Collected UO:KR infos

Discussion and information about UO:KR
Locked
Torfo
Moderator (Sphere)
Posts: 828
Joined: 13 Jan 2004 12:00

Collected UO:KR infos

#1 Post by Torfo » 27 Jun 2007 23:09

Hi,
there are some guys (not me) who collected and provided info about the new client. One of them allowed some people (including Naz (who published it in another forum) and me) to spread the info. In the following posts I'll copy and paste the docs as they are! I would be glad if you could post any new information in this forum or at least drop a link so everyone can find it as fast as possible.

Known Routines

#2 Post by Torfo » 27 Jun 2007 23:10

Known Routines
ADLER32 :: 003BFE9E :: 007C0A9E
The reference is above.
ADLER32 :: 003D5DEC :: 007D69EC
The reference is above.
ADLER32 :: 0043CFC8 :: 0083DBC8
The reference is above.
CRC32 :: 00645D78 :: 00A47178
CryptGenRandom [Import] :: 005C1C14 :: 009C3014
Referenced at 0086989B
Referenced at 00963872
CryptGenRandom [Name] :: 007A4158 :: 00BA5558
Referenced at 008698A4
CRYPTMT/FUBUKI :: 002F0A45 :: 006F1645
The reference is above.
DES [key schedule] [char] :: 006311C4 :: 00A325C4
Referenced at 0087E408
DES [sbox] :: 0062E730 :: 00A2FB30
Referenced at 0087E538
Referenced at 0087E5B2
ECC: B-163 (NIST), hash output :: 0079FB94 :: 00BA0F94
Referenced at 00841BC2
ECC: B-233 (NIST), hash output :: 0079F3A2 :: 00BA07A2
The reference is above.
ECC: B-283 (NIST), hash output :: 0079F8D8 :: 00BA0CD8
Referenced at 00841C4D
ECC: B-409 (NIST), hash output :: 0079EFCA :: 00BA03CA
The reference is above.
ECC: B-571 (NIST), hash output :: 0079EA80 :: 00B9FE80
Referenced at 00841EDD
ECC: K-163 (NIST), base point x-coord :: 0079FFD2 :: 00BA13D2
The reference is above.
ECC: K-233 (NIST), base point x-coord :: 0079F4A2 :: 00BA08A2
The reference is above.
ECC: K-283 (NIST), base point x-coord :: 0079FAB2 :: 00BA0EB2
The reference is above.
ECC: K-409 (NIST), base point x-coord :: 0079F264 :: 00BA0664
The reference is above.
ECC: K-571 (NIST), base point x-coord :: 0079EE0A :: 00BA020A
The reference is above.
ECC: P-192 (NIST), "b" coef :: 007A1364 :: 00BA2764
Referenced at 00841F84
ECC: P-224 (NIST), "b" coef :: 007A0664 :: 00BA1A64
Referenced at 00842273
ECC: P-256 (NIST), "b" coef :: 007A11E8 :: 00BA25E8
Referenced at 00841FC2
ECC: P-384 (NIST), "b" coef :: 007A0458 :: 00BA1858
Referenced at 008422B2
ECC: P-521 (NIST), "b" coef :: 007A016A :: 00BA156A
The reference is above.
ECC: secp112r1 (SEC2), prime modulus :: 007A109C :: 00BA249C
Referenced at 0084200B
ECC: secp112r2 (SEC2), "a" coef :: 007A1000 :: 00BA2400
Referenced at 00842047
ECC: secp128r1 (SEC2), "b" coef :: 007A0BC0 :: 00BA1FC0
Referenced at 0084213A
ECC: secp128r2 (SEC2), "a" coef :: 007A0AC8 :: 00BA1EC8
Referenced at 00842180
ECC: secp160k1 (SEC2), base point x-coord :: 007A0E7A :: 00BA227A
The reference is above.
ECC: secp160r1 (SEC2), "b" coef :: 007A0F50 :: 00BA2350
Referenced at 0084207D
ECC: secp160r2 (SEC2), "b" coef :: 007A0A1C :: 00BA1E1C
Referenced at 008421B6
ECC: secp192k1 (SEC2), base point x-coord :: 007A095A :: 00BA1D5A
The reference is above.
ECC: secp224k1 (SEC2), base point x-coord :: 007A080A :: 00BA1C0A
The reference is above.
ECC: secp256k1 (SEC2), base point x-coord :: 007A0D2A :: 00BA212A
The reference is above.
ECC: sect113r1 (SEC2), "a" coef :: 0079FCE6 :: 00BA10E6
The reference is above.
ECC: sect113r2 (SEC2), "a" coef :: 0079FC46 :: 00BA1046
The reference is above.
ECC: sect131r1 (SEC2), "a" coef :: 0079F81C :: 00BA0C1C
Referenced at 00841C97
ECC: sect131r2 (SEC2), "a" coef :: 0079F764 :: 00BA0B64
Referenced at 00841CDB
ECC: sect163r1 (SEC2), "a" coef :: 0079FEC4 :: 00BA12C4
Referenced at 00841AC4
ECC: sect193r1 (SEC2), "a" coef :: 0079F65E :: 00BA0A5E
The reference is above.
ECC: sect193r2 (SEC2), "a" coef :: 0079F558 :: 00BA0958
Referenced at 00841D60
ECC: sect239k1 (SEC2), base point x-coord :: 0079FE0A :: 00BA120A
The reference is above.
Golden ratio (TEA/N, RC 5/6, ...) :: 003B9472 :: 007BA072
The reference is above.
Golden ratio (TEA/N, RC 5/6, ...) :: 004F1EC5 :: 008F2AC5
The reference is above.
List of small primes [long] :: 006315B8 :: 00A329B8
Referenced at 0083E087
Referenced at 0083E0A1
Referenced at 0083E0EF
Referenced at 0083E156
Referenced at 0083E212
MD5 :: 004F215B :: 008F2D5B
The reference is above.
RIJNDAEL [S] [char] :: 0062EF60 :: 00A30360
RIJNDAEL [S-inv] [char] :: 00630060 :: 00A31460
SHA1 [Compress] :: 00469A45 :: 0086A645
The reference is above.
SHA-224 [Init] :: 0046A8A6 :: 0086B4A6
The reference is above.
SHA-256 [mixing] :: 00631238 :: 00A32638
Referenced at 0086AABF
SHA-384 [Init] :: 0046C549 :: 0086D149
The reference is above.
SHA-512 [init] :: 0046A8DE :: 0086B4DE
The reference is above.
ZLIB deflate [long] :: 006319C0 :: 00A32DC0
Referenced at 0083C732
ZLIB deflate [long] :: 007A5650 :: 00BA6A50
The reference is above.
ZLIB deflate [long] :: 007A70A0 :: 00BA84A0
The reference is above.
ZLIB deflate [word] :: 00645C50 :: 00A47050
Referenced at 006F7D2D

#3 Post by Torfo » 27 Jun 2007 23:11

Encryption
UO:KR uses AES in CFB mode (IV of 16byte and a Key of 32 byte) for Network Encryption.

1. We need to get an IV of 16 bytes and a key of 32 bytes from the e3 and e4 packets
1a. IV in first e3 is the last 0x10 bytes
1b. key is sha256(math-transform(constbytes,packets))
1c. math-transform is ???
2. Create an AES object in CFB mode
3. xor the plaintext with the block cipher to get the crypt packet.

#4 Post by Torfo » 27 Jun 2007 23:12

Summary
UO:KR Infos ( aka Ultima Online - Kingdom Reborn)
-------------------------------------------------
--Draft 0.1 - OMISSIS --

Fileformats
===========
*.mp3

*.wav

*.8BPS (Adobe)

*.nif
-http://sourceforge.net/project/showfile ... _id=170735

*.particleeffects (ascii)
-texteditor

*.csv (comma separated value)
-Excel

*.jpg (Aquarium)
*.tga
*.bmp (MS bitmap Format)
-any graphic-viewer

Sound-System
============
-Mythic Sound System is used to playback mp3 (LAME3.89 (beta) encoded) and Wav files.


Music
=====
* Minoc Theme (Ultima IX - Ascension Soundtrack) played from "George Oldziey" is used.
- http://www.oldzieymusic.com/

Network-Communication
=====================
Using winsock.


Scripting (LUA)
===============
UO:KR uses Lua 5.0.1 for scripts. Mainly for Interface/GUI.


Unpacked Filestructure
======================
AssetLoaderConfig.xml
Data/assetmap.xml


Shaders (HLSL)
==============
UO:KR uses Character, Texture Shader and MythicColorShader from Warhammer Online.


Encryption
==========

UO:KR uses the Public Domain Library: Crypto++ : http://www.cryptopp.com/


Network-Encryption:
-------------------
UO:KR uses AES in CFB mode (IV of 16byte and a Key of 32 byte) for Network Encryption.


Hashing:
--------
Currently I don't know what it's used for, maybe Filerevisions!?


DSA-1363/EMSA1(SHA-1)
---------------------

* DSA/ECDSA/EMSA1(SHA-1) (Digital Signature Algorithm (DSA))
EMSA1 is compatible with the encoding used for DSA in FIPS 186, and for ECDSA in X9.62 and FIPS 186-2.

http://www.users.zetnet.co.uk/hopwood/c ... #sem_EMSA1


UO:KR uses also the following Libraries
=======================================
* Standard Library implementation (Dinkumware)
- http://www.dinkumware.com/

* Gamebryo Version 2.2.1.0 from "Emergent Game Technologies"
- http://www.emergent.net/
- OSS Tool/Lib to open Gamebryo NIF Files -> http://sourceforge.net/projects/niftools

- WinCPUID from Intel
* http://www.intel.com/cd/ids/developer/a ... htm?page=4

#5 Post by Torfo » 27 Jun 2007 23:12

IP
IP is hardcoded

004EBCB5 |. 8901 MOV DWORD PTR DS:[ECX],EAX // I'm on stack
004EBCB7 \. C2 1000 RETN 10
004EBCBA /$ 6A 39 PUSH 39 // .57 (4) Start pushing
004EBCBC |. 68 99000000 PUSH 99 // .153. (2)
004EBCC1 |. 68 9F000000 PUSH 9F // 159. (1)
004EBCC6 |. 56 PUSH ESI
004EBCC7 |. B1 C4 MOV CL,0C4 // .196. (3)
004EBCC9 |. E8 C7FFFFFF CALL UOKR.004EBC95
004EBCCE |. 66:C746 04 5F1>MOV WORD PTR DS:[ESI+4],1E5F // 775 (port)
004EBCD4 \. C3 RETN

in file is @ eb0b7

#6 Post by Torfo » 27 Jun 2007 23:13

Packets
This file will contain new/changed packet details that have been found in UOKR.

========================
0xFF (client -> server)
LOGIN REQUEST
========================

byte[4] login request

-> This is sent immediately after the client connects to the game server.
-> Always contains 0xffffffff



========================
0xE0 (client -> server)
BUG REPORT
========================

byte[1] packet cmd
byte[2] packet len
byte[4] language
byte[2] bug type
byte[packet len - 9] report body (unicode text)

-> Sent from the client when player fills in a bug report on the ESC menu.
-> Language is 3 character (null terminated) ascii string as found in chat packets.
-> Types:
0x01 - World Environment
0x02 - Wearables
0x03 - Combat
0x04 - UI
0x05 - Crash
0x06 - Stuck
0x07 - Animations
0x08 - Performance
0x09 - NPCs
0x0A - Creatures
0x0B - Pets
0x0C - Housing
0x0D - Lost Item
0x0E - Exploit
0x0F - Other


========================
0xE1 (client -> server)
UNKNOWN
========================

byte[1] packet cmd (0xe1)
byte[unk]

-> Sometimes sent by the client on the character selection screen, but have not
reproduced it with packet logging enabled.
-> Seemed to be related to the max char count somehow (lack of reply grays out the
create button).


========================
0xE3 (server -> client)
ENCRYPTION SET
========================

byte[1] packet cmd (0xe3)
byte[2] packet length
byte[4] length unkA (0x00000003)
byte[length unkA] unkA (0x020103)
byte[4] length unkB (0x00000013)
byte[length unkB] unkB
byte[4] length unkC (0x00000010)
byte[length unkC] unkC
byte[4] unkD (0x00000020)
byte[4] length iv (0x00000010)
byte[length unkE] iv

-> This is sent by the server after the login request, and may contain some kind of
data related to the encryption (ie. encryption keys).
-> Length is always 0x4D or the client will crash.
-> unkA[0] must be 0x02 or the client will crash.
-> Setting unkA[1] to 0x00 will cause the client to send 0s in the 0xE4 response
(see below).
-> Setting too many 0s in the unkX can cause the client to fail connection.
-> unkB always begins with 0x021100. unkB may break down further.


========================
0xE4 (client -> server)
ENCRYPTION REPLY
========================

byte[1] packet cmd (0xe4)
byte[2] packet length (0x17)
byte[4] length unkA (0x00000010)
byte[length unkA] unkA

-> This is a reply to the 0xE3 packet and possibly contains the 3rd key to use with
encryption.
-> The response is almost always different, regardless of the contents of the 0xE3
packet.
-> In 0xE3, if unkA[1]=0x00, then unkA in this packet will always be filled with 0s,
but this does not appear to remove encryption.


========================
0xEC (client -> server)
Equip Item Macro
========================

byte[1] packet cmd
byte[2] packet length
byte[1] item count
byte[length-4] item serials

-> Sent when an equip item macro is played.
-> Item serials is simply a list of item UIDs that the client wants to equip.


========================
0xED (client -> server)
Unequip Item Macro
========================

byte[1] packet cmd
byte[2] packet length
byte[1] layer count
byte[length-4] layers

-> Sent when an unequip item macro is played.
-> layers is a list of layers that the client wants to unequip.


========================
0x8D (client -> server)
CHAR CREATION
========================

byte[1] packet cmd
byte[2] packet length
byte[4] pattern 1
byte[4] pattern 2
byte[30] character name
byte[30] "Unknown"
byte[1] profession
byte[1] unkA
byte[1] gender
byte[1] race
byte[1] strength
byte[1] dexterity
byte[1] intelligence
byte[2] skin hue
byte[8] unkB
byte[1] skill 1 id
byte[1] skill 1 value
byte[1] skill 2 id
byte[1] skill 2 value
byte[1] skill 4 id
byte[1] skill 4 value
byte[1] skill 3 id
byte[1] skill 3 value
byte[26] unkC
byte[2] hair hue
byte[2] hair id
byte[11] unkD
byte[2] skin hue
byte[1] unkE
byte[1] portrait
byte[1] unkF
byte[2] beard hue
byte[2] beard id

-> "Unknown" actually contains the string "Unknown".
-> Profession is the ID of the selected profession, or 0 for custom.
-> Gender values are 0=male, 1=female.
-> Race values are 0=human, 1=elf.
-> UOKR clients can choose 4 starting skills. Skills 4 and 3 are sent in reverse
for some reason.
-> The skill ids and values should only be used when profession is custom (0). If
a profession is selected then the skills will contain 'junk'.
-> Skin hue is repeated twice for some reason.
-> Portrait may be a byte[2].


========================
0x29 (server -> client)
Confirm drop on ground/on container
========================

byte[1] packet cmd (0x29)

-> To send after 0x25 and 0x1A

========================
0xA9 (server -> client)
Char List
========================

-> The flags have been updated. We have now also 0x200 and 0x400 (unknown effects)

========================
0xDE (server -> client)
Unknown purpose
========================

byte[1] packet cmd (0xDE)
byte[2] packet length
byte[4] char serial
byte[1] unk1 (0x00)

--> Seen on OSI (unknown purpose)

========================
0xDD (server -> client)
Compressed Gump
========================

-> The packet has now an indirect effect, GumpID is read and used to find an xml
in Interface.uop that contains the kr-compatible layout, then the dynamic parts
are extracted to complete the layout. Additional LUA scripts are used to define
a client-side behaviour.
If the GumpID is not found a bug report window is shown.
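The 0xE3 and 0xE4 layouts from the post above are chains of length-prefixed fields, so a server emulator or packet logger has to bounds-check every prefix before slicing. The parser below is an added example, not part of the original post or of any UO:KR code; it assumes big-endian multi-byte fields (the post does not state the byte order), and the sample packet is constructed with made-up filler bytes.

```python
import struct

class PacketError(ValueError):
    """The buffer does not match the layout listed in the post above."""

def _u32(buf, pos):
    if pos + 4 > len(buf):
        raise PacketError(f"truncated 4-byte field at offset {pos}")
    # Assumption: multi-byte fields are big-endian; the post does not say.
    return struct.unpack_from(">I", buf, pos)[0], pos + 4

def _blob(buf, pos):
    """Read a 4-byte length prefix, then that many bytes, never past the end."""
    n, pos = _u32(buf, pos)
    if pos + n > len(buf):
        raise PacketError(f"length {n:#x} at offset {pos - 4} overruns the packet")
    return buf[pos:pos + n], pos + n

def _header(buf, cmd, expected_len):
    if len(buf) < 3 or buf[0] != cmd:
        raise PacketError(f"not a {cmd:#04x} packet")
    (length,) = struct.unpack_from(">H", buf, 1)
    if length != expected_len or length != len(buf):
        raise PacketError(f"{cmd:#04x} length must be {expected_len:#x}")
    return 3  # offset of the first field after cmd and length

def parse_e3(buf):
    pos = _header(buf, 0xE3, 0x4D)
    unk_a, pos = _blob(buf, pos)
    unk_b, pos = _blob(buf, pos)
    unk_c, pos = _blob(buf, pos)
    unk_d, pos = _u32(buf, pos)
    iv, pos = _blob(buf, pos)
    if pos != len(buf):
        raise PacketError("declared field lengths do not add up to the packet length")
    if not unk_a or unk_a[0] != 0x02:
        raise PacketError("unkA[0] must be 0x02")
    return {"unkA": unk_a, "unkB": unk_b, "unkC": unk_c, "unkD": unk_d, "iv": iv}

def parse_e4(buf):
    pos = _header(buf, 0xE4, 0x17)
    unk_a, pos = _blob(buf, pos)
    if pos != len(buf):
        raise PacketError("declared field length does not match the packet length")
    return unk_a

def sample_e3():
    """Constructed packet: field sizes from the post, filler bytes made up."""
    fields = (bytes([0x02, 0x01, 0x03]),
              bytes([0x02, 0x11, 0x00]) + bytes(range(16)),
              bytes(range(0x10, 0x20)))
    body = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    iv = bytes(range(0xA0, 0xB0))
    body += struct.pack(">I", 0x20) + struct.pack(">I", len(iv)) + iv
    return b"\xE3" + struct.pack(">H", 3 + len(body)) + body
```

The listed field sizes add up to exactly 0x4D bytes for 0xE3 and 0x17 bytes for 0xE4, which is why the parser can reject any packet whose prefixes do not consume the whole buffer.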

#7 Post by Torfo » 27 Jun 2007 23:14

File Formats
UOP Fileformat ( aka Mythic Package )
---------------------------------------
--Draft 0.2 - OMISSIS --

(Every Offset value is its first evidence as example)
All values are stored in Little Endian sequence, as usual in x86 architecture.
Compression method is DEFLATE using zlib.

sizeof(DWORD) = 4
sizeof(QWORD) = 8

[1] - General Format Header (sizeof: 40bytes )
Byte(23) 0x0 - 0x17 -> Containing general file headers (Version etc.)
DWORD? 0x18 -> Amount of contained files/indexes
byte(12) -> Unknown gibberish

[2] - Index Block Header (sizeof: 24bytes)
There can be multiple index blocks, they are split into chunks.
DWORD 0x28 -> Amount of contained files in this index, max 100/0x64
QWORD 0x2c -> Offset to the next index block header OR Zero
QWORD 0x34 -> Offset to start of Data Block( -> WORD[2] 0x0008 0x0003 )
DWORD 0x3c -> End of header, Form Feed (0x0000000c)
When an index block doesn't contain 100 index definitions, it will be padded with nulls

[3] - FileIndex Definitions (sizeof: 34bytes )
DWORD 0x40 -> Length of compressed data
DWORD 0x44 -> Size of decompressed file
QWORD 0x48 -> UNKNOWN-1 (maybe CRC)
DWORD 0x50 -> UNKNOWN-2
WORD 0x54 -> Separator? (always 0x0001)
QWORD 0x56 -> offsetdatablock + (12 + current compressed size)*id current block {1...max} (last one is 0)
DWORD 0x5e -> end of definition, Form Feed ( 0x0000000c)
...this repeats, until all FileIndexes are processed

[4] - Data Block/File (sizeof: 8+Length bytes)
DWORD 0xd7c -> separator, start of Data ( WORD[2] 0x0008 0x0003 )
QWORD 0xd80 -> UNKNOWN, possibly a CRC
BYTE(Length) 0xd88 -> compressed data
...this is repeated until all Files from FileIndexes are processed

repeat until next Index Block=0.


Pseudocode:

[1] - General Format Header (sizeof: 40bytes )

while ( repreatindex ) do
[2] - Index Block Header (sizeof: 24bytes)

while ( indexfilenumber~=indexfilecounter ) do
[3] - FileIndex Definitions (sizeof: 34bytes )
end
while ( indexfilenumber~=indexfilecounter ) do
[4] - Data Block/File (sizeof: 8+Length bytes)
end
end

Feel free to add your own chapters.
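The pseudocode in the post above, carried through as a reader for the draft layout. This is an added example, not code from the original document or from the game client; it assumes the compressed data is a zlib-wrapped stream, that data blocks follow each other back to back from the index block's data offset (the per-file offset field is ignored because its description is ambiguous), and a hypothetical MAX_FILE cap on declared sizes.

```python
import struct
import zlib

INDEX_HDR = struct.Struct("<IQQI")    # count, next index block, data offset, 0x0c
FILE_DEF = struct.Struct("<IIQIHQI")  # the 34-byte FileIndex definition
DATA_HDR = struct.Struct("<HHQ")      # WORD[2] 0x0008 0x0003, then unknown QWORD
MAX_FILE = 64 * 1024 * 1024           # assumption: cap on a declared decompressed size

def parse_uop(buf):
    """Return (declared_total, [decompressed files]) or raise ValueError."""
    if len(buf) < 0x28:
        raise ValueError("shorter than the 40-byte general header")
    (total,) = struct.unpack_from("<I", buf, 0x18)
    files, pos, seen = [], 0x28, set()
    while pos:  # a next-block offset of zero ends the chain
        if pos in seen or pos + INDEX_HDR.size > len(buf):
            raise ValueError(f"bad index block offset {pos:#x}")
        seen.add(pos)  # guards against a looping chain
        count, next_block, dpos, feed = INDEX_HDR.unpack_from(buf, pos)
        defs = pos + INDEX_HDR.size
        if count > 100 or feed != 0x0C or defs + count * FILE_DEF.size > len(buf):
            raise ValueError(f"bad index block header at {pos:#x}")
        for i in range(count):
            clen, dlen, _, _, _, _, _ = FILE_DEF.unpack_from(buf, defs + i * FILE_DEF.size)
            body = dpos + DATA_HDR.size
            if dlen > MAX_FILE or body + clen > len(buf):
                raise ValueError(f"file {len(files)}: sizes exceed the input")
            if DATA_HDR.unpack_from(buf, dpos)[:2] != (0x0008, 0x0003):
                raise ValueError(f"file {len(files)}: missing data separator")
            try:  # max_length stops output that outgrows the declared size
                raw = zlib.decompressobj().decompress(buf[body:body + clen], dlen + 1)
            except zlib.error as exc:
                raise ValueError(f"file {len(files)}: {exc}") from None
            if len(raw) != dlen:
                raise ValueError(f"file {len(files)}: decompressed size mismatch")
            files.append(raw)
            dpos = body + clen  # assumption: data blocks are stored back to back
        pos = next_block
    return total, files

def build_sample(payloads):
    """Constructed one-index-block file per the layout above; unknown fields are zero."""
    comp = [zlib.compress(p) for p in payloads]
    data_off = 0x28 + INDEX_HDR.size + 100 * FILE_DEF.size
    out = bytes(0x18) + struct.pack("<I", len(comp)) + bytes(12)
    out += INDEX_HDR.pack(len(comp), 0, data_off, 0x0C)
    for c, p in zip(comp, payloads):
        out += FILE_DEF.pack(len(c), len(p), 0, 0, 1, 0, 0x0C)
    out += bytes((100 - len(comp)) * FILE_DEF.size)  # null padding up to 100 entries
    return out + b"".join(DATA_HDR.pack(8, 3, 0) + c for c in comp)
```

Every offset and size read from the file is checked against the buffer before use, and decompression is capped at the declared size, so a malformed or hostile package fails with ValueError instead of looping or exhausting memory.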
