Finding Opcodes

[trevius]

I have been working the past week to try to understand the processes of finding opcodes in an attempt to help fill out some missing ones for Titanium. And, to see if it would be possible to find the Anniversary opcodes without having packet collects from Live when Anniversary was being used.

The wiki pages we have on finding opcodes are far from complete and don't give quite as much information as I would like.

Opcode Questions:

1. Are all opcodes 2-way? What I mean is; are the opcodes that the client sends to the server the same ones that the server sends back to the client? I need to know if there is something we actually MUST have live packet collects for, or if everything we need should be somewhere in the client itself. If everything is in the client, then maybe we can find them without using Live packet collects.

2. Do all opcodes change with every release of the client, or do some stay the same? Did SoE purposely change them so that it was hard for programs like MQ, Showeq, and EQEmu to keep up with live? Or is it the source that changes these automatically?

3. What would it take to get the packet collector updated so that it could at least collect opcodes as they came in? Does anyone have the source for any of the Packet Collectors? I imagine that if the packet collector has some logic or filters to pull opcodes from packet sniffs, then even if the packet collector itself would be too much work to get updated, maybe we could use another packet sniffer like Wireshark and just put a filter on it to only pull opcode packets. Using Wireshark, I can definitely see the opcodes, but without already knowing what you are looking for, it would be near impossible to get the ones that are still unknown.

My Tests So far:

Here is what I did to start trying to find them using Wireshark. Note that this is a learning process for me, so I used one that we are already aware of (Rewind - 0x4cfa):

I loaded up Wireshark and ran EQ (connecting to my EQEmu Server, NOT Live) and then I set a couple of filters just to keep unnecessary traffic from showing up. Mainly, I set it to only show UDP packets and also only anything from 192.168.1.101 or to 192.168.1.100, which are my server and client IPs on my LAN. This blocked out most other web or whatever traffic so I was only seeing client to server packets. Then, I got EQ ready by creating a hotkey for /rewind. At this point, I started the sniffer collecting packets, and immediately switched back to EQ and spammed the crap out of my /rewind hotkey for about 30 secs. Then, I stopped the packet sniff so I could analyze.

What I found was that the client was sending alot of packets to the server that had the opcode in them, but the opcode was backwards with the FA first and then the 4C, so it was showing up as "FA4C". But, this code wasn't just standing alone, it was mixed in with packets that were mostly 17 in size, but sometimes varied to be even bigger. For the most part, the FA4C showed up right before the last 4 characters in the data of the packet. So, if the packet was (not a real example), "FB 04 16 00 A9 90 00 20 B8 09 C2 85 3B FA 4C 8B 20", then the text in bold is where the opcode normally was (but not every time).

More Notes:

I can't seem to get the emu collector to run on my PC, even for Titanium. But, it seems to be a problem with it not finding my NIC card for some reason, and not the version I am trying to collect from. But, I think that if I could get it running, maybe it would show all of the missing opcodes we need just by sniffing the communication from emu server to emu client. So, the emu collector packet sniffers might not need to be updated very much to get to the point that they are needed. Though, it would probably be more work to get them updated to sniff Anniversary.

Another thing I noticed is that some of the log files actually make note of opcodes, and I think even ones that are unknown. So, the source must have some way to convert these so they are easily readable. Maybe that part of the source could be used to help develop a working opcode packet collector.

Idea to get Anniversary Edition working:

My idea for Anniversary is that if we had a working sniffer that can see the opcodes and pull them out so they are easy to find, then we could use a step-by-step process to get anniversary working. By that, I mean that we could start an Anniversary client while already running a packet sniff and then collect the opcodes as they come in. It will get to a point where it fails, and we just find the opcode before that and figure out which opcode it is and add it to the .conf file and then start again. Basically just trying over and over until it gets logged in. Then, it is just figuring out the commands and what not, which should probably be much quicker since you shouldn't have to restart every time it fails.

Another possibility would maybe be using IDA Pro to check the code of the client for opcodes listed. But, so far I have been completely unsuccessful in finding even a single known opcode in there. And, I have done quite a lot of searching and research. Though, my understanding of disassembly files is still very weak. If I could figure out how to get opcodes this way, I think it would make this a piece of cake.

Some references I used when researching how to find opcodes:

Method for hacking from the hackersquest forums that has some good disassembly information:
http://hackersquest.org/boards/viewt...ghlight=opcode

Page in the wiki for finding Opcodes, that I can't really make much sense from at all:
http://www.eqemulator.net/wiki/wikka...vOpcodeFinding

ASM Hunting:
http://www.eqemulator.net/wiki/wikka...DevAsmRoutines

Assembly Tools and Information Links:
http://www.eqemulator.net/wiki/wikka...ka=DevAsmTools

HexVis - A little tool for converting hex or other data to different types of output:
http://www.eqemulator.net/wiki/wikka.php?wakka=HexVis

To convert Decimal to Hex, you can just use windows Calculator and set it to Scientific mode. Then, put the number you want to convert and change the radio button to hex and it automatically converts it.

Also, the eqstr_us.txt and eqls_us.txt both have some information in them that may relate to opcodes and could help in defining what the opcode itself relates to in the code. The hackersquest post above mentions the lines in these files. Though, I haven't been able to find their related hex versions in the ASM of the eqgame file.

If anyone out there has info that might help this process, please respond here or PM me. I am sure we could all appreciate a working Anniversary edition, and it would be worth the work to get to that point. Once we find a good procedure for it, I don't think it will be too bad to get these. But, for now, I am still trying to refine a way to actually gather the opcodes without having to do too much guessing.

[trevius]

After doing a bit more research on Anniversary Edition, it seems like we might be almost too late to use it to put a lot of work in getting an updated version of the emu working. It seems like copies are still easier to get than Platinum, but apparently many stores have already stopped selling the Anniversary Edition and it can even be a little hard to find any online. I am sure it will get even harder soon.

Here are some links to places that should normally be easy to get games from:

http://www.newegg.com/Product/Produc...82E16832135022

http://www.ebgames.com/Catalog/Produ...spx?sku=647003

http://www.amazon.com/Everquest-I-Th...4879400&sr=8-1

As you can see, it appears that the games aren't being shipped much if at all anymore. It seems like they are just trying to sell off remaining stock and that will be it.

I don't quite understand how SoE expects people to get their game if it isn't on shelves or even available to buy the CDs online. I don't suspect that everyone would want to just get a downloaded game file to play it.

The only way I see to reliably get the game is online from SoE directly as a download only. But, we would need to decide on the version to find opcodes for so everyone could get it.

https://store.station.sony.com/

Click on Everquest under the Digital Download section on the lower left. Then, you have to login and you should be able to click cancel on the subscription section. That will take you right to the digital downloads.

I am wondering if those are just standard unpatched downloads, which I imagine they are. If so, then for 20$ we could have the option to go with the ""Starter Pack" which seems to be the exact same thing as Anniversary Edition. Or for 40$, we could go with "The Serpent Spine All-In-One" package that includes every expansion currently out.

If I can figure out how to find opcodes well enough, I will either just get a copy of anniversary, or maybe one of these download packages and start working on finding the opcodes right away. Though, I would prefer an actual CD pack so we don't have to worry about SoE changing the opcodes by changing the versions of the download files. Maybe they will have another CD release soon :P

[Andrew80k]

From what I recall, vaguely, they downloads are, or at least used to be, unpatched versions. They don't update the downloads.

[KLS]

We use a protocol similar to the one used in eq2 I believe though it really isn't documented anywhere outside of the code. It's kind of difficult to put together via the code because of the layers of abstraction on abstraction. It would just be a matter of decoding the packets further to get them to load from something like WireShark.

Usually the opcodes change from exe version to version though some don't; sony does seem to like to change a lot of the ingame ones every patch; probably to hinder stuff like showeq.

Usually if the client sends a packet and expects a direct response packet for it they will use the same opcode; example would be pickpocket or click object.

It's a shame nothing ever came of openeq and we still have to deal with this. =/

[John Adams]

Heh KLS... this sounds hauntingly familiar.

[KLS]

Sir, I thought I was leaving you alone with this!

Anyway basically the packets are encrypted or compressed, there's a flag on the session request for the stream that indicates which it will be; I believe it can be both as well. The server generates a key to send to the client to decode the data as well.

You have larger packets that make up the protocol, things like session requests, whole packets and combined packets etc. Contained within can be the smaller packets, encoded with the key sent from the server etc.

I think we send the key always as 11223344 but obviously were you to do this from live or something you would need to retrieve the actual one to decode the data into readable packets.

in common/EQPacket.cpp there are several functions that deal with compression and encoding of the data as well.