
[Blue Burst] Connecting with the latest 1.25.11 JPBB client

Open nolrinale opened this issue 2 years ago • 54 comments

Now that we have access to the latest JPBB client in an unmodified state, which has been uploaded at https://archive.org/details/psobb_jp_setup_12511_20240109,

I wanted to ask if you guys knew a way to prepare it to connect to newserv.

Similar to Tethealla, ideally I would like to know what kind of tools or methods can be used to:

  • Create an uncompressed copy of the psobb.exe or psobb.pat for easier manipulation
  • Get rid of the GameGuard code
  • Any other steps or modifications needed to make the client connect to newserv

I want to know how to achieve all this so I can document it and add it in another PR to the usual notes folder, so this information is always kept at hand as an alternative to the Tethealla client.

I've been trying to do my own research, but I keep hitting roadblocks everywhere or extremely outdated information, so any pointers on this would be really helpful!

nolrinale avatar Jan 13 '24 19:01 nolrinale

Unpacking the executable is nontrivial. In ages long past, a program called stripper was used to do this, but it's difficult to find via search engines for obvious reasons. This version of stripper works on 32-bit Windows 2000 and XP only (and not 64-bit); I'd recommend running it in an isolated qemu instance, since it likely won't work at all on any modern hardware.

After the executable is unpacked, patching out GameGuard is probably not hard. You could disassemble the Tethealla client and go to the address mentioned here, then search for a similar sequence in the unpacked, disassembled 1.25.11 executable to find the appropriate location for the patch.

Finally, changing the connection address is easy. Look in the unpacked executable for strings like ".jp" and ".com" and you'll probably find the connection addresses. You can then overwrite them with whatever you want.

I am not going to spend time working on this client myself, but would be willing to offer more thoughts like the above as needed.

fuzziqersoftware avatar Jan 13 '24 21:01 fuzziqersoftware
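The string-overwrite step fuzziqersoftware describes above has one hard constraint that is easy to get wrong by hand: the executable's offsets are fixed, so a replacement hostname must fit inside the original NUL-terminated slot and the leftover bytes must stay NUL. The following Python helper is an added example (not from this thread and not part of newserv) that scans a byte image for NUL-terminated ASCII hostnames and overwrites one in place. The `SAMPLE_IMAGE` is constructed filler, not real psobb.exe data; the hostnames in it are the ones that appear later in this thread. Wide-character (UTF-16) strings, if the client stores any that way, would need a separate pattern.

```python
import re

# Constructed stand-in for a slice of an unpacked executable: a few NUL-terminated
# hostnames surrounded by filler bytes. This is NOT real psobb.exe content.
SAMPLE_IMAGE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"patch01.psobb.segaonline.jp\x00"
    + b"\x00" * 4
    + b"game01.psobb.segaonline.jp\x00"
    + b"\xcc" * 8
    + b"db.psobb.cn\x00"
)

# A NUL-terminated ASCII hostname with a 2-6 letter TLD, not preceded by another
# hostname character, so the tail of a longer name is not reported as its own hit.
HOSTNAME_RE = re.compile(
    rb"(?<![A-Za-z0-9.-])[A-Za-z0-9][A-Za-z0-9.-]*\.[A-Za-z]{2,6}\x00"
)


def find_hostnames(image: bytes):
    """Return [(offset, hostname), ...] for every candidate connection address."""
    return [
        (m.start(), m.group(0)[:-1].decode("ascii"))
        for m in HOSTNAME_RE.finditer(image)
    ]


def patch_hostname(image: bytes, old: str, new: str):
    """Overwrite every NUL-terminated occurrence of `old` with `new`, in place.

    The replacement is NUL-padded to the original slot length and may never be
    longer: nothing in an executable may move. Returns (patched_bytes, count).
    An IP literal such as "127.0.0.1" is a valid `new` value too.
    """
    old_b = old.encode("ascii") + b"\x00"
    new_b = new.encode("ascii") + b"\x00"
    if len(new_b) > len(old_b):
        raise ValueError(
            f"{new!r} is {len(new_b) - len(old_b)} byte(s) too long for the {old!r} slot"
        )
    new_b = new_b.ljust(len(old_b), b"\x00")

    buf = bytearray(image)
    count = 0
    # Match on the original image; sizes are unchanged so offsets stay valid.
    for m in re.finditer(rb"(?<![A-Za-z0-9.-])" + re.escape(old_b), image):
        buf[m.start():m.end()] = new_b
        count += 1
    return bytes(buf), count


if __name__ == "__main__":
    for off, name in find_hostnames(SAMPLE_IMAGE):
        print(f"0x{off:08x}  {name}")
    patched, n = patch_hostname(
        SAMPLE_IMAGE, "patch01.psobb.segaonline.jp", "patch.example.net"
    )
    print(f"patched {n} occurrence(s); size unchanged: {len(patched) == len(SAMPLE_IMAGE)}")
```

Run `find_hostnames` over the real unpacked file first and review the list before patching anything: the same scan will also report unrelated strings (e-mail domains, URLs in error text), and only the ones the client actually resolves need to change.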

I've done some preliminary research into unpacking the executable and have played with a few tools that look promising. I think unpacking is still possible; that being said, it is not going to be a simple task. Unfortunately I will not have time to do any real work on this until after the end of January, as all of my time is booked solid until then. But I will take a crack at unpacking once my time is free and report any success or failure.

Here's the information I have come up with so far in case anyone wants to pursue it further: using PEiD to inspect the executable, and if PEiD is reporting correctly, the PSOBB.EXE file is compressed with ASProtect 1.23 RC4. In the past people have used OllyDbg and custom ASProtect extraction scripts to dump these into unpacked executables. Unfortunately I have not come across a script that works on this particular version of ASProtect, but it may be possible to look at similar scripts and glean some helpful information. My few attempts at this method have ended in failure, but I think that may simply be due to my own inexperience in cracking these things open; still, the results have encouraged me that it can be done.

After unpacking, however, there will still be some work to do, as ASProtect makes changes that will have to be undone to get a working executable. Documentation on this is scarce, but I have hope a working method can be found. As @fuzziqersoftware mentioned, Stripper has also been used, but my attempts at using Stripper were complete failures; it could be that I am simply doing it wrong, or this version of ASProtect is harder to crack. Although I say that, interestingly enough I have not seen the version of Stripper that @fuzziqersoftware linked above. Perhaps that's the missing piece.

MADrewry avatar Jan 13 '24 22:01 MADrewry

Have you guys managed to find anything interesting regarding this client lately?

nolrinale avatar Jan 18 '24 15:01 nolrinale

I had just a little extra time before my busy push started, so I decided to put this into a Windows XP development environment, since some of the tools only seem to work there. While attempting to identify the packer, both PEiD and DIE now list the packing software as Yoda's Cryptor, which is different from what they identified in a Windows 10 environment. Further digging revealed what appear to be signatures for both Yoda's Cryptor and ASProtect within the code. I did make a couple of feeble attempts to find the OEP of the file, but GameGuard would launch when I ran PSOBB.EXE in the debugger and appears to terminate the process before I can find the true entry point. To be honest my reverse engineering skills are practically nonexistent, so any progress I can make would be slow; however, I will continue to hammer at this as a learning project for myself once I finish the big work project I am on now. I am willing to take any advice anyone may have on how to proceed.

MADrewry avatar Jan 18 '24 16:01 MADrewry

If it helps, you can always try to run psobb.exe /1095189843 or possibly psobb.exe /1397049153 to give the program some more time to load.

The first one should at least attempt to launch the game, but may still launch GameGuard, which will eventually throw an error, and the second should show the credits. Not sure if the credits are still GameGuard protected, though.

ShiftaDeband avatar Jan 18 '24 17:01 ShiftaDeband

I tried to start it via the command prompt with this command:

PS C:\SEGA\PHANTASY STAR ONLINE Blue Burst> .\PsoBB.exe /1095189843

It begins to download the GameGuard files, but since the GameGuard servers are down it will attempt to connect several times (in the little GameGuard window) until it displays an error message stating that GameGuard cannot connect to the network.

[screenshot]

But the game never started.

The credits are protected too; after all, you are calling the same psobb.exe, so it's the same issue.

nolrinale avatar Jan 18 '24 17:01 nolrinale

@fuzziqersoftware used to have a little utility that would attempt to bypass GameGuard, but I couldn't get it to work.

I have the old utility and source, but you'll need to modify it (see below). Still posting it here in the event it could be helpful to someone.

PSOBB Launcher - runs PSOBB and disables GameGuard. Make sure it's in the same directory as online.exe. (This version is for PSOBB v1.24.3; it can be built for other versions of PSOBB by changing the patch addresses in the source.)

--

I have a local legit XP machine that I've used to test newserv for PSOBB. I'll take a stab at this when possible as well.

ShiftaDeband avatar Jan 18 '24 18:01 ShiftaDeband

Oh? This was created by fuzzi himself more than 10 years ago, lol. I sadly cannot understand much about this tool; since you have a real XP machine lying around, please give it a try whenever you get the chance.

Since this is a clean client, I'm expecting, first of all, the game to load the correct title screen with the Episode IV subtitle, which is a flag that either got disabled, got lost, or got screwed up in the Tethealla client, but should look like this:

[screenshot: title screen]

Then, if possible, try to access the game, create an Episode 1 room and verify that the main teleporter only displays FOREST 1 (and not the other areas) to select. This is another flag that got enabled by SEGA to open all areas by default and got lost in the docs, so I've been unable to find it in the Tethealla client to disable/enable it, and it would really help me debug stuff like the offline story quests and the Episode 2 yellow door issue at the lab.

You guys are better than me at figuring out stuff like this; honestly, it is very much outside my current knowledge.

nolrinale avatar Jan 18 '24 18:01 nolrinale

@ShiftaDeband thanks for uploading @fuzziqersoftware's tool. I was aware that existed but could not find it myself. I just took a quick look at the source and it validated one of my thoughts on the PSOBB code. This may come in handy.

MADrewry avatar Jan 18 '24 20:01 MADrewry

What is it you found out?

nolrinale avatar Jan 18 '24 23:01 nolrinale

@nolrinale, oh, just some of the header info matched what I was seeing in the debugger, so that makes me think I may be on the right track, or not too far off it anyway. That was using 1.24.3 for my trials, but this code gives me a better idea of what to look for and where to look.

MADrewry avatar Jan 19 '24 00:01 MADrewry

@nolrinale, using Fuzzi's launcher I was able to run this client and check the screens for you, but they are not as you expected. Take a look at the attached screenshots: you will see there is no Episode 4 subtitle, and I am able to go into all areas via the teleporter:

[screenshots: psobb1, psobb3]

MADrewry avatar Jan 21 '24 07:01 MADrewry

For the specific Episode IV flag, you may want to look at the Episode IV DVD that was released at retail. I know it's on Archive.org; this version was basically paid DLC that was free in the US. As you noted, I think it was free later in the PSOBB lifecycle, but I'm not sure they enabled the fancy Episode IV screen for this.

I have the disc as well if there's any issues, but I doubt that you'll have any.

(The following comes from memory and should be treated with a grain of salt.)

I know there are other flags that are undocumented. In the US, the client was released but only with Episode I. A little while later (week or month?), Episode II was released.

More time went by and Episode IV was released. This was also special in that each area, along with its respective government quests, was released one at a time. When you'd get to the end of something like the Subterranean Desert, the warp to the next area would be fenced off.

I believe that each area was in the client, and you could warp to 'restricted' areas by using something like Cheat Engine to progress.

Regardless, I believe there should be flags to enable access to areas, probably on a per-level basis, and episodes as well. There's likely a very old US client out there that has these in them.

ShiftaDeband avatar Jan 21 '24 09:01 ShiftaDeband

The EP IV screen appeared for everyone in the public client; in fact, the picture I posted above is from the same public client you downloaded from the archive copy.

What I think is happening here is that what controls which title screen appears is online.exe, via a special flag/argument, similar to how it also controls whether it launches the main game in game mode or credits mode.

As for all areas being opened, I already confirmed they were also activated by the time SEGA posted this client on their site, so it might be necessary to keep checking for the hidden area switch in order to disable it. The client inside the Episode IV box, which was also uploaded to the archive, would be the best candidate to check, it being an older version as @ShiftaDeband mentioned; it's at: https://archive.org/details/psobb

As for how EP IV was distributed, I will explain for Japan and then for the US.

For JPBB,

The client initially launched with Episode I and Episode II only, during the beta and for a while after the official service began, until late 2004, when EP IV launched as a very, very short network trial for select players. It's not like they had a 'test server' to try; they were testing everything on the live server, so they would go into EP IV, return to the lobby and share their findings with the rest of us. I believe they were limited to visiting the Wilds area and nothing else. We all began to receive EP IV assets via the patch server but couldn't access them yet; it was very fun to speculate to the max about what would be in EP IV just by looking at the weird file names that were being downloaded!

By the time the formal EP IV was released (the box), you had to purchase it, and inside there was a serial code you had to assign to your account via the billing site. It changed your in-game name from white to orange, and that meant you had the possibility to access Episode IV. At first you could only play with other orange-name players, but during the PSO 5th anniversary event they decided to make EP 1, 2 and 4 free for all and turned everyone into orange names.

But since the very beginning it was one client for everyone; it was all artificially limited via the serial code in the billing site.

For USBB:

USBB had a short beta with Episode I and II only, and by the time of the formal launch they enabled EP IV. But this client was already the newest client we had in JPBB, so it already had the EP IV assets preloaded into it; this is why you guys managed to hack it and teleport to the EP IV areas freely without much of an issue.

For this version SOA decided to keep everyone with white names too, as it wasn't necessary to do the extra step of getting an additional serial code to enable EP IV.

nolrinale avatar Jan 21 '24 13:01 nolrinale

OK, a bit of a surprise for me here: on a whim I decided to try and load PSOBB on a Windows 11 PC (using Fuzzi's launcher). To my surprise, the boot screen came up with the Episode 4 subtitle. I was not able to go further because I currently don't have a connection to my server, but I am curious what is different about my Windows 11 install that triggered this, and what else may be different in-game. I will investigate further later this week when I get back to the home office.

[screenshot: Episode4]

MADrewry avatar Jan 22 '24 16:01 MADrewry

I wonder if that is the non-.pat version of the game.

Windows XP was the last version of Windows that really didn't require administrative privilege to modify the Program Files directory. What would happen behind the scenes is that when you opened online.exe and selected the online game, it would rename the .pat version of the client into the .exe. It's still possible on Windows Vista and above, but it is not set to require administrator by default.

In fact, if you open online.exe without administrator privileges, it will give an error (garbled) that it cannot update the client.

I wonder if the .exe and .pat versions really only differ in the flag? (Or is the flag set elsewhere?)

Interesting find for sure.

ShiftaDeband avatar Jan 22 '24 17:01 ShiftaDeband

Thanks for that info. I was completely unaware of that behavior; I was wondering what the .pat version was used for. But that gives me something to investigate.

MADrewry avatar Jan 22 '24 17:01 MADrewry

The .pat is how SEGA used to push client updates alongside other assets remotely in the patch update screen; in fact, the patch server is capable of telling when the .pat file is being served. This is why after each patch the client closes entirely; then online.exe decompresses and renames it into psobb.exe and starts the game. This all happens once you press GAME START in the launcher.

This launcher also requires, for some reason, that a psobb.exe always be present, even if it's an older version. If you attempt to delete the original psobb.exe, leave only the .pat and start the game via online.exe, you will be presented with the garbled text that just says "It cannot find the original psobb.exe".

online.exe has different ways to start the game, which I believe is what controls the title screens. There are other settings, such as enabling the special login via the Hangame gateway, as PSOBB was also distributed in Japan by Hangame, among other unknown stuff.

It might look like online.exe is a simple program to start the game, but I'm sure there's more than meets the eye to it too.

It's a relationship between psobb.pat, psobb.exe and online.exe.

nolrinale avatar Jan 22 '24 17:01 nolrinale

@MADrewry I managed to launch the client under Windows 10 and adjusted the HOSTS file to point to my server like the newserv readme says, but then I keep getting error 908. How did you manage to connect to your server with it?

I'm using these, btw:

127.0.0.1 psobb-ep4-db.segaonline.jp
127.0.0.1 psobb-ep4-patch.segaonline.jp
127.0.0.1 patch01.psobb.segaonline.jp
127.0.0.1 game01.psobb.segaonline.jp

nolrinale avatar Jan 23 '24 17:01 nolrinale

I have these additional entries in my hosts file:

db.psobb.cn
patch.psobb.cn
game01.us.segaonline.jp
patch01.us.segaonline.jp

I didn't think it was using any of those, as a packet trace only showed connection attempts to patch01.psobb.segaonline.jp, but those are all addresses I found in the file. Give those a try anyway and see if that helps.

MADrewry avatar Jan 23 '24 21:01 MADrewry

I tried it but it didn't connect; I keep getting error 908.

nolrinale avatar Jan 23 '24 23:01 nolrinale

I haven't tried both server and client on the same box before, so as a test I started a Windows newserv server and the new client on the same Windows 10 box using the following settings in my host file:

127.0.0.1 game01.us.segaonline.jp
127.0.0.1 game01.psobb.segaonline.jp
127.0.0.1 patch01.us.segaonline.jp
127.0.0.1 patch01.psobb.segaonline.jp
127.0.0.1 db.psobb.cn
127.0.0.1 patch.psobb.cn
127.0.0.1 psobb-ep4-db.segaonline.jp
127.0.0.1 psobb-ep4-patch.segaonline.jp

I also set the LocalAddress in the newserv config.json to 127.0.0.1, and I was able to successfully connect to the server. I also ran another packet trace just to refresh my memory, and the client is only looking for patch01.psobb.segaonline.jp, so that entry should work. Not sure what it is about your configuration that may be different.

On a side note, I did get the Windows Firewall popup to allow access the first time I started the server. Maybe you bypassed that without realizing it?

MADrewry avatar Jan 24 '24 04:01 MADrewry

Tried both against the main Linux server and the local one, same thing, 908. The servers are all Linux; it's just the client running on Windows.

nolrinale avatar Jan 24 '24 07:01 nolrinale

Alright, the problem was with the ports in config.json. I already sent a PR with the correct ones, but you need to add these, as the official client uses different ports than Tethealla:

    "bb-patch2":     [11100, "patch", "patch_server_bb"],
    "bb-init2":      [11101, "bb",    "login_server"],

nolrinale avatar Jan 24 '24 14:01 nolrinale
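The error-908 hunt above came down to two things that are easy to get subtly wrong: the hosts-file redirects and the newserv listener ports for the official JP client (11100 for the patch server, 11101 for the login server, per the psobb.jp FAQ linked below). As an added example (not from this thread and not newserv's own code), here is a Python preflight check that parses a hosts file, reads a newserv-style config and reports anything that would keep the client from reaching the server. The `PortConfiguration` key name and the `[port, version, behavior]` entry shape are assumed from the two lines posted above; `LocalAddress` is the key MADrewry mentions earlier. The hosts text and both config fragments are constructed for the example, and the 11000/12000 entries in them are placeholder ports, not a statement about any real server.

```python
import ipaddress
import json

# Hostnames the hosts-file entries posted in this thread redirect to the server.
CLIENT_HOSTNAMES = [
    "patch01.psobb.segaonline.jp",
    "game01.psobb.segaonline.jp",
    "psobb-ep4-patch.segaonline.jp",
    "psobb-ep4-db.segaonline.jp",
]

# Ports the official JP client uses (psobb.jp FAQ) and the newserv version string
# each listener must carry, taken from the two config lines posted above.
REQUIRED_LISTENERS = {11100: "patch", 11101: "bb"}

# Constructed sample hosts file matching the entries posted in this thread.
SAMPLE_HOSTS = """
# PSOBB -> local newserv
127.0.0.1 psobb-ep4-db.segaonline.jp
127.0.0.1 psobb-ep4-patch.segaonline.jp
127.0.0.1 patch01.psobb.segaonline.jp
127.0.0.1 game01.psobb.segaonline.jp
"""

# Constructed config fragments. 11000/12000 are placeholder ports for the example;
# the "PortConfiguration" key name is an assumption about newserv's config layout.
CONFIG_WITHOUT_JP_PORTS = json.dumps({
    "LocalAddress": "127.0.0.1",
    "PortConfiguration": {
        "bb-patch": [11000, "patch", "patch_server_bb"],
        "bb-init":  [12000, "bb",    "login_server"],
    },
})
CONFIG_WITH_JP_PORTS = json.dumps({
    "LocalAddress": "127.0.0.1",
    "PortConfiguration": {
        "bb-patch":  [11000, "patch", "patch_server_bb"],
        "bb-init":   [12000, "bb",    "login_server"],
        "bb-patch2": [11100, "patch", "patch_server_bb"],
        "bb-init2":  [11101, "bb",    "login_server"],
    },
})


def parse_hosts(text):
    """Map lowercase hostname -> IP for every non-comment line of a hosts file."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        ipaddress.ip_address(ip)  # reject a malformed address instead of silently mapping to it
        for name in names:
            mapping[name.lower()] = ip
    return mapping


def check_setup(hosts_text, config_text):
    """Return a list of problem strings; an empty list means the client should reach the server."""
    problems = []
    hosts = parse_hosts(hosts_text)
    config = json.loads(config_text)
    server_ip = config.get("LocalAddress")

    # Every hostname the client may resolve has to land on the server's address.
    for name in CLIENT_HOSTNAMES:
        ip = hosts.get(name)
        if ip is None:
            problems.append(f"hosts: {name} is not redirected")
        elif server_ip and ip != server_ip:
            problems.append(f"hosts: {name} -> {ip}, but LocalAddress is {server_ip}")

    # Adding entries can collide with existing ones; newserv can only bind a port once.
    listeners = {}
    for label, (port, version, behavior) in config["PortConfiguration"].items():
        if port in listeners:
            problems.append(f"config: port {port} is listed twice ({listeners[port][0]} and {label})")
        listeners[port] = (label, version, behavior)

    # The official client's ports must exist and speak the right protocol version.
    for port, version in REQUIRED_LISTENERS.items():
        if port not in listeners:
            problems.append(f"config: no listener on port {port} (client expects version {version!r})")
        elif listeners[port][1] != version:
            problems.append(f"config: port {port} is version {listeners[port][1]!r}, expected {version!r}")
    return problems


if __name__ == "__main__":
    for label, cfg in (("without JP ports", CONFIG_WITHOUT_JP_PORTS), ("with JP ports", CONFIG_WITH_JP_PORTS)):
        print(label, "->", check_setup(SAMPLE_HOSTS, cfg) or "ok")
```

On a real machine, feed `check_setup` the contents of `C:\Windows\System32\drivers\etc\hosts` and the server's `config.json`; a clean result only says the configuration is consistent, so a firewall prompt that was dismissed (as MADrewry notes above) or a server bound to a different interface still has to be checked separately.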

Well, that is curious. Mine has been working without those ports in my config.json. I wonder, is there something about Fuzzi's launcher that changes the client? How did you manage to run the client; are you using Fuzzi's launcher or another tool?

MADrewry avatar Jan 24 '24 15:01 MADrewry

Just the fuzzi launcher, nothing else. I just confirmed the required ports via the official site FAQ and added them to the config:

https://web.archive.org/web/20101128224327/http://psobb.jp/support/faq/faq_98.html

nolrinale avatar Jan 24 '24 15:01 nolrinale

Interesting. That makes me curious about my setup and why it's working. I may do a new clean setup and see what happens.

On a side note: after many frustrating, unsuccessful attempts at unpacking the client via debuggers (I haven't been able to get past GameGuard yet), I instead managed to get a (mostly) unpacked client by running the client with Fuzzi's launcher, then dumping the process from memory to a file. Unfortunately I haven't been able to find the OEP of the original file and cannot fix the .dll imports correctly, so while I have an unpacked client, it does not run because of missing .dll calls. I'm still taking potshots at cracking this puzzle as time permits, but I'm willing to take any advice anyone has.

MADrewry avatar Jan 24 '24 23:01 MADrewry

I have managed to get a working version of the unpacked psobb.exe file, although I can't take credit for it: after going bleary-eyed looking at the code in the debugger, I realized the answer was in front of me in an open tab of my browser the whole time. I had initially tried to use Stripper to unpack the file, both the version fuzzi posted here and a newer version I already had. Both had failed, so I abandoned the software and was looking at other methods. But syd had also created this version of Stripper. The reference to it was sitting in an old forum post on an open page of my browser for days and I didn't notice it. I was able to locate the actual file via the Wayback Machine. This version successfully unpacked the file, so now we have a viable way of unpacking it. I haven't posted the actual unpacked file because I am not sure if it is OK to do so here, but if fuzzi gives the go-ahead I will upload it.

MADrewry avatar Jan 28 '24 07:01 MADrewry

Please, could you explain how to do it? Just explaining the process from beginning to end is enough to document it. It is not necessary to post the unpacked file.

In the meantime I managed to decompress it in the Windows VM, but I'm currently trying to disable GG with the instructions @fuzziqersoftware posted above, and I've been unable to find that specific address in either the Tethealla or the clean exe...

nolrinale avatar Jan 28 '24 12:01 nolrinale

It's fine to post the unpacked executable here. I can't promise I'll have time to figure out the GameGuard patch, but maybe someone else will be able to.

fuzziqersoftware avatar Jan 28 '24 17:01 fuzziqersoftware