Mir3 Encryption

shorty606
Golden Oldie, Apr 10, 2005
Has anyone successfully written a login routine for cd3.40? It's that last part I can't get my head round. Any help is really appreciated.
I can't connect to the server using a random number, and the server accepts any client version. The answer must lie in the session id, but I can't see how to use it to generate the numbers.

EDIT:
If I posted the asm for the process which produces those codes - could someone translate it into delphi for me? I'm so close to logging in, this is the last step and I've hit a brick wall.
 

konnichiwa
LOMCN VIP, Mar 26, 2003
I uncovered what those numbers mean, or at least how to generate them for the official Mir3 servers, by looking at the ASM code for Mir3.exe. I'm at work now so cannot look for the code, but I will look tonight for you and post what I have.
 

shorty606
Golden Oldie, Apr 10, 2005
Thanks Konnichiwa, and to everyone who has helped. I'll write an in-depth post documenting the login process when I have finally got to grips with it.
 

NickAKAVexus
Golden Oldie, Apr 16, 2005, New York
I was having that problem with the Euro Mir2 client; it actually generates 3 numbers. I might just poke my head into ASM too, that's a great idea. lol
 

shorty606
Golden Oldie, Apr 10, 2005
A description of how to calculate it will be just as good if you can't find the code, konnichiwa.
How did you get on, Nick? Did you manage to reverse engineer the ASM?
 

konnichiwa
LOMCN VIP, Mar 26, 2003
Sorry, I meant I don't remember what it does.

Anyway, here you are.

int firstNumber = 0x3EB2C5CC ^ m_Certificate;
int secondNumber = (m_Certificate ^ 0x131CCDA) ^ 0x5580AF27;
bot.Start("**" + txtUsername.Text + "/" + cbCharacterList.SelectedItem + "/" + firstNumber + "/" + secondNumber + "/-80524171/1");


m_Certificate is your session id
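As an added example (not code from this thread or from the Mir3 client), here is the same two-mask computation in Python. The point it makes that the one-liners above do not is the integer width: the posted code uses a C# `int`, and shorty606's Delphi port uses `Integer`, both signed 32-bit, so the results wrap and can come out negative (the login string already carries a negative constant). Python ints do not wrap, so the values are masked to 32 bits explicitly. The session id used below is a constructed sample, not one captured from a server.

```python
# Added example: the XOR-masked login numbers from the thread, computed with
# the same signed 32-bit semantics as a C# int / Delphi Integer.
# The session id used in main() is a constructed sample value.

MASK_FIRST = 0x3EB2C5CC       # mask for firstNumber (value quoted in the thread)
MASK_SECOND_A = 0x131CCDA     # first mask applied for secondNumber
MASK_SECOND_B = 0x5580AF27    # second mask applied for secondNumber
FIXED_THIRD = -80524171       # constant the thread's login string carries
TRAILING_FLAG = 1             # the trailing "/1" in the thread's login string


def to_int32(value: int) -> int:
    """Wrap an arbitrary Python int to the range of a signed 32-bit integer."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def login_numbers(session_id: int) -> tuple:
    """Return (firstNumber, secondNumber) exactly as the posted C# computes them."""
    first = to_int32(MASK_FIRST ^ session_id)
    # XOR is associative, so the two masks below collapse into one constant
    # (MASK_SECOND_A ^ MASK_SECOND_B); the two-step form is kept to mirror the post.
    second = to_int32((session_id ^ MASK_SECOND_A) ^ MASK_SECOND_B)
    return first, second


def build_login_string(username: str, character: str, session_id: int) -> str:
    """Assemble the "**user/char/first/second/-80524171/1" string from the thread."""
    first, second = login_numbers(session_id)
    return f"**{username}/{character}/{first}/{second}/{FIXED_THIRD}/{TRAILING_FLAG}"


def recover_session_id(first_number: int) -> int:
    """XOR with a fixed mask is its own inverse: whoever sees firstNumber on the
    wire gets the session id back, so the masks obfuscate, they do not authenticate."""
    return to_int32(first_number ^ MASK_FIRST)


if __name__ == "__main__":
    sample_session_id = 123456789  # constructed sample, not a real session id
    print(login_numbers(sample_session_id))
    print(build_login_string("user", "char", sample_session_id))
    print(recover_session_id(login_numbers(sample_session_id)[0]))
```

Because the masks are constants, the "encryption" adds no secrecy on top of the session id itself; it only stops a naive client from sending the id verbatim. That is why the thread could reconstruct the scheme from a disassembly and a few packet captures.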
 

shorty606
Golden Oldie, Apr 10, 2005
Thanks for your help konnichiwa, but I think it is different on CD 3.4, as the number I get is different to what I've recorded. Maybe I'm doing something wrong, I'll have a look.
EDIT: Can't see what I'm doing wrong. But you have given me something to start with kon :) I'll keep looking into it.
Was it easy to find those values in ASM?
I'm new to it and wondering if I could have a crack at it lol.
 

Damian
LOMCN Developer, Ravagers, Game Master, Jun 13, 2003
shorty606 said:
Thanks for your help konnichiwa but I think it is different on CD 3.4 as the number I get is different to what I've recorded. Maybe I'm doing something wrong I'll have a look.
EDIT: Can't see what I'm doing wrong. But you have given me something to start with kon :) I'll keep looking into it.
Was it easy to find those values in asm?
I'm new to it and wondering if I could have a crack at it lol.

ASM is not easy, you're better off not bothering, maybe konni can help u more :)
 

shorty606
Golden Oldie, Apr 10, 2005
NOPE! It works. Silly me, I mistyped the flaming number - cut and paste from now on lol!
 

NickAKAVexus
Golden Oldie, Apr 16, 2005, New York
konnichiwa said:
Sorry, I meant I don't remember what it does.

Anyway, here you are.

int firstNumber = 0x3EB2C5CC ^ m_Certificate;
int secondNumber = (m_Certificate ^ 0x131CCDA) ^ 0x5580AF27;
bot.Start("**" + txtUsername.Text + "/" + cbCharacterList.SelectedItem + "/" + firstNumber + "/" + secondNumber + "/-80524171/1");


m_Certificate is your session id

Thanks konni, you helped solve my mystery. :P

Euro does it the same way, only I don't know if they use those same numbers to the power of your cert.

edit: konnie, what does 0x3EB2C5CC refer to? :P
 

shorty606
Golden Oldie, Apr 10, 2005
In Delphi you type it as $03EB2C5CC
Here is my encoding routine that I used:
Code:
procedure TForm2.EncodeFirstNumClick(Sender: TObject);
var
  firstnum: integer;
begin
  { session id (from the session edit box) XORed with the fixed mask }
  firstnum := $03EB2C5CC xor StrToInt(session.Text);
  output.Text := IntToStr(firstnum);
end;
 

shorty606
Golden Oldie, Apr 10, 2005
I can get a character in game now. New problem - the character disappears.
At first it was after 10 seconds, so I added more protocol to send. Now the character disappears after 20 seconds.
Anyone know how the client and server interact to keep a connection?
If not I'll try and work it out, but I have a feeling it is complicated.
 

konnichiwa
LOMCN VIP, Mar 26, 2003
NickAKAVexus said:
Thanks konni, you helped solve my mystery. :P

Euro does it the same way, only I don't know if they use those same numbers to the power of your cert.

edit: konnie, what does 0x3EB2C5CC refer to? :P


Those XOR masks are from Mir3 Euro, out of the exe that Kaori managed to unpack.

shorty606, look at your packet logs and see if the client sends a packet at regular intervals; if so, you need a separate thread to poll the server with that packet.

Finding that bit of code was really almost the first piece of reverse engineering out of ASM that I'd done, and I was quite pleased that I'd got it to work! It's not too bad, you just have to know how to debug really.

Step 1) Put a breakpoint on winsock send.
Step 2) Put a write-breakpoint on the data that is being sent.
Step 3) Work backwards till you find the point that's writing the data you want.
Step 4) Analyse and convert to pseudo code!
 

shorty606
Golden Oldie, Apr 10, 2005
Well, thanks for all your help guys and girls - I've made a bot for Mir3 cd3.40 that's stable and stays in game monitoring chat for abuse. It then logs who said it and when :).
Couldn't have done it without the help from everyone!
 

konnichiwa
LOMCN VIP, Mar 26, 2003
¤]´)÷¤--§îr Äürøñ--¤÷(`[¤ said:
Konni - any chance you might like to decrypt those funky new-style headers? ;)


As I said in an earlier post, I have had issues with trying to get 'ingame', as they say.

I can go as far as getting the notification about updates, just before you press OK to go ingame, but I cannot get any further due to what I think is another layer of encryption/different mask. I believe I might be able to solve it; however, I do not have the expertise of, say, Kaori to unpack a recent version of the highly protected Euro Mir3 executable in order to analyse the ASM.

Edit:
On that note, if I did have a recent unprotected Mir3 executable, I would also be able to find out how to render the Map Files (kMir - Auron).
 

konnichiwa
LOMCN VIP, Mar 26, 2003
¤]´)÷¤--§îr Äürøñ--¤÷(`[¤ said:
Aye, I'm feeling you on that, but why not try it on one of the map editors? That could be just as effective, no?

I thought we explored that vein; there are no map readers that will read Euro Mir maps.

NickAKAVexus - What version of Mir are those values from? I wouldn't have thought they had changed... Mine were from QGO Mir.