Hardline Dreams - A Python Matrix Online Server Project

Full Version: MxO Client - Connection sequence Launchpad->Worldlist (Work in progress)
Findings findings and more findings...

At first, I used some easy-cheating software to look for my user and pass. It was supposed to work because, even with a great encryption mechanism, what you typed has to be sent in plain text to the client as a string to be encoded later; and it worked indeed.

Got a fixed location where user + pass were stored in plain text. I was happy.

But happiness is a short state, as I found that I was half wrong. Indeed, the MxO client stored the user + pass there but... when I looked more into the matrix code (haha, easy joke) I saw that it was copied from another fixed location and that it writes some more data.

This may mean that what I saw in the first place was the place where a copy was stored, and we know that copies are meant to be... sent, edited, compared, ... so it may be the place where it takes the plain-text password to the encoded one...

It needs some research but... hey... it's a start.

More things...

After so many tries, I have found that the first packet to launchpad:

00 01 00 00 00 02 <4 "random" characters here> 00 00 02 00

is stored in the in-game code (that means where the packet info is), and I made a trace after sending, so I reached the place where the response is stored too.

The first place is always the same, but the 2nd I'm not so sure about (maybe it was xD).

I followed the in-game code (from now on I will refer to this as "press F7 till your finger hurts") after getting the:

00 02 <same 4 chars> <4chars response> 00 00 00 00 00 00 00 00 00 02

And I... (apart from getting a "sick" status over my head) found that:
- It writes it in some code that does blahblahblah; I commented like 100-200 lines of pure asm + "press F7 till finger really hurts...." and got nothing.
- I suspect that it doesn't do much with that response, meaning that the client may accept it and use it later.
- The suspicion is strengthened because the client checks the first block of the response, aka "<same 4 chars>", against one memory address, and keeps doing operations with the second block, aka "<4chars response>", writing it to another memory place and not comparing it to anything (or I got tired before it did!)

.... it's a work in progress from here peeps! ....
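
The launchpad exchange described in the post above, as an added example that is not part of the original thread or the project's code: it parses the first packet, builds the reply, and mirrors the one check the post observed (the echoed block is compared, the second block is only stored). The function and constant names are this example's own, the sample bytes are constructed, and it assumes the fixed bytes shown in the post never vary.

```python
# Added example: byte layouts copied from the thread; all names are this example's own.
REQ_HEAD = bytes.fromhex("00 01 00 00 00 02")   # bytes before the 4 "random" characters
REQ_TAIL = bytes.fromhex("00 00 02 00")         # bytes after them
RESP_HEAD = bytes.fromhex("00 02")
RESP_TAIL = bytes.fromhex("00 " * 9 + "02")     # nine zero bytes, then 02


def parse_request(packet: bytes) -> bytes:
    """Return the 4 client-chosen bytes from the first launchpad packet."""
    if len(packet) != len(REQ_HEAD) + 4 + len(REQ_TAIL):
        raise ValueError(f"unexpected request length {len(packet)}")
    if not (packet.startswith(REQ_HEAD) and packet.endswith(REQ_TAIL)):
        raise ValueError("fixed request bytes do not match the observed layout")
    return packet[len(REQ_HEAD):len(REQ_HEAD) + 4]


def build_response(client_block: bytes, server_block: bytes) -> bytes:
    """Build the reply: echo the client's 4 bytes, then 4 server-chosen bytes."""
    if len(client_block) != 4 or len(server_block) != 4:
        raise ValueError("both blocks must be exactly 4 bytes")
    return RESP_HEAD + client_block + server_block + RESP_TAIL


def parse_response(packet: bytes, sent_block: bytes) -> bytes:
    """Client-side view: compare the echoed block, keep the second one as-is."""
    if len(packet) != len(RESP_HEAD) + 8 + len(RESP_TAIL):
        raise ValueError(f"unexpected response length {len(packet)}")
    if not (packet.startswith(RESP_HEAD) and packet.endswith(RESP_TAIL)):
        raise ValueError("fixed response bytes do not match the observed layout")
    echoed, server_block = packet[2:6], packet[6:10]
    if echoed != sent_block:      # the one comparison the post observed
        raise ValueError("echoed block does not match what the client sent")
    return server_block           # stored for later use, not compared


if __name__ == "__main__":
    block = b"ABCD"                               # constructed sample value
    request = REQ_HEAD + block + REQ_TAIL
    reply = build_response(parse_request(request), bytes.fromhex("11223344"))
    print(reply.hex(" "), "->", parse_response(reply, block).hex())
```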
Ok, for myself launchpad isn't very interesting, and I will explain why.
Before August 2005, Matrix Online wasn't on SOE, which means Launchpad wasn't required... and you can see this if you disable the launchpad API.

That means the client auths twice, first on launchpad and after that on the MxO auth server... sure, a launchpad session id could be sent to the auth server too.

For information about launchpad packets this might be helpful:

These are packets from SWG Emu and there is a part of it described.
It wasn't helpful....

It was wonderful ... ...
This seems to be a "common" standard in SOE games that require its launcher, so it matches here too... great.

In my opinion, launchpad may not be needed, but it's faster to understand how it passes things to the auth server, so we don't have to worry about knowing how auth asks for passwords... or not... keep working


Launchpad or MxO auth isn't required at all.
All you need is to make a class instance with all the required data and objects
and pass it along to a function in client.dll which will open up the 3D window and do everything else (talking only to the margin and world servers).
client.dll is the actual game, launcher.exe is just the launcher... which you don't need if you reverse engineer enough.
(06-29-2009, 05:06 AM) rajkosto wrote: all you need is to make a class instance with all the required data and objects
and pass it along to a function in client.dll
So that's why there are so many tmoemu around there, isn't it?

The MxO client still looks good enough to use for a normal user, and in the first instance I would want to make some server (even solo play offline) that is not intrusive to the client already made, like patched exes or dlls and the server files only.

I think (with my small knowledge of reversing) that when client.dll is loaded it handles most of the things, but it still gives execution to the matrix module sometimes.

How does your class instance handle that?

Knowledge incoming appreciated


No, all communication ceases after client.dll function is called

the exported functions from client.dll are

launcher.exe (matrix.exe really, they are both the same exe) just calls InitClientDLL with a few pointers to some class instances (I have no idea which, but I guess they give all the info required for the client to proceed), and then calls RunClientDLL.
The other functions are only called in special cases