W3GS Known Packets

Started by For.Rest, May 12, 2006, 04:10 PM


maldn

Those bytes you don't know are the game settings (first 64 bits) and the map checksum (4 bytes).
See w3g_format.txt for more information.

DotA.For.Rest

Thanks, but there are still 2 unknown bytes before the map checksum.

maldn

Did you check w3g_format.txt?

The bytes right after the 0x00 that follows the game name, up to the next 0x00, are all one encoded string.
Well... there are 3, actually. So those 2 bytes you think are unknown are just the 2 extra bytes you have before decoding.

But I have spotted something else...
After the gameID field there are some interesting bytes:

e4569f00d098d0b3d180d0b0
These are your bytes.
Let's do a bit of formatting...

e4 56 9f 00 | these bytes are most likely a timestamp / uptime of your wc3 client

But now comes something I can not see in my dumps.
d0 98 d0 b3 | == htonl(179 208 152 208)
d1 80 d0 b0 | == htonl(176 208 128 209)

Looks like IP addresses to me... but I can't find them in my dumps... those 16 bytes are simply missing.

Here is one of mine:
maldn@malte ~/pcap $ hexdump -C dieses-game-hab-ich-fuer-dich
00000000  f7 30 73 00 50 58 33 57  14 00 00 00 02 00 00 00  |.0s.PX3W........|
00000010  3a 04 47 00 4c 6f 6b 61  6c 65 73 20 53 70 69 65  |:.G.Lokales Spie|
00000020  6c 20 28 6d 61 6c 64 6e  70 29 00 00 01 03 49 07  |l (maldnp)....I.|
00000030  01 01 a1 01 89 49 01 0f  cd 6b 35 4d 8b 61 71 73  |.....I...k5M.aqs|
00000040  5d 29 33 29 ad 43 6f 6f  75 79 43 61 bb 79 2f 77  |])3).CoouyCa.y/w|
00000050  33 6d 01 6d 03 61 6d 65  6f 71 01 01 00 02 00 00  |3m.m.ameoq......|
00000060  00 09 00 00 00 01 00 00  00 02 00 00 00 15 00 00  |................|
00000070  00 e0 17                                          |...|


Also, the packets sent by waaaghtv don't seem to include those bytes either:
f7          | wc3-packet start
30          | packet-type (gameinfo)
82 00       | length (130)
50 58 33 57 | PX3W (Frozen-Throne game)
14 00 00 00 | version 0x14=20 -> 1.20
ef 1f 00 01 | gameid

ff 2e 80 00 | timestamp (?)
21 57 43 43 | gamename
4c 20 55 57 | null terminated string:
4b 20 76 73 |    21 57 43 43 4c 20 55 57 4b 20 76 73 2e 20 53 4b 20 23 36 00
2e 20 53 4b | => !  W  C  C  L  _  U  W  K  _  v  s  .  _  S  K  _  #  6  '\0'
20 23 36 00 | (sorry, this was borrowed from wtv ;-) )

00          | always 0x00
   01 03 79 | <- start of encoded string
07 41 01 93 | see section for decoding/encoding those strings.

--snip--


Oh, and I have some docs about wc3 LAN games and packets and such, but haven't posted them because they are not complete nor very polished. But since this is now an active topic here in the forums I might post them in the next few days.
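
Worked example for the "encoded string" discussed above. This is code added by the editor, not part of maldn's post or of w3g_format.txt: it takes the encoded bytes from the hexdump above (the part between the 0x00 after "Lokales Spiel (maldnp)" and the next 0x00), decodes them with the mask scheme that w3g_format.txt describes for this string, re-encodes them to check the round trip, and splits the result into its fields. The function names and the 9 + 4 split of the 13 bytes that precede the map path are the editor's reading; the bytes themselves are copied from the dump.

```python
# Encoded bytes copied from the W3GS gameinfo dump above: everything after the
# 0x00 that follows "Lokales Spiel (maldnp)\0", up to the terminating 0x00.
ENCODED_HEX = ("010349070101a101" "8949010fcd6b354d" "8b6171735d293329"
               "ad436f6f75794361" "bb792f77336d016d" "03616d656f710101")


def decode_stat_string(enc):
    """Undo the w3g_format.txt encoding: every 8th byte is a mask whose bit i
    says whether the i-th byte of that block was stored as-is (odd) or +1 (even)."""
    out, mask = bytearray(), 0
    for i, b in enumerate(enc):
        if i % 8 == 0:
            mask = b
        elif mask & (1 << (i % 8)):
            out.append(b)
        else:
            out.append(b - 1)
    return bytes(out)


def encode_stat_string(data):
    """Inverse of decode_stat_string: 7 data bytes per block, mask byte first.
    Bit 0 of the mask is always set and even bytes get +1, so no encoded byte is
    ever 0x00 and the whole string can be terminated by a plain 0x00."""
    out = bytearray()
    for start in range(0, len(data), 7):
        mask, block = 1, bytearray()
        for j, b in enumerate(data[start:start + 7]):
            if b & 1:
                mask |= 1 << (j + 1)
                block.append(b)
            else:
                block.append(b + 1)
        out.append(mask)
        out.extend(block)
    return bytes(out)


def _cstring(buf, off):
    end = buf.index(b"\x00", off)   # ValueError if the terminator is missing
    return buf[off:end].decode("latin-1"), end + 1


def split_stat_string(decoded):
    """Editor's reading of the decoded layout: 13 leading bytes (game settings,
    the last 4 of them the little-endian map checksum), then the map path and
    the host name as null-terminated strings; anything after that is returned raw."""
    checksum = int.from_bytes(decoded[9:13], "little")
    map_path, off = _cstring(decoded, 13)
    host, off = _cstring(decoded, off)
    return {"settings": decoded[:9].hex(), "map_checksum": checksum,
            "map_path": map_path, "host": host, "trailing": decoded[off:]}


if __name__ == "__main__":
    enc = bytes.fromhex(ENCODED_HEX)
    dec = decode_stat_string(enc)
    print(len(enc), "encoded bytes ->", len(dec), "decoded bytes")
    print(split_stat_string(dec))
    assert encode_stat_string(dec) == enc
```

Run against the dump, the 48 encoded bytes decode to 42: `02 48 06 00 00 a0 00 48 00`, the checksum bytes `0f cc 6a 34` (0x346acc0f read little-endian), the map path `Maps\(2)BootyBay.w3m`, the host name `maldnp`, and then one more 0x00. Because the last 7-byte block happens to hold both the host name's terminator and that extra zero, the encoded string ends in two 0x01 bytes before the real 0x00 terminator, which is where the "2 or 3 zeroes" confusion in this thread comes from. A decoder that starts at the wrong offset loses the mask alignment and produces garbage from that block on, so check that `len(decoded)` is 7 times the number of full blocks before trusting the fields.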

DotA.For.Rest

#18
Request Join Game (clients send this on every try to join a game)
W3GS_REQJOIN 0x1E
IN 192.168.000.003:01040 LEN:42

·  ·  3 ·  · · · ·  · · 8 ·  ·  · ·  · · · ·  R u s s i a . O n l i n e ·  · ·  · · · · · · · ·  · · · ·  · · · ·
f7 1e 3300 05000000 fed83814 00 e117 02000000 5275737369612e4f6e6c696e6500 0100 020017e0c0a80003 00000000 00000000
|W3GS Signature
   |Packet Signature
      |Packet Size
           |Join game counter of client
                    |GetTickCount WinAPI value only for LAN games (Zero for battle.net games)
                             |Always zero?
                                |External game port (used by other game clients to connect to this client)
                                    |Total game join/create counter
                                             |Client name (null terminated string)
                                                                           |Always 0x0001?
                                                                                |Internal client IP and Port (sockaddr_in structure)
                                                                                                 |Always zero?
                                                                                                          |Always zero?


Reject Join Game (host rejects the join game request W3GS_REQJOIN)
W3GS_REJECTJOIN 0x05
OUT 192.168.000.003:01047 LEN:8

·  ·  · ·  · · · ·
f7 05 0800 09000000
|W3GS Signature
   |Packet Signature
      |Packet Size
           |Always 0x00000009?


Accept Join Game with slot info (host sends this to the client on W3GS_REQJOIN)
W3GS_SLOTINFOJOIN 0x04
Update slot info (host sends this to the client on slot changes)
W3GS_SLOTINFO 0x09
OUT 192.168.000.003:01046 LEN:48

·  ·  0 ·  · ·
f7 04 3000 1900
|W3GS Signature
   |Packet Signature
      |Packet Size
           |SlotsInfo size (can be 0 if the host is updating slots at this moment)

----SlotsInfo---- (optional for W3GS_SLOTINFOJOIN)

·  · d · · · · ` · d  · · · · · · ` · d
02 016402000000600164 00ff0000010c600164
    016402000000600164
    026402000101410164
    016402000000600164
    026402000001410164
    016402000000600164
    026402000101480164
|Count of slots (can be 0, for example in a ladder game)
   |Slot1 (9 bytes)   |Slot2 (9 bytes) ...
    \PID - Player ID (0 - not a client, 1 - host)
      \Download status (0x64 - 100%, 0xFF - not a client)
        \SlotStatus (0 - open, 1 - closed, 2 - controlled)
          \Controller (1 - computer, 0 - human/open/closed)
            \Team Number from 0 to 11 (12 - free/observer/referee)
              \Color Number from 0 to 11 (12 - free/observer/referee)
                \Race flags
                \0x01 - Human
                \0x02 - Orc
                \0x04 - Night Elf
                \0x08 - Undead
                \0x20 - Random
                \0x40 - Race selected or fixed by map or ladder game
                  \Controller Type (0 - easy comp, 2 - hard comp, 1 - human/normal comp)
                    \Handicap (valid values: 0x32, 0x3C, 0x46, 0x50, 0x5A, 0x64)
- · · ·  ·  ·
2dd21302 00 02
|GetTickCount WinAPI value of the host
         |Always zero? (0xCC for ladder game)
            |Count of slots (end tag?) (0xCC for ladder game)

----SlotsInfo End----
----JoinInfo---- (only for W3GS_SLOTINFOJOIN)

·  · · · · · · · ·  · · · ·  · · · ·
02 02000416c0a80003 00000000 00000000
|PID - Player ID that the host gives to the client
   |Host side client IP and Port (sockaddr_in structure)
                    |Always zero?
                             |Always zero?

----JoinInfo End----

Player information (host sends this to each client for every player)
W3GS_PLAYERINFO 0x06
OUT 192.168.000.003:01053 LEN:52

·  ·  4 ·  · · · ·  ·  F o r . R e s t ·  · ·  · · · · · · · ·  · · · ·  · · · ·  · · · · · · · ·  · · · ·  · · · ·
f7 06 3400 12000000 01 466f722e5265737400 0100 0000000000000000 00000000 00000000 0000000000000000 00000000 00000000
|W3GS Signature
   |Packet Signature
      |Packet Size
           |Player join/create counter
                    |PID
                       |Player name (null terminated)
                                          |Always 0x0001?
                                               |External player IP and Port (sockaddr_in structure) (Zero for host)
                                                                |Always Zero?
                                                                         |Always Zero?
                                                                                  |Internal player IP and Port (sockaddr_in structure) (Zero for host)
                                                                                                   |Always Zero?
                                                                                                            |Always Zero?
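
As an added example (the editor's code, not DotA.For.Rest's), the parser below takes the W3GS_REQJOIN and the 2-slot W3GS_SLOTINFOJOIN dumps from the post above and checks the field layout given there against the packet length. The point to notice is byte order: the W3GS length, counters and tick values are little-endian, but the port inside the embedded sockaddr_in is in network byte order, so `17 e0` there is 6112 (the standard Warcraft III game port) while the little-endian external port `e1 17` is 6113. Field names, the error class and the bounds checks are the editor's; the byte strings are copied from the dumps.

```python
import struct
from ipaddress import IPv4Address

W3GS_SIG = 0xF7
W3GS_REQJOIN = 0x1E
W3GS_SLOTINFOJOIN = 0x04
SLOT_STATUS = {0: "open", 1: "closed", 2: "controlled"}
RACE_FLAGS = {0x01: "human", 0x02: "orc", 0x04: "nightelf", 0x08: "undead",
              0x20: "random", 0x40: "fixed"}

# Byte dumps copied from the post above (the REQJOIN and the 2-slot SLOTINFOJOIN).
REQJOIN_HEX = ("f71e330005000000fed8381400e117020000005275737369612e4f6e6c696e6500"
               "0100020017e0c0a800030000000000000000")
SLOTINFOJOIN_HEX = ("f70430001900" "02" "016402000000600164" "00ff0000010c600164"
                    "2dd21302" "00" "02" "02" "02000416c0a80003" "0000000000000000")


class W3GSError(ValueError):
    """Malformed or truncated packet."""


def parse_header(buf):
    """Validate the 4-byte header; length is little-endian and counts the header."""
    if len(buf) < 4 or buf[0] != W3GS_SIG:
        raise W3GSError("missing 0xF7 signature")
    ptype, length = struct.unpack_from("<BH", buf, 1)
    if length < 4 or length > len(buf):
        raise W3GSError("length %d vs %d bytes available" % (length, len(buf)))
    return ptype, length


def read_cstring(buf, off):
    end = buf.find(b"\x00", off)
    if end < 0:
        raise W3GSError("unterminated string")
    return buf[off:end].decode("latin-1"), end + 1


def parse_sockaddr_in(buf, off):
    """16-byte Windows sockaddr_in: sin_family little-endian (host order),
    sin_port big-endian (network order), sin_addr, then 8 bytes of sin_zero."""
    if off + 16 > len(buf):
        raise W3GSError("truncated sockaddr_in")
    (family,) = struct.unpack_from("<H", buf, off)
    (port,) = struct.unpack_from(">H", buf, off + 2)
    return {"family": family, "ip": str(IPv4Address(buf[off + 4:off + 8])),
            "port": port, "sin_zero_clean": buf[off + 8:off + 16] == bytes(8)}


def parse_reqjoin(buf):
    ptype, length = parse_header(buf)
    if ptype != W3GS_REQJOIN:
        raise W3GSError("not W3GS_REQJOIN")
    pkt = buf[:length]
    join_counter, tick, zero, ext_port, total = struct.unpack_from("<IIBHI", pkt, 4)
    name, off = read_cstring(pkt, 19)
    (unknown,) = struct.unpack_from("<H", pkt, off)
    internal = parse_sockaddr_in(pkt, off + 2)
    if off + 18 != length:
        raise W3GSError("unexpected trailing bytes")
    return {"join_counter": join_counter, "tick": tick, "zero": zero,
            "external_port": ext_port, "total_counter": total, "name": name,
            "unknown": unknown, "internal": internal}


def parse_slot(buf, off):
    pid, dl, status, ctl, team, color, race, ai, handicap = struct.unpack_from("<9B", buf, off)
    return {"pid": pid, "download_pct": None if dl == 0xFF else dl,
            "status": SLOT_STATUS.get(status, "unknown"), "computer": ctl == 1,
            "team": team, "color": color,
            "race": [n for bit, n in RACE_FLAGS.items() if race & bit],
            "ai_level": ai, "handicap": handicap}


def parse_slotinfojoin(buf):
    ptype, length = parse_header(buf)
    if ptype != W3GS_SLOTINFOJOIN:
        raise W3GSError("not W3GS_SLOTINFOJOIN")
    pkt = buf[:length]
    (slotinfo_len,) = struct.unpack_from("<H", pkt, 4)
    off, slots, host_tick = 6, [], None
    if slotinfo_len:                      # zero means "no SlotsInfo in this packet"
        end = off + slotinfo_len
        if end > length:
            raise W3GSError("SlotsInfo runs past the packet")
        count, off = pkt[off], off + 1
        for _ in range(count):
            slots.append(parse_slot(pkt, off))
            off += 9
        host_tick, _zero, _count2 = struct.unpack_from("<IBB", pkt, off)
        off += 6
        if off != end:
            raise W3GSError("SlotsInfo size does not match %d slots" % count)
    pid, off = pkt[off], off + 1          # JoinInfo: PID, then host's view of us
    host_view = parse_sockaddr_in(pkt, off)
    if off + 16 != length:
        raise W3GSError("unexpected trailing bytes")
    return {"slots": slots, "host_tick": host_tick, "pid": pid, "host_view": host_view}


def try_parse(buf):
    """Dispatch on type; report problems as a dict instead of raising."""
    try:
        ptype, _ = parse_header(buf)
        if ptype == W3GS_REQJOIN:
            return parse_reqjoin(buf)
        if ptype == W3GS_SLOTINFOJOIN:
            return parse_slotinfojoin(buf)
        return {"error": "unhandled packet type 0x%02x" % ptype}
    except (W3GSError, struct.error, IndexError) as exc:
        return {"error": str(exc)}


if __name__ == "__main__":
    for hexdump in (REQJOIN_HEX, SLOTINFOJOIN_HEX):
        print(try_parse(bytes.fromhex(hexdump)))
```

Two things fall out of running it. The 8 "Always zero?" bytes that follow each address are consistent with the sin_zero padding of a 16-byte sockaddr_in, so the parser reads them as part of that structure and only records whether they are clean. And the host-side port in JoinInfo decodes to 1046, which is the client's TCP source port from the "OUT 192.168.000.003:01046" line of the same capture, a cheap way to confirm the offsets are right before building anything on top of this layout.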

DotA.For.Rest

#19
Quote from: maldn on May 15, 2006, 08:22 AM
Did you check w3g_format.txt?

The bytes right after the 0x00 that follows the game name, up to the next 0x00, are all one encoded string.
Well... there are 3, actually. So those 2 bytes you think are unknown are just the 2 extra bytes you have before decoding.

But I have spotted something else...
After the gameID field there are some interesting bytes:

Oh, and I have some docs about wc3 LAN games and packets and such, but haven't posted them because they are not complete nor very polished. But since this is now an active topic here in the forums I might post them in the next few days.


Yes, I found all the documentation on w3g and have read it.
About 2 or 3 bytes: it depends on the decoded data size. Decoded data always ends with 2 zeroes, but if the size of the decoded data is, for example, 8 counting the zeroes, then the last zero is in the next coded block. And as it says, the first byte represents bit 0 of all data bytes. But we have zero there, so the resulting last block will be 010100. The string data will be any 6 bytes and 2 zeroes: the first 7 bytes are the first block + 1 coder byte, the last block is 1 byte (zero) + 1 coder byte. This is the moment where you think that the data has 3 zeroes, but it's fake.

About game packets: no need for this here, because I have all the packets' info; I just need time to put it into English. The last question was about COMMAND packets in game, but after reading the W3G format there are no more questions. Just wait for all my info, or find bugs, or help to explain a field if I don't have it.

I'm posting all W3GS packets' info, not only LAN; LAN is easy to start explaining.

maldn

First of all: please(!) change your formatting to something readable. Yours is barely readable...

Quote from: DotA.For.Rest on May 15, 2006, 10:02 AM
Request Join Game (clients send this on every try to join a game)
W3GS_REQJOIN 0x1E
IN 192.168.000.003:01040 LEN:42

·  ·  3 ·  · · · ·  · · 8 ·  ·  · ·  · · · ·  R u s s i a . O n l i n e ·  · ·  · · · · · · · ·  · · · ·  · · · ·
f7 1e 3300 05000000 fed83814 00 e117 02000000 5275737369612e4f6e6c696e6500 0100 020017e0c0a80003 00000000 00000000
|W3GS Signature
   |Packet Signature
      |Packet Size
           |Join game counter of client
                    |GetTickCount WinAPI value only for LAN games (Zero for battle.net games)
                             |Always zero?
                                |External game port (used by other game clients to connect to this client)
                                    |Total game join/create counter
                                             |Client name (null terminated string)
                                                                           |Always 0x0001?
                                                                                |Internal client IP and Port (sockaddr_in structure)
                                                                                                 |Always zero?
                                                                                                          |Always zero?

Read http://forum.valhallalegends.com/index.php?topic=14964.0 and comment there.

Quote from: DotA.For.Rest on May 15, 2006, 10:02 AM
Reject Join Game (host rejects the join game request W3GS_REQJOIN)
W3GS_REJECTJOIN 0x05
OUT 192.168.000.003:01047 LEN:8

·  ·  · ·  · · · ·
f7 05 0800 09000000
|W3GS Signature
   |Packet Signature
      |Packet Size
           |Always 0x00000009?

Oh, and go read some more about endianness: ntohl(0x09000000) != 0x00000009! It's 0x00000090.

Quote from: DotA.For.Rest on May 15, 2006, 10:02 AM
Accept Join Game with slot info (host sends this to the client on W3GS_REQJOIN)
W3GS_SLOTINFOJOIN 0x04
Update slot info (host sends this to the client on slot changes)
W3GS_SLOTINFO 0x09
OUT 192.168.000.003:01046 LEN:48

·  ·  0 ·  · ·
f7 04 3000 1900
|W3GS Signature
   |Packet Signature
      |Packet Size
           |SlotsInfo size (can be 0 if the host is updating slots at this moment)

----SlotsInfo---- (optional for W3GS_SLOTINFOJOIN)

·  · d · · · · ` · d  · · · · · · ` · d
02 016402000000600164 00ff0000010c600164
    016402000000600164
    026402000101410164
    016402000000600164
    026402000001410164
    016402000000600164
    026402000101480164
|Count of slots (can be 0, for example in a ladder game)
   |Slot1 (9 bytes)   |Slot2 (9 bytes) ...
    \PID - Player ID (0 - not a client, 1 - host)
      \Download status (0x64 - 100%, 0xFF - not a client)
        \SlotStatus (0 - open, 1 - closed, 2 - controlled)
          \Controller (1 - computer, 0 - human/open/closed)
            \Team Number from 0 to 11 (12 - free/observer/referee)
              \Color Number from 0 to 11 (12 - free/observer/referee)
                \Race flags
                \0x01 - Human
                \0x02 - Orc
                \0x04 - Night Elf
                \0x08 - Undead
                \0x20 - Random
                \0x40 - Race selected or fixed by map or ladder game
                  \Controller Type (0 - easy comp, 2 - hard comp, 1 - human/normal comp)
                    \Handicap (valid values: 0x32, 0x3C, 0x46, 0x50, 0x5A, 0x64)
- · · ·  ·  ·
2dd21302 00 02
|GetTickCount WinAPI value of the host
         |Always zero? (0xCC for ladder game)
            |Count of slots (end tag?) (0xCC for ladder game)

See http://forum.valhallalegends.com/index.php?topic=14965.0 and comment there please.
I have some slightly different stuff there... especially after the player records I have captured some more bytes.
Can you please post your original dump in that thread?
And can you also post some more info there about the SlotInfo size field? I don't get why this can be zero; I've never seen that. Do you get a 0x09 for all players then?

Quote from: DotA.For.Rest on May 15, 2006, 10:02 AM

·  · · · · · · · ·  · · · ·  · · · ·
02 02000416c0a80003 00000000 00000000
|PID - Player ID that the host gives to the client
   |Host side client IP and Port (sockaddr_in structure)
                    |Always zero?
                             |Always zero?



When/where do you get this? Can you please post a full dump?

DotA.For.Rest

I understand what you are talking about... I'll change all the formatting of my info to something more readable. I'll also post it in a new topic where I will change the first post on every change. I will call it W3GS_format.txt, and there I'll try to post all the different packets to understand how they come.
Sorry for my bad English.
This topic was my first in my life of this type, I mean the informational type, about the structure of packets.
And ntohl(0x09000000) = 0x00000009, because 09 00 00 00 is hex format, each 2 symbols is a byte; only the bytes reverse their positions.
I've been programming for 18 years and believe me, I know it!
Try this simple ASM code:
mov eax, 0x09000000
bswap eax        ; which means ntohl(eax)
After this eax will be 0x00000009.
It's just an example.
I love assembler, and maybe most of my examples will be ASM coded.
Assembler code works much faster than compiled C/C++ code; that's why I use it.

THIS TOPIC IS CLOSED FOR NOW. PLEASE WAIT WHILE I OPEN A NEW TOPIC WITH THE NAME: W3GS_Format.txt

maldn

Quote from: DotA.For.Rest on May 15, 2006, 10:12 AM
... Decoded data always ends with 2 zeroes, but if the size of the decoded data is, for example, 8 counting the zeroes, then the last zero is in the next coded block. And as it says, the first byte represents bit 0 of all data bytes. But we have zero there, so the resulting last block will be 010100. The string data will be any 6 bytes and 2 zeroes: the first 7 bytes are the first block + 1 coder byte, the last block is 1 byte (zero) + 1 coder byte. This is the moment where you think that the data has 3 zeroes, but it's fake.
wtf?!?
I doubt anyone, even yourself, has understood that beast of a text block!

I just wanted to say that you are not decoding the gameSettings. You start too late. Read w3g_format.txt again.

Also, if you actually checked the checksum, you would have noticed that this is not CRC32...
Or your LT is different. Mine has fbbe9d57.

Quote from: DotA.For.Rest on May 15, 2006, 10:12 AM
About game packets: no need for this here, because I have all the packets' info; I just need time to put it into English. The last question was about COMMAND packets in game, but after reading the W3G format there are no more questions. Just wait for all my info, or find bugs, or help to explain a field if I don't have it.

I'm posting all W3GS packets' info, not only LAN; LAN is easy to start explaining.
I strongly advise you not to make that information public. If you have understood the actual game data, you know why.
I can understand that it's hard not to say: "hey, look how cool I am, I decoded all this!"
But one can do just too much harm to the game with this...
The problem is: you provide stupid kids with info (or, even better, code) that can be very easily misused (cheating).
And worst of all: Blizzard can't do anything against it!
So, reconsider publishing this!

Perhaps such a discussion has already taken place here on this forum, or maybe we start one :P

P.S. If you do not believe that this is serious shit, I can post a screenshot of some PoC code of mine that I had written in like 3-4 hours, showing a serious threat to wc3/battle.net.

P.P.S. DON'T CHEAT!

maldn


maldn@localhost ~ $ cat mooh.c && echo "--" && gcc mooh.c && echo "--" && ./a.out
#include <stdio.h>
#include <arpa/inet.h>

int main()
{
        printf("0x%08x\n", ntohl(0x90000000));
}

--
--
0x00000090
maldn@localhost ~ $


Never mind ;-)

maldn


EDIT: omfg, I guess I should have gone to bed long ago :P

My eyes can't differentiate 0x09 and 0x90...

Sorry :)

DotA.For.Rest

This topic moved to http://forum.valhallalegends.com/index.php?topic=14994.0

You said kids can use it for cheating... you are wrong...
The game sends only target commands (while in game); all pathing, damage, and the rest is calculated by the Warcraft client,
so even if you know where the other player moves, it will not let you spoof a packet to attack him, for example if he is invisible.
Also you should know that most kids use MapHack... it's an easier way to see what the enemy does...
Also you should know that MoneyHack can pool money from player to player without understanding packet structures.
Also you should know that DropHack and many other cheats are done!
All cheats are available... so there is no reason to do this again.
This documentation will help many smart guys to create their own Banlist programs, or AMP calculators in game,
or some other useful addons.
You can't do a BOT without understanding how the War3 client works!

Beat me if I'm not right!

maldn

It's not about hacks like bots or true maphack or something...
but knowing what race, hero, starting position, expansions etc. your enemy is going for is a cheat...

see http://img207.imageshack.us/my.php?image=info19hd.png

This screenshot was taken while playing against my roommate who took random. And don't tell me this sort of info is no help. Note: this should work in battle.net games as well, and is undetectable by Blizzard!

@ mods: remove the link to the image if you feel like this may inspire kids to do bad things...

DotA.For.Rest

Man, there are a lot of cheats that Blizzard can't detect. One of them is MapHack; I will not give a link to this one.
I just want to say that all these hacks are available for download. If you need one, you will find what you need.

And one more thing: as a good TDA DotA player I can say that CHEATS will not save your hero against a smart and skilled player.
Skilled players never use CHEATS, because there is no reason to play then.
In ladder, good players harass, so they know what you have at every moment, and where you are.
You can call them CHEATERS because they have such skill.
Only a noob will use a CHEAT, and he will die without skill.
There are TWO different sides, CHEATER and SKILLED, and real skill always owns cheats.
I never cry when I see MapHackers in DotA games, because they always lose.
Let them play with cheats. When they grow up, they will turn them off. MapHack helps to learn skill:
where it is better to go at the start, what to build; but it is better to look at the replay after the game.
You can't kill all CHEATS. Never! It's the same as you can't catch all HACKERS.
So relax and use this info for your own purposes, but remember: SKILL OWNS CHEAT!
Better to make some useful mod like Banlist.NL, but without country detection.
I'm from Russia, and when I join most custom public games they kick me because I'm Russian;
I ban such hosts on the TDA channel, so I will never see them again in private games.
........
Please don't post replies here... I made a new topic... ask all questions there.