This information is from a jump table called in the RecvThreadProc, my brother indulg traced and documented the packets! heh =p
// jump table called in RecvDataThread to identify the packet type
// PKT_GAMEDATA = 0x00
// PKT_CLIENTREQ = 0x03
// PKT_SERVERPING = 0x05
// PKT_SELFPING = 0x06
// PKT_KEEPALIVE = 0x07
// PKT_CONNTEST = 0x08
// PKT_CONNTEST2 = 0x09
// SID_NULL = 0x00
// SID_STOPADV = 0x05
// SID_SERVERLIST = 0x06
// SID_CLIENTID = 0x07
// SID_STARTVERSIONING = 0x08
// SID_REPORTVERSION = 0x09
// SID_GETADVLISTEX = 0x0A
// SID_ENTERCHAT = 0x0B
// SID_GETCHANNELLIST = 0x0C
// SID_JOINCHANNEL = 0x0D
// SID_CHATCOMMAND = 0x0E
// SID_CHATEVENT = 0x0F
// SID_LEAVECHAT = 0x10
// SID_LOCALEINFO = 0x12
// SID_FLOODDETECTED = 0x13
// SID_UDPPINGRESPONSE = 0x14
// SID_CHECKAD = 0x15
// SID_CLICKAD = 0x17
// SID_QUERYMEM = 0x18
// SID_MESSAGEBOX = 0x19
// SID_STARTADVEX2 = 0x1A
// SID_GAMEDATAADDRESS = 0x1B
// SID_STARTADVEX3 = 0x1C
// SID_LOGONCHALLENGEEX = 0x1E
// SID_CLIENTID2 = 0x1F
// SID_BROADCAST = 0x20
// SID_DISPLAYAD = 0x21
// SID_NOTIFYJOIN = 0x22
// SID_SETCOOKIE = 0x23
// SID_GETCOOKIE = 0x24
// SID_PING = 0x25
// SID_READUSERDATA = 0x26
// SID_WRITEUSERDATA = 0x27
// SID_LOGONCHALLENGE = 0x28
// SID_LOGONRESPONSE = 0x29
// SID_CREATEACCOUNT = 0x2A
// SID_SYSTEMINFO = 0x2B
// SID_GAMERESULT = 0x2C
// SID_GETICONDATA = 0x2D
// SID_GETLADDERDATA = 0x2E
// SID_FINDLADDERUSER = 0x2F
// SID_CDKEY = 0x30
// SID_CHANGEPASSWORD = 0x31
// SID_GETFILETIME = 0x32
// SID_CDKEY2 = 0x33
// SID_CHECKDATAFILE2 = 0x34
// SID_CREATEACCOUNT2 = 0x35
// SID_STARTVERSIONING2 = 0x36
// SID_QUERYADURL = 0x37
// SID_CDKEY3 = 0x38
// SID_AUTH_INFO = 0x50
// SID_AUTH_CHECK = 0x51
// SID_AUTH_ACCOUNTCREATE = 0x52
// SID_AUTH_ACCOUNTLOGON = 0x53
// SID_AUTH_ACCOUNTLOGONPROOF = 0x54
// SID_AUTH_ACCOUNTCHANGE = 0x55
// SID_AUTH_ACCOUNTCHANGEPROOF = 0x56
// SID_AUTH_ACCOUNTUPGRADE = 0x57
// SID_AUTH_ACCOUNTUPGRADEPROOF = 0x58
// SID_AUTH_RECONNECT = 0x59
// SID_AUTH_RECONNECTPROOF = 0x5A
// SID_AUTH_DISCONNECT = 0x5B
// SID_UNK = 0x5C
// SN_ADDCHANNEL = 0x01
// SN_DELETECHANNEL = 0x02
// SN_JOINCHANNEL = 0x03
// SN_ADDUSER = 0x04
// SN_DELETEUSER = 0x05
// SN_DISPLAYSTRING = 0x06
// SN_DOWNLOADING = 0x08
// SN_DOWNLOADFAILED = 0x09
// SN_DOWNLOADSUCCEEDED = 0x0A
// SN_FAILEDTOCONNECT = 0x0B
// SN_USERNAME = 0x0C
// SN_LOSTCONNECTION = 0x0D
// SN_CHANGEUSERFLAGS = 0x0E
// SN_CHANNELLISTISFULL = 0x10
// SN_CHANNELDOESNOTEXIST = 0x11
// SN_CHANNELISRESTRICTED = 0x12
// SN_SQUELCHUSER = 0x13
// SN_UNSQUELCHUSER = 0x14
// SN_BADCONNECTION = 0x15
// SN_SETADINFO = 0x16
// SN_DISPLAYAD = 0x17
// SN_MESSAGEBOX = 0x18
// SN_ICONDATA = 0x19
// SN_TOS = 0x1A
// SN_BNSERVER_INI = 0x1B
// SN_FAILEDTOCONNECTEXT = 0x1C
// SN_UNIQUEICONDATA = 0x1D
Yes. I've been using those IDs for some time. The SN_ codes are for the Battle.snp GUI and have no relation to Battle.net messages.
Also, I think you've got some errors in that table. SID_CLIENTID2 is not 0x1f, it's 0x1e. I recommend making a program to automatically dump tables such as that instead of doing it manually which introduces errors like this frequently for tables of this size.
Also, several of those are incorrect :)
Yes, more than one is incorrect...
I was half asleep when I wrote it... and haven't edited it...
:yawn:
how about you post some corrections ;)
Quote: how about you post some corrections ;)
You could try and find them on your own, and then you'd have no worries about errors, right? ;)
How about a tutorial on how you would find something like this? :)
I don't even know all the SIDs. :-[
Uh -- I think I should take Skywing's advice on how to retrieve the full list... There is a big jump table for those IDs... they are for debug output... :x
--- You do know all the SIDs; they are listed above -- there are just some errors in their values...
I was talking about what I'd found on my own, kthx.
A couple parts of my bot aren't as nice as I'd like yet...my Connection class could use a few upgrades when I get around to it...sigh...so much work still to do...
Softice, bpx recv.
Trace through (F10) till you see the symbol SID_something show up. Open up the process and jump to the address and see what's there.
SID_??? results will be a return value from a function...
The way I did it was to write a small HDL to call the function which translates a packet id into a packet name repeatedly for 0 through 0xff, logging the results to a file.
:boo: that's what I was going to do just now
Here are reliable results straight from battle.snp
0x00: SID_NULL
0x02: SID_STOPADV
0x04: SID_SERVERLIST
0x05: SID_CLIENTID
0x06: SID_STARTVERSIONING
0x07: SID_REPORTVERSION
0x09: SID_GETADVLISTEX
0x0A: SID_ENTERCHAT
0x0B: SID_GETCHANNELLIST
0x0C: SID_JOINCHANNEL
0x0E: SID_CHATCOMMAND
0x0F: SID_CHATEVENT
0x10: SID_LEAVECHAT
0x12: SID_LOCALEINFO
0x13: SID_FLOODDETECTED
0x14: SID_UDPPINGRESPONSE
0x15: SID_CHECKAD
0x16: SID_CLICKAD
0x17: SID_QUERYMEM
0x19: SID_MESSAGEBOX
0x1A: SID_STARTADVEX2
0x1B: SID_GAMEDATAADDRESS
0x1C: SID_STARTADVEX3
0x1D: SID_LOGONCHALLENGEEX
0x1E: SID_CLIENTID2
0x20: SID_BROADCAST
0x21: SID_DISPLAYAD
0x22: SID_NOTIFYJOIN
0x23: SID_SETCOOKIE
0x24: SID_GETCOOKIE
0x25: SID_PING
0x26: SID_READUSERDATA
0x27: SID_WRITEUSERDATA
0x28: SID_LOGONCHALLENGE
0x29: SID_LOGONRESPONSE
0x2A: SID_CREATEACCOUNT
0x2B: SID_SYSTEMINFO
0x2C: SID_GAMERESULT
0x2D: SID_GETICONDATA
0x2E: SID_GETLADDERDATA
0x2F: SID_FINDLADDERUSER
0x30: SID_CDKEY
0x31: SID_CHANGEPASSWORD
0x33: SID_GETFILETIME
0x36: SID_CDKEY2
0x3C: SID_CHECKDATAFILE2
0x3D: SID_CREATEACCOUNT2
0x3F: SID_STARTVERSIONING2
0x41: SID_QUERYADURL
0x42: SID_CDKEY3
0x50: SID_AUTH_INFO
0x51: SID_AUTH_CHECK
0x52: SID_AUTH_ACCOUNTCREATE
0x53: SID_AUTH_ACCOUNTLOGON
0x54: SID_AUTH_ACCOUNTLOGONPROOF
0x55: SID_AUTH_ACCOUNTCHANGE
0x56: SID_AUTH_ACCOUNTCHANGEPROOF
0x57: SID_AUTH_ACCOUNTUPGRADE
0x58: SID_AUTH_ACCOUNTUPGRADEPROOF
0x59: SID_AUTH_RECONNECT
0x5A: SID_AUTH_RECONNECTPROOF
0x5B: SID_AUTH_DISCONNECT
0x01: SN_ADDCHANNEL
0x02: SN_DELETECHANNEL
0x03: SN_JOINCHANNEL
0x04: SN_ADDUSER
0x05: SN_DELETEUSER
0x06: SN_DISPLAYSTRING
0x08: SN_DOWNLOADINGUPGRADE
0x09: SN_DOWNLOADFAILED
0x0A: SN_DOWNLOADSUCCEEDED
0x0B: SN_FAILEDTOCONNECT
0x0C: SN_USERNAME
0x0D: SN_LOSTCONNECTION
0x0E: SN_CHANGEUSERFLAGS
0x10: SN_CHANNELISFULL
0x11: SN_CHANNELDOESNOTEXIST
0x12: SN_CHANNELISRESTRICTED
0x13: SN_SQUELCHUSER
0x14: SN_UNSQUELCHUSER
0x15: SN_BADCONNECTION
0x16: SN_SETADINFO
0x17: SN_DISPLAYAD
0x18: SN_MESSAGEBOX
0x19: SN_ICONDATA
0x1A: SN_TOS
0x1B: SN_BNSERVER_INI
0x1C: SN_FAILEDTOCONNECTEXT
0x1D: SN_UNIQUEICONDATA
0x00: PKT_GAMEDATA
0x03: PKT_CLIENTREQ
0x05: PKT_SERVERPING
0x06: PKT_SELFPING
0x07: PKT_KEEPALIVE
0x08: PKT_CONNTEST
0x09: PKT_CONNTEST2
My guess would be a Handle, but that's probably more like HNDL instead of HDL.
Perhaps *something* dynamic library?
It's a type of hack file. I would guess it modifies things in memory when the program it affects is running? Adron has some info about HDLs at his site, IIRC.
its sexy :D
a dll with local access to a process' memory...
It's a hook DLL, I believe. I know about windows hooks, but I don't understand HDL's.
EDIT: When I said I know about windows hooks, I mean I only know of them. I have yet to read about them, but I will in time.
Sounds like fun ;D
http://www.valhallalegends.com/yoni/SampleHDL.zip
:)
heh you got the link in the right place this time yoni ;)
Found the function in IDA, now how do i go figuring out the args it takes and what it returns?
think about how it works.. look at the instructions.
.text:19015D80 cmp ecx, 5Bh
.text:19015D83 ja loc_19015F0C
.text:19015D89 xor eax, eax
.text:19015D8B mov al, ds:byte_19016024[ecx]
.text:19015D91 jmp ds:off_19015F28[eax*4]
ecx is the id. `ja` is an unsigned compare, so any id above 5Bh leaves the "switch" (loc_19015F0C) instead of going through the table. So instead of pushing onto the stack, put your id in ecx.
since this is apparently public domain now -- here's my lil c++ routine contribution... did it at 4 am lol...
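// Dumps the packet-id -> name table by calling battle.snp's id-to-name routine
// (0x19015D80, the address from the disassembly above) for every id 0x00..0xFF
// and appending one "id: name" line per id to C:\SID_Output.txt.
// Only meaningful inside the game process, and only if the module sits at the
// base the disassembly was taken from -- the address is hard-coded, so a
// relocated module makes the call land on garbage.
FILE *stream;
BYTE bSID = 0;
char *szTemp;
char swi[128];   // one output line; bounded write below so a long name cannot overrun it
if (!(stream = fopen ("C:\\SID_Output.txt", "a")))
{
    // the error text now names the file that was actually opened
    sprintf (t, "Unable to append C:\\SID_Output.txt");
    server->GamePrintError (t);
    return TRUE;
}
__asm
{
sidloop:
    movzx ecx, bSID       // id goes in ecx (the routine does `cmp ecx, 5Bh`); movzx because bSID is one byte
    mov eax, 0x19015D80
    call eax              // `push addr / ret` was a jump, not a call: control never came back to the next line
    mov szTemp, eax       // assumes the routine returns its char* in eax -- confirm against the disassembly
}
// szTemp is already the char*; `*szTemp` handed a single char to %s.
// Ids above 5Bh take the default path we cannot see, so guard against a NULL result.
snprintf (swi, sizeof swi, "%#.2x: %s", bSID, szTemp ? szTemp : "(null)");
fprintf (stream, "%s\n", swi);
if (bSID == 0xFF) { goto closesid; }
bSID++;
goto sidloop;
closesid:
fclose (stream);
// no `delete stream`: the FILE* came from fopen, and fclose already released it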
This is assuming it's being called from within SC's memory space (and that battle.snp is loaded where the disassembly shows it, since the address is hard-coded)... Obviously :)
Aren't you going to need to push your return address too? Otherwise I don't see how that will avoid crashing.
Alternative #1, using call
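// Alternative #1: the same loop, but with a real `call` so execution returns
// to the `mov szTemp, eax` line. This is a fragment: `stream`, `szTemp`, `swi`
// and the `closesid:` label come from the surrounding routine.
__asm
{
sidloop:
    movzx ecx, bSID       // bSID is a BYTE; a plain `mov ecx, bSID` is an operand-size conflict
    mov eax, 0x19015D80
    call eax
    mov szTemp, eax       // assumes the char* comes back in eax
}
sprintf (swi, "%#.2x: %s", bSID, szTemp);   // pass the pointer (not *szTemp) and the id variable that exists
fprintf (stream, "%s\n", swi);
if (bSID == 0xFF) { goto closesid; }          // the original was missing the ';'
bSID++;
goto sidloop;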
Alternative #2, using no assembly (should work in msvc++)
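// Alternative #2: no inline assembly. The routine is treated as __fastcall
// because its first argument arrives in ecx, which matches the `cmp ecx, 5Bh`
// in the disassembly; the rest of the convention is an assumption -- if the
// routine does not preserve what a __fastcall callee must, use the asm version.
typedef char *__fastcall sid2sfunc(BYTE);
sid2sfunc *sid2s = (sid2sfunc*)0x19015D80;
do {
    szTemp = sid2s(bSID);
    // %s takes the char* itself, and the id variable is bSID (the original used `*szTemp` and an undeclared `b`);
    // ids above 5Bh hit a default path we cannot see, so tolerate a NULL result
    sprintf (swi, "%#.2x: %s", bSID, szTemp ? szTemp : "(null)");
    fprintf (stream, "%s\n", swi);
} while (bSID++ != 0xff);   // `bSid` was a typo for bSID, and the ';' was missing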
Is it not possible to display those tables, but for something else? Such as, event IDs for packet SID_CHATEVENT? Or perhaps getting all the names of possible values in various unknown?
Quote: Is it not possible to display those tables, but for something else? Such as, event IDs for packet SID_CHATEVENT? Or perhaps getting all the names of possible values in various unknowns?
Those have been available for years in the GreetBot source code provided by Blizzard.
ah thanks for the info.