Minilogin Woes

[sdtuasrt, MD]

I apologise if this has been rehashed somewhere before. I haven't been able to find it. I also have had no help with the Wiki.

This is the problem I am having.

I am attempting to play EverQuest using a correctly functioning server. Everything works. I repeat, everything works. I can login to the server, run around, kill things. The problem is when I attempt to run more than one character.

I am using minilogin. Minilogin does not give a damn about what account name I enter, it seems. It only cares about IP. If I create two different accounts, say, mini1 and mini2, both see each other's characters. This creates a large problem.

When logging in, I appear to be considered to be one account -- account and IP are correlated. Therefore, when zoning, there is an insanely high amount of disconnection. I can normally run four separate copies of the EverQuest client on my computer, and used to do so regularly on certain of the public servers I played. As long as I had enough separate accounts, there were no issues.

As I understand it from what I have read on boxing, there are issues with the emulator with having multiple logins from the same account. This is the crux of the problem.

It is impossible to box from one computer, be it for testing or playing purposes, with minilogin. I find it quite ridiculous that I need 4 separate computers if I want to play four separate accounts with minilogin. Half the attraction of minilogin to me is that I thought I could use it to test modifications to the PEQ database without having to go through the hassle of getting the server connected to the public login server, and having it display for everyone, something I should not like to do, as it is possible that the idea I have for a server may not work.

Is there any solution to my problem using minilogin? I'm fairly sure there is none. If I am mistaken, I beg apology. However, everything I have read and been told, and from personal experience in boxing, tells me explicitly that this is due to the fact that I am attempting to play several different characters from one account, something I cannot seem to avoid doing with minilogin.

Thank you for your time.

[cole89103]

minilogin is ip based the only way to run more then one client from the same ip is to change the ip of the non active accounts before you zone the active character this must be done each and every time before you zone a character the correlating accounts ip has to be set to the correct ip and the non active (non zoning) Accounts must be changed to 0.0.0.0 for instance.

I am working on a system to make this process easier based on an example i saw on the forums not too long ago ill post the binaries when ive gotten it working untill then all i can suggest is using the minilogin php login script from the following post

http://eqemulator.net/forums/showthread.php?t=22846

[sdtuasrt, MD]

So, just to clarify:

I have three characters, a warrior, a cleric, and a druid. When zoning the account the warrior is on, the warrior's ip is the correct, real IP, and the ips of the accounts the Cleric and Druid are on are set to anything but the 127.* block?

[Aramid]

Quote:

Originally Posted by sdtuasrt, MD

So, just to clarify:

I have three characters, a warrior, a cleric, and a druid. When zoning the account the warrior is on, the warrior's ip is the correct, real IP, and the ips of the accounts the Cleric and Druid are on are set to anything but the 127.* block?

Basically, yes ... UNTIL you zone those characters. You would then have to change there IP's to the correct one, one at a time, while changing the one that has already zoned to the incorrect one.
The reason is because minilogin only uses the IP address of the computer for identification. There is NO source code available to change this, never will be.

[sdtuasrt, MD]

Quote:

Originally Posted by Aramid

Basically, yes ... UNTIL you zone those characters. You would then have to change there IP's to the correct one, one at a time, while changing the one that has already zoned to the incorrect one.
The reason is because minilogin only uses the IP address of the computer for identification. There is NO source code available to change this, never will be.

And I take it that decompilation of it would be a no-no.

Let me ask another question.

From what I can gather, minilogin does 'nothing' more than receive incoming client connections, displays a list of servers, and then redirects the client to the server.

Is this the only point at which minilogin is used? Or does it come into play during zoning, etc? If it is the only place during which it is used, it would be relatively simple for one to construct a small program which just automatically sent the correct packets when one says in the client, "Let me automatically reconnect to the last server I was on," and ignores other input?

Hm.

Hold on, need a packet sniffer.

[cole89103]

its been tried you wont get anything usefull out of decompiling minilogin many have tried to make minilogin public and all have failed there have been several work arounds but to make a public loginserver to work how you want it you need the crypto that eq uses to talk to the server and without that you will never get a public loginserver working

better just either use the php updater i mentioned or change the ips manually or use the public loginserver eqemulator.net provides

[nosfentora]

One solution could be to use VMWare or MS VirtualPC. You could install the os once in 1 virtual machine, then make X copies of it, and start each virtual machine. Should give you separate ip's for each machine.

[sdtuasrt, MD]

Quote:

Originally Posted by cole89103

its been tried you wont get anything usefull out of decompiling minilogin many have tried to make minilogin public and all have failed there have been several work arounds but to make a public loginserver to work how you want it you need the crypto that eq uses to talk to the server and without that you will never get a public loginserver working

better just either use the php updater i mentioned or change the ips manually or use the public loginserver eqemulator.net provides

Unless they're using something really, really, really, really, really super complicated, it's crackable. It's always crackable. Someone had to be able to do it in the first place to get the public Login Server to work.

The Login Server, be it the public or the minilogin, has to transmit certain information. It absolutely has to. The Server Name being one of those pieces of information. Unless it is transmitted unencrypted, in plain text, then you have a huge cryptographical advantage -- you know what some of the content of the message already is. On top of that, one should easily be able to discern what the preambles and/or postables of the messages are using the opcodes listed, and indeed, minilogin itself.

There are only three reasons I can think of for the lack of release of source code for either minilogin or the public loginserver. The first is that it contains leaked sourcecode from SOE. The second is that source is no longer available. The third is that people only want software to be 'free' and 'opensource' when it benefits them to do so.

As to the second option, I find it possible, since development has been locked at Titanium. I'm afraid it comes down to a choice between number one and number three.

I readily admit that something such as the loginserver is a non-trivial task. I am also entirely unaware as to the authorship of the public login server -- which is why I believe a possible reason it cannot be made available is due to copyright violation. However, I do know that the emulator itself is open source, and as a programmer, I get extremely frustrated with having to reinvent the wheel. And the axle. And the cart. And the donkey. And all the laws of physics that enable those things to exist.

Oh well. Where's that packet sniffer?

[cole89103]

oh without a doubt its crackable but i dont reccomend discussing it on the forums here cause well most people that have have been banned for one reason or another so watch out lol

[AndMetal]

Quote:

Originally Posted by sdtuasrt, MD

The Login Server, be it the public or the minilogin, has to transmit certain information. It absolutely has to. The Server Name being one of those pieces of information. Unless it is transmitted unencrypted, in plain text, then you have a huge cryptographical advantage -- you know what some of the content of the message already is. On top of that, one should easily be able to discern what the preambles and/or postables of the messages are using the opcodes listed, and indeed, minilogin itself.

This may seem a little off topic, but it should help to explain why minilogin has to use an IP address and doesn't have anything to do with the account name (at least in the Titanium client).

I personally was curious about the cryptography, so for the heck of it, I started sniffing some packets. From what I was able to gather, the login packet that is sent from the client to the server is 56 bytes total, 48 of which are the actual data. From that, there is a 24 byte hash of the username + password. If you're using Ethereal (looking at the entire packet), it starts at 0x4A and ends at 0x55. The last 16 bytes of the packet are apparently a checksum for the data.

Since we know where to look, we can put in what we know to be the username & password, and see what it puts out. Using a lot of math, I'm sure it wouldn't be impossible to reverse engineer the algorithm used, but I'm sure my brain would explode if I tried to figure it out by hand (and cryptography is definitely not my forte).

Because the username is encrypted as part of the hash, minilogin isn't able to decipher it, unless it included the cryptography algorithm (which it doesn't look like it does, because of its limitations). As a result, minilogin doesn't even know what your username is, it just forwards you onto the server itself (including your IP address, which it can detect very easily). So, in essence, your IP address becomes your "username", which is then references back to the actual username in the accounts table.

[cole89103]

little hint word on the grapevine is it uses rc4 encryption but it also uses compression ontop of the encryption just so you know

[Theeper]

I don't think Minilogin uses any type of encryption in communication with World. But why bother trying to decompile it though ? You can see how it works from the server source.

This subject has been beaten to death though. For some reason it has to be brought up again every few months. Someone should sticky the last few "I want to decompile Minilogin" threads.

[cole89103]

minilogin doesnt use encryption you are correct but the client DOES and minilogin is actually just another build of the public loginserver for one minus the crypto obviously. add to that that the client uses crypto to talk to the worldserver and thats what hes going to be siffing or trying to figure out

[Theeper]

You don't need to sniff packets. It's all right there in the server source.

[cole89103]

no its not ive seen the old loginserver source trust me its not in the source if it was eqemu would have been shut down by soe ages ago its also why the loginserver source is guarded so closely the crypto needs to be sniffed with packet and key sniffers it CAN be done if he sniffs the stuff when he connects to the public loginserver but no its not in the worldserver source code