Ferentus Reverse Data Packets

Joined
Oct 8, 2006
Messages
740
Reaction score
289
Hello again everyone. I'm posting a bit of progress again with the Ferentus Server.

Okay. First of all: I've managed to understand OPCODES from the client. (I don't know if this is the entire list of opcodes).
Code:
OPCODES FOR FERENTUS:

[LIST=1]
[*]0x00 - Failure.
[*]0x01 - User banned or already logged in game!
[*]0x02 - Not the latest version of the game!
[*]0x03 - User not registered!
[*]0x04 - Incorrect password!
[*]0x05 - Account is not for game play! Contact GM!
[*]0x06 - ID Currently is being used! Contact GM!
[*]0x07 - Incorrect client program! (Probably for version check!)
[*]0x08 - Using period expired!
[*]0x09 - All IPs is using!
[*]0x10 - That slot is already empty!
[*]0x11 - That slot is empty.
[*]0x12 - No more time for character deletion.
[*]0x13 - Status allocation failure.
[*]0x14 - Item allocation failure.
[*]0x15 - Skill allocation failure.
[*]0x16 - Craft allocation failure.
[*]0x17 - Servers are currently closed. Please try again later.
[*]0x18 - Not existing zone. Please contact GM.
[*]0x19 - Login not possible due to maintenance.
[*]0x20 - Lack of cash.
[*]0x21 - Level is too low.
[*]0x22 - Level is too high.
[*]0x23 - Under penalty of character ability.
[*]0x24 - The target is under penalty of character ability.
[*]0x25 - Lack of fame.
[*]0x26 - Failed to create the item.
[*]0x27 - Failed to delete the item.
[*]0x28 - Untradable item.
[*]0x29 - Already in use.
[*]0x30 - Corpse looted by someone else.
[*]0x31 - You have no right to loot this corpse.
[*]0x32 - Corpse is too weak to loot.
[*]0x33 - Processing call from other inventory.
[*]0x34 - Not enough space in the bag.
[*]0x35 - Can not proceed trading.
[*]0x36 - The player has canceled the trade.
[*]0x37 - You lack the space for this item.
[*]0x38 - Your target lacks the space for this item.
[*]0x39 - GM service is not currently available.
[*]0x40 - You have no party.
[*]0x41 - Player's in a different party.
[*]0x42 - You can not make yourself a target.
[*]0x43 - The target is not a party member.
[*]0x44 - Please check the number of party members.
[*]0x45 - Processing call from party member's inventory.
[*]0x46 - Processing party's item sharing.
[*]0x47 - Processing party's money sharing.
[*]0x48 - The selected sharing methos is currently active.
[*]0x49 - Failed to share items.
[*]0x50 - Mercenary needs a ceratin amount of time to rest.
[*]0x51 - Requested mercenary is not the same as the saved one.
[*]0x52 - Only available to guild masters.
[*]0x53 - The name already exists.
[*]0x54 - Incorrect choice of city selection.
[*]0x55 - Not enough members to form a guild.
[*]0x56 - Forming a guild requires players of certain level or higher.
[*]0x57 - Max number of member has exceeded.
[*]0x58 - Could not find the member.
[*]0x59 - The guild does not exist.
[*]0x60 - Incorrect item for slot.
[*]0x61 - The sheet does not exist.
[*]0x62 - You have tried to use an incorrect craft tool.
[*]0x63 - You have not placed all the required materials into their slots.
[*]0x64 - You do not have the skills to initiate this craft session.
[*]0x65 - You have not placed all the required materials into their slots.
[*]0x66 - Your manufacture level is too low.
[*]0x67 - Exceeded maximum enchantment level.
[*]0x68 - Failed to add to the waiting queue.
[*]0x69 - Already exists in the waiting queue.
[*]0x70 - The shop does not exist.
[*]0x71 - The item does not exist.
[*]0x72 - Not listed in your friends list.
[*]0x73 - Already registered as a friend.
[*]0x74 - Too many friends registered.
[*]0x75 - Must have a character of certain level in oreder to create a HC character.
[*]0x76 - Not the correct field.
[*]0x77 - Not the correct action in this field.
[*]0x78 - Not the correct action at this position.
[*]0x79 - Not the correct arena.
[*]0x80 - Party member is not enough.
[*]0x81 - Not level.
[*]0x82 - Not party memeber's level.
[*]0x83 - Party waiting list is full.
[*]0x84 - Status has already been initialized.
[*]0x85 - Can not perform initialization while wearing items.
[*]0x86 - Quest already complete.
[*]0x87 - Quest already give up.
[*]0x88 - Quest add fail.
[*]0x89 - Quest remove fail.
[*]0x90 - No more Stat to be reset.
[*]0x91 - Equipment is not empty.
[*]0x92 - The player is currently Off-line, you can't summon the player.
[*]0x93 - The player is currently staying in unable place to visit or be invited.
[*]0x94 - It's been denied your request.
[*]0x95 - You are not the guild master.
[*]0x96 - Teleport is failed.
[*]0x97 - Error code that does not exist.
[*]0x0A - Login Duplication
[*]0x0B - The same name already exists. Please try another name.
[*]0x0C - Incorrect character status.
[*]0x0D - This name is not allowed.
[*]0x0E - This character is member of a guild. Please try again after seceding.
[*]0x0F - Character slot number overflow.
[*]0x1A - Can not accept more users. Please try again later.
[*]0x1B - Failed to item data loading. Please contact GM.
[*]0x1C - Failed to enter a game field. Please contact GM.
[*]0x1D - The server already has the same character. Please try later.
[*]0x1E - The character does not exist. Please try later.
[*]0x1F - Asked data not sufficient.
[*]0x2A - Can not divide this item.
[*]0x2B - This item does not exist.
[*]0x2C - This skill does not exist.
[*]0x2D - This skill has not been learned.
[*]0x2E - Incorrect target.
[*]0x2F - Target too far.
[*]0x3A - Your call is already in queue.
[*]0x3B - The party does not exist.
[*]0x3C - You must be the party leader.
[*]0x3D - The target already joined another party.
[*]0x3E - You already invited player.
[*]0x3F - The target is already considering an invite.
[*]0x4A - You can not disband party now.
[*]0x4B - You can not kick the party member now.
[*]0x4C - You can not leave party now.
[*]0x4D - You can not have more than one pet out.
[*]0x4E - No pet to call.
[*]0x4F - Mercenary is not in rest state.
[*]0x5A - You already invited a player.
[*]0x5B - The target is already in another guild.
[*]0x5C - The target is being invited by another guild.
[*]0x5D - The target refused your invitation.
[*]0x5E - Craft sheet required.
[*]0x5F - Craft tool required.
[*]0x6A - Party does not exist in the queue.
[*]0x6B - The waiting queue required time to refresh.
[*]0x6C - Player hiring a mercenary cannot open private shop.
[*]0x6D - Exceeded maximum number of items can be registered.
[*]0x6E - Failed to register the item.
[*]0x6F - Sold Out.
[*]0x7A - It is not the allowed time.
[*]0x7B - Already registered as opponent.
[*]0x7C - Failed to register opponent.
[*]0x7D - Failed to cancel opponent.
[*]0x7E - Not joined bt the team allowed.
[*]0x7F - Only allowed to the owner.
[*]0x8A - Quest is not progress.
[*]0x8B - Quest ID not found.
[*]0x8C - Quest UID not found.
[*]0x8D - Quest Condition fail.
[*]0x8E - The quest progress failed.
[*]0x8F - Quest dat already loaded.
[/LIST]
--FOR NOW THOSE ARE THE OPCODES--

I've managed to get the Login procedure correctly into the Login Server.
The client is sending the data packet encrypted with XOR:
The key for the Login data packet: 0xCD, 0x18, 0x3E, 0x0D

The decoding function written into the LoginServer is encrypting the data packet with this key: 0x63, 0x3D, 0x4C, 0xB7


!!!The problem is... I don't know if the decoding keys are changing after the login.

Okay. In the first image, I'm sending the login information to the client in the first packet, and the client responded with AUTH SUCCESS (00 04 00 00 01 00) (01 - actually it is 00 for AUTH SUCCESS and 01 is for "User is banned or already logged in!").

That 00 03 5F 5A 6C - I don't know what that is, maybe some server list request for the server list selection window.

Here, the client is requesting data packets to be sent by server:
00 02 57 57
00 02 52 52
....etc........



Now. Another packet the client is sending is when I'm using the Start.bat (Client.bin 127.0.0.1 29000).

The first 31-byte packet is requesting something which I don't know how to interpret.
I'm thinking of a new decrypting key.

00 1D - the data length
CD 11 - Header of the data


00 1D CD 11 3E 0D CD 18 3E 0D CD 18 3E 0D CD 18 3E 0D CD 18 3E 0D CD 18
3F 0D CD 18 3E 0D CC

3E 0D CD 18 - is repeating 6 times (24 bytes)

3E 0D CC - Maybe this is the flag or something?

In the background is the client running through that Start.bat.
The "No response from the server" came after 7-8 seconds.





Okay, next data packet sent by the client is when I'm choosing the server from the list.

I don't know if the decoded packet is correct.

Maybe the decryption key is different for this kind of data.






The error came from the client: Mistake input parameter
I'm thinking it is a buffer error. The client is trying to open the game but the data is not correct (I assume, I'm not sure about this).

I don't know exactly if the client needs to communicate with a World Server, not only with the actual Login Server. I couldn't decode any decimal IPs within the data packets. I've found nothing yet.




The problem is: I can't get into the game.
00 16 79 6C... etc... is a request from the client (I think it's the "Get info from the World Server so I can create it and launch the main menu").

I'm still trying to figure it out.


Any help from anyone who developed any kind of server emulator is so much appreciated!!!

(I'm trying my best here to make something for Ferentus community xD)
Thank you all again. Any help is appreciated by anyone who can help me.
Maybe someone who knows how to decrypt those kinds of packets could help me out with this.
 
Joined
Sep 27, 2006
Messages
557
Reaction score
88
00 1D CD 11 3E 0D CD 18 3E 0D CD 18 3E 0D CD 18 3E 0D CD 18 3E 0D CD 18
3F 0D CD 18 3E 0D CC

This is still XOR'd, as you can see from the pattern of CD....

If you can upload a .exe I might be able to help more. You're also going to need to reverse the client-side packets and switch in order to know what the client wants to receive from the server. As I can only guess, the server doesn't exist anymore and you're just sending random packets to the client.
 
Joined
Oct 8, 2006
Messages
740
Reaction score
289
I've tried to find with IDA & Olly the encryption function but no result. But... I have something here that maybe is useful.

There are some functions called Base64Decode and Base64Encode. I'm not really sure if those packets are first encoded with base64 after they are sent or before. I can't find that function.

When I'm sending random packets it's saying in a Ferentus Error txt file:

Decode(): Data imperfection
 
◝(⁰▿⁰)◜Smile◝ (⁰▿⁰)◜
Developer
Joined
May 29, 2007
Messages
2,167
Reaction score
898
Honestly I think you are correct on the xor key. If you encode 0 values with the xor then you get the original key.

If you xor 0xCC with 0xCD you get 0x01 (which is 1).

You are clearly on the right track.

It could be that the xor keeps wrapping around the 4 bytes or keeps resetting (starting from the beginning) when a message is received.

Do you mind sharing your code snippets so I can take a look at them?
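
Added example, not code from the thread or from any poster: it applies the zero-byte observation above to the 31-byte frame from the first post, recovering the repeating XOR key by per-position majority vote and then decoding the body. The 4-byte key period, the unencrypted 2-byte length prefix and the key restarting at body offset 0 are assumptions, and the function names are illustrative.

```python
"""Added example: recover a repeating XOR key from one captured frame."""
from collections import Counter

# 31-byte frame quoted in the thread: 2-byte length prefix + 29-byte body.
FRAME = bytes.fromhex(
    "001DCD113E0DCD183E0DCD183E0DCD183E0DCD183E0DCD18"
    "3F0DCD183E0DCC"
)
KEY_PERIOD = 4  # assumption: the key repeats every 4 bytes


def split_frame(frame: bytes) -> bytes:
    """Check the big-endian 16-bit length prefix and return the body."""
    if len(frame) < 2:
        raise ValueError("frame shorter than its length prefix")
    declared = int.from_bytes(frame[:2], "big")
    body = frame[2:]
    if declared != len(body):
        raise ValueError(f"length prefix {declared} != body size {len(body)}")
    return body


def recover_key(body: bytes, period: int = KEY_PERIOD) -> bytes:
    """Majority vote per key position.

    A zero plaintext byte XORed with a key byte yields the key byte itself,
    so in a mostly-zero message the most common ciphertext byte in each
    column is the key byte for that position.
    """
    key = bytearray()
    for pos in range(period):
        column = body[pos::period]
        key.append(Counter(column).most_common(1)[0][0])
    return bytes(key)


def xor_decode(body: bytes, key: bytes) -> bytes:
    """XOR the body with the key, assuming the key restarts at offset 0."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(body))


def nonzero_fields(plain: bytes) -> dict:
    """Map body offset -> value for every non-zero decoded byte."""
    return {i: b for i, b in enumerate(plain) if b}


if __name__ == "__main__":
    body = split_frame(FRAME)
    key = recover_key(body)
    plain = xor_decode(body, key)
    print("key    :", key.hex(" "))
    print("plain  :", plain.hex(" "))
    print("opcode : 0x%04X" % int.from_bytes(plain[:2], "big"))
    print("nonzero:", nonzero_fields(plain))
```

The recovered key equals the CD 18 3E 0D key stated in the first post, and the decoded body begins with 00 09, the value a later reply reports as the client's first message.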
 
Joined
Oct 8, 2006
Messages
740
Reaction score
289
Sure. I'm sending you the login server and a debug server.

https://mega.nz/#!NzYnnB7Q!PsIohGMZv5sgSCYm0X_b5nlA2zS7HWL1gT5eFxxiZCk

I hope you can help me here! xD
 

◝(⁰▿⁰)◜Smile◝ (⁰▿⁰)◜
Developer
Joined
May 29, 2007
Messages
2,167
Reaction score
898
Dumping all in one class isn't going to help you.

Have you done some programming in the past? A lot of the code you provided can be split into separate classes and can be refactored.

I quickly went over your code and here is some feedback. (I'm not trying to criticize)

First of all, the server-side parsing is wrong: the length of the packet is provided in a (u)short, which is two bytes and not one. This might affect decoding once the packet length goes over 255.

I am not sure if the decoding works with blocks or starts from zero, the current implementation assumes it starts from 0 for every packet. (this might not be the case).

I don't have much time at the moment so I quickly re-wrote the networking code and made it easier to extend it.
Can you quickly test this and give me feedback if you can see the username and password inside the console?
 

Joined
Oct 8, 2006
Messages
740
Reaction score
289
@Taiga Thank you very much, Taiga, but the login server doesn't print anything. Yes, the server is receiving messages from the client, but it doesn't print anything in the console. I'm checking a network log from the client files and it is telling me that it is connected to the Login Server and I can see the bytes sent from client to server, but the console is not printing anything. I don't know why.

The client ports are not static. When the client is connecting to the Login Server it has a variable port, not a static one.

The console is up: Starting emulator... Server is now listening on port 29000.
Your EMU is very nicely written. xD





Yes, I know that my code is not very effectively written.

Edited: I didn't write this login server. Someone else did. xD
 
Initiate Mage
Joined
Jun 2, 2018
Messages
3
Reaction score
1
You're my hero. Any more progress on this? I'm a developer myself and I always planned to look into this topic and also worked on decoding a few files (game models, map, items list as posted in other forums). I will definitely check out your work soon, thanks!
 
Newbie Spellweaver
Joined
Aug 14, 2015
Messages
79
Reaction score
18
I'm checking a network log from the client files and it is telling me that it is connected to the Login Server and I can see the bytes sent from client to server, but the console is not printing anything. I don't know why.

I don't know if you're working on this still but I thought I'd share some of the stuff I figured out.
To start off, the encryption. It's a simple xor as mentioned but it's not static throughout the communication. There're 250 keys each for client and server, 500 in total. Actual key to be used is calculated from these 500 keys for each new message. After a fixed number of messages key indices go full circle and restart. Looks something like this:


Second, the data after decryption. Both packet size and opcode are 2 bytes and in network byte order (big endian).
Client starts off by sending 0x0009 (little endian). I believe correct response is 0x000A. Following opcode I used 0x00 and 0x01, 0x00 displays "Failure" message while 0x01 lets client proceed with loading.
Once loading is completed, client sends 0x000B, and again I believe correct response is 0x000C. Rest of the data for 0x000C response appears to be for character selection information and 'premium service'. I guess easiest way to figure this out is messing around with bytes and see what they do. Here are some screenshots from character selection and creation:



I haven't played this game myself and won't be continuing with developing a proper server. Had a bit of free time and thought I'd contribute a little.
 
Joined
Oct 8, 2006
Messages
740
Reaction score
289
@AcarX Hello, mate! Wow... Well done!!! Very good job. So, every packet has its encryption. Yeah.. I've tried a lot of trial and error but I don't have a proper game server. I'm having a Login-Server, which I've been able to fake a connection for the client in the packet bytes and managed to connect it to it, but my login server is a login server and a game server, and I think, initially, those were separated. (I'm not pretty good with Reverse Engineering). I've been messing around with those packets for about 2 years, and still I couldn't get into the char selection/creation menu. Are you willing to speak a bit privately? :w00t:
 
Initiate Mage
Joined
Jun 2, 2018
Messages
3
Reaction score
1
Where did you find that list? Or is it calculated dynamically? Could you maybe provide this information? Thanks a lot!
 
Newbie Spellweaver
Joined
Aug 14, 2015
Messages
79
Reaction score
18
Where did you find that list? Or is it calculated dynamically? Could you maybe provide this information? Thanks a lot!
I looked into functions where packets are being encrypted/decrypted. Keys may be different from version to version but also maybe not. Version I was working with (from 2005) had these keys:


P.S. @zipper20032, ragezone apparently lets me reply once every 30 minutes so I can't reply to your PM.
 
Robb
Loyal Member
Joined
Jan 22, 2009
Messages
1,224
Reaction score
465
Really nice work!
Considering this is a game that has been offline more than 10 years now, it's crazy how close we are to getting back in game.
 
Initiate Mage
Joined
Oct 18, 2017
Messages
1
Reaction score
0
Hi, glad to see this thread is active once again. I'm also a developer but I have no previous knowledge in the matter of MMO server building nor reverse engineering. Anyway I'd like to help as much as I can.

To start with, is there some material for me to learn from?
 
Robb
Loyal Member
Joined
Jan 22, 2009
Messages
1,224
Reaction score
465
Hi, glad to see this thread is active once again. I'm also a developer but I have no previous knowledge in the matter of MMO server building nor reverse engineering. Anyway I'd like to help as much as I can.

To start with, is there some material for me to learn from?

Hi Lucasxrf,

You're more than welcome to get involved!
I can share with you the edited client, server code so far etc.

There's no complex programming at this stage, just lots of trial&error and debugging necessary to work out the packet structure.
Current stage is: we have reached world login thanks to AcarX, and have some of the character profile information worked out. We need to figure out the character items and state information so that the actual character can be loaded:


There is a list of opcodes at
 

Initiate Mage
Joined
Nov 2, 2018
Messages
1
Reaction score
0
Hi, I'm not a computer person, but I really enjoyed this game when it was out. Is there any eta or a website I can visit to be able to play the game or test it.
 
Joined
Oct 8, 2006
Messages
740
Reaction score
289
Hi, I'm not a computer person, but I really enjoyed this game when it was out. Is there any eta or a website I can visit to be able to play the game or test it.

Hello, Cipherdec. There isn't any website yet. We are progressing with reversing the client packets. You can join our Discord if you want to track our updates:
 
Newbie Spellweaver
Joined
Sep 8, 2018
Messages
5
Reaction score
0
To start off, the encryption. It's a simple xor as mentioned but it's not static throughout the communication. There're 250 keys each for client and server, 500 in total. Actual key to be used is calculated from these 500 keys for each new message. After a fixed number of messages key indices go full circle and restart. Looks something like this:
I am interested in this code, mainly what are "l" and "r" for? What are their initial values?
Also I am assuming that "fiz" is just a macro for a for loop
 
Robb
Loyal Member
Joined
Jan 22, 2009
Messages
1,224
Reaction score
465


Progress since this thread
 