F1 2002 selfmade Dedicated Server

Started by ThePro, June 09, 2007, 07:13 AM


ThePro

Hello!
I don't know if this is the wrong board to post this, but since it seems you have some knowledge in reverse engineering game protocols (like BNCS), it could be the correct one. ;)

Sometimes I play F1 2002 with some friends over the Internet.
This is the best F1 multiplayer game I ever played, but unfortunately there exists no dedicated server. :(
You have to run a copy of that game to open a server.
When more than 5 Players connect, the game will be unplayable since there are lots of data to be transmitted.

The F1 series has been cancelled by EA SPORTS, so there is no hope of waiting for another game from them. :(
Since I have a root server with a 100Mbit connection, my idea was to write an open source dedicated server on my own.

The hardest part of it is to analyse the game's protocol.
Is there anyone here who has some knowledge in reverse engineering a protocol or could help me a little bit?

Here is an example of what a packet looks like:

0000:  04 00 43 00 20 F6 FF 0F 43 00 02 00 00 00 54 68  ..C. ...C.....Th
0010:  65 50 72 6F 00 00 00 00 00 00 00 00 00 00 00 00  ePro............
0020:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 4D 47  ..............MG
0030:  30 35 00 00 00 00 00 FF 00 00 00 00 00 00 00 00  05..............
0040:  03 77 02 00 00 00 01 00 00 00 00 xx xx xx xx xx .w.........


This is sent by the server when someone connects. My name on the server is 'ThePro', so this packet seems to tell the other players what my name is.

Kp

For protocols of any complexity, you will probably have to disassemble at least parts of the game binary to figure out the meaning of some fields.  Depending on how the F1 designers implemented the game, you may end up needing to implement a substantial portion of the game logic in your server.  There are a fair number of people who read the forums and have some background in reverse engineering.

Reverse engineering a non-trivial protocol is rarely quick, so I doubt you'll get much help here.  Most people who do this do it for some personal gain.  This contrasts with certain other types of help provided here, which are easy to give and so do not require gain as a motivator.
[19:20:23] (BotNet) <[vL]Kp> Any idiot can make a bot with CSB, and many do!

warz

If you were to ask questions specifically regarding reverse engineering tips and tricks, or 'what does this asm do', or 'what's wrong with my code here', you'll most likely receive some helpful answers.

ThePro

#3
Okay, I started to analyse today.
I found out which packet has to be sent when the server changes the track.

I used WPE Pro to spoof that packet, so the game on my other computer thought that a new track had to be loaded, but on the server the old track was still running. :D

Here are some pics:
http://img73.imageshack.us/img73/5521/f11tm1.jpg
http://img470.imageshack.us/img470/9669/f12lc7.jpg
http://img470.imageshack.us/img470/918/f13cn2.jpg

It seems it is a very simple protocol, with no special "out of sync" detection.
The coordinates are just transmitted constantly (every 100ms I guess) in UDP packets.

Now I tried to resend one of these coordinate packets, but I got an error from WPE Pro :(
In the Messages box I got a "CONNECTION SUCCESFULLY OPEN", but a moment later the Packet(s) Error gets increased by one.

I noticed that the coordinates are sent to 0.0.0.0:17677, but the "next track" packets are sent to the network IP of my other machine.


These are the 2 magic "track change packets":

30  192.168.0.29:30477  192.168.0.21:30477  127  Send 
0000  04 00 77 00 A0 F6 FF 0F 00 00 00 00 6C 6F 6C 00    ..w.........lol.
0010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0020  00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 10    ................
0030  48 6C 6F 6C 00 00 00 00 00 00 00 00 00 00 00 00    Hlol............
0040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0050  00 49 54 41 4C 59 00 00 00 00 00 00 00 00 00 00    .ITALY..........
0060  00 00 00 10 01 01 64 02 00 06 02 B3 0B BD A9 00    ......d.........
0070  3F 00 00 00 00 7F FE 0A 00 45 0D 00 00 00 00       ?........E.....

31  192.168.0.29:30477  192.168.0.21:30477  16  Send 
0000  04 00 08 00 01 F6 FF 0F 00 00 45 45 06 73 09 45    ..........EE.s.E

As you can see, the packets are addressed to 192.168.0.21

Now the coordinate packets:

1  :0  0.0.0.0:17677  72  RecvFrom 
0000  04 00 40 00 60 09 BE 00 04 01 08 BE 00 3A 81 0C    ..@.`........:..
0010  40 11 04 4F 09 45 F1 6B 9B 43 B8 FC 7F C0 F7 10    @..O.E.k.C......
0020  5F 41 AD FF AE 11 FA FF 0C 0C 04 04 FD FF FD FF    _A..............
0030  FE FF 00 00 00 00 00 00 00 00 00 00 00 00 1D 00    ................
0040  E7 FF C0 50 2E 21 00 80                            ...P.!..

2  0.0.0.0:17677  :0  72  SendTo 
0000  04 00 40 00 60 09 BE 00 04 01 08 BE 00 3A 80 0C    ..@.`........:..
0010  40 11 BA 50 09 45 C1 A6 43 41 70 13 EE BF 31 1E    @..P.E..CAp...1.
0020  5A C3 ED FF 28 0C 00 00 0C 0C 04 04 00 00 00 00    Z...(...........
0030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0040  01 00 C0 F1 0F 00 00 E0                            ........

WTF? why 0.0.0.0?

Ringo

Quote from: ThePro on June 10, 2007, 07:51 AM
It seems it is a very simple protocol, with no special "out of sync" detection.
The coordinates are just transmitted constantly (every 100ms I guess) in UDP packets.
I would guess that the 100ms "beat" is responsible for game sync, as for a driving game it's very important to know exactly at what interval a player turned, accelerated, braked, etc., to work out their exact position/speed on the track.
The UDP packets should* have a sent and recv count (maybe offset 0x0E) for something like this, to keep track of lost/late packets.
Depending on whether the UDP data is transmitted to the server or to the player, it is going to depend how much (if any) game physics/logic your server is going to need built in (see Kp's post).

Quote from: ThePro on June 10, 2007, 07:51 AM
These are the 2 magic "track change packets":

30  192.168.0.29:30477  192.168.0.21:30477  127  Send 
0000  04 00 77 00 A0 F6 FF 0F 00 00 00 00 6C 6F 6C 00    ..w.........lol.
0010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0020  00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 10    ................
0030  48 6C 6F 6C 00 00 00 00 00 00 00 00 00 00 00 00    Hlol............
0040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0050  00 49 54 41 4C 59 00 00 00 00 00 00 00 00 00 00    .ITALY..........
0060  00 00 00 10 01 01 64 02 00 06 02 B3 0B BD A9 00    ......d.........
0070  3F 00 00 00 00 7F FE 0A 00 45 0D 00 00 00 00       ?........E.....

31  192.168.0.29:30477  192.168.0.21:30477  16  Send 
0000  04 00 08 00 01 F6 FF 0F 00 00 45 45 06 73 09 45    ..........EE.s.E

As you can see, the packets are addressed to 192.168.0.21

Now the coordinate packets:

1  :0  0.0.0.0:17677  72  RecvFrom 
0000  04 00 40 00 60 09 BE 00 04 01 08 BE 00 3A 81 0C    ..@.`........:..
0010  40 11 04 4F 09 45 F1 6B 9B 43 B8 FC 7F C0 F7 10    @..O.E.k.C......
0020  5F 41 AD FF AE 11 FA FF 0C 0C 04 04 FD FF FD FF    _A..............
0030  FE FF 00 00 00 00 00 00 00 00 00 00 00 00 1D 00    ................
0040  E7 FF C0 50 2E 21 00 80                            ...P.!..

2  0.0.0.0:17677  :0  72  SendTo 
0000  04 00 40 00 60 09 BE 00 04 01 08 BE 00 3A 80 0C    ..@.`........:..
0010  40 11 BA 50 09 45 C1 A6 43 41 70 13 EE BF 31 1E    @..P.E..CAp...1.
0020  5A C3 ED FF 28 0C 00 00 0C 0C 04 04 00 00 00 00    Z...(...........
0030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0040  01 00 C0 F1 0F 00 00 E0                            ........

WTF? why 0.0.0.0?
I think it shows as 0.0.0.0 rather than the network IP because of WPE or because of a router (I'm not sure, but it's nothing to worry about if you know the correct address).
Rather than editing the packets with WPE to see the effect, depending how much packet modifying you need to do, it may be worth creating a gateway, so the F1 game connects to that, and the gateway connects to the F1 server host and proxies the data through the gateway.
That should give easy access to packet modifications both ways, as well as making it easy to create a suitable packet buffer, parsing routines, and so on, ready for when you start a server.
Also the gateway can be the packet logger as well :)

I'm not sure how much you have looked into the packets, but it looks like the first 8 bytes are a packet header, and the rest is the payload.
(WORD) 0x04
(WORD) Length of packet (excluding the header length of 8)
(DWORD) Maybe a checksum or some packet ID, maybe
(VOID) Packet

Also it looks like the UDP messages have a 2nd header at the start of the packet payload.
I'm guessing the F1 game deals with and transmits forces, because the UDP coordinate packets seem to have a lot of values in them that would suggest things like acceleration, braking, turning forces etc. are all transmitted constantly.

also, lol at them 2 in 1 track ss's :)

ThePro

Quote from: Ringo on June 10, 2007, 08:58 AM
I think it shows as 0.0.0.0 rather than the network IP because of WPE or because of a router (I'm not sure, but it's nothing to worry about if you know the correct address).

Hm, it seems to be a problem of WPE. I used Ethereal to check the packets and noticed that all packets are addressed correctly to 192.168.0.21
I tried to send the packet manually with WPE, but I still get an error.
Could you suggest me another good packet editor? I've downloaded NetXray but it says that it's only possible to install it on machines located in Canada or USA. :(

Quote from: Ringo on June 10, 2007, 08:58 AM
I'm not sure how much you have looked into the packets, but it looks like the first 8 bytes are a packet header, and the rest is the payload.
(WORD) 0x04
(WORD) Length of packet (excluding the header length of 8)
(DWORD) Maybe a checksum or some packet ID, maybe
(VOID) Packet

Also it looks like the UDP messages have a 2nd header at the start of the packet payload.
I'm guessing the F1 game deals with and transmits forces, because the UDP coordinate packets seem to have a lot of values in them that would suggest things like acceleration, braking, turning forces etc. are all transmitted constantly.

also, lol at them 2 in 1 track ss's :)
No, I didn't check it yet, but you are right, thx. It's similar to BNCS.

PS: The lol you can see twice was the game name I chose when I opened the server. :)

l2k-Shadow

Quote from: ThePro on June 10, 2007, 10:13 AM
Could you suggest me another good packet editor? I've downloaded NetXray but it says, thats only possible to install it on Machines located in Canada or USA. :(

that could probably be cracked.
Quote from: replaced on November 04, 2006, 11:54 AM
I dunno what it means, someone tell me what's ix86 and pmac?
Can someone send me a working bot source (with bnls support) to my email?  Then help me copy and paste it to my bot? ;D
I was meant to live here,
eating boiled pork with horseradish and drinking beer with it.
Over there, they say, you'd be living like a pig in clover,
but I don't want to sit on my arse in front of anyone.

I'm not from the USA, I'm not from the USA, I'm really not from the USA... and hopefully they won't be angry with me for that.

ThePro

Yes, but I dunno how.
I tried W32Dasm but I didn't find the string resource of the MessageBox.

l2k-Shadow



ThePro

#10
That's what I found out so far: (It will be updated when I find out more. Last update: 13.June.2007, 04:31 GMT+1:00)

Ports
F1 2002 uses several ports, each with its own special task.

Port 3297 (UDP)
The task of this port is to tell the name of the server, which track is currently running and the amount of connected players. This will be shown in the server list.
A client has to send "\status\" and the server will answer like this:
"\\gamename\\f12002\\gamever\\1.000\\hostname\\ThePros Dediacted Server\\hostport\\3397\\mapname\\Germany\\numplayers\\1\\maxplayers\\16\\maxdatarate\\22\\fuelmultiplier\\1\\player_0\\ThePro\\vehicle_0\\MM03\\score_0\\0\\ping_0\\0\\final\\\\queryid\\2.1"

Port 30477 (TCP)
This port is used for any other information (track change, chat messages, player leaves, etc.)
It is also used right after a client connects, to give it some information about the server (which car each player has, etc.)

Port 17677 (UDP)
The game data is transmitted here. Server and client send packets in both directions constantly.
I think the contents of the packets are current speed, coordinates, forces etc., like Ringo said above.

Packets
F1_HEADER:
SyncByte (WORD) (Always 0x04)
Datalen (WORD)
MessageID (DWORD)

F1_SC_LOGIN_UNKNOWN1: (MessageID: 0x0FFFF6C0) [Client => Server]
Unknown: 02 00 45 0D
    C0 A8 00 15
    00 00 00 06
    40 00 36 00

F1_SC_LOGIN_UNKNOWN2: (MessageID: 0x0FFFF780) [Client => Server]
Unknown: 00 9A 83 7C
    D8 FC 80 7C
    FF


F1_SC_PLAYERINFO: (MessageID: 0x0FFFF620) [Server => Client]
Unknown: 43 00 02 00 00 00
Playername[32]: (char) (Unknown if terminated)
CarModelName[8] (char) (Unknown if terminated)
Unknown: 00 FF 00 00 00 00 00 00 00 00 03
    77 02 00 00 00 01 00 00 00 00


F1_SC_TRACKINFO: (MessageID: 0x0FFFF6A0) [Server => Client]
Unknown:  00 00 00 00
Gamename[32]: (char)
Unknown (DWORD)
Gamename[32] (char)
Trackname[16?] (char)
Unknown: (Maybe the rules like weather, damage etc.)
00 00 10 01 01 64 02 00 16 00 A0 0B 8E 58 CB 3D 00 00 00 00 FF FF 0A 00 00 00 00
00 00 00


F1_SC_LOGIN_UNKNOWN3: (MessageID: 0x0FFFFA40) [Server => Client]
Unknown: (DWORD) 03 00


F1_SC_LOGIN_REQUEST_UNKNOWN: (MessageID: 0x0FFFF601) [Client => Server]
Unknown: 00 00 43 44 00 00 00 00

F1_SC_LOGIN_REQUEST_UNKNOWN: (MessageID: 0x0FFFF601) [Server => Client]
Unknown: 00 3D 44 44 6B 7E 4A 42 02 00 00 00 00 00 80
(In one of the two responses the rest will be 'BF 00 00 80' a lot of times.)


F1_SC_CHATMSG: (MessageID: 0x0FFFF201) [Client => Server]
Union (WORD)
   ChatMessageLen(10 bits)
   Sender (6 bits)
Unknown (WORD) (Always 0x4446)
Unknown (DWORD) (Timestamp?)
Message (char) (non-terminated. The length from ChatMessageLen will be assumed)

F1_SC_LEAVE: (MessageID: 0x0FFFF7C0) [Client => Server]
none


Notes
F1_SC_LOGIN_REQUEST_UNKNOWN (0x0FFFF601) seems to be a special message, with different meanings with a subheader.

Messages
F1_SC_CHATMSG = 0x0FFFF201

F1_SC_LOGIN_UNKNOWN1 = 0x0FFFF6C0
F1_SC_LOGIN_UNKNOWN2 = 0x0FFFF780
F1_SC_LEAVE = 0x0FFFF7C0
F1_SC_PLAYERINFO = 0x0FFFF620
F1_SC_TRACKINFO = 0x0FFFF6A0
F1_SC_LOGIN_UNKNOWN3 = 0x0FFFFA40
F1_SC_LOGIN_REQUEST_UNKNOWN = 0x0FFFF601
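
As an added example (not code from this thread or from the game), here is a small parser that applies the header layout Ringo sketched and the message list above to the bytes ThePro dumped in this thread: it reads F1_HEADER (sync word, Datalen, little-endian MessageID), splits a TCP stream on port 30477 into messages by Datalen, pulls Playername and CarModelName out of F1_SC_PLAYERINFO, turns the port-3297 `\status\` reply into a dict, and decodes the F1_SC_CHATMSG WORD. The sample bytes are transcribed from the dumps in this thread; the bit order of the chat union (low 10 bits = length, high 6 bits = sender) is an assumption, as is reading the doubled backslashes in the quoted status reply as escaped single ones.

```python
import struct

# Message IDs as listed in the post above; on the wire they are a little-endian
# DWORD (the bytes 20 F6 FF 0F in the first dump of this thread are 0x0FFFF620).
MESSAGE_NAMES = {
    0x0FFFF201: "F1_SC_CHATMSG",
    0x0FFFF6C0: "F1_SC_LOGIN_UNKNOWN1",
    0x0FFFF780: "F1_SC_LOGIN_UNKNOWN2",
    0x0FFFF7C0: "F1_SC_LEAVE",
    0x0FFFF620: "F1_SC_PLAYERINFO",
    0x0FFFF6A0: "F1_SC_TRACKINFO",
    0x0FFFFA40: "F1_SC_LOGIN_UNKNOWN3",
    0x0FFFF601: "F1_SC_LOGIN_REQUEST_UNKNOWN",
}

# F1_HEADER: SyncByte (WORD), Datalen (WORD, payload only), MessageID (DWORD).
HEADER = struct.Struct("<HHI")


def parse_f1_message(buf):
    """Parse one header-prefixed message from the front of buf.

    Returns (name, message_id, payload, remaining_bytes). Raises ValueError on a
    bad sync word or a Datalen that runs past the buffer, so a peer cannot make
    the parser read beyond what was actually received.
    """
    if len(buf) < HEADER.size:
        raise ValueError("need %d header bytes, have %d" % (HEADER.size, len(buf)))
    sync, datalen, msgid = HEADER.unpack_from(buf, 0)
    if sync != 0x0004:
        raise ValueError("bad sync word 0x%04X" % sync)
    end = HEADER.size + datalen
    if len(buf) < end:
        raise ValueError("truncated: Datalen %d but only %d payload bytes"
                         % (datalen, len(buf) - HEADER.size))
    name = MESSAGE_NAMES.get(msgid, "UNKNOWN_0x%08X" % msgid)
    return name, msgid, bytes(buf[HEADER.size:end]), bytes(buf[end:])


def split_stream(buf):
    """Split a TCP byte stream (port 30477) into its messages by header length."""
    messages = []
    while buf:
        name, msgid, payload, buf = parse_f1_message(buf)
        messages.append((name, msgid, payload))
    return messages


def cstring(raw):
    """Decode a fixed-width text field, stopping at the first NUL if there is one."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def parse_playerinfo(payload):
    """F1_SC_PLAYERINFO per the post: 6 unknown bytes, Playername[32], CarModelName[8]."""
    if len(payload) < 46:
        raise ValueError("PLAYERINFO payload too short")
    return cstring(payload[6:38]), cstring(payload[38:46])


def decode_chat_union(word):
    """Split the F1_SC_CHATMSG WORD into (ChatMessageLen, Sender).

    The post gives the widths (10 and 6 bits) but not the bit order; low 10 bits
    = length, high 6 bits = sender is an assumption made here.
    """
    return word & 0x3FF, (word >> 10) & 0x3F


def parse_status_response(text):
    r"""Turn the port-3297 reply (\key\value\key\value...) into a dict.

    An empty value (the \final\\ entry) is kept as "".
    """
    parts = text.lstrip("\\").split("\\")
    if len(parts) % 2:
        raise ValueError("odd number of backslash-separated fields")
    return dict(zip(parts[0::2], parts[1::2]))


# Constructed samples built from the bytes ThePro dumped in this thread. The
# first PLAYERINFO dump ends in "xx xx xx xx xx"; those are dropped here because
# Datalen (0x43 = 67) plus the 8-byte header gives exactly the 75 bytes shown.
PLAYERINFO = bytes.fromhex(
    "04 00 43 00 20 F6 FF 0F 43 00 02 00 00 00 54 68"
    "65 50 72 6F 00 00 00 00 00 00 00 00 00 00 00 00"
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 4D 47"
    "30 35 00 00 00 00 00 FF 00 00 00 00 00 00 00 00"
    "03 77 02 00 00 00 01 00 00 00 00"
)
TRACKCHANGE = bytes.fromhex(
    "04 00 77 00 A0 F6 FF 0F 00 00 00 00 6C 6F 6C 00"
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
    "00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 10"
    "48 6C 6F 6C 00 00 00 00 00 00 00 00 00 00 00 00"
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
    "00 49 54 41 4C 59 00 00 00 00 00 00 00 00 00 00"
    "00 00 00 10 01 01 64 02 00 06 02 B3 0B BD A9 00"
    "3F 00 00 00 00 7F FE 0A 00 45 0D 00 00 00 00"
)
TRACKCHANGE_2 = bytes.fromhex("04 00 08 00 01 F6 FF 0F 00 00 45 45 06 73 09 45")

# The doubled backslashes in the quoted reply are read as escaped single ones,
# matching the "\status\" request; r"" keeps them literal here.
STATUS = (r"\gamename\f12002\gamever\1.000\hostname\ThePros Dediacted Server"
          r"\hostport\3397\mapname\Germany\numplayers\1\maxplayers\16"
          r"\maxdatarate\22\fuelmultiplier\1\player_0\ThePro\vehicle_0\MM03"
          r"\score_0\0\ping_0\0\final\\queryid\2.1")

if __name__ == "__main__":
    for name, msgid, payload in split_stream(TRACKCHANGE + TRACKCHANGE_2 + PLAYERINFO):
        print("%-28s id=0x%08X payload=%d bytes" % (name, msgid, len(payload)))
    print(parse_playerinfo(split_stream(PLAYERINFO)[0][2]))
    print(parse_status_response(STATUS)["hostname"])
```

The length check before slicing is the part worth copying into a real server: Datalen comes from the peer, and a server that trusts it blindly will read past the end of its receive buffer on a short or hostile packet.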





ThePro

#11
The hardest part will be editing the received packets of a client correctly and sending them to the other clients.
Here is a dump of the Server, when 2 clients are connected:


2  Hide  Hide  72  RecvFrom 
0000  04 00 40 00 60 09 BE 00 04 01 08 BE 00 3A 81 0C    ..@.`........:..
0010  40 10 61 29 3A 45 22 F9 CD C1 34 05 F9 C0 C2 80    @.a):E"...4.....
0020  E6 41 EE FF F3 FF 00 00 0C 0C 04 04 00 00 00 00    .A..............
0030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0040  00 00 C0 F1 01 00 00 E0                            ........

3  Hide  Hide  72  SendTo 
0000  04 00 40 00 60 09 BE 00 04 01 08 BE 00 3A 80 0C    ..@.`........:..
0010  40 10 21 2A 3A 45 AA 96 27 C2 2D 0B F9 C0 2D 32    @.!*:E..'.-...-2
0020  E6 41 EE FF EB FF 00 00 0D 0D 05 05 00 00 00 00    .A..............
0030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0040  00 00 C0 F1 01 00 00 E0                            ........



4  Hide  Hide  72  SendTo 
0000  04 00 40 00 60 09 BE 00 04 01 08 BE 00 3A 80 0C    ..@.`........:..
0010  40 10 E4 2A 3A 45 AA 96 27 C2 2D 0B F9 C0 2D 32    @..*:E..'.-...-2
0020  E6 41 EE FF EB FF 00 00 0D 0D 05 05 00 00 00 00    .A..............
0030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0040  00 00 C0 F1 01 00 00 E0                            ........

5  Hide  Hide  72  RecvFrom 
0000  04 00 40 00 60 09 BE 00 04 01 08 BE 00 3A 81 0C    ..@.`........:..
0010  40 10 F7 2A 3A 45 23 F9 CD C1 34 05 F9 C0 C2 80    @..*:E#...4.....
0020  E6 41 EE FF F3 FF 00 00 0C 0C 04 04 00 00 00 00    .A..............
0030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0040  00 00 C0 F1 01 00 00 E0                            ........



6  Hide  Hide  72  SendTo 
0000  04 00 40 00 60 09 BE 00 04 01 08 BE 00 3A 80 0C    ..@.`........:..
0010  40 10 9E 2B 3A 45 AA 96 27 C2 2E 0B F9 C0 2D 32    @..+:E..'.....-2
0020  E6 41 EE FF EB FF 00 00 0D 0D 05 05 00 00 00 00    .A..............
0030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0040  00 00 C0 F1 01 00 00 E0                            ........

7  Hide  Hide  72  SendTo 
0000  04 00 40 00 60 09 BE 00 04 01 08 BE 00 3A 80 0C    ..@.`........:..
0010  40 10 5C 2C 3A 45 A9 96 27 C2 2E 0B F9 C0 2D 32    @.\,:E..'.....-2
0020  E6 41 EE FF EB FF 00 00 0D 0D 05 05 00 00 00 00    .A..............
0030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FF    ................
0040  00 00 C0 F1 01 00 00 E0                            ........



8  Hide  Hide  72  RecvFrom 
0000  04 00 40 00 60 09 BE 00 04 01 08 BE 00 3A 81 0C    ..@.`........:..
0010  40 10 93 2C 3A 45 23 F9 CD C1 34 05 F9 C0 C2 80    @..,:E#...4.....
0020  E6 41 EE FF F3 FF 00 00 0C 0C 04 04 00 00 00 00    .A..............
0030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00    ................
0040  00 00 C0 F1 01 00 00 E0                            ........

9  Hide  Hide  72  SendTo 
0000  04 00 40 00 60 09 BE 00 04 01 08 BE 00 3A 80 0C    ..@.`........:..
0010  40 10 0E 2D 3A 45 A9 96 27 C2 2D 0B F9 C0 2D 32    @..-:E..'.-...-2
0020  E6 41 EE FF EB FF 00 00 0D 0D 05 05 00 00 00 00    .A..............
0030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0040  00 00 C0 F1 01 00 00 E0                            ........

10  Hide  Hide  72  SendTo 
0000  04 00 40 00 60 09 BE 00 04 01 08 BE 00 3A 80 0C    ..@.`........:..
0010  40 10 CC 2D 3A 45 A9 96 27 C2 2D 0B F9 C0 2D 32    @..-:E..'.-...-2
0020  E6 41 EE FF EB FF 00 00 0D 0D 05 05 00 00 00 00    .A..............
0030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0040  00 00 C0 F1 01 00 00 E0               


Hm, I thought that the data of all clients just gets forwarded, but it isn't that easy.
Sometimes random pieces of a packet get modified before it gets forwarded.
Without any information about the packets, it will be very hard or impossible to handle that.
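
The dump above can be compared byte by byte instead of by eye. This added example (not code from the thread) reconstructs packets 2 to 5 of the server dump as constructed byte strings and reports, as offset runs, which bytes differ between a RecvFrom and the SendTo that follows it, and which bytes move between two consecutive SendTo packets. The offsets it reports come straight from the dumped bytes; reading the word at 0x12 as a counter or timestamp is a guess, in line with Ringo's remark about a send count, not something the thread establishes.

```python
# Constructed samples: packets 2 to 5 of the two-client server dump above,
# i.e. one RecvFrom, the two SendTo packets after it, and the next RecvFrom.
RECV_2 = bytes.fromhex(
    "04 00 40 00 60 09 BE 00 04 01 08 BE 00 3A 81 0C"
    "40 10 61 29 3A 45 22 F9 CD C1 34 05 F9 C0 C2 80"
    "E6 41 EE FF F3 FF 00 00 0C 0C 04 04 00 00 00 00"
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
    "00 00 C0 F1 01 00 00 E0"
)
SEND_3 = bytes.fromhex(
    "04 00 40 00 60 09 BE 00 04 01 08 BE 00 3A 80 0C"
    "40 10 21 2A 3A 45 AA 96 27 C2 2D 0B F9 C0 2D 32"
    "E6 41 EE FF EB FF 00 00 0D 0D 05 05 00 00 00 00"
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
    "00 00 C0 F1 01 00 00 E0"
)
SEND_4 = bytes.fromhex(
    "04 00 40 00 60 09 BE 00 04 01 08 BE 00 3A 80 0C"
    "40 10 E4 2A 3A 45 AA 96 27 C2 2D 0B F9 C0 2D 32"
    "E6 41 EE FF EB FF 00 00 0D 0D 05 05 00 00 00 00"
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
    "00 00 C0 F1 01 00 00 E0"
)
RECV_5 = bytes.fromhex(
    "04 00 40 00 60 09 BE 00 04 01 08 BE 00 3A 81 0C"
    "40 10 F7 2A 3A 45 23 F9 CD C1 34 05 F9 C0 C2 80"
    "E6 41 EE FF F3 FF 00 00 0C 0C 04 04 00 00 00 00"
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
    "00 00 C0 F1 01 00 00 E0"
)


def changed_offsets(a, b):
    """Offsets where two packets differ; a length mismatch counts as differing too."""
    n = min(len(a), len(b))
    diffs = [i for i in range(n) if a[i] != b[i]]
    diffs.extend(range(n, max(len(a), len(b))))
    return diffs


def runs(offsets):
    """Collapse sorted offsets into (first, last) runs so whole fields stand out."""
    out = []
    for o in offsets:
        if out and o == out[-1][1] + 1:
            out[-1] = (out[-1][0], o)
        else:
            out.append((o, o))
    return out


def hexs(chunk):
    return " ".join("%02X" % x for x in chunk)


def diff_report(a, b, label_a="a", label_b="b"):
    """One line per differing run, showing both packets' bytes at that run."""
    lines = []
    for first, last in runs(changed_offsets(a, b)):
        lines.append("0x%02X-0x%02X  %s: %-29s %s: %s" % (
            first, last, label_a, hexs(a[first:last + 1]), label_b, hexs(b[first:last + 1])))
    return lines


def word_at(p, off):
    """Little-endian 16-bit value at off (the header's own WORD fields are little-endian)."""
    return int.from_bytes(p[off:off + 2], "little")


if __name__ == "__main__":
    print("RecvFrom 2 vs SendTo 3 (bytes the server rewrote before forwarding):")
    for line in diff_report(RECV_2, SEND_3, "recv", "send"):
        print(" ", line)
    print("SendTo 3 vs SendTo 4 (the only bytes that move between two forwards):")
    for line in diff_report(SEND_3, SEND_4, "send3", "send4"):
        print(" ", line)
    print("word at 0x12: send3=0x%04X send4=0x%04X recv2=0x%04X recv5=0x%04X" % (
        word_at(SEND_3, 0x12), word_at(SEND_4, 0x12), word_at(RECV_2, 0x12), word_at(RECV_5, 0x12)))
```

Run against these four packets, the RecvFrom/SendTo diff is confined to 0x0E (81 vs 80, inside the second header Ringo pointed at) and a handful of runs between 0x12 and 0x2B, while two consecutive SendTo packets differ only at 0x12, where the little-endian word increases from one packet to the next in both directions. That is the kind of table to build before deciding which bytes a dedicated server must recompute and which it can copy through unchanged.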

warz

Who is hosting the server? The game acts as the host, correct? In that case, you'll need to debug the game while you host it, and locate the message dispatcher.

ThePro

#13
Quote from: betawarz on June 12, 2007, 09:17 PM
Who is hosting the server? The game acts as the host, correct? In that case, you'll need to debug the game while you host it, and locate the message dispatcher.
Yes, the game acts as host. That's why I want to make a dedicated server. :)

Debugging is the next thing I'll try, but I'm no reversing expert.
I will download Ollydebug tomorrow and give it a try.
Maybe this is a nice practice in reversing apps. ;)

ThePro

#14
I found another packet editor called 'Packetyzer'.
It's a very powerful packet editor, which is also able to modify UDP packets.

Now I was able to play with the Gamedata Packet.
When I sent a modified packet, for 1ms the car of the player whose packet I spoofed went to the position that was stored in that packet.
With a little bit of trial and error I found out the following most important data:

x,y,z - coordinates
x,y,z - rotation

Dunno which bytes they use yet and which other data is stored in the packet, since I just wanted to know if there is some encryption or something. As you can see there is not. :)

With that, I should be able to get a running server soon. :)
Finally I will go sleep now.
Updates will follow tomorrow.