TSO-SE Discussion Thread

Discussion in 'Other TSO related projects' started by Blayer98, Jul 29, 2014.

  1. Fatbag

    Fatbag Member

    It turns out that the "message ID" column in the DBRequestWrapperPDU section of the protocol page is some number which is not necessarily the message ID.

    Today, I was trying to get the search-for-Sim/search-for-lot functionality working. When you do a search with the Search Exact button, the client sends a SearchExactMatch DBRequestWrapperPDU to the server. I figured out the structure of the SearchExactMatch body, but after sending the packet, the client did nothing. I was using what I thought was the correct "message ID", 0xE9A2E6CC, but when I did ctrl+F for it in the Regulators section of the article, it wasn't found.

    So I put a hardware breakpoint on the dword that holds the message ID directly after the client reads it from the packet so I could jump to the code that looks at the message ID. The code is located at TSOServiceClientD_base+0x3a479 (in TSO New & Improved trial, as always); whatever the packet specifies as the message ID, this code searches for that key in a binary search tree. I wrote some code at the bottom of the .text section of TSOServiceClientD.dll that dumps the binary search tree:

    Code:
    function: ; TSOServiceClientD_base+0x7b800
        mov ecx, dword [esp+0x04] ; arg1: a node
        test ecx, ecx
        jz function_ret
        push dword [ecx+0x0c] ; this node's right child
        push dword [ecx+0x10] ; this node's value
        push dword [ecx+0x08] ; this node's left child
        call function
        mov eax, dword [destptr]
        pop dword [eax]
        add dword [destptr], 0x04
        call function
    function_ret:
        ret 0x04
        pusha
        push 0x01000000 ; 16 MB, more than enough
        call malloc_cdecl
        pop ecx       ; place breakpoint here; let ptr = eax, destptr = the first value >= ptr such that
        push 043A2308 ; destptr ends in "00" in hex, and set dword [destptr] = destptr+4
        call function
        push ptr ; place breakpoint here and copy the output to your text editor
        call free_cdecl
        pop ecx
        popa
        jmp 00407DD1
    As a result: there were 366 keys in that tree, but there were many duplicate keys for some reason, and the first 161 keys corresponded to "0x00000001, 0x00000002, 0x00000003, ..." in PDURegulator which should not be applicable... This left us with exactly 170 potential message IDs. I wrote some C code to create "0.dat", "1.dat", "2.dat", etc. up to "169.dat" which were all the same packet as before but with the message ID (previously 0xE9A2E6CC) swapped out for one in the list.

    I tried out every one, and I found some interesting message IDs. :)

    First of all, 0xDBF301A9 is the real message ID that handles the SearchExactMatch response body. 0x4947E8F6 causes the map view to become dark, without changing the time. 0xBBFAABC8 causes the map view to become bright again, also without changing the time. Lastly, I found that 0x3BFC2808 changes the time, changes the brightness of the map view to match the time, and makes time begin moving (1 game second per real-life 5 seconds, like normal). After experimenting with the packet, I found that the "Parameter" field specifies the number of real-life seconds (or 5 times the number of game seconds) that have passed since 12:00am ingame. It looks like the "simulate to current time" function might be running on its own without ever synchronizing with the server (until the server explicitly sends another 0x3BFC2808 packet with the current time), indefinitely, without a limit. If so, that's weird...

    If you look at the EA-Land Final Countdown video at 4 minutes in, you can see that when the simulation stops at 4:31, the game time also stops at "7:03 pm", until the game disconnects at 4:49 (about 20 seconds after the disconnect), at which point the game time skips to 7:06 ((6-3 +/- 1)*5 = 20 seconds in this case) and begins moving again. I'm not sure what to take from that. It looks like time can pass without running a simulation when the player is outside of a (functional) lot and can pass in sync with the simulation when the player is inside a (functional) lot.

    Here is the PDU: http://niotso.org/files/starttime.dat
    Last edited: Jan 13, 2015
    Blayer98, SoraTSO and AquilaSim like this.
  2. Blayer98

    Blayer98 Active Member

    Just an update!

    Did you know? If you send starttime.dat on 64% Metrics Purged after sending hostonlinepdu.dat, you will get this!
    [​IMG]
    We may just be one step closer to getting into a lot on NIOTSO/TSO-SE!
    yoyo, Fatbag and AquilaSim like this.
  3. AquilaSim

    AquilaSim Administrator Staff Member Moderator

    Nice progress. ;)

    (Offtopic Note : Blayer98, I was to send u a message and waits for ur response)
  4. Fatbag

    Fatbag Member

    Wow, thanks Blayer!!

    I tried all 11 HouseLoadRegulator message IDs, this time with no body attached, and identical to starttime.dat except for the message ID field.

    0x9B7ED631 causes an access violation, however, if you skip over the offending instruction, then the client otherwise still works, and you get this:
    [​IMG]

    If you then send LoadAvatarByID, you'll be brought to the map view, but the Close/Medium/Far zoom buttons are now enabled. If you zoom into the lot, you get this:
    [​IMG]

    The game time is paused inside the lot, and when you zoom out back to the map view, the time remains paused. According to the Graphics Properties, the Terrain Detail is set to Low, and clicking High does not do anything (it does not even send a packet); it remains stuck at Low. Hovering over the grass shows the footsteps cursor, but clicking it does nothing. Typing in text works, and pressing enter causes a ChatMsgPDU to be sent to the server.

    So as of right now, we're inside a non-simulating lot, however, it did require me to use OllyDbg to skip over an access violation. Without OllyDbg, the program terminates.
    Last edited: Jan 16, 2015
  5. RHY3756547

    RHY3756547 FreeSO Developer Staff Member Moderator

    Very nice. Too bad they didn't leak the simulator server dlls with ea land when they leaked edith... ;)
    aidancheddar and Blayer98 like this.
  6. francot514

    francot514 Well-Known Member

    Interesting progress, there is something you can do with these new information?? is still tso server emulator possible??
  7. AquilaSim

    AquilaSim Administrator Staff Member Moderator

    The progress you see here IS from TSO-SE not from NioTSO, so yeah like u can see here, a server emulator is possible.
  8. RHY3756547

    RHY3756547 FreeSO Developer Staff Member Moderator

    Not without the simulator, as previously mentioned! It might be possible to hack the client simulator to run as a server, but that could prove to be very involved.
    Blayer98 likes this.
  9. francot514

    francot514 Well-Known Member

    And do you want to retake the simulation developtment this year??? or you are no more interested???
  10. Fatbag

    Fatbag Member

    The amount of SimAntics that the server needs to know may be minimal, or it may be extensive. I don't know at this point. My relationship with the TSO-SE project has always been "Let's just see how this goes for curiosity's sake".
    Last edited: Jan 22, 2015
  11. RHY3756547

    RHY3756547 FreeSO Developer Staff Member Moderator

    I'm not going to develop a Simantics emulator that interfaces with the real game because we have no idea how that interface works at the moment. I'm going to keep developing the Project Dollhouse version though, so that there's an accurate open source SimAntics emulator out there.
  12. francot514

    francot514 Well-Known Member

    Code:
    so that there's an accurate open source SimAntics emulator out there.
    Do you mean we should wait until someone else achieve it?? or anyone has already done???
  13. RHY3756547

    RHY3756547 FreeSO Developer Staff Member Moderator

    ...I mean i'm implementing it. So that there is one.
  14. francot514

    francot514 Well-Known Member

    And this what problem will cause??
  15. RHY3756547

    RHY3756547 FreeSO Developer Staff Member Moderator

    I will not develop a simulator for TSO-SE at this time, so if it proves to be very involved we will be stuck.
  16. francot514

    francot514 Well-Known Member

    Im not talking about TSO-SE specific, but if you will complete it for PD, then i tihnk this is off topic...

    Code:
    function: ; TSOServiceClientD_base+0x7b800
        mov ecx, dword [esp+0x04] ; arg1: a node
        test ecx, ecx
        jz function_ret
        push dword [ecx+0x0c] ; this node's right child
        push dword [ecx+0x10] ; this node's value
        push dword [ecx+0x08] ; this node's left child
        call function
        mov eax, dword [destptr]
        pop dword [eax]
        add dword [destptr], 0x04
        call function
    I want to ask to Andrew, if you are able to do this reverse enginering for the sims 1...
  17. Fatbag

    Fatbag Member

    What would you like me (or someone else here) to reverse-engineer?
  18. francot514

    francot514 Well-Known Member

    I only ask you becuase i want to know if is possible do some changes in sims 1 executable, that will benefict me for some stuff i want to try, i have used olydbg with sims.exe, but i cannot get run properly the game...
  19. Blayer98

    Blayer98 Active Member

    Good News!
    Fatbag just told me a few hours ago that he has managed to get HostOnlinePDU and LoadAvatarByID working on EA-Land!
    However, I'm not sure if he made the PDUs... Anyway, the merged cities are there as always. I'll add screenshots when I'm able to get in as well. :p
  20. AquilaSim

    AquilaSim Administrator Staff Member Moderator

    Nice ! This project should be renamed "EA-Land-SE". :D

Share This Page