Mir3 Encryption

[NickAKAVexus]

I thought we explored that vein, there are no map readers that will read Euro Mir maps.



NickAKAVexus - What version of Mir are those values? I wouldnt have thought they had changed... Mine were from QGO Mir.

European mir2 2.3 lol

 

[¤]´)÷¤--§îr Äürøñ--¤÷(`[¤]

I thought we explored that vein, there are no map readers that will read Euro Mir maps.

Rumour has it, they remain unchanged.

Also, I see another map editor on Kaori's site (However, I can't grab it, invalid password!?!?!)

 

[NickAKAVexus]

Konni, wondering if you could help me solve my problem.

I can generate the first number but the second one I can't get. Theres only 2 hex values in the asm.

Number1:=$0F2E44FFF xor 2365;
Number2:=2365 xor $0A4A5B277;

Number1 works fine number2 doesnt.. the asm codes:

Generate1:

 call    @IntToStr
CODE:004C4D35                 push    [ebp+Version]
CODE:004C4D38                 push    offset dword_4C4E10
CODE:004C4D3D                 mov     eax, [ebp+cert]
CODE:004C4D40                 mov     eax, [eax+440h]
CODE:004C4D46                 cdq
CODE:004C4D47                 xor     eax, 0F2E44FFFh
CODE:004C4D4D                 xor     edx, 0
CODE:004C4D53                 push    edx
CODE:004C4D54                 push    eax
CODE:004C4D55                 lea     eax, [ebp+var_28]
CODE:004C4D58                 call    @IntToStr_0
CODE:004C4D5D                 push    [ebp+var_28]
CODE:004C4D60                 push    offset dword_4C4E10
CODE:004C4D65                 lea     edx, [ebp+var_2C]

Generate2:

CODE:004C4D7C                 mov     eax, [ebp+cert]
CODE:004C4D7F                 mov     eax, [eax+440h]
CODE:004C4D85                 cdq
CODE:004C4D86                 xor     eax, 0A4A5B277h
CODE:004C4D8C                 xor     edx, 0
CODE:004C4D92                 push    edx
CODE:004C4D93                 push    eax
CODE:004C4D94                 lea     eax, [ebp+var_30]
CODE:004C4D97                 call    @IntToStr_0
CODE:004C4D9C                 push    [ebp+var_30]
CODE:004C4D9F                 push    offset dword_4C4E10
CODE:004C4DA4                 push    offset dword_4C4E1C
CODE:004C4DA9                 lea     eax, [ebp+var_8]
CODE:004C4DAC                 mov     edx, 10h

Do you see anything different? :/

 

[shorty606]

Now i can't read asm but I see this difference:

CODE:004C4DA4                 push    offset dword_4C4E1C

that got anything to do with it?

 

[NickAKAVexus]

Now i can't read asm but I see this difference:

CODE:004C4DA4                 push    offset dword_4C4E1C

that got anything to do with it?

Just seems to be putting it in another variable.. not very sure.

 

[Rocky]

is there meant 2 b another d_sword on the 2nd 1? cos theres only 1 on the 1st 2 on the 2nd;s, then again i dont know **** about codes

 

[shorty606]

@Nick
Maybe it moves it into another variable for processing later? further on in the asm...anyway you can check?

 

[konnichiwa]

Konni, wondering if you could help me solve my problem.

I can generate the first number but the second one I can't get. Theres only 2 hex values in the asm.

Number1:=$0F2E44FFF xor 2365;
Number2:=2365 xor $0A4A5B277;

Number1 works fine number2 doesnt.. the asm codes:

How do you know that number 1 is fine?
How do you know number 2 is not fine?
Have you tried submitting the results to the server and see if you can log in?
Sorry to be pedantic, but you are replacing 2365 with your certificate variable arnt you?


From what I can see from the ASM you've posted, you have the correct code, unless like Shorty says, there is more that is not uncovered, but I doubt it, it would all be in one section.

CODE:004C4D93 push eax <-- Here it is putting Number2 onto the stack, and doesnt get it off again in the posted code.
CODE:004C4D94 lea eax, [ebp+var_30] <-- Here it is replacing where Number2 was, with var_30, whatever that is, can you run it in debug mode and see what happens to the data real time?

 

[shorty606]

Getting the bot to walk:
When I walk in game I record this packet:

#1>L<I<HHGoa`><?P<!

The header is >L<I<HHG as this remains unchanged between packets
The variable part is this: oa`><?P<
When decoded it comes out as this:
ÎY
So I thought maybe convert it into numbers:
it comes out as this:
206
89
2
which makes no sense, I'm looking for coordinate values of less than 20.
The I thought convert it to hex and look at numbers:
206 = CE
89 = 59
2 = 2
That doesn't work either. I'm stuck again. Am I looking at this the wrong way?

 

[konnichiwa]

Shorty, i would start a packet logger and move in each of the 8 directions possible walking then running and compare the results, most likely they will contain a directional byte, and a speed byte (running/walking). From here you can deduce which part of the packet stands for what.

Edit: The header should also contain some variable information as I recall... maybe take a look in there. I think the chat packets contain some info in the header?

 

[shorty606]

You are a star konnichiwa I was just about to say I think the char has variable information in the header- can anyone tell me if this is true but you already said . Thanks. I'll have a look into motion again.

 

[NickAKAVexus]

You are a star konnichiwa I was just about to say I think the char has variable information in the header- can anyone tell me if this is true but you already said . Thanks. I'll have a look into motion again.

The direction is in the header.

Konni I figured it out, I was using an integer instead of long which was causing wrong numbers. Now I get ingame and it disconnects me saying my clients old. No Idea how it knows this as i'm sending the other client CRC check and the current version. sooo any ideas?

 

[shorty606]

I noticed I had to send additional headers as soon as I got in game otherwise I got disconnected.
I used 'hacked' headers just sending the headers with a random number. Seemed to work.

 

[NickAKAVexus]

I noticed I had to send additional headers as soon as I got in game otherwise I got disconnected.
I used 'hacked' headers just sending the headers with a random number. Seemed to work.

I noticed one it send ident 1049 after query bag items I sent it but same results. :P

 

[shorty606]

Are you sending any repeat commands out to keep yourlsef in game? Maybe they need versin number encoding with them.
When you said the chat has variables in the information - how do you decode them. no matter what I do I end up with rubbish - I can't decipher the text.

 

[NickAKAVexus]

Are you sending any repeat commands out to keep yourlsef in game? Maybe they need versin number encoding with them.
When you said the chat has variables in the information - how do you decode them. no matter what I do I end up with rubbish - I can't decipher the text.

The walking packet has a header and body, you can only decode the body. As konni said he was having trouble decoding the headers.

However you can simply log each walk packet walking in every direction and you have all 8 direction packets.

 

[shorty606]

I tried loggin all directions but when I send them to my char - won't work says FAIL. Does it not encode the coords moving to somewhere? I wonder if all headers can be decoded. I thought headers were random strings so you know what protocol is what and you only decode the data they carry.

 

[konnichiwa]

Nope i think the headers have two maybe three fields in them which are applicable to the command.

 

[shorty606]

Is there any way of looking into the asm to see how they are decoded? Very odd the headers. It's also impossibel todecode normal mir3 chat without knowing the headers.

 

[¤]´)÷¤--§îr Äürøñ--¤÷(`[¤]

The headers _must_ be variable length, from what I remember.