Ferentus Reverse Data Packets

  1. #1
    zipper20032 (Hardcore Member) - Rank: Member, Joined: Oct 2006, Posts: 109

    Ferentus Reverse Data Packets

    Hello again, everyone. I'm posting a bit of progress again on the Ferentus Server.

    Okay. First of all: I've managed to understand the OPCODES from the client. (I don't know if this is the entire list of opcodes.)
    Code:
    OPCODES FOR FERENTUS:
    
    
    1. 0x00 - Failure.
    2. 0x01 - User banned or already logged in game!
    3. 0x02 - Not the latest version of the game!
    4. 0x03 - User not registered!
    5. 0x04 - Incorrect password!
    6. 0x05 - Account is not for game play! Contact GM!
    7. 0x06 - ID Currently is being used! Contact GM!
    8. 0x07 - Incorrect client program! (Probably for version check!)
    9. 0x08 - Using period expired!
    10. 0x09 - All IPs is using!
    11. 0x10 - That slot is already empty!
    12. 0x11 - That slot is empty.
    13. 0x12 - No more time for character deletion.
    14. 0x13 - Status allocation failure.
    15. 0x14 - Item allocation failure.
    16. 0x15 - Skill allocation failure.
    17. 0x16 - Craft allocation failure.
    18. 0x17 - Servers are currently closed. Please try again later.
    19. 0x18 - Not existing zone. Please contact GM.
    20. 0x19 - Login not possible due to maintenance.
    21. 0x20 - Lack of cash.
    22. 0x21 - Level is too low.
    23. 0x22 - Level is too high.
    24. 0x23 - Under penalty of character ability.
    25. 0x24 - The target is under penalty of character ability.
    26. 0x25 - Lack of fame.
    27. 0x26 - Failed to create the item.
    28. 0x27 - Failed to delete the item.
    29. 0x28 - Untradable item.
    30. 0x29 - Already in use.
    31. 0x30 - Corpse looted by someone else.
    32. 0x31 - You have no right to loot this corpse.
    33. 0x32 - Corpse is too weak to loot.
    34. 0x33 - Processing call from other inventory.
    35. 0x34 - Not enough space in the bag.
    36. 0x35 - Can not proceed trading.
    37. 0x36 - The player has canceled the trade.
    38. 0x37 - You lack the space for this item.
    39. 0x38 - Your target lacks the space for this item.
    40. 0x39 - GM service is not currently available.
    41. 0x40 - You have no party.
    42. 0x41 - Player's in a different party.
    43. 0x42 - You can not make yourself a target.
    44. 0x43 - The target is not a party member.
    45. 0x44 - Please check the number of party members.
    46. 0x45 - Processing call from party member's inventory.
    47. 0x46 - Processing party's item sharing.
    48. 0x47 - Processing party's money sharing.
    49. 0x48 - The selected sharing methos is currently active.
    50. 0x49 - Failed to share items.
    51. 0x50 - Mercenary needs a ceratin amount of time to rest.
    52. 0x51 - Requested mercenary is not the same as the saved one.
    53. 0x52 - Only available to guild masters.
    54. 0x53 - The name already exists.
    55. 0x54 - Incorrect choice of city selection.
    56. 0x55 - Not enough members to form a guild.
    57. 0x56 - Forming a guild requires players of certain level or higher.
    58. 0x57 - Max number of member has exceeded.
    59. 0x58 - Could not find the member.
    60. 0x59 - The guild does not exist.
    61. 0x60 - Incorrect item for slot.
    62. 0x61 - The sheet does not exist.
    63. 0x62 - You have tried to use an incorrect craft tool.
    64. 0x63 - You have not placed all the required materials into their slots.
    65. 0x64 - You do not have the skills to initiate this craft session.
    66. 0x65 - You have not placed all the required materials into their slots.
    67. 0x66 - Your manufacture level is too low.
    68. 0x67 - Exceeded maximum enchantment level.
    69. 0x68 - Failed to add to the waiting queue.
    70. 0x69 - Already exists in the waiting queue.
    71. 0x70 - The shop does not exist.
    72. 0x71 - The item does not exist.
    73. 0x72 - Not listed in your friends list.
    74. 0x73 - Already registered as a friend.
    75. 0x74 - Too many friends registered.
    76. 0x75 - Must have a character of certain level in oreder to create a HC character.
    77. 0x76 - Not the correct field.
    78. 0x77 - Not the correct action in this field.
    79. 0x78 - Not the correct action at this position.
    80. 0x79 - Not the correct arena.
    81. 0x80 - Party member is not enough.
    82. 0x81 - Not level.
    83. 0x82 - Not party memeber's level.
    84. 0x83 - Party waiting list is full.
    85. 0x84 - Status has already been initialized.
    86. 0x85 - Can not perform initialization while wearing items.
    87. 0x86 - Quest already complete.
    88. 0x87 - Quest already give up.
    89. 0x88 - Quest add fail.
    90. 0x89 - Quest remove fail.
    91. 0x90 - No more Stat to be reset.
    92. 0x91 - Equipment is not empty.
    93. 0x92 - The player is currently Off-line, you can't summon the player.
    94. 0x93 - The player is currently staying in unable place to visit or be invited.
    95. 0x94 - It's been denied your request.
    96. 0x95 - You are not the guild master.
    97. 0x96 - Teleport is failed.
    98. 0x97 - Error code that does not exist.
    99. 0x0A - Login Duplication
    100. 0x0B - The same name already exists. Please try another name.
    101. 0x0C - Incorrect character status.
    102. 0x0D - This name is not allowed.
    103. 0x0E - This character is member of a guild. Please try again after seceding.
    104. 0x0F - Character slot number overflow.
    105. 0x1A - Can not accept more users. Please try again later.
    106. 0x1B - Failed to item data loading. Please contact GM.
    107. 0x1C - Failed to enter a game field. Please contact GM.
    108. 0x1D - The server already has the same character. Please try later.
    109. 0x1E - The character does not exist. Please try later.
    110. 0x1F - Asked data not sufficient.
    111. 0x2A - Can not divide this item.
    112. 0x2B - This item does not exist.
    113. 0x2C - This skill does not exist.
    114. 0x2D - This skill has not been learned.
    115. 0x2E - Incorrect target.
    116. 0x2F - Target too far.
    117. 0x3A - Your call is already in queue.
    118. 0x3B - The party does not exist.
    119. 0x3C - You must be the party leader.
    120. 0x3D - The target already joined another party.
    121. 0x3E - You already invited player.
    122. 0x3F - The target is already considering an invite.
    123. 0x4A - You can not disband party now.
    124. 0x4B - You can not kick the party member now.
    125. 0x4C - You can not leave party now.
    126. 0x4D - You can not have more than one pet out.
    127. 0x4E - No pet to call.
    128. 0x4F - Mercenary is not in rest state.
    129. 0x5A - You already invited a player.
    130. 0x5B - The target is already in another guild.
    131. 0x5C - The target is being invited by another guild.
    132. 0x5D - The target refused your invitation.
    133. 0x5E - Craft sheet required.
    134. 0x5F - Craft tool required.
    135. 0x6A - Party does not exist in the queue.
    136. 0x6B - The waiting queue required time to refresh.
    137. 0x6C - Player hiring a mercenary cannot open private shop.
    138. 0x6D - Exceeded maximum number of items can be registered.
    139. 0x6E - Failed to register the item.
    140. 0x6F - Sold Out.
    141. 0x7A - It is not the allowed time.
    142. 0x7B - Already registered as opponent.
    143. 0x7C - Failed to register opponent.
    144. 0x7D - Failed to cancel opponent.
    145. 0x7E - Not joined bt the team allowed.
    146. 0x7F - Only allowed to the owner.
    147. 0x8A - Quest is not progress.
    148. 0x8B - Quest ID not found.
    149. 0x8C - Quest UID not found.
    150. 0x8D - Quest Condition fail.
    151. 0x8E - The quest progress failed.
    152. 0x8F - Quest dat already loaded.
    --FOR NOW THOSE ARE THE OPCODES--

    I've managed to get the login procedure correctly into the Login Server.
    The client is sending the data packet encrypted with XOR:
    The key for the Login data packet: 0xCD, 0x18, 0x3E, 0x0D

    The decoding function written into the LoginServer is encrypting the data packet with this key: 0x63, 0x3D, 0x4C, 0xB7


    !!!The problem is... I don't know if the decoding keys are changing after the login.

    Okay. On the first image, I'm sending the login information to the client in the first packet, and the client responded with AUTH SUCCESS (00 04 00 00 01 00) (01 - actually it is 00 for AUTH SUCCESS and 01 is for "User is banned or already logged in!")

    That 00 03 5F 5A 6C - I don't know what that is, maybe some server list request for the server list selection window.

    Here, the client is requesting data packets to be sent by server:
    00 02 57 57
    00 02 52 52
    ....etc........



    Now, another packet the client sends is when I'm using Start.bat (Client.bin 127.0.0.1 29000).

    The first 31-byte packet is requesting something which I don't know how to interpret.
    I'm thinking of a new decrypting key.

    00 1D - the data length
    CD 11 - Header of the data


    00 1D CD 11 3E 0D CD 18 3E 0D CD 18 3E 0D CD 18 3E 0D CD 18 3E 0D CD 18
    3F 0D CD 18 3E 0D CC

    3E 0D CD 18 - is repeating 6 times (24 bytes)

    3E 0D CC - Maybe this is the flag or something?

    In the background is the client running through that Start.bat.
    The "No response from the server" came after 7-8 seconds.

    Okay, the next data packet sent by the client is when I'm choosing the server from the list.

    I don't know if the decoded packet is correct.

    Maybe the decryption key is different for this kind of data.

    The error came from the client: Mistake input parameter
    I think it's a buffer error. The client is trying to open the game but the data is not correct (I assume, I'm not sure about this).

    I don't know exactly if the client needs to communicate with a World Server, not only with the actual Login Server. I couldn't decode any decimal IPs within the data packets. I've found nothing yet.

    The problem is: I can't get into the game.
    00 16 79 6C... etc... is a request from the client. I think it's the "Get info from the World Server so I can create it and launch the main menu" request.

    I'm still trying to figure it out.

    Any help from anyone who has developed any kind of server emulator is very much appreciated!!!

    (I'm trying my best here to make something for the Ferentus community xD)
    Thank you all again. Any help is appreciated by anyone who can help me.
    Maybe someone who knows how to decrypt these kinds of packets could help me out with this.
    Last edited by zipper20032; 11-01-18 at 02:21 PM.


  2. #2
    jonnybravo (Account Upgraded | Title Enabled!) - Rank: True Member, Joined: Sep 2006, Posts: 730

    Re: Ferentus Reverse Data Packets

    00 1D CD 11 3E 0D CD 18 3E 0D CD 18 3E 0D CD 18 3E 0D CD 18 3E 0D CD 18
    3F 0D CD 18 3E 0D CC
    This is still XOR'd, as you can see from the pattern of CD....

    If you can upload a .exe I might be able to help more. You're also going to need to reverse the client-side packets and switch in order to know what the client wants to receive from the server. As I can only guess, the server doesn't exist anymore and you're just sending random packets to the client.

  3. #3
    zipper20032 (Hardcore Member) - Rank: Member, Joined: Oct 2006, Posts: 109

    Re: Ferentus Reverse Data Packets

    Yes, that's what I'm doing... Hell of a job this guessing work. I'm sending you right now the .exe file and .bin file.

    The server has been dead for about 10 years.

    Client.rar - This is the Client.bin file.

    Ferentus EXE.rar - Here is the Ferentus EXE (Launcher).

  4. #4
    zipper20032 (Hardcore Member) - Rank: Member, Joined: Oct 2006, Posts: 109

    Re: Ferentus Reverse Data Packets

    I've tried to find the encryption function with IDA & Olly but with no result. But... I have something here that may be useful.

    There are some functions called Base64Decode and Base64Encode. I'm not really sure if those packets are first encoded with base64 after they are sent or before. I can't find that function.

    When I'm sending random packets it's saying in a Ferentus Error txt file:

    Decode(): Data imperfection

  5. #5
    Taiga (◝(⁰▿⁰)◜Smile◝ (⁰▿⁰)◜) - Rank: Moderator, Joined: May 2007, Location: Internet, Posts: 2,574

    Re: Ferentus Reverse Data Packets

    Honestly I think you are correct on the xor key. If you encode 0 values with the xor then you get the original key.

    If you xor 0xCC with 0xCD you get 0x01 (which is 1).

    You are clearly on the right track.

    It could be that the xor keeps wrapping around the 4 bytes or keeps resetting (starting from the beginning) when a message is received.

    Do you mind sharing your code snippets so I can take a look at it?


    Moderator & Developer
    I CAN NOT HELP YOU WITH YOUR SERVER, USE THE CORRECT HELP SECTION INSTEAD.
    I AM ONLY TAIGA ON RAGEZONE!


    DO NOT PM ME FOR GAME RELATED QUESTIONS, THESE MESSAGES WILL BE IGNORED!


  6. #6
    zipper20032 (Hardcore Member) - Rank: Member, Joined: Oct 2006, Posts: 109

    Re: Ferentus Reverse Data Packets

    Sure. I'm sending you the login server and a debug server.

    https://mega.nz/#!NzYnnB7Q!PsIohGMZv5sgSCYm0X_b5nlA2zS7HWL1gT5eFxxiZCk

    I hope you can help me here! xD

  7. #7
    Taiga (◝(⁰▿⁰)◜Smile◝ (⁰▿⁰)◜) - Rank: Moderator, Joined: May 2007, Location: Internet, Posts: 2,574

    Re: Ferentus Reverse Data Packets

    Dumping all in one class isn't going to help you.

    Have you done some programming in the past? A lot of the code you provided can be split into separate classes and can be refactored.

    I quickly went over your code and here is some feedback. (I'm not trying to criticize.)

    First of all, the server-side parsing is wrong: the length of the packet is provided in a (u)short, which is two bytes and not one. This might affect decoding once the packet length goes over 255.

    I am not sure if the decoding works with blocks or starts from zero, the current implementation assumes it starts from 0 for every packet. (this might not be the case).

    I don't have much time at the moment so I quickly re-wrote the networking code and made it easier to extend it.
    Can you quickly test this and give me feedback if you can see the username and password inside the console?

  8. #8
    zipper20032 (Hardcore Member) - Rank: Member, Joined: Oct 2006, Posts: 109

    Re: Ferentus Reverse Data Packets

    @Taiga Thank you very much, Taiga, but the login server doesn't print anything. Yes, the server is receiving messages from the client, but it doesn't print anything in the console. I'm checking a network log from the client files and it's telling me that it is connected to the Login Server and I can see the bytes sent from client to server, but the console is not printing anything. I don't know why.

    The client ports are not static. When the client connects to the Login Server it has a variable port, not a static one.

    The console is up: Starting emulator... Server is now listening on port 29000.
    Your EMU is very nicely written. xD

    Yes, I know that my code is not very effectively written.

    Edited: I didn't write this login server. Someone else did. xD
    Last edited by zipper20032; 28-01-18 at 09:07 PM.

  9. #9
    Cynicer (Newbie) - Rank: Member, Joined: Jun 2018, Posts: 2

    Re: Ferentus Reverse Data Packets

    You're my hero. Any more progress on this? I'm a developer myself and I always planned to look into this topic and also worked on decoding a few files (game models, map, items list as posted in other forums). I will definitely check out your work soon, thanks!

  10. #10
    AcarX (Member) - Rank: Member, Joined: Aug 2015, Posts: 79

    Re: Ferentus Reverse Data Packets

    Quote, originally posted by zipper20032:
    "I'm checking a network log from client files and is telling me that is connected to the Login Server and I can see the bytes sent from client to server, but the console is not printing anything. I don't know why."

    I don't know if you're working on this still but I thought I'd share some of the stuff I figured out.
    To start off, the encryption. It's a simple xor as mentioned but it's not static throughout the communication. There're 250 keys each for client and server, 500 in total. Actual key to be used is calculated from these 500 keys for each new message. After a fixed number of messages key indices go full circle and restart. Looks something like this:
    https://prnt.sc/kqykqi

    Second, the data after decryption. Both packet size and opcode are 2 bytes and in network byte order (big endian).
    Client starts off by sending 0x0009 (little endian). I believe correct response is 0x000A. Following opcode I used 0x00 and 0x01, 0x00 displays "Failure" message while 0x01 lets client proceed with loading.
    Once loading is completed, client sends 0x000B, and again I believe correct response is 0x000C. Rest of the data for 0x000C response appears to be for character selection information and 'premium service'. I guess easiest way to figure this out is messing around with bytes and see what they do. Here are some screenshots from character selection and creation:
    https://prnt.sc/kqyni5
    https://prnt.sc/kqynph

    I haven't played this game myself and won't be continuing with developing a proper server. Had a bit of free time and thought I'd contribute a little.
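
An added example (not code from any poster in this thread): it frames the 31-byte capture from post #1 with a two-byte big-endian length, XORs the payload with the key 0xCD, 0x18, 0x3E, 0x0D from the same post, and reads the opcode as a big-endian u16. It assumes the key restarts at the first payload byte and covers only this first message; all function names are hypothetical.

```python
import struct
from collections import Counter

# Capture and key exactly as posted in post #1 (first packet after Start.bat).
CAPTURE = bytes.fromhex(
    "00 1D CD 11 3E 0D CD 18 3E 0D CD 18 3E 0D CD 18 3E 0D CD 18 3E 0D CD 18 "
    "3F 0D CD 18 3E 0D CC"
)
LOGIN_KEY = bytes([0xCD, 0x18, 0x3E, 0x0D])


def split_frames(stream: bytes):
    """Yield payloads from [u16 big-endian length][payload] frames.

    Assumption: the length does not count its own two bytes, which fits the
    capture (0x001D = 29 = 31 - 2).
    """
    offset = 0
    while offset < len(stream):
        if len(stream) - offset < 2:
            raise ValueError("truncated length field")
        (length,) = struct.unpack_from(">H", stream, offset)
        payload = stream[offset + 2 : offset + 2 + length]
        if len(payload) != length:
            raise ValueError("truncated payload")
        yield payload
        offset += 2 + length


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR with a repeating key; assumes the key restarts at data[0]."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def guess_key(payload: bytes, key_len: int = 4) -> bytes:
    """Majority vote per key position; valid only for mostly-zero plaintext,
    because 0x00 ^ k == k (the observation in post #5)."""
    return bytes(
        Counter(payload[pos::key_len]).most_common(1)[0][0]
        for pos in range(key_len)
    )


def decode(stream: bytes, key: bytes):
    """Return [(opcode, body)] with the opcode read as u16 big-endian."""
    frames = []
    for payload in split_frames(stream):
        plain = xor_repeating(payload, key)
        if len(plain) < 2:
            raise ValueError("payload too short for an opcode")
        frames.append((struct.unpack_from(">H", plain)[0], plain[2:]))
    return frames


if __name__ == "__main__":
    for opcode, body in decode(CAPTURE, LOGIN_KEY):
        print(f"opcode=0x{opcode:04X} body={body.hex(' ')}")
    print("key guessed from ciphertext:", guess_key(CAPTURE[2:]).hex(" "))
```

Under these assumptions the capture decodes to opcode 0x0009, and the majority vote recovers the same four key bytes from the ciphertext alone.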

  11. #11
    zipper20032 (Hardcore Member) - Rank: Member, Joined: Oct 2006, Posts: 109

    Re: Ferentus Reverse Data Packets

    @AcarX Hello, mate! Wow... Well done!!! Very good job. So, every packet has its encryption. Yeah.. I've tried a lot of trial and error but I don't have a proper game server. I'm having a Login-Server, which I've been able to fake a connection for the client in the packet bytes and managed to connect it to it, but my login server is a login server and a game server, and I think, initially, those were separated. (I'm not pretty good with Reverse Engineering). I've been messing around with those packets for about 2 years, and still I couldn't get into the char selection/creation menu. Are you willing to speak a bit privately?

  12. #12
    Cynicer (Newbie) - Rank: Member, Joined: Jun 2018, Posts: 2

    Re: Ferentus Reverse Data Packets

    Where did you find that list? Or is it calculated dynamically? Could you maybe provide this information? Thanks a lot!

  13. #13
    AcarX (Member) - Rank: Member, Joined: Aug 2015, Posts: 79

    Re: Ferentus Reverse Data Packets

    Quote, originally posted by Cynicer:
    "Where did you find that list? Or is it calculated dynamically? Could you maybe provide this information? Thanks a lot!"

    I looked into functions where packets are being encrypted/decrypted. Keys may be different from version to version but also maybe not. Version I was working with (from 2005) had these keys:
    https://paste.ubuntu.com/p/H32GNVFvRQ/

    P.S. @zipper20032, ragezone apparently lets me reply once every 30 minutes so I can't reply to your PM.
    Last edited by AcarX; 2 Weeks Ago at 07:03 PM.

  14. #14
    rbb138 (Robb) - Rank: True Member, Joined: Jan 2009, Location: London, England, Posts: 1,238

    Re: Ferentus Reverse Data Packets

    Really nice work!
    Considering this is a game that has been offline more than 10 years now, it's crazy how close we are to getting back in game.
    -Robb.

  15. #15
    lucasxrf (Newbie) - Rank: Member, Joined: Oct 2017, Posts: 1

    Re: Ferentus Reverse Data Packets

    Hi, glad to see this thread is active once again. I'm also a developer but I have no previous knowledge in the matter of MMO server building nor reverse engineering. Anyway, I'd like to help as much as I can.

    To start with, is there some material for me to learn from?


