
Posted: Tue Jan 08, 2008 4:29 pm
by Fiel
.............

Posted: Sun Jan 13, 2008 2:23 pm
by Fiel
...........

Posted: Sun Jan 13, 2008 8:27 pm
by themoviefund
What exactly have you changed? I'm too lazy to download an application for that ;)

Does this make significant changes or minor ones? Is it similar to older versions or completely different? Thanks.

Posted: Sun Jan 13, 2008 10:10 pm
by Fiel
.......................

Posted: Fri Jan 18, 2008 9:49 am
by maststef
Hi,

I'm also back (I had no internet for 3 months because the local telecommunication company is a bit lazy...).
Maybe someone remembers me. I'm the one who coded WZextract, the WZ file browser (look in my signature), that can also create the ManualPatcher.

Soon I will release a new version that will fix a bug in the MP3 extraction (or to be more precise: I rewrote the whole MP3 extraction code).

But this was only the boring news. The real news is the following:
You may know that WZ extract can save the WZ information in xml files to compare it with the new content after a patch was released (it shows additions and changes).
I will remove this function (because it's slow and has some limitations) soon to implement something even better:
WZextract will be able to read the *.patch files directly!

Posted: Fri Jan 18, 2008 6:12 pm
by themoviefund
Interesting. Will you provide code please? :)

Posted: Sat Jan 19, 2008 3:22 am
by Fiel
MapleSEA now has new encryption as of 0.51. They also have a brand new WZ file --> List.wz. Oddly enough, this WZ file contains no header.

Posted: Sat Jan 19, 2008 9:02 am
by maststef
Ahh, I totally forgot about the new encryption... It's also on my todo list. I'm able to decrypt some of it already, but I still have not figured out the whole algorithm.

If it's not too large, could you please post the list.wz? I want to take a look at it.

Posted: Sat Jan 19, 2008 1:55 pm
by Fiel
The contents of this post was deleted because of possible forum rules violation.

Posted: Sat Jan 19, 2008 5:15 pm
by maststef
Thanks.

The list.wz seems not to be a WZ file. Not only because of the missing header, but also because I don't find any known structures.
But the number "1A 00 00 00" (26 in the decimal system) appears often (in a more or less regular pattern). This seems to be some indicator or separator.

To come back to the new encryption:
Did anyone else also try to decode it?
The basic function is the same (every char is xor'd).
I found out the first 19 bytes to xor with:
0x01 0xCE 0xE5 0xA8 0xC9 0x62 0xE7 0xBB 0x2A 0xC8 0x33 0xBF 0x5A 0xD2 0xBF 0x32 0x2F 0xCF 0x8A
But I can't find any mathematical relation in this sequence (look at the bold ones, two times the same, but followed by another --> there must be an additional variable, if it's a calculation). A possibility would be to find out all 256 values, store them in an array and run through that array each time a string needs to be decrypted. (if there are even 256, maybe there are more, maybe less)
But I can't imagine that Wizet would use such "unserious" code.

And I don't know the sequence for the Unicode strings, because I can't read Korean, so I can't verify if it's right...

Posted: Sat Jan 19, 2008 7:46 pm
by Rheini
Why don't you disassemble the game exe? Maybe it's a value that is dynamically computed.

Posted: Sun Jan 20, 2008 3:38 am
by Fiel
I think you're right. I'm coming up with the same hex numbers. I don't think there's a way around encoding this hex into the program. Chances are that this stream of hex was created using a pseudorandom number generator and encoded as such. See Vernam ciphers. It's a method of security one step higher than what they had before, but it's still crackable.

EDIT: I've included my small analysis of the List.wz. Sorry it's in all caps, it's for readability.

1 0X05000000, 12 BYTE BLOCK
38 0X1A000000, 54 BYTE BLOCK
1 0X0F000000, 32 BYTE BLOCK
2 0X1F000000, 64 BYTE BLOCK
2 0X0F000000, 32 BYTE BLOCK
1 0X11000000, FINAL 36 BYTE BLOCK

45 TOTAL BLOCKS

PRIMARY BLOCK:
05 00 00 00 3C 05 0A CD 3A 0A E1 7B 87 0A

1A BLOCKS ARE NEARLY ALL HOMOGENEOUS

NEW BLOCK:
1A 00 00 00 (OFFSET 16)

BLOCK:
C6 65 28 05 17 CD 78 0A F5 7B
E6 0A 9C 65 28 8B F8 74 57 6C
C3 59 1B 5E 8D 59 31 7E 8A 7D
FA 74 A0 53 17 94 28 6F 53 87
E0 D6 49 1E 82 52 80 52 EF 7A
79 E8 06 90

NEW BLOCK:
1A 00 00 00 (OFFSET 74)

BLOCK:
C6 65 28 05 17 CD 78 0A F5 7B
E6 0A 9C 65 28 8B F8 74 57 6C
C3 59 1B 5E 8D 59 31 7E 8A 7D
FB 74 A0 53 14 94 28 6F 53 87 <-- SEE CHANGES
E0 D6 49 1E 82 52 80 52 EF 7A
79 E8 06 90

IT'S GENERALLY THESE TWO VALUES THAT SWITCH BETWEEN EACH OTHER.

0F BLOCKS ARE INTERESTING. ALL OF THE EVEN OFFSETS CONTAIN THE SAME
HEX NUMBERS AS THE REFERENCE 1A BLOCKS

NEW BLOCK:
0F 00 00 00 (OFFSET 2394)

BLOCK:
DE 65 20 05 48 CD 22 0A F1 7B
F0 0A 85 65 69 8B F1 74 59 6C
C4 59 07 5E CB 59 6E 7E D8 7D
CB 74

1F BLOCKS ALSO FOLLOW THIS SAME PATTERN.

DUE TO THIS PATTERN, IT APPEARS THAT THE 1A, 0F, AND 1F VALUES
ARE BLOCK SEPARATORS, AND THUS THEIR CONTENTS ARE SUBBLOCKS.

NEW BLOCK:
1F 00 00 00 (OFFSET 2498)

BLOCK:
C8 65 21 05 06 CD 25 0A F9 7B
E4 0A 98 65 62 8B E7 74 19 6C
C3 59 4C 5E D6 59 66 7E CE 7D
BE 74 F9 53 56 94 37 6F 51 87
E1 D6 41 1E 9C 52 DB 52 B2 7A
2A E8 3E 90 C1 4B 6A FF BE F3
17 4A 39 D3
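
The two observations above, maststef's (every byte XORed with one reused keystream) and Fiel's (4-byte count followed by a block of 2*N+2 bytes, with the "even offset" bytes agreeing across blocks), fit together as length-prefixed UTF-16LE strings under a reused Vernam keystream. The following is an added example, not code from the thread or from WZextract: the keystream, the entry texts and the block layout are constructed here to illustrate the structure and why keystream reuse leaks key bytes.

```python
import struct

# Constructed keystream, not the real one: a reused byte sequence is all
# the weakness needs, whatever generator produced it.
KEYSTREAM = bytes((37 * i + 11) & 0xFF for i in range(128))

def encrypt_entry(text: str, key: bytes = KEYSTREAM) -> bytes:
    """One block: 4-byte little-endian char count, the UTF-16LE text XORed
    with the reused keystream, then a 2-byte terminator (so 2*N+2 bytes,
    matching 0x1A -> 54, 0x0F -> 32, 0x1F -> 64 from the analysis)."""
    plain = text.encode("utf-16-le")
    body = bytes(p ^ k for p, k in zip(plain, key))
    return struct.pack("<I", len(text)) + body + b"\x00\x00"

def walk_blocks(buf: bytes):
    """Yield (offset, count, payload) for each block, refusing to read past
    a truncated tail instead of silently mis-parsing it."""
    pos = 0
    while pos + 4 <= len(buf):
        (count,) = struct.unpack_from("<I", buf, pos)
        end = pos + 4 + 2 * count + 2
        if end > len(buf):
            raise ValueError(f"truncated block at offset {pos}")
        yield pos, count, buf[pos + 4:end - 2]
        pos = end

def diff_positions(a: bytes, b: bytes) -> list:
    """Byte offsets where two payloads differ (the 'SEE CHANGES' bytes)."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

def recover_keystream(cipher: bytes, known_plain: str) -> bytes:
    """Vernam weakness: with a reused keystream, one known plaintext
    returns that prefix of the key (c XOR p = k)."""
    plain = known_plain.encode("utf-16-le")
    return bytes(c ^ p for c, p in zip(cipher, plain))

def shared_high_bytes(payloads) -> list:
    """(offset, byte) for odd-index bytes every payload agrees on. For
    ASCII text the UTF-16LE high byte is 0x00, so these are key bytes
    leaking unchanged (Fiel's 'even offsets', counted from 1)."""
    n = min(len(p) for p in payloads)
    return [(i, payloads[0][i]) for i in range(1, n, 2)
            if all(p[i] == payloads[0][i] for p in payloads)]

# Constructed sample file: two near-identical entries plus a shorter one.
ENTRIES = ["sample-string-000", "sample-string-001", "other"]
SAMPLE = b"".join(encrypt_entry(e) for e in ENTRIES)

if __name__ == "__main__":
    for off, count, payload in walk_blocks(SAMPLE):
        print(f"offset {off}: count {count}, {len(payload)} payload bytes")
```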

Posted: Sun Jan 20, 2008 5:20 am
by themoviefund
Apparently, the whole List.wz repeats a 59-byte sequence, starting from byte 17 (0x0A), where one byte is different every time.

...Beat :D

Posted: Sun Jan 20, 2008 10:29 am
by maststef
Encryption:
I'll have a look at this encryption scheme.
I also thought about disassembling the exe. But when I tried it, there were errors (the exe itself seems to be packed [UPX could not decompress it] and/or encrypted), and I am not very familiar with assembler (I only know the very basics).

List.wz:
The repeating blocks are a "list" in some way, so the name of the file is justifiable.

To roll this up from another side:
I had no time to take a deeper look into the file (maybe today I'll find some minutes), but does only MSEA have this file? Or do other versions also have it? (I only have GMS, which doesn't have it.) What did MSEA recently get in a patch that other versions don't have yet? Maybe we can then isolate some possibilities (it's easier to figure structures out if you know some things that could be it).

Posted: Sun Jan 20, 2008 1:13 pm
by Rheini
maststef wrote: I also thought about disassembling the exe. But when I tried it, there were errors (the exe itself seems to be packed [UPX could not decompress it] and/or encrypted), and I am not very familiar with assembler (I only know the very basics).
Well that's something I haven't considered. The exe might indeed be protected to prevent disassembling. Normally you can use No-CDs to disassemble it anyway, cause those fixed exes are usually unpacked. But this is a bit different for online games, it's hard to find cracks for them.

Scan the exe with PEiD and ProtectionID and report the results please.