    MU Online protocol messages

    Check out the new and promising project Games Network Protocols.

    MU Online protocol reverse engineering for fun

    Introduction

    I played the MU Online MMORPG recently, but got bored of it quite quickly. Nice graphics, but dumb gameplay.. My girlfriend is still playing, so I decided to find another way to enjoy it.

    The communication protocol between the MU Online client and server is a good point for research. So I put tcpdump in one pocket, Ethereal in the other, and started my search.

    MU Online is an MMORPG (Massively Multiplayer Online Role-Playing Game), one of many. Compared with the others (Ultima Online, Ragnarok, World of Warcraft, EverQuest, even RYL), it is more like Diablo: click & kill, collect lots of stuff, and so on...

    This page is for educational purposes only! I don't use (and will not use) the obtained information to hack MU Online or to abuse the game service.

    Contacts

    You are welcome to contact me via dikiy@scn.ru or on the IRC network RusNet (find me using the '/nickserv info dikiy' command). I speak Russian and English.

    Don't ever write me emails like this! I'll never reply to you. Thanks!

    I am a MU player. MU Online Philippines.. I just want to know about duplicating items or edit.. Please send me some info.. Thanks

    The story

    27 march 2006

    A guy named MiKiOnE (mikione at o2.pl) found out the algorithm for client-to-server communication encoding. Good work!

    Hi.. I'm back :P
    I found the crypt algorithm:
    
    //code
    unsigned char key[32] = {
            0xe7,0x6D,0x3a,0x89,
            0xbc,0xb2,0x9f,0x73,
            0x23,0xa8,0xfe,0xb6,
            0x49,0x5d,0x39,0x5d,
            0x8a,0xcb,0x63,0x8d,
            0xea,0x7d,0x2b,0x5f,
            0xc3,0xb1,0xe9,0x83,
            0x29,0x51,0xe8,0x56};
    
    /* crypt: encrypted message, package: decrypted output, size: message length in bytes */
    void decrypt(const unsigned char *crypt, unsigned char *package, int size)
    {
        unsigned char T1; // temp
        int a = 4;        // key index: starts at 4, wraps around at 32
        int b, i;
        for (b = 0; b <= 2; b++) package[b] = crypt[b]; // copy first 3 bytes (header) unchanged
        for (i = 0; i + 3 < size; i++, a++)
        {
            if (a == 32) a = 0;
            T1 = crypt[i+2] ^ key[a];          // previous encrypted byte XOR key byte
            package[i+3] = crypt[i+3] ^ T1;    // decrypted byte
        }
    }
    //end code
    
    
    It's very simple :P [I used SoftICE to find it]
    with Greetings MiKiOnE 
    
    

    21 october 2004

    New messages from RealKeeper. He found a new message type, c4: the next 2 bytes are the message length (like c2).

    • c137 - Trader info
    • c460 - Trade cancellation

    18 october 2004

    New messages from RealKeeper, plus some others corrected.

    14 october 2004

    A guy named RealKeeper (realkeep.com) sent me 2 new packets:

    Thanks!

    24 may 2004

    Possibly this is the last update. I'll show you how I did this work.

    I wrote a Perl program that turns the output of tcpdump -Xqt (yes, you need Unix or Linux, or you should find Windows ports) into a human-readable format. Known messages are decoded; unknown ones are shown in hex. So we can look at the MU window and at the program output side by side and decide what the unknown messages mean.

    For example, you can run to coordinates 100,100 and cast some spell, then run to 105,105 and cast some other spell .) As far as I remember, that is the 'c11b' message, but I didn't check this.

    You can get the program here: MU-dumper. Typical usage:

    $ tcpdump -s 10000 -w ./mu.dump
    ^C
    $ tcpdump -Xqt -r ./mu.dump | ./MU-dumper | less

    Typical output:

    serv > me
       Move ID:152d @ 96,bf
       We meet 1 characters
            char  pinoy_nga Dark Knight ID:1405 stand @ 8b,c3->88,c4 [0]
                    Weared: Armor:scale Helm:scale Pants:scale Gloves:scale Boots:scale
                    LeftHand: 0b RightHand:NONE Pet:NONE Wind:no
                    [cpLLRRHAPGBf0080400000000800--C-H-A-R--N-A-M-E--XXYY6300]
       We meet 2 monsters:
            MOB         Yeti ID:0517 @ 9b,c5->9b,c5 [000000|60]
            MOB         Yeti ID:0534 @ 9a,c7->9a,c7 [000000|70]
       Guilds (01) :
            guild MaRiKiNa ID:[18e7] 
                    33133333
                    33133333
                    33133111
                    33333333
                    33333333
                    11133133
                    33333133
                    33333133
       Char ID:[1405] binded to guild ID:[18e7]
    
       Move ID:152d @ 96,bf
       44:020a19
       44:020a19
       Move ID:0531 @ 94,c5
       Move ID:11cd @ 96,be
    me > serv ACK
    serv > me
       Move ID:133a @ a5,cb
       2a:01f600
       Damage: ID:04ec CRIT! hited on 92HP [04ec005c03]
    me > serv ACK
    serv > me
       Move ID:133a @ a5,cb
       2a:01f000
       Damage: ID:04ec hited on 68HP [04ec004400]
    me > serv ACK
    serv > me
       2a:01ef00
       Death: 04ec killed by 133a
    Skip C3 msg [2a653a29cf1d10ffc1e5d0]
    me > serv ACK
    

    Good luck!

    23 may 2004

    Since my girlfriend's account was robbed and she stopped playing, I don't care about this page any more. You can enter without a password.

    18 may 2004

    Sque, please contact me via e-mail or IRC, we need to talk.

    11 may 2004

    30 apr 2004 - I wrote some PHP code for generating "message tables".

    Some new messages:

    26 apr 2004 - I received by e-mail some info about MU server download and setup:

    -------------------------------------------
    Vendor has sent you this email from http://forum.zolik.net/index.php.
    
    here
    www.rzpatches.com/Mu97Server.exe
    
    some reading about it
    http://forum.ragezone.com/forumdisplay.php?f=82
    
    installation instruction
    http://members.lycos.co.uk/metasha/
    
    seek on microsoft
    mSsql for it
    sql2ksp3.exe - 55 Mb
    SQLEVAL.exe - 267 Mb
    --------------------------------------------
    

    20 apr 2004 - Some interesting results, but I'm not ready to describe them yet. Some notes about the message format: each message begins with c1, c2 or c3. If a message begins with c1, the next byte is the whole message length; if it begins with c2, the next 2 bytes are the message length.
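    The framing rules above (c1: 1-byte length, c2/c4: 2-byte length) together with the c3 XOR scheme MiKiOnE posted in the 2006 entry, as an added Python example that is not part of the original page or of MU-dumper. It assumes that a c3 header carries a 1-byte length like c1 and that the c2/c4 length is big-endian; the page states neither.

```python
# Added example (not from the original page or MU-dumper): split a captured
# MU Online byte stream into messages using the header rules given on this
# page (c1: next byte is the length, c2/c4: next 2 bytes are the length) and
# decrypt c3 messages with the XOR scheme MiKiOnE posted.
# Assumptions: a c3 header carries a 1-byte length like c1, and the 2-byte
# length of c2/c4 is big-endian; the page states neither.

KEY = bytes([  # MiKiOnE's 32-byte key, copied from the page
    0xe7, 0x6D, 0x3a, 0x89, 0xbc, 0xb2, 0x9f, 0x73,
    0x23, 0xa8, 0xfe, 0xb6, 0x49, 0x5d, 0x39, 0x5d,
    0x8a, 0xcb, 0x63, 0x8d, 0xea, 0x7d, 0x2b, 0x5f,
    0xc3, 0xb1, 0xe9, 0x83, 0x29, 0x51, 0xe8, 0x56,
])

def split_messages(stream: bytes) -> list:
    """Cut a stream into whole messages; stop at a truncated tail."""
    frames, pos = [], 0
    while pos < len(stream):
        hdr = stream[pos]
        if hdr in (0xC1, 0xC3):                  # 1-byte length field
            hdr_len = 2
            length = stream[pos + 1] if pos + 1 < len(stream) else 0
        elif hdr in (0xC2, 0xC4):                # 2-byte length field
            hdr_len = 3
            length = int.from_bytes(stream[pos + 1:pos + 3], "big")
        else:
            raise ValueError(f"unknown header byte {hdr:02x} at offset {pos}")
        # A length shorter than its own header would never advance pos
        # (infinite loop); a length past the end is an incomplete message.
        if length < hdr_len or pos + length > len(stream):
            break
        frames.append(stream[pos:pos + length])
        pos += length
    return frames

def decrypt_c3(msg: bytes) -> bytes:
    """MiKiOnE's scheme: the first 3 bytes pass through; each later byte is
    XORed with the previous ciphertext byte and a key byte, the key index
    starting at 4 for byte 3 and wrapping at 32."""
    out = bytearray(msg[:3])
    for i in range(3, len(msg)):
        out.append(msg[i] ^ msg[i - 1] ^ KEY[(i + 1) % 32])
    return bytes(out)
```

    Feed `decrypt_c3` only the frames whose first byte is 0xc3; c1/c2/c4 frames are already plaintext.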

    13 apr 2004 - first look through the dumps, first results.

    Server message with the character list on the account (for the character select menu):

    value                                    length  description
    List header
    c1 xx f3 00                              4       "charlist" message id
    char_num_total                           1       number of characters
    List item (repeated once per character)
    num                                      1       number of the character in the list
    name                                     11      name (padded with \x00)
    level                                    1       level
    00 00 00 ff ff ff ff ff 00 00 00 f8 00   13      ??? worn items, research needed (value = items of a new DW)

    "Object stand (stop moving)" server message. I walked around and wrote down the coordinates, later searched the dump and found the "stand here" message. After that I asked a friend of mine to walk around me and tell me the coordinates.

    value    length  description
    c108d4   3       "stand here" message id
    who_id   1       id of character (or monster?)
    ??       1       stand type? =) '7f' for the traced session's own character
    X        1       first coordinate
    Y        1       second coordinate
    arg      1       rotation angle? something else?
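    The two message layouts above turned into a small decoder, as an added Python example; this is not the page's MU-dumper code. Field widths come from the tables, the 13 "new DW" item bytes are kept raw, and the sample character name and level used in the comments are constructed.

```python
# Added example (not the page's own MU-dumper): decode the two server
# messages documented on this page, the character list (header c1 xx f3 00)
# and the "stand here" message (c1 08 d4), from one plaintext c1 frame.
import struct

# One list item: num(1) name(11, NUL padded) level(1) items(13) = 26 bytes
CHAR_ITEM = struct.Struct("<B11sB13s")

def decode_charlist(msg: bytes) -> list:
    if msg[:1] != b"\xc1" or msg[2:4] != b"\xf3\x00":
        raise ValueError("not a charlist message")
    total = msg[4]
    body = msg[5:]
    # Cross-check the count against the real frame length before trusting it:
    # a count larger than the frame would otherwise read past the message.
    if msg[1] != len(msg) or len(body) != total * CHAR_ITEM.size:
        raise ValueError("charlist length does not match character count")
    chars = []
    for num, name, level, items in CHAR_ITEM.iter_unpack(body):
        chars.append({"num": num,
                      "name": name.rstrip(b"\x00").decode("ascii", "replace"),
                      "level": level,
                      "items": items.hex()})
    return chars

def decode_stand(msg: bytes) -> dict:
    # c1 08 d4 | who_id | type | X | Y | arg  (8 bytes total)
    if msg[:3] != b"\xc1\x08\xd4" or len(msg) != 8:
        raise ValueError("not a stand message")
    who_id, kind, x, y, arg = msg[3:8]
    return {"who_id": who_id, "type": kind, "x": x, "y": y, "arg": arg}

def describe(msg: bytes) -> str:
    """Dumper-style one-liner: known messages decoded, unknown ones as hex."""
    if msg[:3] == b"\xc1\x08\xd4":
        s = decode_stand(msg)
        return f"Stand ID:{s['who_id']:02x} @ {s['x']:02x},{s['y']:02x} [{s['type']:02x}]"
    if msg[:1] == b"\xc1" and msg[2:4] == b"\xf3\x00":
        chars = decode_charlist(msg)
        return "Charlist: " + ", ".join(f"{c['name']} lvl {c['level']}" for c in chars)
    return f"Skip {msg[0]:02X} msg [{msg.hex()}]"
```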

    12 apr 2004 - Work is going on. I took some initial network traffic dumps. Specially crafted dumps were generated in a few simple steps:

    • run MU.EXE; wait 30 seconds
    • click on connect; wait 30 seconds
    • click on server cluster name; wait 30 seconds
    • click on server; wait 30 seconds
    • send account name & password; wait 30 seconds
    • click on character and 'ok' button; wait 30 seconds
    • leave the game