[masm32] npgl.erl decryptor

 
Uzeil

PostPosted: Sun Apr 29, 2007 5:13 am    Post subject: [masm32] npgl.erl decryptor Reply with quote

I wrote this a few days ago...

Nothing too interesting really, just your average opcodes/WinAPIs and our dear mmx registers.

However, feel free to modify it to handle other files, or simply switch it to encrypting with a fixed key (take out the key variable and the call to FindKey, then load the register directly with a specific key of your choosing...)

INCOMING

Code:
; npgl.erl decryptor — MASM32, Intel syntax, 32-bit Win32 flat model,
; stdcall for every imported API (args pushed right-to-left, callee pops).
; .mmx is required for the movq/MM1 8-byte copies below; .xmm is enabled
; but no XMM instruction appears in this listing.
.686
.mmx
.xmm
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
include \masm32\include\msvcrt.inc
includelib \masm32\lib\msvcrt.lib  ;msvcrt.inc/lib (linked, but no msvcrt routine is called in this listing)

.DATA
; Shown by `nofile` when CreateFileA on npgl.erl fails.
wrongfolder db "Either you need to place this correctly named .exe in your GameGuard folder or npgl.erl isn't readable/existant.",0
; Shown by `nokey` when no candidate key decrypts the first payload byte to '='.
wrongkey db "The encryption key was not found.  Your npgl.erl file is, more than likely, written by something other than an unmodified MapleStory.exe",0
directory db 260 dUP(0)         ; 260-byte (MAX_PATH) buffer: this .exe's full path, later rewritten to <dir>\npgl.erl and <dir>\uzedump.txt
clearmem dq 0                   ; 8 zero bytes, loaded into MM1 for zero-fills of `directory`
memloc dd 0                     ; VirtualAlloc'd buffer holding the whole input file
filesize dd 0                   ; GetFileSize result; also the ReadFile/WriteFile length
actual dd 0                     ; byte count written back by ReadFile/WriteFile
filename db "npgl.erl",0        ; name substituted for the .exe name inside `directory`
; Candidate decryption keys tried in turn by FindKey. The number of
; entries here must agree with the count FindKey iterates over.
Keys dd 0C5F1F435h,\
        083A3A023h,\
        04E626C2Eh,\
        089818809h,\
        0CAF2F83Ah,\
        0D2D416C6h,\
        09C1D8D91h,\
        064264662h,\
        039497178h,\
        01A0A1218h
thekey dd 0                     ; key chosen by FindKey; seed of the decrypt loop in `start`
slashpos dd 0                   ; address inside `directory` where the file name starts (set by getnpglname)
dumpfile db "uzedump.txt",0     ; output file name, written over the input name at slashpos
exitstring db "Uzeil",0,"Done!",0  ; MessageBoxA caption at +0, text at +6


.DATA?
; Handle of whichever file is currently open: the input npgl.erl first,
; then the output dump. HWND is only used here as a 32-bit slot for a
; file HANDLE.
filehandle HWND ?

.CODE
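;-----------------------------------------------------------------------
; start — program entry point (Win32, stdcall imports)
; 1. Turns this .exe's full path (GetModuleFileName) into "<dir>\npgl.erl"
;    via getnpglname.
; 2. Opens the file, reads all of it into a VirtualAlloc'd buffer.
; 3. FindKey selects the key; every byte after the first dword is XORed
;    with a running key stream: key = key*3 + 1 ; byte ^= low8(key) + 76h.
; 4. Writes the result to "<dir>\uzedump.txt" and reports "Done!".
; Every failure path ends in ExitProcess (exit / closehandleexit / nofile /
; checkerror). Registers in the decrypt loop: eax = running key,
; ecx = payload bytes left, esi = cursor, edx = scratch for the key byte.
;-----------------------------------------------------------------------
start:
    push SIZEOF directory
    push offset directory
    push 0
    call GetModuleFileName
    test eax,eax
    jz checkerror
    call getnpglname

    push 0
    push FILE_ATTRIBUTE_NORMAL
    push OPEN_EXISTING
    push 0
    push FILE_SHARE_READ
    push GENERIC_READ
    push offset directory
    call CreateFileA
    mov filehandle,eax
    cmp eax,-1                          ; CreateFileA fails with INVALID_HANDLE_VALUE (-1), never 0
    jz nofile

    push 0
    push filehandle
    call GetFileSize
    mov filesize,eax
    cmp eax,-1                          ; INVALID_FILE_SIZE
    jz closehandleexit
    cmp eax,4                           ; nothing follows the 4-byte header; also keeps
    jbe closehandleexit                 ; ecx = filesize-4 from wrapping/reaching 0 below

    push PAGE_READWRITE
    push MEM_COMMIT
    push filesize
    push 0
    call VirtualAlloc
    mov memloc,eax
    test eax,eax
    jz closehandleexit

    push 0
    push offset actual
    push filesize
    push memloc
    push filehandle
    call ReadFile
    test eax,eax                        ; ReadFile returns 0 on failure (previously unchecked)
    jz closehandleexit
    mov eax,actual
    cmp eax,filesize                    ; short read: do not decrypt a half-filled buffer
    jnz closehandleexit

    push filehandle
    call CloseHandle

    call FindKey
    mov eax,thekey
    mov ecx,filesize
    sub ecx,4                           ; payload length; > 0 thanks to the size check above
    mov esi,memloc
    add esi,4                           ; skip the 4-byte header, same offset FindKey probes
decrypt:
    lea eax,[eax+eax*2+1]               ; key = key*3 + 1
    mov edx,eax
    add dl,76h
    xor byte ptr [esi],dl               ; *esi ^= low8(key) + 76h
    inc esi
    dec ecx
    jnz decrypt                         ; dec/jnz instead of the microcoded `loop`

    ; Overwrite "npgl.erl" at slashpos with "uzedump.txt",0 (12 bytes: dword + qword via MM1).
    mov esi,slashpos
    lea edi,dumpfile
    mov eax,dword ptr [edi]
    movq MM1,qword ptr [edi+4]
    mov [esi],eax
    movq [esi+4],MM1

    push 0
    push FILE_ATTRIBUTE_NORMAL
    push CREATE_ALWAYS
    push 0
    push FILE_SHARE_WRITE
    push GENERIC_WRITE
    push offset directory
    call CreateFileA
    mov filehandle,eax
    cmp eax,-1                          ; was `test eax,eax`, which never detects a failed CreateFileA
    jz exit

    push 0
    push offset actual
    push filesize
    push memloc
    push filehandle
    call WriteFile
    test eax,eax                        ; do not report "Done!" when the write failed
    jz closehandleexit

    lea esi,exitstring
    push 0                              ; uType
    push esi                            ; lpCaption = "Uzeil"
    add esi,6
    push esi                            ; lpText = "Done!"
    push 0                              ; hWnd
    call MessageBoxA

    jmp closehandleexit                 ; close the output handle and exit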

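;-----------------------------------------------------------------------
; FindKey
; Tries each entry of `Keys` against the first payload byte (memloc+4):
; the stream is XORed with low8(key*3+1)+76h, and a correctly keyed file
; decrypts that byte to '='. Stores the matching key in `thekey`.
; In:    memloc = buffer holding the file (at least 5 bytes)
; Out:   thekey = matching key; jumps to `nokey` (process exit) if none
;        matches — the stack is left unbalanced then, as in the original,
;        which is fine only because nokey ends in ExitProcess.
; Clobb: flags only (GPRs restored by pushad/popad)
; Note:  the earlier version started at index 10 and counted down to 1,
;        so Keys[0] was never tried and Keys[10] — actually `thekey` —
;        was read past the end of the table. Indexing now runs 0..N-1
;        with N taken from the table itself, so adding keys needs no
;        other change.
;-----------------------------------------------------------------------
FindKey:
    pushad
        xor ecx,ecx                     ; ecx = index into Keys, 0..LENGTHOF Keys-1
        lea esi,Keys
        mov edi,memloc
        add edi,4                       ; first byte after the 4-byte header
    checknext:
        mov eax,[esi+ecx*4]             ; candidate key
        lea eax,[eax+eax*2+1]           ; first key step: key*3 + 1
        add al,76h
        xor al,byte ptr [edi]           ; al = first payload byte decrypted with this key
        cmp al,"="
        jz keyfound
        inc ecx
        cmp ecx,LENGTHOF Keys
        jb checknext
        jmp nokey                       ; every candidate exhausted
    keyfound:
        mov eax,[esi+ecx*4]
        mov thekey,eax
    popad
ret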

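;-----------------------------------------------------------------------
; getnpglname
; Replaces this executable's own file name at the end of `directory`
; (filled by GetModuleFileName) with "npgl.erl", so `directory` becomes
; the path of the npgl.erl next to this .exe.
; In:    directory = NUL-terminated full path of this module
; Out:   directory = "<dir>\npgl.erl",0
;        slashpos  = address of the first byte after the last '\'
; Clobb: flags, MM1 (GPRs restored by pushad/popad)
; Exits the process via `exit` if `directory` has no terminator or the
; file name would not fit in the buffer.
; Note:  the earlier version blindly overwrote the 18 bytes before the
;        terminator, i.e. it only worked when the .exe name was exactly
;        18 characters long; the name is now located by scanning back
;        to the last backslash.
;-----------------------------------------------------------------------
getnpglname:
    pushad
        ; Locate the terminating NUL within the buffer bounds.
        mov ecx,SIZEOF directory
        lea esi,directory
    findnul:
        cmp byte ptr [esi],0
        jz foundnul
        inc esi
        dec ecx
        jnz findnul
        jmp exit                        ; no terminator in 260 bytes: nothing sane to do
    foundnul:
        ; Walk back to the last '\'; the file name starts right after it.
    findslash:
        cmp esi,offset directory
        jbe nameat                      ; reached the buffer start: treat it all as the name
        dec esi
        cmp byte ptr [esi],"\"
        jnz findslash
        inc esi                         ; esi = first byte of the file name
    nameat:
        ; "npgl.erl",0 (9 bytes) and the later "uzedump.txt",0 (12 bytes,
        ; written by start at slashpos) must both fit inside `directory`.
        lea eax,[esi+12]
        cmp eax,offset directory + SIZEOF directory
        ja exit
        ; Zero 12 bytes, then drop the 8-byte name on top; the zeroed
        ; bytes supply the string terminator.
        movq MM1,qword ptr clearmem
        movq qword ptr [esi],MM1
        mov dword ptr [esi+8],0
        movq MM1,qword ptr filename
        movq qword ptr [esi],MM1
        mov slashpos,esi
    popad
ret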

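;-----------------------------------------------------------------------
; closehandleexit
; Closes `filehandle` (the handle most recently stored by start) and
; terminates the process via `exit`. Reached only by jz/jmp from start,
; never by call.
; Note:  the earlier version pushed a dword read through [esp+4] and
;        returned through a patched stack slot, so the handle it closed
;        was not `filehandle`; this version closes the real one.
;-----------------------------------------------------------------------
closehandleexit:
    push filehandle
    call CloseHandle
    jmp exit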

;-----------------------------------------------------------------------
; nofile — CreateFileA on npgl.erl failed: show `wrongfolder`, then fall
; through into checkerror.
; checkerror — GetModuleFileName failed (or fall-through from nofile):
; leaves the Win32 error code in eax (presumably for inspection under a
; debugger; nothing reads it) and exits.
;-----------------------------------------------------------------------
nofile:
    xor eax,eax
    push eax                        ; uType = 0 (MB_OK)
    push eax                        ; lpCaption = NULL
    push offset wrongfolder         ; lpText
    push eax                        ; hWnd = NULL
    call MessageBoxA
checkerror:
    call GetLastError
    jmp exit

;-----------------------------------------------------------------------
; nokey — FindKey found no matching key: show `wrongkey`, then fall
; through into exit.
; exit — common terminator for every path: ExitProcess(0).
;-----------------------------------------------------------------------
nokey:
    xor eax,eax
    push eax                        ; uType = 0 (MB_OK)
    push eax                        ; lpCaption = NULL
    push offset wrongkey            ; lpText
    push eax                        ; hWnd = NULL
    call MessageBoxA

exit:
    push 0                          ; uExitCode
    call ExitProcess

end start


Enjoy... just please, please keep the credit intact... and any additions to the source are more than welcome in this thread. (Although in this case, it'll just be more keys to add for other files.)

UnLmtD

PostPosted: Sun Apr 29, 2007 6:39 am    Post subject: Reply with quote

Interesting, Thank you.
astrogod

PostPosted: Fri Jun 08, 2007 12:52 pm    Post subject: Muonline, .npgl.erl encryption algo!! Helppp Reply with quote

Hi, I'm trying to reverse the MU Online npgl.erl encryption routine, but it appears the key used to encrypt each byte is random: it changes each time I start the game.

Here is the MU encryption routine:
Code:

00686A07 MOV EAX,EBP                           ;  eax points to dec string
00686A09 SUB EDI,ESI
:LOOP_START:
00686A0B MOV EDX,DWORD PTR DS:[ESI+102C]  ;key=random number calculated at the begin of gg_init()
00686A11 LEA EDX,DWORD PTR DS:[EDX+EDX*2+1]  ;do a calc
00686A15 MOV DWORD PTR DS:[ESI+102C],EDX      ;save new key value
00686A1B ADD DL,65
00686A1E XOR BYTE PTR DS:[EAX],DL    ;xors buff[x]
00686A20 INC EAX
00686A21 LEA EDX,DWORD PTR DS:[EAX+EDI]
00686A24 CMP EDX, size_dec_string
00686A26 JL SHORT LOOP_START  ;continue loop while(count<sizeof(string))

I don't understand how it's possible to decrypt it using your source. Maybe only the MapleStory game uses a constant key? Help with this noob problem, please!
Uzeil

PostPosted: Sat Jun 09, 2007 6:08 am    Post subject: Reply with quote

Small change, same basis of the algorithm.

Two things you need to do:

(1) Change the "add al,76h" in my script to "add al,65h", and do the same anywhere else that addition appears (in FindKey and in the main decrypt loop).

(2) After the CreateFile of the .erl, it should immediately write 4 bytes to the file and then load a starting key, which is what ends up in that [esi+102c]. That key is loaded from the stack according to another value on the stack (that other value selects which of the keys on the stack to use — this is why you see a different key every time you open it, but really it just cycles through a few hardcoded keys). At the point where it fetches that key, you'll see the set of keys stacked on top of each other in the stack, for you to note down and apply to my script.

In other words: All the possible Keys are in the stack when it first gets the Key. Note all those down and replace the ones in my script with those or add those to mine in the same format and change the 10 in "mov ecx,10" in FindKey to the number of Keys in yours.


And if you can't find these keys, you can always make it brute-force the key, but that would take barely any longer; still, if you can't manage to analyze the assembly to get the keys, I doubt you'll be able to brute-force a 4-byte value of which only 1 byte is applied to each key — one that will therefore falsely match at least once in every 255 tries.

Smile

astrogod

PostPosted: Sun Jun 10, 2007 3:51 am    Post subject: Reply with quote

Thanks for your reply, and sorry for the long delay in replying.

One thing I need to say is that main.exe (MU Online) doesn't use these keys to encrypt the NPGL.ERL file, which is why I never found them! ^^
I'm able to decrypt the NPGL.ERL file using just the hardcoded key inside the file. Is MapleStory.exe the same in this respect?

I have another question about your algorithm in the FindKey() proc.
I don't understand the instruction "mov eax,[esi+ecx*4]": I'm assuming that esi points to an array of DWORD keys and that ecx holds the number of keys in the array, starting at 10? How is it possible for it to access index 10 (offset 10 * 4) in that array? Sorry for my noobishness, I'm not really good with asm algorithms.