
OTClient for Web Browsers

OT Archive

OTClient Redemption (mehah) for Web Browsers

I've adapted OTClient Redemption to run on browsers:
1728749200490.webp
1728749254819.webp



@Gesior.pl was the first to add support to a real server:
I set up nginx+websockify like this:
444 -> 7171
443 -> 7172

In client set port to login to 444 and in modules/client_entergame/characterlist.lua forced it to use proxy address "web.skalski.pro":
LUA:
    g_game.loginWorld(G.account, G.password, charInfo.worldName, "web.skalski.pro", charInfo.worldPort,
                      charInfo.characterName, G.authenticatorToken, G.sessionKey)

I've updated my client files on host, you can use this URL to start client that logins to arm.skalski.pro ThaisWar with bots 8.6 OTS:
Code:
https://webclient.otarchive.com/?gameData=https://downloads-oracle.ots.me/data/MehahWeb860/otclient-otarchive.zip
Login/password: ppp/ppp (many people use this and kick other players from this account characters)
You can create your own account: Createaccount - Forgotten (https://arm.skalski.pro/?subtopic=createaccount)

It would be much easier to use with WS, not WSS. You could use IP, not domain and it would not require generating SSL certificates.
I use nginx proxy to offload SSL now. After changing to WS, I could use just websockify.
Tibia protocol itself is encrypted with XTEA, packets containing user login/password are encrypted using RSA.





nginx config:
Code:
# TLS on 443 -> local port 7172
server {
    server_name web.skalski.pro;

    location / {
        proxy_pass http://localhost:7172;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/web.skalski.pro/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/web.skalski.pro/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

# TLS on 444 -> local port 7171 (the client's login port is set to 444)
server {
    server_name web.skalski.pro;

    location / {
        proxy_pass http://localhost:7171;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    listen [::]:444 ssl ipv6only=on; # managed by Certbot
    listen 444 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/web.skalski.pro/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/web.skalski.pro/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
 
This is so nice!!! Congratulations!

Any known issue / caveat?
Thank you!
  • Currently there's a bit of higher CPU overhead because of WebGL, when compared to the desktop version;
  • No support for opening the keyboard on iOS, for now;
  • Freezing when the client loses connection while the tab is in the background and tries to connect again. Have to iron it out.

I'm using iOS 17.6.1 (14 Pro) (which is almost the newest one if we don't count 18, which came out like 2 months ago) - but I'm having exactly the same issue on BlueStacks with Android (on my Windows)
@Niebieski This is very odd, BlueStacks should also work:
1728757501810.webp
 
Thank you!
  • Currently there's a bit of higher CPU overhead because of WebGL, when compared to the desktop version;
  • No support for opening the keyboard on iOS, for now;
  • Freezing when the client loses connection while in the background and try to connect again. Have to iron it out.


@Niebieski This is very odd, BlueStacks should also work:
1728758467209.webp
 
Can you update it and try again?

Have you tried using these security headers:
HTML:
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp

More info:
SharedArrayBuffer security requirements
stackoverflow
Vercel docs
@MagicWall These are already set in my pages and pointed at in my guide. Without the headers the client wouldn't work at all.
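
A deployment check for the two headers discussed above, written as an added example that is not part of the original posts. It also covers the WS/WSS point raised earlier in the thread: SharedArrayBuffer needs a secure context, and a page served over HTTPS cannot open a plain `ws://` socket. The function name and sample hosts are constructed for illustration.

```javascript
// Added example: audit a web-client page for cross-origin isolation.
// auditWebClientPage and the hosts used with it are hypothetical.
function headerToken(headers, name) {
  // Header names are case-insensitive; values may carry parameters after ';'.
  const key = Object.keys(headers).find(k => k.toLowerCase() === name);
  return key ? String(headers[key]).split(';')[0].trim().toLowerCase() : null;
}

function auditWebClientPage(pageUrl, headers, socketUrl) {
  const problems = [];
  const page = new URL(pageUrl);
  const loopback = ['localhost', '127.0.0.1', '[::1]'].includes(page.hostname);
  // SharedArrayBuffer requires a secure context (HTTPS or a loopback host).
  if (page.protocol !== 'https:' && !loopback)
    problems.push('page is not a secure context');
  // The *-Report-Only variants do not enforce anything, so only exact names count.
  if (headerToken(headers, 'cross-origin-opener-policy') !== 'same-origin')
    problems.push('COOP must be same-origin');
  const coep = headerToken(headers, 'cross-origin-embedder-policy');
  if (coep !== 'require-corp' && coep !== 'credentialless')
    problems.push('COEP must be require-corp or credentialless');
  // Mixed content: an HTTPS page may not open an unencrypted WebSocket.
  // (Browser exemptions for loopback socket hosts are not modelled here.)
  if (page.protocol === 'https:' && new URL(socketUrl).protocol === 'ws:')
    problems.push('ws:// from an https page is mixed content');
  return problems;
}
```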
 
What an achievement!

This is truly a milestone in OT history.

You've surpassed CipSoft. Their dead flash client is shedding a tear right now 😂

4 years ago, during the first COVID wave, I tried to do this myself and even successfully logged in for a hunt on an 8.60 server, but I quit after quarantine ended before I solved performance and random crashes.

I really hope this gets merged and not stuck in PR hell 🙏

Attached screenshot from 4 years ago
 

What an achievement!

This is truly a milestone in OT history.

You've surpassed CipSoft. Their dead flash client is shedding a tear right now 😂

4 years ago, during the first COVID wave, I tried to do this myself and even successfully logged in for a hunt on an 8.60 server, but I quit after quarantine ended before I solved performance and random crashes.

I really hope this gets merged and not stuck in PR hell 🙏

Attached screenshot from 4 years ago
Thank you!
Awesome work, 4 years ago it should have been much harder.
 
@Gesior.pl I was able to greatly reduce CPU usage of the connection and now the main CPU hog is webgl committing the frames. Seems to have improved things a bit.
If you have issues starting the client, please clear browser cache or try incognito mode.
I have now pushed an update that improves performance again.
By no longer manually swapping buffers, CPU overhead has been greatly reduced.

Here are the results:

Test Machine
config.webp

Before
before.gif

After (frame capped by the browser)
after.gif
 
Can't wait to see how this would be used in the OT community

I assume many people, like myself, have thought about how it could be used. One thing that comes to mind is like Tibia flash client, where once you're logged in, you can simply click "Play Now" and it would redirect you or open a new browser page and log you into the character page.

@OT Archive Is it possible to take the value of the username and password from the logged-in person and use it to log in to the client? Would that create security vulnerabilities? Would we have to hash the username and password and instruct the client on how to use it?
 
I assume many people, like myself, have thought about how it could be used. One thing that comes to mind is like Tibia flash client, where once you're logged in, you can simply click "Play Now" and it would redirect you or open a new browser page and log you into the character page.

@OT Archive Is it possible to take the value of the username and password from the logged-in person and use it to log in to the client? Would that create security vulnerabilities? Would we have to hash the username and password and instruct the client on how to use it?
More into the tools that will be created with it to manage stuff inside the server tbh.
It can be converted into a professional in-game server console (that controls the server).
 
I have now pushed an update that improves performance again.
I've recreated my .zip archive using newest files from browser branch (click Update on start screen to get new files):

CPU usage of Web Browser client is still 2-3x higher than OTC Mehah compiled for DirectX (low CPU, but items are not sharp when walking), but it's lower than OTC Mehah compiled for OpenGL (all items on screen are super sharp when walking).
IDK why (some variance in FPS time? delivery to screen time?), but Web Browser client items are less sharp when walking than in OTC .exe even with DirectX.

EDIT:
I've tested it on laptop with Ryzen 5 7520U (4x 2.8 GHz) with integrated graphics. It never went under 120 FPS, most of time 180-200 FPS.
 
Can you update it and try again?


@MagicWall These are already set in my pages and pointed at in my guide. Without the headers the client wouldn't work at all.
1728845975201.webp

Installed the newest stable iOS version (18 is kinda beta, so I'd rather not install it yet) and still the same issue (dark screen, nothing happens)
 
@OT Archive Is it possible to take the value of the username and password from the logged-in person and use it to log in to the client? Would that create security vulnerabilities? Would we have to hash the username and password and instruct the client on how to use it?
It should be possible, and should probably not be done with user and password. Maybe sessions or something else, security is definitely a concern.

It would be amazing if WebGPU is considered to fully unlock the potential, as WebGL isn't quite cutting it!
I did consider, but discarded it for now. Maybe in the future.


Installed the newest stable iOS version (18 is kinda beta, so I'd rather not install it yet) and still the same issue (dark screen, nothing happens)
Could you test with BlueStacks again? Your Chrome was asking for an update.
I would also like if some other people with apple devices could chime in and comment about their experience, mostly if the client works, the phone model and iOS version.
 
It should be possible, and should probably not be done with user and password. Maybe sessions or something else, security is definitely a concern.


I did consider, but discarded it for now. Maybe in the future.


Could you test with BlueStacks again? Your Chrome was asking for an update.
I would also like if some other people with apple devices could chime in and comment about their experience, mostly if the client works, the phone model and iOS version.
Tested on 3 devices with iOS 17.7 (all of these were black screen), tested on 1 device with iOS 18 and it works. But still - iOS 17.7 is one of the newer systems (except 18), strange.
 
Tested on 3 devices with iOS 17.7 (all of these were black screen), tested on 1 device with iOS 18 and it works. But still - iOS 17.7 is one of the newer systems (except 18), strange.
I've given a shot to BrowserStack testing on real devices and had the same results, it currently only works on iOS 18.

Screenshot 2024-10-13 170252.webpScreenshot 2024-10-13 170349.webpScreenshot 2024-10-13 170424.webpScreenshot 2024-10-13 170507.webpScreenshot 2024-10-13 170543.webp






Update:

To allow for better control, I've added the option to select the version you will want to use with the modular client:

1728866929762.webp


You can manually define it in the url by using version as a param:
Code:
https://webclient.otarchive.com/?version=f1c2ce0


As I compile new versions, I will be adding them to the list. The version code will be based on the commit, for example:
1728867221961.webp


If no version is defined, the latest will be automatically loaded.
 
I assume many people, like myself, have thought about how it could be used. One thing that comes to mind is like Tibia flash client, where once you're logged in, you can simply click "Play Now" and it would redirect you or open a new browser page and log you into the character page.

@OT Archive Is it possible to take the value of the username and password from the logged-in person and use it to log in to the client? Would that create security vulnerabilities? Would we have to hash the username and password and instruct the client on how to use it?
using some kind of asymmetric key encryption scheme would be the ideal option here
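
One way to combine the two suggestions in this thread (a session instead of the password, and asymmetric keys), as an added example that is not code from OTClient, the thread or any server: the website signs a short-lived, single-use login ticket with an Ed25519 private key, and the login server checks it with the public key only. All function names and the ticket layout are hypothetical, and how the ticket is handed to the client and sent to the server is left out.

```javascript
// Added example: hypothetical one-time login ticket, not OTClient or server code.
const nodeCrypto = require('node:crypto');

// Assumption: the website keeps privateKey; the login server is given publicKey only.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
const TICKET_TTL_MS = 30000;   // only needs to survive the "Play Now" redirect
const usedNonces = new Map();  // nonce -> expiry, held by the login server

// Website side: call only for a user who is already logged in to the site.
function issueTicket(accountId, character, now = Date.now()) {
  const payload = Buffer.from(JSON.stringify({
    accountId, character,
    exp: now + TICKET_TTL_MS,
    nonce: nodeCrypto.randomBytes(16).toString('hex'),
  }));
  const sig = nodeCrypto.sign(null, payload, privateKey);
  return payload.toString('base64url') + '.' + sig.toString('base64url');
}

// Login-server side: returns the signed claims once, otherwise null.
function redeemTicket(ticket, now = Date.now()) {
  try {
    const parts = String(ticket).split('.');
    if (parts.length !== 2) return null;
    const payload = Buffer.from(parts[0], 'base64url');
    const sig = Buffer.from(parts[1], 'base64url');
    if (!nodeCrypto.verify(null, payload, publicKey, sig)) return null;
    const claims = JSON.parse(payload.toString('utf8'));
    if (typeof claims.exp !== 'number' || now >= claims.exp) return null;
    if (usedNonces.has(claims.nonce)) return null;   // replayed ticket
    for (const [n, exp] of usedNonces) if (exp <= now) usedNonces.delete(n);
    usedNonces.set(claims.nonce, claims.exp);
    return { accountId: claims.accountId, character: claims.character };
  } catch {
    return null;   // malformed input is treated like a bad signature
  }
}
```

The password never reaches the browser page in this flow, and a ticket captured from the URL or browser history is useless after its first use or after it expires.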
 