Zombi3 (Expert Cheater; Reputation: 0; Joined: 02 Aug 2007; Posts: 144)
Posted: Tue Aug 21, 2007 9:06 am
Post subject: help with understanding cryptdecrypt in maplestory.
I am relatively new to cryptography and am having problems understanding the crypto API employed by Windows. I was wondering how the author of GuardDecrypt was able to get the decryption key to read the MapleStoryUS.ini file. I came to the conclusion that he/she had not gotten the key by just hooking BYTE* pbData after running CryptDecrypt, since pbData has the contents of the decrypted information.
Code:
BOOL WINAPI CryptDecrypt(
    HCRYPTKEY hKey,       // 0024FBE0 <-- the handle created by CryptImportKey
    HCRYPTHASH hHash,     // 0
    BOOL Final,           // 1
    DWORD dwFlags,        // 0
    BYTE* pbData,         // 012025B0 <-- plaintext after decryption
    DWORD* pdwDataLen     // 0012E8BC
);
Code:
012025B0 5B 47 41 4D 45 4D 4F 4E 5D 0D 0A 47 41 4D 45 5F [GAMEMON]..GAME_
012025C0 4E 41 4D 45 3D 4D 61 70 6C 65 53 74 6F 72 79 55 NAME=MapleStoryU
012025D0 53 0D 0A 55 50 44 41 54 45 5F 53 45 52 56 45 52 S..UPDATE_SERVER
012025E0 3D 67 61 6D 65 67 75 61 72 64 2E 6D 61 70 6C 65 =gameguard.maple
012025F0 67 6C 6F 62 61 6C 2E 63 6F 6D 0D 0A 55 50 44 41 global.com..UPDA
01202600 54 45 5F 50 41 54 48 3D 2F 6E 50 72 6F 74 65 63 TE_PATH=/nProtec
01202610 74 2F 47 61 6D 65 47 75 61 72 64 2F 52 65 61 6C t/GameGuard/Real
01202620 53 65 72 76 65 72 2F 0D 0A 42 41 43 4B 55 50 5F Server/..BACKUP_
01202630 53 45 52 56 45 52 3D 36 33 2E 32 35 31 2E 32 31 SERVER=63.251.21
01202640 37 2E 31 38 34 0D 0A 42 41 43 4B 55 50 5F 50 41 7.184..BACKUP_PA
01202650 54 48 3D 2F 6E 50 72 6F 74 65 63 74 2F 47 61 6D TH=/nProtect/Gam
01202660 65 47 75 61 72 64 2F 52 65 61 6C 53 65 72 76 65 eGuard/RealServe
01202670 72 2F 0D 0A 4F 50 54 49 4F 4E 5F 56 41 4C 55 45 r/..OPTION_VALUE
01202680 3D 30 0D 0A 53 50 45 45 44 43 48 45 43 4B 5F 49 =0..SPEEDCHECK_I
01202690 4E 54 45 52 56 41 4C 3D 31 30 30 30 0D 0A 53 45 NTERVAL=1000..SE
012026A0 4E 44 45 52 4C 3D 31 0D 0A 47 41 4D 45 43 52 43 NDERL=1..GAMECRC
012026B0 3D 32 0D 0A 52 45 56 49 53 49 4F 4E 3D 34 37 =2..REVISION=47
I think CryptImportKey might be the solution (retrieving the decryption key), but understanding the PUBLICKEYSTRUC that was referenced by CryptImportKey is confusing.
The RSA1 blob below has nothing to do with our decryption of MapleStoryUS.ini and the *.erl file. I have a feeling this public key is used in some sort of traffic encryption, or I could just be talking bullshit.
Code:
007DF4FC 06 02 00 00 00 24 00 00 52 53 41 31 00 02 00 00 ...$..RSA1...
007DF50C 01 00 01 00 FB E3 FC 09 AF AE 65 8C 96 4C C5 37 ..ûãü.¯®eŒ–LÅ7
007DF51C D2 A4 77 E7 4C 41 C2 CF F2 FE 2D 9C 80 94 0C 88 Ò¤wçLAÂÏòþ-œ€”.ˆ
007DF52C 6D B3 84 9F 8C 22 A0 C9 CD C0 AB 30 65 82 42 3C m³„ŸŒ" ÉÍÀ«0e‚B<
007DF53C EE 3C A8 B7 11 D6 22 FA FB 23 F7 72 CD E7 D0 6F î<¨·Ö"úû#÷rÍçÐo
007DF54C 6A 8E 96 E3 54 00 00 00 jŽ–ãT...
Just realized that the RSA1 hash key is hard-coded and not created while the program was in memory.
Code:
BOOL WINAPI CryptImportKey(
    HCRYPTPROV hProv,     // 001FE5C8
    BYTE* pbData,         // 007DF4FC dump_.007DF4FC <-- "A BYTE array that contains a PUBLICKEYSTRUC BLOB header followed by the encrypted key"
    DWORD dwDataLen,      // 00000054 <-- header info + key
    HCRYPTKEY hPubKey,    // 0 <-- weird
    DWORD dwFlags,        // 0
    HCRYPTKEY* phKey      // 01E51440
);
http://msdn2.microsoft.com/en-us/library/ms867086.aspx
http://msdn2.microsoft.com/en-us/library/aa382046.aspx
http://msdn2.microsoft.com/en-us/library/aa379908.aspx
Last edited by Zombi3 on Wed Aug 22, 2007 7:59 pm; edited 6 times in total |
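Added example, not code from this thread or from GuardDecrypt: a Python parser for the PUBLICKEYSTRUC + RSAPUBKEY layout, run over the 84 bytes (dwDataLen = 0x54) at 007DF4FC from the dump above, with the trailing 54 00 00 00 left out because it lies past the blob. Decoding shows aiKeyAlg = CALG_RSA_SIGN, so this is a 512-bit RSA signature-verification public key and not a decryption key, and because a PUBLICKEYBLOB is not encrypted the hPubKey argument of 0 is what CryptImportKey expects. Constant names and struct layouts are the documented ones from wincrypt.h; nothing else is assumed.

```python
import struct

# Windows CryptoAPI constants (wincrypt.h).
PUBLICKEYBLOB = 0x06
CUR_BLOB_VERSION = 0x02
CALG_RSA_SIGN = 0x00002400  # RSA key used for signature verification
CALG_RSA_KEYX = 0x0000A400  # RSA key used for key exchange
RSA1_MAGIC = 0x31415352     # b"RSA1" as a little-endian DWORD (RSA2 = private key)
ALG_NAMES = {CALG_RSA_SIGN: "CALG_RSA_SIGN", CALG_RSA_KEYX: "CALG_RSA_KEYX"}

# The 84 bytes (dwDataLen = 0x54) at 007DF4FC, copied from the dump in the post.
DUMP_BLOB = bytes.fromhex(
    "06 02 00 00 00 24 00 00 52 53 41 31 00 02 00 00 "
    "01 00 01 00 FB E3 FC 09 AF AE 65 8C 96 4C C5 37 "
    "D2 A4 77 E7 4C 41 C2 CF F2 FE 2D 9C 80 94 0C 88 "
    "6D B3 84 9F 8C 22 A0 C9 CD C0 AB 30 65 82 42 3C "
    "EE 3C A8 B7 11 D6 22 FA FB 23 F7 72 CD E7 D0 6F "
    "6A 8E 96 E3"
)


def parse_rsa_public_blob(blob: bytes) -> dict:
    """Decode PUBLICKEYSTRUC + RSAPUBKEY + the little-endian modulus."""
    if len(blob) < 20:
        raise ValueError("blob shorter than PUBLICKEYSTRUC + RSAPUBKEY")
    # PUBLICKEYSTRUC: BYTE bType, BYTE bVersion, WORD reserved, ALG_ID aiKeyAlg
    b_type, b_version, _reserved, alg_id = struct.unpack_from("<BBHI", blob, 0)
    # RSAPUBKEY: DWORD magic, DWORD bitlen, DWORD pubexp
    magic, bitlen, pubexp = struct.unpack_from("<III", blob, 8)
    if b_type != PUBLICKEYBLOB or b_version != CUR_BLOB_VERSION:
        raise ValueError(f"not a v2 PUBLICKEYBLOB (bType=0x{b_type:02x}, bVersion={b_version})")
    if magic != RSA1_MAGIC:
        raise ValueError(f"unexpected RSAPUBKEY magic 0x{magic:08x}")
    mod_len = bitlen // 8
    if len(blob) < 20 + mod_len:
        raise ValueError(f"modulus truncated: need {20 + mod_len} bytes, got {len(blob)}")
    # CryptoAPI stores the modulus least-significant byte first.
    modulus = int.from_bytes(blob[20:20 + mod_len], "little")
    return {
        "alg": ALG_NAMES.get(alg_id, f"0x{alg_id:08x}"),
        "bitlen": bitlen,
        "pubexp": pubexp,
        "modulus": modulus,
        "blob_len": 20 + mod_len,  # should equal the dwDataLen passed to CryptImportKey
    }


if __name__ == "__main__":
    info = parse_rsa_public_blob(DUMP_BLOB)
    print(f"{info['alg']}, {info['bitlen']}-bit, e={info['pubexp']}, "
          f"blob length {info['blob_len']} (0x{info['blob_len']:x})")
    print(f"n = 0x{info['modulus']:x}")
```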
smartz993 (I post too much; Reputation: 2; Joined: 20 Jun 2006; Posts: 2013; Location: USA)
Posted: Tue Aug 21, 2007 2:32 pm
There was a C++ app that decrypted MapleStoryUS.ini...and the source was released somewhere also.
Zombi3 (Expert Cheater; Reputation: 0; Joined: 02 Aug 2007; Posts: 144)
Posted: Tue Aug 21, 2007 3:25 pm
smartz993 wrote:
    There was a C++ app that decrypted MapleStoryUS.ini...and the source was released somewhere also.

looking @ source is like reading the last chapter of a book you just bought. I want to have the same perspective as the original programmer of GuardDecryptor and not look at the source of somebody else's work.