Messages - lspnet

#1
Ok, this is the packet I am trying to reverse.... excluding the header info (which I already understand) - the data, as usual, starts at 0x37. This particular packet was a packet sent right after the user joined the lobby. Generally, the joiner will send a packet which really only contains his name in ASCII, a port number, and an internal ip (like 192.168.1.101). Then the host will PSH, ACK him with this packet, and that appears to be when the user enters the lobby.

Users can send those request packets (with the names in them) but not all of them will be able to join - the game may fill up before the user can enter the lobby, in which case this PSH, ACK packet is not sent. This happens often when you are closing/opening single slots to refresh the game (which I'm sure some of you DotA gamers are familiar with), and multiple people try to join with only 1 slot open.

At this point I'm not sure how to interpret it any further. This "type" of packet also seems to be sent to the clients multiple times during a lobby session even after they have officially entered the game. The 0x64 (100) byte appears frequently in these packets, and they kind of seem to have a pattern:

0000  00 14 95 78 1a 21 00 01  29 fc 87 b1 08 00 45 00   ...x.!.. ).....E.
0010  00 b2 3e 6e 40 00 80 06  39 2a 45 e6 e5 17 45 a9   ..>n@... 9*E...E.
0020  12 07 17 e0 76 0f f3 e8  48 9e 79 1d 5f 2f 50 18   ....v... H.y._/P.
0030  ff cd 83 52 00 00 f7 04  8a 00 73 00 0c 00 ff 02   ...R.... ..s.....
0040  01 00 00 04 01 64 01 64  02 00 00 01 04 01 64 00   .....d.d ......d.
0050  ff 00 00 00 02 04 00 64  00 ff 01 00 00 03 04 00   .......d ........
0060  64 00 ff 01 00 00 04 04  00 64 00 ff 01 00 00 05   d....... .d......
0070  04 00 64 00 ff 02 01 01  06 08 01 64 00 ff 01 00   ..d..... ...d....
0080  01 07 08 00 64 00 ff 01  00 01 08 08 00 64 00 ff   ....d... .....d..
0090  01 00 01 09 08 00 64 00  ff 01 00 01 0a 08 00 64   ......d. .......d
00a0  00 ff 01 00 01 0b 08 00  64 37 f3 a5 00 03 0c 02   ........ d7......
00b0  02 00 76 0f 45 a9 12 07  00 00 00 00 00 00 00 00   ..v.E... ........


As I mentioned earlier, this packet was sent right as the user joined the lobby. The packet, for whatever reason, also includes the port number (30223) and the user's IP (69.169.18.7) again at the bottom of the data segment.

That's really the only thing I've been able to break down. Please understand that I literally just started doing this on Friday (March 3); up until then I didn't even have a clue what a packet was... So sorry if I ask/say anything stupid.

Any help would be awesome, thanks!

#2
Quote from: TheMinistered on March 05, 2006, 10:12 PM
You need to understand how their protocol works to correctly identify all the fields in a packet.

not all data will be ascii, they will be sending perhaps integers, longs, shorts, bytes which represent numbers not an ASCII character (otherwise known as a string/char array/byte array) An ASCII character is actually just a number too btw, it's just that each number stands for a certain character.

so on so forth, this is basic elementary shit

That's essentially what I said in my original post.

Basically you just reiterated what I posted.... Thank you for doing so man, but that's not really why I posted.

The REASON why I posted in the first place was to find out if someone had reversed the protocol and could give me some pointers, or maybe give me some ideas as to how I could break it down myself.

#3
I could care less about the packets being sent back and forth once the game has started.

I'm actually interested in breaking down the packets that are sent back and forth when a host creates a custom game and people leave/join.

Some of you may be familiar with the program "WC3Banlist" (wc3banlist.com), which uses winPcap to do exactly what I'm curious about.

I am using vBpCap to capture the packets via winPcap, and I've actually been quite successful in retrieving data from the packets in what I can only assume is a very amateur fashion.

I've managed to isolate the packets that include the strings of the names of the people that join my game and add them to a listview. 

As I really didn't have any experience interpreting/breaking down packets and very little experience working with hex... all I really did was locate unique offsets for bytes that always seemed to be the same in packets that included username strings, and just counted up from the offset to extract the string within my program - using a simple "loop until" statement that went through the byte array 1 by 1 to retrieve each character of the string.

ALL I really need at this point is to isolate the packet that indicates a user has left the game lobby. I'm a bit stumped because there is no legible ASCII FOR ME TO WORK WITH!!! AHH!! LOL, as I said earlier, my methods up until this point were rather amateur and simple and only worked because the packets consisted of strings that were understandable to me.

I'm assuming Blizzard uses similar command and type flags for all of their games, so hopefully someone could point me in the right direction.

Any help would be greatly appreciated!
Thanks!
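The dump in post #1 and the "count up from a known offset" string extraction in post #3 can both be worked through with one small script. The following is an added example, not code from lspnet, WC3Banlist or vBpCap; it assumes the dump is in the Wireshark-style "offset  bytes  ascii" text layout shown above (the bytes below are that dump re-typed as a constructed string). Instead of hardcoding where the data starts, it reads the IPv4 header length and the TCP data offset from the headers, which for this frame puts the payload at 0x36 (the 0xf7 byte) with length 138; it then reports the TCP flags, runs a generalised printable-string scan (which returns nothing for this packet at the usual 3-byte minimum, matching the complaint in post #3), locates where the joiner's IP and port from the outer headers are echoed inside the payload, and applies a generic reversing heuristic: a 16-bit field near the start of a message whose value equals the message length is a likely length field. That heuristic is a guess about framing, not a statement of the game's protocol.

```python
import re
import socket
import struct
from typing import Dict, List, Tuple

# Constructed input: the hex dump from post #1, re-typed so the script runs offline.
HEX_DUMP = """\
0000  00 14 95 78 1a 21 00 01  29 fc 87 b1 08 00 45 00   ...x.!.. ).....E.
0010  00 b2 3e 6e 40 00 80 06  39 2a 45 e6 e5 17 45 a9   ..>n@... 9*E...E.
0020  12 07 17 e0 76 0f f3 e8  48 9e 79 1d 5f 2f 50 18   ....v... H.y._/P.
0030  ff cd 83 52 00 00 f7 04  8a 00 73 00 0c 00 ff 02   ...R.... ..s.....
0040  01 00 00 04 01 64 01 64  02 00 00 01 04 01 64 00   .....d.d ......d.
0050  ff 00 00 00 02 04 00 64  00 ff 01 00 00 03 04 00   .......d ........
0060  64 00 ff 01 00 00 04 04  00 64 00 ff 01 00 00 05   d....... .d......
0070  04 00 64 00 ff 02 01 01  06 08 01 64 00 ff 01 00   ..d..... ...d....
0080  01 07 08 00 64 00 ff 01  00 01 08 08 00 64 00 ff   ....d... .....d..
0090  01 00 01 09 08 00 64 00  ff 01 00 01 0a 08 00 64   ......d. .......d
00a0  00 ff 01 00 01 0b 08 00  64 37 f3 a5 00 03 0c 02   ........ d7......
00b0  02 00 76 0f 45 a9 12 07  00 00 00 00 00 00 00 00   ..v.E... ........
"""

TCP_FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def parse_hexdump(text: str) -> bytes:
    """Rebuild the raw frame from 'offset  bytes  ascii' lines; the ASCII column is ignored."""
    out = bytearray()
    for line in text.splitlines():
        if not line.strip():
            continue
        hex_part = re.split(r"\s{3,}", line.strip(), maxsplit=1)[0]  # drop the ASCII column
        tokens = hex_part.split()
        if int(tokens[0], 16) != len(out):
            raise ValueError(f"dump line out of order at offset {tokens[0]}")
        out += bytes.fromhex("".join(tokens[1:]))
    return bytes(out)


def split_frame(frame: bytes) -> Dict[str, object]:
    """Walk Ethernet -> IPv4 -> TCP, taking every header length from the header itself."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]   # IP total length trims trailer bytes
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                 # TCP header length in bytes
    flags = tcp[13]
    return {
        "src_ip": socket.inet_ntoa(ip[12:16]),
        "dst_ip": socket.inet_ntoa(ip[16:20]),
        "src_port": src_port,
        "dst_port": dst_port,
        "flags": [name for bit, name in sorted(TCP_FLAG_NAMES.items()) if flags & bit],
        "payload_offset": 14 + ihl + data_off,
        "payload": tcp[data_off:],
    }


def printable_strings(data: bytes, min_len: int = 3) -> List[Tuple[int, str]]:
    """Generalised version of the post #3 trick: every run of printable ASCII with its offset."""
    runs, start = [], None
    for i, b in enumerate(data + b"\x00"):        # sentinel flushes a run ending at the last byte
        if 0x20 <= b < 0x7F:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                runs.append((start, data[start:i].decode("ascii")))
            start = None
    return runs


def find_endpoints(payload: bytes, hdr: Dict[str, object]) -> List[Tuple[str, int]]:
    """Report where the outer-header IPs/ports reappear inside the payload (both byte orders)."""
    needles = []
    for side in ("src", "dst"):
        needles.append((f"{side}_ip", socket.inet_aton(hdr[f"{side}_ip"])))
        needles.append((f"{side}_port_be", struct.pack("!H", hdr[f"{side}_port"])))
        needles.append((f"{side}_port_le", struct.pack("<H", hdr[f"{side}_port"])))
    hits = []
    for label, needle in needles:
        pos = payload.find(needle)
        while pos != -1:
            hits.append((label, pos))
            pos = payload.find(needle, pos + 1)
    return hits


def find_length_fields(payload: bytes, window: int = 8) -> List[Tuple[int, str]]:
    """Heuristic: a 16-bit value in the first `window` bytes equal to the payload length."""
    n, hits = len(payload), []
    for off in range(0, min(window, n - 1)):
        if struct.unpack_from("<H", payload, off)[0] == n:
            hits.append((off, "le"))
        if struct.unpack_from("!H", payload, off)[0] == n:
            hits.append((off, "be"))
    return hits


if __name__ == "__main__":
    hdr = split_frame(parse_hexdump(HEX_DUMP))
    pl = hdr["payload"]
    print(f"{hdr['src_ip']}:{hdr['src_port']} -> {hdr['dst_ip']}:{hdr['dst_port']} {hdr['flags']}")
    print(f"payload at 0x{hdr['payload_offset']:02x}, {len(pl)} bytes")
    print("strings:", printable_strings(pl), "echoed endpoints:", find_endpoints(pl, hdr))
    print("length-field candidates:", find_length_fields(pl))
```

Run as-is it prints the host-to-joiner direction (6112 -> 30223) with flags PSH/ACK, the payload at 0x36, no printable strings, the joiner's port at payload offset 124 and IP at offset 126, and a little-endian length field candidate at offset 2, i.e. the first four payload bytes look like marker byte, message id, 16-bit length. Applying the same functions to the "left the lobby" captures would show whether those messages share that framing and which message id they carry, which is the comparison post #3 is after.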