for the detailed analysis. I'm a beginner in reverse engineering, so I used the 'ASProtect Unpacker' to unpack the executable. The AES decryption is done for me, but I'm troubled with the Shanda decryption: I analysed the "Decode1" and "Decode2" you quoted above, but it's too hard for me. Could you please help me translate the Shanda decryption/encryption algorithm into a Java/C version? Many thanks.
Great, thanks! I have tried, but I still have some problems. I'm using the v83 Odin server code, and changed the MAPLE_VERSION const from 83 to 35 and the MAPLE_TYPE const from 8 to 4.
My hello packet is : 0E 00 23 00 01 00 31 46 72 7A 52 52 30 78 73 04
(recv IV is 70, 114, 122, 82; send IV is 82, 48, 120, 115)
Then the CMS 035 client shows the login UI; I think this means my hello packet works well.
Then I enter account "aaaa" and password "111111" and click the login button, and I receive this message from the client:
64 A4 9F 07 FD 4D 6C 49 4A 3D 96 FE C8 44 85 E4 79 FE EE E3 C7 3E 9B BF 42 3B 97 B2 4E 36 F8 DB F4 8C 0D D9
After AES decryption, it becomes:
71 1A 5B 6A 7E B9 C9 EA 15 17 7E E4 C0 B4 64 6D 1E E7 8A 13 C9 B0 8C 09 4C 7F F5 6F F8 A9 2C 5D 03 2D D4 D5
Then, after Shanda decryption, it becomes:
E2 FB 40 7E 67 08 B6 77 F4 CC 0E 3E 5D 72 D1 9A 2C 7C F6 44 16 6A 7F 2F ED 39 C8 DE 96 F7 95 04 59 88 C9 6F
I think it's wrong, because the opcode is E2 FB when it should be 01 00, and the data doesn't contain my account "aaaa" or password "111111".
I checked the "AES user key" and the "IV transformation key"; they are the same as you mentioned above. I compared "MapleAESOFB.java" and "MapleCustomEncryption.java" in my project and in SnowMS; they are completely the same.
So I'm stuck here, and don't know how to check what went wrong.
BTW, when I change MAPLE_VERSION and MAPLE_TYPE back, the GMS 083 client works well and can log in normally.
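To make the pieces of this exchange concrete, here is an added Python example (written for this page, not code from the thread or from the Odin/SnowMS sources). It parses and rebuilds the hello packet quoted above, computes and checks the 4-byte packet header that carries MAPLE_VERSION, and implements the "Shanda" custom encryption with a round-trip check. The hello layout is read off the bytes in the post; the header and the custom cipher follow Odin's MapleAESOFB.getPacketHeader and MapleCustomEncryption as I remember them, so treat them as an assumption to compare against your own copies. All function names are mine, and the login body is a constructed stand-in, not the poster's real packet.

```python
import struct

# Bytes quoted in the thread above, copied here as sample input.
HELLO = bytes.fromhex("0E00 2300 0100 31 46727A52 52307873 04")
AFTER_AES = bytes.fromhex(
    "711A5B6A7EB9C9EA15177EE4C0B4646D1EE78A13C9B08C094C7FF56FF8A92C5D032DD4D5")


def parse_hello(packet: bytes) -> dict:
    """u16 length, u16 version, maple string (u16 len + ASCII) patch,
    4-byte recv IV, 4-byte send IV, u8 locale. Layout assumed from the
    quoted bytes and Odin's getHello; it is not taken from the client."""
    length, version, patch_len = struct.unpack_from("<HHH", packet, 0)
    off = 6
    patch = packet[off:off + patch_len].decode("ascii")
    off += patch_len
    recv_iv, send_iv = packet[off:off + 4], packet[off + 4:off + 8]
    off += 8
    locale = packet[off]
    off += 1
    # The length word counts every byte after itself; a mismatch means the
    # layout above is not what was actually sent.
    if length != off - 2:
        raise ValueError(f"length field {length} != {off - 2} bytes parsed")
    return {"version": version, "patch": patch, "recv_iv": recv_iv,
            "send_iv": send_iv, "locale": locale}


def build_hello(version: int, patch: str, recv_iv, send_iv, locale: int) -> bytes:
    body = (struct.pack("<HH", version, len(patch)) + patch.encode("ascii")
            + bytes(recv_iv) + bytes(send_iv) + bytes([locale]))
    return struct.pack("<H", len(body)) + body


def packet_header(iv: bytes, version: int, length: int) -> bytes:
    """4-byte header in front of every encrypted packet (Odin's
    MapleAESOFB.getPacketHeader, from memory): IV[2..3] XOR version, then
    that XOR the byte-swapped body length. The server's own send side uses
    0xFFFF - MAPLE_VERSION; the receive side checks plain MAPLE_VERSION."""
    iiv = ((iv[2] << 8) | iv[3]) ^ version
    mlength = ((length << 8) & 0xFF00) | (length >> 8)
    xored = iiv ^ mlength
    return bytes([iiv >> 8, iiv & 0xFF, xored >> 8, xored & 0xFF])


def check_header(header: bytes, iv: bytes, version: int) -> bool:
    """False when the peer built the header with a different version."""
    return ((header[0] ^ iv[2]) == ((version >> 8) & 0xFF)
            and (header[1] ^ iv[3]) == (version & 0xFF))


def header_length(header: bytes) -> int:
    return ((header[0] ^ header[2]) & 0xFF) | (((header[1] ^ header[3]) << 8) & 0xFF00)


def _rol8(b: int, n: int) -> int:
    n %= 8
    return ((b << n) | (b >> (8 - n))) & 0xFF


def _ror8(b: int, n: int) -> int:
    n %= 8
    return ((b >> n) | (b << (8 - n))) & 0xFF


def shanda_encrypt(data: bytes) -> bytes:
    """Six alternating forward/backward passes of rotate, add-length and chained
    XOR (Odin's MapleCustomEncryption.encryptData, from memory)."""
    buf = bytearray(data)
    for rnd in range(6):
        remember = 0
        length = len(buf) & 0xFF
        if rnd % 2 == 0:
            for i in range(len(buf)):
                cur = (_rol8(buf[i], 3) + length) & 0xFF
                cur ^= remember
                remember = cur
                cur = _ror8(cur, length)
                buf[i] = (((~cur) & 0xFF) + 0x48) & 0xFF
                length = (length - 1) & 0xFF
        else:
            for i in reversed(range(len(buf))):
                cur = (_rol8(buf[i], 4) + length) & 0xFF
                cur ^= remember
                remember = cur
                buf[i] = _ror8(cur ^ 0x13, 3)
                length = (length - 1) & 0xFF
    return bytes(buf)


def shanda_decrypt(data: bytes) -> bytes:
    """Exact inverse of shanda_encrypt: passes undone in reverse order."""
    buf = bytearray(data)
    for rnd in range(1, 7):
        remember = 0
        length = len(buf) & 0xFF
        if rnd % 2 == 0:
            for i in range(len(buf)):
                cur = _rol8((~((buf[i] - 0x48) & 0xFF)) & 0xFF, length)
                cur, remember = cur ^ remember, cur   # chain uses the pre-XOR value
                buf[i] = _ror8((cur - length) & 0xFF, 3)
                length = (length - 1) & 0xFF
        else:
            for i in reversed(range(len(buf))):
                cur = _rol8(buf[i], 3) ^ 0x13
                cur, remember = cur ^ remember, cur
                buf[i] = _ror8((cur - length) & 0xFF, 4)
                length = (length - 1) & 0xFF
    return bytes(buf)


def maple_string(s: str) -> bytes:
    return struct.pack("<H", len(s)) + s.encode("ascii")


# Constructed stand-in for the login request: opcode 01 00, account, password.
LOGIN = b"\x01\x00" + maple_string("aaaa") + maple_string("111111")


def login_round_trip() -> bool:
    return shanda_decrypt(shanda_encrypt(LOGIN)) == LOGIN


if __name__ == "__main__":
    hello = parse_hello(HELLO)
    print(hello)
    hdr = packet_header(hello["recv_iv"], 35, len(AFTER_AES))
    print("header", hdr.hex(), "version ok:", check_header(hdr, hello["recv_iv"], 35),
          "length:", header_length(hdr))
    print("custom-decrypted:", shanda_decrypt(AFTER_AES).hex())
```

The last line of the script runs this custom decryption over the 36 bytes the poster shows after AES. If the output equals their E2 FB ... bytes, their MapleCustomEncryption behaves like this one and the fault is upstream (the AES key, the IV the client actually used, or a version mismatch that the header check would expose); if it differs, the custom cipher itself is the thing to diff. Note that check_header only passes when the client built the header with the same version the server checks with, so it is the first thing to verify after changing MAPLE_VERSION.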