A fundamental event occurred today. But it requires a backstory.
On February 24, 2013, I created a project called TSO-SE, with the following README.md:
# TSO-SE
TSO-SE ("The Sims Online Server Emulator") is not a serious project, but a curious one attempting to see just how far the game's original protocol can be cracked.
The project started with some PHP files and some documentation. I intended to upload this project to Github, but day after day inside OllyDbg I found myself repeating the phrase “Let me just finish figuring this thing out first so I can put something nice in for the initial commit”. On March 20, 2013, I successfully broke past the login screen on the official Maxis client for the TSO New & Improved trial (version 1.1097.1.0), into Select-A-Sim, and documented the results on the wiki. The process involves uploading a few PHP files to an HTTPS server (or patching the client to connect over HTTP rather than HTTPS) and specifying the server’s hostname in the client’s ini files. The same server can allow any version of The Sims Online into Select-A-Sim, from Play Test (1.3.2.89) to the final version of EA-Land (2.1667.5.0). For the rest of the game, a new server is required, one that speaks the ARIES/Voltron protocol over TLS; that protocol must be reverse engineered without the help of any decrypted packet logs.
Today, I have broken into Create-A-Sim. The implications are tremendous. I can make a pixel-perfect reconstruction of the original menus for Niotso Tech Preview 1. And I plan to finish it by the end of the summer.
Getting into Create-A-Sim was significantly more involved than Select-A-Sim. Sure, Select-A-Sim’s protocol was completely plaintext, allowing me to place a breakpoint on the cRZString::Compare() function and write down every XML tag it checked for. But more importantly, the networking code for Select-A-Sim was completely serial, and all the logic started and completed inside the same function. Two issues have held back Create-A-Sim for so long: the first is now fully resolved, and the second is ongoing.
The first issue was finding the logic that handles the server’s response. Select-A-Sim makes an HTTP request using wininet.dll’s HttpOpenRequest() function and then immediately parses the response. Aries, however, runs on its own thread. When data arrives via Winsock, it’s decrypted into a buffer using OpenSSL, and the 12-byte header is run through an initial validation. After that, some flags are set somewhere, and the TSOClient thread eventually gets to handling the data. These unknown flags have to indicate that the buffer holds a complete Voltron packet before the TSOClient thread handles it, meaning hardware breakpoints did nothing until I got the header right. So it’s a chicken-and-egg problem unless you can either find the flags or guess the header correctly; in my case, the header was just three fields, so it wasn’t difficult to guess. Afterwards, back over in the TSOClient thread, the code splits into hundreds of branches: unlike Select-A-Sim, there is no single right or wrong response by the server at any given time. How do you guess which (one or more, in cascade) of these corresponds to the Server Hello message (or whatever the hell it’s waiting for)? This problem can be reworded like this: what input state will cause this output state? In theory, as cryptographic hash functions exploit, this problem may be impractical to solve. However, as the “general” logic has at least been found, the initial issue in question can be more or less checked off.
The second issue is actually equivalent to the sub-problem of the first. After finding the function that updates the progress bar (which was not easy, because the results are not drawn until far later), I discovered that I could enter Create-A-Sim by forging the HandleConnectionEstablished message ID (0x3BF7000A) onto the cTSOClientLoginRegulator message queue in place of HandleConnectionFailed (0xFBF7001B), which was already an incredible find, but I wanted more than that: I wanted to know which packets cause the game to make this step on its own. The one function in TSONetServiceSimClientD.dll that posts 0x3BF7000A (located at 0x10011320) does not have any static call references; that is, it’s looked up from a v-table. The function appears in three v-tables at the same offset of +0x74. The regular expression “call[ ]*DWORD PTR \[.*\+0x74\]” yielded 30 matches, and after removing those that supply the wrong number of arguments or an obvious non-pointer as arg1, that still left me with 22 potential candidates. And if the code uses the lea instruction or anything else to look up the function from the v-table, all 22 could be false positives. Resolving references to a function that are computed on the spot like this, in theory, reduces to the halting problem. And this could just keep going back, requiring more and more levels of analysis. What connects the path from state A to state B? This is the point where I decided to give up going backwards, and try to attack this from the other direction.
The run-time type information from EA-Land, giving a name to each Voltron packet type, and guesswork are the only things that saved me here. It turned out that sending a HostOnlinePDU was the answer to getting into Create-A-Sim.
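The v-table call-site triage described above, written out as an added example (mine, not code from the post or from Niotso): it scans an objdump-style Intel-syntax listing, constructed here rather than taken from TSONetServiceSimClientD.dll, for the “call DWORD PTR [reg+0x74]” pattern and applies the two filters the post mentions, the number of pushes since the previous call or return and whether arg1 is an immediate. Assumed on my part: the target takes one pointer argument, and pushes are the only way arguments reach it (the heuristic is blind to register arguments and to “mov [esp+..]” stores).

```python
import re
# Constructed objdump -M intel style listing, not real TSONetServiceSimClientD.dll code.
LISTING = """\
10011006:  56                   push   esi
10011007:  8b 01                mov    eax,DWORD PTR [ecx]
10011009:  ff 50 74             call   DWORD PTR [eax+0x74]
1001100c:  c3                   ret
1001100d:  8b 01                mov    eax,DWORD PTR [ecx]
1001100f:  ff 50 74             call   DWORD PTR [eax+0x74]
10011012:  c3                   ret
10011013:  6a 01                push   0x1
10011015:  8b 01                mov    eax,DWORD PTR [ecx]
10011017:  ff 50 74             call   DWORD PTR [eax+0x74]
1001101a:  c3                   ret
1001101b:  56                   push   esi
1001101c:  8b 01                mov    eax,DWORD PTR [ecx]
1001101e:  ff 50 78             call   DWORD PTR [eax+0x78]
"""
INSN_RE = re.compile(r"^\s*([0-9a-f]+):\s+(?:[0-9a-f]{2} )+\s*([a-z]+)\s*(.*)$")
SLOT_RE = re.compile(r"DWORD PTR \[\w+\+0x74\]")  # the post's pattern, minus the `call`
def parse(listing):
    """(address, mnemonic, operands) for every instruction line."""
    out = []
    for line in listing.splitlines():
        m = INSN_RE.match(line)
        if m:
            out.append((int(m.group(1), 16), m.group(2), m.group(3).strip()))
    return out

def pushed_args(insns, idx):
    """Operands pushed since the previous call/ret/jmp, arg1 first (stack args go right to left)."""
    args = []
    for _, mnem, ops in reversed(insns[:idx]):
        if mnem in ("call", "ret", "jmp"):
            break
        if mnem == "push":
            args.append(ops)
    return args

def candidates(listing, nargs=1):
    """Addresses of +0x74 slot calls with exactly nargs pushes whose arg1 is not an immediate."""
    insns, keep = parse(listing), []
    for i, (addr, mnem, ops) in enumerate(insns):
        if mnem != "call" or not SLOT_RE.fullmatch(ops):
            continue  # not the slot we care about (e.g. +0x78)
        args = pushed_args(insns, i)
        if len(args) == nargs and not (args and args[0].startswith("0x")):
            keep.append(addr)  # survives both filters
    return keep
```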
How to do it yourself
- Make a backup of sys/gameentry.ini. Then open it with a text editor and set the “Server” field to niotso.org. If your version of TSO also has a gamedata/sys/ folder, do the same thing with the copy of gameentry.ini in that folder.
- Make a backup of sys/cityselector.ini. Then open it with a text editor and set the “ServerName” field to niotso.org. Keep “ServerPort” at 80. If your version of TSO also has a gamedata/sys/ folder, do the same thing with the copy of cityselector.ini in that folder.
Since I’d rather not pay for HTTPS hosting, you’ll have to make a binary patch to 3 DLLs using a hex editor (such as wxHexEditor, Ghex, or Frhed) to connect over HTTP. (If you decide to connect to a different server that supports HTTPS, you can skip these modifications.)
- Make a backup of authlogin.dll. Then open it with a hex editor. Replace the 5 bytes “68 00 30 C0 84” (in version 1.1097.1.0 these appear at offset 0x8325) with “68 00 00 40 84”. Also, replace the 5 bytes “68 BB 01 00 00” (in version 1.1097.1.0 these appear at offset 0x82AC) with “68 50 00 00 00”.
- Make a backup of TSOServiceClientD.dll. Then open it with a hex editor. Replace the 8 bytes “68 74 74 70 73 3A 2F 2F” (in version 1.1097.1.0 these appear at offset 0x923C0) with “68 74 74 70 3A 2F 2F 00”.
- Make a backup of InternetServiceD.dll. Then open it with a hex editor. Replace the 7 bytes “74 07 68 BB 01 00 00” (in version 1.1097.1.0 these appear at offset 0x17B2) with “EB 07 68 BB 01 00 00”. Not all versions of the game contain this code (play test and EA-Land do not), so for those versions, this file should remain untouched.
The above steps have been tested to work on all five versions of the game in our possession. After these modifications, if you also wish to enter Create-A-Sim, download the TSO-SE cityserver and run it in the background. Because the city server listens on a port, Windows Firewall (if you’ve enabled it) will ask you if you want to allow it to do so; click allow.
After you have done this, launch the game through TSOClient.exe (not the updater utility) and log in with “asdf” as your username and “hjkl” as your password. When you wish to create a Sim, click the button, and when you get to the progress bar, give the cityserver the command “send hostonlinepdu.dat”. If you’re curious, communications will be logged in log.dat, so take a look.
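The three DLL patches and the backup step, automated as an added example that is not part of the post or of TSO-SE: the byte patterns and 1.1097.1.0 offsets are the ones listed above, the offset is treated only as a hint (the file is searched otherwise, and an ambiguous pattern is refused rather than guessed), and the InternetServiceD.dll pattern is skipped when a build lacks it. The reading of what the patched bytes mean in the comments is mine, not the post’s.

```python
import shutil
from pathlib import Path
# (original bytes, replacement, offset in 1.1097.1.0, required?) from the steps above.
# authlogin.dll: push 0x84C03000 -> push 0x84400000 drops INTERNET_FLAG_SECURE (0x00800000)
# and the ignore-cert bits (0x3000); push 0x1BB -> push 0x50 turns port 443 into 80.
PATCHES = {
    "authlogin.dll": [
        (bytes.fromhex("680030C084"), bytes.fromhex("6800004084"), 0x8325, True),
        (bytes.fromhex("68BB010000"), bytes.fromhex("6850000000"), 0x82AC, True),
    ],
    # The "https://" string literal becomes "http://" plus a NUL terminator, same length.
    "TSOServiceClientD.dll": [
        (bytes.fromhex("68747470733A2F2F"), bytes.fromhex("687474703A2F2F00"), 0x923C0, True),
    ],
    # je -> jmp over the push 0x1BB; Play Test and EA-Land lack this code, so it is optional.
    "InternetServiceD.dll": [
        (bytes.fromhex("740768BB010000"), bytes.fromhex("EB0768BB010000"), 0x17B2, False),
    ],
}
def locate(data, old, hint):
    """Offset to patch, or None if absent. Trust the documented offset when the bytes
    there match; otherwise the pattern must occur exactly once in the whole file."""
    if data[hint:hint + len(old)] == old:
        return hint
    hits, i = [], data.find(old)
    while i != -1:
        hits.append(i)
        i = data.find(old, i + 1)
    if len(hits) > 1:
        raise ValueError(f"pattern {old.hex()} is ambiguous: {len(hits)} occurrences")
    return hits[0] if hits else None

def patch_bytes(data, patches):
    """Return (patched copy, number of patches applied). The file length never changes."""
    buf, applied = bytearray(data), 0
    for old, new, hint, required in patches:
        off = locate(buf, old, hint)
        if off is None:
            if required:
                raise ValueError(f"required pattern {old.hex()} not found")
            continue  # optional pattern missing in this build: leave the file alone
        buf[off:off + len(old)] = new
        applied += 1
    return bytes(buf), applied

def patch_file(path):
    """Back the DLL up as <name>.bak beside it, then patch it in place."""
    path = Path(path)
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    path.write_bytes(patch_bytes(path.read_bytes(), PATCHES[path.name])[0])
```

Run patch_file() once per DLL name in PATCHES from inside the game directory; a build where a required pattern is missing or duplicated is left untouched and reported instead of being patched blindly.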
The userdata/localavatarcache folder is still being studied. As far as I can tell, the game does not even ask the server for the up-to-date avatar data before you connect to the city. Without valid data in the localavatarcache folder to begin with, you will see the “proxy” Sim shown in this screenshot. This can be solved by placing this data in your localavatarcache folder alongside the “dont_delete.txt” file. (The avatar ID I’m having the City Selection server assign is 1337, which explains the naming.)
Where I’m going next
I’ve just been accepted into electrical engineering at UT Austin. Additionally this summer, I’m starting a basic ray tracer project, going through a digital signal processing textbook, and getting my license.
Wow, cool, I hope you won’t lose the desire to continue ^^
Awesome! I’ve been tracking the progress on the wiki page for a while now. A while ago I made a node.js server to provide a dummy select-a-sim server, and was surprised that it actually worked so easily.
Yes!!!! Well done! I hope you still continue and also I look forward to TP1
Is this the last time we’ll see you, fatbag?
I’m a newcomer to this project, and can I just say that I Loooove what you are doing. Unfortunately, I was a bit too young to play TSO when it was popular (I’m only 17 now) and I was really disappointed that I never had a chance to experience it. I wish you the best and keep up the great work!
I don’t understand, why can’t you just make a server emulator? Why do you want to rewrite the entire game?
@Luca obviously so we can add our own objects that are still missing in the game from all the other Sims 1 expansions, even create our own animations/emotes if I’m not mistaken
Doubt it about the animations/emotes.
And I don’t think EA-Land had the right stuff to add our own objects in.
All I know is that EA-Land could only add your own photos in. (Correct me if I’m wrong.)
Because, that would be violating copyright laws
Afr0’s has been down for the past week… better start backing up your files, Fatbag, before they find u!
Afr0’s Project Dollhouse site I mean*
The forums are still up though: http://forum.afr0games.com/
Still no word and still no site :'(
It’s the payments. Don’t act stupid.
THE FORUMS ARE STILL UP.
Honestly…
NOTE: For future readers: you need to start the CLIENT. The updater will get an error, so you need to start the client directly. (At least I did.)
then why hasn’t Afr0 commented on them….it’s been down for like a month now
He has.
Oh wow I’m so excited about this!! I’ve been waiting for a reboot/cracked server FOREVER. I started playing this game when I was 9 … the best!
I followed all the directions. I changed the server names and changed the numbers in the DLLs with a hex editor, but when I try to log in with the Sims Online Update Utility, using the asdf username and the hjkl password, I receive the following:
EA is currently experiencing technical difficulties and this game is temporarily unavailable. Please try again later. (INV – 199)
I clarified the instructions just now. You’re supposed to run TSOClient.exe after you make the modifications, not the updater utility. Thanks for pointing that out!
Thank you!
I had to reinstall but everything works like a charm now. So cool to be back in Create-A-Sim. Ultimate nostalgia, lol!
Is that the only part that works or can you actually PLAY THE GAME as in like a single house / lot?
I can’t seem to get onto the map with the Sim that’s already there.
Also, my Sim isn’t being created, it’s taking too long.
What do i need to do on cityserver.exe?
Hi, I don’t know how to patch the DLLs.
Here are the steps:
Since I’d rather not pay for HTTPS hosting, you’ll have to make a binary patch to 3 DLLs using a hex editor (such as wxHexEditor, Ghex, or Frhed) to connect over HTTP. (If you decide to connect to a different server that supports HTTPS, you can skip these modifications.)
Make a backup of authlogin.dll. Then open it with a hex editor. Replace the 5 bytes “68 00 30 C0 84” (in version 1.1097.1.0 these appear at offset 0x8325) with “68 00 00 40 84”.
Make a backup of TSOServiceClientD.dll. Then open it with a hex editor. Replace the 8 bytes “68 74 74 70 73 3A 2F 2F” (in version 1.1097.1.0 these appear at offset 0x923C0) with “68 74 74 70 3A 2F 2F 00”.
Make a backup of InternetServiceD.dll. Then open it with a hex editor. Replace the 7 bytes “74 07 68 BB 01 00 00” (in version 1.1097.1.0 these appear at offset 0x17B2) with “EB 07 68 BB 01 00 00”. Not all versions of the game contain this code (play test and EA-Land do not), so for those versions, this file should remain untouched.
I can’t find the offsets.
With what hex editor does it work?
Download wxHexEditor (which is what I used)
I typed into Google “0x8325 to decimal”, pressed Edit>Jump to Offset in wxHexEditor, and then typed in my result (33573), selecting “search by decimal” because that’s what worked for me
then look for the hex codes you have to edit, save the DLLs, and run the client
remember you can only run create-a-sim and select-a-sim, trying to load a city will freeze the loading screen at 64%
I can’t find the hex codes in InternetServiceD.dll at 0x17B2. In decimal I found out it’s 6066, but in the hex editor I don’t see it.
Yes works but i hope the game would work in the future
(SPOILER ALERT!!!)
It won’t freeze, it’s waiting for a response from another .dll. That .dll posts the message that gets you into Map View.
TransmitCreateSimNotification.pdu
(Am I close?)
lol, Blayer and I discussed it in IRC. It’s actually DBRequestWrapperPDU.
That’s true.
Fatbag’s probably still stuck on trying to reverse engineer the code lol
Ah, OK – don’t say the words “reverse engineer” again though, EA could, in theory, sue us all. Including me. But I am young. So I’m fine.
They can’t.
1.) NIOTSO’s coding is different and is free to the public, it isn’t sold.
2.) They don’t care about this game anymore. They closed it off in 2008, and never will touch it again.
Good xD
Blayer98 are you working on NIOTSO?
Yeah. Why?
Just wondering. You aren’t in the contributors panel thingy, that’s all.
Mine just exits on login with no error message
I can get into the game but when I try to create-a-sims, it says error: lost server connection. How can I fix this?
All these hex codes and .dll code changes are too complicated for us “non-tech people”. I wish there was an easier way.
It will be later on, but for you to get into Select and Create A Sim, this .dll coding is needed.
yeah like an already setup and edited folder download of some kind call it beta 0.50? xD
I don’t think that would work lol.
They need to update the news now, Another thing’s occurred.
I don’t understand the instructions and is this supposed to help me with TSO Error INV-199
Oh yeah, just following up on my last comment. Why don’t you just update The Sims Online or just make a video tutorial? Besides, I forgot my TSO installation folder. It does kind of sound easy in the instructions but I can’t find the files you are talking about. SO JUST CHOOSE: UPDATE TSO OR MAKE A VIDEO TUTORIAL! I SPENT TIME WAITING FOR THIS TO DOWNLOAD THEN IT TRASHES ME WITH AN ERROR.