
TFS 1.X+ How to upgrade TFS/OTXServer to work with earlier tibia 11 versions?

pyschod

I'm actually running OTXServer that works with Tibia 11.45. However, I'm interested in making 11.75+ work with the new auto loot feature and a few more features. When I try to join the server it shows the char list, but then I can't connect to the game world.
I tried changing definitions.h to 1175 but it still doesn't work.

I'm new at network coding, so could anyone point me in a direction?
 
Well, thanks, but this is not a direction; this is a very generalist basic need for anything that I could ever ask in this forum area.

And I am experienced with C++; I've developed a few tools for other games and many other things. I'm currently in the middle of a computer science degree at college, so I can say that I have some experience with coding, but nothing really advanced.

I have never worked with server files, networking and all that, so all the libraries and code used in TFS don't mean much to me. I'm just asking those with more experience how I could learn or where I could find stuff that I could read about it. Which server files I should look into, etc.; that would be a nice direction.

Thanks :)
 
You can read protocolgame.cpp and protocolgamebase.cpp (only exists on OTX) to see how the server handles the packets that the client sends.
I think the encryption changed on the 11.75 version (not sure) so you have not only the new features but also changes to encryption methods.

I'll try to walk you through what I've learned trying to implement the new Daily Reward System (keep in mind the 11.75 protocol has a lot more; this is just me trying to get you started):

When you click the Reward Wall Button on your 11.4 client:

1) The client sends a packet with a 0xD8 header. (You can find this by printing it in the engine: in ProtocolGame::ParsePacket(NetworkMessage& msg) there is a line printing the packet header, so now you know what packet the client is sending.)

2) You catch that packet in protocolgame.cpp, where there is a switch statement (in ProtocolGame::ParsePacket(NetworkMessage& msg)), and call the method that will parse that request.

For example: case 0xD8: parseOpeningRewardWall(); break;

3) Now, you have to get to know more about the client, and this is the tough part. You need to know what the client is expecting you to send, this is where Reverse Engineering comes in.
I'll not go into this subject because I have no knowledge on how to reverse engineer the client, I'm implementing the reward wall reading the decompiled flash client code.

4) After reading the flash client source for a while (where I found that the client does the same as TFS, a switch for all the possible packets the server is going to send), I searched for "reward" and easily found this:
JavaScript:
protected static const SOPENREWARDWALL:int = 226;
....
case SOPENREWARDWALL:
    this.readSOPENREWARDWALL(CommunicationData);
    a_MessageReader.finishMessage();
    break;
(the s in sopenrewardwall means a server request to open the reward wall)
So now, I know that if the server is sending a 0xE2 (226 in hex) packet header this function will be called in the client:

JavaScript:
protected function readSOPENREWARDWALL(param1:ByteArray) : void
      {
         var _loc5_:int = 0;
         var _loc9_:String = null;
         var _loc2_:Boolean = param1.readBoolean(); --
         var _loc3_:int = param1.readUnsignedInt(); --
         var _loc4_:int = param1.readUnsignedByte(); --
         _loc5_ = param1.readUnsignedByte(); --
         if(_loc5_ != 0)
         {
            _loc9_ = StringHelper.s_ReadLongStringFromByteArray(param1);
         }
         var _loc6_:int = param1.readUnsignedInt();
         var _loc7_:int = param1.readUnsignedShort();
         var _loc8_:int = param1.readUnsignedShort();
      }

Now, all I have to do is make the server (OTX or TFS) send a 0xE2 packet header with the structure above when it receives a 0xD8 packet header:

In step 2 I showed an example: case 0xD8: parseOpeningRewardWall(); break;
But how does that method work? Let me show you:

C++:
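NetworkMessage msg;
msg.addByte(0xE2); // this is the packet header that will make the client read this as an "opening reward wall" request.
msg.addByte(0x01); // client: readBoolean()
msg.add<uint32_t>(21); // client: readUnsignedInt()
msg.addByte(0x00); // client: readUnsignedByte()
msg.addByte(0x00); // client: readUnsignedByte(); a string is read only when this is non-zero
//msg.addString(player->getName()); // if the last byte is 1 a string needs to be sent after it
msg.add<uint32_t>(300); // client: readUnsignedInt()
msg.add<uint16_t>(1); // client: readUnsignedShort()
msg.add<uint16_t>(1); // client: readUnsignedShort()

writeToOutputBuffer(msg);

sendDailyRewards();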

Keep in mind that these bytes I'm adding to the msg are completely fake and only for test purposes, and each byte means something on the client side. (I still don't know what some of them mean.)

For example: I came to find that the first byte I send is 0x00 or 0x01; 0 means the player is opening the reward wall through the client button (he needs to pay to get instant reward access), 1 means it's from a reward shrine so it's free.

I call this "bytes structure", idk if that's right, but it's simply the structure or sequence of the bytes you send to the client.

The last method I call is to send the rewards so the window has something for the player to redeem, but that's a story for another time.

Edit:
Reminder: when you send something wrong to the client (a string instead of an int or something like that) the client will crash with a debug msg.

I'm not sure and this can easily be untrue, but I think you can't log in to the server because the encryption on that version changed. Also, the character list is handled by the webservice you have running on your gesior/znote, not by the engine.

I hope this can get you started and if you need anything you can PM me and I'll be glad to help you if possible.
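
The "bytes structure" described in this post, as an added example that is not part of the original post or of TFS/OTX code: it serializes the 0xE2 payload in the order readSOPENREWARDWALL consumes it and parses it back with bounds checks, so a flag/string mismatch is rejected instead of being read past the end of the packet. Little-endian integers, the 16-bit string length prefix and the field names f1..f5 are assumptions.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// Field order mirrors readSOPENREWARDWALL in the post; f1..f5 are placeholder names.
struct RewardWall {
    uint8_t fromShrine; uint32_t f1; uint8_t f2; uint8_t hasText;
    std::string text; uint32_t f3; uint16_t f4; uint16_t f5;
};
using Bytes = std::vector<uint8_t>;
template <typename T> void put(Bytes& b, T v) {      // little-endian (assumption)
    for (size_t i = 0; i < sizeof(T); ++i) b.push_back(uint8_t(v >> (8 * i)));
}
// Bounds-checked read: sets ok=false instead of reading past the end of the packet.
template <typename T> T get(const Bytes& b, size_t& pos, bool& ok) {
    T v = 0;
    if (!ok || b.size() - pos < sizeof(T)) { ok = false; return v; }
    for (size_t i = 0; i < sizeof(T); ++i) v = T(v | (T(b[pos++]) << (8 * i)));
    return v;
}

Bytes buildRewardWall(const RewardWall& w) {
    Bytes b; put<uint8_t>(b, 0xE2);                   // server opcode from the post
    put<uint8_t>(b, w.fromShrine); put<uint32_t>(b, w.f1);
    put<uint8_t>(b, w.f2);         put<uint8_t>(b, w.hasText);
    if (w.hasText != 0) {                             // string follows only a non-zero flag
        put<uint16_t>(b, uint16_t(w.text.size()));    // 16-bit length prefix (assumption)
        b.insert(b.end(), w.text.begin(), w.text.end());
    }
    put<uint32_t>(b, w.f3); put<uint16_t>(b, w.f4); put<uint16_t>(b, w.f5);
    return b;
}

// Reads in the client's order; false when the bytes do not match the layout exactly.
bool parseRewardWall(const Bytes& p, RewardWall& w) {
    size_t pos = 0; bool ok = true;
    if (get<uint8_t>(p, pos, ok) != 0xE2) return false;
    w.fromShrine = get<uint8_t>(p, pos, ok); w.f1 = get<uint32_t>(p, pos, ok);
    w.f2 = get<uint8_t>(p, pos, ok);         w.hasText = get<uint8_t>(p, pos, ok);
    w.text.clear();
    if (w.hasText != 0) {
        size_t n = get<uint16_t>(p, pos, ok);
        if (!ok || p.size() - pos < n) return false;  // declared string longer than packet
        w.text.assign(p.begin() + pos, p.begin() + pos + n); pos += n;
    }
    w.f3 = get<uint32_t>(p, pos, ok); w.f4 = get<uint16_t>(p, pos, ok);
    w.f5 = get<uint16_t>(p, pos, ok);
    return ok && pos == p.size();                     // no missing or trailing bytes
}
```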
 
Excellent, thank you so much. Indeed things are much clearer now, and I'm starting to understand how this client/server connection works.
However, my first step before adding all these new features is to actually log in using the newest Tibia client, but I can't seem to get it working... What encryption are you talking about?

Something odd: when I log in on the official Tibia client and some otservers using 11.75, the world name shows up in the character list, as it should. But on my localhost 11.75 client, when I get the character list it doesn't show the game world name. I've tried changing some stuff in login.php to see if it could work, but no success. I wonder why it is not showing in 11.75 but it is in older versions.
 
Ye, so the encryption I'm not sure about because I haven't looked into it yet; that's what I've heard from people trying to upgrade to 11.75.

As for the login showing the game world name, I'm pretty sure that's just a custom feature they added. You not being able to log in has to do with far more things: RSA keys could've been changed, or the encryption type (the actual one is XTEA). Again, I'm not sure if this is what changed; you can check these files to read more about what that is.

[Image: pA3QNs9.png]


You will have to reverse engineer the client in order to upgrade your engine to 11.75 successfully. I don't think there is anything about that client version on any forum.

Another tip: if you use Linux, or download a Linux console emulator on Windows, you can use the command shown in the screenshot to search for specific words in the files.

grep -rin "SEARCH HERE"
r means recursive, so it will search the files inside all folders in your directory
i means ignore case
n will show the line number where the expression was found.

That will probably help you.
 
Thanks again, a lot of useful information! I hope I can return the favor one day. I'll share everything I learnt and possibly post an OTX edited upgraded version for earlier Tibia clients.
But I'm still struggling with some shit... I've spent the last days trying to reverse the client, checking things from the inside, but not that much progress so far.

If anyone else wants to add some information on reversing the client, it would be really nice!
 
@gudan garam, and others who are wondering why the character list is odd for anything after 11.49, look at this PR I opened with ZnoteAAC: Tibia client 11.49.5921 support by jo3bingham · Pull Request #323 · Znote/ZnoteAAC
CipSoft just changed the json data the client expects to receive.

As for the encryption, if you look at the flash client source you’ll see they use DEFLATE compression, and, if you look at the disassembly of the C++, you’ll see they specifically use the zlib library. It took me quite some time to reverse-engineer the specific method they use, so I won’t share it just yet (which I understand will rub some people wrong), but that information will at least point you in the right direction.
 
I was able to log in and play with otclient till 11.49 using the algorithm I've posted in this thread: Protocol Version 1111

So they changed the algorithm completely?
 
Oh, no, the deflate algorithm is the same. They made a change to the 4-byte value that precedes the packet data (the one that tells whether the packet is compressed or not).
 
Thanks for more sweet information, we are getting closer boys! :D
I'm just struggling trying to intercept the data the client sends. I've been searching for methods to do so by reverse engineering it; I've found many functions but none where I could see the packet.
I thought about hooking the encrypt function so I could see the data before it gets encrypted, but I can't seem to find anything close to that using Immunity Debugger... :(
 
Sorry to intrude.
I have little knowledge; however, I must say that today OTX is the only Open Tibia project that runs Tibia 11 (stable). I am using the 11.49 client base (of course, I did not succeed with versions higher than this). This is the only project that continues to follow Tibia Global, so I think it deserves respect.

Of course we all must credit the TFS team all over the base of Open Tibia. xD
However, in the current Tibia, only OTX continues to advance (without demeaning all previous projects that were and are very important)

Today, the Brazilian and Mexican community also deserves part of the credit for Open Tibia, I think it is unfair to speak as if it had not ...
 