Messages - maldn

#1
The game signature isn't exactly generated.
If you have had a look at the actual bytes you might have noticed that 0x50583357 is PX3W in ASCII.
Taking byte order into account, you end up with W3XP -> Warcraft 3 Expansion (TFT).

As for the w3g_* files, have a look at the CVS at http://warcraft.kliegman.com/

And a minor note: I wouldn't call it 'game creation counter'; it's more like a game ID that more or less counts up on newly seen/created games.
But you can use whatever you want, like 0xdeadbeef or so...


maldn
#2
I have some comments on the gameInfo packet,
about the encoded part.
I am very certain, as I stated in the other thread, that the encoded part starts after the 0x00 after the gamename. Why?
1) in replays it starts there
2) some values tagged unknown by you do vanish...

example:

I let my encoded data start with 01034907..., not with 997d01...

static const unsigned char enc1_raw[] =   /* unsigned: values above 0x7f follow */
{
0x01,0x03,0x49,0x07,0x01,0x01,0x7d,0x01,
0x99,0x7d,0x01,0xa3,0xdf,0x1d,0x43,0x4d,0x8b,0x61,
0x71,0x73,0x5d,0x29,0x35,0x29,0xcd,0x4d,0x6f,0x73,
0x75,0x55,0x65,0x6d,0xe9,0x71,0x6d,0x65,0x2f,0x77,
0x33,0x6d,0x89,0x01,0x47,0x6f,0x73,0x2f,0x53,0x65,
0x03,0x73,0x75,0x01,0x01
};


If we decode that, we get

02 48 06 00 00 7c 00 7c
.  H  .  .  .  |  .  | 
00 a3 df 1c 42 4d 61 70
.  .  .  .  B  M  a  p 
73 5c 28 34 29 4c 6f 73
s  \  (  4  )  L  o  s 
74 54 65 6d 70 6c 65 2e
t  T  e  m  p  l  e  . 
77 33 6d 00 46 6f 72 2e
w  3  m  .  F  o  r  . 
52 65 73 74 00 00
r  e  s  t

We are interested in the first 13 bytes. After that come the gamename & creator name and a null char/byte.
Let's have a closer look (for reference look at w3g_format.txt section 4.3/4.4):


decoded gamesettings:
02 48 06 00 00 7c 00 7c 00 a3 df 1c 42

02 -> 00000010 -> fast gamespeed
48 -> 01001000 -> !hide ; !explored ; !nofog ; default ; no obs ; teams together
06 -> 00000110 -> fixed teams: on
00 -> 00000000 -> no full shared control; no rnd hero; no all rnd; no obs/refs
00 -> 00000000 -> 0
7c -> 01111100 -> unknown (0 in ladder games, but not in custom)
00 -> 00000000 -> 0
7c -> 01111100 -> unknown (0 in ladder games, but not in custom)
00 -> 00000000 -> 0
a3 df 1c 42    -> map checksum


Looks good, eh?
You don't have your obscure 'codedTag' and the unknown 0x7c00 anymore.


maldn

P.S. For those of you too lazy to look into w3g_format.txt, here is section 4.4

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4.4 [GameSettings]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Make sure you have decoded the GameSettings (see 4.3).

The game settings (extended options on create game screen) are packed using
various flags distributed over 13 bytes.
For details about the single options read the file
"support/Readme/(PC)UIMainMenus.html"
in your WarCraft III installation directory.

Denoted below are only nonzero flags.

offset | bitnr | Description
-------+-------+---------------------------------------------------------------
0x0000 |  0,1  | Game Speed: 0 = slow, 1 = normal, 2 = fast, 3 = unused
-------+-------+---------------------------------------------------------------
0x0001 |   0   | Visibility: 'hide terrain'
       |   1   | Visibility: 'map explored'
       |   2   | Visibility: 'always visible' (no fog of war)
       |   3   | Visibility: 'default'
       |  4,5  | Observer  : 0 = off or 'Referees' (see 0x0003 Bit6)
       |       |             1 = unused
       |       |             2 = 'Obs on Defeat'
       |       |             3 = on or 'Referees'
       |   6   | Teams Together (team members are placed at neighbored places)
-------+-------+---------------------------------------------------------------
0x0002 |  1,2  | Fixed teams: 0 = off, 1 = unused, 2 = unused, 3 = on
-------+-------+---------------------------------------------------------------
0x0003 |   0   | Full Shared Unit Control
       |   1   | Random Hero
       |   2   | Random Races
       |   6   | Observer: Referees (other observer bits are 0 or 3)
-------+-------+---------------------------------------------------------------
0x0004 |       | 0
0x0005 |       | unknown (0 in ladder games, but not in custom)
0x0006 |       | 0
0x0007 |       | unknown (0 in ladder games, but not in custom)
0x0008 |       | 0
-------+-------+---------------------------------------------------------------
0x0009 | 4Byte | Map Checksum  //TODO: find algorithm
-  0C |       |
-------+-------+---------------------------------------------------------------

#3
It's not about hacks like bots or a true maphack or something...
But knowing what race, hero starting position, expansions etc. your enemy is going for is a cheat...

see http://img207.imageshack.us/my.php?image=info19hd.png

This screenshot was taken while playing against my roommate, who took random. And don't tell me this sort of info is no help. Note: this should work in battle.net games as well, and is undetectable by Blizzard!

@ mods: remove the link to the image if you feel like this may inspire kids to do bad things...
#4

maldn@localhost ~ $ cat mooh.c && echo "--" && gcc mooh.c && echo "--" && ./a.out
#include <stdio.h>
#include <arpa/inet.h>

int main()
{
        printf("0x%08x\n", ntohl(0x90000000));
}

--
--
0x00000090
maldn@localhost ~ $


Never mind ;-)

maldn


EDIT: OMFG, I guess I should have gone to bed long ago :P

My eyes can't differentiate 0x09 and 0x90...

Sorry :)
#5
Quote from: DotA.For.Rest on May 15, 2006, 10:12 AM
... Decoded data always ends with 2 zeroes, but if size of Decoded data for example 8 with counting zeroes, then last zero is next coded block. and as it says first byte is represends bits0 of all data bytes. but we have zero there so result last block will be 010100. String data will be any 6 bytes and 2 zero, first 7 bytes - first block + 1 coder byte, last block 1 byte (zero) + 1 coder byte. this is moment where you think that data have 3 zeroes. but its fake.
WTF?!?
I doubt anyone, even yourself, has understood that beast of a text block!

I just wanted to say that you are not decoding the gameSettings. You start too late. Read w3g_format.txt again.

Also, if you had actually checked the checksum, you would have noticed that this is not CRC32...
Or your LT is different. Mine has fbbe9d57.

Quote from: DotA.For.Rest on May 15, 2006, 10:12 AM
about game packets - no need this here cuz i have all packets info, just need time to make it english. last question was COMMAND packets in game, but after reading W3G format there is no more questons. just wait all my info, or find bugs, or help to find field explain if i have no it

im posting all W3GS packets info, not only LAN, lan is easy to start explain
I strongly advise you not to make that information public. If you have understood the actual game data, you know why.
I can understand that it's hard not to say: "hey look how cool I am, I decoded all this!"
But one can do just too much harm to the game with this...
The problem is: you provide stupid kids with info (or even better, code) that can be very easily misused (cheat).
And worst of all: Blizzard can't do anything against it!
So, reconsider publishing this!

Perhaps such a discussion has already taken place here on this forum, or maybe we start one :P

P.S. If you do not believe that this is serious shit, I can post a screenshot of some PoC code of mine that I wrote in like 3-4 hours showing a serious threat to wc3/battle.net.

P.P.S. DON'T CHEAT!
#6
First of all: please(!) change your formatting to something readable. Yours is barely readable...

Quote from: DotA.For.Rest on May 15, 2006, 10:02 AM
Request Join Game (clients send this on every try to join game)
W3GS_REQJOIN 0x1E
IN 192.168.000.003:01040 LEN:42

·  ·  3 ·  · · · ·  · · 8 ·  ·  · ·  · · · ·  R u s s i a . O n l i n e ·  · ·  · · · · · · · ·  · · · ·  · · · ·
f7 1e 3300 05000000 fed83814 00 e117 02000000 5275737369612e4f6e6c696e6500 0100 020017e0c0a80003 00000000 00000000
|W3GS Signature
   |Packet Signature
      |Packet Size
           |Join game counter of client
                    |GetTickCount WinAPI value only for LAN games (Zero for battle.net games)
                             |Always zero?
                               |External game port (used by others Game clients to connect to this client)
                                    |Total game join/create counter
                                             |Client name (null terminated string)
                                                                           |Always 0x0001?
                                                                                |Internal client IP and Port (sockaddr_in structure)
                                                                                                 |Always zero?
                                                                                                          |Always zero?

Read http://forum.valhallalegends.com/index.php?topic=14964.0 and comment there.

Quote from: DotA.For.Rest on May 15, 2006, 10:02 AM
Reject Join Game (host Rejects join game request W3GS_REQJOIN)
W3GS_REJECTJOIN 0x05
OUT 192.168.000.003:01047 LEN:8

·  ·  · ·  · · · ·
f7 05 0800 09000000
|W3GS Signature
   |Packet Signature
      |Packet Size
           |Always 0x0000009?

Oh, and go read some more about endianness: ntohl(0x09000000) != 0x00000009! It's 0x00000090

Quote from: DotA.For.Rest on May 15, 2006, 10:02 AM
Accept Join Game with Slot info (host send this to client on W3GS_REQJOIN)
W3GS_SLOTINFOJOIN 0x04
Update Slot info (host send this to client on slot changes)
W3GS_SLOTINFO 0x09
OUT 192.168.000.003:01046 LEN:48

·  ·  0 ·  · ·
f7 04 3000 1900
|W3GS Signature
   |Packet Signature
      |Packet Size
|SlotsInfo size (can be 0 if host updating slots at this moment)

----SlotsInfo---- (optional for W3GS_SLOTINFOJOIN)

·  · d · · · · ` · d  · · · · · · ` · d
02 016402000000600164 00ff0000010c600164
    016402000000600164
    026402000101410164
    016402000000600164
    026402000001410164
    016402000000600164
    026402000101480164
|Count of slots (can be 0 for example in ladder game)
   |Slot1 (9 bytes)   |Slot2 (9 bytes) ...
    \PID - Player ID (0 - not client, 1 - host)
      \Download status (0x64 - 100%, 0xFF - not client)
        \SlotStatus (0 - open, 1 - closed, 2 - controlled)
          \Controller (1 - computer, 0 - human/open/closed)
            \Team Number from 0 to 11 (12 - free/observer/referee)
              \Color Number from 0 to 11 (12 - free/observer/referee)
                \Race flags
                \0x01 - Human
                \0x02 - Orc
                \0x04 - Night Elf
                \0x08 - Undead
                \0x20 - Random
                \0x40 - Race selected or fixed by map or ladder game
                  \Controller Type (0 - easy comp, 2 - hard comp, 1 - human/normal comp)
                    \Handicap from (valid values: 0x32, 0x3C, 0x46, 0x50, 0x5A, 0x64)
- · · ·  ·  ·
2dd21302 00 02
|GetTickCount WinAPI value of host
         |Always zero? ( 0xCC for ladder game)
            |Count of slots (end tag?) (0xCC for ladder game)

See http://forum.valhallalegends.com/index.php?topic=14965.0 and comment there please.
I have some slightly different stuff there... especially after the player records I have captured some more bytes.
Can you please post your original dump in that thread?
And can you also post there some more info about the SlotInfo size field? I don't get why this can be zero; I've never seen that. Do you get a 0x09 for all players then?

Quote from: DotA.For.Rest on May 15, 2006, 10:02 AM

·  · · · · · · · ·  · · · ·  · · · ·
02 02000416c0a80003 00000000 00000000
|PID - Player ID that host gives to client
   |Host side client IP and Port (sockaddr_in structure)
                    |Always zero?
                             |Always zero?



When/where do you get this? Can you please post the full dump?
#7
Did you check w3g_format.txt?

The bytes right after the 0x00 after the gamename up to the next 0x00 are all one encoded string.
Well... they are 3 actually. So those 2 bytes you think are unknown are just those 2 bytes you have more before decoding.

But I have spotted something else...
After the gameID field there are some interesting bytes:

e4569f00d098d0b3d180d0b0
These are your bytes.
Let's do a bit of formatting...

e4 56 9f 00 | those bytes are most likely a timestamp / uptime of your wc3 client

But now comes something I can not see in my dumps.
d0 98 d0 b3 | == htonl(179 208 152 208)
d1 80 d0 b0 | == htonl(176 208 128 209)

Looks like IP addresses to me... but I can't find them in my dumps... those 16 bytes are simply missing

Here is one of mine:
maldn@malte ~/pcap $ hexdump -C dieses-game-hab-ich-fuer-dich
00000000  f7 30 73 00 50 58 33 57  14 00 00 00 02 00 00 00  |.0s.PX3W........|
00000010  3a 04 47 00 4c 6f 6b 61  6c 65 73 20 53 70 69 65  |:.G.Lokales Spie|
00000020  6c 20 28 6d 61 6c 64 6e  70 29 00 00 01 03 49 07  |l (maldnp)....I.|
00000030  01 01 a1 01 89 49 01 0f  cd 6b 35 4d 8b 61 71 73  |.....I...k5M.aqs|
00000040  5d 29 33 29 ad 43 6f 6f  75 79 43 61 bb 79 2f 77  |])3).CoouyCa.y/w|
00000050  33 6d 01 6d 03 61 6d 65  6f 71 01 01 00 02 00 00  |3m.m.ameoq......|
00000060  00 09 00 00 00 01 00 00  00 02 00 00 00 15 00 00  |................|
00000070  00 e0 17                                          |...|


Also the packets sent by waaaghtv don't seem to include those bytes either:
f7          | wc3-packet start
30          | packet-type (gameinfo)
82 00       | length (130)
50 58 33 57 | PX3W (Frozen-Throne game)
14 00 00 00 | version 0x14=20 -> 1.20
ef 1f 00 01 | gameid

ff 2e 80 00 | timestamp (?)
21 57 43 43 | gamename
4c 20 55 57 | null terminated string:
4b 20 76 73 |    21 57 43 43 4c 20 55 57 4b 20 76 73 2e 20 53 4b 20 23 36 00
2e 20 53 4b | => !  W  C  C  L  _  U  W  K  _  v  s  .  _  S  K  _  #  6  '\0'
20 23 36 00 | (sorry, this was borrowed from wtv ;-) )

00          | always 0x00
   01 03 79 | <- start of encoded string
07 41 01 93 | see section for decoding/encoding those strings.

--snip--


Oh, and I have some docs about wc3 LAN games and packets and such, but haven't posted them because they are not complete nor very polished. But since this is now an active topic here in the forums I might post them in the next few days.
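
Added example (editor's code, not from the thread or any of its posters): a decoder for the encoded statstring and the 13-byte GameSettings block that post #2 walks through by hand, applied both to the enc1_raw bytes from post #2 and to the complete W3GS_GAMEINFO (0x30) packet hexdumped in post #7. Assumptions of this example: the game name starts at offset 20 (four bytes after the game ID, which the thread only guesses to be a timestamp), the map checksum is kept as raw bytes because its byte order and algorithm are not given on the page, and the bytes after the statstring are returned raw because the thread does not document them.

```python
import struct

# Encoded part of the statstring posted as enc1_raw in post #2 (transcribed).
ENC1_RAW = bytes.fromhex(
    "0103490701017d01" "997d01a3df1d434d" "8b6171735d293529" "cd4d6f737555656d"
    "e9716d652f77336d" "8901476f732f5365" "0373750101"
)

# The complete 115-byte W3GS_GAMEINFO packet from the hexdump in post #7 (transcribed).
GAMEINFO_PKT = bytes.fromhex(
    "f7307300505833571400000002000000"
    "3a0447004c6f6b616c65732053706965"
    "6c20286d616c646e7029000001034907"
    "0101a1018949010fcd6b354d8b617173"
    "5d293329ad436f6f75794361bb792f77"
    "336d016d03616d656f71010100020000"
    "00090000000100000002000000150000"
    "00e017"
)


def decode_w3_string(enc: bytes) -> bytes:
    """Decode a Warcraft III 'encoded string' (w3g_format.txt section 4.3).

    Every 8th byte is a mask for the 7 bytes that follow it.  Bit n of the
    mask says whether byte n of the group originally had bit 0 set; bytes
    whose bit 0 was clear were stored incremented by one, so the encoded
    stream never contains 0x00 and can be C-string terminated.
    """
    out = bytearray()
    mask = 0
    for pos, b in enumerate(enc):
        if pos % 8 == 0:
            mask = b                    # control byte for the next 7 bytes
        elif mask & (1 << (pos % 8)):
            out.append(b)               # low bit was set: byte is unchanged
        else:
            out.append(b - 1)           # low bit was clear: stored as b + 1
    return bytes(out)


SPEED = ("slow", "normal", "fast", "unused")


def parse_game_settings(s: bytes) -> dict:
    """Unpack the 13-byte GameSettings block (w3g_format.txt section 4.4)."""
    if len(s) < 13:
        raise ValueError("GameSettings block is 13 bytes")
    vis, teams, misc = s[1], s[2], s[3]
    return {
        "speed": SPEED[s[0] & 0x03],
        "hide_terrain": bool(vis & 0x01),
        "map_explored": bool(vis & 0x02),
        "always_visible": bool(vis & 0x04),
        "default_visibility": bool(vis & 0x08),
        "observers": (vis >> 4) & 0x03,          # 0 off, 2 on defeat, 3 on/referees
        "teams_together": bool(vis & 0x40),
        "fixed_teams": ((teams >> 1) & 0x03) == 3,
        "full_shared_control": bool(misc & 0x01),
        "random_hero": bool(misc & 0x02),
        "random_races": bool(misc & 0x04),
        "referees": bool(misc & 0x40),
        "unknown5": s[5],                         # 0 in ladder games, not in custom
        "unknown7": s[7],
        "map_checksum": s[9:13].hex(),            # algorithm/byte order unknown: raw
    }


def cstring(buf: bytes, pos: int):
    """Read a NUL-terminated string at pos; return (text, position after NUL)."""
    end = buf.index(0, pos)
    return buf[pos:end].decode("latin-1"), end + 1


def parse_gameinfo(pkt: bytes) -> dict:
    sig, ptype, length = struct.unpack_from("<BBH", pkt, 0)
    if sig != 0xF7 or ptype != 0x30 or length != len(pkt):
        raise ValueError("not a complete W3GS_GAMEINFO packet")
    product = pkt[4:8][::-1].decode("ascii")        # "PX3W" on the wire reads "W3XP"
    version, game_id, uptime = struct.unpack_from("<III", pkt, 8)
    name, pos = cstring(pkt, 20)                    # assumption: name starts at 20
    if pkt[pos] != 0:
        raise ValueError("expected the 0x00 that precedes the encoded string")
    enc_end = pkt.index(0, pos + 1)                 # encoded string is NUL-terminated
    decoded = decode_w3_string(pkt[pos + 1:enc_end])
    map_path, p = cstring(decoded, 13)              # settings are the first 13 bytes
    creator, _ = cstring(decoded, p)
    return {
        "product": product, "version": version, "game_id": game_id,
        "uptime": uptime, "name": name,
        "settings": parse_game_settings(decoded),
        "map_path": map_path, "creator": creator,
        "trailer": pkt[enc_end + 1:].hex(),         # undocumented on the page: raw
    }


if __name__ == "__main__":
    import json
    print(json.dumps(parse_gameinfo(GAMEINFO_PKT), indent=1))
```

Running it on the post #7 dump yields product W3XP, version 20, game ID 2, the game name "Lokales Spiel (maldnp)", map path "Maps\(2)BootyBay.w3m" and creator "maldnp"; on the post #2 bytes the decoder reproduces the 46 bytes listed there, including the 0x7c values and the checksum bytes a3 df 1c 42.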
#8
Those bytes you don't know are the game settings (first 64 bit) and the map checksum (4 bytes).
See w3g_format.txt for more information.
#9
After sending the 0x1e packet, the server/host should send you the 'you are in' packet (assuming the game is not full etc).

It should look like this:
(first TCP packet containing some wc3 packets/blocks)

h->c u are in
f7
04
8a 00       | 138 len of block
73 00       | 115 bytes following in playerRecords?
0c          | 12 records following


01 64 02 00 00 00 60 01 64
^id   ^slot used
02 64 02 00 00 01 60 01 64
03 64 02 00 0c 0c 60 01 64
            ^team
04 64 02 00 04 03 60 01 64
               ^color
05 64 02 00 04 06 60 01 64
                  ^race
06 64 02 00 0c 0c 60 01 64
   ^ unknown
07 64 02 00 0c 0c 60 01 64
         ^human player
08 64 02 00 0c 0c 60 01 64
           
09 64 02 00 03 02 60 01 64
0a 64 02 00 03 04 60 01 64
0b 64 02 00 06 05 60 01 64
0c 64 02 00 06 07 60 01 64
                     ^AI strength, 0x01 for humans


2d 63 40 02 | random seed?
00 08 08 02

00          |0x00 - team & race selectable (for standard custom games)?

81 2a 53 ab a4 37
00 00 00 00
00 00 00 00

f7
06
3b 00       | 59 len of block
00 00 00 00 | timestamp?
01          | playerID
74 68 65 72 |ther
65 61 4c 6e |eaLn
69 67 68 74 |ight
65 4c 66 00 |eLf   => thereaLnighteLf (null-terminated)
01          | playerID
00 00 00 00 | 33 0x00s , that doesnt seem to make (much) sense
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00
00

You got the point, right?
I won't go on with all the players :P
-- snip --

f7
3d
35 00
01 00 00 00
4d 61 70 73 | Maps
5c 46 72 6f | \Fro
7a 65 6e 54 | zenT
68 72 6f 6e | hron
65 5c 28 38 | e\(8
29 46 72 69 | )Fri
65 6e 64 73 | ends
2e 77 33 78 | .w3x
00

d1 9c 03 00 | game-options??

40 5c 8d 09 | mapchecksum?
d3 19 62 ed | mapchecksum?


After that you should also receive a 0x09 (player-options-changed packet).

Hope this helps a bit for now, perhaps I'm going to post some more packets later...


maldn
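
Added example (editor's code, not from the thread or any of its posters): a parser for the W3GS_SLOTINFOJOIN (0x04) block that post #9 annotates, using the 9-byte slot record layout quoted from DotA.For.Rest in post #6, applied to both dumps. Assumptions of this example: the bytes between the slot records and the player ID are read as the fields the post #6 quote names (host tick, a byte that is "always zero?", a trailing count), and the 16 bytes after the player ID are read as a sockaddr_in as that quote says, so the port is in network byte order while everything else in the packet is little-endian.

```python
import struct

# 138-byte W3GS_SLOTINFOJOIN block from post #9 (transcribed from the annotated dump).
POST9_SLOTINFOJOIN = bytes.fromhex(
    "f7048a00 7300 0c"
    "016402000000600164 026402000001600164 036402000c0c600164"
    "046402000403600164 056402000406600164 066402000c0c600164"
    "076402000c0c600164 086402000c0c600164 096402000302600164"
    "0a6402000304600164 0b6402000605600164 0c6402000607600164"
    "2d634002 00 08"
    "08 0200 812a 53aba437 0000000000000000"
)

# 48-byte packet quoted in post #6 (two slots, the second one open).
POST6_SLOTINFOJOIN = bytes.fromhex(
    "f7043000 1900 02 016402000000600164 00ff0000010c600164"
    "2dd21302 00 02 02 0200 0416 c0a80003 0000000000000000"
)

RACE_FLAGS = {0x01: "Human", 0x02: "Orc", 0x04: "Night Elf", 0x08: "Undead",
              0x20: "Random", 0x40: "Selected/fixed"}
SLOT_STATUS = {0: "open", 1: "closed", 2: "occupied"}


def parse_slot(rec: bytes) -> dict:
    """One 9-byte slot record, field order as quoted in post #6."""
    pid, download, status, computer, team, color, race, ctype, handicap = rec
    return {
        "pid": pid,                                    # 0 when no client sits here
        "download_pct": None if download == 0xFF else download,
        "status": SLOT_STATUS.get(status, status),
        "computer": bool(computer),
        "team": team, "color": color,                  # 12 = free/observer/referee
        "race": [n for bit, n in RACE_FLAGS.items() if race & bit],
        "controller_type": ctype,                      # 0 easy, 1 human/normal, 2 hard
        "handicap": handicap,                          # 0x32..0x64 = 50..100 %
    }


def parse_sockaddr_in(buf: bytes) -> dict:
    """16-byte sockaddr_in copied straight from memory: family in host order
    (little-endian on x86), port and address in network order, 8 zero bytes."""
    family = struct.unpack_from("<H", buf, 0)[0]
    port = struct.unpack_from(">H", buf, 2)[0]
    ip = ".".join(str(b) for b in buf[4:8])
    return {"family": family, "port": port, "ip": ip, "pad": buf[8:16].hex()}


def parse_slotinfojoin(pkt: bytes) -> dict:
    sig, ptype, length, info_len = struct.unpack_from("<BBHH", pkt, 0)
    if sig != 0xF7 or ptype != 0x04 or length != len(pkt):
        raise ValueError("not a complete W3GS_SLOTINFOJOIN packet")
    info = pkt[6:6 + info_len]
    n = info[0]
    if info_len != 1 + 9 * n + 6:                      # count + records + 6 tail bytes
        raise ValueError("SlotInfo size does not match %d slot records" % n)
    slots = [parse_slot(info[1 + 9 * i:10 + 9 * i]) for i in range(n)]
    tick, unknown, end_count = struct.unpack_from("<IBB", info, 1 + 9 * n)
    tail = pkt[6 + info_len:]
    if len(tail) != 17:                                # PID + sockaddr_in
        raise ValueError("unexpected %d bytes after SlotInfo" % len(tail))
    return {
        "slots": slots, "host_tick": tick, "unknown": unknown, "end_count": end_count,
        "player_id": tail[0], "addr": parse_sockaddr_in(tail[1:17]),
    }


if __name__ == "__main__":
    for s in parse_slotinfojoin(POST9_SLOTINFOJOIN)["slots"]:
        print(s)
```

On the post #9 dump this gives 12 occupied slots, the third one parked on team 12 / colour 12 (the observer value), every race field set to Random plus the "selected or fixed" bit, the host tick 0x0240632d, and the joining client's ID 8 with an 83.171.164.55:33066 endpoint. The post #6 packet shows the other case: the second record has PID 0, download 0xFF and status open.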
#10
I have this in my wc3 netcode docs:


f7          | its wc3, after all ;P
1e          | let me in!
2a 00       | 42 bytes long
ef 1f 00 01 | gameid
ff 2e 80 00 | timestamp(?)

00          | always(?) 0x00
e0 17       | hum, 0x17E0 is my port (6112)
01 00 00 00 | always(?) 0x01000000
6d          |m
6f 6f 68 00 |ooh  -> 'mooh' was my nickname in that lan-game
01 00       | always(?) 0x1000
02 00       | always(?) 0x2000
28 91       | wtv-port... // 17E1 in my lan (6113->my port)
c0 a8 01 25 |-> 192 168 001 037  => ip-address of the client
            | and why the heck are the above 6 bytes in 'wrong' byte-order?
00 00 00 00 | always(?) 0x00000000
00 00 00 00 | always(?) 0x00000000


Look at what I have tagged gameID...

Weird that your timestamp (better: what I guess could be a timestamp) is 0x00000000.
Are you using Linux? I get 0x00000000 with my boxes too, if I recall correctly...
This packet comes from wtv (probably with a Windows-using streamer),
but I am 100% sure that the u_int32_t following the length is the gameID (or gamecount as you call it).
In your packet it was your 3rd LAN game, I suppose...

Hope this helps.

P.S. Oh, yes: hi forum, first post for me :)
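
Added example (editor's code, not from the thread or any of its posters): a builder and parser for the W3GS_REQJOIN (0x1E) packet that post #10 annotates byte by byte, checked against that dump and against the one quoted in post #6. The "wrong byte order" of the last fields that post #10 wonders about is what you get when a sockaddr_in is copied from memory as-is: the family is a host-order u16, the port and address are in network order. Assumptions of this example: the field names (the u32 after the port is called a counter here, which the page reads as both "always 0x01000000" and a join/create counter), and that the 0x00, the 0x0001, the family 2 and the 8 zero padding bytes are fixed, so the parser rejects anything else.

```python
import struct

# 42-byte W3GS_REQJOIN from post #10 (transcribed from the annotated dump).
POST10_REQJOIN = bytes.fromhex(
    "f71e2a00 ef1f0001 ff2e8000 00 e017 01000000 6d6f6f6800"
    "0100 0200 2891 c0a80125 0000000000000000"
)

# 51-byte W3GS_REQJOIN quoted in post #6.
POST6_REQJOIN = bytes.fromhex(
    "f71e3300 05000000 fed83814 00 e117 02000000 5275737369612e4f6e6c696e6500"
    "0100 0200 17e0 c0a80003 00000000 00000000"
)


def build_reqjoin(game_id: int, tick: int, port: int, counter: int, name: str,
                  internal_ip: str, internal_port: int) -> bytes:
    """Assemble the packet exactly as the client would send it."""
    body = struct.pack("<IIBHI", game_id, tick, 0, port, counter)   # all little-endian
    body += name.encode("latin-1") + b"\0"                          # NUL-terminated name
    body += struct.pack("<H", 1)                                    # "always 0x0001?"
    # sockaddr_in: sin_family in host order (x86: little-endian), sin_port and
    # sin_addr in network order, then the 8-byte sin_zero padding.
    body += struct.pack("<H", 2) + struct.pack(">H", internal_port)
    body += bytes(int(x) for x in internal_ip.split("."))
    body += bytes(8)
    return struct.pack("<BBH", 0xF7, 0x1E, 4 + len(body)) + body


def parse_reqjoin(pkt: bytes) -> dict:
    """Inverse of build_reqjoin; returns only the variable fields."""
    sig, ptype, length = struct.unpack_from("<BBH", pkt, 0)
    if sig != 0xF7 or ptype != 0x1E or length != len(pkt):
        raise ValueError("not a complete W3GS_REQJOIN packet")
    game_id, tick, zero, port, counter = struct.unpack_from("<IIBHI", pkt, 4)
    if zero != 0:
        raise ValueError("byte after the timestamp is not 0x00")
    end = pkt.index(0, 19)
    name = pkt[19:end].decode("latin-1")
    pos = end + 1
    one, family = struct.unpack_from("<HH", pkt, pos)
    internal_port = struct.unpack_from(">H", pkt, pos + 4)[0]        # network order
    internal_ip = ".".join(str(b) for b in pkt[pos + 6:pos + 10])
    if one != 1 or family != 2 or pkt[pos + 10:] != bytes(8):
        raise ValueError("fixed fields after the name do not match")
    return {
        "game_id": game_id, "tick": tick, "port": port, "counter": counter,
        "name": name, "internal_ip": internal_ip, "internal_port": internal_port,
    }


if __name__ == "__main__":
    fields = parse_reqjoin(POST10_REQJOIN)
    print(fields)
    print("round trip ok:", build_reqjoin(**fields) == POST10_REQJOIN)
```

Parsing the post #10 dump gives game ID 0x01001fef (the bytes ef 1f 00 01 read little-endian), port 6112, name "mooh" and the internal endpoint 192.168.1.37:10385; rebuilding from those fields reproduces the 42 bytes exactly. The post #6 dump parses to "Russia.Online", game ID 5, external port 6113 and internal endpoint 192.168.0.3:6112, which matches the annotations quoted there.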