Mir3 Encryption

shorty606

Golden Oldie
Apr 10, 2005
The length seems to be uniform to me...well for most things. I can tell what packet is what by looking at headers as they often have 'stable' chunks of text to discern them.
 

Damian

LOMCN Developer
Jun 13, 2003
Do the headers use different encoding, has anyone looked through the ASM
to confirm this? Or perhaps there are new headers for certain commands
to minimize packet size.
 
Mar 23, 2003
Cairo Orbital Defence Platform
Do the headers use different encoding, has anyone looked through the ASM
to confirm this? Or perhaps there are new headers for certain commands
to minimize packet size.

BINGO! HOLE IN ONE! GIVE THE MAN A CUDDLY TOY! :P

Afaik, yes, they do use different encoding, and yes, tracing back through the encryption routine you should be able to find it.

Knowing our luck it's probably bit inversion ¬_¬
 

shorty606

Golden Oldie
Apr 10, 2005
Hehe, I suggested this a while ago, if anyone could look through the asm to find header encryption. It does look like bit shifting from just looking at the headers, also a lot of text repetition. But as I said before, I'm hopeless with asm lol.
 

Damian

LOMCN Developer
Jun 13, 2003
The encryption routines in IDA are @:
0048D2B0 - Encode6BitBuf
0048D380 - Decode6BitBuf

Mir3.exe - 846KB - 15/08/2006
Or try searching "sub al, 3Ch" should find it in any exe.
 

shorty606

Golden Oldie
Apr 10, 2005
Here you go Nick, also the exe has been edited so it doesn't take command line parameters. Just click the exe to start (useful for some debuggers).
http://www.mirheros.com/upload/files/49/Mir3.rar
Here are some headers - I don't know what they should say but you will get an idea of what they should:
This is the first code that should be sent when logged in:
Code:
<<<<<I@C<<<<<<<
Another header is this too:
Code:
<<<<<B\<<<<<<<<<
I just gave some simple ones to test the decryption routine. If you have any thoughts, post them and I'll convert it into Delphi code and test the decryption.
 

NickAKAVexus

Golden Oldie
Apr 16, 2005
New york
Add me to msn via the tab we shall talkith.

By the way you can decode those headers fine...


I decoded <<<<<B\<<<<<<<<<
I got ident 104, so I tried encoding a packet with header 104 and it came out with the same result, meaning it's no different. So what problem are you actually having?

Decode:
Code:
var
  Msg: TDefaultMessage;
begin
  // decode the 6-bit header typed into edit1 and show its Ident
  Msg := DecodeMessage(edit1.text);
  edit2.text := inttostr(Msg.Ident);
end;

Encode test:
Code:
var
  Msg: TDefaultMessage;
begin
  // build a default message with Ident 104 and re-encode it
  Msg := MakeDefaultMsg(104, 0, 0, 0, 0);
  edit2.text := EncodeMessage(Msg);
end;

It's all 1.4 encryption..
 

shorty606

Golden Oldie
Apr 10, 2005
It does work lol, but I thought it changed once logged in as I'm having problems nailing down the chat packets. I know which packets are chat but I can't seem to get any text out of them.
 

shorty606

Golden Oldie
Apr 10, 2005
Code:
#=VUh<muO<Q<=lL`^<=@@L\<<<<<<<<<<<<<<<<<=x<uo`<!
#=V]l==uO<Q<=lL`^<=@@L\<<<<<<<<<<<<<<<<<=x<uo`<!
#<fam=]vc<SL=V\`_<M\D<L<<<<>\K_qy>\pB?l<IYY{{x<!
Now as far as I have found it: I can decode packets from guild chat and I can decode shouts and whispers. That's all fine. I can also capture SOME text of people saying things in normal chat that everyone can see. Problem is when I record packets of about 6 people saying things, I can only decode about 2 messages, so I think the other 4 messages must be encoded differently.
Is it complete rubbish that I'm talking and all messages are encoded the same?
Also I assumed that the packets above are some speech as they appeared when people were talking, but they could be completely unrelated. I'm still having problems decoding them though, so any help would be appreciated.
 

NickAKAVexus

Golden Oldie
Apr 16, 2005
New york
Code:
#=VUh<muO<Q<=lL`^<=@@L\<<<<<<<<<<<<<<<<<=x<uo`<!
#=V]l==uO<Q<=lL`^<=@@L\<<<<<<<<<<<<<<<<<=x<uo`<!
#<fam=]vc<SL=V\`_<M\D<L<<<<>\K_qy>\pB?l<IYY{{x<!
Now as far as I have found it: I can decode packets from guild chat and I can decode shouts and whispers. That's all fine. I can also capture SOME text of people saying things in normal chat that everyone can see. Problem is when I record packets of about 6 people saying things, I can only decode about 2 messages, so I think the other 4 messages must be encoded differently.
Is it complete rubbish that I'm talking and all messages are encoded the same?
Also I assumed that the packets above are some speech as they appeared when people were talking, but they could be completely unrelated. I'm still having problems decoding them though, so any help would be appreciated.

Those aren't chat packets, they look like buffers. To decode the buffer you need to know what that's for and decode it into the correct record size.

Example record.

TFeature = packed record
  Appearance: Byte;
  Weapon: Byte;
  Dress: Byte;
  Hair: Byte;
end;
 

shorty606

Golden Oldie
Apr 10, 2005
I wonder where the chat packets are disappearing to then? I'll further investigate.
 

shorty606

Golden Oldie
Apr 10, 2005
I found out the reason I had leakage problems... some commands are sent at once and this causes problems for the way I read my packets... I'll sort it out when I'm back from holiday, I'm currently in Canada hehe.
 

NickAKAVexus

Golden Oldie
Apr 16, 2005
New york
Aha I see, my hook reads all the packets even if they're joined.

Take a peek: BufferStr being the string that has the current received data. This processes every packet even if there's like 93843 of them joined. It's sexi.
[delphi]
if BufferStr <> '' then begin
while Length(BufferStr) >= 2 do begin
if Pos('!', BufferStr) <= 0 then break;
BufferStr := ArrestStringEx (BufferStr, '#', '!', data);
if data = '' then break;
ProcessPacket(data);
if Pos('!', BufferStr) <= 0 then break;
end;
end;
[/delphi]
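An added worked example, not code from this thread or from the Mir3 client, that covers both the 6-bit encoding Damian and Nick discuss (Encode6BitBuf / "sub al, 3Ch": bytes are packed MSB-first into 6-bit groups and each group is offset by 0x3C, which is why '<' means zero in the captures) and the joined-packet framing in Nick's last post ('#' ... '!' frames that may arrive several at a time, or cut off mid-frame). The 12-byte TDefaultMessage layout (Recog: Integer; Ident, Param, Tag, Series: Word; little-endian) and the MakeDefaultMsg parameter order are assumed from the Mir 1.4 protocol; the sample buffer in the test is constructed.

```python
import struct

BASE = 0x3C  # '<': each output char is 0x3C plus a 6-bit value (the "sub al, 3Ch")
HEADER_CHARS = 16  # 12-byte TDefaultMessage -> 96 bits -> 16 six-bit characters

def encode6bit(data: bytes) -> str:
    """Pack bytes MSB-first into 6-bit groups; a trailing partial group is zero-padded."""
    bits = "".join(f"{b:08b}" for b in data)
    return "".join(chr(BASE + int(bits[i:i + 6].ljust(6, "0"), 2))
                   for i in range(0, len(bits), 6))

def decode6bit(text: str) -> bytes:
    """Inverse of encode6bit; rejects characters outside the 64-symbol alphabet."""
    bits = ""
    for ch in text:
        v = ord(ch) - BASE
        if not 0 <= v < 64:
            raise ValueError(f"{ch!r} is not a valid 6-bit symbol")
        bits += f"{v:06b}"
    whole = len(bits) - len(bits) % 8  # drop padding bits that do not fill a byte
    return bytes(int(bits[i:i + 8], 2) for i in range(0, whole, 8))

def make_default_msg(ident: int, recog: int = 0, param: int = 0,
                     tag: int = 0, series: int = 0) -> bytes:
    # Assumed layout: Recog Integer, then Ident/Param/Tag/Series Word, little-endian
    return struct.pack("<iHHHH", recog, ident, param, tag, series)

def parse_default_msg(encoded: str) -> dict:
    """Decode the first 16 characters of a frame payload into the header fields."""
    raw = decode6bit(encoded[:HEADER_CHARS])
    if len(raw) != 12:
        raise ValueError("payload shorter than a TDefaultMessage header")
    recog, ident, param, tag, series = struct.unpack("<iHHHH", raw)
    return {"recog": recog, "ident": ident, "param": param,
            "tag": tag, "series": series, "body": encoded[HEADER_CHARS:]}

def split_frames(buffer: str):
    """Return (payloads of all complete '#'...'!' frames, unconsumed remainder)."""
    # '#' (0x23) and '!' (0x21) lie outside the 0x3C..0x7B alphabet, so they
    # can never appear inside an encoded payload and are safe frame markers.
    frames = []
    while True:
        start = buffer.find("#")
        if start < 0:
            return frames, ""
        end = buffer.find("!", start)
        if end < 0:
            return frames, buffer[start:]  # partial frame: keep it for the next read
        frames.append(buffer[start + 1:end])
        buffer = buffer[end + 1:]
```

Feeding the remainder back in front of the next received chunk is what stops messages "leaking" when several commands arrive in one read.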