Official eMule-Board: Single Thread For Incoming Doubts - Official eMule-Board

Single Thread For Incoming Doubts Resolving doubts for a new implementation of eMule

#1 RaingodSpires

Posted 06 April 2025 - 02:58 PM

Hello,
Some time ago I told a friend why I keep using eMule and why I was not willing to try to make a clone, but then he motivated me to start the project. I know that there are several implementations of eMule, including some members who are in theory working on another one but never published anything.

For the moment I have designed the major part of the GUI (which is essentially based on the original eMule because I simply love it) and started the core library. I'm able to connect to ed2k servers (at the moment only without obfuscation) and receive a login packet, catch the number of files and users, and decompress the server information. I'm principally doing reverse engineering, analyzing with Wireshark the behavior of the official eMule packet traffic, although also reading the source code. My idea is to simplify our eMule client, because I know that over decades the original source code of every project could contain obsolete or disused code, and the abstraction of every developer team can be totally different.

To start, I would like to ask something that I'm not able to find myself, so maybe it will be faster to simply ask. What is the 4-byte fragment received after the client ID? It is named "Flag 1" in the photo. It is always the same on every server: F9 17 00 00. Based on Wireshark, I can say that it isn't the UDP port.

After that it receives another 4-byte package with the TCP port, is that right? And then? Another 4-byte package that I have no idea about (named "Unknown" in the photo). I suspect that it is some obfuscation key? In the case of the intercepted packet in the photo, it is A2 D5 40 54.

i.imgur. com/3EV6ICw. png

Basically my problem is that if I enter a server manually in the original eMule (to receive the server's short description for the table, among other info like max users, etc.), the UDP packets received seem to be obfuscated and I don't know how. I noticed that even with the same information, the package bytes are different. So first, I thought to discard the unknown flags of the 0x40 packet.

Thank you in advance.

PS: if you want some details or what features will be included, feel free to ask.

i.imgur. com/jRqWvk1. png

(sorry I'm not allowed to post links).

This post has been edited by RaingodSpires: 06 April 2025 - 03:01 PM


#2 hooligan3000

Posted 06 April 2025 - 09:39 PM

gui looks good :flowers:

ed2k://|server|91.208.162.87|4232|/
ed2k://|server|85.239.33.123|4232|/
ed2k://|server|91.208.162.55|4232|/


SD - Telegram

Air VPN - The air to breathe the real Internet

BTC
bc1qdrk0ld07jtg99ym2zg68cpqhqj34qnf2txm93n
XMR
48ja6xJ2NyPMNzmY1pA3ZZPpX5yTaw9Ym28jrDPCL7Y7L7pr5wXFdpeK4WqBbvVY5qEa6VDfhFKTnHWef3EPC4zgQNTnAwg
0

#3 RaingodSpires

Posted 11 April 2025 - 10:54 PM

Thank you. It is responsive to the OS theme (light/dark).

Well, I'm helping myself a lot with AI, and I determined that the unknown flag is my own IP, but in Big Endian instead of Little Endian (which is the order of all other packets). But I still don't know what the F9 17 00 00 packet is.

Now I have to figure out if it's used to obfuscate the UDP protocol, or if some other value is used (like the user hash, client ID...). Because the next step is to ask for the server description, max users, etc.
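The field layout described in posts #1 and #3, written as a small bounds-checked parser for the bytes that follow the 0x40 opcode. This is an added example, not code from either poster or from eMule; the field names are assumptions, and in the sample only F9 17 00 00 comes from the thread while the client ID, port and address are constructed.

```python
import ipaddress
import struct
from dataclasses import dataclass

# Layout as described in the thread: three little-endian 32-bit fields
# (client ID, "Flag 1", TCP port) followed by four bytes that post #3
# identifies as the client's own IPv4 address in big-endian order.
_FIXED = struct.Struct("<III4s")


@dataclass(frozen=True)
class IdChange:
    client_id: int                      # little-endian
    flag1: int                          # meaning unknown in the thread; kept as a raw value
    tcp_port: int                       # little-endian, 4 bytes wide on the wire
    reported_ip: ipaddress.IPv4Address  # big-endian, unlike the other fields
    trailing: bytes                     # anything after the described fields, left unparsed


def parse_id_change(payload: bytes) -> IdChange:
    """Parse the payload of a 0x40 packet (bytes after the opcode)."""
    # Never index into attacker-controlled data before checking its length:
    # a short payload from a hostile or buggy server must fail cleanly.
    if len(payload) < _FIXED.size:
        raise ValueError(
            f"0x40 payload too short: {len(payload)} bytes, need {_FIXED.size}"
        )
    client_id, flag1, tcp_port, ip_raw = _FIXED.unpack_from(payload)
    # IPv4Address() reads 4 packed bytes in network (big-endian) order,
    # which matches the byte order reported in post #3.
    return IdChange(client_id, flag1, tcp_port,
                    ipaddress.IPv4Address(ip_raw), payload[_FIXED.size:])


# Constructed sample payload (not a capture).
SAMPLE = (
    struct.pack("<I", 0x12345678)   # constructed client ID
    + bytes.fromhex("f9170000")     # "Flag 1" bytes quoted in post #1
    + struct.pack("<I", 4662)       # constructed TCP port
    + bytes([192, 0, 2, 10])        # constructed address from the documentation range
)

if __name__ == "__main__":
    print(parse_id_change(SAMPLE))
```
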