UO Protocol Help!

Aidis · Post by **Aidis** » Sun Mar 11, 2007 5:50 pm

Hello ^_^,

I am a student playing around with making an Open Source UO Server Emulator in C++, everything went well, until i reached the packet after the client sends the second authentication (after it reconnects to the game server) i think thats 0x91, the server should reply with (optionaly) the feature packet 0xB9 and the character list 0xA9, but instead i get this:

Code: Select all

unsigned char PackA9[429] = 
				{	0xb3, 0x32, 0x8d, 0xc6, 0x80, 0x81, 0x5a, 0x3c, 0x7e, 0xd1, 0x3d, 0x30, 0x60, 0x80, 0x00, 0x00, 
					0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
					0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
					0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
					0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
					0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
					0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x56, 0x11, 0xbe, 0x6f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
					0x00, 0x5e, 0x40, 0xf3, 0x6a, 0x3f, 0x06, 0xc7, 0xa6, 0x64, 0x0b, 0x65, 0xb3, 0xf9, 0xff, 0x2c, 
					0xe0, 0x00, 0x00, 0x00, 0x3e, 0x8c, 0x83, 0xc7, 0xc4, 0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
					0x2f, 0x20, 0x79, 0xb6, 0x73, 0xa4, 0x3e, 0x3d, 0x23, 0x5a, 0xbc, 0x80, 0x00, 0x00, 0x00, 0x01, 
					0x14, 0xe4, 0x38, 0x39, 0xba, 0x41, 0xe2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xcd, 0xbf, 0xcf, 
					0x9c, 0xd6, 0xe7, 0x21, 0xf9, 0xe9, 0x82, 0xed, 0x6b, 0x1b, 0x8f, 0x10, 0x00, 0x00, 0x00, 0x1a, 
					0x23, 0x3c, 0x78, 0xe2, 0xe1, 0x6a, 0xf1, 0x78, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0xc8, 0x1e, 
					0x6d, 0xe6, 0xc6, 0xa0, 0x78, 0x6a, 0xe9, 0x0d, 0xda, 0xd6, 0x37, 0x1e, 0x20, 0x00, 0x00, 0x00, 
					0x75, 0x5e, 0x87, 0x07, 0x8b, 0xb4, 0x18, 0xd0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0xe4, 0x0f, 
					0x36, 0xaf, 0x43, 0xe8, 0x8a, 0xf2, 0xd5, 0xe6, 0x1b, 0x80, 0xed, 0x6b, 0x1b, 0x8f, 0x10, 0x00, 
					0x00, 0x02, 0x84, 0x67, 0x47, 0x0c, 0x1e, 0x31, 0xb0, 0x7a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
					0xbc, 0x81, 0xe6, 0xd4, 0x8c, 0x3f, 0x3d, 0x33, 0x5a, 0x87, 0xf1, 0x0f, 0x8b, 0xb5, 0xab, 0xdd, 
					0x11, 0x5e, 0x61, 0xf1, 0x00, 0x00, 0x3b, 0xbb, 0xa0, 0x79, 0x6a, 0xf1, 0x82, 0x00, 0x00, 0x00,	
					0x00, 0x00, 0x00, 0x2f, 0x20, 0x79, 0xb5, 0x19, 0xe6, 0x1c, 0x6f, 0x9e, 0x3d, 0x21, 0xb3, 0xad, 
					0x63, 0x71, 0xe2, 0x00, 0x00, 0x00, 0x0c, 0xb9, 0xab, 0x0e, 0x90, 0xfa, 0x5b, 0x39, 0x0f, 0xa7, 
					0x90, 0x00, 0x00, 0x00, 0x00, 0x01, 0x79, 0x03, 0xcd, 0xb8, 0xfe, 0x8d, 0x51, 0xbe, 0x38, 0xf9, 
					0x86, 0xe0, 0x3b, 0x5a, 0xc6, 0xe3, 0xc4, 0x00, 0x00, 0x00, 0xe0, 0x95, 0xf9, 0x76, 0xb1, 0xf3, 
					0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x5e, 0x40, 0xf3, 0x6b, 0x1a, 0x1f, 0x8e, 0x37, 0xf8, 
					0xf1, 0xc9, 0x6b, 0x1b, 0x8f, 0x10, 0x00, 0x00, 0x00, 0x18, 0x90, 0xfd, 0x11, 0x5e, 0x78, 0x80, 
					0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x22, 0x93, 0xe6, 0x1f, 0x4e, 0x9c, 0x5c, 0x07, 0x6b, 0x51, 
					0x9d, 0x38, 0xbb, 0x41, 0xf1, 0xc4, 0x00, 0x00, 0x00, 0x03, 0xf3, 0xbe, 0x80 };

I read somewhere the server employs compression, i also saw some Zlib dlls in some source, but when i tried inflating it with Zlib i go "Z_DATA_ERROR" (meaning it couldnt find the header) even when i did inflateSync();. So uhh, my question is, whats going on? lol

tekproxy · Post by **tekproxy** » Mon Mar 12, 2007 6:01 am

Are you using a client with the encryption removed?

Aidis · Post by **Aidis** » Mon Mar 12, 2007 12:16 pm

I am using a test client to see how the server should reply and stuff.

Just to recap:

(I am trying to connect to an existing emu with a test client to see the protocol)

My client connects, sends the 4 bytes that are used for encryption and are ignored,

-> UINT (inet_addr(localip))

Then i send the first auth.

-> 0x80 (62 Bytes)

I get the server list.

<- 0xa8 (46 Bytes)

I select server id 1.

-> 0xa0 (3 Bytes)

I get the gameserver info.

<- 0x8c (11 Bytes)

I reconnect to the game server. And resend the 4 enc bytes.

-> UINT (inet_addr(localip))

Now i send the second authentication.

-> 0x91 (65 Bytes)

And i receive that strange packet instead of the character list.

Now that i think of it, should i like skip the initial encryption key thing? Ill try that when i get home. Maybe i shouldnt send them the second time or something...

tekproxy · Post by **tekproxy** » Mon Mar 12, 2007 2:04 pm

Try getting UO Packet Log and using a normal client to connect to the server, that'll sort things out:
http://forums.polserver.com/viewtopic.php?t=407

This may also help:
http://www.koders.com/perl/fid43F8A7C80 ... def%3Atree

It's some code for a Perl text-based UO client. It was useful to me when I was making a ruby version.

That 4-byte encryption seed is the IP address in reverse order. Not all guides agree but that's how it works. I only had 4 hours sleep last night and my memory is foggy but I believe it's used by the server to test latency, some UDP commuication. If you don't send it right it wont really matter.

What packet guides are you using? I like this one:
http://kec.cz/tartaros/steamengine/uplo ... m/uo/info/

Aidis · Post by **Aidis** » Mon Mar 12, 2007 2:34 pm

When i tried using the offical client to connect to my test emu, if i sent the correctly formatted (0xA9 - Character List) it wouldnt accept it, but if i sent the weird one that i got from an existing emu, it displayed the character list normally in the client, and the client then responded with a normal NON compressed NON encrypted packet, it was driving me nuts for days

Ill try the packet logger to see whats up ...

Edit: Ok i read through you perl file and you seem to compress the packet 0xA9 i was reffering too, what kind of compression is this? lol

$client->send(compress($packet),0);

is there an uncompression algorithm?

Edit2: I rewrote the compression algorithm in the perl file to C, ill try it when i get home and see if it works

Here it is

:

Code: Select all

int UOCompress(char *in, char *out, int len) {

	char outP	= 0;
	int outI	= 0;
	int offset	= 0;
	int bit;

	int bits;
	int byte;
	int value;

	while (len--) {
		byte	=	in[offset];
		offset++;
		bits	=	bitTable[byte*2];
		value	=	bitTable[(byte*2)+1];

	    while (bits--){
			outP <<= 1;
			outP |= (value>>bits)&1;
			bit=(bit+1)&7;
			if (!bit) { out[outI] = outP; outI++; outP=0; }
	    }
	}

	bits = bitTable[256*2];
	value = bitTable[(256*2)+1];
	while (bits--) {
		outP <<= 1;
		outP |= (value>>bits)&1;
		bit=(bit+1)&7;
		if (!bit) { out[outI]  = outP; outI++; outP=0; }
	}
	if (bit) {
	    while (bit < 8) {
			outP <<= 1;
			bit++;
		}
	    out[outI] = outP; outI++;
	}
  
  return outI;
}

tekproxy · Post by **tekproxy** » Tue Mar 13, 2007 6:56 am

The Perl script isn't mine and I only borrowed a few pieces of it to make a ruby UO password cracker

. For testing how strong my own passwords were, of course.

What emulator are you using?

Aidis · Post by **Aidis** » Tue Mar 13, 2007 2:14 pm

I testing it on all the current ones, i extracted the algorithm from the uox source for the "packing" and compared it to the perl one, very similar, but i still cant find any "unpacking" algorithm, and the packing doesnt work for some reason

Aidis · Post by **Aidis** » Tue Mar 13, 2007 2:58 pm

The packet logger shows all the packets uncompressed, and it doesn't show what the client sends, and i cant packet sniff local host or wifi, this is crazy hehe ..

CWO · Post by **CWO** » Tue Mar 13, 2007 8:15 pm

Folko's packet logger sure does show what packets are sent too. Make sure you're using a client thats supported fully in clients.cfg and that the settings are correctly set to show all packets.

tekproxy · Post by **tekproxy** » Wed Mar 14, 2007 6:18 am

CWO is right, it should show you all packets regardless of it being on localhost or wifi. I'd reckon to say the overwhelming majority of UO emulators out there are ran without encryption and I've never compressed anything I've sent.

What information is the packet logger giving you?

What emulator are you using, anyway?

Aidis · Post by **Aidis** » Wed Apr 18, 2007 6:03 am

The open source emulators out there have references to ZLib and compression on certain packets, the code you sent me earlier also compresses certain packets.

tartaros · Post by **tartaros** » Wed Apr 18, 2007 9:23 am

Server-sent packets are compressed by a form of huffman compression.

Zlib is, I think, only used for 0xDD packet (http://packets.polserver.com/index.php? ... acket=0xDD)

The only actual explanation of the UO compression I know of was the one produced by a person known as Kair. The web is no more on it's original location (just like some other valuable UO protocol resources

), but it can still be retrieved from Archive.org: http://web.archive.org/web/200410100901 ... ession.htm

I happen to be a developer of an UO emu too (known as Steamengine), I among other things often use and collect various resources about UO protocol, so feel free to ask me if you need help

Post by **MuadDib** » Wed Apr 18, 2007 9:44 am

A nice thing is, we have a packet list (although incomplete) with the 096+ cores now since we support packet hooking. Luckily, it's one of the most verbose listings out there. Really helps on packet hooking when you know what you are hooking