Mir3 Encryption

shorty606

Golden Oldie
Apr 10, 2005
I am quite an experienced Delphi programmer and I am currently working on a project that involves using the mir3 protocol. If anyone has any insight into this it would be greatly appreciated. I can't read asm very well at all and I am still learning, thus I can't reverse engineer the encoding and decoding process. I would like to know the bitmask process that is used, e.g. what character has which byte reference.
I will kiss anyone who can help.
 

Rocky

Dedicated Member
Sep 13, 2004
Liverpool!!!
shorty606 said:
I am quite an experienced Delphi programmer and I am currently working on a project that involves using the mir3 protocol. If anyone has any insight into this it would be greatly appreciated. I can't read asm very well at all and I am still learning, thus I can't reverse engineer the encoding and decoding process. I would like to know the bitmask process that is used, e.g. what character has which byte reference.
I will kiss anyone who can help.

hmm... are you having problems with ur sexuality?;o
 

NickAKAVexus

Golden Oldie
Apr 16, 2005
New york
Shorty, you're really not going to get help here; last time I heard it still used 1.4 encryption, which I doubt.

Do you have any source files regarding the mir3 encryption, even if they are old? It will be easy to crack if you have a base source.

You have to find the functions in asm; you can use IDA Pro. It's going to be hard to find the functions because there are no actual names and you have nothing to compare them to. There are methods of finding it, like finding a string where you know it will call encodestring and then seeing the asm CALL function; then you can search that function down and rename it, and then you have the actual function. The next step is converting the asm to Delphi. If you had a base source you could compare the asm and see the differences 100x easier.

Hope that made sense. :p
 

shorty606

Golden Oldie
Apr 10, 2005
It does :) but as I said, I'm hopeless with asm. I can read it but I'm not good at setting breakpoints and things. I heard from Coly that it should be the same as mir2, as you said, and this is what I extracted from the Delphi source code for the open project m2server:
Code:
var
  n4CEEF4 :Integer = $408D4D;
  n4CEEF8 :Integer = $0C08BA52E;
  w4CEF00 :Word = $8D34;


  DecodeBitMasks:array[0..255] of Byte = (
	$2A, $E7, $18, $6F, $63, $9D, $48, $EA, $39, $CD, $38, $B8, $A0, $AB, $E0, $10, 
	$35, $99, $37, $09, $C0, $69, $B2, $A4, $67, $88, $50, $34, $7F, $FC, $0B, $BE, 
	$0C, $44, $59, $B6, $5B, $9C, $65, $D6, $94, $EB, $C4, $3B, $03, $3C, $C9, $3E, 
	$6B, $9A, $D4, $F6, $C3, $4D, $11, $24, $AA, $FF, $4A, $ED, $95, $93, $D9, $46, 
	$5F, $96, $87, $30, $BA, $CA, $CB, $FA, $8A, $1A, $68, $5C, $AC, $07, $40, $60, 
	$29, $70, $57, $53, $41, $12, $DE, $1D, $64, $14, $97, $72, $FB, $8D, $2B, $08, 
	$CF, $F4, $3A, $00, $C5, $91, $56, $A9, $9E, $71, $BC, $A3, $AF, $A6, $55, $DA, 
	$79, $BB, $33, $A5, $25, $15, $7D, $EE, $C1, $2C, $C7, $D0, $19, $D8, $5A, $E8, 
	$85, $FD, $2F, $6A, $78, $45, $DB, $B5, $F5, $1E, $04, $75, $B0, $7A, $20, $F2, 
	$DF, $D3, $83, $F3, $54, $90, $A2, $C6, $0F, $80, $36, $4E, $C8, $01, $82, $76, 
	$A1, $2E, $84, $86, $0E, $47, $8F, $E1, $F9, $7C, $C2, $74, $DC, $26, $22, $CE, 
	$2D, $4F, $BF, $0D, $73, $27, $21, $B3, $98, $1F, $89, $EC, $FE, $52, $0A, $8C, 
	$9F, $A8, $E5, $E6, $06, $8B, $CC, $F7, $5E, $E3, $7B, $D2, $05, $49, $13, $E9, 
	$66, $B7, $AD, $B4, $F8, $A7, $1C, $F1, $02, $7E, $6E, $17, $62, $4C, $77, $8E, 
	$DD, $F0, $43, $28, $6D, $61, $B9, $D7, $BD, $3D, $9B, $92, $16, $EF, $51, $23, 
	$E2, $B1, $81, $31, $32, $58, $D1, $5D, $D5, $6C, $4B, $E4, $AE, $42, $1B, $3F
  );


procedure Decode6BitBuf (sSource:PChar;pBuf:PChar;nSrcLen,nBufLen:Integer);
const
  Masks: array[2..6] of byte = ($FC, $F8, $F0, $E0, $C0);
   //($FE, $FC, $F8, $F0, $E0, $C0, $80, $00);
var
  I,{nLen,}nBitPos,nMadeBit,nBufPos:Integer;
  btCh,btTmp,btByte:Byte;
begin
//  nLen:= Length (sSource);
  nBitPos:= 2;
  nMadeBit:= 0;
  nBufPos:= 0;
  btTmp:= 0;
  for I:= 0 to nSrcLen - 1 do begin
    if Integer(sSource[I]) - $3C >= 0 then
      btCh := Byte(sSource[I]) - $3C
    else begin
      nBufPos := 0;
      break;
    end;
    if nBufPos >= nBufLen then break;
    if (nMadeBit + 6) >= 8 then begin
      btByte := Byte(btTmp or ((btCh and $3F) shr (6- nBitPos)));
{$IF ENDECODEMODE = NEWMODE}
      btByte:=btByte xor (HiByte(LoWord(n4CEEF8)) +  LoByte(LoWord(n4CEEF8)));
      btByte:=btByte xor LoByte(LoWord(n4CEEF4));
      btByte:=DecodeBitMasks[btByte] xor LoByte(w4CEF00);
{$IFEND}
      pBuf[nBufPos] := Char(btByte);
      Inc(nBufPos);
      nMadeBit := 0;
      if nBitPos < 6 then Inc (nBitPos, 2)
      else begin
        nBitPos := 2;
        continue;
      end;
    end;
    btTmp:= Byte (Byte(btCh shl nBitPos) and Masks[nBitPos]);   // #### ##--
    Inc(nMadeBit, 8 - nBitPos);
  end;
  pBuf[nBufPos] := #0;
end;

I believe the principle is the same - e.g. bit masking - but I think the values are completely different for mir3 and I have no idea how to obtain them. This is what I could do with help with lol. I'm assuming it must be on a Chinese site, but it's specialist information and my language skills aren't good enough to search for it. I'm at a dead end and I know the secret lies with the asm code, but it's finding it. Especially when most clients are packed to hell. I have one which isn't, but as I said, I'm hopeless at finding anything.
 

Coly

LOMCN Developer
Mar 31, 2005
Germany
Hmm, this function is different from the normal decode.
@Nick, is this your modified encryption, or? The bitmask is too big...
 

Coly

LOMCN Developer
Mar 31, 2005
Germany
Code:
procedure Decode6BitBuf(source: string; buf: PChar; buflen: integer);
const
  // mask for the bits carried over into the next output byte, indexed by bitpos
  Masks: array[2..6] of byte = ($FC, $F8, $F0, $E0, $C0);
var
  i, len, bitpos, madebit, bufpos: integer;
  ch, tmp, _byte: Byte;
begin
  ch := 0;
  try
    len := Length(source);
    bitpos  := 2;
    madebit := 0;
    bufpos  := 0;
    tmp     := 0;
    for i := 1 to len do begin
      // every character carries 6 bits; $3C is the character for a zero group
      if Integer(source[i]) - $3C >= 0 then
        ch := Byte(source[i]) - $3C
      else begin
        bufpos := 0;   // character below the offset: give up, return empty
        break;
      end;
      if bufpos >= buflen then break;
      if (madebit + 6) >= 8 then begin
        // enough bits collected to complete an output byte
        _byte := Byte(tmp or ((ch and $3F) shr (6 - bitpos)));
        buf[bufpos] := Char(_byte);
        Inc(bufpos);
        madebit := 0;
        if bitpos < 6 then Inc(bitpos, 2)
        else begin
          bitpos := 2;   // four characters consumed, start the next group
          continue;
        end;
      end;
      tmp := Byte(Byte(ch shl bitpos) and Masks[bitpos]);   // carry the low bits upward
      Inc(madebit, 8 - bitpos);
    end;
    buf[bufpos] := #0;
  except
  end;
end;

function DecodeString(str: string): string;
begin
  try
    EnterCriticalSection(CSencode);
    Decode6BitBuf(str, EncBuf, BUFFERSIZE);
    Result := StrPas(EncBuf);
  finally
    LeaveCriticalSection(CSencode);
  end;
end;

Use this... with this you can translate Mir3 protocols.
 

NickAKAVexus

Golden Oldie
Apr 16, 2005
New york
Coly said:
Hmm, this function is different from the normal decode.
@Nick, is this your modified encryption, or? The bitmask is too big...

Coly, those arrays are for Philippine mir2 2.3 encryption.

Also that source you posted is just 1.4, no?
 

shorty606

Golden Oldie
Apr 10, 2005
Do you want your kiss now or later coly?!
IT WORKED!
Thank you so much!
Don't suppose you have the encrypt too do you? :P
I know I could look through the decrypt and reverse it but it would make a nice sticky if it was posted here too.
Thanks for the pm about the command block too, it worked a treat :)
 

Coly

LOMCN Developer
Mar 31, 2005
Germany
Yep, little bit of changes. Nick, the records and the protocol IDs are very different from Mir2; the rest you can use with this encryption and the (#1,2,3,4... block!).
 
Mar 23, 2003
Cairo Orbital Defence Platform
Mir3 Encryption always was the same as the mir2 one, lol.

They did change the bit mask for a short while, but the main obstacle is the data structures themselves. From what I remember, they changed the packet header.

For the record, you can always find out when they've made a small change. Look for the smallest byte number they have, and you'll have found the 00 byte equivalent. Note that if you put this byte number in place of the 3C, you'll have cracked the funky bitmask-changing stupidity they like to do ;)
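The decoder Coly posted above and the "smallest byte is the 00 equivalent" rule of thumb in this reply, as an added example (Python, not code from the thread or from any Mir project): a port of the 6-bit unpacking that Decode6BitBuf performs, the inverse packer derived from it (not claimed to be the client's own routine, which nobody in the thread posted), and the offset check applied to constructed captures. It generalises the posted code slightly by taking the offset as a parameter, so the same decoder handles the $3C and $3F variants mentioned later in the thread. All sample payloads are constructed.

```python
"""Added example (not code from the thread or from any Mir project):
a Python port of the 6-bit unpacking done by the posted Decode6BitBuf,
the inverse packer derived from it, and the "smallest byte is the zero
symbol" offset check described in the reply about the 3C change.
All sample inputs below are constructed for illustration."""

# Same table as the Delphi constant Masks[2..6]; the loop only ever
# reaches the even entries (bitpos is 2, 4 or 6).
MASKS = {2: 0xFC, 3: 0xF8, 4: 0xF0, 5: 0xE0, 6: 0xC0}

DEFAULT_OFFSET = 0x3C  # the $3C subtracted from every character in the posted code


def decode_6bit(source: bytes, offset: int = DEFAULT_OFFSET, buf_len: int = 4096) -> bytes:
    """Port of Decode6BitBuf: every input character carries six payload bits,
    so four characters unpack to three bytes. Mirrors the Delphi behaviour of
    returning an empty buffer when a character falls below the offset, and of
    stopping once buf_len output bytes have been produced."""
    out = bytearray()
    bitpos, madebit, tmp = 2, 0, 0
    for c in source:
        if c < offset:
            return b""                      # Delphi: bufpos := 0; break
        ch = (c - offset) & 0xFF
        if len(out) >= buf_len:             # output buffer full
            break
        if madebit + 6 >= 8:
            # enough bits collected: the top (8 - bitpos) bits sit in tmp,
            # the rest are the high bits of this symbol
            out.append((tmp | ((ch & 0x3F) >> (6 - bitpos))) & 0xFF)
            madebit = 0
            if bitpos < 6:
                bitpos += 2
            else:
                bitpos = 2                  # symbol fully consumed, start a new group
                continue
        tmp = (ch << bitpos) & MASKS[bitpos]   # carry the unused low bits upward
        madebit += 8 - bitpos
    return bytes(out)


def encode_6bit(data: bytes, offset: int = DEFAULT_OFFSET) -> bytes:
    """Inverse of decode_6bit, derived from the decoder (hypothetical, not the
    client's own routine): emit the input as 6-bit groups, MSB first, adding
    the offset to each. A trailing partial group is zero-padded on the right,
    which the decoder above drops again because it never completes a byte."""
    out = bytearray()
    acc, nbits = 0, 0
    for b in data:
        acc = ((acc << 8) | b) & 0xFFFF     # at most 13 live bits at any time
        nbits += 8
        while nbits >= 6:
            nbits -= 6
            out.append(((acc >> nbits) & 0x3F) + offset)
    if nbits:
        out.append(((acc << (6 - nbits)) & 0x3F) + offset)
    return bytes(out)


def guess_offset(samples) -> int:
    """Rule of thumb from the thread: across enough captured encoded payloads,
    the smallest byte value seen is the symbol for six zero bits, i.e. the
    offset the decoder must subtract. Only reliable when the capture is large
    enough to contain at least one all-zero 6-bit group."""
    return min(min(s) for s in samples if s)


def symbol_range(offset: int = DEFAULT_OFFSET) -> tuple:
    """Byte range the packer can emit for a given offset (64 symbols)."""
    return offset, offset + 0x3F


if __name__ == "__main__":
    plain = b"Mir3"                          # constructed sample payload
    wire = encode_6bit(plain)
    print(wire, decode_6bit(wire))            # b'ORanHl' b'Mir3'
    # constructed capture from a client that moved the offset to $3F
    moved = [encode_6bit(b"\x00abc", 0x3F), encode_6bit(plain, 0x3F)]
    off = guess_offset(moved)
    print(hex(off), decode_6bit(moved[1], off))
```

Decoding a $3F-offset capture with the default $3C still yields bytes (every symbol is above the offset, so the early-exit never fires), just the wrong ones; that is why the offset guess has to come from the capture itself rather than from whether the decoder "fails".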
 

shorty606

Golden Oldie
Apr 10, 2005
Thanks for that :) Next obstacle is the login protocol. For some reason, no matter what I do, I can only trace packets the client sends and not receives. I even wrote my own program to connect as a client would and log what information the server sent, but nope, still can't see anything lol.
 

NickAKAVexus

Golden Oldie
Apr 16, 2005
New york
I wouldn't mind turning dm2 into a mir3 server for testing purposes. Might try it later.

Auron, you 100% positive it's changed? Even if it did, all I would have to do is figure out the new variables it decodes into, no?
 
Mar 23, 2003
Cairo Orbital Defence Platform
NickAKAVexus said:
I wouldn't mind turning dm2 into a mir3 server for testing purposes. Might try it later.

Auron, you 100% positive it's changed? Even if it did, all I would have to do is figure out the new variables it decodes into, no?

I cracked the interim JoB one, way back. All that changed was the 3C bit offset (It changed to 3F).

But basically, the new header is a variable length thing. I took a brief stab at it a while back (JoB-era). Not sure how the 3G ones respond.

--

Use WPA (Windows Packet Analysis) for packet recording. I did, and if you remember, thedeath made an operational (If not complete) VB.NET Mir3 server long ago. Used the old encoding, though.

--

Shorty - you're using a non-official Mir3 server :P Hence, of course it hasn't changed. Get a packetlog of EuroMir or something.
 

shorty606

Golden Oldie
Apr 10, 2005
Oh, that would explain it lol, it's an old server with bits bolted on hehe. Is WPA the name of a program, or are you referring to monitoring packets sent and received by an application? I have a program to do this but it only logs sent messages from the client, not received from the server.
 
Mar 23, 2003
Cairo Orbital Defence Platform
shorty606 said:
Oh, that would explain it lol, it's an old server with bits bolted on hehe. Is WPA the name of a program, or are you referring to monitoring packets sent and received by an application? I have a program to do this but it only logs sent messages from the client, not received from the server.

Maybe you've not set it to monitor the received packets? I know it does, as I used it myself :P
 

shorty606

Golden Oldie
Apr 10, 2005
It was a bad program; I'm using TCP spy now and I'm making progress. Monitoring my own program I can get to server select and past that. All I want to do is get a character in game, then work from that. I'll keep you posted.