Localhost Workshop

Experienced Elementalist
Joined
Oct 25, 2008
Messages
224
Reaction score
314
Occasionally I find myself bored and in unpacking mood. I've also seemingly rediscovered a fondness for old MapleStory versions, so I figured why not combine the two and help out the community. Is there a particular version you've always wanted a proper client for? Request it here!

Rules:
* I can only make localhosts for versions <= GMS v111 (or equivalents for other maple regions - ca. 2012). This is because VMProtect - and later on newer Themida VM models - cannot be unvirtualized as perfectly as the old CISC-2.
* There must be full game files available (e.g. on msdl, or provided by yourself) for the version you're requesting.

You'll get a fully unprotected single exe binary file that can simply be dropped into the game folder and should run without further complications (compatibility mode settings may be required for old versions on modern Windows). All my binaries are optimized for low file size and performance (in terms of disabling security checks official clients do).

Completed works:
GMS v28 (Aug 2006):
GMS v48 (Dec 2007):
GMS v53 (Mar 2008):
GMS v62 (Nov 2008):
GMS v62 4GB:
GMS v68 (Apr 2009):
GMS v68 4GB:
GMS v83.1 (Feb 2010):
GMS v83.1 4GB:
GMS v87.1 (Jun 2010):
GMS v87.1 4GB:
GMS v92.1 (Nov 2010):
GMS v92.1 4GB:
GMS v95.1 (Jan 2011):
GMS v111.1 (May 2012):

EMS v65.1 (Oct 2010):
EMS v76.1 (Oct 2011):
EMS v87.1 (Feb 2013):

BMS v8 (Oct 2008):
BMS v19 (Nov 2009):

TMS v72 (Apr 2008):
TMS v90 (Mar 2009):

JMS v186 (Sep 2010):

VMS v23 (Oct 2008):

THMS v96.1 (Aug 2011):

Note: Unpacked clients can occasionally have false positive AV detections such as "Trojan.Win32/Mapstosteal". That is nothing to worry about and should simply be whitelisted. The signature name is pretty suspicious tbh. I sometimes wonder if Nexon submitted byte sequences to AV vendors in the past to detect unpacked clients, in order to scare people off from playing private servers...

The "4GB" variants are patched to activate the "large address space aware" (LAA) flag in the PE header. This will allow the client to use up to 4 GB of memory instead of only 2. This is required to fix sound on Wine, and on Windows it can also help prevent/lessen the so-called "GFX issues". When in doubt, you should always prefer this variant. In v93+ it is always set because Nexon activated it.

Server engineering notes
GMS v87: In this version, the client will send you XOffset/YOffset shorts after the foothold in absolute movement elements (CMovePath::Encode), but it does not read them back when processing packets from the server (CMovePath::Decode). This means if your source simply copies packet contents for NPC animation packets, that won't work. You have to parse the packet and then serialize it again the way the client expects it.

GMS v88~v98: These versions had a bug where the melee attack packet contained one more byte at the beginning when hitting a reactor (as opposed to hitting the air or a mob). There's no way to differentiate this other than doing a check such as this:
Code:
// Start of attack parsing; lea is the little-endian packet reader and
// type is the attack kind already derived from the opcode (melee/ranged/magic)
lea.readByte(); // current field key
// v88~v98 only: a melee hit on a reactor carries one extra leading byte, so the
// remaining length is one byte longer than for a hit on a mob or on thin air
if (type == AttackType.MELEE && lea.available() == 55) {
    lea.readByte(); // skip surplus byte when hitting reactor
}

EMS v87: This version is more or less equivalent to GMS v125. I patched out the login RSA crypto for simplicity's sake. Note that the authentication packet structure is different from GMS regardless; the username and password strings are somewhere in the middle of the packet.
This EMS version requires you to explicitly set the MapLogin img for the login screen by sending 1B 00 08 00 4D 61 70 4C 6F 67 69 6E (this is MapLogin; MapLogin1 also works to show Angelic Buster). A good point to send it would be upon receiving the 0x36 packet (LoginCreated) from the client.

EMS v76: RSA crypto patched out; send 16 00 08 00 4D 61 70 4C 6F 67 69 6E upon receiving 1F 00.

JMS v186: Send packet 18 00 08 00 4D 61 70 4C 6F 67 69 6E when receiving 0x1A (see EMS v87 for explanation).

Client patching notes
These are for when you're unpacking a client yourself. Many of these only apply to v67+.

* WinMain: nop ShowStartUpWndModal
* WinMain: jz->jmp for ShowADBalloon code (pretty much at the end of method, above push with small number)
* CWvsApp::CWvsApp: Find mov ecx, ...; mov dword ptr ..., 2; jmp. Higher up in the method, change jnz below ZXString<char>::IsEmpty to jmp <addr of mov ecx>
* CWvsApp::SetUp: Change short jmp at the beginning to long jmp that skips all the crap
* CWvsApp::SetUp: Patch short jz above CSecurityClient::InitModule and ::StartModule to short jmp
* CWvsApp::SetUp: nop MSLoop_Remove (if present, v91+)
* CWvsApp::SetUp: Place another long jmp after CWvsApp::ConnectLogin that skips all the crap (until CreateInstance calls)
* CWvsApp::SetUp: Change short jmp before HShield mutex stuff to long jmp. Jump to push 104h further down the method
* CClientSocket::Connect: Skip IP checks by changing short jmp at beginning of the method to long jmp that goes to the client socket code
* CWvsApp::InitializeInput: Skip crap after CInputSystem::Init, jump to method epilogue
* CWvsApp::Run: After CClientSocket::ManipulatePacket, long jmp to "push 0FFh push 0 push 0"
* CWvsApp::Run: nop call to CSecurityClient::Update while we're at it
* CWvsApp::Run: Below IWzGr2D::RenderFrame (where it does 0-100 rand stuff), place long jmp to push 1; call Sleep way down in the method
* CWvsApp::Run: At the end of the method, there's a call to _free, followed by add esp, 4, followed by a cmp ..., 12h. Skip the free by jmping straight to the cmp.
* CWvsApp::CallUpdate: Near the beginning of the method there's a jle below a test. Change this jle offset to the end of the method where it does some relevant things (GR and ActionMan stuff)
* CActionMan::SweepCache: It has some crap in a virtualized chunk at the top that may be doing more or less shady things depending on your version. Skip it if it looks like it could cause trouble (a couple incs/decs/xors are harmless)
* DR_check: xor eax, eax; ret (33 C0 C3)
* CClientSocket::OnAliveReq: If your version has a virtualized chunk here, skip the entire chunk (short jmp -> long jmp)
* CWvsContext::OnEnterField: Skip virtualized chunk at the top (short jmp -> long jmp). If your version has a check (recognizable by lots of xors) at the end, best to skip that as well by jnz -> jmp

* CLogin::SendCheckPasswordPacket: At the start of the sequence of pushes that contains 0C9h, place a long jmp to further down in the method to the SystemInfo basic block. Do auth patches for encoding the correct strings (user/pw)

Tooling
Magicmida:
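A few of the patches from the "Client patching notes" above expressed as byte-level helpers. This is an added example, not Magicmida and not any tooling from the thread. It works on raw file offsets and assumes the jump source and target lie in the same section (so the file-offset delta equals the RVA delta); the sample PE header and code blob are constructed here for the demonstration.

```python
"""Patch helpers for the client patching notes: LAA flag, short->long jmp, jcc->jmp, nop call, DR_check stub.

Added example, not Magicmida and not code from the thread. Offsets are file
offsets and are assumed to lie in one section; otherwise map through the
section table first. The sample PE image and code blob below are constructed.
"""
import struct

IMAGE_FILE_LARGE_ADDRESS_AWARE = 0x0020
NOP, JMP_SHORT, JMP_NEAR, CALL_NEAR = 0x90, 0xEB, 0xE9, 0xE8
JCC_SHORT = range(0x70, 0x80)                 # jo .. jg, 2-byte forms (74 = jz, 75 = jnz)


def _characteristics_offset(img: bytes) -> int:
    if img[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 18                  # COFF header: Characteristics at +18


def set_large_address_aware(img: bytes) -> bytes:
    """Set the LAA bit in COFF Characteristics (what the '4GB' variants do)."""
    off = _characteristics_offset(img)
    out = bytearray(img)
    chars = struct.unpack_from("<H", img, off)[0]
    struct.pack_into("<H", out, off, chars | IMAGE_FILE_LARGE_ADDRESS_AWARE)
    return bytes(out)


def is_large_address_aware(img: bytes) -> bool:
    off = _characteristics_offset(img)
    return bool(struct.unpack_from("<H", img, off)[0] & IMAGE_FILE_LARGE_ADDRESS_AWARE)


def short_jmp_target(code: bytes, at: int) -> int:
    """Where the 2-byte EB/7x jump at `at` lands (rel8 is relative to the next instruction)."""
    rel8 = struct.unpack_from("<b", code, at + 1)[0]
    return at + 2 + rel8


def short_to_long_jmp(code: bytes, at: int, target: int) -> bytes:
    """Replace the 2-byte jmp/jcc at `at` with an unconditional 5-byte E9 to `target`.
    The three bytes after the old instruction are overwritten, which is only safe when
    nothing else ever executes them (true for the 'skip all the crap' patches, where the
    skipped block is dead once the jump is unconditional)."""
    op = code[at]
    if op != JMP_SHORT and op not in JCC_SHORT:
        raise ValueError(f"no short jump at {at:#x}: {op:#04x}")
    out = bytearray(code)
    out[at] = JMP_NEAR
    struct.pack_into("<i", out, at + 1, target - (at + 5))   # rel32 from next instruction
    return bytes(out)


def jcc_to_short_jmp(code: bytes, at: int) -> bytes:
    """jz/jnz/... -> jmp with the same rel8 (the 'jz -> jmp' / 'jnz -> jmp' notes)."""
    if code[at] not in JCC_SHORT:
        raise ValueError(f"no short jcc at {at:#x}")
    out = bytearray(code)
    out[at] = JMP_SHORT
    return bytes(out)


def nop_call(code: bytes, at: int) -> bytes:
    """Overwrite an E8 rel32 call with five NOPs ('nop ShowStartUpWndModal')."""
    if code[at] != CALL_NEAR:
        raise ValueError(f"no near call at {at:#x}")
    return code[:at] + bytes([NOP] * 5) + code[at + 5:]


def stub_xor_eax_ret(code: bytes, at: int) -> bytes:
    """DR_check -> xor eax, eax; ret (33 C0 C3): the function now reports 'nothing set'."""
    return code[:at] + b"\x33\xC0\xC3" + code[at + 3:]


# Constructed sample PE: MZ stub, e_lfanew = 0x40, COFF Characteristics = 0x010F (no LAA).
SAMPLE_PE = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
             + b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x010F))

# Constructed code blob: jz +6 at 0, six bytes of 'crap', a near call at 8,
# and a DR_check-style prologue (mov edi,edi; push ebp; mov ebp,esp) at 13.
SAMPLE_CODE = b"\x74\x06" + b"\xCC" * 6 + b"\xE8\x00\x00\x00\x00" + b"\x8B\xFF\x55\x8B\xEC"

if __name__ == "__main__":
    print(is_large_address_aware(set_large_address_aware(SAMPLE_PE)))
    print(short_to_long_jmp(SAMPLE_CODE, 0, short_jmp_target(SAMPLE_CODE, 0)).hex(" "))
```

Use `short_jmp_target` first when you want the long jump to keep the original destination, and pass a different target when the note says to jump "further down the method". Patching an unpacked dump this way only makes sense after the IAT has been rebuilt; on a still-packed binary the bytes you see on disk are not the bytes that execute.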
 
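The two server engineering notes above (the v87 CMovePath Encode/Decode asymmetry and the MapLogin packets) in working form, as an added example that is neither Hendi48's code nor taken from any MapleStory server source. Little-endian fields, the uint16-length-prefixed string encoding, the element type numbers (0, 5, 17) and the exact absolute-element layout are assumptions made for the example; the post only states that XOffset/YOffset shorts follow the foothold and are not read back.

```python
"""Server-side packet helpers: v87 movement re-encoding and the 'set login map' packet.

Added example, not code from the thread or from any server source. Assumptions
not stated in the post: little-endian fields; a Maple string is a uint16 length
prefix plus raw ASCII; an absolute movement element (types 0, 5, 17 here) is
  x:int16 y:int16 vx:int16 vy:int16 fh:int16 [xoff:int16 yoff:int16] stance:uint8 duration:int16
where the bracketed pair is the v87 Encode-only extra that Decode does not read.
Other element types raise instead of being guessed at.
"""
import struct


class Reader:
    """Little-endian cursor over a packet body (the 'lea' of the attack snippet)."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def _take(self, fmt: str):
        val = struct.unpack_from("<" + fmt, self.data, self.pos)[0]
        self.pos += struct.calcsize("<" + fmt)
        return val

    def byte(self): return self._take("B")
    def short(self): return self._take("h")
    def available(self): return len(self.data) - self.pos


class Writer:
    """Builder with the same conventions; every method returns self for chaining."""

    def __init__(self):
        self.buf = bytearray()

    def byte(self, v): self.buf += struct.pack("<B", v); return self
    def short(self, v): self.buf += struct.pack("<h", v); return self
    def ushort(self, v): self.buf += struct.pack("<H", v); return self

    def string(self, s: str):               # Maple string: uint16 length + bytes
        raw = s.encode("ascii")
        self.buf += struct.pack("<H", len(raw)) + raw
        return self

    def bytes(self) -> bytes: return bytes(self.buf)


ABSOLUTE_TYPES = {0, 5, 17}                 # assumption, see docstring


def parse_move_path(r: Reader, client_sends_offsets: bool) -> list:
    """Read a path as CMovePath::Encode wrote it (v87: with XOffset/YOffset)."""
    elems = []
    for _ in range(r.byte()):
        t = r.byte()
        if t not in ABSOLUTE_TYPES:
            raise ValueError(f"unsupported movement element type {t}")
        e = {"type": t, "x": r.short(), "y": r.short(),
             "vx": r.short(), "vy": r.short(), "fh": r.short()}
        if client_sends_offsets:
            e["xoff"], e["yoff"] = r.short(), r.short()   # read, never re-sent
        e["stance"], e["duration"] = r.byte(), r.short()
        elems.append(e)
    return elems


def serialize_move_path(elems: list, w: Writer) -> Writer:
    """Write a path as CMovePath::Decode expects it (never with the offsets)."""
    w.byte(len(elems))
    for e in elems:
        (w.byte(e["type"]).short(e["x"]).short(e["y"])
          .short(e["vx"]).short(e["vy"]).short(e["fh"])
          .byte(e["stance"]).short(e["duration"]))
    return w


def reencode_v87_move_path(client_bytes: bytes) -> bytes:
    """What a v87 server must do instead of echoing the client's bytes verbatim."""
    return serialize_move_path(parse_move_path(Reader(client_bytes), True), Writer()).bytes()


def set_login_map_packet(opcode: int, img: str = "MapLogin") -> bytes:
    """Opcode + Maple string naming the login img (0x1B EMS v87, 0x16 EMS v76, 0x18 JMS v186)."""
    return Writer().ushort(opcode).string(img).bytes()


# Constructed sample: one absolute element as a v87 client would send it.
SAMPLE_V87_PATH = (Writer().byte(1).byte(0)
                   .short(100).short(-50).short(0).short(0).short(12)
                   .short(3).short(-3)                      # xoff, yoff
                   .byte(2).short(240).bytes())

if __name__ == "__main__":
    print(reencode_v87_move_path(SAMPLE_V87_PATH).hex(" "))
    print(set_login_map_packet(0x1B).hex(" "))    # 1b 00 08 00 4d 61 70 4c 6f 67 69 6e
```

`set_login_map_packet(0x1B)` reproduces the EMS v87 bytes quoted above, and `"MapLogin1"` simply changes the length prefix to `09 00`. The movement helper is the point of the v87 note: a source that forwards the client's movement bytes into NPC animation packets will produce something the client's Decode cannot parse, so parse, drop the two offset shorts and re-serialize.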
Initiate Mage
Joined
Jan 14, 2018
Messages
14
Reaction score
0
Thank you in advance for this opportunity.

Do you mind doing the v62 localhost from this thread https://forum.ragezone.com/f427/clean-v62-localhost-1068520/ ? The original link is down but I archived a copy and re-uploaded it here


And how about the "official" localhost? I downloaded and extracted the GMSSetupv62.exe from and uploaded just the localhost for convenience


Thanks again!
 
Moderator
Staff member
Moderator
Joined
Jul 30, 2012
Messages
1,094
Reaction score
428
Thank you in advance for this opportunity.

Do you mind doing the v62 localhost from this thread https://forum.ragezone.com/f427/clean-v62-localhost-1068520/ ? The original link is down but I archived a copy and re-uploaded it here


And how about the "official" localhost? I downloaded and extracted the GMSSetupv62.exe from and uploaded just the localhost for convenience


Thanks again!

Just a small note since I replied in that thread: The localhost was not clean; it had tubi and the other usual v62 localhost things enabled. As far as I am aware there's no longer a public clean v0.62 localhost available, nor do I have it in case you wonder :p

Hendi48:
My request would be v0.87 GMS. Why v0.87? It's the very last version that still has the classic login theme before transitioning into big-bang. Would like to have a localhost of it in case we ever need it, and you offer it here, so may as well! v0.87 from what I heard already has some nastier "anti private server" checks in place, but not sure how severe.

A likely easier request if you have time to do two (or not enough ability for v0.87) would be v0.68. v0.67 is a major version that introduced MB, the newer UI, inventory expanding, etc but still has only the explorer classes, so it's closest to v0.62 but with a lot of improvements to QOL.

v0.68 is just a "bug fix" version of v0.67. Also, it's the very last version before nexon changed to Hackshield in v0.69.

Thanks a lot in advance!

Download v68:
Download v87:
 
Experienced Elementalist
Joined
Oct 25, 2008
Messages
224
Reaction score
314
A likely easier request if you have time to do two (or not enough ability for v0.87) would be v0.68. v0.67 is a major version that introduced MB, the newer UI, inventory expanding, etc but still has only the explorer classes, so it's closest to v0.62 but with a lot of improvements to QOL.

Quite honestly, the newer, the easier. v92+ is the easiest for me because it was compiled with MSVC9. v8x is okay. v55-v7x is a pain in the butt because apparently their ancient Themida version outright refuses to run on Windows 10. I'll have to resort to using a VM.
 
Moderator
Staff member
Moderator
Joined
Jul 30, 2012
Messages
1,094
Reaction score
428
Quite honestly, the newer, the easier. v92+ is the easiest for me because it was compiled with MSVC9. v8x is okay. v55-v7x is a pain in the butt because apparently their ancient Themida version outright refuses to run on Windows 10. I'll have to resort to using a VM.

Interesting, I wouldn't have expected compatibility to play a role in doing these. In that case, my main request would be v0.87, and v0.68 if you wish to do one that is a little more painful. Both would still help a lot either way!
 
Initiate Mage
Joined
Jan 14, 2018
Messages
14
Reaction score
0
Just a small note since I replied in that thread: The localhost was not clean; it had tubi and the other usual v62 localhost things enabled. As far as I am aware there's no longer a public clean v0.62 localhost available, nor do I have it in case you wonder :p


Wow I never realized there was tubi in that v62 localhost, I've been using it for years and never noticed it. In any case, I still would like to get an unpacked version of that v62 localhost because it's the best I have. And also the "official" v62 MapleStory.exe that you get from extracting GMSSetupv62.exe (is that possible? pardon my ignorance).
 
Experienced Elementalist
Joined
Oct 25, 2008
Messages
224
Reaction score
314
Wow I never realized there was tubi in that v62 localhost, I've been using it for years and never noticed it. In any case, I still would like to get an unpacked version of that v62 localhost because it's the best I have. And also the "official" v62 MapleStory.exe that you get from extracting GMSSetupv62.exe (is that possible? pardon my ignorance).

I don't bother with existing localhosts. There's all manner of things wrong with them. I've created a clean version from the official binary in GMSSetupv62 now, you can find it in the first post. The only "optional" patches I've done to it are to remove Nexon's annoying ads (starting ad, ending ad, and in this version also ad under windowed mode...).

I've added support to my tooling for the ancient Themida version, so I can process v55-v7x quickly now. Thus I'll do v68 next.

v68 done now too. That version surprised me. It has nearly all parts of the IP checks and Winsock-related anti-tampering that can also be found in later versions in place already. I suppose Nexon got really pissed when v62 was cracked almost straight away back then despite their efforts.
 
Initiate Mage
Joined
Oct 2, 2021
Messages
2
Reaction score
4
Very cool, thanks a bunch Hendi.
I agree with Kimberly that GMS v87 would be a nice addition. The pre-BB scene has been stuck in a v83 rut as of late, and I think it's largely due to the availability of clients.
 
Initiate Mage
Joined
Feb 4, 2009
Messages
4
Reaction score
0
Can you do it for BMS? In addition to the Themida packing, it also makes calls to some anti-cheat on launch; is it possible to strip that off?
 
Experienced Elementalist
Joined
Oct 25, 2008
Messages
224
Reaction score
314
GMS v87 added. This version had the ugly debug register bytes at the beginning of every attack & player movement packet. For some reason I thought they were added in v88, but it could have been v84. They only cleaned up that mess in v99. Oh well.

Very cool, thanks a bunch Hendi.
I agree with Kimberly that GMS v87 would be a nice addition. The pre-BB scene has been stuck in a v83 rut as of late, and I think it's largely due to the availability of clients.
I don't know. I released a v90 localhost back in 2011 and v83 seemingly didn't lose one bit of its momentum.

Can you do it for BMS? In addition to the Themida packing, it also makes calls to some anti-cheat on launch; is it possible to strip that off?
Of course, stripping any anti-cheat is part of the process. You'll have to provide full game files, though.
 
Moderator
Staff member
Moderator
Joined
Jul 30, 2012
Messages
1,094
Reaction score
428
GMS v87 added. This version had the ugly debug register bytes at the beginning of every attack & player movement packet. For some reason I thought they were added in v88, but it could have been v84. They only cleaned up that mess in v99. Oh well.

Out of curiosity since my knowledge of later versions is extremely limited: What exactly are the debug register bytes and what do they do?

Thanks a lot, once again, by the way! I'll leave requests for others now since I have no other personal request as of right now.
 
Experienced Elementalist
Joined
Oct 25, 2008
Messages
224
Reaction score
314
Out of curiosity since my knowledge of later versions is extremely limited: What exactly are the debug register bytes and what do they do?

Thanks a lot, once again, by the way! I'll leave requests for others now since I have no other personal request as of right now.

It's 24 bytes (6 * 4) that specify the negated values of the dr0 through dr3 x86 registers, a random value, and a CRC32 checksum of the debug check result using said random value as initial value. These debug registers are set by debuggers that use hardware breakpoints - e.g. by Cheat Engine when you use the infamous "Tick ZF" on an address in Memory Viewer and have your breakpoint mode set to HW BPs. CE will set one of the four debug registers to the address. Its debugger then receives a debug event when execution hits that address, where it will toggle the zero flag and continue execution. The main advantage of HW BPs is that they don't trip CRC checks.

Nexon wanted to detect cheating by transmitting the register values to the server - in some of the most common packets. For magic attacks they actually fucked up and sent the whole thing twice, meaning 48 bytes of trash. They're also interspersed with other data belonging to the actual packet, meaning you can't just skip it all in one go. It's not terribly bad but still annoying.

Under normal circumstances (and without cheats) the values you'd see on the server side for dr0~dr3 would be all FF. In my localhosts they're random (stack) trash because I stubbed the DR_check method that reads them.
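A server-side parser for the 24-byte block described in the post above, as an added example (not code from the thread or from any server source). It follows the layout the post gives: six dwords holding the negated dr0 to dr3, a random seed and a CRC32 seeded with it. Byte order is an assumption, and since the post does not say what the CRC covers, the value is carried through but not recomputed; the sample blocks are constructed.

```python
"""Parse the 24-byte debug register block at the start of attack/movement packets (v87~v98).

Added example, not code from the thread or any server source. Layout per the
post: six dwords = ~dr0, ~dr1, ~dr2, ~dr3, random seed, CRC32 seeded with it.
Assumed little-endian. The CRC input is not specified on the page, so it is
only carried through here, never recomputed.
"""
import struct

DR_BLOCK_SIZE = 24          # 6 * 4


def parse_dr_block(data: bytes, offset: int = 0):
    """Return ({dr0-3, seed, crc}, offset after the block)."""
    if len(data) - offset < DR_BLOCK_SIZE:
        raise ValueError("packet too short for debug register block")
    raw = struct.unpack_from("<6I", data, offset)
    drs = [(~v) & 0xFFFFFFFF for v in raw[:4]]      # undo the client's negation
    return {"dr0-3": drs, "seed": raw[4], "crc": raw[5]}, offset + DR_BLOCK_SIZE


def hw_breakpoints(block) -> list:
    """Non-zero dr0..dr3 = a hardware breakpoint address is armed (e.g. CE 'Tick ZF')."""
    return [(i, addr) for i, addr in enumerate(block["dr0-3"]) if addr != 0]


def dr_blocks_for(attack_kind: str) -> int:
    # Per the post, magic attacks carry the block twice (48 bytes); others once.
    return 2 if attack_kind == "magic" else 1


def skip_dr_blocks(data: bytes, offset: int, attack_kind: str):
    """Consume the block(s) and return (armed breakpoints, offset of the real payload)."""
    flags = []
    for _ in range(dr_blocks_for(attack_kind)):
        block, offset = parse_dr_block(data, offset)
        flags += hw_breakpoints(block)
    return flags, offset


# Constructed samples: an untouched client (all FF on the wire) and one where
# dr1 holds an address, the way a hardware breakpoint on 0x00401000 would look.
CLEAN = struct.pack("<6I", 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x1234ABCD, 0)
TAMPERED = struct.pack("<6I", 0xFFFFFFFF, (~0x00401000) & 0xFFFFFFFF,
                       0xFFFFFFFF, 0xFFFFFFFF, 0x1234ABCD, 0)

if __name__ == "__main__":
    print(skip_dr_blocks(CLEAN + b"\x07", 0, "melee"))
    print(skip_dr_blocks(CLEAN + TAMPERED + b"\x07", 0, "magic"))
```

Against one of the localhosts from this thread the four values are stack trash because DR_check is stubbed, so a server that enforces "all FF" would reject perfectly legitimate clients; the practical use of the parser is to skip the right number of bytes before the real attack or movement data, and to log rather than act on what it finds.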
 
Skilled Illusionist
Joined
May 28, 2011
Messages
379
Reaction score
38
Hello,

I think EMS v0.87 would be a very cool release. Mainly because it has Supreme World, and it has some post-bb elements.



Also, the existing GMS v0.95 localhost has some problems. Could we get a proper v95? Asking for a friend.
 
Experienced Elementalist
Joined
Apr 26, 2015
Messages
298
Reaction score
76
Thanks for the effort hendi

Would you kindly do BMS v8?



Edit: unpacked and IAT-fixed should be enough, I can manage to remove GG.
 
Experienced Elementalist
Joined
Oct 25, 2008
Messages
224
Reaction score
314
Hello,

I think EMS v0.87 would be a very cool release. Mainly because it has Supreme World, and it has some post-bb elements.



Also, the existing GMS v0.95 localhost has some problems. Could we get a proper v95? Asking for a friend.

EMS v87 added. By far the most modern version I've done here so far and it exceeds the version range I can do for GMS.


I'll handle v95 with low priority.
 

Joined
Oct 8, 2013
Messages
68
Reaction score
9
Hi, I'd like TMS 0.72, can you make it?
I hope you can try to make it.
Setup:
 

DSG

Initiate Mage
Joined
Jan 23, 2018
Messages
30
Reaction score
2
Can you do v83 but make it work on Wine? Wine is close, but it crashes around 30 seconds into the game. Prior to Wine 6.15 it would quit, and after 6.16.
 