Difference between revisions of "Retail Patcher and Login"

Revision as of 18:30, 24 May 2019

Originally the retail version of the game used a built in patcher and login program to both update and start the game. The patcher consists of two programs ffxivboot.exe and ffxivupdater.exe. The login program is ffxivlogin.exe. Finally the actual game is ffxivgame.exe.

FFXIVBoot

This is the main application that is started when a user clicks on the "Final Fantasy XIV" shortcut. It facilitates version checking as well as patch downloading and verification. The patch downloader is a modified Bittorrent client, which causes problems with using non-ffxivboot clients. Interestingly ffxivboot was built on top of the Rapture engine and contains the same various RTTI info and referenced strings as the main ffxivgame executable. This was most likely to reuse the logic for rendering the Silverlight based UI, access game files, and to play the SCD music.

Version Check

The first thing ffxivboot does after initialization is perform a version check for both ffxivboot and ffxivgame programs. A GET HTTP request is made to ver01.ffxiv.com first for the boot program, followed by the game program. Both requests and responses have the same format.

/vercheck/ffxiv/win32/release/<game or boot>/<patchnumber>

If the version requested is up to date, the following is responded back:

header("HTTP/1.0 204 No Content");
header("Content-Location: ffxiv/2d2a390f/vercheck.dat");
header("X-Repository: ffxiv/win32/release/boot");
header("X-Patch-Module: ZiPatch");
header("X-Protocol: torrent");
header("X-Info-Url: http://www.example.com");
header("X-Latest-Version: 2012.09.19.0000");

If the version requested is out of date and an update is needed, the following is responded back:

header("HTTP/1.0 200 OK");
header("Content-Location: ffxiv/48eca647/vercheck.dat");
header("Content-Type: multipart/mixed; boundary=477D80B1_38BC_41d4_8B48_5273ADB89CAC");
header("X-Repository: ffxiv/win32/release/boot");
header("X-Patch-Module: ZiPatch");
header("X-Protocol: torrent");
header("X-Info-Url: http://example.com");
header("X-Latest-Version: 2012.05.20.0000.0001");
header("Connection: keep-alive")

--477D80B1_38BC_41d4_8B48_5273ADB89CAC
Content-Type: application/octet-stream
Content-Location: ffxiv/48eca647/metainfo/D2012.05.20.0000.0001.torrent
X-Patch-Length: 20874726
X-Signature: jqxmt9WQH1aXptNju6CmCdztFdaKbyOAVjdGw_DJvRiBJhnQL6UlDUcqxg2DeiIKhVzkjUm3hFXOVUFjygxCoPUmCwnbCaryNqVk_oTk_aZE4HGWNOEcAdBwf0Gb2SzwAtk69zs_5dLAtZ0mPpMuxWJiaNSvWjEmQ925BFwd7Vk=

[TORRENT FILE HERE]
--477D80B1_38BC_41d4_8B48_5273ADB89CAC--

Both responses contain the same HTTP headers:

• Content-Location: Defines the location on the user's computer (in My Documents/My Games/Final Fantasy XIV/) where the patch file is stored.
• X-Respository: Either ffxiv/win32/release/boot or ffxiv/win32/release/game depending on what's being version checked.
• X-Patch-Module: Defines what format the patch file is in. FFXIV used ZiPatch.
• X-Protocol: Defines how the patch will be downloaded. While the client makes reference to http (and FFXIV ARR uses that), ffxivboot does not have code to download by http.
• X-Info-Url: Unknown but always set to http://example.com.
• X-Latest-Version: The latest version of that program.

When the program is out of date the body of the HTTP response contains more information as well as the torrent file to get the patch. Of note is Content-Location which like the head, stores the torrent file under the same location. Next is X-Patch-Length which is the size of the torrent file, as well as the X-Signature used for source verification. The ffxivboot program will use OpenSSL's rsa_verify function to verify that the sent patch is from Square Enix. We can patch out the returned value from rsa_verify to always return true (valid). Interestingly this verification was removed in FFXIV ARR. Finally after the signature is a single line followed by the full .torrent file.

If the version was up to date, ffxivboot will then continue and launch ffxivlogin to handle session login. Otherwise the patch downloader is started.

Patch Downloader

Once downloaded the necessary files will be stored like this:

• <FFXIV Games Folder>/<program hash>/vercheck.dat - This is just the response returned above, stored in a file.
• <FFXIV Games Folder>/<program hash>/metainfo/D2012.05.20.0000.0001.torrent - The torrent file.
• <FFXIV Games Folder>/<program hash>/patch/D2012.05.20.0000.0001.patch - The actual patch file that is being downloaded.

For all intents and purposes the FFXIV patch downloader is an off-the-shelf Bittorrent client, with the peer handshake functionality modified.

• The protocol name is changed from BitTorrent protocol to SqexPatchSystem v01
• The infoHash is Blowfish encrypted using the peerId as a key.

The rest of the protocol is standard Bittorrent and does not require any special use case. Once the patch is fully downloaded ffxivboot closes and updating commences.

FFXIVUpdater

Once the patch file has been downloaded ffxivboot copies the ffxivupdater program to the FFXIV documents folder and executes it.

The patcher does two things: iterator over every entry, verifying both the old file and new file SHA1 signatures and then executes and operation on them. Once all blocks are iterated over the program is patched and ffxivboot is rebooted to start the process all over again.

FFXIVLogin

The final step is logging in. This program is quite simple, yet has some extra encoding that makes modifications difficult. Primarily it's an old implementation of an Internet Explorer browser (4.0 iirc). However what makes it difficult is that all strings are encoded using a strange algorithm so that they cannot be easily modified. This includes the URL of the login page itself.

On every response the program reads the HTML body and searches for this custom tag:

<x-sqexauth sid="" lang="" region="" utc="" />

• sid: The session id of the now logged in user. This will be passed to ffxivgame.
• lang: The language the user is using. Shouldn't matter.
• region: The region the user is in. Shouldn't matter.
• utc: Used to generate the Blowfish key use to encrypt the command line arguments sent to ffxivgame.

Once this tag is detected the params are encoded and then sent as a command line argument to ffxivgame.

Command Line Argument Encoding

String Decode Algorithm

Converted from the raw ASM in ffxivlogin.exe.

public static string FFXIVLoginStringDecode(byte[] data)
{
    string result = "";
    uint key = (uint)data[0] << 8 | data[1];
    uint key2 = data[2];
    key = RotateRight(key, 1) & 0xFFFF;
    key -= 0x22AF;
    key2 = key2 ^ key;
    key = RotateRight(key, 1) & 0xFFFF;
    key -= 0x22AF;
    uint finalKey = key;
    key = data[3];
    uint count = (key2 & 0xFF) << 8;
    key = key ^ finalKey;
    key &= 0xFF;
    count |= key;

    int count2 = 0;
    while (count != 0)
    {
        uint encrypted = data[4 + count2];
        finalKey = RotateRight(finalKey, 1) & 0xFFFF;
        finalKey -= 0x22AF;
        encrypted = encrypted ^ (finalKey & 0xFF);
        result += (char)encrypted;
        count--;
        count2++;
    }

    return result;
}

Reversed Encode Algorithm

This was made by working the decode algorithm backwards.

public static byte[] FFXIVLoginStringEncode(uint key, string text)
{
    key = key & 0xFFFF;

    uint count = 0;
    byte[] asciiBytes = Encoding.ASCII.GetBytes(text);
    byte[] result = new byte[4 + text.Length];
    for (count = 0; count < text.Length; count++)
    {
        result[result.Length - count - 1] = (byte)(asciiBytes[asciiBytes.Length - count - 1] ^ (key & 0xFF));
        key += 0x22AF;
        key &= 0xFFFF;
        key = RotateLeft(key, 1) & 0xFFFF;
    }

    count = count ^ key;
    result[3] = (byte)(count & 0xFF);

    key += 0x22AF & 0xFFFF;
    key = RotateLeft(key, 1) & 0xFFFF;

    result[2] = (byte)(key & 0xFF);

    key += 0x22AF & 0xFFFF;
    key = RotateLeft(key, 1) & 0xFFFF;


    result[1] = (byte)(key & 0xFF);
    result[0] = (byte)((key >> 8) & 0xFF);

    return result;
}