Daytona USA Progress

[ioncannon]

So I have mapped out a ton of the NE Engine network code; and found it's using both a TCP and UDP connection. The TCP connection should be talking to a "gameserver" that is sent by the LE when a `le_launchRequest` is called. I seem to have also found the various request functions used along that TCP channel. Still looking for the opcode switch though.

The UDP IP seems to be sent in a packet by the LE that has all the different team member's IP addresses with the host player having a * prefix. When this packet is received; it actually discards all the IPs and only keeps the host one. So it seems the host acts as a router among the different players? So far I think this channel is used mainly for async data.

My hypothesis right now is the UDP channel is a P2P setup that communicates all the async data between clients (the meat of the multiplayer data). This is because the connection seems to be made towards the host's IP. The TCP channel is the so called "game server" that handles session management (Create, Delete, Join, Leave). I only see 14 requests (so far) that the client can send to that game server, so it doesn't do much.

My main issue right now is this damn tcp connection is never made. It seems to be first trying to setup all the UDP connections; and while the player clients send the same 4 bytes over and over to the host IP, the host isn't responding. Found the flag that blocking us from starting the TCP connection so gotta figure out what the issue is.

Edit: Found the tcp Server->Client opcode switch and related tcp byte reading code.

[ioncannon]

Bigger update:

Ok I have the network code mapped out enough that it is readable and the main "path" of how data is sent/received is laid out. I think now the only thing left is to figure out why the connection isn't happening.

Once a connection is made; the rest should be pretty easy to figure out since we got all the possible "send" requests and "receive" responses found.

[DarkSynbios]

Good job my friend!

[ioncannon]

Nother update: I was frustrated with manually inputting my other computer's IP as the client doesn't play nice locally when it's trying to ping ports already in use. So I found the Daytona Key cryptography code.... and it looks very similar to my old friend Mr Blowfish! I have repeatedly seen it in my other projects with Japanese games. Hell, earlier I found Blowfish in Sakura Wars Online (next project?). Analyzing it now to figure out the algorithm, as it's a modified version of what is normally used.

In the key data is both the username and IP, as Dricas (the service) didn't have the account management system here as it did in JP.

Edit: Annnnd I think I have everything figured out. Will run some tests to see if I can encrypt/decrypt the key file.

[ncman071]

wow man really appreciate your efforts in your daytona project!

[SMiTH]

Nother update: I was frustrated with manually inputting my other computer's IP as the client doesn't play nice locally when it's trying to ping ports already in use. So I found the Daytona Key cryptography code.... and it looks very similar to my old friend Mr Blowfish! I have repeatedly seen it in my other projects with Japanese games. Hell, earlier I found Blowfish in Sakura Wars Online (next project?). Analyzing it now to figure out the algorithm, as it's a modified version of what is normally used.

In the key data is both the username and IP, as Dricas (the service) didn't have the account management system here as it did in JP.

Edit: Annnnd I think I have everything figured out. Will run some tests to see if I can encrypt/decrypt the key file.

I know this is off topic but in NFL2k1 there is a file called BLOWFISH.BIN.
It was an online game, and it has some weird encryption of the main bin.
Always wondered if blowfish enc was a reference to online code or to 1st_read? or something else?

[ioncannon]

Nother update: I was frustrated with manually inputting my other computer's IP as the client doesn't play nice locally when it's trying to ping ports already in use. So I found the Daytona Key cryptography code.... and it looks very similar to my old friend Mr Blowfish! I have repeatedly seen it in my other projects with Japanese games. Hell, earlier I found Blowfish in Sakura Wars Online (next project?). Analyzing it now to figure out the algorithm, as it's a modified version of what is normally used.

In the key data is both the username and IP, as Dricas (the service) didn't have the account management system here as it did in JP.

Edit: Annnnd I think I have everything figured out. Will run some tests to see if I can encrypt/decrypt the key file.

I know this is off topic but in NFL2k1 there is a file called BLOWFISH.BIN.
It was an online game, and it has some weird encryption of the main bin.
Always wondered if blowfish enc was a reference to online code or to 1st_read? or something else?

Probably where the initial values to generate the P Table and S-Boxes are. What it's used for I dunno, could be for either (FFXIV for example uses Blowfish to encrypt their login network traffic). I think NFL2K1 was already figured out so whoever built that server can tell you.

[Xiden]

Nother update: I was frustrated with manually inputting my other computer's IP as the client doesn't play nice locally when it's trying to ping ports already in use. So I found the Daytona Key cryptography code.... and it looks very similar to my old friend Mr Blowfish! I have repeatedly seen it in my other projects with Japanese games. Hell, earlier I found Blowfish in Sakura Wars Online (next project?). Analyzing it now to figure out the algorithm, as it's a modified version of what is normally used.

In the key data is both the username and IP, as Dricas (the service) didn't have the account management system here as it did in JP.

Edit: Annnnd I think I have everything figured out. Will run some tests to see if I can encrypt/decrypt the key file.

I know this is off topic but in NFL2k1 there is a file called BLOWFISH.BIN.
It was an online game, and it has some weird encryption of the main bin.
Always wondered if blowfish enc was a reference to online code or to 1st_read? or something else?

Probably where the initial values to generate the P Table and S-Boxes are. What it's used for I dunno, could be for either (FFXIV for example uses Blowfish to encrypt their login network traffic). I think NFL2K1 was already figured out so whoever built that server can tell you.

From my understanding Shu just bypassed the blowfish encryption which I think its similar across all visual concept titles. Basically he created a site to capture the usernames based on ip address as a work around since it was only used for the username password system.

[ioncannon]

I am a purist tho . Now I can generate keys! Here is where the decrypted data is stored. IP is pointing to my PC and username is no longer goodcow@daytonakey.





Alright that is pretty good progress for a single day. Can get back to figuring out the net engine now that my wife's PC can connect into the server as well.

Once this server is done I'll prob make a script for DreamPipe to hook into their user system and created keys from the Daytona Online page.

[ioncannon]

Spent the morning mapping out basically the rest of everything. I don't think this is a code or setup problem; and wonder if there is some issue with Flycast. I can see the packets get sent out, and the `recvFrom` call is being called; but it is always returning -1 (no data). Really frustrating.

Also figured out why I was getting a random IP as my "client ip", 192.168.167.2. It's the IP the faking PPP server built into Flycast sets for the DC. Wonder if that is what is causing issues?

Edit: /SmackHead, -1 is an error... hm 0x23 is the errno (this is POSIX sockets).

Code: Select all

"#define	EDEADLK		35	/* Resource deadlock would occur */

Edit2: Ah, Access (who built this tcp stack) changed the ERRNO to EWOULDBLOCK. Their documentation says (translated):

Code: Select all

【function】Receive data from a datagram socket. If there is received data in the datagram, it returns immediately. If the datagram has no received data and the socket is blocking, the receive call will not return until data arrives. If the datagram has no data and the socket is nonblocking, the external variable errno is set to EWOULDBLOCK and -1 is returned.

So it's working as expected, just the socket is non-blocking. So false alarm.

Edit3: Ok seems the same issues is happening with lobby pinging as well, as they also use recvFrom(). So it's not a problem to be reverse engineered, rather the system it's running in. I can see the packets being sent on wireshark, but somehow the application doesn't receive em. At least I have a starting point to analyze this.

Edit4: Chatted on the Flycast Discord and it seems Flycast requires ports to be opened in the picoppp c file. Might be what was causing the issue.

Edit5 (last one in this post I promise): Woohooo!!! That was it! Had some trouble recompiling Flycast but after opening the internal ports we got traffic! There is a new latency icon that wasn't there before and I now get a burst of UDP traffic when the team member tries to connect to the host.