[Research] Client.exe

Newbie Spellweaver
TSR: I read your reply in the previous post; however, when I came back to reply, the thread had been modified by a Mod. Therefore I am now starting a new thread called Research; sorry if I picked the wrong name. So let me start.

First, the reason I mention that we should find a way to look into Client.exe is that the packet communication differs between versions.
for example:
Gamigo version 1.3.5 will have a different string_table.xml for that gamigo client.exe

Loong3d version 3.3 will have a different string_table.xml for that loong3d client.exe

Loong.us version 2.2 will have a different string_table.xml for that loongus client.exe

Therefore, if we use the 001 pack and take loong.us as an example: we synced and everything was done. Then, in the game, if we try to get into a Cave Quest we may get kicked out of the game. I mean the cave quest boss etc., not the level-system quest. The reason we get kicked out is missing and wrong packet communication. If we sync and use loong3d version 3.2 we can enter fine. I did some research and found that those problems are caused by String_table.xml. For version 2.2 it will just pop up "found cave", enter, and get the deduction etc. (this I read inside string_table.xml; we cannot see it in game because we get kicked out with a pop-up error). For version 3.2 it will first pop up "found cave", second pop up "do you want to enter or not" with the deduction etc., and then if we agree we can enter the cave quest without game errors. That is one of the things. So to fix it simply, we can use string_table.xml 3.2 for 2.2 if we use the client.exe released in 001, but that fix requires a lot of translation etc.

Let me start another one.
Secondly, many things have been defined and fixed inside client.exe. For example the length of the Title: for client.exe 3.2 it is limited to 9 characters, since in Chinese that is very long. But for English and other languages than Chinese, 9 characters is not enough to display the whole title. It still displays the title, but the title gets cut off, with the length limited to 9 characters.

Thirdly, the UI inside the local folder of system.pak is designed to run with the corresponding client.exe. Therefore even if we sync and resync to the new version released by the retail, we will surely miss many new functions if we cannot use the retail client.exe for that version. For example, the Flying Up Angel that the player can learn on reaching level 80: even if we satisfy all the conditions and learn it, we cannot use it. We click the button but nothing happens. The cause is the wrong UI and wrong packets, so reworking the UI and packets will be a lot more tremendous work than working straight on the client.exe which the retail released for that version.

Hopefully I am explaining myself clearly enough here, and hopefully many people will get involved in this work, since a game will only play much better if we can use the retail client. For example Lineage II, AION and Dekaron use something to bypass GameGuard and use the retail client, so their functions work more correctly and nicer in the game.

The reason I called for help is that I don't know how to unpack client.exe, disassemble it and then repack it, or how to write a program to trick client.exe into connecting to the IP we want even though that IP may differ from what is hard-coded inside client.exe.

All, please come and share your ideas to help improve this.
All the best.
 

tsr

Newbie Spellweaver
...Or write a program to trick client.exe into connecting to the IP we want even though that IP may differ from what is hard-coded inside client.exe.

I don't know about the others, but the Russian client.exe is not bound to an IP... try changing
launcher/Launcher.ini
launcher/serverinfo.xml
launcher/serverinfo_back.xml
config/lastlogin.xml
in the client files that you use for your server (the IP must be external)...
Download a simple sniffer; I use it when there is no need to go into the weeds and use Wireshark...
I use rPE _http://www.megaupload.com/?d=NMKN4BFL
Run client.exe, then run rPe.exe with administrator privileges...
In rPE: Menu -> Select Process -> Open Process
Find and select Client.exe and press Inject... press the Start button...
Now switch to the client and try to log in... after the client throws us out, switch back to rPE and you will see "All:" with the digit 4? Press the Stop button...
A window opens in which we see the 4 login packets... here look at the IP address the client tries to log in to; for me it is the one I put in. In other words, the client IP is not hard-coded...
So I disassembled the Russian client and did not find the IP address, but it may not necessarily be inside client.exe...
Keep rPE around, it is still useful...

---------- Post added 14-06-11 at 12:46 AM ---------- Previous post was 13-06-11 at 11:20 PM ----------

As for the rest, at the moment I am trying to write a tool for this, so that localization can be done knowing what you are doing, rather than dully wondering what would happen if "this is changed to that"...
For now we still have to work with the loongword.exe & client.exe pair that matches...
until we get a new server...
 
Newbie Spellweaver
Thanks TSR for your responses. Let me clarify the situation more clearly for you to understand.
All the files you mentioned I already knew how to edit and update correspondingly. However, if I try to use the retail client, that client just stays quiet and replies "time out, trying to connect to server" for so long. If I replace that client with the client from 001.cpk then that client can connect immediately. Therefore, the client from loongus.com is tied to some conditions, so when the IP differs from what is predefined it will not work.
TSR, you can try downloading this loong and do some research on this client. I will attach the URL in this post as well. I will try to use the program you mentioned above too.

The Loongus.com download link is

Thanks.
 

tsr

Newbie Spellweaver
The client connects to wherever you tell it to, as I wrote above...
In the client you gave me the link to, the length of the login packet = 384 bytes; in the version of the server that we have, the login packet length = 352 bytes, and it seems the password hash in that client is not md5.
Compare
B6A9CAB19231AD085C01000062B0F9C7 746573740000000000000000000000000000000000000000000000000000000000000000 96292749F6477510 3532303531374142383834324236393533354431304534423344413831383842 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

[second packet dump missing from the page]

The first is from your client, the second from ours...
74657374 - login name "test"
3532303531374142383834324236393533354431304534423344413831383842 - hash of the password "123456"
The login is present in both packets, but the md5 hash is missing from the second... Now think about how the server should respond when it is sent a packet:
of a different length,
with two hashes it cannot recognize.

Even if you know what hash is used and substitute it into the database, there is still no guarantee that the server understands the packet from this client.
 
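The two captures tsr compares above can be pulled apart mechanically. The following is an added example, not code from the thread: it builds a packet in the layout inferred from tsr's annotated dump (header, zero-padded login name, 8 unknown bytes, 64 ASCII-hex characters of hash), parses the fields back out, classifies the packet by the two lengths quoted (384 vs 352 bytes), and checks whether the hash field is a plain unsalted MD5 of the password. The field offsets, the 36-byte name field and the all-zero hash field for the 352-byte variant are assumptions, not a documented protocol; the header bytes, the unknown bytes and the hash value are copied from the dump.

```python
"""Parse the Loong login packet layout annotated in the thread.

ASSUMED layout (inferred from the posted dump, not a documented protocol):
  bytes   0-15   header (16 bytes, copied verbatim from the dump)
  bytes  16-51   login name, zero padded (36 bytes)
  bytes  52-59   unknown (8 bytes, "96292749F6477510" in the dump)
  bytes  60-123  password hash as 64 ASCII hex characters
  bytes 124-end  zero padding up to the packet length
Packet lengths quoted in the thread: 384 bytes (loong.us client) and
352 bytes (the server version we have, where the hash is missing).
"""
import hashlib

LEN_LOONGUS_CLIENT = 384
LEN_SERVER_VERSION = 352

NAME_OFF, NAME_LEN = 16, 36
UNK_OFF, UNK_LEN = 52, 8
HASH_OFF, HASH_LEN = 60, 64

# Copied from tsr's dump; header and unknown bytes are opaque to us and are
# kept only so the constructed sample matches the capture.
SAMPLE_HEADER = bytes.fromhex("B6A9CAB19231AD085C01000062B0F9C7")
SAMPLE_UNKNOWN = bytes.fromhex("96292749F6477510")
# The 64 ASCII-hex bytes in the dump decode to this 32-character string.
SAMPLE_HASH_HEX = "520517AB8842B69535D10E4B3DA8188B"


def build_login_packet(name, hash_hex, total_len,
                       header=SAMPLE_HEADER, unknown=SAMPLE_UNKNOWN):
    """Assemble a packet in the assumed layout. Pass hash_hex='' for the
    352-byte variant, which leaves the hash field all zeros (assumption)."""
    name_field = name.encode("ascii").ljust(NAME_LEN, b"\x00")
    hash_field = hash_hex.encode("ascii").ljust(HASH_LEN, b"\x00")
    if len(name_field) != NAME_LEN or len(hash_field) != HASH_LEN:
        raise ValueError("field overflow")
    body = header + name_field + unknown + hash_field
    if len(body) > total_len:
        raise ValueError("body longer than requested packet length")
    return body.ljust(total_len, b"\x00")


def parse_login_packet(packet):
    """Extract the fields and classify the packet by the two quoted lengths."""
    variants = {LEN_LOONGUS_CLIENT: "loong.us client",
                LEN_SERVER_VERSION: "server version"}
    name_raw = packet[NAME_OFF:NAME_OFF + NAME_LEN].split(b"\x00", 1)[0]
    hash_raw = packet[HASH_OFF:HASH_OFF + HASH_LEN].rstrip(b"\x00")
    return {
        "length": len(packet),
        "variant": variants.get(len(packet), "unknown"),
        "name": name_raw.decode("ascii", "replace"),
        "hash_hex": hash_raw.decode("ascii", "replace"),
        "unknown": packet[UNK_OFF:UNK_OFF + UNK_LEN].hex().upper(),
    }


def is_plain_md5(hash_hex, password):
    """True only if the field is literally MD5(password) with no salt."""
    return hash_hex.lower() == hashlib.md5(password.encode()).hexdigest()


if __name__ == "__main__":
    pkt = build_login_packet("test", SAMPLE_HASH_HEX, LEN_LOONGUS_CLIENT)
    info = parse_login_packet(pkt)
    print(info)
    print("plain md5('123456')?", is_plain_md5(info["hash_hex"], "123456"))
```

The last check confirms tsr's observation: MD5("123456") is e10adc3949ba59abbe56e057f20f883e, not the 520517AB... value in the packet, so the client applies something beyond plain MD5 before the hash goes on the wire.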
Newbie Spellweaver
TSR, your information on that client is great. Based on that we now know there are different sets of server protocols too.
TSR, how about your Russian client: is the title length long enough to display the full title?
And how about the Flying Up skill learned on reaching level 80, can it be executed?
If you please, can you provide me the link to download that client, since I want to test the Russian client too.
All the best.
 

tsr

Newbie Spellweaver
TSR, how about your Russian client: is the title length long enough to display the full title?
If I understand correctly, we are talking about NPC names and other labels in the game? I don't know about the other sites, but in the Russian client NPC names are not literally translated from Chinese, and the Russian names may differ from the Chinese ones, as may other labels...
So for example, if an NPC translated from Chinese is called "black green lunar wolf clan", in Chinese that is three or four characters, and neither in English nor in Russian is the field big enough to display it... so the NPC is called something else, which entails certain changes in the quests and so on...

And how about the Flying Up skill learned on reaching level 80, can it be executed?
I have no information.
If you please, can you provide me the link to download that client, since I want to test the Russian client too.
All the best.
_http://loong.mail.ru/client/ DOWNLOAD
_http://loong.mail.ru/auth/register/
 
Newbie Spellweaver
TSR:
Thanks for providing the site, I am downloading it now.

Regarding the title, I meant the title of the player, not the name of the NPC. For example, when you complete certain quests you receive that title with some little effects. You can activate and use the title by going into the character Profile, where there is a section called Title. For my loong, using the client from 001.pak the whole length of the title gets cut; for example, a title could be "Long Thanh Ho Dau" but it will only show "Long Than" right above the player name. It displays all titles with 9 characters only. Therefore I suspect the length of the title is predefined inside the client, because I have already searched up and down for where I could change it but couldn't.
 
Junior Spellweaver
The client connects to wherever you tell it to, as I wrote above...
In the client you gave me the link to, the length of the login packet = 384 bytes; in the version of the server that we have, the login packet length = 352 bytes, and it seems the password hash in that client is not md5.
Compare
B6A9CAB19231AD085C01000062B0F9C7 746573740000000000000000000000000000000000000000000000000000000000000000 96292749F6477510 3532303531374142383834324236393533354431304534423344413831383842 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

[second packet dump missing from the page]

The first is from your client, the second from ours...
74657374 - login name "test"
3532303531374142383834324236393533354431304534423344413831383842 - hash of the password "123456"
The login is present in both packets, but the md5 hash is missing from the second... Now think about how the server should respond when it is sent a packet:
of a different length,
with two hashes it cannot recognize.

Even if you know what hash is used and substitute it into the database, there is still no guarantee that the server understands the packet from this client.

The second hash is generated in the same function as the first hash. If you put a breakpoint on the md5+salt function in the client and then trace to the second place where the salt shows up, you see that it runs the hash through the second salt and generates a secondary hash. That is the hash you see in the packet.
Also there are more than 4 packets making trouble with the official client, since they changed some structures in the packets sent to the server for quests and skills as well. Those are easy to fix, but it is pretty hard to fix the sent/recv data at login since they contain more info. The reason you end up dead at login is that the client sends out data that makes the server send back a "character is dead" packet to the client, but the server still has "char is not dead" in the database, so you can't resurrect.
It is possible to fix that issue by filtering the data traffic, intercepting the info and changing it to proper values.

Hope this info helps you a little more.
 
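Cain's last suggestion (filter the traffic, intercept the info and change it to proper values) can be prototyped without touching client.exe at all, since tsr showed that the client's server address lives in Launcher.ini / serverinfo.xml. Below is an added example, not Cain's or the project's code: a small TCP proxy that the client is pointed at, which connects onward to the real server and runs every chunk in each direction through a transform hook where the rewrite logic goes. The only rewrite rule included is a placeholder assumption that trims a 384-byte login packet to the 352-byte length quoted in the thread; the real translation between the two login formats is not known from the thread and would come from reversing both login functions. The echo server in loopback_demo() is constructed for the demonstration and stands in for the game server.

```python
"""Minimal TCP interception proxy for client <-> server traffic.

Point the client at 127.0.0.1:<port> (the files tsr lists) and start the
proxy with target=(real_server_ip, real_port). Each chunk passes through a
transform before being forwarded; rewrite_client_to_server is an ASSUMED
placeholder, not the real Loong login translation.
"""
import socket
import threading

CLIENT_LOGIN_LEN = 384   # length quoted for the loong.us client
SERVER_LOGIN_LEN = 352   # length quoted for the server version we have


def rewrite_client_to_server(chunk):
    """Placeholder rewrite (assumption): cut a 384-byte login packet down to
    352 bytes; anything else is passed through untouched. Replace this with
    the real field translation once both login formats are understood."""
    if len(chunk) == CLIENT_LOGIN_LEN:
        return chunk[:SERVER_LOGIN_LEN]
    return chunk


def passthrough(chunk):
    """Default server -> client transform: forward unchanged."""
    return chunk


def pump(src, dst, transform, log):
    """Copy src -> dst through transform until src hits EOF, then half-close
    dst so the opposite direction keeps flowing until it finishes too."""
    try:
        while True:
            chunk = src.recv(65536)
            if not chunk:
                break
            out = transform(chunk)
            log.append((len(chunk), len(out)))   # (bytes in, bytes out)
            dst.sendall(out)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_proxy(target, listen_port=0, c2s=rewrite_client_to_server,
                s2c=passthrough):
    """Listen on 127.0.0.1:listen_port (0 = any free port) and relay every
    accepted client to target=(host, port). Returns (listener, port, log)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", listen_port))
    listener.listen(5)
    log = []

    def accept_loop():
        while True:
            try:
                client, _ = listener.accept()
            except OSError:
                return                      # listener was closed
            server = socket.create_connection(target)
            threading.Thread(target=pump, args=(client, server, c2s, log),
                             daemon=True).start()
            threading.Thread(target=pump, args=(server, client, s2c, log),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener, listener.getsockname()[1], log


def loopback_demo():
    """Constructed stand-in for the game server: an echo server on loopback.
    Pushes a 384-byte 'login' through the proxy and returns
    (bytes the server saw, bytes the client got back)."""
    echo = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    echo.bind(("127.0.0.1", 0))
    echo.listen(1)
    seen = []

    def serve():
        conn, _ = echo.accept()
        with conn:
            buf = b""
            while True:
                part = conn.recv(65536)
                if not part:
                    break
                buf += part
            seen.append(len(buf))
            conn.sendall(buf)

    threading.Thread(target=serve, daemon=True).start()
    listener, port, _ = start_proxy(echo.getsockname())
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.sendall(b"\x00" * CLIENT_LOGIN_LEN)
        c.shutdown(socket.SHUT_WR)
        reply = b""
        while True:
            part = c.recv(65536)
            if not part:
                break
            reply += part
    listener.close()
    echo.close()
    return seen[0], len(reply)


if __name__ == "__main__":
    print(loopback_demo())   # (352, 352) with the placeholder rule
```

The transform runs per received chunk, so a real rewrite needs to reassemble the game's framing first (the packet lengths quoted in the thread give the boundaries for the login); otherwise a packet split across two recv() calls would slip past the rule unchanged.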
Newbie Spellweaver
Thank you TSR and Cain.
However, for the loong.us client I cannot get into the server; it only replies "Time Out connection to Server", therefore my character in game is not dead yet. Before, I tried to learn how to use that retail client to connect and play, since the version I play is Vietnamese and that client is written for the Vietnamese version. However, per TSR's research it uses many different packets and communication protocols inside, therefore currently I don't know what else to do yet.
I already downloaded TSR's Russian client; however, I haven't tried it yet, since I was busy with company meetings. I will give it a test today.

Cain, if you know how to hex-edit the client, could you please give a short tutorial or hints on what we should start looking at too.
All the best. Thanks
 

tsr

Newbie Spellweaver
TSR:
Thanks for providing the site, I am downloading it now.

Regarding the title, I meant the title of the player, not the name of the NPC. For example, when you complete certain quests you receive that title with some little effects. You can activate and use the title by going into the character Profile, where there is a section called Title. For my loong, using the client from 001.pak the whole length of the title gets cut; for example, a title could be "Long Thanh Ho Dau" but it will only show "Long Than" right above the player name. It displays all titles with 9 characters only. Therefore I suspect the length of the title is predefined inside the client, because I have already searched up and down for where I could change it but couldn't.
Titles are described in data\local\zhCN\attdata\role_title_name.xml; there is no restriction on the number of displayed characters there.
The window that displays all of this is described in data\local\zhCN\ui\rolestate.xml; here too there seem to be no restrictions,
but it still displays 9 characters... The fact is that system.cpk has many relationships, and until we get a tool (probably until I write it) where you can edit it visually, it will be difficult to predict anything for sure... there is supposedly an editor in the client, but it does not write; still, with it you can easily spy on where everything is and what it is called.

---------- Post added at 06:59 AM ---------- Previous post was at 06:45 AM ----------

The second hash is generated in the same function as the first hash. If you put a breakpoint on the md5+salt function in the client and then trace to the second place where the salt shows up, you see that it runs the hash through the second salt and generates a secondary hash. That is the hash you see in the packet.
Also there are more than 4 packets making trouble with the official client, since they changed some structures in the packets sent to the server for quests and skills as well. Those are easy to fix, but it is pretty hard to fix the sent/recv data at login since they contain more info. The reason you end up dead at login is that the client sends out data that makes the server send back a "character is dead" packet to the client, but the server still has "char is not dead" in the database, so you can't resurrect.
It is possible to fix that issue by filtering the data traffic, intercepting the info and changing it to proper values.

Hope this info helps you a little more.

Servers for different locales likely have different sets of network packets. We have only one server, and I still have not understood where this server comes from, for whom it was originally localized. Since we do not have the server source code, modifying it would be very difficult...
Patching network packets in the compiled file is madness; you still will not get anything sensible, packets are assembled and handled by a constructor... There are two ways out of this situation: write a server emulator (very, very difficult), or find out after all which client version corresponds to this server version, and localize that one...

Questions arising from the above:
1. Where was this server taken from?
2. Which client versions should it work with?
 
Newbie Spellweaver
Thanks TSR, I already tried and looked at rolestate before as well, but it still displays 9 characters only, not the full title as described in roletitle. That's why I think it somehow got predefined in the localized retail client.

I think for the retail loong.us they bought the source code and then modified the whole thing differently, so for the server we currently have I think we just stick to loong3d and try to modify and develop from there, based on the server files we currently have. Just some thoughts.
All the best.
 
Junior Spellweaver
If you look in launcher.ini you will see the line

LoginMode = 0

LoginMode 0 is what works on the current server files.
LoginMode 1 (loong3d uses this mode currently and it is not working on the server files we have.)

Login mode 2 accesses a different area in the md5 function to calculate a secondary hash that you can see in the packet sent to the server.

005A54F7 |> 6A 20 PUSH 20 ; Case 0 of switch 005A54E0

Gets accessed when login mode is 0

005A5644 |> 6A 20 PUSH 20 ; Case 1 of switch 005A54E0

gets accessed when login mode is 1

005A58AA |> 8B8D E4030000 MOV ECX,DWORD PTR SS:[EBP+3E4] ; Case 2 of switch 005A54E0

gets accessed when login mode is set to 2 (Some kind of autologin mode)

and here is last mode and this one is funky.

005A5904 |> 80BD 6C010000>CMP BYTE PTR SS:[EBP+16C],0 ; Case 3 of switch 005A54E0
005A590B |. 6A 20 PUSH 20 ; /maxlen = 20 (32.)
005A590D |. 0F84 D8000000 JE 005A59EB ; |
005A5913 |. 8B35 089B6A00 MOV ESI,DWORD PTR DS:[<&MSVCR80.strncpy>>; |MSVCR80.strncpy
005A5919 |. 8D8424 840100>LEA EAX,DWORD PTR SS:[ESP+184] ; |
005A5920 |. 68 C4366D00 PUSH 006D36C4 ; |src = "NathanielYu"
005A5925 |. 50 PUSH EAX ; |dest

I haven't had much time to look into this last mode, but the function is really odd looking.

Anyhow, on the latest loong3d client you can install the client, then in the launcher ini set loginmode to 0, and the structure should be the same in the login packet.

I will look more into the login functions on client and server and see what differs between versions to pinpoint where the problem area is, and then we can see if it is possible to just rewrite the code to fix most problems.
 